1. Distributed directory service.
2. Plaintext is used by default, but can be configured to use TLS.
o openldap – Contains configuration files, libraries, and documentation needed for OpenLDAP to function.
o openldap-servers – Contains the slapd LDAP daemon and the slurpd replication daemon as well as several migration scripts.
o openldap-clients – Contains client programs needed for accessing and modifying openldap directories.
o nss_ldap – Contains two LDAP access clients, nss_ldap and pam_ldap.
o gq – Provides GUI LDAP client gq.
o slapd – TCP 389
o slurpd – ???
o Distinguished Name (DN) – Used to reference a specific entry in the directory service. Example DN:
    uid=steve, ou=People, dc=somedomain, dc=com
o BaseDN – A server is responsible for all DNs that are within its BaseDN. Example BaseDN:
    dc=somedomain, dc=com
26.2 LDAP Server
o Stand-alone LDAP Daemon.
1. Scripts to migrate existing system data to an LDAP server stored in /usr/share/openldap/migration.
2. migrate_common.ph – Contains common header information needed by migration scripts. Need to modify:
3. After changing defaults, modify /etc/openldap/slapd.conf (see below) and then run the appropriate migration script. For example:
* migrate_all_offline.sh – Migrates traditional UNIX flat files.
NOTE: Starting with RH 7.1, protocols and services were added that contain a + in their name. These must be commented out of /etc/protocols and /etc/services because they cause trouble with the migration scripts.
* migrate_all_nis_offline.sh – Migrates information from existing NIS services.
* See /usr/share/openldap/migration/README for an explanation of the various migration scripts.
4. Change the ownership of the LDAP database files so slapd can access them:
    chown -R ldap:ldap /var/lib/ldap
1. Edit /etc/openldap/slapd.conf and specify the following:
* suffix – The BaseDN
* rootdn – The DN for the administrator
* rootpw – The password for the administrator
* Default setup gives rootdn read/write access and read-only access to all others.
* Highly Configurable.
* Compare, search, read, and write access can be configured for each entry.
26.3 LDAP Clients
1. Command Line
o Configured in /etc/openldap/ldap.conf.
1. Specify which server to bind to.
2. Specify the BaseDN to use.
3. Client utilities usually let you override these defaults.
o Utilities include:
1. ldapadd – Add directory entries.
2. ldapdelete – Delete directory entries.
3. ldapmodify – Modify directory entries.
4. ldappasswd – Change password of an entry.
5. ldapsearch – Search directory entries.
o gq – Allows user to browse, search, modify, and display directory entries.
26.4 Using LDAP with NSS
1. Requires nss_ldap RPM.
o /etc/nsswitch.conf – Add “ldap” to the search order of the entries that will be provided by LDAP.
o /etc/ldap.conf – Configuration file for nss_ldap. Note that this is different from the client configuration file /etc/openldap/ldap.conf. Example:
    host 192.168.1.5                       # LDAP server
    base dc=xyz,dc=com                     # Base DN of database
    binddn cn=binduser,dc=xyz,dc=com       # DN to bind to the server with. Default is anonymous access.
    bindpw super_secret                    # Password for the user to bind with
    rootbinddn cn=root,dc=xyz,dc=com       # DN to bind to the server with when the UNIX uid is 0.
                                           # Password is stored in /etc/ldap.secret in plaintext (mode 600)
    ssl                                    # Use TLS instead of plaintext communication
The rootbinddn is the DN used to attach to the LDAP database when the userid = 0. It must be set to a DN with proper permissions (typically the rootdn specified in /etc/openldap/slapd.conf) in order for root to update user accounts using command line utilities like passwd, chsh, etc.
o /etc/pam.d/system-auth – PAM configuration file used for system authentication. This is configured by authconfig.
If, as root, you attempt to change the password of a user stored in the LDAP database and you receive an error about the user being “Unknown”, verify that the password in /etc/ldap.secret is correct. It must be in plain text. When the password is incorrect, root can’t bind to the LDAP database and therefore won’t be able to find the user.
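The /etc/ldap.conf settings and the /etc/ldap.secret requirement above lend themselves to a quick audit. The script below is an added example, not part of these notes; it takes the config and secret paths as arguments (so it can run on copies), assumes GNU or BSD stat, and flags the three weaknesses the notes describe: no ssl line, a bindpw in a config other users can read, and a root secret file that is missing or not mode 600.

```sh
#!/bin/sh
# Added example (not from the notes): audit an nss_ldap /etc/ldap.conf and its
# /etc/ldap.secret for the weaknesses the notes describe. Paths are arguments,
# so it can be run against copies or constructed files.

# Numeric mode of a file, e.g. 600 (GNU stat first, BSD stat as fallback).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Usage: audit_ldap_conf CONF SECRET
# Prints one finding per line; the return value is the number of findings.
audit_ldap_conf() {
    conf=$1 secret=$2 findings=0
    # 1. No "ssl" line: every bind (bindpw included) crosses the wire in plaintext.
    if ! grep -Eq '^[[:space:]]*ssl([[:space:]]|$)' "$conf"; then
        echo "WARN: $conf has no ssl line; LDAP traffic is plaintext"
        findings=$((findings + 1))
    fi
    # 2. bindpw in a readable config. nss_ldap needs ldap.conf readable by every
    #    process that resolves users, so a bindpw there is visible to local users.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf" && [ "$(file_mode "$conf")" != 600 ]; then
        echo "WARN: $conf holds bindpw but is mode $(file_mode "$conf"); local users can read it"
        findings=$((findings + 1))
    fi
    # 3. rootbinddn needs the plaintext secret file, and it must be mode 600.
    if grep -Eq '^[[:space:]]*rootbinddn[[:space:]]' "$conf"; then
        if [ ! -f "$secret" ]; then
            echo "WARN: rootbinddn set but $secret is missing; root binds will fail"
            findings=$((findings + 1))
        elif [ "$(file_mode "$secret")" != 600 ]; then
            echo "WARN: $secret is mode $(file_mode "$secret"); must be 600"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Demo on constructed files (mirrors the weak settings shown in the notes).
demo_dir=$(mktemp -d)
printf 'host 192.168.1.5\nbase dc=xyz,dc=com\nbinddn cn=binduser,dc=xyz,dc=com\nbindpw super_secret\nrootbinddn cn=root,dc=xyz,dc=com\n' > "$demo_dir/ldap.conf"
printf 'super_secret\n' > "$demo_dir/ldap.secret"
chmod 644 "$demo_dir/ldap.conf" "$demo_dir/ldap.secret"
audit_ldap_conf "$demo_dir/ldap.conf" "$demo_dir/ldap.secret" || echo "findings: $?"
rm -rf "$demo_dir"
```

On a real host, run it as audit_ldap_conf /etc/ldap.conf /etc/ldap.secret; the demo files reproduce the notes' sample config and report three findings.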