Quick Guide to LDAP

OpenLDAP version 2.0 has been released! The docs you will find below are for OpenLDAP version 1.2. Much has changed between versions, but the general concepts remain the same. You can find the latest software and documentation at the OpenLDAP website: http://www.openldap.org. I'm hoping to switch to version 2.0 during the Christmas break; I'll be sure to update this page then.


This is a quick, very quick, introduction to setting up centralized account management using OpenLDAP 1.2.x and pam_ldap, both included in Red Hat Linux version 6.1/6.2.

LinuxFocus has published a great article that covers much of the same information presented here. Check it out: Introduction to LDAP under Linux.

If you are not using Red Hat 6.x, you can download and install OpenLDAP from http://www.openldap.org and pam_ldap from http://www.padl.com/pam_ldap.html.

First, the dry theory

LDAP is similar to Novell's NDS; both are derivatives of X.500. If you are not familiar with NDS or X.500, here are a few documents I found to be helpful:

Configuring OpenLDAP

NOTE: Red Hat 6.2 now includes documentation on setting up OpenLDAP, pam_ldap, nss_ldap, and auth_ldap. Take a look at the Red Hat Linux Reference Guide: LDAP

For a basic configuration, the only file you will need to edit is /etc/openldap/slapd.conf. Here is a simple slapd.conf:

For more advanced configuration options, take a look at the Performance Tuning and High Availability pages.

Populating the database

This section is particularly quick-n-dirty. Create a text file containing the structure of the database. In this example, I will make two branches off the search root: one for people and one for departments.

Next, start slapd and load sample-hierarchy.ldif:

Once the database hierarchy is in place, you can use the same method to load data. See the LDAP Schema Viewer for a list of object classes and object attributes.

If you are adding a significant amount of data, you will probably want to investigate the ldif2ldbm utility; it is much faster than ldapadd, but you must overwrite your existing database in order to use it. There is a brief description of how to use ldif2ldbm with existing data at the bottom of the Performance Tuning documentation.

Configuring PAM

First, you need to modify the PAM configuration files in /etc/pam.d/. The simplest way to do this is to copy the pam_ldap samples into this directory (after making a backup of the existing files, of course!):

If you don't find examples in /usr/doc/pam_ldap*/pam.d/, here is a tarball of mine: pam_configs.tgz

Next, edit /etc/ldap.conf. Here is an example:

Give it a spin

Now, in theory, you should be able to authenticate yourself against the LDAP server. PAM will take your login name, query for that uid in the LDAP database, and compare your password to the one found in the userpassword field of your LDAP record.
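As an added example that is not from the original page: the two-branch hierarchy from "Populating the database" written out as LDIF, a posixAccount entry under the People branch, and the userpassword comparison described above carried out against a hashed value. The base DN, organization name, user names, uidNumber and the {SSHA} password scheme are assumptions; the page does not say which scheme its slapd stores.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 4   # assumption: 4-byte salt, the usual choice for {SSHA}
SHA1_LEN = 20  # length of a raw SHA-1 digest in bytes

def hierarchy_ldif(base_dn, org_name):
    """LDIF for the search root plus the People and Departments branches."""
    entries = [
        [f"dn: {base_dn}", "objectclass: top",
         "objectclass: organization", f"o: {org_name}"],
        [f"dn: ou=People,{base_dn}", "objectclass: top",
         "objectclass: organizationalUnit", "ou: People"],
        [f"dn: ou=Departments,{base_dn}", "objectclass: top",
         "objectclass: organizationalUnit", "ou: Departments"],
    ]
    return "\n\n".join("\n".join(e) for e in entries) + "\n"

def ssha_hash(password, salt=None):
    """Return a {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_userpassword(password, stored):
    """Check a candidate password against a stored {SSHA} userPassword."""
    if not stored.startswith("{SSHA}"):
        return False  # other schemes (e.g. {CRYPT}) are not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def person_ldif(base_dn, uid, uid_number, password):
    """A minimal posixAccount entry under ou=People with a hashed password."""
    return "\n".join([
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectclass: top", "objectclass: account", "objectclass: posixAccount",
        f"uid: {uid}", f"cn: {uid}", f"uidNumber: {uid_number}",
        f"gidNumber: {uid_number}", f"homeDirectory: /home/{uid}",
        f"userPassword: {ssha_hash(password)}",  # hashed, never cleartext
    ]) + "\n"
```

The output of hierarchy_ldif() and person_ldif() can be fed to ldapadd in that order, since the branch must exist before the entry beneath it.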

Here is a mostly-functional Perl CGI script that allows users to change their own passwords and other information in the LDAP database: ldap_info. Be forewarned, this script is sloppy and buggy; I will do a proper rewrite one of these days.

LDAP client goodies

-> Central address book
As an added bonus, you now have a centralized address book. Take a look at this page for information on setting up Netscape Communicator's address book to use the LDAP database. Dave Pierce at Centennial School District was kind enough to write up some documentation on configuring Outlook Express to use an LDAP directory and using Outlook Express with an LDAP address book (these are Word .DOC files; I'll convert them to HTML when I get the chance). For you command-line types, here is a little phonebook utility written in Perl. I also created a Pine RPM which has an LDAP-enabled address book (in Red Hat 6.2, LDAP support is enabled by default in Pine. Sweet!)

-> Mail routing/aliases
Most email servers support mail routing and aliases using information stored in an LDAP server.

Come back again

Things on my agenda:

Feedback & additional documentation would be more than welcome!
Eric Harrison