openldap building and configuration
Notes on configuring OpenLDAP (2.4.29) as the NSS and PAM backend for Linux (a NIS replacement), as well as the backend for a SAMBA PDC.
Building & Installation
> ./configure --prefix=/usr/local/openldap --enable-modules --enable-overlays=mod --enable-crypt
> make depend
> make
> make install
Configuration
slapd.d & slapd.conf
OpenLDAP's configuration is now stored entirely in the directory itself, under cn=config. The quickest way to adopt the new scheme is to convert an existing slapd.conf into LDIF config entries under the slapd.d directory:
> slaptest -f slapd.conf -F slapd.d
If you would like to access the cn=config tree through ldapsearch or another LDAP browser client, you need to assign an olcRootDN and olcRootPW to the cn=config backend:
- open slapd.d/cn=config/olcDatabase={0}config.ldif
- insert olcRootDN: cn=Manager,cn=config
- insert olcRootPW with its password value
(ref: doing OpenLDAP config changes in RHEL 6)
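As an added example (not part of the original notes), this is what the two inserted attributes look like in olcDatabase={0}config.ldif. The hash is a constructed placeholder: generate the real value with slappasswd -h {SSHA} rather than writing the password in clear text, because this file is readable by anyone who can read the slapd.d tree. Edit the file with slapd stopped, leave every existing line in place, and if the converted file already carries an olcRootDN line (slaptest commonly writes olcRootDN: cn=config), replace it rather than adding a second one, since the attribute is single-valued.

```ldif
# Added example, not from the original notes: the lines that end up in
# slapd.d/cn=config/olcDatabase={0}config.ldif after the edit above.
# All other attributes already in the file stay exactly as generated.
dn: olcDatabase={0}config
olcRootDN: cn=Manager,cn=config
# Constructed placeholder; replace with the output of: slappasswd -h {SSHA}
olcRootPW: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
```

Once slapd is restarted, bind as cn=Manager,cn=config with -W (prompt for the password) rather than -w password, so the password does not land in the shell history or the process list.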
db backend
database bdb
suffix "dc=xyz,dc=xxx"
rootdn "cn=Manager,dc=xyz,dc=xxx"
rootpw {SSHA}xxyyzzddeeffgghhiijjkkll
Schema
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
To load these schemas into cn=config instead, you may run
> ldapadd -h localhost -x -D 'cn=Manager,cn=config' -W -f cosine.ldif
> ldapadd -h localhost -x -D 'cn=Manager,cn=config' -W -f nis.ldif
where cosine.ldif and nis.ldif ship with OpenLDAP, in the schema directory next to the .schema files.
Index
index objectClass eq,pres
index cn,uid,mail pres,eq,sub
ACL
dn: olcDatabase={1}bdb,cn=config
olcAccess: {0}to * by self write by * read
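The single rule above grants every bind, including anonymous, read access to every attribute, which for an NSS/PAM backend includes the userPassword hashes, and it lets each user rewrite all of their own attributes (uidNumber and gidNumber included, which the NSS side trusts). The following added example, not from the original notes, is the ldapmodify LDIF that replaces that rule with the ACL recommended in the OpenLDAP admin guide: password attributes are writable by the owner, usable for authentication by anonymous binds, and invisible to everyone else; self-service write is limited to a named attribute list; everything else stays world-readable as before. The attribute list is an assumption to adjust for your deployment.

```ldif
# Added example, not from the original notes. Apply with:
#   ldapmodify -h localhost -x -D 'cn=Manager,cn=config' -W -f acl.ldif
# Rules are evaluated in order; the first matching "to" clause wins, so the
# password rule must come before the catch-all.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=loginShell,gecos
  by self write
  by * read
olcAccess: {2}to *
  by * read
```

The rootdn of the database is not subject to these rules, so cn=Manager,dc=xyz,dc=xxx still manages everything. If the Samba schema is loaded for the PDC, the sambaLMPassword and sambaNTPassword attributes carry password-equivalent hashes and belong in the first attrs= list as well (those attribute names are from the Samba schema, which this page does not include). Verify the result by running an anonymous ldapsearch for userPassword against a known entry and confirming the attribute is absent.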
Setup using slapd.d
Convert the slapd.conf to slapd.d
> slaptest -f slapd.conf -F slapd.d
The first base entry
> ldapmodify -h localhost -D 'cn=Manager,dc=xyz,dc=xxx' -w password -x
dn: dc=xyz, dc=xxx
changetype: add
objectclass: top
objectclass: dcObject
objectclass: organization
dc: xyz
o: xyz company
The whole DIT
dn: dc=xyz,dc=xxx
changetype: add
objectclass: top
objectclass: dcObject
objectclass: organization
dc: xyz
o: xyz.xxx Inc

dn: ou=group,dc=xyz,dc=xxx
changetype: add
objectclass: organizationalunit
ou: group
description: generic groups branch

dn: ou=people,dc=xyz,dc=xxx
changetype: add
objectclass: organizationalunit
ou: people
description: generic people branch
Further reading: Configuring OpenLDAP as a replacement for NIS