Support #727
Updated by Daniel Curtis almost 9 years ago
This is a guide on installing an OpenLDAP server on FreeBSD 9.
h2. Prepare the Environment
* Make sure the system is up to date:
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>
* Install portmaster:
<pre>
pkg install portmaster
pkg2ng
</pre>
h2. Install OpenLDAP Server
* Install the openldap24-server package from the ports tree:
<pre>
portmaster net/openldap24-server
</pre>
#* *NOTE*: Make sure to enable *[X] PPOLICY* during the openldap24-server port configuration.
* Edit the OpenLDAP Client config file:
<pre>
vi /usr/local/etc/openldap/ldap.conf
</pre>
#* Change the BASE to your own environment:
<pre>
BASE dc=example,dc=com
URI ldap:// ldaps://
# SIZELIMIT 0 indicates unlimited search size
SIZELIMIT 0
TIMELIMIT 15
DEREF never
</pre>
* Generate a new {SSHA} password hash for the directory manager and append it to slapd.conf; it becomes the value of the rootpw directive in the next step:
<pre>
slappasswd -h "{SSHA}" >> /usr/local/etc/openldap/slapd.conf
</pre>
* Edit the OpenLDAP Server config file:
<pre>
vi /usr/local/etc/openldap/slapd.conf
</pre>
#* And change as necessary on each server:
<pre>
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/collective.schema
include /usr/local/etc/openldap/schema/openldap.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
modulepath /usr/local/libexec/openldap
moduleload back_mdb
moduleload back_ldap
allow bind_v2
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
directory /var/db/openldap-data
maxsize 1073741824
# Indices to maintain
index objectClass eq
rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb
</pre>
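The rootpw step above is easy to get wrong: @slappasswd >> slapd.conf@ appends the bare hash, which slapd rejects as an unknown directive until it is prefixed with @rootpw@, and the file then holds a password hash that should not be group- or world-readable. The following lint is an added example written for this page, not part of the guide or of OpenLDAP; the two sample configs it checks are constructed inline and the hash value in them is a placeholder, not a real digest.

```sh
#!/bin/sh
# Added example, not part of the original guide: a lint for the slapd.conf
# above. It catches what most often goes wrong with the rootpw step (a hash
# appended by `slappasswd >> slapd.conf` that never got its `rootpw` prefix,
# or a rootpw left in cleartext) and checks that the file holding the hash
# is not readable by group or others. Exit status: 0 clean, 1 findings.

check_slapd_conf() {
    f=$1
    rc=0

    # Raw slappasswd output starts with the scheme; slapd treats such a line
    # as an unknown directive and refuses to start.
    if grep -Eq '^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}' "$f"; then
        echo "$f: bare password hash without the 'rootpw' prefix"
        rc=1
    fi

    # Exactly one rootpw directive ...
    n=$(grep -Ec '^[[:space:]]*rootpw[[:space:]]' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "$f: expected one rootpw directive, found $n"
        rc=1
    fi

    # ... whose value is a {scheme}hash (the guide uses {SSHA}), not cleartext.
    if grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]' "$f"; then
        echo "$f: rootpw value is a cleartext password"
        rc=1
    fi

    # The file carries the rootpw hash: only its owner should read it.
    if [ -n "$(find "$f" -perm -040)" ] || [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f: readable by group or others (use chmod 600)"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files (the hash value is a placeholder, not a real digest).
write_sample() {
    case $2 in
    good)
        cat > "$1" <<'EOF'
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
directory /var/db/openldap-data
index objectClass eq
rootpw {SSHA}PLACEHOLDER-NOT-A-REAL-HASH
EOF
        chmod 600 "$1" ;;
    bad)
        # cleartext rootpw, plus the raw slappasswd line left unprefixed
        cat > "$1" <<'EOF'
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
{SSHA}PLACEHOLDER-NOT-A-REAL-HASH
EOF
        chmod 644 "$1" ;;
    esac
}

# Demo on the two samples; only a temporary directory is touched.
tmp=$(mktemp -d)
write_sample "$tmp/good.conf" good
write_sample "$tmp/bad.conf" bad
check_slapd_conf "$tmp/good.conf" && echo "$tmp/good.conf: clean"
check_slapd_conf "$tmp/bad.conf" || echo "$tmp/bad.conf: findings above (expected)"
rm -rf "$tmp"
```

Run it as @sh lint.sh@ to see both outcomes, or call @check_slapd_conf /usr/local/etc/openldap/slapd.conf@ on the real file before @service slapd start@; a non-zero exit with the findings printed tells you what to fix before slapd refuses to come up.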
* Edit the rc.conf file:
<pre>
vi /etc/rc.conf
</pre>
#* And add the following to the end of the file:
<pre>
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
</pre>
* Start slapd:
<pre>
service slapd start
</pre>
h2. Install LDAP Web Frontend
h3. Install Nginx
* Install nginx and php56:
<pre>
pkg install nginx php56
</pre>
* Configure the default PHP settings:
<pre>
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
</pre>
* Create a configuration directory so that individual server blocks can be managed as separate files:
<pre>
mkdir /usr/local/etc/nginx/conf.d
</pre>
* Edit the main nginx config file:
<pre>
vi /usr/local/etc/nginx/nginx.conf
</pre>
#* Strip the config file down to the following and add the include statement at the end, so that the individual server blocks under conf.d are picked up:
<pre>
#user nobody;
worker_processes 1;
error_log /var/log/nginx-error.log;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    # Load config files from the /usr/local/etc/nginx/conf.d directory
    include /usr/local/etc/nginx/conf.d/*.conf;
}
</pre>
* Edit /usr/local/etc/php-fpm.conf:
<pre>
vi /usr/local/etc/php-fpm.conf
</pre>
#* Make the following changes:
<pre>
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
</pre>
* Start and enable nginx and php-fpm at boot:
<pre>
echo 'nginx_enable="YES"' >> /etc/rc.conf
echo 'php_fpm_enable="YES"' >> /etc/rc.conf
service php-fpm start
service nginx start
</pre>
h3. Install LDAP Account Manager
* Install LDAP Account Manager:
<pre>
pkg install ldap-account-manager
</pre>
* Add a lam.example.com server block:
<pre>
vi /usr/local/etc/nginx/conf.d/lam.example.com.conf
</pre>
#* Add the following:
<pre>
server {
    listen 80;
    server_name lam.example.com;
    root /usr/local/www/lam;
    access_log /var/log/lam.example.com-access.log;
    error_log /var/log/lam.example.com-error.log;

    allow 192.168.1.0/24;
    deny all;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ (tmp/internal|sess|config|lib|help|locale) {
        deny all;
        return 403;
    }
}
</pre>
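The server block above relies on two regex locations, and nginx evaluates @location ~@ blocks in the order they appear, stopping at the first match. The following is an added example written for this page (not part of the guide, of LAM or of nginx) that emulates that selection on a few constructed request paths, so the access rules can be checked before the vhost goes live. It takes the URI as already normalized and ignores the server-level @allow@/@deny@ list, which applies regardless of location.

```sh
#!/bin/sh
# Added example, not from the original guide: emulates how nginx chooses
# between the two `location ~` blocks of the lam.example.com server above.
# Regex locations are tried in file order and the first match wins, so a
# request ending in .php is handed to php-fpm before the deny block is
# ever consulted. Simplification: the URI is assumed already normalized
# (no %-decoding), and the server-level allow/deny list is not modelled.

lam_route() {
    uri=$1
    # First regex location in the file: location ~ \.php$
    if printf '%s\n' "$uri" | grep -Eq '\.php$'; then
        echo php
        return 0
    fi
    # Second regex location: location ~ (tmp/internal|sess|config|lib|help|locale)
    # The pattern is unanchored, so it matches the substring anywhere in the URI.
    if printf '%s\n' "$uri" | grep -Eq '(tmp/internal|sess|config|lib|help|locale)'; then
        echo deny
        return 0
    fi
    # No regex matched: the implicit default location serves the file from root.
    echo static
}

# Constructed sample URIs for the demo (not taken from a real LAM install).
for u in /templates/login.php /config/config.cfg /sess/abc /lib/something.php /style/main.css; do
    printf '%-28s -> %s\n' "$u" "$(lam_route "$u")"
done
```

The last two sample paths show the two points worth checking: the deny pattern is a substring match, so it also catches paths that merely contain one of those words, and a @.php@ file inside one of the listed directories is routed to php-fpm rather than denied because the PHP location comes first. If the intent is that those directories are never served directly, place the deny location before the PHP one; and since the vhost listens on plain HTTP, the LAM master password travels in cleartext, so keep the IP allow-list tight until TLS is in front of it.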
* Restart nginx:
<pre>
service nginx restart
</pre>
* Open a web browser and go to http://lam.example.com
*# Click on +LAM Configuration -> General Settings+; the default master password is *lam*, so make sure to change it before going into production.
h2. Resources
* http://loga.us/2014/08/16/openldap-and-multi-master-replication-in-freebsd-part-i-openldap/