Beyond Linux® From Scratch - Version 7.5

Chapter 23. Other Server Software

OpenLDAP-2.4.39

Introduction to OpenLDAP

The OpenLDAP package provides an open source implementation of the Lightweight Directory Access Protocol.

This package is known to build and work properly using an LFS-7.5 platform.

Package Information

Additional Downloads

OpenLDAP Dependencies

Required

Berkeley DB-6.0.20 (only if building server)

Recommended

Cyrus SASL-2.1.26 and OpenSSL-1.0.1f

Optional

ICU-52.1, MariaDB-10.0.8 or MySQL-5.6.16 or PostgreSQL-9.3.3, OpenSLP, Pth-2.0.7 and unixODBC-2.3.2

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/openldap

Installation of OpenLDAP

[Note]

Note

If you only need to install the client side ldap* binaries, corresponding man pages, libraries and header files (referred to as a “client-only” install), issue these commands instead of the following ones (no test suite available): 

patch -Np1 -i ../openldap-2.4.39-blfs_paths-1.patch &&
patch -Np1 -i ../openldap-2.4.39-symbol_versions-1.patch &&
autoconf &&
./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --disable-static  \
            --enable-dynamic  \
            --disable-debug   \
            --disable-slapd &&
make depend &&
make &&
make install

There should be a dedicated user and group to take control of the slapd daemon after it is started. Issue the following commands as the root user: 

groupadd -g 83 ldap &&
useradd -c "OpenLDAP Daemon Owner" -d /var/lib/openldap -u 83 \
        -g ldap -s /bin/false ldap

Install OpenLDAP by running the following commands: 

patch -Np1 -i ../openldap-2.4.39-blfs_paths-1.patch &&
patch -Np1 -i ../openldap-2.4.39-symbol_versions-1.patch &&
autoconf &&
./configure --prefix=/usr         \
            --sysconfdir=/etc     \
            --localstatedir=/var  \
            --libexecdir=/usr/lib \
            --disable-static      \
            --disable-debug       \
            --enable-dynamic      \
            --enable-crypt        \
            --enable-spasswd      \
            --enable-modules      \
            --enable-rlookups     \
            --enable-backends=mod \
            --enable-overlays=mod \
            --disable-ndb         \
            --disable-sql &&
make depend &&
make

To test the results, issue: make test. Tests may fail after a long time (~ 5 SBU).

Now, as the root user: 

make install &&

chmod -v 700 /var/lib/openldap                                         &&
chown -v -R ldap:ldap /var/lib/openldap                                &&
chmod -v 640 /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example}       &&
chown -v root:ldap /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example} &&
install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d                &&

install -v -dm755  /usr/share/doc/openldap-2.4.39 &&
cp -vfr doc/drafts /usr/share/doc/openldap-2.4.39 &&
cp -vfr doc/rfc    /usr/share/doc/openldap-2.4.39 &&
cp -vfr doc/guide  /usr/share/doc/openldap-2.4.39

Having slapd configuration files and ldap databases in /var/lib/openldap readable by anyone is a SECURITY ISSUE, especially since a file stores admin password in PLAIN TEXT. That's why mode 640 and root:ldap ownership were used. Owner is root, so only root can modify the file, and group is ldap, so that the group which owns slapd daemon could read but not modify the file in case of a security breach.

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--disable-debug: This switch disables the debugging code in OpenLDAP.

--enable-dynamic: This switch forces the OpenLDAP libraries to be dynamically linked to the executable programs.

--enable-crypt: This switch enables using of crypt(3) passwords.

--enable-spasswd: This switch enables SASL password verification.

--enable-modules: This switch enables dynamic module support.

--enable-rlookups: This switch enables reverse lookups of client hostnames.

--enable-backends: This switch enables all available backends.

--enable-overlays: This switch enables all available overlays.

--disable-ndb: This switch disables MySQL NDB Cluster backend which causes configure to fail if MySQL is present.

--disable-sql: This switch explicitly disables the SQL backend. Omit this switch if a SQL server is installed and you are going to use a SQL backend.

--libexecdir=/usr/lib: This switch controls where the /usr/lib/openldap directory is installed. Everything in that directory is a library, so it belongs under /usr/lib instead of /usr/libexec.

