@amigus
Last active February 20, 2024 15:31
OpenLDAP 2.4.x configuration
data.ldif

# Base entry, the directory manager (same DN as rootdn in slapd.conf.custom)
# and the two containers. LDIF entries are separated by blank lines.
dn: dc=migus,dc=org
objectClass: dcObject
objectClass: organization
dc: migus
o: migus
description: Migus Dot Org

dn: cn=Manager,dc=migus,dc=org
objectClass: organizationalRole
cn: Manager
description: Migus Dot Org Directory Manager

dn: ou=Group,dc=migus,dc=org
ou: Group
objectClass: organizationalUnit
description: Migus Dot Org Groups

dn: ou=People,dc=migus,dc=org
ou: People
objectClass: organizationalUnit
description: Migus Dot Org People

# A user: POSIX account, shadow data and mail routing. Every userPassword in
# this file is the placeholder "changeme!" stored in the clear (see
# password-hash in slapd.conf.custom); replace them before loading.
dn: uid=adam,ou=People,dc=migus,dc=org
cn: Adam C. Migus
cn: Adam
givenName: Adam
givenName: C.
sn: Migus
ou: People
objectClass: person
objectClass: inetLocalMailRecipient
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: adam
userPassword: changeme!
mail: [email protected]
uidNumber: 1001
gecos: Adam C. Migus
homeDirectory: /home/adam
mailRoutingAddress: [email protected]
mailLocalAddress: [email protected]
displayName: Adam C. Migus
loginShell: /bin/bash
gidNumber: 100

# Service accounts. authzTo lets each one proxy-authorize as any uid under
# ou=People, subject to "sasl-authz-policy to" in slapd.conf.custom. The uid
# attribute must carry the same value as the RDN of the dn, otherwise slapadd
# rejects the entry for a missing naming attribute value.
dn: uid=posixagent,ou=People,dc=migus,dc=org
objectClass: account
objectClass: simpleSecurityObject
authzTo: dn.regex:^uid=[^,]*,ou=People,dc=migus,dc=org$
uid: posixagent
userPassword: changeme!

dn: uid=cyrusagent,ou=People,dc=migus,dc=org
objectClass: account
objectClass: simpleSecurityObject
authzTo: dn.regex:^uid=[^,]*,ou=People,dc=migus,dc=org$
uid: cyrusagent
userPassword: changeme!

dn: uid=mailagent,ou=People,dc=migus,dc=org
objectClass: account
objectClass: simpleSecurityObject
authzTo: dn.regex:^uid=[^,]*,ou=People,dc=migus,dc=org$
uid: mailagent
userPassword: changeme!
Makefile

# Recipe lines must be indented with a tab. slapd has to be started with
# -F $(DATA) for the converted cn=config tree to be used.
CONF := /etc/openldap
BACKUP := $(CONF)/backup.ldif
DATA := $(CONF)/slapd.d
LIB := /var/lib/ldap
LDIF := ./data.ldif
INPUT := ./slapd.conf.custom
GROUP := ldap
OWNER := root

.PHONY: restart install backup clean

# Default target: wipe the database and config, reload both, restart slapd.
restart: clean install
	systemctl restart slapd

# slapadd loads data.ldif straight from slapd.conf.custom into $(LIB); slaptest
# then converts the same file into the cn=config tree under $(DATA). The ldap
# group (slapd's runtime group) gets read-only config and a writable database.
install: $(INPUT) $(LDIF)
	install -d $(DATA) -o $(OWNER) -g $(GROUP)
	slapadd -f $(INPUT) -l $(LDIF)
	slaptest -F $(DATA) -f $(INPUT)
	chown -R $(OWNER):$(GROUP) $(DATA) $(LIB)
	chmod -R u=rwX,g=rX,o= $(DATA) $(LIB)
	chmod -R g+rwX $(LIB)

# Dump the database to a root-only LDIF (-c continues past unreadable entries).
backup:
	slapcat -c -F $(DATA) -l $(BACKUP)
	chown $(OWNER):$(GROUP) $(BACKUP)
	chmod u=rw,go= $(BACKUP)

# Destructive: removes the database files (DB_CONFIG only matters for the
# bdb/hdb backends, it is kept for compatibility) and the generated config.
clean:
	systemctl stop slapd
	find $(LIB) -mindepth 1 ! -name DB_CONFIG -delete
	rm -rf $(DATA)
slapd.conf.custom

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema

# ACLs are evaluated in order: the first "access to" clause whose target (dn,
# filter, attrs) matches is the only one consulted for that attribute, so the
# specific clauses have to come before the general ones. Continuation lines
# start with whitespace.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

access to attrs=authzTo
    by self read
    by anonymous auth

access to attrs=userPassword,userPKCS12
    by self write
    by anonymous auth
    by * none

# posixagent serves the shadow map and is granted shadowLastChange here: this
# clause is the first match for the attribute, so a grant in a later clause
# would never be reached.
access to attrs=shadowLastChange
    by self write
    by anonymous auth
    by dn.exact="uid=posixagent,ou=People,dc=migus,dc=org" read
    by * none

access to attrs=telephoneNumber,facsimileTelephoneNumber,homePhone,homePostalAddress,mobile,pager,photo
    filter="(objectClass=organizationalPerson)"
    by self write
    by users read

access to attrs=givenName,sn,title,mail,street,postOfficeBox,postalCode,postalAddress,physicalDeliveryOfficeName,ou,st,l,displayName,initials,userCertificate,preferredLanguage,userSMIMECertificate
    filter="(objectClass=organizationalPerson)"
    by users read

# Group members may read their own groups (no attrs clause: the entry and all
# of its attributes).
access to filter="(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))"
    by dnattr=uniqueMember read
    by dnattr=member read

# The $1/$2 captures keep these clauses independent of the suffix. posixagent,
# the NSS/PAM bind account, may read POSIX account and group data; "read" on
# the entry pseudo-attribute is what allows an entry to be returned at all.
access to dn.regex="dc=([^,]+),dc=([^,]+)$"
    attrs=entry
    filter="(objectClass=posixAccount)"
    by dn.exact,expand="uid=posixagent,ou=People,dc=$1,dc=$2" read
    by self read

access to dn.regex="dc=([^,]+),dc=([^,]+)$"
    attrs=uid,cn,uidNumber,gidNumber,homeDirectory,loginShell,gecos,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag
    by dn.exact,expand="uid=posixagent,ou=People,dc=$1,dc=$2" read
    by self read

access to dn.regex="dc=([^,]+),dc=([^,]+)$"
    attrs=gidNumber,memberUid
    by dn.exact,expand="uid=posixagent,ou=People,dc=$1,dc=$2" read

# General entry/objectClass rule, deliberately last so the specific grants
# above take effect. "search" lets a bound user evaluate filters against an
# entry but not receive it; only "read" on entry returns it.
access to attrs=entry,objectClass
    by anonymous auth
    by self read
    by users search

database mdb
suffix "dc=migus,dc=org"
rootdn "cn=Manager,dc=migus,dc=org"
# Placeholder: put the output of slappasswd here instead of a cleartext value.
# rootpw is not covered by the password-hash directive below.
rootpw secret
directory /var/lib/ldap
# Indexes for the attributes the NSS, mail and group lookups filter on.
index objectClass eq,pres
index ou,cn,mail,displayName eq,pres,sub
index mailLocalAddress eq,pres
index uidNumber,gidNumber eq,pres
index uid,memberUid eq,pres,sub
index member eq,pres
index uniqueMember pres
index nisMapName,ipServiceProtocol eq
# Default type for any later index directive that omits one (none here).
index default sub

# An authenticated identity may only assume another one if its own entry's
# authzTo attribute allows it (see the agent entries in data.ldif).
sasl-authz-policy to
# Map SASL SCRAM-SHA-512 authentication identities onto entries under ou=People.
sasl-regexp
    uid=([^,]*),cn=scram-sha-512,cn=auth
    uid=$1,ou=People,dc=migus,dc=org
sasl-secprops noanonymous,noplain
# Cyrus SASL shared-secret mechanisms such as SCRAM need the cleartext
# userPassword, so passwords set through the Password Modify operation are
# stored unhashed. Use {SSHA} or another scheme if SASL binds are not needed.
password-hash {CLEARTEXT}

# 128-bit protection (i.e. TLS) for every operation and for simple binds,
# 256 bits for updates; ldapi:// connections are rated 256 so local root can
# still update.
security ssf=128 update_ssf=256 simple_bind=128
localSSF 256
# 3.3 = TLS 1.2 minimum (3.1 would be TLS 1.0).
TLSProtocolMin 3.3
TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
# cert.pem is used as both CA and server certificate, i.e. a self-signed cert.
TLSCACertificateFile /etc/openldap/cert.pem
TLSCertificateFile /etc/openldap/cert.pem
TLSCertificateKeyFile /etc/openldap/key.pem
TLSVerifyClient never
loglevel conns stats
amigus commented Feb 20, 2024

On a Linux distribution that has an OpenLDAP server package like OpenSUSE:

  1. Install the OpenLDAP server package
  2. Put these 3 files in /etc/openldap
  3. Edit the user in data.ldif
  4. Run make

Verify that the OpenLDAP package starts slapd with -F /etc/openldap/slapd.d.
Alternatively, rename slapd.conf.custom to slapd.conf.
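A pre-flight check to run over data.ldif before step 4, added here as an example; it is not part of the gist. It parses LDIF and reports two things slapadd or a reviewer would otherwise catch: an entry whose RDN value is missing from its body (a dn of uid=cyrusagent with uid: posixagent is rejected as a missing naming attribute value) and userPassword values with no {SCHEME} prefix, i.e. stored in the clear as password-hash {CLEARTEXT} implies. ssha_hash and ssha_verify implement the {SSHA} scheme slappasswd produces for the case where SASL shared-secret mechanisms are not needed. SAMPLE_LDIF is constructed for the demo and the command-line handling in main is an assumption.

```python
"""Pre-flight lint for an OpenLDAP LDIF file before slapadd loads it.
Added example, not part of the gist; SAMPLE_LDIF is constructed and repeats the
naming mistake (dn says cyrusagent, uid says posixagent) on purpose."""
import base64
import hashlib
import hmac
import os
import re
import sys

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")  # name, ':' or '::', value
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")  # hashed values carry a {SCHEME} tag


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...]. Handles '#' comments, folded
    lines (leading space) and '::' base64 values; a 'dn:' line always opens a
    new entry, so a file whose blank separator lines were lost still parses."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold continuation line
        else:
            logical.append(raw)
    entries, cur = [], None
    for line in logical + [""]:  # trailing "" flushes the last entry
        m = ATTR_RE.match(line)
        if not line.strip() or (m and m.group(1).lower() == "dn"):
            if cur is not None:
                entries.append(cur)
            cur = None
        if not line.strip():
            continue
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if attr.lower() == "dn":
            cur = (value, [])
        elif cur is None:
            raise ValueError("attribute before any dn: %r" % line)
        else:
            cur[1].append((attr, value))
    return entries


def rdn_mismatches(entries):
    """DNs whose RDN attribute=value is absent from the entry body; slapadd's
    naming check rejects these. Assumes single-valued RDNs (no '+')."""
    bad = []
    for dn, attrs in entries:
        name, _, value = dn.split(",", 1)[0].partition("=")
        if not any(a.lower() == name.lower() and v == value for a, v in attrs):
            bad.append(dn)
    return bad


def cleartext_passwords(entries):
    """DNs with a userPassword that has no {SCHEME} prefix, i.e. is in the clear."""
    return [dn for dn, attrs in entries
            if any(a.lower() == "userpassword" and not SCHEME_RE.match(v)
                   for a, v in attrs)]


def ssha_hash(password, salt=None):
    """{SSHA} value as slappasswd -h {SSHA} makes it: base64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Constant-time check of a password against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


SAMPLE_LDIF = """\
dn: dc=migus,dc=org
objectClass: dcObject
dc: migus

dn: uid=posixagent,ou=People,dc=migus,dc=org
objectClass: simpleSecurityObject
authzTo: dn.regex:^uid=[^,]*,ou=People,dc=migus,dc=org$
uid: posixagent
userPassword: changeme!

dn: uid=cyrusagent,ou=People,dc=migus,dc=org
objectClass: simpleSecurityObject
uid: posixagent
userPassword:: Y2hhbmdlbWUh
"""

if __name__ == "__main__":
    # Assumption: optional LDIF path argument; with none, the sample is linted.
    entries = parse_ldif(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF)
    for dn in rdn_mismatches(entries):
        print("rdn mismatch:", dn)
    for dn in cleartext_passwords(entries):
        print("cleartext userPassword:", dn)
    print("hashed replacement for changeme!:", ssha_hash("changeme!"))
```

Run it against the real data.ldif with the path as argument; a clean file prints only the hashed sample value. The parser tolerates the blank-line loss that copying from a web page causes, but the RDN check is deliberately strict: slapadd is, too.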
