Support #727
Updated by Daniel Curtis almost 9 years ago
{{>toc}} This is a guide on installing an OpenLDAP server on FreeBSD 9. h2. Prepare the Environment * Make sure the system is up to date: <pre> pkg update && pkg upgrade portsnap fetch extract </pre> * Install portmaster: <pre> pkg install portmaster pkg2ng </pre> h2. Install OpenLDAP Server * Install the openldap24-server package from the ports tree: <pre> portmaster net/openldap24-server </pre> #* *NOTE*: Make sure to enable *[X] PPOLICY* during the openldap24-server port configuration. * Edit the OpenLDAP Client config file: <pre> vi /usr/local/etc/openldap/ldap.conf </pre> #* Change the BASE to your own environment: <pre> BASE dc=example,dc=com URI ldap:// ldaps:// # SIZELIMIT 0 indicates unlimited search size SIZELIMIT 0 TIMELIMIT 15 DEREF never </pre> * Change the default password: <pre> slappasswd -h "{SSHA}" >> /usr/local/etc/openldap/slapd.conf </pre> * Edit the OpenLDAP Server config file: <pre> vi /usr/local/etc/openldap/slapd.conf </pre> #* And change as necessary on each server: <pre> include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/corba.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/collective.schema include /usr/local/etc/openldap/schema/openldap.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel 256 modulepath /usr/local/libexec/openldap moduleload back_mdb moduleload back_ldap allow bind_v2 database mdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" directory /var/db/openldap-data maxsize 1073741824 # Indices to maintain index objectClass eq rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb </pre> * Edit the rc.conf file: <pre> vi /etc/rc.conf </pre> #* And add the follow to the end of the file: <pre> slapd_enable="YES" slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"' slapd_sockets="/var/run/openldap/ldapi" </pre> * Start slapd: <pre> service slapd start </pre> Testing the slapd configuration to demonstrate a successful connection: <pre> ldapsearch </pre> #* _Example output_: <pre> # extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 3 result: 32 No such object # numResponses: 1 </pre> h2. Populate the LDAP Server * Create the domain template file: <pre> vi /usr/local/etc/openldap/example.com.ldif </pre> #* And add the following: <pre> dn: dc=example,dc=com objectclass: dcObject objectclass: organization o: example dc: example dn: cn=Manager,dc=example,dc=com objectclass: organizationalRole cn: Manager </pre> * To import this file into the server: <pre> ldapadd -D "cn=Manager,dc=example,dc=com" -W -f /usr/local/etc/openldap/example.com.ldif </pre> * To verify the data was imported correctly using the ldapsearch command: <pre> ldapsearch </pre> #* _Example output_: <pre> # extended LDIF # # LDAPv3 # base <dc=loga,dc=us> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # loga.us dn: dc=example,dc=com objectClass: dcObject objectClass: organization o:: bG9nYSA= dc:: bG9nYSA= # Manager, example.com dn: cn=Manager,dc=example,dc=com objectClass: organizationalRole cn: Manager # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 </pre> h2. Install LDAP Web Frontend h3. Install Nginx * Install nginx and php56: <pre> pkg install nginx php56 </pre> * Configure the default PHP settings <pre> cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini </pre> * Create a configuration directory to make managing individual server blocks easier <pre> mkdir /usr/local/etc/nginx/conf.d </pre> * Edit the main nginx config file: <pre> vi /usr/local/etc/nginx/nginx.conf </pre> #* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks: <pre> #user nobody; worker_processes 1; error_log /var/log/nginx-error.log; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; # Load config files from the /etc/nginx/conf.d directory include /usr/local/etc/nginx/conf.d/*.conf; } </pre> * Edit /usr/local/etc/php-fpm.conf: <pre> vi /usr/local/etc/php-fpm.conf </pre> #* Make the following changes: <pre> listen = /var/run/php-fpm.sock listen.owner = www listen.group = www listen.mode = 0660 </pre> * Start and enable nginx and php-fpm at boot: <pre> echo 'nginx_enable="YES"' >> /etc/rc.conf echo 'php_fpm_enable="YES"' >> /etc/rc.conf service php-fpm start service nginx start </pre> h3. Install LDAP Account Manager * Install LDAP Acccount Manager: <pre> pkg install ldap-account-manager </pre> * Add a lam.example.com server block: <pre> vi /usr/local/etc/nginx/conf.d/lam.example.com.conf </pre> Add the following: <pre> server { listen 80; server_name lam.example.com; root /usr/local/www/lam; access_log /var/log/lam.example.com-access.log; error_log /var/log/lam.example.com-error.log; allow 192.168.1.0/24; deny all; location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ~ (tmp/internal|sess|config|locale) (tmp/internal|sess|config|lib|help|locale) { deny all; return 403; } } </pre> * Restart nginx: <pre> service nginx restart </pre> * Open a web browser and go to http://lam.example.com *# Click on +LAM Configuration -> General Settings+, the default master password is *lam*; make sure to change it before going into production. *# Go to +LAM Configuration -> Edit Server profiles+, select any of the profiles and enter the password *lam*. Change the domains from the default to *dc=example,dc=com*. Click *Save* when finished. *# Go back to login page and log in as the Manager user h2. Resources * http://loga.us/2014/08/16/openldap-and-multi-master-replication-in-freebsd-part-i-openldap/ * https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html