
LDAP

LDAP is the “Lightweight Directory Access Protocol”, a lightweight alternative to the directory access protocol of the X.500 directory services. It was designed to run directly on top of TCP/IP and thus became more popular than the original X.500, which required an OSI protocol stack.

The most common use for a directory service is surely user management. The following article shows you how to set up a minimal OpenLDAP directory that can serve as a starting point for a user directory.

Installing OpenLDAP

For your first experiments I recommend installing Debian Stable from the minimal net installation ISO in a virtual machine. This does not take a lot of space and is the perfect playground. Choose an installation without a graphical user interface or laptop add-ons. A bare-bones server installation with the Secure Shell daemon running is sufficient. Run the VM in bridged mode so that the server's ports are reachable from outside the VM.

apt-get install slapd ldap-utils

You will be prompted for configuration options:

  1. Administrator password for the LDAP directory

The Debian package derives the base DN of the directory from the machine's DNS domain name. If that does not match the dc=olymp used in the rest of this article, run dpkg-reconfigure slapd and set the domain accordingly. After this the stand-alone LDAP daemon (slapd) is started automatically.

Configuring the Directory

Edit /etc/ldap/ldap.conf. This file holds the defaults for the client tools (ldapsearch, ldapadd and friends), not the server configuration; with BASE and URI set here you do not have to repeat -b and -H on every command.

Example:

BASE    dc=olymp
URI     ldap://192.168.1.2/

Creating entries

Create an LDIF file like the following under /var/tmp/people.ldif:

dn: ou=People,dc=olymp
ou: People
objectClass: organizationalUnit

Then stop slapd, load the file into the database with slapadd, start slapd again and check the result. slapadd writes to the database files directly, which is why the daemon must be stopped first. On Debian slapd runs as the user openldap, so database files created by slapadd while running as root have to be handed back to that user, otherwise slapd will not be able to use them:

/etc/init.d/slapd stop
slapadd -c -v -l /var/tmp/people.ldif
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start
ldapsearch -x

You should now see an entry called People with the object class organizationalUnit.

Next we add a person of the object class inetOrgPerson. Note that the naming attribute of the RDN (here uid) must itself be present in the entry; without the uid line slapd rejects the add with a naming violation:

dn: uid=mustermann,ou=People,dc=olymp
uid: mustermann
cn: Max Mustermann
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: noreply@example.org
initials: M. M.
surname: Mustermann
givenname: Max
ou: People
street: Musterstr. 1
l: Musterstadt
postalCode: 12345

Save this as /var/tmp/users.ldif. This time we use the ldapadd command, which talks to the running slapd over the LDAP protocol instead of writing to the database files:

ldapadd -D cn=admin,dc=olymp -x -W -f /var/tmp/users.ldif

The meaning of the command line switches is as follows:

-D <distinguished name> Distinguished name to bind as (think of it as the login name)
-x Use simple authentication (meaning “provide a password”)
-W Prompt for the password
-f <file> LDIF file from which to add data

You can see in the command above that we bind as the administrator: this is the first point where access rights matter, because anonymous clients are only allowed to read the directory, not to write to it. Be aware that a simple bind sends the password in clear text. Over a plain ldap:// connection like the one configured above anyone on the network path can read it, so on anything but a throwaway test setup bind over ldaps:// or require StartTLS with -ZZ.
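The LDIF above was written by hand; for more than a handful of accounts you will generate it. The following Python script is an added example, not part of the original article and not OpenLDAP's own code: it builds inetOrgPerson records under ou=People,dc=olymp, checks that the naming attribute of the RDN is present (the error slapd would otherwise return), base64-encodes attribute values that RFC 2849 does not allow in clear (non-ASCII characters such as the ß in a German street name, or a value starting with a space), folds long lines, and stores the password as a salted {SSHA} hash, the scheme slappasswd produces by default, instead of in clear text. The person data and the password are constructed sample input.

```python
import base64
import hashlib
import hmac
import os

# Assumed names: the dc=olymp suffix and ou=People follow the article's setup;
# the person data used below is constructed sample input, not a real account.
BASE_DN = "dc=olymp"
PEOPLE_OU = "ou=People," + BASE_DN


def ssha_hash(password, salt=None):
    """Return a {SSHA} value (salted SHA-1, the default scheme of slappasswd)
    so that userPassword never holds a cleartext password."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against a {SSHA} value (20-byte digest || salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def _ldif_safe(value):
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and not starting with
    a space, colon or '<'. Anything else has to be written base64-encoded."""
    if value and value[0] in " :<":
        return False
    return all(ord(c) < 128 and c not in "\x00\r\n" for c in value)


def _ldif_line(name, value):
    """One attribute line, using '::' plus base64 when needed, folded at
    76 columns with continuation lines that start with a single space."""
    if _ldif_safe(value):
        line = "%s: %s" % (name, value)
    else:
        line = "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    parts, rest = [line[:76]], line[76:]
    while rest:
        parts.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(parts)


def ldif_entry(dn, attrs):
    """Serialise one entry as an LDIF record. The RDN's naming attribute must
    be present with the RDN value: OpenLDAP otherwise rejects the add with
    'naming attribute ... is not present in entry' (namingViolation, code 64).
    DN escaping is not handled here; RDN values are assumed to be plain."""
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    present = []
    for name, vals in attrs.items():
        if name.lower() == rdn_attr.lower():
            present += [vals] if isinstance(vals, str) else list(vals)
    if rdn_value not in present:
        raise ValueError("naming attribute %r is not present in entry" % rdn_attr)
    lines = [_ldif_line("dn", dn)]
    for name, vals in attrs.items():
        for v in ([vals] if isinstance(vals, str) else vals):
            lines.append(_ldif_line(name, v))
    return "\n".join(lines) + "\n"


def person_entry(uid, given_name, sn, password, **extra):
    """Build an inetOrgPerson record like the one above, with a hashed password."""
    attrs = {
        "uid": uid,
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": "%s %s" % (given_name, sn),
        "sn": sn,
        "givenName": given_name,
        "userPassword": ssha_hash(password),
    }
    attrs.update(extra)
    return ldif_entry("uid=%s,%s" % (uid, PEOPLE_OU), attrs)


if __name__ == "__main__":
    # Constructed sample; the street contains a non-ASCII character and is
    # therefore emitted as 'street:: <base64>'.
    print(person_entry("mustermann", "Max", "Mustermann", "s3cret",
                       mail="noreply@example.org", street="Musterstraße 1",
                       l="Musterstadt", postalCode="12345"), end="")
```

Redirect the output to /var/tmp/users.ldif and load it with the ldapadd command above. {SSHA} is accepted for userPassword by OpenLDAP out of the box; stronger schemes (SHA-2 and PBKDF2) are available through the contrib password modules, but any hash beats the cleartext value a hand-written LDIF usually ends up with.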

Searching the directory

Run

ldapsearch -D cn=admin,dc=olymp -x -W

and compare the result with an anonymous ldapsearch -x. With the access rules Debian installs by default, all entries are readable by everyone, but the userPassword attribute is readable only by the entry itself and by the administrator (the rootdn, which bypasses the access rules altogether). The anonymous search therefore never returns password hashes, while the administrative search does.

What if we want to search from a different machine? In our example that could be the host our virtual machine runs on:

ldapsearch -D cn=admin,dc=olymp -x -W -H ldap://192.168.1.2 -b dc=olymp

We added two new switches here, because the other machine has no ldap.conf with BASE and URI pointing at this server:

-H <uri> URI of the LDAP server (ldap: and hostname or IP address)
-b <base> Base in the directory where we start searching
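Searching from an application rather than from the command line usually means building the filter from user input, and that is where care is needed. The following Python script is an added example, not from the original article and not OpenLDAP's own code: it escapes the user-supplied value according to RFC 4515 before placing it in the filter, so that input such as `*` or `x)(uid=*` looks for those literal strings instead of matching every entry, and assembles the ldapsearch call with -H and -b as above plus -ZZ. The -ZZ switch assumes slapd has been given a certificate and StartTLS is enabled, which the steps in this article do not cover; leave it out on the plain test VM, but keep it wherever the password is real. The host and base DN are taken from the article, the input strings are constructed.

```python
import subprocess

# Assumed values for illustration; host and suffix follow the article's setup.
LDAP_URI = "ldap://192.168.1.2"
PEOPLE_BASE = "ou=People,dc=olymp"


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    The characters * ( ) \\ and NUL, plus every non-ASCII byte, become
    \\XX hex escapes, so the value can never change the filter's structure."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def ldapsearch_argv(filter_, attrs=(), uri=LDAP_URI, base=PEOPLE_BASE,
                    bind_dn=None, require_tls=True):
    """argv for ldapsearch (ldap-utils), passed as a list so no shell parses it.
    -ZZ makes the client insist on StartTLS instead of silently sending a
    simple-bind password in clear over ldap://."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", uri, "-b", base]
    if require_tls:
        argv.append("-ZZ")
    if bind_dn:
        argv += ["-D", bind_dn, "-W"]
    argv.append(filter_)
    argv += list(attrs)
    return argv


def user_lookup_filter(uid_from_user):
    """Filter for one account by uid; the uid is escaped, so input like
    '*' or 'x)(uid=*' matches nothing instead of every entry."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % ldap_filter_escape(uid_from_user)


def lookup_user(uid_from_user):
    """Run the search and return its LDIF output. Needs ldap-utils and a
    reachable slapd, so this part is not exercised offline."""
    argv = ldapsearch_argv(user_lookup_filter(uid_from_user), attrs=("cn", "mail"))
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Plain string formatting would turn '*' into a wildcard; escaped it is a literal.
    print("naive:  ", "(uid=%s)" % "*")
    print("escaped:", user_lookup_filter("*"))
    print(" ".join(ldapsearch_argv(user_lookup_filter("mustermann"), ("cn", "mail"))))
```

The same escaping rule applies whatever client library the application ends up using; the argv list here simply mirrors the ldapsearch invocation from the section above so the effect can be checked against the test directory.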

Using the directory

Creating the directory is not much fun if you can't use it, so in our next step we connect it to an application. Here I will show you how to use it from the Mac address book.

Open the address book application, bring up the settings dialog and add a new LDAP based account (screenshot: Using the Mac address book with your LDAP directory).


openldap.txt · Last modified: 2015/05/17 17:44 (external edit)