YoLinux LDAP Tutorial: Deploying OpenLDAP

LDAP Directory Installation and configuration (V2.x / V1.2)


Lightweight Directory Access Protocol (LDAP) is a means of serving data on individuals, system users, network devices and systems over the network for e-mail clients and for applications requiring authentication or information. Using the LDAP server configuration example on this page will enable you to create an address book server for e-mail clients. We have many useful links for other LDAP deployments. LDAP can also be distributed in a hierarchical fashion, but my examples refer to a single LDAP server. This tutorial will cover the setup and configuration of an LDAP server on Linux, the loading of data and its use. Once configured, I recommend "gq" as an admin tool. (Note: Red Hat no longer ships gq.)

Simply put, this tutorial will enable you to create an LDAP server to which your e-mail clients (Outlook, Netscape, etc) can connect with their address books. It will allow one to search the LDAP database for people's e-mail addresses which are then pulled into the address list. Try it out with Netscape on our LDAP site ldap.yo-linux.com for a demo. Cool eh! You can also try out authentication by pointing your application to authenticate at ldap.yo-linux.com.

Related YoLinux LDAP Tutorials:

  • slapd configuration
  • Client Authentication
  • Apache Web Site Authentication
  • Bind Authentication
  • Extending schemas
  • Schema for MS/Outlook
  • LDAP web client
  • YoLinux Tutorials Index





Try it out now. Connect to our LDAP server with your e-mail client. (Fake address book with the Three Stooges. Don't bother e-mailing them, they are not real people.)

Try Mozilla email client with ldap server ldap.yo-linux.com:
  1. Open the Address Book: "Window" + "Address Book"
  2. Select from the tool bar: "File" + "New" + "LDAP Directory ..."
    "General" Tab
    • Name: YoLinux Demo
    • Hostname: ldap.yo-linux.com
    • Base DN: o=stooges
    • Port number: 389
    • Bind DN: Leave blank
    • Press "OK" (No encryption)
    "Advanced" tab will allow advanced queries.
  3. Close the Address Book: "File" + "Close"
  4. Mozilla must be restarted (bug) in order for the configuration to register. (Mozilla 1.2.1): "File" + "Quit" and relaunch Mozilla.
  5. Open e-mail client: "Window" + "Mail and News Groups"
    • Select "Compose".
    • Open the Address Selection Box: Select the icon "Address"
      • Look in: "YoLinux Demo"
        Select from pull down menu.
      • for: @
        Put in the first name of any of the three stooges (i.e. moe), the last name anderson to list all three, or "@" to get everyone with an e-mail address.
      • Select address to send e-mail to. Of course this is a demo and the e-mail addresses are bogus but I think you get the point.
Try Netscape 4.7x email client with ldap server ldap.yo-linux.com:
  1. Open the Address Book: "Communicator" + "Address Book"
  2. Enter Directory Info: "File" + "New Directory..."
    • Description: YoLinux Demo
    • LDAP Server: 208.188.34.109 or ldap.yo-linux.com Using the IP address reduces the number of errors because of the reduced network latency.
    • Server Root: o=stooges
    • Port Number: 389
    • Press "OK" (Not secure and no login)
  3. Close the Address Book: "File" + "Close"
  4. Open e-mail client: "Communicator" + "Messenger"
    • Open Composer ("File" + "New" + "Message"): Select "New Msg" icon.
    • Open the Address Selection Box: Select the icon "Address"
    • Populate Address List with e-mail addresses from LDAP server:
      • Select from the "Directory" pull down menu "YoLinux Demo"
      • Show names containing: Howard (Don't press enter. Just wait or enter "Tab")
      • Select address to send e-mail to. Of course this is a demo and the e-mail addresses are bogus but I think you get the point.

Tips:

  • To select all those with email addresses out of a database where not all entries have them, search on "@".


Note on email clients:

For other e-mail clients such as Outlook, see the University of Alabama (UAB) LDAP client tutorial. Note that Outlook Express and Outlook 2000 are configured differently than Outlook 2000 Professional. For MS/Windows users I have found the Qualcomm Eudora mail client to be the most advanced at supporting LDAP functionality and searches. Also see the Megawebhost.com LDAP E-Mail Client Configuration tutorial.

More on LDAP: LDAP data entries are organized in a "Directory Information Tree" (DIT) which may be divided among servers defined by their organizational association. When a request is made to an LDAP server and the information is not available locally, LDAP can use its referral capability to seek this data from the other servers in the tree structure. In this way a global network of LDAP servers appears as a single server. This tutorial covers the use of a single LDAP server.

LDAP data can support more than address directory services. It can act as a DNS and propagate data to other servers. It supports a client server protocol to supply data for authentication (passwords) in support of apache, squid, sendmail, NFS/NIS, PAM, POP, IMAP or any client written to support the LDAP protocol. In this way one database can hold all of the login/authentication information for a unified login across the enterprise. The OpenLDAP server software includes two daemon server services:

  • slapd: A stand-alone LDAP server
  • slurpd: A stand-alone replication server (Used in hierarchical network of LDAP servers. Not covered in this tutorial.)
OpenLDAP also includes many command line tools, utilities and sample clients.



LDAP e-Mail clients:

There are a plethora of Linux e-mail clients which claim to support LDAP. I have had my best luck with Netscape 4.7x. Microsoft Outlook will support LDAP searches for an individual name or partial string. For the MS/Windows platform, Eudora seems to support LDAP the best by allowing very sophisticated queries. The Linux "Balsa" e-mail client supports LDAP but it downloads the entire address book with no search filters. This can be cumbersome if the LDAP address book has a large number of entries. (They obviously tested with a small address book). One can perform the same search in Netscape by entering a "*" to download everything. Most email clients support a search for email address containing "@" to get all email addresses.

The e-mail client has to be configured to point to the LDAP server (i.e. ldap.your-domain.org) and must be given a "root" in the directory tree from which to begin searches. From this information the e-mail client can search the LDAP server for e-mail addresses which can be pulled down to the local client.

Note that Microsoft Outlook Express and Outlook 2000 are configured differently than Outlook 2000 Professional. For MS/Windows use the Qualcomm Eudora mail client as it seems to be the most advanced at supporting LDAP functionality and searches.



LDAP Tutorial: Installation, Configuration, Loading data, Usage Overview.

The following steps will lead to an operational OpenLDAP 2.x server:

  1. Install packages:
    • Red Hat / Fedora RPM packages: openldap, openldap-clients, openldap-servers, openldap12
      (rpm -ivh openldap-2.x...rpm openldap-clients-2.x...rpm openldap-servers-2.x...rpm openldap12-1.2...rpm)
    • Ubuntu (dapper 6.06)/Debian: slapd, ldap-utils, libldap2, libldap2-dev
    • S.u.S.e.: openldap2, openldap2-client
  2. Edit configuration files:
    • slapd.conf - Holds configuration info, domain info, admin info and references "include files".
      • Red Hat / Fedora Core: /etc/openldap/slapd.conf
      • Ubuntu (dapper 6.06)/ Debian: /etc/ldap/slapd.conf
        (See example: /usr/share/slapd/slapd.conf)
    • /etc/default/slapd - (Ubuntu) Defaults should be ok.
    • Create the include file for the Object definition. This defines the data to be held by the LDAP server. (Use include file or add it to end of slapd.conf) It is easiest to use an existing LDAP object class that comes pre-defined with OpenLDAP. If this does not meet your requirements define a new object which inherits basic attributes from an existing and defined object class.
  3. Create an LDIF data file. This is the actual data you wish to store in the LDAP database. It follows an object model (data schema) defined in either a pre-existing object definition or in an object model definition you have defined in a slapd.conf include file.
  4. Start the LDAP database:
    • Red Hat / Fedora: service ldap start (or: /etc/init.d/ldap start)
    • Ubuntu (dapper 6.06)/ Debian: /etc/init.d/slapd start
    (Option: Starting LDAP manually (as root): /usr/sbin/slapd -u ldap -h "ldap:/// ldaps:///")
  5. Load the LDIF data file into the database:
    • ldapadd -f file-name.ldif -xv -D "CN-with-privileges" -h host-name-of-server -W
      (you will be prompted for a password) or
    • ldapadd -f file-name.ldif -xv -D "CN-with-privileges" -h host-name-of-server -w password
  6. Test LDAP. Use an e-mail client such as Netscape or Outlook to access the data on the server.
  7. View, query and make changes to the data using the web front-end aWebDap (new version 1.7) or an admin tool like "gq". (or use LDAP command line interface) Try the online aWebDap demo.

Quick Start Example and Test:

(This will result in an operational LDAP server with data.)

OpenLDAP 2.x (shipped with Red Hat 7.1-9.0, Fedora Core): download and use the following two sample files:

Note for Fedora Core 3: (OpenLDAP 2.2.13) Add the statement "allow bind_v2" after the schema "include" directives in the file /etc/openldap/slapd.conf if you wish to allow the use of older clients.

Then execute the following commands as root:

  1. cd /var/lib/ldap
  2. mkdir stooges fraternity
  3. Update or replace /etc/openldap/slapd.conf with file supplied for this demo.
  4. chown ldap.ldap stooges fraternity /etc/openldap/slapd.conf
  5. /etc/rc.d/init.d/ldap start
  6. ldapadd -f stooges.ldif -xv -D "cn=StoogeAdmin,o=stooges" -h 127.0.0.1 -w secret1
    (or use the flag "-W" and get prompted for the password, which keeps it out of the shell history and the process list)

Test with an email client:

  • Mozilla:
    • Configure: Open the Address Book: "Window" + "Address Book" + "File" + "New" + "LDAP Directory ..."
      "General" Tab
      • Name: Stooges
      • Hostname: localhost
      • Base DN: o=stooges
      • Port Number: 389
    • Restart Mozilla, select "Window" + "Mail and News Groups" + "Compose".
    • Select icon "Address" + "Stooges" + Search for "@" to get all email addresses.
  • Netscape Messenger:
    • Configure: "Communicator" + "Address Book" + "File" + "New Directory..." +
      • Description: Stooges
      • LDAP Server: localhost
      • Server Root: o=stooges
      • Port Number: 389
    • Use: "Communicator" + "Messenger" + "New Msg" icon + "Address" icon + change pull-down menu from "Personal Address Book" to "Stooges". For all enter "*". To search for Moe, enter "moe". (you don't even need to press enter, just wait.) Try the "Search for.." with Name "*" and Department "MemberGroupA". Excellent!

Install the aWebDap CGI executable to provide a user web front-end for search and updates. [Demo]

If you wish to add a second domain try this file: fraternity.ldif
Use the command: ldapadd -f fraternity.ldif -xv -D "cn=DeanWormer,o=delta" -w secret2

Read the rest of this tutorial to see what it all means!
If this doesn't work check out the LDAP pitfall section.
To secure the LDAP database see the YoLinux LDAP Password Protection and Authentication Tutorial. (Note: This is authentication for the user to access the LDAP database and not using LDAP to authenticate applications)

To run a more complex example with an extended schema to optimally support MS/Outlook and Netscape Communicator see the YoLinux GILSE tutorial and example. If you are going to configure LDAP for your office, you will eventually want to follow this guide.


LDAP Data Schema:

LDAP uses an object oriented approach to data and data modeling which includes object definitions (collection of data attributes and rules) and object inheritance.

The data schema for LDAP is defined by the:
  • domain: (i.e. company name)
  • object classes
    • required attributes: Attributes which must be included to define the object. (i.e. person's last name)
    • allowed attributes: Additional attributes which may be included but are not required. (i.e. fax number)
    • optional: "Superior" object (Defines a hierarchy by linking object to a parent object class)
  • attribute types
  • allowable comparison operation / filter

The statements which describe the object classes and attributes are different in OpenLDAP versions 1.2 and 2.x. Unless you require a unique custom configuration it is easiest to use the pre-defined object inetOrgPerson (RFC 2798) included with OpenLDAP 2.x or to define a new object which inherits the inetOrgPerson object schema.

Each LDAP data entry has a "Distinguished Name" (DN) by which it is identified. Each component of the DN is called a "Relative Distinguished Name" (RDN). Operations against the LDAP data include adding, deleting, modifying and querying based on a query filter.


LDAP Configuration/Operation:
  1. Configuration files for slapd: the LDAP daemon's (slapd) configuration files define the data schema for the data it contains as well as system configuration (i.e. files and database type to use, etc.).


    slapd.conf:
    The main configuration file for the LDAP daemon is: /etc/openldap/slapd.conf (Ubuntu/Debian: /usr/share/slapd/slapd.conf)
    Two versions of OpenLDAP have been released and each has its own method of configuration, schema definition and configuration statements. The file slapd.conf will reference other "include" files which contain the LDAP data schema definitions.

    The main difference between OpenLDAP versions 1.2 and 2.x is in the object and attribute definitions. OpenLDAP 2.x objects and attributes use OIDs while version 1.2 does not. The slapd and database directives are close to being the same with minor enhancements in version 2.x.

    Password Encryption and Security: See the OpenLDAP password FAQ
    To secure the LDAP database see the YoLinux LDAP Password Protection and Authentication Tutorial
    To create a custom data object by extending the inetOrgPerson object see the new LDAP Object/Attribute definition tutorial

  2. LDIF: Defining Data for the LDAP database
    The input ASCII data file format required by LDAP is the LDIF format.
    For a more complete example see: OpenLDAP Version 2.x slapd.conf configuration and LDIF example
    To create a new custom object by extending the inetOrgPerson schema see the new LDAP object/attribute definition tutorial

    The following LDIF example uses the inetOrgPerson object model:

        dn: o=domain-name                    - Define the LDAP root
        objectClass: top
        objectClass: organization
        o: domain-name
        description: Full Company Name
    
        dn: cn=AdminManager,o=domain-name    - Data entries for the system administrator for the domain as defined in the file: slapd.conf
        objectClass: organizationalRole
        cn: AdminManager
        description: LDAP Directory Administrator
    
        dn: cn=Larry Fine,o=domain-name       - Great for address book support. For LDAP login authentication server support only, you may want to use the attribute uid, mail or employeeNumber.
        cn: Larry Fine          - Yes it is mentioned in the dn statement but it is repeated here
        objectClass: top        - These objectclass statements MUST go here for Open LDAP
        objectClass: person
        objectClass: organizationalPerson
        objectClass: inetOrgPerson
        mail: LFine@isp.com  
        givenname: Larry
        sn: Fine          
        postalAddress: 14 Cherry St.
        l: Dallas
        st: TX
        postalCode: 76888
        telephoneNumber: (800)555-1212
        seeAlso: dc=www,dc=domain-name,dc=org     - Correct method: DN must be previously defined in order to reference it. i.e. dn: dc=www,dc=domain-name,dc=org
                                                    XX Wrong Way! XX seeAlso: http://www.domain-name.org/~larry/    - OpenLDAP object inetOrgPerson expects a DN and this entry cannot be added directly so DO NOT ADD THIS LINE!!!
        jpegPhoto: < file:///path/to/file.jpeg     - JPEG photo from file.
                                                    OR
                                                    jpegPhoto: < http://domain/path/to/file.jpeg   - It's in the documentation but I never got it to work.
    
        ...
        ..
    

    For a full list of allowable attributes see the inetOrgPerson object attributes list below.

    The LDIF example above corresponds to the following slapd.conf entries for OpenLDAP 2.x:

       database        ldbm                   - Define the database to be used by LDAP. Each database definition begins with a database statement.
                                             [Tutorial Update]: This tutorial defines ldbm to be the database. (RH 6-9 default) Many are now recommending bdb. FC-3 defaults to bdb.
       suffix          "o=domain-name"
                                             [Tutorial Update]: As of OpenLDAP 2.1.13, only one suffix is supported per database. Previously this example showed two suffixes defined.
       rootdn          "cn=AdminManager,o=domain-name"
       rootpw          super-secret-password
       directory       /var/lib/ldap/domain-directory
       defaultaccess   read
       schemacheck     on
       lastmod         on
       index           cn,sn,st                        pres,eq,sub
    
    

    An alternate style for a base "dn":

    Note: As of OpenLDAP 2.1.13, the default configuration will allow only one suffix to be defined for each bdb database. The C preprocessor directive #define BDB_MULTIPLE_SUFFIXES (file: servers/slapd/back-bdb/init.c) may be used if you want to compile in multiple suffix support. If you use it, subtree indexing will slow down by a factor of 2. The use of suffixAlias is no longer supported by default in version 2.1.13.

    For more inetOrgPerson data schema info see:


    inetOrgPerson object attributes:
    • Requires:
      • objectClass: organizationalPerson
      • objectClass: person (Inherited from object organizationalPerson)
      • objectClass: top (Inherited from object person)
      • sn (Surname/Last Name - Inherited from object person)
      • cn (Common Name - Inherited from object person)
    • May have:
      • o (Organization Name)
      • displayName (RFC2798: Preferred name of a person to be used when displaying entries)
      • audio
      • businessCategory
      • carLicense
      • departmentNumber
      • employeeNumber
      • employeeType (i.e. "Contractor", "Employee", "Intern", "Temp", "External", "Unknown", etc...)
      • givenName
      • homePhone
      • homePostalAddress (After street number and name use line separator "$" in LDIF file: street$ st postalCode)
      • initials (MS/Outlook considers this to be the middle name)
      • jpegPhoto (See the OpenLDAP FAQ: Turn a jpeg into ldif format)
      • labeledURI
      • mail (e-Mail address)
      • manager (Specify dn entry of manager)
      • mobile
      • pager
      • photo
      • roomNumber
      • secretary (Specify dn entry of secretary)
      • uid
      • userCertificate
      • x500uniqueIdentifier
      • preferredLanguage
      • userSMIMECertificate (RFC2633: A PKCS#7 [RFC2315] SignedData)
      • userPKCS12 (PKCS #12 [PKCS12] provides a format for exchange of personal identity information.)
      • Attributes inherited from object organizationalPerson:
        • ou (Organization unit)
        • title
        • x121Address
        • registeredAddress
        • destinationIndicator
        • preferredDeliveryMethod
        • telexNumber
        • teletexTerminalIdentifier
        • telephoneNumber (MS/Outlook considers this to be the "Business Phone")
        • internationalISDNNumber
        • facsimileTelephoneNumber
        • postOfficeBox
        • postalAddress (MS/Outlook and Netscape both use this for the business address.)
        • physicalDeliveryOfficeName (MS/Outlook considers this to be the field "Office")
        • street (Don't use "street" because Netscape can't use it. Use "postalAddress".)
        • l (Locality/City/Town)
        • st (State/Province)
        • postalCode (Zip code)
      • Attributes inherited from object person:
        • userPassword
        • telephoneNumber (work phone)
        • seeAlso (DN of a related entry; see the note in the LDIF example above)
        • description


  3. Starting and stopping LDAP:
    LDAP interaction is with the slapd daemon. This can be invoked (on Red Hat) by /etc/rc.d/init.d/ldap start. Upon startup the slapd daemon reads the /etc/openldap/slapd.conf file.

    To stop the slapd LDAP daemon: /etc/rc.d/init.d/ldap stop

    Note: Edit configuration files first and then start the system.

  4. Load LDAP with the following command (the same ldapadd form used in the overview above; the DN and password are the rootdn and rootpw from slapd.conf):
        ldapadd -f file-name.ldif -xv -D "cn=AdminManager,o=domain-name" -h 127.0.0.1 -W
  5. Test LDAP with the following command: OpenLDAP 2.x
        ldapsearch -vLx -b "o=domain-name" "(objectclass=*)"
        or
        ldapsearch -vLx -h 127.0.0.1 -b "o=domain-name" "(objectclass=*)"
    
        Stooges example: ldapsearch -vLx -h 127.0.0.1 -b "o=stooges" "(sn=Fine)"
    
    The "-x" argument selects simple authentication instead of SASL; combined with -D and -W you are asked for the password of that DN (the rootpw defined in the file /etc/openldap/slapd.conf when binding as the rootdn).
    The expression "-h 127.0.0.1" will specify localhost explicitly. (It's the only way I can get it to work.)

    OpenLDAP 1.2

        ldapsearch -L -b "cn=AdminManager, o=domain-name" "(objectclass=*)"
        or
        ldapsearch -h "ldap.domain-name" -L -b "o=domain-name" "(sn=Fine)"


    Test LDAP with Your Netscape Browser: Use an LDAP enabled browser with an appropriate URL:
      ldap://ldap.yo-linux.com/cn=Larry Fine,ou=MemberGroupA,o=stooges
    
    This method will display directory information in the Netscape browser. MS/Windows Explorer will defer the information to the MS/Outlook address book for display and data transfer.

    For more on LDAP URLs see RFC 2255: The LDAP URL Format.

    Test LDAP with an e-mail client: The true test is of course with an e-mail client. See the list of clients and links to configuration notes at the top of this page.


    Netscape Messenger 4.5+:
    Adding custom search boxes: File: $HOME/.netscape/preferences.js
    (MS/Windows clients: C:\ProgramFiles\Netscape\Users\user-name\prefs.js)
    (This step is not required, it just makes for a more intuitive presentation within the client)
       user_pref("ldap_2.servers.domain-name.attributes.ou", "Attribute-Display-Name:LDAP-Database-Attribute");
       user_pref("ldap_2.servers.domain-name.filter1", "(&(objectclass=LDAP-Object-Schema-Name)(LDAP-Database-Attribute=%s))");
       pref("ldap_2.servers.domain-name.maxHits", 400);
    
    If your organization has an attribute you wish employees to use as a searchable item, you can configure Netscape Messenger to display an advanced search box with the appropriate label by using the JavaScript configuration statements above. The display changes will only apply to the domain specified. Substitute the placeholder entries (Attribute-Display-Name, LDAP-Database-Attribute, LDAP-Object-Schema-Name) with the appropriate data for your application. (i.e. LDAP-Object-Schema-Name could be inetOrgPerson and the LDAP-Database-Attribute could be any of that object's attributes you wish to search such as "carLicense") By default Netscape 4.7x only displays the search items "Name", "Email", "Organization" and "Department".

    Example - Allow a search by State:

       user_pref("ldap_2.servers.Stooges.attributes.ou", "State:st");
       user_pref("ldap_2.servers.Stooges.filter1", "(&(objectclass=inetOrgPerson)(st=%s))");
    
    Note:
    • Terminate the Netscape program before editing the file, then edit the file and then re-start Netscape.
    • The domain is specified without the "." and is the same as the "Description" name.
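The filter1 template above substitutes whatever the user types into the search box for %s. A value that is meant literally should be escaped as RFC 4515 requires, so that "*", "(" and ")" typed by the user are matched as characters rather than changing the shape of the filter. The following is an added example, not code from this tutorial or from Netscape: a filter builder with that escaping plus a small matcher for equality, presence and substring filters, run over three constructed entries. It shows that an unescaped "*" returns every entry that has a state (the page's own tip for listing everyone), while the escaped value matches only a literal asterisk.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so the server matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, value, escape=True):
    """Fill the %s placeholder of a Netscape-style filter template with a search value."""
    return template.replace("%s", escape_filter_value(value) if escape else value)


def _unescape(text):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _parse(text, i=0):
    """Parse '(&(...)(...))' or '(attr=value)' at text[i]; returns (node, index after ')')."""
    if text[i + 1] == "&":
        items, i = [], i + 2
        while text[i] == "(":
            node, i = _parse(text, i)
            items.append(node)
        return ("and", items), i + 1
    close = text.index(")", i)
    attr, _, value = text[i + 1:close].partition("=")
    # Split on unescaped '*' before unescaping, so an escaped \2a stays a literal asterisk.
    parts = [_unescape(p).lower() for p in value.split("*")]
    return ("eq", attr.lower(), parts), close + 1


def _value_matches(parts, value):
    value = value.lower()
    if len(parts) == 1:                           # plain equality match
        return value == parts[0]
    head, tail, middle = parts[0], parts[-1], parts[1:-1]
    if not (value.startswith(head) and value.endswith(tail)):
        return False
    pos = len(head)
    for piece in middle:                          # each inner piece must appear in order
        pos = value.find(piece, pos)
        if pos < 0:
            return False
        pos += len(piece)
    return pos <= len(value) - len(tail)


def _matches(node, entry):
    if node[0] == "and":
        return all(_matches(child, entry) for child in node[1])
    _, attr, parts = node
    return any(_value_matches(parts, v) for v in entry.get(attr, []))


def search(entries, filter_text):
    """Return the cn of every entry the filter selects, in directory order."""
    node, _ = _parse(filter_text)
    return [e["cn"][0] for e in entries if _matches(node, e)]


TEMPLATE = "(&(objectclass=inetOrgPerson)(st=%s))"

# Constructed entries (attribute names lower-cased, values as lists like LDIF); not the demo data.
STOOGES = [
    {"cn": ["Larry Fine"], "sn": ["Fine"], "st": ["TX"], "objectclass": ["inetOrgPerson"]},
    {"cn": ["Moe Howard"], "sn": ["Howard"], "st": ["CA"], "objectclass": ["inetOrgPerson"]},
    {"cn": ["Curly Howard"], "sn": ["Howard"], "objectclass": ["inetOrgPerson"]},
]

if __name__ == "__main__":
    for value in ("TX", "*"):
        print(repr(value), "raw:", search(STOOGES, build_filter(TEMPLATE, value, escape=False)),
              "escaped:", search(STOOGES, build_filter(TEMPLATE, value)))
```

The matcher only covers the "&" conjunction and the equality, presence and substring forms the templates on this page use; a real server evaluates the full RFC 4515 grammar, but the escaping rule is the same.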

Performance considerations:



Backup LDAP database:

Backup the LDAP database with the following command (OpenLDAP 2.x / 1.2 with the ldbm backend):
    /usr/sbin/ldbmcat -n /var/lib/ldap/id2entry.dbb > /opt/BACKUP/ldap.ldif

Note that this backup may not be suitable for re-loading. The order is random if it has been modified. The object definition for the domain itself must be the first definition. If it is not then move it there manually so that it can reload successfully.

Using the slapd slapcat method: slapcat -v -n 2 -l delta.ldif (-n selects the database by its position in slapd.conf; here the second one)

This method is no better or worse than using ldbmcat. The LDIF files generated by ldbmcat and slapcat are identical.
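Two checks from this page in one added example (not the tutorial's own tool): the inetOrgPerson LDIF section above lists the object classes and attributes an entry must carry, repeats the RDN value as an attribute and warns that seeAlso must be a DN rather than a URL; the backup note above says a dump may come out in an order that will not reload unless the domain entry is moved first. The script below parses simple LDIF, reports entries that break those rules, and reorders a dump so the suffix entry comes first and every parent precedes its children. The sample dump is constructed (it is not stooges.ldif), and the depth ordering assumes RDN values contain no commas.

```python
import base64
import re

# Object-class chain and attributes that inetOrgPerson requires (per the attribute list above).
REQUIRED_CLASSES = ("top", "person", "organizationalperson", "inetorgperson")
REQUIRED_ATTRS = ("cn", "sn")
# Loose DN shape: comma-separated "type=value" components (values without commas).
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def parse_ldif(text):
    """Parse simple LDIF into a list of entries ({attr-name: [values]}) in file order.
    Supports 'attr: value', 'attr:: base64', folded continuation lines and '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:           # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:                       # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # attr:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


def validate_person(entry):
    """Return the problems found in an inetOrgPerson entry (empty list if it looks loadable)."""
    problems = []
    dn = entry.get("dn", [""])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "inetorgperson" not in classes:
        return problems                             # not a person entry; nothing to check here
    for cls in REQUIRED_CLASSES:
        if cls not in classes:
            problems.append(f"missing objectClass {cls}")
    for attr in REQUIRED_ATTRS:
        if attr not in entry:
            problems.append(f"missing required attribute {attr}")
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    if rdn_value not in entry.get(rdn_attr.lower(), []):
        problems.append(f"RDN value {rdn_value!r} is not repeated as a {rdn_attr} attribute")
    for value in entry.get("seealso", []):
        if not DN_RE.match(value):
            problems.append(f"seeAlso must be a DN, not {value!r}")
    return problems


def order_for_reload(entries, suffix):
    """Put the suffix (domain) entry first and every parent before its children."""
    def key(entry):
        dn = entry["dn"][0]
        return (0 if dn.lower() == suffix.lower() else 1, dn.count(","))
    return sorted(entries, key=key)                 # stable: original order kept within a level


def check_dump(text, suffix):
    """Parse an LDIF dump; return (DNs in reload order, {dn: problems} for entries that fail)."""
    entries = parse_ldif(text)
    ordered = [e["dn"][0] for e in order_for_reload(entries, suffix)]
    bad = {}
    for entry in entries:
        problems = validate_person(entry)
        if problems:
            bad[entry["dn"][0]] = problems
    return ordered, bad


# Constructed sample dump: entries in the "random" order a backup may come out in,
# plus one deliberately broken entry (no sn, seeAlso given as a URL).
SAMPLE_DUMP = """\
dn: cn=Larry Fine,ou=MemberGroupA,o=stooges
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Larry Fine
sn: Fine

dn: cn=Bad Example,ou=MemberGroupA,o=stooges
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Bad Example
seeAlso: http://www.domain-name.org/~larry/

dn: ou=MemberGroupA,o=stooges
objectClass: top
objectClass: organizationalUnit
ou: MemberGroupA

dn: o=stooges
objectClass: top
objectClass: organization
o: stooges
"""

if __name__ == "__main__":
    order, problems = check_dump(SAMPLE_DUMP, "o=stooges")
    print("reload order:", *order, sep="\n  ")
    for dn, issues in problems.items():
        print(f"{dn}: " + "; ".join(issues))
```

Run the checker over a slapcat or ldbmcat output before feeding it to ldapadd; entries it flags would be rejected by slapd's schema check, and the reordered list is what ldapadd needs since each parent must exist before its children are added.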

Also see: Scripts and software tools to convert LDIF files to the useful ".csv" backup form. - (Some helpful tools I wrote)



Adding an entry to an existing LDAP directory:

File: schemp.ldif

dn: cn=Schemp Anderson,ou=MemberGroupB,o=stooges
ou: MemberGroupB
o: stooges
cn: Schemp Anderson
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Schemp
sn: Anderson
uid: schemp
homePostalAddress: 20 Cherry Ln.$Plano TX 78888
pager: 800-555-1320
title: Development Engineer
facsimileTelephoneNumber: 800-555-3320
mail: SAnderson@isp.com
homePhone: 800-555-1320
telephoneNumber: (800)555-1220
mobile: 800-555-1320
postalAddress: 20 Fitzhugh Ave.
l: Dallas
st: TX
postalCode: 76888

Command: ldapadd -f schemp.ldif -h 127.0.0.1 -xv -D "cn=StoogeAdmin,o=stooges" -W


Notes: LDAP on Red Hat/Fedora Core distribution:

OpenLDAP 1.2:


[Potential Pitfall]: TCP wrappers (hosts.allow / hosts.deny) misconfiguration:

File (default): /etc/hosts.deny
   ALL:ALL
This set-up will deny everyone including localhost!!!
Remove this line which is often default.

Be sure to at least add the following to: /etc/hosts.allow

   ALL:127.0.0.1
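An added example, not part of the tutorial, that reproduces the hosts.allow / hosts.deny decision above in code so the two pitfall configurations can be checked side by side. It models the tcpd order (a matching hosts.allow rule wins, otherwise a matching hosts.deny rule denies, otherwise access is granted) for ALL, exact-match and trailing-dot network patterns; EXCEPT lists, netmask and hostname forms are left out, and the whole mechanism only applies where slapd was built with TCP wrappers support. The file contents are constructed.

```python
def parse_access_file(text):
    """Parse hosts.allow / hosts.deny lines of the form 'daemon_list : client_list [: option]'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def _pattern_matches(pattern, value):
    """Subset of tcpd patterns: ALL, exact match, and a trailing-dot network prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # e.g. "192.168.1." matches 192.168.1.20
        return value.startswith(pattern)
    return pattern == value


def _rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(_pattern_matches(d, daemon) for d in daemons)
            and any(_pattern_matches(c, client) for c in clients))


def is_allowed(hosts_allow, hosts_deny, daemon, client):
    """tcpd order: a matching hosts.allow rule grants, then a matching hosts.deny rule denies,
    otherwise access is granted."""
    if any(_rule_matches(r, daemon, client) for r in parse_access_file(hosts_allow)):
        return True
    if any(_rule_matches(r, daemon, client) for r in parse_access_file(hosts_deny)):
        return False
    return True


# Constructed file contents reproducing the pitfall above.
DENY_ALL = "ALL:ALL\n"
ALLOW_LOCALHOST = "ALL:127.0.0.1\n"

if __name__ == "__main__":
    print("empty hosts.allow, ALL:ALL in hosts.deny ->", is_allowed("", DENY_ALL, "slapd", "127.0.0.1"))
    print("ALL:127.0.0.1 added to hosts.allow      ->", is_allowed(ALLOW_LOCALHOST, DENY_ALL, "slapd", "127.0.0.1"))
```

Keeping ALL:ALL in hosts.deny and listing only the hosts that need slapd in hosts.allow (for example "slapd: 127.0.0.1, 192.168.1.") is the tighter configuration; removing the deny line instead opens slapd to every client the firewall lets through.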

[Potential Pitfall]: Ipchains/Iptables misconfiguration:

The Red Hat 7.1-9.0 and Fedora Core installations will have you configure firewall rules which may conflict with access to the LDAP server. To flush all firewall rules:
  iptables -F
OR
  ipchains -F

[Potential Pitfall]: LDAP won't start

Check log file /var/log/messages
slaptest: sql_select option missing
slaptest: auxpropfunc error no mechanism available
ldap:  succeeded
slapd[4200]: sql_select option missing
slapd[4200]: auxpropfunc error no mechanism available
If the config files /etc/openldap/ldap.conf or /etc/openldap/slapd.conf are owned by root it will cause this error.
Fix: chown ldap.ldap /etc/openldap/ldap.conf /etc/openldap/slapd.conf

[Potential Pitfall]: Directory access

The Red Hat 7.1-9.0 and Fedora Core versions of OpenLDAP run the LDAP server "slapd" under the user id "ldap". Thus all directories and files that the LDAP server must access must be accessible by the user "ldap" (preferably owned by user "ldap"). This is a configuration change between Red Hat 6.x, which used root, and Red Hat 7.1.

[Potential Pitfall]: Can't access LDAP server with client
Note for Fedora Core 3: (OpenLDAP 2.2.13) Add the statement "allow bind_v2" after the schema "include" directives in the file /etc/openldap/slapd.conf if you wish to allow the use of older clients.

Debugging tips: To take a peek inside the database:

   strings /var/lib/ldap/id2entry.gdbm | more


The Berkeley BDB database:

The back-bdb is now the preferred database format and the old back-ldbm code has been removed from OpenLDAP.

The Berkeley database software tools have names which are Linux distribution dependent:

Example database recovery:

LDAP - Schema links:

Also see RFC 2256 (User Schema for use with LDAPv3).


LDAP Book List:

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good,
ISBN 0672323168, Addison-Wesley Pub Co

Second edition. It is general in nature but complete in that it covers all concepts in depth. It is a good book for those wanting to understand everything about LDAP, schema development and its capabilities.

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good,
ISBN 1-57870-070-1, MacMillan Technical Publishing

First edition, out of print (used only). See the second edition above. This is the largest LDAP book I own. It is general in nature but complete in that it covers all concepts in depth. It is NOT a good programmer's reference but it is good for those wanting to understand everything about LDAP, schema development and its capabilities. Netscape centric.

"Programming Directory-Enabled Applications with Lightweight Directory Access Protocol",
by Timothy A. Howes, PhD and Mark C. Smith
ISBN 1-57870-000-0, MacMillan Technical Publishing

Excellent programmer's reference for those using the LDAP C language API. Also covers search filters and LDAP URLs. The OpenLDAP source code is so poorly commented that I found this book often was the only source for an explanation of what was happening in the code.

"Implementing LDAP",
Mark Wilcox
ISBN 1-861002-21-1, Wrox Press

This book covers all aspects of LDAP from LDIF to the LDAP SDK in C, Perl and Java. It has a strong Netscape Directory server bias.

"LDAP System Administration",
Gerald Carter
ISBN 1565924916, O'Reilly & Associates

This book covers the use of OpenLDAP and the integration of services.

"LDAP Programming, Management and Integration",
Clayton Donley
ISBN 1930110405, Manning Publications; 1st edition

This book covers LDAP administration as well as introductory information. It covers the Directory Services Markup Language (DSML), the Perl LDAP module as well as Java JNDI.

"Understanding LDAP" - IBM Redbooks
Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman
IBM Redbook #SG24-4986-00

A reference to LDAP, available as a PDF as well. This book has a bias towards IBM's E-network LDAP Directory server. Tight, terse, but covers everything.

"LDAP Implementation Cookbook"
IBM Redbook #SG24-5110-00

Copyright © 2000, 2001, 2002, 2003, 2004, 2006 by Greg Ippolito