S0t4's Blog

Just notes, and an attempt to share

Thursday, April 29, 2010

OpenLDAP on Ubuntu 9.10 (Karmic Koala)

  Blogger Sejati       Thursday, April 29, 2010
Just notes.....

In Ubuntu 9.10 Karmic Koala the installation of OpenLDAP got a bit more complicated. During installation you are no longer asked for a password, and you have to set up the database yourself. This is only possible using the OpenLDAP server's root account. Yes, you read correctly: only a very minimal cn=config is provided by default.

There is an official statement about this [1] (in short: it is part of a future strategy to bring OpenLDAP to a broader spectrum; keyword: Kerberos), but unfortunately there is (as of November 4th, 2009) neither an official nor an unofficial HowTo on how to set up the whole thing. So here is my take:

First, install OpenLDAP:
Code:

apt-get -y install slapd ldap-utils


A dpkg-reconfigure slapd is useless, by the way.

Now add a few schemata (only core.schema is provided by default):

Code:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif


After that, we set up the initial cn=config database. Open a temporary file in your favourite text editor:

Code:

vi /root/db.ldif

and insert the following listing (download here, then change the extension from txt to ldif):

Code:

###########################################################
# DATABASE SETUP
###########################################################

# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=home,dc=com
olcRootDN: cn=admin,dc=home,dc=com
olcRootPW: 1234
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq


###########################################################
# DEFAULTS MODIFICATION
###########################################################
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.

dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {CRYPT}7hzU8RaZxaGi2

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

Apply this configuration with the following command. The {CRYPT} hash set as olcRootPW on olcDatabase={0}config above is just the example value from this listing; generate your own with slappasswd and use that password later when binding as cn=admin,cn=config:

Code:

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/db.ldif

This makes cn=admin,dc=home,dc=com the root DN of the new database, with the password 1234 (the entry itself is created in the next step). Be aware: from now on this DN has all privileges on your LDAP server and bypasses every olcAccess rule!
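As an added check (example code written for this page, not part of the original HowTo), the following Python audits a cn=config LDIF such as db.ldif above for the two things that matter most here: an olcRootPW stored in cleartext, and olcAccess rules that let anonymous or everyone read userPassword. It re-joins LDIF continuation lines first, so a wrapped olcAccess value is evaluated as one rule; the embedded sample is constructed from the page's db.ldif.

```python
import re
# Constructed sample: the password-relevant part of the db.ldif above, with the long
# olcAccess value wrapped as LDIF wraps it (a continuation line starts with a space).
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=home,dc=com
olcRootPW: 1234
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,d
 c=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
"""
EXPOSING = {"read", "write", "manage"}  # access levels that disclose a value

def parse_ldif(text):
    """Entries as {attr: [values]}; RFC 2849 continuation lines are re-joined."""
    text = re.sub(r"\n ", "", text)          # a line starting with a space continues the previous one
    entries = []
    for block in text.split("\n\n"):         # a blank line separates entries
        cur = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                cur.setdefault(attr.strip(), []).append(value.strip())
        if cur:
            entries.append(cur)
    return entries

def audit(entries):
    """Findings: cleartext olcRootPW, ACLs exposing userPassword, or no such ACL at all."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        for pw in e.get("olcRootPW", []):
            if not re.match(r"\{[A-Za-z0-9-]+\}", pw):   # no {SSHA}/{CRYPT} prefix
                findings.append(f"{dn}: olcRootPW is stored in cleartext")
        pw_rule = False
        for acl in e.get("olcAccess", []):
            body = re.sub(r"^\{\d+\}", "", acl)          # strip the {n} ordering prefix
            what, _, rest = body.partition(" by ")
            if "userPassword" not in what:
                continue
            pw_rule = True
            for clause in rest.split(" by "):            # "<who> <level>" pairs
                who, _, level = clause.strip().rpartition(" ")
                if who in ("*", "anonymous", "users") and level in EXPOSING:
                    findings.append(f"{dn}: '{body}' lets {who} read password hashes")
        if e.get("olcAccess") and not pw_rule:
            findings.append(f"{dn}: no olcAccess rule restricts userPassword")
    return findings
```

Run against the listing above it reports only the cleartext olcRootPW; change the ACL's final `by * none` to `by * read` and it also reports the hash exposure.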

Now set up a minimal LDAP DIT. Open another temporary file:

Code:

vi /tmp/base.ldif


and insert the following (download here, then change the extension from txt to ldif):

Code:

# Tree root
dn: dc=home,dc=com
objectClass: dcObject
objectclass: organization
o: home.com
dc: home
description: Tree root

# LDAP admin
dn: cn=admin,dc=home,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: 1234
description: LDAP administrator

...and apply it:

Code:

ldapadd -x -D cn=admin,dc=home,dc=com -W -f /tmp/base.ldif -h 127.0.0.1

When asked for a password, enter 1234. From now on you are at the level of a fresh OpenLDAP installation on Jaunty. The rest is up to you.

By the way, with the following commands you can read your cn=config:

Code:

ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W

and your LDAP DIT (this time as an anonymous user, so thanks to ACL {0} the userPassword of cn=admin,dc=home,dc=com is not shown):

Code:

ldapsearch -xLLL -b dc=home,dc=com


NEXT STEPS .....

The following scenario turns OpenLDAP into a server that stores e-mail client address-book data so it can be reached from any computer on the network (tested with the Thunderbird, Outlook 2003, Outlook 2002 and Outlook Express e-mail clients).


*** Creating the Addressbook Directory in the home.com Domain

sudo ldapadd -x -D cn=admin,dc=home,dc=com -W -f /tmp/address.ldif -h 127.0.0.1

contents of address.ldif (download here, then change txt to ldif):

# addressbook, home, com
dn: ou=addressbook, dc=home, dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook

*** Entering Data in the Addressbook Directory of the home.com Domain

sudo ldapadd -x -D cn=admin,dc=home,dc=com -W -f /tmp/contact.ldif -h 127.0.0.1

contents of contact.ldif:

dn: cn=John Doe, ou=addressbook, dc=home, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Doe
gn: John
sn: Doe
mail: johndoe@test.com
physicalDeliveryOfficeName: Breketek, Tbk., Staff
postalAddress: -
l: -
ou: addressbook
st: -
postalCode: -
telephoneNumber: 0
facsimileTelephoneNumber: 0
pager: 0
mobile: 0361-7927014
homePhone: 0
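Hand-written LDIF like contact.ldif works for one entry, but as soon as a contact's name contains a comma or a value starts with a space the entry either fails to load or is silently altered. This added example (my own code, not from the page; the contacts are constructed sample data for the ou=addressbook tree above) generates inetOrgPerson entries with RFC 4514 DN escaping, RFC 2849 base64 encoding where required, and a check for the attributes the person object class makes mandatory.

```python
import base64
import re

BASE = "ou=addressbook,dc=home,dc=com"
# Constructed sample contacts; the second one needs DN escaping and base64.
CONTACTS = [
    {"cn": "John Doe", "givenName": "John", "sn": "Doe",
     "mail": "johndoe@test.com", "mobile": "0361-7927014"},
    {"cn": "Smith, Jane", "givenName": "Jane", "sn": "Smith",
     "mail": "jane@test.com", "physicalDeliveryOfficeName": " Breketek, Tbk., Staff"},
]

def escape_rdn_value(value):
    """Escape what RFC 4514 forbids unescaped in an RDN value (e.g. the comma in 'Smith, Jane')."""
    value = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if value[:1] in ("#", " "):              # leading '#' or space
        value = "\\" + value
    if value.endswith(" "):                  # trailing space
        value = value[:-1] + "\\ "
    return value

def ldif_attr(attr, value):
    """'attr: value', or 'attr:: <base64>' where RFC 2849 requires it
    (non-ASCII, control characters, leading space/':'/'<', trailing space)."""
    plain = (value.isascii() and value.isprintable()
             and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def contact_to_ldif(contact):
    """One inetOrgPerson entry; cn and sn are MUST attributes of person."""
    for must in ("cn", "sn"):
        if not contact.get(must):
            raise ValueError(f"contact is missing required attribute {must}")
    lines = [f"dn: cn={escape_rdn_value(contact['cn'])},{BASE}",
             "objectClass: top", "objectClass: person",
             "objectClass: organizationalPerson", "objectClass: inetOrgPerson"]
    lines += [ldif_attr(attr, value) for attr, value in contact.items()]
    return "\n".join(lines) + "\n"

def build_ldif(contacts):
    """Whole file for ldapadd: entries separated by a blank line."""
    return "\n".join(contact_to_ldif(c) for c in contacts)
```

Write the result of build_ldif(CONTACTS) to a file and load it with the same ldapadd command as contact.ldif.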


BACKING UP THE OPENLDAP DATABASE

a simple script:
create a file backup-ldap.sh with the following contents:

#!/bin/bash
DATADIR=/var/backup/ldap
DATE=$(date +%Y-%m-%d)
# The dump contains password hashes: create it unreadable to other users
umask 077
mkdir -p "$DATADIR"
# Backup LDAP
echo "Backup LDAP"
slapcat -l "$DATADIR/ldap-backup-$DATE.ldif"
echo "Compress LDAP backup files"
gzip -9 "$DATADIR/ldap-backup-$DATE.ldif"
echo "Delete backup files older than 5 days"
# Delete old files
find "$DATADIR" -name '*.gz' -mtime +5 -exec rm {} \;
echo "Done!"
exit 0

make it executable with chmod +x backup-ldap.sh, then run it:
sudo ./backup-ldap.sh

RESTORING THE OPENLDAP DATABASE

First decompress the gzip file:
#gunzip ldap-backup-2009-12-30.ldif.gz

Stop slapd:
#/etc/init.d/slapd stop

then run the following command (this setup keeps its configuration in cn=config under /etc/ldap/slapd.d, so slapadd is pointed at that directory with -F instead of at a slapd.conf):
#slapadd -v -c -l ldap-backup-2009-12-30.ldif -F /etc/ldap/slapd.d

slapadd run as root leaves the database files in /var/lib/ldap owned by root, while slapd on Ubuntu runs as the openldap user, so hand them back before starting the server:
#chown -R openldap:openldap /var/lib/ldap

then restart slapd
#/etc/init.d/slapd restart
