License

Copyright (C) 2008-2017 Oliver Bohlen.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

Introduction

This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Howto: OpenLDAP for Gentoo Linux

A short howto for setting up your own basic LDAP server.
After emerging openldap, generate the hashed LDAP root password with slappasswd; the {SSHA} value it prints goes into the rootpw line of the slapd.conf later on. Never put the plaintext password there.

slappasswd
New password: my-password
Re-enter new password: my-password
{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
You can create users, groups, computers,... with the WebGUI PHPLDAPAdmin. Have a look at the OpenLDAP WebGUI Howto.

Before using this howto you need to have finished the following howto(s):

Required software

The required software has to be installed with the following command(s):
emerge net-nds/openldap

Changes in /etc/ldap.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--


Changed on 24.02.09
Issued by olli
Beginning line 15

LDAP client configuration (how pam_ldap/nss_ldap connect to the LDAP server). One setting deserves attention: TLS_REQCERT allow makes the client accept any server certificate, self-signed or issued for the wrong name, so ldaps:// on this client defeats passive sniffing but not an active man-in-the-middle answering on port 636 with his own certificate. As long as the server is only reached over 127.0.0.1 that is tolerable; once clients connect over the network, set TLS_REQCERT demand and point TLS_CACERT at the CA certificate that signed the server certificate from slapd.conf. bind_policy hard retries failed connections (within the reconnect limits below) instead of returning an error at once; the short timeouts keep those retries from blocking logins for long when slapd is down.

BASE         dc=example,dc=com
URI          ldaps://127.0.0.1:636
pam_login_attribute	uid:caseExactMatch:
TLS_REQCERT   allow
NETWORK_TIMEOUT 3
timeout 3
timelimit 3
bind_policy hard
bind_timelimit 3
nss_reconnect_tries 3
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
nss_initgroups_ignoreusers adm,amavis,apache,arpwatch,asterisk,at,bin,clamav,cron,cyrus,daemon,ddclient,dhcp,distcc,ez-ipupd,fetchmail,ftp,get,halt,hsqldb,icecast,ices,ldap,lp,mail,mailman,man,mediatomb,memcached,messagebus,minidlna,mysql,named,news,nobody,ntp,openvpn,operator,pdns,polkitd,portage,postfix,postmaster,privoxy,root,rpc,saned,shutdown,smmsp,snort,squid,sshd,sync,tcpdump,tor,uucp
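An added example (this editor's code, not part of the howto) that reads a client ldap.conf and flags the settings a pentester would look for first: TLS_REQCERT never/allow (no certificate verification), a missing TLS_CACERT/TLS_CACERTDIR trust anchor, and plain ldap:// URIs without StartTLS. The sample text is the howto's own settings, constructed inline; the audit rules are this editor's, not ldap.conf(5)'s.

```python
from typing import Dict, List

# Constructed sample: the client settings from this howto's /etc/ldap.conf
SAMPLE_LDAP_CONF = """\
BASE         dc=example,dc=com
URI          ldaps://127.0.0.1:636
pam_login_attribute	uid:caseExactMatch:
TLS_REQCERT   allow
NETWORK_TIMEOUT 3
bind_policy hard
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'KEYWORD value' lines. Keywords are case-insensitive (ldap.conf(5)), so store them lower-cased."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    # libldap's default is 'demand' (verify, fail on a bad cert); 'allow' and 'never' skip verification
    reqcert = settings.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not verified, an active "
                        "attacker on the path can impersonate the server; use 'demand'")
    if "tls_cacert" not in settings and "tls_cacertdir" not in settings:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no explicit trust anchor; verification falls back "
                        "to the system store, which does not know a self-signed server certificate")
    for uri in settings.get("uri", "").split():
        # pam_ldap/nss_ldap upgrade ldap:// to TLS only when 'ssl start_tls' is set
        if uri.startswith("ldap://") and settings.get("ssl", "").lower() != "start_tls":
            findings.append(f"{uri}: credentials and directory data travel in clear text "
                            "(use ldaps:// or 'ssl start_tls')")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("-", finding)
```

Run it against /etc/ldap.conf and /etc/openldap/ldap.conf on every client; the howto's settings produce two findings, a hardened file (ldaps:// URI, TLS_REQCERT demand, TLS_CACERT set) produces none.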

Changes in /etc/nscd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--


Changed on 02.09.14
Issued by olli
Beginning line 46

nscd settings that work around lookups hanging on LDAP: keep reloading cached entries instead of dropping them, and keep positive passwd/group answers for 30 days (2592000 s). The price is that a deleted account or a changed group membership stays visible on the client until the TTL runs out or the cache is flushed (nscd -i passwd; nscd -i group), so flush it as part of offboarding.

	reload-count            unlimited
	positive-time-to-live   passwd          2592000
	positive-time-to-live   group           2592000

Changes in /etc/openldap/ldap.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--


Changed on 24.02.09
Issued by olli
Beginning line 15

The same client settings for the OpenLDAP library itself (ldapsearch, ldapadd, ldappasswd). The pam_* and nss_* lines are ignored by libldap and only matter to pam_ldap/nss_ldap. As in /etc/ldap.conf, TLS_REQCERT allow disables server certificate verification and should become demand, with TLS_CACERT set, once the server is reached over the network.

BASE         dc=example,dc=com
URI          ldaps://127.0.0.1:636
pam_login_attribute	uid:caseExactMatch:
TLS_REQCERT   allow
NETWORK_TIMEOUT 3
timeout 3
timelimit 3
bind_policy hard
bind_timelimit 3
nss_reconnect_tries 3
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
nss_initgroups_ignoreusers adm,amavis,apache,arpwatch,asterisk,at,bin,clamav,cron,cyrus,daemon,ddclient,dhcp,distcc,ez-ipupd,fetchmail,ftp,get,halt,hsqldb,icecast,ices,ldap,lp,mail,mailman,man,mediatomb,memcached,messagebus,minidlna,mysql,named,news,nobody,ntp,openvpn,operator,pdns,polkitd,portage,postfix,postmaster,privoxy,root,rpc,saned,shutdown,smmsp,snort,squid,sshd,sync,tcpdump,tor,uucp

Changes in /etc/openldap/ldap.ldif

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--


Changed on 02.03.09
Issued by olli
Beginning line 1

LDAP entries for the basic tree structure. Once slapd is running, load the file with

ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/ldap.ldif

(-W prompts for the rootpw set in slapd.conf). Entries must be listed parent before child, and the value of each RDN attribute (dc, ou) must appear in the entry itself; otherwise slapd rejects the entry with "No such object" or a naming violation.

# Base DN
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

# Group DN (/etc/group)
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# User DN (/etc/passwd; /etc/shadow)
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# User DN - Normal Users
dn: ou=Users,ou=People,dc=example,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit

# User DN - System Users (e.g. cn=smbadmin from the slapd.conf ACLs)
dn: ou=SystemUsers,ou=People,dc=example,dc=com
ou: SystemUsers
objectClass: top
objectClass: organizationalUnit
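Added example (this editor's code, not the howto's): a small checker for the two mistakes that make ldapadd reject an LDIF of this kind, a naming attribute that does not carry its RDN value (slapd answers with a naming violation, result 64) and a child listed before its parent exists (ldapadd: No such object (32)). The broken sample is constructed to show both; the LDIF parser is deliberately minimal (no base64 or URL values, no escaped commas in DNs).

```python
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]

# Constructed sample with the two mistakes slapd refuses:
# the dc value does not match the RDN, and the parent ou=Users is never created
BROKEN_LDIF = """\
# Base DN
dn: dc=example,dc=com
dc: gabosh
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=People,ou=Users,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
"""

FIXED_LDIF = """\
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Users,ou=People,dc=example,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, '#' comments,
    lines starting with a space continue the previous line."""
    entries: List[Entry] = []
    lines: List[str] = []

    def flush() -> None:
        if not lines:
            return
        dn, attrs = "", {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
        lines.clear()

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            flush()
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    flush()
    return entries


def norm_dn(dn: str) -> str:
    """Cheap DN normalisation: lower-case, no blanks around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def validate_ldif(text: str, suffix: str) -> List[str]:
    """Report what slapd would reject: RDN value missing from the entry (namingViolation, 64)
    and a parent that does not exist yet (noSuchObject, 32). Entries are checked in file order."""
    problems: List[str] = []
    seen = set()
    for dn, attrs in parse_ldif(text):
        if not dn:
            problems.append("entry without dn line")
            continue
        norm = norm_dn(dn)
        rdn, _, parent = norm.partition(",")
        rdn_attr, _, rdn_value = rdn.partition("=")
        values = [v.lower() for v in attrs.get(rdn_attr, [])]
        if rdn_value not in values:
            problems.append(f"{dn}: naming attribute '{rdn_attr}' must have the value "
                            f"'{rdn_value}' (entry has {values or 'none'})")
        if norm != norm_dn(suffix) and parent not in seen:
            problems.append(f"{dn}: parent '{parent}' does not exist at this point of the file")
        seen.add(norm)
    return problems


if __name__ == "__main__":
    for p in validate_ldif(BROKEN_LDIF, "dc=example,dc=com"):
        print("-", p)
    print(validate_ldif(FIXED_LDIF, "dc=example,dc=com"))  # []
```

Pass the suffix from slapd.conf as the second argument; the base entry is the only one allowed to have no parent in the file.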

Changes in /etc/openldap/schema/dlz.schema

File permissions:
Owner: krey
Group: 513
Permissions: -rw-r--r--


Changed on 01.12.15
Issued by olli
Beginning line 1

This is the LDAP-Schema for BIND DLZ-LDAP.

#
# 1.3.6.1.4.1.18420.1.1.X is reserved for attribute types declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.2.X is reserved for object classes declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.3.X is reserved for PRIVATE extensions to the DLZ attribute
#                     types and object classes that may be needed by end users
#                     to add security, etc.  Attributes and object classes using
#                     this OID MUST NOT be published outside of an organization
#                     except to offer them for consideration to become part of the
#                     standard attributes and object classes published by the DLZ project.

attributetype ( 1.3.6.1.4.1.18420.1.1.10
        NAME 'dlzZoneName'
        DESC 'DNS zone name - domain name not including host name'
        SUP name 
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.20
	NAME 'dlzHostName'
        DESC 'Host portion of a domain name'
	SUP name
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.30
        NAME 'dlzData'
        DESC 'Data for the resource record'
        SUP name
        SINGLE-VALUE )       
        
attributetype ( 1.3.6.1.4.1.18420.1.1.40
	NAME 'dlzType'
        DESC 'DNS record type - A, SOA, NS, MX, etc...'
        SUP name
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.50
	NAME 'dlzSerial'
        DESC 'SOA record serial number'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.60
	NAME 'dlzRefresh'
        DESC 'SOA record refresh time in seconds'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.70
	NAME 'dlzRetry'
        DESC 'SOA retry time in seconds'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.80
	NAME 'dlzExpire'
        DESC 'SOA expire time in seconds'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.90
	NAME 'dlzMinimum'
        DESC 'SOA minimum time in seconds'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.100
        NAME 'dlzAdminEmail'
        DESC 'E-mail address of person responsible for this zone - @ should be replaced with . (period)'
	SUP name
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.110
	NAME 'dlzPrimaryNS'
        DESC 'Primary name server for this zone - should be host name not IP address'
	SUP name
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.120
	NAME 'dlzIPAddr'
        DESC 'IP address - IPV4 should be in dot notation xxx.xxx.xxx.xxx IPV6 should be in colon notation xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
	EQUALITY caseExactIA5Match 
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{40}
	SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.130
	NAME 'dlzCName'
        DESC 'DNS cname'
	SUP name
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.140
	NAME 'dlzPreference'
        DESC 'DNS MX record preference.  Lower numbers have higher preference'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.150
	NAME 'dlzTTL'
        DESC 'DNS time to live - how long this record can be cached by caching DNS servers'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.160
	NAME 'dlzRecordID'
	DESC 'Unique ID for each DLZ resource record'
	SUP name
	SINGLE-VALUE )

#------------------------------------------------------------------------------
# Object class definitions
#------------------------------------------------------------------------------

objectclass ( 1.3.6.1.4.1.18420.1.2.10
	NAME 'dlzZone'         
        DESC 'Zone name portion of a domain name'
        SUP top STRUCTURAL
	MUST ( objectclass $ dlzZoneName ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.20
	NAME 'dlzHost' 
        DESC 'Host name portion of a domain name'
        SUP top STRUCTURAL
	MUST ( objectclass $ dlzHostName ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.30
	NAME 'dlzAbstractRecord' 
        DESC 'Data common to all DNS record types'
        SUP top ABSTRACT
	MUST ( objectclass $ dlzRecordID $ dlzHostName $ dlzType $ dlzTTL ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.40
	NAME 'dlzGenericRecord' 
        DESC 'Generic DNS record - useful when a specific object class has not been defined for a DNS record'
        SUP dlzAbstractRecord STRUCTURAL
	MUST ( dlzData ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.50
        NAME 'dlzARecord'
        DESC 'DNS A record'
        SUP dlzAbstractrecord STRUCTURAL
        MUST ( dlzIPAddr ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.60
        NAME 'dlzNSRecord'
        DESC 'DNS NS record'
        SUP dlzGenericRecord STRUCTURAL )

objectclass ( 1.3.6.1.4.1.18420.1.2.70
        NAME 'dlzMXRecord'
        DESC 'DNS MX record'
        SUP dlzGenericRecord STRUCTURAL
        MUST ( dlzPreference ) )
                
objectclass ( 1.3.6.1.4.1.18420.1.2.80
        NAME 'dlzSOARecord'
        DESC 'DNS SOA record'
        SUP dlzAbstractRecord STRUCTURAL       
        MUST ( dlzSerial $ dlzRefresh $ dlzRetry
               $ dlzExpire $ dlzMinimum $ dlzAdminEmail $ dlzPrimaryNS ) )
               
objectclass ( 1.3.6.1.4.1.18420.1.2.90
	NAME 'dlzTextRecord' 
        DESC 'Text data with spaces should be wrapped in double quotes'
        SUP dlzGenericRecord STRUCTURAL )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.100
        NAME 'dlzPTRRecord'
        DESC 'DNS PTR record'
        SUP dlzGenericRecord STRUCTURAL )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.110
        NAME 'dlzCNameRecord'
        DESC 'DNS CName record'
        SUP dlzGenericRecord STRUCTURAL )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.120
        NAME 'dlzXFR'
        DESC 'Host allowed to perform zone transfer'
        SUP top STRUCTURAL
        MUST ( objectclass $ dlzRecordID $ dlzIPAddr ) )


Changes in /etc/openldap/schema/dnszone.schema

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--


Changed on 02.04.10
Issued by olli
Beginning line 1

This is the LDAP schema for BIND SDB-LDAP. The aRecord, mDRecord, mXRecord, nSRecord, sOARecord and cNAMERecord attributes named in the MAY list of dNSZone are not defined here but in cosine.schema, so cosine.schema has to be included in slapd.conf before this file.

# A schema for storing DNS zones in LDAP
#
attributetype ( 1.3.6.1.4.1.2428.20.0.0  NAME 'dNSTTL'
	DESC 'An integer denoting time to live'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
	DESC 'The class of a resource record'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
	DESC 'The name of a zone, i.e. the name of the highest node in the zone'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
	DESC 'The starting labels of a domain name'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
	DESC 'domain name pointer, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
	DESC 'host information, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
	DESC 'mailbox or mail list information, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
	DESC 'text string, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
	DESC 'for AFS Data Base location, RFC 1183'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
	DESC 'Signature, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
	DESC 'Key, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
	DESC 'IPv6 address, RFC 1886'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
	DESC 'Location, RFC 1876'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
	DESC 'non-existant, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
	DESC 'service location, RFC 2782'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
	DESC 'Naming Authority Pointer, RFC 2915'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
	DESC 'Key Exchange Delegation, RFC 2230'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
	DESC 'certificate, RFC 2538'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
	DESC 'A6 Record Type, RFC 2874'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
	DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
	DESC 'Delegation Signer, RFC 3658'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
	DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
	DESC 'RRSIG, RFC 3755'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
	DESC 'NSEC, RFC 3755'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
        SUP top STRUCTURAL
	MUST ( zoneName $ relativeDomainName )
        MAY ( DNSTTL $ DNSClass $
              ARecord $ MDRecord $ MXRecord $ NSRecord $
	      SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
              MINFORecord $ TXTRecord $ AFSDBRecord $ SIGRecord $
              KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $
              SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
              A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $
              RRSIGRecord $ NSECRecord ) )

Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----


Changed on 24.02.09
Issued by olli
Beginning line 6

Include the basic schemas

include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----


Changed on 19.02.10
Issued by olli
Beginning line 25

This includes some self-built schema, e.g. for groups inside groups or for mixing DNS with DHCP entries

include         /etc/openldap/schema/gabosh.schema

Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----


Changed on 24.02.09
Issued by olli
Beginning line 40

Certificate and private key for TLS (ldaps:// on port 636 and StartTLS on 389). The key file must be readable by the user slapd runs as (ldap) and by nobody else, e.g. mode 0640 with group ldap. The commented TLSCipherSuite line shows where to restrict the cipher list; SSLv2 and SSLv3 stay disabled there. loglevel stats acl additionally logs every ACL decision, which is handy while testing the access rules further down but too chatty for production.

TLSCertificateFile      /etc/ssl/example.com/example.com.crt
TLSCertificateKeyFile   /etc/ssl/example.com/example.com.key
#TLSCertificateFile      /etc/openldap/ssl/ldap.crt
#TLSCertificateKeyFile   /etc/openldap/ssl/ldap.key
#TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
loglevel         stats acl

Changed on 24.02.09
Issued by olli
Beginning line 53

Set the search path for LDAP modules


Before change
# modulepath	/usr/lib/openldap/openldap
After change
modulepath  /usr/lib/openldap/openldap

Changed on 24.02.09
Issued by olli
Beginning line 65

Load the back_hdb module for the HDB storage backend. Before the first start, create the Berkeley DB environment file for it, otherwise slapd warns about the missing DB_CONFIG and runs with the library defaults:

cp /var/lib/openldap-data/DB_CONFIG.example /var/lib/openldap-data/DB_CONFIG


Before change
# moduleload	back_hdb.so
After change
moduleload  back_hdb.so

Changed on 24.02.09
Issued by olli
Beginning line 99

ACLs for the password hashes. Without them the hashes are readable by anyone, for example with "getent shadow" on a client using nss_ldap or with an anonymous ldapsearch, and can then be cracked offline. If you don't use LDAP authentication for Samba, leave out the samba* attributes and the smbadmin line. How slapd reads this: directives are evaluated in order and the first "access to" whose target matches is used, so the password ACL must stay above the catch-all "access to * by * read"; inside a directive the first matching "by" clause decides, and a directive that matches but whose "by" clauses all fail denies access, which is what locks out peers from outside the listed networks in the first directive. "read break" grants read to a local peer and then carries on with the following directives. Give the first directive's dn= pattern an explicit style, dn.subtree="dc=example,dc=com", so that the peername restriction unambiguously covers the whole tree and not just the base entry. Verify the result with slapacl(8) (slapacl -f /etc/openldap/slapd.conf -b <entry DN> -D <bind DN> userPassword/read) and with an anonymous ldapsearch from a host outside the allowed networks, which must return nothing.


# Only access over local network
access to dn="dc=example,dc=com"
  by peername.ip="127.0.0.1" read break
  by peername.ip="my.lan.network.ip%XXX.XXX.XXX.XXX" read break
  by peername.ip="XXX.XXX.XXX.XXX%XXX.XXX.XXX.XXX" read break

# ACL for passwords
access to attrs=givenName,userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,sambaAcctFlags,shadowLastChange
  by dn="cn=smbadmin,ou=SystemUsers,ou=People,dc=example,dc=com" write
  by anonymous auth
  by self write
  by * none

# Global anonymous read access
access to * 
  by * read
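An added example (this editor's model, not part of the howto or of OpenLDAP) that walks these three directives the way slapd does: the first "access to" whose target matches is used, inside it the first matching "by" clause sets the level, a matching directive with no matching "by" clause denies, and "break" continues with the next directive, whose match then replaces the level. Assumptions, all marked in the code: the first directive is read as dn.subtree (the page gives no style), the LAN placeholder becomes 192.168.1.0%255.255.255.0, and only four of the protected attributes are listed. Regex styles, SSF and the +/- level modifiers are not modelled.

```python
import ipaddress
from typing import List, Optional, Tuple

# slapd access levels, weakest first; a request needs a level >= the one required
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# An 'access to' directive is (what, clauses); what is one of
#   ("all", None) | ("subtree", base_dn) | ("attrs", {lower-cased attribute names})
# each clause is (who, level, control) with who one of
#   ("any",) | ("anonymous",) | ("self",) | ("dn", exact_dn) | ("peer", "addr" or "addr%netmask")
Clause = Tuple[Tuple, str, str]
Directive = Tuple[Tuple[str, object], List[Clause]]

# The howto's ACLs, transcribed. ASSUMPTIONS: dn= taken as dn.subtree; the LAN placeholder
# replaced by 192.168.1.0%255.255.255.0; only four of the protected attributes listed.
HOWTO_ACLS: List[Directive] = [
    (("subtree", "dc=example,dc=com"), [
        (("peer", "127.0.0.1"), "read", "break"),
        (("peer", "192.168.1.0%255.255.255.0"), "read", "break"),
    ]),
    (("attrs", {"userpassword", "sambalmpassword", "sambantpassword", "shadowlastchange"}), [
        (("dn", "cn=smbadmin,ou=SystemUsers,ou=People,dc=example,dc=com"), "write", "stop"),
        (("anonymous",), "auth", "stop"),
        (("self",), "write", "stop"),
        (("any",), "none", "stop"),
    ]),
    (("all", None), [(("any",), "read", "stop")]),
]


def norm_dn(dn: str) -> str:
    """Cheap DN normalisation: lower-case, no blanks around commas (no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def peer_matches(pattern: str, peer_ip: str) -> bool:
    """peername.ip="addr" or "addr%netmask" as in slapd.access(5)."""
    addr, _, mask = pattern.partition("%")
    net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    return ipaddress.ip_address(peer_ip) in net


def what_matches(what, target_dn: str, attr: Optional[str]) -> bool:
    kind, arg = what
    if kind == "all":
        return True
    if kind == "subtree":
        dn, base = norm_dn(target_dn), norm_dn(arg)
        return dn == base or dn.endswith("," + base)
    if kind == "attrs":  # attribute-only directives never match entry-level access (attr None)
        return attr is not None and attr.lower() in arg
    raise ValueError(kind)


def who_matches(who, target_dn: str, requester: Optional[str], peer_ip: str) -> bool:
    kind = who[0]
    if kind == "any":
        return True
    if kind == "anonymous":
        return requester is None
    if kind == "self":
        return requester is not None and norm_dn(requester) == norm_dn(target_dn)
    if kind == "dn":
        return requester is not None and norm_dn(requester) == norm_dn(who[1])
    if kind == "peer":
        return peer_matches(who[1], peer_ip)
    raise ValueError(kind)


def access_allowed(acls, target_dn: str, attr: Optional[str],
                   requester: Optional[str], peer_ip: str, needed: str) -> bool:
    """requester=None means an anonymous bind; attr=None means access to the entry itself."""
    granted = "none"
    for what, clauses in acls:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level, control in clauses:
            if who_matches(who, target_dn, requester, peer_ip):
                granted = level
                break
        else:
            return False  # directive matched but no 'by' clause did: slapd denies here
        if control != "break":
            break         # 'stop' (the default): this clause is final
    return LEVELS.index(granted) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = "uid=alice,ou=Users,ou=People,dc=example,dc=com"
    print(access_allowed(HOWTO_ACLS, alice, "userPassword", None, "192.168.1.5", "read"))    # False
    print(access_allowed(HOWTO_ACLS, alice, "userPassword", alice, "192.168.1.5", "write"))  # True
    print(access_allowed(HOWTO_ACLS, alice, "cn", None, "203.0.113.7", "read"))             # False
```

The three calls in the main block mirror what slapacl should report for the real server: an anonymous LAN client may bind against userPassword but not read it, a user may change her own password, and a client outside the listed networks gets nothing at all. Swap the directive order (catch-all first) and the first call turns True, which is the mistake the ordering note above warns about.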

Changed on 24.02.09
Issued by olli
Beginning line 124

LDAP Base DN


Before change
suffix		"dc=my-domain,dc=com"
After change
suffix                "dc=example,dc=com"

Changed on 24.02.09
Issued by olli
Beginning line 131

LDAP Root DN


Before change
rootdn		"cn=Manager,dc=my-domain,dc=com"
After change
rootdn                "cn=Manager,dc=example,dc=com"

Changed on 24.02.09
Issued by olli
Beginning line 139

Encrypted LDAP Root password from slappasswd


Before change
rootpw		secret
After change
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX

Changed on 23.11.09
Issued by olli
Beginning line 149

Define slapd indexes for tuning and to get rid of the "bdb_equality_candidates: (uid) not indexed" log entries. Don't forget to run slapindex as the ldap user afterwards (with slapd stopped), otherwise existing entries are not covered by the new indexes.


Before change
#index	objectClass	eq
After change
index objectclass,entryCSN,entryUUID   eq
index cn                      pres,sub,eq
index sn                      pres,sub,eq
index uid                     pres,sub,eq
index displayName             pres,sub,eq
index uidNumber               eq
index gidNumber               eq
index memberUid               eq
index uniqueMember            eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
index                       zoneName                         eq
index                       relativeDomainName               eq

Changes in /gtc/test/etc/thinclient/server-profile/etc/openldap/schema/dnszone.schema

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 02.04.10
Issued by olli
Beginning line 1

This is the LDAP schema for BIND SDB-LDAP in the thin-client server profile, an identical copy of /etc/openldap/schema/dnszone.schema above.

Setting up services

To start slapd automatically after a reboot, add it to the default runlevel:

rc-update add slapd default

Please send feedback to: doc<at>gabosh.net
