Preface Copyright Copyright 1998-2002, The Openldap Foundation, All Rights Reserved. Copyright 1992-1996, Regents of the University of Michigan, All Rights Reserved This document is part of the OpenLDAP project. It complies with the terms declared in OpenLDAP Software Copyright Notices and OpenLDAP Public License. Complete Notices and related license can be found in Appendix B and C, respectively. Scope of Application of this document This document provides a guide to OpenLDAP 2.1 on UNIX and class UNIX systems. It is a system administrator who has experience but has not been exposed to the LDAP directory. This document is also used to bring together the OpenLDAP software issued by binary package or other resources on the OpenLDAP official website (http://www.openldap.org/), there are many resources available on that site. OpenLDAP resource list Resource URL Document Catalog http://www.OpenLDAP.org/doc/ Frequently Asked Questions http://www.OpenLDAP.org/faq/ Issue Tracking System http://www.OpenLDAP.org/its/ Mailing Lists http://www.openldap.org/lists/ Software Pages http://www.openldap.org/software/ Support Pages http://www.openldap.org/support/ Statement OpenLDAP project consists of volunteers. There is no such document without their unpaid dedication in time and energy. The OpenLDAP project group also thanked the University of Michigan. This document also draws on the LDAP document of Michigan University: "SLAPD and SLURPD Administrator Guide". Revision of the reinforcement and revision of this document will be submitted through the issue tracking system (http://www.openldap.org/its/) of the OpenLADP project group. About this document This document is completed by the Simple Document Format (http://search.cpan.org/src/src/ianc/sdf-2.pan.org/src/src/ianc/sdf-2.001/doc/) developed by Ian Clatworth. The SDF tool can be obtained from cpan (http://search.cpan.org/search?query=sdf). OpenLDAP 2.2 Administrator's Guide OpenLDAP Project Group
Overview - Configuration Selection 3.1 Local Directory Services 3.2 Local Directory Services with References (RepliCed) Directory Services 3.4 Distributed Directory Services 4. Build and Install OpenLDAP Software 4.1 Get Recruitment Compression 4.2 Pre-installation (Prerequisite) 4.4 Running configure command 4.4 Generating 4.5 Test 4.6 Installing 5.SLAPD Profile 5.1 Profile Format 5.2 Profile Direction 5.3 Access Control 5.4 Profile Diagram 6. Run SLAPD 6.1 Command Row Option 6.2 Start SLAPD 6.3 Stop SLAPD 7 Database Creating and Maintenance Tools 7.2 Creating Database 7.2 Creating Database 7.3 Offline Creating Database 7.3 LDIF Text Entry Format 8. Scheme 8.1 Distributed Scheme Document 8.2 Scheme Extension 9. Safety Consideration 9.1 Network Security 9.2 Keeping Data Complete ( INTEGRITIALTY 9.3 Authentication method 10. Safety considerations for SASL 10.1 SASL 10.2 SASL certification 10.3 SASL proxy authentication 11. Using TLS 11.1 TLS Verification 11.2 Configuring TLS 12. Build distributed directory services (Distributed Directory) Service 12.1 Subordinate Knowledge Infomation 12.2 Parent Knowledge Infomation 12.3 ManageDSAIT Controller (Control) 13. Copying 13.1 Overview 13.2 Copying Log 13.3 Command Row Options 13.4 Configuring SLURPD and Slope Slapd Instance 13.5 Advanced SLURPD Options 14.LDAP Synchronization Copy 14.1 LDAP Content Synchronization Protocol 14.2 SyncRepl Detail 14.3 Configuring SyncREPL 15. Agent Cache Engine 15.1 Overview 15.2 Agent Cache Configuration Appendix A. General Configuration Description Appendix B.OpenLDAP Software Copyright Notice B.1 OpenLDAP Software Copyright Notice B.2 Additional Copyright Notice B. 3 Michigan University Copyright Notice Appendix C.OpenLDAP PR License 1.Openldap Directory Service Introduction This document explains how to build, match Set and operate OpenLDAP to provide directory services. These include details of the LDAP daemon SLAPD and the daemon SLURPD responsible for LDAP updates and replication. It is both a newcomer's road guide and a reference for experienced administrators. This section will make a brief introduction to the directory services provided by the directory service, especially the SLAPD. 1.1 What is a directory service? The directory is a class of databases for special optimizations in reading, browsing, and search. The directory contains attribute-based, descriptive information, and supports advanced filtering. Directory generally does not support high throughput and complex update operations supported by most transactional databases. Either a directory allows for updating operations, or all or not, the atomic operation. The length of the directory is to provide quick feedback for a large number of queries and search operations. In order to ensure the availability and reliability of data, they may have a wide range of replication information while focused on reducing the reaction time. When the directory information is replicated, the replication party is temporarily inconsistent with the replicated party, as long as they eventually remain synchronized. There are a variety of different ways to provide directory services. The information allowed by different directories is different, and there are many different directories on how to query, query, update, and prevent unauthorized access from issues.
