Setting Up the OpenLDAP Server


All the software packages you need to set up an OpenLDAP server are included on the CDs or DVD that come with Fedora and RHEL distributions. With those packages installed, you can start configuring your OpenLDAP server.

Installing OpenLDAP Packages

To configure your OpenLDAP server, you should start by installing all the openldap packages from your Fedora or RHEL distribution. First, check which openldap packages are installed:

     # rpm -qa "openldap*"
     openldap-2.3.27-4
     openldap-servers-2.3.27-4
     openldap-devel-2.3.27-4
     openldap-clients-2.3.27-4

You only need the openldap-devel package if you are developing LDAP applications. Otherwise, you can install the openldap, openldap-clients, and openldap-servers packages from the DVD that comes with this book.

Configuring the OpenLDAP Server (slapd.conf)

You configure the access and use of your OpenLDAP databases in the configuration file /etc/openldap/slapd.conf.

Note 

For a more complete description on features you can use in your slapd.conf file, refer to the slapd.conf man page.

  1. Edit slapd.conf. Make a backup copy of /etc/openldap/slapd.conf, then open the file as the root user using any text editor. The following steps describe some of the information you might want to change.

  2. Review the schemas. In the slapd.conf file, schemas that are generally useful for creating LDAP directories are included from the /etc/openldap/schema directory.

    Other schemas you might use will often rely on these schemas being included. So, unless you know you don't need them, don't delete any of these schemas:

     include /etc/openldap/schema/core.schema
     include /etc/openldap/schema/cosine.schema
     include /etc/openldap/schema/inetorgperson.schema
     include /etc/openldap/schema/nis.schema

    The core.schema file is required for all LDAP directories. The cosine.schema and inetorgperson.schema files are particularly useful (and needed for this procedure). The nis.schema file is used to provide Network Information System data in an LDAP directory.

    Tip 

    The LDAP Schema Viewer ( http://ldap.akbkhome.com ) enables you to view object classes, attributes, syntaxes, and matching rules for common schemas for LDAP. Definitions also point to RFCs that more fully define each object class.

  3. Add backend database definitions. In the slapd.conf file, you need to add some backend database definitions. Each set of backend definitions applies to a group of databases of the same type.

    Here's an example of how the backend database definitions would appear for a computer in the domain named linuxtoys.net (of course, you would replace linuxtoys and net with those of your own domain):

     ###################################################
     # ldbm and/or bdb database definitions
     ###################################################
     database        bdb
     suffix          "dc=linuxtoys,dc=net"
     directory       /var/lib/ldap
     rootdn          "cn=Manager,dc=linuxtoys,dc=net"
     cachesize       10000
     searchstack     8
     dbnosync
     dirtyread

    This database is of the type bdb (Berkeley DB transactional backend), which defines how the data for this database is stored. The ldbm (Lightweight Directory Access Protocol Proxy backend) database is another type you could use. The suffix specifies that queries to this slapd server for linuxtoys.net are directed to this database. The directory line identifies the /var/lib/ldap directory as the location for this LDAP directory.

    The rootdn line indicates that root access can be granted to change data in databases associated with the linuxtoys.net distinguished name (provided the password is supplied with rootpw, as described in the next step). The last four options are there to improve performance of the bdb database (type man slapd-bdb for details).

  4. Add a password. In the slapd.conf file, you need to enter the password that is required to modify your OpenLDAP backend database. By default, the rootpw line defines a clear-text string that is your password. The password will give you full control of the backend database. It will look something like the following:

     rootpw mysecret

    Note 

    If you are going to use a clear-text password, you should make sure that your slapd.conf file has read permissions closed to the world (chmod 640 /etc/openldap/slapd.conf). See the "Creating an Encrypted Password" sidebar for information on creating an encrypted password to access your OpenLDAP backend database.

  5. Save slapd.conf. Save your changes to the slapd.conf file and close it.

  6. Check slapd.conf. You can check for syntax errors in your slapd.conf file by running the slaptest command, as follows:

     # slaptest -u
     config file testing succeeded

    If there were something wrong with the syntax of the file (for example, if you left off a quote or misplaced a comma), the message would say slaptest: bad configuration file! instead. Try to correct the problem and check the file again. Later, when the databases are created, you can run slaptest again (without the -u option) to make sure that slapd.conf points to existing, properly configured databases.
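The procedure above makes two security-relevant points that are easy to overlook once the file is saved: rootpw should not sit in clear text, and slapd.conf should not be world-readable. The following audit script is an added example, not code from the book; it checks a slapd.conf for both points plus the required core.schema include, and runs slaptest -u on the file only if slaptest is installed. The path passed as its argument is whatever file you want to audit.

```shell
#!/bin/sh
# Added example: audit a slapd.conf for the checks described in the procedure.
# Prints one line per finding and returns non-zero if anything needs fixing.
audit_slapd_conf() {
    conf="$1"
    status=0

    # Step 4: "rootpw mysecret" is a clear-text password. A hashed value
    # (as produced by slappasswd) starts with a scheme tag such as {SSHA}.
    pw=$(grep -E '^[[:space:]]*rootpw[[:space:]]' "$conf" | awk '{print $2}')
    if [ -n "$pw" ]; then
        case "$pw" in
            \{*\}*) echo "ok: rootpw uses a hashed scheme" ;;
            *)      echo "WARNING: rootpw is stored in clear text"; status=1 ;;
        esac
    fi

    # Note after step 4: the file should be mode 640, so the "other" bits of
    # the ls -l permission string (columns 8-10) must all be "-".
    other=$(ls -ld "$conf" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "WARNING: $conf is readable by other users (use chmod 640)"
        status=1
    fi

    # Step 2: core.schema is required for every LDAP directory.
    if ! grep -q 'schema/core.schema' "$conf"; then
        echo "WARNING: core.schema is not included"
        status=1
    fi

    # Step 6: syntax check, only when the OpenLDAP server tools are present.
    if command -v slaptest >/dev/null 2>&1; then
        slaptest -u -f "$conf" || status=1
    fi

    return $status
}
```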

At this point, you can try starting the OpenLDAP service.

Starting the OpenLDAP Service

You start OpenLDAP as you do most services on Fedora Core and RHEL systems, using the service and chkconfig commands. The service name for OpenLDAP is ldap. To start the service immediately, type the following:

 # service ldap start
 Starting slapd:                                            [  OK  ]

To set the ldap service to start each time the system is rebooted, type the following:

 # chkconfig ldap on

By default, the ldap service will have read permissions open to everyone.


Fedora 6 and Red Hat Enterprise Linux Bible
ISBN: 047008278X
Year: 2007
Pages: 279