Openldap 2.1 administrator guide (1)

Source: Internet
Author: User
Tags ldap openldap

0. Preface
0.1 Copyright
Copyright 1998-2001, the OpenLDAP Foundation, All rights reserved.

Copyright 1992-1996, Regents of the University of Michigan, All rights reserved.

The Chinese version is translated by ntko. E-mail: To distribute this document, you must retain the translation information about the Chinese version and all other copyright information.

0.2 scope of this document
This document provides a guide for installing OpenLDAP 2.1 software ( on Unix or Unix-like systems. This document is intended for experienced system administrators. However, he does not have the experience of running an LDAP-based directory software.

This document should be used together with other OpenLDAP information resources provided along with the software package, as well as the information provided on the site ( of the project on www. This site provides a lot of resources.

Openldap Resources


Document Catalog

Frequently Asked Questions

Issue Tracking System

Mailing lists

Software pages

Support pages

0.3. Thank you
The OpenLDAP project consists of a volunteer group. This document is impossible without the time and effort they have contributed.

The OpenLDAP project also thanked the University of Michigan LDAP for creating the foundation of the LDAP software. In addition, OpenLDAP software is created on top of their software. This document is also based on the LDAP document of U-Mich: The slapd and slurpd administrators guide.

0.4. Error Correction
Any correction and improvement suggestions for this document should be submitted using the OpenLDAP issue tracking system (

0.5. About this document
This document is created using the simple document format document system ( developed by Ian clatworthy.

1. Introduction to OpenLDAP Directory Service
This document describes how to compile, configure, and run OpenLDAP to provide directory services. Including how to configure and run an independent LDAP daemon, slapd (8), and how to configure and run an independent LDAP update copy daemon, slurpd (8) details. This document is intended for beginners and experienced system administrators. This section provides a basic introduction to the directory service, especially the directory service provided by slapd (8.

1.1. What is a directory service?
A directory service is a special database that is optimized for reading, browsing, and searching. Directories can be used to store descriptive, attribute-based information and support complex filtering and search capabilities. Directories generally do not support complex transaction processing or rollback mechanisms supported in general database management systems-these mechanisms are designed to handle large-capacity complex update operations. Directory updates are simple "all or none" updates-if they are allowed. The directory is optimized to quickly respond to a large number of search or search operations. They can replicate information in a wide range to improve availability and reliability, while reducing response time.

When the information in the directory is copied, the temporary inconsistency between copies is allowed as long as they are eventually consistent.

There are many different ways to provide a directory service. Different methods allow different types of information to be stored in directories. Therefore, the query and update requirements for information to be referenced are different, information is protected and unauthorized access is denied. Some directory services are local and provide limited services (for example, a finger service running on a single machine ). Some services are global and provide services of a large scale (such as the entire Internet ). Global services are generally divided. This means that the data they store is distributed on many machines, all of which work together to provide directory services. In typical cases, a global service defines a unified namespace, which provides the same data view no matter where you start to associate with the data. The Internet Domain Name System is an instance of a globally distributed directory system service.

1.2. What is LDAP?
LDAP stands for the Lightweight Directory Access Protocol. As the name indicates, it is a lightweight protocol used to access the directory service, especially the X.500-based directory service. LDAP runs on the TCP/IP protocol or other connection-oriented transmission services. The detailed nature of LDAP is defined in rfc2133 "Lightweight Directory Access Protocol (V3. This section provides an overview of LDAP from the user's perspective.

What types of information can be saved in a directory? The LDAP information model is based on entries. An entry is a set of attributes and has a globally unique "Distinguished Name" DN. This dn is used to uniquely reference this entry. Each item has one type and one or more values. The type is usually a name that is easy to remember. For example, "cn" is a common name, or "mail" is an email address. The syntax of the entry value depends on the attribute type. For example, the CN attribute may have a value "Babs Jenkins ". A mail property may contain the value " ". A photo attribute may contain an image in JPEG (Binary) format.