Some directory services are local, only limited services (for example, the finger service on stand-alone). Other services are large-scale (Global), providing a wide range of services (such as facing the entire Internet). Large-range services are usually distributed, which means that data is distributed on multiple machines, these machines come together to provide directory services. A typical large-scale service defines a unified namespace (Namespace) to give an identical data view, regardless of your location relative to the data. DNS is an example of a typical large-range distributed directory service. 1.2 What is LDAP? LDAP is an abbreviation for Lightweight Directory Access Protocol (Lightweight Directory Access Protocol). As its name is indicated, it is a lightweight directory access protocol, which refers to the micridden version of the X.500 directory access protocol. LDAP runs above TCP / IP or other-oriented transport services. The LDAP complete technical specification consists of RFC2251 "The Lightweight Directory Access Protocol (V3)" and several other documents defined in RFC3377. This section will make a general understanding of LDAP from the user's angle. What kind of information can be stored in the directory? The LDAP information model is based on entry. An entry is a collection of properties with global unique identification names (DSTISHED NAME, DN). DN is used to refer to a unique entry. Each attribute of an entry has a type (Type), one or more values. Type (TYPE) is often a shorthand of a particular string, such as "CN" refers to "common name", or "mail" refers to the email address. The grammar of the value is dependent on the type (TYPE). For example, the attribute of type CN may contain a value Babs Jensen. The attribute of type Mail may contain value "babs@example.com". The attribute of type JPEGPHOTO may contain JPEG images in binary format. How does information organize in the directory? In LDAP, the entry is tissue in a tree hierarchy. Traditionally, this structure is often reflected in geographic boundaries or tissue boundaries. The entry representing the country is located on the top of the entire directory tree. The entry under behalf of each state and a national organization. Then the following entry represents organizational units, individuals, printers, files, or other things you can think of. Figure 1.1 shows the LDAP directory information tree organized according to the traditional naming manner. Figure 1.1: LDAP directory tree (traditional nomenclature) directory tree can also be organized in accordance with the Internet domain name structure. Because it allows directory services to be positioned in accordance with DNS, this naming method is becoming more popular. Figure 1.2 shows an example of an LDAP directory tree that is organized according to the domain name. Figure 1.2: LDAP directory tree (domain name naming) Additionally, LDAP allows you to control which properties are entries by using a special attribute called ObjectClass, which attributes are entries. The value of the ObjectClass property is defined by the scheme that must be followed by the entry. How is information? A entry is referenced by its identification. The identification name is constructed by the relative identification name (Relative Distinguished Name or RDN) and its parent stem name.
