Installing OpenLDAP on OpenBSD

Jurjen Bokma

January 2009

  1. export PKG_PATH=
    sudo pkg_add openldap-server
    cyrus-sasl-2.1.22p4: complete
    openldap-client-2.3.43: complete
    openldap-server-2.3.43: complete
    --- openldap-server-2.3.43 -------------------

    To start slapd, configure it in /etc/openldap/slapd.conf then add the following line to /etc/rc.conf.local:

    slapd_flags="-u _openldap"

    and to /etc/rc.local (be sure to start it _before_ any daemon that may need it):

    if [ "$slapd_flags" != "NO" -a -x /usr/local/libexec/slapd ]; then
        install -d -o _openldap /var/run/openldap
        /usr/local/libexec/slapd $slapd_flags
        echo -n ' slapd'
    fi

  2. Do as it says, with one change: the URL list goes into its own variable. Into /etc/rc.local goes:

    if [ "$slapd_flags" != "NO" -a -x /usr/local/libexec/slapd ]; then
        install -d -o _openldap /var/run/openldap
        /usr/local/libexec/slapd $slapd_flags -h "$slapd_URLs"
        echo -n ' slapd'
    fi

    And into /etc/rc.conf.local:

    slapd_URLs="ldap:// ldaps:// ldap:// ldaps:// ldap:// ldaps://"
    slapd_flags="-u _openldap -g _openldap -4"


    Note that the separation of flags and URLs is not a stylistic choice; it is what makes slapd listen on every URL. The cause is not an OpenBSD quirk but ordinary getopt handling: -h takes exactly one argument, and slapd(8) expects that argument to be a whitespace-separated list of URLs. When started from the command line as slapd -h ldap:// ldap://, only the first URL is the argument of -h; the second is a stray positional argument, and slapd silently ignores it, so only the listener on the localhost interface comes up. To start both listeners, the list must be one shell word: slapd -h "ldap:// ldap://".

    When run from a script, however, both versions fail. The first case behaves as before. In the second case, if the double quotes are written inside slapd_flags in /etc/rc.conf.local and the script expands $slapd_flags unquoted, the shell splits the value on whitespace but does not treat the embedded quotes as syntax: slapd receives the literal characters "ldap:// and ldap://" and rejects the list, complaining that a double quote is not valid in a URL. Only the form used in /etc/rc.local above works, because the double quotes around "$slapd_URLs" are shell syntax: the shell removes them and passes the entire URL list, spaces included, to slapd as a single positional parameter following -h.
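The three behaviours described above can be reproduced without slapd at all, because they are purely a matter of how the shell splits the arguments. The script below is an added illustration, not part of the original page or of the OpenBSD port: a stub stands in for /usr/local/libexec/slapd and reports which single argument followed -h. The addresses 127.0.0.1 and 192.0.2.10 are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original page): how the shell delivers the
# URL list to slapd under three ways of writing rc.conf.local / rc.local.
# Listener addresses below are constructed for the demonstration only.

# Stand-in for /usr/local/libexec/slapd. Like getopt(3) in slapd, it takes
# exactly one argument for -h; it prints that argument, or <none>.
fake_slapd() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-h" ]; then
            printf '%s\n' "${2:-<none>}"
            return 0
        fi
        shift
    done
    printf '<none>\n'
}

# 1. Bare URLs inside slapd_flags, expanded unquoted: word splitting yields
#    two words after -h, so -h gets the first URL and the second becomes a
#    stray positional argument that slapd silently ignores.
way_unquoted() {
    slapd_flags='-u _openldap -4 -h ldap://127.0.0.1 ldap://192.0.2.10'
    fake_slapd $slapd_flags
}

# 2. Double quotes written inside slapd_flags: quotes that come out of a
#    variable expansion are plain characters, not shell syntax, so slapd
#    receives "ldap://127.0.0.1 (with the quote) and rejects the URL list.
way_embedded_quotes() {
    slapd_flags='-u _openldap -4 -h "ldap://127.0.0.1 ldap://192.0.2.10"'
    fake_slapd $slapd_flags
}

# 3. The page's fix: keep the URL list in its own variable and expand it
#    inside double quotes, so the whole list reaches -h as one argument.
way_separate_variable() {
    slapd_flags='-u _openldap -4'
    slapd_URLs='ldap://127.0.0.1 ldap://192.0.2.10'
    fake_slapd $slapd_flags -h "$slapd_URLs"
}

# Show the three results side by side.
for f in way_unquoted way_embedded_quotes way_separate_variable; do
    printf '%-22s -h received: %s\n' "$f" "$($f)"
done
```

Only the third function hands slapd a single argument containing both URLs; the other two reproduce the "second listener ignored" and "double quote not recognised" failures from the text.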

  3. Now configure in /etc/openldap/slapd.conf:

    include         /etc/openldap/schema/core.schema
    pidfile         /var/run/openldap/
    argsfile        /var/run/openldap/slapd.args
    database        ldbm
    suffix          "dc=mydomain"
    rootdn          "cn=boss,dc=mydomain"
    rootpw          secret
    directory       /var/openldap-data
    index   objectClass     eq
    loglevel 239

    Two caveats. The rootpw above is a cleartext placeholder: put the hash printed by slappasswd there instead, and keep slapd.conf readable only by root and the _openldap user, since whoever can read it owns the directory. And loglevel 239 is very chatty; it is useful while debugging the listeners, but turn it down once things work.

  4. Edit /etc/pf.conf:

    pass in log on $intranet_if proto {tcp, udp} from $intranet to $intranet_if:0 port { ldap, ldaps }

    and reload the ruleset: sudo pfctl -f /etc/pf.conf

    slapd only listens on TCP, so the udp part of the rule is harmless but unnecessary; and the ldaps port only does anything once slapd has a certificate configured, which this page does not cover.

  5. On the client:

    ldapsearch -x -H ldap://firewall
    # extended LDIF
    # LDAPv3
    # base <> (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1

    The "No such object" result is expected at this point: no search base was given and nothing has been added under the suffix yet. What it does prove is that the pf rule lets the connection through, that slapd is listening on the intranet address, and that it accepts an anonymous simple bind.

  6. On the client, try an authenticated bind as the rootdn from slapd.conf:

      ldapsearch -x -H ldap://firewall -D "cn=boss,dc=mydomain" -W

    If that succeeds, use whatever tool you like for adding entries. I'm using luma.