OpenLDAP tutorial – Remote configuration management by the administrator

This OpenLDAP tutorial shows how to grant configuration management access to the server administrator (the rootDN). That administrator account is created during the installation procedure, but it does not have sufficient rights to read or modify the configuration settings. Granting it those rights makes the configuration easier to manage, because it can then be modified remotely instead of only from the server itself.

Prerequisites: OpenLDAP is installed and pre-configured on a Debian, Ubuntu or compatible system (see the previous articles about OpenLDAP).

1. Avoid entering the administrator password at each command

Store the super administrator password («admin» in the sample) in a file:

echo -n "admin" > ~/pwdAdmin
chmod 600 ~/pwdAdmin

This creates the «pwdAdmin» file containing the super administrator password, readable only by its owner. The -n option of echo keeps a trailing newline out of the file: the -y option of the LDAP tools uses the complete file content as the password, newline included. To test it:

ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -y ~/pwdAdmin -b dc=ldaptuto,dc=net

The advantage of using the server administrator account (a simple bind with a password) instead of the system administrator account (root, which binds through the local socket) is that the commands can be executed remotely, for example from a desktop machine. In that case, replace localhost with the DNS name of the remote machine or its IP address. Over plain ldap:// a simple bind sends the password in clear text, so a remote machine should use ldaps:// or StartTLS (the -ZZ option) rather than ldap://.

2. Super administrator access rights to server configuration

The configuration of the OpenLDAP server is stored in the database under the DIT cn=config. It is the equivalent of the content of the slapd.conf configuration file in the old-style setup. By default the super administrator cannot access this configuration:

ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -y ~/pwdAdmin -b cn=config

The result of this command is empty.

We will use the extended rights of the «root» system user (a SASL EXTERNAL bind over the local ldapi:/// socket) to give the OpenLDAP super administrator access to the configuration data. Create the LDIF file «acces-admin.ldif» with the following content:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by dn.exact=cn=admin,dc=ldaptuto,dc=net manage by * break

Then, execute the modify command on the server:

sudo ldapmodify -Y external -H ldapi:/// -f acces-admin.ldif

This gives the administrator (cn=admin,dc=ldaptuto,dc=net) read and write rights (manage) on all configuration data of the server. The rule is appended after the existing one for the local root user, and its final «by * break» lets evaluation continue to the next rule for identities it does not match, so no other account gains access. It can easily be verified by running the previous query on cn=config, which returned no results before the change. Note that the administrator password now also protects the server configuration, so it must be guarded as carefully as root access to the server.
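Added example, not part of the original tutorial: a small Python helper that builds the LDIF above for a given rootDN and checks, from the output of ldapsearch -LLL on cn=config, whether a manage rule for that DN is present on the {0}config database. The sample output below is constructed; the unfolding step is needed because ldapsearch wraps long attribute values onto continuation lines starting with a space.

```python
"""Build the cn=config ACL modification and verify it from ldapsearch output."""
import re

ADMIN_DN = "cn=admin,dc=ldaptuto,dc=net"


def build_access_ldif(admin_dn: str) -> str:
    """LDIF that appends a manage rule for admin_dn to olcDatabase={0}config."""
    return (
        "dn: olcDatabase={0}config,cn=config\n"
        "changetype: modify\n"
        "add: olcAccess\n"
        f"olcAccess: to * by dn.exact={admin_dn} manage by * break\n"
    )


def unfold_ldif(text: str) -> str:
    """Join LDIF continuation lines (a leading space marks a wrapped line)."""
    return re.sub(r"\r?\n ", "", text)


def config_db_rules(ldif_text: str) -> list:
    """Ordered olcAccess values of olcDatabase={0}config, {n} prefixes removed."""
    for entry in unfold_ldif(ldif_text).strip().split("\n\n"):
        lines = entry.splitlines()
        if lines and lines[0].lower() == "dn: olcdatabase={0}config,cn=config":
            return [re.sub(r"^\{\d+\}", "", line.split(":", 1)[1].strip())
                    for line in lines if line.lower().startswith("olcaccess:")]
    return []


def grants_manage(rules: list, dn: str) -> bool:
    """True if some 'to *' rule gives manage to exactly this DN."""
    pattern = re.compile(r"^to \* .*\bby dn\.exact=" + re.escape(dn) + r" manage\b")
    return any(pattern.search(rule) for rule in rules)


# Constructed ldapsearch -LLL output: before the change only the root rule exists.
SAMPLE_BEFORE = """dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth manage by * break
"""
# Constructed output after applying the LDIF: the admin rule was appended as {1}.
SAMPLE_AFTER = SAMPLE_BEFORE + (
    "olcAccess: {1}to * by dn.exact=cn=admin,dc=ldaptuto,dc=net manage by * break\n"
)

if __name__ == "__main__":
    print(build_access_ldif(ADMIN_DN))
    print("admin has manage:", grants_manage(config_db_rules(SAMPLE_AFTER), ADMIN_DN))
```

On a real server, feed the helper the output of ldapsearch -LLL -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -y ~/pwdAdmin -b cn=config olcAccess instead of the constructed samples.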