210.4. Configuring an OpenLDAP server
Weight: 4
Description: Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls.
Key Knowledge Areas:
    OpenLDAP
    Directory based configuration
    Access Control
    Distinguished Names
    Changetype Operations
    Schemas and Whitepages
    Directories
    Object IDs, Attributes and Classes
Terms and Utilities:
    slapd
    slapd-config
    LDIF
    slapadd
    slapcat
    slapindex
    /var/lib/ldap/
    loglevel
We begin this course with the basics of LDAP: what it is, where it is used, and why.

LDAP

LDAP is not a program; it is a protocol. LDAP stands for Lightweight Directory Access Protocol and is a set of protocols that allows a client to access centrally stored information over a network. It can be used in numerous ways, such as for authentication, a shared directory (for mail clients), an address book, etc. Because LDAP has so many different uses, it can store any kind of information.
The standard TCP ports for LDAP are 389 for unencrypted communication and 636 for LDAP over a TLS-encrypted channel, although it’s not uncommon for LDAP servers to listen on alternate ports for a variety of reasons.

LDAP Directory tree structure

An LDAP directory has a tree structure. All entries (called objects) of the directory have a defined position within this hierarchy. This hierarchy is called the directory information tree (DIT).
Entries at the higher levels of the hierarchy represent larger groupings or organizations. Entries beneath them represent the smaller organizations that make up the larger ones. The leaf nodes (entries) of the tree represent individuals or resources.

Naming Model

The naming model defines how entries and data in the DIT are uniquely referenced.
There are some definitions we are expected to know before we start working with LDAP:
Object: Sometimes referred to as a record or an entry, it represents a single item in the directory. An object is described according to the structure given by the schema.
Schema: The structure that defines the characteristics (attributes) of an object. It also defines what can be stored in each attribute.
Attribute: A part of an object. One or more attributes make up an object, as defined by the schema.
LDIF: Stands for LDAP Data Interchange Format. It is used to create objects within the LDAP directory. The values are placed into a file and can be loaded into a directory with the slapadd command.
DC: Stands for Domain Component, one component of the domain name that is reflected in the hierarchy.
OU: Stands for Organizational Unit.
CN: Stands for Common Name and is the name of an object (often a username, but not always).
DN: Stands for Distinguished Name. Each object in the directory has to have a unique name in order to provide structure. It is built from the object's own name (a CN) followed by the names of the entries above it, such as one or more DCs (example: cn=user,dc=abc,dc=com).

SSSD

Stands for System Security Services Daemon. It provides authentication of user accounts against an LDAP server (other solutions can be used instead).
Note: Configuring SSSD is NOT an exam objective; we only need to know what it is.

OpenLDAP

OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.
OpenLDAP provides a distributed directory service. It stores information associated with users that can be used to authenticate them for login and can provide other information about those users.
OpenLDAP is most commonly used on Linux; it can be compared to Active Directory on Windows, which likewise provides hierarchically organized user information.

Installing OpenLDAP server

For demonstration let's install an OpenLDAP server on a CentOS system; we install both server and client packages to work with it. We should install the following three packages:
    openldap-servers – the main LDAP server
    openldap-clients – the required LDAP client utilities
    openldap – the LDAP support libraries
[root@localhost ~]# yum install openldap openldap-servers openldap-clients.x86_64
Next, start the slapd service (do not forget to set SELinux to permissive with the setenforce 0 command first; that is a lab shortcut, not something to do on a production server):
[root@localhost ~]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
[root@localhost ~]# systemctl start slapd.service
[root@localhost ~]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-08-26 04:48:47 EDT; 2min 29s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 2979 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2961 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 2981 (slapd)
   CGroup: /system.slice/slapd.service
           └─2981 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Aug 26 04:48:46 localhost.localdomain systemd[1]: Starting OpenLDAP Server Da...
Aug 26 04:48:46 localhost.localdomain runuser[2965]: pam_unix(runuser:session...
Aug 26 04:48:46 localhost.localdomain slapcat[2971]: DIGEST-MD5 common mech free
Aug 26 04:48:46 localhost.localdomain slapd[2979]: @(#) $OpenLDAP: slapd 2.4....
Aug 26 04:48:47 localhost.localdomain slapd[2979]: tlsmc_get_pin: INFO: Pleas...
Aug 26 04:48:47 localhost.localdomain slapd[2981]: hdb_db_open: warning - no ...
                                                   Expect poor performance fo...
Aug 26 04:48:47 localhost.localdomain slapd[2981]: slapd starting
Aug 26 04:48:47 localhost.localdomain systemd[1]: Started OpenLDAP Server Dae...
Hint: Some lines were ellipsized, use -l to show in full.
and check whether it is listening or not:
[root@localhost ~]# netstat -tulpen | grep -i 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      0          33468      2981/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      0          33469      2981/slapd

/etc/openldap

It contains a number of different items:
[root@localhost ~]# cd /etc/openldap/
[root@localhost openldap]# ll
total 12
drwxr-xr-x. 2 root root   90 Aug 25 01:01 certs
-rw-r--r--. 1 root root  121 May 16 05:56 check_password.conf
-rw-r--r--. 1 root root  363 May 16 05:56 ldap.conf
drwxr-xr-x. 2 root root 4096 Aug 25 01:01 schema
drwxr-x---. 3 ldap ldap   45 Aug 25 01:01 slapd.d

ldap.conf

Used to set system-wide defaults applied when running the LDAP client tools (like ldapsearch and ldapadd).
[root@localhost openldap]# cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
Where
    SIZELIMIT <integer>: Specifies a size limit (number of entries) to use when performing searches.
    TIMELIMIT <integer>: Specifies a time limit (in seconds) to use when performing searches.
By default ldap.conf is world readable. There are no special settings to edit here, and it is not part of the exam objective.

/etc/openldap/schema/*

This directory contains a set of default schema specifications which describe the object classes available by default with the OpenLDAP software. Each set is defined in a file (e.g. core.schema) suitable for inclusion using the include directive in the global definitions portion of the slapd.conf file. It is helpful to browse the contents of these files to determine the required and available attributes for a particular object class.
[root@localhost openldap]# ls schema
collective.ldif    cosine.schema         java.ldif      openldap.schema
collective.schema  duaconf.ldif          java.schema    pmi.ldif
corba.ldif         duaconf.schema        misc.ldif      pmi.schema
corba.schema       dyngroup.ldif         misc.schema    ppolicy.ldif
core.ldif          dyngroup.schema       nis.ldif       ppolicy.schema
core.schema        inetorgperson.ldif    nis.schema
cosine.ldif        inetorgperson.schema  openldap.ldif
Try to cat some of these files, core.ldif for example, and see what they look like. This is part of core.ldif:
[root@localhost schema]# cat core.ldif
# OpenLDAP Core schema
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2016 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (1997-2003).
## All Rights Reserved.
##
## This document and translations of it may be copied and furnished to
## others, and derivative works that comment on or otherwise explain it
## or assist in its implementation may be prepared, copied, published
## and distributed, in whole or in part, without restriction of any
## kind, provided that the above copyright notice and this paragraph are
## included on all such copies and derivative works. However, this
## document itself may not be modified in any way, such as by removing
## the copyright notice or references to the Internet Society or other
## Internet organizations, except as needed for the purpose of
## developing Internet standards in which case the procedures for
## copyrights defined in the Internet Standards process must be
## followed, or as required to translate it into languages other than
## English.
##
## The limited permissions granted above are perpetual and will not be
## revoked by the Internet Society or its successors or assigns.
##
## This document and the information contained herein is provided on an
## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
#
# Includes LDAPv3 schema items from:
#       RFC 2252/2256 (LDAPv3)
#
# Select standard track schema items:
#       RFC 1274 (uid/dc)
#       RFC 2079 (URI)
#       RFC 2247 (dc/dcObject)
#       RFC 2587 (PKI)
#       RFC 2589 (Dynamic Directory Services)
#
# Select informational schema items:
#       RFC 2377 (uidObject)
#
#
# Standard attribute types from RFC 2256
#
dn: cn=core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: core
#
# system schema
#olcAttributeTypes: ( 2.5.4.0 NAME 'objectClass'
#       DESC 'RFC2256: object classes of the entity'
#       EQUALITY objectIdentifierMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
#
# system schema
#olcAttributeTypes: ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' )
#       DESC 'RFC2256: name of aliased object'
#       EQUALITY distinguishedNameMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
#
olcAttributeTypes: ( 2.5.4.2 NAME 'knowledgeInformation'
        DESC 'RFC2256: knowledge information'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
#
# system schema
#olcAttributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' )
#       DESC 'RFC2256: common name(s) for which the entity is known by'
#       SUP name )
#
olcAttributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' )
        DESC 'RFC2256: last (family) name(s) for which the entity is known by'
        SUP name )
#
olcAttributeTypes: ( 2.5.4.5 NAME 'serialNumber'
        DESC 'RFC2256: serial number of the entity'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
#
# RFC 4519 definition ('countryName' in X.500 and RFC2256)
olcAttributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' )
        DESC 'RFC4519: two-letter ISO-3166 country code'
        SUP name
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
        SINGLE-VALUE )
#
olcAttributeTypes: ( 2.5.4.7 NAME ( 'l' 'localityName' )
        DESC 'RFC2256: locality which this object resides in'
        SUP name )
#
olcAttributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
        DESC 'RFC2256: state or province which this object resides in'
        SUP name )
#
olcAttributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetAddress' )
        DESC 'RFC2256: street address of this object'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
#
olcAttributeTypes: ( 2.5.4.10 NAME ( 'o' 'organizationName' )
        DESC 'RFC2256: organization this object belongs to'
        SUP name )
#
olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
        DESC 'RFC2256: organizational unit this object belongs to'
        SUP name )
#
olcAttributeTypes: ( 2.5.4.12 NAME 'title'
        DESC 'RFC2256: title associated with the entity'
        SUP name )
#
# system schema
#olcAttributeTypes: ( 2.5.4.13 NAME 'description'
#       DESC 'RFC2256: descriptive information'
#       EQUALITY caseIgnoreMatch
#       SUBSTR caseIgnoreSubstringsMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
#
...

slapd.conf

The main server configuration file, containing the information needed by the slapd LDAP server. Let's take a look at it:
[root@localhost ~]# cd /etc/openldap/
[root@localhost openldap]# ll
total 12
drwxr-xr-x. 2 root root   90 Aug 25 01:01 certs
-rw-r--r--. 1 root root  121 May 16 05:56 check_password.conf
-rw-r--r--. 1 root root  363 May 16 05:56 ldap.conf
drwxr-xr-x. 2 root root 4096 Aug 25 01:01 schema
drwxr-x---. 3 ldap ldap   45 Aug 25 01:01 slapd.d
Where is it?
[root@localhost openldap]# updatedb

[root@localhost openldap]# locate slapd.conf
/usr/lib/tmpfiles.d/slapd.conf
/usr/share/man/man5/slapd.conf.5.gz

[root@localhost openldap]# cat /usr/lib/tmpfiles.d/slapd.conf
# openldap runtime directory for slapd.arg and slapd.pid
d /var/run/openldap 0755 ldap ldap -
Historically OpenLDAP has been statically configured, that is, to make a change to the configuration the slapd.conf file was modified and slapd stopped and started. In the case of larger users this could take a considerable period of time and had become increasingly unacceptable as an operational method.

slapd.conf or dynamic runtime configuration engine

Significant changes to slapd were introduced with versions 2.3 and 2.4. The most significant is that, while slapd.conf is still supported (as of 2.4), OpenLDAP is increasingly moving toward On-Line Configuration (OLC), frequently also known as cn=config or slapd.d configuration. This method enables most configuration changes to be made without stopping and starting the LDAP server.
If that sounds confusing, put simply: the server's configuration is itself kept in a database (which in turn configures the directory database), and there is no longer a single slapd.conf configuration file.
Unfortunately the LPIC-2 exam objective is about old OpenLDAP versions (prior to v2.3), but what we have here is OpenLDAP v2.4:
[root@localhost openldap]# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (May 16 2018 09:55:53) $
        [email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.

[root@localhost openldap]# pwd
/etc/openldap
[root@localhost openldap]# ls -l
total 12
drwxr-xr-x. 2 root root   90 Aug 25 01:01 certs
-rw-r--r--. 1 root root  121 May 16 05:56 check_password.conf
-rw-r--r--. 1 root root  363 May 16 05:56 ldap.conf
drwxr-xr-x. 2 root root 4096 Aug 25 01:01 schema
drwxr-x---. 3 ldap ldap   45 Aug 25 01:01 slapd.d
So let's stick to our modern OpenLDAP; however, we still need to cover the exam objectives, so I have prepared another system with CentOS 5 and OpenLDAP 2.3.x on it to show the differences:
[[email protected] ~]# slapd -V
@(#) $OpenLDAP: slapd 2.3.43 (Sep 29 2015 06:22:05) $
        [email protected]:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd

[[email protected] ~]# ls -l /etc/openldap/
total 40
drwxr-xr-x 2 root root 4096 Sep 29  2015 cacerts
-rw-r----- 1 root ldap  921 Sep 29  2015 DB_CONFIG.example
-rw-r--r-- 1 root root  327 Aug 26 23:26 ldap.conf
drwxr-xr-x 3 root root 4096 Aug 27 01:31 schema
-rw-r----- 1 root ldap 3801 Sep 29  2015 slapd.conf

[[email protected] openldap]# cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

[[email protected] openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMP​LE.COM

Configuring OpenLDAP v2.4:

OpenLDAP v2.4 server configuration files are found in /etc/openldap/slapd.d/:
[root@localhost openldap]# cd slapd.d/

[root@localhost slapd.d]# ls -l
total 4
drwxr-x---. 3 ldap ldap 182 Aug 25 01:01 cn=config
-rw-------. 1 ldap ldap 589 Aug 25 01:01 cn=config.ldif
[root@localhost slapd.d]# tree
.
├── cn=config
│   ├── cn=schema
│   │   └── cn={0}core.ldif
│   ├── cn=schema.ldif
│   ├── olcDatabase={0}config.ldif
│   ├── olcDatabase={-1}frontend.ldif
│   ├── olcDatabase={1}monitor.ldif
│   └── olcDatabase={2}hdb.ldif
└── cn=config.ldif

2 directories, 7 files
Note: Although the slapd-config system stores its configuration as (text-based) LDIF files, you should never edit any of the LDIF files directly. Configuration changes should be performed via LDAP operations, e.g. ldapadd, ldapdelete, or ldapmodify.

slapcat

slapcat is used to generate LDAP Data Interchange Format (LDIF) output based upon the contents of a slapd database. It opens the database selected by database number or suffix and writes the corresponding LDIF to standard output or to the specified file.
[root@localhost ~]# slapcat
5b82165c The first database does not allow slapcat; using the first available one (2)
5b82165c hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=my-domain,dc=com".
By default slapcat in version 2.3 (and prior) dumps the default database, but here in version 2.4.x (and above) it prints nothing: as the message shows, it falls back to the second database, which is still empty. If we select the configuration database with -b, it shows the default configuration:
[root@localhost ~]# slapcat -b cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
structuralObjectClass: olcGlobal
entryUUID: b08165de-3c6f-1038-830f-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.110276Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: b081765a-3c6f-1038-8310-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.110757Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: k
 nowledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.
 121.1.15{32768} )
olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last
 (family) name(s) for which the entity is known by' SUP name )
olcAttributeTypes: {2}( 2.5.4.5 NAME 'serialNumber' DESC 'RFC2256: serial nu
 mber of the entity' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat
 ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
olcAttributeTypes: {3}( 2.5.4.6 NAME ( 'c' 'countryName' ) DESC 'RFC4519: tw
 o-letter ISO-3166 country code' SUP name SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 11 SINGLE-VALUE )
.....
olcObjectClasses: {0}( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP
 top STRUCTURAL MUST c MAY ( searchGuide $ description ) )
olcObjectClasses: {1}( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SU
 P top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ descriptio
 n ) )
olcObjectClasses: {2}( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organiz
 ation' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso
 $ businessCategory $ x121Address $ registeredAddress $ destinationIndicato
 r $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ tel
 ephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street
 $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName
 $ st $ l $ description ) )
olcObjectClasses: {3}( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an o
 rganizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchG
 uide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ desti
 nationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalId
 entifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNu
 mber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDelive
 ryOfficeName $ st $ l $ description ) )
.....
olcObjectClasses: {25}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247:
 domain component object' SUP top AUXILIARY MUST dc )
olcObjectClasses: {26}( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid ob
 ject' SUP top AUXILIARY MUST uid )
structuralObjectClass: olcSchemaConfig
entryUUID: b0818bfe-3c6f-1038-8311-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.111311Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
structuralObjectClass: olcDatabaseConfig
entryUUID: b081be26-3c6f-1038-8312-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.112594Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: b081e6e4-3c6f-1038-8313-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.113635Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: b081ed42-3c6f-1038-8314-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.113801Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: b081f3fa-3c6f-1038-8315-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.113973Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z
-b suffix: Use the specified suffix to determine which database to generate output for.
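The two olcAccess values in this dump, and the commented sample policy in the 2.3 slapd.conf shown earlier, are evaluated as slapd.access(5) describes: the first to clause that matches the target entry is selected, then the first by clause in it that matches the requester decides the access level. The Python model below is an added example, not OpenLDAP code; it implements only the selectors that appear on this page (*, self, users, anonymous and dn.base="...") with the default stop behaviour, so it is a teaching aid rather than a substitute for slapacl(8), and the requester DN for root bound with SASL EXTERNAL over ldapi:/// is assumed to be the one ldapmodify reports later on this page.

```python
"""Model of slapd access-control evaluation for the selectors used on this page.

Added example, not OpenLDAP code. Evaluation order follows the OpenLDAP Admin
Guide: the first 'to' clause matching the target entry is selected, then the
first matching 'by' clause inside it decides the level. Every directive ends
with an implicit 'by * none' and every list with an implicit 'to * by * none';
with no ACLs at all slapd defaults to 'to * by * read'. The rootdn of a
database bypasses its ACLs.
"""
import re

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RANK = {level: i for i, level in enumerate(LEVELS)}

WHO = r'(\*|self|users|anonymous|dn\.base="[^"]*")'
TO_RE = re.compile(r'^to\s+(\*|dn\.base="[^"]*")\s+(by\s+.*)$')
BY_RE = re.compile(r'by\s+' + WHO + r'\s+(\w+)')


def parse_access(directive):
    """Parse 'to <what> by <who> <level> [by ...]' into (what, [(who, level), ...]).

    A slapd-config ordering prefix such as '{0}' is accepted and dropped.
    """
    directive = re.sub(r"^\{-?\d+\}", "", directive.strip())
    m = TO_RE.match(directive)
    if not m:
        raise ValueError(f"unsupported access directive: {directive!r}")
    clauses = BY_RE.findall(m.group(2))
    for _, level in clauses:
        if level not in RANK:
            raise ValueError(f"unknown access level {level!r}")
    return m.group(1), clauses


def _dn_of(selector):
    """Extract <dn> from dn.base="<dn>"."""
    return selector[len('dn.base="'):-1]


def _what_matches(what, target_dn):
    return what == "*" or target_dn == _dn_of(what)


def _who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn == target_dn
    return requester_dn == _dn_of(who)


def granted_level(acls, requester_dn, target_dn, rootdn=None):
    """Access level slapd would grant requester_dn on target_dn ("" = anonymous)."""
    if rootdn is not None and requester_dn == rootdn:
        return "manage"                      # rootdn is never subject to ACLs
    if not acls:
        return "read"                        # default policy: to * by * read
    for what, clauses in (parse_access(a) for a in acls):
        if not _what_matches(what, target_dn):
            continue
        for who, level in clauses:
            if _who_matches(who, requester_dn, target_dn):
                return level
        return "none"                        # implicit trailing 'by * none'
    return "none"                            # implicit trailing 'to * by * none'


def allowed(acls, requester_dn, target_dn, needed, rootdn=None):
    """True when the granted level is at least the level the operation needs."""
    return RANK[granted_level(acls, requester_dn, target_dn, rootdn)] >= RANK[needed]


# ACLs as dumped for olcDatabase={0}config and {1}monitor above (unfolded).
CONFIG_ACL = ['{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none']
MONITOR_ACL = ['{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read '
               'by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none']
# The sample policy from the commented 2.3 slapd.conf, uncommented.
SAMPLE_POLICY = ['to dn.base="" by * read',
                 'to dn.base="cn=Subschema" by * read',
                 'to * by self write by users read by anonymous auth']
# SASL username root gets when binding with -Y EXTERNAL over ldapi:/// (assumed from ldapmodify's output).
ROOT_VIA_LDAPI = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

if __name__ == "__main__":
    print(granted_level(CONFIG_ACL, ROOT_VIA_LDAPI, "olcDatabase={2}hdb,cn=config"))  # manage
    print(granted_level(CONFIG_ACL, "cn=Manager,dc=my-domain,dc=com", "cn=config"))  # none
    print(granted_level(SAMPLE_POLICY, "", "uid=bob,dc=my-domain,dc=com"))           # auth
```

The config-database ACL is why the later ldapmodify -Y EXTERNAL -H ldapi:/// run as root succeeds, while cn=Manager (the rootdn of the hdb database, not of cn=config) gets no access there.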
To start configuring LDAP, we need to update the attributes olcSuffix and olcRootDN (and set olcRootPW):
    olcSuffix – the database suffix, i.e. the domain name for which the LDAP server provides information. In simple words, it should be changed to your domain name.
    olcRootDN – the Root Distinguished Name (DN) of the user who has unrestricted access to perform all administrative activities on LDAP, like a root user.
    olcRootPW – the LDAP admin password for the above RootDN.
These attributes live in the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif, but editing the LDAP configuration by hand is not recommended: changes made that way are lost whenever the ldapmodify command is run.
First, let's generate an admin password:

slappasswd

slappasswd is the OpenLDAP password utility. It is used to generate a userPassword value suitable for use with ldapmodify, the slapd.conf(5) rootpw configuration directive or the slapd-config olcRootPW configuration directive.
[root@localhost ~]# slappasswd
New password:
Re-enter new password:
{SSHA}un1ELmHXVCdBQOOx+eK0V9hWtGYj1RYF
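The {SSHA} value slappasswd printed is the base64 encoding of a SHA-1 digest over the password plus a 4-byte random salt, followed by that salt. The Python below is an added example, not slappasswd's code: it generates and verifies such values and splits the page's hash into digest and salt; the password behind the page's hash is not known here, so only freshly generated values are verified. The scheme is salted but fast (a single SHA-1 pass), so the rootdn password itself has to be strong.

```python
"""Generate and verify {SSHA} password values as produced by slappasswd.

Added example, not slappasswd's or OpenLDAP's code. {SSHA} stores
base64( SHA-1(password || salt) || salt ) with a 4-byte salt by default:
salted, so equal passwords give different values, but a single fast SHA-1
pass, so an olcRootPW protected this way is only as strong as the password.
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 4      # slappasswd default salt length
DIGEST_LEN = 20   # SHA-1 digest length


def ssha_hash(password, salt=None):
    """Return a {SSHA} string for password, using salt (bytes) or a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(value):
    """Split a {SSHA} value into (digest, salt); raise ValueError if malformed."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short: need a 20-byte digest plus a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, value):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        digest, salt = ssha_parts(value)
    except ValueError:            # also covers binascii.Error from bad base64
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# The value slappasswd printed above; the password behind it is not known here.
PAGE_HASH = "{SSHA}un1ELmHXVCdBQOOx+eK0V9hWtGYj1RYF"

if __name__ == "__main__":
    digest, salt = ssha_parts(PAGE_HASH)
    print(len(digest), len(salt))                                          # 20 4
    value = ssha_hash("lab-password")
    print(ssha_verify("lab-password", value), ssha_verify("wrong", value))  # True False
```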
To add something to the LDAP directory, we first need to create an LDIF file. The LDIF file should contain definitions for all attributes required for the entries that you want to create, modify or change.
Now let's create an LDIF file and define the required changes inside it (including the generated password for the LDAP admin user "ldapadm"):
[root@localhost ~]# vim mydb.ldif
[root@localhost ~]# cat mydb.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}un1ELmHXVCdBQOOx+eK0V9hWtGYj1RYF
Now send the configuration to the LDAP server:

ldapmodify

ldapmodify opens a connection to an LDAP server, binds, and modifies or adds entries. The entry information is read from standard input or from file through the use of the -f option.
[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mydb.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
By default ldapmodify checks the LDIF file for syntax errors before applying it to the LDAP database, and here it looks good.

slaptest

slaptest checks the suitability of the OpenLDAP slapd.conf file. Although version 2.4 no longer uses slapd.conf, slaptest still works against the slapd-config directory. We use the -u switch to enable dry-run mode (i.e. do not fail if the databases cannot be opened, as long as the configuration itself is fine) and -v for verbosity:
    [[email protected] ~]# slaptest -u -v
    config file testing succeeded
And finally, let's see what we have added:
    [[email protected] ~]# slapcat -b "cn=config" | tail -n 18
    dn: olcDatabase={2}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {2}hdb
    olcDbDirectory: /var/lib/ldap
    olcDbIndex: objectClass eq,pres
    olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
    structuralObjectClass: olcHdbConfig
    entryUUID: 8b4fc7bc-3d58-1038-8a82-1b16564c9910
    creatorsName: cn=config
    createTimestamp: 20180826084827Z
    olcSuffix: dc=example,dc=com
    olcRootDN: cn=ldapadm,dc=example,dc=com
    olcRootPW:: e1NTSEF9dW4xRUxtSFhWQ2RCUU9PeCtlSzBWOWhXdEdZajFSWUY=
    entryCSN: 20180826091327.632638Z#000000#000#000000
    modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    modifyTimestamp: 20180826091327Z
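Two details of that output are worth understanding: the double colon in "olcRootPW::" means slapcat has base64-encoded the value, and the decoded {SSHA} string is slappasswd's default scheme, base64(sha1(password + salt) + salt) with a random 4-byte salt. The following Python is an added example (not part of the course material, function names are mine) that decodes such LDIF lines, reproduces and verifies {SSHA} values the way slapd does, and checks that a rootpw value is a hash rather than cleartext.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the olcRootPW line exactly as slapcat printed it above.
SLAPCAT_ROOTPW_LINE = "olcRootPW:: e1NTSEF9dW4xRUxtSFhWQ2RCUU9PeCtlSzBWOWhXdEdZajFSWUY="


def ldif_value(line):
    """Return (attribute, decoded value) for one LDIF attribute line.

    'attr: value' is plain text; 'attr:: value' is base64, which slapcat uses
    whenever a value is not safe to print as-is (non-ASCII, leading or
    trailing spaces, ...).
    """
    if "::" in line:
        attr, rest = line.split("::", 1)
        return attr.strip(), base64.b64decode(rest.strip()).decode("utf-8")
    attr, rest = line.split(":", 1)
    return attr.strip(), rest.strip()


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value the way slappasswd does:
    base64( sha1(password + salt) + salt ), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value. The salt is whatever follows
    the 20-byte SHA-1 digest, so nothing secret is stored in the clear."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not a {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time compare, so timing does not leak how much matched.
    return hmac.compare_digest(candidate, digest)


def olcrootpw_is_hashed(line):
    """Config check: an olcRootPW value must carry a scheme prefix such as
    {SSHA} or {CRYPT}; anything else sits in the configuration as cleartext."""
    _, value = ldif_value(line)
    return value.startswith("{") and "}" in value
```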

Configuring OpenLDAP v2.3.x (and prior):

Configuring OpenLDAP v2.3.x is much easier. We need to set the database-specific directives in slapd.conf:
    database bdb
    suffix "dc=my-domain,dc=com"
    rootdn "cn=Manager,dc=my-domain,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw secret
    # rootpw {crypt}ijFYNcSNctBYg
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /var/lib/ldap
    database: The type of database, a Berkeley DB database in this case, is set in the first line of this section.
    suffix: The suffix line names the domain for which the LDAP server provides information and should be changed.
    rootdn: The rootdn entry is the Distinguished Name (DN) of a user who is unrestricted by access controls or administrative limits set for operations on the LDAP directory. The rootdn user can be thought of as the root user of the LDAP directory. In the configuration file, change the rootdn line from its default value.
    rootpw: The administrator password is set with rootpw. Instead of using secret here, it is possible to enter the hash of the administrator password created by slappasswd.
    directory: The directory directive names the directory (in the file system) where the database files are stored on the server. There is no need to change it.
After the changes, the slapd.conf file looks like this:
    database bdb
    suffix "dc=example,dc=com"
    rootdn "cn=ldapadm,dc=example,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw secret
    # rootpw {crypt}ijFYNcSNctBYg
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /var/lib/ldap
Test the configuration (we are using OpenLDAP v2.3.x here, so slaptest is pointed at slapd.conf with -f):
    [[email protected] openldap]# slaptest -u -v -f slapd.conf
    config file testing succeeded
And restart the service:
    [[email protected] log]# service ldap stop
    Stopping slapd: [ OK ]
    [[email protected] log]# service ldap start
    Starting slapd: [ OK ]

/var/lib/ldap

This directory contains all the files that make up the LDAP directory database (the back-end database files and their transaction logs). None of the files in this directory should be edited by hand. The database type and location are defined in /etc/openldap/slapd.conf (the directory directive) or, with slapd-config, by olcDbDirectory.
    [[email protected] ~]# ls -l /var/lib/ | grep ldap
    drwx------ 2 ldap ldap 126 Aug 26 08:11 ldap
    [[email protected] ~]# ls -la /var/lib/ldap/
    total 380
    drwx------   2 ldap ldap      126 Aug 26 08:11 .
    drwxr-xr-x. 58 root root     4096 Aug 26 04:48 ..
    -rw-r--r--   1 ldap ldap     4096 Aug 26 08:11 alock
    -rw-------   1 ldap ldap   303104 Aug 26 08:23 __db.001
    -rw-------   1 ldap ldap    40960 Aug 26 08:23 __db.002
    -rw-------   1 ldap ldap    49152 Aug 26 08:23 __db.003
    -rw-------   1 ldap ldap     8192 Aug 26 04:48 dn2id.bdb
    -rw-------   1 ldap ldap    32768 Aug 26 04:48 id2entry.bdb
    -rw-------   1 ldap ldap 10485760 Aug 26 07:21 log.0000000001
These files hold the contents of our directory server once the service is started.
Note: slapd runs as the ldap user by default. If you start it (or load LDIF files, etc.) as root, it creates files with the wrong ownership and permissions. Run chown -R ldap:ldap /var/lib/ldap to fix the ownership and then start the service.
OpenLDAP v2.4:
    [[email protected] ~]# chown -R ldap:ldap /var/lib/ldap
    [[email protected] ~]# ls -la /var/lib/ldap/
    total 380
    drwx------   2 ldap ldap      126 Aug 26 23:10 .
    drwxr-xr-x. 58 root root     4096 Aug 26 04:48 ..
    -rw-r--r--   1 ldap ldap     4096 Aug 26 08:11 alock
    -rw-------   1 ldap ldap   303104 Aug 26 08:23 __db.001
    -rw-------   1 ldap ldap    40960 Aug 26 08:23 __db.002
    -rw-------   1 ldap ldap    49152 Aug 26 08:23 __db.003
    -rw-------   1 ldap ldap     8192 Aug 26 04:48 dn2id.bdb
    -rw-------   1 ldap ldap    32768 Aug 26 04:48 id2entry.bdb
    -rw-------   1 ldap ldap 10485760 Aug 26 07:21 log.0000000001
By the way, where is the configuration database in version 2.4.x and higher?

/etc/openldap/slapd.d (v2.4.x and above)

    [[email protected] ~]# tree /etc/openldap/slapd.d/
    /etc/openldap/slapd.d/
    ├── cn=config
    │   ├── cn=schema
    │   │   └── cn={0}core.ldif
    │   ├── cn=schema.ldif
    │   ├── olcDatabase={0}config.ldif
    │   ├── olcDatabase={-1}frontend.ldif
    │   ├── olcDatabase={1}monitor.ldif
    │   └── olcDatabase={2}hdb.ldif
    └── cn=config.ldif

    2 directories, 7 files
OpenLDAP v2.3.x:
    [[email protected] openldap]# ls -l /var/lib/ldap/
    total 956
    -rw-r--r-- 1 root root     4096 Aug 27 02:25 alock
    -rw------- 1 root root    24576 Aug 27 02:25 __db.001
    -rw------- 1 root root   368640 Aug 27 02:25 __db.002
    -rw------- 1 root root   270336 Aug 27 02:25 __db.003
    -rw------- 1 root root    98304 Aug 27 02:25 __db.004
    -rw------- 1 root root   557056 Aug 27 02:25 __db.005
    -rw------- 1 root root    24576 Aug 27 02:25 __db.006
    -rw------- 1 root root     8192 Aug 27 02:12 dn2id.bdb
    -rw------- 1 root root    32768 Aug 27 02:12 id2entry.bdb
    -rw------- 1 root root 10485760 Aug 27 02:12 log.0000000001
    -rw-r--r-- 1 root root       37 Aug 27 01:31 openldap-severs-update.log
    [[email protected] openldap]# chown -R ldap:ldap /var/lib/ldap
And restart the OpenLDAP service to check:
OpenLDAP v2.4:
    [[email protected] ~]# systemctl stop slapd.service
    [[email protected] ~]# systemctl start slapd.service
OpenLDAP v2.3.x:
    [[email protected] log]# service ldap stop
    Stopping slapd: [ OK ]
    [[email protected] log]# service ldap start
    Starting slapd: [ OK ]
To make sure everything is okay, let's run a search against our directory server:

ldapsearch

ldapsearch opens a connection to an LDAP server, binds, and performs a search using the specified parameters. The filter must conform to the string representation of LDAP search filters (RFC 4515):
OpenLDAP v2.4:
    [[email protected] ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: namingContexts
    #

    #
    dn:
    namingContexts: dc=example,dc=com

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
-x selects simple authentication; -b sets the search base, which is empty here because we are querying the server's root entry (the root DSE) rather than a particular suffix; -s base limits the scope to that single entry; the filter (objectclass=*) matches it whatever its object classes are; and namingContexts asks only for the attribute that lists the suffixes (naming contexts) this server holds, dc=example,dc=com in our case.
OpenLDAP v2.3.x:
    [[email protected] ~]# ldapsearch -x -b 'dc=example,dc=com'

Quick look at the OpenLDAP back-end database:

The bdb backend to slapd uses the Oracle Berkeley DB (BDB) package to store data. It makes extensive use of indexing and caching to speed data access.
Note that BDB is deprecated and support will be dropped in future OpenLDAP releases. Installations should use the mdb backend instead.
hdb is a variant of the bdb backend that uses a hierarchical database layout which supports subtree renames. It is both more space-efficient and more execution-efficient than the bdb backend. It is otherwise identical to the bdb behavior, and all the same configuration options apply.
Please notice that these options are intended to complement Berkeley DB configuration options set in the environment's DB_CONFIG file. See Berkeley DB documentation for details on DB_CONFIG configuration options. Where there is overlap, settings in DB_CONFIG take precedence.

slapindex

slapindex rebuilds the indexes of a slapd database; the back end relies on those indexes (and on caching) for fast data access.
Unfortunately the slapindex documentation shipped with OpenLDAP 2.4 is not very useful: it still describes previous OpenLDAP versions and expects a slapd.conf file (try man slapindex on CentOS 7 to see). So let's try it using OpenLDAP v2.3.x:
    [[email protected] openldap]# slapindex -f /etc/openldap/slapd.conf -b "dc=example,dc=com"
    bdb_db_open: database already in use
    backend_startup_one: bi_db_open failed! (-1)
    slap_startup failed

    [[email protected] openldap]# service ldap stop
    Stopping slapd: [ OK ]

    [[email protected] openldap]# slapindex -f /etc/openldap/slapd.conf -b "dc=example,dc=com"
    bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
    Expect poor performance for suffix dc=example,dc=com.
As you can see, it complains about not finding a DB_CONFIG file. Fortunately an example DB_CONFIG file for use with slapd databases is shipped with the package. We can simply copy this file into the LDAP database directory:
    [[email protected] openldap]# locate DB_CONFIG
    /etc/openldap/DB_CONFIG.example
    [[email protected] openldap]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    [[email protected] openldap]# chown -R ldap:ldap /var/lib/ldap
    [[email protected] openldap]# ls -l /var/lib/ldap/
    total 9888
    -rw-r--r-- 1 ldap ldap      4096 Aug 27 21:11 alock
    -rw------- 1 root root     24576 Aug 27 21:11 __db.001
    -rw------- 1 root root 104857600 Aug 27 21:11 __db.002
    -rw------- 1 root root 335552512 Aug 27 21:11 __db.003
    -rw------- 1 root root   2359296 Aug 27 21:11 __db.004
    -rw------- 1 root root    557056 Aug 27 21:11 __db.005
    -rw------- 1 root root     24576 Aug 27 21:11 __db.006
    -rw-r----- 1 ldap ldap       921 Aug 27 21:10 DB_CONFIG
    -rw------- 1 ldap ldap      8192 Aug 27 02:12 dn2id.bdb
    -rw------- 1 ldap ldap     32768 Aug 27 02:12 id2entry.bdb
    -rw------- 1 ldap ldap  10485760 Aug 27 21:11 log.0000000001
    -rw-r--r-- 1 ldap ldap        37 Aug 27 01:31 openldap-severs-update.log
And take a look at it:
    [[email protected] openldap]# cat /var/lib/ldap/DB_CONFIG
    # $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.4 2007/12/18 11:51:46 ghenry Exp $
    # Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
    #
    # See the Oracle Berkeley DB documentation
    # <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_config.html>
    # for detail description of DB_CONFIG syntax and semantics.
    #
    # Hints can also be found in the OpenLDAP Software FAQ
    # <http://www.openldap.org/faq/index.cgi?file=2>
    # in particular:
    # <http://www.openldap.org/faq/index.cgi?file=1075>

    # Note: most DB_CONFIG settings will take effect only upon rebuilding
    # the DB environment.

    # one 0.25 GB cache
    set_cachesize 0 268435456 1

    # Data Directory
    #set_data_dir db

    # Transaction Log settings
    set_lg_regionmax 262144
    set_lg_bsize 2097152
    #set_lg_dir logs

    # Note: special DB_CONFIG flags are no longer needed for "quick"
    # slapadd(8) or slapindex(8) access (see their -q option).
And check again:
    [[email protected] openldap]# slapindex -f /etc/openldap/slapd.conf -b "dc=example,dc=com"
    bdb_db_open: DB_CONFIG for suffix dc=example,dc=com has changed.
    Performing database recovery to activate new settings.

loglevel

Although not included in the configuration file by default, logging can be set up with the loglevel directive. This directive specifies the level at which debugging statements and operation statistics are logged. Log levels may be specified as integers or by keyword; however, most people stick to the integer form.
    loglevel number
The available levels and their keywords:
    Level   Keyword         Description
    -1      any             enable all debugging
    0                       no debugging
    1       (0x1 trace)     trace function calls
    2       (0x2 packets)   debug packet handling
    4       (0x4 args)      heavy trace debugging
    8       (0x8 conns)     connection management
    16      (0x10 BER)      print out packets sent and received
    32      (0x20 filter)   search filter processing
    64      (0x40 config)   configuration processing
    128     (0x80 ACL)      access control list processing
    256     (0x100 stats)   stats log connections/operations/results
    512     (0x200 stats2)  stats log entries sent
    1024    (0x400 shell)   print communication with shell backends
    2048    (0x800 parse)   print entry parsing debugging
    16384   (0x4000 sync)   syncrepl consumer processing
    32768   (0x8000 none)   only messages that get logged whatever log level is set
Multiple log levels may be used and the levels are additive.
    # (1 + 8 + 128 + 256)=393
    loglevel 393
Another logging-related setting that is not included by default is the logfile directive. By default, LDAP log entries are sent to syslog. While this has its benefits, I find it more convenient to direct log entries to a file using the logfile directive:
    # Logging
    # - trace function calls (1)
    # - connection management (8)
    # - ACL processing (128)
    # - stats log connections/operations/results (256)
    # (1 + 8 + 128 + 256)=393
    loglevel 393

    logfile /var/log/ldap.log
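The additive arithmetic above is easy to get wrong by hand, so here is an added example (not part of the course material; the function names are mine) in Python that parses a loglevel directive in any of the forms slapd.conf accepts (decimal, hex, keywords, or a mix), splits an integer back into the keywords from the table, and checks whether the stats level that records connections, operations and results is enabled at all.

```python
import re

# Bit values and keywords from the loglevel table above (slapd.conf(5)).
LOGLEVEL_BITS = {
    "trace": 0x1, "packets": 0x2, "args": 0x4, "conns": 0x8, "BER": 0x10,
    "filter": 0x20, "config": 0x40, "ACL": 0x80, "stats": 0x100,
    "stats2": 0x200, "shell": 0x400, "parse": 0x800, "sync": 0x4000,
    "none": 0x8000,
}
_BY_LOWER = {k.lower(): v for k, v in LOGLEVEL_BITS.items()}  # keywords are case-insensitive
_ALL_BITS = sum(LOGLEVEL_BITS.values())


def parse_loglevel(directive):
    """Return the effective integer mask of one 'loglevel ...' directive line.

    slapd accepts several decimal, hex (0x...) or keyword values on the line
    and ORs them together; 'any' or -1 means everything.
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "loglevel":
        raise ValueError("not a loglevel directive: %r" % directive)
    level = 0
    for tok in tokens[1:]:
        low = tok.lower()
        if low == "any" or tok == "-1":
            return -1
        if low in _BY_LOWER:
            level |= _BY_LOWER[low]
        elif re.fullmatch(r"0x[0-9a-f]+", low):
            level |= int(low, 16)
        elif tok.isdigit():
            level |= int(tok)
        else:
            raise ValueError("unknown loglevel value: %r" % tok)
        if level & ~_ALL_BITS:
            raise ValueError("no such log level bit in %r" % tok)
    return level


def loglevel_keywords(level):
    """Split an integer loglevel back into the keywords it is made of."""
    if level == -1:
        return ["any"]
    if level & ~_ALL_BITS:
        raise ValueError("undefined bits in %#x" % level)
    return [kw for kw, bit in LOGLEVEL_BITS.items() if level & bit]


def audit_loglevel(directive):
    """Defender's check: 'stats' (256) is the level that records every
    connection, operation and result; without it there is no audit trail.
    Returns (stats_enabled, keywords)."""
    level = parse_loglevel(directive)
    has_stats = level == -1 or bool(level & LOGLEVEL_BITS["stats"])
    return has_stats, loglevel_keywords(level)
```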
When using the logfile directive, we need to make sure the log file exists before starting the LDAP server:
    touch /var/log/ldap.log

LDAP implementations

Once upon a time OpenLDAP was the only game in the open-source LDAP town. It is still regarded as the LDAP reference implementation and remains an excellent system with many production deployments; it is actively developed and extremely complex to implement for anything other than trivial applications. It is, however, no longer the only game in town. There is now the 389 Directory Server (formerly Fedora Directory Server), another University of Michigan derivative; OpenDJ (a fork of OpenDS, a Sun-led Java-based LDAP implementation which now appears inactive); and the ApacheDS (Apache Directory) project. All appear to be excellent projects and, together with OpenLDAP, provide an embarrassment of riches in the open-source LDAP space, driving capabilities and functionality forward.
Now that we have our OpenLDAP server up and running, it is time to create some OUs and users in it.

slapadd

    slapadd: Adds entries to an LDAP directory, reading them from a file or from standard input. (ldapadd, by contrast, is a hard link to ldapmodify and behaves as ldapmodify -a.)
    slapdelete: Deletes entries from an LDAP directory, taking its input at a shell prompt or from a file.
Now that we have created our initial LDAP server, we have to create the DN and the associated top-level DCs under which we can add entries. To get the best results and to cover the LPIC-2 exam objectives, we use OpenLDAP v2.3.x on CentOS 5 in this section. First we need to create an LDIF file:
    [[email protected] openldap]# vi mydc.ldif
    [[email protected] openldap]# cat mydc.ldif
    dn: dc=example,dc=com
    dc: example
    description: creating my dc
    objectClass: dcObject
    objectClass: organization
    o: example,organization.
Flashback: how does slapd know what the dcObject or organization concept is? From the schema files! Try ls -l schema/ and cat schema/core.ldif | grep dcObject, or grep for organization.
    [[email protected] openldap]# cat schema/core.ldif | grep -i dcobject
    # RFC 2247 (dc/dcObject)
    olcObjectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
The slapadd command writes directly into the LDAP database, so obviously it cannot be used while the service is running:
    [[email protected] openldap]# slapadd -l mydc.ldif
    bdb_db_open: database already in use
    backend_startup_one: bi_db_open failed! (-1)
    slap_startup failed

    [[email protected] openldap]# service ldap stop
    Stopping slapd: [ OK ]

    [[email protected] openldap]# slapadd -l mydc.ldif
And let's check the result:
    [[email protected] openldap]# slapcat
    dn: dc=example,dc=com
    dc: example
    description:: Y3JlYXRpbmcgbXkgZGMg
    objectClass: dcObject
    objectClass: organization
    o: example,com.
    structuralObjectClass: organization
    entryUUID: 59ef0b24-3ee8-1038-97d2-0fe81e362862
    creatorsName: cn=ldapadm,dc=example,dc=com
    modifiersName: cn=ldapadm,dc=example,dc=com
    createTimestamp: 20180828083023Z
    modifyTimestamp: 20180828083023Z
    entryCSN: 20180828083023Z#000000#00#000000
Yes, we actually modified the LDAP database:
    [[email protected] openldap]# ls /var/lib/ldap/
    alock     __db.003  __db.006   id2entry.bdb     openldap-severs-update.log
    __db.001  __db.004  DB_CONFIG  log.0000000001
    __db.002  __db.005  dn2id.bdb  objectClass.bdb
As slapadd and slapdelete access the database directly, they cannot be used from a remote computer. In the next lesson we will learn how to use the ldapadd and ldapdelete tools to configure our OpenLDAP server from a remote host.

Please go back to 210.3 course for more details. :-)

Any problem installing OpenLDAP 2.3.x on CentOS 5? Look here and here.