
LDAP for Rocket Scientists

This Open Source Guide is about LDAP, OpenLDAP 2.x and ApacheDS on Linux (Fedora Core 5) and the BSDs (FreeBSD, OpenBSD and NetBSD). It is meant for newbies, Rocket Scientist wannabes and anyone in between.

LDAP is a complex subject. This Guide was born out of our pathetic attempts to understand LDAP, since it promised a veritable nirvana - a single common source of information, unlimited scalability using a replication model, inherent resilience, fast read performance, fine-grained control over who can do what to which data - the list goes on. Wonderful stuff.

That's the end of the good news.

The bad news is that IOHO never has so much been written so incomprehensibly about a single topic, with the possible exceptions of BIND and ... and ... There are innumerable excellent HOWTOs scattered over the Internet, which are great if you need a tactical solution to a particular problem and are happy to put up with the vaguely uncomfortable feeling that you are entirely dependent on something you don't really understand. We didn't want a tactical solution, we wanted a strategic solution to a whole set of problems, all of which appeared to be ideally suited to LDAP, but we had to understand stuff ... we needed a WHYTO. This is our - perhaps pathetic - attempt to create it.

Once upon a time OpenLDAP was the only game in the Open Source LDAP town. It is still regarded as the LDAP reference implementation and remains an excellent system with many production deployments; it is actively developed, and is ferociously complex to implement for anything other than trivial applications. It is, however, no longer the only game in town. There is now the Fedora Directory Server, another University of Michigan derivative, OpenDS, a Sun-led Java implementation, and the ApacheDS (Apache Directory Server) project. All appear to be excellent projects and together with OpenLDAP provide an embarrassment of riches in the Open Source LDAP space - driving forward capabilities and functionality. Some notes about the projects and our decision if you are interested in this kind of stuff.

All future versions of this guide will progressively introduce material describing the use of ApacheDS while continuing to document OpenLDAP.

<warning> This is very much a work in progress. If you find errors don't grumble - tell us. Look at our to do list and if you want to contribute something please do so. And for all that hard work we promise only a warm sense of well-being and an acknowledgment of your work in the licence. </warning>

Contents

What's new in Guide version 0.1.11

1. Boilerplate and Terminology

1.1 Objectives and Scope
1.2 How to read this Guide
1.3 Terminology and Conventions used
1.4 Acknowledgements
1.5 Copyright and License

Section 1 - Overview & Concepts

2. LDAP - Overview

2.1 A brief History of LDAP
2.2 LDAP Overview
2.3 LDAP vs. Database
2.3.1 LDAP Usage Summary
2.4 LDAP Data (Object) Model

2.4.1 Object Tree Structure
2.4.2 Attributes
2.4.3 Object Classes
2.4.4 Describing the Tree and Adding Data
2.4.5 Navigating the Tree (DNs and RDNs)

2.5 LDAP Replication and Referrals

2.5.1 Referrals
2.5.2 Replication

3. LDAP Schemas, ObjectClasses and Attributes

3.1 LDAP Stuff Overview
3.2 Schemas
3.3 ObjectClasses
3.4 Attributes
3.5 Matching Rules
3.6 LDAP Operational Attributes and Objects

Section 2 - Get Something Running

4. LDAP Installation

4.1 LDAP Installation
4.2 OpenLDAP on *NIX and Windows
4.3 ApacheDS on *NIX and Windows

5. OpenLDAP Sample Configurations

5.1 Simple Directory

5.1.1 Designing the DIT
5.1.2 Select the STRUCTURAL objectClass
5.1.3 slapd.conf File
5.1.4 LDIF File
5.1.5 Loading the LDIF
5.1.6 Adding New Entries using LDIF
5.1.7 Modifying Entries using LDIF
5.1.8 Just Fooling Around

5.2 Securing the Directory

5.2.1 Security Policy
5.2.2 Adding Groups
5.2.3 ACL slapd.conf Access Definitions
5.2.4 Testing the ACL

5.3 Expanded Hierarchy

5.3.1 Requirement
5.3.2 Implementation
5.3.3 LDIF
5.3.4 ACL slapd.conf Access Definitions
5.3.5 Testing the ACL

5.4 Creating & Adding Objects

5.4.1 Requirement
5.4.2 Implementation
5.4.3 Attribute Definitions
5.4.4 objectClass & Schema Definition
5.4.5 ACL slapd.conf Access Definitions
5.4.6 LDIF
5.4.7 Testing the Changes

5.5 Single Sign On
5.6 Referral and Replication

6. Configuration Files

6.1 slapd.conf Overview
6.1.1 Converting slapd.conf to use cn=config/slapd.d
6.2 slapd.conf List of Directives
6.3 slapd.conf Global Section Directives
6.4 slapd.conf Backend Section Directives
6.5 slapd.conf Database Section Directives
6.5.1 slapd.conf Overlay Directive
6.6 ldap.conf Directives
6.7 ApacheDS Configuration

7. Replication and Referrals

7.1 Replication and Referral Overview
7.2 Replication
7.2.1 OpenLDAP Replication
7.2.1.1 OpenLDAP slurpd Style Replication
7.2.1.1.1 OpenLDAP slurpd Replication Errors
7.2.1.2 OpenLDAP syncrepl Style Replication
7.2.1.2.1 OpenLDAP syncrepl RefreshOnly
7.2.1.2.2 OpenLDAP syncrepl RefreshAndPersist
7.2.1.2.3 OpenLDAP syncrepl Multi-Master
7.2.1.2.4 OpenLDAP syncrepl Access Logs and Delta-sync
7.2.2 ApacheDS Replication
7.3 Synching DIT before slurpd Replication
7.3 Synching DIT before syncrepl Replication
7.4 Referrals
7.4.1 Referral Chaining

Section 3 - Reference

8. LDIF and DSML

8.1 LDIF Overview
8.2 LDIF Format & Directives

8.2.1 LDIF File Format

8.2.1.1 LDIF Terminology and Line Types
8.2.1.2 LDIF Sample

8.2.2 LDIF Directives

8.2.2.1 add Directive
8.2.2.2 attributename Directives
8.2.2.3 changetype Directives
8.2.2.4 control Directives
8.2.2.5 delete Directives
8.2.2.6 deleteoldrdn Directives
8.2.2.7 dn Directives
8.2.2.8 newrdn Directives
8.2.2.9 newsuperior Directives
8.2.2.10 objectclass Directives
8.2.2.11 replace Directives
8.2.2.12 version Directives

8.3 LDIF Handling Binary (including Passwords)
8.4 LDIF Importing Files
8.5 LDIF Samples
8.6 DSML

9. LDAP Functional Model

9.4 LDAP URL

10. LDAP API

Section 4 OpenLDAP Operations

11. OpenLDAP HowTos

Configuring Multiple DITs in OpenLDAP
Configuring Referrals in OpenLDAP
Configuring Referral chaining in OpenLDAP
Configuring slurpd style replication in OpenLDAP
Configuring syncrepl style replication in OpenLDAP
Configuring delta synchronization (syncrepl) in OpenLDAP
Configuring and using cn=config in OpenLDAP
Notes about running/initialising OpenLDAP
Notes about overlays in OpenLDAP (or when is an overlay an overlay)
OpenLDAP converting to use cn=config
Configuring Groups of Users in OpenLDAP

12. OpenLDAP Trouble Shooting & Errors

13. OpenLDAP Performance

14. LDAP Tools

OpenLDAP Tools

ldapadd - add LDIF entries to an LDAP directory
ldapauth - add LDIF entries to an LDAP directory
ldapdelete - delete LDAP entries
ldapmodify - modify existing LDAP entries
ldapmodrdn - modify an LDAP entry's DN
ldappasswd - modify an entry's password
ldapsearch - search LDAP entries
ldapwhoami - perform an LDAP Who Am I operation on a server
slapacl - verify access to attributes by inspecting the configuration of a DIT
slapadd - add LDAP entries to a database - STOP SLAPD FIRST
slapauth - verify SASL data against a DIT
slapcat - export an LDIF from an LDAP database - STOP SLAPD FIRST
slapdn - verify a DN against a DIT configuration
slapindex - re-index an LDAP database - STOP SLAPD FIRST
slappasswd - generate password
slaptest - verify a slapd.conf file or a cn=config directory (slapd.d)
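The slappasswd entry above only says "generate password". What it generates by default is a salted SHA-1 hash in the {SSHA} scheme, and knowing the exact layout matters when you audit a directory's userPassword values or need to verify one outside slapd. The following is an added example, written for this page and not taken from OpenLDAP's own source: it reproduces the {SSHA} layout (the literal prefix "{SSHA}" followed by base64 of the 20-byte SHA-1 digest of password+salt, with the salt appended after the digest) and verifies a password against such a value. The 4-byte salt length mirrors slappasswd's default; the function names and the sample password are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} as produced by `slappasswd -h '{SSHA}'`:
#   "{SSHA}" + base64( sha1(password || salt) || salt )
# The digest is always 20 bytes; whatever follows it in the decoded
# blob is the salt, so the verifier does not need to know its length.
SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} userPassword value for `password`.

    A random 4-byte salt is used when none is supplied (slappasswd's
    default salt length); passing a fixed salt makes the output
    deterministic, which is useful for tests but never for real data.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {SSHA} value.

    Returns False (rather than raising) for a malformed blob that is too
    short to contain a SHA-1 digest. Comparison is constant-time so a
    verifier built on this cannot leak digest bytes through timing.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    if len(raw) < SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample password; a real deployment would use the
    # value that slappasswd emitted, pasted straight into the LDIF.
    value = ssha_hash("secret")
    print("userPassword:", value)
    print("correct password verifies:", ssha_verify("secret", value))
    print("wrong password verifies:  ", ssha_verify("guess", value))
```

Two practical notes. First, {SSHA} is salted but unstretched SHA-1, so an attacker who obtains the directory database can try candidate passwords at raw SHA-1 speed; OpenLDAP's contrib modules (pw-sha2 for {SSHA256}/{SSHA512}, pw-pbkdf2 for {PBKDF2-SHA256} and friends) offer stronger schemes, selected with the password-hash directive. Second, none of this matters if the userPassword attribute is readable: the ACLs covered in sections 5.2 and 5.3 must restrict it to `auth` access for everyone but the entry owner and administrators.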

LDAP Browsers

LDAPBrowser/Editor - some notes on usage

ApacheDS Tools

ApacheDS Tools - tools and Utilities

Section 5 LDAP Security

15. LDAP Security

Appendices: Resources

Appendix A: LDAP Notes and Explanations
Appendix B: LDAP Resources
Appendix C: LDAP RFCs and Documentation
Appendix D: LDAP Glossary
Appendix E: LDAP Common Schemas, objectClasses and Attributes

Maintenance Information

To do list - Stuff that still needs to be done.

Change log.



Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Copyright © 1994 - 2010 ZyTrax, Inc.
All rights reserved. Legal and Privacy
web-master at zytrax
Page modified: August 04 2010.


Creative Commons License
This work is licensed under a Creative Commons License.