Introduction to OpenLDAP

The OpenLDAP package provides an open source implementation of the Lightweight Directory Access Protocol.

Package Information

OpenLDAP Dependencies


Berkeley DB-4.3.28


Cyrus SASL-2.1.21 and OpenSSL-0.9.7g


tcpwrappers-7.6, GDBM-1.8.3, GNU Pth, and Heimdal-0.7 or MIT krb5-1.4.1

Installation of OpenLDAP

Install OpenLDAP by running the following commands:

./configure --prefix=/usr --libexecdir=/usr/sbin \
    --sysconfdir=/etc --localstatedir=/srv/ldap \
    --enable-ldbm --disable-debug &&
make depend &&
make &&
make test

Now, as the root user:

make install &&
chmod 755 /usr/lib/libl*

Command Explanations

--libexecdir=/usr/sbin: Installs the server executables in /usr/sbin instead of /usr/libexec.

--sysconfdir=/etc: Sets the configuration file directory to avoid the default of /usr/etc.

--localstatedir=/srv/ldap: Sets the directory to use for the LDAP directory database, replication logs and run-time variable data.

--enable-ldbm: Build slapd with the primary database back end using either Berkeley DB or GNU Database Manager.

--disable-debug: Disable debugging code.

make test: Validates the correct build of the package. If you've enabled tcp_wrappers, ensure you add to the slapd line in the /etc/hosts.allow file if you have a restrictive /etc/hosts.deny file. If you logged the output of the make test, an easy test to see if all the tests succeeded is to issue grep ">>>>> Test succeeded" [logfilename] | wc -l. You should have 39 returned.

chmod 755 /usr/lib/libl* This command adds the executable bit to the shared libraries.

Configuring OpenLDAP

Config Files


Configuration Information

Configuring the slapd and slurpd servers can be complex. Securing the LDAP directory, especially if you are storing non-public data such as password databases, can also be a challenging task. You'll need to modify the /etc/openldap/slapd.conf and /etc/openldap/ldap.conf files to set up OpenLDAP for your particular needs.

Resources to assist you with topics such as choosing a directory configuration, backend and database definitions, access control settings, running as a user other than root and setting a chroot environment include:

Utilizing GDBM

To utilize GDBM as the database backend, the “database” entry in /etc/openldap/slapd.conf must be changed from “bdb” to “ldbm”. You can use both by creating an additional database section in /etc/openldap/slapd.conf.

Mozilla Address Directory

By default, LDAPv2 support is disabled in the slapd.conf file. Once the database is properly set up and Mozilla is configured to use the directory, you must add allow bind_v2 to the slapd.conf file.

Boot Script

To automate the startup of the LDAP server at system bootup, install the /etc/rc.d/init.d/openldap init script included in the blfs-bootscripts-6.1 package using the following command:

make install-openldap1

Note: The init script you just installed only starts the slapd daemon. If you wish to also start the slurpd daemon at system startup, install a modified version of the script using this command:

make install-openldap2


The init script starts the daemons without any parameters. You'll need to modify the script to include the parameters needed for your specific configuration. See the slapd and slurpd man pages for parameter information.

Testing the Configuration

Start the LDAP server using the init script:

/etc/rc.d/init.d/openldap start

Verify access to the LDAP server with the following command:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

The expected result is:

# extended LDIF
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts

namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Installed Programs: ldapadd, ldapcompare, ldapdelete, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch, ldapwhoami, slapadd, slapcat, slapd, slapdn, slapindex, slappasswd, slaptest, and slurpd
Installed Libraries: liblber.[so,a], libldap.[so,a], and libldap_r.[so,a]
Installed Directories: /etc/openldap, /srv/ldap, and /usr/share/openldap

Short Descriptions


opens a connection to an LDAP server, binds and adds entries.


opens a connection to an LDAP server, binds and performs a compare using specified parameters.


opens a connection to an LDAP server, binds and deletes one or more entries.


opens a connection to an LDAP server, binds and modifies entries.


opens a connection to an LDAP server, binds and modifies the RDN of entries.


is a tool to set the password of an LDAP user.


opens a connection to an LDAP server, binds and performs a search using specified parameters.


opens a connection to an LDAP server, binds and displays whoami information.


is used to add entries specified in LDAP Directory Interchange Format (LDIF) to an LDAP database.


is used to generate an LDAP LDIF output based upon the contents of a slapd database.


is the stand-alone LDAP server.


checks a list of string-represented DNs based on schema syntax.


is used to regenerate slapd indices based upon the current contents of a database.


is an OpenLDAP password utility.


checks the sanity of the slapd.conf file.


is the stand-alone LDAP replication server.


is a set of lightweight Basic Encoding Rules routines. These routines are used by the LDAP library routines to encode and decode LDAP protocol elements using the (slightly simplified) Basic Encoding Rules defined by LDAP. They are not normally used directly by an LDAP application program except in the handling of controls and extended operations.


supports the LDAP programs and provide functionality for other programs interacting with LDAP.


contains the functions required by the LDAP programs to produce the results from LDAP requests.

Last updated on 2005-08-01 13:29:19 -0600