Linux
LDAP (Lightweight Directory Access Protocol) as its name, is a protocol to access to Directory Service. Well known LDAP is Active Directory that specific on Windows Server. But for the Linux one is OpenLDAP
Normally OpenLDAP will keep all the Directory data in LDIF File Format (sample) but version prior 2.0 OpenLDAP support back-sql that will keep data in RDBMS so we can import data directly from database to OpenLDAP.
This article will focus on install OpenLDAP with MySQL as backend data on Debian 6 64-bit. If I have time I will write more about how to create MySQL schema for OpenLDAP
- We start with Install Debian 6 64-bit
- slapd (OpenLDAP Server) that come with apt-get not supported back-sql. So we have to compile and install from source with these commands
apt-get install libssl-dev libdb-dev unixodbc-dev time wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.26.tgz tar xvfz openldap-*.tgz cd openldap-* ./configure --enable-sql make depend make make install
- And we will install MySQL Server and create user and database for OpenLDAP
apt-get install mysql-server libmyodbc # put mysql root password and confirm password that you want mysql -u root -p # put mysql root password
CREATE USER 'openldap'@'localhost' IDENTIFIED BY 'yourpassword'; CREATE DATABASE IF NOT EXISTS openldap; GRANT ALL PRIVILEGES ON openldap.* TO 'openldap'@'localhost'; FLUSH PRIVILEGES; exit
Don't forget to change yourpassword
- We will config ODBC that slapd can read from MySQL database. edit /etc/odbc.ini
[openldap] Description = Example for OpenLDAP's back-sql Driver = MySQL Trace = No Database = openldap Servername = localhost UserName = openldap Password = yourpassword ReadOnly = No RowVersioning = No ShowSystemTables = No ShowOidColumn = No FakeOidIndex = No ConnSettings = SOCKET = /var/run/mysqld/mysqld.sock
- and edit /etc/odbcinst.ini
[MySQL] Description = ODBC for MySQL Driver = /usr/lib/odbc/libmyodbc.so FileUsage = 1
- Try to import sample MySQL that come with openldap-2.4.26.tgz
cd servers/slapd/back-sql/rdbms_depend/mysql/ mysql -u openldap -p openldap < backsql_create.sql mysql -u openldap -p openldap < testdb_create.sql mysql -u openldap -p openldap < testdb_data.sql mysql -u openldap -p openldap < testdb_metadata.sql # put mysql openldap user
- edit /usr/local/etc/openldap/slapd.conf
# $OpenLDAP$
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
#######################################################################
# sql database definitions
#######################################################################
database sql
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw rootpassword
dbname openldap
dbuser openldap
dbpasswd yourpassword
subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
has_ldapinfo_dn_ru noDon't forget to edit rootpassword to mysql openldap user password
- Try to test by run slapd in debug mode and use ldapsearch to searching data in another windows
/usr/local/libexec/slapd -d 1 ldapsearch -x -D cn=root,dc=example,dc=com -w rootpassword -s sub -b "dc=example,dc=com" "(objectClass=*)"
If ldapsearch found the data. it will return
# numResponses: 8 # numEntries: 6 # numReferences: 1
But if ldapsearch can't find the data it will return only # numResponses: 1
- Press Ctrl + c to exit slapd from debug mode. Then we will config slapd to start automatic when boot by create /etc/init.d/slapd24 file and put these lines
#!/bin/sh ### BEGIN INIT INFO # Provides: slapd24 # Required-Start: $remote_fs $network $syslog # Required-Stop: $remote_fs $network $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: OpenLDAP standalone server (Lightweight Directory Access Protocol) ### END INIT INFO # Specify path variable PATH=/sbin:/usr/sbin:/bin:/usr/bin . /lib/lsb/init-functions # Kill me on all errors set -e # Set the paths to slapd as a variable so that someone who really # wants to can override the path in /etc/default/slapd. SLAPD=/usr/local/libexec/slapd # Stop processing if slapd is not there [ -x $SLAPD ] || exit 0 # debconf may have this file descriptor open and it makes things work a bit # more reliably if we redirect it as a matter of course. db_stop will take # care of this, but this won't hurt. exec 3>/dev/null # Source the init script configuration if [ -f "/etc/default/slapd" ]; then . /etc/default/slapd fi # Load the default location of the slapd config file if [ -z "$SLAPD_CONF" ]; then if [ -e /etc/ldap/slapd.d ]; then SLAPD_CONF=/etc/ldap/slapd.d