5.1. Creating a Database online
The OpenLDAP software package comes with an utility called ldapadd, used to add
entries while the LDAP server is running. If you choose to create the Database online, you can
use the ldapadd tool to add entries (you can also use other clients provided outside the OpenLDAP
package to add entries, like the Ldap Browser).
After adding the first entries, you can still use ldapadd to add more entries. You should be sure
to set the following configuration options on your sladp.conf file before starting slapd:
As described in the Section 3.4, this option says what
entries are to be held by this database. You should set this to the DN of the root of the
subtree you are trying to create. For example:
You should be sure to specify a directory where the index files should be
created:
directory /usr/local/tudelft |
You need to create this directory with appropriate permissions so that slapd can
write to it.
You need to configure slapd so that you can connect to it as a directory user with
permission to add entries. You can configure the directory to support a special super-user
or root user just for this purpose. This is done through the following two options in the
database definition:
rootdn <dn>
rootpw <passwd> /* Remember to use a SHA password here !!! */
|
These options specify a DN and password that can be used to authenticate as the
"superuser" entry of the database (i.e., the entry allowed to do anything).
The DN and password specified here will always work, regardless of whether the
entry named actually exists or has the password given. This solves the chicken-and-egg
problem of how to authenticate and add entries before any entries yet exist.
Slapd natively understands if you use a SHA-1 encrypted
password on the rootpw directive. I use a Java class that generates SHA-1 passwords, but it's
possible to use the command slappasswd to generate the passwords:
rootpw "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=" |
For example:
rootdn "cn=Manager,dc=example,dc=com"
rootpw "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=" |
The default output for slappasswd is to generate Secure Hash passwords {SSHA}, in this
case you don't need to pass the -h parameter, just call slappasswd directly.
If you are using SASL as a mechanism to authenticate against LDAP, the rootpw
line may be discarded. Take a look on the Section 3.4 and on the Section 6.2 for more details.
Finally, you should make sure that the database definition contains the index
definitions you want:
index {<attrlist> | default} [pres,eq,sub,none] |
For example, to index the cn, sn, uid and objectclass attributes, the following
index configuration lines could be used.
index cn,sn,uid pres,eq,sub
index objectClass pres,eq
|
Note: Note that not all index types are available with all attribute types.
Take a look on the Section 3.6 for examples.
Once you have configured things to your liking, start up slapd, connect with
your LDAP client, and start adding entries. For example, to add the TUDelft
entry followed by a Postmaster entry using the ldapadd tool, you could create
a file called /tmp/newentry with the contents:
o=TUDelft, c=NL
objectClass=organization
description=Technical University of Delft Netherlands
cn=Postmaster, o=TUDelft, c=NL
objectClass=organizationalRole
cn=Postmaster
description= TUDelft postmaster - [email protected] |
and then use a command like this to actually create the entry:
ldapadd -f /tmp/newentry -x -D "cn=Manager, o=TUDelft, c=NL" -w secret |
The above command assumes that you have set rootdn to
"cn=Manager, o=TUDelft, c=NL" and rootpw to "secret" (maybe SHA-1 encrypted in slapd.conf).
If you don't want to type the password on the command line, use the -W option for the
ldapadd command instead of -w "password". You will be prompted to enter the password:
ldapadd -f /tmp/newentry -x -D "cn=Manager, o=TUDelft, c=NL" -W
Enter LDAP Password: |