
Open LDAP Provider Installation on Debian Squeeze.

Using SSH from a terminal, log in as root to the virtual machine you have created for use as the LDAP provider, using the root password set at creation.

:~$ssh root@vm36.student.lab 
root@vm36.student.lab's password:NaNaKiNg

Preliminary configuration adaptation.

At the virtual machine prompt use pico to edit the /etc/hosts file to match:

127.0.0.1    localhost
10.80.3.36   vm36.student.lab vm36

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

And save the file with <Ctrl>+<X>.

Package Installation.

  1. Now, at the prompt, install the ssh and nmap packages using the command:
root@vm36:~#apt-get install ssh nmap
  • Enter 'Y' when prompted and press <Enter>.
  2. Next, install the slapd and ldap-utils packages using the command:
root@vm36:~#apt-get install slapd ldap-utils
  • Again, enter 'Y' and press <Enter> when prompted.
  • When prompted, enter an administrator password for slapd (CaK30RD3aTH) and press <Enter>.
  • Re-enter the password to confirm and press <Enter>.

Confirm that slapd is running using the command:

~# nmap -p 389 localhost

The response received should look like:

Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-27 15:05 CEST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT    STATE SERVICE
389/tcp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Configuring the LDAP

  1. Use pico to edit the file /etc/ldap/ldap.conf.
  2. Create and edit a file for the configuration changes using the command 'pico ~/olc-mod1.ldif', entering the following content:
# 1.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

# 2.1.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
-
# 2.2.
add: olcDbIndex
olcDbIndex: cn eq
-
# 2.3.
add: olcDbIndex
olcDbIndex: ou eq
-
# 2.4.
add: olcDbIndex
olcDbIndex: dc eq
  • Use the <Ctrl>+<x> command to save and exit from pico.
  3. Implement the changes with the following command:
~# ldapmodify -QY EXTERNAL -H ldapi:/// -f ~/olc-mod1.ldif

If the changes are implemented the screen should display:

modifying entry "cn=config"

modifying entry "olcDatabase={1}hdb,cn=config"

~# 

Create a Basic Tree

  1. Create and edit a file using 'pico ~/tree.ldif' so it contains the following:
dn: ou=people,dc=student,dc=lab
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=student,dc=lab
ou: groups
objectClass: organizationalUnit
  • Save and Exit using the <Ctrl>+<x> command
  2. Implement the changes using the following command:
~# ldapadd -cxWD cn=admin,dc=student,dc=lab -f ~/tree.ldif
Enter LDAP Password:CaK30RD3aTH

The screen should display:

adding new entry "ou=people,dc=student,dc=lab"

adding new entry "ou=groups,dc=student,dc=lab"

~#

Perform a test. Run an ldapsearch with an anonymous bind (no DN specified) to check that the new organizational units have indeed been added to the database, using the command:

~# ldapsearch -xLLL

Check that the output looks like the following and does not contain any obvious errors:

~# ldapsearch -xLLL
dn: dc=student,dc=lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: student.lab
dc: student

dn: cn=admin,dc=student,dc=lab
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=people,dc=student,dc=lab
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=student,dc=lab
ou: groups
objectClass: organizationalUnit

~#
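To automate the "check that the output looks like the following" step, here is an added Python example (not part of the original page) that parses the LDIF returned by ldapsearch -LLL, including folded lines and base64-encoded values, and reports which of the expected DNs are missing. It also lists any entry for which an anonymous search returns a userPassword attribute: the default Debian access rules do not return that attribute to anonymous clients, so a non-empty result means the access configuration needs attention. The sample text is a constructed copy of the output above with one folded line and one base64 value added to exercise the parser; the function names are my own.

```python
import base64

# Constructed sample: the anonymous-bind output the page expects after tree.ldif
# has been loaded, with one folded line ("description") and one base64 value
# ("ou:: ...") added so both LDIF encodings are exercised.
SAMPLE_LDIF = """\
dn: dc=student,dc=lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: student.lab
dc: student

dn: cn=admin,dc=student,dc=lab
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP
  administrator

dn: ou=people,dc=student,dc=lab
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=student,dc=lab
ou:: Z3JvdXBz
objectClass: organizationalUnit
"""

# The organizational units tree.ldif is supposed to create.
EXPECTED_OUS = ["ou=people,dc=student,dc=lab", "ou=groups,dc=student,dc=lab"]


def parse_ldif(text):
    """Parse LDIF content records into a list of (dn, {attr: [values]}).

    Handles folded lines (a continuation line starts with one space),
    base64 values ("attr:: <b64>"), comment lines and blank-line separators.
    """
    # Step 1: unfold. A line beginning with a single space continues the
    # previous logical line; the leading space itself is dropped.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    # Step 2: split into entries on blank lines and decode attribute lines.
    entries = []
    current = None
    for line in logical + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            if current is not None:
                raise ValueError(f"dn line inside entry {current[0]!r}")
            current = (value, {})
        else:
            if current is None:
                raise ValueError(f"attribute {name!r} appears before any dn")
            current[1].setdefault(name, []).append(value)
    return entries


def missing_dns(text, expected):
    """Return the expected DNs not present in the LDIF text (case-insensitive)."""
    present = {dn.lower() for dn, _ in parse_ldif(text)}
    return {dn for dn in expected if dn.lower() not in present}


def exposed_passwords(text):
    """DNs whose entry carries a userPassword attribute.

    Run this over the output of an anonymous search: with the default Debian
    access rules userPassword is never returned to anonymous clients, so any
    DN listed here points at a broken access configuration.
    """
    return [dn for dn, attrs in parse_ldif(text)
            if any(k.lower() == "userpassword" for k in attrs)]


if __name__ == "__main__":
    print("missing OUs:", missing_dns(SAMPLE_LDIF, EXPECTED_OUS) or "none")
    print("entries returning userPassword:", exposed_passwords(SAMPLE_LDIF) or "none")
```

To check a live server, save the search output with `ldapsearch -xLLL > out.ldif` and pass the file's contents to `missing_dns` and `exposed_passwords`; the same check is worth repeating after the user account below has been added, since that is the first entry that carries a password.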

Create a User Account

  1. Create a new user account called genUsr. First create and edit a file:
    • Use the command 'pico ~/genUsr.ldif'.
    • Enter the following contents:
dn: cn=genUsr,ou=groups,dc=student,dc=lab
cn: genUsr
gidNumber: 20000
objectClass: top
objectClass: posixGroup

dn: uid=genUsr,ou=people,dc=student,dc=lab
uid: genUsr
uidNumber: 20000
gidNumber: 20000
cn: Generic
sn: User
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/genUsr
userPassword: Guest1
  2. Implement the account using the command:
ldapadd -cxWD cn=admin,dc=student,dc=lab -f ~/genUsr.ldif
  3. Run a search for the new genUsr entry using the command:
ldapsearch -xLLL uid=genUsr
  • The resulting output should look like:
dn: uid=genUsr,ou=people,dc=student,dc=lab
uid: genUsr
uidNumber: 20000
gidNumber: 20000
cn: Generic
sn: User
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/genUsr

It is possible to test authentication for an LDAP account by using the 'ldapwhoami' command:

  • Use the -w option followed by the assigned password to specify the password on the command line.
ldapwhoami -xD uid=genUsr,ou=people,dc=student,dc=lab -w Guest1
  • The same password specification is required for ldapsearch when binding as a user.
  • In all such cases the principle is the same: authentication and authorization must take place before any such single command is processed.
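The genUsr.ldif above stores the password in cleartext (userPassword: Guest1), and the ldapwhoami line passes it with -w. As an added example (not from the original page), the Python below produces the same group and account entries with the password stored in the {SSHA} form that slappasswd generates by default, and implements the check slapd performs when a simple bind presents a password against such a value. The function names are my own; the base DN and attribute values default to those used on the page.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return a userPassword value in OpenLDAP's {SSHA} form.

    This is the scheme slappasswd emits by default: base64 of
    SHA-1(password || salt) followed by the salt itself. A random 8-byte
    salt is drawn unless one is supplied (a fixed salt is only for tests).
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a cleartext password against a {SSHA} value.

    Mirrors what slapd does on a simple bind: split the decoded value into
    the 20-byte SHA-1 digest and the trailing salt, recompute the digest
    with the presented password and compare in constant time.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def posix_user_ldif(uid, uid_number, gid_number, cn, sn, password,
                    base_dn="dc=student,dc=lab", shell="/bin/bash"):
    """Build the posixGroup + posixAccount entries of the page's genUsr.ldif,
    with userPassword hashed instead of written in cleartext."""
    group = [
        f"dn: cn={uid},ou=groups,{base_dn}",
        f"cn: {uid}",
        f"gidNumber: {gid_number}",
        "objectClass: top",
        "objectClass: posixGroup",
    ]
    account = [
        f"dn: uid={uid},ou=people,{base_dn}",
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"cn: {cn}",
        f"sn: {sn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"loginShell: {shell}",
        f"homeDirectory: /home/{uid}",
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(group) + "\n\n" + "\n".join(account) + "\n"


if __name__ == "__main__":
    # Same values as the page's genUsr.ldif; only the password form changes.
    print(posix_user_ldif("genUsr", 20000, 20000, "Generic", "User", "Guest1"))
```

Write the printed LDIF to a file and load it with the same ldapadd command the page uses; the ldapwhoami test then works unchanged, because slapd recognises the {SSHA} prefix and hashes the presented password before comparing. For the bind itself, -W (prompt for the password) or -y <file> is preferable to -w <password>, since a password given on the command line is visible in the process list and in the shell history.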


user/bewanyk/portfolio/ldap-provider-install.txt · Last modified: 2011/04/03 15:55 by bewanyk