Chapter 4. OpenLDAP Win2k

Win2k Installation

This section describes installation of OpenLDAP on Windows 2000 server (but should be identical for XP and Server 2003).

Note: The Windows version used here is built by Lucas Bergman and Matthias Mohr. Our thanks to these guys. You can also build OpenLDAP under cygwin or obtain an older (2.0.27) packaged version from ILEX. The ILEX installer is in English but the modest instructions on how to use it are in French. With the exception of the cygwin method, none of these systems seems to be actively maintained; they are therefore not production-quality versions but are great for experimentation and learning. If you want to deploy an Open Source LDAPv3-compliant server on Windows in production, use either cygwin or ApacheDS.

  1. Download OpenLDAP as a packaged Windows installer from this location to a suitable temporary directory.

  2. Double click the downloaded file openldap-2.2.29-db-4.3.29-openssl-0.9.8a-win32_Setup.exe to start the install process. The following instructions assume the default path for installation (in our case c:\Program Files\OpenLDAP) is used.

  3. The install process starts with the usual license acceptance screen and selection of install paths, which you can accept or modify according to your configuration - then up pops this screen:

    OpenLDAP Install screen 1

    The default screen does not install slurpd as a NT service. We chose to check the box labelled Install OpenLDAP-slurpd as an NT service (as shown), but this can always be done later from a command line.

  4. The next screen simply requests what will appear on the start->programs menu and whether you want it to appear in the start menu folder or not. Since we are running as an NT service we chose the defaults as shown below.

    OpenLDAP Install screen 2

  5. This screen asks whether to autostart the NT service at boot time. Since we would be using the service occasionally we unchecked the automatically start the OpenLDAP service(s) after reboot (default is checked). The service is installed in 'Manual' mode, which means we have to start the service from the command line or via the admin tools GUI. If you leave the box checked (default) the NT services that you installed (slapd/slurpd) will be set to 'Auto' mode and start automatically.

    OpenLDAP Install screen 2

  6. The next screen is the standard windows installer confirmation of install parameters (not shown) - manually check the parameters and click the install button or use the back button to fix any errors. The final screen (shown) confirms the installation was successful and allows display of the readme file. This file contains some useful information.

    OpenLDAP Install screen 4

  7. The installer places a basic slapd.conf in the base directory (in a default install c:\Program Files\OpenLDAP) and creates a number of subdirectories:

    directory   function
    data        contains all the BDB (database) files
    docs        contains documentation on the various database backends and the bdb utilities
    run         various run time files (.pid and .args)
    schema      standard OpenLDAP schema files
    ucdata      unicode data
    uninst      uninstall information
    

    A test load of the basic configuration will work - see the GUI start procedure below.

  8. To start the slapd NT service via a GUI interface use Start->Programs->Administrative Tools->Services (or Start->Settings->Control Panel, double click Administrative Tools and then double click Services). In the services window navigate to OpenLDAP Directory Service as shown:

    OpenLDAP Start NT service 1

  9. Double click OpenLDAP Directory Service which displays this window:

    OpenLDAP Start NT service 2

    Click the Start button to activate the service. If any errors occur use the Event log to debug (Start->Programs->Administrative Tools->Event Viewer). To confirm that the service is running use Task Manager and search for slapd.exe. Alternatively load a command line window (Start->Run, enter cmd, click OK) and enter the following command:

    netstat -an
    # this will list all the active ports and their
    # status. Confirm that port 389 is shown as LISTENING.
    

    To stop the service - repeat the above process and click the Stop button.

    To start the Replication Service (slurpd) follow the above procedure but navigate to the service named OpenLDAP Replication Service.
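As an added check that is not part of the original page: this Python script sends an anonymous LDAP simple bind to port 389 and decodes the BindResponse, which shows that slapd is actually answering LDAP rather than merely holding the port open (netstat only shows the latter). The host and port default to the values used on this page, the messages are hand-encoded in BER, and SAMPLE_SUCCESS is a constructed reply used for offline checking.

```python
import socket

def _tlv(tag, body):
    # BER tag-length-value with short-form length (enough for these tiny messages).
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def anonymous_bind_request(message_id=1):
    # LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b""))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)

def _read_tlv(buf, pos):
    # Return (tag, value, next_pos); handles short and long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(response):
    # LDAPMessage(0x30) -> messageID(0x02), BindResponse(0x61) -> resultCode(0x0a)
    tag, msg, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, bind_resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    tag, code, _ = _read_tlv(bind_resp, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def probe_slapd(host="localhost", port=389, timeout=5.0):
    # Returns the resultCode of an anonymous simple bind: 0 (success) means
    # slapd is listening and speaking LDAP on this port.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(anonymous_bind_request())
        return bind_result_code(sock.recv(4096))

# Constructed reply as slapd sends it for a successful anonymous bind:
# LDAPMessage(id 1) { BindResponse { resultCode 0, matchedDN "", errorMessage "" } }
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
```

Run probe_slapd() from a Python prompt on the server; a result of 0 corresponds to the "NO SECURITY" configuration below, where anonymous binds are accepted.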

  10. To test the first example shown in Chapter 5.1.3, make sure the OpenLDAP Directory Service is stopped, rename the installed slapd.conf to, say, slapd.conf.inst, then save the following file as slapd.conf in the base directory.

    #
    ###### SAMPLE 1 - SIMPLE DIRECTORY ############
    #
    # NOTES: inetorgperson picks up attributes and objectclasses
    #        from all three schemas
    #
    # NB: RH Linux schemas in /etc/openldap
    #
    ucdata-path	./ucdata
    include		./schema/core.schema
    include		./schema/cosine.schema
    include		./schema/inetorgperson.schema
    
    
    # NO SECURITY - no access clause
    # defaults to anonymous access for read
    # only rootdn can write
    
    # NO REFERRALS
    
    # DON'T bother with ARGS file unless you feel strongly
    # slapd stop scripts need this to work
    pidfile ./run/slapd.pid
    argsfile	./run/slapd.args
    
    # enable a lot of logging - we might need it
    # but generates huge logs
    loglevel 	-1 
    
    # NO dynamic backend modules
    
    # NO TLS-enabled connections
    
    # backend definition not required
    
    #######################################################################
    # bdb database definitions
    # 
    # replace example and com below with a suitable domain
    # 
    # If you don't have a domain you can leave it since example.com
    # is reserved for experimentation or change them to my and inc
    #
    #######################################################################
    
    database bdb
    suffix "dc=example, dc=com"
    
    # root or superuser
    rootdn "cn=jimbob, dc=example, dc=com"
    rootpw dirtysecret
    # The database directory MUST exist prior to running slapd AND 
    # change path as necessary
    directory	./data/example-com
    
    # Indices to maintain for this directory
    # unique id so equality match only
    index	uid	eq
    # allows general searching on commonname, givenname and email
    index	cn,gn,mail eq,sub
    # allows multiple variants on surname searching
    index sn eq,sub
    # sub above includes subinitial,subany,subfinal
    # optimise department searches
    index ou eq
    # if searches will include objectClass uncomment following
    # index objectClass eq
    # shows use of default index parameter
    index default eq,sub
    # indices missing - uses default eq,sub
    index telephonenumber
    
    # other database parameters
    # read more in slapd.conf reference section
    cachesize 10000
    checkpoint 128 15
    

    Important: The file above saves the database file in \data\example-com - this directory MUST exist before starting the OpenLDAP Directory Service.
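Added example, not part of the ZyTrax guide: a small Python review of a slapd.conf in the style above. It parses the directives and reports the points the comments above leave open, namely a cleartext rootpw, loglevel -1, the absence of any access directive (so anonymous read of the whole DIT), and a database directory that does not yet exist. SAMPLE_CONF is a constructed subset of the file above and base_dir is an assumed slapd working directory.

```python
import os

# Constructed sample: the security-relevant lines of the slapd.conf above.
SAMPLE_CONF = """\
include\t./schema/core.schema
loglevel \t-1
database bdb
suffix "dc=example, dc=com"
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
directory\t./data/example-com
"""

def parse_slapd_conf(text):
    # Split into global directives and one list per 'database' section. Blank
    # lines and '#' comments are skipped; the file above mixes tabs and spaces.
    global_directives, databases = [], []
    current = global_directives
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if name == "database":
            current = []
            databases.append(current)
        current.append((name, value))
    return global_directives, databases

def review_slapd_conf(text, base_dir=None):
    # Returns a list of findings (empty means nothing flagged). base_dir resolves
    # the relative 'directory' path, which must exist before slapd is started.
    findings = []
    global_directives, databases = parse_slapd_conf(text)
    everything = global_directives + [d for db in databases for d in db]
    if ("loglevel", "-1") in global_directives:
        findings.append("loglevel -1 logs every operation; expect very large logs")
    if not any(name == "access" for name, _ in everything):
        findings.append("no 'access' directive: slapd defaults to anonymous read of the whole DIT")
    for db in databases:
        for name, value in db:
            if name == "rootpw" and not value.startswith("{"):
                findings.append("rootpw is cleartext; store a slappasswd hash ({SSHA}) instead")
            if name == "directory" and base_dir is not None:
                path = os.path.join(base_dir, value)
                if not os.path.isdir(path):
                    findings.append("database directory %s does not exist; create it first" % path)
    return findings
```

Call review_slapd_conf(open("slapd.conf").read(), base_dir=r"c:\Program Files\OpenLDAP") before starting the service; the directory finding is the one that stops slapd from starting at all.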

  11. Save the following file (or load this file and use Save As in your browser) as, say, step-1.ldif in a suitable directory.

    ## DEFINE DIT ROOT/BASE/SUFFIX ####
    ## uses RFC 2377 format
    ## replace example and com as necessary below
    ## or for experimentation leave as is
    
    ## dcObject is an AUXILIARY objectclass and MUST
    ## have a STRUCTURAL objectclass (organization in this case)
    # this is an ENTRY sequence and is preceded by a BLANK line
    
    dn: dc=example,dc=com
    dc: example
    description: My wonderful company as much text as you want to place 
     in this line up to 32K continuation data for the line above must 
     have <CR> or <CR><LF> i.e. ENTER works 
     on both Windows and *nix system - new line MUST begin with ONE SPACE
    objectClass: dcObject
    objectClass: organization
    o: Example, Inc.
    
    ## FIRST Level hierarchy - people 
    ## uses mixed upper and lower case for objectclass
    # this is an ENTRY sequence and is preceded by a BLANK line
    
    dn: ou=people, dc=example,dc=com
    ou: people
    description: All people in organisation
    objectclass: organizationalunit
    
    ## SECOND Level hierarchy
    ## ADD a single entry under FIRST (people) level
    # this is an ENTRY sequence and is preceded by a BLANK line
    # the ou: Human Resources is the department name
    
    dn: cn=Robert Smith,ou=people,dc=example,dc=com
    objectclass: inetOrgPerson
    cn: Robert Smith
    cn: Robert J Smith
    cn: bob  smith
    sn: smith
    uid: rjsmith
    userpassword: rJsmitH
    carlicense: HISCAR 123
    homephone: 555-111-2222
    mail: r.smith@example.com
    mail: rsmith@example.com
    mail: bob.smith@example.com
    description: swell guy
    ou: Human Resources
    
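Added example, not from the ZyTrax guide: a minimal Python LDIF reader for files like step-1.ldif above. It applies the two rules the comments stress (a blank line separates entries; a line beginning with one space continues the previous line) and then checks the ordering the ldapadd command in the next step depends on: every entry's parent must be the suffix or an entry earlier in the file. SAMPLE_LDIF is a constructed subset of the file above.

```python
# Constructed sample in the format of step-1.ldif above (a subset of its entries).
SAMPLE_LDIF = """\
## DEFINE DIT ROOT/BASE/SUFFIX ####
dn: dc=example,dc=com
description: this value is folded onto a second
  line that MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization

dn: ou=people, dc=example,dc=com
ou: people
objectclass: organizationalunit

dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
"""

def unfold(text):
    # A line starting with one space continues the previous line; only that
    # first space is dropped. '#' comment lines are ignored.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_ldif(text):
    # Entries are separated by blank lines; each becomes a dict of lowercased
    # attribute name -> list of values, in file order.
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if line.strip():
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def check_add_order(entries, suffix):
    # ldapadd adds entries top to bottom, so each parent must be the suffix or an
    # earlier entry. DNs are compared with RDN spacing and case normalized.
    norm = lambda dn: ",".join(r.strip().lower() for r in dn.split(","))
    seen, rejected = set(), []
    for entry in entries:
        dn = norm(entry["dn"][0])
        if dn != norm(suffix) and dn.partition(",")[2] not in seen:
            rejected.append(entry["dn"][0])
        seen.add(dn)
    return rejected
```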
  12. Start the OpenLDAP Directory Service using the procedure defined above. Load a command shell (Start->Run, enter cmd, click OK). At the prompt navigate to the OpenLDAP directory and issue the following commands:

    cd c:\program files\openldap
    ldapadd [-H ldap://ldaphost.example.com] -x -D "cn=jimbob,dc=example,dc=com" -f c:\temp\step-1.ldif -w dirtysecret
    

    If the LDAP server is running on the same host the -H argument can be omitted. Change the -f argument to reflect the path of the ldif file saved above.

  13. To verify the LDIF has worked successfully load an LDAP browser and either use an anonymous binding to dc=example,dc=com at the URL of localhost and port number of 389, or use secure login with a DN of cn=jimbob,dc=example,dc=com and a password of dirtysecret (shown below for LDAPBrowser/Editor using File->Connect).

    Secure connection:

    LDAPBrowser/Editor secure connect

    Anonymous connection:

    LDAPBrowser/Editor anonymous connect

Copyright © 1994 - 2010 ZyTrax, Inc.
Page modified: December 21 2007.

This work is licensed under a Creative Commons License.