Install and Configure OpenLDAP
In a recent project I worked on an OpenLDAP directory server, and I would like to share my experience with it.
The OpenLDAP software suite (the open source implementation of the LDAP protocol) consists of:
- openldap-servers (the directory server)
- openldap-clients (tools to communicate with the server, such as ldapsearch, ldapadd, etc.)
Let's see how to install and configure it on CentOS 5.3.
Installing OpenLDAP Clients:
[root@localhost openldap]# yum install openldap-clients
This command installs the OpenLDAP clients on the system. They have one main configuration file, which can be found at /etc/openldap/ldap.conf.
Installing OpenLDAP Server:
[root@localhost openldap]# yum install openldap-servers
This command installs the OpenLDAP server (the slapd daemon), which listens on port 389. slapd has one main configuration file, which can be found at /etc/openldap/slapd.conf, plus other auxiliary config files.
Configuring the LDAP Server:
Step 1. In order to use the slapd LDAP server, modify its main configuration file, /etc/openldap/slapd.conf, to match your environment by specifying the correct domain and server.
- For example:
# slapd.conf
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw examplepasswd
# rootpw {crypt}ijFYNcSNctBYg
# The database directory must exist prior to running slapd and should
# only be accessible by the slapd and slap tools.
# Mode 700 recommended
directory /var/lib/ldap
Where,
- database -> Defines the database backend used by OpenLDAP; here it is the Berkeley DB backend.
- suffix -> Root of the directory tree
- rootdn -> The distinguished name (DN) of the directory superuser
- rootpw -> Password for the superuser
- directory -> Database storage area
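The comment above the rootpw line warns against cleartext passwords and points to slappasswd(8); the same advice comes up again in the comments below, where a {SSHA} value is generated for the password "secret". As an added example that is not part of the original post, the following Python reproduces what slappasswd does for the default {SSHA} scheme (base64 of SHA-1(password + salt) followed by the 4-byte salt), verifies a password against such a value, and audits a slapd.conf body for a cleartext rootpw. All function names and the SAMPLE_CONF fragment are this example's own.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Return an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt).
    slappasswd(8) uses a random 4-byte salt by default, which is mimicked here."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """Check a cleartext password against a {SSHA} value; the salt is recovered
    from the bytes that follow the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def rootpw_line(password, salt=None):
    """The slapd.conf line that replaces 'rootpw examplepasswd'."""
    return "rootpw " + ssha_hash(password, salt)

def audit_rootpw(conf_text):
    """Classify the active rootpw directive in a slapd.conf body: 'missing',
    'cleartext', or the scheme name (e.g. 'SSHA', 'crypt'). Comment lines are ignored."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#") or parts[0].lower() != "rootpw":
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        if value.startswith("{") and "}" in value:
            return value[1:value.index("}")]
        return "cleartext"
    return "missing"

# Constructed slapd.conf fragment mirroring the tutorial's example (not a real file).
SAMPLE_CONF = """\
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw examplepasswd
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
"""
```

Running audit_rootpw over the tutorial's slapd.conf returns "cleartext"; after replacing that line with rootpw_line("secret") it returns "SSHA", and verify_ssha can be used to confirm that a stored {SSHA} value (such as the one quoted in the comments) really corresponds to the password you expect.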
Step 2. Copy the /etc/openldap/DB_CONFIG.example file into the /var/lib/ldap directory.
- This file must be placed in the directory specified by the directory option in the slapd.conf file.
Step 3. Start the daemon
- Once the server is set up, we need to start the LDAP daemon. Its init script is /etc/init.d/ldap
- For example:
[root@localhost openldap]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded [ OK ]
Starting slapd: [ OK ]
Step 4. Check whether the server is running.
[root@localhost openldap]# ldapsearch -x -h localhost -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
Here we get the result "No such object", which indicates that our LDAP server is up and running but cannot locate any data under the base yet.
Step 5. Create the base data for the LDAP server.
- Create the example.ldif file with the following content:
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
Step 6. Add the data to the directory
[root@localhost openldap]# ldapadd -x -D "cn=Manager,dc=example,dc=com" \
    -W -f example.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
Where,
- -D -> Specifies the bind DN (the user to authenticate as)
- -W -> Specifies that the password will be prompted for
- -f -> Specifies the name of the LDIF file
- -x -> Specifies simple authentication
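The entry in example.ldif has to sit exactly at the suffix configured in slapd.conf, and its naming attribute (dc: example) has to be present, otherwise the ldapadd in Step 6 is rejected. As an added example that is not part of the original post, the following Python parses an LDIF file in the form used above and reports such mismatches before you touch the server; the function names and the SAMPLE_LDIF constant are this example's own.

```python
def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]: blank-line separated records,
    'attr: value' lines, '#' comments and folded lines that start with a space."""
    entries, record = [], []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last record
        if raw.startswith(" ") and record:        # folded continuation line
            record[-1] += raw[1:]
        elif raw.strip() == "":
            if record:
                entries.append(_to_entry(record))
                record = []
        elif not raw.startswith("#"):
            record.append(raw)
    return entries

def _to_entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    if dn is None:
        raise ValueError("LDIF record without dn")
    return dn, attrs

def normalize_dn(dn):
    """Case-fold and strip so 'DC=Example, dc=com' equals 'dc=example,dc=com'."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def base_entry_problems(ldif_text, suffix):
    """Mismatches between example.ldif and the slapd.conf suffix that would make
    Step 6 fail; an empty list means the base entry is consistent."""
    entries = parse_ldif(ldif_text)
    if not entries:
        return ["LDIF file contains no entries"]
    dn, attrs = entries[0]
    problems = []
    if normalize_dn(dn) != normalize_dn(suffix):
        problems.append("dn %r does not match suffix %r" % (dn, suffix))
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")   # e.g. dc=example
    if rdn_val.strip() not in attrs.get(rdn_attr.strip(), []):
        problems.append("naming attribute %s is missing from the entry" % rdn_attr.strip())
    return problems

# Constructed copy of the tutorial's example.ldif.
SAMPLE_LDIF = "dn: dc=example,dc=com\ndc: example\nobjectClass: top\nobjectClass: domain\n"
```

base_entry_problems(SAMPLE_LDIF, "dc=example,dc=com") returns an empty list for the file shown above; pointing it at a different suffix, or removing the dc: line, returns the reason the add would fail.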
Now that we have successfully created the base of the directory, let's do a test.
[root@localhost openldap]# ldapsearch -x -h localhost -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
You're finished!
So far we have added the base of our directory; you can add more entries using the ldapadd command.
goooooooooooooddddddddddd one
Hey, awesome article.
I was in search of this stuff. Chaos Buddy
Hey Mayank,
Very well written. Thanks
Hey, what about sldap?
Its coming soon!! Just busy with my exams.
Hi, can you help me with this? When I add the data to the directory it shows the following. Why is this error occurring?
#ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49) ********
Can you please reply ASAP.
Jeffin,
Can you post the content of slapd.conf and example.ldif file?
[Assuming you are using the same configuration used here]
Try to bind as the root user using an encrypted password.
1. Generate encrypted password.
[root@localhost openldap]# slappasswd -s secret
{SSHA}ioGadl0574KxRPecJ7Pb5q33j2x/Fi3w
The default encryption scheme used here is SSHA.
2. Update slapd.conf file.
rootpw {SSHA}ioGadl0574KxRPecJ7Pb5q33j2x/Fi3w
3. Restart the server
Now try to add the data to the directory using the password secret (the one used here).
Thank you for your reply. I think the error occurred due to the unwanted space I put at the rootpw (*). After removing that I can run it.
2. Update slapd.conf file.
* rootpw {SSHA}ioGadl0574KxRPecJ7Pb5q33j2x/Fi3w
It would be great if you post the client configuration also.
Hi, will you please explain to me the steps to do SASL authentication in OpenLDAP? When I try to search for a user using the following command
ldapsearch -D "cn=Manager,dc=example,dc=com" -W
I am getting the following error:
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
Hi Mayank Mishra,
Good luck with your exams.
Very helpful tutorial; can you please further guide us about slapd with SASL?
Secondly, I want to integrate Windows Active Directory with Postfix, where Postfix picks the user information from Windows Active Directory.
Waiting for your reply.
Hi Rashid and Deepthi,
I’m currently very occupied with my job. If I do get chance will write new post on OpenLDAP SASL configuration for sure.
Rashid,
Can you explain to me in detail what you are looking for in Active Directory?
Deepthi,
Can you post the content of slapd.conf?
~Mayank
Hi mayank.
Everything is fine according to your above document.
You have mentioned:
You’re Finished!!!
Till now we have added the base of our directory, further you can add more data using ldapadd command
This is exactly what I am looking for. The base file is added. But how do I add more entries?
Please do reply to me.
Thanks in advance
Mickey
Hi Mickey,
Please refer to the section 10.3 of the following document for adding more entries into openldap – http://www.openldap.org/doc/admin24/dbtools.html
I hope it will help in understanding the LDIF entry format. Let me know if you have any questions!
~Mayank
Hi Mayank,
Thanks for your help.
I am using Ubuntu 10.10.
Now I have created OpenSSL certificates.
I would like to load those certificates into the LDAP server.
Please let me know if you have worked on this.
It would be great if you can help me on the same.
Mickey
Hi Mayank,
Me again.
I'm using Ubuntu 10.10.
There is no file called slapd.conf in any of the LDAP directories.
We have set up everything in LDAP;
we need only to put the server certificate for LDAP,
but it should basically be loaded in slapd.conf,
and in my case I do not find the file at all.
Please help me with this.
Thanks for your time.
Hey Mickey,
The procedure for installing/configuring OpenLDAP on Ubuntu is a bit different from that on CentOS.
I would recommend reading the following document:
https://help.ubuntu.com/10.10/serverguide/C/openldap-server.html
Check out the “TLS and SSL” section. I think this is what you are looking for.
~Mayank
Hey, I can't find slapd.conf either.
Alex,
Which distro are you using?
If you are using CentOS then the path to slapd.conf should be /etc/openldap/slapd.conf
Thank you for this post. I just used this to get a server up and going in no time. I really appreciate it when programmers/admins take the time to write about what they work on.
What about ldapsearch using MD5 authentication?
Good one, man!