


HOWTO: openldap
Description: LDAP server, library, and tools
NOTE: I use GNU tar >= 1.13.25, so it's -j for .tar.bz2 files.
It's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything.


# OpenLDAP
# ========
# Slackware 13.37: openldap-client 2.4.23
# Slackware 14.0: openldap-client 2.4.31
# Slackware 14.1: openldap-client 2.4.31
# Slackware 14.2: openldap-client 2.4.42

# The first set of instructions below covers installing OpenLDAP for the
# libraries and utilities.  The second set covers installing the slapd
# server.

# If you need an NSS or PAM module for LDAP, see the nss_ldap and pam_ldap
# HOWTOs

# OpenLDAP documentation:
# Release Documents
# Administrator's Guide
# Faq-O-Matic
# Some of the man pages: slapd, slapd.conf, slapd.access

# Since at least 2002 or so, I let it use the default prefix of /usr/local
# but now use --prefix=/usr so everything goes to the same place as
# the Slackware package.  If you leave that off, it will end up under
# whatever the default prefix is currently.
#
# If you have one installed under /usr/local and want to put the new
# one under /usr, back up everything, then run "make uninstall" as root
# from the current/old version's source directory before you begin here.

## Be aware that if you're going from OpenLDAP 2.3.x to 2.4.x and other
## applications are linked with the 2.3.x version shared libraries, they
## may break when you do this until you recompile them.  This may or may
## not help:
# ln -s libldap.so libldap-2.3.so.0
# ln -s liblber.so liblber-2.3.so.0
# ldconfig

# Slackware uses /usr/man instead of /usr/share/man, OpenLDAP will install
# man pages in /usr/share/man by default.  So, either create a symlink:
#   su -c "ln -s /usr/man /usr/share/man"
# ...or add /usr/share/man to MANDIR
# ...or pass --mandir=/usr/man to configure below

# The 2.4.47 announcement is here:
# http://www.openldap.org/lists/openldap-announce/201812/msg00000.html


# OpenLDAP 2.4.47 - just the libraries and utilities (no slapd)
# ===============
# Go with this one if you only need the libraries and/or tools for
# other software to have LDAP support.  This does not include the
# slapd server.

# Prerequisites:
# OpenSSL or GnuTLS or Mozilla NSS
# ncurses or termcap
# readline

# I used to keep OpenLDAP, nss_ldap, and pam_ldap together
# If you did too, move them to the normal places
cd
# Older layouts kept OpenLDAP, nss_ldap and pam_ldap under a 'ldap'
# subdirectory; flatten those into ~/installed and ~/src so the steps
# below find them.
if [ -d installed/ldap ]; then
  mv -f installed/ldap/* installed/ && rmdir installed/ldap
fi
if [ -d src/ldap ]; then
  mv -f src/ldap/* src/ && rmdir src/ldap
fi

# Get it: reuse a tarball saved from a previous run, otherwise download it.
# Plain FTP gives no authenticity or integrity guarantee for the transfer,
# so the sha1sum check that follows is what you rely on before compiling
# and installing this as root.
cd
if [ -f installed/openldap-2.4.47.tgz ]; then
  mv installed/openldap-2.4.47.tgz .
fi
if [ ! -f openldap-2.4.47.tgz ]; then
  wget ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.4.47.tgz
fi

# Verify the tarball; sha1sum prints "openldap-2.4.47.tgz: OK" on success.
# Do not go on to the extract step if it reports FAILED.
sha1sum -c <<EOF
c59d52dd75f7d1c7b02f83725da36c322d439674  openldap-2.4.47.tgz
EOF

# Extract the source, removing any older openldap-* tree under ~/src first
mkdir -p -m 0700 ~/src
cd ~/src
find . -maxdepth 1 -type d -name "openldap-*" -exec rm -r {} \;
tar xzvf ~/openldap-2.4.47.tgz
cd openldap-2.4.47
# When unpacking as root, don't keep whatever uid/gid the tarball carries
[ "$UID" = 0 ] && chown -R root:root .

# In addition to the online documentation referred to above, read:
# ./README, ./INSTALL, and (if this is an upgrade) ./CHANGES

# You can select between OpenSSL, GnuTLS, and Mozilla NSS by using
# --with-tls= and then openssl, gnutls, or moznss
# Without specifying one, it should use them in that order

## As of OpenSSL 1.1.0, the default prefix is /usr/local  If yours is
## fully installed under /usr/local/ssl, add LDFLAGS and CPPFLAGS to
## the beginning of your configure line like so:
# LDFLAGS=-L/usr/local/ssl/lib64 CPPFLAGS=-I/usr/local/ssl/include \

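# Configure the build.  --libdir=/usr/lib64 is only wanted on x86_64; the
# rest of the options are the same for every architecture.  --disable-slapd
# leaves the server out (this section is libraries and tools only).
if [ "$(uname -m)" = x86_64 ]; then
  ./configure --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 \
  --localstatedir=/var --mandir=/usr/man --without-cyrus-sasl --disable-slapd
else
  ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
  --mandir=/usr/man --without-cyrus-sasl --disable-slapd
fi

# Build it.  The main build is skipped if 'make depend' failed; going on
# from a broken dependency pass only produces a more confusing error later.
make depend && make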

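# Become root to install it
su

# If you have a /usr/local/etc/openldap and you've already backed it up
# as advised, zap it
test -d /usr/local/etc/openldap && rm -r /usr/local/etc/openldap

# Back up the OpenLDAP configuration in /etc/openldap (the archive is named
# by today's date; the tar only runs if the cd succeeded)
mkdir -p -m 0700 ~/backup
test -d /etc/openldap &&
 ( cd /etc/openldap &&
   tar cJvf ~/backup/openldap-$(date +%y%m%d).tar.xz . )

# Remove the Slackware package, if there is one
test -x /sbin/removepkg && /sbin/removepkg openldap-client

# The Slackware package may leave behind a /usr/lib*/liblber* and
# libldap* because they are also part of the 'aaa_elflibs' package.  You
# may find running daemons like CUPS's cupsd, Samba's smbd & nmbd, and
# Cyrus SASL's saslauthd are using it.  Probably best to leave it there,
# but if those things are working OK with the new version installed here,
# zap the old ones later.

# If you're able (check with ldd, etc.), clean up old shared libraries.
# 'cd' is chained with '&&' on purpose: if it fails, the rm must not run
# its globs against the current directory (the source tree) instead.
for libdir in /usr/lib /usr/lib64; do
  test -d "$libdir" &&
  ( cd "$libdir" &&
    rm -f libldap.* libldap_r.* liblber.* \
     libldap-2.*.so.* libldap_r-2.*.so.* liblber-2.*.so.* )
done

# Install it
make install
ldconfig

# Make sure your non-root user can remove the source later
chown -R "$(logname)" .
chmod -R u+w .

# Become yourself again
exit

# Save the source for later, replacing any older openldap tarball
cd
mkdir -p -m 0700 installed
rm -f installed/openldap-*.tgz
mv openldap-2.4.47.tgz installed/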


# OpenLDAP 2.4.47
# ===============
# Prerequisites:
# OpenSSL or GnuTLS or Mozilla NSS
# Berkeley db4 >= 4.2 (for the BDB and HDB backends)
# Cyrus SASL (optional; if you don't pass --without-cyrus-sasl)
# GMP
# ncurses or termcap
# readline
# ICU (optional; Unicode library)

# I used to keep OpenLDAP, nss_ldap, and pam_ldap together
# If you did too, move them to the normal places
cd
# Flatten the old 'ldap' subdirectories (OpenLDAP, nss_ldap, pam_ldap kept
# together) into ~/installed and ~/src so the rest of the steps find them
if [ -d installed/ldap ]; then
  mv -f installed/ldap/* installed/ && rmdir installed/ldap
fi
if [ -d src/ldap ]; then
  mv -f src/ldap/* src/ && rmdir src/ldap
fi

# Get it: a tarball saved by an earlier run is reused, otherwise download.
# The FTP transfer itself is unauthenticated; the checksum step below is the
# only integrity check before this gets compiled and installed as root.
cd
if [ -f installed/openldap-2.4.47.tgz ]; then
  mv installed/openldap-2.4.47.tgz .
fi
if [ ! -f openldap-2.4.47.tgz ]; then
  wget ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.4.47.tgz
fi

# Verify the tarball; expect "openldap-2.4.47.tgz: OK".  Stop here if
# sha1sum reports FAILED.
sha1sum -c <<EOF
c59d52dd75f7d1c7b02f83725da36c322d439674  openldap-2.4.47.tgz
EOF

# Extract the source after removing any older openldap-* tree under ~/src
mkdir -p -m 0700 ~/src
cd ~/src
find . -maxdepth 1 -type d -name "openldap-*" -exec rm -r {} \;
tar xzvf ~/openldap-2.4.47.tgz
cd openldap-2.4.47
# Unpacking as root: don't keep the uid/gid recorded in the tarball
[ "$UID" = 0 ] && chown -R root:root .

# In addition to the online documentation referred to above, read:
# ./README, ./INSTALL, and (if this is an upgrade) ./CHANGES

# Add --with-wrappers to the configure line below if you want TCP wrappers
# support (/etc/hosts.allow, /etc/hosts.deny)

# If you DO need IPv6 support, leave off --disable-ipv6 below

## If you're building with a Berkeley DB 4.2.x, installed from
## source under /usr/local/BerkeleyDB.x.x, include the LDFLAGS and CPPFLAGS
## parts before the configure line
# LDFLAGS=-L/usr/local/BerkeleyDB.4.2/lib \
# CPPFLAGS=-I/usr/local/BerkeleyDB.4.2/include \

# If you are building in SASL auxprop support, you need SASL with OpenLDAP
# support, and OpenLDAP with SASL support.  Generally, the best way of
# getting that seems to be to build SASL without LDAP support, then OpenLDAP
# with SASL support, then SASL again with LDAP support.  If you have SASL
# installed but do not want support for it built-in, pass
# --without-cyrus-sasl to configure.

# You can select between OpenSSL, GnuTLS, and Mozilla NSS by using
# --with-tls= and then openssl, gnutls, or moznss

# In the past, I had always had trouble building it with GnuTLS, but it
# succeeded with OpenLDAP 2.4.46 and GnuTLS 3.5.19

## If your OpenSSL is not installed under /usr/local/ssl, as was the
## default < 1.1.0, you can leave off the LDFLAGS/CPPFLAGS parts
# LDFLAGS=-L/usr/local/ssl/lib CPPFLAGS=-I/usr/local/ssl/include \

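# Configure the build.  --libdir=/usr/lib64 is only wanted on x86_64; the
# other options are the same everywhere.  Per the notes above: drop
# --disable-ipv6 if you need IPv6, add --with-wrappers for TCP wrappers,
# and drop --without-cyrus-sasl if you want SASL built in.
if [ "$(uname -m)" = x86_64 ]; then
  ./configure --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 \
  --localstatedir=/var --mandir=/usr/man --without-cyrus-sasl \
  --disable-ipv6
else
  ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
  --mandir=/usr/man --without-cyrus-sasl --disable-ipv6
fi

# Build it; the main build is skipped if 'make depend' failed
make depend && make

# Test the build, takes a while
make test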

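# Become root to install it
su

# If you have an old /usr/local/etc/openldap and you've already backed it up
# as advised, zap it
test -d /usr/local/etc/openldap && rm -r /usr/local/etc/openldap

# Back up the OpenLDAP configuration in /etc/openldap.  The archive name is
# built from today's date and the restore step further down builds the same
# name, so finish the same day or note the name.
mkdir -p -m 0700 ~/backup
test -d /etc/openldap &&
 ( cd /etc/openldap &&
   tar cJvf ~/backup/openldap-$(date +%y%m%d).tar.xz . )

# If you have a running slapd, dump the contents and back that up too.
# This is opt-in: the dump is only taken when ~/backup/ldap already exists,
# so create that directory first if you want it.  The LDIF holds the whole
# directory, userPassword values included, so keep it as private as the
# backup directory itself.
test -d ~/backup/ldap &&
 slapcat -l ~/backup/ldap/ldap-backup-$(date +%Y%m%d).ldif

# Remove the Slackware package, if there is one
test -x /sbin/removepkg && /sbin/removepkg openldap-client

# The Slackware package may leave behind a /usr/lib*/liblber* and
# libldap* because they are also part of the 'aaa_elflibs' package.  You
# may find running daemons like CUPS's cupsd, Samba's smbd & nmbd, and
# Cyrus SASL's saslauthd are using it.  Probably best to leave it there,
# but if those things are working OK with the new version installed here,
# zap the old ones later.

# If you're able (check with ldd, etc.), clean up old shared libraries.
# 'cd' is chained with '&&' so a failed cd can't let the rm globs run in
# whatever the current directory happens to be.
for libdir in /usr/lib /usr/lib64; do
  test -d "$libdir" &&
  ( cd "$libdir" &&
    rm -f libldap.* libldap_r.* liblber.* \
     libldap-2.*.so.* libldap_r-2.*.so.* liblber-2.*.so.* )
done

# If slapd is running, kill it, so the install below doesn't replace files
# under a running server
killall slapd

# This will zap the whole configuration directory - obviously only do this
# if you want to clean up old files and restore from your backup.
test -d /etc/openldap && rm -r /etc/openldap

# Install it
make install
ldconfig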

# After 'make install', if this is an upgrade, your existing 'schema'
# directory will be renamed schema.nnnn, so you may need to move that back
# now if you have customizations in there.

# If this is a first-time installation, open up the sample
# /etc/openldap/slapd.conf

# To generate a password to include in slapd.conf that will be more secure
# than a clear-text one, run 'slappasswd' then put the output in slapd.conf
# for rootpw

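# Restore the backed up files (if they exist).  Everything lands in
# /etc/openldap/old; move things into place as necessary and use 'diff -u'
# to compare the old version with the new one.
# The steps are chained with '&&': if 'cd old' failed, tar would otherwise
# unpack straight over the freshly installed /etc/openldap.
# The archive name uses today's date, same as the backup step; adjust it
# if the backup was made on another day.
( cd /etc/openldap &&
  mkdir -p old &&
  cd old &&
  tar xJvf ~/backup/openldap-$(date +%y%m%d).tar.xz )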

## Add these to /etc/services if they're not already in there (recent
## versions of Slackware, they are in there).  Only add ldaps if you're
## going to set that up, it won't use ldaps by default - it will use ldap
## + TLS though.
# ldap		389/tcp
# ldap		389/udp
# ldaps		636/tcp
# ldaps		636/udp
#
## If you're feeling lazy, this will do it for you if they're not already
## in there:
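# Add each of the four entries only if /etc/services doesn't already have a
# line for that name and port.  printf replaces the non-portable 'echo -e'
# and 'grep -E' replaces the obsolescent 'egrep'.
while read -r svc port; do
  grep -Eq "^${svc}[[:space:]]+${port}" /etc/services ||
   printf '%s\t\t%s\n' "$svc" "$port" >> /etc/services
done <<'EOF'
ldap 389/tcp
ldap 389/udp
ldaps 636/tcp
ldaps 636/udp
EOF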

# If you need TLS support for slapd, you will need a certificate to use.
# If you don't have a real one, you can get a Let's Encrypt or CAcert one
# for free, or create a self-signed cert with OpenSSL:
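# The private key is written unencrypted (-nodes) into the same file as the
# cert, which is why that file is made mode 600.  The key size comes from
# your openssl.cnf defaults unless you add -newkey.  Because the cert is
# self-signed, clients will only trust it if they are pointed at this file.
# Every step is chained so that a failed 'cd' can't leave the key and cert
# lying in whatever the current directory is.
( cd /etc/openldap || exit
  fqdn=$(hostname -f)
  if [ -z "$fqdn" ]; then
    echo "hostname -f returned nothing; set a fully qualified hostname first" >&2
    exit 1
  fi
  if [ ! -f "$fqdn.pem" ]; then
    openssl req -new -x509 -nodes -out "$fqdn.pem" -keyout "$fqdn.pem" -days 9999
  fi
  chmod 600 "$fqdn.pem" )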

# Add these lines to /etc/openldap/slapd.conf (replacing ldap.foo.org
# with whatever 'hostname -f' outputs, or whatever you used above):
# TLSCertificateFile	/etc/openldap/ldap.foo.org.pem
# TLSCertificateKeyFile	/etc/openldap/ldap.foo.org.pem
# TLSCACertificateFile	/etc/openldap/ldap.foo.org.pem

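# Make sure your configuration file is only readable and writeable by root
# (or the chroot user if you set that up) - it holds rootpw and the path to
# the TLS key.
chmod 600 /etc/openldap/slapd.conf

# Nobody but root needs access to the DB files - unless you run slapd with
# -u and/or -g, then that user/group needs access
test -d /var/openldap-data && chmod 700 /var/openldap-data

# See /var/openldap-data/DB_CONFIG.example if you use the BDB or
# HDB backends.  If you want to use the sample (the cp only runs if the
# cd succeeded):
( cd /var/openldap-data && cp -a DB_CONFIG.example DB_CONFIG )

# Test the configuration file.  Name slapd.conf explicitly, the same way it
# is started below; otherwise slapd looks for a slapd.d directory first and
# you may end up testing something other than the file you just edited.
/usr/libexec/slapd -Tt -f /etc/openldap/slapd.conf

# If you want to run slapd in a chroot-jail, see 'man slapd.conf' about the
# -r, -u, and -g commandline options.  You might want to get it going the
# "normal" way first.

# With recent versions, running slapd by itself will first try to use the
# slapd.d configuration directory, then the slapd.conf file if that doesn't
# exist.  Run it like so, to skip the slapd.d attempt.
/usr/libexec/slapd -f /etc/openldap/slapd.conf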

## If it did start up OK, add something like this to /etc/rc.d/rc.local
## to start it on boot-up:
# if [ -x /usr/libexec/slapd ]; then
#   echo "Starting slapd..."
#   /usr/libexec/slapd -f /etc/openldap/slapd.conf
# fi

# Create an ldif.add file (name it whatever you want) with something like
# this in it (replacing foo, etc. with your actual info):
# The delimiter is quoted so nothing in the LDIF is subject to shell
# expansion (it is written into the current directory)
cat > ldif.add <<'EOF'
dn: dc=foo,dc=org
objectclass: dcObject
objectclass: organization
o: The Foo Organization
dc: foo

dn: cn=Manager,dc=foo,dc=org
objectclass: organizationalRole
cn: Manager

dn: ou=people,dc=foo,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=foo,dc=org
objectClass: organizationalUnit
ou: groups
EOF

# Then run this to add the entries in ldif.add to the LDAP db.
# -D is the rootdn from slapd.conf; -W prompts for its password so it
# doesn't end up on the command line or in the shell history.
ldapadd -x -D "cn=Manager,dc=foo,dc=org" -W -f ldif.add

# Display all entries in your LDAP db (anonymous simple bind):
ldapsearch -x -b 'dc=foo,dc=org' '(objectclass=*)'

# If you still have any questions/problems, read through the docs mentioned
# above again, and read/search the mailing list:
# http://www.openldap.org/lists/
# and/or the Issue Tracking System:
# http://www.openldap.org/its/

# Make sure your non-root user can remove the source later (still root
# here, in the source directory)
owner=$(logname)
chown -R "$owner" .
chmod -R u+w .

# Become yourself again
exit

# Save the source for later, replacing any older openldap tarball
cd
mkdir -p -m 0700 installed
rm -f installed/openldap-*.tgz
mv openldap-2.4.47.tgz installed/


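# If you ever want to uninstall OpenLDAP, this should do it:
# ('make uninstall' as root should do it, the rest is just in case)
# Every 'cd' below is chained with '&&' so that a missing or unreadable
# directory can't turn the following 'rm -f' loose on the current
# directory instead.
cd
su
for srcdir in src/openldap-*; do
  test -d "$srcdir" && ( cd "$srcdir" && make uninstall )
done
# Same destructive step as in the install section - make sure you have a
# backup of /etc/openldap first
test -d /etc/openldap && rm -r /etc/openldap
( cd /usr/bin &&
  rm -f ldapsearch ldapmodify ldapdelete ldapmodrdn ldappasswd ldapwhoami \
   ldapcompare ldapexop ldapurl )
( cd /usr/include &&
  rm -f lber.h lber_types.h ldap.h ldap_cdefs.h ldap_schema.h ldap_utf8.h \
   slapi-plugin.h ldap_features.h ldif.h )
test -d /usr/include/openldap-1.0 && rm -r /usr/include/openldap-1.0
for libdir in /usr/lib /usr/lib64; do
  test -d "$libdir" &&
  ( cd "$libdir" &&
    rm -f liblber.* libldap.* libopenldap-1.* pkgconfig/openldap.pc )
done
( cd /usr/man/man1 &&
  rm -f ldapcompare.1 ldapdelete.1 ldapexop.1 ldapmodify.1 ldapmodrdn.1 \
   ldappasswd.1 ldapsearch.1 ldapurl.1 ldapwhoami.1 )
# ldap_url.3 used to sit on a line of its own without a trailing '\', so
# the shell tried to run it as a command and that page was never removed
( cd /usr/man/man3 &&
  rm -f lber-decode.3 lber-encode.3 lber-memory.3 lber-sockbuf.3 \
   lber-types.3 ldap.3 ldap_abandon.3 ldap_add.3 ldap_bind.3 \
   ldap_compare.3 ldap_controls.3 ldap_delete.3 ldap_dup.3 ldap_error.3 \
   ldap_extended_operation.3 ldap_first_attribute.3 ldap_first_entry.3 \
   ldap_first_message.3 ldap_first_reference.3 ldap_get_dn.3 \
   ldap_get_option.3 ldap_get_values.3 ldap_memory.3 ldap_modify.3 \
   ldap_modrdn.3 ldap_open.3 ldap_parse_reference.3 ldap_parse_result.3 \
   ldap_parse_sort_control.3 ldap_parse_vlv_control.3 ldap_rename.3 \
   ldap_result.3 ldap_schema.3 ldap_search.3 ldap_sort.3 ldap_sync.3 \
   ldap_tls.3 ldap_url.3 )
( cd /usr/man/man5 && rm -f ldap.conf.5 ldif.5 slapd-*.5 slapo-*.5 )
( cd /usr/man/man8 &&
  rm -f slapacl.8 slapadd.8 slapauth.8 slapcat.8 slapd.8 slapdn.8 \
   slapindex.8 slappasswd.8 slapschema.8 slaptest.8 )
test -d /usr/share/gtk-doc/html/openldap && rm -r /usr/share/gtk-doc/html/openldap
find /usr/share/locale -type f -name openldap10.mo -exec rm -f -- {} +
ldconfig
exit
# Back as the normal user: remove the saved source tree and the saved
# tarball.  The tarball was saved as a .tgz above, which the old
# 'openldap-*.tar.*' pattern never matched, so both spellings are covered.
find ~/src -maxdepth 1 -type d -name "openldap-*" -exec rm -r {} \;
rm -f ~/installed/openldap-*.tgz ~/installed/openldap-*.tar.*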



Last updated: Tue, 07 Aug 2018 12:06:17 -0400
Jason Englander <jason at englanders dot us>