Difference between revisions of "Installation and configuration of basic openLDAP server"

From Notes_Wiki

Latest revision as of 15:06, 13 March 2022

Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > Basic OpenLDAP server configuration

LDAP Basics

Basic theory of LDAP is mentioned at Basic_theory_of_ldap. It is important to be familiar with basic terminology before trying simple LDAP server setup.


Setup basic LDAP server with base DN

  1. Install required packages:
    yum -y install openldap-servers openldap-clients openldap
  2. Create '/etc/openldap/slapd.conf' file with following contents:
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args
    defaultsearchbase "dc=sbarjatiya,dc=com"
    database bdb
    suffix "dc=sbarjatiya,dc=com"
    rootdn "cn=root,dc=sbarjatiya,dc=com"
    rootpw rekall123
    directory /var/lib/ldap
    The 'rootpw' value is the directory administrator's password and is shown here in clear text only for the sake of the example. Anyone who can read slapd.conf can bind as rootdn, so keep the file owned by ldap:ldap and readable only by that user (mode 0600), and prefer a hashed value generated with 'slappasswd' (it prints a string starting with '{SSHA}' that can be used as the 'rootpw' value verbatim). Also ensure that the directory '/var/lib/ldap' exists and is owned by ldap:ldap, since the bdb database files are created there.
  3. Start LDAP using 'slapd -f /etc/openldap/slapd.conf -u ldap -g ldap' command; '-u' and '-g' make slapd switch to the ldap user instead of running as root, so the files it creates under /var/lib/ldap get the right owner. Do not use 'service slapd start' as that would use '/etc/openldap/slapd.d' with 'cn=config' style configuration, which is not being used here.
  4. Verify that slapd is running using 'ps aux | grep slapd'
  5. Create an organization entry LDIF file named 'sbarjatiya.com.ldif' with following contents:
    #Main ldap base entry
    dn: dc=sbarjatiya,dc=com
    objectClass: dcObject
    objectClass: organization
    #dc is must for dcObject
    dc: sbarjatiya
    #o is must for organization
    o: Barjatiya Softwares
    description: This is main domain for sbarjatiya company
  6. Add the entry to ldap database using:
    ldapadd -x -D 'cn=root,dc=sbarjatiya,dc=com' -f sbarjatiya.com.ldif -W
    and enter password 'rekall123' as mentioned in slapd.conf
  7. Search for all entries in LDAP server using: 'ldapsearch -x'. You should see the organization entry that was added.
  8. To see all entries in LDIF format use: 'ldapsearch -x -LLL'.
  9. Note that the search command requires a base dn to work with. Since we have specified 'defaultsearchbase' in 'slapd.conf' configuration file, that base is being used when we have not specified base explicitly. To specify search base explicitly while searching use:
    ldapsearch -x -LLL -b 'dc=sbarjatiya,dc=com'


About LDIF files

LDIF files have following different types of lines:

  1. Lines that start with # are treated as comment lines
  2. Lines that start with a space are treated as a continuation of the previous attribute line (the leading space is dropped, so a value that needs a space at the fold point is written with two spaces)
  3. Lines consisting of a single - separate consecutive directives within a changetype: modify record
  4. Lines that are completely blank separate one entry (record) from the next, so a file with several entries needs a blank line between them.
  5. Lines that are not blank and do not start with a space, - or # are attribute lines of the form 'attribute: value' ('attribute:: value' carries a base64-encoded value).

All modifications to LDAP database are performed using LDIF files and one among ldapadd, ldapmodify or ldapdelete commands.


Creating organisation units, users and groups

Creating organisation units (ou)

  1. Create LDIF file 'people,groups.sbarjatiya.com.ldif' with following contents (the blank line between the two entries is required, as it separates one LDIF record from the next):
    dn: ou=people,dc=sbarjatiya,dc=com
    objectClass: organizationalUnit
    ou: people
    description: All people in organisation

    dn: ou=groups,dc=sbarjatiya,dc=com
    objectClass: organizationalUnit
    ou: groups
    description: All groups in organisation
  2. Add both organizational units to the database using:
    ldapadd -x -D 'cn=root,dc=sbarjatiya,dc=com' -f people,groups.sbarjatiya.com.ldif -W
  3. Verify that things got added using 'ldapsearch -x -LLL'
  4. To list only organizationalUnit entries in search use:
    ldapsearch -x -LLL '(objectClass=organizationalUnit)'


Create user

  1. Create LDIF file 'saurabh.people.sbarjatiya.com.ldif' with following contents:
    dn: cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com
    objectClass: inetOrgPerson
    #Must due to person
    cn: Saurabh Barjatiya
    #Must due to person
    sn: Barjatiya
    uid: saurabhb
    mail: saurabhb@sbarjatiya.co.in
    mail: barjatiya.saurabh@gmail.com
    ou: people
    homePhone: 040 6653 1293
    displayName: Saurabh Barjatiya
    telephoneNumber: 93939 14337
    postalAddress: Hyderabad, India
    userPassword: rekall123
  2. Add user to LDAP using:
    ldapadd -x -D 'cn=root,dc=sbarjatiya,dc=com' -f saurabh.people.sbarjatiya.com.ldif -W
  3. Verify that entry is added using:
    ldapsearch -x -LLL '(uid=sa*)'

Note that the dn for the user could also have been

    dn: uid=saurabhb,ou=people,dc=sbarjatiya,dc=com

so that conversion from uid to dn or dn to uid can be done with simple string manipulation without requiring any directory search. In the current case, to find the dn for 'uid=saurabhb' the following search would be required:

    ldapsearch -x -LLL '(uid=saurabhb)' dn

Also note that this kind of user is not useful for authentication. For authentication posixAccount and shadowAccount objectclasses should be used as explained at Configuring authentication with openLDAP server
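Both the 'rootpw' in slapd.conf and the 'userPassword' in the user entry above are given in clear text. slapd stores a 'userPassword' value exactly as it arrives in ldapadd/ldapmodify (the 'password-hash' directive only applies to the Password Modify extended operation used by ldappasswd), so to keep hashes in the directory the LDIF itself must carry them. The following is an added example, not code from this page or from OpenLDAP: it reproduces the '{SSHA}' scheme that slappasswd emits (base64 of sha1(password || salt) followed by the salt) and builds the same 'replace: userPassword' modify record the page uses. The 8-byte salt length and the sample dn are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os

# Added example, not code from the page or from OpenLDAP.  It reproduces the
# '{SSHA}' scheme that slappasswd emits by default:
#   "{SSHA}" + base64( sha1(password || salt) || salt )
# The salt length is a free choice; 8 bytes is assumed here.
SALT_LEN = 8
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Return an RFC 2307 style '{SSHA}' value usable as userPassword or rootpw."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per password
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored '{SSHA}' value."""
    if not stored.startswith("{SSHA}"):
        return False
    if isinstance(password, str):
        password = password.encode("utf-8")
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) <= SHA1_LEN:                 # need a digest plus at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def password_change_ldif(dn, new_password):
    """LDIF 'changetype: modify' record that replaces userPassword with a hash,
    in the same form as the replace examples on this page."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        "userPassword: %s\n" % (dn, ssha_hash(new_password))
    )


if __name__ == "__main__":
    # Constructed sample dn from this page; feed the output to ldapmodify.
    print(password_change_ldif("cn=User One,ou=people,dc=sbarjatiya,dc=com", "rekall123"))
```

SSHA is salted SHA-1: the salt defeats precomputed tables, but the hash is fast to brute force, so prefer a stronger scheme where your OpenLDAP version offers one. Verification is included only to show the layout of the stored value; in practice a client checks a password by binding as the user, not by reading userPassword.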


Create group

  1. Create LDIF file 'admins.groups.sbarjatiya.com.ldif' with following contents:
    dn: cn=admins,ou=groups,dc=sbarjatiya,dc=com
    objectClass: groupOfNames
    cn: admins
    description: Set of administrators (system, network or desktop) for the organization.
    member: cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com
    Note that the value of 'member' is the dn of the entry being added to the group, and that groupOfNames requires at least one 'member' value, so a group of this kind cannot be created empty.
  2. Add the group to LDAP database using:
    ldapadd -x -D 'cn=root,dc=sbarjatiya,dc=com' -f admins.groups.sbarjatiya.com.ldif -W
  3. Verify that values got added using:
    ldapsearch -x -LLL '(cn=admins)'

Note that, as mentioned for the user above, groups created in this manner are not useful for authentication purposes; POSIX groups use the posixGroup objectClass instead.



Modifying or deleting entries

Create some test entries

  1. Create LDIF file with following contents:
    dn: cn=User One,ou=people,dc=sbarjatiya,dc=com
    objectClass: inetOrgPerson
    #Must due to person
    cn: User One
    #Must due to person
    sn: One
    uid: user1

    dn: cn=User Two,ou=people,dc=sbarjatiya,dc=com
    objectClass: inetOrgPerson
    #Must due to person
    cn: User Two
    #Must due to person
    sn: Two
    uid: user2

    dn: cn=User Three,ou=people,dc=sbarjatiya,dc=com
    objectClass: inetOrgPerson
    #Must due to person
    cn: User Three
    #Must due to person
    sn: Three
    uid: user3
  2. Add entries to the database using:
    ldapadd -x -D "cn=root,dc=sbarjatiya,dc=com" -f <ldif_file> -W
  3. Verify entries got added using:
    ldapsearch -x -LLL '(uid=user*)'


Modify test entries

Add attributes

  1. To add attributes to an existing entry create LDIF file with following contents:
    dn: cn=User One,ou=people,dc=sbarjatiya,dc=com
    changeType: modify
    add: mobile
    mobile: 93939 14337
    mobile: 86865 99552
  2. Add attribute entries for user1 to the database using:
    ldapmodify -x -D 'cn=root,dc=sbarjatiya,dc=com' -W -f <ldif-file>
  3. Verify that attribute entries were added to user1 using:
    ldapsearch -x -LLL '(uid=user1)'


Replace attributes

  1. To replace attributes of an existing entry create LDIF file with following contents:
    dn: cn=User One,ou=people,dc=sbarjatiya,dc=com
    changeType: modify
    replace: mobile
    mobile: 93297 33122
    mobile: 93000 33122
  2. Replace attribute entries for user1 in the database using:
    ldapmodify -x -D 'cn=root,dc=sbarjatiya,dc=com' -W -f <ldif-file>
  3. Verify that attribute entries were modified using:
    ldapsearch -x -LLL '(uid=user1)'


Removing attribute values

  1. To remove all values of an attribute from an existing entry create LDIF file with following contents:
    dn: cn=User One,ou=people,dc=sbarjatiya,dc=com
    changeType: modify
    delete: mobile
    To remove only one specific value, list that value on the line after 'delete: mobile' (as 'mobile: <value>'); the remaining values of the attribute are kept.
  2. Delete attribute entries for user1 in the database using:
    ldapmodify -x -D 'cn=root,dc=sbarjatiya,dc=com' -W -f <ldif-file>
  3. Verify that attribute entries were deleted using:
    ldapsearch -x -LLL '(uid=user1)'


Multiple modifications

It is possible to do multiple modifications to same entry using LDIF file such as:

    dn: cn=User One,ou=People,dc=sbarjatiya,dc=com
    changeType: modify
    add: mobile
    mobile: 93939 14337
    mobile: 86865 99552
    -
    add: mail
    mail: saurabh.barjatiya@yahoo.com
    mail: saurabh.barjatiya@hotmail.com
    -
    replace: userPassword
    userPassword: rekall123
    -
    replace: postalAddress
    postalAddress: Hyderabad, India


Multiple entry modifications

It is also possible to modify attributes across DNs using LDIF file such as:

    dn: cn=User Two,ou=People,dc=sbarjatiya,dc=com
    changeType: modify
    add: mobile
    mobile: 93939 14337
    mobile: 86865 99552
    -
    replace: userPassword
    userPassword: rekall123

    dn: cn=User Three,ou=People,dc=sbarjatiya,dc=com
    changeType: modify
    add: mobile
    mobile: 93939 14337
    mobile: 86865 99552
    -
    replace: userPassword
    userPassword: rekall123


Syntax of modification LDIF files

Modification LDIF files use following syntax:

  • 'changeType: modify' is used to indicate that entry will be modified
  • 'add: <attribute>' is used to indicate that the given values should be added to the attribute. Any existing values of that attribute remain unaffected; adding a value that already exists is an error.
  • 'delete: <attribute>' is used to indicate that all values for the given attribute should be deleted; if values are listed under it, only those values are deleted.
  • 'replace: <attribute>' is used to indicate that all existing values for the given attribute should be deleted and the given values added in their place; a replace with no values removes the attribute.
  • Hyphen '-' is required to separate consecutive add, replace or delete directives for the same entry. The last directive is not required to be followed by a hyphen.
  • If more than one entry is to be modified then the two modification records should be separated by a blank line; ldapmodify applies them in order and, unless '-c' (continue) is given, stops at the first one that fails.
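The line rules from the 'About LDIF files' section and the modify syntax just listed are easy to get subtly wrong (a missing blank line merges two records, a missing '-' puts a value into the wrong directive). The following small LDIF reader is an added example, not code from this page or from OpenLDAP: it implements exactly those rules and turns 'changetype: modify' records into (operation, attribute, values) triples, so a file can be checked before it is handed to ldapmodify. It covers only the LDIF subset this page uses (no 'attr:< url' values); the sample LDIF at the bottom is constructed for the example.

```python
import base64

# Added example: LDIF reader for the line rules described on this page.
# Not code from the page or from OpenLDAP; handles only the subset used here.


def _records(text):
    """Return one list of unfolded, comment-free logical lines per LDIF record."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):              # comment line: ignored
            continue
        if raw == "":                        # blank line: ends the current record
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" "):              # continuation: append without the leading space
            if not current:
                raise ValueError("continuation line with nothing to continue")
            current[-1] += raw[1:]
            continue
        current.append(raw)
    if current:
        records.append(current)
    return records


def _attr(line):
    """Split 'name: value' or 'name:: base64value' into (name, value)."""
    name, sep, rest = line.partition(":")
    if not sep or not name.strip():
        raise ValueError("not an attribute line: %r" % line)
    if rest.startswith(":"):
        return name.strip(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip(), rest.strip()


def _mods(lines):
    """Parse the body of a modify record into [(op, attribute, [values])]."""
    mods, current = [], None
    for line in lines:
        if line == "-":                      # '-' terminates the current directive
            if current is None:
                raise ValueError("'-' without a preceding add/delete/replace")
            mods.append(current)
            current = None
            continue
        name, value = _attr(line)
        if current is None:
            if name.lower() not in ("add", "delete", "replace"):
                raise ValueError("expected add/delete/replace, got %r" % line)
            current = (name.lower(), value, [])
        elif name.lower() != current[1].lower():
            raise ValueError("%r does not belong to '%s: %s'" % (line, current[0], current[1]))
        else:
            current[2].append(value)
    if current is not None:                  # last directive needs no trailing '-'
        mods.append(current)
    return mods


def parse_ldif(text):
    """Return a list of records: dict(dn, changetype, attrs, mods)."""
    out = []
    for lines in _records(text):
        name, dn = _attr(lines[0])
        if name.lower() != "dn":
            raise ValueError("record must start with 'dn:', got %r" % lines[0])
        rec = {"dn": dn, "changetype": "add", "attrs": {}, "mods": []}
        body = lines[1:]
        if body and _attr(body[0])[0].lower() == "changetype":
            rec["changetype"] = _attr(body[0])[1].lower()
            body = body[1:]
        if rec["changetype"] == "modify":
            rec["mods"] = _mods(body)
        else:                                # plain add record: collect attribute values
            for line in body:
                name, value = _attr(line)
                rec["attrs"].setdefault(name, []).append(value)
        out.append(rec)
    return out


# Constructed sample covering every line type described on this page.
SAMPLE_LDIF = """\
# one add record followed by two modify records
dn: cn=User One,ou=people,dc=sbarjatiya,dc=com
objectClass: inetOrgPerson
cn: User One
sn: One
uid: user1
description: a long value that is
  folded onto a second line

dn: cn=User Two,ou=people,dc=sbarjatiya,dc=com
changetype: modify
add: mobile
mobile: 93939 14337
mobile: 86865 99552
-
replace: userPassword
userPassword: rekall123

dn: cn=User Three,ou=people,dc=sbarjatiya,dc=com
changetype: modify
delete: mobile
"""

if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        print(rec["dn"], rec["changetype"], rec["mods"] or rec["attrs"])
```

Note the two spaces at the start of the folded 'description' line: the first is the continuation marker and is dropped, the second is the space that belongs in the value.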


Deleting test entries

To delete entries use

    ldapdelete -x -D "cn=root,dc=sbarjatiya,dc=com" -W 'cn=User One,ou=people,dc=sbarjatiya,dc=com'
    ldapdelete -x -D "cn=root,dc=sbarjatiya,dc=com" -W 'cn=User Two,ou=people,dc=sbarjatiya,dc=com'
    ldapdelete -x -D "cn=root,dc=sbarjatiya,dc=com" -W 'cn=User Three,ou=people,dc=sbarjatiya,dc=com'


Searching in LDAP database

Use following to search for all entries in dc=sbarjatiya,dc=com:

ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com"


Use following to search for all entries in ou people:

ldapsearch -x -LLL -b "ou=people,dc=sbarjatiya,dc=com"


Use following to search for all entries in ou people and list only dn, cn and sn attributes of the entries:

ldapsearch -x -LLL -b "ou=people,dc=sbarjatiya,dc=com" dn cn sn


Use following to search for all entries where 'cn=Saurabh Barjatiya':

ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com" '(cn=Saurabh Barjatiya)'

Use following to search for all entries where 'cn=Saurabh Barjatiya' and list only the sn attribute:

ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com" '(cn=Saurabh Barjatiya)' sn

Note that the dn of each matching entry is always listed, whatever attribute list is given.


Overall ldapsearch has following options:

  • '-x' to use simple authentication instead of SASL. Since we have not specified -D '<dn>' and -W or -w, the bind is anonymous.
  • '-LLL' to list in the ldif format without comments and without the version line.
  • '-b' to specify base from where search should start
  • filter enclosed in () in filter format
  • list of attributes to be displayed for matched entries
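The filters above embed fixed literals such as '(cn=Saurabh Barjatiya)', and the note in the 'Create user' section builds a dn from a uid by string manipulation. When the value comes from a user or another system, both strings must be escaped, otherwise '*', '(', ')' and '\' change what a filter matches (LDAP filter injection) and ',' or '+' change which entry a dn names. The following is an added example, not code from this page or from OpenLDAP: it implements RFC 4515 filter-value escaping and RFC 4514 DN-value escaping and builds the page's '(uid=...)' filter and uid-based dn from them. The sample inputs are constructed.

```python
# Added example, not code from the page or from OpenLDAP: escaping for the two
# places where this page builds strings out of values, search filters
# (RFC 4515) and DNs (RFC 4514).  Sample inputs are constructed.

_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value):
    """RFC 4515: make 'value' match literally inside a search filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:                 # non-ASCII: escape every UTF-8 byte as \xx
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value):
    """RFC 4514: escape an attribute value for use inside a DN component."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:           # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space is significant only if escaped
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def uid_filter(uid):
    """Safe equivalent of the page's ldapsearch filter '(uid=...)'."""
    return "(uid=%s)" % escape_filter_value(uid)


def uid_filter_unsafe(uid):
    """What naive string formatting produces; shown only for comparison."""
    return "(uid=%s)" % uid


def user_dn(uid):
    """uid-based dn from the page's note, built without a directory search."""
    return "uid=%s,ou=people,dc=sbarjatiya,dc=com" % escape_dn_value(uid)


if __name__ == "__main__":
    for raw in ["saurabhb", "*", "x)(uid=*"]:
        print("%-12r unsafe: %-18s safe: %s" % (raw, uid_filter_unsafe(raw), uid_filter(raw)))
    print(user_dn("One, Two"))
```

With the unsafe builder the input '*' turns the exact-match query into '(uid=*)', which returns every entry that has a uid; with escaping it becomes '(uid=\2a)' and matches only a literal asterisk. The same applies to every filter on this page that would take a value from outside.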


Bind mechanisms

Anonymous binding

To bind with ldap server anonymously use '-x' option without '-D' in most ldap commands such as:

ldapwhoami -x


Simple binding

To bind with ldap server with password use '-D' to specify bind dn and '-W' or '-w' to specify password:

ldapwhoami -x -D "cn=owner,dc=sbarjatiya,dc=com" -W


Disabling anonymous bind

To disable anonymous bind, use following line in 'slapd.conf' file:

disallow bind_anon

Note that this only rejects explicit anonymous bind requests (which is what 'ldapsearch -x' without '-D' sends). A client that skips the bind operation altogether is still anonymous, so to also refuse unauthenticated operations add 'require authc' as well.


Disabling simple bind

To disable simple bind, use following line in 'slapd.conf' file:

disallow bind_simple

Note that the keyword is 'bind_simple' (not 'simple_bind'); slapd will not accept the configuration with an unknown 'disallow' feature. With simple bind disabled only SASL binds are accepted. If simple bind is kept, remember that it sends the password in clear text over plain ldap://, so either run it only over TLS or require a protected transport for it with 'security simple_bind=128'.




Configuring indexing

For configuring indexing for database bdb one can use configuration similar to:

index default eq,pres
index uid eq
index cn,gn,mail eq,sub
index sn eq,sub
index ou eq
index telephonenumber eq

These lines should be added to '/etc/openldap/slapd.conf' file after database specification. Here

eq
Index for equality tests without use of wildcard, such as '(uid=saurabhb)' or '(objectClass=person)'
sub
Index for substrings. There are three sub-categories of this index subinitial, subany and subfinal.
subinitial
Index for strings starting with given part such as 'cn=abc*'
subany
Index for strings containing given part such as 'cn=*abc*'
subfinal
Index for strings terminating with given part such as 'cn=*abc'
approx
Index for approximate (sounds-like) searches such as 'cn~=person'
pres
Index for presence tests, i.e. whether an entry has the given attribute at all, such as '(mail=*)'

The 'index default eq,pres' line sets the index types used by any later 'index' line that does not name its own. Unindexed filters still work, but slapd has to scan every entry to answer them, so on a large directory searches on unindexed attributes are slow and a cheap way for a client to load the server; index the attributes your applications actually search on (objectClass included, since almost every filter tests it).

If the index lines are present when the database is first populated, slapd maintains the indexes automatically as entries are added or modified. But if an index line is added or changed on an existing ldap server, the existing data must be re-indexed:

  1. ldap server should be stopped
  2. 'slapindex -f /etc/openldap/slapd.conf' command should be used to generate the indexes from the configuration file. Run it as the ldap user (for example 'su -s /bin/sh ldap -c "slapindex -f /etc/openldap/slapd.conf"'), or fix the ownership of '/var/lib/ldap' afterwards, because index files created by root cannot be opened by slapd when it runs as ldap.
  3. Finally ldap server can be started again



ldap global configuration options

idleTimeout

Specify the number of seconds to wait before forcibly closing an idle client connection. An idletimeout of 0, the default, disables this feature.

Example:

idleTimeout 30


sizeLimit

This directive specifies the maximum number of entries to return from a search operation.

Default:

sizelimit 500

We can change limit for specific DNs using:

limits dn.exact="cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com" size=100000

Note that the limits do not apply to rootdn.


timelimit

This directive specifies the maximum number of seconds (in real time) slapd will spend answering a search request. If a request is not finished in this time, a result indicating an exceeded timelimit will be returned.

Default:

timelimit 3600

We can create exception for specific DNs using:

limits dn.exact="cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com" time=3600

Note that the limits do not apply to rootdn.




ldap database configuration options

checkpoint

This directive specifies how often to checkpoint the BDB transaction log. A checkpoint operation flushes the database buffers to disk and writes a checkpoint record in the log. The checkpoint will occur if either <kbyte> data has been written or <min> minutes have passed since the last checkpoint. Both arguments default to zero, in which case they are ignored. When the <min> argument is non-zero, an internal task will run every <min> minutes to perform the checkpoint.

checkpoint 1024 5

