How to install OpenLDAP with MySQL as backend data on Debian 6 64-bit

Tags: 

Linux

LDAP (Lightweight Directory Access Protocol) as its name, is a protocol to access to Directory Service. Well known LDAP is Active Directory that specific on Windows Server. But for the Linux one is OpenLDAP

Normally OpenLDAP will keep all the Directory data in LDIF File Format (sample) but version prior 2.0 OpenLDAP support back-sql that will keep data in RDBMS so we can import data directly from database to OpenLDAP.

This article will focus on install OpenLDAP with MySQL as backend data on Debian 6 64-bit. If I have time I will write more about how to create MySQL schema for OpenLDAP

  • We start with Install Debian 6 64-bit
  • slapd (OpenLDAP Server) that come with apt-get not supported back-sql. So we have to compile and install from source with these commands
apt-get install libssl-dev libdb-dev unixodbc-dev time
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.26.tgz
tar xvfz openldap-*.tgz
cd openldap-*
./configure --enable-sql
make depend
make
make install
  • And we will install MySQL Server and create user and database for OpenLDAP
apt-get install mysql-server libmyodbc
# put mysql root password and confirm password that you want
mysql -u root -p
# put mysql root password
CREATE USER 'openldap'@'localhost' IDENTIFIED BY 'yourpassword';
CREATE DATABASE IF NOT EXISTS openldap;
GRANT ALL PRIVILEGES ON openldap.* TO 'openldap'@'localhost';
FLUSH PRIVILEGES;
exit

Don't forget to change yourpassword

  • We will config ODBC that slapd can read from MySQL database. edit /etc/odbc.ini
[openldap]
Description         = Example for OpenLDAP's back-sql
Driver              = MySQL
Trace               = No
Database            = openldap
Servername          = localhost
UserName            = openldap
Password            = yourpassword
ReadOnly            = No
RowVersioning       = No
ShowSystemTables    = No
ShowOidColumn       = No
FakeOidIndex        = No
ConnSettings        =
SOCKET              = /var/run/mysqld/mysqld.sock
  • and edit /etc/odbcinst.ini
[MySQL]
Description     = ODBC for MySQL
Driver          = /usr/lib/odbc/libmyodbc.so
FileUsage       = 1
  • Try to import sample MySQL that come with openldap-2.4.26.tgz
cd servers/slapd/back-sql/rdbms_depend/mysql/
mysql -u openldap -p openldap < backsql_create.sql
mysql -u openldap -p openldap < testdb_create.sql
mysql -u openldap -p openldap < testdb_data.sql
mysql -u openldap -p openldap < testdb_metadata.sql
# put mysql openldap user
  • edit /usr/local/etc/openldap/slapd.conf
# $OpenLDAP$
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
 
# Define global ACLs to disable default read access.
 
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
 
pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args
 
#######################################################################
# sql database definitions
#######################################################################
 
database        sql
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
rootpw          rootpassword
dbname          openldap
dbuser          openldap
dbpasswd        yourpassword
subtree_cond    "ldap_entries.dn LIKE CONCAT('%',?)"
insentry_stmt   "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
has_ldapinfo_dn_ru      no

Don't forget to edit rootpassword to mysql openldap user password

  • Try to test by run slapd in debug mode and use ldapsearch to searching data in another windows
/usr/local/libexec/slapd -d 1
ldapsearch -x -D cn=root,dc=example,dc=com -w rootpassword -s sub -b "dc=example,dc=com" "(objectClass=*)"

If ldapsearch found the data. it will return

# numResponses: 8
# numEntries: 6
# numReferences: 1

But if ldapsearch can't find the data it will return only # numResponses: 1

  • Press Ctrl + c to exit slapd from debug mode. Then we will config slapd to start automatic when boot by create /etc/init.d/slapd24 file and put these lines
#!/bin/sh
### BEGIN INIT INFO
# Provides:          slapd24
# Required-Start:    $remote_fs $network $syslog
# Required-Stop:     $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: OpenLDAP standalone server (Lightweight Directory Access Protocol)
### END INIT INFO
 
# Specify path variable
PATH=/sbin:/usr/sbin:/bin:/usr/bin
 
. /lib/lsb/init-functions
 
# Kill me on all errors
set -e
 
# Set the paths to slapd as a variable so that someone who really
# wants to can override the path in /etc/default/slapd.
SLAPD=/usr/local/libexec/slapd
 
# Stop processing if slapd is not there
[ -x $SLAPD ] || exit 0
 
# debconf may have this file descriptor open and it makes things work a bit
# more reliably if we redirect it as a matter of course.  db_stop will take
# care of this, but this won't hurt.
exec 3>/dev/null
 
# Source the init script configuration
if [ -f "/etc/default/slapd" ]; then
        . /etc/default/slapd
fi
 
# Load the default location of the slapd config file
if [ -z "$SLAPD_CONF" ]; then
        if [ -e /etc/ldap/slapd.d ]; then
                SLAPD_CONF=/etc/ldap/slapd.d
        else
                SLAPD_CONF=/usr/local/etc/openldap/slapd.conf
        fi
fi
 
# Stop processing if the config file is not there
if [ ! -r "$SLAPD_CONF" ]; then
  log_warning_msg "No configuration file was found for slapd at $SLAPD_CONF."
  # if there is no config at all, we should assume slapd is not running
  # and exit 0 on stop so that unconfigured packages can be removed.
  [ "x$1" = xstop ] && exit 0 || exit 1
fi
 
