CHAPTER 24
LDAP
The Lightweight Directory Access Protocol (LDAP, pronounced
Most people find the concept of LDAP easier to grasp when they think of it as a highly specialized form of database server. Behind the scenes, Fedora uses a database for storing all its LDAP information; however, LDAP does not offer anything as straightforward as SQL for data manipulation!
OpenLDAP uses Sleepycat Software's Berkeley DB (BDB), and sticking with that default is highly recommended. That said, there are alternatives if you have specific needs.
This chapter looks at a relatively basic installation of an LDAP server, including how to host a companywide directory service that contains the names and email addresses of employees. LDAP is a client/server system, meaning that an LDAP server hosts the data and an LDAP client queries it. Fedora comes with OpenLDAP as its LDAP server, along with several LDAP-enabled email clients, including Evolution and Mozilla Thunderbird. This chapter covers all three of these applications.
Because LDAP data is usually available over the Internet — or at least your local network — it is imperative that you make every effort to secure your server. This chapter gives specific instruction on password configuration for OpenLDAP, and we recommend you follow our instructions closely.
Configuring the Server
If you have been using LDAP for years, you are aware of its immense power and flexibility. On the other hand, if you are just trying LDAP for the first time, it will seem like the most broken component you could imagine. LDAP has very specific configuration requirements, is vastly lacking in graphical tools, and has a large number of acronyms to remember. On the bright side, all the hard work you put in will be worth it because, when it works, LDAP will hugely improve your networking experience.
The first step in configuring your LDAP server is to install the client and server applications. Select Add/Remove Applications, click the Details button next to Network Servers, and check openldap-servers. Then click the Details button next to System Tools and select openldap-clients. After you have installed them, close the dialog box and bring up a terminal.
Now switch to the root user and edit /etc/openldap/slapd.conf in the text editor of your choice. This is the primary configuration file for slapd, the OpenLDAP server daemon. Scroll down until you see the lines database, suffix, and rootdn.
This is the most basic configuration for your LDAP system. What is the name of your server? The dc stands for domain component, which is the name of your domain as stored in DNS — for example, example.com. For our examples, we used hudzilla.org. LDAP considers each part of a domain name (separated by a period) to be a domain component, so the domain hudzilla.org is made up of a domain component hudzilla and a domain component org.
Change the suffix line to match your domain components, separated by commas. For example:
suffix "dc=hudzilla,dc=org"
The next line defines the root DN, which is another LDAP acronym meaning
rootdn "cn=root,dc=hudzilla,dc=org"
CN is yet another LDAP acronym, this time meaning common name. A common name is just that — the name a person is usually called. Some people have several common names. Andrew Hudson is a common name, but that same user might also have the common name Andy Hudson. In our rootdn line, we define a complete user: common name root at domain hudzilla.org. These lines are essentially read backward. LDAP goes to org first, searches org for hudzilla, and then searches hudzilla for root.
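To make the domain-component and DN rules concrete, here is an added Python example (not code from the chapter) that turns a DNS domain into a suffix, builds the rootdn from it, and splits a DN back into its parts in the right-to-left order LDAP uses. Function names are assumptions; it also handles backslash-escaped commas inside a value, which the chapter does not mention.

```python
import re

# Added example: derive slapd.conf's suffix and rootdn from a DNS domain,
# and walk a DN in the order LDAP resolves it (rightmost component first).


def domain_to_suffix(domain: str) -> str:
    """Turn 'hudzilla.org' into 'dc=hudzilla,dc=org'."""
    labels = domain.strip().strip(".").split(".")
    for label in labels:
        # DNS labels are letters, digits and hyphens, 1 to 63 characters
        if not re.fullmatch(r"[A-Za-z0-9-]{1,63}", label):
            raise ValueError(f"invalid domain component: {label!r}")
    return ",".join(f"dc={label}" for label in labels)


def build_rootdn(common_name: str, suffix: str) -> str:
    """Prepend a cn= RDN to the suffix, giving e.g. cn=root,dc=hudzilla,dc=org."""
    return f"cn={common_name},{suffix}"


def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.replace("\\,", ",")))
    return pairs


def resolution_order(dn: str) -> list:
    """Values in the order the chapter describes: LDAP reads the DN from the right."""
    return [value for _, value in reversed(split_dn(dn))]
```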
The rootdn is important because it is more than just another person in your directory. The root LDAP user is like the root user in Linux. It is the person who has complete control over the system and can make whatever changes he wants to.
Now comes a slightly more complex part: The LDAP root user needs to be given a password. The easiest way to do this is to open a new terminal window alongside your existing one. Switch to root in the new terminal also, and type slappasswd. This tool generates password hashes for OpenLDAP, using the SHA1 hash algorithm with a random salt. Enter a password when it prompts you. When you have entered and confirmed your password, you should see output like this:
{SSHA}qMVxFT2K1UUmrA89Gd7z6EK3gRLDIo2W
That is the password hash generated from your password. Yours will be different from the one shown here, but what is important is that it has {SSHA} at the beginning to denote it uses salted SHA1. You now need to switch back to the other terminal (the one editing slapd.conf) and add this line below the rootdn line:
rootpw <hash>
You should replace <hash> with the full output from slappasswd, like this:
rootpw {SSHA}qMVxFT2K1UUmrA89Gd7z6EK3gRLDIo2W
That sets the LDAP root password to the one you just generated with slappasswd. That is the last change you need to make in the slapd.conf file, so save your changes and close your editor.
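To show what the {SSHA} string actually contains, here is an added Python example (not from the chapter) that builds such a hash the same way slappasswd does, checks a password against it, and flags a rootpw line that carries a cleartext password instead of a hash. The chapter's sample hash is used only to check its shape; the salt in the test is a constructed value and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Added example: the {SSHA} scheme is base64(sha1(password + salt) + salt).
# The digest is always 20 bytes; whatever follows it is the salt.
SHA1_LEN = 20


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return a '{SSHA}...' string in the same format slappasswd prints."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value: str) -> tuple:
    """Split a {SSHA} string into (digest, salt); raise if it is malformed."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, value: str) -> bool:
    """True if the password matches the stored {SSHA} hash (constant-time compare)."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_is_hashed(line: str) -> bool:
    """True if a slapd.conf rootpw line uses a {SCHEME} hash rather than cleartext."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "rootpw":
        return False
    value = parts[1].strip().strip('"')
    return value.startswith("{") and "}" in value
```

Running rootpw_is_hashed over each line of slapd.conf is a quick way to confirm the directory's root credential was never committed in cleartext.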
Back in the terminal, run the slaptest command. This checks your slapd.conf file for errors and ensures you edited it correctly. Presuming there are no errors, run these two commands:
chkconfig ldap on
service ldap start
These tell Fedora to start OpenLDAP each time you boot up, and to start it right now.
The final configuration step is to tell Fedora which DN it should use if none is specified. You do so by going to System Settings and selecting Authentication. In the dialog box that appears, check Enable LDAP Support in both the User Information tab and Authentication tab. Next, click the Configure LDAP button, enter your DCs (for example, dc=hudzilla,dc=org) for the LDAP Search Base DN, and enter 127.0.0.1 for the LDAP Server. Click OK and then click OK again.
Checking Enable LDAP Support does not actually change the way in which your users log in. Behind the scenes, this forces Fedora to set up the ldap.conf file in /etc/openldap so that