LDAP Series Part IV - Installing OpenLDAP on Debian Plus Some LDAP Commentary

by Tom Adelstein

I can imagine the comments we'll see on this article. What about X distribution? And so on... I'm not going to justify my reasons for choosing Debian. You can use whatever distro you want. It's just a matter of preference.

Installing OpenLDAP in Debian

Let's start by getting OpenLDAP from the Debian stable repository. Use the commands:

#apt-get install slapd ldap-utils db4.2-util

As you install LDAP you'll see messages such as:

The DNS domain name is used to construct the base DN of your LDAP directory. Entering foo.bar.org will give you the base DN dc=foo, dc=bar, dc=org. DNS domain name:
centralsoft.org__________

Don't worry about the terminology at this time. Remember that LDAP stores its data in a hierarchical tree, much like the directory tree of a Linux file system. In the question above, the install script is asking you to define the root or top of that tree, the base DN, and it derives it from your DNS domain name (centralsoft.org becomes dc=centralsoft,dc=org). It uses this strange way of stating it. We'll explain it later.

Whatever you enter here will be stored as the name of your organization in the base DN of your LDAP directory.

Name of your organization: centralsoft.org_

In the directory you will often find reference to the organization. You will see it as o=centralsoft.org or your domain name.

Please reenter the admin password for your LDAP directory for verification. Confirm password:***********

The administrator entry, cn=admin followed by your base DN (cn=admin,dc=centralsoft,dc=org in this example), is the identity you will bind as when you put data into the directory. This password protects it, so pick a strong one: whoever knows it has write access to the whole tree.

The slapd daemon now disables the old LDAPv2 protocol by default.

Programs and users are generally expected to be upgraded to LDAPv3. If you have old programs which have not been moved to use LDAPv3 and you still need LDAPv2 support then select this option and 'allow bind_v2' will be added to your slapd.conf to tell slapd to accept LDAPv2 connections.
Allow LDAPv2 protocol?


We don't want the LDAPv2 protocol, so answer No. LDAPv2 is obsolete and lacks the LDAPv3 security features (StartTLS and SASL binds), so enabling it only widens the attack surface. That's the last question. Next you will see a message saying slapd is configured and running.

Next, you should see the ending installation dialog:

Setting up slapd (2.2.23-8) ...
Creating initial slapd configuration... done.
Creating initial LDAP directory... done.
Starting OpenLDAP: running BDB recovery, slapd.

Setting up db4.2-util (4.2.52-18) ...
Setting up ldap-utils (2.2.23-8) ...
mail:/home/admin#

OpenLDAP uses slapd which stands for standalone LDAP daemon.
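The installation above is interactive. On a second or third server you will want the same answers every time, and you will want to check the result. The script below is an added example, not part of the original article: it preseeds the debconf questions the slapd package asks, installs it without prompting, and then verifies the running server. The debconf keys (slapd/domain, shared/organization, slapd/password1, slapd/password2, slapd/allow_ldap_v2) are the ones the slapd package of that era used; compare `debconf-show slapd` on your release before relying on them. The verification relies on ldap-utils 2.2 or later for the `-y` option and on the Debian default access rules. The domain, organization and password values are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): preseed the debconf questions the
# slapd package asks, install it non-interactively, then check the result.
# Assumptions: Debian with the slapd/ldap-utils/db4.2-util packages of the
# article's era; the debconf keys below are the ones that package used
# (compare `debconf-show slapd` on your release). Run "install" as root.
set -u

DOMAIN="${SLAPD_DOMAIN:-centralsoft.org}"      # placeholder domain
ORG="${SLAPD_ORG:-centralsoft.org}"            # placeholder organization
ADMIN_PW="${SLAPD_ADMIN_PW:-change-me}"        # placeholder; set in the environment

# foo.bar.org -> dc=foo,dc=bar,dc=org (the rule the installer quotes)
base_dn_from_domain() {
    printf '%s\n' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Emit debconf answers in the "package question type value" format that
# debconf-set-selections reads.  $1 domain, $2 organization, $3 admin password
slapd_preseed() {
    cat <<EOF
slapd slapd/domain string $1
slapd shared/organization string $2
slapd slapd/password1 password $3
slapd slapd/password2 password $3
slapd slapd/allow_ldap_v2 boolean false
EOF
}

# Feed the answers to debconf and install; no prompts are shown.
slapd_install() {
    slapd_preseed "$1" "$2" "$3" | debconf-set-selections
    DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils db4.2-util
}

# Post-install checks against the running server.  Returns non-zero if the
# base entry is unreadable, the admin bind fails, or userPassword is readable
# anonymously (which would mean the access rules are not the Debian defaults).
slapd_verify() {
    base=$(base_dn_from_domain "$1")
    pwfile=$(mktemp) || return 1
    printf '%s' "$2" > "$pwfile"   # -y reads the file verbatim (no newline); keeps the password out of `ps`
    rc=0
    # 1. anonymous bind can read the root of the tree (default "access to * by * read")
    ldapsearch -x -H ldap://localhost/ -b "$base" -s base '(objectClass=*)' dn o dc || rc=1
    # 2. the admin entry created by the installer accepts the password given at install time
    ldapwhoami -x -H ldap://localhost/ -D "cn=admin,$base" -y "$pwfile" || rc=1
    # 3. anonymous clients must not see password hashes (default "by * none" on userPassword)
    if ldapsearch -x -H ldap://localhost/ -b "$base" '(cn=admin)' userPassword | grep -q '^userPassword:'; then
        echo "userPassword is readable anonymously: review the access rules in /etc/ldap/slapd.conf" >&2
        rc=1
    fi
    rm -f "$pwfile"
    return $rc
}

case "${1:-}" in
    install) slapd_install "$DOMAIN" "$ORG" "$ADMIN_PW" ;;
    verify)  slapd_verify  "$DOMAIN" "$ADMIN_PW" ;;
    *)       echo "usage: $0 install|verify   (preseed that would be used follows)" >&2
             slapd_preseed "$DOMAIN" "$ORG" "$ADMIN_PW" ;;
esac
```

Run `SLAPD_ADMIN_PW='...' sh slapd-setup.sh install` as root, then `sh slapd-setup.sh verify`. The preseed stores the admin password in the debconf database until the package's postinst clears it, so treat the script's environment the way you would treat any file containing a credential. The third check in slapd_verify is the one worth keeping around: an access rule edited in the wrong order silently exposes every password hash, and this is the quickest way to notice.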

Some perspective

Note: You will see some repetition in these installments. I don't have any justification for that other than to say sometimes readers drop by without having seen earlier articles. That's the nature of a series of articles.

In the next article, we plan to add data to your directory. But before we go there, I'd like to put a little spin on this Directory Service thing.

System administrators should have LDAP on the top of their priority list of skills to master. Using this Access Protocol becomes more critical to business every day. Why?

First, Information Technology has evolved from Local Area Networks in an isolated business to an open infrastructure. Where we once sent purchase orders to suppliers, we now have Supply Chain Management.

We also have customers setting up accounts on our computer systems so they can purchase products directly. When someone buys a product and pays by credit card, we have to run the transaction through a clearing house that issues an authorization. Then you have to batch those credit card purchases and send them to your bank for credit.

LDAP provides a common interface for interoperability between and amongst all those systems. We can build our own SQL databases and hope to interconnect with our customers and suppliers, but unless we have a common specification, we can't work together.

LDAP is an Internet standard (RFC 2251 defines LDAPv3) that requires every LDAP server to speak the same access protocol, so a client written against one server can talk to another. A central directory is also the foundation of unified identity management: one account and one password, checked by every service that authenticates against the directory. The industry often calls that single sign-on, although strictly speaking single sign-on (log in once, never be prompted again) needs an extra ticketing layer such as Kerberos on top of the directory.

LDAP terminology confuses many professionals. For example, sometimes people use LDAP to refer to the protocol, other times to the protocol and the data. In these articles when we use the term LDAP, we mean a server listening on TCP port 389 (or 636 for LDAP over TLS, the ldaps:// scheme) exchanging data with an LDAP client. Keep in mind that traffic on port 389 is plaintext unless the client negotiates StartTLS, so passwords sent in simple binds are visible on the wire until TLS is configured.

In computing, we use the word directory often and it can mean different things to different people. For example, to the average user a directory might mean catalogs or folders on his or her desktop.

To a system administrator the Linux file system provides a hierarchical group of directories. The vast majority of operating systems have directory structures and, when plotted visually, they look like a tree.

LDAP uses a hierarchical data structure with a root, limbs and branches. We call that a DIT, or Directory Information Tree. A client that comes along and says, give me such and such information from port 389, first binds to the server, either anonymously or as a particular entry in the DIT (for example cn=admin,dc=centralsoft,dc=org) by presenting that entry's password. A bind as an entry that does not exist, or with the wrong password, is rejected. Having an entry is not the same as having access, though: what each bound identity may read or write is decided by the access control rules in slapd.conf. With the Debian defaults, anonymous clients can read everything except the userPassword attribute, which only the entry itself and the admin may see or change.
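The rules that decide this live in /etc/ldap/slapd.conf. The fragment below is an added illustration, not copied from the article: it reproduces the shape of the access rules the Debian package generates for the domain entered during installation (check them against your own slapd.conf), followed by a common mistake. slapd evaluates `access to` clauses in order and uses the first one whose target matches the attribute being requested, so a catch-all `access to *` placed ahead of the userPassword rule makes every password hash readable by anonymous clients.

```text
# Debian default (abridged): password hashes are hidden, the owner of an
# entry may change their own, and anyone may use the attribute to bind.
access to attribute=userPassword
        by dn="cn=admin,dc=centralsoft,dc=org" write
        by anonymous auth
        by self write
        by * none

# Everything else: admin writes, everyone (anonymous included) reads.
access to *
        by dn="cn=admin,dc=centralsoft,dc=org" write
        by * read

# WRONG ORDER - do not do this.  The catch-all matches userPassword first,
# so the "by * none" clause beneath it is never reached and an anonymous
# ldapsearch returns the hashes.
#access to *
#        by * read
#access to attribute=userPassword
#        by * none
```

Whenever you edit these rules, test them before restarting: an anonymous `ldapsearch -x -b dc=centralsoft,dc=org '(objectClass=*)' userPassword` should return no userPassword lines at all. OpenLDAP 2.3 and later also ship slapacl(8), which evaluates the rules for a given identity and attribute without a running server.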

Miles to go

I hope you'll understand one thing about LDAP in the Linux environment: you need patience. For example, just because you have an administrator's account doesn't mean you can just enter data. We need to modify some configuration files. Then we need to learn how to authenticate and build the hierarchy.

That's just the tip of the iceberg. If you would like to speed up the process of learning this LDAP thing, you'll find plenty of information out on the web. I would start with the OpenLDAP Administrator's Guide.

You can get started with this link to the Quick-Start Guide.

Thanks for dropping by and since it's Halloween, remember this: Don't let the turkeys get you down, man.
