OpenLDAP is an open source implementation of the LDAP protocol. It provides a full directory service for different kinds of users, whose information and permissions are organized hierarchically: each user has a profile, and each profile in turn grants access to certain parts of the directory, which is very useful for any large company or organization. To get started with OpenLDAP we will learn how to use it.
Instructions
Before using commands in OpenLDAP, we will show you how to install OpenLDAP on your server. Because the installation and configuration process is a bit complicated, especially for new users, we will show a simple way to configure it on your computer and thus take advantage of everything the protocol offers.
It is important to know the license when using the software or when sharing content related to OpenLDAP (such as this tutorial). This license can be found here.
1. Download the software
Here are the instructions for users of Linux environment. You can obtain a copy of the software by following the instructions on the OpenLDAP software download page (http://www.openldap.org/software/download/). It is recommended that new users download the latest version.
2. Unzip the version
Choose a directory to unpack into, change to it, and unpack the distribution with the following commands:
gunzip -c openldap-VERSION.tgz | tar xvfB -
# Go to the distribution directory
cd openldap-VERSION
You will need to replace VERSION with the number of the downloaded version.
3. Review the documentation
You should now review the COPYRIGHT, LICENSE, README, and INSTALL documents provided with the distribution. COPYRIGHT and LICENSE provide information on acceptable use and copying of the OpenLDAP software and on the limitation of its warranty.
4. Compile and build openLDAP
To compile the contents of the package, OpenLDAP provides a configure script that prepares the distribution to build on your system. The configure script accepts many command line options that enable or disable optional software features. The defaults are generally fine, but you may want to change them. For a complete list of the options that configure accepts, use the --help option:
./configure --help
However, it is generally sufficient in most cases to do a default configuration of openLDAP, which is done by executing the following command:
./configure
Then you have to build the software. This step has two parts: first we build the dependencies and then we compile, checking that no errors occur during the build:
make depend
make
To verify that the build was successful, run the test suite (it only takes a few minutes):
make test
The tests that apply to your configuration will run and all should pass. However, some tests, such as the replication test, may be skipped.
5. Install the software
We are now ready to install the software; this requires superuser privileges. If you are not already root, you can do it like this:
su root -c 'make install'
By default the software is installed under /usr/local; the --prefix option of configure changes this location.
6. Edit the configuration file
Here the interesting part begins. Use your favorite editor to edit the default example slapd.ldif (usually located at /usr/local/etc/openldap/slapd.ldif) so that it contains an MDB database definition of the following form:
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=[MY-DOMAIN],dc=[COM]
olcRootDN: cn=Manager,dc=[MY-DOMAIN],dc=[COM]
olcRootPW: secret
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: objectClass eq
Be sure to replace [MY-DOMAIN] and [COM] with the appropriate domain components for your domain name. For example, if your domain is example.com, use the following configuration:
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: secret
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: objectClass eq
If your domain contains subdomains, for example eng.uni.edu.eu, you have to use one dc component per label:
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=eng,dc=uni,dc=edu,dc=eu
olcRootDN: cn=Manager,dc=eng,dc=uni,dc=edu,dc=eu
olcRootPW: secret
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: objectClass eq
Details about slapd configuration can be found in the slapd-config manual page. It is very important that the olcDbDirectory directory exists before slapd is started.
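The three stanzas above differ only in the domain components, and hand-editing them is where stray spaces and casing slip in. As an added example (not code from the page or from the OpenLDAP project), the POSIX shell script below derives olcSuffix and olcRootDN from a domain name, writes the stanza, hashes the root password with slappasswd when that tool is on the PATH (the cleartext value is the page's choice and works, but a {SSHA} hash keeps the secret out of the file), and checks that olcDbDirectory exists before slapadd is run. The function names, the default data directory argument and the hashing fallback are assumptions; attribute names, paths and the maximum size come from the tutorial.

```shell
#!/bin/sh
# Added example: generate the MDB database stanza for slapd.ldif from a domain.
# Function names and defaults are assumptions; attribute names and paths are
# the tutorial's.

# domain_to_dn: "eng.uni.edu.eu" -> "dc=eng,dc=uni,dc=edu,dc=eu"
domain_to_dn() {
    printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# root_pw_value: emit a salted hash from slappasswd when it is installed
# (it lives in /usr/local/sbin by default), otherwise fall back to the
# cleartext value the tutorial uses.
root_pw_value() {
    if command -v slappasswd >/dev/null 2>&1; then
        slappasswd -s "$1"
    else
        printf '%s' "$1"
    fi
}

# render_mdb_ldif DOMAIN PASSWORD [DATA_DIR]: print the stanza to stdout.
render_mdb_ldif() {
    suffix=$(domain_to_dn "$1")
    datadir=${3:-/usr/local/var/openldap-data}
    cat <<EOF
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: $suffix
olcRootDN: cn=Manager,$suffix
olcRootPW: $(root_pw_value "$2")
olcDbDirectory: $datadir
olcDbIndex: objectClass eq
EOF
}

# check_data_dir DIR: slapd will not start if olcDbDirectory is missing,
# so fail loudly before slapadd rather than at service start.
check_data_dir() {
    if [ -d "$1" ]; then
        return 0
    fi
    printf 'olcDbDirectory %s does not exist; create it before running slapadd\n' "$1" >&2
    return 1
}

# usage:
#   render_mdb_ldif eng.uni.edu.eu 'secret' > mdb-stanza.ldif
#   check_data_dir /usr/local/var/openldap-data
```

Paste the printed stanza into slapd.ldif in place of the one shown above; the rest of the file is left as shipped.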
7. Import the configuration database
At this time, the configuration database must be imported to be used by slapd. For this we execute:
# The configuration directory given to -F must exist; -n 0 selects the configuration database (cn=config)
su root -c 'mkdir -p /usr/local/etc/cn=config'
su root -c '/usr/local/sbin/slapadd -n 0 -F /usr/local/etc/cn=config -l /usr/local/etc/openldap/slapd.ldif'
8. Start SLAPD
You are now ready to start the LDAP daemon (slapd), which runs as a background service that listens for client requests; to start it we execute the command:
su root -c '/usr/local/libexec/slapd -F /usr/local/etc/cn=config'
To verify that the server is running and correctly configured, it is enough to run a search against it with the ldapsearch command, installed by default as /usr/local/bin/ldapsearch:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
Note the use of single quotes around the command parameters to keep the shell from interpreting special characters. The result should look like this:
dn:
namingContexts: dc=example,dc=com
9. Add initial entries to your directory
You can use ldapadd to add entries to your LDAP directory. ldapadd expects entries in LDIF format. To do this we create an LDIF file and run ldapadd on that file. The basic structure of an LDIF file could be as follows:
dn: dc=[MY-DOMAIN],dc=[COM]
objectclass: dcObject
objectclass: organization
o: [MY ORGANIZATION]
dc: [MY-DOMAIN]

dn: cn=Manager,dc=[MY-DOMAIN],dc=[COM]
objectclass: organizationalRole
cn: Manager
Where you have to replace [MY-DOMAIN] and [COM] with the components of your domain, and [MY ORGANIZATION] with the name of your organization. Entries are separated by a blank line. You will be prompted for the "secret" specified in slapd.ldif. For example, for the example.com domain it would be:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
Where example.ldif is the file that was created earlier.
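Mistakes in this first LDIF file (a missing blank line between entries, or an entry whose DN is not under the configured suffix) make ldapadd stop part-way with an error, leaving a half-populated directory. As an added example that is not part of the page or of the OpenLDAP project, the script below writes the two initial entries for any domain and organization name, and checks an LDIF stream before it is handed to ldapadd: every record must begin with a dn line and every DN must end with the suffix. The function names are assumptions; the entry layout is the tutorial's.

```shell
#!/bin/sh
# Added example: generate and sanity-check the initial entries LDIF.
# Function names are assumptions; the entries mirror the tutorial's template.

# domain_to_dn: "example.com" -> "dc=example,dc=com"
domain_to_dn() {
    printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# render_base_ldif DOMAIN ORGANIZATION: the base entry plus the Manager role.
# "o" is a required attribute of the organization object class, and "dc" must
# be the first label of the domain so the entry matches its own DN.
render_base_ldif() {
    suffix=$(domain_to_dn "$1")
    label=${1%%.*}
    cat <<EOF
dn: $suffix
objectclass: dcObject
objectclass: organization
o: $2
dc: $label

dn: cn=Manager,$suffix
objectclass: organizationalRole
cn: Manager
EOF
}

# check_ldif SUFFIX: read LDIF on stdin (blank-line separated records);
# fail if a record does not start with "dn: " or its DN is outside SUFFIX.
# Base64 "dn::" lines are not handled, which is fine for the template above.
check_ldif() {
    awk -v suffix="$2$1" '
        BEGIN { RS = ""; FS = "\n"; bad = 0 }
        {
            if ($1 !~ /^dn: /) {
                print "record " NR " does not start with dn:"; bad = 1; next
            }
            dn = substr($1, 5)
            gsub(/ *, */, ",", dn)            # normalise "dc=a, dc=b" to "dc=a,dc=b"
            if (substr(dn, length(dn) - length(suffix) + 1) != suffix) {
                print "record " NR ": " dn " is outside " suffix; bad = 1
            }
        }
        END { exit bad }
    '
}

# usage:
#   render_base_ldif example.com 'Example Inc' > example.ldif
#   check_ldif dc=example,dc=com < example.ldif && \
#       ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
```

The check runs entirely on the client, so it costs nothing against a live server and catches the typical copy-and-paste errors before any entry is written.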
10. Validate operations
Finally, to verify that the added entries are in your directory, any LDAP client can be used. As an example we use the ldapsearch tool. For the example.com domain, we use the following query:
ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
This command will search and retrieve each entry in the existing database.
Now that you are ready to add more entries using ldapadd or another LDAP client, experiment with various configuration options, backend arrangements, etc. Note that, by default, the slapd database grants read access to everyone except the superuser (specified by the rootdn configuration directive, which has full access). It is recommended that you set access controls to restrict access to authorized users.
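The slapd.ldif stanza in step 6 contains no olcAccess directives, so slapd applies its built-in default and any anonymous client can read the whole tree, as the unauthenticated ldapsearch in step 10 demonstrates. As an added example (not from the page or from the OpenLDAP project), the script below emits two olcAccess rules to append to the mdb stanza before step 7, and a small check that flags a configuration whose last rule still grants something to everyone. The rule set (authenticated users may read, each entry's owner may write it, passwords are usable only for binding) and the check are an assumed sensible starting point, not the project's recommended policy.

```shell
#!/bin/sh
# Added example: olcAccess rules for the mdb stanza and a check on them.
# Rule set and function names are assumptions.

# access_rules: lines to append to the "dn: olcDatabase=mdb,cn=config" stanza
# in slapd.ldif before slapadd. slapd evaluates rules in order and the first
# "to" clause that matches the target wins, so the password rule comes first.
access_rules() {
    cat <<'EOF'
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by users read by * none
EOF
}

# last_rule_denies_everyone: read a stanza on stdin and succeed only if its
# final olcAccess rule ends in "by * none". This is a heuristic for the
# common mistake of leaving a trailing "by * read" (or no rules at all),
# not a full ACL evaluator.
last_rule_denies_everyone() {
    last=$(grep '^olcAccess:' | tail -n 1)
    case "$last" in
        *"by * none") return 0 ;;
        *) printf 'last olcAccess rule does not end with "by * none": %s\n' "$last" >&2
           return 1 ;;
    esac
}

# usage:
#   access_rules >> mdb-stanza.ldif      # then paste the stanza into slapd.ldif
#   last_rule_denies_everyone < mdb-stanza.ldif
```

After slapadd with these rules, the anonymous search from step 10 (`ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'`) returns no entries, while the same search bound as the rootdn (`-D "cn=Manager,dc=example,dc=com" -W`) still lists them, because the rootdn bypasses access control.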