YoLinux LDAP Tutorial: slapd.conf LDIF Configuration - OpenLDAP V1.2

There have been two versions of Open LDAP (Version 1.x and 2.x) and the two are configured differently. This tutorial covers the configuration of Open LDAP Version 1.2 (RH 6.x RPM: openldap-1.2.9-6). Red Hat 6.x distributions shipped with OpenLDAP 1.x while Red Hat Linux version 7.x, 8.0, 9.0 and Fedora Core have shipped with OpenLDAP 2.x. This tutorial covers the older OpenLDAP 1.2. For a tutorial coverning the newer OpenLDAP 2.x see:

YoLinux LDAP Tutorial: Deploying OpenLDAP - Directory Installation and configuration (V2.x / 1.2)
YoLinux LDIF Tutorial: slapd.conf LDIF - OpenLDAP V2.0 - Updated version of this tutorial for OpenLDAP 2.0

Related YoLinux Tutorials:

°LDAP server configuration

°LDAP client authentication

°LDAP bind authentication

°Extending LDAP an schema

°LDAP schema for MS/Outlook

°AWebDap: LDAP web interface

°YoLinux Tutorials Index

OpenLDAP V1.2 Example:

slapd.conf:

File: /etc/openldap/slapd.conf (RH 6.x RPM: openldap-1.2.9-6)

    include         /etc/openldap/slapd.at.conf     - Data Attribute definitions include file
    include         /etc/openldap/slapd.oc.conf     - Object Class definitions include file
    schemacheck     on                              - Leave on

    pidfile         /var/run/slapd.pid              - Output file - process id
    argsfile        /var/run/slapd.args             - Output file - process running and its arguments

    defaultaccess   read
    database        ldbm                            - Define the database to be used by LDAP
    lastmod         on
    suffix          "o=domain-name.org"             - Specify organization
    rootdn          "cn=Manager,o=domain-name.org" - LDAP Administrator login name
    rootpw          supersecretpw                   - LDAP Administrator login password

    directory       /var/lib/ldap                   - Location of database files

Notes:

For a full list of slapd directives see:
- the U of Michigan slapd manual
  or
- the slapd.conf man page (V1.2).
This file contains the LDAP admin password thus this file should NOT be world readable!!
If adding "Object Classes" or "Data Attributes" add your own includes. It's best not to modify slapd.oc.conf or slapd.at.conf. You can also add new definitions directly to the end of this file (slapd.conf).
If a line begins with a white space, it is considered a continuation of the previous line.
Alternate style: directory /var/lib/ldap/your-domain.org
If you are supporting multiple domains you may want to place the databases in a unique directory.
A blank space separates the directive and the argument. If blanks are part of the argument, then the argument is defined in quotes.

Object Class Definitions: List of Objectclasses

Include file example: my-slapd.oc.conf

    objectclass orgEmployee         Name of object class
      requires      sn,             Data attributes required to define object class
                    cn,
                    mail,
                    objectclass     All classes must inherit from a parent classes which eventually refer back to class "top"
      allows        nickname,       Data attributes which are allowed but optional.
                    usehtmlmail,
                    o,
                    l,
                    givenname,
                    sn,
                    st,
                    description,
                    title,
                    streetaddress,
                    postalcode,
                    c,
                    telephonenumber,
                    homephone,
                    facsimiletelephonenumber,
                    ou,
                    pager,
                    mobile,
                    seeAlso

In this example a new object definition called "orgEmployee" is defined. I tried to incorporate most of the data entries from the Communicator ldif file.

Attribute Definitions: List of LDAP attributes

These definitions reside at the end of the slapd.conf or in include files of their own. Note that the attributes are defined before being used in object definitions.

Include file example: my-slapd.at.conf

    attribute nickname                      cis
    attribute usehtmlmail                   bool
    attribute givenname                     cis

Valid data type options for an attribute include:

Type/syntax	Description
dn	Distinguished Name (Unique key)
cn	Common Name
sn	Surename (Last name)
bin	Binary
boolean	true/false yes/no on/off
cis	Case ignore string. (Case ignored during string comparisons)
ces	Case exact string (Case must match during a string comparison)
tel	Telephone number string. ("-" and spaces ignored)
int	Integer
operational	Not displayed in search results
dc	Domain component
o	Organization name
ou	Organization unit
street	Street
l	Locality
st	State/Province
c	Country
aci	Access control information. (Netscape Directory server only)
seeAlso	URL of info
mail	e-Mail address

Basic definitions are bin, ces, cis, tel, dn.

