Solaris 8 with OpenLDAP: Configuring OpenLDAP
Configuring OpenLDAP
The first thing to do after installing OpenLDAP is to rebuild the runtime linker configuration. Be warned, not doing this properly can severely screw up your system. To rebuild the library database, issue the following command:
# crle -i /usr/lib -i /usr/local/lib -l /usr/lib -l /usr/local/lib
Now change directory to /usr/local/etc/openldap and open the slapd.conf file.
- Modify the suffix. Typically, the suffix should be of the form dc=domainname,dc=TLD. For example, my domain is viawest.net: viawest is the domain name and net is the top level domain, so my suffix is dc=viawest,dc=net.
- Now modify the access directives with your suffix as well. Replace dc=example,dc=com with your suffix.
Now you will need to create your LDAP server's SSL key. To do this, issue the following command:
# openssl req -rand /:/usr:/lib:/var -new -x509 -nodes \
-out /usr/local/etc/openldap/server.pem \
-keyout /usr/local/etc/openldap/server.pem -days 3650
OpenSSL will prompt you for the following information. Make sure that you enter the ACTUAL hostname of the machine you are installing for Common Name.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
This will generate an SSL certificate that is good for 10 years. Because -out and -keyout both point at server.pem, that one file holds the certificate and the unencrypted private key (-nodes), so keep it readable by the slapd user only.
Now you'll need to add entries into your database. To do this, you'll need to create an LDIF file. At minimum, you'll need your root entry, and the "ou=People" entry.
NOTE: Solaris doesn't require that you use "ou=People" for your posixAccounts, but there are bugs in Solaris 8's ldap_cachemgr which make it a pain not to choose ou=People. See the Notes about ldap_cachemgr.
So, now you can create your LDIF file to create the LDAP database. Name the file base.ldif. It should look something like this:
dn: dc=viawest,dc=net
objectclass: top
objectclass: dcObject
objectclass: nisDomainObject
dc: viawest
nisDomain: viawest.net

dn: ou=People,dc=viawest,dc=net
objectclass: top
objectclass: organizationalUnit
ou: People

dn: ou=LDAPusers,dc=viawest,dc=net
objectclass: top
objectclass: organizationalUnit
ou: LDAPUsers

dn: cn=solaris,ou=LDAPusers,dc=viawest,dc=net
objectclass: top
objectclass: person
cn: solaris
sn: LDAP User
userPassword: {crypt}GYIC5lHgAsLhE
Obviously, you'll want to replace the "nisDomain" viawest.net with your domain name, and you'll want to modify the DNs to represent your domain as well. Note that each entry in an LDIF file is separated from the next by a blank line.
Now save the base.ldif file.
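The suffix derivation from the slapd.conf step and the base.ldif layout above can be scripted. The following is an added example, not code from the original page or from the OpenLDAP project: it turns a DNS domain into a dc= suffix, emits the same four entries, and lints them for the mistakes slapadd would otherwise reject (an entry not starting with dn:, a duplicate DN, an RDN with no matching attribute). It uses OpenLDAP's {SSHA} userPassword scheme (what slappasswd -h {SSHA} produces) in place of the page's {crypt} value; the domain, cn and password values are constructed samples.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Added example (not from the original page): derive the suffix from a DNS
# domain the way the text describes, emit the same four base.ldif entries,
# and lint the result before feeding it to slapadd.


def suffix_from_domain(domain: str) -> str:
    """'viawest.net' -> 'dc=viawest,dc=net': one dc= component per DNS label."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if len(labels) < 2:
        raise ValueError("domain needs at least two labels, e.g. example.com")
    return ",".join(f"dc={label}" for label in labels)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} userPassword value: base64(sha1(password + salt) + salt).

    Same format slappasswd -h {SSHA} writes; used here instead of the {crypt}
    value shown on the page so the stored hash is salted.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a candidate password against an {SSHA} value (constant-time compare)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def build_base_ldif(domain: str, proxy_cn: str, proxy_password: str) -> str:
    """Root entry, ou=People, ou=LDAPusers and the proxy user, as in base.ldif."""
    suffix = suffix_from_domain(domain)
    first_label = suffix.split(",", 1)[0][len("dc="):]
    entries = [
        [f"dn: {suffix}", "objectclass: top", "objectclass: dcObject",
         "objectclass: nisDomainObject", f"dc: {first_label}", f"nisDomain: {domain}"],
        [f"dn: ou=People,{suffix}", "objectclass: top",
         "objectclass: organizationalUnit", "ou: People"],
        [f"dn: ou=LDAPusers,{suffix}", "objectclass: top",
         "objectclass: organizationalUnit", "ou: LDAPusers"],
        [f"dn: cn={proxy_cn},ou=LDAPusers,{suffix}", "objectclass: top",
         "objectclass: person", f"cn: {proxy_cn}", "sn: LDAP User",
         f"userPassword: {ssha_hash(proxy_password)}"],
    ]
    # LDIF records are separated by a blank line; a missing one merges two entries.
    return "\n\n".join("\n".join(entry) for entry in entries) + "\n"


def check_ldif(text: str) -> List[str]:
    """Catch what slapadd would reject: a record not starting with dn:, a
    duplicate DN, or an RDN (ou=People) with no matching attribute (ou: People).
    Values are compared case-insensitively because dc, ou and cn use
    case-ignore matching in the schema."""
    problems = []
    seen = set()
    for record in text.strip().split("\n\n"):
        lines = record.split("\n")
        if not lines[0].startswith("dn: "):
            problems.append(f"record does not start with dn: {lines[0]!r}")
            continue
        dn = lines[0][len("dn: "):]
        if dn.lower() in seen:
            problems.append(f"duplicate dn {dn}")
        seen.add(dn.lower())
        rdn = dn.split(",", 1)[0]
        attr, _, value = rdn.partition("=")
        attrs = {}
        for line in lines[1:]:
            key, _, val = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(val.lower())
        if value.lower() not in attrs.get(attr.lower(), []):
            problems.append(f"{dn}: RDN {rdn} has no matching {attr} attribute")
    return problems


if __name__ == "__main__":
    # Constructed sample input; redirect stdout to base.ldif for slapadd.
    ldif = build_base_ldif("viawest.net", "solaris", "change-me")
    for problem in check_ldif(ldif):
        raise SystemExit(f"base.ldif problem: {problem}")
    print(ldif, end="")
```

Run it as "python3 mkbase.py > base.ldif" and the file is ready for the slapadd step below; the lint runs first so a malformed entry stops the script before anything is written.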
Now, it's time to create the LDAP backend database (ldbm). Issue the following command:
# /etc/init.d/slapd stop
# slapadd -n 1 -l base.ldif
# /etc/init.d/slapd start
Now it's time to start OpenLDAP. Issue the following command:
# /usr/local/libexec/slapd
Now slapd should be running. Check by typing "ps -ef | grep slapd". If slapd is not running, it probably encountered a configuration error. You can start up slapd in debug mode by typing:
# /usr/local/libexec/slapd -d 65535
This will output a lot of information, and if there is a configuration error, it should tell you what it is.
Ok, you now have a fully functional OpenLDAP server. The only problem is that there is no user data in the directory.
You can populate the database with LDIF files, or by downloading the scripts I have provided in the Scripts Section of this document.