Wednesday, June 6, 2012

OpenLdap, Slapd and Fedora 17

Single most useful statement about OpenLdap I found was in "LDAP for Rocket Scientists" :
The bad news is that IOHO never has so much been written so incomprehensibly about a single topic with the possible exceptions of BIND and ... and ...
Last time I had used slapd was some years ago. I needed to help a colleague. Fortunately, it was on Ubuntu and the absence of slapd.conf was not too intimidating. It wasn't hard to find that all one needed to do was
# dpkg-reconfigure slapd
I would need to help my colleague some more. So, I decided to set one up at home - on Fedora 16. And that is when I found the comment from "LDAP for Rocket Scientists". There did not seem to be an equivalent of Debian option for getting started. Also, the slapd.d files are substantial differences in the files in slapd.d in Debian and Fedora. Although I managed to get started using ldapmodify, the feeling has been that there has to be a simpler way, especially when I started using tls.

I used self-signed certificates but was having difficulty in getting the certificated trusted. Meanwhile, I upgraded to Fedora 17. There were changes in the way slapd is setup. Instead of /usr/openldap/cacerts, it uses /usr/openldap/certs directory. There are some scripts like and There must be some documentation somewhere about these changes. I just haven't found it yet.

So, I plan to drop the slap setup done so far. Start afresh on Fedora 17, making use of the tools provided and see if it makes life simpler.

A few simple things which have tripped me so far -
  • Each ldap application is a client and has its own configuration file. It does not need to use /etc/openldap/ldap.conf
  • Fedora now relies on sssd for ldap authentication. Since I keep upgrading my system, it did not have this server and was using nss_ldap and pam_ldap.
  • The 'Common Name' on the certificate. 
The steps in next post.

No comments:

Post a Comment