All the software packages you need to set up an OpenLDAP server are included on the CDs or DVD that come with Fedora distributions. With those packages installed, you can start configuring your OpenLDAP server.
To configure your OpenLDAP server, you should start by installing all the openldap packages from your Fedora distribution. First, check which openldap packages are installed:
# rpm -qa "openldap*"
openldap-2.2.13-2
openldap-servers-2.2.13-2
openldap-devel-2.2.13-2
openldap-clients-2.2.13-2
You only need the openldap-devel package if you are developing LDAP applications. Otherwise, you can install the openldap package, openldap-clients and openldap-servers packages from the DVD that comes with this book.
You configure the access and use of your OpenLDAP databases in the configuration file, /etc/openldap/slapd.conf.
Note: For a more complete description of the features you can use in your slapd.conf file, refer to the slapd.conf man page.
Edit slapd.conf. Open the /etc/openldap/slapd.conf file as root user, using any text editor. The following steps tell you some of the information you might want to change.
Review the schemas. In the slapd.conf file, schemas are included from the /etc/openldap/schema directory that are generally useful for creating LDAP directories. Other schemas you might use will often rely on these schemas being included. So, unless you know you don’t need them, don’t delete any of these schemas:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
The core.schema file is required for all LDAP directories. The cosine.schema and inetorgperson.schema files are particularly useful (and needed for this procedure). The nis.schema file is used to provide Network Information System data in an LDAP directory.
Tip: The LDAP Schema Viewer (http://ldap.akbkhome.com) enables you to view object classes, attributes, syntaxes, and matching rules for common LDAP schemas. Definitions also point to the RFCs that more fully define each object class.
Add backend database definitions. In the slapd.conf file, you need to add a set of backend database definitions. Each set of backend definitions applies to a group of databases of the same type.
Here’s an example of how the backend database definitions would appear for a computer in the domain named linuxtoys.net (of course, you would replace linuxtoys and net with those of your own domain):
###################################################
# ldbm and/or bdb database definitions
###################################################
database ldbm
suffix "dc=linuxtoys,dc=net"
directory /var/lib/ldap
rootdn "cn=manager,dc=linuxtoys,dc=net"
access to * by users read
This database is of the type ldbm (Lightweight Directory Access Protocol Proxy backend), which defines how that data for this database are stored. The bdb (Berkeley DB transactional backend) is another common backend database type you could use. The suffix specifies that queries to this slapd server for linuxtoys.net are directed to this database. The directory line identifies the /var/lib/ldap directory as the location for this LDAP directory.
The rootdn line indicates that root access can be granted to change data in databases associated with the linuxtoys.net distinguished name (provided the password is supplied with rootpw, as described in the next step). Access control and other restrictions you may put on the database do not apply to this user. However, access control is applied to all other users, who are given read-only permission.
Add a password. In the slapd.conf file, you need to enter the password that is required to modify your OpenLDAP backend database. By default, the rootpw line defines a clear-text string that is your password. The password will give you full control of the backend database. It will look something like the following:
rootpw mysecret
Note: If you are going to use a clear-text password, you should make sure that your slapd.conf file has read permissions closed to the world (chmod 640 /etc/openldap/slapd.conf). See the "Creating an encrypted password" sidebar for information on creating an encrypted password to access your OpenLDAP backend database.
To create an encrypted password for the administrator of the OpenLDAP database, you can use the slappasswd command. You can create the password using the Crypt, SSHA, SMD5, MD5, or SHA scheme. Here's an example of creating a password for OpenLDAP using MD5:
# slappasswd -h {md5} > /tmp/myslap
New password: ********
Re-enter new password: ********
# cat /tmp/myslap
{MD5}uBoM+LOQg5GHHJ2Z4NLu9A==
Enter a password (twice) to create an encrypted MD5 password. This example directs the encrypted password into the /tmp/myslap file, which you can read into the slapd.conf file later. In this example, I had you "cat" the file so you could see what the encrypted password looks like. Your password will be different. Here's what the rootpw line will look like with an encrypted, rather than a clear-text, password:
rootpw {MD5}uBoM+LOQg5GHHJ2Z4NLu9A==
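The value slappasswd writes is the scheme name in braces followed by the base64-encoded digest; for the salted schemes (SMD5, SSHA) the salt is appended to the digest before encoding. The following script is an added example, not part of this chapter or of OpenLDAP, that reproduces that format for the MD5, SMD5, SHA and SSHA schemes and checks a candidate password against a stored rootpw value. It assumes a 4-byte salt, which is slappasswd's default; Crypt is left out. Running it shows why the salted schemes are the better choice: two MD5 hashes of the same password are identical, while two SSHA hashes differ but both verify.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Added example: reproduces the {SCHEME}base64 form that slappasswd prints
# for the MD5, SMD5, SHA and SSHA schemes (CRYPT is left out). For the salted
# schemes the value is base64(digest(password + salt) + salt); a 4-byte salt
# is assumed here, which matches slappasswd's default.
_DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
            "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
_SALTED = ("SMD5", "SSHA")
SALT_LEN = 4


def make_hash(password: str, scheme: str = "SSHA",
              salt: Optional[bytes] = None) -> str:
    """Return a rootpw value such as {SSHA}... for the given password."""
    scheme = scheme.upper()
    digest = _DIGESTS[scheme]
    if scheme in _SALTED:
        salt = os.urandom(SALT_LEN) if salt is None else salt
        raw = digest(password.encode() + salt).digest() + salt
    else:
        raw = digest(password.encode()).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())


def is_salted(stored: str) -> bool:
    """True when a stored value uses one of the salted schemes."""
    return stored.upper().startswith(tuple("{%s}" % s for s in _SALTED))


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SCHEME}base64 value.

    A clear-text or unrecognised value returns False rather than being
    compared as plain text, so a misconfigured rootpw never 'verifies'.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, encoded = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in _DIGESTS:
        return False
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return False
    digest = _DIGESTS[scheme]
    dlen = digest().digest_size
    if scheme in _SALTED:
        stored_digest, salt = raw[:dlen], raw[dlen:]
        candidate = digest(password.encode() + salt).digest()
    else:
        stored_digest, candidate = raw, digest(password.encode()).digest()
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Same password twice: MD5 repeats exactly, SSHA differs (random salt).
    print(make_hash("mysecret", "MD5"), make_hash("mysecret", "MD5"))
    print(make_hash("mysecret", "SSHA"), make_hash("mysecret", "SSHA"))
```

A practical use is checking, before you restart slapd, that the hash you pasted into slapd.conf really corresponds to the password you intend to use: verify("mysecret", open_rootpw_value) returns True only for the matching password and for a properly formatted value.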
Save slapd.conf. Save your changes to the slapd.conf file and close it.
Check slapd.conf. You can check for syntax errors in your slapd.conf file by running the slaptest command, as follows:
# slaptest
config file testing succeeded
If there were something wrong with the syntax of the file (for example, if you left off a quote or misplaced a comma), the message would say slaptest: bad configuration file! instead. Try to correct the problem and check the file again.
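slaptest only checks syntax; it will happily accept a world-readable file with a clear-text rootpw and no access rules. The following script is an added example, not part of this chapter or of OpenLDAP, that audits a slapd.conf for the points raised in the steps above: the file mode (chmod 640), a missing or clear-text rootpw, an unsalted hash scheme, a missing rootdn, no access directives at all (in which case slapd's default grants read access to everyone), and any rule that grants write to anonymous or to everyone. The two configuration bodies are constructed for the demonstration; the hash in GOOD_CONF is a labelled placeholder, not real slappasswd output. The parser follows the slapd.conf rule that a line beginning with white space continues the previous directive.

```python
import os
import stat
from typing import Dict, List

# Constructed slapd.conf bodies for the demonstration. WEAK_CONF is the
# chapter's example with a clear-text rootpw and no access rules;
# GOOD_CONF uses a (placeholder) hashed rootpw and explicit access rules.
WEAK_CONF = """\
database ldbm
suffix "dc=linuxtoys,dc=net"
directory /var/lib/ldap
rootdn "cn=manager,dc=linuxtoys,dc=net"
rootpw mysecret
"""

GOOD_CONF = """\
database bdb
suffix "dc=linuxtoys,dc=net"
directory /var/lib/ldap
rootdn "cn=manager,dc=linuxtoys,dc=net"
# placeholder value below; generate the real one with slappasswd -h {SSHA}
rootpw {SSHA}PLACEHOLDER_REPLACE_WITH_SLAPPASSWD_OUTPUT
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
"""


def parse_slapd_conf(text: str) -> List[List[str]]:
    """Split slapd.conf into token lists, one per directive.

    '#' lines and blank lines are skipped; a line that begins with white
    space continues the previous directive, as slapd.conf(5) specifies.
    """
    directives: List[List[str]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            directives[-1].extend(raw.split())
        else:
            directives.append(raw.split())
    return directives


def audit_config(text: str, mode: int) -> List[str]:
    """Return findings for a slapd.conf body and the file's st_mode bits."""
    findings: List[str] = []
    by_name: Dict[str, List[List[str]]] = {}
    for d in parse_slapd_conf(text):
        by_name.setdefault(d[0], []).append(d)

    # The chapter's advice: chmod 640 so only root and the ldap group read it.
    if mode & stat.S_IROTH:
        findings.append("world-readable: chmod 640 /etc/openldap/slapd.conf")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: anyone could change rootdn or rootpw")

    if "rootdn" not in by_name:
        findings.append("no rootdn: no administrator DN is defined")
    if "rootpw" not in by_name:
        findings.append("no rootpw: the rootdn cannot bind with a password")
    for d in by_name.get("rootpw", []):
        value = d[1] if len(d) > 1 else ""
        if not value.startswith("{"):
            findings.append("rootpw is clear text; replace it with slappasswd output")
        elif value.upper().startswith(("{MD5}", "{SHA}")):
            findings.append("rootpw uses an unsalted scheme; prefer {SSHA}")

    acls = by_name.get("access", [])
    if not acls:
        findings.append("no access directives: slapd's default grants read to everyone")
    for d in acls:
        for i, tok in enumerate(d):
            # "by * write" or "by anonymous write" hands write access to anyone
            if tok == "by" and d[i + 1:i + 3] in (["*", "write"], ["anonymous", "write"]):
                findings.append("access rule grants write to %s: %s" % (d[i + 1], " ".join(d)))
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a real file, e.g. audit_file('/etc/openldap/slapd.conf')."""
    with open(path) as fh:
        text = fh.read()
    return audit_config(text, os.stat(path).st_mode)


if __name__ == "__main__":
    for name, conf, mode in (("weak", WEAK_CONF, 0o644), ("good", GOOD_CONF, 0o640)):
        print(name, audit_config(conf, mode) or "no findings")
```

Run audit_file('/etc/openldap/slapd.conf') as root after slaptest passes; an empty list means none of the checks above fired, not that the configuration is correct in every respect.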
At this point, you can try starting the OpenLDAP
You start OpenLDAP as you do most services in Fedora Core and other Red Hat Linux systems, using the service and chkconfig commands. The service name for OpenLDAP is ldap. To start the service immediately, type the following:
# service ldap start
Starting slapd:                                            [  OK  ]
To set the ldap service to start each time the system is rebooted, type the following:
# chkconfig ldap on
By default, the ldap service will have read permissions open to everyone.