Differences

This shows you the differences between two versions of the page.

--- doc:appunti:linux:sa:sldap_2_5 [2023/12/02 11:15] – [Adding a second (new) database] niccolo
+++ doc:appunti:linux:sa:sldap_2_5 [2023/12/02 12:31] (current) – [Enable SSL] niccolo
@@ Line 14: / Line 14: @@
 FIXME La **[[https://discourse.ubuntu.com/t/service-migrating-from-openldap-2-4-x-to-2-5-x/23807|Service - Migrating from OpenLDAP 2.4.x to 2.5.x]]** non ha funzionato; fallisce quando si tenta di ricaricare il database **dc=rigacci,dc=org.ldif** con il comando **slapadd**.
+Per ripristinare il servizio si sono eseguite ex-nove tutte le operazoni necessarie, in particolare:
+  * Caricato lo schema **mozillaAbPersonAlpha**.
+  * Creato il database #2 per gestire il suffisso **ou=Addressbook,dc=rigacci,dc=org**.
+  * Creata la organizationalUnit **Addressbook**.
+  * Creata la inetOrgPerson **cn=guest**.
+  * Caricate tutte le entry objectClass **mozillaAbPersonAlpha**.
 ===== (Re)installation from scratch =====
@@ Line 34: / Line 42: @@
 Reading the dump of database #0, you can see that the **cn=config** database has the **olcRootDN: cn=admin,cn=config**, but it does not have an **olcRootPW**, so you cannot modify the config database connecting with a login/password pair. See below on how to modify the **cn=config** database (e.g. to add a new database backend).
+===== Enable SSL =====
+Create a self signed certificate or get it from some provider, like **[[https://letsencrypt.org/|Let's Encrypt]]**. Copy the files into **/etc/ldap/ssl/** and give them permissions for the //openldap// user.
+Create the following file **config-ssl.ldif**:
+<file>
+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ssl/fullchain.pem
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ssl/privkey.pem
+-
+replace: olcTLSCACertificatePath
+olcTLSCACertificatePath: /etc/ssl/cert
+</file>
+and load it into the slapd 2.5 configuration:
+<code>
+ldapmodify -Y EXTERNAL -H ldapi:/// -f config-ssl.ldif
+</code>
+Enable ldaps into **/etc/default/slapd**:
+<file>
+SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
+</file>
+Restart the slapd service.
 ===== Adding a second (new) database =====
@@ Line 155: / Line 196: @@
 The upgrade process created a backup of the existing LDAP database into the **/var/backups/slapd-2.4.57+dfsg-3+deb11u1/** directory. In our case there is a single file **dc=rigacci,dc=org.ldif** containing all the required entries. In the following examples we extracted from the file the logically different items to be restored.
-Beware that the restore will be not a perfect copy of the previous database. Several items must be purged from the backup file before feeding it back to the LDAP server because they are not allowed to be set directly. They are:
+Beware that the restore will be not a perfect copy of the previous database. Several tags must be purged from the backup file before feeding it back to the LDAP server because they are not allowed to be set directly. They are:
   * structuralObjectClass
@@ Line 170: / Line 211: @@
 ldapadd -x -W -D "cn=admin,ou=Addressbook,dc=rigacci,dc=org" -f file.ldif
 </code>
+In the following three paragraphs we will see what is needed for a full restore.
 ==== Create the Addressbook organizationalUnit ====
@@ Line 215: / Line 259: @@
 </file>
+==== Testing an ldapsearch ====
+Finally you can test if the LDAP database is working doing a full search with **ldapsearch**:
+<code bash>
+ldapsearch -W \
+    -H ldap://127.0.0.1/ \
+    -D "cn=guest,ou=Addressbook,dc=rigacci,dc=org" \
+    -b 'ou=Addressbook,dc=rigacci,dc=org'
+</code>
+The **ldap** protocol is on port **389/tcp**, **ldaps** is on **636/tcp**.
 ===== Web References =====