mail us  |  mail this page

products  |  company  |  support  |  training  |  contact us

ZYTRAX OPEN LOGO

LDAP for Rocket Scientists

This Open Source Guide is about LDAP, OpenLDAP 2.x and ApacheDS on Linux and the BSD's (FreeBSD, OpenBSD and NetBSD). It is meant for newbies, Rocket Scientist wannabees and anyone in between.

LDAP is a complex subject. This Guide was born out of our pathetic attempts to understand LDAP, since it promised a veritable nirvana - common source for information, unlimited scalability using a replication model, inherent resilience, fast read performance, fine-grained control over who can do what to what data - the list goes on. Wonderful stuff.

That's the end of the good news.

The bad news is that IOHO never has so much been written so incomprehensibly about a single topic with the possible exceptions of BIND and ... and ... There are innumerable excellent HOWTOs scattered over the Internet, which are great if you need a tactical solution to a particular problem, and are happy to put up with the vaguely uncomfortable feeling that you are entirely dependent on something you don't really understand. We didn't want a tactical solution, we wanted a strategic solution to a whole set of problems, all of which all appeared to be ideally suited to LDAP, but we had to understand stuff ... we needed a WHYTO. This is our - perhaps pathetic - attempt to create it.

Once upon a time OpenLDAP was the only game in the Open Source LDAP town. It is still regarded as the LDAP reference implementation and remains an excellent system with many production implementations, is actively developed and ferociously complex to implement for other than trivial applications. It is, however, no longer the only game in town. There is now the 389 Directory Server (ex-Fedora Directory Server), another University of Michigan derivative, OpenDS originally a Sun-led Java implementation (now in the tender care of Oracle), and the ApacheDS (Apache Directory) project. All appear excellent projects and together with OpenLDAP provide an embarrassment of riches in the Open Source LDAP space - driving forward capabilities and functionality. Some notes about the projects and our decision if you are interested in this kind of stuff.

All future versions of this guide will progressively introduce material describing the use of ApacheDS while continuing to document OpenLDAP.

<warning> This is very much a work in progress. If you find errors don't grumble - tell us. Look at our to do list and if you want to contribute something please do so. And for all that hard work we promise only a warm sense of well-being and an acknowledgment of your work in the licence. </warning>

Contents

What's new in Guide version 0.1.15

1. Boilerplate and Terminology

  1. 1.1 Objectives and Scope
  2. 1.2 How to read this Guide
  3. 1.3 Terminology and Conventions used
  4. 1.4 Acknowledgements
  5. 1.5 Copyright and License

Section 1 - Overview & Concepts

2. LDAP - Overview

  1. 2.1 A brief History of LDAP
  2. 2.2 LDAP Overview
  3. 2.3 LDAP vs. Database
    1. 2.3.1 LDAP Usage Summary
  4. 2.4 LDAP Data (Object) Model
    1. 2.4.1 Object Tree Structure
    2. 2.4.2 Attributes
    3. 2.4.3 Object Classes
    4. 2.4.4 Describing the Tree and Adding Data
    5. 2.4.5 Navigating the Tree (DNs and RDNs)
  5. 2.5 LDAP Replication and Referrals
    1. 2.5.1 Referrals
    2. 2.5.2 Replication

3. LDAP Schemas, ObjectClasses and Attributes

  1. 3.1 LDAP Stuff Overview
  2. 3.2 Schemas
  3. 3.3 ObjectClasses
  4. 3.4 Attributes
  5. 3.5 Matching Rules
  6. 3.6 LDAP Operational Attributes and Objects

Section 2 - Get Something Running

4. LDAP Installation

4.1 LDAP Installation
4.2 OpenLDAP on *NIX and Windows
4.3 ApacheDS on *NIX and Windows

5. OpenLDAP Sample Configurations

5.1 Simple Directory

5.1.1 Designing the DIT
5.1.2 Select the STRUCTURAL objectClass
5.1.3 slapd.conf File
5.1.4 LDIF File
5.1.5 Loading the LDIF
5.1.6 Adding New Entries using LDIF
5.1.7 Modifying Entries using LDIF
5.1.8 Just Fooling Around

5.2 Securing the Directory

5.2.1 Security Policy
5.2.2 Adding Groups
5.2.3 ACL slapd.conf Access Definitions
5.2.4 Testing the ACL

5.3 Expanded Hierarchy

5.3.1 Requirement
5.3.2 Implementation
5.3.3 LDIF
5.3.4 ACL slapd.conf Access Definitions
5.3.5 Testing the ACL

5.4 Creating & Adding Objects

5.4.1 Requirement
5.4.2 Implementation
5.4.3 Attribute Definitions
5.4.4 objectClass & Schema Definition
5.4.5 ACL slapd.conf Access Definitions
5.4.6 LDIF
5.4.7 Testing the Changes

5.5 Single Sign On
5.6 Referral and Replication

6. Configuration Files

6.1 slapd.conf Overview
6.1.1 Using OLC (cn=config)
6.1.1.1 OLC (cn=config) Overview
6.1.1.2 Converting from slapd.conf to OLC (cn=config)
6.1.1.3 OLC (cn=config) Layout
6.1.1.4 Using OLC (cn=config)(Read, Modify)
6.1.1.4.1 OLC (cn=config)General Notes
6.1.1.4.2 Add/Delete Schemas using OLC (cn=config)
6.1.1.4.3 Add/Delete ACPs/ACLs using OLC (cn=config)
6.1.1.4.4 Add/Delete Modules using OLC (cn=config)
6.1.1.4.5 Add/Delete Databases using OLC (cn=config)
6.2 List of Directives (OLC (cn=config) and slapd.conf)
6.3 Global Section Directives (OLC (cn=config) and slapd.conf)
6.3.1 TLS Directives (OLC (cn=config) and slapd.conf)
6.4 Backend Section Directives (OLC (cn=config) and slapd.conf)
6.5 Database Section Directives (OLC (cn=config) and slapd.conf)
6.5.1 Overlay Directives (OLC (cn=config) and slapd.conf)
6.6 ldap.conf Directives
6.7 ApacheDS Configuration

