
Install and Configure OpenLDAP

February 11, 2010

In my recent project, I worked on the OpenLDAP directory server and would like to share my experience with it.

The OpenLDAP software suite (the open-source implementation of the LDAP protocol) consists of:

  1. openldap-servers (the directory server, slapd)
  2. openldap-clients (tools to communicate with the server, such as ldapsearch, ldapadd, etc.)

Let’s see how to install and configure it on CentOS 5.3.

Installing OpenLDAP Clients:

[root@localhost openldap]# yum install openldap-clients

This command installs the OpenLDAP client tools. They share one main configuration file, /etc/openldap/ldap.conf, which holds client-side defaults such as the default server (URI), the default search base (BASE) and the CA certificate used to verify the server when TLS is in use (TLS_CACERT).

Installing  OpenLDAP Server :

[root@localhost openldap]# yum install openldap-servers

This command installs the OpenLDAP server (the slapd daemon), which listens on TCP port 389 by default. slapd has one main configuration file, /etc/openldap/slapd.conf, plus the auxiliary files it includes (the schema files under /etc/openldap/schema).

Configuring the LDAP Server :

Step 1. To use the slapd LDAP server, edit its main configuration file, /etc/openldap/slapd.conf, to match your environment by specifying the correct directory suffix and superuser.

- For Example :

# slapd.conf
database     bdb
suffix       "dc=example,dc=com"
rootdn       "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw       examplepasswd
# rootpw     {crypt}ijFYNcSNctBYg
# The database directory must exists prior to running slapd and should
# only be accessible by the slapd and slap tools.
# Mode 700 recommended
directory    /var/lib/ldap

Where,

  • database -> The database backend used by OpenLDAP; here it is the Berkeley DB (bdb) backend.
  • suffix -> The root of the directory tree (the DN of the topmost entry).
  • rootdn -> The Distinguished Name of the directory superuser. This DN is exempt from all access control rules, so use it only for administration, never for application binds.
  • rootpw -> The password for the superuser. Do not store it in cleartext as in the example above: anyone who can read slapd.conf would then own the directory. Generate a hash with slappasswd and paste its {SSHA}... output here, and keep the file readable only by root and the ldap user.
  • directory -> Where the database files are stored. It must exist before slapd starts, be owned by the ldap user (slapd runs as that user on CentOS) and have mode 700.
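The configuration above is fine for a lab but not for a server that real clients will talk to: the superuser password is stored in cleartext, nothing is encrypted on the wire, and because there are no access directives slapd's default policy ("access to * by * read") lets any anonymous client read the whole tree, userPassword attributes included. Below is an added example, not from the original post, of the same slapd.conf with each weak setting commented beside its replacement. The certificate paths and the rootpw value are placeholders: generate the hash with slappasswd and substitute your own certificate files.

```conf
# slapd.conf, hardened variant (added example; not the original post's file)
# objectClass "domain" used by the base entry comes from core.schema;
# the shipped file also includes cosine, inetorgperson and nis.
include      /etc/openldap/schema/core.schema

database     bdb
suffix       "dc=example,dc=com"
rootdn       "cn=Manager,dc=example,dc=com"

# WEAK:  rootpw  examplepasswd   (cleartext: whoever reads this file owns the directory)
# FIXED: paste the output of slappasswd (placeholder below, generate your own)
rootpw       {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd
# scheme used when a password is changed via the Password Modify operation (ldappasswd)
password-hash {SSHA}

# WEAK:  no TLS, so a simple bind sends the password in cleartext on port 389
# FIXED: offer StartTLS on 389 (paths are assumptions; use your own certificate)
TLSCACertificateFile   /etc/openldap/cacerts/ca.crt
TLSCertificateFile     /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap.example.com.key
# refuse simple binds unless the connection already has at least 128-bit protection
security     simple_bind=128
# refuse anonymous binds altogether
disallow     bind_anon

# WEAK:  no "access" lines, so everyone (anonymous included) can read every attribute
# FIXED: the first matching rule wins, so the specific userPassword rule comes first
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by * none

directory    /var/lib/ldap
```

With the userPassword rule in place an anonymous client may only use the attribute to authenticate ("by anonymous auth"), not read it; remember that rootdn bypasses these rules entirely. After this change the anonymous check in Step 4 is refused, so test with a bind over StartTLS instead: ldapsearch -x -ZZ -H ldap://ldap.example.com -D "cn=Manager,dc=example,dc=com" -W -b "dc=example,dc=com" (-ZZ makes the client insist on StartTLS, the host in -H must match the certificate, and TLS_CACERT in ldap.conf must point at the signing CA). Finally restrict the file itself, since it now holds the rootpw hash and the private key path: chown root:ldap /etc/openldap/slapd.conf and chmod 640 /etc/openldap/slapd.conf.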

Step 2. Copy /etc/openldap/DB_CONFIG.example to /var/lib/ldap/DB_CONFIG.

- This file holds the Berkeley DB tuning parameters and must be named DB_CONFIG and placed in the directory given by the directory option in slapd.conf. slapd runs as the ldap user on CentOS, so make sure that user owns the directory and the file (chown -R ldap:ldap /var/lib/ldap).

Step 3. Start the daemon

- Once the server is configured, start the LDAP daemon. On CentOS 5 its init script is /etc/init.d/ldap; it first checks the configuration files (the slaptest step shown below) and then starts slapd.

- For Example:

[root@localhost openldap]# /etc/init.d/ldap start
Checking configuration files for slapd:  config file testing succeeded
[  OK  ]
Starting slapd:                                            [  OK  ]

Step 4. Check whether the server is running.

[root@localhost openldap]# ldapsearch -x -h localhost -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object

Here we get the result “No such object” (LDAP result code 32): the server is up and answered our query, but the base entry dc=example,dc=com does not exist yet. Note that this search binds anonymously (-x with no -D); it is answered only because the configuration above has no access directives, so slapd's default policy lets anyone read.

Step 5. Create the base entry for the directory.

- Create a file named example.ldif with the following content (the topmost entry of the tree, matching the suffix in slapd.conf):

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

Step 6. Add the entry to the directory

[root@localhost openldap]# ldapadd -x -D "cn=Manager,dc=example,dc=com" \
-W -f example.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"

Where,

  • -D -> The DN to bind as (here the rootdn from slapd.conf)
  • -W -> Prompt for the password interactively. Prefer this over -w password, which exposes the password to every user on the system through the process list and leaves it in your shell history.
  • -f -> The LDIF file to read entries from
  • -x -> Use simple (rather than SASL) authentication. With simple authentication the password crosses the network in cleartext unless the connection is protected by TLS (add -ZZ to require StartTLS once the server has a certificate).

Now we have successfully created the base of the directory. Let's do a test.

[root@localhost openldap]# ldapsearch -x -h localhost -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

You’re Finished!!! :)

So far we have added only the base of the directory; further entries are added the same way, with ldapadd and LDIF files.

22 Comments
  1. nitesh tiwari
    February 16, 2010 9:04 am

    goooooooooooooddddddddddd one

  2. February 16, 2010 9:44 am

    Hey awesome article :) I was in search of this stuff.. Chaos Buddy :D

  3. kunalbharati
    March 5, 2010 5:35 am

    Hey Mayank,
    Very well written. Thanx :)

  4. kunalbharati
    March 5, 2010 5:40 am

    Hey, what about sldap?? ;)

    • Mayank Mishra
      March 5, 2010 10:32 am

      Its coming soon!! Just busy with my exams. :(

  5. jeffin
    March 31, 2010 12:45 pm

    Hi, can you help me with this? When I add the data to the directory it is showing like this. Why is this error occurring?

    #ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
    Enter LDAP Password:

    ldap_bind: Invalid credentials (49) ********

    Can you please reply ASAP.

    • Mayank Mishra
      April 1, 2010 4:42 pm

      Jeffin,

      Can you post the content of slapd.conf and example.ldif file?

    • Mayank Mishra
      April 3, 2010 7:15 pm

      [Assuming you are using the same configuration used here]

      Try to bind the root user using an encrypted password.

      1. Generate the encrypted password.
      [root@localhost openldap]# slappasswd -s secret

      {SSHA}ioGadl0574KxRPecJ7Pb5q33j2x/Fi3w

      The default encryption used here is SSHA.

      2. Update the slapd.conf file.
      rootpw {SSHA}ioGadl0574KxRPecJ7Pb5q33j2x/Fi3w

      3. Restart the server.

      Now try to add the data to the directory using the password secret (used here).

      • jeffin
        April 6, 2010 5:04 am

        Thank you for your reply. I think the error occurred due to the unwanted space I put at the rootpw (*). After removing that I can run it.

        2. Update slapd.conf file.
        * rootpw {SSHA}ioGadl0574KxRPecJ7Pb5q33j2x/Fi3w

        It would be great if you could post the client configuration also.
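The {SSHA} value that slappasswd prints (in the reply above, and recommended by the comment in the post's slapd.conf) is a salted SHA-1 hash, not an encrypted password. The script below is an added example, not code from the post or from OpenLDAP: it produces the same hash format, checks a password against it the way slapd does on a simple bind, and scans a slapd.conf fragment for rootpw values that are still cleartext. The sample configuration inside it is constructed from the post's own example and needs no slapd or slappasswd to run.

```python
"""Generate and check OpenLDAP {SSHA} password hashes (added example).

{SSHA} as written by slappasswd is  "{SSHA}" + base64( SHA1(password || salt) || salt )
with a 4-byte random salt.  slapd verifies a simple bind by recomputing
SHA1(candidate || salt) with the stored salt and comparing the digests.
Standard library only; slapd and slappasswd are not needed to run this.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SSHA_PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes
SALT_LEN = 4                             # slappasswd's default salt length


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-compatible {SSHA} value for *password*."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); raise ValueError if malformed.

    Everything after the 20-byte digest is the salt, whatever its length,
    which is also how slapd reads it.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    # bad base64 raises binascii.Error, a subclass of ValueError
    raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def check_ssha(password: str, stored: str) -> bool:
    """True if *password* matches *stored*, as slapd would decide on a bind."""
    try:
        digest, salt = parse_ssha(stored)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison: does not leak how many leading bytes matched
    return hmac.compare_digest(candidate, digest)


def cleartext_rootpw_lines(conf_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, value) for every active rootpw that lacks a {scheme} prefix.

    slapd treats a rootpw value without a {scheme} prefix as a cleartext
    password, so these are the lines to replace with slappasswd output.
    Directive names are case-insensitive and '#' starts a comment line.
    """
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "rootpw":
            value = parts[1].strip().strip('"')
            if not value.startswith("{"):
                hits.append((no, value))
    return hits


# Constructed sample: the post's slapd.conf excerpt with its cleartext rootpw.
SAMPLE_CONF = """\
database     bdb
suffix       "dc=example,dc=com"
rootdn       "cn=Manager,dc=example,dc=com"
rootpw       examplepasswd
# rootpw     {crypt}ijFYNcSNctBYg
directory    /var/lib/ldap
"""


if __name__ == "__main__":
    hashed = make_ssha("secret")
    print("rootpw", hashed)
    print("correct password accepted:", check_ssha("secret", hashed))
    print("wrong password rejected:  ", not check_ssha("Secret", hashed))
    print("cleartext rootpw lines:   ", cleartext_rootpw_lines(SAMPLE_CONF))
```

Two practical points follow from this. First, slappasswd -s secret, as used in the reply above, puts the secret on the command line, where it shows up in the process list and in shell history; run slappasswd with no arguments and it prompts for the password instead. Second, SSHA is SHA-1 with a 4-byte salt: it stops someone who reads slapd.conf from learning the password directly, but it is cheap to brute-force, so the rootpw must still be long and random.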

  6. deepthi
    June 21, 2010 11:12 am

    Hi, will you please explain to me the steps to do SASL authentication in OpenLDAP? When I try to search a user using the following command

    ldapsearch -D "cn=Manager,dc=example,dc=com" -W

    I am getting following error

    Enter LDAP Password:
    SASL/DIGEST-MD5 authentication started
    ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: SASL(-13): user not found: no secret in database

  7. Rashid Iqbal
    July 20, 2010 5:30 am

    Hi Mayank Mishra,

    Good luck for your exams.

    Very helpful tutorial. Can you please give further guidance about slapd with SASL?

    Secondly, I want to integrate Windows Active Directory with Postfix, where Postfix picks the user information from Windows Active Directory.

    Waiting for your reply.

  8. Mayank Mishra
    July 28, 2010 8:51 am

    Hi Rashid and Deepthi,

    I’m currently very occupied with my job. If I do get a chance I will write a new post on OpenLDAP SASL configuration for sure.

    Rashid,

    Can you explain to me in detail what you are looking for in Active Directory?

    Deepthi,

    Can you post the content of slapd.conf?

    ~Mayank

  9. Mickey
    November 13, 2010 11:55 pm

    Hi Mayank,

    Everything is fine according to your above document.
    You have mentioned:

    You’re Finished!!! :)

    Till now we have added the base of our directory, further you can add more data using ldapadd command

    This is exactly what I am looking for. The base file is added. But how do I add more entries?

    Please do reply me

    Thanks in advance
    Mickey

  10. Mayank Mishra
    November 20, 2010 7:43 pm

    Hi Mickey,

    Please refer to the section 10.3 of the following document for adding more entries into openldap – http://www.openldap.org/doc/admin24/dbtools.html

    I hope it will help understanding the ldif entry format. Let me know if you have any questions!!

    ~Mayank

  11. Mickey
    November 22, 2010 3:39 am

    Hi Mayank,

    Thanks for your help.
    I am using Ubuntu 10.10.
    Now I have created OpenSSL certificates.
    I would like to enter those certificates into the LDAP server.

    Please let me know if you have worked on this.
    It would be great if you can help me on the same.

    Mickey

  12. mickey
    December 17, 2010 10:15 pm

    Hi Mayank,

    Me again.
    I'm using Ubuntu 10.10.
    There is no file called slapd.conf in any of the LDAP directories.
    We have set up everything in LDAP;
    we only need to put the server certificate for LDAP,
    but it should basically be loaded in slapd.conf,
    and in my case I do not find the file at all.

    Please help me with this.
    Thanks for your time.

  13. December 25, 2010 5:32 pm

    Hey, I can't find slapd.conf either.

    • Mayank Mishra
      December 29, 2010 10:43 am

      Alex,

      Which distro are you using?

      If you are using CentOS then the path to slapd.conf should be /etc/openldap/slapd.conf

  14. January 14, 2011 3:09 pm

    Thank you for this post. I just used this to get a server up and going in no time. I really appreciate it when programmers/admins take the time to write about what they work on.

  15. shynu sivarajan
    October 10, 2011 1:32 pm

    What about ldapsearch using MD5 authentication?

  16. February 9, 2012 12:30 pm

    Good one, man!!!