How is information organized? In LDAP, directory entries are arranged in a hierarchical tree structure. Traditionally, this structure reflects the geographical or organizational boundaries. Entries represent the country and appear at the top of the tree. Below are entries representing the State or geographical organization. below may be entries representing the organizational unit, individual, printer, document or any other item that you can think. Figure 1.1 shows an example of using a traditional named LDAP directory tree:

Figure 1.1: LDAP directory tree (traditional naming method)

The tree can also be arranged based on the Internet domain name. This naming method is becoming more common because it allows the Directory Service to use the Domain Name System for location. Figure 1.2 shows an example of using the domain name-based LDAP directory tree.

In addition, LDAP uses a special attribute called objectclass to allow you to control which attribute must appear or be allowed to appear in an entry. The value of the objectclass attribute determines the schema rules that the entry must comply.

How is the information referenced? An entry is referenced through its DN. This dn is constructed in the following way: first obtain the name of the entry (relative DN, rdn), and then connect to the name of its ancestor. For example, the Barbara Jenkins entry in the Internet-based naming method in Figure 1.2 has an rdn: uid = Babs. And a DN: uid = Babs, ou = people, Dc = example, Dc = com. The full DN format is described in rfc2253 "Lightweight Directory Access Protocol (V3): UTF-8 string representation of distinguished names.

Figure 1.2: LDAP directory tree (Internet-based name)

How is the information accessed? LDAP defines the operations for querying and updating directories. It also provides operations to add and delete entries from the directory and change the entry name, although LDAP is used to search for information in the directory most of the time. The LDAP search operation allows you to search for a part of a directory to find entries that match the rules specified by a search filter. Then, you can obtain information from each entry that matches the rule.

For example, you need to search for the entire directory subtree in the DC = example, Dc = com entries, or below, and find a person named Barbara yansen, obtain the email address of each found entry. LDAP allows you to do this simply. Alternatively, you may need to search for entries that are directly under the ST = California, c = US entries and find an organization whose name contains the string Acme and has a fax number. LDAP also allows you to do this. The next section describes in detail what you can use LDAP to do and why it is useful to you.

How is information protected to deny unauthorized access? Some directory services provide Unprotected information that allows anyone to see. LDAP provides a mechanism for the client to authenticate, or to authenticate its identity to the Directory Server, paving the way for protecting the information contained by the server to provide rich access control. LDAP also supports confidentiality, integrity, and security services.

1.3. How does LDAP work?
LDAP directory is implemented based on the Client/Server mode. One or more LDAP servers contain data that forms the directory information tree (DIT. The client connects to the server and asks a question. The server returns an answer or a pointer to other information (usually another LDAP Server). No matter which LDAP server the client connects to, it will see the same directory view. The name submitted to an LDAP server will reference the same entry as the name of another LDAP server. This is a global directory service, such as an important feature of LDAP.

1.4. About X.500
Technically, LDAP is a Directory Access Protocol that accesses an X.500 Directory Service-OSI directory service. Initially, the LDAP client accesses the Directory Service through the gateway. The gateway runs LDAP (between the customer and the gateway) and X.500 Directory Access Protocol (DAP) (between the gateway and X.500 server ). Dap is a heavyweight protocol that runs on a secure OSI protocol stack and consumes a lot of computing resources. LDAP is designed to run on TCP/IP and provides the functions provided by most daps at a low cost.

Although LDAP can still be used to access the X.500 Directory Service through the gateway, LDAP is now more directly implemented on the X.500 server.

An independent LDAP daemon, or slapd (8), can be considered as a lightweight X.500 Directory Server. That is to say, it does not implement X.500 DAP. As a Lightweight Directory Server, slapd (8) only implements a subset of X.500 models.

If you have run an X.500 DAP server and want to continue, stop reading this guide. This Guide describes how to run LDAP through slapd (8) Without running X.500 DAP. If you do not run X.500 DAP, or want to stop running X.500 DAP, or you do not have a plan to run X.500 DAP immediately, continue to read.

