The Quick & Dirty Guide to OpenLDAP

This article will show you how to set up an OpenLDAP server that you can query from either the command-line ldapsearch utility, or any LDAP-capable application such as Eudora, Netscape, or Lotus Notes clients.

Setup

  1. Get the latest and greatest package, and install it through rpm -Uvh openldap-1.2.9-4.rpm. Note: OpenLDAP 2.x packages moved utilities into other packages (eg. ldif2ldbm in openldap-utils.rpm and ldapadd in openldap-clients.rpm.)
  2. Edit /etc/openldap/slapd.conf. Here's a sample:

    database ldbm
    suffix "dc=acme,dc=com"

    rootdn "cn=manager,dc=acme,dc=com"
    rootpw secret
    directory /var/lib/ldap

    As for the organization chart, on Fri, 18 Aug 2000 00:01:29 GMT, news@mscha.com (Michael Schaap) wrote:

    The old convention was to use organization and country in a DN. You could for instance use "o=Acme Inc, c=US". Because this may not always guarantee uniqueness, the new convention is to use domain components. In your case, that would be "dc=acme, dc=com".

    Although you can use a plain-text password as rootpw, according to a tip found in this document, you can copy/paste your hashed password from /etc/passwd or generate one using perl -e "print crypt('mypasswd', 'a_salt_string');". Note that copy/pasting your hashed password from /etc/passwd or /etc/shadow doesn't work if you are using MD5 hashing, which is the default in recent releases of Red Hat.

  3. Open your favorite editor, and create a couple of entries in an ASCII file, eg. /var/lib/ldap/mydomain.ldif. Here's a sample:

    dn: dc=acme,dc=com
    o: acme
    objectclass: organization

    dn: cn=Jane Doe,dc=acme,dc=com
    cn: Jane Doe
    objectclass: organizationalPersonAcme
    sn: Jane
    description: Tech support
    mail: jane.doe@acme.com
    telephoneNumber: (123) 123-4567

    dn: cn=John Doe,dc=acme,dc=com
    cn: John Doe
    objectclass: organizationalPersonAcme
    sn: John
    description: Marketing
    mail: john.doe@acme.com
    telephoneNumber: (321) 765-4321

  4. Import those entries with ldif2ldbm -i /var/lib/ldap/mydomain.ldif
  5. If you want to use the ldapsearch utility on the same host where the LDAP server is located, you will also need to edit /etc/openldap/ldap.conf. Here's a sample:

    BASE dc=acme,dc=com
    HOST ldapserver.acme.com

  6. Even though we will start slapd as a stand-alone server, make sure you either have an empty /etc/hosts.deny, or add slapd: .acme.com to /etc/hosts.allow, or you'll get "ldap_bind: Can't contact LDAP server" when trying the ldapsearch command.
  7. Start slapd through /etc/rc.d/init.d/ldap start, and check for errors in /var/log/messages
  8. Send a query through eg. ldapsearch "objectclass=*".

A bit of theory

Each record in an LDAP database is structured according to an objectclass, is identified by its distinguished name (DN), and is a collection of attributes. Objectclasses are defined in /etc/openldap/slapd.oc.conf, and attributes are defined in /etc/openldap/slapd.at.conf. An LDAP database is structured like a tree. For instance, CN=Myself/O=Acme/C=com is the distinguished name of Myself who belongs to organization Acme located in the Com top-domain. Defining objectclasses is useful because this lets you enforce consistency, and reduce errors when creating new entries.

Records are indexed through their DN, which is a concatenation of the Relative Distinguished Name (RDN, a.k.a. CN) and the inherited tree. For instance, the DN for the above example is CN=Myself, dc=acme,dc=com.

Slurpd is used when you need to replicate data from your master LDAP server to remote slave LDAP servers, while ldapd is used to let slapd query an X.500 server.

Slapd can be launched through either /etc/rc.d/rcX.d to run as a stand-alone service, or on demand through Inetd. The former is recommended if you use LDBM files so as to take advantage of caching.

You can specify several different databases to be used by your LDAP server. Just edit /etc/openldap/slapd.conf, and add a whole database section.

Adding records online

Additional records can be added while your LDAP server is on- or off-line. The way to do this while the server is off-line is shown at the beginning of this tutorial. If the server is online, create a file with the different records you want to add (example shown below), and run ldapadd -f mydatafile.ldif -D "cn=manager, dc=acme,dc=com" -w secret:

# Save this as /var/lib/ldap/mydatafile.ldif
dn=postmaster,dc=acme,dc=com
cn=postmaster
objectClass=organizationalPersonAcme
sn=postmaster
description=The Greatest Postmaster in the World!
mail=postmaster@acme.com
telephoneNumber=(321) 765-4321

And yes, I also wonder why the format of this file is different from the file used to input data while the server is offline...

Adding new classes and attributes

If your LDAP clients need ObjectClasses and Attributes not included in the default slapd.oc.conf and slapd.at.conf, you should create your own two files instead of modifying those default files, and add include statements in slapd.conf.

An ObjectClass consists of required attributes and allowed attributes, both of which are defined in an .oc.conf file.

Interestingly enough, the OpenLDAP package that I installed when writing this tutorial had no "mail" attribute, although that's probably the piece of information for which users are most likely to query an LDAP server. What I did was copy /etc/openldap/slapd.oc.conf as slapd.acme.oc.conf and slapd.at.conf as slapd.acme.at.conf, add references to slapd.conf through INCLUDE lines, and edit those files as follows:

#slapd.conf
include /etc/openldap/slapd.at.conf
include /etc/openldap/slapd.oc.conf

include /etc/openldap/slapd.acme.at.conf
include /etc/openldap/slapd.acme.oc.conf

#slapd.acme.oc.conf
objectclass organizationalPersonAcme
        requires
                objectClass,
                sn,
                cn
        allows
                mail,
                description,
                l,
                ou,
                telephoneNumber

#slapd.acme.at.conf
attribute mail mail ces
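The objectclass definition above is what lets slapd "enforce consistency" as the theory section puts it, and the ldapadd section feeds the server an attr=value file instead of LDIF. The following added example (my own code, not from the tutorial or the OpenLDAP project) ties the two together: it parses the tutorial's LDIF sample, checks each entry against the requires/allows lists of organizationalPersonAcme exactly as written above, and renders an entry in the attr=value form used with ldapadd. The organization class is a simplified assumption (only objectClass and o required), and the third, faulty entry is constructed to show what a schema check catches.

```python
# Added example, not part of the original tutorial.
# Minimal LDIF parser plus a schema check against the tutorial's
# organizationalPersonAcme definition, and a converter to the older
# "attr=value" input format the tutorial passes to ldapadd.

# Attribute names are compared case-insensitively, so everything is lower-cased.
SCHEMA = {
    # Mirrors slapd.acme.oc.conf from the tutorial.
    "organizationalpersonacme": {
        "requires": {"objectclass", "sn", "cn"},
        "allows": {"mail", "description", "l", "ou", "telephonenumber"},
    },
    # Assumption for this example: a cut-down "organization" class.
    "organization": {"requires": {"objectclass", "o"}, "allows": set()},
}

# Constructed sample: the tutorial's first two entries plus one faulty entry.
SAMPLE_LDIF = """\
dn: dc=acme,dc=com
o: acme
objectclass: organization

dn: cn=Jane Doe,dc=acme,dc=com
cn: Jane Doe
objectclass: organizationalPersonAcme
sn: Jane
description: Tech support
mail: jane.doe@acme.com
telephoneNumber: (123) 123-4567

# constructed: missing sn, and uid is not allowed by the class
dn: cn=Bad Entry,dc=acme,dc=com
cn: Bad Entry
objectclass: organizationalPersonAcme
uid: bad
"""


def parse_ldif(text):
    """Parse simple LDIF (no continuation lines, no base64 values) into a
    list of {"dn": str, "attrs": {name: [values]}} dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):          # comments never end an entry
            continue
        if not line:                      # blank line separates entries
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute line before any dn:")
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return a list of problems: missing required attributes, and attributes
    that none of the entry's objectclasses require or allow."""
    attrs = entry["attrs"]
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:
        return [f"{entry['dn']}: no objectclass"]
    problems, required, allowed = [], set(), set()
    for c in classes:
        if c not in SCHEMA:
            problems.append(f"{entry['dn']}: unknown objectclass {c}")
            continue
        required |= SCHEMA[c]["requires"]
        allowed |= SCHEMA[c]["allows"]
    for a in sorted(required - set(attrs)):
        problems.append(f"{entry['dn']}: missing required attribute {a}")
    for a in sorted(set(attrs) - required - allowed):
        problems.append(f"{entry['dn']}: attribute {a} not allowed")
    return problems


def validate(text):
    """Parse and check a whole LDIF file; an empty list means it is clean."""
    return [p for e in parse_ldif(text) for p in check_entry(e)]


def to_attr_equals(entry):
    """Render one entry in the attr=value form the tutorial uses with ldapadd."""
    lines = [f"dn={entry['dn']}"]
    for name, values in entry["attrs"].items():
        lines.extend(f"{name}={v}" for v in values)
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in validate(SAMPLE_LDIF):
        print(problem)
    print(to_attr_equals(parse_ldif(SAMPLE_LDIF)[1]))
```

Run it on the tutorial's own mydomain.ldif before ldif2ldbm and you get the schema errors up front rather than at import time; extend SCHEMA with the classes from your own slapd.oc.conf files to check real data.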

Importing legacy data into LDAP

If you need to import data from existing lists, eg. /etc/passwd or NIS, the RPM should have installed a bunch of scripts in /usr/share/openldap/migration that you can use to get LDIF-formatted files that you can then import into LDAP by using the ldif2ldbm utility. For instance, use /usr/share/openldap/migration/migrate_passwd.pl /etc/passwd passwd.ldif to extract the information found in /etc/passwd and /etc/shadow into an LDIF-formatted ASCII file.

Before using those scripts, and as explained in the README file, remember to first customize migrate_common.ph to reflect your organization as set in slapd.conf and ldap.conf.

Security

By default, anyone can query your LDAP server, which is obviously a huge security risk. Access rights can be set up by editing /etc/openldap/slapd.conf, through the defaultaccess directive and access to ... by ... rules.
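As an added illustration (my own fragment, not from the tutorial), here is what such a section looks like for the suffix and rootdn used above, written in the 1.x slapd.conf access syntax; it assumes entries carry a userPassword attribute and that the rules are placed after the database ldbm section they apply to:

```conf
# Added example, not part of the original tutorial.
# Shipped behaviour is equivalent to "defaultaccess read": whoever can reach
# the port can read every attribute of every entry. Deny by default instead.
defaultaccess none

# Passwords: only the entry itself may write its own, nobody else may read it.
access to attrs=userPassword
        by self write
        by * none

# Everything else: a user may edit their own entry; address-book clients
# (Eudora, Netscape, Notes) keep read-only access to the directory data.
# The rootdn is not subject to these rules and can still modify anything.
access to *
        by self write
        by * read
```

Rules are evaluated in order and the first "access to" clause whose what-part matches the entry decides, so the password rule has to come before the catch-all. After changing the file, restart slapd and re-run ldapsearch "objectclass=*" both anonymously and with -D/-w to confirm that userPassword no longer appears in anonymous results.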

Miscellaneous

Refer to "The SLAPD and SLURPD Administrator's Guide"

ldap://ldap.acme.com/??sub?sn=John

Troubleshooting

Something funny when using ldif2ldbm..

[root@linux ldap]# ldif2ldbm -d 5 -i ./offline.ldif
=> ldbm_cache_open( "/var/lib/ldap/id2entry.dbb", 524293, 600 )
ldbm_cache_open (blksize 4096) (maxids 1022) (maxindirect 4)
(snip)
next_id_read: could not open "/var/lib/ldap/NEXTID"

I can't make queries from Netscape Communicator 4.7

Open Messenger, click on Communicator | Address Book. In the Address Book applet, File | New Directory, fill the Description, Server, and Search Root fields. The Search Root has to match your organization (eg. dc=acme,dc=com).

Eudora doesn't return anything

Eudora requires you to change the Search Base when adding a pointer to an OpenLDAP server, to match the organizational structure. FYI, I didn't have to do this with eg. Lotus Notes. In other words, you need to set that field to something like "dc=acme,dc=com", otherwise OpenLDAP returns no information.

On Thu, 17 Aug 2000 23:58:18 GMT, news@mscha.com (Michael Schaap) wrote:

I believe this is an OpenLDAP thing. (Feature, bug, what's in a name.) A search in OpenLDAP seems to return nothing if you don't provide a search base. This search base should normally be your top-level entity, in your case "dc=acme,dc=com".

Resources