Installation of OpenLDAP
Note
If you only need to install the client side ldap* binaries, corresponding
man pages, libraries and header files (referred to as a
“client-only” install), issue these
commands instead of the following ones (no test suite available):
patch -Np1 -i ../openldap-2.4.49-consolidated-1.patch &&
autoconf &&
./configure --prefix=/usr \
--sysconfdir=/etc \
--disable-static \
--enable-dynamic \
--disable-debug \
--disable-slapd &&
make depend &&
make
Then, as the root
user:
make install
ln -sf ../lib/slapd /usr/sbin/slapd
Warning
If upgrading from a previous installation that used Berkeley DB
as the backend, you will need to dump the database(s) using the
slapcat utility,
relocate all files in /var/lib/openldap
, change all instances of
bdb
to mdb
in /etc/openldap/slapd.conf
and any files in
/etc/openldap/slapd.d
, and import
using the slapadd
utility after the installation is completed.
There should be a dedicated user and group to take control of the
slapd daemon after it
is started. Issue the following commands as the root
user:
groupadd -g 83 ldap &&
useradd -c "OpenLDAP Daemon Owner" \
-d /var/lib/openldap -u 83 \
-g ldap -s /bin/false ldap
Install OpenLDAP by running the
following commands:
patch -Np1 -i ../openldap-2.4.49-consolidated-1.patch &&
autoconf &&
./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/usr/lib \
--disable-static \
--disable-debug \
--with-tls=openssl \
--with-cyrus-sasl \
--enable-dynamic \
--enable-crypt \
--enable-spasswd \
--enable-slapd \
--enable-modules \
--enable-rlookups \
--enable-backends=mod \
--disable-ndb \
--disable-sql \
--disable-shell \
--disable-bdb \
--disable-hdb \
--enable-overlays=mod &&
make depend &&
make
The tests appear to be fragile. Errors may cause the tests to abort
prior to finishing, apparently due to timing issues. The tests take
about 65 minutes and are processor independent. To test the
results, issue: make
test.
Now, as the root
user:
make install &&
sed -e "s/\.la/.so/" -i /etc/openldap/slapd.{conf,ldif}{,.default} &&
install -v -dm700 -o ldap -g ldap /var/lib/openldap &&
install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d &&
chmod -v 640 /etc/openldap/slapd.{conf,ldif} &&
chown -v root:ldap /etc/openldap/slapd.{conf,ldif} &&
install -v -dm755 /usr/share/doc/openldap-2.4.49 &&
cp -vfr doc/{drafts,rfc,guide} \
/usr/share/doc/openldap-2.4.49
Command Explanations
--disable-static
: This
switch prevents installation of static versions of the libraries.
--disable-debug
: This
switch disables the debugging code in OpenLDAP.
--enable-dynamic
: This
switch forces the OpenLDAP
libraries to be dynamically linked to the executable programs.
--enable-crypt
: This switch
enables using of crypt(3) passwords.
--enable-spasswd
: This
switch enables SASL password
verification.
--enable-modules
: This
switch enables dynamic module support.
--enable-rlookups
: This
switch enables reverse lookups of client hostnames.
--enable-backends
: This
switch enables all available backends.
--enable-overlays
: This
switch enables all available overlays.
--disable-ndb
: This switch
disables MySQL NDB Cluster backend
which causes configure to fail if MySQL is present.
--disable-sql
: This switch
explicitly disables the SQL backend. Omit this switch if a SQL
server is installed and you are going to use a SQL backend.
--libexecdir=/usr/lib
: This
switch controls where the /usr/lib/openldap
directory is installed.
Everything in that directory is a library, so it belongs under
/usr/lib
instead of /usr/libexec
.
--enable-slp
: This switch enables SLPv2
support. Use it if you have installed OpenSLP.
Note
You can run ./configure
--help to see if there are other switch you can
pass to the configure command to enable
other options or dependency packages.
install ...,
chown ..., and
chmod ...: Having
slapd configuration files and ldap databases in /var/lib/openldap
readable by anyone is a SECURITY ISSUE, especially since a file
stores the admin password in PLAIN TEXT. That's why mode 640 and
root:ldap ownership were used. The owner is root, so only root can
modify the file, and group is ldap, so that the group which owns
slapd daemon could read but not modify the file in case of a
security breach.
Configuring OpenLDAP
Config Files
-
For LDAP client: /etc/openldap/ldap.conf
and ~/.ldaprc
-
For LDAP server, two configuration mechanisms are used: a
legacy /etc/openldap/slapd.conf
configuration
file and the recommended slapd-config system, using an
LDIF database stored in /etc/openldap/slapd.d
.
Configuration Information
Configuring the slapd servers can be complex.
Securing the LDAP directory, especially if you are storing
non-public data such as password databases, can also be a
challenging task. In order to set up OpenLDAP, you'll need to modify either the
/etc/openldap/slapd.conf
file (old
method), or the /etc/openldap/slapd.ldif
file and then use
ldapadd to create
de LDAP configuration database in /etc/openldap/slapd.d
(recommended by the
OpenLDAP documentation).
Warning
The instructions above install an empty LDAP structure and a
default /etc/openldap/slapd.conf
file, which are suitable for testing the build and other
packages using LDAP. Do not use them on a production server.
Resources to assist you with topics such as choosing a directory
configuration, backend and database definitions, access control
settings, running as a user other than root
and setting a chroot environment include:
Mozilla
Address Directory
By default, LDAPv2 support is disabled in the slapd.conf
file. Once the database is properly
set up and Mozilla is configured
to use the directory, you must add allow
bind_v2
to the slapd.conf
file.
Systemd Unit
To automate the startup of the LDAP server at system bootup,
install the slapd.service
unit included in the
blfs-systemd-units-20191026 package
using the following command:
make install-slapd
Note
You'll need to modify /etc/default/slapd
to include the
parameters needed for your specific configuration. See the
slapd man page
for parameter information.
Testing
the Configuration
Start the LDAP server using systemctl:
systemctl start slapd
Verify access to the LDAP server with the following command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
The expected result is:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=my-domain,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1