Quick Guide to LDAP
OpenLDAP version 2.0 has been released! The docs you will find below are
for OpenLDAP version 1.2. Much has changed between versions, but the
general concepts remain the same. You can find the latest software and
documentation at the OpenLDAP website:
http://www.openldap.org. I'm hoping to switch to version 2.0 during
the Christmas break; I'll be sure to update this page then...
This is a quick, very quick, introduction to setting up centralized
account management using OpenLDAP 1.2.x and the pam_ldap module included in Red Hat Linux
version 6.1/6.2.
LinuxFocus has published a great article that covers much of the same information
presented here. Check it out: Introduction to LDAP under Linux.
If you are not using Red Hat 6.x, you can download and install OpenLDAP
from http://www.openldap.org and pam_ldap
from http://www.padl.com/pam_ldap.html.
First, the dry theory
LDAP is similar to Novell's NDS; both are derivatives of X.500. If
you are not familiar with NDS or X.500, here are a few documents I found to be
helpful:
Configuring OpenLDAP
NOTE: Red Hat 6.2 now includes documentation on setting up OpenLDAP, pam_ldap,
nss_ldap, and auth_ldap. Take a look at the Red Hat Linux Reference Guide: LDAP
For a basic configuration, the only file you will need to edit is /etc/openldap/slapd.conf
Here is a simple slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/slapd.at.conf
include /etc/openldap/slapd.oc.conf
schemacheck off
#referral ldap://ldap.itd.umich.edu
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
directory /var/lib/ldap
# The suffix is the base of your LDAP hierarchy, I found it easiest to base it on our domain name
# Another popular choice is to use "o=your organization, c=us"
suffix "dc=mesd, dc=k12, dc=or, dc=us"
# This is the LDAP administration account:
rootdn "cn=admin, dc=mesd, dc=k12, dc=or, dc=us"
# The administration password must be hardcoded:
rootpw {crypt}OVe8hNe4ftavo
# note that the rootpw can be plain text (or an MD5 crypt led by {md5});
# it is generally preferable not to use plain text, for obvious
# security reasons.
# A little perl script to crypt your password is linked from this page.
# This line lists the attributes that users may change about themselves.
# Note that spaces are not permitted after the commas!
access to dn=".*,dc=mesd,dc=k12,dc=or,dc=us"
        attr=carlicense,userpassword,telephonenumber,phone,facsimiletelephonenumber,description,givenname,homephone,l,initials,labeleduri,houseidentifier,loginshell,mail,mobile,pager,postofficebox,postaladdress,postalcode,roomnumber,seealso,sn,st,street,title
        by self write
For more advanced configuration options, take a look at the
Performance Tuning and
High Availability pages.
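The comments in the slapd.conf above call out three pitfalls: a world-readable file, a plain-text rootpw, and spaces after the commas in the attr= list. The following is an added example (not part of this page or of OpenLDAP) that checks a slapd.conf excerpt for those pitfalls, plus a userpassword attribute writable by anyone; the SAMPLE_CONF text is constructed and the mode argument is the file's permission bits.

```python
"""Audit a slapd.conf for the pitfalls the comments above call out.

Added example, not OpenLDAP code. SAMPLE_CONF is a constructed excerpt; the
optional mode argument is the file's permission bits (e.g. os.stat().st_mode).
"""
import re
import stat

SAMPLE_CONF = """\
# constructed sample: deliberately shows the weak settings
suffix "dc=mesd, dc=k12, dc=or, dc=us"
rootdn "cn=admin, dc=mesd, dc=k12, dc=or, dc=us"
rootpw secret
access to dn=".*,dc=mesd,dc=k12,dc=or,dc=us"
        attr=userpassword, mail, loginshell
        by * write
"""


def directives(text):
    """Return logical slapd.conf lines: comments dropped, indented continuations joined."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:      # slapd.conf continues a line by indenting
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return logical


def audit_conf(text, mode=None):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if mode is not None and mode & stat.S_IROTH:
        findings.append("slapd.conf is world readable (it holds rootpw)")
    for line in directives(text):
        key, _, rest = line.partition(" ")
        if key == "rootpw" and not re.match(r"\{\w+\}\S+$", rest.strip()):
            findings.append("rootpw is plain text; store a {crypt} or {md5} hash")
        if key == "access":
            if re.search(r"attr=\S*,\s", line):
                findings.append("space after a comma in attr= list (not permitted)")
            if "userpassword" in line.lower() and re.search(r"by\s+\*\s+write", line):
                findings.append("userpassword writable by anyone; use 'by self write'")
    return findings
```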
Populating the database
This section is particularly quick-n-dirty. Create a text file
containing the structure of the database. In this example, I will make two
branches off the search root: one for people and one for departments.
sample-hierarchy.ldif
dn: dc=k12, dc=or, dc=us
objectclass: top

dn: dc=mesd, dc=k12, dc=or, dc=us
o: mesd
objectclass: organization

dn: ou=people, dc=mesd, dc=k12, dc=or, dc=us
objectclass: organizationalUnit
ou: people

dn: ou=departments, dc=mesd, dc=k12, dc=or, dc=us
objectclass: organizationalUnit
ou: departments
Next, start ldap and load sample-hierarchy.ldif:
/etc/rc.d/init.d/ldap start
ldapadd -D "cn=admin,dc=mesd,dc=k12,dc=or,dc=us" -W -f sample-hierarchy.ldif
Once the database hierarchy is in place, you can use the same method to load
data. See the LDAP Schema Viewer
for a list of object classes and object attributes.
sample-departments.ldif
dn: cn=Administration, ou=departments, dc=mesd, dc=k12, dc=or, dc=us
objectclass: organizationalUnit
telephonenumber: 503-255-1841
facsimiletelephonenumber: 503-255-1519
ou: Administration

dn: cn=Network and Information Services, ou=departments, dc=mesd, dc=k12, dc=or, dc=us
objectclass: organizationalUnit
facsimiletelephonenumber: 503-257-1758
ou: Network and Information Services
sample-people.ldif
dn: cn=Eric Harrison, ou=people, dc=mesd, dc=k12, dc=or, dc=us
objectclass: organizationalPerson
cn: Eric Harrison
sn: Harrison
givenname: Eric
uid: eharrison
userpassword: {crypt}S3T.IVS3PaGoY
mail: eric_harrison@mail.mesd.k12.or.us
mobile: 503-555-2222
telephonenumber: 503-555-1234
facsimiletelephonenumber: 503-257-1538
ou: Network and Information Services

dn: cn=John King, ou=people, dc=mesd, dc=k12, dc=or, dc=us
objectclass: organizationalPerson
cn: John King
sn: King
givenname: John
uid: jking
userpassword: {crypt}ra65eKRcw2Hw2
mail: john_king@mail.mesd.k12.or.us
telephonenumber: 503-555-4321
facsimiletelephonenumber: 503-257-1538
mobile: 503-555-3333
ou: Network and Information Services
ldapadd -D "cn=admin,dc=mesd,dc=k12,dc=or,dc=us" -W -f sample-departments.ldif
ldapadd -D "cn=admin,dc=mesd,dc=k12,dc=or,dc=us" -W -f sample-people.ldif
If you are adding a significant amount of data, you will probably want to
investigate the ldif2ldbm utility; it is much faster
than ldapadd, but you must overwrite your existing database in order
to use it. There is a brief description of how to use ldif2ldbm with
existing data at the bottom of the Performance
Tuning documentation.
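The sample-people.ldif entries above are regular enough to generate by script, which is the idea behind the add_ldap_user tool mentioned in the agenda at the end of this page. The following added example (not the author's script) builds one such entry for ldapadd: it assumes the ou=people base from this page, escapes DN special characters so a cn like "King, John" cannot add a second RDN, base64-encodes values that LDIF cannot carry plainly (including one smuggling a newline, which in plain form would inject an extra attribute line), and refuses a userpassword without a {scheme} prefix.

```python
"""Generate an LDIF entry for a new ou=people account (cf. sample-people.ldif).

Added example, not the author's add_ldap_user script. BASE_DN follows this
page's hierarchy; attribute names match the sample entries above.
"""
import base64

BASE_DN = "ou=people,dc=mesd,dc=k12,dc=or,dc=us"
DN_SPECIAL = set(',+"\\<>;')   # RFC 2253 characters that would alter a DN

def escape_rdn_value(value):
    """Escape an RDN value so a cn like 'King, John' cannot add a second RDN."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in DN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)

def ldif_value(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when RFC 2849 forbids the plain form."""
    # Base64 also neutralises a value carrying a newline, which in plain form
    # would inject an extra attribute line (for example a second userpassword).
    plain_ok = (value.isascii() and value == value.strip()
                and not value.startswith((":", "<"))
                and not any(c in value for c in "\0\r\n"))
    if plain_ok:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def new_person(uid, givenname, sn, userpassword, mail=None, telephonenumber=None, ou=None):
    """Return LDIF for one organizationalPerson entry, ready for ldapadd -f."""
    # userpassword must already carry a scheme prefix such as {crypt}; the page
    # advises against plain text, so a bare password string is rejected.
    if not (userpassword.startswith("{") and "}" in userpassword[1:]):
        raise ValueError("userpassword must be pre-hashed, e.g. {crypt}...")
    cn = f"{givenname} {sn}"
    lines = [ldif_value("dn", f"cn={escape_rdn_value(cn)},{BASE_DN}"),
             "objectclass: organizationalPerson",
             ldif_value("cn", cn), ldif_value("sn", sn),
             ldif_value("givenname", givenname), ldif_value("uid", uid),
             ldif_value("userpassword", userpassword)]
    for attr, val in (("mail", mail), ("telephonenumber", telephonenumber), ("ou", ou)):
        if val:   # optional attributes, as in the page's sample entries
            lines.append(ldif_value(attr, val))
    return "\n".join(lines) + "\n"
```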
Configuring PAM
First, you need to modify the PAM configuration files in /etc/pam.d/.
The simplest way to do this is to copy the pam_ldap samples into this directory (after making a backup of the existing files, of course!):
cp /usr/doc/pam_ldap*/pam.d/* /etc/pam.d/
cp /usr/doc/nss_ldap*/pam.d/* /etc/pam.d/
(which of the two you need depends on your version of Red Hat)
If you don't find examples in /usr/doc/pam_ldap*/pam.d/, here is a
tarball of mine: pam_configs.tgz
Next, edit /etc/ldap.conf. Here is an example:
# Your LDAP server. Must be resolvable without using LDAP.
host ldap.mesd.k12.or.us
# The distinguished name of the search base.
base dc=mesd,dc=k12,dc=or,dc=us
# The search scope.
scope sub
# The hashing algorithm your libc uses.
# Optional: default is des
crypt md5
# The user ID attribute (defaults to uid)
pam_login_attribute uid
Give it a spin
Now, in theory, you should be able to authenticate yourself against
the LDAP server. PAM will take your login name, query for that uid
in the LDAP database, and compare your password to the one found in the
userpassword field of your LDAP record.
Here is a mostly-functional perl CGI script that allows users to
change their own passwords and other information in the LDAP database: ldap_info. Be forewarned, this script is sloppy and
buggy; I will do a proper rewrite one of these days....
LDAP client goodies
-> Central address book
As an added bonus, you now have a centralized address book. Take a look
at this page for information on setting
up Netscape Communicator's address book to use the LDAP database. Dave
Pierce at Centennial School
District was kind enough to write up some documentation on
configuring Outlook Express
to use an LDAP directory and
using Outlook Express with an LDAP address book (these are Word .DOC
files; I'll convert them to HTML when I get the chance). For you command line
types, here is a little phonebook utility written in
perl. I also created a
Pine RPM which has an LDAP-enabled address book (in Red Hat 6.2, LDAP support is enabled by default in Pine. Sweet!)
-> Mail routing/aliases
Most email servers support mail routing and aliases using information stored
in an LDAP server.
- Postfix: the only one I have used with LDAP
- Sendmail: versions 8.10 and later
- Qmail: LDAP patches for Qmail
- Exim: no quick howto available
- Sympa: an LDAP-enabled
majordomo-like mailing list server.
Come back again
Things on my agenda:
- write up a detailed explanation of schemas and the ldif format.
- finish an add_ldap_user script to add new users rather than loading ldifs with the ldapadd utility (working on it!).
- I also have a phonebook cgi that I need to clean up & include here.
- convert the outlook express word docs to HTML.
- might as well throw in a section on Apache's auth_ldap. (in progress)
Feedback & additional documentation would be more than welcome!
Eric Harrison