Official Red Hat Linux Administrators Guide

OpenLDAP configuration files are installed into the /etc/openldap/ directory. The following list briefly highlights the most important directories and files:

slapd.conf

In order to use the slapd LDAP server, you need to modify its configuration file, /etc/openldap/slapd.conf, to make it specific to your domain and server. The suffix line names the domain for which the LDAP server will provide information. The suffix line should be changed from:

suffix "dc=your-domain,dc=com"

so that it reflects your domain name. For example:

suffix "dc=example,dc=com"

The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value to something like the example below:

rootdn "cn=root,dc=example,dc=com"

Change the rootpw line to something like the example below:

rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u

In the rootpw example, you are using an encrypted root password, which is a much better idea than leaving a plaintext root password in the slapd.conf file. To make this encrypted string, type the following command:

slappasswd

You will be prompted to type and then retype a password. The program prints the resulting encrypted password to the terminal.

Warning

LDAP passwords, including the rootpw directive specified in /etc/openldap/slapd.conf, are sent over the network in plaintext unless you enable TLS encryption. For added security, the rootpw directive should be used only if the initial configuration and population of the LDAP directory occur over a network. After the task is completed, it is best to comment out the rootpw directive by preceding it with a hash mark (#).

Tip

If you are using the slapadd command-line tool locally to populate the LDAP directory, using the rootpw directive is not necessary.
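The following Python module is an added example, not part of the Red Hat guide or of OpenLDAP itself. It reimplements the {SSHA} scheme that slappasswd uses for the rootpw value shown above (base64 of a SHA-1 digest over password plus salt, followed by the salt) so that the structure of such a value can be inspected and a candidate password can be verified against it. The function and constant names are this example's own; the 4-byte salt length is an assumption matching what slappasswd emits by default. Use slappasswd itself to produce the value you put into slapd.conf.

```python
"""Generate, parse and verify {SSHA} password hashes in slappasswd's format.

Added example, not code from the Red Hat guide or the OpenLDAP project.
"""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_DIGEST_LEN = 20   # SHA-1 digest size in bytes
SALT_LEN = 4           # assumption: slappasswd's default salt length


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt).

    A fresh random salt is drawn when none is supplied, so two hashes of the
    same password differ; that is what keeps precomputed tables from working.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value):
    """Split an {SSHA} string into (digest, salt); raise ValueError if malformed."""
    if not value.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len(SSHA_PREFIX):], validate=True)
    if len(raw) <= SHA1_DIGEST_LEN:
        raise ValueError("decoded value too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]


def ssha_verify(password, value):
    """Recompute the salted digest for the candidate and compare in constant time."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_hashed_rootpw(value):
    """True when a rootpw value carries a {SCHEME} prefix rather than being cleartext."""
    return value.startswith("{") and "}" in value


if __name__ == "__main__":
    # Constructed demonstration password; the hash changes on every run because of the salt.
    stored = ssha_hash("demo-password")
    print(stored)
    print("verify correct:", ssha_verify("demo-password", stored))
    print("verify wrong:  ", ssha_verify("other", stored))
    digest, salt = parse_ssha("{SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u")  # value from the guide
    print("digest bytes:", len(digest), "salt bytes:", len(salt))
```

Parsing the guide's own rootpw value shows the layout: 32 base64 characters decode to 24 bytes, a 20-byte SHA-1 digest followed by a 4-byte salt. The verify function is how slapd checks a simple bind against a hashed userPassword or rootpw; the constant-time comparison avoids leaking how many leading bytes matched.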

The /etc/openldap/schema/ Directory

The /etc/openldap/schema/ directory holds LDAP definitions, previously located in the slapd.at.conf and slapd.oc.conf files. All attribute syntax definitions and objectclass definitions are now located in the different schema files. The various schema files are referenced in /etc/openldap/slapd.conf using include lines, as shown in this example:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/rfc822-MailMember.schema
include /etc/openldap/schema/autofs.schema
include /etc/openldap/schema/kerberosobject.schema

Warning

You should not modify any of the schema items defined in the schema files installed by OpenLDAP.

You can extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. To do this, create a local.schema file in the /etc/openldap/schema directory. Reference this new schema within slapd.conf by adding the following line below your default include schema lines:

include /etc/openldap/schema/local.schema

Next, go about defining your new attribute types and object classes within the local.schema file. Many organizations use existing attribute types and object classes from the schema files installed by default and modify them for use in the local.schema file. This method can help you to learn the schema syntax while meeting the immediate needs of your organization.
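The following Python script is an added example, not part of the Red Hat guide or of OpenLDAP. It pulls the include, suffix, rootdn and rootpw directives out of a slapd.conf text and reports the things this chapter tells you to check: a suffix left at its placeholder value, a rootdn that does not sit inside the served suffix as in the guide's example, a rootpw kept in cleartext, a rootpw directive still active after the directory has been populated, and schema include order (core.schema first, local.schema after the stock schema files). The configuration text it reads is constructed for the example; the function names are the example's own.

```python
"""Lint the slapd.conf directives discussed in this chapter.

Added example, not code from the Red Hat guide or the OpenLDAP project.
"""

# Constructed sample resembling the state of slapd.conf while the directory
# is being populated over the network (rootpw still active).
SAMPLE_SLAPD_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/local.schema

database ldbm
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
"""

# Same file after following the guide's advice to comment rootpw out.
HARDENED_SLAPD_CONF = SAMPLE_SLAPD_CONF.replace("\nrootpw ", "\n# rootpw ")

PLACEHOLDER_SUFFIX = "dc=your-domain,dc=com"


def parse_slapd_conf(text):
    """Return a list of (directive, value, active) tuples.

    Lines starting with '#' are parsed too but marked inactive, so a commented
    rootpw can be told apart from one that is still in force.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        active = not line.startswith("#")
        if not active:
            line = line.lstrip("#").strip()
            if not line:
                continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        entries.append((name, value, active))
    return entries


def _dn_components(dn):
    return [c.strip().lower() for c in dn.split(",") if c.strip()]


def dn_is_under(child, parent):
    """True when child equals parent or lies below it in the directory tree."""
    c, p = _dn_components(child), _dn_components(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def lint_slapd_conf(text):
    """Return a list of human-readable findings; an empty list means no problems."""
    findings = []
    active = {}
    includes = []
    for name, value, is_active in parse_slapd_conf(text):
        if not is_active:
            continue
        if name == "include":
            includes.append(value.rsplit("/", 1)[-1])   # keep just the file name
        else:
            active[name] = value

    # Schema ordering: core.schema defines attributes the others depend on,
    # and the chapter places local.schema below the default include lines.
    if "core.schema" not in includes:
        findings.append("core.schema is not included; other schema files depend on it")
    elif includes[0] != "core.schema":
        findings.append("core.schema should be the first include")
    if "local.schema" in includes:
        after_local = includes[includes.index("local.schema") + 1:]
        if any(s != "local.schema" for s in after_local):
            findings.append("local.schema should be included after the stock schema files")

    suffix = active.get("suffix")
    rootdn = active.get("rootdn")
    rootpw = active.get("rootpw")
    if not suffix or suffix == PLACEHOLDER_SUFFIX:
        findings.append("suffix still has the placeholder value")
    if rootdn and suffix and not dn_is_under(rootdn, suffix):
        findings.append("rootdn is not within the suffix")
    if rootpw is not None:
        if not rootpw.startswith("{"):
            findings.append("rootpw is stored in cleartext")
        findings.append("rootpw is active; comment it out once the directory is populated")
    return findings


if __name__ == "__main__":
    for label, conf in (("populating", SAMPLE_SLAPD_CONF), ("hardened", HARDENED_SLAPD_CONF)):
        print(label + ":", lint_slapd_conf(conf) or "no findings")
```

Run it as a file and it lints both constructed configurations; point `lint_slapd_conf` at the contents of a real /etc/openldap/slapd.conf to apply the same checks there. The rootdn check follows the layout this chapter uses, rootdn beneath the suffix it administers, and is reported as a finding rather than treated as a syntax error.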

Extending schema to match certain specialized requirements is quite involved and beyond the scope of this chapter. Visit http://www.openldap.org/doc/admin/schema.html for information on writing new schema files.
