Before you start the OpenLDAP server, you need to set up a few things first.
Basic configuration
You need to set up a root user and password, along with defining your base DN. In slapd.conf, look for the following lines, and set them to the values you want.
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
Usually your base DN (defined as suffix in the file) is the components of your domain name, separated with commas and prefixed with dc=. So, serverfault.com might become dc=serverfault,dc=com. Your rootdn must be under that suffix.
You also need to change the line that defines the root password. You can set it to a plaintext value, or use slappasswd to create a hash. You then need to put either the plaintext value or the hashed value from slappasswd in a line that looks like this:
rootpw myultrasecurepassword
Schemas
It is a good idea at this point to start thinking about the schemas you want to use. A schema defines the attributes an object can have, so you need to include the schemas that contain the attributes you need. These schemas are included at the top of slapd.conf, and the ones here are usually the absolute basic schemas you will need:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
These paths are the ones used in Arch Linux, so you may need to adjust them to fit Oracle Linux.
About slapd.conf vs slapd.d
OpenLDAP has switched from offline configuration (done in slapd.conf) to online configuration, storing data in a special cn=config tree found in slapd.d. Modifying the ldif files in slapd.d is a painful process, however, so it is much easier to edit slapd.conf as above, then convert that into the new slapd.d format.
First, remove everything in slapd.d. Next, run the following command, making sure to adjust the paths to Oracle Linux:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
Then just set the owner to your LDAP user and group on that directory recursively, and you should be ready to go. This needs to be done every time you edit slapd.conf - just remember to stop the OpenLDAP server before doing it!
Initial run
Before you can actually use the directory, you need to create the base DN (and root user). Create an .ldif file, containing lines similar to the following:
# The base entry: the suffix from slapd.conf
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: example.com
dc: example

# A blank line must separate entries in LDIF, otherwise ldapadd
# treats the second dn: as an attribute of the first entry.
dn: cn=root,dc=example,dc=com
objectclass: organizationalRole
cn: root
Now start the OpenLDAP server. We just need to push that information into the LDAP directory:
ldapadd -D "cn=root,dc=example,dc=com" -W -f initial.ldif
Obviously change the root DN and ldif filename to match what you have.
You should now have a working LDAP directory set up and ready to be populated!
The Arch Linux wiki is a great source of information about this topic - see https://wiki.archlinux.org/index.php/OpenLDAP and https://wiki.archlinux.org/index.php/LDAP_Authentication if you want to know more.
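As an added example (not part of the answer above, and not OpenLDAP's own tooling), the following Python script carries the whole procedure through: it derives the suffix from a domain name, produces a salted {SSHA} hash in the same layout slappasswd emits so that no plaintext rootpw ever lands in slapd.conf, renders the three configuration lines, and renders the initial LDIF with the blank line that separates the two entries. The domain example.com, the root cn, and the fixed salt used for the demonstration are assumptions for illustration; on a real host you would use slappasswd -s or the random salt this script picks by default.

```python
import base64
import hashlib
import hmac
import os


def domain_to_dn(domain):
    """Turn a DNS domain into an LDAP base DN: serverfault.com -> dc=serverfault,dc=com."""
    labels = [part for part in domain.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=%s" % label for label in labels)


def make_ssha(password, salt=None):
    """Salted SHA-1 in OpenLDAP's {SSHA} format: base64(sha1(password + salt) + salt).

    This is the same layout 'slappasswd -s <password>' produces by default; a fixed
    salt is only accepted here so the demonstration is reproducible.
    """
    if salt is None:
        salt = os.urandom(8)  # random salt per hash, as slappasswd does
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a candidate password against a {SSHA} value (salt is the trailing bytes)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is always 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def render_slapd_conf_fragment(domain, root_cn, password_hash):
    """The suffix / rootdn / rootpw lines to paste into slapd.conf."""
    suffix = domain_to_dn(domain)
    return "\n".join([
        'suffix "%s"' % suffix,
        'rootdn "cn=%s,%s"' % (root_cn, suffix),
        "rootpw %s" % password_hash,  # hashed value, never the plaintext
    ]) + "\n"


def render_initial_ldif(domain, root_cn):
    """The LDIF for the base entry and the root organizationalRole, blank-line separated."""
    suffix = domain_to_dn(domain)
    first_dc = suffix.split(",")[0][len("dc="):]  # leftmost dc= component
    base_entry = "\n".join([
        "dn: %s" % suffix,
        "objectClass: dcObject",
        "objectClass: organization",
        "o: %s" % domain,
        "dc: %s" % first_dc,
    ])
    root_entry = "\n".join([
        "dn: cn=%s,%s" % (root_cn, suffix),
        "objectClass: organizationalRole",
        "cn: %s" % root_cn,
    ])
    # LDIF entries must be separated by exactly one empty line.
    return base_entry + "\n\n" + root_entry + "\n"


if __name__ == "__main__":
    # Constructed demonstration values (assumptions, not from the page).
    domain, root_cn = "example.com", "root"
    rootpw = make_ssha("myultrasecurepassword")
    print(render_slapd_conf_fragment(domain, root_cn, rootpw))
    print(render_initial_ldif(domain, root_cn))
    print("verify:", verify_ssha(rootpw, "myultrasecurepassword"))
```

The rendered LDIF is what you would feed to ldapadd after slaptest has converted slapd.conf into slapd.d and the server is running; the hash line replaces the plaintext rootpw so that anyone who can read slapd.conf or the converted cn=config entry does not immediately get the directory manager's password.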