====== OpenLDAP ======

  * https://www.openldap.org/doc/admin24/


===== Installation =====


<code>
apt-get install slapd ldap-utils ldapvi
</code>

By default the server will use ''cn=config'', you can edit it with ldapvi:

<code>
ldapvi -Y EXTERNAL -h ldapi:// -b cn=config
</code>


To edit the tree as admin:

<code>
ldapvi -h ldap://server -D cn=admin,dc=example,dc=com
</code>

===== Security =====

Disallow anonymous bind:

<code>
0 cn=config
[...]
olcDisallows: bind_anon
</code>

Enable TLS with starttls:

<code>
0 cn=config
[...]
olcTLSCertificateFile: /etc/ldap/ssl/fullchain.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/privkey.pem
</code>

Force use of TLS

<code>
11 olcDatabase={1}mdb,cn=config
[...]
olcSecurity: tls=1
</code>

You can now connect with tls with:

<code>
ldapvi -ZZ -h ldap://server -D cn=admin,dc=example,dc=com
</code>

Disable read access to all by dropping the line ''olcAccess: {2}to * by * read'' in ''olcDatabase={1}mdb,cn=config''

===== Replication =====

Reset replication and copy whole database from a given server (rid)

<code>
slapd -d sync -u openldap -g openldap -h ldap://ldap3.example.com -c rid=000,csn=0
</code>


===== Backup =====

<code>
slapcat > dump.ldif
slapcat -b cn=config > config.ldif
</code>