OpenLDAP on NetBSD

This is an obsolete document; see http://doc.nethence.com/ instead.

Setting up Sendmail & OpenLDAP on NetBSD 

draft to be continued (11/08/2014)

Installation 

First, make sure Sendmail is up and running on your NetBSD system (http://pbraun.nethence.com/unix/mail/sendmail_netbsd.html).

Then install OpenLDAP,

echo $PKG_PATH
pkg_add openldap openldap-client openldap-server openldap-doc
pkg_info | grep ^openldap
cp /usr/pkg/share/examples/rc.d/slapd /etc/rc.d/
#  /usr/sbin/chown -R slapd:ldap /var/openldap/openldap-data/*
#  /usr/sbin/chown :ldap /usr/pkg/etc/openldap/slapd.conf
#  /bin/chmod 640 /usr/pkg/etc/openldap/slapd.conf
grep slapd /etc/passwd
grep ldap /etc/group

On x64 systems, set the stack size limit before the daemon starts,

ls -l /etc/rc.conf.d/slapd
cat > /etc/rc.conf.d/slapd <<EOF9
start_precmd="set_limits"

set_limits()
{
        ulimit -s 4096
}
EOF9
cat /etc/rc.conf.d/slapd

Base Configuration 

Configure the thing, 

ln -s /usr/pkg/etc/openldap /etc/openldap
cd /etc/openldap/
mv slapd.conf slapd.conf.dist
cat > slapd.conf <<EOF9
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
pidfile         /var/openldap/run/slapd.pid
argsfile        /var/openldap/run/slapd.args
database        bdb
suffix          "dc=example,dc=local"
rootdn          "cn=Manager,dc=example,dc=local"
password-hash   {CRYPT}
rootpw          CHANGE_THIS_PASSWORD
directory       /var/openldap/openldap-data
EOF9
chmod 640 /etc/openldap/slapd.conf
chgrp ldap /etc/openldap/slapd.conf

Note. {CRYPT} is used as the password hash scheme for Dovecot compatibility.

Note. Do not hash the rootpw in the configuration file itself, it won't work. The clear-text rootpw is the reason the file is restricted to root:ldap with mode 640.

Initializing the directory 

Check the ownership and permissions (root:ldap, mode 640) on the configuration file,

ls -l /etc/openldap/slapd.conf

Check the ownership and permissions (slapd:ldap, mode 700) on the database directory,

ls -ld /var/openldap/openldap-data/

Enable and start the daemon, 

echo "slapd=YES" >> /etc/rc.conf
ls -al /var/openldap/openldap-data/
/etc/rc.d/slapd start
ls -al /var/openldap/openldap-data/

Note. If you ever need to reinitialize the directory database (at installation time only, since it wipes the database),

#rm -rf /var/openldap/openldap-data/*

Check that it is running as the slapd user,

ps aux | grep slapd

For the following example to be worth testing, the UIDs below should not already exist on the system,

grep 1102 /etc/passwd
grep 1103 /etc/passwd

Note. The existing users group (GID 100) will be used as the primary group.

Initialize the directory database,

cd /etc/openldap/
cat > dovecot.init.ldif <<EOF9
dn: dc=example,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Org
dc: example
description: bla bla

dn: ou=accounts,dc=example,dc=local
objectClass: top
objectClass: organizationalUnit
ou: accounts

# only necessary if you are NOT using 'bind' authentication
dn: cn=dovecot,ou=accounts,dc=example,dc=local
objectClass: top
objectClass: person
cn: dovecot
sn: dovecot

dn: uid=ole_wobble,ou=accounts,dc=example,dc=local
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Ole Wobble Olson
sn: Olson
uid: ole_wobble
uidNumber: 1102
gidNumber: 100
homeDirectory: /home/ole_wobble

dn: uid=ole_wubble,ou=accounts,dc=example,dc=local
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Ole Wubble Olson
sn: Olson
uid: ole_wubble
uidNumber: 1103
gidNumber: 100
homeDirectory: /home/ole_wubble
EOF9
#sed 's/^[[:space:]]*//' dovecot.init.ldif
ldapadd -W -D "cn=Manager,dc=example,dc=local" -f /etc/openldap/dovecot.init.ldif

You should get this output at initialization time,

adding new entry "dc=example,dc=local"

adding new entry "ou=accounts,dc=example,dc=local"

adding new entry "cn=dovecot,ou=accounts,dc=example,dc=local"

adding new entry "uid=ole_wobble,ou=accounts,dc=example,dc=local"

adding new entry "uid=ole_wubble,ou=accounts,dc=example,dc=local"

Troubleshooting the directory initialization 

If you get this error, 

ldap_bind: Invalid credentials (49)

make sure the rootdn in slapd.conf and the DNs in the init LDIF use the same dc components (dc=example,dc=local in this example). Also make sure /etc/openldap is a symlink to /usr/pkg/etc/openldap and not a directory of its own.

If you get this error,

ldap_add: Protocol error (2)
        additional info: no attributes provided

it may be caused by leading spaces on the lines of your init LDIF (the commented sed line above strips them).

If you get this error,

ldap_add: Undefined attribute type (17)
        additional info: dn: attribute type undefined

it may be because you forgot to include the inetorgperson schema in slapd.conf.

If you get this error,

ldap_add: Type or value exists (20)
        additional info: objectClass: value #0 provided more than once

it is because a blank line is needed before each new dn: line (check line 9 of the init LDIF), and possibly a blank line at the end of the file too.
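The four errors above come down to two things that can be checked before running ldapadd: the shape of the LDIF (indentation, blank lines between entries) and whether slapd.conf and the LDIF agree on the suffix. The script below is an added example written for this page, not the page's own script; it parses the two files offline with sh and awk, never contacts slapd, and the files it writes to a scratch directory are constructed samples. It additionally checks that every DN quoted in an access rule ends with the suffix, a related mistake (a rule written for dc=example,dc=net on a dc=example,dc=local suffix) that none of the errors above reports, because such a rule simply never matches.

```shell
# Added example for this page (not the page's own script): offline pre-flight
# checks for slapd.conf and its init LDIF, using only sh and awk. No slapd needed.

# Value of a single-token slapd.conf directive (suffix, rootdn), quotes stripped.
conf_value() {
    awk -v key="$2" '$1 == key { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# LDIF shape problems, one per output line:
#   indented "attr:" line  -> Protocol error (2): no attributes provided
#   dn: without a blank line before it -> Type or value exists (20)
# Assumes no LDIF continuation lines (single leading space), as in the LDIF above.
ldif_problems() {
    awk '
        BEGIN { prev_blank = 1 }
        /^#/ { next }                       # a comment line does not end an entry
        /^[ \t]+[A-Za-z][A-Za-z0-9;-]*:/ { print "line " NR ": leading whitespace before attribute" }
        /^dn:/ && !prev_blank { print "line " NR ": no blank line before dn:" }
        { prev_blank = ($0 ~ /^[ \t]*$/) }
    ' "$1"
}

# slapd.conf vs LDIF: the first dn must equal the suffix and the rootdn must sit
# under it (else Invalid credentials (49) at bind time); every DN quoted in an
# access rule must end with the suffix, otherwise that rule matches nothing.
conf_problems() {
    suffix=$(conf_value "$1" suffix)
    rootdn=$(conf_value "$1" rootdn)
    first_dn=$(awk '/^dn:/ { sub(/^dn:[ \t]*/, ""); print; exit }' "$2")
    [ "$first_dn" = "$suffix" ] || echo "first dn '$first_dn' is not the suffix '$suffix'"
    case $rootdn in
        *",$suffix") ;;
        *) echo "rootdn '$rootdn' is not under suffix '$suffix'" ;;
    esac
    awk -v suffix="$suffix" '
        /^[ \t]*(access[ \t]+to|by)[ \t]/ {
            line = $0
            while (match(line, /"[^"]*"/)) {
                dn = substr(line, RSTART + 1, RLENGTH - 2)
                if (substr(dn, length(dn) - length(suffix) + 1) != suffix)
                    print "access rule DN outside suffix: " dn
                line = substr(line, RSTART + RLENGTH)
            }
        }' "$1"
}

# All checks together; status 0 only when nothing was reported.
check_ldap_setup() {
    problems=$(ldif_problems "$2"; conf_problems "$1" "$2")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed samples in a scratch directory (removed on exit).
tmp=$(mktemp -d "${TMPDIR:-/tmp}/ldapcheck.XXXXXX")
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/slapd.conf" <<'EOF'
suffix          "dc=example,dc=local"
rootdn          "cn=Manager,dc=example,dc=local"
access to dn.children="ou=accounts,dc=example,dc=local"
        by dn="cn=dovecot,ou=accounts,dc=example,dc=local" read
        by anonymous auth
EOF

# Same suffix, but the access rule was written for another domain.
cat > "$tmp/mismatched.conf" <<'EOF'
suffix          "dc=example,dc=local"
rootdn          "cn=Manager,dc=example,dc=local"
access to dn.children="ou=accounts,dc=example,dc=net"
        by dn="cn=dovecot,ou=accounts,dc=example,dc=net" read
EOF

cat > "$tmp/good.ldif" <<'EOF'
dn: dc=example,dc=local
objectClass: dcObject
dc: example

dn: ou=accounts,dc=example,dc=local
objectClass: organizationalUnit
ou: accounts
EOF

# Same entries, with one indented line and the separating blank line removed.
cat > "$tmp/bad.ldif" <<'EOF'
dn: dc=example,dc=local
objectClass: dcObject
    dc: example
dn: ou=accounts,dc=example,dc=local
objectClass: organizationalUnit
ou: accounts
EOF

check_ldap_setup "$tmp/slapd.conf" "$tmp/good.ldif" && echo "good.ldif: no problems"
check_ldap_setup "$tmp/slapd.conf" "$tmp/bad.ldif" || echo "bad.ldif: rejected as expected"
check_ldap_setup "$tmp/mismatched.conf" "$tmp/good.ldif" || echo "mismatched.conf: rejected as expected"
```

Run it against the real files with check_ldap_setup /etc/openldap/slapd.conf /etc/openldap/dovecot.init.ldif before the ldapadd step; conf_value only handles single-token directive values, which is enough for the dc-style suffix used here.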


Configuration Tweak for Dovecot 

Add this to your LDAP daemon configuration so that Dovecot can read the account entries (the DNs must use the same suffix as above, dc=example,dc=local),

cd /etc/openldap/
cat >> slapd.conf <<EOF9
access to dn.children="ou=accounts,dc=example,dc=local"
        by dn="cn=dovecot,ou=accounts,dc=example,dc=local" read
        by anonymous auth
EOF9
/etc/rc.d/slapd restart

Note. With no attrs= list the rule covers every attribute of those entries, userPassword included, which is what Dovecot needs when it is not using bind authentication.

Setting up user passwords 

Set up a password for the dovecot user and the mail accounts,

ldappasswd -W -S -D "cn=Manager,dc=example,dc=local" "cn=dovecot,ou=accounts,dc=example,dc=local"
ldappasswd -W -S -D "cn=Manager,dc=example,dc=local" "uid=ole_wobble,ou=accounts,dc=example,dc=local"
ldappasswd -W -S -D "cn=Manager,dc=example,dc=local" "uid=ole_wubble,ou=accounts,dc=example,dc=local"

and check the directory contents,

ldapsearch -LLL -W -D "cn=Manager,dc=example,dc=local" -b "dc=example,dc=local" "(objectclass=*)"

References 

HowToDovecotOpenLdap: http://wiki2.dovecot.org/HowTo/DovecotOpenLdap 

Dovecot LDA with Sendmail: http://wiki2.dovecot.org/LDA/Sendmail