These notes assume the directory is for a fictional organization, Example Company Ltd, with domain name example.com.
These steps are written with no security in mind.
Edit /etc/openldap/slapd.conf and include these lines:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# optional, if you need to use samba:
include /etc/openldap/schema/samba.schema
(A copy of samba.schema)
Enable logging of connections/operations/results:
loglevel 256
And these to create a special admin object of the tree:
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}VURhzY+1KIO1MFmEHw92KcYzoevdpKn/
The rootpw value is generated with slappasswd (omit -s and it prompts for the password instead of taking it on the command line, where it would end up in the shell history and process list):
slappasswd -h {SSHA} -s <password>
Add these lines to /etc/syslog.conf to get a separate log file (slapd logs to the local4 facility by default):
# ldap
local4.* -/var/log/ldap.log
The root object, of course, is the organization itself. Its DN is dc=example,dc=com and it belongs to the dcObject and organization object classes.
cat <<EOT | ldapadd -x -D "cn=admin,dc=example,dc=com" -W
# root object
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company Ltd
dc: example
EOT
cat <<EOT | ldapadd -x -D "cn=admin,dc=example,dc=com" -W
# directory administrator
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}VURhzY+1KIO1MFmEHw92KcYzoevdpKn/
description: Directory administrator
EOT
1. The organizationalRole object class is used to define entries that represent roles
held by people within an organization.
2. The simpleSecurityObject object class is used to require an entry
to have a 'userPassword' attribute when the entry's structural object
class does not require (or allow) the 'userPassword' attribute.
List all entries starting from the root object downward:
ldapsearch -x -b 'dc=example,dc=com'
Output:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Company Ltd
dc: example
# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: {SSHA}VURhzY+1KIO1MFmEHw92KcYzoevdpKn/
description: Directory administrator
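The two points above about organizationalRole and simpleSecurityObject come down to which attributes each object class makes mandatory (its MUST list in core.schema), and ldapsearch output like the listing above is where you would check that. The Python below is an added example, not part of these notes; it parses LDIF the way ldapsearch emits it (comments, base64 "::" values, folded continuation lines) and reports entries missing a MUST attribute. The MUST table covers only the four object classes used on this page, and the sample LDIF is constructed to mirror the listing above, with the userPassword value base64-encoded as a real ldapsearch would print it.

```python
# Added example (not from the page): parse ldapsearch LDIF output and check each
# entry carries the attributes its object classes require (MUST attributes).
import base64
from typing import Dict, List

# MUST attributes of the object classes used on this page, per core.schema.
MUST = {
    "dcObject": {"dc"},
    "organization": {"o"},
    "organizationalRole": {"cn"},
    "simpleSecurityObject": {"userPassword"},
}

PAGE_HASH = "{SSHA}VURhzY+1KIO1MFmEHw92KcYzoevdpKn/"

# Constructed sample mirroring the page's ldapsearch listing; ldapsearch base64-encodes
# userPassword (hence "::"), and a line starting with a space continues the previous one.
SAMPLE_LDIF = f"""# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Company Ltd
dc: example

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: {base64.b64encode(PAGE_HASH.encode("utf-8")).decode("ascii")}
description: Directory
  administrator
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries, each mapping attribute name -> list of values."""
    unfolded: List[str] = []
    for raw in text.splitlines():            # join folded lines (leading space = continuation)
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip(), validate=True).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def attr(entry: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def missing_must(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {objectClass: [missing attributes]} for every MUST attribute the entry lacks."""
    present = {k.lower() for k in entry}
    missing: Dict[str, List[str]] = {}
    for oc in attr(entry, "objectClass"):
        lacking = sorted(a for a in MUST.get(oc, set()) if a.lower() not in present)
        if lacking:
            missing[oc] = lacking
    return missing


def check_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each DN with a schema problem to what it is missing; empty dict means all good."""
    return {attr(e, "dn")[0]: missing_must(e) for e in parse_ldif(text) if missing_must(e)}


if __name__ == "__main__":
    print(check_ldif(SAMPLE_LDIF))   # {} for the sample above
```

Feed it real output with something like ldapsearch -x -b 'dc=example,dc=com' > dump.ldif and call check_ldif on the file contents; slapd itself rejects an add that violates MUST, so this mostly helps when reviewing LDIF before loading it or when comparing a dump against expectations.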
Install phpldapadmin to make managing the directory easier.
Official site: http://www.phpldapadmin.org/
Edit config/config.php and modify these settings:
$config->custom->appearance['language'] = 'en';
$config->custom->jpeg['tmpdir'] = '/tmp';
$config->custom->appearance['timezone'] = 'Asia/Hong_Kong';
$servers->setValue('server','name','Example Ltd - LDAP Server');