Friday, 23 March 2012

LDAP (slapd) and GOsa on Debian Squeeze

First "Solve" for the blog.

How to install OpenLDAP (slapd) and GOsa on Debian Squeeze.  Sometime in recent history, the previous configuration file setup for LDAP (slapd.conf) was deprecated and a new config structure was put in place.  As of today (24/03/2012), the instructions for configuring LDAP on the Debian pages still say that they need updating.

So as with all Debian installs, I started with the following:
apt-get install slapd gosa gosa-schema

Use your domain name, or local / internal domain name for the slapd install.
Enter whatever you like for the organisation name, or just press enter to accept the default.

Enter an admin password.  Probably good (as with all passwords) not to make it easily guessable, and not the same as other passwords on the same machine.

Pick either type for the database backend. I chose HDB after a bit of searching about the differences.

The next step is the bit that really got me stumped; there wasn't a lot of help on Google for how to do this.

First create a file called /etc/ldap/convert.conf with the following contents:

# Existing LDAP schemas
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

# GOsa LDAP schemas; order is important.
include /etc/ldap/schema/gosa/samba3.schema
include /etc/ldap/schema/gosa/gofon.schema
include /etc/ldap/schema/gosa/gosystem.schema
include /etc/ldap/schema/gosa/goto.schema
include /etc/ldap/schema/gosa/gosa-samba3.schema
include /etc/ldap/schema/gosa/gofax.schema
include /etc/ldap/schema/gosa/goserver.schema
include /etc/ldap/schema/gosa/goto-mime.schema
include /etc/ldap/schema/gosa/trust.schema

Then make an output directory
root@ldap:/etc/ldap# mkdir /tmp/convert_out

Then run the convert tool as follows:

root@ldap:/etc/ldap# slaptest -f convert.conf -F /tmp/convert_out
config file testing succeeded

This will have created some files in /tmp/convert_out.  We only want the schema files from this output, and we want them to end up in the directories for the new configuration files for slapd.  We also need to change the owner / group on these files so the slapd process can read them.

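# -r is needed: the glob matches cn=schema.ldif and the cn=schema directory that holds the converted schemas
cp -rp /tmp/convert_out/cn\=config/cn\=schema* /etc/ldap/slapd.d/cn\=config/
chown -R openldap:openldap /etc/ldap/slapd.d/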

At this point, I restarted slapd, but I'm fairly certain this isn't required (your choice).
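
The copy and chown above can be checked before moving on to the GOsa setup. This is an added example, not part of the original post: it compares the include lines of convert.conf with the cn={N}name.ldif files in the cn=schema directory and reports schemas that are missing, out of order, or not owned by the slapd user. schema_names and check_schemas are hypothetical helper names, and the sample data at the end is constructed.

```shell
# Added example. schema_names and check_schemas are hypothetical helpers.

# Schema names from the "include" lines of a slapd.conf-style file, in file
# order (/etc/ldap/schema/gosa/goto.schema -> goto).
schema_names() {
    awk '$1 == "include" && $2 ~ /\.schema$/ {
        n = split($2, p, "/"); sub(/\.schema$/, "", p[n]); print p[n] }' "$1"
}

# check_schemas CONF DIR [OWNER]
# DIR is the cn=schema directory holding the cn={N}name.ldif files.
# Prints one line per problem; returns 0 only when there are none.
check_schemas() {
    cs_owner=${3:-openldap}
    cs_out=$(schema_names "$1" | {
        i=0
        while read -r name; do
            f=$(find "$2" -maxdepth 1 -type f -name "cn={*}${name}.ldif" | head -n 1)
            if [ -z "$f" ]; then
                echo "MISSING $name"
            else
                idx=${f##*/cn=\{}; idx=${idx%%\}*}
                [ "$idx" = "$i" ] || echo "ORDER $name expected=$i found=$idx"
                [ -n "$(find "$f" -maxdepth 0 -user "$cs_owner" 2>/dev/null)" ] ||
                    echo "OWNER $f is not owned by $cs_owner"
            fi
            i=$((i + 1))
        done
    })
    [ -z "$cs_out" ] && return 0
    printf '%s\n' "$cs_out"
    return 1
}

# Constructed sample: three includes; goto was never copied and goto-mime
# sits at the wrong index. Files belong to the current user, so pass its uid.
demo=$(mktemp -d)
mkdir "$demo/cn=schema"
printf 'include /etc/ldap/schema/%s.schema\n' core gosa/goto gosa/goto-mime \
    > "$demo/convert.conf"
touch "$demo/cn=schema/cn={0}core.ldif" "$demo/cn=schema/cn={1}goto-mime.ldif"
check_schemas "$demo/convert.conf" "$demo/cn=schema" "$(id -u)" || true
```

On the server itself the call would be check_schemas /etc/ldap/convert.conf '/etc/ldap/slapd.d/cn=config/cn=schema', which uses the default owner openldap.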

Next we get into the GOsa configuration...

Assuming Apache etc. installed correctly on the machine, you should be able to go to
http://yourip/gosa/ or http://yourhostname/gosa
and see the GOsa administration pages.

At the bottom of the page, there's an "echo" command that you need to cut and paste into a terminal window.  It won't go past this step until you do.

Pick A Language

Hopefully you're all green here.  Mine was a fresh install on a clean Debian install, so it looks like it should work out of the box.

On this screen you should see the "succeeded" text at the bottom. If not, something else is wrong; try restarting slapd.

On this screen, enter "cn=admin" in the Admin DN field, and type the Admin password that you used during the LDAP install.  Then tick the auto append checkbox and click next.

Assuming you've done everything right, you should see this screen...

And that's where I'll end this post; after this, the documentation all around is pretty good for GOsa and LDAP.

Enjoy.   As always feedback / suggestions are welcome.


  1. Amazing! I have been struggling with this for hours until I came across your post. Well done and thanks!

  2. Hi,

    I get errors in step 5 of the installation of Gosa:
    Schema check failed The following object classes are missing:


    However, I'm running Debian wheezy system.

    What can I do to solve this problem?

    1. Not sure if wheezy uses slapd.conf or if it uses the new schema directories?
      Try apt-get install slapd gosa gosa-schema
      If that doesn't work, try as per the instructions above.. :)

    2. Debian wheezy uses the new schema directories.
      I have installed debian packages:
      slapd, gosa, gosa-schema
      GOsa version: 2.7.4
      slapd version: 2.4.31-1

      However I have difficulties yet at step 4 of the installation of Gosa.
      At step 4 of the installation at http://localhost/gosa/setup.php

      the following is set:
      Connection URI: ldap://localhost:389
      TLS connection: No
      Base: dc=nodomain

      Administrator DN: empty field,dc=nodomain
      I checked the Automatically append LDAP base to administrator DN
      I give the Administrator password that I set when installed slapd.

      Use RFC 2307bis compliant groups: No

      But I get
      Current status
      Information Bind as user ',dc=nodomain' failed!

      How can I go further?

  3. I get help on Debian Bug Tracking System from Cajus.

    I run $ sudo slapcat

    and get the line: dn: cn=admin,dc=nodomain

    so when I write into Administrator DN field: cn=admin

    I get finally the message at bottom: Bind as user 'cn=admin,dc=nodomain' to server ' ldap://localhost:389' succeeded!

  4. Hi,

    Thanks for the howto, I couldn't have started GOsa without it. However, I've found a couple of bumps on the road while installing on Debian/jessie (GOsa ver. 2.7.4-4.4):

    - You NEED to restart slapd after converting the new schemas
    - By default, Debian doesn't enable GOsa's site in apache2, you need to:

    ln -s /etc/gosa/gosa-apache.conf /etc/apache2/sites-available
    a2ensite gosa-apache

    Hope this helps.