Modifying/Populating your Database

Let’s introduce some content to our database. We will add the following:

• a node calledPeople (to store users)

• a node calledGroups(to store groups)

• a group called miners

• a user calledjohn

Create the following LDIF file and call it add_content.ldif:

dn : ou=People , dc=example , dc=com o b j e c t C l a s s : o r g a n i z a t i o n a l U n i t ou : Peo ple

dn : ou=Groups , dc=example , dc=com o b j e c t C l a s s : o r g a n i z a t i o n a l U n i t ou : Groups

dn : cn=miners , ou=Groups , dc=example , dc=com o b j e c t C l a s s : posixGroup

cn : m i ne r s gidNumber : 5000

dn : u i d=john , ou=People , dc=example , dc=com o b j e c t C l a s s : i n e t O r g P e r s o n

o b j e c t C l a s s : p o s i xA c c o un t o b j e c t C l a s s : shadowAccount u i d : john

sn : Doe

givenName : John cn : John Doe

displayName : John Doe uidNumber : 10000 gidNumber : 5000

userPassword : {CRYPT}x g e c o s : John Doe

l o g i n S h e l l : / b i n / bash

homeDirectory : /home/ john Note

It’s important that uid and gid values in your directory do not collide with local values. You can use high number ranges, such as starting at 5000 or even higher.

Add the content:

$ ldapadd −x −D cn=admin , dc=example , dc=com −W−f add_content . l d i f Enter LDAP Password : ********

adding new e n t r y ” ou=People , dc=example , dc=com”

adding new e n t r y ” ou=Groups , dc=example , dc=com”

adding new e n t r y ” cn=miners , ou=Groups , dc=example , dc=com”

adding new e n t r y ” u i d=john , ou=People , dc=example , dc=com”

We can check that the information has been correctly added with the ldapsearchutility. For example, let’s search for thejohn entry, and request thecn andgidnumber attributes:

$ l d a p s e a r c h −x −LLL −b dc=example , dc=com ’ ( u i d=john ) ’ cn gidNumber dn : u i d=john , ou=People , dc=example , dc=com

cn : John Doe gidNumber : 5000

Here we used an LDAP “filter”: (uid=john). LDAP filters are very flexible and can become complex. For example, to list the group names of whichjohnis a member, we could use the filter:

(&( o b j e c t C l a s s=posixGroup ) ( memberUid=john ) )

That is a logical AND between two attributes. Filters are very important in LDAP and mastering their syntax will help a long way. They are used for simple queries like this, but can also select what content is to be replicated to a secondary server, or even in complex ACLs. The full specification is defined in RFC 4515.

Notice we set the userPassword field for the john entry to the cryptic value {CRYPT}x. This essentially is an invalid password, because no hashing will produce justx. It’s a common pattern when adding a user entry without a default password. To change the password to something valid, you can now useldappasswd:

$ ldappasswd −x −D cn=admin , dc=example , dc=com −W−S u i d=john , ou=p e o p l e , dc=

example , dc=com New password :

Re−e n t e r new password : Enter LDAP Password :

Note

Remember that simple binds are insecure and you should add TLS support to your server!

Modifying the slapd Configuration Database

Theslapd-configDIT can also be queried and modified. Here are some common operations.

Adding an index

Useldapmodifyto add an “Index” to your{1}mdb,cn=config database definition (fordc=example,dc=com).

Create a file, call it uid_index.ldif, with the following contents:

dn : o l c D a t a b a s e ={1}mdb , cn=c o n f i g add : olcDbIndex

olcDbIndex : m a i l eq , sub Then issue the command:

$ sudo l d a pm o d i f y −Q −Y EXTERNAL −H l d a p i : / / / −f uid_index . l d i f m o d i f y i n g e n t r y ” o l c D a t a b a s e ={1}mdb , cn=c o n f i g ”

You can confirm the change in this way:

