LDAP is the "Lightweight Directory Access Protocol", a successor to the X.500 directory services. It was designed to run on top of a TCP/IP stack and therefore became more popular than the original X.500, which was built on an OSI stack.
The most common use for a directory service is surely user management. The following article shows you how to set up a minimal OpenLDAP directory which can be used as a starting point for a user directory.
For your first experiments I recommend installing Debian Stable from the minimal net installation ISO in a virtual machine. This does not take a lot of space and is the perfect playground. Choose an installation without a graphical user interface and laptop add-ons. A bare-bones server installation with the Secure Shell daemon running is sufficient. Run the VM in bridged mode so that the server ports are reachable from outside the VM.
apt-get install slapd ldap-utils
You will be prompted for configuration options:
After this the stand-alone LDAP daemon (slapd) will be started automatically.
BASE dc=olymp
URI ldap://192.168.1.2/
Create an LDIF file like the following under
dn: ou=People,dc=olymp
ou: People
objectClass: organizationalUnit
/etc/init.d/slapd stop
slapadd -c -v -l /var/tmp/people.ldif
/etc/init.d/slapd start
ldapsearch -x
You should now see an entry with the object class organizationalUnit.
The next thing we will add is a person of class inetOrgPerson:
dn: uid=mustermann,ou=People,dc=olymp
cn: Max Mustermann
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: email@example.com
initials: M. M.
surname: Mustermann
givenname: Max
ou: People
street: Musterstr. 1
l: Musterstadt
postalCode: 12345
We will use the ldapadd command this time:
ldapadd -D cn=admin,dc=olymp -x -W -f /var/tmp/users.ldif
The meaning of the command line switches is as follows:
| Switch | Meaning |
|---|---|
| -D <distinguished name> | Distinguished name to bind to the service with (think of it as login credentials) |
| -x | Use simple authentication (i.e. provide a password) |
| -W | Prompt for the password |
| -f <file> | LDIF file from which to add the data |
Note that in the command above we bind as the administrator. This is the first time access privileges come into play.
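As an added example (not from the original article), here is a small Python pre-check for LDIF files like the two above. It catches the two mistakes slapadd and ldapadd reject most often: a parent entry that does not exist yet (which is why people.ldif must be loaded before users.ldif) and a missing MUST attribute. The objectClass table and the surname/givenname alias handling are assumptions limited to the classes used on this page.

```python
# Attribute-name aliases from OpenLDAP's core schema (assumed subset); the
# article's entry uses "surname" and "givenname" instead of sn/givenName.
ALIASES = {"surname": "sn", "givenname": "givenname"}
# MUST attributes per objectClass (lower-cased, inherited ones repeated).
MUST = {"top": {"objectclass"}, "organizationalunit": {"ou"},
        "person": {"sn", "cn"}, "organizationalperson": {"sn", "cn"},
        "inetorgperson": {"sn", "cn"}}

def parse_ldif(text):
    """Split LDIF into (dn, {attr: [values]}); base64 (::) and folded lines are not handled."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(ALIASES.get(name, name), []).append(value)
        entries.append((dn, attrs))
    return entries

def check_ldif(text, existing_dns=()):
    """Return the problems slapadd/ldapadd would reject; an empty list means clean."""
    problems, known = [], {d.lower() for d in existing_dns}
    for dn, attrs in parse_ldif(text):
        if dn is None:
            problems.append("entry without dn")
            continue
        # The parent must exist in the directory or earlier in this file (naive DN split).
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if parent and parent.lower() not in known:
            problems.append(f"{dn}: parent {parent} does not exist")
        for oc in attrs.get("objectclass", []):
            if oc.lower() not in MUST:
                problems.append(f"{dn}: unknown objectClass {oc}")
            elif missing := MUST[oc.lower()] - set(attrs):
                problems.append(f"{dn}: {oc} requires {sorted(missing)}")
        known.add(dn.lower())
    return problems

# The two entries from the article; dc=olymp itself is created by the slapd install.
PEOPLE_LDIF = "dn: ou=People,dc=olymp\nou: People\nobjectClass: organizationalUnit\n"
USER_LDIF = ("dn: uid=mustermann,ou=People,dc=olymp\ncn: Max Mustermann\nobjectClass: top\n"
             "objectClass: person\nobjectClass: organizationalPerson\nobjectClass: inetOrgPerson\n"
             "mail: email@example.com\ninitials: M. M.\nsurname: Mustermann\ngivenname: Max\n"
             "ou: People\nstreet: Musterstr. 1\nl: Musterstadt\npostalCode: 12345\n")
```

Running `check_ldif(PEOPLE_LDIF + "\n" + USER_LDIF, ["dc=olymp"])` returns an empty list, while checking users.ldif on its own reports the missing ou=People parent.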
Run ldapsearch -D cn=admin,dc=olymp -x -W and compare the result to what you get with a ldapsearch where you are not using an administrative account. You will notice that the administrator's entry is not visible.
What if we want to perform a search from a different machine? In our example that could be the host our virtual machine runs on.
ldapsearch -D cn=admin,dc=olymp -x -W -H ldap://192.168.1.2 -b dc=olymp
We added two new switches here:
| Switch | Meaning |
|---|---|
| -H <uri> | URI of the LDAP server |
| -b <base> | Base in the directory where we start searching |
Creating the directory is not much fun if you can't use it. So in our next step we will connect it to an application. Here I will show you how to use it from the Mac Address Book.