Running OpenLDAP server on Red Hat Linux 9



Introduction

This page describes how to set up an LDAP server running on Linux.

It is based on the Sybex two-CD edition of Red Hat Linux 9.0; there may be slight differences from the Red Hat three-CD edition.

Red Hat Linux 9, like some of the earlier versions, ships a version of OpenLDAP, packaged as RPM files.

OpenLDAP does not appear as an option during the Red Hat Linux installation, but it is easily installed afterwards.

 

Introduction to LDAP

Strictly speaking, LDAP is a protocol - the Lightweight Directory Access Protocol - designed as a means of accessing directories based on X.500.

However the term LDAP is often used to refer to the directory itself, and I am afraid that this loose usage is followed on this webpage, which describes the setting up of a directory service rather than the protocol.

 

Installation

The OpenLDAP package is on CD 2, in the folder /RedHat/RPMS.

At the command line, after mounting the cdrom, the installation instructions are

 

    cd /mnt/cdrom/RedHat/RPMS

    rpm -i openldap-servers-2.0.27-8.i386.rpm

The installation puts the LDAP server configuration files in the folder /etc/openldap. The daemons are installed in /usr/sbin - there are two of them :-

  • slapd - the stand-alone LDAP server daemon

  • slurpd - the replication daemon, which pushes changes made on this server out to other LDAP servers; it is not needed for a single server

Various other files are installed as well; "rpm -ql openldap-servers" lists them all.

In Red Hat Linux, the LDAP server can be started with the command :-

 

    service ldap start

and it can then be seen running as a process ( for example with "ps ax | grep slapd" ). It listens on TCP port 389 for clear-text LDAP connections.

However there is no point in running it until slapd.conf has been set up and the directory has some information in it.

 

Configuring OpenLDAP

To configure a stand-alone LDAP server, the file "slapd.conf" needs to be modified - in its default state, it contains various settings which are really only examples of possible settings.

  • lines beginning with "#" are comments

  • lines 6 to 12 define the schema to be used by the server - these can be left as they are

  • lines 42 to 57 are commented out; they can be used to define who has access to the database, and what kind of access. With no access lines in force, the default is for everyone, including anonymous clients, to have read access to everything - and that includes any userPassword values stored in the entries. A live server should at least restrict that attribute, for example with "access to attrs=userPassword by self write by anonymous auth by * none"

  • line 60 defines this as an ldbm database - OpenLDAP can use a number of different kinds of database - the default is ldbm

  • line 64 defines the domain that the database contains information for - this needs to be set to your domain. For the internet domain of "e-nor.net", this line would read

     
    
        suffix       "dc=e-nor,dc=net"
    

    The abbreviation "dc" stands for "domain component"; each label of the domain name becomes one dc= component

  • line 65 is commented out, but shows a possible alternative way of defining the top of the tree - OpenLDAP can also be configured to use an organisational structure instead of an internet domain structure, so components such as "Organisation" and "Organisational Unit" can be specified instead ( similar to a Novell NDS / eDirectory structure )

  • line 66 defines the rootdn - the identity which has supervisory rights over the database. The access control rules are not applied to it, so it is the LDAP equivalent of root

  • line 67 defines the same supervisory identity, but in terms of the alternative organisational structure

  • line 71 should be uncommented, and a password for the supervisory identity put in instead of "secret". Since the password lives in this file, check with "ls -l" that slapd.conf is not world-readable

  • line 72 can be used instead if a hashed password is preferred - run "slappasswd", type the password, and put the whole string it prints ( beginning {SSHA} ) after rootpw

  • line 75 defines the name and location of the directory that will hold the database files - this can be changed to suit your own directory structure, but the directory must exist

    if a different directory is used, then, after creating it, change the ownership to "ldap" and the access rights to 700, so that only the daemon can read the database files

All the above is a fairly minimal configuration, and is unlikely to be sufficient for a live LDAP server - however it will produce a working server.
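The two settings most often left in place after this walk-through are a clear-text rootpw and the default read-for-everyone access with no rule for userPassword. The script below, an added example and not part of the original page, audits a slapd.conf for both and writes a hardened version next to a copy of the minimal one. The e-nor.net suffix, the cn=Manager rootdn and the ldbm database are the page's; both sample files are constructed here, and the {SSHA} value in the hardened file is a placeholder to be replaced with real slappasswd output.

```shell
#!/bin/sh
# Added example, not code from the original page: audit a slapd.conf for the
# two weak settings the minimal configuration leaves in place, and write a
# hardened version. Sample files are constructed here for illustration.

# Print one line per weak setting found in the given slapd.conf. Commented-out
# lines are ignored, as slapd ignores them. Always returns 0 so it is safe
# under "set -e"; count the output lines to get the number of findings.
audit_slapd_conf() {
    conf=$1
    # 1. The rootpw value should start with a {SCHEME} tag such as {SSHA},
    #    i.e. be the output of slappasswd, not the password itself.
    if grep -q '^[[:space:]]*rootpw[[:space:]]' "$conf" &&
       ! grep -q '^[[:space:]]*rootpw[[:space:]]\{1,\}{' "$conf"; then
        echo "rootpw is stored in clear text; use the output of slappasswd instead"
    fi
    # 2. With no "access to" rule for userPassword, OpenLDAP 2.0 falls back to
    #    read access for everyone, so anonymous clients can fetch the hashes.
    if ! grep -qi '^[[:space:]]*access[[:space:]]\{1,\}to[[:space:]]\{1,\}attrs\{0,1\}=userPassword' "$conf"; then
        echo "no access rule for userPassword; anonymous clients can read password hashes"
    fi
    return 0
}

# Number of findings for a file (0 means clean).
count_weak_settings() {
    audit_slapd_conf "$1" | awk 'END { print NR }'
}

# Constructed sample: slapd.conf as it stands after following the page, with
# the access lines still commented out and rootpw set in clear text.
write_weak_conf() {
    cat > "$1" <<'EOF'
include         /etc/openldap/schema/core.schema
#access to *
#        by * read
database        ldbm
suffix          "dc=e-nor,dc=net"
rootdn          "cn=Manager,dc=e-nor,dc=net"
rootpw          secret
directory       /var/lib/ldap
EOF
}

# Hardened equivalent. The rootpw value is a placeholder of the right shape:
# on the server, run slappasswd, type the password, and paste what it prints.
write_hardened_conf() {
    cat > "$1" <<'EOF'
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# Password hashes: the entry itself may change its password, anonymous
# clients may only present one in order to bind, nobody else can read it.
# "by" clauses are tried in order and the first match wins.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# Everything else stays readable, as in the page's default, and each entry
# may update its own attributes.
access to *
        by self write
        by * read
database        ldbm
suffix          "dc=e-nor,dc=net"
rootdn          "cn=Manager,dc=e-nor,dc=net"
rootpw          {SSHA}paste-the-output-of-slappasswd-here
directory       /var/lib/ldap
EOF
}

main() {
    tmp=${TMPDIR:-/tmp}/slapd-audit.$$
    mkdir -p "$tmp"
    write_weak_conf "$tmp/weak.conf"
    write_hardened_conf "$tmp/hardened.conf"
    for f in weak hardened; do
        echo "$f.conf: $(count_weak_settings "$tmp/$f.conf") finding(s)"
        audit_slapd_conf "$tmp/$f.conf"
    done
    rm -rf "$tmp"
}
main
```

To check the real file, call "audit_slapd_conf /etc/openldap/slapd.conf" from the same shell; the access rules in the hardened sample go before the database line so that they apply to every database in the file.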

 

Adding some data

To add data, an LDAP client is used - for this webpage, the client used is the "ldapadd" tool.

An LDAP client is not installed on Red Hat Linux 9, either as part of the standard installation of Linux or when the OpenLDAP server is installed, so it is necessary to install it. The client is, like the server rpm file, on CD 2 of the Sybex set. The instructions are, as before,

 

    cd /mnt/cdrom/RedHat/RPMS

    rpm -i openldap-clients-2.0.27-8.i386.rpm

The "ldapadd" tool takes its input from ldif files, so as a start an ldif file is created with a text editor.

The suffix line in slapd.conf only tells slapd which part of the namespace this database holds; it does not create the entry at the top of that tree. So the first thing to add is the root entry for the domain itself - every later entry sits underneath it, and ldapadd will reject them with "No such object" until it exists.

So the first ldif file contains :-

 

    dn: dc=e-nor,dc=net

    objectClass: dcObject

    dc: e-nor

( dcObject is an auxiliary class. OpenLDAP 2.0 accepts this entry as it stands, but later releases insist on a structural class as well, so adding the lines "objectClass: organization" and "o: e-nor" makes the file usable on both. )

So type these lines into a new text file and save it - any name will do, but use ".ldif" as the file extension. I have used "no-1.ldif" as the file name.

The directory into which it is saved is up to you, I used "/etc/openldap/data/" for convenience.

To put this data into the database, the "ldapadd" command is used. It has many options; use "man ldapadd" to get the full list.

I used the following command, all on one line :-

 

    ldapadd -x -D "cn=Manager,dc=e-nor,dc=net" -W -f /etc/openldap/data/no-1.ldif

Here -x selects a simple bind, -D gives the identity to bind as ( the rootdn from slapd.conf ) and -W prompts for its password - the one on the rootpw line. A simple bind sends that password in clear text, so run this on the server itself, or over TLS, rather than across the network.

If the data has been added, you will get the message

 

    adding new entry "dc=e-nor,dc=net"

Having done that, it is now possible to add other entries - an entry is all the data associated with one particular object, such as a person. So to add a person to the database, the next ldif file could look like :-

 

    dn: cn=Jo Nobody,dc=e-nor,dc=net

    cn: Jo Nobody

    sn: Nobody

    objectClass: person

Using the ldapsearch command enables you to check that the data has been added to the database :-

 

    ldapsearch -x -b dc=e-nor,dc=net '(objectClass=*)'

Again there are a lot of options for the ldapsearch command; use the man page to view them. Here -b gives the base of the search and the filter (objectClass=*) matches every entry. No -D is given, so this is an anonymous search - it works because of the default read-for-everyone access described above.

The above command should provide a read-out of all the data in the database.
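The following script is an added example, not code from the original page. It builds the two ldif files of this section from a DNS domain name, so that the suffix, the root entry and the person entry cannot disagree with each other, then loads them with ldapadd and checks with ldapsearch where the openldap-clients tools are present. The e-nor.net domain, the cn=Manager rootdn, the /etc/openldap/data directory and the file name no-1.ldif are the page's; the LDIF_DIR override, the file name no-2.ldif and the organization class on the root entry are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the original page: generate the root and
# person LDIF files from a DNS domain, load them as the rootdn, and verify.
# LDIF_DIR is an assumed override so the script can be dry-run anywhere.

# DNS domain -> LDAP suffix, one dc= component per label (RFC 2247 style):
#   e-nor.net -> dc=e-nor,dc=net
domain_to_suffix() {
    echo "$1" | awk -F'[.]' '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Root entry for the naming context. dcObject is an AUXILIARY class, so the
# entry also carries the STRUCTURAL class organization: OpenLDAP 2.0 accepts
# the page's dcObject-only version, 2.1 and later reject an entry with no
# structural class, and this form loads on both.
root_entry_ldif() {
    domain=$1
    cat <<EOF
dn: $(domain_to_suffix "$domain")
objectClass: top
objectClass: dcObject
objectClass: organization
dc: ${domain%%.*}
o: $domain
EOF
}

# A person entry directly under the suffix (plain names only, no DN
# escaping). cn and sn are person's MUST attributes, so both are written.
person_ldif() {
    suffix=$1; cn=$2; sn=$3
    cat <<EOF
dn: cn=$cn,$suffix
objectClass: top
objectClass: person
cn: $cn
sn: $sn
EOF
}

# Load one file as the rootdn, then confirm the DN is visible to an anonymous
# search (which only works because of the default read-for-everyone access).
# The -x simple bind sends the rootpw in clear text, so do this on the server.
load_and_verify() {
    ldif=$1; suffix=$2; dn=$3
    if ! command -v ldapadd >/dev/null 2>&1; then
        echo "openldap-clients not installed; would load $ldif"
        return 0
    fi
    ldapadd -x -D "cn=Manager,$suffix" -W -f "$ldif"
    ldapsearch -x -b "$suffix" '(objectClass=*)' | grep -q "^dn: $dn\$"
}

main() {
    domain=$1
    suffix=$(domain_to_suffix "$domain")
    dir=${LDIF_DIR:-/etc/openldap/data}
    mkdir -p "$dir"
    root_entry_ldif "$domain" > "$dir/no-1.ldif"
    person_ldif "$suffix" "Jo Nobody" "Nobody" > "$dir/no-2.ldif"
    load_and_verify "$dir/no-1.ldif" "$suffix" "$suffix"
    load_and_verify "$dir/no-2.ldif" "$suffix" "cn=Jo Nobody,$suffix"
}

# Usage: sh add-entries.sh e-nor.net   (LDIF_DIR=/tmp/ldif for a dry run)
if [ $# -gt 0 ]; then main "$1"; fi
```

The root entry must be loaded before the person entry, which is why the two files are loaded in that order; running the second load first produces "No such object".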

 

An explanation of the data

This is a simple explanation of some of the expressions in the data :-

  • dn:   cn=Jo Nobody,dc=e-nor,dc=net - this is the unique [name + location] of an object within the database - dn is an abbreviation for "Distinguished Name"

  • cn:   Jo Nobody - this is the name of the person - cn is an abbreviation for "Common Name"

  • sn:   Nobody - the surname of the person

cn and sn are known as attributes - there are hundreds of different kinds of attributes, however only quite a small number can be attached to any particular kind of object.

  • objectClass:   person - this is the name given to the group of attributes ( objectClass ) that can be attached to a particular kind of object ( here a person )

    For any given objectClass, some attributes are mandatory ( MUST ) whilst others are optional ( MAY ).

    For the "person" objectClass, the cn and sn attributes are both mandatory, whilst userPassword and telephoneNumber are both optional.

 

Expanding the data

If it is now wanted to expand the data stored about a person, for example to store an e-mail address, it is necessary to use an attribute which holds an e-mail address.

However the "person" objectClass does not include an e-mail attribute among its allowable attributes, so it is necessary to add another objectClass - the one required is "inetOrgPerson".

The "inetOrgPerson" objectClass adds some 27 optional attributes of its own, including the e-mail attribute, which somewhat confusingly is called "mail".

So now the ldif file for Jo Nobody looks like :-

 

    dn: cn=Jo Nobody,dc=e-nor,dc=net

    cn: Jo Nobody

    sn: Nobody

    mail: j.nobody@e-nor.net

    objectClass: person

    objectClass: inetOrgPerson

Note that ldapadd will refuse this file if the entry is already in the database ( the error is "Already exists" ); either delete the old entry first with ldapdelete, or send just the additions with ldapmodify as a "changetype: modify" record.

The information about which attributes can be used with each objectClass is contained in the schema for the ldap server - the schema is defined by a number of files in /etc/openldap/schema/, which have the file extension .schema.

The .schema files used by any particular openldap server are listed in the slapd.conf file, as previously described. In Red Hat Linux 9, the default slapd.conf has the schema defined in lines 6 to 12.

Some attributes can have more than one value - in which case a second or subsequent line is put into the .ldif file - for example, if Jo Nobody has a nickname such as "jono", the .ldif file becomes :-

 

    dn: cn=Jo Nobody,dc=e-nor,dc=net

    cn: Jo Nobody

    cn: jono

    sn: Nobody

    mail: j.nobody@e-nor.net

    objectClass: person

    objectClass: inetOrgPerson
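The script below is an added example, not code from the original page. It checks an ldif entry against the MUST/MAY rules described above before the entry is sent to the server, so that a file such as the person entry with "mail" but no "inetOrgPerson" is caught locally rather than by slapd, and it writes the ldapmodify change record that adds the class, the mail attribute and the second cn value to the entry that already exists. The Jo Nobody entry and the e-nor.net suffix are the page's. The reduced schema table in the script is an assumption: it lists only the attributes this page mentions, not the full person and inetOrgPerson definitions from the .schema files.

```shell
#!/bin/sh
# Added example, not code from the original page: a local MUST/MAY check for
# an LDIF entry, plus the ldapmodify record that extends an existing entry.
# The schema table is a reduced assumption covering only this page's attributes.

# MUST attributes of a class (lower-cased, space separated).
must_for() {
    case $1 in
        person|inetorgperson) echo "cn sn" ;;
        *) echo "" ;;
    esac
}

# MAY attributes of a class; inetOrgPerson inherits person's and adds more.
may_for() {
    case $1 in
        person)        echo "userpassword telephonenumber description" ;;
        inetorgperson) echo "userpassword telephonenumber description mail givenname uid displayname" ;;
        *)             echo "" ;;
    esac
}

# Attribute names an entry uses (lower-cased, de-duplicated, space separated).
# LDIF continuation lines start with a space and are skipped.
entry_attrs() {
    awk -F: '/^[A-Za-z]/ { print tolower($1) }' "$1" | sort -u | tr '\n' ' '
}

# objectClass values the entry declares, lower-cased, one per line.
entry_classes() {
    awk -F': *' 'tolower($1) == "objectclass" { print tolower($2) }' "$1"
}

# Print one line per problem: a MUST attribute that is missing, or an attribute
# that none of the declared classes allows (naming a class from the table that
# would). Prints nothing for a clean entry and always returns 0.
check_entry() {
    attrs=$(entry_attrs "$1")
    allowed="dn objectclass"
    required=""
    for c in $(entry_classes "$1"); do
        allowed="$allowed $(must_for "$c") $(may_for "$c")"
        required="$required $(must_for "$c")"
    done
    for r in $(printf '%s\n' $required | sort -u); do
        case " $attrs " in
            *" $r "*) ;;
            *) echo "missing MUST attribute $r" ;;
        esac
    done
    for a in $attrs; do
        case " $allowed " in
            *" $a "*) continue ;;
        esac
        hint=""
        for c in person inetorgperson; do
            case " $(must_for "$c") $(may_for "$c") " in
                *" $a "*) hint=" (add objectClass: $c)" ;;
            esac
        done
        echo "attribute $a is not allowed by the declared objectClass values$hint"
    done
    return 0
}

# ldapmodify change record for the "Expanding the data" step: add the class and
# the new values to the existing entry instead of re-adding it. OpenLDAP 2.0
# accepts adding inetOrgPerson to a person entry; recent releases refuse to
# change an entry's structural class, and there the entry has to be removed
# with ldapdelete and re-added with the full set of classes.
extend_entry_ldif() {
    dn=$1; mail=$2; nick=$3
    cat <<EOF
dn: $dn
changetype: modify
add: objectClass
objectClass: inetOrgPerson
-
add: mail
mail: $mail
-
add: cn
cn: $nick
EOF
}

main() {
    tmp=${TMPDIR:-/tmp}/ldif-check.$$
    mkdir -p "$tmp"
    # Constructed: the page's person file with mail added, sn forgotten and
    # no inetOrgPerson class.
    cat > "$tmp/jo.ldif" <<'EOF'
dn: cn=Jo Nobody,dc=e-nor,dc=net
cn: Jo Nobody
mail: j.nobody@e-nor.net
objectClass: person
EOF
    echo "problems in jo.ldif:"
    check_entry "$tmp/jo.ldif"
    echo "change record to extend the existing entry:"
    extend_entry_ldif "cn=Jo Nobody,dc=e-nor,dc=net" j.nobody@e-nor.net jono
    rm -rf "$tmp"
}
main
```

Save the change record to a file and apply it with "ldapmodify -x -D "cn=Manager,dc=e-nor,dc=net" -W -f" followed by the file name; the same -x, -D and -W options apply as for ldapadd.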

 

Using the LDAP service

There are several applications that are LDAP aware. As an example, here is how to set up Microsoft Outlook Express to use the server just set up.

  • Open Outlook Express, and on the menu bar, select "Tools / Accounts / Directory Service"

  • Select "Add / Directory Service"

  • In the box called "Internet directory (LDAP) server", type in the fully qualified name of the LDAP server

  • Don't tick the box about logging on, then click on "Next" - Outlook Express will then query the server anonymously, in clear text on port 389, which works because of the default read access

  • On the next screen, select the "No" box, and click on "Next"

  • On the next screen, click on finish

  • This takes you back to the Directory Services screen

  • However you haven't finished yet - highlight the entry just created, and select "Properties"

  • Click on the advanced tab

  • In the box headed "Search base", enter the domain that the LDAP server has the database for - note that this must be in LDAP format, that is

     
    
        dc=e-nor,dc=net
    

  • Click on "Apply", then on "OK"

  • Click on "Close" to clear the screen

  • Now you are finished !

To do a search,

  • On the toolbar, go to "Edit / Find / People"

  • In the "Name" box, type in the name of the person information is required about, then click on "Find Now"

  • Another screen pops up with the e-mail address from the LDAP database

  • Cool !

 

Finally .....

There is a lot more to LDAP and to OpenLDAP than what is contained in this webpage - this is only a basic introduction to the version of OpenLDAP bundled with Red Hat Linux 9.

There is plenty of information available from the internet about LDAP, and the site www.openldap.org contains a host of documentation about OpenLDAP.

 


© 2003 Ron Turner