For example, in the example of the Internet Named, the Barbara Jensen entry has a relatively identified name uid = Babs and ID name uid = babs, ou = people, dc = example, DC = COM. The complete DN format is described in RFC2253, "Lightweight Directory Access Protocol": UTF-8 String Reperesentation Of Distinguished Names ". How is information accessed? LDAP defines a set of inquirys and update directories. Supported operations include adding and deleting entries from a directory, changing existing entries, and changes the name of the already entries. However, in most cases, LDAP is information used to search for the directory. By specifying a search filter, the LDAP can search for the entries in the relevant part of the directory. Each entry that satisfies the filter conditions can receive request information. For example, you may want to search for an entry called Barbara Jensen under DC = EXAMPLE, DC = COM directory sub-tree, and gets the Email address of each entry found. LDAP allows you to easily complete all. Or you want to search directly below ST = California, c = US subtree, and there is an Acme string in the name, and there is an entry of an organization of a fax number. LDAP also makes you easily finished all. The next section will describe more details about what you can do with LDAP and how it is useful for you. How to protect information is not unauthorized access? Some directory services do not provide protection, allowing information to be visible to anyone. LDAP provides a mechanism to confirm the customer, or let customers prove that he has the identity connected to the server, which is undoubtedly paving the way for all-round access control to the server, thus ensuring that the server contains information. Safety. LDAP also supports Privacy and Integrity's security services. 1.3 What is LDAP work? The LDAP directory service is based on customer-server mode. One or more LDAP servers contain data that make up the entire directory information tree (DIT). The client is connected to the server and issues a request. The server is then responded in an answer (Answer) or gives a pointer, and the customer can get the required data (usually, the pointer is to another LDAP server). Regardless of which LDAP server is connected, it is the same directory view (view). This is an important feature of LDAP's global directory services. 1.4 What is X.500? From a technical disclosure, LDAP is a directory access protocol to the X.500 directory service, and X.500 is an OSI directory protocol. Initially, the LDAP client accesses the X.500 directory service through the gateway. This gateway runs the LDAP and the X.500 Directory Access Protocol (DAP) between the client and gateways, and the X.500 Directory Access Protocol is between the gateway and the X.500 server. The DAP is a heavyweight protocol that operates on the entire OSI protocol and needs to take up a lot of computing resources. LDAP is designed to operate on TCP / IP layers to achieve most DAP functions with small cost. Although the LDAP can be sent to the X.500 directory server through the gateway, it is usually directly LDAP directly on the X.500 server. A separate LDAP daemon, SLAPD, can be seen as a lightweight X.500 directory server. That is, it does not implement the X.500 complete DAP protocol.
As a lightweight directory server, SLAPD is only a subset of the X.500 model. If you have already intended to run an X.500 DAP service and if you want to do this, you can read this guide again. This guide is all about running LDAP via SLAPD, rather than running the X.500 DAP. If you don't run the X.500 DAP, or want to stop running the X.500's DAP, or if you haven't immediately planned to run X.500, please read it. Copying data from the LDAP directory server to X.500 DAP DSA is possible. This requires the LDAP / DAP gateway. OpenLDAP does not provide such a gateway, but our copy daemon can be used to copy data to such a gateway. See the Replication With Slurpd chapter of this document to learn about the copy. 1.5 Differences between LDAPv2 and LDAPv3? LDAPv3 was developed in the 1990s to replace LDAPV2. LDAPV3 adds the following features for LDAP:. Strong Authentication Based on SASL. Data integrity and consistency protection based on TLS (SSL). Internationalization through Unicode. REFERRALS AND CONTINUATIONS. The solution found. Scalability (control, scalable operation, etc.) LDAPv2 is historic (RFC3494). Because most LDAPv2 implementations (including SLAPD () are not complied with LDAPv2 technical specifications, interoperability is limited in different LDAPv2 implementations. Because LDAPv2 and LDAPv3 have significant differences, the deployment LDAPv2 and LDAPv3 will be large. Trouble. You should avoid using ldapv2.ldapv2 by default is not supported. 1.6 What is SLAPD, what is it possible? SLAPD (8) is an LDAP directory server that can run on many platforms. You can use it to provide yourself Directory service. Your directory can contain quite a few things you want to put inside. You can connect it to a global directory server, you can also run it. Some other interesting features of Slapd are included: LDAPv3: SLAPD implements the third version of the lightweight directory access protocol. Slapd supports IPv4 and IPv6 and LDAP on UNIX IPC. Simple Authentication and Security Layer: SLAPD supports SASL implementation through SASL's strong type authentication service. Slapd SASL implementation Using Cyrus SASL - a software that supports Digest-MD5, External, and GSSAPI. Transport Layer Security: SLAPD provides OpenSSL by providing privacy and integrity protection. Slapd's TLS implementation Topology Control: SLAPD can be configured to restrict access to a tape word on network topology information. This feature is used to TCP Wrappers. Access Control: SLAPD provides a diverse and powerful access control feature, which allows you to control Access to the information in your database. You can control access. Slapd supports static and dynamic access control information via LDAP authentication information, IP address, domain name, or other rule, INTERNATIONALIZATION: SLAPD supports Unicode and language flags Choice of Database Backends: SLAPD provides a variety of backend databases that allow you to choose.
