OpenLDAP tutorial – Remote configuration management by the administrator

Prerequisites: OpenLDAP is installed and pre-configured on a Debian, Ubuntu or compatible system; see the previous articles about OpenLDAP.

1. Avoid entering the administrator password at each command

Store the super administrator password (“admin” in the sample) in a file:
echo -n "admin" > ~/pwdAdmin
chmod 600 ~/pwdAdmin
This creates the «pwdAdmin» file, readable only by its owner, containing the super administrator password. To test it:
ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -y ~/pwdAdmin -b dc=ldaptuto,dc=net
The advantage of using the LDAP server administrator account instead of the system administrator account (root) is that commands can be executed remotely, for example from a desktop machine. In that case, replace localhost with the DNS name or the IP address of the remote server.

2. Super administrator access rights to server configuration

The configuration of the OpenLDAP server is stored in the database under the DIT cn=config. It is the equivalent of the content of the slapd.conf configuration file in the old-style setup. By default the super administrator cannot access this configuration:
ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -y ~/pwdAdmin -b cn=config
The result of this command is empty. We will use the extended rights of the «root» system user to give the OpenLDAP super administrator access to the configuration data. Create the LDIF file «acces-admin.ldif» with the following content:
dn: olcDatabase={0}config,cn=config
changeType: modify
add: olcAccess
olcAccess: to * by dn.exact=cn=admin,dc=ldaptuto,dc=net manage by * break
Then, execute the modify command on the server:
sudo ldapmodify -Y external -H ldapi:/// -f acces-admin.ldif
This gives the administrator (cn=admin,dc=ldaptuto,dc=net) read and write rights on all the configuration data of the server. It can easily be verified by re-running the previous query on cn=config, which returned no results before the change.
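To see why the appended rule ends with «by * break» and why the order of the olcAccess values in cn=config matters, here is an added toy evaluator of olcAccess values, written for this tutorial and not OpenLDAP's own code. The «{0}» root-only rule in the constructed sample is an assumption about the distribution's default and should be checked against the real cn=config output once the query above returns results.

```python
import re

# Toy model of how slapd evaluates olcAccess (not OpenLDAP's own code): only
# 'to *', <who> in {'*', 'dn.exact=<DN>'}, plain levels and stop/break/continue.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = ("stop", "break", "continue")

# Constructed sample: {0} is assumed to be the distribution's default root-only
# rule on olcDatabase={0}config; {1} is the rule the tutorial appends.
CONFIG_ACLS = [
    "{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break",
    "{1}to * by dn.exact=cn=admin,dc=ldaptuto,dc=net manage by * break",
]

def parse_acl(acl):
    """Return (who, access, control) tuples; omitted access is 'none', omitted control 'stop'."""
    m = re.match(r"to\s+\*\s+(by\s.*)$", re.sub(r"^\{\d+\}", "", acl.strip()))
    if not m:
        raise ValueError("only 'to * by ...' values are supported: " + acl)
    clauses = []
    for part in re.split(r"\s+by\s+", " " + m.group(1))[1:]:
        tokens = part.split()
        access = next((t for t in tokens[1:] if t in LEVELS), "none")
        control = next((t for t in tokens[1:] if t in CONTROLS), "stop")
        clauses.append((tokens[0], access, control))
    return clauses

def who_matches(who, requester_dn):
    if who == "*":
        return True
    if who.startswith("dn.exact="):
        return who[len("dn.exact="):].lower() == requester_dn.lower()
    raise ValueError("unsupported <who>: " + who)

def evaluate(acls, requester_dn):
    """Level requester_dn gets: the first matching 'by' decides; 'stop' returns,
    'break' moves on to the next olcAccess value, 'continue' keeps scanning."""
    for acl in acls:
        level = None
        for who, access, control in parse_acl(acl):
            if not who_matches(who, requester_dn):
                continue
            level = access
            if control == "stop":
                return level
            if control == "break":
                break  # abandon this value and try the next one
        else:  # no stop/break hit: this value decides (implicit 'by * none')
            return level if level is not None else "none"
    return "none"  # every value broke through: nothing granted
```

Replacing the «by * break» of the {0} rule with «by * none» makes the appended {1} rule unreachable, which is why a rule that must stay reachable by later ones ends with break.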