%general-entities; ]> $Date$ OpenLDAP The OpenLDAP package provides an open source implementation of the Lightweight Directory Access Protocol. &lfs101_checked; Package Information Download (HTTP): Download (FTP): Download MD5 sum: &openldap-md5sum; Download size: &openldap-size; Estimated disk space required: &openldap-buildsize; Estimated build time: &openldap-time; Additional Downloads Required patch: OpenLDAP Dependencies Recommended Optional , , , or or MySQL, OpenSLP, and (for slapd, but deprecated) User Notes: If you only need to install the client side ldap* binaries, corresponding man pages, libraries and header files (referred to as a client-only install), issue these commands instead of the following ones (no test suite available): patch -Np1 -i ../openldap-&openldap-version;-consolidated-1.patch && autoconf && ./configure --prefix=/usr \ --sysconfdir=/etc \ --disable-static \ --enable-dynamic \ --disable-debug \ --disable-slapd && make depend && make Then, as the root user: make install There should be a dedicated user and group to take control of the slapd daemon after it is started. Issue the following commands as the root user: groupadd -g 83 ldap && useradd -c "OpenLDAP Daemon Owner" \ -d /var/lib/openldap -u 83 \ -g ldap -s /bin/false ldap Install OpenLDAP by running the following commands: patch -Np1 -i ../openldap-&openldap-version;-consolidated-1.patch && autoconf && ./configure --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ --libexecdir=/usr/lib \ --disable-static \ --disable-debug \ --with-tls=openssl \ --with-cyrus-sasl \ --enable-dynamic \ --enable-crypt \ --enable-spasswd \ --enable-slapd \ --enable-modules \ --enable-rlookups \ --enable-backends=mod \ --disable-ndb \ --disable-sql \ --disable-shell \ --disable-bdb \ --disable-hdb \ --enable-overlays=mod && make depend && make The tests appear to be fragile. Errors may cause the tests to abort prior to finishing, apparently due to timing issues. The tests take about 65 minutes and are processor independent. To test the results, issue: make test. Now, as the root user: make install && sed -e "s/\.la/.so/" -i /etc/openldap/slapd.{conf,ldif}{,.default} && install -v -dm700 -o ldap -g ldap /var/lib/openldap && install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d && chmod -v 640 /etc/openldap/slapd.{conf,ldif} && chown -v root:ldap /etc/openldap/slapd.{conf,ldif} && install -v -dm755 /usr/share/doc/openldap-&openldap-version; && cp -vfr doc/{drafts,rfc,guide} \ /usr/share/doc/openldap-&openldap-version; --disable-debug: This switch disables the debugging code in OpenLDAP. --enable-dynamic: This switch forces the OpenLDAP libraries to be dynamically linked to the executable programs. --enable-crypt: This switch enables using crypt(3) passwords. --enable-spasswd: This switch enables SASL password verification. --enable-modules: This switch enables dynamic module support. --enable-rlookups: This switch enables reverse lookups of client hostnames. --enable-backends: This switch enables all available backends. --enable-overlays: This switch enables all available overlays. --disable-ndb: This switch disables MySQL NDB Cluster backend which causes configure to fail if MySQL is present. --disable-sql: This switch explicitly disables the SQL backend. Omit this switch if a SQL server is installed and you are going to use a SQL backend. --libexecdir=/usr/lib: This switch controls where the /usr/lib/openldap directory is installed. Everything in that directory is a library, so it belongs under /usr/lib instead of /usr/libexec. --enable-slp: This switch enables SLPv2 support. Use it if you have installed OpenSLP. You can run ./configure --help to see if there are other switch you can pass to the configure command to enable other options or dependency packages. install ..., chown ..., and chmod ...: Having slapd configuration files and ldap databases in /var/lib/openldap readable by anyone is a SECURITY ISSUE, especially since a file stores the admin password in PLAIN TEXT. That's why mode 640 and root:ldap ownership were used. The owner is root, so only root can modify the file, and group is ldap, so that the group which owns slapd daemon could read but not modify the file in case of a security breach. For LDAP client: /etc/openldap/ldap.conf and ~/.ldaprc For LDAP server, two configuration mechanisms are used: a legacy /etc/openldap/slapd.conf configuration file and the recommended slapd-config system, using an LDIF database stored in /etc/openldap/slapd.d. /etc/openldap/ldap.conf ~/.ldaprc /etc/openldap/slapd.conf /etc/openldap/slapd.d/* Configuring the slapd servers can be complex. Securing the LDAP directory, especially if you are storing non-public data such as password databases, can