Robot Has No Heart

Xavier Shay blogs here

A robot that does not have a heart

LDAP Address Book with FreeBSD and SSL

First you need to install and configure the OpenLDAP server. Clearly you won’t want to use rhnh.net – just substitute in your own domain.

sudo pkg_add -r openldap24-server
sudo pkg_add -r openssl

sudo cp /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf
# Generate a self-signed certificate with the private key in the same file.
# Answer the Common Name prompt with the hostname clients will use in their
# URI (rhnh.net here); a client that verifies the certificate checks the name.
# The original used rsa:1024, which is too short today.
sudo openssl req -newkey rsa:2048 -x509 -nodes -out server.pem -keyout server.pem -days 3650
sudo mkdir /usr/local/etc/ldap
sudo mv server.pem /usr/local/etc/ldap
# server.pem holds the private key: only the user slapd runs as may read it
# (the FreeBSD port runs slapd as user ldap)
sudo chown ldap:ldap /usr/local/etc/ldap/server.pem
sudo chmod 600 /usr/local/etc/ldap/server.pem

# /etc/rc.conf
slapd_enable="YES"
# Only ldaps:// is listed, so nothing listens on the plaintext port 389.
# The hostname must resolve to an address of this machine, otherwise slapd
# exits at startup with "bind() failed ... Can't assign requested address".
slapd_flags='-h "ldaps://rhnh.net/"'

# /usr/local/etc/openldap/ldap.conf
# Add these same settings not just on the server but for each client
BASE dc=rhnh,dc=net
URI ldaps://rhnh.net/
# 'allow' asks the server for a certificate but never verifies it, so the
# connection is encrypted but the server is not authenticated.
TLS_REQCERT allow

# /usr/local/etc/openldap/slapd.conf
# Add (cosine.schema must come before inetorgperson.schema, which depends on it)
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema

TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /usr/local/etc/ldap/server.pem
TLSCertificateFile /usr/local/etc/ldap/server.pem
TLSCertificateKeyFile /usr/local/etc/ldap/server.pem

# Refuse anonymous operations: every request needs an authenticated bind
require authc

# Modify these properties from their defaults
suffix          "dc=rhnh,dc=net"
rootdn          "cn=xavier,dc=rhnh,dc=net"
# Use slappasswd to generate your own hash. The one below is of the word
# "secret". slapd.conf does not accept a trailing comment on the rootpw line
# itself, so keep the note on its own line.
rootpw          {SSHA}Iogj+Awafoj9FP5IdLVy1DmFaASDw1P5
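With TLS_REQCERT allow every client accepts whatever certificate it is shown, so anyone who can answer for rhnh.net on port 636 gets the bind password and the address book. Because the server certificate is self-signed there is no CA to lean on; the client has to pin the one certificate it expects. The fragment below is an added example, not part of the original post. It assumes the server.pem generated above and a copy of only its certificate part distributed to clients as /usr/local/etc/ldap/server.crt.

```conf
# /usr/local/etc/openldap/ldap.conf  (on each client)

# Weak, as in the walkthrough above: the certificate is requested but never
# checked, so the client will happily talk to an impostor on port 636.
#TLS_REQCERT allow

# Hardened: trust exactly this self-signed certificate and refuse the rest.
# server.crt is the certificate only; the private key stays on the server.
BASE        dc=rhnh,dc=net
URI         ldaps://rhnh.net/
TLS_CACERT  /usr/local/etc/ldap/server.crt
TLS_REQCERT demand
```

Extract the certificate without the key with `openssl x509 -in server.pem -out server.crt` before copying it to clients. With demand, libldap also checks that the host in URI matches the certificate's subject, which is why the Common Name entered at the openssl req prompt has to be rhnh.net (or whatever name the clients connect to); a mismatch fails the connection rather than silently falling back.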

Start the server and check that it answers on port 636 with the certificate you just generated (everything is apples if s_client prints it and reports no handshake error):

sudo /usr/local/etc/rc.d/slapd start
openssl s_client -connect rhnh.net:636 -showcerts < /dev/null

Create the base entries (the domain object and an ou to hold the address book), followed by an example contact entry.

# directory.ldif
dn: dc=rhnh, dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
dc: rhnh
o:  Robot Has No Heart

dn: ou=people, dc=rhnh, dc=net
objectClass: top
objectClass: organizationalUnit
ou: people

# contact.ldif
dn: cn=Xavier Shay, ou=people, dc=rhnh, dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Xavier Shay
gn: Xavier
sn: Shay
mail: contact@rhnh.net
ou: people
mobile: 0400-123-456
ldapadd -x -D 'cn=xavier,dc=rhnh,dc=net' -W -f directory.ldif
ldapadd -x -D 'cn=xavier,dc=rhnh,dc=net' -W -f contact.ldif
# Check everything worked. -x selects a simple bind and -W prompts for the password (-w would expect it on the command line)
ldapsearch -x -D 'cn=xavier,dc=rhnh,dc=net' -W '(objectClass=inetOrgPerson)'
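Writing contact.ldif by hand is fine for one entry; anything that generates entries from a list (the "drop box" idea below) has to get two encodings right or a contact can end up malformed or under the wrong DN. The script below is an added example, not code from the original post: it emits inetOrgPerson entries shaped like contact.ldif for a constructed list of contacts, escaping RDN values per RFC 4514 and base64-encoding attribute values that LDIF cannot carry literally per RFC 2849. The base DN ou=people,dc=rhnh,dc=net is taken from directory.ldif; the sample names and addresses are made up.

```python
"""Generate address-book LDIF for ldapadd (added example, not from the post)."""
import base64
import re

# The ou created by directory.ldif; assumed to be where contacts live
BASE_DN = "ou=people,dc=rhnh,dc=net"

# RFC 4514: these characters need a backslash inside a DN attribute value
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_dn_value(value: str) -> str:
    """Escape a value for use in an RDN such as cn=...

    Without this, a cn of "Smith,ou=admins" would parse as two RDNs and the
    entry would be created somewhere the caller never intended.
    """
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped[:1] in ("#", " "):          # leading '#' or space is special too
        escaped = "\\" + escaped
    if escaped.endswith(" "):               # as is a trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def ldif_attr(name: str, value: str) -> str:
    """Render one attribute line.

    RFC 2849 forbids a literal value that starts with space, ':' or '<', or
    that contains NUL, CR, LF or any non-ASCII character; such values are
    written base64-encoded after a double colon ("name:: ...").
    """
    unsafe = (
        value[:1] in (" ", ":", "<")
        or any(c in value for c in "\x00\r\n")
        or not value.isascii()
    )
    if unsafe:
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {b64}"
    return f"{name}: {value}"


def contact_ldif(given: str, surname: str, mail: str, mobile: str = "") -> str:
    """Return one inetOrgPerson entry shaped like contact.ldif above."""
    cn = f"{given} {surname}"
    dn = f"cn={escape_dn_value(cn)},{BASE_DN}"
    lines = [
        ldif_attr("dn", dn),                # becomes "dn::" for a non-ASCII name
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        ldif_attr("cn", cn),
        ldif_attr("givenName", given),      # "gn" in the post is an alias of givenName
        ldif_attr("sn", surname),
        ldif_attr("mail", mail),
        "ou: people",
    ]
    if mobile:
        lines.append(ldif_attr("mobile", mobile))
    return "\n".join(lines) + "\n"


def build_ldif(contacts) -> str:
    """Join entries with the blank line ldapadd uses as the record separator."""
    return "\n".join(contact_ldif(*c) for c in contacts)


# Constructed sample input: the post's own contact plus two awkward cases.
SAMPLE_CONTACTS = [
    ("Xavier", "Shay", "contact@rhnh.net", "0400-123-456"),
    ("Zoë", "Example", "zoe@example.net"),     # non-ASCII: dn:: and givenName::
    ("Sam", "Smith, Jr.", "sam@example.net"),  # comma must be escaped in the RDN
]

if __name__ == "__main__":
    # Pipe the output into: ldapadd -x -D 'cn=xavier,dc=rhnh,dc=net' -W
    print(build_ldif(SAMPLE_CONTACTS), end="")
```

The two rules are easy to test for: feed the script a name with a comma and check that the dn line still has exactly one cn component; feed it an accented name and check that ldapadd reads the entry back with the same spelling.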

To configure Thunderbird to use your address book, go to Edit - Preferences... - Composition - Edit Directories... and follow the bouncing ball. Thunderbird can’t write to the directory, which is kind of a pain. Maybe you could use Evolution, which I think works. Maybe you could write an app that monitors a drop box and updates your directory for you. Maybe you could assume I’ve already done what I suggested and wait for me to release it in the very near future.

Tested on FreeBSD 6.2-stable

References

  1. volte says:

    Hmm. I'm having trouble with this. I finally got all my ports configured to work together (more complicated because I had apache and other dependencies) but now I get this in my logs.

    Mar 28 11:24:42 November slapd[9636]: @(#) $OpenLDAP: slapd 2.4.8 (Mar 28 2008 10:32:38) $         root@November:/usr/ports/net/openldap24-server/work/openldap-2.4.8/servers/slapd
    Mar 28 11:24:42 November slapd[9636]: daemon: bind(6) failed errno=49 (Can't assign requested address)
    Mar 28 11:24:42 November slapd[9636]: slapd stopped.
    Mar 28 11:24:42 November slapd[9636]: connections_destroy: nothing to destroy.
    
    Any help?

  2. Xavier Shay says:

    I'm just guessing ... maybe double check the hostname/IP and port you are trying to start on aren't already in use or somehow restricted. Check it's not already running.

  3. chmick says:

    Interesting, thanks for the howto.

    But did you try this method with the new slapd package which uses a cn=config file instead of slapd.conf?
    I'm having a hard time with it.

    In this case I would be very interested in your config files :-)

  4. Xavier Shay says:

    Sorry, I have not tried with the updated package. I'm actually not running slapd anymore because it was using too much memory on my slice :(
