Steffen's Knowledge Base

Created at: 2020-04-01 00:27:00
Last modified at: 2024-03-22 11:15:54
Author: Steffen Rick

Openldap

openldap configuration
Explains the structure of the LDAP tree and the inheritance of LDAP schemas
https://www.digitalocean.com/community/tutorials/understanding-the-ldap-protocol-data-hierarchy-and-entry-components
ldapmodify and the like: modifying entries from the command line
https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system
config file settings
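# ldap.conf
# Client-side defaults for ldapsearch/ldapadd/ldapmodify/... (see ldap.conf(5)).
BASE    dc=srick,dc=org
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
# ldapi:// is the local Unix-domain socket, so a simple bind (-x) over it never
# leaves the host. Over a network ldap:// URI use StartTLS (-ZZ) or ldaps://,
# otherwise the bind password is sent in cleartext.
URI     ldapi://

#TLS_CACERT /usr/local/etc/letsencrypt/live/tools.hzn.srick.org/chain.pem
# In ldap.conf the keyword is TLS_CACERT followed by the path. The
# LDAPTLS_CACERT=... spelling is the environment-variable form and is not
# recognised as a file keyword, so the CA bundle was not being taken from this
# file before (unnoticed here because ldapi:// does not use TLS).
TLS_CACERT /usr/local/share/certs/ca-root-nss.crt

# TLS_REQCERT never disables server certificate verification entirely; keep
# the default (demand) and fix the CA bundle instead of relaxing this.
#TLS_REQCERT never

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never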

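# slapd.conf
# Server configuration (slapd.conf(5)): schemas, one mdb database, the
# administrative rootdn, and access controls for password hashes.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# posixAccount (used by the NIS-style user entries below) is defined in
# nis.schema; without this include slapd rejects those entries because the
# objectClass is unknown.
include /usr/local/etc/openldap/schema/nis.schema

pidfile  /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_mdb

database mdb
maxsize  1073741824
suffix   "dc=srick,dc=org"
rootdn   "cn=rootdn,dc=srick,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# {SSHA}xyz is a placeholder; paste the output of slappasswd here.
rootpw   {SSHA}xyz

# With no access directives slapd's default policy is "access to * by * read",
# which lets anonymous clients read every userPassword hash. Restrict the
# password attribute to its owner (for changing it) and to bind
# authentication, and keep the rest of the tree readable. The rootdn bypasses
# these rules, so the ldap* commands bound as rootdn keep working.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read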
create the dcObject dc=srick,dc=org
# Base entry of the tree (the DN configured as suffix in slapd.conf and as
# BASE in ldap.conf). Loaded with ldapadd, so no changetype line is needed;
# ldapmodify would require "changetype: add".
# The description value below is deliberately multi-line to show LDIF
# continuation: a value continues on the next line only if that line begins
# with exactly one space, so no comment may be placed between those lines.
dn: dc=srick,dc=org
dc: srick
description: My wonderful company as much text as you want to place
 in this line up to 32K continuation data for the line above must
 have <CR> or <CR><LF> i.e. ENTER works
 on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: srick.org

# Load the base entry as the rootdn: -x simple bind, -W prompts for the rootpw,
# -H ldapi:// keeps the bind on the local Unix socket (no cleartext on the wire).
ldapadd -H ldapi:// -x -D "cn=rootdn,dc=srick,dc=org" -W -f dcObject.ldif
add the hzn ou
# Organizational unit holding the user entries. Attribute names in LDIF are
# case-insensitive, so "changeType" is read the same as "changetype"; the
# changetype line is what lets ldapmodify (rather than only ldapadd) load it.
dn: ou=hzn,dc=srick,dc=org
changeType: add
objectClass: top
objectClass: organizationalUnit
ou: hzn

# Apply ou.ldif (it carries its own changetype) as the rootdn over the local
# socket; -W prompts for the password instead of taking it on the command line.
ldapmodify -H ldapi:// -x -D "cn=rootdn,dc=srick,dc=org" -W -f ou.ldif
add user
# Plain inetOrgPerson user entry (structural class, no POSIX attributes).
# Loaded the same way as ou.ldif above (ldapmodify with -f, bound as rootdn).
dn: uid=steffen.rick,ou=hzn,dc=srick,dc=org
changetype: add
objectClass: inetOrgPerson
description: Steffen Rick your favorite SA
cn: Steffen Rick
sn: srick
uid: steffen.rick
# {SSHA}xyz is a placeholder; store a real hash generated with slappasswd,
# never a cleartext password.
userPassword: {SSHA}xyz
add a user using the more common NIS class (useful for the integration with Dovecot)
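# NIS-style user entry. posixAccount is an AUXILIARY class (nis.schema), so
# slapd rejects an entry that lists it alone ("no structural object class"),
# and sn/description are not posixAccount attributes either. inetOrgPerson
# supplies the structural class and those attributes; nis.schema must be
# included in slapd.conf for posixAccount to be known.
dn: uid=user123,ou=hzn,dc=srick,dc=org
changetype: add
objectClass: inetOrgPerson
objectClass: posixAccount
description: Test user
cn: Test User
sn: user123
# taken from nis.schema, posixAccount
uid: user123
uidNumber: 1001
# NOTE(review): gidNumber 0 is the root/wheel group on most systems; a test
# account should get a dedicated group id — confirm against /etc/group on the
# consuming hosts.
gidNumber: 0
# NOTE(review): home directory does not match the uid (user123) — verify this
# is intended.
homeDirectory: /home/srick
# slappasswd generated
userPassword: {SSHA}8RYV6wdYiMaEaxA0vDmnKwLHwufspcGT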
change a user's password
# Set a new password for the given user DN as the rootdn. -S prompts for the
# new password (it is hashed server-side), -W prompts for the rootdn password;
# neither appears on the command line or in shell history.
ldappasswd -x -H ldapi:// -D "cn=rootdn,dc=srick,dc=org" -W -S "uid=steffen.rick,ou=hzn,dc=srick,dc=org"
delete user
# Remove the user entry by DN, bound as the rootdn over the local socket.
ldapdelete -x -H ldapi:// -D "cn=rootdn,dc=srick,dc=org" -W "uid=steffen.rick,ou=hzn,dc=srick,dc=org"
searching in LDAP
# Subtree search below the base DN for entries matching o=srick.org. No -H is
# given, so the URI comes from ldap.conf. Binding as the rootdn bypasses all
# ACLs and returns password hashes; for routine lookups bind as a
# less-privileged DN (or anonymously) so the ACLs are actually exercised.
ldapsearch -x -W -D "cn=rootdn,dc=srick,dc=org" -b "dc=srick,dc=org" "o=srick.org"
delete entries using an LDIF file (delete.ldif)
# Apply delete.ldif (not shown here; an LDIF change record with
# "changetype: delete" per DN) as the rootdn over the local socket.
ldapmodify -H ldapi:// -x -D "cn=rootdn,dc=srick,dc=org" -W -f delete.ldif

https://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/