There are 2 main ways of having OpenLDAP configured :
- One using a single conf file (on debian/ubuntu systems, located in /etc/ldap/sldapd.conf)
- A new one which tends to store the configuration into a specific LDAP branch (name cn=config), and composed of several files located generally into /etc/ldap/slapd.d).
We document here the second case (slapd.d-style configuration).
Note : It's also possible to delegate the authentication of certain users to a remote Active Directory or LDAP, see the SASL Doc page.
sudo apt-get install slapd ldap-utils
You will need to provide the LDAP administrator password. Choose a strong one.
Before creating the LDAP tree, you should have a look at the users and groups we'll be adding.
The file bootstrap.ldif creates the database and an administrator account (cn=admin,dc=georchestra,dc=org) with a password set by default to secret. You should change it.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f bootstrap.ldif
If successful, the above command should display: adding new entry "olcDatabase=mdb,cn=config".
To create the root DN, use the root.ldif file:
ldapadd -D"cn=admin,dc=georchestra,dc=org" -W -f root.ldif
This will ask the password for the cn=admin,dc=georchestra,dc=org dn, which was set with the previous command.
Groups in geOrchestra are instances of groupOfMembers objects, which allows empty groups (contrary to groupOfNames, which were used in previous geOrchestra releases).
This objectClass comes from rfc2307bis and is not available by default in OpenLDAP. As a result, we need to import its structure into the cn=config database, using the groupofmembers.ldif file:
ldapadd -Y EXTERNAL -H ldapi:/// -f groupofmembers.ldif
The optional "memberof" overlay is great to check if a user is a member of a given group. Use the memberof.ldif file to add the module and configure the overlay.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f memberof.ldif
Caution: by default, we're adding the overlay to the {1}mdb,cn=config database. You may have to customize this if your setup is different (having a look at the /etc/ldap/slapd.d/cn=config/ directory).
The georchestra.ldif file creates the default geOrchestra users & groups:
ldapadd -D"cn=admin,dc=georchestra,dc=org" -W -f georchestra.ldif
This will also ask the password for the cn=admin,dc=georchestra,dc=org dn.
Note that you are free to customize the users (entries under the "users" OrganizationUnit) to fit your needs, provided you keep the required geoserver_privileged_user.
To manage the directory, there are (at least) 3 options:
- from the command line, use ldapvi (install with
sudo apt-get install ldapvi):
ldapvi --host localhost -D "cn=admin,dc=georchestra,dc=org" -w "secret" -b "dc=georchestra,dc=org"
- Apache Directory Studio, a powerful desktop client.
- our own ldapadmin web application, available at
/ldapadmin/privateui/to members of theMOD_LDAPADMINgroup, is probably the easiest one.