I had to get a dummy openldap setup that had “mail” as one of it’s attributes for the records. I specifically needed all the records to live in the root ou, meaning no Organizational Units, just the root, then all the records. Like this:
dn: cn=1,dc=example,dc=com cn: 1 objectClass: top objectClass: dkuser mail: someemail1@somedomain1.com mailHost: somesmtphostname1:25 dn: cn=2,dc=example,dc=com cn: 2 objectClass: top objectClass: dkuser mail: someemail2@somedomain2.com mailHost: somesmtphostname2:25
…. and so on.
It was hard to find a step by step instruction set. So, in this tutorial, I’ll give you command by command steps to install, configure and load openldap on a CentOS5 OS.
First, install the packages with Yum:
yum install openldap openldap-clients openldap-servers nss_ldap python-ldap
Next, set ldap to run at system startup time:
/sbin/chkconfig ldap on
Next, get your password for slapd.conf:
cd /etc/openldap/ /usr/sbin/slappasswd
…. it’ll prompt you for a new password, type it twice. All it does is spit out a password that you can copy paste into slapd. Looks like this:
New password:
Re-enter new password:
{SSHA}zskkuz1hd90SyXA4y+zN4AA0FBQorVEd
Note put this into your slapd.conf. Only do three things:
Include this:
include /etc/openldap/schema/dkuser.schema
Set the rootpw:
rootpw {SSHA}bGqb+qzQfXHiQ/e9pCNSpc11Sxbb9qf3
Set the suffix and rootdn:
suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com"
Here is the whole slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/dkuser.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib64/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}bGqb+qzQfXHiQ/e9pCNSpc11Sxbb9qf3
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
I made up my own object class. This is because I had a very specific use care. There are other schemas out there for qmail, postfix, and other things. In my case, I wanted a very narrow objectclass.
/etc/openldap/schema/dkuser.schema
# Attribute Type Definitions
attributetype ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost'
DESC 'Which mail server the to relay mail to'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
SINGLE-VALUE )
# Object Class Definitions
objectclass ( 1.3.6.1.4.1.7914.1.2.2.1 NAME 'dkUser'
DESC 'Pseudo Email User'
SUP top STRUCTURAL
MUST ( cn $ mail $ mailHost )
MAY ( ) )
Now, to start up openldap for the first time:
[]# /etc/init.d/ldap start
Checking configuration files for slapd: bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=example,dc=com.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Oops, forgot the DB_CONFIG. There are some specific instructions here: http://www.openldap.org/faq/data/cache/1072.html. I just used the defaults:
cd /etc/openldap
cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[]# /etc/init.d/ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: bdb_db_open: DB_CONFIG for suffix dc=example,dc=com has changed.
Performing database recovery to activate new settings.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[]# /etc/init.d/ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Ok, that’s better. Here’s what the file looks like for me:
/var/lib/ldap/DB_CONFIG
# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.3 2006/08/17 17:36:19 kurt Exp $ # Example DB_CONFIG file for use with slapd(8) BDB/HDB databases. # # See Sleepycat Berkeley DB documentation # <http://www.sleepycat.com/docs/ref/env/db_config.html> # for detail description of DB_CONFIG syntax and semantics. # # Hints can also be found in the OpenLDAP Software FAQ # <http://www.openldap.org/faq/index.cgi?file=2> # in particular: # <http://www.openldap.org/faq/index.cgi?file=1075> # Note: most DB_CONFIG settings will take effect only upon rebuilding # the DB environment. # one 0.25 GB cache set_cachesize 0 268435456 1 # Data Directory #set_data_dir db # Transaction Log settings set_lg_regionmax 262144 set_lg_bsize 2097152 #set_lg_dir logs # Note: special DB_CONFIG flags are no longer needed for "quick" # slapadd(8) or slapindex(8) access (see their -q option).
Ok, now we’re ready to load up the root object. Create
/etc/openldap/root.ldif
dn: dc=example,dc=com dc: example description: Root LDAP entry for example.com objectClass: dcObject objectClass: organizationalUnit ou: rootobject
And load it into openldap:
ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -w password -f root.ldif
And to populate it with a ton of entries. I created a file, UserAddresses_all.txt, with emails in it, one email after another. Then looped through that list, and created a users.ldif file:
let j=1; for i in `cat UserAddresses_all.txt`; do
# Skip the first 1000, because I already did them:
if [ $j -gt 1000 ]; then
# log it first:
echo "$j $i" >> sofar.log
# add the ldif entry to the file:
echo "dn: cn=$j,dc=example,dc=com
cn: $j
objectClass: top
objectClass: dkuser
mail: $i
mailHost: somesmtphostname$j:25
" >> users.ldif
fi
let j=$j+1
done
And finally to load the users.ldif:
ldapadd -c -x -D cn=Manager,dc=example,dc=com -w password -f users.ldif
And now, here is how to search it from a remote host:
ldapsearch -x -h 10.0.0.205 -p 389 -D "cn=Manager,dc=example,dc=com" -w password '(mail=foo@bar.com)'
Resulted in:
# extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (mail=dave@koopman.me) # requesting: ALL # # 0, example.com dn: cn=1,dc=example,dc=com cn: 1 objectClass: top objectClass: dkUser mail: foo@bar.com mailHost: somesmtphostname1:25 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
After all the hours ( days ? ) I’ve put into learning OpenLDAP, this has to be the best laid-out and documented tutorial I’ve found !!
I’m currently unemployed and have been using just about every awake moment in my day, learning Ubuntu and MySQL and SAMBA and … yes … OpenLDAP is my latest project.
I want to be capable of going into a business and taking on the responsibility of liberating them, as much as possible, from M$ licenses and other related expenses ( like hiring “certified” job candidates, etc ).
If you know of other great OpenLDAP tutorials … OR … of any OpenLDAP GUI tools … your assistance will be greatly appreciated !
Glad it helped, you know openldap is a little painful. I’m a much bigger fan of MySQL. In this case, had to use ldap b/c I was working with an appliance that could do ldap queries only. I have no great ldap reference to recommend.