OpenLDAP

From Secure Computing Wiki
Revision as of 12:02, 7 February 2008 by 74.95.66.25 (Talk) (Installation)


So, at work, we've finally got enough systems and users that we're seriously considering an OpenLDAP server for authentication, as well as for our customer/client contact lists, etc. I've never before successfully rolled out an LDAP system, and I've for certain never rolled one out that does authentication for any systems.

Hopefully, when finished, this will lay out the entire process of installing OpenLDAP Server 2.4.6 on a FreeBSD 6.2 system. Since FreeBSD 6.3 and 7.0 are due out in short order, I should be able to update this page and note any differences you may come across.

Please note that while I'm working through this, this page is a work-in-progress. That means there may be some odd-looking edits; I use these pages as scratch paper of sorts during my installation, to make certain all of the necessary notes get made.

Ecrist 12:56, 4 February 2008 (CST): With a few weeks since my initial post here, I'm going to finally finish this document. There have been quite a few things to work through and I've finally got a broader picture of what's going on.

System Overview

As we're big fans of ezjail, we're going to install an LDAP system with one master server, and one slave. All of our email clients will be pointed to the slave for read operations, with that server redirecting any writes to the master server. While OpenLDAP 2.4.x* is available, all of my testing has been done with OpenLDAP 2.3.40, so that's what this document will use.

*: 2.4.x supports a new master-master setup that we're not going to cover here. The multi-master configuration is still considered fairly experimental.

Installation

In our setup, we're going to have two OpenLDAP servers (one master, one slave). In addition, we're going to install phpldapadmin on our master server to help us get a better view of our directory structure.

To begin, we install the following ports:

  • net/openldap-server23
    • enable SASL
    • other defaults should be fine
  • www/apache22
    • enable LDAP
  • lang/php5
    • enable APACHE (apache module)
    • Don't forget to add the following lines to your apache configuration file:
      AddType application/x-httpd-php .php
      AddType application/x-httpd-php-source .phps
  • lang/php5-extensions
    • enable LDAP
    • enable PCRE
    • enable SESSION

Configuration

Now that we have all the ports installed, we need to configure slapd and Apache. Edit /etc/rc.conf and add the following lines:

slapd_enable="YES"
apache22_enable="YES"

Also, edit /usr/local/etc/apache22/httpd.conf and add the following lines:

Around line 107 add:

AddType application/x-httpd-php .php .inc
AddType application/x-httpd-php-source .phps

Around line 183 add:

Alias /phpldapadmin "/usr/local/www/phpldapadmin/htdocs"

<Directory "/usr/local/www/phpldapadmin/htdocs">
        Options Indexes
        AllowOverride none

        Order allow,deny
        Allow from all
</Directory>

Note that Options Indexes turns on directory listings, which phpldapadmin does not need, and Allow from all lets any client that can reach the web server load the admin interface; on a production host you would normally drop Indexes and limit Allow from to administrative addresses.

Around line 228, edit to read:

    DirectoryIndex index.html index.php
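As an added post-install check that is not part of the wiki page's own procedure, the following POSIX shell script confirms that the rc.conf and httpd.conf edits above are actually present and warns if directory listings are enabled on the phpldapadmin directory; the function names and the constructed sample files it builds for its self-test are assumptions, not anything from the page.

```shell
#!/bin/sh
# Added post-install check (not from the wiki page): confirms the rc.conf and
# httpd.conf edits described above are present and warns when directory
# listings are enabled on the phpldapadmin directory. Source this file, then:
#   check_rc_conf /etc/rc.conf && check_httpd_conf /usr/local/etc/apache22/httpd.conf

# has_line FILE REGEX: 0 if some line matches the extended regex, else 1.
has_line() { grep -Eq "$2" "$1"; }

# check_rc_conf FILE: both services must be enabled at boot.
check_rc_conf() {
    rc_ok=0
    has_line "$1" '^slapd_enable="YES"'    || { echo "rc.conf: slapd_enable missing"; rc_ok=1; }
    has_line "$1" '^apache22_enable="YES"' || { echo "rc.conf: apache22_enable missing"; rc_ok=1; }
    return $rc_ok
}

# check_httpd_conf FILE: PHP handler, phpldapadmin Alias and index.php must be present.
check_httpd_conf() {
    web_ok=0
    has_line "$1" '^AddType application/x-httpd-php \.php' \
        || { echo "httpd.conf: PHP AddType missing"; web_ok=1; }
    has_line "$1" '^Alias /phpldapadmin "/usr/local/www/phpldapadmin/htdocs"' \
        || { echo "httpd.conf: phpldapadmin Alias missing"; web_ok=1; }
    has_line "$1" '^[[:space:]]*DirectoryIndex .*index\.php' \
        || { echo "httpd.conf: DirectoryIndex does not list index.php"; web_ok=1; }
    # phpldapadmin does not need directory listings; warn if Indexes is on for it.
    sed -n '/<Directory "\/usr\/local\/www\/phpldapadmin\/htdocs">/,/<\/Directory>/p' "$1" \
        | grep -Eq '^[[:space:]]*Options .*Indexes' \
        && echo "httpd.conf: warning, Indexes is enabled on the phpldapadmin directory"
    return $web_ok
}

# demo_with_samples: runs the checks against constructed sample files (not the
# live system); 0 if complete configs pass and one lacking apache22_enable fails.
demo_with_samples() {
    d=$(mktemp -d) || return 1
    printf 'slapd_enable="YES"\napache22_enable="YES"\n' > "$d/rc.conf"
    printf 'slapd_enable="YES"\n' > "$d/rc_missing.conf"
    printf '%s\n' 'AddType application/x-httpd-php .php .inc' \
        'Alias /phpldapadmin "/usr/local/www/phpldapadmin/htdocs"' \
        '<Directory "/usr/local/www/phpldapadmin/htdocs">' '    Options Indexes' \
        '</Directory>' '    DirectoryIndex index.html index.php' > "$d/httpd.conf"
    check_rc_conf "$d/rc.conf" && check_httpd_conf "$d/httpd.conf" \
        && ! check_rc_conf "$d/rc_missing.conf"
    result=$?
    rm -rf "$d"
    return $result
}
```

Each check prints what is missing and returns non-zero, so the pair can be wired into a one-line sanity test before starting the services.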