This includes BDB, a high-performance transactional backend database; LDBM, a lightweight DBM backend database; shell, a database interface that can interact with any script; there is a Passwd, a PASSWD file Simple database interface interacting. The BDB backend database uses SleepyCat Berkeley DB. LDBM uses Berkeley DB or GDBM. Multiple Database Instances: SLAPD can be configured to support multiple database instances simultaneously. This means that a single SLAPD server can respond to multiple different logic parts on the LDAP tree, using the same or different backend databases. Generic Modules API: If you ask for more personalization, SLAPD allows you to easily write your own module. SLAPD contains two different parts: communication between front-end modules and LDAP customers; there are multiple modules to handle specific tasks such as database operations. Because these two parts are interacting by defining the C API, you can write your own personalized modules to extend the SLAPD in a variety of ways. Moreover, many programmable database modules are also available. This allows you to import external data sources into SLAPD (such as Perl, Shell, SQL, and TCL) using popular programming languages. Threads: For high performance SLAPD being threaded. By using a thread pool, you only need a SLAPD process that supports multi-threads You can handle all input requests. This reduces the overhead of the system when high load. Replication: SLAPD can be configured to maintain a shadow copy of a directory information. The copy scheme of this one of the SINGLE-MASTER / MULTIPLE-SLAVE is important in the environment of some large data, as a single SLAPD does not provide the necessary availability and reliability. SLAPD also supports multiple master copy schemes (for strong type ACID properties). SLAPD supports two copy options: LDAP sync-based and slurpd (-barated copy scheme. Proxy Cache: SLAPD can be configured to have an LDAP server with proxy cache function. Configuration: SLAPD is highly configurable, through a simple profile You can change everything you want to change. The configuration options have reasonable default values, which will make your work easier. 1.7 What is slurpd, what can it do? Slurpd (8) is a SLAPD With the help of the copy service. It is responsible for distributing changes to the main SLAPD database to each different SLAPD subordinates. It exempts the worries of SLAPD - some subordinates may be turned off when data changes. Down) or unreachable. Slurpd will automatically process the retransmission of the failure request. Slapd and SLURPD communicate through a simple text file that will change the logo log. View Replication With Slurpd chapter to get more about how to configure and run slurpd Information. In turn, ldap-sync-based copies can also be used to provide copy services. View the LDAP Sync Replication chapter to get more information. 2. Quick Starts will be a simple introduction to OpenLDAP 2.1, including LDAP daemons SLAPD (. It will take you with several basic steps to install and configure OpenLDAP. It should be with other chapters of this document, manual, and other materials issued together with the publisher (such as install document) or OpenLDAP site (Especially FAQ). If you plan to run OpenLDAP seriously, you should see all the chapters of this document prior to preparation installation.
