13.6. OpenLDAP Setup Overview
This section provides a quick overview for installing and configuring an OpenLDAP directory. For more details, refer to the following URLs:
- http://www.openldap.org/doc/admin/quickstart.html — The Quick-Start Guide on the OpenLDAP website.
- http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html — The LDAP Linux HOWTO from the Linux Documentation Project, mirrored on Red Hat's website.
The basic steps for creating an LDAP server are as follows:
- Install the
- Edit the
/etc/openldap/slapd.conffile to specify the LDAP domain and server. Refer to Section 13.6.1, “Editing
/etc/openldap/slapd.conf” for more information.
slapdwith the command:
service ldap startAfter configuring LDAP, use
/usr/sbin/ntsysv, or the Services Configuration Tool to configure LDAP to start at boot time. For more information about configuring services, refer to the chapter titled Controlling Access to Services in the System Administrators Guide.
- Add entries to an LDAP directory with
ldapsearchto determine if
slapdis accessing the information correctly.
- At this point, the LDAP directory should be functioning properly and can be configured with LDAP-enabled applications.
To use the
slapdLDAP server, modify its configuration file,
/etc/openldap/slapd.conf, to specify the correct domain and server.
suffixline names the domain for which the LDAP server provides information and should be changed from:
so that it reflects a fully qualified domain name. For example:
rootdnentry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The
rootdnuser can be thought of as the root user for the LDAP directory. In the configuration file, change the
rootdnline from its default value as in the following example:
When populating an LDAP directory over a network, change the
rootpwline — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
When prompted, type and then re-type a password. The program prints the resulting encrypted password to the shell prompt.
Next, copy the newly created encrypted password into the
/etc/openldap/slapd.confon one of the
rootpwlines and remove the hash mark (
When finished, the line should look similar to the following example:
LDAP passwords, including the
rootpwdirective specified in
/etc/openldap/slapd.conf, are sent over the network unencrypted, unless TLS encryption is enabled.
To enable TLS encryption, review the comments in
/etc/openldap/slapd.confand refer to the man page for
For added security, the
rootpwdirective should be commented out after populating the LDAP directory by preceding it with a hash mark (
When using the
/usr/sbin/slapaddcommand line tool locally to populate the LDAP directory, use of the
rootpwdirective is not necessary.
Only the root user can use
/usr/sbin/slapadd. However, the directory server runs as the
ldapuser. Therefore, the directory server is unable to modify any files created by
slapadd. To correct this issue, after using
slapadd, type the following command:
chown -R ldap /var/lib/ldap