Usefull defaults for LDAP provided by ldifs.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Denis Knauf 751d95336a fixes (clear-text-passwords on create, ...) 4 years ago
.gitignore init 4 years ago
00.suffix.ldif.sh suffix-change, simplified steps, password-recovery 4 years ago
10.acls.ldif init 4 years ago
20.passwordhash.ldif suffix-change, simplified steps, password-recovery 4 years ago
30.root.ldif.sh suffix-change, simplified steps, password-recovery 4 years ago
90.user.ldif.sh fixes (clear-text-passwords on create, ...) 4 years ago
99.passwordrecovery.ldif.sh fixes (clear-text-passwords on create, ...) 4 years ago
README.adoc fixes (clear-text-passwords on create, ...) 4 years ago

README.adoc

Pre
---

Install slapd and ldap-utils:

sudo aptitude install slapd ldap-utils

It will ask for eg. domain, password.
If your domain is `example.net`, your basedn will be `dc=example,dc=net`.
If you want to use an other basedn, for example `o=example,c=de`,
debian/ubuntu will not provide any way to do that.

Thats because while these steps your database will be lost and you can choose your basedn.

Add your basedn to file `basedn`:

echo dc=example,dc=net > basedn

Init
----

Usefull defaults for security (better Passwordhashes):

ldapmodify -H ldapi:// -Y EXTERNAL -f 10.acls.ldif
ldapmodify -H ldapi:// -Y EXTERNAL -f 20.passwordhash.ldif

BaseDN
------

These steps will erase your database.
If you do not want to change your BaseDN, skip this step.

The next step will print your new password on STDERR, so note it.
You can change it any time.

./00.suffix.ldif.sh | sudo ldapmodify -H ldapi:// -Y external
./30.root.ldif.sh | sudo -u openldap -i slapadd -vb `cat basedn`

Clientconfig
------------

Some lines should be added to `/etc/ldap/ldap.conf`.
These would set defaults, so you could omit `-H ldapi://` and `-b $DN`.

cat >> /etc/ldap/ldap.conf <<EOF
BASE `cat basedn`
URI ldapi://
EOF

Add an user
-----------

For adding an user run:

./90.user.ldif.sh "$username" "$givenname" "$surname" "$emailaddr" | ldapadd -H ldapi:// -Y external

It will print the password on STDERR.

The DN will be `uid=$username,ou=People,$basedn`.

Changing Passwords
------------------

For changing password use:

ldappasswd -xSWD $yourdn

If you forgot your password, the administator can change the password via:

./99.passwordrecovery.ldif.sh $yourdn| sudo ldapmodify -H ldapi:// -Y external