-------------------------------------------------- ----------------------------------------- Note: Quick Start does not mention strong type Identity certification, nor refers to the complete and confidentiality of data. These will be detailed in other chapters of this document -------------------------------------- -------------------------------------------------- --- 1. Get a package You can download a copy of the software as described by the OpenLDAP download page (http://www.openldap.org/software/download/). Recommend a novice to use the latest version. 2. Unzip the release package Select a directory to store the source code of the software, change the work directory to this directory, use the following command to develop the package: gunzip -c OpenLDAP-VERSION.TGZ | TAR XVFB - then enter the release package directory: CD OpenLDAP-VERSION You need to use your publishing to replace Version. 3. See the document Now you should first refer to the Copyright, License, Readme, and Install documents released with the release package. Copyright and license provide information about using OpenLDAP. You should also see other chapters of this document. In particular, the "Construction and Installing OpenLDAP Software" provides a pre-installation software and the details of the installation process. 4. Run configure scripts You need to run the configure configuration script to configure the release package to build OpenLDAP on your system. Configure scripts can accept a lot of command line options to enable or disable certain optional features. Usually the default is OK, but you might want to change them. To get a list of Configure scripts, you need to use - HELP options: ./configure --help Considering you are referring to this document, we assume that you have enough courage to make the configure script to decide everything: ./configure if The Configure script does not have something wrong on your system, you can continue to build the entire software now. If the configure script has a problem, you may need to go to the FAQ installation section to seek help (http://www.openldap.org/faq/), or carefully read the "Build and Install OpenLDAP Software" section of this document. . 5. Build Software The next step is to build the entire software. This step is divided into two parts. First we build a dependency, then we start compiling: Make depend make should be completed without errors. 6. Test Whether the construction is correct to ensure that the construction is correct, you should run the TEST kit (it will take a few minutes of time): make test works on the test above your configures will start running and all tests should by. Some tests, such as a replication test, may be ignored. 7. Installing the software Now you have to install it, which usually requires superuser: Su root -c 'make install' All things will be installed in / usr / local directory (or other you specified when running Configure position).
8. Edit Profile To edit the SLAPD.CONF sample (usually in /usr/local/tc/openldap/slapd.conf) to edit the SLAPD.CONF sample (usually located /usr/local/tc/openldap/slapd.conf): Database BDB SUFFIX "DC = < MY-DOMAIN>, DC =
We will complete it through two steps: 1. Create an LDIF file 2. Run LDAPADD to create a LDIF file containing the following editor: DN: DC =
Figure 3.1: Local configuration mode If you have just started to contact LDAP (that is, "Quick Start" teaches you), or if you just want to provide local directory services, you don't want to have Guayuo with the outside world, you should use this mode. As long as you are willing, it can easily upgrade to other modes. 3.2 Local Directory Services with a pointer (REFERRALS) In this configuration mode, you run a LDAP server for your local domain and configure it to return it when the customer's request exceeds your local domain. A pointer, the pointer pointing to an address of a higher server with a higher level of servers with processing client requesting capabilities. You can run this service yourself or use one that has been provided. This configuration mode is shown in Figure 3.2. Figure 3.2: Running this mode if you want to run a local directory service and participate in the global directory. 3.3 Catalog Directory Services Slurpd daemon is used to propagate changes on the primary SLAPD to one or more slave SLAPDs. A configuration example of a Master-Slave type is shown in Figure 3.3. Figure 3.3: Directory Services of Copy Mode This configuration mode can be used with one of the two configuration modes, in the previous two cases, separate SLAPDs cannot provide sufficient availability and reliability. 3.4 Distributed Directory Service In this configuration mode, the local service is split into multiple smaller services, each of which may be copied and passed through the superior or subordinate pointer (Referral ) Bonded. 4. Build and install OpenLDAP Software This section explains how to build and install OpenLDAP, including SLAPD and SLURPD. Build and install OpenLDAP needs to pass several steps: Install the support software, configuration, compile, and finally install. The following sections will be described in detail. 4.1 Get reconciliation compression You can get the OpenLDAP / get OpenLDap from the official site http://www.openldap.org/software/download/ or the project's FTP site ftp://ftp.openldap.org/pub/openldap/ Copy. There are two types of packages (package). Releases contains new features and fixes bugs. Although the project team takes related measures to ensure Releases stability, the problem is often still appearing in Release. The Stable publishing is the latest version that is considered stable. Users can choose the version of the use of the new features or stability requirements. After downloading the OpenLDAP package to your local machine, you need to extract them from the archived compressed file and change your current work directory to the decompressed directory: gunzip -c OpenLDAP-VERSION.TGZ | TAR XF - CD OpenLDAP-VERSION You need to replace Version with your version number. Now you should first refer to the Copyright, License, Readme, and Install documentation released with the release package. Copyright and license provide information about using OpenLDAP. 4.2 Prerequisite OpenLDAP requires a few third-party software support. Depending on the function you want to implement, you may need to download and install some related packages. This section gives some details of some of the packages you may want to use. It should be noted that these third-party packages may also require some additional software support. Please follow the installation instructions in the package to install each package you need. 4.2.1 Transportation Layer Security OpenLDAP Customers and Servers need to install the OpenSSL TLS library to provide a safe service of the transport layer.
