Installing OpenLDAP on Debian Stretch

The goal is to install OpenLDAP with a baseline configuration.

The server is a Debian “Stretch” server. Validate that by running lsb_release.

root@barad-dur:~& lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 9.3 (stretch)
Release:	9.3
Codename:	stretch

First things first, install OpenLDAP daemon (slapd) and the appropriate LDAP utilities.
On the server, run (either as root or with sudo)
apt install slapd ldap-utils
You’ll be prompted to enter an administrative password. Choose one you’ll remember.
To be explicit, re-run the configuration engine with dpkg-reconfigure slapd.
You’ll be prompted to enter the DNS name of the domain a name for the organization. In my case, I chose “telperion.org” for both. This is important because the top of the DIT (the directory information tree) will be created using a distinguished name (dn) of “dc=telperion,dc=org”.

OpenLDAP uses itself for configuration (pretty cool, huh). This allows slapd to reconfigure on the fly without needing to be restarted. Installing and configuring slapd sets up two databases, one for data and one for configuration of slapd itself. Use the slapcat command to dump the contents of the databases.

According to the manpage, the slapd configuration database is always the first created, so to see the contents of the configuration, use the “-n0” option. Run slapcat -n0 to see the current configuration of slapd.

The second database contains information provided by the debian package configuration setup. Run slapd without any options to see the contents of the second database. Running slapcat -n1 would produce the same result (zero indexed for software engineers!). The domain name you typed in the dpkg-reconfigure step above, should be included as a distinguished name. In my case, it is

To see just the entries for each, use ldapsearch with the “dn” filter. There should be just two entries (as seen also by running slapcat | grep ^dn).

root@barad-dur:~# ldapsearch -x -LLL  -b dc=telperion,dc=org  dn
dn: dc=telperion,dc=org

dn: cn=admin,dc=telperion,dc=org

root@barad-dur:~# slapcat  | grep ^dn
dn: dc=telperion,dc=org
dn: cn=admin,dc=telperion,dc=org

ldapsearch can eventually be run from anywhere on the network with the appropriate configuration. Use slapcat to run locally. We can do the same for configuration. Set the base to cn=config to dump the entries for the configuration file. This search requires SASL authentication mechansim and to identify the localhost and protocol explicitly.

root@barad-dur:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcBackend={0}mdb,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}mdb,cn=config

root@barad-dur:~# slapcat -n0 | grep ^dndn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}mdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config

By default, the inetorgperson and nis schema are included. This will help when we begin to populate the database as those schemas define the object classes we’ll use to build our directory.

Leave a Reply

Your email address will not be published. Required fields are marked *