OpenLDAP Setup Overview
The basic steps for creating an LDAP server are as follows:
1. Install the openldap, openldap-servers, and openldap-clients RPMs.
2. Edit the /etc/openldap/slapd.conf file to specify the LDAP domain and server. Refer to Section 24.6.1, “Editing /etc/openldap/slapd.conf” for more information.
3. Start slapd with the command:
/sbin/service ldap start
After configuring LDAP, use chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool to configure LDAP to start at boot time. For more information about configuring services, refer to Chapter 15, Controlling Access to Services.
4. Add entries to an LDAP directory with ldapadd.
5. Use ldapsearch to determine if slapd is accessing the information correctly.
6. At this point, the LDAP directory should be functioning properly and can be configured with LDAP-enabled applications.
To use the slapd LDAP server, modify its configuration file, /etc/openldap/slapd.conf, to specify the correct domain and server.
The suffix line names the domain for which the LDAP server provides information and should be changed from:
Edit it accordingly so that it reflects a fully qualified domain name. For example:
The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value as in the following example:
When populating an LDAP directory over a network, change the rootpw line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
When prompted, type and then re-type a password. The program prints the resulting encrypted password to the shell prompt.
Next, copy the newly created encrypted password into the /etc/openldap/slapd.conf on one of the rootpw lines and remove the hash mark (#).
When finished, the line should look similar to the following example:
LDAP passwords, including the rootpw directive specified in /etc/openldap/slapd.conf, are sent over the network unencrypted, unless TLS encryption is enabled.
To enable TLS encryption, review the comments in /etc/openldap/slapd.conf and refer to the man page for slapd.conf.
For added security, the rootpw directive should be commented out after populating the LDAP directory by preceding it with a hash mark (#).
When using the /usr/sbin/slapadd command line tool locally to populate the LDAP directory, use of the rootpw directive is not necessary.
Only the root user can use /usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore, the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldap
Configuring a System to Authenticate Using OpenLDAP
This section provides a brief overview of how to configure OpenLDAP user authentication. Unless you are an OpenLDAP expert, more documentation than is provided here is necessary. Refer to the references provided in Section 24.9, “Additional Resources” for more information.
Install the Necessary LDAP Packages.
First, make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the openldap-servers package.
The openldap, openldap-clients, and nss_ldap packages need to be installed on all LDAP client machines.
Edit the Configuration Files.
- On the server, edit the /etc/openldap/slapd.conf file on the LDAP server to make sure it matches the specifics of the organization. Refer to Section 24.6.1, “Editing /etc/openldap/slapd.conf” for instructions about editing slapd.conf.
- On the client machines, both /etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization.
To do this, run the graphical Authentication Configuration Tool (system-config-authentication) and select Enable LDAP Support under the User Information tab.
It is also possible to edit these files by hand.
- On the client machines, the /etc/nsswitch.conf must be edited to use LDAP.
To do this, run the Authentication Configuration Tool (system-config-authentication) and select Enable LDAP Support under the User Information tab.
If editing /etc/nsswitch.conf by hand, add ldap to the appropriate lines.
passwd: files ldap
shadow: files ldap
group: files ldap
PAM and LDAP
To have standard PAM-enabled applications use LDAP for authentication, run the Authentication Configuration Tool (system-config-authentication) and select Enable LDAP Support under the Authentication tab. For more about configuring PAM, refer to Section 42.4, “Pluggable Authentication Modules (PAM)” and the PAM man pages.
Migrating Old Authentication Information to LDAP Format
The /usr/share/openldap/migration/ directory contains a set of shell and Perl scripts for migrating authentication information into an LDAP format.
Perl must be installed on the system to use these scripts.
First, modify the migrate_common.ph file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like:
$DEFAULT_MAIL_DOMAIN = "example";
The default base should also be changed to something like:
$DEFAULT_BASE = "dc=example,dc=com";
The job of migrating a user database into a format that is LDAP readable falls to a group of migration scripts installed in the same directory. Using Table 24.1, “LDAP Migration Scripts”, decide which script to run to migrate the user database.
Run the appropriate script based on the existing name service.
The README and the migration-tools.txt files in the /usr/share/openldap/migration/ directory provide more details on how to migrate the information.
| Existing name service | Is LDAP running? | Script to use |
|---|---|---|
| /etc flat files | yes | migrate_all_online.sh |
| /etc flat files | no | migrate_all_offline.sh |
| NetInfo | yes | migrate_all_netinfo_online.sh |
| NetInfo | no | migrate_all_netinfo_offline.sh |
| NIS (YP) | yes | migrate_all_nis_online.sh |
| NIS (YP) | no | migrate_all_nis_offline.sh |

Table 24.1. LDAP Migration Scripts
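To show what the migration step above actually produces, here is an added example (not one of the scripts shipped in /usr/share/openldap/migration/) that renders /etc/passwd and /etc/shadow lines as posixAccount/shadowAccount LDIF under the $DEFAULT_BASE from migrate_common.ph. It approximates the flat-file migration rather than reproducing the Perl scripts line for line; the account lines and the password hash are constructed samples.

```python
# Added example: approximate /etc flat-file to LDIF migration, as a defender
# would inspect it before feeding the result to slapadd or ldapadd.

DEFAULT_BASE = "dc=example,dc=com"        # mirrors $DEFAULT_BASE in migrate_common.ph

def parse_shadow(shadow_text):
    """Map user name -> password hash field from /etc/shadow lines."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes

def passwd_entry_to_ldif(passwd_line, shadow_hashes, base=DEFAULT_BASE):
    """Render one /etc/passwd line as an LDIF entry under ou=People."""
    user, _, uid, gid, gecos, home, shell = passwd_line.split(":")
    cn = gecos.split(",")[0] or user      # GECOS full name, falling back to the login
    lines = [
        f"dn: uid={user},ou=People,{base}",
        f"uid: {user}",
        f"cn: {cn}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
    ]
    pw_hash = shadow_hashes.get(user)
    # This example's choice: locked accounts ('!' or '*' hashes) get no userPassword
    # at all, so nothing resembling a credential is exported for them.
    if pw_hash and not pw_hash.startswith(("!", "*")):
        lines.append(f"userPassword: {{crypt}}{pw_hash}")
    lines += [f"loginShell: {shell}", f"uidNumber: {uid}",
              f"gidNumber: {gid}", f"homeDirectory: {home}"]
    if gecos:
        lines.append(f"gecos: {gecos}")
    return "\n".join(lines) + "\n"

def migrate_passwd(passwd_text, shadow_text, base=DEFAULT_BASE):
    """Convert every passwd line; entries are separated by a blank line as LDIF requires."""
    hashes = parse_shadow(shadow_text)
    entries = [passwd_entry_to_ldif(l, hashes, base) for l in passwd_text.splitlines() if l]
    return "\n".join(entries)

# Constructed sample input (the hash is a placeholder, not a real crypt value).
SAMPLE_PASSWD = ("alice:x:1001:1001:Alice Example,,,:/home/alice:/bin/bash\n"
                 "svc:x:1002:1002::/var/lib/svc:/sbin/nologin\n")
SAMPLE_SHADOW = ("alice:$1$saltsalt$fakehashfakehashfakeha:15000:0:99999:7:::\n"
                 "svc:!!:15000:0:99999:7:::\n")

if __name__ == "__main__":
    print(migrate_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW))
```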
Migrating Directories from Earlier Releases
With Red Hat Enterprise Linux, OpenLDAP uses Sleepycat Software's Berkeley DB system as its on-disk storage format for directories. Earlier versions of OpenLDAP used GNU Database Manager (gdbm). For this reason, before upgrading an LDAP implementation to Red Hat Enterprise Linux 5, original LDAP data should first be exported before the upgrade, and then reimported afterwards. This can be achieved by performing the following steps:
1. Before upgrading the operating system, run the command /usr/sbin/slapcat -l ldif-output. This outputs an LDIF file called ldif-output containing the entries from the LDAP directory.
2. Upgrade the operating system, being careful not to reformat the partition containing the LDIF file.
3. Re-import the LDAP directory to the upgraded Berkeley DB format by executing the command /usr/sbin/slapadd -l ldif-output.
The following resources offer additional information on LDAP. It is highly recommended that you review these, especially the OpenLDAP website and the LDAP HOWTO, before configuring LDAP on your system(s).
- /usr/share/docs/openldap-<versionnumber>/ directory — Contains a general README document and miscellaneous information.
- LDAP related man pages — There are a number of man pages for the various applications and configuration files involved with LDAP. The following is a list of some of the more important man pages.
- man ldapadd — Describes how to add entries to an LDAP directory.
- man ldapdelete — Describes how to delete entries within an LDAP directory.
- man ldapmodify — Describes how to modify entries within an LDAP directory.
- man ldapsearch — Describes how to search for entries within an LDAP directory.
- man ldappasswd — Describes how to set or change the password of an LDAP user.
- man ldapcompare — Describes how to use the ldapcompare tool.
- man ldapwhoami — Describes how to use the ldapwhoami tool.
- man ldapmodrdn — Describes how to modify the RDNs of entries.
- man slapd — Describes command line options for the LDAP server.
- man slurpd — Describes command line options for the LDAP replication server.
- man slapadd — Describes command line options used to add entries to a slapd database.
- man slapcat — Describes command line options used to generate an LDIF file from a slapd database.
- man slapindex — Describes command line options used to regenerate an index based upon the contents of a slapd database.
- man slappasswd — Describes command line options used to generate user passwords for LDAP directories.
- man ldap.conf — Describes the format and options available within the configuration file for LDAP clients.
- man slapd.conf — Describes the format and options available within the configuration file referenced by both the LDAP server applications (slapd and slurpd) and the LDAP administrative tools (slapadd, slapcat, and slapindex).
- http://www.openldap.org/ — Home of the OpenLDAP Project. This website contains a wealth of information about configuring OpenLDAP as well as a future roadmap and version changes.
- http://www.padl.com/ — Developers of nss_ldap and pam_ldap, among other useful LDAP tools.
- http://www.kingsmountain.com/ldapRoadmap.shtml — Jeff Hodges' LDAP Road Map contains links to several useful FAQs and emerging news concerning the LDAP protocol.
- http://www.ldapman.org/articles/ — Articles that offer a good introduction to LDAP, including methods to design a directory tree and customizing directory structures.
- OpenLDAP by Example by John Terpstra and Benjamin Coles; Prentice Hall.
- Implementing LDAP by Mark Wilcox; Wrox Press, Inc.
- Understanding and Deploying LDAP Directory Services by Tim Howes et al.; Macmillan Technical Publishing.
Problem & Solution
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/openldap-data: (2) Expect poor performance for suffix
1) cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
2) chown ldap:ldap /var/lib/ldap/DB_CONFIG
3) service ldap restart
Note, you will get this warning:
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded
4) service ldap restart
And now there will be no errors.
To change the password of a user:
ldappasswd -D "cn=admin,dc=domain,dc=com" -x -W -S "uid=user,ou=people,dc=domain,dc=com"
To view all records for base bind:
ldapsearch -x -b "dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W "(objectclass=*)"