I will describe here the installation of an addressbook for use with e-mail clients, and a web-interface for modifying it (as very few ldap clients seem to support ldap write access)
Installing OpenLDAP from ports
Configuring and Starting OpenLDAP
Adding initial entries
Configure Access Control
Changing password using the web interface
Adding entries using the web interface
Configuring Outlook to use the LDAP address book
The procedure described in this document worked for me but of course I can't guarantee that it will for you, and that you won't lose data and be fired by your boss after following it.
I am using the following base configuration:
We will be installing the following:
I am not aware of any practical alternative to LDAP/OpenLDAP for this use, and of all those I have tried, phpLDAPadmin was by far the best LDAP client application I have seen.
I used the following sources for writing this document (please refer to them in case something goes wrong):
outlook ldap:-) I merely changed the setting names.
$ cd /usr/ports/databases/openldap
$ su
# env FLAVOR="bdb" SUBPACKAGE="-server" make install
We'll be using the (default) bdb backend, and SUBPACKAGE="-server" indicates that we want the server part (slapd, ...) in addition to the client part (ldapadd, ...).
I got a report that the bdb backend is not available (at least not directly) in older versions of OpenBSD. In this case you can use the ldbm backend: just don't put the FLAVOR assignment in the above statement, AND replace "database bdb" by "database ldbm" in slapd.conf.
We first copy the default configuration file and create the data directory:
# cp /usr/local/share/examples/openldap/slapd.conf /etc/openldap
# mkdir /var/openldap-data
# chmod 700 /var/openldap-data
Use your favourite editor on /etc/openldap/slapd.conf, and do the following changes:
- Add the lines
  include /etc/openldap/schema/cosine.schema
  include /etc/openldap/schema/inetorgperson.schema
  inetorgperson is the type that we will use for addressbook entries, and these lines make that type available.
- Replace dc=example,dc=com by whatever is relevant for you, adding or removing "dc=" items if required. In the remainder of this documentation, dc=example,dc=com will be used.
- Set rootdn to the administrative user (uid=Manager,ou=Users,dc=example,dc=com in this document). rootdn is the "root" user, i.e. a user that is always allowed to read and write anything, so the password protecting it deserves the most care.
A sample "bootstrap" slapd.conf can be found here. Once the basic database structure has been built, we will do final changes to this file. Note that it does not hurt if access control directives are already there, so if you want to save some time you can directly download the final file below, BUT make sure you have rootpw set to secret (the cleartext bootstrap password, deactivated later), otherwise you won't be able to do anything.
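The bootstrap settings above collected in one file, as an added example rather than the page's own downloadable slapd.conf: the schema includes, suffix, rootdn, data directory and pidfile are the ones this page uses; the index line is an assumption (it is the usual minimum for the bdb backend).

```conf
# /etc/openldap/slapd.conf, bootstrap version
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd.pid

database        bdb
suffix          "dc=example,dc=com"
rootdn          "uid=Manager,ou=Users,dc=example,dc=com"
# Cleartext bootstrap password. Only needed until the Manager entry exists
# in the database; it is then replaced by rootpw "" (or removed), after which
# rootdn binds are checked against the Manager entry's userPassword.
rootpw          secret
directory       /var/openldap-data
index           objectClass     eq
```

Access control directives are absent on purpose at this stage; they are added once the initial entries exist.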
We can now start the LDAP server:
# /usr/local/libexec/slapd
Because the LDAP users themselves are stored in the LDAP database, we have a chicken-and-egg problem: we need a user that we can use for creating users. This is solved by the rootpw line in slapd.conf. Unlike with other users, you can bind to the LDAP database as rootdn even if there is no corresponding entry in the database. The rootpw directive specifies the cleartext password of that user, which defaults to "secret" in the example file. We shall deactivate this cleartext password once the LDAP directory has been created; until then anyone who can reach the server and knows the default password has full control of the directory, so do not leave it in this state longer than needed.
In order to create an LDAP entry (or a set of entries) one has to create an LDIF file, then do the actual creation with the ldapadd command.
Our initial database will be structured as follows:
You can download the definition of this initial structure here.
You should of course feel free to modify names, structure etc. The structure can also be altered later though not very easily.
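The initial structure written out as an added LDIF example (this is not the downloadable file the page refers to): the DNs are the ones this page uses everywhere, and the passwords follow the page's convention of "user name, lowercased". The objectClasses, the cn/sn values and the organisation name are assumptions. Note that ldapadd stores userPassword exactly as written here, i.e. in cleartext, which is one reason to change the passwords afterwards with ldappasswd (which hashes them) or the web interface.

```ldif
# Suffix entry
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

# Container for the accounts that may bind to the directory
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

# Container for the address book itself
dn: ou=ABook,dc=example,dc=com
objectClass: organizationalUnit
ou: ABook

# rootdn: may read and write everything
dn: uid=Manager,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: Manager
cn: Manager
sn: Manager
userPassword: manager

# maintains the address book (write access granted by the ACLs later on)
dn: uid=AbkMgr,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: AbkMgr
cn: Address Book Manager
sn: AbkMgr
userPassword: abkmgr

# read-only account used by the e-mail clients
dn: uid=Visitor,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: Visitor
cn: Visitor
sn: Visitor
userPassword: visitor
```

Save it as initial.ldif; it is the file loaded by the ldapadd command in the next step.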
Add these entries:
$ ldapadd -x -D "uid=Manager,ou=Users,dc=example,dc=com" -w secret -f initial.ldif
The -D option specifies the user through which the adding has to be performed, which matches the rootdn line in slapd.conf. The -w option specifies the password to use. When the system runs, you will want to use -W instead, which prompts for a password instead of expecting it on the command line: a password given with -w is visible to every local user in the process list and ends up in your shell history.
The LDIF file given above initialises each user's password to the user name itself, lowercased (i.e. AbkMgr's password is abkmgr). You may modify these passwords now if you want, or later using the web interface (in which case you may skip this section, though you should at least read it as it explains the way passwords are handled in LDAP).
The command for updating AbkMgr's password is:
ldappasswd -x -D 'uid=AbkMgr,ou=Users,dc=example,dc=com' -W -S
Replacing AbkMgr by Manager or Visitor will of course let you change their passwords as well. You will be prompted twice for the new password and once for the old one. Usual guidelines about passwords apply. This binds as the user whose password is changed, so that user needs write access to its own userPassword attribute; as long as slapd.conf contains no access directives only rootdn may modify entries, in which case bind as Manager instead (-D 'uid=Manager,ou=Users,dc=example,dc=com' -W -S) and give the DN of the user to change as the last argument of ldappasswd.
You may now wonder if Manager's password is "secret" or "manager". The answer is: both! The rootpw line allows logging in using that password, so until you change that line in slapd.conf the "secret" password will be usable for getting rootdn access. Additionally, the userPassword attribute of the Manager entry holds the "manager" password, and allows getting the same rootdn access. ldappasswd modifies the userPassword attribute, so whatever you type at ldappasswd's prompt will be changing the password "manager", not "secret".
Now that we have a rootdn password in the database we can deactivate the password secret in the configuration file. In OpenLDAP, an empty password is considered inactive, so the rootpw directive is made inactive by putting two double quotes as its parameter:
rootpw ""
Removing or commenting out the rootpw line has the same effect: without it, a bind as rootdn is checked against the userPassword of the rootdn's own entry in the database, which is why the Manager entry had to be created first.
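What "the password is stored in the userPassword attribute" means in practice, as an added example that is neither the page's code nor OpenLDAP's: ldappasswd hashes the new password server-side and stores it as {SSHA}base64(sha1(password || salt) || salt), whereas ldapadd stores whatever the LDIF contains. The block builds and verifies such values and produces an ldapmodify LDIF carrying a pre-hashed value, so a bulk password change never puts cleartext in a file. The 4-byte salt length mirrors the slappasswd default (assumption); the DN is the page's AbkMgr account.

```python
"""{SSHA} userPassword values: build, verify, and ship via ldapmodify."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Return an {SSHA} userPassword value; a random salt is drawn unless
    one is supplied (only useful for reproducible tests)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password the way a simple bind does: recover the
    salt from the stored value, rehash, compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def password_modify_ldif(dn, password, salt=None):
    """LDIF for `ldapmodify -x -D <rootdn> -W -f file` that replaces
    userPassword with a pre-hashed value (no cleartext in the file)."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: userPassword",
        "userPassword: " + ssha_hash(password, salt),
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: the page's AbkMgr account with its initial password.
    value = ssha_hash("abkmgr")
    print(value)
    print(ssha_verify(value, "abkmgr"), ssha_verify(value, "manager"))
    print(password_modify_ldif("uid=AbkMgr,ou=Users,dc=example,dc=com", "abkmgr"))
```

The same {SSHA} string is also accepted as the parameter of the rootpw directive (slappasswd generates one), which is the alternative to the page's cleartext "secret" if you need a rootpw in slapd.conf at all. Whoever can read these hashes can attack them offline, which is why the access rules further down hide userPassword from everybody but the owner.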
We will now set up access control rules so that
We'll also put a rule to prevent a user from seeing other users' passwords. Even though the stored passwords are hashed rather than cleartext, exposing the hashes would let anyone attack them offline, so hiding them does not hurt.
Add these lines before the
access to dn.base="" by * read
access to dn.base="dc=example,dc=com" by * read
access to dn.base="ou=Users,dc=example,dc=com" by * read
# abkmgr can read/write the address book, visitor can read, others nothing
access to dn.subtree="ou=ABook,dc=example,dc=com"
    by dn.base="uid=AbkMgr,ou=Users,dc=example,dc=com" write
    by dn.base="uid=Visitor,ou=Users,dc=example,dc=com" read
# let everyone know the list of users (but not their passwords etc)
access to dn.children="ou=Users,dc=example,dc=com" attr=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.children="ou=Users,dc=example,dc=com"
    by self write
    by * read
This final slapd.conf file can be found here.
The official OpenLDAP documentation has quite a good explanation of access control, so I advise you to read some of it there if you want to understand the above in more detail. Two points matter for the rules above: directives are evaluated in order and the first one whose target matches decides, so the attr=userPassword rule must stay before the general ou=Users rule (otherwise its "by * read" would hand out the password hashes to everyone); and anything no rule grants is denied, which is why anonymous clients and users other than AbkMgr and Visitor get nothing on ou=ABook.
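A small model of that evaluation order, as an added example (not OpenLDAP code), so the effect of the rules and of their order can be checked without a running server. It supports only what this page uses: <what> clauses dn.base / dn.children / dn.subtree / * with an optional attr=, and <who> clauses *, anonymous, users, self and dn.base="...". PAGE_ACL is the page's own rule set copied from above; the contact entry and the SWAPPED variant (last two directives exchanged) are mine.

```python
"""Order-sensitive model of slapd 'access to' directives."""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def norm(dn):
    """Lower-case and trim components; enough for the DNs used here."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives, keeping order."""
    toks = shlex.split(text, comments=True)
    rules, i = [], 0
    while i < len(toks):
        if toks[i:i + 2] != ["access", "to"]:
            raise ValueError("expected 'access to' near token %d" % i)
        i += 2
        rule = {"scope": "subtree", "dn": "", "attrs": None, "by": []}
        while i < len(toks) and toks[i] != "by":
            key, _, val = toks[i].partition("=")
            if key == "*":
                rule["scope"] = "all"
            elif key in ("dn.base", "dn.children", "dn.subtree"):
                rule["scope"], rule["dn"] = key[3:], norm(val)
            elif key in ("attr", "attrs"):
                rule["attrs"] = {a.strip().lower() for a in val.split(",")}
            else:
                raise ValueError("unsupported <what> clause: " + toks[i])
            i += 1
        while i + 2 < len(toks) and toks[i] == "by":
            rule["by"].append((toks[i + 1], toks[i + 2]))
            i += 3
        rules.append(rule)
    return rules


def what_matches(rule, entry, attr):
    entry, base = norm(entry), rule["dn"]
    if rule["scope"] == "all":
        ok = True
    elif rule["scope"] == "base":
        ok = entry == base
    elif rule["scope"] == "children":
        ok = entry != base and entry.endswith("," + base)
    else:
        ok = entry == base or entry.endswith("," + base)
    if ok and rule["attrs"] is not None:   # attr= rules match only those attrs
        ok = attr is not None and attr.lower() in rule["attrs"]
    return ok


def who_matches(who, requester, entry):
    requester = norm(requester) if requester else ""   # "" means anonymous
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and requester == norm(entry)
    if who.startswith("dn.base="):
        return requester == norm(who[len("dn.base="):])
    raise ValueError("unsupported <who> clause: " + who)


def granted(rules, requester, entry, attr=None):
    """Level slapd grants: the first directive whose <what> matches decides,
    and within it the first matching <by> clause; anything unmatched is none."""
    for rule in rules:
        if what_matches(rule, entry, attr):
            for who, level in rule["by"]:
                if who_matches(who, requester, entry):
                    return level
            return "none"   # implicit trailing 'by * none'
    return "none"           # no directive matched


PAGE_ACL = """
access to dn.base="" by * read
access to dn.base="dc=example,dc=com" by * read
access to dn.base="ou=Users,dc=example,dc=com" by * read
# abkmgr can read/write the address book, visitor can read, others nothing
access to dn.subtree="ou=ABook,dc=example,dc=com"
    by dn.base="uid=AbkMgr,ou=Users,dc=example,dc=com" write
    by dn.base="uid=Visitor,ou=Users,dc=example,dc=com" read
# let everyone know the list of users (but not their passwords etc)
access to dn.children="ou=Users,dc=example,dc=com" attr=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.children="ou=Users,dc=example,dc=com"
    by self write
    by * read
"""
ABKMGR = "uid=AbkMgr,ou=Users,dc=example,dc=com"
VISITOR = "uid=Visitor,ou=Users,dc=example,dc=com"
CONTACT = "cn=Some Contact,ou=ABook,dc=example,dc=com"   # constructed entry
RULES = parse_acl(PAGE_ACL)
# Last two directives swapped: the general 'by * read' now wins for
# userPassword as well, and Visitor can read AbkMgr's password hash.
SWAPPED = RULES[:-2] + [RULES[-1], RULES[-2]]
```

Running granted(RULES, VISITOR, ABKMGR, "userPassword") gives none, while granted(SWAPPED, ...) with the same arguments gives read, which is the ordering mistake the text warns about. The model ignores features such as regex targets, groups, "stop"/"break" control and the "entry" pseudo-attribute, so use it to reason about rule sets of this shape only.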
Now restart the ldap server to take these settings into account (
seem to work)
# kill `cat /var/run/slapd.pid`
# /usr/local/libexec/slapd
$ cd /var/www/htdocs/
$ tar xvzf /path/to/downloaded/archive/phpldapadmin-0.9.4b.tar.gz
$ cd phpldapadmin-0.9.4b
$ cp config.php.example config.php
(config.php may end up holding LDAP credentials, so keep it readable by the web server user only.)
Now we need to configure config.php for our setup:
- $servers[$i]['name']: you probably want to put something that looks better here.
- $servers[$i]['host'] = 'localhost' (though you may want to put the web application and the LDAP server on two different machines).
- $servers[$i]['base']: change to your LDAP suffix (I haven't tested auto-detection).
- $servers[$i]['auth_type']: well, read the comment and choose what applies to you.
- = '' if you chose
- $servers[$i]['login_pass']: cleartext password if you chose
- $servers[$i]['login_attr'] = 'uid' if you did not choose
- Comment out (with /* ... */) the second server specification.
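The two ways of filling in these settings side by side, as an added example and not the config.php.example shipped with phpLDAPadmin: the first entry stores the rootdn password in the web server's files and makes every visitor of the web interface act as rootdn, the second makes phpLDAPadmin ask each user for credentials and leaves the decisions to the access control rules in slapd.conf. Keep only one of the two entries (the page tells you to comment the other out). The key name login_dn and the auth_type value 'session' are assumptions about this release; check the comment in config.php.example for the exact names.

```php
<?php
$i = 0;

// Weak: auth_type 'config' with the rootdn credentials in the file.
// Anyone who can read config.php, or use the web interface, is rootdn.
$servers[$i]['name'] = 'Address book (rootdn, avoid)';
$servers[$i]['host'] = 'localhost';
$servers[$i]['base'] = 'dc=example,dc=com';
$servers[$i]['auth_type'] = 'config';
$servers[$i]['login_dn'] = 'uid=Manager,ou=Users,dc=example,dc=com';
$servers[$i]['login_pass'] = 'manager';

// Better: per-user login. login_attr = 'uid' lets people type "AbkMgr"
// instead of the full DN; what each account may do is decided by slapd.
$i++;
$servers[$i]['name'] = 'Address book';
$servers[$i]['host'] = 'localhost';
$servers[$i]['base'] = 'dc=example,dc=com';
$servers[$i]['auth_type'] = 'session';
$servers[$i]['login_attr'] = 'uid';
?>
```

With the second variant the login of AbkMgr is resolved to uid=AbkMgr,ou=Users,dc=example,dc=com by searching the base for that uid, which works because the ou=Users rules above allow reading the user entries (but not their passwords).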
You are now ready to start using the web interface. Point your browser to http://localhost/path/to/phpldapadmin/, maybe changing localhost to something else if you're doing this remotely.
rootdn (uid=Manager) can change everybody's password, and everybody can change their own password. At the login prompt, enter the user name (like AbkMgr, i.e. without uid= or anything else) and the password you have set for that account. The password is stored in the userPassword attribute. To change a user's password, browse to it using the + boxes and click on the name. Then type the new password, being careful with typos (as you aren't asked to type it twice for checking). If you change a user's password while logged in as that user, you will be required to log in again.
To add/modify an entry in the addressbook, open the ABook node in the tree on the left and either click on the item you want to modify or on the link for creating a new entry. When creating you should select the Address Book Entry item. The create form doesn't let you put more than one email address immediately, but you can do this later. You can use the import feature if you want to put many items at once. You will need to have these items in LDIF format to do that, though.
If you want to import entries from another LDAP server, add the specifications of that server in your config.php file and use its export feature to obtain an LDIF file, which you then import as above.
From inside Outlook, open the dialog for adding a directory, choose Add a new directory or address book and click Internet Directory Service (LDAP). Then:
- Set Server Name to the hostname of the server where OpenLDAP is running.
- Check the logon required box and put as User Name the full DN of the read-only account (uid=Visitor,ou=Users,dc=example,dc=com). Put the visitor's password that you have set previously.
- Click More Settings and select the search settings; set the Search Base to the part of the directory Outlook should search (this page keeps the contacts under ou=ABook,dc=example,dc=com).
Note that a simple bind like this one sends the Visitor password in cleartext over the network unless TLS is configured between Outlook and slapd, which this page does not cover; this is one reason the Visitor account is only granted read access.