Red Hat Linux 8.0: The Official Red Hat Linux Reference Guide
Chapter 18. Lightweight Directory Access Protocol (LDAP)
OpenLDAP configuration files are installed into the /etc/openldap/ directory. The following is a brief list highlighting the most important directories and files:
/etc/openldap/schema/ directory — This subdirectory contains the schema used by the slapd daemon. See the Section called The /etc/openldap/schema/ Directory for more information about this directory.
/etc/openldap/ldap.conf — This is the configuration file for all client applications which use the OpenLDAP libraries. These include, but are not limited to, Sendmail, Pine, Balsa, Evolution, and Gnome Meeting.
/etc/openldap/slapd.conf — This is the configuration file for the slapd daemon. See the Section called slapd.conf for more information about this file.
Note
If the nss_ldap package is installed, it will create a file named /etc/ldap.conf. This file is used by the PAM and NSS modules supplied by the nss_ldap package. See the Section called Configuring Your System to Authenticate Using OpenLDAP for more information about this configuration file.
In order to use the slapd LDAP server, you will need to modify its configuration file, /etc/openldap/slapd.conf. You must edit this file to make it specific to your domain and server.
The suffix line names the domain for which the LDAP server will provide information. The suffix line should be changed from:
suffix "dc=your-domain,dc=com"
so that it reflects your domain name. For example:
suffix "dc=example,dc=com"
The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value to something like the example below:
rootdn "cn=root,dc=example,dc=com"
Change the rootpw line to something like the example below:
rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
In the rootpw example, you are using an encrypted root password, which is a much better idea than leaving a plain text root password in the slapd.conf file. To make this encrypted string, type the following command:
slappasswd
You will be prompted to type and then re-type a password. The program prints the resulting encrypted password to the terminal.
Warning
LDAP passwords, including the rootpw directive specified in /etc/openldap/slapd.conf, are sent over the network in plain text unless you enable TLS encryption.
For added security, the rootpw directive should only be used if the initial configuration and population of the LDAP directory occurs over a network. After the task is completed, it is best to comment out the rootpw directive by preceding it with a pound sign (#).
Tip
If you are using the slapadd command-line tool locally to populate the LDAP directory, using the rootpw directive is not necessary.
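As an added example (not code from the Reference Guide), the following Python script shows the {SSHA} format that slappasswd prints (base64 of the SHA-1 digest of password plus salt, followed by the salt) and audits a constructed slapd.conf fragment for the mistakes this section warns about: a suffix left at the placeholder value, a rootpw stored in plain text, and a rootpw that is still active after the directory has been populated. The sample configuration and the function names ssha_hash, ssha_verify and audit_slapd_conf are assumptions made for this example.

```python
import base64, hashlib, hmac, os, re

# Constructed slapd.conf fragment (not a real file) with the two mistakes
# this section warns about: placeholder suffix and plain-text rootpw.
SAMPLE_SLAPD_CONF = """\
include /etc/openldap/schema/core.schema
suffix "dc=your-domain,dc=com"
rootdn "cn=root,dc=your-domain,dc=com"
rootpw secret
"""

def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd prints it: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # 4-byte salt; the guide's example decodes to 20 + 4 bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against an {SSHA} string (salt follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def audit_slapd_conf(text):
    """Flag a placeholder suffix, a plain-text rootpw, or a rootpw left active."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out rootpw is the recommended end state
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if directive == "suffix" and value == "dc=your-domain,dc=com":
            findings.append("suffix still uses the placeholder domain")
        elif directive == "rootpw":
            if re.match(r"^\{[A-Za-z0-9-]+\}", value):
                findings.append("rootpw is active; comment it out after initial population")
            else:
                findings.append("rootpw is plain text; replace it with slappasswd output")
    return findings
```

Running audit_slapd_conf over your own slapd.conf before starting slapd gives the same three checks the text asks you to make by hand.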
The /etc/openldap/schema/ directory holds LDAP definitions, previously located in the slapd.at.conf and slapd.oc.conf files. All attribute syntax definitions and objectclass definitions are now located in the different schema files. The various schema files are referenced in /etc/openldap/slapd.conf using include lines, as shown in this example:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/rfc822-MailMember.schema
include /etc/openldap/schema/autofs.schema
include /etc/openldap/schema/kerberosobject.schema
Caution
You should not modify any of the schema items defined in the schema files installed by OpenLDAP.
You can extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. To do this, create a local.schema file in the /etc/openldap/schema directory. Reference this new schema within slapd.conf by adding the following line below your default include schema lines:
include /etc/openldap/schema/local.schema
Next, go about defining your new attribute types and object classes within the local.schema file. Many organizations use existing attribute types and object classes from the schema files installed by default and modify them for use in the local.schema file. This can help you to learn the schema syntax while meeting the immediate needs of your organization.
Extending schema to match certain specialized requirements is quite involved and beyond the scope of this chapter. Visit http://www.openldap.org/doc/admin/schema.html for information on writing new schema files.