On this page I describe how to install an "LDAP server" on a router (Asus RT-AC56U). We use some Entware packages, so please refer to this page on how to install Entware on a router. We will install the "OpenLDAP server" using Entware packages.
In order to install the "OpenLDAP server" with Entware packages, we have to execute the following line:
opkg install openldap-server openldap-utils
After this, make a backup of the files "/opt/etc/openldap/ldap.conf" and "/opt/etc/openldap/slapd.conf".
This is the new content of the file "/opt/etc/openldap/ldap.conf":
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=office,dc=data
URI ldap://192.168.1.4
Please refer to this page for further details about the configuration file "ldap.conf".
In the above-mentioned example, the default base "dc=office,dc=data" will be used throughout this page, while the IP address "192.168.1.4" is the address of the router where we install the "OpenLDAP server".
We also need to create a new file "/opt/etc/openldap/slapd.conf":
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /opt/etc/openldap/schema/core.schema
include /opt/etc/openldap/schema/cosine.schema
include /opt/etc/openldap/schema/inetorgperson.schema

loglevel 296

pidfile /opt/var/run/slapd.pid
argsfile /opt/var/run/slapd.args

############################
# MDB database definitions
############################

database ldif
suffix "ou=Addressbook,dc=office,dc=data"
rootdn "cn=admin,ou=Addressbook,dc=office,dc=data"
#rootpw {SSHA}
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /opt/var/openldap-data

# Simple ACL granting read access to the world
access to * by * read
Please refer to this page for further details about the configuration file "slapd.conf".
Note that we have included the administrator account "rootdn", but without a password. I suggest creating a password for the administrator account: please read the following section, "How to setup a password for administrator account".
We must create the database directory before starting the
"OpenLDAP" daemon, with the following lines:
mkdir /opt/var/openldap-data
chmod 700 /opt/var/openldap-data
Then we must test whether the configuration file is correct:
slapd -T test
If it returns "config file testing succeeded", then the configuration file
is correct. Otherwise something inside the configuration file is wrong.
To start the "OpenLDAP" daemon, we have to execute the following command line:
/opt/etc/init.d/S58slapd start
In the previous section we have included the administrator account "rootdn", but without a password. In this section I briefly explain how to set up a password for the administrator account.
We must create a script file, for example named "generate.sh", with the following content:
#!/bin/sh
# Usage: ./generate.sh <password>  ->  prints {SSHA}base64(SHA1(password||salt)||salt)
# Salt and digest are binary, so they go through files: shell variables drop NUL bytes.
PASS="$1"
TMP="$(mktemp -d)" || exit 1
trap 'rm -rf "$TMP"' EXIT
openssl rand 3 > "$TMP/salt"
{ printf '%s' "$PASS"; cat "$TMP/salt"; } | openssl dgst -binary -sha1 > "$TMP/digest"
printf '{SSHA}'
cat "$TMP/digest" "$TMP/salt" | openssl enc -base64
In the above-mentioned script, we use the command "openssl". Normally a router should include this command, but if it is not included, we can install an Entware package with the following command line:
opkg install openssl-util
To generate a password hash, we must execute the script, passing our password to it; for example, if we want to use the password "secret", we must input:
./generate.sh secret
The output returned by this script (including the "{SSHA}" prefix) is the value that we must put inside the configuration file "/opt/etc/openldap/slapd.conf" on the "rootpw" line: uncomment that line and replace its "{SSHA}" placeholder with the script output. In this way we have the following lines in the above-mentioned configuration file:
rootdn "cn=admin,ou=Addressbook,dc=office,dc=data"
rootpw {SSHA}cF/RbPI0zOecojYc30UONVNBF2ke+Bg=
Finally we restart the "OpenLDAP" daemon with command line:
/opt/etc/init.d/S58slapd restart
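The same {SSHA} construction, written in Python as an added example (not code from the original page) so the format can be inspected and verified offline: the salt is whatever follows the 20-byte SHA-1 digest, and verify_ssha recomputes the digest with that salt, which is how slapd checks a candidate password against the rootpw value.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_ssha(password, salt=None):
    """Return an OpenLDAP {SSHA} value: base64( SHA1(password || salt) || salt ).

    A 3-byte random salt matches the generate.sh script above; slapd accepts
    any salt length because everything after the 20-byte digest is the salt."""
    if salt is None:
        salt = os.urandom(3)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored):
    """Split a {SSHA} value into (digest, salt); return None if it is malformed."""
    if not stored.startswith("{SSHA}"):
        return None
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # bad base64 (binascii.Error is a ValueError subclass)
        return None
    if len(blob) <= SHA1_LEN:  # needs the digest plus at least one salt byte
        return None
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def verify_ssha(password, stored):
    """Check a candidate password against a stored {SSHA} value, comparing the
    digests in constant time so the check does not leak how many bytes matched."""
    parts = split_ssha(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = make_ssha("secret")
    print(h, verify_ssha("secret", h), verify_ssha("wrong", h))
```

Once OpenLDAP is installed, its own slappasswd tool produces the same format (slappasswd -h '{SSHA}' -s secret) and can be used instead of the script.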
Now it is time to initialize the database of the "OpenLDAP server", adding the first entries to it.
The first entry is the root entry of the database. We create a root LDIF file, for example called "start.ldif", with the following content:
dn: ou=Addressbook,dc=office,dc=data
objectclass: top
objectclass: organizationalUnit
ou: Addressbook
We insert the above-mentioned file into the database using the command "ldapadd" (the "-W" option prompts for the admin password):
ldapadd -x -W -D "cn=admin,ou=Addressbook,dc=office,dc=data" -f start.ldif
Please refer to this page for further details about the "ldapadd" command.
Then we can insert a test entry into the database, using a test LDIF file called "test.ldif" with the following content:
dn: cn=Testing,ou=Addressbook,dc=office,dc=data
cn: Testing
givenname: Testing
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: Testing
telephonenumber: 9999999
We insert the above-mentioned file into the database using the command "ldapadd" (the "-W" option prompts for the admin password):
ldapadd -x -W -D "cn=admin,ou=Addressbook,dc=office,dc=data" -f test.ldif
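An added Python example (not from the original page) that builds addressbook records with the same shape as test.ldif above and handles the cases a hand-written file gets wrong: values with non-ASCII characters, a leading or trailing space, or a leading ':' are base64-encoded on an "attr::" line as LDIF requires, and characters such as ',' inside the cn are escaped in the DN. BASE_DN is the suffix from the slapd.conf on this page.

```python
import base64

BASE_DN = "ou=Addressbook,dc=office,dc=data"  # suffix from slapd.conf on this page


def ldif_line(attr, value):
    """One LDIF attribute line (RFC 2849). Values that may not appear in clear
    (non-ASCII, NUL/CR/LF, a leading space, ':' or '<', a trailing space) are
    written as 'attr:: <base64>' instead of 'attr: value'."""
    raw = value.encode("utf-8")
    safe = (
        all(b < 128 and b not in (0, 10, 13) for b in raw)
        and value[:1] not in (" ", ":", "<")
        and not value.endswith(" ")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def dn_escape(value):
    """Escape an RDN value for use in a DN (RFC 4514), so that a cn such as
    'Doe, John' is not parsed as two RDN components."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def person_ldif(cn, givenname, sn, telephonenumber):
    """Build one addressbook record with the attributes used by test.ldif."""
    lines = [
        f"dn: cn={dn_escape(cn)},{BASE_DN}",
        ldif_line("cn", cn),
        ldif_line("givenname", givenname),
        "objectclass: top",
        "objectclass: person",
        "objectclass: organizationalPerson",
        ldif_line("sn", sn),
        ldif_line("telephonenumber", telephonenumber),
    ]
    return "\n".join(lines) + "\n"


def addressbook_ldif(people):
    """Join several (cn, givenname, sn, phone) tuples into one file for ldapadd;
    LDIF separates records with a blank line."""
    return "\n".join(person_ldif(*p) for p in people)
```

The result can be written to a file and loaded with the same ldapadd command line as above.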
On this page I describe how to manage database entries through the web server. Before doing this, please refer to this page on how to install the web server.
To do this job, we will install a PHP application called "ABLdap". We download the latest compressed file and then we extract it directly into the root folder of the web server, for example into the folder "/opt/share/www/lighttpd/abldap" (the subfolder "abldap" must be created before extracting the files).
Inside the folder "/opt/share/www/lighttpd/abldap", we have to set up the "config.php" file in order to use our database with the proper parameters. This is the resulting content of the file "config.php", according to the values included in the "OpenLDAP" configuration file:
<?php
$config['locale'] = 'en_US';

// Insecure connection (LDAP data will be transmitted in clear text)
$config['ldaphost'] = 'localhost';
// Secure connection, using the ldaps protocol.
//$config['ldaphost'] = 'ldaps://127.0.0.1/';

// suffix: starting point for the search, as in ldapsearch -b
$config['suffix'] = 'ou=Addressbook,dc=office,dc=data';

// rootdn: Distinguished Name used to bind to the LDAP directory, as in ldapsearch -D
$config['rootdn'] = 'cn=admin,ou=Addressbook,dc=office,dc=data';

// IF you define the admin password, ABLdap will do an auto-logon.
//$config['rootpw'] = 'MySecret';
?>
Then we have to copy the file "/opt/share/www/lighttpd/abldap/doc/examples/mozillaabpersonalpha.schema" into the folder "/opt/etc/openldap/schema/".
Then we add the line "include /opt/etc/openldap/schema/mozillaabpersonalpha.schema" to the configuration file "/opt/etc/openldap/slapd.conf", so that we have:
include /opt/etc/openldap/schema/core.schema
include /opt/etc/openldap/schema/cosine.schema
include /opt/etc/openldap/schema/inetorgperson.schema
include /opt/etc/openldap/schema/mozillaabpersonalpha.schema
We also have to install some PHP modules for the web server, using the following command line:
opkg install php7-mod-gettext php7-mod-session php7-mod-ldap
And finally we can restart the web server with the following command line:
/opt/etc/init.d/S80lighttpd restart
We open the browser and go to the "abldap" subfolder. A PHP page will appear, and we simply have to input the administrator password.
The PHP application shows a list of entries; we can add other entries to the database, change an entry or delete an entry.