# cd /usr/ports/net/openldap
# make && make install && make clean
# cd /usr/local/etc/openldap
# vi slapd.conf

[Change suffix, rootdn, and rootpw]

suffix "dc=wibble, dc=org"
rootdn "cn=operator, dc=wibble, dc=org"
rootpw secret

(rootdn and rootpw give a distinguished name/password pair which can do anything to the LDAP server. This is essential to solve the chicken-and-egg problem: the LDAP server authenticates using records in its database, but how do you authenticate to get the first record into the database?)
It is a good idea to use an encrypted password, and you can use ldappasswd to generate it for you, like this:
# ldappasswd -h ldap.itd.umich.edu -nvv -H md5 -D "rootpw"
New password:
Re-enter new password:
rootpw:{md5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

Paste it into slapd.conf like this:

rootpw {md5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

In any case, you should make sure that slapd.conf is only readable by root (chmod 600) if it's not already.
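As an added check, not part of this tutorial: a small POSIX sh function that audits a slapd.conf for the two problems just described, a cleartext rootpw and a file readable by group or others. The function names and the sample files it writes are assumptions of this example; only ls, grep, cut and mktemp are used, so it runs on FreeBSD and Linux alike.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a slapd.conf for
# a cleartext rootpw and for a file mode that lets group/other read it.
# Exit status 0 = both checks pass, 1 = at least one finding (printed to stderr).

check_slapd_conf() {
    conf="$1"
    rc=0

    # rootpw should carry a {scheme} prefix such as {md5}... or {SSHA}...,
    # never a bare word. Match the directive, then look for the prefix.
    if grep -q '^[[:space:]]*rootpw[[:space:]]' "$conf"; then
        if ! grep -iq '^[[:space:]]*rootpw[[:space:]]*"*{[a-z0-9][a-z0-9]*}' "$conf"; then
            echo "FINDING: $conf: rootpw is stored in cleartext" >&2
            rc=1
        fi
    fi

    # The file must not be readable by group or others (the text says chmod 600).
    # Columns 5-10 of "ls -l" output are the group and other permission bits.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FINDING: $conf: readable by group/other (bits '$perms'), run chmod 600" >&2
        rc=1
    fi

    return $rc
}

# Constructed sample configs for a stand-alone run; the values mirror the
# tutorial (the hash is the one shown above). Prints the directory they live in.
write_samples() {
    dir=$(mktemp -d)
    printf 'suffix "dc=wibble, dc=org"\nrootdn "cn=operator, dc=wibble, dc=org"\nrootpw secret\n' \
        > "$dir/cleartext.conf"
    chmod 644 "$dir/cleartext.conf"
    printf 'suffix "dc=wibble, dc=org"\nrootdn "cn=operator, dc=wibble, dc=org"\nrootpw {md5}Xr4ilOzQ4PCOq3aQ0qbuaQ==\n' \
        > "$dir/hashed.conf"
    chmod 600 "$dir/hashed.conf"
    echo "$dir"
}

# Demo: hashed.conf passes, cleartext.conf produces two findings.
samples=$(write_samples)
for f in "$samples"/*.conf; do
    check_slapd_conf "$f" && echo "OK: $f" || true
done
```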
Once that's done, continue like this to start the database:
# mkdir /var/db/openldap-ldbm
# chmod 700 /var/db/openldap-ldbm
# /usr/local/libexec/slapd -d 7

"-d 7" turns on some debugging and leaves slapd in the foreground; see /usr/local/include/ldap.h for details of the debugging values, which you can add together. Once you're happy with the system, you can run slapd without the -d flag, and it will run in the background.
On another terminal:
# ldapsearch -h 127.0.0.1 -b "dc=wibble,dc=org" -s sub "(objectclass=*)"
ldap_search: No such object

(of course - there's nothing in there yet. To start with, you have to create the root of your directory tree)
# ldapadd -h 127.0.0.1 -D "cn=operator,dc=wibble,dc=org" -W
LDAP password: secret
dn: dc=wibble,dc=org
changetype: add
objectclass: organization
o: Wibble Systems Ltd
<Ctrl-D>
adding new entry dc=wibble,dc=org
#

You can use -w "secret" instead of -W, but this exposes your password to other users on the system.
Entering LDIF directly into stdin is a real pain, of course. You would be better advised to put the LDIF information into a text file, and then pipe it in:
# vi /tmp/ldifsrc
# ldapadd .... </tmp/ldifsrc

Now you can try the ldapsearch again, and this time it should work.
# vi /usr/local/etc/openldap/ldap.conf

BASE dc=wibble, dc=org
HOST 127.0.0.1

# ldapsearch "(objectclass=*)"
dc=wibble,dc=org
objectclass=organization
o=Wibble Systems Ltd
lastmod onto slapd.conf
See the FAQ section on the www.openldap.org site too.