
Setting Up the OpenLDAP Server

theYoungman 2007. 2. 9. 09:32

All the software packages you need to set up an OpenLDAP server are included on the CDs or DVD that come with Fedora distributions. With those packages installed, you can start configuring your OpenLDAP server.
Installing OpenLDAP packages

To configure your OpenLDAP server, you should start by installing all the openldap packages from your Fedora distribution. First, check which openldap packages are installed:

# rpm -qa "openldap*"
openldap-2.2.13-2
openldap-servers-2.2.13-2
openldap-devel-2.2.13-2
openldap-clients-2.2.13-2

You only need the openldap-devel package if you are developing LDAP applications. Otherwise, you can install the openldap, openldap-clients, and openldap-servers packages from the DVD that comes with this book.
Configuring the OpenLDAP server (slapd.conf)

You configure the access and use of your OpenLDAP databases in the configuration file, /etc/openldap/slapd.conf.
Note

For a more complete description on features you can use in your slapd.conf file, refer to the slapd.conf man page.

1. Edit slapd.conf. Open the /etc/openldap/slapd.conf file as root user, using any text editor. The following steps tell you some of the information you might want to change.
2. Review the schemas. In the slapd.conf file, schemas are included from the /etc/openldap/schema directory that are generally useful for creating LDAP directories. Other schemas you might use will often rely on these schemas being included. So, unless you know you don't need them, don't delete any of these schemas:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema

The core.schema file is required for all LDAP directories. The cosine.schema and inetorgperson.schema files are particularly useful (and needed for this procedure). The nis.schema file is used to provide Network Information System data in an LDAP directory.
Tip

The LDAP Schema Viewer (http://ldap.akbkhome.com) enables you to view object classes, attributes, syntaxes, and matching rules for common LDAP schemas. Definitions also point to the RFCs that more fully define each object class.
3. Add backend database definitions. In the slapd.conf file, you need to define some backend database definitions. Each set of backend definitions applies to a group of databases of the same type.

Here's an example of how the backend database definitions would appear for a computer in the domain named linuxtoys.net (of course, you would replace linuxtoys and net with those of your own domain):

###################################################
# ldbm and/or bdb database definitions
###################################################

database ldbm
suffix "dc=linuxtoys,dc=net"
directory /var/lib/ldap
rootdn "cn=manager,dc=linuxtoys,dc=net"
access to * by users read

This database is of the type ldbm (Lightweight Directory Access Protocol Proxy backend), which defines how the data for this database are stored. The bdb (Berkeley DB transactional backend) is another common backend database type you could use. The suffix specifies that queries to this slapd server for linuxtoys.net are directed to this database. The directory line identifies the /var/lib/ldap directory as the location for this LDAP directory.

The rootdn line indicates that root access can be granted to change data in databases associated with the linuxtoys.net distinguished name (provided the password is supplied with rootpw, as described in the next step). Access control and other restrictions you may put on the database do not apply to this user. However, access control is applied to all other users, who are given read-only permission.
4. Add a password. In the slapd.conf file, you need to enter the password that is required to modify your OpenLDAP backend database. By default, the rootpw line defines a clear-text string that is your password. The password will give you full control of the backend database. It will look something like the following:

rootpw mysecret

Note

If you are going to use a clear-text password, you should make sure that your slapd.conf file has read permissions closed to the world (chmod 640 /etc/openldap/slapd.conf). See the "Creating an encrypted password" sidebar for information on creating an encrypted password to access your OpenLDAP backend database.
Creating an encrypted password

To create an encrypted password for the administrator of the OpenLDAP database you can use the slappasswd command. You can create the password using Crypt, SSHA, SMD5, MD5, or SHA encryption. Here's an example of creating a password for OpenLDAP using MD5 encryption:

# slappasswd -h {md5} > /tmp/myslap
New password: ********
Re-enter new password: ********
# cat /tmp/myslap
{MD5}uBoM+LOQg5GHHJ2Z4NLu9A==

Enter a password (twice) to create an encrypted MD5 password. This example directs the encrypted password into the /tmp/myslap file, which you can read into the slapd.conf file later. In this example, I had you "cat" the file so you could see what the encrypted password looks like. Your password will be different. Here's what the rootpw line will look like with an encrypted, rather than a clear-text, password:

rootpw {MD5}uBoM+LOQg5GHHJ2Z4NLu9A==

5. Save slapd.conf. Save your changes to the slapd.conf file and close it.
6. Check slapd.conf. You can check for syntax errors in your slapd.conf file by running the slaptest command, as follows:

# slaptest
config file testing succeeded

If there were something wrong with the syntax of the file (for example, if you left off a quote or misplaced a comma), the message would say slaptest: bad configuration file! instead. Try to correct the problem and check the file again.
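The two security points in this procedure, the clear-text rootpw from step 4 with its chmod 640 note and the hashed rootpw from the sidebar, can be checked mechanically. The shell script below is an added example and is not from the book or the OpenLDAP project: it audits a slapd.conf for a clear-text rootpw and for a world-readable file mode, then applies both fixes on a throwaway copy. The sample config, the temporary paths and the function names are constructed for the demo; the hash it pastes in is the sample value the sidebar shows as slappasswd output.

```shell
#!/bin/sh
# Added example, not from the book or the OpenLDAP project: audit a
# slapd.conf for a clear-text rootpw and a world-readable file mode,
# then apply the fixes. Sample config and paths are constructed.

# Write a constructed slapd.conf modelled on the step 3/4 fragments.
write_sample_conf() {
    cat > "$1" <<'EOF'
include /etc/openldap/schema/core.schema
database ldbm
suffix "dc=linuxtoys,dc=net"
directory /var/lib/ldap
rootdn "cn=manager,dc=linuxtoys,dc=net"
rootpw mysecret
access to * by users read
EOF
}

# Return 0 if rootpw is a {SCHEME}hash as produced by slappasswd,
# 1 if it is clear text, 2 if there is no rootpw line at all.
rootpw_is_hashed() {
    pw=$(awk '$1 == "rootpw" { print $2; exit }' "$1")
    [ -n "$pw" ] || return 2
    case "$pw" in
        \{*\}*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Return 0 if "other" has no permission bits (e.g. mode 0640), 1 if the
# file is world-readable. Reads the ls mode string, so it works on both
# GNU and BSD userlands without stat's differing flags.
conf_is_private() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# Replace the rootpw value. The content is copied back into the existing
# file rather than the file being replaced, so its mode is preserved.
set_rootpw() {
    conf=$1
    hash=$2
    awk -v h="$hash" '$1 == "rootpw" { print "rootpw " h; next } { print }' \
        "$conf" > "$conf.tmp"
    cat "$conf.tmp" > "$conf"
    rm -f "$conf.tmp"
}

# Print findings; return 0 only if both checks pass.
audit_conf() {
    status=0
    if rootpw_is_hashed "$1"; then
        echo "ok:   rootpw is stored as a hash"
    else
        echo "WARN: rootpw is clear text or missing (paste slappasswd output)"
        status=1
    fi
    if conf_is_private "$1"; then
        echo "ok:   $1 is not world-readable"
    else
        echo "WARN: $1 is world-readable (chmod 640 $1)"
        status=1
    fi
    return $status
}

# Demo on a throwaway copy, never on the live /etc/openldap/slapd.conf.
demo=$(mktemp -d)
write_sample_conf "$demo/slapd.conf"
chmod 644 "$demo/slapd.conf"        # the usual default mode for a new file
audit_conf "$demo/slapd.conf" || echo "-- applying fixes --"
chmod 640 "$demo/slapd.conf"
# Sample hash from the sidebar's slappasswd run; use your own in practice.
set_rootpw "$demo/slapd.conf" '{MD5}uBoM+LOQg5GHHJ2Z4NLu9A=='
audit_conf "$demo/slapd.conf"
rm -rf "$demo"
```

This only inspects the rootpw line and the file mode; slaptest (step 6) remains the syntax check, so run it after any edit the script makes.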

At this point, you can try starting the OpenLDAP
Starting the OpenLDAP service

You start OpenLDAP as you do most services in Fedora Core and other Red Hat Linux systems, using the service and chkconfig commands. The service name for OpenLDAP is ldap. To start the service immediately, type the following:

# service ldap start
Starting slapd: [ OK ]

To set the ldap service to start each time the system is rebooted, type the following:

# chkconfig ldap on

By default, the ldap service will have read permissions open to everyone.