OpenLDAP is a cross-platform, free, and open source implementation of a Lightweight Directory Access Protocol (LDAP) server, released under a BSD-style license (the OpenLDAP Public License). The project started in 1998 and has seen active development and regular releases since then, and it has been widely adopted by commercial-grade systems and applications.
Although WebLogic Server ships with an embedded LDAP server for its default security realm, that server is neither intended nor recommended for application-specific security data. This is where third-party LDAP servers come in: they offer far more flexibility and features for a real-world deployment.
In this section we provide general guidelines for OpenLDAP configuration. Because different operating systems package the software differently, some configuration files may not be present at the same paths; those differences should not affect the ideas expressed here.
The OpenLDAP software is available to several operating systems: Microsoft Windows, Debian, SuSE Linux Enterprise Server, Red Hat, Solaris, Mac OS X, and so on.
It can easily be installed through package managers such as APT, RPM/yum, or MacPorts on Linux and Mac using the following commands:
For Linux with APT:
sudo apt-get install slapd ldap-utils
For RPM-based systems:
sudo yum install openldap-servers openldap-clients nss_ldap
For Mac OSX:
sudo port install openldap
Windows users can download and install the executable package available at http://userbooster.de/en/download/openldap-for-windows.aspx.
The installation may ask for a password for the rootdn user, the administrative user of an OpenLDAP database; binds as rootdn bypass every access control in that database, so treat this password accordingly. Take note of it, as we're going to use it later.
We are currently using version 2.4.35 but any 2.4+ release of OpenLDAP will be sufficient for the features we're going to implement.
Under some distributions, OpenLDAP provides ldap.conf and slapd.conf files with standard values. In other cases these files must be copied or renamed from the default files shipped with the distribution. For example, on a Mac OS X system, the following files must be copied or renamed:
/private/etc/openldap/ldap.conf.default to ldap.conf
/private/etc/openldap/slapd.conf.default to slapd.conf
/private/var/db/openldap/openldap-data/DB_CONFIG.example to DB_CONFIG
On Ubuntu Linux these steps can be skipped, as the configuration files are already in the /etc/ldap directory. Be aware that the Debian/Ubuntu slapd package is configured through the dynamic cn=config database under /etc/ldap/slapd.d rather than through a slapd.conf file; the settings discussed below (suffix, rootdn, rootpw, schema includes) still apply, but there they are stored as attributes such as olcSuffix, olcRootDN and olcRootPW and are changed with ldapmodify against cn=config.
There are also plenty of tutorials and YouTube videos on the basic setup of an LDAP server on Ubuntu and other popular Linux distributions. Refer to them if you have problems performing the basic operations, then return to this section for the configuration specific to our usage.
The files ldap.conf and slapd.conf are the most important ones in an OpenLDAP configuration: ldap.conf holds the client-side defaults used by the ldap* command-line tools, and slapd.conf configures the server itself. DB_CONFIG is not the directory database; it is the Berkeley DB environment configuration for the bdb/hdb backend (cache size, transaction log settings). The database files that hold the actual entries, such as users and groups, live alongside it in the data directory.
After copying or renaming the files, open ldap.conf (under /private/etc/openldap on Mac or at /etc/ldap/ldap.conf on Ubuntu/Linux) so we can set or uncomment the BASE value used for the LDAP tree. Note that we're going to use example.com as our base domain:
## Make sure you have the BASE uncommented
BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
If you later uncomment URI to point the tools at a remote server, prefer an ldaps:// URI or enable TLS; a simple bind over plain ldap:// sends the bind password in cleartext.
Use the slappasswd command to generate a hashed password, or use the default password secret when asked for a password by the next command. Depending on your OS, you may already have set this password during the installation. Example:
$ slappasswd -s welcome1
{SSHA}Pcvcy4CpSL4BVLA0MWLtKM9XbV3Tw3q+
Two things to keep in mind: the -s option puts the password on the command line, where it is visible in the process list and in your shell history, so omit it and let slappasswd prompt you when the password matters; and the {SSHA} scheme is salted, so your output will differ from the value shown even for the same password.
Now we're going to use this hashed value for the rootpw directive in the configuration file. Also check or set the suffix and rootdn values in slapd.conf as follows:
suffix  "dc=example,dc=com"
rootdn  "cn=Manager,dc=example,dc=com"
# Use of strong authentication is encouraged
rootpw  {SSHA}Pcvcy4CpSL4BVLA0MWLtKM9XbV3Tw3q+
Never put a cleartext value in rootpw; slapd accepts one, but anyone who can read slapd.conf would then have the administrative password directly.
Still in slapd.conf, there is a section that includes the schemas used by this instance of OpenLDAP. Enable the additional schemas needed to store other commonly required information and structures in the directory service:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /private/etc/openldap/schema/core.schema
include /private/etc/openldap/schema/cosine.schema
include /private/etc/openldap/schema/nis.schema
include /private/etc/openldap/schema/inetorgperson.schema
The paths shown are the Mac OS X ones; on Linux the schema directory is usually /etc/ldap/schema or /etc/openldap/schema. Keep the order: inetorgperson.schema depends on definitions from cosine.schema, and the inetOrgPerson object class is required for the user entries imported below. Also heed the comment in the file header: slapd.conf contains the rootpw hash, so it should be readable only by the account slapd runs as.
To test what we have configured so far, we need to restart the OpenLDAP server. It is worth running slaptest first, which checks slapd.conf for syntax errors without starting the server; then restart with a command like the following:
sudo /etc/init.d/slapd restart
Or, on Mac OS X, run slapd in the foreground with debug output at level 3, which makes configuration and bind problems visible immediately:
sudo /usr/libexec/slapd -d3
Now you can load the default entries from the export file provided with the book bundle using the following command (-x selects a simple bind rather than SASL, -c continues past entries that fail to add, -D and -W give the bind DN and prompt for its password, and -f names the LDIF file):
sudo ldapadd -x -c -D "cn=Manager,dc=example,dc=com" -W -f ldap_export.ldif
After that you can list all the entries with a command like this (-z 0 removes the client-side size limit):
ldapsearch -x -z 0 -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -W "(objectclass=*)"
If you followed all the steps and imported the file we're providing with the book, the output should look like this:
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: organizationalUnit
objectClass: dcObject
dc: example
ou: example

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

# [email protected], people, example.com
dn: [email protected],ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: [email protected]
sn: Robert
mail: [email protected]
userPassword: XXXX

# admin, groups, example.com
dn: cn=admin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: admin
member: [email protected],ou=people,dc=example,dc=com
ou: admin

# [email protected], people, example.com
dn: [email protected],ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: [email protected]
sn: john
userPassword:: XXXX
Note that the userPassword values (masked here) are returned at all only because the search binds as the rootdn, which bypasses access control. The double colon in userPassword:: marks a base64-encoded value, which is how ldapsearch prints values that are binary or contain characters it cannot show literally. An application such as a WebLogic authentication provider should bind as a less privileged DN, and slapd.conf should carry an access directive for the userPassword attribute that lets an entry write its own password, lets anonymous clients use it for authentication only, and denies everyone else; with that in place, the same search under a non-administrative bind will not return the hashes.
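Reading the LDIF that ldapsearch prints is the quickest way to audit what was actually imported. The following added example (not code from the book bundle) parses output in that shape, including the "::" base64 form and the folded continuation lines ldapsearch emits for long values, resolves a groupOfNames' member DNs to their entries, and flags userPassword values that are stored in cleartext or in a scheme outside an allowed set. The sample LDIF is constructed for the example: the DNs and the cleartext "secret" are made up, and the {SSHA} value is the one shown for slappasswd earlier on the page, base64-encoded as ldapsearch would print it.

```python
import base64
from typing import Dict, List

# Constructed sample in the shape of the ldapsearch output above. DNs and the
# cleartext "secret" for bob are made up for this example; jane's value is the
# page's slappasswd output in the base64 ("::") form ldapsearch uses.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# jane, people, example.com
dn: cn=jane,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: jane
sn: Doe
userPassword:: e1NTSEF9UGN2Y3k0Q3BTTDRCVkxBME1XTHRLTTlYYlYzVHczcSs=

# bob, people, example.com
dn: cn=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: bob
sn: Smith
userPassword: secret

# admin, groups, example.com
dn: cn=admin,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admin
member: cn=jane,ou=people,dc=example,dc=com
member: cn=bob,ou=people,dc=ex
 ample,dc=com
"""

Entries = Dict[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> Entries:
    """Parse LDIF records into {dn: {attribute: [values]}}.

    Handles comment lines, blank-line record separators, the "name:: base64"
    form, and folded lines (a leading space continues the previous line),
    which ldapsearch produces for values longer than 76 characters.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries: Entries = {}
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:  # trailing blank line flushes the last record
        if line.startswith("#"):
            continue
        if line == "":
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):  # "name:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def password_scheme(value: str) -> str:
    """Return the {SCHEME} name of a userPassword value, or "" for cleartext."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return ""


def weak_password_entries(entries: Entries, allowed=("SSHA",)) -> Dict[str, str]:
    """DNs whose userPassword is cleartext or uses a scheme outside *allowed*.

    Run it over a rootdn search right after the import: that bind bypasses
    ACLs, so every stored password value is visible and can be audited at once.
    """
    findings: Dict[str, str] = {}
    for dn, attrs in entries.items():
        for value in attrs.get("userPassword", []):
            scheme = password_scheme(value)
            if scheme not in allowed:
                findings[dn] = scheme or "cleartext"
    return findings


def group_members(entries: Entries, group_dn: str) -> List[Dict[str, List[str]]]:
    """Resolve a groupOfNames' member DNs to the entries themselves."""
    return [entries[dn] for dn in entries[group_dn].get("member", []) if dn in entries]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(weak_password_entries(parsed))
    print([m["cn"][0] for m in group_members(parsed, "cn=admin,ou=groups,dc=example,dc=com")])
```

Feed it the real output with `parse_ldif(open("search.ldif").read())` after redirecting ldapsearch to a file. A cleartext finding means the LDIF you imported carried a plain userPassword value; fix the source file (or set password-hash in slapd.conf and let slapd hash on write) rather than leaving it in the directory.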
That's it: every required piece of software is now installed and configured.