# extend options depending on config type
if [ -f "$SLAPD_CONF" ]; then
        SLAPD_OPTIONS="-f $SLAPD_CONF $SLAPD_OPTIONS"
elif [ -d "$SLAPD_CONF" ] ; then
        SLAPD_OPTIONS="-F $SLAPD_CONF $SLAPD_OPTIONS"
fi
 
# Find out the name of slapd's pid file
if [ -z "$SLAPD_PIDFILE" ]; then
        # If using old one-file configuration scheme
        if [ -f "$SLAPD_CONF" ] ; then
                SLAPD_PIDFILE=`sed -ne 's/^pidfile[[:space:]]\+\(.\+\)/\1/p' \
                        "$SLAPD_CONF"`
        # Else, if using new directory configuration scheme
        elif [ -d "$SLAPD_CONF" ] ; then
                SLAPD_PIDFILE=`sed -ne \
                        's/^olcPidFile:[[:space:]]\+\(.\+\)[[:space:]]*/\1/p' \
                        "$SLAPD_CONF"/'cn=config.ldif'`
        fi
fi
 
# XXX: Breaks upgrading if there is no pidfile (invoke-rc.d stop will fail)
# -- Torsten
if [ -z "$SLAPD_PIDFILE" ]; then
        log_failure_msg "The pidfile for slapd has not been specified"
        exit 1
fi
 
# Make sure the pidfile directory exists with correct permissions
piddir=`dirname "$SLAPD_PIDFILE"`
if [ ! -d "$piddir" ]; then
        mkdir -p "$piddir"
        [ -z "$SLAPD_USER" ] || chown -R "$SLAPD_USER" "$piddir"
        [ -z "$SLAPD_GROUP" ] || chgrp -R "$SLAPD_GROUP" "$piddir"
fi
 
# Pass the user and group to run under to slapd
if [ "$SLAPD_USER" ]; then
        SLAPD_OPTIONS="-u $SLAPD_USER $SLAPD_OPTIONS"
fi
 
if [ "$SLAPD_GROUP" ]; then
        SLAPD_OPTIONS="-g $SLAPD_GROUP $SLAPD_OPTIONS"
fi
 
# Check whether we were configured to not start the services.
check_for_no_start() {
        if [ -n "$SLAPD_NO_START" ]; then
                echo 'Not starting slapd: SLAPD_NO_START set in /etc/default/slapd' >&2
                exit 0
        fi
        if [ -n "$SLAPD_SENTINEL_FILE" ] && [ -e "$SLAPD_SENTINEL_FILE" ]; then
                echo "Not starting slapd: $SLAPD_SENTINEL_FILE exists" >&2
                exit 0
        fi
}
 
# Tell the user that something went wrong and give some hints for
# resolving the problem.
report_failure() {
        log_end_msg 1
        if [ -n "$reason" ]; then
                log_failure_msg "$reason"
        else
                log_failure_msg "The operation failed but no output was produced."
 
                if [ -n "$SLAPD_OPTIONS" -o \
                     -n "$SLAPD_SERVICES" ]; then
                        if [ -z "$SLAPD_SERVICES" ]; then
                                if [ -n "$SLAPD_OPTIONS" ]; then
                                        log_failure_msg "Command line used: slapd $SLAPD_OPTIONS"
                                fi
                        else
                                log_failure_msg "Command line used: slapd -h '$SLAPD_SERVICES' $SLAPD_OPTIONS"
                        fi
                fi
        fi
}
 
# Start the slapd daemon and capture the error message if any to 
# $reason.
start_slapd() {
        if [ -z "$SLAPD_SERVICES" ]; then
                reason="`start-stop-daemon --start --quiet --oknodo \
                        --pidfile "$SLAPD_PIDFILE" \
                        --exec $SLAPD -- $SLAPD_OPTIONS 2>&1`"
        else
                reason="`start-stop-daemon --start --quiet --oknodo \
                        --pidfile "$SLAPD_PIDFILE" \
                        --exec $SLAPD -- -h "$SLAPD_SERVICES" $SLAPD_OPTIONS 2>&1`"
        fi
 
        # Backward compatibility with OpenLDAP 2.1 client libraries.
        if [ ! -h /var/run/ldapi ] && [ ! -e /var/run/ldapi ] ; then
                ln -s slapd/ldapi /var/run/ldapi
        fi
}
 
# Stop the slapd daemon and capture the error message (if any) to
# $reason.
stop_slapd() {
        reason="`start-stop-daemon --stop --quiet --oknodo --retry TERM/10 \
                --pidfile "$SLAPD_PIDFILE" \
                --exec $SLAPD 2>&1`"
}
 
# Start the OpenLDAP daemons
start_ldap() {
        trap 'report_failure' 0
        log_daemon_msg "Starting OpenLDAP" "slapd"
        start_slapd
        trap "-" 0
        log_end_msg 0
}
 
# Stop the OpenLDAP daemons
stop_ldap() {
        trap 'report_failure' 0
        log_daemon_msg "Stopping OpenLDAP" "slapd"
        stop_slapd
        trap "-" 0
        log_end_msg 0
}
 
case "$1" in
  start)
        check_for_no_start
        start_ldap ;;
  stop)
        stop_ldap ;;
  restart|force-reload)
        check_for_no_start
        stop_ldap
        start_ldap
        ;;
  status)
        status_of_proc -p $SLAPD_PIDFILE $SLAPD slapd
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac
  • Then run the command
update-rc.d slapd24 defaults
  • Test by reboot one time and test with ldapsearch and it should return the data correctly.

Comments

Thank You winggundamth Nice

Thank You winggundamth Nice Article. i configured Successfully can u tell me How to create user in Mysql database (LDAP user)?