|Last modified: 14-11-2012|
The Quick & Dirty Guide to OpenLDAP
As for the organization chart, on Fri, 18 Aug 2000 00:01:29 GMT, email@example.com (Michael Schaap) wrote:
The old convention was to use organization and country in a DN. You could for instance use "o=Acme Inc, c=US". Because this may not always guarantee uniqueness, the new convention is to use domain components. In your case, that would be "dc=acme, dc=com".
Although you can use a plain-text password as rootpw, according to a tip found in this document, you can copy/paste your hashed password from /etc/passwd or generate one using perl -e "print crypt('mypasswd', 'a_salt_string');". Note that copy/pasting your hashed password from /etc/passwd or /etc/shadow doesn't work if you are using MD5 hashing, which is the default in recent releases of Red Hat.
dn: cn=Jane Doe,dc=acme,dc=com
cn: Jane Doe
description: Tech support
telephoneNumber: (123) 123-4567
dn: cn=John Doe,dc=acme,dc=com
cn: John Doe
telephoneNumber: (321) 765-4321
Records are indexed through their DN, which is a concatenation of the Relative Distinguished Name (RDN, a.k.a. CN) and the inherited tree. For instance, the DN for the above example is CN=Myself, dc=acme,dc=com.
Slurpd is used when you need to replicate data from your master LDAP server to remote salve LDAP servers, while ldapd is used to let slapd query an X.500 server.
Slapd can be launched through either /etc/rc.d/rcX.d to run as a stand-alone service, or on demand through Inetd. The former is recommended if you use LDBM files so as to take advantage of caching.
You can specify several different databases to be used by your LDAP server. Just edit /etc/openldap/slapd.conf, and add a whole database section.
Additional records can be added while your LDAP server is on- or off-line.
The way to do this while the server is off-line is shown at the beginning of
this tutorial. If the server is online, create a file with the different records
you want to add (example shown below), and run ldapadd -f mydatafile.ldif
-D "cn=manager, dc=acme,dc=com" -w secret:
# Save this as /var/lib/ldap/mydatafile.ldif
description=The Greatest Postmaster in the World!
And yes, I also wonder why the format of this file is different from the file used to input data while the server is offline...
If your LDAP clients need ObjectClasses and Attributes not included in the default slapd.oc.conf and slapd.at.conf , you should create your own two files instead of modifying those default files, and add include statements in slapd.conf .
An ObjectClass consists in required attributes, and allowed attributes, which are both defined in an .ac.conf file.
Interestingly enough, the OpenLDAP package that I installed when writing
this tutorial had no "mail" attribute, although that's probably the
piece of information for which users are most likely to query an LDAP server.
What I did, is copy /etc/openldap/slapd.oc.conf as slapd.acme.oc.conf, and slapd.at.conf
as slapd.acme.at.conf, add references to slapd.conf through INCLUDE lines, and
edit those files as follows:
Before using those scripts, and as explained in the README file, remember to first customize migrate_common.ph to reflect your organization as set in slapd.conf and ldap.conf.
By default, anyone can query your LDAP server, which is obviously a huge security risk. Access rights can be set up by editing /etc/openldap/slapd.conf, through options accessto, defaultaccess
Refer to "The SLAPD and SLURPD Administrator's Guide"
[root@linux ldap]# ldif2ldbm -d 5 -i ./offline.ldif
=> ldbm_cache_open( "/var/lib/ldap/id2entry.dbb", 524293, 600 )
ldbm_cache_open (blksize 4096) (maxids 1022) (maxindirect 4)
next_id_read: could not open "/var/lib/ldap/NEXTID"
Open Messenger, click on Communicator | Address Book. In the Address Book applet, File | New Directory, fill the Description, Server, and Search Root fields. The Search Root has to match your organization (eg. dc=acme,dc=com)
Eudora requires you to change the Search Base when adding a pointer to an OpenLDAP server, to match the organizational structure. FYI, I didn't have to do this with eg. Lotus Notes. In other words, you need to set that field to something like "dc=acme,dc=com", otherwise OpenLDAP returns no information.
On Thu, 17 Aug 2000 23:58:18 GMT, firstname.lastname@example.org (Michael Schaap) wrote:
I believe this is an OpenLDAP thing. (Feature, bug, what's in a name.) A search in OpenLDAP seems to return nothing if you don't provide a search base. This search base should normally be your top-level entity, in your case "dc=acme,dc=com".