OpenLDAP-2.4.39
Installation of OpenLDAP
Note
If you only need to install the client side ldap* binaries, corresponding
man pages, libraries and header files (referred to as a
“client-only” install),
issue these commands instead of the following ones (no test suite
available):
patch -Np1 -i ../openldap-2.4.39-blfs_paths-1.patch &&
patch -Np1 -i ../openldap-2.4.39-symbol_versions-1.patch &&
autoconf &&
./configure --prefix=/usr \
--sysconfdir=/etc \
--disable-static \
--enable-dynamic \
--disable-debug \
--disable-slapd &&
make depend &&
make
Then, as the root
user:
make install
There should be a dedicated user and group to take control of the
slapd daemon after it
is started. Issue the following commands as the root
user:
groupadd -g 83 ldap &&
useradd -c "OpenLDAP Daemon Owner" -d /var/lib/openldap -u 83 \
-g ldap -s /bin/false ldap
Install OpenLDAP by running the
following commands:
patch -Np1 -i ../openldap-2.4.39-blfs_paths-1.patch &&
patch -Np1 -i ../openldap-2.4.39-symbol_versions-1.patch &&
autoconf &&
./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/usr/lib \
--disable-static \
--disable-debug \
--enable-dynamic \
--enable-crypt \
--enable-spasswd \
--enable-modules \
--enable-rlookups \
--enable-backends=mod \
--enable-overlays=mod \
--disable-ndb \
--disable-sql &&
make depend &&
make
To test the results, issue: make -k
test.
Now, as the root
user:
make install &&
chmod -v 700 /var/lib/openldap &&
chown -v -R ldap:ldap /var/lib/openldap &&
chmod -v 640 /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example} &&
chown -v root:ldap /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example} &&
install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d &&
install -v -dm755 /usr/share/doc/openldap-2.4.39 &&
cp -vfr doc/drafts /usr/share/doc/openldap-2.4.39 &&
cp -vfr doc/rfc /usr/share/doc/openldap-2.4.39 &&
cp -vfr doc/guide /usr/share/doc/openldap-2.4.39
Having slapd configuration files and ldap databases in
/var/lib/openldap readable by anyone is a SECURITY ISSUE,
especially since a file stores admin password in PLAIN TEXT. That's
why mode 640 and root:ldap ownership were used. Owner is root, so
only root can modify the file, and group is ldap, so that the group
which owns slapd daemon could read but not modify the file in case
of a security breach.
Command Explanations
--disable-static
: This
switch prevents installation of static versions of the libraries.
--disable-debug
: This
switch disables the debugging code in OpenLDAP.
--enable-dynamic
: This
switch forces the OpenLDAP
libraries to be dynamically linked to the executable programs.
--enable-crypt
: This switch
enables using of crypt(3) passwords.
--enable-spasswd
: This
switch enables SASL password
verification.
--enable-modules
: This
switch enables dynamic module support.
--enable-rlookups
: This
switch enables reverse lookups of client hostnames.
--enable-backends
: This
switch enables all available backends.
--enable-overlays
: This
switch enables all available overlays.
--disable-ndb
: This switch
disables MySQL NDB Cluster backend
which causes configure to fail if MySQL is present.
--disable-sql
: This switch
explicitly disables the SQL backend. Omit this switch if a SQL
server is installed and you are going to use a SQL backend.
--libexecdir=/usr/lib
: This
switch controls where the /usr/lib/openldap
directory is installed.
Everything in that directory is a library, so it belongs under
/usr/lib
instead of /usr/libexec
.
--enable-slp
: This switch enables SLPv2
support. Use it if you have installed OpenSLP.
Note
You can run ./configure
--help to see if there are other switch you can
pass to the configure command to enable
other options or dependency packages.
Configuring OpenLDAP
Config Files
/etc/openldap/*
Configuration Information
Configuring the slapd servers can be complex.
Securing the LDAP directory, especially if you are storing
non-public data such as password databases, can also be a
challenging task. You'll need to modify the /etc/openldap/slapd.conf
and /etc/openldap/ldap.conf
files to set up
OpenLDAP for your particular
needs.
Resources to assist you with topics such as choosing a directory
configuration, backend and database definitions, access control
settings, running as a user other than root
and setting a chroot environment include:
Mozilla Address Directory
By default, LDAPv2 support is disabled in the slapd.conf
file. Once the database is properly
set up and Mozilla is configured
to use the directory, you must add allow
bind_v2
to the slapd.conf
file.
Systemd Units
To start the slapd
daemon at boot, install the systemd unit from the blfs-systemd-units-20140907 package by
running the following command as the root
user:
make install-slapd
Note
You'll need to modify the /etc/default/slapd
to include the parameters
needed for your specific configuration. See the slapd man page for parameter
information.
Testing the Configuration
Start the LDAP server using systemctl:
systemctl start slapd
Verify access to the LDAP server with the following command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
The expected result is:
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=my-domain,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Contents
Installed Programs:
ldapadd, ldapcompare, ldapdelete,
ldapexop, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch,
ldapurl, ldapwhoami, slapacl, slapadd, slapauth, slapcat,
slapd, slapdn, slapindex, slappasswd, slapschema, and
slaptest
Installed Libraries:
liblber.so, libldap.so, libldap_r.so, and
several under /usr/lib/openldap
Installed Directories:
/etc/openldap, /usr/lib/openldap,
/usr/share/doc/openldap-2.4.39, and /var/lib/openldap
Short Descriptions
ldapadd
|
opens a connection to an LDAP server, binds and adds
entries.
|
ldapcompare
|
opens a connection to an LDAP server, binds and performs
a compare using specified parameters.
|
ldapdelete
|
opens a connection to an LDAP server, binds and deletes
one or more entries.
|
ldapexop
|
issues the LDAP extended operation specified by oid or
one of the special keywords whoami, cancel, or refresh.
|
ldapmodify
|
opens a connection to an LDAP server, binds and modifies
entries.
|
ldapmodrdn
|
opens a connection to an LDAP server, binds and modifies
the RDN of entries.
|
ldappasswd
|
is a tool used to set the password of an LDAP user.
|
ldapsearch
|
opens a connection to an LDAP server, binds and performs
a search using specified parameters.
|
ldapurl
|
is a command that allows to either compose or decompose
LDAP URIs.
|
ldapwhoami
|
opens a connection to an LDAP server, binds and displays
whoami information.
|
slapacl
|
is used to check the behavior of slapd by verifying
access to directory data according to the access control
list directives defined in its configuration.
|
slapadd
|
is used to add entries specified in LDAP Directory
Interchange Format (LDIF) to an LDAP database.
|
slapauth
|
is used to check the behavior of the slapd in mapping
identities for authentication and authorization purposes,
as specified in slapd.conf.
|
slapcat
|
is used to generate an LDAP LDIF output based upon the
contents of a slapd database.
|
slapd
|
is the standalone LDAP server.
|
slapdn
|
checks a list of string-represented DNs based on schema
syntax.
|
slapindex
|
is used to regenerate slapd indexes based upon the
current contents of a database.
|
slappasswd
|
is an OpenLDAP password
utility.
|
slapschema
|
is used to check schema compliance of the contents of a
slapd database.
|
slaptest
|
checks the sanity of the slapd.conf file.
|
liblber.so
|
is a set of Lightweight Basic Encoding Rules routines.
These routines are used by the LDAP library routines to
encode and decode LDAP protocol elements using the
(slightly simplified) Basic Encoding Rules defined by
LDAP. They are not normally used directly by an LDAP
application program except in the handling of controls
and extended operations.
|
libldap.so
|
supports the LDAP programs and provide functionality for
other programs interacting with LDAP.
|
libldap_r.so
|
contains the functions required by the LDAP programs to
produce the results from LDAP requests.
|
Last updated on 2014-08-24 12:33:59 -0700