else SLAPD_CONF=/usr/local/etc/openldap/slapd.conf fi fi # Stop processing if the config file is not there if [ ! -r "$SLAPD_CONF" ]; then log_warning_msg "No configuration file was found for slapd at $SLAPD_CONF." # if there is no config at all, we should assume slapd is not running # and exit 0 on stop so that unconfigured packages can be removed. [ "x$1" = xstop ] && exit 0 || exit 1 fi # extend options depending on config type if [ -f "$SLAPD_CONF" ]; then SLAPD_OPTIONS="-f $SLAPD_CONF $SLAPD_OPTIONS" elif [ -d "$SLAPD_CONF" ] ; then SLAPD_OPTIONS="-F $SLAPD_CONF $SLAPD_OPTIONS" fi # Find out the name of slapd's pid file if [ -z "$SLAPD_PIDFILE" ]; then # If using old one-file configuration scheme if [ -f "$SLAPD_CONF" ] ; then SLAPD_PIDFILE=`sed -ne 's/^pidfile[[:space:]]\+\(.\+\)/\1/p' \ "$SLAPD_CONF"` # Else, if using new directory configuration scheme elif [ -d "$SLAPD_CONF" ] ; then SLAPD_PIDFILE=`sed -ne \ 's/^olcPidFile:[[:space:]]\+\(.\+\)[[:space:]]*/\1/p' \ "$SLAPD_CONF"/'cn=config.ldif'` fi fi # XXX: Breaks upgrading if there is no pidfile (invoke-rc.d stop will fail) # -- Torsten if [ -z "$SLAPD_PIDFILE" ]; then log_failure_msg "The pidfile for slapd has not been specified" exit 1 fi # Make sure the pidfile directory exists with correct permissions piddir=`dirname "$SLAPD_PIDFILE"` if [ ! -d "$piddir" ]; then mkdir -p "$piddir" [ -z "$SLAPD_USER" ] || chown -R "$SLAPD_USER" "$piddir" [ -z "$SLAPD_GROUP" ] || chgrp -R "$SLAPD_GROUP" "$piddir" fi # Pass the user and group to run under to slapd if [ "$SLAPD_USER" ]; then SLAPD_OPTIONS="-u $SLAPD_USER $SLAPD_OPTIONS" fi if [ "$SLAPD_GROUP" ]; then SLAPD_OPTIONS="-g $SLAPD_GROUP $SLAPD_OPTIONS" fi # Check whether we were configured to not start the services. check_for_no_start() { if [ -n "$SLAPD_NO_START" ]; then echo 'Not starting slapd: SLAPD_NO_START set in /etc/default/slapd' >&2 exit 0 fi if [ -n "$SLAPD_SENTINEL_FILE" ] && [ -e "$SLAPD_SENTINEL_FILE" ]; then echo "Not starting slapd: $SLAPD_SENTINEL_FILE exists" >&2 exit 0 fi } # Tell the user that something went wrong and give some hints for # resolving the problem. report_failure() { log_end_msg 1 if [ -n "$reason" ]; then log_failure_msg "$reason" else log_failure_msg "The operation failed but no output was produced." if [ -n "$SLAPD_OPTIONS" -o \ -n "$SLAPD_SERVICES" ]; then if [ -z "$SLAPD_SERVICES" ]; then if [ -n "$SLAPD_OPTIONS" ]; then log_failure_msg "Command line used: slapd $SLAPD_OPTIONS" fi else log_failure_msg "Command line used: slapd -h '$SLAPD_SERVICES' $SLAPD_OPTIONS" fi fi fi } # Start the slapd daemon and capture the error message if any to # $reason. start_slapd() { if [ -z "$SLAPD_SERVICES" ]; then reason="`start-stop-daemon --start --quiet --oknodo \ --pidfile "$SLAPD_PIDFILE" \ --exec $SLAPD -- $SLAPD_OPTIONS 2>&1`" else reason="`start-stop-daemon --start --quiet --oknodo \ --pidfile "$SLAPD_PIDFILE" \ --exec $SLAPD -- -h "$SLAPD_SERVICES" $SLAPD_OPTIONS 2>&1`" fi # Backward compatibility with OpenLDAP 2.1 client libraries. if [ ! -h /var/run/ldapi ] && [ ! -e /var/run/ldapi ] ; then ln -s slapd/ldapi /var/run/ldapi fi } # Stop the slapd daemon and capture the error message (if any) to # $reason. stop_slapd() { reason="`start-stop-daemon --stop --quiet --oknodo --retry TERM/10 \ --pidfile "$SLAPD_PIDFILE" \ --exec $SLAPD 2>&1`" } # Start the OpenLDAP daemons start_ldap() { trap 'report_failure' 0 log_daemon_msg "Starting OpenLDAP" "slapd" start_slapd trap "-" 0 log_end_msg 0 } # Stop the OpenLDAP daemons stop_ldap() { trap 'report_failure' 0 log_daemon_msg "Stopping OpenLDAP" "slapd" stop_slapd trap "-" 0 log_end_msg 0 } case "$1" in start) check_for_no_start start_ldap ;; stop) stop_ldap ;; restart|force-reload) check_for_no_start stop_ldap start_ldap ;; status) status_of_proc -p $SLAPD_PIDFILE $SLAPD slapd ;; *) echo "Usage: $0 {start|stop|restart|force-reload|status}" exit 1 ;; esac
- Then run the command
update-rc.d slapd24 defaults
- Test by reboot one time and test with ldapsearch and it should return the data correctly.
Comments
Thank You winggundamth Nice
Thank You winggundamth Nice Article. i configured Successfully can u tell me How to create user in Mysql database (LDAP user)?
It depends on MySQL structure
It depends on MySQL structure. For this tutorial I'm just showing how to install with sample data.
I read how to create MySQL structure for OpenLDAP here http://www.flatmtn.com/article/setting-ldap-back-sql.