Install LDAP Server

The following instructions describe how to install and set up an OpenLDAP server for use by the Content Engine.

On your ldap-host, while logged in as root:

  1. Download and install the OpenLDAP server. For example, on a Debian-based Linux distribution:

    # apt-get install slapd ldap-utils
  2. Import the LDAP schemas delivered with OpenLDAP:

    # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
    # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
  3. Create a new text file and open it. Enter the following LDIF (LDAP Interchange Format) code to define your LDAP database:

    # Load dynamic backend modules
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap
    olcModuleload: {0}back_hdb
    
    # Create the database
    dn: olcDatabase={1}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=your-company,dc=com
    olcRootDN: cn=admin,dc=your-company,dc=com
    olcRootPW: your-password
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcDbIndex: cn,sn,mail pres,eq,approx,sub
    olcDbIndex: objectClass eq
    olcDbIndex: member eq

    You can just paste the above code into the text file, but make sure that you replace the placeholders your-company and your-password with appropriate values. Note that although the password you are entering is unencrypted, it will be overwritten by an encrypted password when you create the base DN in step 9 below.

  4. Save the file you have created in a temporary location (/tmp/db.ldif, for example).

  5. Enter the following command to create your database:

    # ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/db.ldif
  6. Generate a user password for your database by entering:

    # slappasswd -h {MD5}

    slappasswd will then prompt you to enter a password twice:

    New password: your-password
    Re-enter new password: your-password

    When you have entered the password twice, slappasswd returns the password as an encrypted string, for example:

    {MD5}a4GKOmvxI07STJQAIZIrYw==

    Make a copy of this string.

  7. Create a new text file and open it. Enter the following LDIF (LDAP Interchange Format) code to define your base DN:

    dn: dc=your-company,dc=com
    objectClass: dcObject
    objectclass: organization
    o: your-company.com
    dc: your-company
    description: Escenic root
    
    dn: cn=admin,dc=your-company,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    userPassword: your-encrypted-password
    description: LDAP administrator

    You can just paste the above code into the text file, but make sure that you replace the placeholders your-company and your-encrypted-password. Replace your-encrypted-password with the encrypted password string you copied in step 6.

    The blank line in the above code is significant. If you copy it from a PDF version of this manual, you may find that when you paste it into your file, the blank line has been removed. Make sure you replace it, or the file will not work.

  8. Save the file you have created in a temporary location (/tmp/base.ldif, for example).

  9. Enter the following command to create your base DN:

    # ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/base.ldif
  10. Create a new text file and open it. Enter the following LDIF (LDAP Interchange Format) code to modify the system access control list (ACL):

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootDN
    olcRootDN: cn=admin,cn=config
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: your-encrypted-password

    You can just paste the above code into the text file, but make sure that you replace the placeholder your-encrypted-password with the encrypted password you created in step 6.

  11. Save the file you have created in a temporary location (/tmp/system-acl.ldif, for example).

  12. Enter the following command to apply the system ACL modification:

    # ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/system-acl.ldif
  13. Create a new text file and open it. Enter the following LDIF (LDAP Interchange Format) code to create an Escenic administrator with read/write access to the LDAP database:

    dn: olcDatabase={1}hdb,cn=config
    add: olcAccess
    olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=your-company,dc=com" write by anonymous auth by self write by * none
    olcAccess: to dn.base="" by * read
    olcAccess: to * by dn="cn=admin,dc=your-company,dc=com" write by * read

    You can just paste the above code into the text file, but make sure that you replace the placeholder your-company.

  14. Save the file you have created in a temporary location (/tmp/rw.ldif, for example).

  15. Enter the following command to create your administrator:

    # ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/rw.ldif
  16. Create a new text file and open it. Enter the following LDIF (LDAP Interchange Format) code to create an Escenic user with read-only access to the LDAP database:

    dn: olcDatabase={1}hdb,cn=config
    add: olcAccess
    olcAccess: to * by dn="cn=read,dc=your-company,dc=com" read by self write by * auth
    olcAccess: to dn.base="" by * read
    olcAccess: to * by dn="cn=read,dc=your-company,dc=com" write by * read

    You can just paste the above code into the text file, but make sure that you replace the placeholder your-company.

  17. Save the file you have created in a temporary location (/tmp/ro.ldif, for example).

  18. Enter the following command to create your user:

    # ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ro.ldif
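The password values that step 6 produces and steps 7 and 10 consume, as an added example that is not part of this manual or of OpenLDAP: it reproduces the {MD5} encoding that slappasswd -h {MD5} emits (base64 of an unsalted MD5 digest), shows the salted {SSHA} scheme that slappasswd uses when no -h option is given, and verifies a candidate password against either form. The function names are this example's own.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Added example (not from the Escenic manual or OpenLDAP). userPassword values
# written by slappasswd are "{SCHEME}" + base64(...). For {MD5} the payload is
# the raw 16-byte MD5 digest with no salt, so two accounts with the same
# password get byte-identical hashes. For {SSHA} it is sha1(password + salt)
# followed by the salt, so the same password hashes differently every time.


def hash_md5(password: str) -> str:
    """Same output as `slappasswd -h {MD5}` for the given password."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Same layout as slappasswd's default {SSHA}: base64(sha1(pw+salt) + salt)."""
    if salt is None:
        salt = secrets.token_bytes(4)  # slappasswd also uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {MD5} or {SSHA} userPassword value."""
    if stored.startswith("{MD5}"):
        expected = base64.b64decode(stored[len("{MD5}"):])
        actual = hashlib.md5(candidate.encode("utf-8")).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        actual = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    else:
        raise ValueError("unsupported password scheme in: " + stored[:12])
    return secrets.compare_digest(expected, actual)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample password; use the real one from step 6 in practice.
    a, b = hash_md5("secret"), hash_md5("secret")
    print(a, "identical to second run:", a == b)
    c, d = hash_ssha("secret"), hash_ssha("secret")
    print(c, "identical to second run:", c == d)
    print("verify ok:", verify(c, "secret"), "wrong pw:", verify(c, "wrong"))
```

Because the {MD5} form carries no salt, a directory dump exposes every account sharing a password at once; verify() accepts both forms, so entries can be migrated to {SSHA} without changing how they are checked.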

You should then verify that the LDAP server is running and accessible by trying to connect to the LDAP port (389) from each of your other hosts using telnet:

$ telnet ldap-host 389

where ldap-host is the host name or IP address of the ldap-host. If a connection is opened, then the LDAP server is running and accessible. Press Ctrl-Z to close the connection.