Although some operating systems may use OpenSSL as part of the basic system or as an optional component. OpenSSL still needs to be installed separately. OpenSSL can be obtained from http://www.openssl.org/. There is no authentic LDAPv3 version without using OpenLDAP. 4.2.2 Kerberos Authentication Service OpenLDAP Customer and Server can support Kerberos-based authentication services. In particular, the OpenLDAP can also support the SASL / GSSAPI authentication mechanism by using Heimdal or Mit Kerberos V. If you need to use Kerberos-based SASL / GSSAPI certification, you need to install Heimdal or Mit Kerberos V. Heimdal can be obtained from http://www.pdc.kth.se/heimdal/. Mit Kerberos V is available from http://web.mit.edu/kerberos/www/. It is highly recommended to use software such as Kerberos to provide strong type certification services. 4.2.3 Simple authentication and security layers OpenLDAP customers and servers need to install Cyrus's SASL library to provide simple authentication and security layer services. Although some operating systems may use Cyrus SASL as part of the basic system or as an optional component. Cyrus SASL usually needs to be installed separately. Cyrus SASL can be obtained from http://asg.Web.cmu.edu/sasl/sasl-library.html. Cyrus SASL will use the installed OpenSSL and Kerberos / GSSAPI libraries. Do not use the Cyrus SASL OpenLDAP to count the real LDAPv3 version. 4.2.2 Database Software OpenLDAP's preferred backend database is BDB, requiring 4.2 version of SleepyCat Software Berkeley DB. If you haven't installed BDB when you configure installation, you cannot use the preferred backend database to build SLAPD. Your operating system may use a 4.2 version of Berkeley DB as part of the basic system or as an optional component. Otherwise, you need to download and install it yourself. Berkeley DB can be obtained from http://www.sleepycat.com/download/. It has several different versions available. At the time of writing this document, its latest version, that is, version 4.2, is recommended for us. This package is required if you want to use BDB as a backend database. SLAPD's LDBM supports many different database management systems, including Berkeley DB and GDBM. GDBM can be obtained from the Site FTP: //ftp.gnu.org/pub/gnu/gdbm/ from the Free Software Foundation (FSF). 4.2.5 Thread OpenLDAP can utilize threads. OpenLDAP supports POSIX PTHREADS, MACH CTHREADS, and other varies. If you can't find a suitable thread system, Configure gives a warning. If this happens, please refer to FAQ (http://www.openldap.org/faq/) Software | Installation | Platform Hints section. 4.2.6 TCP Packaging (Wrapper) If installed, the SLAPD supports the TCP wrapper (IP level filtering). For servers that do not contain public information, use TCP wrappers or other IP level access filters (such as such a function provided by some IP levels). 4.3 Run the configure command Now you may need to run the Configure script that runs the --help parameter. This will give a list of options that you can do when you build OpenLDAP. Many of OpenLDAP can be used or disabled in this way. ./configure --Help configure scripts will also do some settings by viewing the environment variables.
