OpenLDAP Everywhere

Step-by-step instructions for sharing e-mail directories, having a unified login and sharing files in a mixed environment.
Create the Directory Structure

LDAP can be seen as a tree, with foo.com at the trunk. Branches are created as organizational units (ou), as shown in Figure 2.

Figure 2. Organizational units are branches on the LDAP tree.

Each entry in the directory is uniquely identified with a distinguished name (dn). The dn for the LDAP manager looks like dn: cn=manager, dc=foo, dc=com.

The ou provides a method for grouping entries, as shown in Table 1.

Table 1. ou Method for Grouping Entries

We create the individual entries in LDIF (LDAP Interchange Format) and save them to top.ldif:

dn: dc=foo, dc=com
objectclass: dcObject
objectclass: organization
o: Foo Company
dc: foo
dn: cn=manager, dc=foo, dc=com
objectclass: organizationalRole
cn: manager
dn: ou=people, dc=foo, dc=com
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: foo.com
dn: ou=contacts, ou=people, dc=foo, dc=com
ou: contacts
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: foo.com
dn: ou=group, dc=foo, dc=com
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject

Add the top-level entries to the directory with ldapadd:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f top.ldif
Then, test your work with ldapsearch to retrieve all entries:
ldapsearch -x -b 'dc=foo,dc=com'

Share E-Mail Contacts

At this point, we have enough structure in LDAP to put it to real use. We'll start by sharing our e-mail contacts, which also should be in LDIF.

To simplify the process, you may be able to export your e-mail address book in LDIF. For example, in Mozilla 1.0, you can export in LDIF from the Tools menu on the address book window. Microsoft Outlook Express also allows exporting the address book in LDIF. You will need to process the resulting file so it looks like our contacts example below; I suggest using Perl for the task.

Contacts are uniquely identified by their e-mail addresses. Here is the dn for a sample contact:

dn: uid=someone@somewhere.com,ou=contacts,
    ou=people, dc=foo,dc=com

With all of the attributes, the full entry for a contact looks like:

dn: uid=someone@somewhere.com,ou=contacts,
    ou=people, dc=foo,dc=com
cn: Someone Youknow
mail:
uid:
givenname: Someone
sn: Youknow
objectclass: person
objectClass: top
objectClass: inetOrgPerson
Separate each contact entry with a blank line, and save it to a file called contacts.ldif. Then you can add the contacts to the directory with ldapadd:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f contacts.ldif
Once again, test your work with an ldapsearch that retrieves all entries:
ldapsearch -x -b 'dc=foo,dc=com'

Configure E-Mail Clients

Now it's time to configure Mozilla to use the new LDAP server (see Figure 3).

Figure 3. Directory Server Properties Dialog Box in Mozilla

From the Edit menu in the Mozilla Mail and News window, select Mail & Newsgroup Account Setting. In the Addressing tab, select Use a different LDAP server, then select Edit Directories and then Add. Fill in the Directory Server Properties dialog with:

Name: FOO
Server: ldapserver.foo.com
base DN: ou=people,dc=foo,dc=com

Next, tell Mozilla to look up addresses in your directory. Under Addressing in the Mail and Newsgroups preferences, select Address Autocompletion and fill in FOO for Directory Server.

Test your settings by composing a message to one of your contacts in your LDAP directory. The address should autocomplete as you type. Another test is to search the LDAP directory from within the Mozilla Mail Address Book. A search for Name or E-mail that contains * should return all of the contact entries. Similarly, you can also configure Microsoft Outlook Express to use the LDAP directory.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

If i want to use fstab to

Anonymous's picture

If i want to use fstab to mount homeDirectory. what i must do ?

(HOST ldapserver.foo.com
BASE dc=foo,dc=com)

automount using LDAP

sergeyK's picture

Hello guys,

It seems that RedHat automount uses cn property to identify username. Is there any way to change it to uid as authentication does?

Thank you in advance!

/SergeyK

Woo, using Perl for crypt and salting... WHY?

gfolkert's picture

perl -e "print crypt('passwd','salt_string',);"

Why would one do this, when slappasswd is available? It comes with openldap.

# slappasswd -h
slappasswd: option requires an argument -- h
Usage: slappasswd [options]
-h hash password scheme
-s secret new password
-c format crypt(3) salt format
-u generate RFC2307 values (default)
-v increase verbosity
-T file read file for new password

By default it uses SSHA. Easier and less prone to error.
--
greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets used at the local large parking lot.

--
greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little mod

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix