OpenLDAP is one of the more interesting, sometimes challenging services to get up and running on FreeBSD. It implements the Lightweight Directory Access Protocol, which programs that support LDAP can use for authentication and authorization. Let's look at the installation and configuration below.
Note: We assume a fictional top level domain of acme.com. Replace it with your own domain.
Installation
First step is to edit the /etc/hosts file and append a line similar to the following:
127.0.1.1 admin.acme.com admin
We’re now good to install the OpenLDAP server and client for FreeBSD via the pkg command.
pkg install openldap-server
pkg install openldap-client
The package openldap-server would give us the server components (affectionately called slapd) and configuration files. openldap-client gives us the client accessories: basically tools that let us add, modify, delete stuff and query/search for stuff inside the LDAP directory.
Configuration
Before we start, let’s get ourselves a nice strong password that we can use to do administrative tasks. We use the slappasswd command for this:
slappasswd -h '{SHA}'
New password:
Re-enter new password:
{SHA}Y2fEjdGT1W6nsLqtJbGUVeUp9e4=
We asked for a SHA-1 hashed password and got back the base64-encoded hash, prefixed with the scheme name {SHA}. Keep this value for use later.
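As an added example (not code from the original post), the following Python reproduces what slappasswd does for the {SHA} scheme used above, next to the salted {SSHA} scheme that slappasswd emits by default when no -h is given; the password "secret" and the fixed salt bytes are constructed sample values, not the author's. {SHA} is unsalted SHA-1, so two accounts with the same password get the same hash and a leaked slapd.conf can be matched against precomputed tables, which is why {SSHA} is preferable for rootpw and userPassword values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the original post: it reproduces what
# slappasswd does for the {SHA} scheme used above and for the salted
# {SSHA} scheme (slappasswd's default when no -h is given).


def make_sha(password: str) -> str:
    """{SHA}: base64(sha1(password)). Unsalted, so equal passwords give equal hashes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64(sha1(password + salt) + salt). slappasswd uses a random 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate against a {SHA}/{SSHA} value the way slapd does at bind time."""
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        salt = b""
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        salt = raw[20:]  # everything after the 20-byte SHA-1 digest is the salt
    else:
        raise ValueError("unsupported scheme or cleartext value: " + stored[:8])
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, raw[:20])  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample password; the post's real password is not known.
    sha_value = make_sha("secret")
    ssha_value = make_ssha("secret")
    print(sha_value, ssha_value)
    print(verify(sha_value, "secret"), verify(ssha_value, "secret"))
    # Two accounts with the same password: identical under {SHA}, distinct under {SSHA}.
    print(make_sha("secret") == sha_value, make_ssha("secret") == ssha_value)
```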
Let's now edit the server configuration file /usr/local/etc/openldap/slapd.conf and make it look similar to the following:
# Make sure the lines below are present
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/collective.schema
include /usr/local/etc/openldap/schema/openldap.schema
#... make sure the lines below are un-commented
moduleload back_mdb
moduleload back_ldap
#... make sure the database section below is modified accordingly
# (suffix, rootdn and rootpw are database directives and must follow the database line)
database mdb
maxsize 1073741824
suffix "dc=acme,dc=com"
rootdn "cn=admin,dc=acme,dc=com"
#... replace rootpw value with the one we created
rootpw {SHA}Y2fEjdGT1W6nsLqtJbGUVeUp9e4=
directory /var/db/openldap-data
index objectClass eq
Edit the file /etc/rc.conf and append the following lines:
slapd_enable="YES"
slapd_flags='-h "ldapi://%252fvar%252frun%252fopenldap%252fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
This starts slapd at boot and makes it listen on the local ldapi socket and, over plain ldap:// without TLS, on all IPv4 addresses. We are almost done; let's start the LDAP service:
service slapd start
Verifying the installation & configuration
Let’s test if it all works. We shall run the following command from within the FreeBSD machine:
ldapsearch -x -W -D cn=admin,dc=acme,dc=com
Enter LDAP Password:
We could also run the command from outside the system like so:
ldapsearch -x -H ldap://sub.domain.com
Here sub.domain.com is the fully qualified domain name (FQDN) of the FreeBSD system. You can also use the IP address in place of the FQDN. You should get results similar to the following if your setup is successful:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
Adding data to the directory
Create a file (addstuff.ldif) containing the following contents.
dn: dc=acme,dc=com
objectclass: dcObject
objectclass: organization
o: labs
dc: acme

dn: cn=admin,dc=acme,dc=com
objectclass: organizationalRole
cn: admin
Explaining LDAP is out of the scope of this post. So that’s for some other time. Now let’s add the data to LDAP using the ldapadd command.
ldapadd -x -W -D cn=admin,dc=acme,dc=com -f addstuff.ldif
Enter LDAP password:
The same thing can be done from outside the machine via the following command.
ldapadd -x -W -H ldap://sub.domain.com -D cn=admin,dc=acme,dc=com -f addstuff.ldif
Enter LDAP password:
We can add more data from here if we want to (see addppl.ldif). After doing this, let's check that it worked from within the FreeBSD system:
ldapsearch -x -LLL -b dc=acme,dc=com
and from outside the system like this:
ldapsearch -x -H ldap://sub.domain.com -b dc=acme,dc=com
If this worked, we should see a bunch of entries with cn, sn, userPassword and similar attributes in the output. We have successfully installed OpenLDAP on FreeBSD.
Hope you liked this post. Try it out and send your feedback and questions via the blog's comments section.
This was wonderfully helpful, though there is one issue I’m running into. When I start the slapd service, I get the warning-
/usr/local/etc/rc.d/slapd: WARNING: slapd: Can’t find socket /var/run/openldap/ldapi
Any thoughts?
Thank you for your time!
Thank you very much.
This post is very useful.
How to update a record in OpenLDAP using command line?