28.3. OpenLDAP Daemons and Utilities
The OpenLDAP libraries and tools are included in the following packages:
openldap — Contains the libraries necessary to run the OpenLDAP server and client applications.
openldap-clients — Contains command line tools for viewing and modifying directories on an LDAP server.
openldap-servers — Contains the servers and other utilities necessary to configure and run an LDAP server.
There are two servers contained in the openldap-servers package: the Standalone LDAP Daemon (/usr/sbin/slapd) and the Standalone LDAP Update Replication Daemon (/usr/sbin/slurpd).
The slapd daemon is the standalone LDAP server, while the slurpd daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The slurpd daemon is only used when dealing with multiple LDAP servers.
To perform administrative tasks, the openldap-servers package installs the following utilities into the /usr/sbin/ directory:
slapadd — Adds entries from an LDIF file to an LDAP directory. For example, the command /usr/sbin/slapadd -l ldif-input reads in the LDIF file, ldif-input, containing the new entries.
Important: Only the root user may use /usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore the directory server is unable to modify any database files created by slapadd while running as root. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldap
slapcat — Pulls entries from an LDAP directory in the default format, Sleepycat Software's Berkeley DB system, and saves them in an LDIF file. For example, the command /usr/sbin/slapcat -l ldif-output outputs an LDIF file called ldif-output containing the entries from the LDAP directory.
slapindex — Re-indexes the slapd directory based on the current content. This tool should be run whenever indexing options within /etc/openldap/slapd.conf are changed.
slappasswd — Generates an encrypted (hashed) user password value for use with the rootpw value in /etc/openldap/slapd.conf, so that the configuration file never has to hold the cleartext password. Execute the /usr/sbin/slappasswd command to create the password.
Stop the slapd daemon by issuing the /sbin/service ldap stop command before using slapindex. Otherwise, the integrity of the LDAP directory is at risk.
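As an added example that is not part of the Red Hat guide or the OpenLDAP tools themselves, the following Python reproduces the salted SHA-1 ({SSHA}) scheme that slappasswd emits by default, and checks a candidate password against such a value; this shows what the rootpw directive actually stores. The function names ssha_hash and ssha_verify are the example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the guide: the {SSHA} format slappasswd writes is
#   "{SSHA}" + base64( sha1(password || salt) || salt )
# The hash, not the cleartext, is what belongs in the rootpw line of
# /etc/openldap/slapd.conf.

SHA1_LEN = 20          # length of a raw SHA-1 digest in bytes
SALT_LEN = 4           # slappasswd uses a short random salt by default


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} string suitable for a rootpw or userPassword value."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    Returns False for any value that is not a well-formed {SSHA} string
    rather than raising, so callers can treat bad data as a failed bind.
    """
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        return False
    try:
        raw = base64.b64decode(stored[len(prefix):], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:      # must contain a digest plus a salt
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, as a directory server should do
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # constructed sample password; paste the output after "rootpw " in slapd.conf
    print("rootpw " + ssha_hash("example-password"))
```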
The openldap-clients package installs tools into /usr/bin/ which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:
ldapadd — Adds entries to an LDAP directory by accepting input via a file or standard input; ldapadd is actually a hard link to ldapmodify.
ldapdelete — Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.
ldapmodify — Modifies entries in an LDAP directory, accepting input via a file or standard input.
ldappasswd — Sets the password for an LDAP user.
ldapsearch — Searches for entries in an LDAP directory using a shell prompt.
ldapcompare — Opens a connection to an LDAP server, binds, and performs a comparison using specified parameters.
ldapwhoami — Opens a connection to an LDAP server, binds, and performs a whoami operation.
ldapmodrdn — Opens a connection to an LDAP server, binds, and modifies the RDNs of entries.
With the exception of ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
28.3.1. NSS, PAM, and LDAP
In addition to the OpenLDAP packages, Red Hat Enterprise Linux includes a package called nss_ldap, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.
The nss_ldap package provides two modules, the libnss_ldap-<version>.so NSS module and the pam_ldap.so PAM module (where <version> refers to the version of nss_ldap installed). On Itanium or AMD64 architectures the same two modules are installed under the 64-bit library directories (/lib64/) instead.
The libnss_ldap-<version>.so module allows applications to look up users, groups, hosts, and other information using an LDAP directory via the Nameservice Switch (NSS) interface of glibc. NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files.
The pam_ldap module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.
28.3.2. PHP4, LDAP, and the Apache HTTP Server
The php-ldap package adds LDAP support to the PHP4 HTML-embedded scripting language via the /usr/lib/php4/ldap.so module. This module allows PHP4 scripts to access information stored in an LDAP directory.
Red Hat Enterprise Linux also includes the mod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The mod_ssl module is required when using the mod_authz_ldap module, since the client certificate it relies on is only available over an SSL connection.
Important: The mod_authz_ldap module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental mod_auth_ldap module, which is not included with Red Hat Enterprise Linux. Refer to the Apache Software Foundation website online at http://www.apache.org/ for details on the status of this module.