openldap - LDAP server, library, and tools ChangeLog



# OpenLDAP
# ========
# As I write this, version 2.6.6 is also available, but I'm short on time,
# and am not able to handle the major version upgrade-isms this time.
# So, I'm sticking with the latest 2.5.x for now (rather than having both
# here).  2.5.x is currently considered the LTS release and 2.6.x is the
# feature release.

# Slackware 14.0: openldap-client 2.4.31
# Slackware 14.1: openldap-client 2.4.31
# Slackware 14.2: openldap-client 2.4.42
# Slackware 15.0: openldap 2.4.59
# Always check patches for updates

# The first set of instructions below covers installing OpenLDAP for the
# libraries and utilities.  The second set covers installing the slapd
# server.

# If you need a NSS or PAM module for LDAP, see the nss_ldap and pam_ldap
# HOWTOS

# OpenLDAP documentation:
# Release Documents
# Administrator's Guide
# Faq-O-Matic
# Some of the man pages: slapd, slapd.conf, slapd.access

# Since at least 2002 or so, I let it use the default prefix of /usr/local
# but now use --prefix=/usr so everything goes to the same place as
# the Slackware package.  If you leave that off, it will end up under
# whatever the default prefix is currently.
#
# If you have one installed under /usr/local and want to put the new
# one under /usr, back up everything, then run "make uninstall" as root
# from the current/old version's source directory before you begin here.

## Be aware that if you're going from OpenLDAP 2.4.x to 2.5.x and other
## applications are linked with the 2.4.x version shared libraries, they
## may break when you do this until you recompile them.  This may or may
## not help:
# ln -s libldap.so libldap-2.4.so.0
# ln -s liblber.so liblber-2.4.so.0
# ldconfig

# Slackware uses /usr/man instead of /usr/share/man, OpenLDAP will install
# man pages in /usr/share/man by default.  So, either create a symlink:
#   su -c "ln -s /usr/man /usr/share/man"
# ...or add /usr/share/man to MANDIR
# ...or pass --mandir=/usr/man to configure below

# OpenLDAP 2.5.16 is now available

# A list of download locations is on the download page:
# https://www.openldap.org/software/download/
# Or you can get the MIRRORS list from the download site (served over HTTPS):
# https://www.openldap.org/software/download/OpenLDAP/MIRRORS


# OpenLDAP 2.5.16 - just the libraries and utilities (no slapd)
# ===============
# Go with this one if you only need the libraries and/or tools for
# other software to have LDAP support.  This does not include the
# slapd server.

# Prerequisites:
# OpenSSL or GnuTLS or Mozilla NSS
# ncurses or termcap
# readline

# OpenLDAP, nss_ldap, and pam_ldap used to live together under an ldap/
# subdirectory here.  If yours still do, flatten them into the usual places.
cd
if test -d installed/ldap; then
  mv -f installed/ldap/* installed/ && rmdir installed/ldap
fi
if test -d src/ldap; then
  mv -f src/ldap/* src/ && rmdir src/ldap
fi

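# Get the source
cd
test -f installed/openldap-2.5.16.tgz &&
mv installed/openldap-2.5.16.tgz .
test ! -f openldap-2.5.16.tgz &&
wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/\
openldap-2.5.16.tgz

# Verify tarball w/ sha256sum.  'sha256sum -c' only prints OK/FAILED and
# the following steps would still run; the extra message on stderr makes a
# mismatch hard to miss when pasting the rest of this HOWTO.
echo "546ba591822e8bb0e467d40c4d4a30f89d937c3a507fe83a578f582f6a2113\
27  openldap-2.5.16.tgz" | sha256sum -c ||
printf '*** sha256 mismatch: do NOT extract openldap-2.5.16.tgz ***\n' >&2

# Verify tarball w/ gpg.  Once a key is imported, 'gpg --verify' reports a
# good signature from it regardless of trust, so a key fetched from the same
# site as the tarball proves little on its own - compare its fingerprint
# ('gpg --fingerprint <KEY-ID-FROM-IMPORT-OUTPUT>') against one obtained
# through another channel.  The tarball is named explicitly so it is clear
# which file the detached signature is checked against.
wget -nc https://www.openldap.org/software/download/OpenLDAP/\
gpg-pubkey.txt &&
gpg --import gpg-pubkey.txt && rm gpg-pubkey.txt
wget -nc https://www.openldap.org/software/download/OpenLDAP/\
openldap-release/openldap-2.5.16.tgz.asc &&
gpg --verify openldap-2.5.16.tgz.asc openldap-2.5.16.tgz &&
rm openldap-2.5.16.tgz.asc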

# Extract the source into ~/src, removing any older openldap-* tree first
mkdir -p -m 0700 ~/src
cd ~/src
find . -maxdepth 1 -type d -name "openldap-*" -exec rm -r {} \;
tar xzvf ~/openldap-2.5.16.tgz
cd openldap-2.5.16
# When unpacking as root, don't keep the owners recorded in the tarball
if test "$UID" = 0; then
  chown -R root:root .
fi

# In addition to the online documentation referred to above, read:
# ./README, ./INSTALL, and (if this is an upgrade) ./CHANGES

# You can select between OpenSSL, GnuTLS, and Mozilla NSS by using
# --with-tls= and then openssl, gnutls, or moznss
# Without specifying one, it should use them in that order

## As of OpenSSL 1.1.0, the default prefix is /usr/local.  If yours is
## fully installed under /usr/local/ssl, add LDFLAGS and CPPFLAGS to
## the beginning of your configure line like so:
# LDFLAGS=-L/usr/local/ssl/lib64 CPPFLAGS=-I/usr/local/ssl/include \

# Configure the no-slapd build.  Only the x86_64 case needs --libdir, so
# libraries land in /usr/lib64 like the Slackware package's; everything
# else takes the default libdir.
case $(uname -m) in
  x86_64)
    ./configure --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 \
    --localstatedir=/var --mandir=/usr/man --without-cyrus-sasl --disable-slapd
    ;;
  *)
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
    --mandir=/usr/man --without-cyrus-sasl --disable-slapd
    ;;
esac

# Build it
make depend
make

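# Become root to install it
su

# If you have a /usr/local/etc/openldap and you've already backed it up
# as advised, zap it
test -d /usr/local/etc/openldap && rm -r /usr/local/etc/openldap

# Back up OpenLDAP configuration in /etc/openldap.  The archive holds
# slapd.conf (rootpw) and any TLS key, hence mode 0700 on ~/backup.
# 'cd &&' keeps tar from archiving the current directory (the source tree)
# should the cd fail for some reason.
test ! -d ~/backup && mkdir -m 0700 ~/backup
test -d /etc/openldap &&
( cd /etc/openldap &&
   tar cJvf ~/backup/openldap-$(date +%y%m%d).tar.xz . )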

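# Remove the Slackware package, if there is one
test -x /sbin/removepkg && /sbin/removepkg openldap-client

# The Slackware package may leave behind a /usr/lib*/liblber* and
# libldap* because they are also part of the aaa_elflibs|aaa_libraries
# package.  You may find running daemons like CUPS's cupsd, Samba's smbd &
# nmbd, and Cyrus SASL's saslauthd are using it.  Probably best to leave it
# there, but if those things are working OK with the new version installed
# here, zap the old ones later.

# If you're able (check with ldd, etc.), clean up old shared libraries
# The safe option is to skip this, then you may be left with old versions
# taking up disk space - after 'make install' look through the output of
# 'ls -l /usr/lib*/lib{ldap,lber}*'
# Only the old version library files should have a date other than today
#
# 'cd &&' matters here: were the cd to fail, the rm would otherwise run in
# the current directory - the source tree whose freshly built libraries
# match these very patterns.
for libdir in /usr/lib /usr/lib64; do
  test -d "$libdir" &&
  ( cd "$libdir" &&
    rm -f libldap.* libldap_r.* liblber.* \
     libldap-2.*.so.* libldap_r-2.*.so.* liblber-2.*.so.* )
done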

# Install it
make install
ldconfig

# Hand the source tree back to the login user so it can be removed later
# without needing root again
chown -R "$(logname)" .
chmod -R u+w .

# Become yourself again
exit

# Keep the tarball under ~/installed for later, replacing any older ones
cd ~
mkdir -p -m 0700 installed
rm -f -- installed/openldap-*.tgz
mv -- openldap-2.5.16.tgz installed/


# OpenLDAP 2.5.16
# ===============
# Prerequisites:
# OpenSSL or GnuTLS or Mozilla NSS
# Berkeley db4 >= 4.2 (for the BDB and HDB backends)
# Cyrus SASL (optional; if you don't pass --without-cyrus-sasl)
# GMP
# ncurses or termcap
# readline
# ICU (optional; Unicode library)

# OpenLDAP, nss_ldap, and pam_ldap used to live together under an ldap/
# subdirectory here.  If yours still do, flatten them into the usual places.
cd
if test -d installed/ldap; then
  mv -f installed/ldap/* installed/ && rmdir installed/ldap
fi
if test -d src/ldap; then
  mv -f src/ldap/* src/ && rmdir src/ldap
fi

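# Get the source
cd
test -f installed/openldap-2.5.16.tgz &&
mv installed/openldap-2.5.16.tgz .
test ! -f openldap-2.5.16.tgz &&
wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/\
openldap-2.5.16.tgz

# Verify tarball w/ sha256sum.  'sha256sum -c' only prints OK/FAILED and
# the following steps would still run; the extra message on stderr makes a
# mismatch hard to miss when pasting the rest of this HOWTO.
echo "546ba591822e8bb0e467d40c4d4a30f89d937c3a507fe83a578f582f6a2113\
27  openldap-2.5.16.tgz" | sha256sum -c ||
printf '*** sha256 mismatch: do NOT extract openldap-2.5.16.tgz ***\n' >&2

# Verify tarball w/ gpg.  Once a key is imported, 'gpg --verify' reports a
# good signature from it regardless of trust, so a key fetched from the same
# site as the tarball proves little on its own - compare its fingerprint
# ('gpg --fingerprint <KEY-ID-FROM-IMPORT-OUTPUT>') against one obtained
# through another channel.  The tarball is named explicitly so it is clear
# which file the detached signature is checked against.
wget -nc https://www.openldap.org/software/download/OpenLDAP/\
gpg-pubkey.txt &&
gpg --import gpg-pubkey.txt && rm gpg-pubkey.txt
wget -nc https://www.openldap.org/software/download/OpenLDAP/\
openldap-release/openldap-2.5.16.tgz.asc &&
gpg --verify openldap-2.5.16.tgz.asc openldap-2.5.16.tgz &&
rm openldap-2.5.16.tgz.asc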

# Extract the source into ~/src, removing any older openldap-* tree first
mkdir -p -m 0700 ~/src
cd ~/src
find . -maxdepth 1 -type d -name "openldap-*" -exec rm -r {} \;
tar xzvf ~/openldap-2.5.16.tgz
cd openldap-2.5.16
# When unpacking as root, don't keep the owners recorded in the tarball
if test "$UID" = 0; then
  chown -R root:root .
fi

# In addition to the online documentation referred to above, read:
# ./README, ./INSTALL, and (if this is an upgrade) ./CHANGES

# Add --with-wrappers to the configure line below if you want TCP wrappers
# support (/etc/hosts.allow, /etc/hosts.deny)

# If you DO need IPv6 support, leave off --disable-ipv6 below

## If you're building with a Berkeley DB 4.2.x, installed from
## source under /usr/local/BerkeleyDB.x.x, include the LDFLAGS and CPPFLAGS
## parts before the configure line
# LDFLAGS=-L/usr/local/BerkeleyDB.4.2/lib \
# CPPFLAGS=-I/usr/local/BerkeleyDB.4.2/include \

# If you are building in SASL auxprop support, you need SASL with OpenLDAP
# support, and OpenLDAP with SASL support.  Generally, the best way of
# getting that seems to be to build SASL without LDAP support, then OpenLDAP
# with SASL support, then SASL again with LDAP support.  If you have SASL
# installed but do not want support for it built-in, pass
# --without-cyrus-sasl to configure.

# You can select between OpenSSL, GnuTLS, and Mozilla NSS by using
# --with-tls= and then openssl, gnutls, or moznss

# In the past, I had always had trouble building it with GnuTLS, but it
# succeeded with OpenLDAP 2.4.46 and GnuTLS 3.5.19

## If your OpenSSL is not installed under /usr/local/ssl, as was the
## default < 1.1.0, you can leave off the LDFLAGS/CPPFLAGS parts
# LDFLAGS=-L/usr/local/ssl/lib CPPFLAGS=-I/usr/local/ssl/include \

# Configure the build.  Only the x86_64 case needs --libdir, so libraries
# land in /usr/lib64 like the Slackware package's; everything else takes
# the default libdir.
case $(uname -m) in
  x86_64)
    ./configure --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 \
    --localstatedir=/var --mandir=/usr/man --without-cyrus-sasl \
    --disable-ipv6
    ;;
  *)
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
    --mandir=/usr/man --without-cyrus-sasl --disable-ipv6
    ;;
esac

# Build it
make depend
make

# Run the test suite; this takes a while
make test

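# Become root to install it
su

# If you have an old /usr/local/etc/openldap and you've already backed it up
# as advised, zap it
test -d /usr/local/etc/openldap && rm -r /usr/local/etc/openldap

# Back up OpenLDAP configuration in /etc/openldap.  The archive holds
# slapd.conf (rootpw) and any TLS key, hence mode 0700 on ~/backup.
# 'cd &&' keeps tar from archiving the current directory (the source tree)
# should the cd fail for some reason.
test ! -d ~/backup && mkdir -m 0700 ~/backup
test -d /etc/openldap &&
( cd /etc/openldap &&
   tar cJvf ~/backup/openldap-$(date +%y%m%d).tar.xz . )

# If you have a running slapd, dump the contents and back that up too.
# The LDIF contains every userPassword value in the directory, so it is
# written under umask 077 (file mode 0600) rather than your default umask.
test -d ~/backup/ldap &&
( umask 077
  slapcat -l ~/backup/ldap/ldap-backup-$(date +%Y%m%d).ldif )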

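# Remove the Slackware package, if there is one
test -x /sbin/removepkg && /sbin/removepkg openldap-client

# The Slackware package may leave behind a /usr/lib*/liblber* and
# libldap* because they are also part of the 'aaa_elflibs' package.  You
# may find running daemons like CUPS's cupsd, Samba's smbd & nmbd, and
# Cyrus SASL's saslauthd are using it.  Probably best to leave it there,
# but if those things are working OK with the new version installed here,
# zap the old ones later.

# If you're able (check with ldd, etc.), clean up old shared libraries.
# 'cd &&' matters here: were the cd to fail, the rm would otherwise run in
# the current directory - the source tree whose freshly built libraries
# match these very patterns.
for libdir in /usr/lib /usr/lib64; do
  test -d "$libdir" &&
  ( cd "$libdir" &&
    rm -f libldap.* libldap_r.* liblber.* \
     libldap-2.*.so.* libldap_r-2.*.so.* liblber-2.*.so.* )
done

# If slapd is running, stop it (killall sends SIGTERM by default, giving
# it a chance to shut down normally)
killall slapd

# This will zap the whole configuration directory - obviously only do this
# if you want to clean up old files and restore from your backup.
test -d /etc/openldap && rm -r /etc/openldap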

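# Install it
make install
ldconfig

# After 'make install', if this is an upgrade, your existing 'schema'
# directory will be renamed schema.nnnn, so you may need to move that back
# now if you have customizations in there.

# If this is a first-time installation, open up the sample
# /etc/openldap/slapd.conf

# To generate a password to include in slapd.conf that will be more secure
# than a clear-text one, run 'slappasswd' then put the output in slapd.conf
# for rootpw

# Restore the backed up files (if they exist)
# Everything will be in /etc/openldap/old, move it in place as necessary
# Use 'diff -u' to compare the old version with the new version
#
# Chained with && so that if 'old' cannot be created or entered, tar does
# not unpack the backup straight over the freshly installed /etc/openldap.
# The backup holds slapd.conf and any TLS key, hence mode 0700 on old/
# (-p keeps the "continue if it already exists" behaviour).
( cd /etc/openldap &&
  mkdir -p -m 0700 old &&
  cd old &&
  tar xJvf ~/backup/openldap-$(date +%y%m%d).tar.xz )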

## Add these to /etc/services if they're not already in there (in recent
## versions of Slackware they already are).  Only add ldaps if you're
## going to set that up; slapd won't use ldaps by default - it will use
## ldap + TLS though.
# ldap 389/tcp
# ldap 389/udp
# ldaps 636/tcp
# ldaps 636/udp
#
## If you're feeling lazy, this will do it for you if they're not already
## in there:
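# 'egrep' is deprecated (recent GNU grep warns about it) and 'echo -e' is
# not portable, so this uses 'grep -E' and printf; the appended lines are
# byte-for-byte the same as before (name, two tabs, port/proto).
grep -E -q "^ldap[[:space:]]+389/tcp" /etc/services ||
printf 'ldap\t\t389/tcp\n' >> /etc/services
grep -E -q "^ldap[[:space:]]+389/udp" /etc/services ||
printf 'ldap\t\t389/udp\n' >> /etc/services
grep -E -q "^ldaps[[:space:]]+636/tcp" /etc/services ||
printf 'ldaps\t\t636/tcp\n' >> /etc/services
grep -E -q "^ldaps[[:space:]]+636/udp" /etc/services ||
printf 'ldaps\t\t636/udp\n' >> /etc/services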

# If you need TLS support for slapd, you will need a certificate to use.
# If you don't have a real one, you can get a Let's Encrypt or CAcert one
# for free.  Otherwise, create a self-signed cert with OpenSSL:
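# Done as root.  'umask 077' makes the combined key+cert file mode 0600 from
# the moment openssl creates it, instead of being world-readable until the
# chmod runs (-nodes leaves the private key unencrypted on disk, which slapd
# needs in order to start unattended).  'hostname -f' is read once so every
# step refers to the same file, and 'cd || exit' stops the subshell rather
# than writing the key into the current directory.
( umask 077
  cd /etc/openldap || exit
  fqdn=$(hostname -f)
  test ! -f "$fqdn.pem" &&
    openssl req -new -x509 -nodes -out \
     "$fqdn.pem" -keyout "$fqdn.pem" -days 9999
  chmod 600 "$fqdn.pem" )
# Clients that verify the server name check the certificate's subjectAltName;
# with OpenSSL 1.1.1 or newer you can add one at creation time with
# -addext "subjectAltName=DNS:<your fqdn>".  Give clients only the
# certificate half (e.g. 'openssl x509 -in host.pem -out host.crt'), never
# the combined .pem, which also contains the private key.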

# Add these lines to /etc/openldap/slapd.conf, replacing ldap.foo.org
# with whatever 'hostname -f' outputs (or whatever name you used above):
TLSCertificateFile /etc/openldap/ldap.foo.org.pem
TLSCertificateKeyFile /etc/openldap/ldap.foo.org.pem
TLSCACertificateFile /etc/openldap/ldap.foo.org.pem

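# Make sure your configuration file is only readable and writeable by root
# (or the chroot user if you set that up):
chmod 600 /etc/openldap/slapd.conf

# Nobody but root needs access to the DB files - unless you run slapd with
# -u and/or -g, then that user/group needs access
test -d /var/openldap-data && chmod 700 /var/openldap-data

# See /var/openldap-data/DB_CONFIG.example if you use the BDB or
# HDB backends.  If you want to use the sample ('cd &&' so that a missing
# data directory does not turn this into a cp in the current directory):
( cd /var/openldap-data && cp -a DB_CONFIG.example DB_CONFIG )

# Test the configuration file:
/usr/libexec/slapd -Tt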

# If you want to run slapd in a chroot-jail, see 'man slapd.conf' about the
# -r, -u, and -g commandline options.  You might want to get it going the
# "normal" way first.

# With recent versions, running slapd by itself will first try to use the
# slapd.d configuration directory, then the slapd.conf file if that doesn't
# exist.  Run it like so, to skip the slapd.d attempt.
# As written this runs slapd as root; see the -u/-g (and -r) options
# mentioned above if you want it to run as a dedicated user and group.
/usr/libexec/slapd -f /etc/openldap/slapd.conf

## If it did start up OK, add something like this to /etc/rc.d/rc.local
## to start it on boot-up:
# if [ -x /usr/libexec/slapd ]; then
#   echo "Starting slapd..."
#   /usr/libexec/slapd -f /etc/openldap/slapd.conf
# fi

# Create an ldif.add file (name it whatever you want) with something like
# this in it (replacing foo, etc. with your actual info).  The delimiter
# is quoted so the shell passes the LDIF through verbatim; there is nothing
# in it to expand anyway.
cat > ldif.add <<'EOF'
dn: dc=foo,dc=org
objectclass: dcObject
objectclass: organization
o: The Foo Organization
dc: foo

dn: cn=Manager,dc=foo,dc=org
objectclass: organizationalRole
cn: Manager

dn: ou=people,dc=foo,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=foo,dc=org
objectClass: organizationalUnit
ou: groups
EOF

# Then add the entries in ldif.add to the LDAP db.  -x is a simple bind
# with the Manager (rootpw) password; if ldapadd reaches slapd over the
# network rather than this host, add -ZZ so StartTLS is required and the
# password does not travel in the clear.
ldapadd -x -D "cn=Manager,dc=foo,dc=org" -W -f ldif.add

# Display all entries in your LDAP db (anonymous bind):
ldapsearch -x -b 'dc=foo,dc=org' '(objectclass=*)'

# If you still have any questions/problems, read through the docs mentioned
# above again, and read/search the mailing list:
# http://www.openldap.org/lists/
# and/or the Issue Tracking System:
# http://www.openldap.org/its/

# Hand the source tree back to the login user so it can be removed later
# without needing root again
chown -R "$(logname)" .
chmod -R u+w .

# Become yourself again
exit

# Keep the tarball under ~/installed for later, replacing any older ones
cd ~
mkdir -p -m 0700 installed
rm -f -- installed/openldap-*.tgz
mv -- openldap-2.5.16.tgz installed/


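# If you ever want to uninstall OpenLDAP, this should do it:
# ('make uninstall' as root should do it, the rest is just in case)
#
# Every '( cd DIR && rm ... )' below is chained with && so that a directory
# that does not exist (e.g. /usr/man/man3 on a different layout) cannot
# turn the rm loose in the current directory instead.
cd
su
# A loop rather than 'test -d src/openldap-*': with more than one unpacked
# tree the glob expands to several words and 'test -d' errors out.
for srcdir in src/openldap-*; do
  test -d "$srcdir" && ( cd "$srcdir" && make uninstall )
done
test -d /etc/openldap && rm -r /etc/openldap
( cd /usr/bin &&
  rm -f ldapsearch ldapmodify ldapdelete ldapmodrdn ldappasswd ldapwhoami \
   ldapcompare ldapexop ldapurl )
( cd /usr/include &&
  rm -f lber.h lber_types.h ldap.h ldap_cdefs.h ldap_schema.h ldap_utf8.h \
   slapi-plugin.h ldap_features.h ldif.h )
test -d /usr/include/openldap-1.0 && rm -r /usr/include/openldap-1.0
( cd /usr/lib &&
  rm -f liblber.* libldap.* libopenldap-1.* pkgconfig/openldap.pc )
test -d /usr/lib64 &&
( cd /usr/lib64 &&
   rm -f liblber.* libldap.* libopenldap-1.* pkgconfig/openldap.pc )
( cd /usr/man/man1 &&
  rm -f ldapcompare.1 ldapdelete.1 ldapexop.1 ldapmodify.1 ldapmodrdn.1 \
   ldappasswd.1 ldapsearch.1 ldapurl.1 ldapwhoami.1 )
# ldap_tls.3 previously ended a line without a trailing backslash, which
# made 'ldap_url.3' a separate (failing) command and left it installed.
( cd /usr/man/man3 &&
  rm -f lber-decode.3 lber-encode.3 lber-memory.3 lber-sockbuf.3 \
   lber-types.3 ldap.3 ldap_abandon.3 ldap_add.3 ldap_bind.3 \
   ldap_compare.3 ldap_controls.3 ldap_delete.3 ldap_dup.3 ldap_error.3 \
   ldap_extended_operation.3 ldap_first_attribute.3 ldap_first_entry.3 \
   ldap_first_message.3 ldap_first_reference.3 ldap_get_dn.3 \
   ldap_get_option.3 ldap_get_values.3 ldap_memory.3 ldap_modify.3 \
   ldap_modrdn.3 ldap_open.3 ldap_parse_reference.3 ldap_parse_result.3 \
   ldap_parse_sort_control.3 ldap_parse_vlv_control.3 ldap_rename.3 \
   ldap_result.3 ldap_schema.3 ldap_search.3 ldap_sort.3 ldap_sync.3 \
   ldap_tls.3 ldap_url.3 )
( cd /usr/man/man5 && rm -f ldap.conf.5 ldif.5 slapd-*.5 slapo-*.5 )
( cd /usr/man/man8 &&
  rm -f slapacl.8 slapadd.8 slapauth.8 slapcat.8 slapd.8 slapdn.8 \
   slapindex.8 slappasswd.8 slapschema.8 slaptest.8 )
test -d /usr/share/gtk-doc/html/openldap && rm -r /usr/share/gtk-doc/html/openldap
find /usr/share/locale -type f -name openldap10.mo -exec rm {} \;
ldconfig
exit
find ~/src -maxdepth 1 -type d -name "openldap-*" -exec rm -r {} \;
# The tarball saved above is openldap-2.5.16.tgz; the old pattern only
# matched *.tar.* and so never removed it.
rm -f ~/installed/openldap-*.tgz ~/installed/openldap-*.tar.*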


Web page itself last updated: 2023-12-20 8:06pm (EDT -0400)
HOWTO last updated: 2023-09-23 7:19pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.