2. 2 18 July 2014
Agenda
• Introduction to OpenLDAP
• Installing OpenLDAP
• Configuring OpenLDAP
• Populating an LDAP directory
• Basic searching
3. 3 18 July 2014
OpenLDAP
• OpenLDAP is one of the most popular LDAP
packages in use today.
• OpenLDAP is:
− Free
− Open source
− Standards-compliant (LDAPv3)
− Portable (runs pretty much anywhere)
4. 4 18 July 2014
Obtaining OpenLDAP
• OpenLDAP is available from
http://www.openldap.org/
• Always use the latest version available.
• As of now, 2.3.27 is latest.
5. 5 18 July 2014
Obtaining OpenLDAP
• Download OpenLDAP (and example LDIF):
$ ftp cheese.process.com
Name (cheese.process.com): hp
Password: hp
ftp> prompt
ftp> bi
ftp> mget *
ftp> quit
$
6. 6 18 July 2014
Installing OpenLDAP
• Uncompress and un-archive:
$ gzip -d openldap-2.3.27.tgz
$ tar xfv openldap-2.3.27.tar
7. 7 18 July 2014
Installing OpenLDAP
• Change directories to the distribution directory,
and run the configure script:
$ cd openldap-2.3.27
$ ./configure –-prefix=/usr/local/
8. 8 18 July 2014
Installing OpenLDAP
• Run make depend to build some internal programs
that the OpenLDAP build process depends on:
$ make depend
9. 9 18 July 2014
Installing OpenLDAP
• Build OpenLDAP by running make:
$ make
10. 10 18 July 2014
Installing OpenLDAP
• Run the OpenLDAP test suite to make sure
everything was built correctly:
$ make test
11. 11 18 July 2014
Installing OpenLDAP
• Run make install as root to install OpenLDAP:
$ su
Password: bill+dave
# make install
12. 12 18 July 2014
Configuring OpenLDAP
• Main configuration file is slapd.conf in
/usr/local/etc/openldap/
• Contains list of configuration variables and their
values.
• Detailed info about every configuration variable is
in OpenLDAP Administrator’s Guide.
13. 13 18 July 2014
Configuring OpenLDAP
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
• A schema describes objects that can exist in an
LDAP directory.
• core.schema and cosine.schema files include
definitions for basic LDAP objects.
• inetorgperson.schema describes inetOrgPerson
object that lots of LDAP-integrated software uses.
14. 14 18 July 2014
Configuring OpenLDAP
loglevel 264
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
• loglevel is bitmask that sets the level of LDAP
debugging.
• OpenLDAP’s process ID is stored in pidfile -
used by scripts.
• argsfile contains command line arguments
that OpenLDAP will automatically use when
started.
15. 15 18 July 2014
Configuring OpenLDAP
database bdb
• The database variable specifies the backend
database used by OpenLDAP to store data.
• The bdb module supports the Berkeley DB,
which OpenLDAP uses by default.
16. 16 18 July 2014
Configuring OpenLDAP
suffix "dc=apes.example,dc=com"
• Specifies the name of the base entry in the
directory.
• All other directory entries descend from this
object.
• Should be based on the local domain name.
17. 17 18 July 2014
Configuring OpenLDAP
rootdn "cn=Directory Manager,dc=apes.example,dc=com"
rootpw secret
• The root Distinguished Name (DN) is the
directory administrator.
• Can read, write, and search any part of the
directory.
• Value of suffix should be part of DN.
• rootpw is the password used to access the
rootDN account.
18. 18 18 July 2014
Configuring OpenLDAP
directory /usr/local/var/openldap-data
index objectClass eq
• directory specifies where the directory
database files are located.
− Must exist
− Should only be accessible by user OpenLDAP runs as.
• index specifies attributes that OpenLDAP should
maintain indexes for.
• Indexes speed up searches that use an indexed
attribute.
19. 19 18 July 2014
Starting OpenLDAP
• Run slapd as root to start OpenLDAP:
# /usr/local/libexec/slapd
20. 20 18 July 2014
Starting OpenLDAP
• Run ps –ef and look for the slapd process to
verify that it’s running:
$ ps –ef | grep slapd
root 23932 1 09:52:03 ? 0:00 slapd
$
21. 21 18 July 2014
Stopping OpenLDAP
• Shut down OpenLDAP by sending slapd an
interrupt signal (SIGINT).
• This lets OpenLDAP shut down gracefully.
• NEVER use kill –9 to shut down OpenLDAP –
you can corrupt the directory databases.
# kill -INT
`cat /usr/local/var/run/slapd.pid`
22. 22 18 July 2014
Populating OpenLDAP
• An LDAP directory without any entries isn’t very
useful.
• ldapmodify is used to add or modify directory
entries.
• New entries are specified using an LDIF file.
• We’re going to use a sample LDIF file that
contains:
− A root entry
− A “people” organizational unit (ou)
− Two inetOrgPerson objects
27. 27 18 July 2014
LDIF File “Gotchas”
• Very important: each entry in LDIF file has to be
separated by exactly one blank line.
• Blank line can’t have spaces, tabs, or any other
kind of white space on it.
• “value provided more than once” errors will occur
if line isn’t completely blank.
28. 28 18 July 2014
Adding Entries To The Directory
• The ldapmodify command is used to add
entries to the directory.
• OpenLDAP has to be running for ldapmodify to
work.
• Supply ldapmodify with root DN and password,
since it needs write access to the directory.
$ ldapmodify –D
"cn=Directory Manager,dc=apes.example,dc=com”
-w secret -x -a -f hptf2006.ldif
29. 29 18 July 2014
Verify Entries Added
• The ldapsearch tool can be used to verify that
the new entries were added.
$ ldapsearch -x
-b "dc=apes.example,dc=com"
