Installation of OpenLDAP
Install OpenLDAP by running the
following commands:
./configure --prefix=/usr \
--libexecdir=/usr/sbin \
--sysconfdir=/etc \
--localstatedir=/srv/ldap \
--disable-debug \
--enable-dynamic \
--enable-crypt \
--enable-modules \
--enable-rlookups \
--enable-backends \
--enable-overlays \
--disable-sql &&
make depend &&
make
To test the results, issue: make
test. If you've enabled tcp_wrappers, ensure you add 127.0.0.1 to the
slapd
line in the
/etc/hosts.allow
file if you have a
restrictive /etc/hosts.deny
file.
Now, as the root
user:
make install &&
for LINK in lber ldap ldap_r; do
chmod -v 0755 /usr/lib/$(readlink /usr/lib/lib${LINK}.so)
done &&
install -v -m755 -d /usr/share/doc/openldap-2.3.39/{drafts,guide,rfc} &&
install -v -m644 doc/drafts/* /usr/share/doc/openldap-2.3.39/drafts &&
install -v -m644 doc/rfc/* /usr/share/doc/openldap-2.3.39/rfc &&
cp -v -R doc/guide/* /usr/share/doc/openldap-2.3.39/guide
Command Explanations
--libexecdir=/usr/sbin
:
Installs the slapd
and slurpd daemon
programs in /usr/sbin
instead of
/usr/libexec
.
--sysconfdir=/etc
: Sets the
configuration file directory to avoid the default of /usr/etc
.
--localstatedir=/srv/ldap
:
Sets the directory to use for the LDAP directory database,
replication logs and run-time variable data.
--disable-debug
: Disable
debugging code.
--enable-dynamic
: This
forces the OpenLDAP libraries to
be dynamically linked to the executable programs.
--enable-crypt
: Enables
crypt(3) passwords.
--enable-modules
: Enables
dynamic module support.
--enable-rlookups
: This
parameter enables reverse lookups of client hostnames.
--enable-backends
: This
parameter enables all available backends.
--enable-overlays
: This
parameter enables all available overlays.
--disable-sql
: This
parameter explicity disables the sql backend. Omit this switch if a
SQL server is installed.
--disable-bdb --disable-hdb
--with-ldbm-api=gdbm
: Pass these parameters to the
configure command if
you wish to use GDBM instead of
Berkeley DB as the primary backend
database.
chmod -v 0755 ...:
This command adds the executable bit to the shared libraries.
Note
You can run ./configure
--help to see if there are other parameters you
can pass to the configure command to enable
other options or dependency packages.
Configuring OpenLDAP
Config Files
/etc/openldap/*
Configuration Information
Configuring the slapd and slurpd servers can be complex.
Securing the LDAP directory, especially if you are storing
non-public data such as password databases, can also be a
challenging task. You'll need to modify the /etc/openldap/slapd.conf
and /etc/openldap/ldap.conf
files to set up
OpenLDAP for your particular
needs.
Resources to assist you with topics such as choosing a directory
configuration, backend and database definitions, access control
settings, running as a user other than root
and setting a chroot environment include:
Utilizing GDBM
To utilize GDBM as the database
backend, the “database”
entry in /etc/openldap/slapd.conf
must be changed from “bdb”
to “ldbm”. You can use
both by creating an additional database section in /etc/openldap/slapd.conf
.
Mozilla Address Directory
By default, LDAPv2 support is disabled in the slapd.conf
file. Once the database is properly
set up and Mozilla is configured
to use the directory, you must add allow
bind_v2
to the slapd.conf
file.
Boot Script
To automate the startup of the LDAP server at system bootup,
install the /etc/rc.d/init.d/openldap
init script included
in the blfs-bootscripts-20080816 package
using the following command:
make install-openldap1
Note: The init script you
just installed only starts the slapd daemon. If you wish to
also start the slurpd daemon at system
startup, install a modified version of the script using this
command:
make install-openldap2
Note
The init script starts the daemons without any parameters.
You'll need to modify the script to include the parameters
needed for your specific configuration. See the slapd and slurpd man pages for
parameter information.
Testing the Configuration
Start the LDAP server using the init script:
/etc/rc.d/init.d/openldap start
Verify access to the LDAP server with the following command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
The expected result is:
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=my-domain,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1