OpenLDAP Files

OpenLDAP configuration files are installed into the /etc/openldap directory. If you do an ls on /etc/openldap, you will see something like:

ldap.conf        ldapsearchprefs.conf  schema
ldapfilter.conf  ldaptemplates.conf    slapd.conf

Edit /etc/openldap/slapd.conf

The slapd.conf file, located in /etc/openldap, contains the configuration information needed by your slapd LDAP server. You will need to edit this file to make it specific to your domain and server.

The suffix line names the domain for which the LDAP server will provide information. The suffix line should be changed from:

suffix          "dc=your-domain, dc=com"

so that it reflects your domain name. For example:

suffix          "dc=acmewidgets, dc=com"

or

suffix          "dc=acmeuniversity, dc=edu"

The rootdn entry is the DN for a user who is unrestricted by the access control or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. The rootdn line needs to be changed from:

rootdn          "cn=root, dc=your-domain, dc=com"

to something like:

rootdn          "cn=root, dc=redhat, dc=com"

or

rootdn          "cn=ldapmanager, dc=my_organization, dc=org"

Change the rootpw line from:

rootpw          secret

to something like

rootpw          {crypt}s4L9sOIJo4kBM

In the above example, you are using an encrypted root password, which is a much better idea than leaving a plain text root password in the slapd.conf file. To make this crypt string, you can use Perl:

perl -e "print crypt('passwd','a_salt_string');"

In the previous Perl line, salt_string is a two character salt, and passwd is the plain text version of the password.

You could also copy a passwd entry out of /etc/passwd, but this won't work if the passwd entry is an MD5 password (the default in Red Hat Linux 7.1).

The schema Directory

New to OpenLDAP version 2, the schema directory holds the various LDAP definitions, previously located in the slapd.at.conf and slapd.oc.conf files. All attribute syntax definitions and objectclass definitions are now located in the different schema files. The various schema files are referenced in /etc/openldap/slapd.conf using include lines, as shown in this example:

include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/rfc822-MailMember.schema
include		/etc/openldap/schema/autofs.schema
include		/etc/openldap/schema/kerberosobject.schema

CautionCaution
 

You should not modify any of the schema items defined in the schema files installed by OpenLDAP.

You can extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. To do this, create a local.schema file in the /etc/openldap/schema directory. Reference this new schema within slapd.conf by adding the following line below your default include schema lines:

include		/etc/openldap/schema/local.schema

Next, go about defining your new attribute types and object classes within the local.schema file. Many organizations use existing attribute types and object classes from the schema files installed by default and modify them for use in the local.schema file. This can help you to learn the schema syntax while meeting the immediate needs of your organization.

Extending schemas to match certain specialized requirements is quite involved and beyond the scope of this chapter. Visit http://www.openldap.org/doc/admin/schema.html for information on writing new schema files.