OpenLDAP – Installation and Basic Configuration

This is part 2 of a multi-part blog post on using OpenLDAP for Net Service Name Resolution.  Part 1 can be found here.

Installation

Installing and configuring OpenLDAP on Oracle Linux 6 is a fairly simple and straightforward process.  (Note that I’m working with Oracle Linux 6.4; this process may differ on other Linux distributions and/or versions.)

Installation of OpenLDAP consists of simply executing the following command as root:

yum -y install openldap-servers openldap-clients

That’s it for installation.  Now, you’ll need to do the basic OpenLDAP configuration, and finally set it up to handle Oracle Net Service Names.

Configuration

First, you need a DB_CONFIG file in the /var/lib/ldap directory.  Fortunately, one can be found at /usr/share/openldap-servers/DB_CONFIG.example.  You’re free to peruse the contents of this file, but I won’t be getting into the details.  Also, I wouldn’t recommend changing anything in that file, unless you know exactly what you’re doing.  One thing that does matter: slapd runs as the ldap user, so the copy you put in place (and everything else under /var/lib/ldap) must be owned by ldap, or slapd will complain about ownership and refuse to start.

So, go ahead and copy that file into place:

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Now, you need to set up the administration password.  That can be done by executing the following:

slappasswd

Enter your password, then enter it again to verify it, and you’ll get output that looks something like:

{SSHA}GUPTyXKIN6fAAU7yi9PFBVkCEu0gVWB+

Please make a note of this value (the one you got when you ran slappasswd on your server, not the one shown above!), as you’ll need it momentarily.

Next, you need to set up the slapd.conf file.  Before you can do that, you’ll need to decide whether you’re planning to set up master/slave replication between two servers.  If you do want replication, download slapd.conf.rep_master; otherwise, download slapd.conf.no_rep.  Either way, save it to the root user’s $HOME (probably /root) and name it slapd.conf.  Now, open this file in your favorite text editor, and about 3/4 of the way through the file you’ll find a section that looks like this:

#default searchbase
defaultsearchbase "dc=proquest,dc=com"
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=proquest,dc=com"
rootdn "cn=admin,dc=proquest,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}t4RCF9n3x7k5qAnMEMbXgG9mowJKitAg

You’ll want to update the defaultsearchbase, suffix, rootdn and rootpw entries to values that are appropriate for your environment.  For defaultsearchbase, suffix and rootdn, replace the “dc=proquest,dc=com” string with your domain information.  The “dc” means “domain component”, so, for example, my domain, “proquest.com”, becomes “dc=proquest,dc=com”.  Note that this does NOT have to be a real domain.  Your domain could be “my.home”, and you could use “dc=my,dc=home”.  It really doesn’t matter, as long as you are consistent throughout.  The “rootpw” value is the hash string you generated earlier when you ran the ‘slappasswd’ command.  Only that hash goes into the file; the cleartext password itself should never appear in slapd.conf (which is exactly what the commented-out “rootpw secret” line is warning you about).

Ok, at this point, you should have a correctly configured slapd.conf.  So, copy it into place, thus, and make sure the copy is readable by the ldap user but not by everyone else (for example, owned by root:ldap with mode 0640), since it now carries the rootpw hash:

cp $HOME/slapd.conf /etc/openldap

Finally, by default you’ll have a directory, /etc/openldap/slapd.d, which holds the newer cn=config style configuration.  If that directory exists, slapd uses it and ignores slapd.conf entirely, so you’ll need to move it out of the way:

mv /etc/openldap/slapd.d /etc/openldap/slapd.d.disable

Ok, finally, you should be ready to start the slapd server, with the following command:

service slapd start

Hopefully, that command successfully started your LDAP server.  (If you get errors, double check the slapd.conf file for typos, extraneous spaces, and so on; running slaptest against the file will report the offending line number, and so will the service’s error messages.)

Also, you can set it up as a service that will automatically startup at boot time, with this command:

chkconfig slapd on
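The edits above (base DN, rootdn, rootpw) are easy to get subtly wrong, and a cleartext rootpw or a world-readable slapd.conf is the kind of mistake that is not noticed until much later.  The following is an added example, not code from the original post: it turns a domain name into the dc=… form, applies the substitutions to a scratch copy of a slapd.conf template carrying the dc=proquest,dc=com placeholders quoted above, and checks the result before you copy it into /etc/openldap.  The template written by write_sample_template is a constructed sample, the cn=admin rootdn is the one the post uses, and the hash in the demo is the one quoted above (on a real host you would substitute the output of slappasswd).

```shell
#!/bin/sh
# Added example, not from the original post: render slapd.conf from a template
# and check it before copying it into /etc/openldap.
# Assumptions: the template carries the dc=proquest,dc=com placeholders quoted
# in the post, and paths are passed in so this runs against a scratch copy.

# "proquest.com" -> "dc=proquest,dc=com" (one dc= component per label).
domain_to_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Rewrite the base DN and the rootpw line of a slapd.conf template.
#   $1 template  $2 output file  $3 base DN  $4 hash printed by slappasswd
# Refuses anything that does not look like a password hash, so a cleartext
# rootpw cannot slip into the file by accident.
render_slapd_conf() {
    tmpl=$1 out=$2 base=$3 hash=$4
    case $hash in
        '{SSHA}'*|'{SHA}'*|'{MD5}'*|'{SMD5}'*|'{CRYPT}'*) ;;
        *) echo "refusing to write a rootpw that is not a hash" >&2; return 1 ;;
    esac
    # umask in a subshell: the output is created mode 0600 without changing
    # the caller's umask.
    ( umask 077
      sed -e "s/dc=proquest,dc=com/$base/g" \
          -e "s|^rootpw .*|rootpw $hash|" "$tmpl" > "$out" )
}

# Sanity checks before the file goes live: suffix and rootdn agree with the
# base DN, rootpw is a hash, and the file is not world-readable.
check_slapd_conf() {
    f=$1 base=$2
    grep -q "^suffix \"$base\"" "$f" \
        || { echo "suffix does not match $base" >&2; return 1; }
    grep -q "^rootdn \"cn=admin,$base\"" "$f" \
        || { echo "rootdn does not match $base" >&2; return 1; }
    grep -q '^rootpw {' "$f" \
        || { echo "rootpw is not a slappasswd hash" >&2; return 1; }
    # columns 8-10 of "ls -l" are the permission bits for "other"
    if ls -ld "$f" | cut -c8-10 | grep -q '[rwx]'; then
        echo "$f is world-readable; remove the o+rwx bits" >&2; return 1
    fi
}

# Constructed sample mirroring the slapd.conf excerpt quoted in the post.
write_sample_template() {
    cat > "$1" <<'EOF'
#default searchbase
defaultsearchbase "dc=proquest,dc=com"
database bdb
suffix "dc=proquest,dc=com"
rootdn "cn=admin,dc=proquest,dc=com"
# rootpw secret
rootpw {SSHA}t4RCF9n3x7k5qAnMEMbXgG9mowJKitAg
directory /var/lib/ldap
EOF
}

# Render and check a copy for the made-up domain my.home. The hash is the one
# quoted in the post; on a real host substitute "$(slappasswd)".
demo() {
    d=$(mktemp -d) || return 1
    write_sample_template "$d/slapd.conf.tmpl"
    base=$(domain_to_dn my.home)
    render_slapd_conf "$d/slapd.conf.tmpl" "$d/slapd.conf" "$base" \
        '{SSHA}GUPTyXKIN6fAAU7yi9PFBVkCEu0gVWB+' || return 1
    check_slapd_conf "$d/slapd.conf" "$base" || return 1
    cat "$d/slapd.conf"
    rm -rf "$d"
}

demo
```

Once check_slapd_conf passes, copy the rendered file to /etc/openldap/slapd.conf and give it an owner and mode that slapd (running as the ldap user) can read but other local users cannot; the “other” check above is the one that matters, because anyone who can read the file gets the rootpw hash to attack offline.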

Replication

If you are planning to set up replication, this is the time to do it.  Let’s assume that the server you just completed the initial setup on will be the master server.  Now you’ll need a second server, which will serve as the slave server.  To set it up, repeat the process you just followed, with one exception: for the slave server, when it’s time to download the slapd.conf, download slapd.conf.rep_slave instead.  Once you’ve done that, rename it to slapd.conf, just as you did for the master server.  There are a few edits you’ll need to make to this file.  First, make the same edits you made to the master server’s slapd.conf, to defaultsearchbase, suffix, rootdn, and rootpw.  Once that’s done, at the end of the file you’ll find a section of text that looks like this:

syncrepl rid=123
  provider=ldap://einstein:389
  type=refreshOnly
  interval=00:00:03:00
  retry="30 120 60 +"
  searchbase="dc=proquest,dc=com"
  filter="(objectClass=*)"
  schemachecking=off
  bindmethod=simple
  binddn="cn=admin,dc=proquest,dc=com"
  credentials=myadminpassword

You’ll need to modify the provider, which should point to the host and port of the master server you set up earlier.  Then change searchbase and binddn to match your domain, and put the master server’s admin password in the credentials parameter.  (Note that the ‘searchbase’ parameter in this section and the ‘defaultsearchbase’ parameter seen earlier are different and distinct.)  Two things to watch here.  In the real file, every line of the stanza after “syncrepl rid=…” must begin with whitespace: slapd.conf treats a line that begins with whitespace as a continuation of the previous line, and that is what makes the whole block a single syncrepl directive.  And the credentials value sits in the file in cleartext and, with bindmethod=simple over a plain ldap:// URL, is also sent in cleartext each time the slave refreshes, so keep the slave’s slapd.conf readable only by root and the ldap user.  Finally, the first line of the section sets rid, the replica id, to 123.  That is fine if you’re only setting up one slave server.  If you plan to have more than one slave, set rid to a unique value on each slave.  (rid must be an integer from 0 to 999, i.e. at most three digits, and unique among the slaves.)
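Because each slave gets its own copy of this stanza with its own rid, duplicates are easy to introduce once you have more than one.  The following is an added example, not code from the original post: it validates a list of replica ids (rejecting anything outside 0–999 and any two ids that are the same number), renders one stanza per consumer with the continuation lines correctly indented, and writes each stanza to a mode 0600 file because it contains the bind password.  The consumer list, the host names ldap-slave1 and ldap-slave2 and the password are constructed placeholders; the provider host and port are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: generate the syncrepl stanza for
# each consumer (slave) and refuse duplicate or out-of-range replica ids.
# Assumptions: consumers are given as "hostname rid" lines, the provider URI
# is the one quoted in the post, and the bind password is a placeholder.

# slapd.conf(5): rid is an integer from 0 to 999 (at most three digits).
valid_rid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 3 ]
}

# Fail on an invalid rid, or on two rids that are the same number
# ("001" and "1" are treated as the same replica id here).
check_unique_rids() {
    seen=" "
    for r in "$@"; do
        valid_rid "$r" || { echo "invalid rid: $r" >&2; return 1; }
        n=$(printf '%s' "$r" | sed 's/^0*//'); [ -n "$n" ] || n=0
        case $seen in *" $n "*) echo "duplicate rid: $r" >&2; return 1 ;; esac
        seen="$seen$n "
    done
}

# Print one syncrepl stanza. Every line after the first starts with
# whitespace: slapd.conf joins such lines to the previous one, which is what
# makes the whole block a single syncrepl directive.
#   $1 rid  $2 provider URI  $3 base DN  $4 binddn  $5 password
render_syncrepl() {
    cat <<EOF
syncrepl rid=$1
  provider=$2
  type=refreshOnly
  interval=00:00:03:00
  retry="30 120 60 +"
  searchbase="$3"
  filter="(objectClass=*)"
  schemachecking=off
  bindmethod=simple
  binddn="$4"
  credentials=$5
EOF
}

# Write <outdir>/<host>.syncrepl for every consumer after checking the rids.
# Files are created 0600 because the stanza carries the password in cleartext.
#   $1 outdir  $2 provider URI  $3 base DN  $4 binddn  $5 password
#   $6 consumer list, one "hostname rid" per line
render_consumer_stanzas() {
    outdir=$1 provider=$2 base=$3 binddn=$4 password=$5 consumers=$6
    rids=$(printf '%s\n' "$consumers" | awk '{ print $2 }')
    check_unique_rids $rids || return 1
    printf '%s\n' "$consumers" | while read -r host rid; do
        [ -n "$host" ] || continue
        ( umask 077
          render_syncrepl "$rid" "$provider" "$base" "$binddn" "$password" \
              > "$outdir/$host.syncrepl" )
    done
}

# Constructed consumer list: hostname and rid, one per line.
CONSUMERS='ldap-slave1 123
ldap-slave2 124'

demo() {
    d=$(mktemp -d) || return 1
    render_consumer_stanzas "$d" ldap://einstein:389 "dc=proquest,dc=com" \
        "cn=admin,dc=proquest,dc=com" myadminpassword "$CONSUMERS" || return 1
    cat "$d"/*.syncrepl
    rm -rf "$d"
}

demo
```

Paste the generated stanza into the matching slave’s slapd.conf in place of the block shown above; the indentation is part of the syntax, so keep it.  Binding as the rootdn gives the slave far more than the read access it needs; once the basic setup works, a dedicated read-only replication account is the usual next step, but that is beyond what this post sets up.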

Ok now, if you’re setting up replication, switch back to the master server.  All changes from here on out will be done on the master server, and the replication mechanism will propagate the changes to the slave.  (Obviously, if you’re not setting up replication, you have only the one server to update.)

You’ll want to download the initialize_ldap.ldif file.  The contents of that file will look like this:

dn: dc=proquest,dc=com
objectclass: dcObject
objectclass: organization
o: ProQuest LDAP Server for Net Service Names
dc: proquest

dn: cn=admin,dc=proquest,dc=com
objectclass: organizationalRole
cn: admin

As you may have guessed by now, you’ll need to modify the “dc=proquest,dc=com”, “o:” and “dc: proquest” values above to be consistent with your domain, etc.  Once those edits are complete, you’ll need to load this data using ldapadd.  To do that, execute the following command (the -W option prompts for the admin password, so it does not end up in your shell history):

ldapadd -a -x -D 'cn=admin,dc=proquest,dc=com' -W -f initialize_ldap.ldif

If you’d like to do an initial query, to verify everything looks good, you can do it with this command:

ldapsearch -h 127.0.0.1 -x -b "dc=proquest,dc=com"

Also, if you have replication set up correctly, you should be able to run the above ldapsearch against the slave server as well.  Even though you didn’t run ldapadd on the slave server, replication should propagate the change to it.  (Note that, if you didn’t change any of the replication parameters on the slave, it can take up to about three minutes for a change to reach the slave: with type=refreshOnly the slave polls the master at the interval=00:00:03:00 shown earlier, and that value is in dd:hh:mm:ss, i.e. three minutes.)
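Eyeballing two ldapsearch outputs works for two entries but not for a directory full of net service names, so here is an added example, not code from the original post, for checking that a slave has caught up.  It assumes each side’s entries were saved to a file with something like ldapsearch -x -LLL -h <host> -b "dc=proquest,dc=com" 1.1 > <host>.ldif (1.1 asks for no attributes, so only dn: lines come back), unfolds LDIF continuation lines, and prints the DNs the master has that the slave does not.  The LDIF in the demo is a constructed sample based on the two entries from initialize_ldap.ldif plus one extra entry.

```shell
#!/bin/sh
# Added example, not from the original post: compare the entries a master and
# a slave each return and list the DNs the slave has not received yet.
# Assumption: each side's entries were saved as LDIF, e.g. from
#   ldapsearch -x -LLL -h <host> -b "dc=proquest,dc=com" 1.1 > <host>.ldif

# LDIF folds long lines by continuing them on a line that begins with one
# space; join those back together before looking at dn: lines.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' "$1"
}

# Sorted list of DNs in an LDIF file (base64 "dn::" lines are not decoded).
ldif_dns() {
    unfold_ldif "$1" | awk '/^dn: / { print substr($0, 5) }' | LC_ALL=C sort
}

# Print DNs present in the master LDIF ($1) but absent from the slave LDIF ($2).
# Returns 0 when the slave is complete, 1 otherwise.
missing_on_consumer() {
    m=$(mktemp) c=$(mktemp)
    ldif_dns "$1" > "$m"
    ldif_dns "$2" > "$c"
    LC_ALL=C comm -23 "$m" "$c"
    n=$(LC_ALL=C comm -23 "$m" "$c" | wc -l | tr -d ' ')
    rm -f "$m" "$c"
    [ "$n" -eq 0 ]
}

# Constructed sample: the two entries from initialize_ldap.ldif on the master
# plus a third whose dn was folded by ldapsearch; the slave lacks the third.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/master.ldif" <<'EOF'
dn: dc=proquest,dc=com

dn: cn=admin,dc=proquest,dc=com

dn: cn=an entry with a name long enough that ldapsearch folds the line,dc=pr
 oquest,dc=com

EOF
    cat > "$d/slave.ldif" <<'EOF'
dn: dc=proquest,dc=com

dn: cn=admin,dc=proquest,dc=com

EOF
    if missing_on_consumer "$d/master.ldif" "$d/slave.ldif"; then
        echo "slave is up to date"
    else
        echo "slave is behind (DNs above are missing)"
    fi
    rm -rf "$d"
}

demo
```

Run it a few minutes apart; if the same DNs keep showing up as missing, the slave is not replicating at all rather than merely lagging, and the syncrepl provider, binddn and credentials on the slave are the first things to re-check.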

At this point, you should have an LDAP server up and running, optionally with a slave server also set up.  However, it’s very much an empty shell.  It’s been initialized with your domain, but that’s it.  It has no data, nor even any metadata that describes the type of data it will be storing.

Next, OpenLDAP configuration for Net Service Name resolution.


3 comments on “OpenLDAP – Installation and Basic Configuration”

  1. […] In my next post, I’ll get into the specifics of installing and configuring OpenLDAP for Net Service Name resolution.  Stay tuned for part 2, OpenLDAP Installation and Configuration. […]

  2. tuxcomputers says:

    When I try to start the ldap server I get an error on line 106 of slapd.conf that the directory does not exist, that line is:

    directory /var/lib/ldap/proquest

    I deleted the proquest off the end. I then had an error on line 136, that line is

    directory /var/lib/ldap/rootoraclecontext

    I created that directory and changed the mode to 700. It then whines about there being no DB_CONFIG in that directory but starts anyway.

    There are two locations of rootpw, should I change both of them?

    • tuxcomputers says:

      When I tried to start it with service slapd start there were error messages that the files were not owned by ldap. I changed owner of all the files, the rootoraclecontext directory and all the files in that directory.

      Now it gives errors about line 124 that the suffix DN empty and default search base provided and that line 136 is still an invalid directory.

      I deleted the rootoraclecontext directory, created it, changed the owner to ldap, set the mode to 700 and THEN started the service, it started fine, at last. Previously I had started the service with “slapd -d -i” as root for debug purposes.
