I will describe here the installation of an address book for use with e-mail clients, and a web interface for modifying it (as very few LDAP clients seem to support LDAP write access).
Disclaimer
Software
Installing OpenLDAP from ports
Configuring and Starting OpenLDAP
Adding initial entries
Change Passwords
Configure Access Control
Installing phpLDAPadmin
Changing password using the web interface
Adding entries using the web interface
Configuring Outlook to use the LDAP address book
The procedure described in this document worked for me but of course I can't guarantee that it will for you, and that you won't lose data and be fired by your boss after following it.
I am using the following base configuration:
We will be installing the following:
I am not aware of any practical alternative to LDAP/OpenLDAP for this use, and of all those I have tried, phpLDAPadmin was by far the best LDAP client application I have seen.
I used the following sources for writing this document (please refer to them in case something goes wrong):
outlook ldap :-)
I merely changed the setting names.
$ cd /usr/ports/databases/openldap
$ su
# env FLAVOR="bdb" SUBPACKAGE="-server" make install
We'll be using the (default) bdb backend, and the -server subpackage indicates we want the server part (slapd, ...) in addition to the client part (ldapadd, ...).
I got a report that the bdb backend is not available (at least not directly) in older versions of OpenBSD. In this case you can use the ldbm backend. Just don't put the FLAVOR assignment in the above statement, AND replace "database bdb" by "database ldbm" in the slapd.conf configuration file.
We first copy the default configuration files and create the data directory
# cp /usr/local/share/examples/openldap/slapd.conf /etc/openldap
# mkdir /var/openldap-data
# chmod 700 /var/openldap-data
Use your favourite editor on /etc/openldap/slapd.conf, and make the following changes:
  After the include line for core.schema, add:
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
  In the suffix line, replace my-domain and com by whatever is relevant for you, adding "dc=" items if required. In the remainder of this documentation, dc=example,dc=com will be used.
  Change the rootdn line to rootdn uid=Manager,ou=Users,dc=example,dc=com
inetorgperson is the type that we will use for address book entries, and these include lines make that type available.
rootdn is the "root" user, i.e. a user that is always allowed to read and write anything
A sample "bootstrap" slapd.conf can be found here. Once the basic database structure has been built, we will do final changes to this file
Note that it does not hurt if access control directives are already there, so if you want to save some time you can directly download the final file below, BUT make sure you have rootpw set to secret, otherwise you won't be able to do anything.
We can now start the LDAP server:
# /usr/local/libexec/slapd
Because the LDAP users themselves are stored in the LDAP database, we have a chicken-and-egg problem: we need a user that we can use for creating users.
This is solved by the rootpw line in slapd.conf.
Unlike other users, you can bind to the LDAP database as rootdn even if there is no corresponding entry in the database. The rootpw directive specifies the cleartext password of that user, which defaults to "secret".
We shall deactivate this cleartext password once the LDAP directory has been created.
In order to create an ldap entry (or a set of entries) one has to create an LDIF file,
then do the actual creation with the ldapadd command.
Our initial database will be structured as follows:
dc=example,dc=com
    ou=ABook,dc=example,dc=com
    ou=Users,dc=example,dc=com
        uid=Manager,ou=Users,dc=example,dc=com
        uid=AbkMgr,ou=Users,dc=example,dc=com
        uid=Visitor,ou=Users,dc=example,dc=com
You can download the definition of this initial structure here.
You should of course feel free to modify names, structure etc. The structure can also be altered later though not very easily.
Add these entries
$ ldapadd -x -D "uid=Manager,ou=Users,dc=example,dc=com" -w secret -f initial.ldif
The -D option specifies the user as which the add is performed, which matches the rootdn line in slapd.conf.
The -w option specifies the password to use. Once the system is in production, you will want to use -W instead, which prompts for the password instead of expecting it on the command line (where it ends up in the process list and the shell history).
The LDIF file given above initialised each user's password to the user name itself, lowercased (i.e. AbkMgr's password is abkmgr).
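The downloadable LDIF is not reproduced on this page, so here is an added example (not the author's file) that generates the same initial tree for any suffix, with the passwords initialised to the lowercased user names exactly as described above, and loads it as the bootstrap rootdn when ldapadd is available. The function names, the "o:" value derived from the first dc= component, and the temporary file path are this example's own choices.

```shell
#!/bin/sh
# Added example: build the initial LDIF (suffix, ou=ABook, ou=Users and the
# three users) for a given suffix, then optionally load it with ldapadd.

# Print the LDIF for the tree described above.
# $1 = suffix, e.g. dc=example,dc=com
make_initial_ldif() {
    suffix=$1
    # first dc= component of the suffix, e.g. "example" (assumed dc=... suffix)
    dc=$(printf '%s' "$suffix" | sed 's/^dc=\([^,]*\).*/\1/')

    printf 'dn: %s\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\ndc: %s\no: %s\n\n' \
        "$suffix" "$dc" "$dc"
    for ou in ABook Users; do
        printf 'dn: ou=%s,%s\nobjectClass: top\nobjectClass: organizationalUnit\nou: %s\n\n' \
            "$ou" "$suffix" "$ou"
    done
    for user in Manager AbkMgr Visitor; do
        # initial password = user name lower-cased, as in the page's LDIF;
        # replace it with ldappasswd -S right after loading
        pw=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
        printf 'dn: uid=%s,ou=Users,%s\nobjectClass: top\nobjectClass: inetOrgPerson\nuid: %s\ncn: %s\nsn: %s\nuserPassword: %s\n\n' \
            "$user" "$suffix" "$user" "$user" "$user" "$pw"
    done
}

# Number of entries in an LDIF text (one "dn:" line per entry).
count_entries() {
    printf '%s\n' "$1" | grep -c '^dn: '
}

# Load the LDIF as rootdn using the bootstrap rootpw "secret".
# $1 = suffix, $2 = LDIF file. Skipped when ldapadd is not installed.
load_initial_ldif() {
    if ! command -v ldapadd >/dev/null 2>&1; then
        echo "ldapadd not found; skipping load" >&2
        return 0
    fi
    ldapadd -x -D "uid=Manager,ou=Users,$1" -w secret -f "$2"
}

# Usage: write the file, inspect it, then load it against the running slapd.
SUFFIX="dc=example,dc=com"
OUT="${TMPDIR:-/tmp}/initial.ldif"
make_initial_ldif "$SUFFIX" > "$OUT"
echo "$OUT: $(count_entries "$(cat "$OUT")") entries"
# load_initial_ldif "$SUFFIX" "$OUT"   # uncomment on the LDAP host, then run ldappasswd -S for each user
```

The generated file has six entries; the user entries are inetOrgPerson objects, which is why cn and sn are set alongside uid. The passwords are deliberately weak placeholders and only exist so that ldappasswd (next section) or the web interface can replace them.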
You may modify these passwords now if you want, or later using the web interface (in which case
you may skip this section, though you should at least read it as it explains the way passwords
are handled in LDAP.)
The command for updating AbkMgr's password is:
ldappasswd -x -D 'uid=AbkMgr,ou=Users,dc=example,dc=com' -W -S
Replacing AbkMgr by Manager or Visitor will of course let you change their passwords as well. You will be prompted twice for the new password and once for the old one. Usual guidelines about passwords apply.
You may now wonder if Manager's password is "secret" or "manager". The answer is: both!
The rootpw line allows logging in with that password, so until you change that line in slapd.conf, the "secret" password will be usable for getting rootdn access. Additionally, the userPassword attribute of the Manager entry holds the "manager" password and gives the same rootdn access. ldappasswd modifies the userPassword attribute, so whatever you type at ldappasswd's prompt changes the password "manager", not "secret".
Now that we have a rootdn password in the database, we can deactivate the password secret in the configuration file. In OpenLDAP, an empty password is considered inactive, so the rootpw directive is made inactive by giving it two double quotes "" as its parameter.
We will now set up access control rules so that
We'll also put in a rule to prevent a user from seeing other users' passwords. Even though the stored passwords are hashed, hiding them does no harm.
Add these lines before the database line:
access to dn.base="" by * read
access to dn.base="dc=example,dc=com" by * read
access to dn.base="ou=Users,dc=example,dc=com" by * read
# abkmgr can read/write the address book, visitor can read, others nothing
access to dn.subtree="ou=ABook,dc=example,dc=com"
    by dn.base="uid=AbkMgr,ou=Users,dc=example,dc=com" write
    by dn.base="uid=Visitor,ou=Users,dc=example,dc=com" read
# let everyone know the list of users (but not their passwords etc)
access to dn.children="ou=Users,dc=example,dc=com" attr=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.children="ou=Users,dc=example,dc=com"
    by self write
    by * read
This final slapd.conf file can be found here.
The official OpenLDAP documentation has quite a good explanation about access control so I advise you to read some of it there if you want to understand in more details the meaning of the above.
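Since the final slapd.conf is only linked and not shown in full, here is an added example (not the author's file) that assembles it for any suffix and backend from the directives given in this and the previous sections, and then checks the two things worth verifying before restarting slapd: that rootpw is no longer a usable cleartext password, and that the access rules are present. The function names and the candidate file path are this example's own; slaptest -u is the dry-run syntax check shipped with OpenLDAP and is skipped when it is not installed.

```shell
#!/bin/sh
# Added example: build the final slapd.conf for a suffix/backend and verify
# rootpw "" and the access rules before the file replaces the bootstrap one.

# Print a complete slapd.conf.  $1 = suffix (e.g. dc=example,dc=com),
# $2 = backend (bdb by default; ldbm on older OpenBSD, see above).
make_slapd_conf() {
    suffix=$1
    backend=${2:-bdb}
    cat <<EOF
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema

pidfile     /var/run/slapd.pid
argsfile    /var/run/slapd.args

# access rules go before the database line
access to dn.base="" by * read
access to dn.base="$suffix" by * read
access to dn.base="ou=Users,$suffix" by * read
# abkmgr can read/write the address book, visitor can read, others nothing
access to dn.subtree="ou=ABook,$suffix"
    by dn.base="uid=AbkMgr,ou=Users,$suffix" write
    by dn.base="uid=Visitor,ou=Users,$suffix" read
# let everyone know the list of users (but not their passwords etc)
access to dn.children="ou=Users,$suffix" attr=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.children="ou=Users,$suffix"
    by self write
    by * read

database    $backend
suffix      "$suffix"
rootdn      "uid=Manager,ou=Users,$suffix"
# empty rootpw: rootdn now authenticates only with its entry's userPassword
rootpw      ""
directory   /var/openldap-data
EOF
}

# Return 0 when the file has no usable cleartext rootpw (no rootpw line,
# or rootpw ""), 1 when a bootstrap password such as "secret" is still set.
rootpw_disabled() {
    val=$(sed -n 's/^[[:space:]]*rootpw[[:space:]]*//p' "$1")
    [ -z "$val" ] || [ "$val" = '""' ]
}

# Number of "access to" directives in the file (the page's final file has 6).
count_access_rules() {
    grep -c '^[[:space:]]*access to ' "$1"
}

# Syntax-check with slaptest when OpenLDAP is installed (-u: dry run, no
# database access); skipped elsewhere.
syntax_check() {
    command -v slaptest >/dev/null 2>&1 || return 0
    slaptest -u -f "$1"
}

# Usage: write the candidate file and verify it before copying it over
# /etc/openldap/slapd.conf and restarting slapd.
CANDIDATE="${TMPDIR:-/tmp}/slapd.conf.candidate"
make_slapd_conf "dc=example,dc=com" bdb > "$CANDIDATE"
if rootpw_disabled "$CANDIDATE"; then
    echo "$CANDIDATE: rootpw disabled, $(count_access_rules "$CANDIDATE") access rules"
else
    echo "$CANDIDATE: WARNING, a cleartext rootpw is still set" >&2
fi
```

Run syntax_check on the candidate file on the LDAP host itself (it needs the schema files under /etc/openldap/schema), and only then copy it into place and restart slapd as shown below. The rootpw_disabled check is the one to keep around: a forgotten "rootpw secret" is a standing rootdn credential that no ldappasswd run will ever remove.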
Now restart the LDAP server to take these settings into account (SIGHUP doesn't seem to work):
# kill `cat /var/run/slapd.pid`
# /usr/local/libexec/slapd
$ cd /var/www/htdocs/
$ tar xvzf /path/to/downloaded/archive/phpldapadmin-0.9.4b.tar.gz
$ cp config.php.example config.php
Now we need to configure config.php for our setup:
  $servers[$i]['name']: You probably want to put something that looks better here.
  $servers[$i]['host'] = 'localhost' (though you may want to put the web application and the LDAP server on two different machines)
  $servers[$i]['base']: Change to your LDAP suffix. (I haven't tested auto-detection)
  $servers[$i]['auth_type']: well, read the comment and choose what applies to you.
  $servers[$i]['login_dn']: '' if you chose cookie or session above. Probably 'uid=AbkMgr,ou=Users,dc=example,dc=com' otherwise.
  $servers[$i]['login_pass']: cleartext password if you chose config above
  $servers[$i]['login_attr'] = 'uid' if you did not choose config above
  Comment out (with /* and */) the second server specification
You are now ready to start using the web interface. Point your browser to http://localhost/path/to/phpldapadmin/, changing localhost to something else if you're doing this remotely.
rootdn (uid=Manager) can change everybody's password, and everybody can change their own password.
At the login prompt, enter the user name (like AbkMgr, i.e. without uid= or anything else) and the password you have set for that account.
The password is stored in the userPassword attribute. To change a user's password, browse to it using the + boxes and click on the name. Then type the new password, being careful with typos (as you aren't asked to type it twice for checking). If you change the password of the user you are logged in as, you will be required to log in again.
To add/modify an entry in the addressbook, open the ABook node in the tree on the left and either
click on the item you want to modify or on the Create link.
When creating you should select the Address Book Entry item. The create form doesn't let
you put more than one email address immediately, but you can do this later.
You can use the import feature if you want to put many items at once.
You will need to have these items in LDIF format to do that, though.
If you want to import entries from another LDAP server, add the specifications of that
server in your config.php file and use the copy feature.
From inside Outlook, open Tools->Email Accounts
Select Add a new directory or address book and click Next
Select Internet Directory Service (LDAP)
Set Server Name to the hostname of the server where OpenLDAP is running
Check the logon required box and put as User Name uid=Visitor,ou=Users,dc=example,dc=com.
Enter the Visitor password that you set previously
Click More Settings and select the Search tab
Set the Search Base to dc=example,dc=com.
Click OK, Next and Finish.