openldap-2.3 on CentOS5 Tutorial

I had to get a dummy openldap setup that had “mail” as one of it’s attributes for the records. I specifically needed all the records to live in the root ou, meaning no Organizational Units, just the root, then all the records. Like this:

dn: cn=1,dc=example,dc=com
cn: 1
objectClass: top
objectClass: dkuser
mail: someemail1@somedomain1.com
mailHost: somesmtphostname1:25

dn: cn=2,dc=example,dc=com
cn: 2
objectClass: top
objectClass: dkuser
mail: someemail2@somedomain2.com
mailHost: somesmtphostname2:25

…. and so on.

It was hard to find a step by step instruction set. So, in this tutorial, I’ll give you command by command steps to install, configure and load openldap on a CentOS5 OS.

First, install the packages with Yum:

yum install openldap openldap-clients openldap-servers nss_ldap python-ldap

Next, set ldap to run at system startup time:

/sbin/chkconfig ldap on

Next, get your password for slapd.conf:

cd /etc/openldap/
/usr/sbin/slappasswd

…. it’ll prompt you for a new password, type it twice. All it does is spit out a password that you can copy paste into slapd. Looks like this:

New password:
Re-enter new password:
{SSHA}zskkuz1hd90SyXA4y+zN4AA0FBQorVEd

Note put this into your slapd.conf. Only do three things:
Include this:

include         /etc/openldap/schema/dkuser.schema

Set the rootpw:

rootpw          {SSHA}bGqb+qzQfXHiQ/e9pCNSpc11Sxbb9qf3

Set the suffix and rootdn:

suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

Here is the whole slapd.conf file:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/dkuser.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}bGqb+qzQfXHiQ/e9pCNSpc11Sxbb9qf3
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

I made up my own object class. This is because I had a very specific use care. There are other schemas out there for qmail, postfix, and other things. In my case, I wanted a very narrow objectclass.

/etc/openldap/schema/dkuser.schema

# Attribute Type Definitions

attributetype ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost'
  DESC 'Which mail server the to relay mail to'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
  SINGLE-VALUE )

# Object Class Definitions

objectclass ( 1.3.6.1.4.1.7914.1.2.2.1 NAME 'dkUser'
  DESC 'Pseudo Email User'
  SUP top STRUCTURAL
  MUST ( cn $ mail $ mailHost )
  MAY ( ) )

Now, to start up openldap for the first time:

[]# /etc/init.d/ldap start

Checking configuration files for slapd:  bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=example,dc=com.
config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]

Oops, forgot the DB_CONFIG. There are some specific instructions here: http://www.openldap.org/faq/data/cache/1072.html. I just used the defaults:

cd /etc/openldap
cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[]# /etc/init.d/ldap restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd:  bdb_db_open: DB_CONFIG for suffix dc=example,dc=com has changed.
Performing database recovery to activate new settings.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]
[]# /etc/init.d/ldap restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]

Ok, that’s better. Here’s what the file looks like for me:
/var/lib/ldap/DB_CONFIG

# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.3 2006/08/17 17:36:19 kurt Exp $
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#
# See Sleepycat Berkeley DB documentation
#   
# for detail description of DB_CONFIG syntax and semantics.
#
# Hints can also be found in the OpenLDAP Software FAQ
#       
# in particular:
#   

# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.

# one 0.25 GB cache
set_cachesize 0 268435456 1

# Data Directory
#set_data_dir db

# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs

# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).

Ok, now we’re ready to load up the root object. Create
/etc/openldap/root.ldif

dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

And load it into openldap:

ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -w password -f root.ldif

And to populate it with a ton of entries. I created a file, UserAddresses_all.txt, with emails in it, one email after another. Then looped through that list, and created a users.ldif file:

let j=1; for i in `cat UserAddresses_all.txt`; do
  # Skip the first 1000, because I already did them:
  if [ $j -gt 1000 ]; then
    # log it first:
    echo "$j $i" >> sofar.log
    # add the ldif entry to the file:
    echo "dn: cn=$j,dc=example,dc=com
cn: $j
objectClass: top
objectClass: dkuser
mail: $i
mailHost: somesmtphostname$j:25

" >> users.ldif
  fi
  let j=$j+1
done

And finally to load the users.ldif:

ldapadd -c -x -D cn=Manager,dc=example,dc=com -w password -f users.ldif

And now, here is how to search it from a remote host:

ldapsearch -x -h 10.0.0.205 -p 389 -D "cn=Manager,dc=example,dc=com" -w password '(mail=foo@bar.com)'

Resulted in:

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (mail=dave@koopman.me)
# requesting: ALL
#

# 0, example.com
dn: cn=1,dc=example,dc=com
cn: 1
objectClass: top
objectClass: dkUser
mail: foo@bar.com
mailHost: somesmtphostname1:25

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
June 26, 2009 | No Comments »

Leave a Reply