====== LDAP with slapd 2.5.13 ======
Upgrading from Debian 11 to **Debian 12 Bookworm**, which installs **slapd 2.5.13**, the old **HDB** backend is no longer supported; in syslog you see the error:
slapd[1081465]: lt_dlopenext failed: (back_hdb) file not found
The recommended replacement backend is **LMDB** (the **mdb** backend).
Even though the package upgrade failed, a backup of the old installation was created anyway; it is in **/var/backups/slapd-2.4.57+dfsg-3+deb11u1/**. Copy the files found there and work on the copies, leaving the backup untouched.
===== Migration from HDB to MDB =====
FIXME The **[[https://discourse.ubuntu.com/t/service-migrating-from-openldap-2-4-x-to-2-5-x/23807|Service - Migrating from OpenLDAP 2.4.x to 2.5.x]]** procedure did not work: it fails when trying to reload the **dc=rigacci,dc=org.ldif** dump with the **slapadd** command.
To restore the service, all the required operations were redone from scratch, in particular:
* Loaded the **mozillaAbPersonAlpha** schema.
* Created database #2 to serve the suffix **ou=Addressbook,dc=rigacci,dc=org**.
* Created the **Addressbook** organizationalUnit.
* Created the inetOrgPerson **cn=guest**.
* Loaded all the entries with objectClass **mozillaAbPersonAlpha**.
===== (Re)installation from scratch =====
By installing the **slapd** package from scratch, an empty LDAP database is created using the **dn** (//distinguished name//) **dc=lan,dc=rigacci,dc=net** (i.e. the output of ''%%hostname --domain%%'', which in our case is ''lan.rigacci.net'', is used to generate the **dc** //domain component// parts of the name). During configuration you are asked for a password to be assigned to the admin user, i.e. to the entry **cn=admin,dc=lan,dc=rigacci,dc=net** under that suffix.
The LDAP database is numbered **#1**; initially it contains only the root object, of **objectClass: organization**. You can view it with the command
slapcat -n1
If you run **dpkg-reconfigure slapd** you can generate the LDAP database again: you can change the distinguished name, assign a different organization name and set the admin password.
A special database numbered **#0**, named **cn=config**, is created too. There you can view the configuration options of database #1, the (hashed) password of the admin user, etc. You can dump that special database with:
slapcat -n0
Reading the dump of database #0, you can see that the **cn=config** database has **olcRootDN: cn=admin,cn=config** but no **olcRootPW**, so you cannot modify the config database by binding with a DN/password pair over the network. By default only the local root user can, through the ''ldapi:///'' Unix socket and the EXTERNAL SASL mechanism. See below on how to modify the **cn=config** database (e.g. to add a new database backend).
===== Enable SSL =====
Create a self-signed certificate or get one from a provider such as **[[https://letsencrypt.org/|Let's Encrypt]]**. Copy the files into **/etc/ldap/ssl/** and make them readable by the //openldap// user slapd runs as, but not by everybody: e.g. owner root, group openldap, mode 0640 for the private key. If the certificate comes from Let's Encrypt, remember that it is renewed every few months, so the copy must be repeated at each renewal (e.g. from a certbot deploy hook).
Create the following file **config-ssl.ldif**:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/fullchain.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/privkey.pem
-
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/ssl/cert
and load it into the slapd 2.5 configuration:
ldapmodify -Y EXTERNAL -H ldapi:/// -f config-ssl.ldif
Enable ldaps into **/etc/default/slapd**:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Restart the slapd service and check that it now also listens on 636/tcp.
===== Adding a second (new) database =====
Suppose you want to create a new LDAP database beside **#0** (the ''cn=config'' one) and **#1** (with suffix ''dc=lan,dc=rigacci,dc=net''). This is possible because a single slapd daemon can serve several DITs (Directory Information Trees), possibly with different database backends, different olcRootDN, different ACLs, etc. The only constraint is that the suffix of each database must not be a child of the suffix of another database (nested suffixes require the subordinate-database setup, which is not covered here).
To add a new LDAP database you will use the **ldapadd** command. Several tutorials on the net explain how to do it with the **slapadd** command, but beware that ''slapadd'' is an offline tool: it writes directly into the database files and is meant to be run with slapd stopped, typically to load a complete LDIF during the initial setup of the service, not to change a running server incrementally.
Using ''ldapadd'' to create a new database requires the privilege to modify the ''cn=config'' database. The default Debian installation does not assign a password to the ''cn=admin,cn=config'' entry, so you cannot bind to it over a TCP connection; instead the default ACL of ''cn=config'' grants full access to the local root user connecting through the ''ldapi:///'' Unix socket with the **EXTERNAL SASL mechanism** (the client's uid/gid are passed over the socket and mapped to the identity ''gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'').
Here is an example LDIF file to create a new DIT database, meant to hold an address book. We will use the MDB backend, and the ''/var/lib/ldap/abook/'' directory will contain the data; the database will be populated later. The entry ''cn=admin,ou=Addressbook,dc=rigacci,dc=org'' is defined here as the root DN, i.e. the administrator account with full privileges on this database, bypassing its ACLs. The **olcRootPW** value is shown in cleartext for brevity; in practice give it a hash generated with ''slappasswd'' (e.g. a ''{SSHA}'' value), because the value is written as-is into the configuration file. Beware that the **olcSuffix** must not be a child of an already existing database suffix (notice that we used the ''org'' top level domain instead of the ''net'' used in the previous examples).
The file was named **abook-db.ldif**:
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap/abook
olcRootDN: cn=admin,ou=Addressbook,dc=rigacci,dc=org
olcRootPW: MySecret
olcSizeLimit: 1500
olcDbMaxSize: 104857600
olcSuffix: ou=Addressbook,dc=rigacci,dc=org
olcDbIndex: objectClass eq
olcDbIndex: cn,givenName,mail,sn eq,sub
olcAccess: to * by dn="cn=admin,ou=Addressbook,dc=rigacci,dc=org" write
  by anonymous auth
  by dn="cn=guest,ou=Addressbook,dc=rigacci,dc=org" read
Notice we grant read-only privileges to an entry **cn=guest** in the same tree; that entry will be added to the database later (the two indented lines are LDIF continuation lines of the single olcAccess value). With this single rule ''cn=guest'' can also read every attribute of every entry, including ''userPassword''; a stricter setup puts a separate rule on ''attrs=userPassword'' before it, granting only ''self write'', ''anonymous auth'' and ''* none''. The ''by anonymous auth'' clause is what allows clients to bind at all. Before creating the database we create the destination directory and assign the required permissions (slapd runs as the //openldap// user):
mkdir /var/lib/ldap/abook
chmod 750 /var/lib/ldap/abook
chown openldap:openldap /var/lib/ldap/abook
==== Method #1: connecting without a password ====
To integrate the new configuration into the running one and activate it, just run the following command as **root**:
ldapadd -Y EXTERNAL -H ldapi:/// -f abook-db.ldif
The new database will be created and assigned the number **#2**. Its configuration is written to **/etc/ldap/slapd.d/cn=config/olcDatabase={2}mdb.ldif**, including the **olcRootPW** value exactly as given (another reason to supply a hash rather than a cleartext password). Do not edit the files under ''slapd.d'' by hand while slapd is running; change them through ''ldapmodify'' as shown here.
If the suffix is child of an already existing database, we will get the following error:
adding new entry "olcDatabase=mdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: namingContext "ou=Addressbook,dc=rigacci,dc=org"
already served by a preceding mdb database
==== Method #2: setting a password for the cn=config database ====
If you want to use ''ldapadd'' over a standard TCP connection to alter the ''cn=config'' database, you must first add the **olcRootPW** attribute to it. As for the other database, the value can be a hash generated with ''slappasswd'' instead of the cleartext shown here. Create a **config-chpasswd.ldif** file:
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ConfigMySecret
then feed this file to the running slapd service, authenticating with the EXTERNAL SASL mechanism:
ldapmodify -Y EXTERNAL -H ldapi:/// -f config-chpasswd.ldif
Now it is possible to connect to the slapd service over the network and feed it the //abook-db.ldif// file, binding as ''cn=admin,cn=config'' with the password just set. Remember that a simple bind (''-x'') sends the password in cleartext, so over anything but the local host use ''ldaps://'' or StartTLS (''-ZZ''):
ldapadd -x -W -D "cn=admin,cn=config" -f abook-db.ldif
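Both the ''olcRootPW: MySecret'' of the address book database and the ''olcRootPW: ConfigMySecret'' set above end up verbatim in the files under ''/etc/ldap/slapd.d/''. The following added example (not code from the page or from OpenLDAP) produces the same salted-SHA1 ''{SSHA}'' format that ''slappasswd'' emits by default, base64 of SHA1(password + salt) followed by the salt, so those attributes can hold a hash instead of the cleartext, and shows how such a value is verified. The 4-byte salt length, the helper names and the hypothetical ''rootpw_ldif'' snippet builder are this example's own choices; stronger schemes such as ''{SSHA512}'' or ''{ARGON2}'' need the corresponding loadable modules, which the page does not configure.

```python
"""{SSHA} hashes for olcRootPW / userPassword (added example, not from the page)."""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return an RFC 2307 style {SSHA} value, compatible with slappasswd output.

    Layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    A 4-byte random salt is assumed, as slappasswd uses by default.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a {SSHA} value.

    The salt is whatever follows the 20-byte SHA-1 digest, so values with a
    salt length other than 4 (some tools use 8) verify too.
    """
    if not stored.startswith("{SSHA}"):
        return False
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:
        return False
    if len(blob) <= 20:
        return False
    digest, salt = blob[:20], blob[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def rootpw_ldif(database_dn, password):
    """LDIF modify snippet setting olcRootPW of a database to a hash, not cleartext.

    Hypothetical helper: mirrors the config-chpasswd.ldif shown on the page.
    """
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        "olcRootPW: %s\n" % (database_dn, ssha_hash(password))
    )


if __name__ == "__main__":
    # Feed the output to: ldapmodify -Y EXTERNAL -H ldapi:/// -f -
    print(rootpw_ldif("olcDatabase={0}config,cn=config", "ConfigMySecret"))
```

The same ''ssha_hash'' output can be pasted as the ''userPassword'' of ordinary entries such as ''cn=guest''; a value produced by ''slappasswd -s ConfigMySecret'' verifies with ''ssha_verify'' as well, since the format is identical.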
===== Adding an additional schema =====
The default installation of slapd in Debian 12 creates some LDAP schemas into the default configuration; namely (see the **/etc/ldap/slapd.d/cn=config/cn=schema/** directory):
* cn={0}core.ldif
* cn={1}cosine.ldif
* cn={2}nis.ldif
* cn={3}inetorgperson.ldif
Suppose you want to install an additional schema, e.g. the **mozillaAbPersonAlpha**, to create an address book database. Get the schema file from the **[[https://wiki.mozilla.org/MailNews:Mozilla_LDAP_Address_Book_Schema|Mozilla Wiki]]** and have a look inside it; from the comments you can see that this schema depends upon //core//, //cosine// and //inetorgperson//, this means that no other schemas are required. Save the schema file into **/etc/ldap/schema/mozillaabpersonalpha.schema**.
We will use the **slaptest** tool in a tricky manner. First we create a **slapd-tmp.conf** using the old **slapd.conf(5)** syntax (OpenLDAP pre-2.5 style), then ''slaptest'' converts it, into a temporary directory, to the new **slapd-config(5)** LDIF layout. From the temporary directory only the LDIF file for the mozillaAbPersonAlpha schema is copied into the real slapd configuration directory. The schema gets index ''{4}'' because it is the fifth ''include'' in the temporary file; that index must be the next free one in **/etc/ldap/slapd.d/cn=config/cn=schema/**, so check that directory first if your installation has more schemas than the four listed above. After copying, ''slaptest -F /etc/ldap/slapd.d'' can be run to check the resulting configuration before starting the service again.
echo "Creating a slapd-tmp.conf file..."
cat << EOF > slapd-tmp.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/mozillaabpersonalpha.schema
EOF
echo "Converting slapd.conf(5) file into slapd-config(5) ldif files..."
mkdir slapd-tmp.d
slaptest -f slapd-tmp.conf -F slapd-tmp.d
echo "Copying mozillaAbPersonAlpha schema into actual Slapd config..."
systemctl stop slapd.service
cp "slapd-tmp.d/cn=config/cn=schema/cn={4}mozillaabpersonalpha.ldif" "/etc/ldap/slapd.d/cn=config/cn=schema/"
chown openldap:openldap "/etc/ldap/slapd.d/cn=config/cn=schema/cn={4}mozillaabpersonalpha.ldif"
chmod 0600 "/etc/ldap/slapd.d/cn=config/cn=schema/cn={4}mozillaabpersonalpha.ldif"
systemctl start slapd.service
===== Restore from the backup file =====
The upgrade process created a backup of the existing LDAP database into the **/var/backups/slapd-2.4.57+dfsg-3+deb11u1/** directory. In our case there is a single file **dc=rigacci,dc=org.ldif** containing all the required entries. In the following examples we extracted from the file the logically different items to be restored.
Beware that the restore will not be a perfect copy of the previous database. Several attributes must be purged from the backup file before feeding it back to the LDAP server: they are operational attributes that slapd generates and maintains itself, and ''ldapadd'' refuses entries that try to set them (''slapadd'', working offline on the database files, would accept them, which is why the migration guide uses it). They are:
* structuralObjectClass
* entryUUID
* creatorsName
* createTimestamp
* entryCSN
* modifiersName
* modifyTimestamp
Once a snippet of the file is ready, you can feed it to the slapd service with the following command:
ldapadd -x -W -D "cn=admin,ou=Addressbook,dc=rigacci,dc=org" -f file.ldif
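Removing those attributes with a plain ''grep -v'' breaks on the long values that slapcat folds onto continuation lines (a line starting with a single space belongs to the previous one). The following added example, written for this page and not part of it or of OpenLDAP, parses the dump properly: it unfolds continuation lines, drops the seven operational attributes, and can pick only the entries of a given objectClass, which is how the dump is split into the "logically different items" restored in the three subsections below. The sample dump embedded in it is constructed for the example (the entryUUID and timestamps are placeholders, not values from the real backup).

```python
"""Clean a slapcat LDIF dump so that ldapadd accepts it (added example)."""
import sys

# Operational attributes maintained by slapd; ldapadd rejects them.
OPERATIONAL = {
    "structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
    "entrycsn", "modifiersname", "modifytimestamp",
}


def parse_ldif(text):
    """Split LDIF text into records, each a list of unfolded 'attr: value' lines."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # continuation line: glue to previous
            continue
        if raw.startswith("#") or raw.startswith("version:"):
            continue                        # comments and the version header
        if raw.strip() == "":
            if current:                     # blank line ends a record
                records.append(current)
                current = []
            continue
        current.append(raw)
    if current:
        records.append(current)
    return records


def attr_name(line):
    """Lowercased attribute name of an 'attr: value' or 'attr:: base64' line."""
    name = line.split(":", 1)[0]
    return name.split(";", 1)[0].strip().lower()   # ignore options like ;binary


def strip_operational(record, names=OPERATIONAL):
    return [line for line in record if attr_name(line) not in names]


def has_objectclass(record, oc):
    oc = oc.lower()
    return any(attr_name(l) == "objectclass"
               and l.split(":", 1)[1].strip().lower() == oc for l in record)


def record_dn(record):
    return record[0].split(":", 1)[1].strip()


def clean_dump(text, objectclass=None):
    """Return (list of DNs, cleaned LDIF text), optionally only one objectClass."""
    kept = []
    for rec in parse_ldif(text):
        if objectclass and not has_objectclass(rec, objectclass):
            continue
        kept.append(strip_operational(rec))
    ldif = "\n\n".join("\n".join(r) for r in kept) + ("\n" if kept else "")
    return [record_dn(r) for r in kept], ldif


# Constructed sample in slapcat format (placeholder operational values).
SAMPLE_DUMP = """version: 1

dn: ou=Addressbook,dc=rigacci,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Addressbook
structuralObjectClass: organizationalUnit
entryUUID: 00000000-0000-0000-0000-000000000001
creatorsName: cn=admin,ou=Addressbook,dc=rigacci,dc=org
createTimestamp: 20210101120000Z
entryCSN: 20210101120000.000000Z#000000#000#000000
modifiersName: cn=admin,ou=Addressbook,dc=rigacci,dc=org
modifyTimestamp: 20210101120000Z

dn: cn=Niccolo Rigacci,ou=Addressbook,dc=rigacci,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlpha
cn: Niccolo Rigacci
sn: Rigacci
mail: niccolo@rigacci.org
description:: Y2lhbw==
mozillaWorkUrl: http://www.rigacci.org/some/very/long/path/that/slapcat/fo
 lded/onto/the/next/line
structuralObjectClass: inetOrgPerson
entryUUID: 00000000-0000-0000-0000-000000000002
entryCSN: 20210101120000.000000Z#000000#000#000000
"""

if __name__ == "__main__":
    # Usage: python3 clean_ldif.py dump.ldif [objectClass] > file.ldif
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    oc = sys.argv[2] if len(sys.argv) > 2 else None
    dns, out = clean_dump(src, oc)
    sys.stdout.write(out)
    sys.stderr.write("%d entries\n" % len(dns))
```

Run it once per logical group (no filter for the organizationalUnit, ''mozillaAbPersonAlpha'' for the contacts) and feed each output to the ''ldapadd'' command above; the base64 (''::'') values are passed through untouched, since ldapadd understands them.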
In the following three subsections we will see what is needed for a full restore.
==== Create the Addressbook organizationalUnit ====
dn: ou=Addressbook,dc=rigacci,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Addressbook
==== Create the Addressbook guest person ====
The ''userPassword'' value is stored exactly as written (unless the ppolicy overlay is configured to hash it), so rather than the cleartext shown here it is better to supply a ''{SSHA}'' hash produced by ''slappasswd''.
dn: cn=guest,ou=Addressbook,dc=rigacci,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
sn: guest
cn: guest
userPassword: ReadOnlySecret
==== Load all the mozillaAbPersonAlpha entries ====
Each mozillaAbPersonAlpha entry looks something like this, after removing the operational attributes listed above:
dn: cn=Niccolo Rigacci,ou=Addressbook,dc=rigacci,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlpha
cn: Niccolo Rigacci
givenName: Niccolo
sn: Rigacci
mail: niccolo@rigacci.org
telephoneNumber: 055-0118525
mobile: 327-5556667
facsimileTelephoneNumber: 055-0118525
homePhone: 055-8979395
mozillaWorkUrl: http://www.rigacci.org/
==== Testing an ldapsearch ====
Finally you can test that the LDAP database is working by doing a full search with **ldapsearch**, binding as the read-only guest user (''-x'' selects a simple bind; without it ldapsearch would attempt a SASL bind and ignore the DN):
ldapsearch -x -W \
-H ldap://127.0.0.1/ \
-D "cn=guest,ou=Addressbook,dc=rigacci,dc=org" \
-b 'ou=Addressbook,dc=rigacci,dc=org'
The **ldap** protocol is on port **389/tcp**, **ldaps** is on **636/tcp**.
===== Web References =====
* **[[https://www.openldap.org/doc/admin25/index.html|OpenLDAP Software 2.5 Administrator's Guide]]**
* **[[https://discourse.ubuntu.com/t/service-migrating-from-openldap-2-4-x-to-2-5-x/23807|Service - Migrating from OpenLDAP 2.4.x to 2.5.x]]**