This section provides a quick overview for installing and configuring
an OpenLDAP directory. For more details, refer to the following URLs:
1. Install the openldap, openldap-servers, and openldap-clients RPMs.

2. Edit the /etc/openldap/slapd.conf file to specify the LDAP domain and
   server. Refer to Section 13.6.1 Editing /etc/openldap/slapd.conf for
   more information.

3. Start slapd with the command:

4. After configuring LDAP, use chkconfig, ntsysv, or the Services
   Configuration Tool to configure LDAP to start at boot time. For more
   information about configuring services, refer to the chapter titled
   Controlling Access to Services in the Red Hat Enterprise Linux System
   Administration Guide.

5. Add entries to an LDAP directory with ldapadd.

6. Use ldapsearch to determine if slapd is accessing the information
   correctly.
At this point, the LDAP directory should be functioning properly
and can be configured with LDAP-enabled applications.
To use the slapd LDAP server, modify its
configuration file, /etc/openldap/slapd.conf, to
specify the correct domain and server.
The suffix line names the domain for which the LDAP server provides
information and should be changed from:

    suffix "dc=your-domain,dc=com"

so that it reflects a fully qualified domain name. For example:

    suffix "dc=example,dc=com"
The rootdn entry is the
Distinguished Name (DN)
for a user who is unrestricted by access controls or administrative
limit parameters set for operations on the LDAP directory. The
rootdn user can be thought of as the
root user for the LDAP directory. In the configuration file, change
the rootdn line from its default
value as in the following example:
    rootdn "cn=root,dc=example,dc=com"
When populating an LDAP directory over a network, change the
rootpw line, replacing the default value with a hashed password string.
The value is a hash, not an encrypted password: the {SSHA} scheme in the
example below is salted SHA-1, and a cleartext password should never be
placed in this file. To create the hashed password string, type the
following command:
When prompted, type and then re-type a password. The program
prints the resulting hashed password string to the shell prompt.
Next, copy the newly created hash into
/etc/openldap/slapd.conf on one of the
rootpw lines and remove the leading comment character
(#).
When finished, the line should look similar to the following example:

    rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
Warning: Passwords used to bind to the directory, including the rootdn
password set by the rootpw directive in /etc/openldap/slapd.conf, are
sent over the network in cleartext when a simple bind is used without
TLS encryption. To enable TLS encryption, review the comments in
/etc/openldap/slapd.conf and refer to the man page for slapd.conf.
For added security, the rootpw directive should be commented out after
populating the LDAP directory by preceding it with a hash mark (#), so
that the password no longer sits in the configuration file and can no
longer be used to bind as the rootdn.
When using the /usr/sbin/slapadd command line tool locally to populate
the LDAP directory, the rootpw directive is not necessary: slapadd
writes to the database files directly and does not bind to slapd at all.
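The script below is an added example for this page, not code from the Red Hat guide or from OpenLDAP; it checks a slapd.conf for the settings discussed above (a placeholder suffix, a missing rootdn, an active or cleartext rootpw, and a configuration file readable by everyone) before slapd is started. Both configuration files it writes are constructed for the example; the {SSHA} value in them is the sample hash shown above, reused only as a stand-in for whatever slappasswd produces on a real system.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide or OpenLDAP): audit the
# security-relevant directives in a slapd.conf before starting slapd.
# The two configuration files and the hash in them are constructed.

# A constructed slapd.conf that mirrors a half-finished edit: suffix and
# rootdn were changed, but rootpw is still cleartext and the file is
# readable by every local user.
write_weak_conf() {
    cat > "$1" <<'EOF'
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
rootpw          secret
# rootpw        {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
directory       /var/lib/ldap
EOF
    chmod 644 "$1"
}

# The same file after the fixes the guide describes: the rootpw is a hash,
# it is commented out now that the directory is populated, and the file is
# readable only by its owner and group (intended to be root:ldap).
write_fixed_conf() {
    cat > "$1" <<'EOF'
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
# rootpw        {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
directory       /var/lib/ldap
EOF
    chmod 640 "$1"
}

# audit_slapd_conf FILE
# Prints one finding per line; prints nothing when the file is clean.
audit_slapd_conf() {
    conf=$1
    # Drop comment lines so a commented-out rootpw does not count as active.
    active=$(grep -v '^[[:blank:]]*#' "$conf" || true)

    if printf '%s\n' "$active" | grep -q '^suffix[[:blank:]]*"dc=your-domain,dc=com"'; then
        echo "suffix: still the placeholder dc=your-domain,dc=com"
    fi

    if ! printf '%s\n' "$active" | grep -q '^rootdn[[:blank:]]'; then
        echo "rootdn: not set; there is no administrative DN to bind as"
    fi

    rootpw_lines=$(printf '%s\n' "$active" | grep '^rootpw[[:blank:]]' || true)
    if [ -n "$rootpw_lines" ]; then
        echo "rootpw: active; comment it out after populating the directory"
        # A hashed value starts with a scheme tag such as {SSHA}; anything
        # else is a cleartext password sitting in the configuration file.
        if ! printf '%s\n' "$rootpw_lines" | grep -q '^rootpw[[:blank:]]*{[A-Za-z0-9]*}'; then
            echo "rootpw: cleartext value; replace it with a slappasswd hash"
        fi
    fi

    # slapd.conf carries rootpw, so it must not be world-readable.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "permissions: $conf is world-readable; use mode 0640 owned by root:ldap"
    fi
}

# finding_count FILE -> number of findings as a plain integer on stdout
finding_count() {
    audit_slapd_conf "$1" | grep -c . || true
}
```

On a real host, source the script and run `audit_slapd_conf /etc/openldap/slapd.conf` as root (the file is not readable by other users once its mode is correct). The weak sample produces three findings; the fixed sample produces none. The checks only read the file, so they are safe to run while slapd is up.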
Important: Only the root user can use /usr/sbin/slapadd. However, the
directory server runs as the ldap user. Therefore, the directory server
is unable to modify any files created by slapadd. To correct this issue,
after using slapadd, type the following command:

    chown -R ldap /var/lib/ldap

Run slapadd only while slapd is stopped: it writes to the database files
directly, and the slapadd man page requires that slapd not be running
(at least not in read-write mode) to keep the database consistent.