APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

LDAP

You've probably heard something about LDAP by now. You may even realize that it is a lightweight alternative to the X.500 Directory Access Protocol, and it's possible that you have seen X.500-style names used in such things as Microsoft Exchange. You may also know that UnixWare 7 and Linux include an LDAP server but OSR5 doesn't.

If you are running Linux, an LDAP server package is almost certainly installed or at least available. SCO's OSR5 products don't include LDAP. However, Skunkware does have an OSR5 LDAP server, and you can install it and learn LDAP basics in literally just a few minutes: LDAP is not at all difficult, and anyone capable of basic scripting can understand it and use it.

That said, most of the documentation and books I have read are pretty bad. I personally struggled for almost half a day just trying to get LDAP working at all. I bought two books (LDAP Programming and Implementing LDAP), scoured the net, read, did what they told me to do, and had complete and utter failure.

At first, I was blaming the SCO implementation, so I downloaded a Linux LDAP server thinking that would be easier to set up. Wrong. I spent another hour or two banging my head against the same walls there. I did Dejawin searches of the Linux newsgroups, and found that dozens or maybe even hundreds of other people have been just as frustrated. Worse, when I found answers that supposedly would solve these folks' problems, the suggested procedures didn't work for me, and I bet they didn't work for most of the other people either. I closed down and went to bed feeling frustrated, incompetent and more than a little stupid.

But I don't give up easily. With the benefit of a good night's sleep and some more careful thinking about the problem, I had a working LDAP server in less than 5 minutes.

So what was wrong? It's simple: all of the documentation, books, and web articles mostly assume that you have a working LDAP server and give very little or no attention to how you get it set up to begin with. It turns out not to be all that difficult, in fact it's pretty simple- once you know the tricks.

Your LDAP Server

Linux users can skip ahead..

First you need to install the Skunkware LDAP. At the time of this article, that was version 3.3. You'll also need the GNU dbm package. Strangely, the Skunkware documentation tells you that you will need it, but if it is available from Skunkware, I couldn't find it, so I downloaded it from the Celestial Systems, Inc. FTP site. It comes down as a gzipped tarball, so you need GNU gzip (for gunzip, again from Skunkware) if you don't already have it. Once you've unzipped and untarred it, you may feel despair at the fact that this obviously contains source files. Don't panic: that's the way Celestial does everything. It has already been compiled, and you don't need to do anything but install it. If you happen to have the GNU development tools, that's simple: just "make install". If you don't, you can do it by hand: there's a file called "mk-install" that, while written for GNU ginstall, shows you the files you need to copy, where you need to copy them, and what their permissions should be. Once you've done that, you can delete everything there if you don't want it.

SLAPD.CONF

Before you do anything else, add /usr/local/etc to your PATH. That's where all the LDAP tools get installed, and that's where you'll be working to begin with. Change to that directory and make ldapadd a link to ldapmodify (ldapmodify looks at the name it was invoked under, and when called as ldapadd it adds entries instead of modifying them):

ln -s ldapmodify ldapadd
# this just makes things easier later
 

The next thing you need to do is to edit the /usr/local/etc/slapd.conf file. "slapd" is the LDAP server daemon. We aren't going to run it quite yet; in fact, DON'T run it yet. Here's my slapd.conf:

include         /usr/local/etc/slapd.at.conf
include         /usr/local/etc/slapd.oc.conf
schemacheck     off
referral        ldap://ldap.itd.umich.edu

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "o=APL, c=US"
directory       /u4/ldap
rootdn          "cn=root, o=APL, c=US"
rootpw          secret
 

The only changes I made from the supplied file were to replace "Your Organization" with "APL" (my initials) in two places (the suffix and the rootdn), and to change the directory entry so it is not /usr/tmp (a world-writable directory that gets cleaned out is no place for database files). Two things to notice before you copy this: rootpw is stored in clear text, so keep slapd.conf readable only by root (chmod 600), and the referral line tells slapd to hand any request for a DN outside your suffix off to the University of Michigan server, so leave it out unless that is what you want. "schemacheck off" is what lets us invent attributes later on; more on that below.

Next, I created a file to initialize my database with. Here's what I used:

dn:o=APL,c=US
o:APL
objectclass:organization

dn: cn=Tony Lawrence, o=APL, c=US
cn: Tony
sn: Lawrence
telephoneNumber: 781 784 7547
mail: [email protected]
objectclass:person

dn: cn=Linda Lawrence, o=APL, c=US
cn: Linda
sn: Lawrence
telephoneNumber: 781 784 7547
mail: [email protected]
objectclass:person
 

I called this "/tmp/ldif". Note that there are no spaces at the beginning of any line (in LDIF a leading space marks a continuation of the previous line), and that there are no blank lines after the last line. These little details are important. Particularly note that the very first lines reference my APL organization: it is critical that these match the suffix in slapd.conf. If your slapd.conf looks like this:

database        ldbm
suffix          "o=Micro Managed Inc., c=US"
directory       /u4/ldap
rootdn          "cn=root, o=Micro Managed Inc., c=US"
rootpw          secret
 

then your /tmp/ldif starts off like this:

dn:o=Micro Managed Inc., c=US
o:Micro Managed Inc.
objectclass:organization

dn: cn=Tony Lawrence, o=Micro Managed Inc., c=US
 

and every other "o=APL" would be changed also.
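As an added example (not part of the original article), here is a small POSIX shell check for the details just listed, to run before ldif2ldbm. It reads the suffix out of a slapd.conf, then confirms that the LDIF's first dn is that suffix, that every other dn sits under it, that no line starts with whitespace, that every attribute line has a legal name followed immediately by a colon, and that the file does not end in a blank line. The file names and the sample files that make_samples writes are constructed for the demonstration and are assumptions, not files from any real server:

```shell
#!/bin/sh
# ldif_check: pre-flight check of an LDIF seed file against slapd.conf
# (added example; slapd itself is not needed to run it).
# Usage: ldif_check /usr/local/etc/slapd.conf /tmp/ldif   (exit 0 = ok)

# Normalise a DN for comparison: drop spaces around commas, fold case.
norm_dn() {
    printf '%s' "$1" | sed 's/[[:space:]]*,[[:space:]]*/,/g' | tr 'A-Z' 'a-z'
}

ldif_check() {
    conf=$1 ldif=$2 rc=0

    # 1. the suffix from slapd.conf (first database definition only)
    suffix=$(sed -n 's/^suffix[[:space:]]*"\(.*\)".*$/\1/p' "$conf" | head -n 1)
    if [ -z "$suffix" ]; then
        echo "$conf: no suffix directive found"; return 1
    fi
    nsuffix=$(norm_dn "$suffix")

    # 2. the first dn must be the suffix itself (the organization entry)
    first_dn=$(sed -n 's/^dn:[[:space:]]*//p' "$ldif" | head -n 1)
    if [ "$(norm_dn "$first_dn")" != "$nsuffix" ]; then
        echo "first dn '$first_dn' does not match suffix '$suffix'"; rc=1
    fi

    # 3. every other dn must end with the suffix
    sed -n 's/^dn:[[:space:]]*//p' "$ldif" | while IFS= read -r dn; do
        case "$(norm_dn "$dn")" in
            *"$nsuffix") ;;
            *) echo "dn '$dn' is outside suffix '$suffix'"; exit 1 ;;
        esac
    done || rc=1

    # 4. a line starting with whitespace is a continuation line in LDIF
    if grep -n '^[[:space:]]' "$ldif"; then
        echo "leading whitespace on the line(s) above"; rc=1
    fi

    # 5. attribute names: letters, digits, '-' (and ';' options), then ':'
    if grep -n -v -E '^$|^#|^[A-Za-z][A-Za-z0-9;-]*::?' "$ldif"; then
        echo "malformed attribute line(s) above"; rc=1
    fi

    # 6. a trailing blank line would be read as an empty entry
    if [ -z "$(tail -n 1 "$ldif")" ]; then
        echo "$ldif ends with a blank line"; rc=1
    fi
    return $rc
}

# Constructed sample files (assumptions for the demo, not real data):
# a slapd.conf fragment, a good LDIF, and one with the classic mistakes.
make_samples() {
    dir=$1
    cat > "$dir/slapd.conf" <<'EOF'
database        ldbm
suffix          "o=APL, c=US"
directory       /u4/ldap
rootdn          "cn=root, o=APL, c=US"
rootpw          secret
EOF
    printf 'dn:o=APL,c=US\no:APL\nobjectclass:organization\n\ndn: cn=Tony Lawrence, o=APL, c=US\ncn: Tony\nsn: Lawrence\nobjectclass:person\n' > "$dir/good.ldif"
    # wrong organization, a space before a colon, and a trailing blank line
    printf 'dn: o=Micro Managed Inc., c=US\no: Micro Managed Inc.\nobjectclass: organization\n\ndn: cn=Linda, o=APL, c=US\nautomobile : Toyota\n\n' > "$dir/bad.ldif"
}

# Run as a script: ldif_check slapd.conf file.ldif
if [ $# -eq 2 ]; then
    ldif_check "$1" "$2"
fi
```

The checks are deliberately stricter than slapd itself: ldif2ldbm will happily load an entry whose dn is outside the suffix, and you only discover the mistake when every search comes back empty.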

You can put as many entries into this initial file as you want. The only critical lines are actually the first three. Note again that we HAVE NOT started the LDAP slapd server yet. Instead, we're going to use this command:

ldif2ldbm -i /tmp/ldif -f /usr/local/etc/slapd.conf
 

If you now look in /u4/ldap (or wherever you decided to put your database), you'll find something like this:

total 44
-rw-r--r--   1 root     sys            2 Jan 11 16:49 NEXTID
-rw-------   1 root     sys         4366 Jan 11 16:49 dn.gdbm
-rw-------   1 root     sys         3149 Jan 11 16:49 dn2id.gdbm
-rw-------   1 root     sys         3087 Jan 11 16:49 id2children.gdbm
-rw-------   1 root     sys         3264 Jan 11 16:49 id2entry.gdbm
-rw-------   1 root     sys         3150 Jan 11 16:49 objectclass.gdbm
 

Those files are your database, and now it's finally time to start the server:

slapd
 

Not very exciting, was it? No messages, no whirring of disks. But, if something did go wrong in your slapd.conf setup and you want to start over, just kill the slapd daemon (find it with "ps -e | grep slapd"), and then remove all those files above, fix your problem, and do the ldif2ldbm again.

Searching, adding, modifying

Let's try a search:

ldapsearch -L -b "o=APL, c=US" "(sn=lawrence)"
# or:
# ldapsearch -L -b "o=Micro Managed Inc., c=US" "(sn=lawrence)"
 

You should get:

dn: cn=Tony Lawrence, o=APL, c=US
cn: Tony
sn: Lawrence
telephonenumber: 781 784 7547
mail: [email protected]
objectclass: person

dn: cn=Linda Lawrence, o=APL, c=US
cn: Linda
sn: Lawrence
telephonenumber: 781 784 7547
mail: [email protected]
objectclass: person
 

You can probably see how it would be very easy to take this and filter it to present it in a friendlier format. The LDAP protocol itself has different ways of returning the data: I'm using -L, but notice that you get a slightly different output if you use "-u" instead. I'm not going to get into those details in this article, but as you read and learn more about LDAP you'll find that you do have much more control over its output.
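As an added example that is not from the original article, here is a shell function that does the filtering just mentioned: it turns the -L output above into one line per entry (name, phone, mail). It splits entries on blank lines, treats attribute names case-insensitively (the server printed telephoneNumber in lower case), joins LDIF continuation lines, and passes base64 (::) values through unchanged. The sample_ldif function holds a constructed copy of the search output, with example.com addresses standing in for the real ones; those addresses are assumptions:

```shell
#!/bin/sh
# ldif_table: one line per entry from "ldapsearch -L" output.
# Usage: ldapsearch -L -b "o=APL, c=US" "(sn=Lawrence)" | ldif_table
ldif_table() {
    awk '
    # Print one entry as: cn sn <tab> telephonenumber <tab> mail
    function flush(    k) {
        if ("dn" in a)
            printf "%s %s\t%s\t%s\n", a["cn"], a["sn"], a["telephonenumber"], a["mail"]
        for (k in a) delete a[k]
        last = ""
    }
    /^$/ { flush(); next }                 # a blank line ends an entry
    /^#/ { next }                          # comments
    /^ /  {                                # continuation of the previous line
        if (last != "") a[last] = a[last] substr($0, 2)
        next
    }
    {
        i = index($0, ":")
        if (i == 0) next                   # not an attribute line
        key = tolower(substr($0, 1, i - 1))
        val = substr($0, i + 1)
        sub(/^:? */, "", val)              # drop optional second colon (base64) and spaces
        if (!(key in a)) { a[key] = val; last = key }   # first value wins
        else last = ""
    }
    END { flush() }'
}

# Constructed sample: the search output from the article, with example.com
# addresses in place of the real ones (an assumption for the demo).
sample_ldif() {
    printf '%s\n' \
        'dn: cn=Tony Lawrence, o=APL, c=US' \
        'cn: Tony' \
        'sn: Lawrence' \
        'telephonenumber: 781 784 7547' \
        'mail: tony@example.com' \
        'objectclass: person' \
        '' \
        'dn: cn=Linda Lawrence, o=APL, c=US' \
        'cn: Linda' \
        'sn: Lawrence' \
        'telephonenumber: 781 784 7547' \
        'mail: linda@example.com' \
        'objectclass: person'
}

# Run with --demo to see the sample formatted.
if [ "${1:-}" = "--demo" ]; then
    sample_ldif | ldif_table
fi
```

Pipe the real ldapsearch output through ldif_table and you have a phone list; swap the printf for whatever layout you want.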

Now we'll modify Linda to change her email address:

ldapmodify -r -D "cn=root, o=APL, c=US" -w secret
 

Note that "-w secret" is the password we assigned in slapd.conf. Passing it as an argument puts it in your shell history and in "ps" output while the command runs, which is acceptable on a test box but not on a shared one. After pressing ENTER, type:

dn: cn=Linda Lawrence, o=APL, c=US
mail: [email protected]
CTRL-D
 

The -r flag tells ldapmodify to replace an attribute's existing values rather than add to them; the man page describes the other methods you can use to modify data, depending on how you want to treat items that don't yet exist, and so on. For now just try the same ldapsearch again and we get:

dn: cn=Tony Lawrence, o=APL, c=US
cn: Tony
sn: Lawrence
telephonenumber: 781 784 7547
mail: [email protected]
objectclass: person

dn: cn=Linda Lawrence, o=APL, c=US
cn: Linda
sn: Lawrence
objectclass: person
telephonenumber: 781 784 7547
mail: [email protected]
 

Now let's try something different: Let's add a new attribute to Linda:

ldapmodify -r -D "cn=root, o=APL, c=US" -w secret
 

and type:

dn: cn=Linda Lawrence, o=APL, c=US
auto: Toyota
CTRL-D
 

Don't like "auto"? You're right, it should probably have been "automobile". So let's change it, using the same ldapmodify command as before (note that the attribute name runs right up to the colon, with no space before it):

dn: cn=Linda Lawrence, o=APL, c=US
delete: auto

dn: cn=Linda Lawrence, o=APL, c=US
automobile: Toyota Corolla
CTRL-D
 

Do the search again and you'll see that "auto" is gone.

Finally, let's add "somebody" new: one of my computers:

ldapadd -D "cn=root, o=APL, c=US" -w secret < /tmp/addit
 

So we don't have to type so accurately at the command line, this time I've put the data into a file, /tmp/addit:

dn: cn=Old Pentium, o=APL, c=US
objectclass: device
cpuspeed: 233
harddrive: 4 MB
 

You've probably noticed that I did nothing ahead of time to tell LDAP that I want to store something called "cpuspeed". That works only because slapd.conf has "schemacheck off": the server accepts any attribute name from anyone allowed to write. Sometimes that's just the kind of flexibility you want, but other times you want to be more rigorous. You might want to enforce, for example, that if we're adding a device, we MUST specify cpuspeed, or that cpuspeed is always a number. Turning schemacheck on makes slapd reject attributes that the entry's objectclasses (as defined in slapd.oc.conf and slapd.at.conf) don't allow, and for a directory that other systems trust for addresses or logins that is the setting you want. All these things and more are possible, but we're just sticking to the basics for now.

Let's do a little different search:

ldapsearch -L -b "o=APL, c=US" "(objectclass=device)"
 

which returns:

dn: cn=Old Pentium, o=APL, c=US
objectclass: device
cpuspeed: 233
harddrive: 4 MB
 

We can also do:

ldapsearch -L -b "o=APL, c=US" "(objectclass=*)"
 

which will spit out everything.

But I only want the phone number!

OK. That's not a problem:

ldapsearch -L -b "o=APL, c=US" "(sn=Lawrence)" telephonenumber
 

Netscape

Now for something even more fun. Open up your Netscape browser, and go to Address Book. Pull down the File menu and tell it you want to add a New Directory. I called mine "Local LDAP". Enter the FQDN (fully qualified domain name, for example scobox.landc.com) of your server into the LDAP Server box. In the Server Root box, I'd enter "o=APL, c=US", and you'd enter the equivalent for your server. You don't need to change anything else: no login, no secure connection, leave the port (389) alone. That is an anonymous, unencrypted connection, which is fine for a test on your own network. Click OK to save it. Now "Local LDAP" appears in the list. Highlight it, and type "*" in the search box: you'll see your entries. Even better, double click on one of the entries and you'll get all of the information that your server has, so Linda's "Toyota" gets listed in an HTML page.

Now go to create a new Email message. Choose "Address Book", and notice that you can choose addresses from your "Local LDAP", and that if you highlight and choose "Properties", you get the full information as before.

See Passwd to LDAP for another example of using LDAP for address books.

I'm sure there's some way to tell Outlook Express to look at this also, but I couldn't find it in 15 minutes, so I gave up. If anyone knows, please tell me.

Juan Marcia sent me a screen shot showing that Outlook Express does have a place for this in an Advanced tab. This is what he says to do:

Run Outlook Express, open the TOOLS menu, then click on Accounts, click on the DIRECTORY SERVICES tab, click on the NEW or ADD button and choose DIRECTORY SERVICES, and write the name of the Internet directory server (f.i. mailhost.bbvseg.com.co).

Click on the NEXT button twice. Then click on the FINISH button.

Then click on the PROPERTIES button. Then select the ADVANCED tab:

Fill in the Search Base blank with the parameters from your server's configuration. APPLY and OK and close all windows. Then try it.

There are many more things you can do with these tools, and the man pages are the place to look.

Man Pages

Of course you get man pages for all these things, but they won't work until you do two things:

  • Install the GNU text processing tools from Skunkware
  • Modify /etc/default/man so that the MANPATH reads:
    MANPATH=scohelp:/usr/man:/usr/local/man

I hope that you have fun with this. LDAP is a useful tool. It can be accessed through LDAP-enabled browsers, through Perl scripts, by C programs, and, of course, with the command line tools we've looked at here.


Got something to add? Send me email.


© Tony Lawrence