OpenLDAP

Installing and Configuring OpenLDAP on a Unix/Linux System

In general, OpenLDAP is available as an installable package in your distribution's package repository. If no package exists for your system, you will need to build OpenLDAP from source; in that case we strongly recommend reading the installation guide at:


http://www.openldap.org/doc/admin24/install.html

Once OpenLDAP has been installed on your system, you will need to edit the configuration to set up a directory. Older releases of OpenLDAP stored the configuration statically in a file named 'slapd.conf' (usually under /etc/ or /etc/ldap/), which meant that slapd had to be restarted for any configuration change to take effect. Since OpenLDAP 2.3 (the current release at the time of writing is 2.4.11), the configuration is instead held in a dedicated configuration database, cn=config, kept on disk as a 'slapd.d' directory, so it can be modified over LDAP while the server is live. The current version remains backward compatible and can still be run from an old-style slapd.conf file.

If you need to create the old-style configuration file, either because you are installing an earlier version of OpenLDAP or because you are struggling with the newer dynamic configuration, it should look something like the following (this example follows the Debian/Ubuntu layout, with schema files under /etc/ldap/schema and modules under /usr/lib/ldap; adjust the paths for your distribution):



# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options and slapd.access(5) for the ACL syntax.

#######################################################################
# Global Directives:

# Features to permit
# allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values. 'none' disables logging entirely;
# 'stats' records connections, binds and operations and is the usual choice
# when the logs are needed for auditing or incident response.
loglevel        none

# Where the dynamically loaded modules are stored
modulepath    /usr/lib/ldap
moduleload    back_hdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the number of threads the slap tools
# (slapadd, slapindex) use for indexing; keep it at or below the CPU count.
tool-threads 1

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend        hdb

# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        hdb

# The base of your directory in database #1
suffix          "dc=mycompany,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl. The rootdn bypasses every access directive below, so give it a
# password either with a rootpw directive (use the {SSHA} hash printed by
# slappasswd, never cleartext) or as userPassword on the cn=admin entry, and
# keep it out of day-to-day use.
rootdn          "cn=admin,dc=mycompany,dc=com"

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts.  They do NOT override an existing DB_CONFIG file.
# You should therefore change these settings in DB_CONFIG directly,
# or remove DB_CONFIG and restart slapd for changes to take effect.

# Cache size (currently set at 2MB)
dbconfig set_cachesize 0 2097152 0

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint      512 30

# Access directives are evaluated in order, and the FIRST 'access to' whose
# <what> selector matches the entry or attribute wins; every later directive
# is ignored for that target. Specific rules must therefore come before the
# catch-all 'access to *'. The rootdn is not subject to these rules at all.

# Password attributes: the owner may read and change them, everyone else may
# only use them to authenticate (bind) and can never read the hash.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mycompany,dc=com" write
        by anonymous auth
        by self write
        by * none

# The root DSE must stay readable so clients can discover the naming contexts
# and supported features. Placed after 'access to *' it would never be reached.
access to dn.base="" by * read

# Everything else: the admin may write, anyone (including anonymous binds) may
# read. Change 'by * read' to 'by users read' if the directory should not be
# browsable without authentication.
access to *
        by dn="cn=admin,dc=mycompany,dc=com" write
        by * read



Note that you will need to substitute dc=mycompany,dc=com in the above file with whatever you want your root DN to be. Change it consistently in the suffix, the rootdn and every 'by dn=' clause: a DN in an access directive that does not fall under the suffix will never match any user of that database, and the mistake produces no error message. Before starting the server, check the file with slaptest (slaptest -u -f /etc/ldap/slapd.conf performs a dry run that does not need the database), and make slapd.conf readable only by root and the user slapd runs as, because it contains the rootpw hash if you set one.

The new approach to configuring OpenLDAP is in some ways much easier, in that you can use your standard LDAP tools or an LDAP browser to change the configuration, and the change takes effect without a restart. The same access-control rules apply; they simply live in cn=config as ordered olcAccess values on the database entry rather than as 'access to' lines in a file. Although it is distribution-specific, an excellent set of instructions can be found at:

https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html
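As an added worked example, written for this page and not code from the page or from the OpenLDAP project, the following Python script ties the two configuration styles together. It parses the access directives of a slapd.conf fragment, evaluates them with slapd's first-match rule to flag directives that can never be reached and 'by dn=' identities that lie outside the suffix, moves catch-all rules to the end, and renders the result as the olcAccess LDIF that cn=config expects. The slapd.conf fragment is constructed inline and deliberately contains two common mistakes (the suffix says dc=org while the ACLs say dc=com, and the rootDSE rule sits after 'access to *'). The olcDatabase={1}hdb DN is an assumption, as is the uid=probe DN used to test each rule; the script understands only the <what> selector forms used on this page.

```python
"""Lint slapd.conf access directives and render them as cn=config LDIF.

Added example for this page, not code from the page or from OpenLDAP. Only the
<what> forms used above are understood ('*', 'attrs=...', 'dn.base="..."');
'by' clauses are carried through verbatim.
"""
import re

# Constructed sample, not a real deployment: suffix and ACLs disagree on the
# domain (dc=org vs dc=com) and the rootDSE rule sits after 'access to *'.
SAMPLE_CONF = """\
suffix          "dc=mycompany,dc=org"
rootdn          "cn=admin,dc=mycompany,dc=org"
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mycompany,dc=com" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=mycompany,dc=com" write
        by * read
access to dn.base="" by * read
"""

def parse_conf(conf):
    """Return (suffix, [(what, [by-clause, ...]), ...]) in file order."""
    logical = []  # slapd folds lines starting with whitespace into the previous one
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    suffix, acls = None, []
    for line in logical:
        m = re.match(r'suffix\s+"?([^"]*)"?$', line)
        if m:
            suffix = m.group(1)
        elif line.startswith("access to "):
            parts = re.split(r"\s+by\s+", line[len("access to "):])
            acls.append((parts[0].strip(), parts[1:]))
    return suffix, acls

def what_matches(what, dn, attr):
    """Does an 'access to <what>' selector cover attribute attr of entry dn?"""
    if what == "*":
        return True
    m = re.match(r"attrs=(\S+)$", what)
    if m:
        return attr.lower() in m.group(1).lower().split(",")
    m = re.match(r'dn\.base="([^"]*)"$', what)
    if m:
        return dn.lower() == m.group(1).lower()
    raise ValueError("unsupported <what> selector: " + what)

def effective_rule(acls, dn, attr):
    """Index of the rule slapd applies: the FIRST matching <what> wins and all
    later rules are ignored for that target. None means nothing matched."""
    for i, (what, _) in enumerate(acls):
        if what_matches(what, dn, attr):
            return i
    return None

def lint(suffix, acls):
    """Flag rules that an earlier rule always wins over, and 'by dn=' identities
    outside the suffix (they never match a user of this database)."""
    findings = []
    for i, (what, by) in enumerate(acls):
        if what == "*":                      # uid=probe is a hypothetical entry
            probe = ("uid=probe," + suffix, "cn")
        elif what.startswith("attrs="):
            probe = ("uid=probe," + suffix, what[6:].split(",")[0])
        else:
            probe = (re.match(r'dn\.base="([^"]*)"', what).group(1), "objectClass")
        winner = effective_rule(acls, *probe)
        if winner != i:
            findings.append(f"rule {i} ('to {what}') is never reached: rule {winner} "
                            f"('to {acls[winner][0]}') matches first")
        for clause in by:
            m = re.match(r'dn="([^"]+)"', clause)
            if m and not m.group(1).lower().endswith(suffix.lower()):
                findings.append(f"rule {i}: {m.group(1)} is not under suffix "
                                f"{suffix}, so this 'by' clause never matches")
    return findings

def reorder(acls):
    """Move catch-all 'to *' rules to the end so specific rules stay reachable."""
    return [r for r in acls if r[0] != "*"] + [r for r in acls if r[0] == "*"]

def to_cn_config_ldif(acls, db_dn="olcDatabase={1}hdb,cn=config"):
    """One 'replace: olcAccess' change for ldapmodify(1). Each olcAccess value
    carries an ordering prefix {n}; order matters exactly as in slapd.conf.
    db_dn is an assumption: look yours up under cn=config first."""
    lines = [f"dn: {db_dn}", "changetype: modify", "replace: olcAccess"]
    for i, (what, by) in enumerate(acls):
        lines.append(f"olcAccess: {{{i}}}to {what} " + " ".join("by " + b for b in by))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    suffix, acls = parse_conf(SAMPLE_CONF)
    for finding in lint(suffix, acls):
        print("WARNING:", finding)
    print(to_cn_config_ldif(reorder(acls)), end="")
```

Run against the sample it prints three warnings (two for the dc=com identities that are not under the dc=org suffix, one for the shadowed rootDSE rule) followed by the corrected LDIF with the rootDSE rule at {1} and the catch-all at {2}. On a server using cn=config, that LDIF can be applied with ldapmodify -Q -Y EXTERNAL -H ldapi:/// (after confirming the olcDatabase DN with ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase), and the live effect can be checked with slapacl, for example slapacl -b "uid=alice,dc=mycompany,dc=com" -D "uid=bob,dc=mycompany,dc=com" userPassword/read, which should report that access is denied.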


Symlabs is now part of Quest Software. A leader in simplifying and reducing the cost of IT management, Quest’s innovative solutions make solving the toughest IT management problems easier, enabling more than 100,000 customers worldwide to save time and money across physical, virtual and cloud environments. The addition of Symlabs virtual directory and federation technology will enhance the overall architecture of the Quest® One Identity Solution and Quest migration products. Learn more at www.quest.com/symlabs.