Install LDAP Server
The following instructions describe how to install and set up an OpenLDAP server for use by the Content Engine.
On your ldap-host, while logged in as root:

1. Download and install the OpenLDAP server. For example, on a Debian-based Linux distribution:

       # apt-get install slapd ldap-utils

2. Import the LDAP schemas delivered with OpenLDAP:

       # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
       # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
       # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
       # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif

3. Create a new text file and open it. Enter the following LDIF (LDAP Data Interchange Format) code to define your LDAP database:

       # Load dynamic backend modules
       dn: cn=module{0},cn=config
       objectClass: olcModuleList
       cn: module
       olcModulepath: /usr/lib/ldap
       olcModuleload: {0}back_hdb

       # Create the database
       dn: olcDatabase={1}hdb,cn=config
       objectClass: olcDatabaseConfig
       objectClass: olcHdbConfig
       olcDatabase: {1}hdb
       olcDbDirectory: /var/lib/ldap
       olcSuffix: dc=your-company,dc=com
       olcRootDN: cn=admin,dc=your-company,dc=com
       olcRootPW: your-password
       olcDbConfig: {0}set_cachesize 0 2097152 0
       olcDbConfig: {1}set_lk_max_objects 1500
       olcDbConfig: {2}set_lk_max_locks 1500
       olcDbConfig: {3}set_lk_max_lockers 1500
       olcLastMod: TRUE
       olcDbCheckpoint: 512 30
       olcDbIndex: cn,sn,mail pres,eq,approx,sub
       olcDbIndex: objectClass eq
       olcDbIndex: member eq

   You can just paste the above code into the text file, but make sure that you replace the placeholders your-company and your-password with appropriate values. The two entries (the module list and the database) must be separated by a blank line. Note that although the password you are entering here is unencrypted, it will be overwritten by an encrypted password when you create the base DN in step 9 below.

4. Save the file you have created in a temporary location (/tmp/db.ldif, for example).

5. Enter the following command to create your database:

       # ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/db.ldif

6. Generate a user password for your database by entering:

       # slappasswd -h {MD5}

   slappasswd will then prompt you to enter a password twice:

       New password: your-password
       Re-enter new password: your-password

   When you have entered the password twice, slappasswd returns the password as an encrypted (hashed) string, for example:

       {MD5}a4GKOmvxI07STJQAIZIrYw==

   Make a copy of this string.

7. Create a new text file and open it. Enter the following LDIF code to define your base DN:

       dn: dc=your-company,dc=com
       objectClass: dcObject
       objectclass: organization
       o: your-company.com
       dc: your-company
       description: Escenic root

       dn: cn=admin,dc=your-company,dc=com
       objectClass: simpleSecurityObject
       objectClass: organizationalRole
       cn: admin
       userPassword: your-encrypted-password
       description: LDAP administrator

   You can just paste the above code into the text file, but make sure that you replace the placeholders your-company and your-encrypted-password. Replace your-encrypted-password with the encrypted password you created in step 6.

   The blank line in the above code is significant. If you copy it from a PDF version of this manual, you may find that when you paste it into your file, the blank line has been removed. Make sure you replace it, or the file will not work.

8. Save the file you have created in a temporary location (/tmp/base.ldif, for example).

9. Enter the following command to create your base DN:

       # ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/base.ldif

10. Create a new text file and open it. Enter the following LDIF code to modify the system access control list (ACL) by setting an administrator DN and password on the configuration database:

       dn: olcDatabase={0}config,cn=config
       changetype: modify
       add: olcRootDN
       olcRootDN: cn=admin,cn=config

       dn: olcDatabase={0}config,cn=config
       changetype: modify
       add: olcRootPW
       olcRootPW: your-encrypted-password

   You can just paste the above code into the text file, but make sure that you replace the placeholder your-encrypted-password with the encrypted password you created in step 6. As in step 7, the blank line between the two entries is significant.

11. Save the file you have created in a temporary location (/tmp/system-acl.ldif, for example).

12. Enter the following command to apply the ACL change:

       # ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/system-acl.ldif

13. Create a new text file and open it. Enter the following LDIF code to create an Escenic administrator with read/write access to the LDAP database:

       dn: olcDatabase={1}hdb,cn=config
       changetype: modify
       add: olcAccess
       olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=your-company,dc=com" write by anonymous auth by self write by * none
       olcAccess: to dn.base="" by * read
       olcAccess: to * by dn="cn=admin,dc=your-company,dc=com" write by * read

   You can just paste the above code into the text file, but make sure that you replace the placeholder your-company. Each olcAccess value must be on a single line (or continued on the next line with a leading space, as LDIF allows).

14. Save the file you have created in a temporary location (/tmp/rw.ldif, for example).

15. Enter the following command to create your administrator:

       # ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/rw.ldif

16. Create a new text file and open it. Enter the following LDIF code to create an Escenic user with read-only access to the LDAP database:

       dn: olcDatabase={1}hdb,cn=config
       changetype: modify
       add: olcAccess
       olcAccess: to * by dn="cn=read,dc=your-company,dc=com" read by self write by * auth
       olcAccess: to dn.base="" by * read
       olcAccess: to * by dn="cn=read,dc=your-company,dc=com" write by * read

   You can just paste the above code into the text file, but make sure that you replace the placeholder your-company.

17. Save the file you have created in a temporary location (/tmp/ro.ldif, for example).

18. Enter the following command to create your user:

       # ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ro.ldif
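The LDIF files above are pasted by hand, and a lost blank line or an unreplaced placeholder silently breaks them. As an added example that is not part of the original manual, this Python script checks such a file offline before you run ldapadd or ldapmodify on it: records must be separated by a blank line, the placeholders your-company, your-password and your-encrypted-password must be gone, olcRootPW and userPassword values must be {SCHEME}-hashed, and a `to *` olcAccess rule that precedes other rules in the same file is flagged because slapd applies the first `to` clause that matches. The BAD_BASE sample is constructed, and the script only sees the file in front of it, not rules already loaded into the server.

```python
import re

PLACEHOLDERS = ("your-encrypted-password", "your-password", "your-company")  # longest first
TO_ANY = re.compile(r"^(\{\d+\})?to \* ")     # olcAccess rule whose <what> clause matches every entry
HASHED = re.compile(r"^\{[A-Za-z0-9-]+\}")     # {MD5}... / {SSHA}... style hashed password values

def parse_ldif(text):
    """Split LDIF into records of (attr, value); a second 'dn:' inside a record means the blank line was lost."""
    records, current, problems = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):                  # LDIF comment
            continue
        if not line.strip():                      # blank line terminates the current record
            if current:
                records.append(current)
            current = []
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            problems.append(f"line {lineno}: not an 'attr: value' line: {line!r}")
            continue
        attr, value = attr.strip().lower(), value.strip(": ")
        if attr == "dn" and current:              # the PDF copy/paste problem described above
            problems.append(f"line {lineno}: 'dn:' inside a record, the blank line before it is missing")
            records, current = records + [current], []
        current.append((attr, value))
    return records + ([current] if current else []), problems

def lint_ldif(text):
    """Structural problems, unreplaced placeholders, cleartext passwords, shadowing 'to *' ACL rules."""
    records, problems = parse_ldif(text)
    for rec in records:
        dn = next((v for a, v in rec if a == "dn"), "?")
        for attr, value in rec:
            hit = next((p for p in PLACEHOLDERS if p in value), None)
            if hit:
                problems.append(f"{dn}: placeholder {hit!r} still present in {attr}")
            if attr in ("olcrootpw", "userpassword") and not HASHED.match(value):
                problems.append(f"{dn}: {attr} is not a {{SCHEME}}-hashed value")
        rules = [v for a, v in rec if a == "olcaccess"]
        for i, rule in enumerate(rules[:-1]):     # slapd uses the first 'to' clause that matches
            if TO_ANY.match(rule):
                problems.append(f"{dn}: olcAccess rule {i} is 'to *' and shadows {len(rules) - 1 - i} later rule(s)")
                break
    return problems

# Constructed sample: base.ldif pasted from a PDF (blank line lost), placeholders kept, cleartext password
BAD_BASE = ("dn: dc=your-company,dc=com\nobjectClass: dcObject\ndc: your-company\n"
            "dn: cn=admin,dc=your-company,dc=com\ncn: admin\nuserPassword: secret\n")
```

Run it on each file with `print("\n".join(lint_ldif(open("/tmp/base.ldif").read())))` and expect no output; a clean file returns an empty list.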
You should then verify that the LDAP server is running and accessible by trying to connect to the LDAP port (389) from each of your other hosts using telnet:

    $ telnet ldap-host 389

where ldap-host is the host name or IP address of the ldap-host. If a connection is opened, then the LDAP server is running and accessible. Press Ctrl-Z to close the connection.