YoLinux LDAP Tutorial: slapd.conf LDIF Configuration - OpenLDAP V1.2


There have been two versions of OpenLDAP (Version 1.x and 2.x) and the two are configured differently. This tutorial covers the configuration of OpenLDAP Version 1.2 (RH 6.x RPM: openldap-1.2.9-6). Red Hat 6.x distributions shipped with OpenLDAP 1.x, while Red Hat Linux 7.x, 8.0, 9.0 and Fedora Core have shipped with OpenLDAP 2.x. For a tutorial covering the newer OpenLDAP 2.x see:



OpenLDAP V1.2 Example:

  • slapd.conf:

    File: /etc/openldap/slapd.conf (RH 6.x RPM: openldap-1.2.9-6)

        include         /etc/openldap/slapd.at.conf     - Data Attribute definitions include file
        include         /etc/openldap/slapd.oc.conf     - Object Class definitions include file
        schemacheck     on                              - Leave on
    
        pidfile         /var/run/slapd.pid              - Output file - process id
        argsfile        /var/run/slapd.args             - Output file - process running and its arguments
    
        defaultaccess   read
        database        ldbm                            - Define the database to be used by LDAP
        lastmod         on
        suffix          "o=domain-name.org"             - Specify organization
        rootdn          "cn=Manager,o=domain-name.org"  - LDAP Administrator login name
        rootpw          supersecretpw                   - LDAP Administrator login password
    
        directory       /var/lib/ldap                   - Location of database files
        

    Notes:

    • For a full list of slapd directives see:
    • This file contains the LDAP administrator password (rootpw), so it must NOT be world readable!
    • If adding "Object Classes" or "Data Attributes" add your own includes. It's best not to modify slapd.oc.conf or slapd.at.conf. You can also add new definitions directly to the end of this file (slapd.conf).
    • If a line begins with a white space, it is considered a continuation of the previous line.
    • Alternate style: directory /var/lib/ldap/your-domain.org
      If you support multiple domains, you may want to give each database its own directory.
    • A blank space separates the directive and the argument. If blanks are part of the argument, then the argument is defined in quotes.
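
The parsing rules in the notes above (white-space continuation lines, blank-separated directive and arguments, quoted arguments) and the warning about rootpw are easy to turn into a small audit script. The following is an added example written for this tutorial, not code from the page or from OpenLDAP; the sample configuration is constructed from the slapd.conf shown above (with one added comment line), and the function names (parse_slapd_conf, audit_slapd_conf, readable_by_others, permission_warning) are this example's own.

```python
"""Parse an OpenLDAP 1.2 slapd.conf and flag what a defender should review.

Added example for this tutorial, not code from the page or from OpenLDAP.
"""
import os
import shlex
import stat

# Constructed sample modelled on the tutorial's slapd.conf.
SAMPLE_SLAPD_CONF = """\
# constructed comment line; slapd ignores lines that start with '#'
include         /etc/openldap/slapd.at.conf
include         /etc/openldap/slapd.oc.conf
schemacheck     on

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

defaultaccess   read
database        ldbm
lastmod         on
suffix          "o=domain-name.org"
rootdn          "cn=Manager,o=domain-name.org"
rootpw          supersecretpw

directory       /var/lib/ldap
"""


def parse_slapd_conf(text):
    """Return [(directive, [args]), ...] in file order, directive names lower-cased."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and logical:
            # A line beginning with white space continues the previous line.
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.rstrip())
    entries = []
    for line in logical:
        if line.startswith("#"):
            continue
        # shlex honours double quotes, so a quoted argument containing blanks stays one token.
        tokens = shlex.split(line)
        if tokens:
            entries.append((tokens[0].lower(), tokens[1:]))
    return entries


def directive(entries, name):
    """Arguments of the first occurrence of a directive, or None when absent."""
    for key, args in entries:
        if key == name:
            return args
    return None


def audit_slapd_conf(entries):
    """Findings (strings) about the parsed directives; an empty list means nothing to flag."""
    findings = []
    if directive(entries, "rootpw") is not None:
        findings.append("rootpw present: the file holds the LDAP administrator password, "
                        "so it must not be readable by anyone but the owner of slapd")
    check = directive(entries, "schemacheck")
    if check is None or check[0].lower() != "on":
        findings.append("schemacheck is not 'on'; entries are not checked against the object class definitions")
    for name in ("suffix", "rootdn", "directory"):
        if directive(entries, name) is None:
            findings.append("missing directive: " + name)
    return findings


def readable_by_others(mode):
    """True when the permission bits grant read access to group or other."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def permission_warning(path):
    """Warn when the file is readable beyond its owner; None when it is not."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if readable_by_others(mode):
        return "%s is mode %04o; restrict it (for example chmod 600) because it contains rootpw" % (path, mode)
    return None


if __name__ == "__main__":
    for finding in audit_slapd_conf(parse_slapd_conf(SAMPLE_SLAPD_CONF)):
        print(finding)
    if os.path.exists("/etc/openldap/slapd.conf"):
        print(permission_warning("/etc/openldap/slapd.conf"))
```

Run against the sample, the only finding is the rootpw warning; pointing permission_warning at a real /etc/openldap/slapd.conf reports the mode when group or other can read it.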

  • Object Class Definitions: List of Objectclasses

    Include file example: my-slapd.oc.conf

        objectclass orgEmployee         Name of object class
          requires      sn,             Data attributes required to define object class
                        cn,
                        mail,
                        objectclass     All classes inherit from a parent class; the chain of parents ends at the class "top"
          allows        nickname,       Data attributes which are allowed but optional.
                        usehtmlmail,
                        o,
                        l,
                        givenname,
                        sn,
                        st,
                        description,
                        title,
                        streetaddress,
                        postalcode,
                        c,
                        telephonenumber,
                        homephone,
                        facsimiletelephonenumber,
                        ou,
                        pager,
                        mobile,
                        seeAlso
        
    In this example a new object definition called "orgEmployee" is defined. I tried to incorporate most of the data entries from the Communicator ldif file.

  • Attribute Definitions: List of LDAP attributes

    These definitions reside at the end of slapd.conf or in include files of their own. Note that an attribute must be defined before it is used in an object class definition.

    Include file example: my-slapd.at.conf

        attribute nickname                      cis
        attribute usehtmlmail                   bool
        attribute givenname                     cis
        

    Valid data type options for an attribute include:

    Type/syntax   Description
    dn            Distinguished Name (unique key)
    cn            Common Name
    sn            Surname (last name)
    bin           Binary
    boolean       true/false, yes/no, on/off
    cis           Case ignore string (case ignored during string comparisons)
    ces           Case exact string (case must match during a string comparison)
    tel           Telephone number string ("-" and spaces ignored)
    int           Integer
    operational   Not displayed in search results
    dc            Domain component
    o             Organization name
    ou            Organizational unit
    street        Street
    l             Locality
    st            State/Province
    c             Country
    aci           Access control information (Netscape Directory Server only)
    seeAlso       URL of info
    mail          e-Mail address

    Basic definitions are bin, ces, cis, tel, dn.

  • LDIF file: Defining Data for the LDAP database: domain-name.ldif

    The ASCII input data file format required by LDAP is LDIF (LDAP Data Interchange Format).

        dn: o=domain-name.org
        objectclass: top
        objectclass: organization
        o: domain-name
        o: Full Company Name 
        o: Company nick name
    
        dn: cn=Manager,o=domain-name.org
        cn: Manager
        sn: Manager
        objectclass: top
        objectclass: person
    
        dn: ou=MemberGroupA,o=domain-name.org   Use actual domain name.
        ou: MemberGroupA      Use name of your group or department
        objectclass: top
        objectclass: organizationalUnit
        description: Members of MemberGroupA
    
        dn: cn=Larry Anderson,ou=MemberGroupA,o=domain-name.org
        cn: Larry Anderson    Yes it is mentioned in the dn statement but it is repeated here
        objectclass: top      These objectclass statements MUST go here for Open LDAP
        objectclass: person
        objectclass: orgEmployee
        mail: LAnderson@aol.com  
        givenname: Larry
        sn: Anderson          
        ou: MemberGroupA      Yes it is mentioned in the dn statement but it is repeated here
        st: TX
        streetAddress: 14 Cherry St.
        postalcode: 78888
        c: US
        telephoneNumber: (800)555-1212
        homephone: 800-555-1313
        facsimileTelephoneNumber: 800-555-1414
    
        dn: cn=Moe Anderson,ou=MemberGroupA,o=domain-name.org
        cn: Moe Anderson          Required by definition of orgEmployee
        objectclass: top          All three objectclass statements are required
        objectclass: person
        objectclass: orgEmployee
        mail: MAnderson@aol.com   Required by definition of orgEmployee
        givenname: Moe
        sn: Anderson              Required by definition of orgEmployee
        ou: MemberGroupA
        ...
        ..
        .
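
The objectclass definition above (requires/allows lists) and the LDIF entries that must satisfy it can be checked offline before an ldapadd, which is the same kind of check that "schemacheck on" makes slapd perform. The following is an added example written for this tutorial, not code from the page or from OpenLDAP. Its sample schema copies the tutorial's orgEmployee with a shortened allows list, and adds constructed "top" and "person" blocks modelled on the standard classes in slapd.oc.conf; the LDIF entries, the example.org mail address and the function names are constructed for the example.

```python
"""Validate LDIF entries against slapd 1.x objectclass requires/allows lists.

Added example for this tutorial, not code from the page or from OpenLDAP.
The top and person blocks are constructed to resemble the standard classes;
orgEmployee is the tutorial's class with its allows list shortened.
"""
import re

SAMPLE_OC_CONF = """\
objectclass top
  requires      objectclass

objectclass person
  requires      objectclass, sn, cn
  allows        description, seeAlso, telephoneNumber, userPassword

objectclass orgEmployee
  requires      sn, cn, mail, objectclass
  allows        nickname, usehtmlmail, givenname, st, streetaddress,
                postalcode, c, telephonenumber, homephone, ou, pager, mobile
"""

# Constructed LDIF: the first entry is complete; the second lacks the
# required 'mail' and carries 'carLicense', which none of its classes allow.
SAMPLE_LDIF = """\
dn: cn=Larry Anderson,ou=MemberGroupA,o=domain-name.org
cn: Larry Anderson
objectclass: top
objectclass: person
objectclass: orgEmployee
mail: LAnderson@example.org
givenname: Larry
sn: Anderson
ou: MemberGroupA

dn: cn=Moe Anderson,ou=MemberGroupA,o=domain-name.org
cn: Moe Anderson
objectclass: top
objectclass: person
objectclass: orgEmployee
sn: Anderson
carLicense: ABC123
"""


def parse_objectclasses(text):
    """Return {class name: {'requires': set, 'allows': set}}, everything lower-cased."""
    classes, current, section = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A non-indented "objectclass <name>" line starts a new block.
            parts = line.split()
            if parts[0].lower() == "objectclass" and len(parts) > 1:
                current = {"requires": set(), "allows": set()}
                classes[parts[1].lower()] = current
                section = None
            continue
        # Indented lines hold the keyword and comma-separated attribute names.
        for tok in re.split(r"[\s,]+", line.strip()):
            if tok.lower() in ("requires", "allows"):
                section = tok.lower()
            elif tok and current is not None and section is not None:
                current[section].add(tok.lower())
    return classes


def parse_ldif(text):
    """Split LDIF into entries of {attribute (lower-cased): [values]}.

    Entries are blank-line separated; continuation lines and base64 ('::')
    values are not decoded, which is enough for a schema check.
    """
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def validate_entry(entry, classes):
    """Problems for one entry; an empty list means it satisfies its object classes."""
    dn = entry.get("dn", ["<no dn>"])[0]
    problems, permitted, all_known = [], {"dn"}, True
    for oc in (v.lower() for v in entry.get("objectclass", [])):
        if oc not in classes:
            problems.append("%s: objectclass '%s' is not defined" % (dn, oc))
            all_known = False
            continue
        for attr in sorted(classes[oc]["requires"] - set(entry)):
            problems.append("%s: missing required attribute '%s' (objectclass %s)" % (dn, attr, oc))
        permitted |= classes[oc]["requires"] | classes[oc]["allows"]
    if all_known:  # only a fully known class list can call an attribute unpermitted
        for attr in sorted(set(entry) - permitted):
            problems.append("%s: attribute '%s' is not allowed by any of its object classes" % (dn, attr))
    return problems


if __name__ == "__main__":
    schema = parse_objectclasses(SAMPLE_OC_CONF)
    for ldif_entry in parse_ldif(SAMPLE_LDIF):
        for problem in validate_entry(ldif_entry, schema):
            print(problem)
```

The "not allowed" check is only made when every objectclass of the entry is defined in the parsed schema; otherwise an attribute that an unknown class allows would be reported as an error.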
    


Optimal Configuration as an Address Directory for Use With Netscape e-Mail Client (Messenger):

The Messenger client is pre-configured to use the object schema definition for "inetOrgPerson". This is included in LDAP version 2 and is defined by the RFC 2798 as submitted by Netscape Communications. When using Open LDAP version 1 use the following definition:

objectclass inetOrgPerson
        requires
                objectClass,
                sn,
                cn
                organizationalPerson     - Inherits the attributes defined in file slapd.oc.conf for organizationalPerson
        allows
                audio,
                businessCategory,
                carLicense,
                departmentNumber,
                employeeNumber,
                employeeType,
                givenName,
                homePhone,
                homePostalAddress,
                initials,
                jpegphoto,
                labeledURI,
                mail,
                manager,
                mobile,
                pager,
                photo,
                roomNumber,
                secretary,
                uid,
                userCertificate,
                x500uniqueIdentifier,
                preferredLanguage,
                userSMIMECertificate,
                userPKCS12
See inetOrgPerson schema for more info and example.

Use the following attribute definitions (from the Red Hat LDAP for RH 6.1 tutorial by Alikins):

attribute       aliasedObjectName                       dn
attribute       associatedname                          dn
attribute       audio                                   bin
attribute       dn                                      dn
attribute       documentauthor                          dn
attribute       facsimiletelephonenumber        fax     tel
attribute       homephone                               tel
attribute       jpegphoto                               bin
attribute       labeledurl                              ces
attribute       lastmodifiedby                          dn
attribute       manager                                 dn
attribute       member                                  dn
attribute       mobiletelephonenumber           mobile  tel
attribute       naminglink                              dn
attribute       owner                                   dn
attribute       pagertelephonenumber            pager   tel
attribute       personalsignature                       bin
attribute       photo                                   bin
attribute       reciprocalnaminglink                    dn
attribute       ref                                     ces
attribute       secretary                               dn
attribute       seealso                                 dn
attribute       telephonenumber                         tel
attribute       userpassword                            ces
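
The attribute lines in the include file example (my-slapd.at.conf) and in the list just above share one form, "attribute <name> [<alias>] <syntax>", and the syntax decides how two values compare. The following is an added example written for this tutorial, not code from the page or from OpenLDAP: it parses that line form, resolves aliases such as "fax", compares values using the three rules the type table gives (cis, ces, tel), and lists attribute names that no attribute line defines. The sample lines are taken from the two attribute lists on this page; the function names are the example's own, and comparing every other syntax exactly is an assumption, not a rule the page states.

```python
"""Parse slapd 1.x 'attribute' lines and compare values by syntax type.

Added example for this tutorial, not code from the page or from OpenLDAP.
"""

# Constructed from the tutorial's my-slapd.at.conf and the Alikins attribute list.
SAMPLE_AT_CONF = """\
attribute nickname                      cis
attribute usehtmlmail                   bool
attribute givenname                     cis
attribute facsimiletelephonenumber      fax     tel
attribute mobiletelephonenumber         mobile  tel
attribute userpassword                  ces
attribute manager                       dn
"""


def parse_attributes(text):
    """Map each attribute name and alias (lower-cased) to (canonical name, syntax).

    Line form: attribute <name> [<alias> ...] <syntax>; the last token is the
    syntax and any tokens between the name and the syntax are aliases.
    """
    schema = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0].lower() != "attribute":
            continue
        name, syntax = tokens[1].lower(), tokens[-1].lower()
        for alias in tokens[1:-1]:
            schema[alias.lower()] = (name, syntax)
    return schema


def normalize(syntax, value):
    """Apply the matching rule of a syntax before two values are compared."""
    if syntax == "cis":
        return value.lower()                              # case ignored
    if syntax == "tel":
        return value.replace("-", "").replace(" ", "")    # "-" and spaces ignored
    return value  # ces; other syntaxes are compared exactly here (assumption)


def values_match(schema, attribute, a, b):
    """Compare two values of an attribute (name or alias) by its syntax."""
    _, syntax = schema[attribute.lower()]
    return normalize(syntax, a) == normalize(syntax, b)


def undefined_attributes(schema, names):
    """Names (e.g. from an objectclass requires/allows list) that no attribute line defines."""
    return sorted({n.lower() for n in names} - set(schema))


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_AT_CONF)
    print(values_match(attrs, "fax", "800-555-1414", "800 555 1414"))
    print(undefined_attributes(attrs, ["nickname", "mobile", "carLicense"]))
```

undefined_attributes is the check behind the note that attributes must be defined before an object class uses them: feed it the requires and allows lists of a class and any name it returns needs an attribute line first.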


LDAP V1.2 Links:

OpenLDAP.org web site:

Red Hat LDAP documentation (6.2): OpenLDAP V1.2

LDAP - Schema links:

Copyright © 2000, 2001 by Greg Ippolito