Monday, July 26, 2010


LDAP (Lightweight Directory Access PROTOCOL) is a protocol for querying and modifying directory services that act on TCP / IP. LDAP uses X.500 model structure, ie, tree structure entries each of which consists of a set of named attributes and values stored in turn.

Software required minimum.

authconfig-gtk-04/06/1910 (optional)

Installing via yum.

yum-y install openldap openldap-clients openldap-servers authconfig authconfig-gtk

Installing via up2date.
up2date-i openldap openldap-clients openldap-servers authconfig authconfig-gtk

For purposes of organization will create a specific directory for this directory and configure access permissions only to the user and group ldap.

mkdir / var / lib / ldap / authenticate chmod 700 / var / lib / ldap / authentication ldap.ldap chown / var / lib / ldap / authentication

Create the password to be assigned to the user in the LDAP directory administrator. Just run from a terminal:


This should give as output a ciphertext as shown below:


The output text will be used later in the file / etc / openldap / slapd.conf and defined the user Administrator as used for access with full privileges to the directory.

Edit the file / etc / openldap / slapd.conf and verifies that the minimum required schema files are present. Thus, it should be something like:

# # See slapd.conf (5) for details on configuration options. # This file should NOT be world readable. # Include / etc / openldap / schema / core.schema include / etc / openldap / schema / cosine.schema include / etc / openldap / schema / inetorgperson.schema include / etc / openldap / schema / nis.schema

Regardless of what you already have configured, and will not be touched, is appended to the file / etc / openldap / slapd.conf as follows in order to define the new directory which will henceforth be used to authenticate all the web local:

database bdb suffix "dc = codigolibre, dc = local" rootdn "cn = admin, dc = codigolibre, dc = local" (SSHA) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX rootpw directory / var / lib / ldap / authentication # Indices to Maintain for this database index objectClass eq , pres index ou, cn, mail, surname, givenname eq, pres, sub index uidNumber, gidNumber, loginShell eq, pres index uid, memberUid eq, pres, sub index nisMapName, nisMapEntry eq, pres, sub

Start the LDAP service and add it to the rest of the services that start with the system:

service ldap start chkconfig ldap on

Edit the file / usr / share / openldap / migration / and modify the values of the variables $ DEFAULT_MAIL_DOMAIN and $ DEFAULT_BASE so that they are as follows:

# Default DNS domain $ DEFAULT_MAIL_DOMAIN = "codigolibre.local" # Default base $ DEFAULT_BASE = "dc = codigolibre, dc = local;

Then you must create the object which in turn contain the rest of the data in the directory. Create a file base.ldif follows:

/ Usr / share / openldap / migration /> base.ldif

Ldapadd is used to insert the necessary data. The options used with this command are:

-X-W request simple authentication password-D binddn Distinguished Name (dn) to use-h host LDAP server to access file-f file to use

Once understood the above, we proceed to insert the information generated in the directory using the following:

ldapadd-x-W-D 'cn = admin, dc = codigolibre, dc = local'-h base.ldif

Once done, it can begin to populate the directory with data. The first will import the existing users and groups in the system. Perform the import using the scripts for users as follows:

/ Usr / share / openldap / migration / / etc / group group.ldif
/ Usr / share / openldap / migration / / etc / passwd passwd.ldif

This will create the files and passwd.ldif group.ldif, which include group information and accounts on the system, including passwords. The data can be inserted into the LDAP directory using the following:

ldapadd-x-W-D 'cn = Administrator, dc = your-network-local, dc = com "-h group.ldif
ldapadd-x-W-D 'cn = Administrator, dc = your-network-local, dc = com "-h passwd.ldif

Before you configure the system to use LDAP to authenticate, but check that everything works correctly.

The following command verifies that there are directories available on the server

ldapsearch-h''-s base '(objectclass =*)' namingContexts 

This should return output similar to the following:

# Extended LDIF
# LDAPv3
# Base <> with scope base
# Filter: (objectclass =*)
# Requesting: namingContexts

namingContexts: codigolibre dc =, dc = local

# Search result
search: 2
result: 0 Success

# NumResponses: 2
# NumEntries: 1

The following command should return all the information of all the requested directory (dc = your-network-local, dc = com).
ldapsearch-x-b 'dc = codigolibre, dc = local' '(objectclass =*)' 

Another example is to perform a specific search for a particular user. Assuming that the system has a user named guy, can be implemented:

ldapsearch-x-b 'uid = guy, ou = People, dc = codigolibre, dc = local' 

This should return something like the following:

# Extended LDIF
# LDAPv3
# Base with scope sub
# Filter: (objectclass =*)
# Requesting: ALL

# Guy, People, codigolibre.local
dn: uid = guy, ou = People, dc = codigolibre, dc = local
uid: guy
cn: John Doe
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: xxxxxxxxxxxx
shadowLastChange: 12 594
shadowMax: 99999
shadowWarning: 7
loginShell: / bin / bash
uidNumber: 505
gidNumber: 505
HomeDirectory: / home / guy

# Search result
search: 2
result: 0 Success 

# NumResponses: 2
# NumEntries: 1

Configuring clients.

Define the values for the parameters and base host to establish to what server and what directory to connect. For practical purposes, the value of basic parameters must be the same as specified in the file / etc / openldap / slapd.conf for the parameter suffix

# Your LDAP server. Must be resolvable Without using LDAP.
# Multiple hosts May be specified, separated by a Each
# Space. How long nss_ldap Takes to failover depends on
# Whether your LDAP client library Supports configurable
# Network or connect timeouts (see bind_timelimit).

# The distinguished name of the search base.
codigolibre base dc =, dc = local

What follows is to use either or authconfig authconfig-gtk to configure the system so as to use the LDAP server to authenticate. 

authconfig (text mode)
Enable the check boxes and Using LDAP Authentication Using LDAP and press Tab to Next and press Enter and verify data and directory server to use are correct.

Authconfig, main screen.


There are a lot of programs to access and manage LDAP servers. One of the most comprehensive currently phpldapadmin.

Simply download the phpldapadmin and place it in your apache root folder.

tar-xvzf phpldapadmin (version). tar.gz

Just rename the folder with the name phpldapadmin.

mv phpldapadmin (version) phpldapadmin

Then we go to the browser and type http://ipdelservidorweb/phpldapadmin.

In the login screen, type in the following

DN Login

dc = admin, cn = codigolibre, dc = local

And then the key.

Now with this we have the ldap server functional.

Data backup.

You must stop the LDAP service before proceeding with data backup.

service ldap stop

Then the tool is used slapcat, using the configuration file / etc / openldap / slapd.conf.

slapcat-v-f / etc / openldap / slapd.conf-l backup-$ (date +% Y% m% d). ldif

Upon completion of the data backup process can start again the ldap service.

service ldap start

Restoring data.

The procedure requires stopping the service.

service ldap stop

Should be removed to restore directory data.

rm-f / var / lib / ldap / authentication / *

Then slapadd tool is used to load data from a backup file *. dif.

slapadd-v-c-l-20061003.ldif backup-f / etc / openldap / slapd.conf

You must run the tool slapindex, which is used to regenerate the indexes LDAP.


Completed the process of restoring data, you can start again the ldap service.

service ldap start