Configuring the server
First you need to get the LDAP server software compiled and installed. Do that however you want to. I'm running the SuSE binaries mostly, but I've compiled OpenLDAP from tarball or source RPM in a few cases. Whichever way you do it, pick the method you feel comfortable with; if your vendor has a prebuilt package, you're probably as well off using that. My config notes assume you're running OpenLDAP. You need to change two main configuration files on the server. One of them is slapd.conf. It's probably in /etc/, /etc/openldap/, or /etc/ldap, depending on who built your binary. You need to set up some parameters in there.

There will probably be a couple of lines at the top of the file, that say to include slapd.at.conf and slapd.oc.conf (using full paths). As long as those files exist, they're probably fine by default.

There's also probably a "schemacheck" parameter. I don't know what that means, but mine's "off" and it works fine, so that's my recommendation.

The "referral" line is there to refer lookups that this LDAP server doesn't know about to another server that probably *will* know. You probably don't need that. If you did, you'd know (I guess).

There are also "pidfile" and "argsfile" settings, which default to files in /var on my default installation.

For the database-specific options (still in slapd.conf), you'll start with a "database" entry, probably specifying "ldbm" as the type. Then you'll have a "suffix". Use the domain name style. For example, I use "dc=cloudmaster,dc=com" (with the quotes). Then there's a "directory" entry. Change that to /var/ldap, and remember to create /var/ldap and run both "chown root.root /var/ldap" and "chmod 700 /var/ldap" (assuming the server runs as root, which it probably does). You might consider making a new user and group called ldap if you're concerned. I don't see any obvious problem with that...

Anyway, you need to specify a distinguished name to administer the server with, and a password. The "rootdn" entry should be something like "cn=admin,dc=cloudmaster,dc=com" (with the quotes). The rootpw entry can be a plaintext password (bad idea), or hashed in one of several formats. I use a perl one-liner:

echo password | perl -nle 'print "{crypt}", crypt($_, "DS");'

Change "password" to your desired password (the second argument to crypt() is the two-character salt), and paste the whole output line into slapd.conf as the rootpw value, including the {crypt} prefix.

Since the clients will be looking up cn, sn, and uid, as well as ipserviceport and iphostnumber, we'll build an index. Add these two lines:

index           cn,sn,uid                       pres,eq,approx
index           ipserviceport,iphostnumber      pres,eq

That indexes the names for equality, presence, and approximate matches. The other two don't match partially (it's all or nothing), so "approx" is left out. You should also set up some access rules. Only the user and the admin should be able to change a password (everyone else can only compare against it), users can change anything about themselves, and everyone can read everything else, so:

access to attr=userpassword
        by self write
        by dn="cn=manager, dc=parkland, dc=cc, dc=il, dc=us" write
        by * compare
access to *
        by self write
        by dn="cn=manager, dc=parkland, dc=cc, dc=il, dc=us" write
        by * read
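
As an added example (not part of this HOW-TO), here is a small Python model of how slapd picks an access level from directives like the two above: the first matching "access to" clause wins, and within it the first matching "by" clause decides, so an anonymous caller gets "compare" on userpassword but never "read". The ACL text is a constructed copy of the two directives, the level ordering is OpenLDAP's none < compare < search < read < write, and the entry DNs used in checks are made up.

```python
import re
LEVELS = ["none", "compare", "search", "read", "write"]  # weakest to strongest

def normalize(dn):
    """Canonical form so 'cn=A, dc=B' and 'cn=a,dc=b' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_acl(text):
    """Parse 'access to <what>' blocks into (what, [(who, level), ...])."""
    rules = []
    for block in re.split(r"^access to ", text, flags=re.M)[1:]:
        what, *bylines = block.strip().splitlines()
        found = [re.match(r"\s*by\s+(.+?)\s+(\w+)\s*$", l) for l in bylines]
        rules.append((what.strip().lower(),
                      [(m.group(1), m.group(2).lower()) for m in found if m]))
    return rules

def access_level(rules, requester, target_dn, attr):
    """Level the bound DN 'requester' ('' = anonymous) gets on 'attr' of
    'target_dn': first matching 'access to', then first matching 'by'."""
    requester, target_dn = normalize(requester), normalize(target_dn)
    for what, bys in rules:
        if what != "*" and what != "attr=" + attr.lower():
            continue
        for who, level in bys:
            m = re.match(r'dn="(.*)"$', who)
            if (who == "*"
                    or (who == "self" and requester and requester == target_dn)
                    or (m and normalize(m.group(1)) == requester)):
                return level
        return "none"  # matching 'access to' but no matching 'by': denied
    return "none"

def allows(rules, requester, target_dn, attr, wanted):
    """True if the granted level is at least 'wanted' (so anonymous may
    'compare' userpassword but not 'read' it)."""
    got = access_level(rules, requester, target_dn, attr)
    return LEVELS.index(got) >= LEVELS.index(wanted)

ACL_TEXT = """\
access to attr=userpassword
        by self write
        by dn="cn=manager, dc=parkland, dc=cc, dc=il, dc=us" write
        by * compare
access to *
        by self write
        by dn="cn=manager, dc=parkland, dc=cc, dc=il, dc=us" write
        by * read
"""
RULES = parse_acl(ACL_TEXT)  # ACL_TEXT is a constructed copy of the two directives above
```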

Stick a line that says "loglevel 0" in there too, so your log files don't get filled up with the default logs. There's a lot of them. Maybe comment the loglevel line out, and then uncomment it after you're sure stuff works...

You also need to edit ldap.conf. It's probably in the same directory as slapd.conf. In there, you only need two lines:

BASE    dc=cloudmaster, dc=com
HOST    cloud233.cloudmaster.com

There are other things you can configure in there, but you should know that it's possible to have a separate ldap.conf (usually /etc/ldap.conf) for the pam_ldap and nss_ldap utilities. The one you just configured is for the LDAP utilities, like ldapsearch and ldappasswd...

That reminds me, set the permissions on slapd.conf to 600 and the permissions on ldap.conf to 644.

2000-Jun-22 12:36am
This document is: http://www.cloudmaster.com/~sauer/projects/index.cgi?file=45
This is a Faq-O-Matic 2.719.
This FAQ administered by sauer@cloudmaster.com