These environment variables include: Table 4.1: Environment Variables Variable Description CC Specify alternative C Compiler CFLAGS Specify additional compiler flags CPPFLAGS Specify C Preprocessor flags LDFLAGS Specify linker flags LIBS Specify additional libraries now run the configure script with the required configuration options or environment variables. [[ENV] settings] ./configure [options] As an example, assume that we want to install an OpenLDAP with a BDB backend database and with TCP wrapper. By default, the BDB is on, and the TCP wrapper is not. So, we need to specify -with-wrappers to include support for TCP wrappers: ./configure --with-wrappers However, if the redeered software is not installed in the system directory, this will fail. For example, if the header file of the TCP wrapper and library files are installed in / usr / local / include and / usr / local / lib, the configure script should be like this: env cppflags = "- I / usr / local / Include "ldflags =" - l / usr / local / lib "/ ./configure --with-wrappers --------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------- ---------------- Note: Some shells, such as the shell from Bourne SH, do not need to use the ENV command. In some cases, environment variables need to be specified by other syntax. -------------------------------------------------- ------------------------------------------ 4.4 Construction once you have run configure Script, then the last line of the configure script output should be: please "make depend" to build dependendencies If it is not the above, the Configure script fails, you need to see its output to decide what is going out problem. Unless configure is completely successful, you can't enter the next step. To build a dependency, run the command: make Depend now builds the entire system, this step will actually compile OpenLDAP. Make You should carefully check the output of the command to ensure that all things have been constructed correctly. Note this command builds an LDAP library, the corresponding client and SLAPD, and slurpd. 4.5 Test Once the configuration and compiling are completed correctly, you should run the test suite to verify the build process is correct. Make Test's test on your configured configuration will begin running and all tests should pass. Some tests, such as a replication test, may be ignored. 4.6 Installation Once you have successfully tested the software, you have to install it. You need to have write permissions that have a write permission to the installation directory you specified when configure. By default, OpenLDAP is installed under the / usr / local directory. If you change this setting with the --prefix configuration option, it will be installed in the location you specified. Typically, you need to have superuser privileges.
On the top of the OpenLDAP source code, type: su root -c 'make install' and give a prompt to let you enter the correct password. You should carefully check the output of the command to ensure that all things have been installed correctly. By default, you will find SLAPD configuration files in the / usr / local / etc / OpenLDAP directory. See "SLAPD Profile" section for more information. 5. Slapd configuration file Once OpenLDAP is built correctly and installed, you have to configure SLAPD to use it on your site. SLAPD runtime profile is mainly slapd.conf, usually installed under the / usr / local / etc / OpenLDAP directory. You can also specify another profile through the command line option of SLAPD or SLURPD. This section describes the general format of the configuration file, followed by a detailed description of the commonly used configuration file instruction. 5.1 Profile Format The SLAPD.CONF file contains the configuration information of the three types: globally, a specific backend, a specific database. The overall information is first specified, followed by information related to a particular backend, which is then related to a particular database instance. The global instructions can be overridden by the back-end and / or database instructions, while the back-end instructions can also be overridden by the directive of the database. The annotation of the blanket and the beginning of "#" will be ignored. If a row begins with a space, it will be considered to be the next line (even if the previous line is comment). The general format of slapd.conf follows: # global configuration directives
This section will divide the configuration file instruction into three classes of a global, a particular backend, a specific database, give each instruction and its default value (if any), and give it an example of use. 5.2.1 Global Directive This section gives the instructions to all backends and databases unless they are rewritten in the definition of the backend and databases. The parameters that need to be replaced with actual text are used <>. 5.2.1.1 Access to
5.2.3. Universal Database Instructions This section will only act to define their database. They are supported by each database. 5.2.3.1. Database