also be a challenging task. In order to set up OpenLDAP, you'll need to modify either the /etc/openldap/slapd.conf file (old method), or the /etc/openldap/slapd.ldif file and then use ldapadd to create the LDAP configuration database in /etc/openldap/slapd.d (recommended by the OpenLDAP documentation). The instructions above install an empty LDAP structure and a default /etc/openldap/slapd.conf file, which are suitable for testing the build and other packages using LDAP. Do not use them on a production server. Resources to assist you with topics such as choosing a directory configuration, backend and database definitions, access control settings, running as a user other than root and setting a chroot environment include: The slapd(8) man page. The slapd.conf(5) and slapd-config(5) man pages. The OpenLDAP 2.4 Administrator's Guide (also installed locally in /usr/share/doc/openldap-&openldap-version;/guide/admin). Documents located at . To automate the startup of the LDAP server at system bootup, install the /etc/rc.d/init.d/slapd init script slapd.service unit included in the package using the following command: slapd make install-slapd You'll need to modify /etc/sysconfig/slapd /etc/default/slapd to include the parameters needed for your specific configuration. See the slapd man page for parameter information. Start the LDAP server using the init script: systemctl: /etc/rc.d/init.d/slapd start systemctl start slapd Verify access to the LDAP server with the following command: ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts The expected result is: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: namingContexts # # dn: namingContexts: dc=my-domain,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Installed Programs Installed Libraries Installed Directories ldapadd, ldapcompare, ldapdelete, ldapexop, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch, ldapurl, ldapwhoami, slapacl, slapadd, slapauth, slapcat, slapd, slapdn, slapindex, slappasswd, slapschema, and slaptest liblber.so, libldap.so, libldap_r.so, and several under /usr/lib/openldap /etc/openldap, /{usr,var}/lib/openldap, and /usr/share/doc/openldap-&openldap-version; Short Descriptions ldapadd opens a connection to an LDAP server, binds and adds entries ldapadd ldapcompare opens a connection to an LDAP server, binds and performs a compare using specified parameters ldapcompare ldapdelete opens a connection to an LDAP server, binds and deletes one or more entries ldapdelete ldapexop issues the LDAP extended operation specified by oid or one of the special keywords whoami, cancel, or refresh ldapexop ldapmodify opens a connection to an LDAP server, binds and modifies entries ldapmodify ldapmodrdn opens a connection to an LDAP server, binds and modifies the RDN of entries ldapmodrdn ldappasswd is a tool used to set the password of an LDAP user ldappasswd ldapsearch opens a connection to an LDAP server, binds and performs a search using specified parameters ldapsearch ldapurl is a command that allows to either compose or decompose LDAP URIs ldapurl ldapwhoami opens a connection to an LDAP server, binds and displays whoami information ldapwhoami slapacl is used to check the behavior of slapd by verifying access to directory data according to the access control list directives defined in its configuration slapacl slapadd is used to add entries specified in LDAP Directory Interchange Format (LDIF) to an LDAP database slapadd slapauth is used to check the behavior of the slapd in mapping identities for authentication and authorization purposes, as specified in slapd.conf slapauth slapcat is used to generate an LDAP LDIF output based upon the contents of a slapd database slapcat slapd is the standalone LDAP server slapd slapdn checks a list of string-represented DNs based on schema syntax slapdn slapindex is used to regenerate slapd indexes based upon the current contents of a database slapindex slappasswd is an OpenLDAP password utility slappasswd slapschema is used to check schema compliance of the contents of a slapd database slapschema slaptest checks the sanity of the slapd.conf file slaptest liblber.so is a set of Lightweight Basic Encoding Rules routines. These routines are used by the LDAP library routines to encode and decode LDAP protocol elements using the (slightly simplified) Basic Encoding Rules defined by LDAP. They are not normally used directly by an LDAP application program except in the handling of controls and extended operations liblber.so libldap.so supports the LDAP programs and provide functionality for other programs interacting with LDAP libldap.so libldap_r.so contains the functions required by the LDAP programs to produce the results from LDAP requests libldap_r.so