7. Replication and Referrals

7.1 Replication and Referral Overview
7.2 Replication
7.2.1 OpenLDAP Replication
7.2.1.1 OpenLDAP slurpd Style Replication
7.2.1.1.1 OpenLDAP slurpd Replication Errors
7.2.1.2 OpenLDAP sysncrepl Style Replication
7.2.1.2.1 OpenLDAP sysncrepl RefreshOnly
7.2.1.2.2 OpenLDAP sysncrepl RefreshAndPersist
7.2.1.2.3 OpenLDAP sysncrepl Multi-Master
7.2.1.2.4 OpenLDAP sysncrepl Access Logs and Delta-sync
7.2.2 ApacheDS Replication
7.3 Synching DIT before surpd Replication
7.3 Synching DIT before syncrepl Replication
7.4 Referrals
7.4.1 Referral Chaining

Section 3 - Reference

8. LDIF and DSML

8.1 LDIF Overview
8.2 LDIF Format & Directives

8.2.1 LDIF File Format

8.2.1.1 LDIF Terminology and Line Types
8.2.1.2 LDIF Sample

8.2.2 LDIF Directives

8.2.2.1 add Directive
8.2.2.2 attributename Directives
8.2.2.3 changetype Directives
8.2.2.4 control Directives
8.2.2.5 delete Directives
8.2.2.6 deleteoldrdn Directives
8.2.2.7 dn Directives
8.2.2.8 newrdn Directives
8.2.2.9 newsuperior Directives
8.2.2.10 objectclass Directives
8.2.2.11 replace Directives
8.2.2.12 version Directives

8.3 LDIF Handling Binary (including Passwords)
8.4 LDIF Importing Files
8.5 LDIF Samples
8.6 DSML

9. LDAP Functional Model

9.4 LDAP URL

10. LDAP API

Section 4 OpenLDAP Operations

11. OpenLDAP HowTos

Configuring Multiple DITs in OpenLDAP
Configuring Referrals in OpenLDAP
Configuring Referral chaining in OpenLDAP
Configuring slurpd style replication in OpenLDAP
Configuring syncrepl style replication in OpenLDAP
Configuring delta synchronization (syncrepl) in OpenLDAP
Configuring and using cn=config in OpenLDAP
Notes about running/initialising OpenLDAP
Notes about overlays in OpenLDAP (or when is an overlay an overlay)
OpenLDAP converting to OLC (cn=config)
Using OLC (cn=config)
Configuring Groups of Users in OpenLDAP

12. OpenLDAP Trouble Shooting & Errors

13. OpenLDAP Performance

14. LDAP Tools

OpenLDAP Tools

ldapadd - add LDIF entries to an LDAP directory
ldapauth - add LDIF entries to an LDAP directory
ldapdelete - delete LDAP entries
ldapmodify - modify existing LDAP entries
ldapmodrdn - modify an LDAP entry's DN
ldappasswd - modify an entry's password
ldapsearch - search LDAP entries
ldapwhoami - perform an LDAP Who Am I operation of a server
slapacl - verify access to attributes by inspecting the configuraion of a DIT
slapadd - add LDAP entries to a database - STOP SLAPD FIRST
slapauth - verify SASL data against a DIT
slapcat - export an LDIF from an LDAP database - STOP SLAPD FIRST
slapdn - verify a DN against a DIT configuration
slapindex - re-index an LDAP database - STOP SLAPD FIRST
slappasswd - generate password
slaptest - verify a slapd.conf file or a cn=config directory (slapd.d)

LDAP Browsers

LDAPBrowser/Editor - some notes on usage

ApacheDS Tools

ApacheDS Tools - tools and Utilities

Section 5 LDAP Security

15. LDAP Security

  1. 15.1 OpenLDAP Security Overview
  2. 15.4 OpenLDAP TLS/SSL Configuration

Appendices: Resources

  1. Appendix A: LDAP Notes and Explanations
  2. Appendix B: LDAP Resources
  3. Appendix C: LDAP RFCs and Documentation
  4. Appendix D: LDAP Glossary
  5. Appendix E: LDAP Schemas, objectClasses and Attributes

Document Maintenance Information

To do list - Stuff that still needs to be done.

Change log.



Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Copyright © 1994 - 2014 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by super.net.sg
web-master at zytrax
Page modified: December 31 2013.

Contents

tech info
guides home
intro
contents
1 objectives
big picture
2 concepts
3 ldap objects
quickstart
4 install ldap
5 samples
6 configuration
7 replica & refer
reference
8 ldif
9 protocol
10 ldap api
operations
11 howtos
12 trouble
13 performance
14 ldap tools
security
15 security
appendices
notes & info
ldap resources
rfc's & x.500
glossary
ldap objects
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox

web zytrax.com

Share Page

share page via facebook tweet this page submit page to stumbleupon submit page to reddit.com

Page Features

Page comment feature Send to a friend feature print this page Decrease font size Increase font size

RSS Feed Icon RSS Feed

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux

Applications

LibreOffice
OpenOffice
Mozilla
SourceForge
GNU-Free SW Foundation

Organisations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

SPF Resources

Draft RFC
SPF Web Site
SPF Testing
SPF Testing (member only)

Display full width page Full width page

Print this page Print this page

SPF Record Conformant Domain Logo