OpenLDAP V1.2 Example:
- slapd.conf:
File: /etc/openldap/slapd.conf (RH 6.x RPM: openldap-1.2.9-6)
include /etc/openldap/slapd.at.conf        - Data Attribute definitions include file
include /etc/openldap/slapd.oc.conf        - Object Class definitions include file
schemacheck on                              - Leave on
pidfile /var/run/slapd.pid                  - Output file - process id
argsfile /var/run/slapd.args                - Output file - process running and its arguments
defaultaccess read
database ldbm                               - Define the database to be used by LDAP
lastmod on
suffix "o=domain-name.org"                  - Specify organization
rootdn "cn=Manager,o=domain-name.org"       - LDAP Administrator login name
rootpw supersecretpw                        - LDAP Administrator login password
directory /var/lib/ldap                     - Location of database files
Notes:
- For a full list of slapd directives see:
  - the U of Michigan slapd manual, or
  - the slapd.conf man page (V1.2).
- This file contains the LDAP admin password, thus this file should NOT be world readable!
- If adding "Object Classes" or "Data Attributes", add your own include files. It's best not to modify slapd.oc.conf or slapd.at.conf. You can also add new definitions directly to the end of this file (slapd.conf).
- If a line begins with white space, it is considered a continuation of the previous line.
- A blank space separates the directive and the argument. If blanks are part of the argument, then the argument is enclosed in quotes.
- Alternate style: directory /var/lib/ldap/your-domain.org
  If you are supporting multiple domains you may want to place each database in a unique directory.
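An added check (example code, not from this page or the OpenLDAP project): it parses a constructed slapd.conf fragment using the continuation-line and quoting rules noted above, then flags a rootpw stored as a bare string and a file mode that leaves the file group- or world-readable. The {SCHEME} tag convention for a hashed rootpw is an assumption, not something the page states.

```python
import shlex
import stat

# Constructed sample in the layout of the slapd.conf above (not a real file);
# it contains a quoted argument and a continuation line starting with whitespace.
SAMPLE_SLAPD_CONF = """\
include /etc/openldap/slapd.at.conf
include /etc/openldap/slapd.oc.conf
schemacheck on
database ldbm
suffix
        "o=domain-name.org"
rootdn "cn=Manager,o=domain-name.org"
rootpw supersecretpw
directory /var/lib/ldap
"""

def parse_slapd_conf(text):
    """Return [(directive, [args])]: a line starting with white space continues
    the previous line, and an argument containing blanks is quoted."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                # blank or comment line
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()        # continuation line
        else:
            logical.append(raw.rstrip())
    parsed = []
    for line in logical:
        parts = shlex.split(line)                   # honours "quoted args"
        parsed.append((parts[0].lower(), parts[1:]))
    return parsed

def audit_rootpw(entries):
    """Report a rootpw stored as a bare string. Assumption: a hashed value is
    written with a scheme tag such as {CRYPT}; whether this slapd version
    accepts a hashed rootpw is not stated on the page."""
    for directive, args in entries:
        if directive == "rootpw" and args and not args[0].startswith("{"):
            return "rootpw is stored in plaintext"
    return None

def group_or_world_readable(mode):
    """True if a file mode (e.g. os.stat(path).st_mode) lets group or others read."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))
```

Against a live file, pass os.stat("/etc/openldap/slapd.conf").st_mode to group_or_world_readable and the file's text to parse_slapd_conf.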
- Object Class Definitions:
Include file example: my-slapd.oc.conf
objectclass orgEmployee                 - Name of object class
        requires                        - Data attributes required to define object class
                sn,
                cn,
                mail,
                objectclass             - All classes must inherit from a parent class which eventually refers back to class "top"
        allows                          - Data attributes which are allowed but optional
                nickname,
                usehtmlmail,
                o,
                l,
                givenname,
                sn,
                st,
                description,
                title,
                streetaddress,
                postalcode,
                c,
                telephonenumber,
                homephone,
                facsimiletelephonenumber,
                ou,
                pager,
                mobile,
                seeAlso
In this example a new object definition called "orgEmployee" is defined. I tried to incorporate most of the data entries from the Communicator ldif file.
- Attribute Definitions:
List of LDAP attributes
These definitions reside at the end of the slapd.conf or in include files of their own. Note that the attributes are defined before being used in object definitions.
Include file example: my-slapd.at.conf
attribute nickname      cis
attribute usehtmlmail   bool
attribute givenname     cis
Valid data type options for an attribute include:
Type/syntax    Description
dn             Distinguished Name (Unique key)
cn             Common Name
sn             Surname (Last name)
bin            Binary
boolean        true/false, yes/no, on/off
cis            Case ignore string (case ignored during string comparisons)
ces            Case exact string (case must match during a string comparison)
tel            Telephone number string ("-" and spaces ignored)
int            Integer
operational    Not displayed in search results
dc             Domain component
o              Organization name
ou             Organization unit
street         Street
l              Locality
st             State/Province
c              Country
aci            Access control information (Netscape Directory server only)
seeAlso        URL of info
mail           e-Mail address
Basic definitions are bin, ces, cis, tel, dn.
- LDIF file: Defining Data for the LDAP database: domain-name.ldif
The input ASCII data file format required by LDAP is the LDIF format.
dn: o=domain-name.org
objectclass: top
objectclass: organization
o: domain-name
o: Full Company Name
o: Company nick name

dn: cn=Manager,o=domain-name.org
cn: Manager
sn: Manager
objectclass: top
objectclass: person

dn: ou=MemberGroupA,o=domain-name.org                    - Use actual domain name.
ou: MemberGroupA                                         - Use name of your group or department
objectclass: top
objectclass: organizationalUnit
description: Members of MemberGroupA

dn: cn=Larry Anderson,ou=MemberGroupA,o=domain-name.org
cn: Larry Anderson                                       - Yes it is mentioned in the dn statement but it is repeated here
objectclass: top                                         - These objectclass statements MUST go here for Open LDAP
objectclass: person
objectclass: orgEmployee
mail: LAnderson@aol.com
givenname: Larry
sn: Anderson
ou: MemberGroupA                                         - Yes it is mentioned in the dn statement but it is repeated here
st: TX
streetAddress: 14 Cherry St.
postalcode: 78888
c: US
telephoneNumber: (800)555-1212
homephone: 800-555-1313
facsimileTelephoneNumber: 800-555-1414

dn: cn=Moe Anderson,ou=MemberGroupA,o=domain-name.org
cn: Moe Anderson                                         - Required by definition of orgEmployee
objectclass: top                                         - All three objectclass statements are required
objectclass: person
objectclass: orgEmployee
mail: MAnderson@aol.com                                  - Required by definition of orgEmployee
givenname: Moe
sn: Anderson                                             - Required by definition of orgEmployee
ou: MemberGroupA
...
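An added validation example (mine, not part of the YoLinux page): it parses a constructed LDIF fragment shaped like domain-name.ldif and reports entries that lack an attribute the orgEmployee definition requires, or the "objectclass: top" line the annotations above insist on, so the file can be checked before it is loaded. Base64 ("::") values are not handled.

```python
# Constructed LDIF fragment in the style of domain-name.ldif above; the second
# entry deliberately omits "mail" and "objectclass: top".
SAMPLE_LDIF = """\
dn: cn=Larry Anderson,ou=MemberGroupA,o=domain-name.org
cn: Larry Anderson
objectclass: top
objectclass: person
objectclass: orgEmployee
mail: LAnderson@aol.com
sn: Anderson

dn: cn=Moe Anderson,ou=MemberGroupA,o=domain-name.org
cn: Moe Anderson
objectclass: person
objectclass: orgEmployee
sn: Anderson
"""

# Attributes orgEmployee requires, per the object class definition above.
REQUIRED = {"orgEmployee": {"sn", "cn", "mail", "objectclass"}}

def parse_ldif(text):
    """Parse LDIF into dicts of lowercased attribute -> list of values; a line
    starting with a space folds into the previous value."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:
            current[last][-1] += raw[1:]          # folded continuation line
        elif not raw.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        else:
            key, _, value = raw.partition(":")
            last = key.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_schema(entries, required=REQUIRED):
    """Return {dn: sorted missing items} for entries a schemacheck would reject."""
    problems = {}
    for entry in entries:
        classes = entry.get("objectclass", [])
        missing = {"objectclass: top"} if "top" not in classes else set()
        for oc in classes:
            missing |= required.get(oc, set()) - set(entry)
        if missing:
            problems[entry["dn"][0]] = sorted(missing)
    return problems
```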
The Messenger client is pre-configured to use the object schema definition for "inetOrgPerson". This is included in LDAP version 2 and is defined by the RFC 2798 as submitted by Netscape Communications. When using Open LDAP version 1 use the following definition:
objectclass inetOrgPerson
        requires
                objectClass,
                sn,
                cn,
                organizationalPerson    - Inherits the attributes defined in file slapd.oc.conf for organizationalPerson
        allows
                audio,
                businessCategory,
                carLicense,
                departmentNumber,
                employeeNumber,
                employeeType,
                givenName,
                homePhone,
                homePostalAddress,
                initials,
                jpegphoto,
                labeledURI,
                mail,
                manager,
                mobile,
                pager,
                photo,
                roomNumber,
                secretary,
                uid,
                userCertificate,
                x500uniqueIdentifier,
                preferredLanguage,
                userSMIMECertificate,
                userPKCS12
See inetOrgPerson schema for more info and example.
Use the following attribute definitions (defined in the Red Hat LDAP for RH 6.1 tutorial by Alikins):
attribute aliasedObjectName                     dn
attribute associatedname                        dn
attribute audio                                 bin
attribute dn                                    dn
attribute documentauthor                        dn
attribute facsimiletelephonenumber fax          tel
attribute homephone                             tel
attribute jpegphoto                             bin
attribute labeledurl                            ces
attribute lastmodifiedby                        dn
attribute manager                               dn
attribute member                                dn
attribute mobiletelephonenumber mobile          tel
attribute naminglink                            dn
attribute owner                                 dn
attribute pagertelephonenumber pager            tel
attribute personalsignature                     bin
attribute photo                                 bin
attribute reciprocalnaminglink                  dn
attribute ref                                   ces
attribute secretary                             dn
attribute seealso                               dn
attribute telephonenumber                       tel
attribute userpassword                          ces
OpenLDAP.org web site:
- Open LDAP home page
- LDAP Version 1.2
Other links:
- Red Hat LDAP documentation (6.2)
- LDAP On Red Hat Linux 6.1 - Alikins