LDIF file: Defining Data for the LDAP database: domain-name.ldif

The input ascii data file format required by LDAP is the ldif format.

    dn: o=domain-name.org
    objectclass: top
    objectclass: organization
    o: domain-name
    o: Full Company Name 
    o: Company nick name

    dn: cn=Manager,o=domain-name.org
    cn: Manager
    sn: Manager
    objectclass: top
    objectclass: person

    dn: ou=MemberGroupA,o=domain-name.org   Use actual domain name.
    ou: MemberGroupA      Use name of your group or department
    objectclass: top
    objectclass: organizationalUnit
    description: Members of MemberGroupA

    dn: cn=Larry Anderson,ou=MemberGroupA,o=domain-name.org
    cn: Larry Anderson    Yes it is mentioned in the dn statement but it is repeated here
    objectclass: top      These objectclass statements MUST go here for Open LDAP
    objectclass: person
    objectclass: orgEmployee
    mail: LAnderson@aol.com  
    givenname: Larry
    sn: Anderson          
    ou: MemberGroupA      Yes it is mentioned in the dn statement but it is repeated here
    st: TX
    streetAddress: 14 Cherry St.
    postalcode: 78888
    c: US
    telephoneNumber: (800)555-1212
    homephone: 800-555-1313
    facsimileTelephoneNumber: 800-555-1414

    dn: cn=Moe Anderson,ou=MemberGroupA,o=domain-name.org
    cn: Moe Anderson          Required by definition of orgEmployee
    objectclass: top          All three objectclass statements are required
    objectclass: person
    objectclass: orgEmployee
    mail: MAnderson@aol.com   Required by definition of orgEmployee
    givenname: Moe
    sn: Anderson              Required by definition of orgEmployee
    ou: MemberGroupA
    ...
    ..
    .

Optimal Configuration as an Address Directory for Use With Netscape e-Mail Client (Messenger):

The Messenger client is pre-configured to use the object schema definition for "inetOrgPerson". This is included in LDAP version 2 and is defined by the RFC 2798 as submitted by Netscape Communications. When using Open LDAP version 1 use the following definition:

objectclass inetOrgPerson
        requires
                objectClass,
                sn,
                cn
                organizationalPerson     - Inherits the attributes defined in file slapd.oc.conf for organizationalPerson
        allows
                audio,
                businessCategory,
                carLicense,
                departmentNumber,
                employeeNumber,
                employeeType,
                givenName,
                homePhone,
                homePostalAddress,
                initials,
                jpegphoto,
                labeledURI,
                mail,
                manager,
                mobile,
                pager,
                photo,
                roomNumber,
                secretary,
                uid,
                userCertificate,
                x500uniqueIdentifier,
                preferredLanguage,
                userSMIMECertificate,
                userPKCS12

See inetOrgPerson schema for more info and example.

Use the following attribute definition: (Defined in Red Hat LDAP for RH 6.1 tutorial by Alikins.)

attribute       aliasedObjectName                       dn
attribute       associatedname                          dn
attribute       audio                                   bin
attribute       dn                                      dn
attribute       documentauthor                          dn
attribute       facsimiletelephonenumber        fax     tel
attribute       homephone                               tel
attribute       jpegphoto                               bin
attribute       labeledurl                              ces
attribute       lastmodifiedby                          dn
attribute       manager                                 dn
attribute       member                                  dn
attribute       mobiletelephonenumber           mobile  tel
attribute       naminglink                              dn
attribute       owner                                   dn
attribute       pagertelephonenumber            pager   tel
attribute       personalsignature                       bin
attribute       photo                                   bin
attribute       reciprocalnaminglink                    dn
attribute       ref                                     ces
attribute       secretary                               dn
attribute       seealso                                 dn
attribute       telephonenumber                         tel
attribute       userpassword                            ces

LDAP V1.2 Links:

OpenLDAP.org web site:

Open LDAP home page
LDAP Version 1.2

Red Hat LDAP documentation (6.2): OpenLDAP V1.2

LDAP - Schema links:

Return to http://YoLinux.com for more Linux links, information and tutorials
Return to YoLinux Tutorial Index
Return to YoLinux LDAP Tutorial
Feedback Form