Configuring LDAP

LDAP comes with a couple of configuration files, which are

/etc/openldap/ldap.conf
/usr/local/etc/openldap/slapd.conf
/usr/local/etc/openldap/slapd.at.conf
/usr/local/etc/openldap/slapd.oc.conf


ldap.conf does not have to be changed for our installation, so we continue with slapd.conf. We edit the file with vi by typing

vi /usr/local/etc/openldap/slapd.conf

and end up with a slapd.conf file that looks like this:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include      /usr/local/etc/openldap/slapd.at.conf
include      /usr/local/etc/openldap/slapd.oc.conf
schemacheck   off
#referral   ldap://root.openldap.org/

pidfile      /usr/local/var/slapd.pid
argsfile      /usr/local/var/slapd.args

#######################################################################
# ldbm database definitions
#######################################################################


database   ldbm
suffix      ""
suffix      "dc=organicbrownsugar, dc=com"
suffix      "o=Organic Brown Sugar, c=US"
#rootdn   "cn=Manager, dc=organicbrownsugar, dc=com "
rootdn      "cn=Manager, o=Organic Brown Sugar, c=US"
# cleartext passwords, especially for the rootdn, should
# be avoided.  See slapd.conf(5) for details.
rootpw      secret
# database directory
# this directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools.  Mode 700 recommended.
directory   /usr/local/var/openldap-ldbm
index      cn,sn,mail pres,eq,app

The first change we applied concerns the suffix value. The suffix determines which kind of queries our ldap server will respond to. In order to use automatic name resolution from various email clients, we need to add the line

suffix      ""

Since the email client does not include a search base (like o=Organic Brown Sugar,c=US) we have to add this line. Otherwise our queries will always be unsuccessful. The next two lines include two other search bases that might be used. The rootdn line specifies the LDAP administrator, the user who has the right to update and change the database. The rootpw line that follows it is the password that goes with that username. At the end of the file we have a few indexes for searches.
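The comments in slapd.conf above raise three things worth checking before slapd goes live: the file must not be world readable (it holds the rootpw), the rootpw should not be stored in cleartext, and the database directory should exist with mode 700. The following shell function is an added example, not part of this tutorial and not OpenLDAP's own tooling, that audits a slapd.conf for exactly those three points. It assumes a POSIX shell with awk, the usual rwx permission column from ls -l, and that a rootpw value beginning with a {SCHEME} prefix (such as {CRYPT}) is a hash while anything else is cleartext.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a slapd.conf against
# the warnings its own comments raise. Prints one line per finding and
# returns the number of findings, so a return of 0 means "nothing to fix".
#
# usage: check_slapd_conf /usr/local/etc/openldap/slapd.conf
check_slapd_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 255; }

    # Finding 1: the file holds rootpw, so "others" must not be able to read
    # it. We look at the ls -l mode column (char 8 = others-read) rather than
    # test -r, which is always true when running as root.
    if [ "$(ls -ld "$conf" | cut -c8)" = "r" ]; then
        echo "WORLD-READABLE: $conf is readable by everyone (chmod 600 $conf)"
        findings=$((findings + 1))
    fi

    # Finding 2: a rootpw that is not in {SCHEME}hash form is stored in the
    # clear; whoever can read the file is the directory administrator.
    rootpw=$(awk '$1 == "rootpw" { gsub(/"/, "", $2); print $2 }' "$conf")
    case "$rootpw" in
        "")   ;;                     # no rootpw line: nothing to flag
        "{"*) ;;                     # {CRYPT}..., {SSHA}...: hashed value
        *)    echo "CLEARTEXT-ROOTPW: rootpw in $conf is stored in cleartext"
              findings=$((findings + 1)) ;;
    esac

    # Finding 3: the database directory must exist before slapd starts and
    # should be reachable only by its owner (mode 700), as slapd.conf says.
    dbdir=$(awk '$1 == "directory" { gsub(/"/, "", $2); print $2 }' "$conf")
    if [ -n "$dbdir" ]; then
        if [ ! -d "$dbdir" ]; then
            echo "NO-DBDIR: $dbdir does not exist (mkdir -m 700 $dbdir)"
            findings=$((findings + 1))
        elif [ "$(ls -ld "$dbdir" | cut -c5-10)" != "------" ]; then
            echo "DBDIR-MODE: $dbdir is not mode 700 (chmod 700 $dbdir)"
            findings=$((findings + 1))
        fi
    fi

    return $findings
}

# When run as a script, audit the file given on the command line.
if [ $# -gt 0 ]; then
    check_slapd_conf "$1"
fi
```

On the configuration shown in this chapter the function reports a cleartext rootpw and, until the directory has been created, a missing database directory. The fix for the first is to replace the plain value with a hashed one (OpenLDAP 2.x ships slappasswd for generating it); the other two are the chmod and mkdir the messages spell out.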

Now we'll take a look at the next document with

vi /usr/local/etc/openldap/slapd.at.conf

where we will add an attribute for email addresses. We append the line

attribute   mail               dn
attribute   ou               dn


to the file. Now ldap knows about the mail attribute, but we have to tell ldap that we want to use it with the person objectclass. What is an objectclass? It's a collection of attributes; an objectclass person, for example, would need a last name, first name, email and so on. An organization objectclass would probably need attributes like street, telephone number, state and so on. Whenever we add an object to the ldap database, it has to belong to an objectclass. Let's open the file slapd.oc.conf with

vi /usr/local/etc/openldap/slapd.oc.conf

and look for the line objectclass person which should look like this after our modifications:

objectclass person
   requires
      objectClass,
      sn,
      cn
   allows
      description,
      seeAlso,
      telephoneNumber,
      userPassword,
      mail,
      ou

We have now edited most of our configuration files and are ready to move on and create our first entries. For this we will create an LDIF file that contains the records in readable format. Let's type

vi /tmp/root.ldif

and create the following file:

dn: o=Organic Brown Sugar, c=US
objectclass: organization
o: Organic Brown Sugar

I chose to use an LDAP hierarchy that is based on organization and country rather than on email domains. If I wanted to add both, I could create a file that looks like this:

dn: o=Organic Brown Sugar, c=US
objectclass: organization
o: Organic Brown Sugar

dn: dc=organicbrownsugar,dc=com
objectclass: dcObject
dc: organicbrownsugar

Now we are almost in LDAP land. We will now configure ldap to start automatically every time we boot. For this we will create a file ldap in the directory /etc/rc.d/init.d/ by typing

cd /etc/rc.d/init.d/

And creating the /etc/rc.d/init.d/ldap file:

#!/bin/sh
#
# ldap          This shell script takes care of starting and stopping
#               ldap servers (slapd and slurpd).
#
# chkconfig: - 39 61
# description: LDAP stands for Lightweight Directory Access Protocol, used \
#              for implementing the industry standard directory services.
# processname: slapd
# config: /usr/local/etc/openldap/slapd.conf
# pidfile: /usr/local/var/slapd.pid

# Source function library.
. /etc/init.d/functions

# Source networking configuration and check that networking is up.
if [ -r /etc/sysconfig/network ] ; then
    . /etc/sysconfig/network
    [ "${NETWORKING}" = "no" ] && exit 0
fi

slapd=/usr/local/libexec/slapd
slurpd=/usr/local/libexec/slurpd
[ -x ${slapd} ] || exit 0
[ -x ${slurpd} ] || exit 0

RETVAL=0

start() {
    # Start daemons. slurpd (replication) is only started when
    # slapd.conf defines a replogfile.
    echo -n "Starting slapd: "
    daemon ${slapd}
    RETVAL=$?
    echo
    if [ $RETVAL -eq 0 ]; then
        if grep -q "^replogfile" /usr/local/etc/openldap/slapd.conf; then
            echo -n "Starting slurpd: "
            daemon ${slurpd}
            RETVAL=$?
            echo
        fi
    fi
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ldap
    return $RETVAL
}

stop() {
    # Stop daemons.
    echo -n "Shutting down ldap: "
    killproc ${slapd}
    RETVAL=$?
    if [ $RETVAL -eq 0 ]; then
        if grep -q "^replogfile" /usr/local/etc/openldap/slapd.conf; then
            killproc ${slurpd}
            RETVAL=$?
        fi
    fi
    echo
    # the argsfile path matches the argsfile line in slapd.conf
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ldap /usr/local/var/slapd.args
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status ${slapd}
        if grep -q "^replogfile" /usr/local/etc/openldap/slapd.conf ; then
            status ${slurpd}
        fi
        ;;
    restart)
        stop
        start
        ;;
    reload)
        killall -HUP ${slapd}
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            if grep -q "^replogfile" /usr/local/etc/openldap/slapd.conf; then
                killall -HUP ${slurpd}
                RETVAL=$?
            fi
        fi
        ;;
    condrestart)
        if [ -f /var/lock/subsys/ldap ] ; then
            stop
            start
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|status|condrestart}"
        RETVAL=1
esac

exit $RETVAL

Of course you can download this file from http://www.netikus.net/. Make sure this file has the same permissions assigned to it as all the other startup files in this directory. If it does not, enter

chmod 755 /etc/rc.d/init.d/ldap

However, this file does not start our ldap server by itself; we still have to hook it into the runlevels, just like we did with our DNS service. So we create the necessary symbolic links with

ln -s /etc/rc.d/init.d/ldap /etc/rc.d/rc3.d/S54ldap
ln -s /etc/rc.d/init.d/ldap /etc/rc.d/rc5.d/S54ldap


for starting the service and with

ln -s /etc/rc.d/init.d/ldap /etc/rc.d/rc0.d/K41ldap
ln -s /etc/rc.d/init.d/ldap /etc/rc.d/rc6.d/K41ldap

we stop the services when our machine shuts down or reboots.
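The chmod and the four ln -s commands above can be wrapped into one function that is safe to run more than once (a link that already points at the right script is left alone, a wrong one is replaced, and a regular file in the way is refused rather than overwritten) together with a second function that verifies the result. This is an added example, not part of the original tutorial; the ROOT prefix argument is an assumption introduced so the functions can be exercised in a scratch directory, and readlink is assumed to be available (it is on Linux and the BSDs). On the real machine call both with an empty ROOT.

```shell
#!/bin/sh
# Added example (not from the original tutorial): install and verify the
# SysV links for /etc/rc.d/init.d/ldap. ROOT (first argument, assumed for
# testing) is prefixed to every path; pass "" for the real system.

INIT_SCRIPT=/etc/rc.d/init.d/ldap
# S links start the service in runlevels 3 and 5, K links stop it on halt
# (runlevel 0) and reboot (runlevel 6), as in the tutorial.
RC_LINKS="rc3.d/S54ldap rc5.d/S54ldap rc0.d/K41ldap rc6.d/K41ldap"

install_ldap_rc_links() {
    root=${1:-}
    script=$root$INIT_SCRIPT
    [ -f "$script" ] || { echo "missing $script" >&2; return 1; }
    # same mode as the other startup files in init.d
    chmod 755 "$script" || return 1

    for link in $RC_LINKS; do
        path=$root/etc/rc.d/$link
        mkdir -p "$(dirname "$path")" || return 1
        if [ -L "$path" ]; then
            # existing symlink: keep it if it already points at our script,
            # otherwise replace it
            if [ "$(readlink "$path")" = "$INIT_SCRIPT" ]; then
                continue
            fi
            rm -f "$path"
        elif [ -e "$path" ]; then
            echo "$path exists and is not a symlink; refusing to overwrite" >&2
            return 1
        fi
        ln -s "$INIT_SCRIPT" "$path" || return 1
    done
    return 0
}

# Returns 0 only if the script is executable and all four links exist and
# point at it; otherwise prints what is wrong and returns 1.
verify_ldap_rc_links() {
    root=${1:-}
    ok=0
    [ -x "$root$INIT_SCRIPT" ] || { echo "$root$INIT_SCRIPT not executable"; ok=1; }
    for link in $RC_LINKS; do
        path=$root/etc/rc.d/$link
        if [ ! -L "$path" ]; then
            echo "$path: missing"
            ok=1
        elif [ "$(readlink "$path")" != "$INIT_SCRIPT" ]; then
            echo "$path: points at $(readlink "$path"), expected $INIT_SCRIPT"
            ok=1
        fi
    done
    return $ok
}

# When run as a script: install, then verify, using the given ROOT prefix.
if [ $# -gt 0 ]; then
    install_ldap_rc_links "$1" && verify_ldap_rc_links "$1"
fi
```

Running the verify function after a reboot is a quick way to confirm the links survived and that nothing replaced the script with a file of the wrong mode.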
You should now reboot your system; I experienced some problems without doing a reboot. So type

shutdown -r now

and wait until our system is back up. Then log in again as root.