string should be enclosed in double quotes. The bindmethod is simple or kerberos or sasl, depending on whether simple password-based authentication or Kerberos authentication or SASL authentication is to be used when connecting to the slave slapd. Simple authentication should not be used unless adequate integrity and privacy protections are in place (eg TLS or IPSEC). Simple authentication requires specification of binddn and credentials parameters. Kerberos authentication is deprecated in favor of SASL authentication mechanisms, in particular the KERBEROS_V4 and GSSAPI mechanisms. Kerberos authentication requires binddn and srvtab parameters . SASL authentication is generally recommended. SASL authentication requires specification of a mechanism using the saslmech parameter. Depending on the mechanism, an authentication identity and / or credentials can be specified using authcid and credentials respectively. The authzid parameter may be used to specify an authorization Identity. See t he chapter entitled Replication with slurpd for more information on how to use this directive. 5.2.3.4. replogfile
Note:. When the backend to pass a query to is selected, slapd looks at the suffix line (s) in each database definition in the order they appear in the file Thus, if one database suffix is a prefix of another, it must appear After it in the config file. ------------------------------------------- -------------------------------------------------- -------------- 5.2.3.8. Syncrepl syncrepl rid =
replica ID> is non-negative and is no more than three decimal digits in length. The provider parameter specifies the replication provider site containing the master content as an LDAP URI. The provider parameter specifies a scheme, a host and optionally a port where the Provider slapd instance can be found. Either a domain name or ip address may be used for
refreshOnly and refreshAndPersist. The operation type is specified by the type parameter. In the refreshOnly operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the interval parameter. It is set to one day by default. in the refreshAndPersist operation, a synchronization search remains persistent in the provider slapd. Further updates to the master replica will generate searchResultEntry to the consumer slapd as the search responses to the persistent synchronization search. The schema checking can be enforced at the LDAP Sync consumer site by turning on the schemachecking parameter. If it is turned on, every replicated entry will be checked for its schema as the entry is stored into the replica content. Every entry in the replica should contain those attributes required by the schema Definition. If IT IS TURNED OFF, ENTRIES WILL BE Stored Without Checking Schema conformance. The default is off. The updatedn parameter specifies the DN in the consumer site which is allowed to make changes to the replica. This DN is used locally by the syncrepl engine when updating the replica with the entries received from the provider site by using the internal operation mechanism. The update of the replica content is subject to the access control privileges of the DN. The DN should have read / write access to the replica database. Generally, this DN should not be the same as rootdn. The binddn parameter .
The bindmethod is simple or sasl, depending on whether simple password-based authentication or SASL authentication is to be used when connecting to the provider slapd. Simple authentication should not be used unless adequate integrity and privacy protections are in place (eg TLS or IPSEC) . Simple authentication requires specification of binddn and credentials parameters. SASL authentication is generally recommended. SASL authentication requires specification of a mechanism using the saslmech parameter. Depending on the mechanism, an authentication identity and / or credentials can be specified using authcid and credentials, respectively . The authzid parameter may be used to specify an authorization identity The realm parameter specifies a realm which a certain mechanisms authenticate the identity within The secprops parameter specifies Cyrus SASL security properties The syncrepl replication mechanism is supported by the three native backends:... back -BDB, Back-HDB, And Back-ldbm. See t he LDAP Sync Replication chapter of the admin guide for more information on how to use this directive. 5.2.3.9. updatedn
It specifies the URL to return to clients which submit update requests upon the replica If specified multiple times, each URL is provided Example:.. Updateref ldap: //master.example.net 5.2.4 BDB database command this type of instruction only. Will act on the BDB database. That is, they must follow the "Database BDB" line and appear before any subsequent "backend" or "Database" line. For a complete reference to the BDB configuration instruction, see SLAPD-BDB. 5.2.4.1. Directory
If the replica status is outdated too much and beyond the coverage of the history store, then the provider slapd will send the identities of the unchanged in-scope entries along with the changed in-scope entries. The consumer slapd will then remove those entries in The Replica Which Are Not Identified As present in the provider content. 5.2.5. LDBM Database Instruction This class is only acting on the LDBM database. That is, they must follow the "Database LDBM" line and appear before any subsequent "backend" or "Database" row. To get a complete reference for the LDBM configuration instruction, see SLAPD-LDBM. 5.2.5.1. Cachesize
IT is generally advised That Minimally An Equality Index Upon ObjectClass Be Maintained. INDEX ObjectClass EQ 5.2.5.7. Mode
OU = people, o = suffix 4: cn = addresses, uid = kdz, ou = people, o = suffix 5: uid = hyc, ou = people, o = suffix is then: DN.BASE = "OU = people, o = Suffix "Match 2; Dn.one =" OU = people, O = SUFFIX "matches 3, and 5; DN.Subtree =" ou = people, o = suffix "matches 2, 3, 4, and 5; Dn.Children = "OU = people, o = suffix" matches 3, 4, and 5. The entry can also be collected by a filter: to filter =
