Initialize a New LDAP Directory using OpenLDAP on CentOS 5
by Jeff Hunter, Sr. Database Administrator
Introduction
After installing a new LDAP directory using the OpenLDAP Software, it doesn't contain any data. The directory starts out completely empty, without even a root structure present. Initializing the directory with a root record and other supporting directory sub-structures (i.e., sub-directories) is required before you can add any user data, and that is the subject of this document.
To learn more on how to install and configure OpenLDAP Software on the Linux platform, refer to the following guides:
Initialize LDAP Directory
This section provides instructions on how to initialize a new LDAP directory by creating a root record and adding organization, organizationalUnit, and organizationalRole sub-directories. I'll discuss each record individually and then wrap them into a single LDIF file that will be loaded into the directory.
Root Record for New Directory
Let's look at the record that will be created for the root of the new directory.
dn: dc=idevelopment,dc=info
dc: idevelopment
o: iDevelopment.info LDAP Server
description: Root entry for iDevelopment.info.
 iDevelopment.info is a public website that provides a professional forum to exchange
 information, ideas, and expertise on advanced topics in the IT and scientific fields.
 The audience for iDevelopment.info includes Database Administrators, System Administrators,
 Developers, Computer Scientists, Software Engineers, and Mathematicians.
objectClass: top
objectclass: dcObject
objectclass: organization
This record defines the root of the LDAP directory for an organization (i.e., iDevelopment.info). The DN in the above example is simply the root DN (the directory suffix). The required attributes for the specified object classes (dc for dcObject and o for organization) are included. Notice in the description attribute how a line can be continued by starting the next line with a single space or tab character. After this record is added, you will have a root directory to work within.
Organizational Units
Next, we need to create the sub-directories we plan to put users, groups, and hosts in.
dn: ou=People,dc=idevelopment,dc=info
ou: People
description: All people in iDevelopment.info
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=idevelopment,dc=info
ou: Group
description: All groups in iDevelopment.info
objectClass: top
objectClass: organizationalUnit
dn: ou=Hosts,dc=idevelopment,dc=info
ou: Hosts
description: All hosts in iDevelopment.info
objectClass: top
objectClass: organizationalUnit
This will create the three sub-directories mentioned previously. The root entry uses the organization objectClass, while each sub-directory uses the organizationalUnit objectClass.
Organizational Roles
Lastly, add a record for the rootdn using the organizationalRole objectClass.
dn: cn=Manager,dc=idevelopment,dc=info
cn: Manager
description: Rootdn
objectclass: organizationalRole
Initiate LDAP Directory Database
Using the above mentioned records, create an LDIF file named ldap-init.ldif that will be loaded into the new LDAP directory.
# vi ldap-init.ldif

## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace idevelopment and info as necessary below
## or for experimentation, leave as is

## dcObject is an AUXILIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)

dn: dc=idevelopment,dc=info
dc: idevelopment
o: iDevelopment.info LDAP Server
description: Root entry for iDevelopment.info.
 iDevelopment.info is a public website that provides a professional forum to exchange
 information, ideas, and expertise on advanced topics in the IT and scientific fields.
 The audience for iDevelopment.info includes Database Administrators, System Administrators,
 Developers, Computer Scientists, Software Engineers, and Mathematicians.
objectClass: top
objectclass: dcObject
objectclass: organization

## FIRST Level hierarchy - People
dn: ou=People,dc=idevelopment,dc=info
ou: People
description: All people in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

## FIRST Level hierarchy - Group
dn: ou=Group,dc=idevelopment,dc=info
ou: Group
description: All groups in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

## FIRST Level hierarchy - Hosts
dn: ou=Hosts,dc=idevelopment,dc=info
ou: Hosts
description: All hosts in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

## FIRST Level hierarchy - Manager
dn: cn=Manager,dc=idevelopment,dc=info
cn: Manager
description: Rootdn
objectclass: organizationalRole
From the LDAP server or from another machine configured with the LDAP client utilities, initialize the LDAP database by running ldapadd using the LDIF initialization file to import the entries.
# ldapadd -x -W -D "cn=Manager,dc=idevelopment,dc=info" -f ldap-init.ldif
Enter LDAP Password: xxxx
adding new entry "dc=idevelopment,dc=info"
adding new entry "ou=People,dc=idevelopment,dc=info"
adding new entry "ou=Group,dc=idevelopment,dc=info"
adding new entry "ou=Hosts,dc=idevelopment,dc=info"
adding new entry "cn=Manager,dc=idevelopment,dc=info"
When prompted for credentials, enter the password you specified when setting rootpw for the rootdn user during the initial LDAP configuration.
If you see the message "additional info: objectclass: value #0 invalid per syntax" when running this example, it is likely that there are trailing spaces in the LDIF file. This warning can be ignored. The LDIF format is very sensitive to white space, so make sure there are no trailing spaces at the end of any line.
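The white-space sensitivity described above, together with the object class requirements of the records built earlier in this document, can be checked before the file is handed to ldapadd. The following Python script is an added example; it is not part of the original article and not an OpenLDAP tool. The LDIF it reads is a constructed copy of the article's records with two deliberate defects (an ou value that does not match the RDN of the Group entry, and a trailing space in the Hosts entry), and its required-attribute table covers only the object classes this article uses.

```python
"""Pre-flight check for an LDIF initialization file (added example, not from
the original article): unfold continuation lines, flag trailing whitespace,
and verify that each entry has a STRUCTURAL object class, the attributes its
object classes require, and the attribute value named in its RDN."""
import re

# MUST attributes of the object classes used in this article (core schema).
REQUIRED_ATTRS = {
    "top": set(),
    "dcobject": {"dc"},
    "organization": {"o"},
    "organizationalunit": {"ou"},
    "organizationalrole": {"cn"},
}
# dcObject is AUXILIARY; every entry also needs one of these STRUCTURAL classes.
STRUCTURAL = {"organization", "organizationalunit", "organizationalrole"}

# Constructed sample modelled on ldap-init.ldif, with two deliberate defects.
SAMPLE_LDIF = "\n".join([
    "## DEFINE DIT ROOT/BASE/SUFFIX ####",
    "dn: dc=idevelopment,dc=info",
    "dc: idevelopment",
    "o: iDevelopment.info LDAP Server",
    "description: Root entry for iDevelopment.info.",
    " iDevelopment.info is a public website that provides a professional forum.",
    "objectClass: top",
    "objectclass: dcObject",
    "objectclass: organization",
    "",
    "dn: ou=People,dc=idevelopment,dc=info",
    "ou: People",
    "description: All people in iDevelopment.info",
    "objectClass: top",
    "objectClass: organizationalUnit",
    "",
    "dn: ou=Group,dc=idevelopment,dc=info",
    "ou: Groups",                              # defect: the RDN says ou=Group
    "objectClass: top",
    "objectClass: organizationalUnit",
    "",
    "dn: ou=Hosts,dc=idevelopment,dc=info",
    "ou: Hosts",
    "objectClass: top",
    "objectClass: organizationalUnit" + " ",   # defect: trailing space
    "",
    "dn: cn=Manager,dc=idevelopment,dc=info",
    "cn: Manager",
    "description: Rootdn",
    "objectclass: organizationalRole",
])


def unfold(lines):
    """Join LDIF continuation lines (a line starting with one space or tab)
    onto the preceding logical line, dropping that first whitespace character."""
    logical = []
    for line in lines:
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def parse_ldif(text):
    """Split blank-line separated entries; each entry maps the lowercased
    attribute name (LDAP names are case-insensitive) to a list of values.
    Simplified: comment lines are dropped, no base64 (::) values, no
    multi-valued or escaped RDNs."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        entry = {}
        for line in unfold(l for l in block.split("\n") if not l.startswith("#")):
            name, sep, value = line.partition(":")
            if sep:
                entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def lint_ldif(text):
    """Return a list of problem strings; an empty list means the file is clean."""
    problems = []
    # Physical-line checks: trailing whitespace becomes part of the attribute
    # value, which is what produces the "invalid per syntax" error above.
    for lineno, raw in enumerate(text.split("\n"), start=1):
        if raw.strip() and raw != raw.rstrip(" \t"):
            problems.append(f"line {lineno}: trailing whitespace")
        elif raw and not raw.strip():
            problems.append(f"line {lineno}: whitespace-only line")
    # Per-entry schema checks, reported by DN.
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        if not dn:
            problems.append("entry without a dn")
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes:
            problems.append(f"{dn}: no objectClass")
        elif classes.isdisjoint(STRUCTURAL):
            problems.append(f"{dn}: no STRUCTURAL objectClass")
        for cls in sorted(classes):
            for attr in sorted(REQUIRED_ATTRS.get(cls, set())):
                if attr not in entry:
                    problems.append(f"{dn}: objectClass {cls} requires attribute {attr}")
        # The naming attribute value in the RDN must be present in the entry.
        rdn_attr, _, rdn_value = dn.split(",")[0].partition("=")
        values = [v.lower() for v in entry.get(rdn_attr.strip().lower(), [])]
        if rdn_value.strip().lower() not in values:
            problems.append(f"{dn}: RDN value '{rdn_value.strip()}' not among values of "
                            f"attribute '{rdn_attr.strip()}' (naming violation)")
    return problems


if __name__ == "__main__":
    for problem in lint_ldif(SAMPLE_LDIF) or ["clean"]:
        print(problem)
```

Run as a file it prints one line per problem. The whitespace checks report physical line numbers so the offending line can be found in the editor, while the schema checks report the DN of the entry; point it at the real ldap-init.ldif by reading the file into a string and passing that to lint_ldif.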
Verify Entries
After initializing the LDAP directory database, verify the new entries by using the ldapsearch client utility. Although there is still no user data yet in the directory, we can attempt to bind as cn=Manager,dc=idevelopment,dc=info and view the directory structure.
# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# idevelopment.info
dn: dc=idevelopment,dc=info
dc: idevelopment
o: iDevelopment.info LDAP Server
description: Root entry for iDevelopment.info. iDevelopment.info is a public w
 ebsite that provides a professional forum to exchange information, ideas, and
 expertise on advanced topics in the IT and scientific fields. The audience f
 or iDevelopment.info includes Database Administrators, System Administrators,
 Developers, Computer Scientists, Software Engineers, and Mathematicians.
objectClass: top
objectClass: dcObject
objectClass: organization

# People, idevelopment.info
dn: ou=People,dc=idevelopment,dc=info
ou: People
description: All people in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

# Group, idevelopment.info
dn: ou=Group,dc=idevelopment,dc=info
ou: Group
description: All groups in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

# Hosts, idevelopment.info
dn: ou=Hosts,dc=idevelopment,dc=info
ou: Hosts
description: All hosts in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

# Manager, idevelopment.info
dn: cn=Manager,dc=idevelopment,dc=info
cn: Manager
description: Rootdn
objectClass: organizationalRole

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
Notice when running ldapsearch in the previous example that I didn't need to specify the host for the LDAP server using -h or a starting point (searchbase) using the -b command-line parameter. This is because the machine I ran the example from was configured with system-wide defaults in the /etc/openldap/ldap.conf file to specify the LDAP server URI and BASE:
# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://ldapsrv.idevelopment.info/
BASE dc=idevelopment,dc=info
TLS_CACERTDIR /etc/openldap/cacerts
Had the machine not been configured with system-wide defaults in /etc/openldap/ldap.conf, I would have needed to specify the LDAP host and searchbase as command-line parameters to the ldapsearch command as follows:
# ldapsearch -x -h ldapsrv.idevelopment.info -b "dc=idevelopment,dc=info"
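As an added example that is not part of the original article, the following Python script reads the client defaults from an ldap.conf-style file as described above, turns them into the explicit ldapsearch invocation that would be needed without them, and flags a configuration where the simple bind used throughout this document (-x -W) would travel over a plain ldap:// connection. The configuration text is a constructed copy of the article's /etc/openldap/ldap.conf; the generated command uses ldapsearch -H (URI form), which ldapsearch accepts in place of the -h host form shown above.

```python
"""Derive the explicit ldapsearch command line from ldap.conf defaults and
audit the transport those defaults imply (added example, not from the
original article)."""

# Constructed sample modelled on the article's /etc/openldap/ldap.conf.
SAMPLE_LDAP_CONF = """\
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://ldapsrv.idevelopment.info/
BASE dc=idevelopment,dc=info
TLS_CACERTDIR /etc/openldap/cacerts
"""


def parse_ldap_conf(text):
    """Return {KEYWORD: value}. Per ldap.conf(5), keywords are case-insensitive,
    lines starting with '#' are comments, and the value is the rest of the line."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def ldapsearch_argv(options, search_filter="(objectclass=*)"):
    """The invocation equivalent to a bare 'ldapsearch -x' with these defaults:
    -H supplies the server URI(s) that ldap.conf's URI line would, and -b the
    search base that its BASE line would."""
    argv = ["ldapsearch", "-x"]
    if options.get("URI"):
        argv += ["-H", options["URI"]]
    if options.get("BASE"):
        argv += ["-b", options["BASE"]]
    argv.append(search_filter)
    return argv


def audit_transport(options):
    """Warn where a simple bind (-x -W, as used for ldapadd above) would send
    the rootdn password unprotected, or the server could not be verified."""
    warnings = []
    for uri in options.get("URI", "").split():
        if uri.lower().startswith("ldap://"):
            warnings.append(f"{uri}: plain ldap://, simple bind sends the password in "
                            "cleartext unless StartTLS (-ZZ) is used; prefer ldaps://")
    if not (options.get("TLS_CACERT") or options.get("TLS_CACERTDIR")):
        warnings.append("no TLS_CACERT/TLS_CACERTDIR: the server certificate cannot be verified")
    return warnings


if __name__ == "__main__":
    opts = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print(" ".join(ldapsearch_argv(opts)))
    for warning in audit_transport(opts):
        print("WARNING:", warning)
```

The audit is the practical point: the article's ldap.conf names a plain ldap:// URI, so the ldapadd and ldapsearch binds shown earlier carry the rootdn password in the clear on the wire unless StartTLS is negotiated with -ZZ or the URI is changed to ldaps://, for which the TLS_CACERTDIR line already present is what lets the client verify the server certificate.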