Installation of OpenLDAP
Note
If you only need to install the client side ldap* binaries, corresponding man pages, libraries and header files (referred to as a “client-only” install), issue these commands instead of the following ones (no test suite available):
patch -Np1 -i ../openldap-2.6.6-consolidated-1.patch &&
autoconf &&
./configure --prefix=/usr \
--sysconfdir=/etc \
--disable-static \
--enable-dynamic \
--disable-versioning \
--disable-debug \
--disable-slapd &&
make depend &&
make
Then, as the root user:
make install
There should be a dedicated user and group to take control of the slapd daemon after it is started. Issue the following commands as the root user:
groupadd -g 83 ldap &&
useradd -c "OpenLDAP Daemon Owner" \
-d /var/lib/openldap -u 83 \
-g ldap -s /bin/false ldap
Install OpenLDAP by running the following commands:
patch -Np1 -i ../openldap-2.6.6-consolidated-1.patch &&
autoconf &&
./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/usr/lib \
--disable-static \
--disable-versioning \
--disable-debug \
--with-tls=openssl \
--with-cyrus-sasl \
--without-systemd \
--enable-dynamic \
--enable-crypt \
--enable-spasswd \
--enable-slapd \
--enable-modules \
--enable-rlookups \
--enable-backends=mod \
--disable-sql \
--disable-wt \
--enable-overlays=mod &&
make depend &&
make
The tests are fragile, and errors may cause the tests to abort prior to finishing. Some errors may happen due to timing problems. The tests take around an hour, and the time is CPU independent due to delays in the tests. On most systems, the tests will run up to the test065-proxyauth for mdb test. To test the results, issue: make test.
Now, as the root user:
make install &&
sed -e "s/\.la/.so/" -i /etc/openldap/slapd.{conf,ldif}{,.default} &&
install -v -dm700 -o ldap -g ldap /var/lib/openldap &&
install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d &&
chmod -v 640 /etc/openldap/slapd.{conf,ldif} &&
chown -v root:ldap /etc/openldap/slapd.{conf,ldif} &&
install -v -dm755 /usr/share/doc/openldap-2.6.6 &&
cp -vfr doc/{drafts,rfc,guide} \
/usr/share/doc/openldap-2.6.6
Command Explanations
--disable-static: This switch prevents installation of static versions of the libraries.
--disable-debug: This switch disables the debugging code in OpenLDAP.
--enable-dynamic: This switch forces the OpenLDAP libraries to be dynamically linked to the executable programs.
--disable-versioning: This switch disables symbol versioning in the OpenLDAP libraries.
--enable-crypt: This switch enables using crypt(3) passwords (the {CRYPT} password scheme).
--enable-spasswd: This switch enables SASL password verification.
--enable-modules: This switch enables dynamic module support.
--enable-rlookups: This switch enables reverse lookups of client hostnames. It is only needed if your access controls refer to client hostnames rather than addresses, and it adds a DNS lookup for every connection.
--enable-backends=mod: This switch enables all available backends and builds them as loadable modules rather than compiling them into slapd.
--enable-overlays=mod: This switch enables all available overlays, also built as loadable modules.
--disable-sql: This switch explicitly disables the SQL backend. Omit this switch if a SQL server is installed and you are going to use a SQL backend.
--disable-wt: This switch explicitly disables the WiredTiger backend. Omit this switch if WiredTiger is installed and you are going to use a WiredTiger backend.
--libexecdir=/usr/lib: This switch controls where the /usr/lib/openldap directory is installed. Everything in that directory is a library, so it belongs under /usr/lib instead of /usr/libexec.
--enable-slp: This switch enables SLPv2 support. Use it if you have installed OpenSLP.
Note
You can run ./configure --help to see if there are other switches you can pass to the configure command to enable other options or dependency packages.
install ..., chown ..., and chmod ...: Having slapd configuration files and ldap databases in /var/lib/openldap readable by anyone is a SECURITY ISSUE, especially since the default configuration files store the directory administrator's password (rootpw) in PLAIN TEXT. That is why mode 640 and root:ldap ownership are used: root owns the files, so only root can modify them, and the ldap group that owns the slapd daemon can read but not modify them should the daemon be compromised. Before putting the server into service, also replace the plain-text rootpw value with a hash generated by slappasswd (see slappasswd(8)).
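A post-install audit of the rules just described, added here as an example; it is not taken from the BLFS page or from the OpenLDAP project. It assumes GNU stat(1) for the -c option and the BLFS paths used above; every helper takes its path as an argument, so the rules can also be exercised against a scratch copy of the files. The rootpw check flags a rootpw or olcRootPW value that is not a {SCHEME}hash; it does not decode base64-encoded (olcRootPW::) values.

```sh
#!/bin/sh
# Added example, not from the BLFS page: audit the ownership, mode and
# rootpw storage rules the install step sets up. Assumes GNU stat(1) (-c)
# and the BLFS paths /etc/openldap and /var/lib/openldap; the helpers take
# their path as an argument so they can also be run against a scratch copy.

# check_mode FILE MODE [OWNER GROUP]
# Returns 0 when FILE has exactly the octal mode MODE and, if OWNER and
# GROUP are given, that owner and group; prints the mismatch and returns 1
# otherwise.
check_mode() {
    f=$1 want_mode=$2 want_owner=${3:-} want_group=${4:-}
    if [ ! -e "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    set -- $(stat -c '%a %U %G' "$f")
    have_mode=$1 have_owner=$2 have_group=$3
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE     $f is $have_mode, want $want_mode"
        return 1
    fi
    if [ -n "$want_owner" ] && [ "$have_owner:$have_group" != "$want_owner:$want_group" ]; then
        echo "OWNER    $f is $have_owner:$have_group, want $want_owner:$want_group"
        return 1
    fi
    return 0
}

# cleartext_rootpw FILE
# Returns 0 (true) when FILE carries a rootpw (slapd.conf) or olcRootPW
# (slapd.ldif) value that is not a {SCHEME}hash, i.e. the administrator's
# password is stored in the clear; returns 1 when every such value is
# hashed or there is none. Commented lines and base64 (olcRootPW::) values
# are not examined.
cleartext_rootpw() {
    grep -Ei '^[[:space:]]*(rootpw|olcRootPW:)[[:space:]]+' "$1" 2>/dev/null |
        grep -Eiv '^[[:space:]]*(rootpw|olcRootPW:)[[:space:]]+[{][A-Za-z0-9-]+[}]' |
        grep -q .
}

# audit_openldap [ETCDIR [VARDIR]]
# Applies the rules from the install step to the files under ETCDIR and
# VARDIR (defaults: the BLFS paths). Reports every violation and returns 1
# if there was at least one, 0 otherwise.
audit_openldap() {
    etc=${1:-/etc/openldap} var=${2:-/var/lib/openldap}
    rc=0
    check_mode "$var"         700 ldap ldap || rc=1
    check_mode "$etc/slapd.d" 700 ldap ldap || rc=1
    for f in "$etc/slapd.conf" "$etc/slapd.ldif"; do
        check_mode "$f" 640 root ldap || rc=1
        if cleartext_rootpw "$f"; then
            echo "ROOTPW   $f stores the admin password in clear text; use slappasswd"
            rc=1
        fi
    done
    return "$rc"
}

# Run the audit only when asked for, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_openldap
fi
```

Run it as root after make install with the --audit argument; a non-zero exit status means at least one rule was violated, and each violation is printed on its own line so the fix (chmod, chown or a slappasswd-generated rootpw) is obvious.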
Configuring OpenLDAP
Config Files
- For LDAP client: /etc/openldap/ldap.conf and ~/.ldaprc
- For LDAP server, two configuration mechanisms are used: a legacy /etc/openldap/slapd.conf configuration file and the recommended slapd-config system, using an LDIF database stored in /etc/openldap/slapd.d.
Configuration Information
Configuring the slapd server can be complex. Securing the LDAP directory, especially if you are storing non-public data such as password databases, can also be a challenging task. In order to set up OpenLDAP, you'll need to modify either the /etc/openldap/slapd.conf file (old method), or the /etc/openldap/slapd.ldif file and then use slapadd to create the LDAP configuration database in /etc/openldap/slapd.d (recommended by the OpenLDAP documentation).
Warning
The instructions above install an empty LDAP structure and a default /etc/openldap/slapd.conf file, which are suitable for testing the build and other packages using LDAP. Do not use them on a production server.
Resources to assist you with topics such as choosing a directory configuration, backend and database definitions, access control settings, running as a user other than root and setting a chroot environment include:
Boot Script
To automate the startup of the LDAP server at system bootup, install the /etc/rc.d/init.d/slapd init script included in the blfs-bootscripts-20231119 package using the following command:
make install-slapd
Note
You'll need to modify /etc/sysconfig/slapd to include the parameters needed for your specific configuration. See the slapd man page for parameter information.
Testing the Configuration
Start the LDAP server using the init script:
/etc/rc.d/init.d/slapd start
Verify access to the LDAP server with the following command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
The expected result is:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=my-domain,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1