1. Introduction
The main purpose of this document is to set up and use an LDAP Directory Server on your Linux machine. You will learn how to install, configure, run and maintain the LDAP server. You will also learn how to store, retrieve and update information in your directory using the LDAP clients and utilities. The daemon for the LDAP directory server is called slapd and it runs on many different UNIX platforms.
There is another daemon that handles replication between LDAP servers. It's called slurpd and for the moment you don't need to worry about it. In this document you run a slapd which provides directory service for your local domain only, without replication, so slurpd is not needed.
This is a simple configuration for the server, good for starting out but easy to upgrade to another configuration later if you want. The information presented in this document is a good introduction to using the LDAP protocol. Possibly after reading this document you will feel encouraged to expand the capabilities of your server and even write your own clients, using the already available C, C++ and Java Development Kits.
1.1 What's LDAP?
LDAP is a client-server protocol for accessing a directory service. It was initially used as a front-end to X.500, but can also be used with stand-alone and other kinds of directory servers.
1.2 What's a Directory Service?
A directory is similar to a database, but tends to contain more descriptive, attribute-based information. The information in a directory is generally read much more often than it is written. As a consequence, directories don't usually implement the complicated transaction or roll-back schemes that regular databases use for doing high-volume complex updates. Directory updates are typically simple all-or-nothing changes, if they are allowed at all.
Directories are tuned to give a quick response to high-volume lookup or search operations. They may have the ability to replicate information widely in order to increase availability and reliability, while reducing response time. When directory information is replicated, temporary inconsistencies between the replicas may be OK, as long as they get in sync eventually.
There are many different ways to provide a directory service. Different methods allow different kinds of information to be stored in the directory, place different requirements on how that information can be referenced, queried and updated, how it is protected from unauthorized access, etc. Some directory services are local, providing service to a restricted context (e.g., the finger service on a single machine). Other services are global, providing service to a much broader context.
1.3 How does LDAP work?
LDAP directory service is based on a client-server model. One or more LDAP servers contain the data making up the LDAP directory tree or LDAP backend database. An LDAP client connects to an LDAP server and asks it a question. The server responds with the answer, or with a pointer to where the client can get more information (typically, another LDAP server). No matter which LDAP server a client connects to, it sees the same view of the directory; a name presented to one LDAP server references the same entry it would at another LDAP server. This is an important feature of a global directory service, like LDAP.
2. Installing the LDAP Server
Five steps are necessary to install the server: install the pre-required packages (if not already installed), download the server, unpack the software, configure the Makefiles and build the server.
2.1 Pre-Requirements
To be fully LDAPv3 compliant, OpenLDAP clients and servers require installation of some additional packages. In my particular case I also installed OpenLDAP v2.0.11 on an out-of-box RedHat 2.2.15 distribution. My intention was to figure out if the build scripts would complain about the pre-required packages. They didn't! Anyway, this is not the rule; you might still need to obtain and install these additional packages to successfully build OpenLDAP v2.xx:
- OpenSSL TLS libraries
The OpenSSL TLS libraries are normally part of the base system or compose an optional software component. The official OpenSSL url is http://www.openssl.org
- Kerberos Authentication Services
OpenLDAP clients and servers support Kerberos-based authentication services. In particular, OpenLDAP supports SASL/GSSAPI authentication mechanism using either Heimdal or MIT Kerberos V packages. If you desire to use Kerberos-based SASL/GSSAPI authentication, you should install either Heimdal or MIT Kerberos V. Heimdal Kerberos is available from http://www.pdc.kth.se/heimdal. MIT Kerberos is available from http://web.mit.edu/kerberos/www.
The use of strong authentication services, such as those provided by Kerberos, is highly recommended.
- Cyrus's Simple Authentication and Security Layer Libraries
Cyrus's SASL libraries are normally part of the base system or compose an optional software component. Cyrus SASL is available from http://asg.web.cmu.edu/sasl/sasl-library.html. Cyrus SASL will make use of OpenSSL and Kerberos/GSSAPI libraries if preinstalled.
- Database Software
OpenLDAP's slapd primary database backend, LDBM, requires a compatible database package for entry storage. LDBM is compatible with Sleepycat Software's BerkeleyDB (recommended) or with the Free Software Foundation's GNU Database Manager (GDBM). If neither of these packages is available at configure time, you will not be able to build slapd with primary database backend support.
If your operating system doesn't provide one of these two packages, it's necessary to obtain one of them and install it.
BerkeleyDB is available from Sleepycat Software's download page http://www.sleepycat.com/download.html. There are several versions available. At the time of this writing, the latest release, version 3.1, is recommended.
GDBM is available from FSF's download site ftp://ftp.gnu.org/pub/gnu/gdbm. At the time of this writing, version 1.8 is the latest release.
OpenLDAP is designed to take advantage of threads. OpenLDAP supports POSIX pthreads, Mach CThreads, and a number of other varieties. The configure script will complain if it cannot find a suitable thread subsystem. If this occurs, please consult the Software - Installation - Platform Hints section of the OpenLDAP FAQ http://www.openldap.org/faq.
- TCP Wrappers
slapd supports TCP wrappers (IP level access control filters) if preinstalled. Use of TCP wrappers or other IP-level access filters (such as those provided by an IP-level firewall) is recommended for servers containing non-public information.
2.2 Downloading the package
There are two freely distributed LDAP servers: the University of Michigan LDAP server and the OpenLDAP server. There's also the Netscape Directory Server, which is free only under some conditions (educational institutions get it free, for example). The OpenLDAP server is based on the latest version of the University of Michigan server and there are mailing lists and additional documentation available for it. This document assumes that you are using the OpenLDAP server.
Its latest tar-gzipped version is available at the following address:
If you want to get the latest version of University of Michigan Server, go to this address:
To write this document, I used the 2.0.4 version of the OpenLDAP package. My operating system is a Slackware Linux with kernel 2.2.13.
On the OpenLDAP site you can always find the latest development and stable versions of the OpenLDAP server. By the time this document was updated, the latest stable version was openldap-stable-20000704.tgz. The latest development version was openldap-2.0.4.tgz.
2.3 Unpacking the server
Now that you have the tar-gzipped package on your local machine, you can unpack it.
First copy the package to a desirable directory, for example /usr/local.
Then use the following command:
tar xvzf openldap-stable.tgz
You can also use this command:
gunzip -c openldap-stable.tgz | tar xvf -
2.4 Configuring the software
There are several options that you may want to customize so you can build the best software for your site.
To configure the software you just need two steps:
- Edit the file ldapconfig.h.edit, located in the subdirectory include beneath the directory where you unpacked the software.
- Run the configure script (if you are a tough guy, you can also edit the Make-common file instead of running the configure script :^)
In the file include/ldapconfig.h.edit you can set options like the location of the slapd and slurpd daemons. The file itself is well commented and its default settings also reflect the most common administrator choices, so if you are in a hurry you can skip this step.
The OpenLDAP server sources are distributed with a configuration script for setting options like installation directories, compiler and linker flags. Type the following command in the directory where you unpacked the software:
./configure --help
This will print all options that you can customize with the configure script before you build the software. Some useful options are --prefix=pref, --exec-prefix=eprefix and --bindir=dir, for setting installation directories. Normally, if you run configure without options, it will auto-detect the appropriate settings and prepare to build things in the default common location. So just type:
./configure
And watch the output to see if all went well.
2.5 Building the server
After configuring the software you can start building it. First build the dependencies, using the command:
make depend
Then build the server, using the command:
make
If all goes well, the server will build as configured. If not, return to the previous step to review the configuration settings. You should check the platform-specific hints, located in the path doc/install/hints under the directory where you unpacked the software. Now install the binaries and man pages. You may need to be superuser to do this (depending on where you are installing things):
su
make install
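As an added example (not part of the original HOWTO and not OpenLDAP's own scripts), here are the unpack and build steps of sections 2.3 to 2.5 as a small shell script; before extracting into /usr/local it checks that no archive member can write outside the unpack directory, which the bare tar command above does not do. GNU tar, the archive name and the install prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: unpack and build an OpenLDAP
# source tarball with checks the bare "tar xvzf" in section 2.3 skips.
# Assumes GNU tar and gzip. Archive names and the install prefix are
# placeholders to be replaced with your own.

# Return 0 if no member path on stdin is absolute or contains a ".."
# component; such members could write outside the unpack directory.
members_are_safe() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Return 0 if the archive passes members_are_safe and unpacks into exactly
# one top-level directory (e.g. openldap-2.0.4/), 1 otherwise.
check_tarball() {
    members=$(tar tzf "$1") || return 1
    printf '%s\n' "$members" | members_are_safe || return 1
    tops=$(printf '%s\n' "$members" | cut -d/ -f1 | sort -u | wc -l | tr -d ' ')
    [ "$tops" -eq 1 ]
}

# Print the top-level directory an archive unpacks into.
top_dir() {
    tar tzf "$1" | head -n 1 | cut -d/ -f1
}

# Section 2.3: unpack into $2 (default /usr/local), but only after the
# archive passed check_tarball. Prints the unpacked source directory.
unpack_openldap() {
    archive="$1"; dest="${2:-/usr/local}"
    check_tarball "$archive" || { echo "refusing to unpack $archive" >&2; return 1; }
    tar xzf "$archive" -C "$dest" && echo "$dest/$(top_dir "$archive")"
}

# Sections 2.4 and 2.5: configure, build dependencies and build. The install
# prefix is passed explicitly instead of relying on the default location.
# "make install" is left to the superuser, as the HOWTO describes.
build_openldap() {
    srcdir="$1"; prefix="${2:-/usr/local}"
    (cd "$srcdir" && ./configure --prefix="$prefix" && make depend && make)
}
```

A typical run is `src=$(unpack_openldap openldap-2.0.4.tgz /usr/local) && build_openldap "$src" /usr/local`, followed by `make install` as root.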
That's all; now you have the binary of the server and the binaries of several other utilities. Go to the next section to see how to configure the operation of your LDAP server. The binary of the OpenLDAP 2.0 server is called slapd. OpenLDAP 2.0 was officially released on August 30th and it implements LDAP protocol v3, as defined in RFC 2251.
The main features of OpenLDAP 2.0 are:
- LDAPv2 and LDAPv3 Support (RFC2251-2256, 2829-2831)
- Maintenance of interoperability with existing clients
- IPv4 and IPv6 support
- Strong Authentication (SASL) (RFC2829)
- Start TLS (RFC2830)
- Language Tags (RFC2596)
- DNS-based service location (RFC2247 + "locate" I-D)
- Enhanced Standalone Server
- Named References/ManageDsaIT ("nameref" I-D)
- Enhanced Access Control subsystem
- Thread pooling
- Preemptive threading support
- Multiple listener support
- LDIFv1 (RFC2849)
- Improved platform/subsystem detection
Note: There will be a document on the Linux Documentation Project (LDP) called LDAP Implementation HOWTO. This document will be a great resource for those who want to explore the new features of OpenLDAP 2.0. The date for its release is around December 2000.
On the latest versions of the OpenLDAP package, it's also possible to test the recently built binaries. The package comes with a test script, which you can run using the command:
make test
If anything goes wrong with the script you can just abort it by hitting Ctrl-C. In my case, the script stopped working before its total completion. Anyway, I still could see some successful messages about my OpenLDAP configuration.