====== OpenLDAP Server configuration ======
OpenLDAP can be painful to administer, largely because of the slapd.d (cn=config) layout, which makes something as basic as creating a new root DN unnecessarily involved.
So read the following instructions carefully, or you will waste time.
===== Slapd Installation =====
It installs cleanly on Debian:
apt-get install slapd ldap-utils
Note that the Debian package configures and starts slapd immediately (listening on port 389, with a suffix derived from the host's domain name), which may conflict with Samba if Samba is meant to provide its own LDAP directory on the same port.
===== Enable access to cn=config from PHPLdapAdmin =====
Generate the password hash with ''slappasswd'': it prompts for the password and prints a ''{SSHA}'' string (salted SHA-1; recent OpenLDAP releases also ship PBKDF2 and Argon2 password modules if you want something stronger).
Put the following content in a file (update_adminpass.ldif in our case). A fresh Debian slapd install already sets ''olcRootDN: cn=admin,cn=config'' on the config database; it only lacks a password, which is what this adds:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then execute the following command in your shell, as root; the EXTERNAL SASL mechanism over the local ''ldapi:///'' socket authenticates you by your uid, so no password is needed yet:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f update_adminpass.ldif
Whoever holds this password has full control of the server configuration, so only let PHPLdapAdmin (or any other client) bind with it over ''ldaps://'' or StartTLS: a simple bind over plain ''ldap://'' sends it in clear text.
===== Add a new root DN =====
For this part, let's assume we want to create a new root DN (suffix) ''dc=acme''.
==== Storage Backend Configuration ====
The first thing to do is to configure a backend that serves the suffix you want to create. The simplest way is to take the existing database entry (''olcDatabase={1}mdb,cn=config'' on current Debian releases, ''{1}hdb'' on older ones) as a template for a new entry, incrementing the number between the braces (''{2}mdb''). Do not edit the files under /etc/ldap/slapd.d by hand; write the new entry as LDIF and add it with ''ldapadd -Y EXTERNAL -H ldapi:///'', which takes effect without a restart. Do not forget to change the following attributes:
* ''olcAccess'' Access rules (the copied ones usually reference the old suffix or admin DN)
* ''olcDbDirectory'' Data storage directory; it must exist and be owned by the ''openldap'' user before the entry is added, otherwise the backend cannot open it and the add is rejected
* ''olcRootDN'' Root user for your database (e.g. cn=admin,dc=acme)
* ''olcRootPW'' Root password for your database (a hash produced by ''slappasswd'')
* ''olcSuffix'' The DN of the root entry you are about to create (''dc=acme''); it must not overlap the suffix of another database
==== Create the DN and populate the admin user ====
Put the following content in a file (add_dc_acme.ldif in our case).
# Entry 1: dc=acme
dn: dc=acme
objectclass: top
objectclass: dcObject
objectclass: organization
dc: acme
o: acme
description: Acme Corporation

# Entry 2: cn=admin,dc=acme
dn: cn=admin,dc=acme
objectclass: simpleSecurityObject
objectclass: organizationalRole
cn: admin
description: acme LDAP administrator
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Once again, ''slappasswd'' generates the password hash; reuse the one you put in ''olcRootPW'' or make a new one. Note the blank line between the two entries: LDIF needs it.
Then execute the following command in your shell:
ldapadd -x -H ldapi:/// -D cn=admin,dc=acme -W -f add_dc_acme.ldif
This bind succeeds even though ''cn=admin,dc=acme'' does not exist yet: when the bind DN equals the database's ''olcRootDN'' and ''olcRootPW'' is set, slapd checks the password against ''olcRootPW'' without looking up any entry. Binding over ''ldapi:///'' (or adding ''-ZZ'' for StartTLS) keeps the password off the wire; a plain ''-x'' simple bind over ''ldap://'' sends it in clear text.
The same mechanism is your recovery path: if you later break ''cn=admin,dc=acme'' (wrong ''userPassword'', deleted entry, an ACL that locks it out), a simple bind as the root DN with the ''olcRootPW'' password still works, because it is checked before the entry and is exempt from ACLs. The flip side is that ''olcRootPW'' is a second administrator secret living in cn=config. Once the admin entry exists you can delete ''olcRootPW'' from the database entry; the root DN then authenticates with the ''userPassword'' of its own entry (it lies inside the suffix), and the config-level copy of the secret is gone.
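The whole procedure from the two sections above (password for cn=config, new database, suffix and admin entries), scripted as one file. This is an added example, not code from the original page: it assumes a Debian host with the mdb backend, the hypothetical suffix dc=acme in database slot {2} with its data under /var/lib/ldap/acme, and the local ldapi socket; the function names and the stricter-than-default ACLs are this example's own choices.

```shell
#!/bin/sh
# Added example, not taken from the original page. It scripts the procedure
# above on Debian: add a password to cn=config, create a new mdb database
# for a suffix, then add the suffix entry and its admin. Hypothetical values
# (adjust): suffix dc=acme, database slot {2}, directory /var/lib/ldap/acme.
# Use "hdb" instead of "mdb" on releases whose default database is {1}hdb.
set -eu

SUFFIX="dc=acme"
DC="acme"
DB_INDEX=2
DB_DIR="/var/lib/ldap/$DC"
ROOT_DN="cn=admin,$SUFFIX"

# LDIF giving the config database a root password (Debian already sets its
# olcRootDN to cn=admin,cn=config); $1 is a hash printed by slappasswd.
config_rootpw_ldif() {
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $1
EOF
}

# LDIF adding a new mdb database: suffix, slot number, data dir, rootdn, hash.
# The ACLs are deliberately stricter than Debian's default "to * by * read".
db_ldif() {
    cat <<EOF
dn: olcDatabase={$2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {$2}mdb
olcSuffix: $1
olcDbDirectory: $3
olcRootDN: $4
olcRootPW: $5
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcAccess: to attrs=userPassword by self write by anonymous auth by * none
olcAccess: to * by self write by users read by * none
EOF
}

# LDIF for the suffix entry and its admin; the admin gets the same hash so
# the account keeps working if olcRootPW is later removed from the database.
base_ldif() {
    cat <<EOF
dn: $1
objectClass: top
objectClass: dcObject
objectClass: organization
dc: $2
o: $2
description: $2 LDAP directory root

dn: cn=admin,$1
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: $2 LDAP administrator
userPassword: $3
EOF
}

# Run as root. Everything goes over ldapi:/// so no password crosses the
# network; -Y EXTERNAL authenticates by the peer's uid (0 = config root).
bootstrap() {
    pwhash=$(slappasswd)   # prompts twice on the terminal, prints {SSHA}...
    config_rootpw_ldif "$pwhash" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    # the data directory must exist and belong to slapd before the add,
    # otherwise the mdb backend cannot open it and the entry is rejected
    install -d -o openldap -g openldap -m 0750 "$DB_DIR"
    db_ldif "$SUFFIX" "$DB_INDEX" "$DB_DIR" "$ROOT_DN" "$pwhash" \
        | ldapadd -Q -Y EXTERNAL -H ldapi:///
    # simple bind as the new rootdn: no entry exists yet, so slapd checks
    # olcRootPW rather than a userPassword attribute
    base_ldif "$SUFFIX" "$DC" "$pwhash" \
        | ldapadd -x -H ldapi:/// -D "$ROOT_DN" -W
    # verify: list every database with its suffix and rootdn
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(olcDatabase=*)' olcDatabase olcSuffix olcRootDN
}

case "${1:-preview}" in
    apply)   bootstrap ;;
    preview) db_ldif "$SUFFIX" "$DB_INDEX" "$DB_DIR" "$ROOT_DN" '{SSHA}REPLACE' ;;
    *)       echo "usage: $0 [preview|apply]" >&2; exit 2 ;;
esac
```

Run it with ''preview'' to inspect the database LDIF it would add, then ''apply'' as root. Afterwards, if you decide the config-level secret should not linger, remove it with an LDIF of ''changetype: modify'' / ''delete: olcRootPW'' against ''olcDatabase={2}mdb,cn=config''; the admin entry's ''userPassword'' then becomes the only credential for the root DN.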