Tuesday, 2 July 2013

Basic setup in Debian slapd package

After issuing apt-get install slapd a few steps are required in order to:
  • change basename suffix;
  • enable logging;
  • speed up admin authentication.
The Debian version is release 7 Wheezy.

Change basename suffix

Package creates a database with suffix aligned to domain name. Domain name is read from /etc/resolv.conf or the like. If you want to change it, the dpkg command can help you:
sudo dpkg-reconfigure slapd
The second time you can choose the domain name.

Enable logging

To enable logging, create a ldif modify file:
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: Stats
name it enable_log.ldif and apply to openLDAP with:
sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f enable_log.ldif
Next ensure slapd sends log to a facility, for example local6. This is done in /etc/default/slapd:
# Additional options to pass to slapd
SLAPD_OPTIONS="-l local6"
(then restart slapd). By the way, to avoid filling the hard drive with openldap log, instruct logrotate to handle them: drop in /etc/logrotate.d/ a file called 'ldap':
/var/log/ldap.log
{
       rotate 90
       daily
       missingok
       notifempty
       delaycompress
       compress
}

Speed up admin authentication

In order to avoid typing admin password to populate directory, authorize SASL/EXTERNAL with root access to do that. Create a ldif file (enable_sasl_acl.ldif):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
and switch it on with:
sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f enable_sasl_acl.ldif
Now you are able to add ou, users and groups without password as long you are root, with '-H ldapi:/// -Y EXTERNAL' switch.

No comments: