I had to get a dummy openldap setup that had “mail” as one of it’s attributes for the records. I specifically needed all the records to live in the root ou, meaning no Organizational Units, just the root, then all the records. Like this:
dn: cn=1,dc=example,dc=com cn: 1 objectClass: top objectClass: dkuser mail: someemail1@somedomain1.com mailHost: somesmtphostname1:25 dn: cn=2,dc=example,dc=com cn: 2 objectClass: top objectClass: dkuser mail: someemail2@somedomain2.com mailHost: somesmtphostname2:25…. and so on.
It was hard to find a step by step instruction set. So, in this tutorial, I’ll give you command by command steps to install, configure and load openldap on a CentOS5 OS.
First, install the packages with Yum:
yum install openldap openldap-clients openldap-servers nss_ldap python-ldapNext, set ldap to run at system startup time:
/sbin/chkconfig ldap onNext, get your password for slapd.conf:
cd /etc/openldap/ /usr/sbin/slappasswd…. it’ll prompt you for a new password, type it twice. All it does is spit out a password that you can copy paste into slapd. Looks like this:
New password:
Re-enter new password:
{SSHA}zskkuz1hd90SyXA4y+zN4AA0FBQorVEd
Note put this into your slapd.conf. Only do three things:
Include this:include /etc/openldap/schema/dkuser.schemaSet the rootpw:
rootpw {SSHA}bGqb+qzQfXHiQ/e9pCNSpc11Sxbb9qf3Set the suffix and rootdn:
suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com"Here is the whole slapd.conf file:
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/dkuser.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/lib64/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}bGqb+qzQfXHiQ/e9pCNSpc11Sxbb9qf3 # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com@EXAMPLE.COMI made up my own object class. This is because I had a very specific use care. There are other schemas out there for qmail, postfix, and other things. In my case, I wanted a very narrow objectclass.
/etc/openldap/schema/dkuser.schema
# Attribute Type Definitions attributetype ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost' DESC 'Which mail server the to relay mail to' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) # Object Class Definitions objectclass ( 1.3.6.1.4.1.7914.1.2.2.1 NAME 'dkUser' DESC 'Pseudo Email User' SUP top STRUCTURAL MUST ( cn $ mail $ mailHost ) MAY ( ) )Now, to start up openldap for the first time:
[]# /etc/init.d/ldap start Checking configuration files for slapd: bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2) Expect poor performance for suffix dc=example,dc=com. config file testing succeeded [ OK ] Starting slapd: [ OK ]Oops, forgot the DB_CONFIG. There are some specific instructions here: http://www.openldap.org/faq/data/cache/1072.html. I just used the defaults:
cd /etc/openldap cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG []# /etc/init.d/ldap restart Stopping slapd: [ OK ] Checking configuration files for slapd: bdb_db_open: DB_CONFIG for suffix dc=example,dc=com has changed. Performing database recovery to activate new settings. bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered. config file testing succeeded [ OK ] Starting slapd: [ OK ] []# /etc/init.d/ldap restart Stopping slapd: [ OK ] Checking configuration files for slapd: config file testing succeeded [ OK ] Starting slapd: [ OK ]Ok, that’s better. Here’s what the file looks like for me:
/var/lib/ldap/DB_CONFIG# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.3 2006/08/17 17:36:19 kurt Exp $ # Example DB_CONFIG file for use with slapd(8) BDB/HDB databases. # # See Sleepycat Berkeley DB documentation # <http://www.sleepycat.com/docs/ref/env/db_config.html> # for detail description of DB_CONFIG syntax and semantics. # # Hints can also be found in the OpenLDAP Software FAQ # <http://www.openldap.org/faq/index.cgi?file=2> # in particular: # <http://www.openldap.org/faq/index.cgi?file=1075> # Note: most DB_CONFIG settings will take effect only upon rebuilding # the DB environment. # one 0.25 GB cache set_cachesize 0 268435456 1 # Data Directory #set_data_dir db # Transaction Log settings set_lg_regionmax 262144 set_lg_bsize 2097152 #set_lg_dir logs # Note: special DB_CONFIG flags are no longer needed for "quick" # slapadd(8) or slapindex(8) access (see their -q option).Ok, now we’re ready to load up the root object. Create
/etc/openldap/root.ldifdn: dc=example,dc=com dc: example description: Root LDAP entry for example.com objectClass: dcObject objectClass: organizationalUnit ou: rootobjectAnd load it into openldap:
ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -w password -f root.ldifAnd to populate it with a ton of entries. I created a file, UserAddresses_all.txt, with emails in it, one email after another. Then looped through that list, and created a users.ldif file:
let j=1; for i in `cat UserAddresses_all.txt`; do # Skip the first 1000, because I already did them: if [ $j -gt 1000 ]; then # log it first: echo "$j $i" >> sofar.log # add the ldif entry to the file: echo "dn: cn=$j,dc=example,dc=com cn: $j objectClass: top objectClass: dkuser mail: $i mailHost: somesmtphostname$j:25 " >> users.ldif fi let j=$j+1 doneAnd finally to load the users.ldif:
ldapadd -c -x -D cn=Manager,dc=example,dc=com -w password -f users.ldifAnd now, here is how to search it from a remote host:
ldapsearch -x -h 10.0.0.205 -p 389 -D "cn=Manager,dc=example,dc=com" -w password '(mail=foo@bar.com)'Resulted in:
# extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (mail=dave@koopman.me) # requesting: ALL # # 0, example.com dn: cn=1,dc=example,dc=com cn: 1 objectClass: top objectClass: dkUser mail: foo@bar.com mailHost: somesmtphostname1:25 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
After all the hours ( days ? ) I’ve put into learning OpenLDAP, this has to be the best laid-out and documented tutorial I’ve found !!
I’m currently unemployed and have been using just about every awake moment in my day, learning Ubuntu and MySQL and SAMBA and … yes … OpenLDAP is my latest project.
I want to be capable of going into a business and taking on the responsibility of liberating them, as much as possible, from M$ licenses and other related expenses ( like hiring “certified” job candidates, etc ).
If you know of other great OpenLDAP tutorials … OR … of any OpenLDAP GUI tools … your assistance will be greatly appreciated !
Glad it helped, you know openldap is a little painful. I’m a much bigger fan of MySQL. In this case, had to use ldap b/c I was working with an appliance that could do ldap queries only. I have no great ldap reference to recommend.