Setting Up OpenLDAP OS X

For local development you may need an identity system to organize and simulate your organization's user identities. Widely used options are Windows Active Directory (AD) and OpenLDAP, the open-source implementation of the LDAP protocol. This guide is an abbreviated and revised walkthrough for setting up OpenLDAP on Mac OS X.

First of all, you need Homebrew installed; it gives you an easy-to-use utility for installing packages on macOS.

OpenLDAP installation

Open the terminal and run the command

brew install berkeley-db@4 openldap

Configuration

Before we start configuring the OpenLDAP server, let's go through some basic commands and utilities.

When we talk about OpenLDAP we essentially mean the OpenLDAP server. The slapd binary is the Stand-alone LDAP Daemon that provides the service, and the ldap* command-line tools (ldapadd, ldapsearch, ...) are the clients that talk to slapd over the LDAP protocol.

Configuration Files

Open the terminal and run slappasswd to create a password for the administrator. Follow the prompts and keep the generated hash string, which you will use as rootpw below:

$ slappasswd
New password:
Re-enter new password:
{SSHA}3UB09MP5dzzfY++3u4ogbWI9IodH2Ksy

Create the /private/etc/openldap/slapd.conf file with the following content. You may need sudo privileges to create it. Change the suffix and rootdn to fit your organization, and use the hash string generated by slappasswd for rootpw:

include		/private/etc/openldap/schema/core.schema
include		/private/etc/openldap/schema/cosine.schema
include		/private/etc/openldap/schema/dyngroup.schema
include		/private/etc/openldap/schema/nis.schema
include		/private/etc/openldap/schema/inetorgperson.schema
include		/private/etc/openldap/schema/openldap.schema
allow bind_v2
pidfile		/private/var/db/openldap/run/slapd.pid
argsfile	/private/var/db/openldap/run/slapd.args
# Global ACLs. slapd uses the first "access to" directive whose target matches and
# denies if none of its "by" clauses apply, so the "to *" directive needs "by * break"
# to fall through to the userPassword and base-entry rules below (the rootdn bypasses ACLs).
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by * break
access to attrs=userPassword by self write by * auth
access to dn.base="dc=mydomain,dc=com" by * search
 by * none
database monitor
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.base="cn=admin,dc=mydomain,dc=com" manage
 by * none
database config
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.base="cn=admin,dc=mydomain,dc=com" manage
 by * none
database	bdb
suffix		"dc=mydomain,dc=com"
rootdn		"cn=admin,dc=mydomain,dc=com"
# The {SSHA} string printed by slappasswd above, never a cleartext password
rootpw		{SSHA}3UB09MP5dzzfY++3u4ogbWI9IodH2Ksy
directory	/private/var/db/openldap/openldap-data
index	objectClass	eq

Test the configuration file

# jiangytcn @ B-30HEQ05P-0226 in /etc/openldap  [16:31:27] C:1
$ sudo slaptest -f slapd.conf
config file testing succeeded
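slaptest only checks that slapd.conf parses. The Python below is an added check, not part of the original guide: it parses the same format (tab-separated directives, "#" comments and the whitespace-indented continuation lines the ACLs use) and reports a cleartext rootpw, an "access to *" directive that shadows the directives after it, and a userPassword ACL that grants more than auth to anonymous or all users. The sample config is constructed from the guide's global ACLs with rootpw deliberately left in cleartext.

```python
import re

# Constructed sample in the slapd.conf format used above; rootpw is cleartext on purpose.
SAMPLE_CONF = """\
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
access to attrs=userPassword by self write by * auth
access to dn.base="dc=mydomain,dc=com" by * search
 by * none
database\tbdb
suffix\t\t"dc=mydomain,dc=com"
rootdn\t\t"cn=admin,dc=mydomain,dc=com"
rootpw\t\tsecret
"""

HASH_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")
TOO_PERMISSIVE = ("compare", "search", "read", "write", "manage")  # anything beyond 'auth'


def parse_slapd_conf(text):
    """Return (keyword, arguments) pairs; '#' comments are skipped and a line that
    starts with whitespace continues the previous directive, as in slapd.conf."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            kw, args = directives[-1]
            directives[-1] = (kw, args + " " + raw.strip())
            continue
        parts = raw.split(None, 1)
        directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives


def lint_slapd_conf(text):
    """Return a list of findings; an empty list means the checks passed."""
    findings, shadowed = [], False
    for kw, args in parse_slapd_conf(text):
        if kw == "database":
            shadowed = False          # a database section starts its own ACL list
        elif kw == "rootpw" and not args.startswith(HASH_SCHEMES):
            findings.append("rootpw is cleartext; use the {SSHA} string printed by slappasswd")
        elif kw == "access":
            if shadowed:
                findings.append(f"unreachable: 'access {args}' follows 'access to *' without 'by * break'")
            if "attrs=userpassword" in args.lower():
                for who, level in re.findall(r"\bby\s+(\S+)\s+(\w+)", args):
                    if who in ("*", "anonymous", "users") and level in TOO_PERMISSIVE:
                        findings.append(f"userPassword grants {level} to {who}; auth is enough to bind")
            if args.split()[:2] == ["to", "*"] and "break" not in args.split():
                shadowed = True       # first matching 'to' wins; later directives never run
    return findings
```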

Initialize the cn=config database

cd /private/etc/openldap
sudo slapcat -f slapd.conf -F . -n 0 
sudo cp /private/etc/openldap/DB_CONFIG.example /private/var/db/openldap/openldap-data/DB_CONFIG

The cn=config database will be created with the following contents:

# jiangytcn @ B-30HEQ05P-0226 in /private/etc/openldap  [16:55:40]
$ sudo ls cn=config*
cn=config.ldif

cn=config:
cn=schema			olcDatabase={-1}frontend.ldif	olcDatabase={1}monitor.ldif
cn=schema.ldif			olcDatabase={0}config.ldif	olcDatabase={2}bdb.ldif

Start slapd

Open the terminal and run the command

# jiangytcn @ B-30HEQ05P-0226 in /private/etc/openldap  [16:57:50] C:130
$ sudo /usr/libexec/slapd -F  /private/etc/openldap  -4 -d4 -s any
6272400f @(#) $OpenLDAP: slapd 2.4.28 (Feb 12 2022 02:50:30) $
	[email protected]:/AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Binaries/OpenLDAP/install/TempContent/Objects/servers/slapd
6272400f daemon_init: <null>
6272400f daemon: SLAP_SOCK_INIT: dtblsize=256
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
...
...

Create initial schema/objects

In this case we define an Admin group, add a user to the People organizational unit and make that user a member of the Admin group through a matching gidNumber. The ldapadd command below reads this LDIF from miscs/ldap_data.ldif:

# Base entry for the suffix configured in slapd.conf
dn: dc=mydomain,dc=com
dc: mydomain
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Groups

# Admin group; users join it through a matching gidNumber
dn: cn=Admin,ou=Groups,dc=mydomain,dc=com
objectClass: posixGroup
cn: Admin
gidNumber: 5000

# PASSWORD and FULLNAME are placeholders to replace before loading
dn: uid=jiangytcn_ldap,ou=People,dc=mydomain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jiangytcn_ldap
sn: jiangyitao.jyt
givenName: Yitao
cn: jiangytcn_ldap
displayName: Yitao Jiang
uidNumber: 10000
gidNumber: 5000
userPassword: PASSWORD
gecos: FULLNAME
loginShell: /bin/bash
homeDirectory: /home/users/jiangytcn_ldap
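The userPassword value in this LDIF is a cleartext PASSWORD placeholder, and ldapadd stores the attribute exactly as given. The following is an added example, not code from the guide: it computes the same {SSHA} form that slappasswd produced for rootpw above (base64 of the SHA-1 digest followed by the salt), verifies a candidate password against it, and renders the ou=People entry with a hashed userPassword; the uid, uidNumber and name are whatever you pass in.

```python
import base64
import hashlib
import os

# Added example: the {SSHA} scheme slappasswd used above, applied to the
# userPassword of the ou=People entry instead of the cleartext PASSWORD placeholder.

def ssha_hash(password, salt=b""):
    """{SSHA} = base64( SHA-1(password || salt) || salt ). slappasswd uses a
    4-byte random salt, so 20 + 4 bytes become the 32-character string in the guide."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Return (digest, salt): the salt is whatever follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(stored, password):
    """True if password matches stored; this is the comparison slapd makes on a simple bind."""
    digest, salt = ssha_split(stored)
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def people_entry(uid, uid_number, full_name, password, salt=b""):
    """Render an ou=People entry like the guide's, with uid/uidNumber/name filled in,
    gidNumber 5000 (the Admin group) and a hashed userPassword."""
    return "\n".join([
        f"dn: uid={uid},ou=People,dc=mydomain,dc=com",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {full_name.split()[-1]}",
        f"displayName: {full_name}",
        f"uidNumber: {uid_number}",
        "gidNumber: 5000",
        f"userPassword: {ssha_hash(password, salt)}",
        f"gecos: {full_name}",
        "loginShell: /bin/bash",
        f"homeDirectory: /home/users/{uid}",
    ]) + "\n"
```

Write the rendered entry into the LDIF file before running ldapadd so the directory never holds the cleartext password.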

Use the admin credentials to add the data and follow the prompts:

ldapadd -D 'cn=admin,dc=mydomain,dc=com'  -f miscs/ldap_data.ldif  -W -x

Query the identities stored in the OpenLDAP server:

# jiangytcn @ B-30HEQ05P-0226 in ~/github.com/SecAccessManagement  [18:29:37] C:130
$ ldapsearch  -D 'cn=admin,dc=mydomain,dc=com' -b 'dc=mydomain,dc=com'  -W -x cn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mydomain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: cn
#

# mydomain.com
dn: dc=mydomain,dc=com

# People, mydomain.com
dn: ou=People,dc=mydomain,dc=com

# Groups, mydomain.com
dn: ou=Groups,dc=mydomain,dc=com

# Admin, Groups, mydomain.com
dn: cn=Admin,ou=Groups,dc=mydomain,dc=com
cn: Admin

# jiangytcn_ldap, People, mydomain.com
dn: uid=jiangytcn_ldap,ou=People,dc=mydomain,dc=com
cn: jiangytcn_ldap

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5