LDAP is a solution to access centrally stored information over network. This centrally stored information is organized in a directory that follows X.500 standard.
The following are the two most commonly used objects in OpenLDAP:
- cn (common name) – This refers to the leaf entries, which are end objects (for example: users and groups)
- dc (domain component) – This refers to one of the container entries in the LDAP hierarchy. If in a setup the LDAP hierarchy is mapped to a DNS hierarchy, typically all DNS domains are referred to as DC objects.
- openldap-servers – This is the main LDAP server
- openldap-clients – This contains all required LDAP client utilities
- openldap – This packages contains the LDAP support libraries
LDAP Config Files
- config.ldif – The LDAP default configuration is stored under a file in /etc/openldap/slapd.d/cn=config.ldif that is created in the LDIF format. This is the LDAP Input Format (LDIF), a specific format that allows you to enter information in to the LDAP directory.
- olcDatabase{2}bdb.ldif – You can also modify the settings like number of connections the server can support, timeouts and other database settings under the file /etc/openldap/slapd.d/cn=config/olcDatabase{2}bdb.ldif. This is the file that also contains the parameters like LDAP root user and the base DN.
[root@LDAP ~]# yum install *openldap*
[root@LDAP ~]# yum install -y openldap openldap-clients openldap-servers
[root@LDAP ~]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2250/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2045/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2375/master
tcp 0 0 :::22 :::* LISTEN 2250/sshd
tcp 0 0 ::1:631 :::* LISTEN 2045/cupsd
tcp 0 0 ::1:25 :::* LISTEN 2375/master
[root@LDAP ~]# service slapd status
slapd is stopped
[root@LDAP ~]# service slapd start
Starting slapd: [ OK ]
[root@LDAP ~]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 3044/slapd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2250/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2045/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2375/master
tcp 0 0 :::389 :::* LISTEN 3044/slapd
tcp 0 0 :::22 :::* LISTEN 2250/sshd
tcp 0 0 ::1:631 :::* LISTEN 2045/cupsd
tcp 0 0 ::1:25 :::* LISTEN 2375/master
[root@LDAP ~]# chkconfig –list | grep slapd
slapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@LDAP ~]# chkconfig slapd –level 235 on
[root@LDAP ~]# chkconfig –list | grep slapd
slapd 0:off 1:off 2:on 3:on 4:off 5:on 6:off
[root@LDAP ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
[root@LDAP ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted – Targeted processes are protected,
# mls – Multi Level Security protection.
SELINUXTYPE=targeted
[root@LDAP ~]# vim /etc/selinux/config
[root@LDAP ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted – Targeted processes are protected,
# mls – Multi Level Security protection.
SELINUXTYPE=targeted
[root@LDAP ~]# ls -l /etc/openldap/
total 20
drwxr-xr-x. 2 root root 4096 Mar 27 07:07 certs
-rw-r—–. 1 root ldap 121 Sep 30 03:54 check_password.conf
-rw-r–r–. 1 root root 282 Oct 24 05:52 ldap.conf
drwxr-xr-x. 2 root root 4096 Mar 27 07:07 schema
drwx——. 3 ldap ldap 4096 Mar 27 07:07 slapd.d
[root@LDAP ~]# slappasswd
New password:
Re-enter new password:
{SSHA}4CmU0AzDA1bkRjho9+cfrb5krz5X6aSZ
Take the hash output of the above command and add it to the oclRootPW parameter in the config.ldif file as shown below
[root@LDAP ~]# cat >> /etc/openldap/slapd.d/cn\=config.ldif
olcRootPW: {SSHA}4CmU0AzDA1bkRjho9+cfrb5krz5X6aSZ
[root@LDAP ~]# cat /etc/openldap/slapd.d/cn\=config.ldif |grep “olcRootPW:{SSHA}+MELoptjuhfYFC83pUB4nmBG67zhWo6n”
olcRootPW: {SSHA}4CmU0AzDA1bkRjho9+cfrb5krz5X6aSZ
[root@LDAP ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
[root@LDAP ~]# cd /etc/openldap/slapd.d/cn\=config
[root@LDAP cn=config]# ls -l
total 80
drwx——. 2 ldap ldap 4096 Mar 27 07:07 cn=schema
-rw——-. 1 ldap ldap 59366 Mar 27 07:07 cn=schema.ldif
-rw——-. 1 ldap ldap 663 Mar 27 07:07 olcDatabase={0}config.ldif
-rw——-. 1 ldap ldap 596 Mar 27 07:07 olcDatabase={-1}frontend.ldif
-rw——-. 1 ldap ldap 695 Mar 27 07:07 olcDatabase={1}monitor.ldif
-rw——-. 1 ldap ldap 1273 Mar 27 07:07 olcDatabase={2}bdb.ldif
Create olcSuffix Domain Name
Now setup the olcSuffix and to set the domain that you want. Simply modify the line that starts with olcSuffix in the file olcDatabase={2}bdb.ldif as shown below.
[root@LDAP ~]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase={2}bdb.ldif |grep olcSuffix:
olcSuffix: dc=my-domain,dc=com
[root@LDAP ~]# nano /etc/openldap/slapd.d/cn\=config/olcDatabase={2}bdb.ldif
[root@LDAP ~]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase={2}bdb.ldif |grep olcSuffix:
olcSuffix: dc=rafi,dc=com
/etc/openldap/ldap.conf
The configuration file for client applications that use the OpenLDAP libraries. This includes ldapadd, ldapsearch, Evolution, etc.
/etc/openldap/slapd.d/
The directory containing the slapd configuration.
Command Description
ldapadd Allows you to add entries to an LDAP directory, either from a file, or from standard input.It is a symbolic link to ldapmodify -a.
ldapcompare Allows you to compare given attribute with an LDAP directory entry.
ldapdelete Allows you to delete entries from an LDAP directory.
ldapexop Allows you to perform extended LDAP operations.
ldapmodify Allows you to modify entries in an LDAP directory, either from a file, or from standard input.
ldapmodrdn Allows you to modify the RDN value of an LDAP directory entry.
ldappasswd Allows you to set or change the password for an LDAP user.
ldapsearch Allows you to search LDAP directory entries.
ldapurl Allows you to compose or decompose LDAP URLs.
ldapwhoami Allows you to perform a whoami operation on an LDAP server.
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
slaptest -u
Command Description
slapacl Allows you to check the access to a list of attributes.
slapadd Allows you to add entries from an LDIF file to an LDAP directory.
slapauth Allows you to check a list of IDs for authentication and authorization permissions.
slapcat Allows you to pull entries from an LDAP directory in the default format and save them in an LDIF file.
slapdn Allows you to check a list of Distinguished Names (DNs) based on available schema syntax.
slapindex Allows you to re-index the slapd directory based on the current content. Run this utility whenever you change indexing options in the configuration file.
slappasswd Allows you to create an encrypted user password to be used with the ldapmodify utility, or in the slapd configuration file.
slapschema Allows you to check the compliance of a database with the corresponding schema.
slaptest Allows you to check the LDAP server configuration.
