OpenLDAP Configuration Files


OpenLDAP configuration files are installed into the /etc/openldap/ directory. The following list briefly highlights the most important directories and files:

  • /etc/openldap/schema/ directory — This subdirectory contains the schema used by the slapd daemon. See the “The /etc/openldap/schema/ Directory” section of this chapter for more information about this directory.

  • /etc/openldap/ldap.conf — This is the configuration file for all client applications that use the OpenLDAP libraries. These include Sendmail, Pine, Balsa, Evolution, and Gnome Meeting.

  • /etc/openldap/slapd.conf — This is the configuration file for the slapd daemon.

    Note

    The nss_ldap package, if installed, will create a file named /etc/ldap.conf. This file is used by the PAM and NSS modules supplied by the nss_ldap package. See the section “Configuring Your System to Authenticate Using OpenLDAP” later in this chapter for more information about this configuration file.

slapd.conf

In order to use the slapd LDAP server, you need to modify its configuration file, /etc/openldap/slapd.conf, to make it specific to your domain and server. The suffix line names the domain for which the LDAP server will provide information. The suffix line should be changed from:

suffix                "dc=your-domain,dc=com"

so that it reflects your domain name. For example:

suffix              "dc=example,dc=com"

The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value to something like the example below:

rootdn                "cn=root,dc=example,dc=com"

Change the rootpw line to something like the example below:

rootpw                {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u

In the rootpw example, you are using an encrypted root password, which is a much better idea than leaving a plaintext root password in the slapd.conf file. To make this encrypted string, type the following command:

slappasswd

You will be prompted to type and then retype a password. The program prints the resulting encrypted password to the terminal.

Warning

LDAP passwords, including the rootpw directive specified in /etc/openldap/slapd.conf, are sent over the network in plaintext unless you enable TLS encryption. For added security, the rootpw directive should be used only if the initial configuration and population of the LDAP directory occur over a network. After the task is completed, it is best to comment out the rootpw directive by preceding it with a hash mark (#).

Tip

If you are using the slapadd command-line tool locally to populate the LDAP directory, using the rootpw directive is not necessary.
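The slapd.conf steps above (suffix, rootdn, rootpw and slappasswd), as an added example that is not from the guide: it reproduces what slappasswd's default {SSHA} scheme computes (a salted SHA-1 hash, base64-encoded with the 4-byte salt appended; the guide calls this an encrypted password), verifies a password against such a value in constant time, and scans a slapd.conf fragment for a rootpw that is stored in plaintext or is hashed but still active. The digest-then-salt layout is how OpenLDAP defines {SSHA}; the slapd.conf text, the passwords and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed slapd.conf fragment (not the guide's file). The active rootpw
# line is the mistake the guide warns about; the commented line is the
# guide's own {SSHA} example, already disabled as recommended.
SAMPLE_CONF = """\
suffix      "dc=example,dc=com"
rootdn      "cn=root,dc=example,dc=com"
rootpw      secret123
# rootpw    {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
"""

SALT_LEN = 4          # slappasswd appends a 4-byte salt by default
DIGEST_LEN = 20       # SHA-1 digest length


def make_ssha(password, salt=b""):
    """Build an {SSHA} value in the layout slappasswd prints:
    base64( SHA1(password + salt) || salt )."""
    if not salt:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Check a password against an {SSHA} value; comparison is constant time."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def audit_slapd_conf(text):
    """Report rootpw lines that are plaintext, or hashed but still active.
    Commented-out lines (the state the guide recommends) are ignored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"rootpw\s+(.+)$", stripped)
        if not m:
            continue
        value = m.group(1).strip().strip('"')
        if value.upper().startswith(HASHED_SCHEMES):
            scheme = value[: value.index("}") + 1].upper()
            findings.append(f"line {lineno}: rootpw is hashed with {scheme} "
                            "but still active; comment it out once the "
                            "directory is populated")
        else:
            findings.append(f"line {lineno}: rootpw is stored in plaintext")
    return findings


if __name__ == "__main__":
    h = make_ssha("constructed-example-password")
    print(h, verify_ssha("constructed-example-password", h))
    for finding in audit_slapd_conf(SAMPLE_CONF):
        print(finding)
```

Running the block prints a fresh {SSHA} value (different each time because the salt is random), confirms it verifies, and reports the plaintext rootpw on line 3 of the constructed fragment. The same audit function can be pointed at a real /etc/openldap/slapd.conf by reading the file into `text`.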

The /etc/openldap/schema/ Directory

The /etc/openldap/schema/ directory holds LDAP definitions, previously located in the slapd.at.conf and slapd.oc.conf files. All attribute syntax definitions and objectclass definitions are now located in the different schema files. The various schema files are referenced in /etc/openldap/slapd.conf using include lines, as shown in this example:

include       /etc/openldap/schema/core.schema
include       /etc/openldap/schema/cosine.schema
include       /etc/openldap/schema/inetorgperson.schema
include       /etc/openldap/schema/nis.schema
include       /etc/openldap/schema/rfc822-MailMember.schema
include       /etc/openldap/schema/autofs.schema
include       /etc/openldap/schema/kerberosobject.schema

Warning

You should not modify any of the schema items defined in the schema files installed by OpenLDAP.

You can extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. To do this, create a local.schema file in the /etc/openldap/schema directory. Reference this new schema within slapd.conf by adding the following line below your default include schema lines:

include                  /etc/openldap/schema/local.schema

Next, go about defining your new attribute types and object classes within the local.schema file. Many organizations use existing attribute types and object classes from the schema files installed by default and modify them for use in the local.schema file. This method can help you to learn the schema syntax while meeting the immediate needs of your organization.
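A pre-flight check for the local.schema approach described above, as an added example that is not from the guide or from OpenLDAP: it parses the NAME of every attributetype and objectclass in schema text and reports any local.schema definition that reuses a NAME already provided by one of the standard schema files, which slapd rejects at startup as a duplicate. This is the practical reason behind the warning not to alter the shipped schema: copy a definition as a model, but give the copy its own NAME and OID. The schema snippets are constructed stand-ins (the cn and person entries carry their real OIDs; the 1.3.6.1.4.1.99999 arc is a placeholder, not an assigned enterprise number), and the function names are mine.

```python
import re

# Constructed excerpt in the style of core.schema (not the shipped file).
CORE_SCHEMA = """\
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
    SUP name )
objectclass ( 2.5.6.6 NAME 'person'
    SUP top STRUCTURAL
    MUST ( sn $ cn ) )
"""

# Constructed local.schema; 1.3.6.1.4.1.99999 is a placeholder OID arc.
LOCAL_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleBadgeNumber'
    DESC 'Employee badge number'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
# Redefining a standard NAME is the mistake the guide warns against.
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'cn'
    SUP name )
"""

_DEF_START = re.compile(r"^(attributetype|objectclass)\s+\(", re.IGNORECASE)
_NAME = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def split_definitions(text):
    """Group schema text into (kind, body) pairs. Continuation lines are
    indented, which is the convention OpenLDAP's schema files follow."""
    defs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DEF_START.match(line)
        if m:
            defs.append([m.group(1).lower(), line.strip()])
        elif defs and line[:1].isspace():
            defs[-1][1] += " " + line.strip()
    return [(kind, body) for kind, body in defs]


def names_of(body):
    """Return the NAME list of one definition ('cn' or ('cn' 'commonName'))."""
    m = _NAME.search(body)
    if not m:
        return []
    if m.group(1) is not None:
        return [m.group(1)]
    return re.findall(r"'([^']*)'", m.group(2))


def schema_names(text):
    """Map each NAME (lowercased; LDAP names are case-insensitive) to its kind."""
    out = {}
    for kind, body in split_definitions(text):
        for name in names_of(body):
            out[name.lower()] = kind
    return out


def find_collisions(standard_texts, local_text):
    """NAMEs defined in local_text that a standard schema already defines."""
    reserved = {}
    for text in standard_texts:
        reserved.update(schema_names(text))
    local = schema_names(local_text)
    return sorted(name for name in local if name in reserved)


if __name__ == "__main__":
    for name in find_collisions([CORE_SCHEMA], LOCAL_SCHEMA):
        print(f"local.schema redefines standard NAME '{name}'; rename it")
```

To use it against a real installation, read each file named on an include line into `standard_texts` and local.schema into `local_text`; an empty result means no NAME clashes with the shipped schema, although slapd still validates OIDs, syntaxes and SUP references on its own.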

Extending schema to match certain specialized requirements is quite involved and beyond the scope of this chapter. Visit http://www.openldap.org/doc/admin/schema.html for information on writing new schema files.


Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc