OpenLDAP compilation and installation and configuration, openldap compilation Configuration

Source: Internet
Author: User
Tags ldap ldapsearch openldap

Original article published in cu:


1. Environment

Server: based on CentOS-7-x86_64-1511

Server IP:

2. Obtaining the software

OpenLDAP official website:

OpenLDAP 2.4.44:


Berkeley DB 5.1.29 (the current OpenLDAP release is not compatible with Berkeley DB 6.x; its README explicitly states that 4.4 ~ 4.8 or 5.0 ~ 5.1 are supported):


LDAP Administrator

LdapAdmin 2015.2:

Official website:


3. Preparation

1. Disable SELinux;

2. Open TCP ports 389 and 636 on the firewall.

# TCP 389 is OpenLDAP's plaintext port and TCP 636 is its SSL-encrypted port.

# CentOS 7 ships with the firewalld service by default; you can disable it and install iptables instead.

4. Install OpenLDAP

1. Dependency packages
# libtool-ltdl and libtool-ltdl-devel are required. If they are not installed, configure fails with: configure: error: could not locate libtool ltdl
[root@localhost ~]# yum install *ltdl* -y
2. Install BDB
# It must be compiled and installed from the build_unix directory of the unpacked source, otherwise an error is reported
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# tar -zxvf db-5.1.29.tar.gz
[root@localhost src]# cd db-5.1.29/build_unix/
[root@localhost build_unix]# ../dist/configure --prefix=/usr/local/berkeleydb-5.1.29
[root@localhost build_unix]# make
[root@localhost build_unix]# make install
3. Update the library path
# Ensure that the libraries under lib and the headers under include are found when OpenLDAP is compiled later
[root@localhost build_unix]# cd /usr/local/src/
[root@localhost src]# echo "/usr/local/berkeleydb-5.1.29/lib/" > /etc/
[root@localhost src]# ldconfig -v
4. Install OpenLDAP
# The compile options can be listed with ./configure --help;
# make test takes a long time;
# If CPPFLAGS is not set, configure may fail with: configure: error: BDB/HDB: BerkeleyDB not available, or: configure: error: BerkeleyDB version incompatible with BDB/HDB backends
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# tar -zxvf openldap-2.4.44.tgz
[root@localhost src]# cd openldap-2.4.44
[root@localhost openldap-2.4.44]# ./configure --prefix=/usr/local/openldap-2.4.44 --enable-syslog --enable-modules --enable-debug --with-tls CPPFLAGS=-I/usr/local/berkeleydb-5.1.29/include/ LDFLAGS=-L/usr/local/berkeleydb-5.1.29/lib/
[root@localhost openldap-2.4.44]# make depend
[root@localhost openldap-2.4.44]# make
[root@localhost openldap-2.4.44]# make test
[root@localhost openldap-2.4.44]# make install
5. Make the commands available
# Add soft links to the OpenLDAP client (bin) and server (sbin) executables; alternatively add the directories to PATH
[root@localhost openldap-2.4.44]# cd /usr/local/openldap-2.4.44
[root@localhost openldap-2.4.44]# ln -s /usr/local/openldap-2.4.44/bin/* /usr/local/bin/
[root@localhost openldap-2.4.44]# ln -s /usr/local/openldap-2.4.44/sbin/* /usr/local/sbin/
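The two configure errors quoted above both come from building against a Berkeley DB that is missing or outside the range OpenLDAP 2.4 accepts. The following script, added here as an example and not part of the original article, reads DB_VERSION_MAJOR/DB_VERSION_MINOR from <prefix>/include/db.h, checks them against the 4.4 ~ 4.8 / 5.0 ~ 5.1 range the README states, and derives the CPPFLAGS/LDFLAGS for configure. It assumes the prefix layout that --prefix=/usr/local/berkeleydb-5.1.29 produces (include/ and lib/ under the prefix); the fake prefixes in the demo are constructed for a self-contained run.

```shell
#!/bin/sh
# Added example, not from the original article: check that a Berkeley DB tree
# installed under a prefix is in the version range the OpenLDAP 2.4 README
# accepts (4.4 to 4.8, or 5.0 to 5.1), by reading DB_VERSION_MAJOR/MINOR from
# <prefix>/include/db.h, and derive the CPPFLAGS/LDFLAGS to pass to configure.
# The prefix layout (include/ and lib/ under the prefix) is assumed.

# bdb_version_ok PREFIX: prints "ok X.Y" and returns 0, or a reason and returns 1.
bdb_version_ok() {
  header="$1/include/db.h"
  if [ ! -r "$header" ]; then
    echo "missing $header"
    return 1
  fi
  major=$(sed -n 's/^#define[[:space:]]*DB_VERSION_MAJOR[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$header" | head -n 1)
  minor=$(sed -n 's/^#define[[:space:]]*DB_VERSION_MINOR[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$header" | head -n 1)
  if [ -z "$major" ] || [ -z "$minor" ]; then
    echo "unparsable $header"
    return 1
  fi
  case "$major.$minor" in
    4.[4-8] | 5.[01]) echo "ok $major.$minor"; return 0 ;;
    *) echo "incompatible $major.$minor"; return 1 ;;
  esac
}

# bdb_configure_flags PREFIX: the two variables the article appends to ./configure.
bdb_configure_flags() {
  echo "CPPFLAGS=-I$1/include LDFLAGS=-L$1/lib"
}

# Constructed fixture for a self-contained run: a fake prefix holding only the
# two #define lines the check needs (not a real Berkeley DB installation).
make_fake_prefix() {   # make_fake_prefix DIR MAJOR MINOR
  mkdir -p "$1/include"
  printf '#define DB_VERSION_MAJOR %s\n#define DB_VERSION_MINOR %s\n' "$2" "$3" > "$1/include/db.h"
}

# Demonstration: 5.1 passes, 6.0 (the version the article warns about) is rejected.
demo() {
  tmp=$(mktemp -d)
  make_fake_prefix "$tmp/db51" 5 1
  make_fake_prefix "$tmp/db60" 6 0
  bdb_version_ok "$tmp/db51" && bdb_configure_flags "$tmp/db51"
  bdb_version_ok "$tmp/db60" || echo "refusing to build OpenLDAP against $tmp/db60"
  rm -rf "$tmp"
}
demo
```

Run `bdb_version_ok /usr/local/berkeleydb-5.1.29` after `make install` of BDB and before `./configure` of OpenLDAP; a failing check is cheaper than discovering the incompatibility halfway through `make test`.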
5. Simple configuration

1. Directory structure of the installed openldap-2.4.44

After installation, the directories under the OpenLDAP prefix serve the following purposes:

bin/ -- client tools such as ldapadd and ldapsearch

etc/ -- the main configuration file slapd.conf, the schema directory, DB_CONFIG, and so on

libexec/ -- the server program slapd

sbin/ -- server tools such as slappasswd

var/ -- bdb data and log files

2. Configure the rootdn password (optional)
# Set the rootdn password; here it is 123456;
# This produces the rootdn password in hashed form. Copy the output to the rootpw line of the main configuration file.
[root@localhost ~]# cd /usr/local/openldap-2.4.44/
[root@localhost openldap-2.4.44]# slappasswd
New password:
Re-enter new password:
{SSHA}K9+WK/t1e0V0K6pUMOyTsaTwkDBNEDiP
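What slappasswd prints is a salted SHA-1 value: the password and a random 4-byte salt are hashed together, and the digest followed by the salt is base64-encoded behind the {SSHA} tag. Because the salt is stored with the digest, the value can be checked against a candidate password but not turned back into the password, which is why rootpw can hold it instead of the plaintext. The following shell script is an added example, not from the article and not slappasswd itself; it reimplements the format with openssl, base64 and od (assumed to be on PATH), taking the salt as an argument so the output is reproducible, and the demo salt is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: the {SSHA} format slappasswd
# prints, built and verified with openssl/base64/od (assumed on PATH):
#     {SSHA} base64( SHA1(password || salt) || salt )

# hex_to_bin HEX: write the bytes of a hex string to stdout using printf octal escapes.
hex_to_bin() {
  h=$1
  while [ -n "$h" ]; do
    pair=${h%"${h#??}"}
    h=${h#??}
    printf "\\$(printf '%03o' "$((0x$pair))")"
  done
}

# sha1_hex PASSWORD SALT_HEX: hex SHA-1 digest of the password followed by the salt bytes.
sha1_hex() {
  { printf '%s' "$1"; hex_to_bin "$2"; } | openssl dgst -sha1 -binary | od -An -tx1 -v | tr -d ' \n'
}

# ssha_make PASSWORD SALT_HEX: the {SSHA} string for that password and salt.
# slappasswd picks the 4-byte salt at random; here it is given as 8 hex digits.
ssha_make() {
  b64=$( { { printf '%s' "$1"; hex_to_bin "$2"; } | openssl dgst -sha1 -binary; hex_to_bin "$2"; } | base64 | tr -d '\n')
  printf '{SSHA}%s\n' "$b64"
}

# ssha_verify PASSWORD STORED: exit 0 if STORED ({SSHA}...) was made from PASSWORD.
ssha_verify() {
  stored=${2#"{SSHA}"}
  hex=$(printf '%s' "$stored" | base64 -d 2>/dev/null | od -An -tx1 -v | tr -d ' \n')
  [ "${#hex}" -gt 40 ] || return 1          # need 20 digest bytes plus a salt
  digest_hex=$(printf '%s' "$hex" | cut -c1-40)
  salt_hex=$(printf '%s' "$hex" | cut -c41-)
  [ "$(sha1_hex "$1" "$salt_hex")" = "$digest_hex" ]
}

# Demonstration with the article's password and a constructed salt.
demo() {
  h=$(ssha_make 123456 1a2b3c4d)
  echo "$h"
  ssha_verify 123456 "$h" && echo "123456 verifies"
  ssha_verify 654321 "$h" || echo "654321 does not verify"
}
demo
```

Two points worth keeping in mind when copying the value into slapd.conf: the hash is only as strong as the password behind it (a short numeric password like the one used here is recovered quickly by guessing), and slapd.conf itself should not be readable by other users, since whoever can read the hash can run exactly this verification offline.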
3. Main configuration file slapd.conf
[root@localhost openldap-2.4.44]# cd /usr/local/openldap-2.4.44/etc/openldap/
[root@localhost openldap]# vim slapd.conf
# In the original post, purple text marks unmodified lines, red text modified lines, and blue text newly added lines.

# By default only core.schema is included, and each further schema must be added explicitly. Here some of the schema files from the schema directory next to the configuration file are included;
include /usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/collective.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/corba.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/duaconf.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/java.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/misc.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/nis.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/openldap.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/pmi.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/ppolicy.schema

pidfile /usr/local/openldap-2.4.44/var/run/
argsfile /usr/local/openldap-2.4.44/var/run/slapd.args

# Add the log level and the log file path. This requires --enable-debug at compile time, otherwise no debug output reaches the log file;
loglevel 256
logfile /usr/local/openldap-2.4.44/var/slapd.log

# mdb is used as the back-end database here; it can also be changed to bdb. Section 11.4 LMDB of the OpenLDAP documentation describes mdb as the recommended back end;
database mdb

# With mdb as the back end a maximum size must be set. The official documentation says: "In addition to the usual parameters that a minimal configuration requires, the mdb backend requires a maximum size to be set. This should be the largest that the database is ever anticipated to grow (in bytes). The filesystem must also provide enough free space to accommodate this size." With bdb as the back end this parameter must be commented out;
maxsize 1073741824

# Change the domain name and the administrator account name;
suffix "dc=sys,dc=com"
rootdn "cn=admin,dc=sys,dc=com"

# Use the hashed password, i.e. the value generated by slappasswd above;
rootpw {SSHA}K9+WK/t1e0V0K6pUMOyTsaTwkDBNEDiP

# OpenLDAP data directory. With mdb, data.mdb and lock.mdb are created in this directory; with bdb, dn2id.bdb, id2entry.bdb and several __db.00* files are created.
directory /usr/local/openldap-2.4.44/var/openldap-data

index objectClass eq
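Several of the settings above interact: maxsize is mandatory for mdb but must be absent for bdb, rootpw should be the hashed slappasswd output rather than the plaintext, and slapd.conf(5) notes that rootpw only applies when rootdn lies within the suffix. The following script, added here as an example and not part of the article, lints a slapd.conf for exactly those points plus the file's permissions before slapd is started. The directive names are the real ones used above; the sample configuration written by write_sample_conf is constructed for the demo, and the permission check relies on ls -l output.

```shell
#!/bin/sh
# Added example, not from the original article: a small lint for the slapd.conf
# directives edited in this section, to run before starting slapd. It reports
#   - a rootpw that is not a "{SCHEME}..." value as printed by slappasswd (i.e. plaintext),
#   - a rootdn outside suffix (slapd.conf(5): rootpw only applies when rootdn is within the suffix),
#   - database mdb without maxsize, or bdb/hdb with a maxsize directive that does not apply,
#   - a missing suffix, rootdn or directory,
#   - a configuration file readable by group or others (it contains rootpw).

# conf_value FILE DIRECTIVE: value of the first uncommented DIRECTIVE line, quotes stripped.
conf_value() {
  v=$(sed -n "s/^$2[[:space:]][[:space:]]*//p" "$1" | head -n 1)
  v=${v%\"}; v=${v#\"}
  printf '%s\n' "$v"
}

# dn_norm DN: lower-case and drop spaces around "," and "=" so DNs written
# as "dc = sys, dc = com" and "dc=sys,dc=com" compare equal.
dn_norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*\([,=]\)[[:space:]]*/\1/g'; }

# lint_slapd_conf FILE: one line per finding, exit status 1 if any.
lint_slapd_conf() {
  f=$1; rc=0
  db=$(conf_value "$f" database)
  maxsize=$(conf_value "$f" maxsize)
  suffix=$(conf_value "$f" suffix)
  rootdn=$(conf_value "$f" rootdn)
  rootpw=$(conf_value "$f" rootpw)
  dir=$(conf_value "$f" directory)

  case "$rootpw" in
    '') ;;                                   # rootpw is optional
    '{'*'}'*) ;;                             # "{SSHA}...", as slappasswd prints
    *) echo "rootpw: plaintext value, use the {SSHA} output of slappasswd"; rc=1 ;;
  esac
  case "$db" in
    mdb)     [ -n "$maxsize" ] || { echo "maxsize: required for database mdb"; rc=1; } ;;
    bdb|hdb) [ -z "$maxsize" ] || { echo "maxsize: only for mdb, comment it out for $db"; rc=1; } ;;
    '')      echo "database: no backend configured"; rc=1 ;;
  esac
  [ -n "$suffix" ] || { echo "suffix: not set"; rc=1; }
  [ -n "$rootdn" ] || { echo "rootdn: not set"; rc=1; }
  [ -n "$dir" ]    || { echo "directory: not set"; rc=1; }
  if [ -n "$suffix" ] && [ -n "$rootdn" ] && [ -n "$rootpw" ]; then
    nsuffix=$(dn_norm "$suffix"); nrootdn=$(dn_norm "$rootdn")
    case "$nrootdn" in
      *"$nsuffix") ;;
      *) echo "rootdn: '$rootdn' is not under suffix '$suffix', so rootpw is ignored"; rc=1 ;;
    esac
  fi
  case "$(ls -ld "$f" | cut -c5-10)" in
    *r*) echo "permissions: $f is readable by group/others, chmod 600 it"; rc=1 ;;
  esac
  return $rc
}

# write_sample_conf FILE ROOTPW: constructed slapd.conf with the article's values.
write_sample_conf() {
  cat > "$1" <<EOF
include /usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
loglevel 256
database mdb
maxsize 1073741824
suffix "dc=sys,dc=com"
rootdn "cn=admin,dc=sys,dc=com"
rootpw $2
directory /usr/local/openldap-2.4.44/var/openldap-data
index objectClass eq
EOF
  chmod 600 "$1"
}

demo() {
  tmp=$(mktemp -d)
  write_sample_conf "$tmp/good.conf" '{SSHA}K9+WK/t1e0V0K6pUMOyTsaTwkDBNEDiP'
  lint_slapd_conf "$tmp/good.conf" && echo "good.conf: no findings"
  write_sample_conf "$tmp/bad.conf" 123456       # plaintext rootpw
  chmod 644 "$tmp/bad.conf"
  lint_slapd_conf "$tmp/bad.conf" || echo "bad.conf: fix the findings above"
  rm -rf "$tmp"
}
demo
```

This is a complement to, not a replacement for, slapd's own syntax check (`slaptest -f slapd.conf -u`): slaptest validates that the file parses, while the lint above catches settings that parse fine but leave the server weaker or make the rootdn bind fail.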
4. Initialize OpenLDAP (optional)
# If mdb is the back-end database this step can be skipped; DB_CONFIG is only used by the bdb/hdb back ends;
# It goes together with the main configuration file, which selects bdb and sets the data storage path.
[root@localhost openldap]# cd /usr/local/openldap-2.4.44/var/openldap-data/
[root@localhost openldap-data]# cp DB_CONFIG.example DB_CONFIG
5. Start OpenLDAP
# Run directly in the background;
# Non-root users cannot listen on ports 1 ~ 1024. If you run slapd as a non-root user, you may need to change the service port.
[root@localhost ~]# /usr/local/openldap-2.4.44/libexec/slapd

# Run in the foreground and print debug information
[root@localhost ~]# /usr/local/openldap-2.4.44/libexec/slapd -d 256
6. Verify
[root@localhost ~]# ldapsearch -x -b '' -s base '(objectclass=*)'
# Or: [root@localhost ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# Or use netstat -tunlp | grep 389, ps -ef | grep slapd, ps aux | grep slapd, and so on.
The following output indicates that openldap has started successfully:

6. Simple use (example)

1. Create the administrator account: edit the ldif file
# Note that it must match slapd.conf; the same applies to the command below.
# I had written "admin" as "amdin" in the ldapadd command below, which is why the error "ldap_bind: Invalid credentials (49)" kept being reported. I only just found it.
[root@localhost ~]# vim test.ldif

dn: dc=sys,dc=com
objectclass: dcObject
objectclass: organization
o: SYS.Inc
dc: sys

dn: cn=admin,dc=sys,dc=com
objectclass: organizationalRole
cn: admin
Insert into the database
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=sys,dc=com" -W -f test.ldif

You can see that the account has been added to LDAP:

[root@localhost ~]# ldapsearch -x -b 'dc=sys,dc=com' '(objectClass=*)'

2. Create an employee with a department attribute: edit the ldif file
# This actually creates a department "it" first and then an employee in the "it" department, i.e. two operations
[root@localhost ~]# vim test2.ldif

dn: ou=it,dc=sys,dc=com
ou: it
objectClass: organizationalUnit

dn: cn=test1,ou=it,dc=sys,dc=com
ou: it
cn: test1
sn: t1
objectClass: inetOrgPerson
objectClass: organizationalPerson
Insert into the database
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=sys,dc=com" -W -f test2.ldif

You can see that the employee account has been added to LDAP:

[root@localhost ~]# ldapsearch -x -b 'dc=sys,dc=com' '(objectClass=*)'
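Both ldapadd runs in sections 1 and 2 depend on two things lining up with slapd.conf: the -D bind DN must be the rootdn (the "amdin" typo mentioned above produces "Invalid credentials (49)"), and every dn: in the file must sit under the suffix and carry its RDN value as an attribute (cn: admin, ou: it, cn: test1 above), which slapd otherwise rejects as a naming violation. The following script is an added example, not from the article, that performs both checks locally before anything is sent to the server; DN comparison is case-insensitive with the spaces around "," and "=" removed, and the LDIF samples in write_samples are constructed (they merge the article's two files and add the typo).

```shell
#!/bin/sh
# Added example, not from the original article: offline checks for the bind DN
# and the LDIF entries before running ldapadd. Sample LDIF below is constructed.

# dn_norm DN: lower-case and drop spaces around "," and "=".
dn_norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*\([,=]\)[[:space:]]*/\1/g'; }

# check_bind_dn BIND_DN ROOTDN: exit 0 if they name the same entry.
check_bind_dn() {
  [ "$(dn_norm "$1")" = "$(dn_norm "$2")" ]
}

# check_ldif FILE SUFFIX: one line per problem, exit status 1 if any. Flags
# entries outside SUFFIX and entries whose first RDN (e.g. cn=test1) has no
# matching attribute line (slapd: naming violation).
check_ldif() {
  awk -v suffix="$(dn_norm "$2")" '
    function norm(s) {
      s = tolower(s)
      gsub(/[ \t]*,[ \t]*/, ",", s)
      gsub(/[ \t]*=[ \t]*/, "=", s)
      return s
    }
    function flush(    rdn, attr, val, k) {
      if (dn == "") return
      if (substr(dn, length(dn) - length(suffix) + 1) != suffix) {
        print "dn " dn ": not under suffix " suffix; bad = 1
      }
      rdn = dn; sub(/,.*/, "", rdn)           # first RDN, e.g. cn=test1
      attr = rdn; sub(/=.*/, "", attr)
      val = rdn; sub(/^[^=]*=/, "", val)
      if (!((attr "=" val) in seen)) {
        print "dn " dn ": entry has no " attr ": " val " attribute (naming violation)"; bad = 1
      }
      dn = ""
      for (k in seen) delete seen[k]
    }
    BEGIN { bad = 0 }
    /^dn:/  { flush(); d = substr($0, 4); sub(/^[ \t]+/, "", d); dn = norm(d); next }
    /^$/    { flush(); next }
    /^#/    { next }
    /^[^:]+:/ {
      a = tolower($0); sub(/:.*/, "", a)
      v = $0; sub(/^[^:]*:[ \t]*/, "", v)
      seen[a "=" tolower(v)] = 1
      next
    }
    END { flush(); exit bad }
  ' "$1"
}

# write_samples DIR: constructed good.ldif (the article's entries) and bad.ldif (the typo plus a foreign DN).
write_samples() {
  cat > "$1/good.ldif" <<'EOF'
dn: dc=sys,dc=com
objectclass: dcObject
objectclass: organization
o: SYS.Inc
dc: sys

dn: ou=it,dc=sys,dc=com
ou: it
objectClass: organizationalUnit

dn: cn=test1,ou=it,dc=sys,dc=com
ou: it
cn: test1
sn: t1
objectClass: inetOrgPerson
objectClass: organizationalPerson
EOF
  cat > "$1/bad.ldif" <<'EOF'
dn: cn=amdin,dc=sys,dc=com
objectclass: organizationalRole
cn: admin

dn: cn=x,dc=other,dc=com
cn: x
EOF
}

demo() {
  tmp=$(mktemp -d); write_samples "$tmp"
  check_ldif "$tmp/good.ldif" "dc=sys,dc=com" && echo "good.ldif: ok"
  check_ldif "$tmp/bad.ldif" "dc=sys,dc=com" || echo "bad.ldif: rejected"
  check_bind_dn "cn=amdin,dc=sys,dc=com" "cn=admin,dc=sys,dc=com" || echo "bind DN does not match rootdn"
  rm -rf "$tmp"
}
demo
```

Use `check_bind_dn "$DN" "$(sed -n 's/^rootdn[[:space:]]*//p' slapd.conf | tr -d '"')"` to compare the DN you are about to pass to -D with the configured rootdn; a mismatch there is a typo on the client, not a server problem, and needs no slapd debug run to diagnose.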


3. ldapadmin

Run ldapadmin.

Create a connection profile:

New -> New Profile, or Ctrl+P in the main window;

Enter the profile name (any name will do), then Next;

Enter the host address. The default port is 389 (check that port 389 is allowed through iptables);

BaseDN is empty by default, which starts the view at the root node. If you do not want to display the root node, pick a specific first-level base from the drop-down list at the end of the field. Next;

Select "Other credentials",

Select "Simple",

Enter "cn=admin,dc=sys,dc=com",

Enter the password in the Password field, tick the option to save it, and click "Finish" to create the profile.


7. Appendix

1. Common object attributes

LDAP defines attributes (such as commonName and surname) for the objects commonly found in an organization's personnel directory. The following are some frequently used ones:

Attribute name | Attribute alias | Syntax           | Description                    | Value (example)
               |                 | Directory String |                                |
               |                 | Directory String | Last name                      |
               |                 | Directory String | Organization (department) name |
               |                 | Directory String | Organization (company) name    |
               |                 | Telephone Number | Phone number                   |

Built-in attributes


2. ldif file example

