Giuseppe Parrello

 

How to install an LDAP server on a router


On this page I describe how to install an "LDAP server" on a router (Asus RT-AC56U). We use some Entware packages, so please refer to this page on how to install Entware on a router.
We will install the "OpenLDAP server" using Entware packages.


How to install the OpenLDAP server

In order to install the "OpenLDAP server" with Entware packages, we have to execute the following line:
opkg install openldap-server openldap-utils
After this, make a backup of the files "/opt/etc/openldap/ldap.conf" and "/opt/etc/openldap/slapd.conf".
This is the new file "/opt/etc/openldap/ldap.conf":

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=office,dc=data
URI ldap://192.168.1.4

Please refer to this page for further details about the configuration file "ldap.conf".
In the above-mentioned example, the default base "dc=office,dc=data" will be used throughout this page, while the IP address "192.168.1.4" is the address of the router on which we install the "OpenLDAP server".
We also need to create a new file "/opt/etc/openldap/slapd.conf":

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /opt/etc/openldap/schema/core.schema
include /opt/etc/openldap/schema/cosine.schema
include /opt/etc/openldap/schema/inetorgperson.schema

loglevel 296
pidfile /opt/var/run/slapd.pid
argsfile /opt/var/run/slapd.args

############################
# LDIF database definitions
############################

database ldif
suffix "ou=Addressbook,dc=office,dc=data"
rootdn "cn=admin,ou=Addressbook,dc=office,dc=data"
#rootpw {SSHA}

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /opt/var/openldap-data

# Simple ACL granting read access to the world
access to *
by * read

Please refer to this page for further details about the configuration file "slapd.conf".
Note that we have included the administrator account "rootdn", but without a password. I suggest creating a password for the administrator account; please read the following section "How to setup a password for administrator account".
We must create the database directory before starting the "OpenLDAP" daemon, with the following lines:
mkdir /opt/var/openldap-data
chmod 700 /opt/var/openldap-data
Then we must test whether the configuration file is correct:
slapd -T test
If it returns "config file testing succeeded", then the configuration file is correct. Otherwise something inside the configuration file is wrong.
To start the "OpenLDAP" daemon, we have to execute the following command line:
/opt/etc/init.d/S58slapd start


How to setup a password for administrator account

In the previous section we included the administrator account "rootdn", but without a password. In this section I briefly explain how to set up a password for the administrator account.
We must create a script file, for example named "generate.sh", with the following content:

#!/bin/sh
# Print an {SSHA} hash (base64 of SHA-1(password + salt) followed by the salt) for the "rootpw" line.
# The salt and the digest are raw bytes, so they pass through temporary files: a shell variable
# drops NUL bytes and trailing newlines and would silently corrupt the hash. PASS is used instead
# of PWD because PWD is the shell's own working-directory variable.

PASS="$1"
TMP="$(mktemp -d)"
openssl rand 3 > "$TMP/salt"
{ printf '%s' "$PASS"; cat "$TMP/salt"; } | openssl dgst -binary -sha1 > "$TMP/sha1"
printf '{SSHA}%s\n' "$(cat "$TMP/sha1" "$TMP/salt" | openssl enc -base64)"
rm -rf "$TMP"

The above-mentioned script uses the "openssl" command. Normally a router includes this command, but if it does not, we can install it as an Entware package with the following command line:
opkg install openssl-util
To generate the password hash, we execute the script, passing our password to it; for example, if we want to use the password "secret" we type:
./generate.sh secret
The line printed by this script already starts with "{SSHA}"; use it to replace the commented "#rootpw {SSHA}" line in the configuration file "/opt/etc/openldap/slapd.conf", so that the file contains the following lines:

rootdn "cn=admin,ou=Addressbook,dc=office,dc=data"
rootpw {SSHA}cF/RbPI0zOecojYc30UONVNBF2ke+Bg=

Finally we restart the "OpenLDAP" daemon with command line:
/opt/etc/init.d/S58slapd restart
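The following script, added here as an example and not part of the original page, turns the same {SSHA} construction into two shell functions: one that generates a hash (with a 4-byte salt, the length slappasswd uses by default, instead of the 3 bytes above) and one that verifies a password against an existing "rootpw" value, so you can confirm that the value pasted into slapd.conf really corresponds to the password you intend before restarting the daemon. It assumes openssl (Entware package openssl-util) and the POSIX tools dd, cmp and mktemp; the file name ssha.sh in the usage comment is made up.

```shell
#!/bin/sh
# Added example (not from the original page): create and verify {SSHA} values
# for the slapd.conf "rootpw" line. Assumes openssl (Entware package
# openssl-util) plus POSIX dd, cmp, cat and mktemp.
# Salt and digest are raw bytes, so they are kept in temporary files: a shell
# variable cannot hold NUL bytes and drops trailing newlines, which would
# silently corrupt the hash.

SALT_BYTES=4   # slappasswd's default; ssha_verify accepts any salt length

# ssha_generate PASSWORD -> prints {SSHA}base64(sha1(password+salt)+salt)
ssha_generate() {
    t=$(mktemp -d) || return 1
    openssl rand "$SALT_BYTES" > "$t/salt"
    { printf '%s' "$1"; cat "$t/salt"; } | openssl dgst -binary -sha1 > "$t/dgst"
    printf '{SSHA}%s\n' "$(cat "$t/dgst" "$t/salt" | openssl enc -base64 | tr -d '\n')"
    rm -rf "$t"
}

# ssha_verify HASH PASSWORD -> exit status 0 when PASSWORD matches HASH, 1 otherwise
ssha_verify() {
    h="$1"; pw="$2"
    case "$h" in "{SSHA}"*) ;; *) return 1 ;; esac
    t=$(mktemp -d) || return 1
    # strip the 6-character "{SSHA}" prefix, decode, then split the
    # 20-byte SHA-1 digest from the salt that follows it
    printf '%s\n' "${h#?SSHA?}" | openssl enc -d -base64 > "$t/dec"
    dd if="$t/dec" of="$t/dgst" bs=20 count=1 2>/dev/null
    dd if="$t/dec" of="$t/salt" bs=1 skip=20 2>/dev/null
    { printf '%s' "$pw"; cat "$t/salt"; } | openssl dgst -binary -sha1 > "$t/calc"
    cmp -s "$t/dgst" "$t/calc"
    rc=$?
    rm -rf "$t"
    return "$rc"
}

# Stand-alone use:  sh ssha.sh gen secret
#                   sh ssha.sh check '{SSHA}...' secret
case "${1:-}" in
    gen)   ssha_generate "$2" ;;
    check) if ssha_verify "$2" "$3"; then echo "password matches"; else echo "NO match"; fi ;;
esac
```

Because the salt is random, two runs of `gen` for the same password print different values; `check` is the way to compare them, not string equality.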


How to initialize the database of OpenLDAP server

Now it is time to initialize the database of the "OpenLDAP server" by adding the first entries to it.
The first entry is the root entry of the database. We create a root LDIF file, for example named "start.ldif", with the following content:

dn: ou=Addressbook,dc=office,dc=data
objectclass: top
objectclass: organizationalUnit
ou: Addressbook

We insert the above-mentioned file into the database using the "ldapadd" command ("-W" prompts for the administrator password):
ldapadd -x -W -D "cn=admin,ou=Addressbook,dc=office,dc=data" -f start.ldif
Please refer to this page for further details about the "ldapadd" command.
Then we can insert a test entry into the database, using a test LDIF file called "test.ldif" with the following content:

dn: cn=Testing,ou=Addressbook,dc=office,dc=data
cn: Testing
givenname: Testing
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: Testing
telephonenumber: 9999999

We insert the above-mentioned file into the database using the "ldapadd" command ("-W" prompts for the administrator password):
ldapadd -x -W -D "cn=admin,ou=Addressbook,dc=office,dc=data" -f test.ldif
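As an added example that is not part of the original page, the script below builds LDIF for several address book entries from a short constructed contact list and loads them with one ldapadd call, using the suffix and administrator DN from slapd.conf above. It also applies two rules that the hand-written LDIF above does not need but real data quickly hits: values that start with a space, ":" or "<", end with a space, or contain non-ASCII characters must be base64-encoded on a "::" line (RFC 2849), and characters such as "," or "=" inside a cn must be escaped when the cn is embedded in the DN (RFC 4514). The "check" mode runs an anonymous ldapsearch against the ldap://192.168.1.4 URI from ldap.conf: with the "access to * by * read" ACL in slapd.conf, every client that can reach the router reads all entries without a password, so it is worth seeing exactly what is exposed. It assumes openssl (Entware package openssl-util) and the ldapadd/ldapsearch tools from openldap-utils; the contact list and the file name contacts.sh are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original page): build LDIF for several address
# book entries at once and load them with ldapadd, using the suffix and
# administrator DN defined in this page's slapd.conf. Assumes openssl (Entware
# package openssl-util) for base64 and the ldapadd/ldapsearch tools from
# openldap-utils. The contact list below is constructed for the example.

BASE="ou=Addressbook,dc=office,dc=data"
ADMIN="cn=admin,$BASE"
URI="ldap://192.168.1.4"

# Constructed sample input: cn,givenname,sn,telephonenumber (one contact per line)
CONTACTS='Alice Example,Alice,Example,+39 055 1234567
José Núñez,José,Núñez,9999999
 Leading Space,Lead,Space,0000'

# dn_escape VALUE -> VALUE with RFC 4514 special characters escaped for use in a DN
dn_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;=]/\\&/g' \
                           -e 's/^[ #]/\\&/' -e 's/ $/\\ /'
}

# ldif_attr NAME VALUE -> one LDIF line; RFC 2849 requires base64 ("::") when the
# value starts with space, ':' or '<', ends with space, or is not printable ASCII
ldif_attr() {
    name="$1"; value="$2"; unsafe=0
    case "$value" in
        " "*|":"*|"<"*|*" ") unsafe=1 ;;
        *) if printf '%s' "$value" | LC_ALL=C grep -q '[^ -~]'; then unsafe=1; fi ;;
    esac
    if [ "$unsafe" -eq 1 ]; then
        printf '%s:: %s\n' "$name" "$(printf '%s' "$value" | openssl enc -base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$name" "$value"
    fi
}

# csv_to_ldif: reads CONTACTS-style lines on stdin, writes one person record each
csv_to_ldif() {
    while IFS=, read -r cn given sn phone; do
        [ -n "$cn" ] || continue                     # skip blank lines
        ldif_attr dn "cn=$(dn_escape "$cn"),$BASE"
        ldif_attr cn "$cn"
        ldif_attr givenname "$given"
        printf 'objectclass: top\nobjectclass: person\nobjectclass: organizationalPerson\n'
        ldif_attr sn "$sn"
        ldif_attr telephonenumber "$phone"
        printf '\n'                                  # blank line terminates the record
    done
}

# Stand-alone use:
#   sh contacts.sh          print the LDIF (default)
#   sh contacts.sh add      load it; -W prompts for the administrator password
#   sh contacts.sh check    list what an anonymous (unbound) client can read with the
#                           "access to * by * read" ACL from slapd.conf
case "${1:-print}" in
    print) printf '%s\n' "$CONTACTS" | csv_to_ldif ;;
    add)   printf '%s\n' "$CONTACTS" | csv_to_ldif | ldapadd -x -W -D "$ADMIN" -H "$URI" ;;
    check) ldapsearch -x -LLL -H "$URI" -b "$BASE" '(objectclass=person)' dn telephonenumber ;;
esac
```

Running the script without arguments prints the LDIF so it can be reviewed before anything is written to the directory; "add" pipes the same output into ldapadd, and "check" shows the entries exactly as an unauthenticated client on the LAN would see them.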


How to manage database entries through web server

In this section I describe how to manage database entries through the web server; before doing this, please refer to this page on how to install the web server.
For this job we install a PHP application called "ABLdap". We download the latest compressed file and extract it into a subfolder of the web server root, for example "/opt/share/www/lighttpd/abldap" (the subfolder "abldap" must be created before extracting the files).
Inside the folder "/opt/share/www/lighttpd/abldap", we have to edit the "config.php" file so that it uses our database with the proper parameters.
This is the resulting content of the file "config.php", according to the values in the "OpenLDAP" configuration file:

<?php

$config['locale'] = 'en_US';

// Insecure connection (LDAP data will be transmitted in clear text)
$config['ldaphost'] = 'localhost';
// Secure connection, using the ldaps protocol.
//$config['ldaphost'] = 'ldaps://127.0.0.1/';

// suffix: starting point for the search, as in ldapsearch -b
$config['suffix'] = 'ou=Addressbook,dc=office,dc=data';

// rootdn: Distinguished Name used to bind to the LDAP directory, as in ldapsearch -D
$config['rootdn'] = 'cn=admin,ou=Addressbook,dc=office,dc=data';

// IF you define the admin password, ABLdap will do an auto-logon.
//$config['rootpw'] = 'MySecret';

?>

Then we have to copy the file "/opt/share/www/lighttpd/abldap/doc/examples/mozillaabpersonalpha.schema" into the folder "/opt/etc/openldap/schema/".
Then we add the line "include /opt/etc/openldap/schema/mozillaabpersonalpha.schema" to the configuration file "/opt/etc/openldap/slapd.conf", so that we have:

include /opt/etc/openldap/schema/core.schema
include /opt/etc/openldap/schema/cosine.schema
include /opt/etc/openldap/schema/inetorgperson.schema
include /opt/etc/openldap/schema/mozillaabpersonalpha.schema

We also have to install some PHP modules for the web server, using the following command line:
opkg install php7-mod-gettext php7-mod-session php7-mod-ldap
Finally we restart the web server with the following command line:
/opt/etc/init.d/S80lighttpd restart
We open the browser and go to the "abldap" subfolder. A PHP page appears, and we simply have to enter the administrator password.
The PHP application then shows the list of entries; from there we can add entries to the database, change an entry or delete an entry.