LDAP Resources



Initialize a New LDAP Directory using OpenLDAP on CentOS 5

by Jeff Hunter, Sr. Database Administrator

Introduction

After installing a new LDAP directory using the OpenLDAP Software, it contains no data: the directory starts out completely empty, without even a root entry present. Before you can add any user data, the directory must be initialized with a root record and the supporting sub-structures (i.e., sub-directories) beneath it, and that is the subject of this document.

To learn more on how to install and configure OpenLDAP Software on the Linux platform, refer to the following guides:

Initialize LDAP Directory

This section provides instructions on how to initialize a new LDAP directory by creating a root record and adding organization, organizationalUnit, and organizationalRole sub-directories. I'll discuss each record individually and then wrap them into a single LDIF file that will be loaded into the directory.

Root Record for New Directory

Let's look at the record that will be created for the root of the new directory.


dn: dc=idevelopment,dc=info
dc: idevelopment
o: iDevelopment.info LDAP Server
description: Root entry for iDevelopment.info. iDevelopment.info is a public
 website that provides a professional forum to exchange information, ideas,
 and expertise on advanced topics in the IT and scientific fields. The
 audience for iDevelopment.info includes Database Administrators, System
 Administrators, Developers, Computer Scientists, Software Engineers, and
 Mathematicians.
objectClass: top
objectclass: dcObject
objectclass: organization

This record defines the root of the LDAP directory for an organization (i.e., iDevelopment.info). The DN in the above example is the root DN of the directory. The required attributes for the specified object classes (dc and o) are included. Notice in the description attribute how a line can be continued by starting the next line with a single space or tab character. After this record is added, you will have a root directory to work within.

Organizational Units

Next, we need to create the sub-directories we plan to put users, groups, and hosts in.


dn: ou=People,dc=idevelopment,dc=info
ou: People
description: All people in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=idevelopment,dc=info
ou: Group
description: All groups in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

dn: ou=Hosts,dc=idevelopment,dc=info
ou: Hosts
description: All hosts in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

This will create the three sub-directories mentioned previously. The root entry used the organization objectClass, and each sub-directory uses the organizationalUnit objectClass.

Organizational Roles

Lastly, add a record for the rootdn using the organizationalRole objectClass.


dn: cn=Manager,dc=idevelopment,dc=info
cn: Manager
description: Rootdn
objectclass: organizationalRole

Initiate LDAP Directory Database

Using the records described above, create an LDIF file named ldap-init.ldif that will be loaded into the new LDAP directory.


# vi ldap-init.ldif

## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace idevelopment and info as necessary below
## or for experimentation, leave as is
## dcObject is an AUXILIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
dn: dc=idevelopment,dc=info
dc: idevelopment
o: iDevelopment.info LDAP Server
description: Root entry for iDevelopment.info. iDevelopment.info is a public
 website that provides a professional forum to exchange information, ideas,
 and expertise on advanced topics in the IT and scientific fields. The
 audience for iDevelopment.info includes Database Administrators, System
 Administrators, Developers, Computer Scientists, Software Engineers, and
 Mathematicians.
objectClass: top
objectclass: dcObject
objectclass: organization

## FIRST Level hierarchy - People
dn: ou=People,dc=idevelopment,dc=info
ou: People
description: All people in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

## FIRST Level hierarchy - Group
dn: ou=Group,dc=idevelopment,dc=info
ou: Group
description: All groups in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

## FIRST Level hierarchy - Hosts
dn: ou=Hosts,dc=idevelopment,dc=info
ou: Hosts
description: All hosts in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

## FIRST Level hierarchy - Manager
dn: cn=Manager,dc=idevelopment,dc=info
cn: Manager
description: Rootdn
objectclass: organizationalRole

From the LDAP server or from another machine configured with the LDAP client utilities, initialize the LDAP database by running ldapadd using the LDIF initialization file to import the entries.


# ldapadd -x -W -D "cn=Manager,dc=idevelopment,dc=info" -f ldap-init.ldif
Enter LDAP Password: xxxx
adding new entry "dc=idevelopment,dc=info"
adding new entry "ou=People,dc=idevelopment,dc=info"
adding new entry "ou=Group,dc=idevelopment,dc=info"
adding new entry "ou=Hosts,dc=idevelopment,dc=info"
adding new entry "cn=Manager,dc=idevelopment,dc=info"

When prompted for credentials, enter the password you specified when setting rootpw for the rootdn user during the initial LDAP configuration.

When running this example, if you see "additional info: objectclass: value #0 invalid per syntax", there are most likely trailing spaces in the LDIF file. This warning can be ignored, but the LDIF format is very sensitive to white space, so make sure there are no trailing white spaces in the file.
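The LDIF rules the article relies on (the RFC 2377 domain-to-dc mapping in the file's comments, the single-space continuation line in the description attribute, and the trailing-whitespace failure above) can be exercised offline. The following Python script is an added example, not the article's own code; it builds the same five entries as ldap-init.ldif from a domain name, folds long values the way ldapsearch does, lints the result for trailing whitespace before it is handed to ldapadd, and parses it back for checking. The description text and the ou names are constructed from the article's entries; the function names are this example's own.

```python
"""Build and lint an OpenLDAP initialization LDIF (added example, not the
article's code; nothing here talks to a server). domain_to_base_dn() does the
"RFC 2377" domain -> dc= mapping the article's comments mention, fold()/unfold()
implement the one-leading-space continuation rule the article points out,
lint_ldif() flags the trailing whitespace behind ldapadd's "invalid per syntax"
error, and parse_ldif() reads the file back so it can be checked offline."""

LDIF_LINE_WIDTH = 76  # the width ldapsearch wraps at; any width is legal

# Sample values constructed from the article's entries.
ROOT_DESCRIPTION = (
    "Root entry for iDevelopment.info. iDevelopment.info is a public website "
    "that provides a professional forum to exchange information, ideas, and "
    "expertise on advanced topics in the IT and scientific fields. The audience "
    "for iDevelopment.info includes Database Administrators, System "
    "Administrators, Developers, Computer Scientists, Software Engineers, and "
    "Mathematicians."
)
DEFAULT_OUS = {"People": "All people in", "Group": "All groups in",
               "Hosts": "All hosts in"}

def domain_to_base_dn(domain):
    """idevelopment.info -> dc=idevelopment,dc=info (one dc= per DNS label)."""
    labels = [lab for lab in domain.strip().lower().split(".") if lab]
    if not labels:
        raise ValueError("domain has no labels")
    return ",".join("dc=" + lab for lab in labels)

def fold(line, width=LDIF_LINE_WIDTH):
    """Split a logical line into physical lines; continuations start with one
    space. A cut never leaves a space at a line end, so folding cannot create
    the trailing whitespace that lint_ldif() rejects."""
    parts, rest, limit = [], line, width
    while len(rest) > limit:
        cut = limit
        while cut > 1 and rest[cut - 1] == " ":
            cut -= 1
        parts.append(rest[:cut])
        rest, limit = rest[cut:], width - 1  # one column goes to the leading space
    parts.append(rest)
    return "\n".join(parts[:1] + [" " + p for p in parts[1:]])

def unfold(text):
    """Reverse of fold(): join each continuation line onto the line before it."""
    logical = []
    for line in text.split("\n"):
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical

def entry(dn, attrs):  # attrs is a list of (name, value) pairs so order is kept
    return "\n".join(["dn: " + dn] + [fold(f"{n}: {v}") for n, v in attrs])

def build_init_ldif(domain, org, description, ous=DEFAULT_OUS, rootdn_cn="Manager"):
    """The root, organizationalUnit and organizationalRole entries of ldap-init.ldif."""
    base = domain_to_base_dn(domain)
    entries = [entry(base, [
        ("dc", domain.strip().lower().split(".")[0]), ("o", org),
        ("description", description), ("objectClass", "top"),
        ("objectClass", "dcObject"), ("objectClass", "organization")])]
    for ou, what in ous.items():
        entries.append(entry(f"ou={ou},{base}", [
            ("ou", ou), ("description", f"{what} {domain}"),
            ("objectClass", "top"), ("objectClass", "organizationalUnit")]))
    entries.append(entry(f"cn={rootdn_cn},{base}", [
        ("cn", rootdn_cn), ("description", "Rootdn"),
        ("objectClass", "organizationalRole")]))
    return "\n\n".join(entries) + "\n"

def lint_ldif(text):
    """Return [(line_no, problem)] for the whitespace mistakes ldapadd rejects."""
    problems, prev_blank = [], True
    for n, line in enumerate(text.split("\n"), 1):
        if line != line.rstrip(" \t\r"):
            problems.append((n, "trailing whitespace"))
        if line.startswith(" ") and prev_blank:
            problems.append((n, "continuation line with nothing to continue"))
        prev_blank = line.strip() == ""
    return problems

def parse_ldif(text):
    """Entries as dicts: 'dn' -> str, other (lower-cased) attributes -> [values].
    Handles plain 'attr: value' lines only, not the 'attr:: base64' form."""
    entries, cur = [], None
    for logical in unfold(text):
        if not logical.strip():
            if cur:
                entries.append(cur)
            cur = None
        elif not logical.startswith("#"):
            name, _, value = logical.partition(":")
            value = value.lstrip(" ")
            if name.lower() == "dn":
                cur = {"dn": value}
            elif cur is None:
                raise ValueError(f"attribute before any dn: {logical!r}")
            else:
                cur.setdefault(name.lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries

if __name__ == "__main__":
    ldif = build_init_ldif("idevelopment.info", "iDevelopment.info LDAP Server", ROOT_DESCRIPTION)
    print(ldif, "lint:", lint_ldif(ldif) or "clean")
```

Run it with no arguments and it prints the generated file followed by the lint result; the output is what you would save as ldap-init.ldif and pass to ldapadd -f. The linter's trailing-whitespace check is the one that matters for the error quoted above: a stray space after "organization" turns the value into "organization " and slapd rejects it. Because ldapadd -x -W is a simple bind, point it at an ldaps:// URI or add -Z (StartTLS) so the rootdn password is not sent in the clear.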

Verify Entries

After initializing the LDAP directory database, verify the new entries by using the ldapsearch client utility. Although there is still no user data yet in the directory, we can attempt to bind as cn=Manager,dc=idevelopment,dc=info and view the directory structure.


# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# idevelopment.info
dn: dc=idevelopment,dc=info
dc: idevelopment
o: iDevelopment.info LDAP Server
description: Root entry for iDevelopment.info. iDevelopment.info is a public w
 ebsite that provides a professional forum to exchange information, ideas, and
 expertise on advanced topics in the IT and scientific fields. The audience f
 or iDevelopment.info includes Database Administrators, System Administrators,
 Developers, Computer Scientists, Software Engineers, and Mathematicians.
objectClass: top
objectClass: dcObject
objectClass: organization

# People, idevelopment.info
dn: ou=People,dc=idevelopment,dc=info
ou: People
description: All people in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

# Group, idevelopment.info
dn: ou=Group,dc=idevelopment,dc=info
ou: Group
description: All groups in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

# Hosts, idevelopment.info
dn: ou=Hosts,dc=idevelopment,dc=info
ou: Hosts
description: All hosts in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

# Manager, idevelopment.info
dn: cn=Manager,dc=idevelopment,dc=info
cn: Manager
description: Rootdn
objectClass: organizationalRole

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

Notice that when running ldapsearch in the previous example I did not need to specify the LDAP server host using -h or a starting point (searchbase) using the -b command-line parameter. This is because the machine I ran the example from was configured with system-wide defaults in the /etc/openldap/ldap.conf file that specify the LDAP server URI and BASE:


# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

URI ldap://ldapsrv.idevelopment.info/
BASE dc=idevelopment,dc=info
TLS_CACERTDIR /etc/openldap/cacerts

Had the machine not been configured with system-wide defaults in /etc/openldap/ldap.conf, I would have needed to specify the LDAP host and searchbase as command-line parameters to the ldapsearch command as follows:


# ldapsearch -x -h ldapsrv.idevelopment.info -b "dc=idevelopment,dc=info"

About the Author

Jeffrey Hunter is an Oracle Certified Professional, Java Development Certified Professional, Author, and an Oracle ACE. Jeff currently works as a Senior Database Administrator for The DBA Zone, Inc. located in Pittsburgh, Pennsylvania. His work includes advanced performance tuning, Java and PL/SQL programming, developing high availability solutions, capacity planning, database security, and physical / logical database design in a UNIX / Linux server environment. Jeff's other interests include mathematical encryption theory, tutoring advanced mathematics, programming language processors (compilers and interpreters) in Java and C, LDAP, writing web-based database administration tools, and of course Linux. He has been a Sr. Database Administrator and Software Engineer for over 20 years and maintains his own website site at: http://www.iDevelopment.info. Jeff graduated from Stanislaus State University in Turlock, California, with a Bachelor's degree in Computer Science and Mathematics.



Copyright (c) 1998-2017 Jeffrey M. Hunter. All rights reserved.

All articles, scripts and material located at the Internet address of http://www.idevelopment.info is the copyright of Jeffrey M. Hunter and is protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at jhunter@idevelopment.info.

I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.

Last modified on Tuesday, 04-Sep-2012 00:30:04 EDT