Talk:Centralized authentication using OpenLDAP

LDAP in 2021

 * slapd.ldif does not work out of the box; it is incomplete beyond the red warnings in the text, e.g. modules are named .so and not .la, and schemas end with .ldif and are not correctly migrated from slapd.conf
 * there will be no basic structure, e.g. an object of type organization; phpldapadmin cannot deal with this situation
 * the schemas in use are a little bit off, e.g. memberUid of type posixGroup is supported by phpldapadmin after it has been created once for a user, but it is not part of, for example, the phpldapadmin UI; it is not trivial to have secondary groups for a posixAccount
 * slapd.ldif contains sample blocks (ACLs) indented with tabs; slapadd sees this as a syntax error, it must be spaces instead
 * TLS configuration is not present in slapd.ldif, and it is a bit tedious (blank lines and order) to get it in there
 * the overall structure of the article does not yield a working and reliable/secure configuration in finite time without deeper knowledge of the tools (not only LDAP itself)
 * the security implications are not clearly outlined: server cert, CA, optional client certs (simply disabled in a side note), password algorithms, management role(s)

I suggest clearly stating a goal with a target structure, and at least the manager role and a single user with multiple groups plus a few additional elements like e-mail and maybe one or two services.

The next section would work through the various stages: installation, configuration with TLS and the basic structure, starting the service, ldapadd of a few basic things (posix groups, a user, secondary groups). Finally, link to phpldapadmin (to be created) to have it basically working for what it was meant for: centralized authentication.

Current status: hard to get up and running at all. --Onkobu (talk) 21:12, 11 December 2021 (UTC)
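The pitfalls the comment above lists (tab-indented ACL sample blocks that slapadd rejects, .la module names, .schema includes carried over from slapd.conf) and the posixGroup/memberUid layout it asks for (one user, a primary group, several secondary groups), as an added example that is not part of the wiki article or of OpenLDAP itself. It is a small Python linter for a cn=config bootstrap slapd.ldif plus an LDIF writer with RFC 2849 folding; the sample slapd.ldif, the paths in it, the ou=People/ou=Groups layout and the sequential gidNumber policy are constructed assumptions.

```python
"""Lint a cn=config bootstrap LDIF (slapd.ldif) for the pitfalls named in the
comment above and emit posixGroup/posixAccount records with RFC 2849 folding.
Added example, not part of the wiki article or of OpenLDAP; the sample input,
its paths and the ou=People/ou=Groups layout are constructed assumptions."""
import base64
import re

# RFC 2849: a continuation line starts with exactly ONE space.  A line that
# starts with a tab is neither a continuation nor a valid "attr: value" line,
# so slapadd reports a syntax error for tab-indented sample blocks.
_TAB_LINE = re.compile(r"^\t")
_MODULE_LOAD = re.compile(r"^olcModuleLoad:\s*(\S+)", re.IGNORECASE)
_INCLUDE = re.compile(r"^include:\s*(\S+)", re.IGNORECASE)
# Simplified SAFE-STRING: printable ASCII, not starting with space, ':' or '<'.
_SAFE_VALUE = re.compile(r"^[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*$")


def lint_slapd_ldif(text):
    """Return [(line_number, message)] for the three pitfalls; [] when clean."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if _TAB_LINE.match(line):
            findings.append((lineno, "tab-indented line; LDIF continuation "
                                     "lines must start with a single space"))
            continue
        m = _MODULE_LOAD.match(line)
        if m and m.group(1).endswith(".la"):
            findings.append((lineno, f"olcModuleLoad names a libtool .la file "
                                     f"({m.group(1)}); installed modules are .so "
                                     f"(see the comment above)"))
        m = _INCLUDE.match(line)
        if m and m.group(1).endswith(".schema"):
            findings.append((lineno, f"include of a slapd.conf-style .schema "
                                     f"({m.group(1)}); cn=config needs the .ldif"))
    return findings


def fix_tab_continuations(text):
    """Rewrite leading tabs as the single space LDIF folding requires."""
    return re.sub(r"^\t+", " ", text, flags=re.MULTILINE)


def ldif_attr(name, value):
    """One 'name: value' line, base64 (':: ') when the value is not safe,
    folded at 76 columns with single-space continuation lines."""
    if isinstance(value, str) and _SAFE_VALUE.match(value):
        line = f"{name}: {value}"
    else:
        raw = value.encode("utf-8") if isinstance(value, str) else value
        line = f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return "\n".join([line[:76]] + [" " + line[i:i + 75]
                                    for i in range(76, len(line), 75)])


def posix_entries(base_dn, uid, uid_number, primary_group, secondary_groups,
                  gid_base=10000):
    """LDIF for a posixAccount plus its groups.  The primary group is bound by
    gidNumber on the account; each secondary group lists the uid in memberUid,
    which is what nss/sssd use to resolve supplementary groups.  gidNumbers are
    assigned sequentially from gid_base (an assumed example policy)."""
    gids = {g: gid_base + i for i, g in enumerate([primary_group, *secondary_groups])}
    records = []
    for group, gid in gids.items():
        attrs = [("dn", f"cn={group},ou=Groups,{base_dn}"),
                 ("objectClass", "posixGroup"), ("cn", group),
                 ("gidNumber", str(gid))]
        if group != primary_group:
            attrs.append(("memberUid", uid))
        records.append("\n".join(ldif_attr(n, v) for n, v in attrs))
    user = [("dn", f"uid={uid},ou=People,{base_dn}"),
            ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
            ("uid", uid), ("cn", uid), ("sn", uid),
            ("uidNumber", str(uid_number)),
            ("gidNumber", str(gids[primary_group])),
            ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/bash")]
    records.append("\n".join(ldif_attr(n, v) for n, v in user))
    return "\n\n".join(records) + "\n"


# Constructed sample reproducing the three pitfalls (paths are assumptions).
SAMPLE_SLAPD_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: back_mdb.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.schema

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcAccess: to attrs=userPassword
\tby self write
\tby anonymous auth
\tby * none
"""

if __name__ == "__main__":
    for lineno, msg in lint_slapd_ldif(SAMPLE_SLAPD_LDIF):
        print(f"slapd.ldif:{lineno}: {msg}")
    print(posix_entries("dc=example,dc=com", "alice", 10001, "users", ["wheel", "docker"]))
```

Run the linter over a slapd.ldif before handing it to slapadd; the writer folds long values with a single leading space, which is the same rule that makes the tab-indented lines a syntax error. It is a text check only: it does not validate attributes against the schema and does not try to load anything.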

Client notes
LAM (LDAP Account Manager) is a similar free (GPL-licensed) tool with a web client.

But it is still not in portage (Gentoo overlay).

I'm not familiar enough with ebuilding web-utils. So, if anybody is interested in this tool, add it to the tree first.

 * looks like not and --Cronolio (talk) 18:17, 2 June 2017 (UTC)

Online Configuration
SwifT, why have you dropped the note about the limitations of the LDIF backend?

When using OLC-style configuration this may produce some unpleasant surprises.

This guide should be converted to make use of OpenLDAP's online configuration instead of using a slapd.conf. Upstream has recommended not using the slapd.conf file anymore for several years.

--Eliasp (talk) 00:10, 11 January 2014 (UTC)

 * Made the initial description of OLC (aka cn=config). The description will be enhanced. Please review it; my English is… not good enough. To my mind, we should NOT try to make the guide shorter or easier, but first of all divide it into two (or even up to four, since OpenLDAP is not the only directory implementation in the portage tree) parts:

 * 1) General overview,
 * 2) Server setup and _maintenance_ (!) (separate articles for OpenLDAP, 389 etc.),
 * 3) Server usage for authentication purposes,
 * 4) Followed by descriptions of usage for certificate distribution and so on.

--Anarchist Oct 27 10:02:47 UTC 2014

I am willing to write a guide. OpenLDAP is a mountain of config that could potentially have pitfalls. I need someone to review my method.

To start, a guide that uses the following:

 * 1) Latest stable version of OpenLDAP.
 * 2) Using StartTLS on port 389.
 * 3) Include an authentication example using sssd (as this seems like the nice way).
 * 4) Use LAM (LDAP Account Manager) in the guide. This seems sane and I believe it will make any guide ten times shorter.

Let me know what do you think. --James.cordell (talk) 10:39, 16 April 2014 (UTC)

 * Anything that might make the guide shorter or easier to follow is greatly welcomed. I have no experience with LAM, so by all means, go ahead. I was considering splitting things up into separate pages (the guide currently uses a multi-stage approach to end up where it is, but that approach does make it less easy to follow). --SwifT (talk) 20:08, 16 April 2014 (UTC)

I have added lots of bits, including the slaptest. The guide would be better with the simpler sssd for client authentication. This would be an alternative to pam_ldap, nss_ldap etc. What do you think? Maybe there should be separate guides. Also, should hdb be used instead of ldbm? hdb is the recommended one?

--James.cordell (talk) 15:58, 25 April 2014 (UTC)

I'm a lot happier with that. It needs normal people to test it now :)

--James.cordell (talk) 01:09, 28 April 2014 (UTC)

Test help needed
Gentoo users of rsyslog and systemd: please contact me to verify some app-specific questions in the article.

--Anarchist