Introduction to OpenLDAP

The OpenLDAP package provides an open source implementation of the Lightweight Directory Access Protocol.

Package Information



The OpenLDAP stable releases are packaged without version numbers in the tarball names. You can see the relationship between the version number and name of the tarball at

OpenLDAP Dependencies


Berkeley DB-4.5.20 is recommended (built in LFS) or GDBM-1.8.3



TCP Wrapper-7.6, unixODBC-2.2.12, GMP-4.2.2, OpenSLP, Pth-2.0.7, and one of MySQL-5.0.41, Oracle, or PostgreSQL-8.2.4

User Notes:

Installation of OpenLDAP

Install OpenLDAP by running the following commands:

./configure --prefix=/usr \
            --libexecdir=/usr/sbin \
            --sysconfdir=/etc \
            --localstatedir=/srv/ldap \
            --disable-debug \
            --enable-dynamic \
            --enable-crypt \
            --enable-modules \
            --enable-rlookups \
            --enable-backends \
            --enable-overlays \
            --disable-sql &&
make depend &&

To test the results, issue: make test. If you've enabled tcp_wrappers, ensure you add to the slapd line in the /etc/hosts.allow file if you have a restrictive /etc/hosts.deny file.

Now, as the root user:

make install &&

for LINK in lber ldap ldap_r; do
    chmod -v 0755 /usr/lib/$(readlink /usr/lib/lib${LINK}.so)
done &&

install -v -m755 -d /usr/share/doc/openldap-2.3.39/{drafts,guide,rfc} &&
install -v -m644 doc/drafts/* /usr/share/doc/openldap-2.3.39/drafts &&
install -v -m644 doc/rfc/*    /usr/share/doc/openldap-2.3.39/rfc &&
cp -v -R doc/guide/*          /usr/share/doc/openldap-2.3.39/guide

Command Explanations

--libexecdir=/usr/sbin: Installs the slapd and slurpd daemon programs in /usr/sbin instead of /usr/libexec.

--sysconfdir=/etc: Sets the configuration file directory to avoid the default of /usr/etc.

--localstatedir=/srv/ldap: Sets the directory to use for the LDAP directory database, replication logs and run-time variable data.

--disable-debug: Disable debugging code.

--enable-dynamic: This forces the OpenLDAP libraries to be dynamically linked to the executable programs.

--enable-crypt: Enables crypt(3) passwords.

--enable-modules: Enables dynamic module support.

--enable-rlookups: This parameter enables reverse lookups of client hostnames.

--enable-backends: This parameter enables all available backends.

--enable-overlays: This parameter enables all available overlays.

--disable-sql: This parameter explicity disables the sql backend. Omit this switch if a SQL server is installed.

--disable-bdb --disable-hdb --with-ldbm-api=gdbm: Pass these parameters to the configure command if you wish to use GDBM instead of Berkeley DB as the primary backend database.

chmod -v 0755 ...: This command adds the executable bit to the shared libraries.



You can run ./configure --help to see if there are other parameters you can pass to the configure command to enable other options or dependency packages.

Configuring OpenLDAP

Config Files


Configuration Information

Configuring the slapd and slurpd servers can be complex. Securing the LDAP directory, especially if you are storing non-public data such as password databases, can also be a challenging task. You'll need to modify the /etc/openldap/slapd.conf and /etc/openldap/ldap.conf files to set up OpenLDAP for your particular needs.

Resources to assist you with topics such as choosing a directory configuration, backend and database definitions, access control settings, running as a user other than root and setting a chroot environment include:

Utilizing GDBM

To utilize GDBM as the database backend, the “database” entry in /etc/openldap/slapd.conf must be changed from “bdb” to “ldbm”. You can use both by creating an additional database section in /etc/openldap/slapd.conf.

Mozilla Address Directory

By default, LDAPv2 support is disabled in the slapd.conf file. Once the database is properly set up and Mozilla is configured to use the directory, you must add allow bind_v2 to the slapd.conf file.

Boot Script

To automate the startup of the LDAP server at system bootup, install the /etc/rc.d/init.d/openldap init script included in the blfs-bootscripts-20080816 package using the following command:

make install-openldap1

Note: The init script you just installed only starts the slapd daemon. If you wish to also start the slurpd daemon at system startup, install a modified version of the script using this command:

make install-openldap2


The init script starts the daemons without any parameters. You'll need to modify the script to include the parameters needed for your specific configuration. See the slapd and slurpd man pages for parameter information.

Testing the Configuration

Start the LDAP server using the init script:

/etc/rc.d/init.d/openldap start

Verify access to the LDAP server with the following command:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

The expected result is:

# extended LDIF
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts

namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Installed Programs: ldapadd, ldapcompare, ldapdelete, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch, ldapwhoami, slapadd, slapcat, slapd, slapdn, slapindex, slappasswd, slaptest, and slurpd
Installed Libraries: liblber.{so,a}, libldap.{so,a}, and libldap_r.{so,a}
Installed Directories: /etc/openldap, /srv/ldap, and /usr/share/openldap

Short Descriptions


opens a connection to an LDAP server, binds and adds entries.


opens a connection to an LDAP server, binds and performs a compare using specified parameters.


opens a connection to an LDAP server, binds and deletes one or more entries.


opens a connection to an LDAP server, binds and modifies entries.


opens a connection to an LDAP server, binds and modifies the RDN of entries.


is a tool to set the password of an LDAP user.


opens a connection to an LDAP server, binds and performs a search using specified parameters.


opens a connection to an LDAP server, binds and displays whoami information.


is used to add entries specified in LDAP Directory Interchange Format (LDIF) to an LDAP database.


is used to generate an LDAP LDIF output based upon the contents of a slapd database.


is the stand-alone LDAP server.


checks a list of string-represented DNs based on schema syntax.


is used to regenerate slapd indices based upon the current contents of a database.


is an OpenLDAP password utility.


checks the sanity of the slapd.conf file.


is the stand-alone LDAP replication server.


is a set of lightweight Basic Encoding Rules routines. These routines are used by the LDAP library routines to encode and decode LDAP protocol elements using the (slightly simplified) Basic Encoding Rules defined by LDAP. They are not normally used directly by an LDAP application program except in the handling of controls and extended operations.


supports the LDAP programs and provide functionality for other programs interacting with LDAP.


contains the functions required by the LDAP programs to produce the results from LDAP requests.

Last updated on 2008-05-10 09:35:39 -0500