2 18 July 2014
• Introduction to OpenLDAP
• Installing OpenLDAP
• Configuring OpenLDAP
• Populating an LDAP directory
• Basic searching
• OpenLDAP is one of the most popular LDAP
packages in use today.
• OpenLDAP is:
− Open source
− Standards-compliant (LDAPv3)
− Portable (runs pretty much anywhere)
• OpenLDAP is available from
• Use the latest release available; newer releases carry security fixes.
• At the time these slides were written, the latest was 2.3.27, which the rest of the walkthrough uses.
• Download OpenLDAP (and example LDIF):
$ ftp cheese.process.com
Name (cheese.process.com): hp
ftp> mget *
• Plain FTP gives no integrity guarantee: before building, compare the archive's checksum or signature with the value published by the OpenLDAP project.
• Uncompress and un-archive:
$ gzip -d openldap-2.3.27.tgz
$ tar xfv openldap-2.3.27.tar
• Change to the distribution directory and run the configure script (a non-root account is fine for everything up to make install):
$ cd openldap-2.3.27
$ ./configure --prefix=/usr/local/
• Run make depend to build some internal programs
that the OpenLDAP build process depends on:
$ make depend
• Build OpenLDAP by running make:
$ make
• Run the OpenLDAP test suite to make sure
everything was built correctly:
$ make test
• Run make install as root to install OpenLDAP:
# make install
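The download-to-install sequence above, wrapped in one script as an added example (it is not part of the slides). Beyond the steps on the slides it adds the one check a practitioner wants before compiling someone else's tarball: a SHA-256 comparison against a digest obtained out of band (assumed here to come from the OpenLDAP project's published checksum for the release; the value itself is passed in as an argument, nothing is hard-coded). The use of sudo for the install step when not already root is also an assumption.

```sh
#!/bin/sh
# Added example: build OpenLDAP from a source tarball following the slide sequence
# (uncompress, unpack, configure, make depend, make, make test, make install),
# refusing to build unless the tarball's SHA-256 matches an expected digest.
# Assumption: the expected digest comes from the OpenLDAP project's published value.
set -e

# sha256_of FILE: print the hex SHA-256 of FILE with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if the digests match (case-insensitive).
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# build_openldap TARBALL EXPECTED_SHA256 [PREFIX]: the slide sequence, gated on the
# checksum and on the test suite (set -e stops the script if make test fails).
build_openldap() {
    tarball=$1; expected=$2; prefix=${3:-/usr/local}
    verify_sha256 "$tarball" "$expected" || { echo "checksum mismatch for $tarball" >&2; return 1; }
    gzip -dc "$tarball" | tar xf -          # same as gzip -d + tar xfv, without the .tar on disk
    cd "$(basename "$tarball" .tgz)"
    ./configure --prefix="$prefix"
    make depend
    make
    make test
    if [ "$(id -u)" -eq 0 ]; then
        make install
    else
        sudo make install                     # install needs root, as the slide says (sudo assumed)
    fi
}

# Usage: sh build-openldap.sh openldap-2.3.27.tgz <expected-sha256> [/usr/local]
if [ $# -ge 2 ]; then
    build_openldap "$@"
fi
```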
• Main configuration file is slapd.conf, installed under the etc/openldap directory of the configure prefix.
• Contains a list of configuration variables and their values, one directive per line; comment lines start with # in the first column.
• Because it holds the rootpw, slapd.conf should be readable only by the account slapd runs as.
• Detailed info about every configuration variable is in the OpenLDAP Administrator's Guide.
• A schema describes the object classes and attributes that can exist in an LDAP directory; schema files are pulled into slapd.conf with include directives.
• core.schema and cosine.schema include definitions for basic LDAP objects.
• inetorgperson.schema describes the inetOrgPerson object that lots of LDAP-integrated software uses (it depends on core.schema and cosine.schema, so include those first).
• loglevel is a bitmask that selects which kinds of events slapd logs (via syslog).
• slapd writes its process ID to pidfile; that is what scripts use to signal it.
• argsfile is where slapd records the command line it was started with, also for scripts. slapd writes both files on startup; it does not read arguments from them.
• The database directive selects the backend that stores the directory data; the directives that follow it apply to that database.
• bdb is the Berkeley DB backend, the default for this release.
• suffix specifies the DN of the base entry of the directory.
• All other directory entries descend from this entry.
• Should be based on the local domain name.
rootdn "cn=Directory Manager,dc=apes.example,dc=com"
• The root Distinguished Name (DN) is the directory's superuser.
• Can read, write, and search any part of the directory; access controls do not apply to it.
• rootdn must lie under the suffix, otherwise rootpw cannot be used to authenticate as it.
• rootpw is the password used to bind as the rootdn. Do not store it in cleartext: run slappasswd and paste the {SSHA} hash it prints into slapd.conf, and reserve the rootdn for initial population and administration rather than day-to-day access.
index objectClass eq
• directory specifies where the directory database files are located.
− Must exist before slapd starts.
− Should only be accessible by the user OpenLDAP runs as (mode 0700).
• index specifies attributes that OpenLDAP should maintain indexes for.
• Indexes speed up searches that filter on an indexed attribute; always keep the objectClass eq index, since almost every filter tests objectClass.
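A complete slapd.conf assembled from the directives discussed above, added here as an example; it is not the slides' own file. The suffix dc=apes.example,dc=com is assumed from the rootdn shown earlier, the paths follow the --prefix=/usr/local build, and the weak rootpw form is shown commented out next to the hashed form.

```conf
# Added example slapd.conf for the --prefix=/usr/local build; suffix assumed from the rootdn.
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

# 256 = stats: one line per connection, operation and result
loglevel        256
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

database        bdb
suffix          "dc=apes.example,dc=com"
rootdn          "cn=Directory Manager,dc=apes.example,dc=com"

# Weak: a cleartext rootpw is readable by anyone who can read this file.
# rootpw        secret
# Better: store the salted hash printed by slappasswd (it prompts for the password).
rootpw          {SSHA}<paste the output of slappasswd here>

# Must exist before slapd starts and be accessible only to the slapd user,
# e.g.  mkdir -m 0700 /usr/local/var/openldap-data
directory       /usr/local/var/openldap-data

index           objectClass     eq
index           cn,sn,uid       eq,sub
```

The second index line is an addition for the inetOrgPerson entries loaded later; it indexes the attributes those entries are usually searched by, and can be dropped if they are never filtered on.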
• Run slapd as root to start OpenLDAP (with this build it is installed as /usr/local/libexec/slapd):
# /usr/local/libexec/slapd
• slapd only needs root to open privileged ports and files; start it with -u user -g group so it drops to an unprivileged account, and make that account the owner of the database directory.
• Run ps -ef and look for the slapd process to verify that it's running:
$ ps -ef | grep slapd
root 23932 1 09:52:03 ? 0:00 slapd
• Shut down OpenLDAP by sending slapd an interrupt signal (SIGINT); SIGTERM is handled the same way.
• This lets OpenLDAP shut down gracefully and close its databases cleanly.
• NEVER use kill -9 to shut down OpenLDAP: you can corrupt the directory databases.
# kill -INT 23932
• 23932 is the PID from the ps output above; scripts should read it from pidfile instead.
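The pidfile plus SIGINT shutdown described above as a script, added as an example (not from the slides): it reads the PID from the pidfile, sends the interrupt, waits for the process to go away, and never escalates to kill -9. The default pidfile path is an assumption matching a --prefix=/usr/local build; pass another path as the first argument.

```sh
#!/bin/sh
# Added example: graceful slapd shutdown via the pidfile named in slapd.conf.
# Assumption: the default pidfile path is the one this build's slapd.conf uses.

# alive PID: 0 if a process with that PID exists and is not a zombie.
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    case "$(ps -o stat= -p "$1" 2>/dev/null)" in
        *Z*) return 1 ;;
    esac
    return 0
}

# is_running [PIDFILE]: 0 if the PID stored in PIDFILE is alive, 1 otherwise.
is_running() {
    pid=$(cat "${1:-/usr/local/var/run/slapd.pid}" 2>/dev/null) || return 1
    alive "$pid"
}

# stop_slapd [PIDFILE] [TIMEOUT_SECONDS] [SIGNAL]
# Returns 0 once the process has exited, 1 if it is still running after the timeout,
# 2 if the pidfile is missing or does not hold a PID, 3 if no such process exists.
# SIGNAL defaults to INT, as on the slide; slapd treats TERM the same way.
stop_slapd() {
    pidfile=${1:-/usr/local/var/run/slapd.pid}
    timeout=${2:-30}
    sig=${3:-INT}
    pid=$(cat "$pidfile" 2>/dev/null) || return 2
    case "$pid" in
        '' | *[!0-9]*) return 2 ;;        # pidfile does not hold a plain PID
    esac
    alive "$pid" || return 3               # stale pidfile, nothing to stop
    kill -"$sig" "$pid" || return 3        # request a graceful shutdown
    i=0
    while [ "$i" -lt "$timeout" ]; do
        alive "$pid" || return 0
        sleep 1
        i=$((i + 1))
    done
    echo "slapd (pid $pid) still running after ${timeout}s; do NOT kill -9 it, check its log" >&2
    return 1
}
```

If the timeout expires, slapd is usually still flushing or checkpointing its databases; give it more time rather than forcing it.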
• An LDAP directory without any entries isn't very useful.
• ldapmodify is used to add or modify directory entries.
• New entries are specified using an LDIF file.
• We're going to use a sample LDIF file that contains:
− A root entry
− A "people" organizational unit (ou)
− Two inetOrgPerson objects
LDIF File "Gotchas"
• Very important: each entry in an LDIF file has to be separated by exactly one blank line.
• The blank line can't have spaces, tabs, or any other kind of white space on it.
• A line that starts with white space is an LDIF continuation line, so a "blank" line that contains spaces folds the next entry's lines into the previous entry; the merged entry then has duplicate attribute values, which is what the "value provided more than once" error reports.
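A constructed LDIF file with the entries the sample file is said to contain (root entry, people ou, two inetOrgPerson entries), together with a checker for the gotchas above, added as an example; neither is the slides' own material. The suffix is assumed from the rootdn shown earlier and the two people are made up. The checker splits the file on truly empty lines and reports whitespace-only separators, consecutive blank lines and entries that do not begin with dn:, so the file can be validated before ldapmodify ever sees it.

```sh
#!/bin/sh
# Added example: sample LDIF (constructed data, suffix assumed) plus a checker for the
# separator rules on the "gotchas" slide.

# write_sample_ldif FILE: write the four constructed entries to FILE.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: dc=apes.example,dc=com
objectClass: dcObject
objectClass: organization
dc: apes.example
o: Apes Example

dn: ou=people,dc=apes.example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=abosman,ou=people,dc=apes.example,dc=com
objectClass: inetOrgPerson
uid: abosman
cn: Alice Bosman
sn: Bosman

dn: uid=bchimp,ou=people,dc=apes.example,dc=com
objectClass: inetOrgPerson
uid: bchimp
cn: Bob Chimp
sn: Chimp
EOF
}

# check_ldif FILE: 0 if the separators are clean and every entry starts with dn:,
# 1 otherwise; problems are reported on stderr with their line numbers.
check_ldif() {
    awk '
        /^[ \t]+$/ { printf "line %d: separator contains white space (must be completely empty)\n", NR
                     bad = 1; prevblank = 1; inrec = 0; next }
        /^$/       { if (prevblank) { printf "line %d: more than one blank line between entries\n", NR; bad = 1 }
                     prevblank = 1; inrec = 0; next }
        /^#/       { next }
        /^version:/ && !inrec { prevblank = 0; next }
        {
            prevblank = 0
            if (!inrec) {
                inrec = 1; nrec++
                if ($0 !~ /^dn:/) { printf "line %d: entry does not start with dn:\n", NR; bad = 1 }
            }
        }
        END { printf "%d entries checked\n", nrec + 0; exit bad + 0 }
    ' "$1" >&2
}

# ldif_record_count FILE: print the number of dn: lines, i.e. entries.
ldif_record_count() {
    awk '/^dn:/ { n++ } END { print n + 0 }' "$1"
}

# load_ldif FILE: run the check, then add the entries as the rootdn (-W prompts for rootpw
# instead of putting it on the command line).
load_ldif() {
    check_ldif "$1" || return 1
    ldapmodify -x -a -D "cn=Directory Manager,dc=apes.example,dc=com" -W -f "$1"
}
```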
Adding Entries To The Directory
• The ldapmodify command is used to add entries to the directory (-a means add).
• OpenLDAP has to be running for ldapmodify to work.
• Supply ldapmodify with the root DN and password, since it needs write access to the directory:
$ ldapmodify -D "cn=Directory Manager,dc=apes.example,dc=com" -w secret -x -a -f hptf2006.ldif
• -w secret leaves the password in the process list and shell history; prefer -W, which prompts for it. With -x (simple bind) the password also crosses the network in the clear unless the connection uses TLS or the local ldapi:// socket.
Verify Entries Added
• The ldapsearch tool can be used to verify that the new entries were added; it needs a search base (-b), here the suffix, and a filter:
$ ldapsearch -x -b "dc=apes.example,dc=com" "(objectClass=*)"