Building an LDAP Server on Linux, Part 2
Welcome back! In Part 1 we learned basic concepts of LDAP and the uses for an LDAP server. Today we'll install and configure an OpenLDAP directory.
A quick note before we get started: this is LDAP 101. We are not installing any kind of encryption or strong authentication; we'll get to that in part 3. In my experience, learning LDAP in small chunks works best. (Then again, perhaps I'm just a bit dim.) So sit back, strap in, and keep your fingers away from the training wheels.
The Easy Way
The wise sysadmin will consult the documentation for their distro; it's quite possible that OpenLDAP will be packaged and ready to go in a pleasing manner (or ready to go in an odd manner — you never know). I'm all for easy — if your particular distribution provides an easy way, use it. RPMs can also be obtained from rpmfind.net, which thoughtfully lists all the required additional packages.
Debian of course goes its own merry way. apt-get does the job just fine; the tricky bit is finding out the package names. Debian users want ldap-utils; slapd, which is OpenLDAP; and libdb4.1, to get the Sleepycat DB. These three components are enough to get you up and running. apt-get will walk you through a minimal configuration and will automatically start up slapd, the LDAP server daemon.
Installing from Source
At the barest minimum, two tarballs are needed:
- Berkeley Sleepycat DB
- OpenLDAP tarball
The OpenLDAP tarball is under 2 megabytes, which means even us dial-up lusers can download it without pain. As of this writing, the stable edition is openldap-stable-20030709.tgz. I like to park the tarball and unpack it in /usr/src/:
root@windbag:/usr/src# tar xfz openldap-stable-20030709.tgz
This creates the openldap-2.1.22 directory:
root@windbag:/usr/src# cd openldap-2.1.22
Here there be README, INSTALL, LICENSE, ANNOUNCEMENT, and COPYRIGHT documents. Take the time to read these, as they contain important information. To take a quick look at compile-time options, type:
root@windbag:/usr/src/openldap-2.1.22# ./configure --help
This is interesting reading, with the defaults clearly marked and the options self-explanatory. For now let's just stick with the defaults. Do the magic three commands:
# ./configure
# make depend
# make
Lots of things happen after each one; relax and wait. When it's all done, run the handy built-in test script to verify all is well:
# make test
If there are errors, I fear I must abandon you at this point, and refer you to OpenLDAP.org (See Resources). If all is well, the final step is to actually install the newly-created binaries and man pages. From the root of the OpenLDAP directory, run:
# make install
And you're done. Pay attention to the output of 'make install'; it contains a lot of useful information. Direct it to a file for leisurely perusal:
# make install | tee openldap-install.txt
slapd.conf
This is the main config file for our shiny new OpenLDAP server. It can be in any number of imaginative locations — I personally like to run updatedb after installing software, so I can find things quickly. On my Libranet system, it's /etc/ldap/slapd.conf.
Guard this file carefully. Find yours and make a backup copy. The original contains useful defaults. For security reasons the default permissions are 600 (only root can read or write to this file).
slapd.conf defines three categories of information: global settings, settings pertinent to a specific backend, and settings pertinent to a specific database. This bit is important, and will save you many a headache if you get it correct now: backend and database directives can override global settings, and database directives can override backend directives.
Blank lines and comments are ignored. A line that begins with white space is a continuation of the previous line — this little nugget alone is responsible for much premature hair loss.
More white-space gotchas: directives can take arguments, and even multiple arguments. These are separated by white space. An argument that contains white space must be enclosed in double quotes, for example "loud argument". Double quotes or backslashes inside an argument must be escaped with backslashes, for example "really \"loud\" argument".
With our wee, simple setup here there is not much to configure in slapd.conf. The following should be enough to get the ball rolling. If your slapd.conf does not contain headings like "Global Directives" and "Backend Directives," you can add them. The important thing is to have three sections, in this order: global, backend, and database.
Under 'Global Directives,' add a logging level directive:
Under 'Backend Directives' for bdb:
Under 'Database Directives':
I think you can figure out the bits that need to be changed to fit your system. Note how the domain, carlasworld.net, is broken into two type/value pairs. This is planning for the future, in case either value ever needs to be changed or merged with another directory.
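To see the parsing rules above at work, here is an added Python example of my own (not code from the article or from the OpenLDAP project). It reads a constructed slapd.conf with the three sections in order, skips blank lines and comments, joins a line that begins with white space onto the previous one, splits double-quoted arguments with backslash escapes, and resolves a directive the way the article describes: database section first, then the backend section of the same type, then global. The carlasworld.net suffix is the article's; the rootdn, rootpw, schema path and directory are assumed values, and which directives slapd actually accepts in which section is defined by slapd.conf(5), not by this reader.

```python
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample slapd.conf for this example. The domain carlasworld.net
# comes from the article; the rootdn, rootpw, schema path and directory are
# assumptions, not the article's values.
SAMPLE_SLAPD_CONF = """\
# Global Directives
include   /etc/ldap/schema/core.schema
loglevel  256
access to *
    by * read

# Backend Directives
backend   bdb

# Database Directives
database  bdb
suffix    "dc=carlasworld,dc=net"
rootdn    "cn=Manager,dc=carlasworld,dc=net"
rootpw    secret
directory /var/lib/ldap
"""

Directives = Dict[str, List[List[str]]]   # directive name -> args of every occurrence


def logical_lines(text: str) -> Iterator[str]:
    """Yield logical lines. Blank lines and '#' comments are dropped, and a
    physical line that begins with white space continues the previous one."""
    buf: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and buf is not None:
            buf += " " + raw.strip()      # continuation: join with a single space
        else:
            if buf is not None:
                yield buf
            buf = raw.rstrip()
    if buf is not None:
        yield buf


def split_args(line: str) -> List[str]:
    """Split a logical line into arguments: white space separates them, a
    double-quoted argument may contain white space, and inside quotes a
    backslash escapes a double quote or another backslash."""
    args: List[str] = []
    cur: List[str] = []
    in_quote = have_token = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and i + 1 < len(line) and line[i + 1] in '"\\':
            cur.append(line[i + 1])       # \" or \\ inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
            have_token = True             # "" is a legitimate empty argument
        elif c.isspace() and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(c)
            have_token = True
        i += 1
    if in_quote:
        raise ValueError("unterminated double quote: " + line)
    if have_token:
        args.append("".join(cur))
    return args


class SlapdConf:
    """slapd.conf split into global, backend and database sections."""

    def __init__(self, text: str) -> None:
        self.global_: Directives = {}
        self.backends: List[Tuple[str, Directives]] = []    # (type, directives)
        self.databases: List[Tuple[str, Directives]] = []   # (type, directives)
        current = self.global_            # everything before the first backend/database
        for line in logical_lines(text):
            args = split_args(line)
            name, rest = args[0].lower(), args[1:]
            if name in ("backend", "database"):
                current = {}
                (self.backends if name == "backend" else self.databases).append((rest[0], current))
            else:
                current.setdefault(name, []).append(rest)

    def backend_for(self, db_type: str) -> Directives:
        return next((d for t, d in self.backends if t == db_type), {})

    def effective(self, directive: str, db_index: int = 0) -> Optional[List[List[str]]]:
        """Resolve a directive as one database sees it: its own section wins,
        then the backend section of the same type, then the global section."""
        db_type, db_dirs = self.databases[db_index]
        for scope in (db_dirs, self.backend_for(db_type), self.global_):
            if directive in scope:
                return scope[directive]
        return None


if __name__ == "__main__":
    conf = SlapdConf(SAMPLE_SLAPD_CONF)
    print("global:", conf.global_)
    print("suffix as seen by database 0:", conf.effective("suffix"))
    print("loglevel as seen by database 0:", conf.effective("loglevel"))
```

Feed it your own slapd.conf (`SlapdConf(open(path).read())`) and `effective()` will tell you which section a setting really comes from; that is the same question the "database overrides backend overrides global" rule answers, just without having to squint at indentation.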
While LDAP is very flexible, there are certain types and values that are already defined, such as access levels, database backends, and debugging levels. Please refer to the essential (and excellent) "OpenLDAP 2.1 Administrator's Guide" (again, see Resources).
I B CN U!
Yes, now we have come to the point where we learn what all those weirdo abbreviations mean. Impress your friends by using them in casual conversations.
DN = distinguished name
O = organization
OU = organizational unit
DC = domain components
CN = common name
SN = surname
UID = user ID
Want to look like a real genius? Peek into the core.schema file, which identifies all of them (there are dozens more).
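To put the abbreviations to work, here is an added Python example of my own (not from the article) that breaks a distinguished name into its type/value pairs, labels each type with the expansion from the list above, and converts a domain such as the article's carlasworld.net into the dc= components that the suffix uses. The person names in the sample DNs are made up.

```python
from typing import List, Tuple

# Attribute-type abbreviations as listed in the article; core.schema defines many more.
ATTRIBUTE_NAMES = {
    "dn": "distinguished name",
    "o": "organization",
    "ou": "organizational unit",
    "dc": "domain component",
    "cn": "common name",
    "sn": "surname",
    "uid": "user ID",
}


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, most specific component first.
    A backslash escapes the following character (RFC 2253 string form), so
    'cn=Doe\\, Jane,dc=example' yields the value 'Doe, Jane' rather than two RDNs."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])         # keep the escaped character literally
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr_type, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError("RDN without '=': " + rdn)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def domain_to_dn(domain: str) -> str:
    """carlasworld.net -> dc=carlasworld,dc=net (one dc pair per label)."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("dc=" + label for label in labels)


def dn_to_domain(dn: str) -> str:
    """Reassemble the domain from the dc components of a DN."""
    return ".".join(value for attr_type, value in split_dn(dn) if attr_type == "dc")


def describe(dn: str) -> List[str]:
    """One readable line per component: 'OU (organizational unit) = People'."""
    return [
        f"{attr_type.upper()} ({ATTRIBUTE_NAMES.get(attr_type, 'unknown type')}) = {value}"
        for attr_type, value in split_dn(dn)
    ]


if __name__ == "__main__":
    sample = "uid=jdoe,ou=People,dc=carlasworld,dc=net"   # constructed sample DN
    print(domain_to_dn("carlasworld.net"))
    for line in describe(sample):
        print(line)
    print("domain:", dn_to_domain(sample))
```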
This is a good time to start up slapd. Depending on your installation, it may already be running — check with ps ax | grep slapd first. If it isn't running, type which slapd to find the executable, and then run it with no arguments. The installation program should have automatically configured startup files to start upon boot, so you'll never have to do this again. OpenLDAP is chock-full of self-tests; run <filepath>/slapd -t to confirm your slapd.conf contains no syntax errors.
A Peek Ahead
Well here we are at the end already. To get a jump on Part 3, peruse man ldapadd and man ldif. In Part 3 we'll populate the database and figure out how to use LDAP for single sign-on.