Setting up an LDAP server

From BNL Physics Computing

This topic documents how the Physics Department Scientific Computing Support LDAP server was set up.

Overview

The server is a Debian x86 system, so these instructions are somewhat Debian-specific. The hostname of the server is "home.phy.bnl.gov".

Installation

 apt-get install slapd openssl

Configuration

Server Listen URLs

Set up the LDAP server slapd to listen on the internal (loopback) interface without SSL and on the external interface with SSL by editing /etc/default/slapd to contain:

 SLAPD_SERVICES="ldap://127.0.0.1/ ldaps://home.phy.bnl.gov/"
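As an added check (not part of the original wiki page), the following POSIX shell function audits a file in /etc/default/slapd format and warns when a plaintext ldap:// listener is bound to anything other than loopback or a local socket; the sample file content is constructed here to match the setting above.

```shell
#!/bin/sh
# Added example: audit SLAPD_SERVICES so plaintext ldap:// is only on loopback
# (or an ldapi:// unix socket) and every other listener is ldaps://.
# Returns 0 when the setting is acceptable, 1 on a warning, 2 if no setting found.

check_slapd_services() {
    # $1: path to a file in /etc/default/slapd format
    line=$(grep '^SLAPD_SERVICES=' "$1" | tail -n 1 || true)
    [ -n "$line" ] || { echo "no SLAPD_SERVICES line in $1"; return 2; }
    # Strip the key and the surrounding double quotes, leaving the URL list.
    urls=$(printf '%s' "$line" | sed -e 's/^SLAPD_SERVICES=//' -e 's/^"//' -e 's/"$//')
    rc=0
    for u in $urls; do
        case "$u" in
            ldap://127.0.0.1/*|ldap://127.0.0.1|ldap://localhost/*|ldap://localhost|"ldap://[::1]/"*|"ldap://[::1]"|ldapi://*)
                ;;  # plaintext confined to loopback or a unix socket: acceptable
            ldap://*)
                echo "WARNING: plaintext LDAP exposed on a non-loopback address: $u"; rc=1 ;;
            ldaps://*)
                ;;  # TLS-protected listener: acceptable
            *)
                echo "WARNING: unrecognised listener URL: $u"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample file reproducing the wiki's setting.
sample=$(mktemp)
printf 'SLAPD_SERVICES="ldap://127.0.0.1/ ldaps://home.phy.bnl.gov/"\n' > "$sample"
check_slapd_services "$sample" && echo "OK: plaintext LDAP is confined to loopback"
rm -f "$sample"
```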

General Config

The full slapd.conf is available on request (see Computing Contacts resource). The main things to do in this file are to:

  • list what schemas the server should support
  • set the suffix of this directory
  • point to the SSL certs

Generating SSL certs

To generate the SSL cert files, follow the other wiki entry on that topic.

Directory Definition

Use ldapadd to define the "ou=People" organizational unit that holds user info (and the "ou=Group" unit for groups). The following base.ldiff file can be used as input:

 dn: ou=People,dc=phy,dc=bnl,dc=gov
 objectClass: top
 objectClass: organizationalUnit
 ou: People
 
 dn: ou=Group,dc=phy,dc=bnl,dc=gov
 objectClass: top
 objectClass: organizationalUnit
 ou: Group

Populate the Directory with existing user info

There are various free software tools to help here but I wrote my own that makes use of ITD's LDAP and XML-RPC user services (to check for eligibility). See LDAP management tools for details.

A note on how other groups can integrate into this server

Groups can elect to integrate their users into the existing dc=phy,dc=bnl,dc=gov directory or to carve out their own sub-directory. The former would allow users who require it to log in to other systems already in LDAP and to immediately benefit from existing tools. The latter would keep that group's accounts separate and would require some simple modifications to existing tools, but would still benefit from a running LDAP server that they get "for free".

Going further

Next you might want to convert your clients. See Setting up an LDAP client.