====== Install and Configure OpenLDAP ======

Here is the slapd.conf afternet uses for reference:
<code>
# load syncrepl provider support, replacing slurpd
#moduleload syncprov

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/inetorganon.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
#schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
#                      1      trace function calls
#                      2      debug packet handling
#                      4      heavy trace debugging
#                      8      connection management
#                      16     print out packets sent and received
#                      32     search filter processing
#                      64     configuration file processing
#                      128    access control list processing
#                      256    stats log connections/operations/results
#                      512    stats log entries sent
#                      1024   print communication with shell backends
#                      2048   entry parsing
#loglevel        392
#loglevel         2043
#loglevel 0
#loglevel 64
#loglevel any
loglevel 14
#loglevel 184
# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

#######################################################################
# SSL:
# Uncomment the following lines to enable SSL and use the default
# snakeoil certificates.
TLSCACertificateFile    /etc/ssl/certs/afternet.pem
TLSCertificateFile      /etc/ssl/certs/ssl-ldap1bare.pem
TLSCertificateKeyFile   /etc/ssl/private/ssl-ldap1.key

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
#cachesize    1000000
#dbcachesize 10000000

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

modulepath /usr/lib/ldap
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


# The base of your directory in database #1
suffix          "dc=afternet,dc=org"
checkpoint   512 30

rootdn "cn=admin,dc=afternet,dc=org"
rootpw  *********

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"
# Indexing options for database #1
index           objectClass,uid,userPassword,mail eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=afternet,dc=org" write
        by dn="uid=rubin,ou=Users,dc=afternet,dc=org" write
        by dn="cn=replicator,dc=afternet,dc=org" read
        by anonymous auth
        by self write
        by * none

access to attrs=mail
        by dn="cn=admin,dc=afternet,dc=org" write
        by dn="cn=sympa,dc=afternet,dc=org" read
        by dn="uid=rubin,ou=Users,dc=afternet,dc=org" write
        by dn="cn=replicator,dc=afternet,dc=org" read
        by anonymous none
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work 
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=afternet,dc=org" write
        by dn="uid=rubin,ou=Users,dc=afternet,dc=org" write
        by dn="cn=replicator,dc=afternet,dc=org" read
        by * read

TLSVerifyClient never

sizelimit unlimited
</code>


In /etc/default/slapd, varibles are defined for ubuntu's init scripts to run slapd with arguments. Mainly you need to tell it to listen on all interfaces for ldaps. We use something like this to make ldap available to localhost, and ldaps available everywhere. We then use IPTABLES to restrict the ldaps port to our trusted other hosts:
<code>
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
</code>