Initialize a New LDAP Directory using OpenLDAP on CentOS 5
by Jeff Hunter, Sr. Database Administrator
After installing a new LDAP directory using the OpenLDAP Software, it doesn't contain any data. The directory starts out completely empty, without even a root structure present. Initializing the directory with a root record and other supporting directory sub-structures (i.e., sub-directories) is required before you can add any user data, and that is the subject of this document.
To learn more on how to install and configure OpenLDAP Software on the Linux platform, refer to the following guides:
This section provides instructions on how to initialize a new LDAP directory by creating a root record and adding organization, organizationalUnit, and organizationalRole sub-directories. I'll discuss each record individually and then wrap them into a single LDIF file that will be loaded into the directory.
Let's look at the record that will be created for the root of the new directory.
This record defines the root of the LDAP directory for an organization (i.e., iDevelopment.info). The DN in the above example is just the root DN. The required attributes for the specified object classes (dc and o) are included. Notice in the description attribute how a line can be continued by starting the next line with a single space or tab character. After this record is added, you will have a root directory to work within.
Next, we need to create the sub-directories that will hold users, groups, and hosts.
This will create the three sub-directories mentioned previously. The root directory was an objectClass organization, and each sub-directory is an organizationalUnit objectClass.
Lastly, add a record for the rootdn using the organizationalRole objectClass.
Using the above-mentioned records, create an LDIF file named ldap-init.ldif that will be loaded into the new LDAP directory.
From the LDAP server or from another machine configured with the LDAP client utilities, initialize the LDAP database by running ldapadd using the LDIF initialization file to import the entries.
When prompted for credentials, enter the password you specified when setting rootpw for the rootdn user during the initial LDAP configuration.
When running this example, if you see "additional info: objectclass: value #0 invalid per syntax", it is likely that there are trailing spaces in the LDIF file. This warning can be ignored. The LDIF format is very sensitive to whitespace. Make sure there is no trailing whitespace.
After initializing the LDAP directory database, verify the new entries by using the ldapsearch client utility. Although the directory contains no user data yet, we can attempt to bind as cn=Manager,dc=idevelopment,dc=info and view the directory structure.
Notice when running ldapsearch in the previous example that I didn't need to specify the host for the LDAP server using -h or a starting point (searchbase) using the -b command-line parameter. This is because the machine I ran the example from was configured with system-wide defaults in the /etc/openldap/ldap.conf file to specify the LDAP server URI and BASE:
Had the machine not been configured with system-wide defaults in /etc/openldap/ldap.conf, I would have needed to specify the LDAP host and searchbase as command-line parameters to the ldapsearch command as follows:
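As an added example (not from the original article) that pulls the steps above together: it writes the ldap-init.ldif records for dc=idevelopment,dc=info, refuses to load the file if any line ends in whitespace (the cause of the "invalid per syntax" error mentioned above), then loads it with ldapadd as the rootdn and lists the resulting DNs with ldapsearch. The o and description values and the LDAP_HOST default are assumptions; base and rootdn come from the article.

```shell
# Added example, not from the article.  Assumed: base dc=idevelopment,dc=info
# and rootdn cn=Manager (both from the article); LDAP_HOST defaults to
# localhost; the o and description values are constructed for this example.
LDAP_BASE="dc=idevelopment,dc=info"
ROOT_DN="cn=Manager,$LDAP_BASE"
LDAP_HOST="${LDAP_HOST:-localhost}"
# Write the root, organizationalUnit and organizationalRole records.
# A line beginning with a single space continues the previous value.
write_init_ldif() {
    cat > "$1" <<EOF
dn: $LDAP_BASE
objectClass: dcObject
objectClass: organization
dc: idevelopment
o: iDevelopment.info
description: Root of the iDevelopment.info directory,
  folded onto a second line

dn: ou=users,$LDAP_BASE
objectClass: organizationalUnit
ou: users

dn: ou=groups,$LDAP_BASE
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,$LDAP_BASE
objectClass: organizationalUnit
ou: hosts

dn: $ROOT_DN
objectClass: organizationalRole
cn: Manager
description: Directory Manager (rootdn)
EOF
}
# Return 0 when no line ends in whitespace; otherwise list the offending
# lines (with numbers) and return 1, since ldapadd rejects such a file.
check_trailing_ws() { ! grep -n '[[:space:]]$' "$1"; }
# Load as the rootdn (-x simple bind, -W prompts for rootpw), then list
# the DNs; -h and -b are only needed without URI/BASE in ldap.conf.
load_init_ldif() { ldapadd -x -h "$LDAP_HOST" -D "$ROOT_DN" -W -f "$1"; }
verify_init() { ldapsearch -x -h "$LDAP_HOST" -D "$ROOT_DN" -W -b "$LDAP_BASE" dn; }
# Usage: sh ldap-init.sh run
if [ "${1:-}" = "run" ]; then
    write_init_ldif ldap-init.ldif
    check_trailing_ws ldap-init.ldif && load_init_ldif ldap-init.ldif && verify_init
fi
```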
Jeffrey Hunter is an Oracle Certified Professional, Java Development Certified Professional, Author, and an Oracle ACE. Jeff currently works as a Senior Database Administrator for The DBA Zone, Inc. located in Pittsburgh, Pennsylvania. His work includes advanced performance tuning, Java and PL/SQL programming, developing high availability solutions, capacity planning, database security, and physical / logical database design in a UNIX / Linux server environment. Jeff's other interests include mathematical encryption theory, tutoring advanced mathematics, programming language processors (compilers and interpreters) in Java and C, LDAP, writing web-based database administration tools, and of course Linux. He has been a Sr. Database Administrator and Software Engineer for over 20 years and maintains his own website at: http://www.iDevelopment.info. Jeff graduated from Stanislaus State University in Turlock, California, with a Bachelor's degree in Computer Science and Mathematics.
Copyright (c) 1998-2017 Jeffrey M. Hunter. All rights reserved.
All articles, scripts and material located at the Internet address of http://www.idevelopment.info is the copyright of Jeffrey M. Hunter and is protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at email@example.com.
I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.
Last modified on Tuesday, 04-Sep-2012 00:30:04 EDT