Snow Leopard, Ubuntu, LDAP & Automounter Step 2: Install and configure slapd & related utilities

This article is one part in a multi-part series about how to have centralized logins and home directories with Mac OS 10.6 using an Ubuntu 9.10 server, LDAP & Automounter.  You can find the parent article here.

Important Note: Unless stated otherwise, all the commands in this procedure should be run as root.  To become root from a typical admin user, just type sudo su and enter your password.  You can also just stay the regular user and put the word sudo in front of every command.  I’m using to a root prompt and that drives me crazy, so I just su to root.

References.  This page told me that the LDAP docs for 9.10 contained errors and that this thread and this doc is what I should use.  This procedure is based off of those procedure, but is enhanced a bit.

1. Install slapd, etc.  This installs slapd, some tools that will be useful, and the odbc stuff. The odbc might have already been installed, but I found out it was a prerequisite, so I add it to be installed in case it’s not.

# apt-get install slapd ldap-utils migrationtools unixodbc odbcinst1debian1

2.  Load some basic schema files that need to be loaded before anything will work. In a terminal enter:

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

3. Pick a password that will become your LDAP admin password.  If you lose it, you’re screwed, so pick one you can remember.  I’m going to use 1234 in this example.

4. Pick a “domain” name that you’re going to call your LDAP setup.  It really doesn’t matter.  I just chose home.com. A lot of the examples you see out on the Internet use example.com.
5. From here on out in the procedure, you need to create a file with some stuff in it, then import that file with the ldapadd command.  Let’s do the first one.  Create the backend configuration by creating a file called /tmp/backend.ldif with the contents in the following table.

Note: Remember to change “1234″ with the password you’re going to use.  Otherwise you’ll have 1234 as your password.
Also if you’re not going to use home.com as your domain, then remember to change “home” and “com” to the appropriate strings.

###########################################################
#DATABASE SETUP
###########################################################

# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=home,dc=com
olcRootDN: cn=admin,dc=home,dc=com
olcRootPW: 1234
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn=”cn=admin,dc=home,dc=com” write by anonymous auth by self write by * none
olcAccess: {1}to dn.base=”” by * read
olcAccess: {2}to * by dn=”cn=admin,dc=home,dc=com” write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

###########################################################
# DEFAULTS MODIFICATION
###########################################################
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.

dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 1234

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

What does all this mean?  It basically is the basic config saying that you’re going to have a home.com domain and its super-user password is to be 1234.  Other than that, I haven’t a clue. ๐Ÿ˜‰

6. Import this configuration information into LDAP using this command:
# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/backend.ldif

Note that this first time we run the ldapadd command, we don’t have to supply a password.  That’s because this is before we have one.  Once this command has been run, you will always need to authenticate to LDAP using a username and password to run ldapadd again.  This will be reflected in the rest of the procedure.

7. Create another temporary file called /tmp/base.ldif with these contents:

# Tree root
dn: dc=home,dc=com
objectClass: dcObject
objectclass: organization
o: home.com
dc: home
description: Tree root

# LDAP admin
dn: cn=admin,dc=home,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: 1234
description: LDAP administrator

8. Then import it into LDAP with this command:

# ldapadd -x -D cn=admin,dc=home,dc=com -w 1234 -f /tmp/base.ldif

Note: The “-D cn=admin,dc=home,dc=com -w 1234” string says that you want to log in as admin to the home.com domain and that your password is 1234.

You now have a fresh OpenLDAP installation in Ubuntu 9.10.

9. Now we need to create an “organizational unit” (ou) called people and one called groups.  An organizational unit is just a fancy name for group.  The ones that Apple will be looking for is People and group, to give it the username and group (Unix style concepts) of the user that’s trying to log in.

Create a file called /tmp/ou.ldif with these contents

dn: ou=People,dc=home,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=home,dc=com
objectClass: organizationalUnit
ou: group

Don’t ask me why People is capitalized and group is not.  Just do it. ๐Ÿ˜‰

10. Import it with this command:

# ldapadd -x -D cn=admin,dc=home,dc=com -w 1234 -f /tmp/ou.ldif

11. Test that everything went OK.  The quickest way to confirm that all of your syntax was alright is to resart slapd.  It will complain of any typos.

# /etc/init.d/slapd restart

It should restart without errors.

12. Another way to confirm is to run some queries:

# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -w 1234 olcDatabase={1}hdb
# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -w 1234

You should see the things in the query that you put in the config files and added with ldapadd.

13. Run another query (substituting the appropriate value for home and com)

# ldapsearch -xLLL -b dc=home,dc=com

This should run without a password and should show you the People and group organization units (ou’s) that you added.  You should see lines that start with “dn: ou=group” & “dn ou=People”

LDAP is now setup and is ready to be further configured. The next step is to import the Apple and Samba schemas into LDAP.


Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at Sullivan Strickler, which helps companies manage their legacy data

5 comments
  • I get the following error on Ubuntu Server 10.04 LTS

    modifying entry "cn=config"<br />ldap_modify: No such attribute (16)<br />	additional info: modify/delete: olcAuthzRegexp: no such attribute<br />

    Is it safe to just remove those four lines from the backend.ldif

  • I don’t seen “olcauthzregexp” anywhere in the text, so I’m thinking you have a cut and paste issue.

  • [quote name=Rob Moggach]I get the following error on Ubuntu Server 10.04 LTS

    modifying entry "cn=config"
    ldap_modify: No such attribute (16)
    additional info: modify/delete: olcAuthzRegexp: no such attribute

    Is it safe to just remove those four lines from the backend.ldif[/quote]I am getting the same issue as well.

  • I read through this guide earlier and I’d just like to say thanks for your time and effort compiling all of this, I’ve just started to execute the install commands on the first page so a far way to go yet but the guide seems flawless. I appreciate your time and skill!

  • the code is not working properly , how can i correct the errors and run this succesfully