<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v4.0 NT beta 1 build Jun 13 2001 (http://www.xmlspy.com) by Eoin Lane (Valtech Ltd.) -->
<?cocoon-process type="xslt"?>
<?xml-stylesheet type="text/xsl" href="http://jaba.sourceforge.net/stylesheet/jaba.xsl"?>
<document xmlns="http://jaba.sourceforge.net/Document" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://jaba.sourceforge.net/Document  
http://jaba.sourceforge.net/schema/document.xsd">
	<header>
		<title>OpenLDAP Installation and Configuration</title>
		<authors>
			<person name="Stefano Galdo" email="Stefano.Galdo@valtech.co.uk"/>
		</authors>
	</header>
	<body>
		<s1 title="Introduction">
			<p>
This document briefly explains how to install and configure OpenLDAP-2.0.11 and how to insert entries into it, and finally gives some examples to help understand how to use that directory service.
</p>
		</s1>
		<s1 title="What is LDAP">
			<p>
		LDAP stands for Lightweight Directory Access Protocol. LDAP is a directory access protocol that runs over TCP/IP. The nitty-gritty details of LDAP are defined in RFC2251 "The Lightweight Directory Access Protocol (v3)." This section gives an overview of LDAP from a user's perspective.
</p>
		</s1>
		<s1 title="Installation of OpenLDAP">
			<p>
		The first thing to do is to download OpenLDAP from the OpenLDAP site. The version used in this paper is the 2.0.11 stable release (openldap-stable-20010524.tgz). Once downloaded, the installation process is quite simple (see [1][2] for further details):</p>
			<ul>
				<li>Run tar zxvf openldap-stable-20010524.tgz</li>
				<li>Change to the created directory and run ./configure</li>
				<li>Run make depend to set up the dependencies</li>
				<li>Run make to build the components</li>
				<li>As root, run make install to install the server</li>
				<li>As root, cd tests and run make to execute the tests (note: this may fail with an error message like 'nothing to do'; just go ahead)</li>
			</ul>
		</s1>
		<s1 title="Configuring OpenLDAP">
			<p>From now on assume the following:</p>
			<ol>
				<li>The slapd executable is in the /usr/local/libexec directory</li>
				<li>slapd.conf is in the /usr/local/etc/openldap directory</li>
			</ol>
			<p>In general, all the absolute paths used in this document depend on the installation choices made by the user.

Once the software has been built and installed, the LDAP daemon (slapd) is ready to be configured. The slapd runtime configuration is primarily accomplished through the slapd.conf file, normally installed in the /usr/local/etc/openldap directory.
The first section of the slapd.conf file contains the "include file.schema" statements. This option specifies that slapd should read additional configuration information from the given file before continuing with the next line of the current file. The included file should follow the normal slapd config file format.</p>
			<source>
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema</source>
			<p>
Note: the first of these three files must be included; the other two are optional (for more details see [4]).
The next two lines tell slapd where to place its process id (pid) and arguments. The slapd.pid file is especially useful for shutting the server down. [3]</p>
			<source>

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args
</source>
			<p>
In the next section we find the database options, where we can specify the database type, the database location, the access password and some other options (see [2]).
</p>
			<source>
database        ldbm
suffix          "o=valtech.co.uk, c=uk"
rootdn          "cn=root, o=valtech.co.uk,c=uk"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /usr/local/var/openldap-ldbm
</source>
			<p>
The database option marks the beginning of a new database instance definition; it should be one of ldbm, shell or passwd, depending on the backend. The suffix option specifies the DN suffix of queries that will be passed to this backend database; multiple suffix lines can be given, and at least one is required for each database definition. The rootdn/rootpw options provide the login information for administration privileges on the server, and directory tells the server where to place the database files.</p>
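			<p>The comment in the fragment above points to slappasswd(8). As an added example (not part of this document or of OpenLDAP itself), the following Python code produces and verifies a {SSHA} value in the layout slappasswd emits, and audits a slapd.conf fragment for a rootpw left in cleartext. The directive parser, the function names and the WEAK_CONF fragment are constructed here for illustration.</p>
			<source>
```python
import base64
import hashlib
import hmac
import os

def parse_slapd_conf(text):
    # Split slapd.conf into (directive, argument) pairs. Per slapd.conf(5), '#' lines are
    # comments and a line that starts with whitespace continues the previous directive.
    directives = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and directives:
            name, arg = directives[-1]
            directives[-1] = (name, arg + " " + line.strip())
            continue
        parts = line.split(None, 1)
        directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives

def audit_rootpw(text):
    # Flag every rootpw that is not a {SCHEME}-prefixed hash, i.e. stored in cleartext.
    return [f"rootpw stored in cleartext: {arg!r}"
            for name, arg in parse_slapd_conf(text) if name == "rootpw" and not arg.startswith("{")]

def ssha_hash(password, salt=b""):
    # Same layout slappasswd(8) emits for {SSHA}: base64(SHA1(password + salt) + salt).
    # A fixed salt is accepted only to make the output reproducible in tests.
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    # What slapd does on a simple bind against a {SSHA} value: re-hash with the stored salt.
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())

# Constructed slapd.conf fragment mirroring the database section above.
WEAK_CONF = """\
database        ldbm
suffix          "o=valtech.co.uk, c=uk"
rootdn          "cn=root, o=valtech.co.uk,c=uk"
rootpw          secret
directory       /usr/local/var/openldap-ldbm
"""
```
			</source>
			<p>Replacing the rootpw argument with the string ssha_hash returns makes audit_rootpw report nothing, which is the state the slapd.conf comment asks for.</p>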
		</s1>
		<s1 title="Running/Stopping the server">
			<p>Now the server is configured and ready to be started. Assuming /usr/local/libexec/ is the directory where the server binary is, the following command starts it:</p>
			<source># /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf</source>
			<p>The server automatically starts in the background. The process can be stopped using the process id stored in the slapd.pid file:</p>
			<source># kill `cat /usr/local/var/slapd.pid`</source>
			<p>The OpenLDAP server can also be started from inetd [5].</p>
		</s1>
		<s1 title="LDIF Format">
			<p>
The LDAP Data Interchange Format (LDIF) is used to represent LDAP entries in a simple text format. This section gives a brief description of the LDIF entry format, which complements LDAP v3 (RFC 2251).
The general form of an entry is:</p>
			<p><![CDATA[
        dn: <distinguished name>
        <attrdesc>: <attrvalue>
        . . .
        <attrdesc>: <attrvalue>
]]>
Here is an example of a real entry:</p>
			<source>
dn: cn=Stefanog, ou=People, o=valtech.co.uk, c=uk
description: Technical Consultant
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: Stefano.Galdo@valtech.co.uk
sn: Galdo
cn: Stefanog
userPassword: valtech
</source>
			<p>
More information about syntax and LDAP schema can be found in [3, chap. 7] and [5].</p>
		</s1>
		<s1 title="Managing OpenLDAP">
			<p>
Some command line utilities come with the server and allow the entries in the LDAP database to be managed through the basic CRUD operations, namely ldapadd, ldapmodify, ldapdelete and ldapsearch.
The slapd daemon is now running but the database is empty. The first thing to do is to insert some data into the database, which can be done with the following command:</p>
			<source>
/usr/local/bin/ldapadd -x -h localhost -p 389 -D "cn=root, o=valtech.co.uk, c=uk" \
-w secret -f test.ldif
</source>
			<p>
Here test.ldif contains one or more entries formatted as described above. Whenever an error occurs the process stops immediately, leaving the remaining entries unprocessed. The '-c' flag forces the process to continue on an error. For more details about ldapadd usage refer to its man page.</p>
			<p>To check that the previous command was executed successfully, a query can be sent to list all the entries:</p>
			<source>
/usr/local/bin/ldapsearch -x -h localhost -p 389 -D "cn=root, o=valtech.co.uk, c=uk" \
-w secret -b "o=valtech.co.uk, c=uk" '(objectclass=*)'</source>
			<p>
A stricter filter can refine the search: for instance '(objectclass=person)' returns all the entries marked as person, while a filter like '(cn=Stefanog)' returns just the entry with that particular cn.</p>
			<p>The complementary operation of deleting an entry is performed by the ldapdelete command, which takes the DN of the entry to remove:</p>
			<source>ldapdelete -x -h localhost -p 389 -D "cn=root, o=valtech.co.uk, c=uk" -w secret "cn=Stefanog, ou=People, o=valtech.co.uk, c=uk"</source>
			<p>Note that ldapdelete identifies the entry by its full DN rather than by a search filter; if no entry has exactly that DN, the delete operation will fail.</p>
			<p>Finally, the update operation can be accomplished with the ldapmodify command:</p>
			<source>ldapmodify -x -h localhost -p 389 -D "cn=root, o=valtech.co.uk, c=uk" -w secret -f test.ldif</source>
			<p>where again test.ldif is a file containing entries in the format described above. If an entry in the file has no match in the database, the process will try to add it.</p>
			<p>
Using a graphical client is an easier alternative for managing an OpenLDAP database. Below is a list of some clients for both Linux and Windows systems. All of them are free.</p>
			<s2 title="Graphical Clients">
				<table>
					<tr>
						<th>Name</th>
						<th>Platform</th>
						<th>Description</th>
						<th>Vote</th>
					</tr>
					<tr>
						<td>LDAP Browser/Editor ver. 2.8.2</td>
						<td>Windows/Unix</td>
						<td>It is very simple to install and to use. It is written in Java, which means it can run on both Unix and Windows platforms. Source code is also available.</td>
						<td>****</td>
					</tr>
					<tr>
						<td>The LDAP Browser by Softerra</td>
						<td>Windows</td>
						<td>The LDAP Browser for Windows is an easy to use tool with a complete set of viewing, editing and exporting capabilities. It supports LDAP v2 and v3 servers. The data is displayed in a Windows Explorer-like style.</td>
						<td>***</td>
					</tr>
					<tr>
						<td>GQ LDAP client</td>
						<td>Linux</td>
						<td>Lightweight LDAP client written in C for the GNOME environment.</td>
						<td>***</td>
					</tr>
				</table>
			</s2>
		</s1>
	</body>
</document>
