OpenLDAP Everywhere

Step-by-step instructions for sharing e-mail directories, having a unified login and sharing files in a mixed environment.

Create the Directory Structure

LDAP can be seen as a tree, with at the trunk. Branches are created as organizational units (ou), as shown in Figure 2.

Figure 2. Organizational units are branches on the LDAP tree.

Each entry in the directory is uniquely identified with a distinguished name (dn). The dn for the LDAP manager looks like dn: cn=manager, dc=foo, dc=com.

The ou provides a method for grouping entries, as shown in Table 1.

Table 1. ou Method for Grouping Entries

We create the individual entries in LDIF (LDAP Data Interchange Format) and save them to top.ldif. Each entry must be separated from the next by a blank line, and the two ou entries that carry domainRelatedObject also need an associatedDomain value, which the cosine schema marks as mandatory for that class:

    dn: dc=foo, dc=com
    objectclass: dcObject
    objectclass: organization
    o: Foo Company
    dc: foo

    dn: cn=manager, dc=foo, dc=com
    objectclass: organizationalRole
    cn: manager

    dn: ou=people, dc=foo, dc=com
    ou: people
    objectclass: organizationalUnit
    objectclass: domainRelatedObject
    # associatedDomain is required by domainRelatedObject; foo.com is assumed from dc=foo
    associatedDomain: foo.com

    dn: ou=contacts, ou=people, dc=foo, dc=com
    ou: contacts
    ou: people
    objectclass: organizationalUnit
    objectclass: domainRelatedObject
    associatedDomain: foo.com

    dn: ou=group, dc=foo, dc=com
    ou: group
    objectclass: organizationalUnit
    objectclass: domainRelatedObject
    associatedDomain: foo.com

Add the top-level entries to the directory with ldapadd (-x selects a simple bind, -D binds as the manager entry and -W prompts for the manager password instead of taking it on the command line):

    ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f top.ldif

Then, test your work with ldapsearch to retrieve all entries:

    ldapsearch -x -b 'dc=foo,dc=com'

Share E-Mail Contacts

At this point, we have enough structure in LDAP to put it to real use. We'll start by sharing our e-mail contacts, which also should be in LDIF.

To simplify the process, you may be able to export your e-mail address book in LDIF. For example, in Mozilla 1.0, you can export in LDIF from the Tools menu on the address book window. Microsoft Outlook Express also allows exporting the address book in LDIF. You will need to process the resulting file so it looks like our contacts example below; I suggest using Perl for the task.

Contacts are uniquely identified by their e-mail addresses. Here is the dn for a sample contact:

    ou=people, dc=foo,dc=com

With all of the attributes, the full entry for a contact looks like:

    ou=people, dc=foo,dc=com
    cn: Someone Youknow
    givenname: Someone
    sn: Youknow
    objectclass: person
    objectClass: top
    objectClass: inetOrgPerson

Separate each contact entry with a blank line, and save it to a file called contacts.ldif. Then you can add the contacts to the directory with ldapadd:

    ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f contacts.ldif

Once again, test your work with an ldapsearch that retrieves all entries:

    ldapsearch -x -b 'dc=foo,dc=com'
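The clean-up step for an exported address book (the article suggests Perl) and the contact entry format above, as an added example in Python that is not the article's code. It reads a mail client's LDIF export, keeps cn, givenname, sn and mail, and writes one entry per contact keyed on the e-mail address. Assumptions: the RDN is mail=<address> (the sample dn on this page is truncated), the mail attribute is kept in the entry because an RDN attribute must be present, contacts go directly under ou=people,dc=foo,dc=com, and the export shown is constructed. The two parts worth doing carefully are escaping the address for use in a DN (RFC 4514) and writing attribute values back as base64 whenever they are not a safe LDIF string (RFC 2849), so that an address book received from someone else cannot smuggle extra attribute lines or a second entry into contacts.ldif.

```python
"""Added example (not the article's code): convert an address-book LDIF export
into entries shaped like the article's contacts.ldif, keyed on the e-mail
address. RDN mail=<address> and parent ou=people,dc=foo,dc=com are assumed."""
import base64
from typing import Dict, Iterator, List

# Constructed sample in the style of a mail client's LDIF export (not real data):
# entry 2 carries non-ASCII names as base64, entry 3 lacks an address,
# entry 4 has a '+' in its address and a comma in its cn.
EXPORTED_LDIF = """\
dn: cn=Someone Youknow,mail=someone@foo.com
objectclass: inetOrgPerson
givenName: Someone
sn: Youknow
cn: Someone Youknow
mail: someone@foo.com

dn: cn=Joerg Mueller,mail=jm@foo.com
objectclass: inetOrgPerson
cn:: SsO2cmcgTcO8bGxlcg==
givenName:: SsO2cmc=
sn:: TcO8bGxlcg==
mail: jm@foo.com

dn: cn=No Address
cn: No Address
sn: Address

dn: cn=Tricky,mail=tricky+jr@foo.com
objectclass: inetOrgPerson
cn: Tricky, Jr.
givenName: Tricky
sn: Jr.
mail: tricky+jr@foo.com
"""

def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, skips comments and yields one attribute->values dict per entry."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:       # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in logical + [""]:                   # sentinel flushes the last entry
        if line == "":
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        entry.setdefault(attr.strip().lower(), []).append(value)

def escape_rdn_value(value: str) -> str:
    """Escape a value for use inside a DN (RFC 4514): backslash the special
    characters, a leading space or '#', and a trailing space."""
    last = len(value) - 1
    return "".join(
        "\\" + ch if ch in ',+"\\<>;' or (i == 0 and ch in " #")
        or (i == last and ch == " ") else ch
        for i, ch in enumerate(value))

def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or 'attr:: base64' when the value is not a safe LDIF
    string (RFC 2849). The base64 form is what stops a crafted value from
    smuggling extra attribute lines or a second entry into contacts.ldif."""
    if value[:1] not in (" ", ":", "<") and all(
            ord(c) < 128 and c not in "\r\n\0" for c in value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def to_contact_entries(exported: str,
                       parent_dn: str = "ou=people,dc=foo,dc=com") -> List[str]:
    """One LDIF entry string per exported contact that has an e-mail address
    plus the cn and sn that the person object class requires."""
    entries = []
    for c in parse_ldif(exported):
        if not (c.get("mail") and c.get("cn") and c.get("sn")):
            continue                              # would fail slapd's schema check
        mail = c["mail"][0]
        lines = [f"dn: mail={escape_rdn_value(mail)},{parent_dn}",
                 ldif_line("mail", mail)]
        for attr in ("cn", "givenname", "sn"):
            lines += [ldif_line(attr, v) for v in c.get(attr, [])]
        lines += ["objectclass: person", "objectclass: top",
                  "objectclass: inetOrgPerson"]
        entries.append("\n".join(lines))
    return entries

if __name__ == "__main__":                        # redirect to contacts.ldif
    print("\n\n".join(to_contact_entries(EXPORTED_LDIF)))
```

Redirect the output to contacts.ldif and feed it to the ldapadd command above. Contacts without an address, cn or sn are dropped rather than emitted, since slapd would reject them anyway; values longer than 76 characters are not folded, which ldapadd accepts but stricter LDIF consumers may not.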

Configure E-Mail Clients

Now it's time to configure Mozilla to use the new LDAP server (see Figure 3).

Figure 3. Directory Server Properties Dialog Box in Mozilla

From the Edit menu in the Mozilla Mail and News window, select Mail & Newsgroup Account Setting. In the Addressing tab, select Use a different LDAP server, then select Edit Directories and then Add. Fill in the Directory Server Properties dialog with:

Name: FOO
base DN: ou=people,dc=foo,dc=com

Next, tell Mozilla to look up addresses in your directory. Under Addressing in the Mail and Newsgroups preferences, select Address Autocompletion and fill in FOO for Directory Server.

Test your settings by composing a message to one of your contacts in your LDAP directory. The address should autocomplete as you type. Another test is to search the LDAP directory from within the Mozilla Mail Address Book. A search for Name or E-mail that contains * should return all of the contact entries. Similarly, you can also configure Microsoft Outlook Express to use the LDAP directory.




If i want to use fstab to


If I want to use fstab to mount homeDirectory, what must I do?

BASE dc=foo,dc=com)

automount using LDAP


Hello guys,

It seems that RedHat automount uses cn property to identify username. Is there any way to change it to uid as authentication does?

Thank you in advance!


Woo, using Perl for crypt and salting... WHY?


perl -e "print crypt('passwd','salt_string',);"

Why would one do this, when slappasswd is available? It comes with openldap.

# slappasswd -h
slappasswd: option requires an argument -- h
Usage: slappasswd [options]
-h hash password scheme
-s secret new password
-c format crypt(3) salt format
-u generate RFC2307 values (default)
-v increase verbosity
-T file read file for new password

By default it uses SSHA. Easier and less prone to error.

Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets used at the local large parking lot.

