Installation of OpenLDAP
Note
If you only need to install the client side ldap* binaries, corresponding man pages, libraries and header files (referred to as a “client-only” install), issue these commands instead of the following ones (no test suite available):
patch -Np1 -i ../openldap-2.6.6-consolidated-1.patch &&
autoconf &&
./configure --prefix=/usr \
--sysconfdir=/etc \
--disable-static \
--enable-dynamic \
--disable-versioning \
--disable-debug \
--disable-slapd &&
make depend &&
make
Then, as the root user:
make install
There should be a dedicated user and group to take control of the slapd daemon after it is started. Issue the following commands as the root user:
groupadd -g 83 ldap &&
useradd -c "OpenLDAP Daemon Owner" \
-d /var/lib/openldap -u 83 \
-g ldap -s /bin/false ldap
Install OpenLDAP by running the following commands:
patch -Np1 -i ../openldap-2.6.6-consolidated-1.patch &&
autoconf &&
./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/usr/lib \
--disable-static \
--disable-versioning \
--disable-debug \
--with-tls=openssl \
--with-cyrus-sasl \
--without-systemd \
--enable-dynamic \
--enable-crypt \
--enable-spasswd \
--enable-slapd \
--enable-modules \
--enable-rlookups \
--enable-backends=mod \
--disable-sql \
--disable-wt \
--enable-overlays=mod &&
make depend &&
make
The tests are fragile, and errors may cause the tests to abort prior to finishing. Some errors may happen due to timing problems. The tests take around an hour, and the time is CPU independent due to delays in the tests. On most systems, the tests will run up to the test065-proxyauth for mdb test.
To test the results, issue: make test.
Now, as the root user:
make install &&
sed -e "s/\.la/.so/" -i /etc/openldap/slapd.{conf,ldif}{,.default} &&
install -v -dm700 -o ldap -g ldap /var/lib/openldap &&
install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d &&
chmod -v 640 /etc/openldap/slapd.{conf,ldif} &&
chown -v root:ldap /etc/openldap/slapd.{conf,ldif} &&
install -v -dm755 /usr/share/doc/openldap-2.6.6 &&
cp -vfr doc/{drafts,rfc,guide} \
/usr/share/doc/openldap-2.6.6
Command Explanations
--disable-static: This switch prevents installation of static versions of the libraries.
--disable-debug: This switch disables the debugging code in OpenLDAP.
--enable-dynamic: This switch forces the OpenLDAP libraries to be dynamically linked to the executable programs.
--enable-versioning: This switch enables symbol versioning in the OpenLDAP libraries. Without this, some applications might generate a warning about missing symbol versions.
--enable-crypt: This switch enables using crypt(3) passwords.
--enable-spasswd: This switch enables SASL password verification.
--enable-modules: This switch enables dynamic module support.
--enable-rlookups: This switch enables reverse lookups of client hostnames.
--enable-backends: This switch enables all available backends.
--enable-overlays: This switch enables all available overlays.
--disable-sql: This switch explicitly disables the SQL backend. Omit this switch if a SQL server is installed and you are going to use a SQL backend.
--disable-wt: This switch explicitly disables the WiredTiger backend. Omit this switch if WiredTiger is installed and you are going to use a WiredTiger backend.
--libexecdir=/usr/lib: This switch controls where the /usr/lib/openldap directory is installed. Everything in that directory is a library, so it belongs under /usr/lib instead of /usr/libexec.
--enable-slp: This switch enables SLPv2 support. Use it if you have installed OpenSLP.
Note
You can run ./configure --help to see if there are other switches you can pass to the configure command to enable other options or dependency packages.
install ..., chown ..., and chmod ...: Having slapd configuration files and ldap databases in /var/lib/openldap readable by anyone is a SECURITY ISSUE, especially since a file stores the admin password in PLAIN TEXT. That's why mode 640 and root:ldap ownership were used. The owner is root, so only root can modify the file, and the group is ldap, so that the group which owns the slapd daemon can read but not modify the file in case of a security breach.
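The ownership and mode rules above are easy to get wrong on a later edit or package upgrade, so an added example (not part of the BLFS page) follows: a small POSIX sh audit that re-checks the four locations the install step secures. It assumes GNU stat(1) with the -c format and takes the expected owner, group and mode from the page's install, chown and chmod commands; the path list and the --audit flag are this script's own conventions.

```shell
#!/bin/sh
# Added example, not from the BLFS page: audit the ownership and mode that the
# install step sets on the slapd configuration files and data directories.
# Assumes GNU stat(1) (-c format) and POSIX sh; expected owners/modes are the
# ones the page's install/chown/chmod commands establish.

# check_path PATH OWNER:GROUP MODE
# Prints one OK or BAD line per finding; returns 0 only if PATH exists, has
# exactly the expected owner/group and octal mode, and is not world-readable.
check_path() {
    path=$1; want_own=$2; want_mode=$3
    if [ ! -e "$path" ]; then
        echo "BAD $path: missing"
        return 1
    fi
    got_own=$(stat -c '%U:%G' "$path")
    got_mode=$(stat -c '%a' "$path")
    status=0
    if [ "$got_own" != "$want_own" ]; then
        echo "BAD $path: owner $got_own, expected $want_own"
        status=1
    fi
    if [ "$got_mode" != "$want_mode" ]; then
        echo "BAD $path: mode $got_mode, expected $want_mode"
        status=1
    fi
    # The "other" permission bits are the last octal digit; any read bit set
    # there (4, 5, 6, 7) means every local account can read the file.
    case "$got_mode" in
        *[4567]) echo "BAD $path: world-readable"; status=1 ;;
    esac
    if [ "$status" -eq 0 ]; then
        echo "OK  $path ($got_own $got_mode)"
    fi
    return "$status"
}

# audit_slapd_install: check the four locations the page's install step secures.
# Returns non-zero if any of them deviates.
audit_slapd_install() {
    rc=0
    check_path /etc/openldap/slapd.conf root:ldap 640 || rc=1
    check_path /etc/openldap/slapd.ldif root:ldap 640 || rc=1
    check_path /etc/openldap/slapd.d    ldap:ldap 700 || rc=1
    check_path /var/lib/openldap        ldap:ldap 700 || rc=1
    return "$rc"
}

# Usage: sh audit-slapd.sh --audit   (run on the installed system)
case "${1:-}" in
    --audit) audit_slapd_install ;;
esac
```

The world-readable test is deliberately separate from the exact-mode comparison: even if you decide on a different mode locally, a read bit for "other" on slapd.conf or slapd.ldif exposes the rootpw value the note above warns about, so that finding is always reported.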
Configuring OpenLDAP
Config Files
For LDAP client: /etc/openldap/ldap.conf and ~/.ldaprc
For LDAP server, two configuration mechanisms are used: a legacy /etc/openldap/slapd.conf configuration file and the recommended slapd-config system, using an LDIF database stored in /etc/openldap/slapd.d.
Configuration Information
Configuring the slapd servers can be complex. Securing the LDAP directory, especially if you are storing non-public data such as password databases, can also be a challenging task. In order to set up OpenLDAP, you'll need to modify either the /etc/openldap/slapd.conf file (old method), or the /etc/openldap/slapd.ldif file and then use ldapadd to create the LDAP configuration database in /etc/openldap/slapd.d (recommended by the OpenLDAP documentation).
Warning
The instructions above install an empty LDAP structure and a default /etc/openldap/slapd.conf file, which are suitable for testing the build and other packages using LDAP. Do not use them on a production server.
Resources to assist you with topics such as choosing a directory configuration, backend and database definitions, access control settings, running as a user other than root and setting a chroot environment include:
Systemd Unit
To automate the startup of the LDAP server at system bootup, install the slapd.service unit included in the blfs-systemd-units-20230816 package using the following command:
make install-slapd
Note
You'll need to modify /etc/default/slapd to include the parameters needed for your specific configuration. See the slapd man page for parameter information.
Testing the Configuration
Start the LDAP server using systemctl:
systemctl start slapd
Verify access to the LDAP server with the following command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
The expected result is:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=my-domain,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
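The check above is normally done by eye. As an added example (not part of the BLFS page), the following POSIX sh script turns it into something a post-install or monitoring job can run: parse_root_dse reads the ldapsearch LDIF output, insists on the result code 0 shown above, and prints the namingContexts values; check_slapd issues the page's anonymous base search against a host given as an argument (the host argument, the --demo and --check flags, and the embedded sample are this script's own constructions, the sample being a copy of the expected output shown above).

```shell
#!/bin/sh
# Added example, not from the BLFS page: script the "verify access" step.
# parse_root_dse reads ldapsearch LDIF output on stdin, requires "result: 0"
# and at least one namingContexts value, and prints the naming contexts one
# per line. Exit 1 on a non-zero LDAP result code, 2 if the root DSE lists no
# naming contexts (a server that answers but serves no database).
parse_root_dse() {
    awk '
        /^result: /         { code = $2 }
        /^namingContexts: / { ctx[n++] = substr($0, 17) }   # drop the 16-char "namingContexts: " prefix
        END {
            if (code != "0") exit 1
            if (n == 0) exit 2
            for (i = 0; i < n; i++) print ctx[i]
        }'
}

# check_slapd [HOST]: anonymous (-x, no -D) base search of the root DSE, as on
# the page, against an assumed host (default localhost), piped into the parser.
check_slapd() {
    ldapsearch -x -H "ldap://${1:-localhost}" -b '' -s base '(objectclass=*)' namingContexts \
        | parse_root_dse
}

# Constructed sample, copied from the page's expected output, for offline use.
SAMPLE_ROOT_DSE='# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# Usage: sh check-slapd.sh --demo          (parse the embedded sample)
#        sh check-slapd.sh --check [HOST]  (query a running slapd)
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_ROOT_DSE" | parse_root_dse ;;
    --check) check_slapd "${2:-localhost}" ;;
esac
```

Because the search binds anonymously, a non-zero exit from check_slapd distinguishes "server down or refusing anonymous reads of the root DSE" from "server up but the suffix from slapd.conf is not served", which is the difference between a service problem and a configuration problem when the default configuration above is replaced.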