OpenLDAP

Installation

apt-get install slapd ldap-utils ldapvi

By default the server keeps its configuration in the cn=config tree; you can edit it with ldapvi:

ldapvi -Y EXTERNAL -h ldapi:// -b cn=config

To edit the tree as admin:

ldapvi -h ldap://server -D cn=admin,dc=example,dc=com

Security

Disallow anonymous bind:

0 cn=config
[...]
olcDisallows: bind_anon

Enable TLS (StartTLS) by pointing the server at its certificate chain and private key:

0 cn=config
[...]
olcTLSCertificateFile: /etc/ldap/ssl/fullchain.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/privkey.pem

Force use of TLS for the database (operations on connections without TLS are refused):

11 olcDatabase={1}mdb,cn=config
[...]
olcSecurity: tls=1

You can now connect over TLS with:

ldapvi -ZZ -h ldap://server -D cn=admin,dc=example,dc=com

Remove world read access by dropping the line olcAccess: {2}to * by * read from olcDatabase={1}mdb,cn=config; that rule gives every client read access to the whole tree.

Replication

Reset replication and re-copy the whole database from the provider configured for the given replication id (rid):

slapd -d sync -u openldap -g openldap -h ldap://ldap3.example.com -c rid=000,csn=0

Backup

slapcat > dump.ldif
slapcat -b cn=config > config.ldif
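The config dump above is also a convenient place to check that the hardening steps from the Security section were actually applied. The following audit script is an added example, not part of the original page: it parses a `slapcat -b cn=config` dump and reports missing bind_anon, missing TLS files, a data backend without olcSecurity tls=1, and any leftover `to * by * read` rule. The sample LDIF is constructed for the example.

```python
import base64
import re

# Constructed sample of a `slapcat -b cn=config` dump (not from a real server):
# bind_anon and the TLS files are set, but the mdb backend has no olcSecurity
# and still carries the world-readable rule, folded over two lines as slapcat does.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
olcDisallows: bind_anon
olcTLSCertificateFile: /etc/ldap/ssl/fullchain.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/privkey.pem

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to *
  by * read
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts; unfolds continuation lines, decodes 'attr::' base64."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:   # unfold, then "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):                               # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr, []).append(value.strip())
    return entries

def audit_config(text):
    """Return findings for the four hardening steps: bind_anon, TLS files, tls=1, world-readable ACL."""
    entries = {e["dn"][0]: e for e in parse_ldif(text)}
    root, findings = entries.get("cn=config", {}), []
    if "bind_anon" not in root.get("olcDisallows", []):
        findings.append("cn=config: olcDisallows lacks bind_anon")
    if not (root.get("olcTLSCertificateFile") and root.get("olcTLSCertificateKeyFile")):
        findings.append("cn=config: TLS certificate or key file not configured")
    for dn, e in entries.items():
        if "olcSuffix" not in e:               # only data backends, not frontend/config
            continue
        sec = dict(t.split("=", 1) for t in " ".join(e.get("olcSecurity", [])).split() if "=" in t)
        if int(sec.get("tls", 0)) < 1:
            findings.append(f"{dn}: olcSecurity does not require tls=1")
        for rule in e.get("olcAccess", []):
            if " ".join(re.sub(r"^\{\d+\}", "", rule).split()) == "to * by * read":
                findings.append(f"{dn}: world-readable rule still present: {rule}")
    return findings
```

Run it as `audit_config(open("config.ldif").read())` against your own dump; an empty list means all four settings are in place.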