--enable-slp: This switch enables SLPv2 support. Use it if you have installed OpenSLP.

[Note]

Note

You can run ./configure --help to see if there are other switch you can pass to the configure command to enable other options or dependency packages.

Configuring OpenLDAP

Config Files

/etc/openldap/*

Configuration Information

Configuring the slapd servers can be complex. Securing the LDAP directory, especially if you are storing non-public data such as password databases, can also be a challenging task. You'll need to modify the /etc/openldap/slapd.conf and /etc/openldap/ldap.conf files to set up OpenLDAP for your particular needs.

Resources to assist you with topics such as choosing a directory configuration, backend and database definitions, access control settings, running as a user other than root and setting a chroot environment include:

Mozilla Address Directory

By default, LDAPv2 support is disabled in the slapd.conf file. Once the database is properly set up and Mozilla is configured to use the directory, you must add allow bind_v2 to the slapd.conf file.

Boot Script

To automate the startup of the LDAP server at system bootup, install the /etc/rc.d/init.d/slapd init script included in the blfs-bootscripts-20140301 package using the following command: 

make install-slapd
[Note]

Note

You'll need to modify the /etc/sysconfig/slapd to include the parameters needed for your specific configuration. See the slapd man page for parameter information.

Testing the Configuration

Start the LDAP server using the init script: 

/etc/rc.d/init.d/slapd start

Verify access to the LDAP server with the following command: 

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

The expected result is: 

# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Contents

Installed Programs: ldapadd, ldapcompare, ldapdelete, ldapexop, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch, ldapurl, ldapwhoami, slapacl, slapadd, slapauth, slapcat, slapd, slapdn, slapindex, slappasswd, slapschema, and slaptest
Installed Libraries: liblber.so, libldap.so, libldap_r.so, and several under /usr/lib/openldap
Installed Directories: /etc/openldap, /usr/lib/openldap, /usr/share/doc/openldap-2.4.39, and /var/lib/openldap

Short Descriptions

ldapadd

opens a connection to an LDAP server, binds and adds entries.

ldapcompare

opens a connection to an LDAP server, binds and performs a compare using specified parameters.

ldapdelete

opens a connection to an LDAP server, binds and deletes one or more entries.

ldapexop

issues the LDAP extended operation specified by oid or one of the special keywords whoami, cancel, or refresh.

ldapmodify

opens a connection to an LDAP server, binds and modifies entries.

ldapmodrdn

opens a connection to an LDAP server, binds and modifies the RDN of entries.

ldappasswd

is a tool used to set the password of an LDAP user.

ldapsearch

opens a connection to an LDAP server, binds and performs a search using specified parameters.

ldapurl

is a command that allows to either compose or decompose LDAP URIs.

ldapwhoami

opens a connection to an LDAP server, binds and displays whoami information.

slapacl

is used to check the behavior of slapd by verifying access to directory data according to the access control list directives defined in its configuration.

slapadd

is used to add entries specified in LDAP Directory Interchange Format (LDIF) to an LDAP database.

slapauth

is used to check the behavior of the slapd in mapping identities for authentication and authorization purposes, as specified in slapd.conf.

slapcat

is used to generate an LDAP LDIF output based upon the contents of a slapd database.

slapd

is the standalone LDAP server.

slapdn

checks a list of string-represented DNs based on schema syntax.

slapindex

is used to regenerate slapd indexes based upon the current contents of a database.

slappasswd

is an OpenLDAP password utility.

slapschema

is used to check schema compliance of the contents of a slapd database.

slaptest

checks the sanity of the slapd.conf file.

liblber.so

is a set of Lightweight Basic Encoding Rules routines. These routines are used by the LDAP library routines to encode and decode LDAP protocol elements using the (slightly simplified) Basic Encoding Rules defined by LDAP. They are not normally used directly by an LDAP application program except in the handling of controls and extended operations.

libldap.so

supports the LDAP programs and provide functionality for other programs interacting with LDAP.

libldap_r.so

contains the functions required by the LDAP programs to produce the results from LDAP requests.

Last updated on 2014-03-03 16:39:21 -0800