$ sudo l d a p s e a r c h −Q −LLL −Y EXTERNAL −H l d a p i : / / / −b \ cn=c o n f i g ’ ( o l c D a t a b a s e ={1}mdb) ’ olcDbIndex

dn : o l c D a t a b a s e ={1}mdb , cn=c o n f i g olcDbIndex : o b j e c t C l a s s eq

olcDbIndex : cn , u i d eq

olcDbIndex : uidNumber , gidNumber eq olcDbIndex : member , memberUid eq olcDbIndex : m a i l eq , sub

Change the rootDN password:

First, runslappasswdto get the hash for the new password you want:

$ s l a p p a s s w d New password :

Re−e n t e r new password :

{SSHA}VKrYMxlSKhONGRpC6rnASKNmXG2xHXFo Now prepare a changerootpw.ldif file with this content:

dn : o l c D a t a b a s e ={1}mdb , cn=c o n f i g changetype : modify

r e p l a c e : olcRootPW

olcRootPW : {SSHA}VKrYMxlSKhONGRpC6rnASKNmXG2xHXFo Finally, run theldapmodifycommand:

$ sudo l d a p m o d i f y −Q −Y EXTERNAL −H l d a p i : / / / −f changerootpw . l d i f m o d i f y i n g e n t r y ” o l c D a t a b a s e ={1}mdb , cn=c o n f i g ”

We still have the actual cn=admin,dc=example,dc=com dn in the dc=example,dc=com database, so let’s change it too. Since this is a regular entry in this database suffix, we can useldappasswd:

$ ldappasswd −x −D cn=admin , dc=example , dc=com −W−S New password :

Re−e n t e r new password :

Enter LDAP Password : <−− c u r r e n t password , about t o be changed

Adding a schema

Schemas can only be added tocn=configif they are in LDIF format. If not, they will first have to be converted.

You can find unconverted schemas in addition to converted ones in the /etc/ldap/schema directory.

Note

It is not trivial to remove a schema from the slapd-config database. Practice adding schemas on a test system.

In the following example we’ll add the password policy (ppolicy) schema. This schema exists in both converted (.ldif) and native (.schema) formats, so we don’t have to convert it and can useldapadddirectly:

$ sudo ldapadd −Q −Y EXTERNAL −H l d a p i : / / / −f / e t c / l d a p / schema / p p o l i c y . l d i f adding new e n t r y ” cn=p p o l i c y , cn=schema , cn=c o n f i g ”

If the schema you want to add does not exist in LDIF format, a nice conversion tool that can be used is provided in the schema2ldif package.

Logging

Activity logging for slapd is very useful when implementing an OpenLDAP-based solution yet it must be manually enabled after software installation. Otherwise, only rudimentary messages will appear in the logs.

Logging, like any other such configuration, is enabled via theslapd-configdatabase.

OpenLDAP comes with multiple logging levels with each one containing the lower one (additive). A good level to try isstats. The slapd-config man page has more to say on the different subsystems.

Create the file logging . ldif with the following contents:

dn : cn=c o n f i g changetype : modify r e p l a c e : o l c L o g L e v e l o l c L o g L e v e l : s t a t s Implement the change:

sudo l d a p m o d i f y −Q −Y EXTERNAL −H l d a p i : / / / −f l o g g i n g . l d i f

This will produce a significant amount of logging and you will want to throttle back to a less verbose level once your system is in production. While in this verbose mode your host’s syslog engine (rsyslog) may have a hard time keeping up and may drop messages:

r s y s l o g d−2177: imuxsock l o s t 228 m es s ag es from p i d 2547 due t o r a t e−l i m i t i n g You may consider a change to rsyslog’s configuration. In /etc/rsyslog .conf, put:

# D i s a b l e r a t e l i m i t i n g

# ( d e f a u l t i s 200 me s sag es i n 5 s e c o n d s ; below we make t h e 5 become 0 )

$ S y s t e m L o g R a t e L i m i t I n t e r v a l 0 And then restart the rsyslog daemon:

sudo s y s t e m c t l r e s t a r t s y s l o g . s e r v i c e