It is feasible to copy data from an LDAP directory server to an X.500 dap dsa. This requires an LDAP/DAP gateway. Openldap does not provide such a gateway. However, our replication daemon can be used to replicate to such a gateway. See the "use slurpd for replication" section of this document for information on replication.

1.5. Differences between LDAP V2 and V3
Ldapv3 adds the following features:

¢ Use SASL for strength authentication;

Secret uses TLS (SSL) for integrity and security protection;

¢ Supports internationalization using Unicode;

References and persistence

¢ Scalability (Control and scaling operations)

Pipeline Support Mode discovery

It is problematic to support ldapv2 and V3 at the same time and should be avoided as much as possible. Ldapv3 contains all the features of ldapv2. Therefore, ldapv3 is recommended;

1.6 introduction and functions of slapd
Slapd (8) is a cross-platform LDAP server. You can use it to provide your own directory service. Your directory can contain any amount of information. You can connect it to a global LDAP directory service, or simply run a service on your own. Here are more features of slapd:

1.6.1 ldapv3:
Slapd implements LDAP v3. LDAP on IPv4 and IPv6 is also supported.

1.6.2. Simple authentication and security Layer
Slapd uses SASL to support the intensity authentication service. The SASL Implementation of slapd uses the Cyrus SASL software, which supports a large number of authentication mechanisms including DIGEST-MD5, external and gssapi.

1.6.3 Transport Layer Security
Slapd provides integrity and security protection by using TLS (or SSL. The TLS Implementation of slapd uses OpenSSL software.

1.6.4. Topology Control
Slapd allows the network topology to control access to the server. This feature uses TCP Wrappers.

1.6.5. Access Control
Slapd provides rich and powerful access control methods to control database information. You can control access to entries Based on LDAP authentication information, IP addresses, domain names, or other conditions. Slapd supports static and dynamic access control information.

1.6.6. Internationalization
Slapd supports Unicode and language markup.

1.6.7. Optional backend databases
Slapd can be integrated with different database backend support. Including bdb-high-performance transaction database, ldbm, lightweight DBM-based background database, Shell, background interface of various shell scripts, and passwd, a simple passwd (5) interface. Bdb uses the Berkeley DB 4 of sleepycat. Ldbm uses Berkeley dB or gdbm.

1.6.8. Multiple database instances
Slapd can be configured to use multiple databases at the same time. This means that a Server Load balancer can use the same or different background databases to respond to requests from multiple logically different LDAP part trees.

1.6.9. Common module APIs
If you need more customization, slapd allows you to easily write your own modules. Slapd consists of two clear parts: a front-end for Protocol Communication With LDAP clients, and some modules for processing specific tasks such as database operations. Because the two parts communicate with each other through a well-defined c api, you can write your own custom modules and use multiple methods to expand slapd. Slapd also provides multiple programmable database modules. These allow you to use a common programming language (Perl, Shell, SQL, and TCL) to open external data sources to slapd.

1.6.10. Thread
Slapd uses threads to achieve high performance. A single multi-threaded slapd process uses a thread pool to process all requests. This reduces the system load and shows high performance.

1.6.11. Copy
Slapd can be configured to maintain the copy of its database. This replication mode is required for a single primary server/multiple secondary servers in a high-throughput environment. At this time, a single slapd cannot provide the required availability and reliability. Slapd also includes an experimental support for replication of multiple master servers.

1.6.12. configurability
Slapd achieves high configuration through a single configuration file. This configuration file allows you to change anything you need. Configuration options have reasonable default options, which makes your work easier.

Of course, slapd also has its limitations. The main backend bdb databases cannot process range queries or nested queries well.

1.7. slurpd and its Functions
Slurpd (8) is a server daemon that helps slapd provide Replication Services. It is responsible for distributing modifications to the primary slapd database to copies of different slapd databases. It prevents Server Load balancer from considering that some copies may be down or inaccessible when changes occur. Slurpd automatically retries failed requests. Slapd and slurpd communicate with each other through a simple file used to record changes.

For more information about how to configure and run slurpd, see "Configure with slurpd.


 Original article addressHttp://


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.