Install and Configure OpenLDAP

Here is the slapd.conf afternet uses for reference:

# load syncrepl provider support, replacing slurpd
#moduleload syncprov

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/inetorganon.schema

# Schema check forces entries to match the schema
# for their objectClasses
#schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
#                      1      trace function calls
#                      2      debug packet handling
#                      4      heavy trace debugging
#                      8      connection management
#                      16     print out packets sent and received
#                      32     search filter processing
#                      64     configuration file processing
#                      128    access control list processing
#                      256    stats log connections/operations/results
#                      512    stats log entries sent
#                      1024   print communication with shell backends
#                      2048   entry parsing
#loglevel        392
#loglevel         2043
#loglevel 0
#loglevel 64
#loglevel any
loglevel 14
#loglevel 184
# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

#######################################################################
# SSL/TLS:
# These lines enable TLS. Debian/Ubuntu ship commented-out lines pointing
# at the default snakeoil certificates; afternet uses its own CA and server
# certificate instead.
TLSCACertificateFile    /etc/ssl/certs/afternet.pem
TLSCertificateFile      /etc/ssl/certs/ssl-ldap1bare.pem
TLSCertificateKeyFile   /etc/ssl/private/ssl-ldap1.key

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
#cachesize    1000000
#dbcachesize 10000000

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

modulepath /usr/lib/ldap
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


# The base of your directory in database #1
suffix          "dc=afternet,dc=org"
checkpoint   512 30

rootdn "cn=admin,dc=afternet,dc=org"
rootpw  *********

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"
# Indexing options for database #1
index           objectClass,uid,userPassword,mail eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# The userPassword can be changed by the entry owning it
# once it has authenticated. Others must not be able to
# read it; the admin entries below may write it and the
# replicator may read it. 'by anonymous auth' permits
# unauthenticated clients to use the attribute for a bind
# without reading it. Clauses are evaluated in order and
# the first matching 'by' wins, so keep 'by * none' last.
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=afternet,dc=org" write
        by dn="uid=rubin,ou=Users,dc=afternet,dc=org" write
        by dn="cn=replicator,dc=afternet,dc=org" read
        by anonymous auth
        by self write
        by * none

access to attrs=mail
        by dn="cn=admin,dc=afternet,dc=org" write
        by dn="cn=sympa,dc=afternet,dc=org" read
        by dn="uid=rubin,ou=Users,dc=afternet,dc=org" write
        by dn="cn=replicator,dc=afternet,dc=org" read
        by anonymous none
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work 
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=afternet,dc=org" write
        by dn="uid=rubin,ou=Users,dc=afternet,dc=org" write
        by dn="cn=replicator,dc=afternet,dc=org" read
        by * read

TLSVerifyClient never

sizelimit unlimited

In /etc/default/slapd, variables are defined for Ubuntu's init scripts to run slapd with arguments. Mainly you need to tell it which URLs to listen on: plain ldap is unencrypted, so it should only be bound to localhost, while ldaps (TLS, TCP port 636) can listen on all interfaces. We use something like this to make ldap available to localhost only and ldaps available everywhere, and then use iptables to restrict the ldaps port to our other trusted hosts:

# slapd normally serves ldap only, on TCP port 389 of all interfaces.
# slapd can also service requests on TCP port 636 (ldaps) and requests
# via unix sockets (ldapi).
# Example usage:
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
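The following script is an added example, not part of afternet's configuration or scripts. It shows the two checks a practitioner would want around the setting above: a function that refuses any SLAPD_SERVICES value where a plain ldap:// listener is bound to something other than loopback (as "ldap:///" would be), and a generator for the iptables rules that restrict TCP 636 to a list of trusted hosts with a default DROP, plus a rule that keeps TCP 389 reachable from the loopback interface only. The trusted host addresses are constructed placeholders; the script prints the iptables commands for review rather than applying them.

```shell
#!/bin/sh
# Added example (not afternet's own script): validate the SLAPD_SERVICES
# listener list from /etc/default/slapd and emit the iptables rules that
# restrict ldaps (TCP 636) to trusted hosts while keeping plain ldap
# (TCP 389) loopback-only. Host addresses below are constructed placeholders.

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
TRUSTED_LDAPS_HOSTS="192.0.2.10 192.0.2.11"

# Return 0 when every plain ldap:// listener in $1 is bound to a loopback
# address; return 1 if any ldap:// URL would listen on a non-loopback
# interface (e.g. "ldap:///", which means all interfaces).
# ldaps:// (TLS) and ldapi:// (local socket) URLs are deliberately ignored.
plain_ldap_loopback_only() {
    for url in $1; do
        case "$url" in
            ldap://127.0.0.1:*|ldap://127.0.0.1/*) ;;
            ldap://localhost:*|ldap://localhost/*) ;;
            "ldap://[::1]"*) ;;
            ldap://*) return 1 ;;
        esac
    done
    return 0
}

# Print (do not apply) the iptables commands: a dedicated LDAPS chain with
# one ACCEPT per trusted host and a final DROP, so adding a host later means
# adding one ACCEPT rather than editing the default-deny. The jumps from INPUT
# are guarded with 'iptables -C' so re-running does not duplicate them.
# Review the output, then pipe it to sh as root.
ldaps_rules() {
    echo "iptables -N LDAPS 2>/dev/null || iptables -F LDAPS"
    for host in $TRUSTED_LDAPS_HOSTS; do
        echo "iptables -A LDAPS -s $host -p tcp --dport 636 -j ACCEPT"
    done
    echo "iptables -A LDAPS -p tcp --dport 636 -j DROP"
    echo "iptables -C INPUT -p tcp --dport 636 -j LDAPS 2>/dev/null || iptables -A INPUT -p tcp --dport 636 -j LDAPS"
    # Belt and braces: even if SLAPD_SERVICES is later changed to ldap:///,
    # plain ldap stays unreachable from anything but the loopback interface.
    echo "iptables -C INPUT ! -i lo -p tcp --dport 389 -j DROP 2>/dev/null || iptables -A INPUT ! -i lo -p tcp --dport 389 -j DROP"
}

if plain_ldap_loopback_only "$SLAPD_SERVICES"; then
    ldaps_rules
else
    echo "SLAPD_SERVICES exposes plain ldap beyond loopback: $SLAPD_SERVICES" >&2
fi
```

Run it as an unprivileged user to review the generated rules; once they look right, run it again as root with the output piped to sh. The 389 rule is there so that the firewall and the listener list both have to be wrong before plaintext LDAP is reachable from the network.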