Beyond Linux® From Scratch - Version svn-20070421

Chapter 24. Other Server Software

OpenLDAP-2.3.34

Introduction to OpenLDAP

The OpenLDAP package provides an open source implementation of the Lightweight Directory Access Protocol.

Package Information

[Note]

Note

The OpenLDAP stable releases are packaged without version numbers in the tarball names. You can see the relationship between the version number and name of the tarball at http://www.openldap.org/software/download/. Currently, a version release is being used due to a mixup on the OpenLDAP download page.

OpenLDAP Dependencies

Required

Berkeley DB-4.5.20 is recommended (built in LFS) or GDBM-1.8.3

Recommended

Cyrus SASL-2.1.21 and OpenSSL-0.9.8e

Optional

TCP Wrapper-7.6, unixODBC-2.2.12, GMP-4.2.1, GNU Pth, and OpenSLP

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/openldap

Installation of OpenLDAP

Install OpenLDAP by running the following commands: 

./configure --prefix=/usr \
            --libexecdir=/usr/sbin \
            --sysconfdir=/etc \
            --localstatedir=/srv/ldap \
            --disable-debug \
            --enable-dynamic \
            --enable-crypt \
            --enable-modules \
            --enable-rlookups \
            --enable-backends \
            --enable-overlays &&
make depend &&
make

To test the results, issue: make test. If you've enabled tcp_wrappers, ensure you add 127.0.0.1 to the slapd line in the /etc/hosts.allow file if you have a restrictive /etc/hosts.deny file.

Now, as the root user: 

make install &&
chmod -v 755 /usr/lib/libl*-2.3.so.0.2.22 &&
install -v -m755 -d /usr/share/doc/openldap-2.3.34/{drafts,guide,rfc} &&
install -v -m644 doc/drafts/* /usr/share/doc/openldap-2.3.34/drafts &&
install -v -m644 doc/rfc/*    /usr/share/doc/openldap-2.3.34/rfc &&
cp -v -R doc/guide/*          /usr/share/doc/openldap-2.3.34/guide

Command Explanations

--libexecdir=/usr/sbin: Installs the slapd and slurpd daemon programs in /usr/sbin instead of /usr/libexec.

--sysconfdir=/etc: Sets the configuration file directory to avoid the default of /usr/etc.

--localstatedir=/srv/ldap: Sets the directory to use for the LDAP directory database, replication logs and run-time variable data.

--disable-debug: Disable debugging code.

--enable-dynamic: This forces the OpenLDAP libraries to be dynamically linked to the executable programs.

--enable-crypt: Enables crypt(3) passwords.

--enable-modules: Enables dynamic module support.

--enable-rlookups: This parameter enables reverse lookups of client hostnames.

--enable-backends: This parameter enables all available backends.

--enable-overlays: This parameter enables all available overlays.

--disable-bdb --disable-hdb --with-ldbm-api=gdbm: Pass these parameters to the configure command if you wish to use GDBM instead of Berkeley DB as the primary backend database.

chmod -v 755 /usr/lib/libl*-2.3.so.0.2.22: This command adds the executable bit to the shared libraries.

[Note]

Note

You can run ./configure --help to see if there are other parameters you can pass to the configure command to enable other options or dependency packages.

Configuring OpenLDAP

Config Files

/etc/openldap/*

Configuration Information

Configuring the slapd and slurpd servers can be complex. Securing the LDAP directory, especially if you are storing non-public data such as password databases, can also be a challenging task. You'll need to modify the /etc/openldap/slapd.conf and /etc/openldap/ldap.conf files to set up OpenLDAP for your particular needs.

Resources to assist you with topics such as choosing a directory configuration, backend and database definitions, access control settings, running as a user other than root and setting a chroot environment include:

Utilizing GDBM

To utilize GDBM as the database backend, the “database” entry in /etc/openldap/slapd.conf must be changed from “bdb” to “ldbm”. You can use both by creating an additional database section in /etc/openldap/slapd.conf.

Mozilla Address Directory

By default, LDAPv2 support is disabled in the slapd.conf file. Once the database is properly set up and Mozilla is configured to use the directory, you must add allow bind_v2 to the slapd.conf file.

Boot Script

To automate the startup of the LDAP server at system bootup, install the /etc/rc.d/init.d/openldap init script included in the blfs-bootscripts-20060910 package using the following command: 

make install-openldap1

Note: The init script you just installed only starts the slapd daemon. If you wish to also start the slurpd daemon at system startup, install a modified version of the script using this command: 

make install-openldap2
[Note]

Note

The init script starts the daemons without any parameters. You'll need to modify the script to include the parameters needed for your specific configuration. See the slapd and slurpd man pages for parameter information.

Testing the Configuration

Start the LDAP server using the init script: 

/etc/rc.d/init.d/openldap start

Verify access to the LDAP server with the following command: 

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

The expected result is: 

# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Contents

Installed Programs: ldapadd, ldapcompare, ldapdelete, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch, ldapwhoami, slapadd, slapcat, slapd, slapdn, slapindex, slappasswd, slaptest, and slurpd
Installed Libraries: liblber.{so,a}, libldap.{so,a}, and libldap_r.{so,a}
Installed Directories: /etc/openldap, /srv/ldap, and /usr/share/openldap

Short Descriptions

ldapadd

opens a connection to an LDAP server, binds and adds entries.

ldapcompare

opens a connection to an LDAP server, binds and performs a compare using specified parameters.

ldapdelete

opens a connection to an LDAP server, binds and deletes one or more entries.

ldapmodify

opens a connection to an LDAP server, binds and modifies entries.

ldapmodrdn

opens a connection to an LDAP server, binds and modifies the RDN of entries.

ldappasswd

is a tool to set the password of an LDAP user.

ldapsearch

opens a connection to an LDAP server, binds and performs a search using specified parameters.

ldapwhoami

opens a connection to an LDAP server, binds and displays whoami information.

slapadd

is used to add entries specified in LDAP Directory Interchange Format (LDIF) to an LDAP database.

slapcat

is used to generate an LDAP LDIF output based upon the contents of a slapd database.

slapd

is the stand-alone LDAP server.

slapdn

checks a list of string-represented DNs based on schema syntax.

slapindex

is used to regenerate slapd indices based upon the current contents of a database.

slappasswd

is an OpenLDAP password utility.

slaptest

checks the sanity of the slapd.conf file.

slurpd

is the stand-alone LDAP replication server.

liblber.{so,a}

is a set of lightweight Basic Encoding Rules routines. These routines are used by the LDAP library routines to encode and decode LDAP protocol elements using the (slightly simplified) Basic Encoding Rules defined by LDAP. They are not normally used directly by an LDAP application program except in the handling of controls and extended operations.

libldap.{so,a}

supports the LDAP programs and provide functionality for other programs interacting with LDAP.

libldap_r.{so,a}

contains the functions required by the LDAP programs to produce the results from LDAP requests.

Last updated on 2007-04-04 21:42:53 +0200