openldap-2.3 on CentOS5 Tutorial

I had to get a dummy openldap setup that had “mail” as one of it’s attributes for the records. I specifically needed all the records to live in the root ou, meaning no Organizational Units, just the root, then all the records. Like this:

dn: cn=1,dc=example,dc=com
cn: 1
objectClass: top
objectClass: dkuser
mail: someemail1@somedomain1.com
mailHost: somesmtphostname1:25

dn: cn=2,dc=example,dc=com
cn: 2
objectClass: top
objectClass: dkuser
mail: someemail2@somedomain2.com
mailHost: somesmtphostname2:25

…. and so on.
It was hard to find a step by step instruction set.  So, in this tutorial, I’ll give you command by command steps to install, configure and load openldap on a CentOS5 OS.
First, install the packages with Yum:
yum install openldap openldap-clients openldap-servers nss_ldap python-ldap

Next, set ldap to run at system startup time:
/sbin/chkconfig ldap on

Next, get your password for slapd.conf:
cd /etc/openldap/
/usr/sbin/slappasswd

…. it’ll prompt you for a new password, type it twice.  All it does is spit out a password that you can copy paste into slapd.  Looks like this:
New password:

Re-enter new password:

{SSHA}zskkuz1hd90SyXA4y+zN4AA0FBQorVEd

Note put this into your slapd.conf.  Only do three things:

Include this:
include         /etc/openldap/schema/dkuser.schema
Set the rootpw:
rootpw          {SSHA}bGqb+qzQfXHiQ/e9pCNSpc11Sxbb9qf3
Set the suffix and rootdn:
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
Here is the whole slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/dkuser.schema


# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}bGqb+qzQfXHiQ/e9pCNSpc11Sxbb9qf3
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

I made up my own object class.  This is because I had a very specific use care.   There are other schemas out there for qmail, postfix, and other things.  In my case, I wanted a very narrow objectclass.
/etc/openldap/schema/dkuser.schema
# Attribute Type Definitions

attributetype ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost'
  DESC 'Which mail server the to relay mail to'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
  SINGLE-VALUE )

# Object Class Definitions

objectclass ( 1.3.6.1.4.1.7914.1.2.2.1 NAME 'dkUser'
  DESC 'Pseudo Email User'
  SUP top STRUCTURAL
  MUST ( cn $ mail $ mailHost )
  MAY ( ) )

Now, to start up openldap for the first time:
[]# /etc/init.d/ldap start

Checking configuration files for slapd:  bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=example,dc=com.
config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]

Oops, forgot the DB_CONFIG.  There are some specific instructions here: http://www.openldap.org/faq/data/cache/1072.html.  I just used the defaults:
cd /etc/openldap
cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[]# /etc/init.d/ldap restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd:  bdb_db_open: DB_CONFIG for suffix dc=example,dc=com has changed.
Performing database recovery to activate new settings.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]
[]# /etc/init.d/ldap restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]

Ok, that’s better.  Here’s what the file looks like for me:

/var/lib/ldap/DB_CONFIG
# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.3 2006/08/17 17:36:19 kurt Exp $
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#
# See Sleepycat Berkeley DB documentation
#   <http://www.sleepycat.com/docs/ref/env/db_config.html>
# for detail description of DB_CONFIG syntax and semantics.
#
# Hints can also be found in the OpenLDAP Software FAQ
#       <http://www.openldap.org/faq/index.cgi?file=2>
# in particular:
#   <http://www.openldap.org/faq/index.cgi?file=1075>

# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.

# one 0.25 GB cache
set_cachesize 0 268435456 1

# Data Directory
#set_data_dir db

# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs

# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).

Ok, now we’re ready to load up the root object.  Create

/etc/openldap/root.ldif
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

And load it into openldap:
ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -w password -f root.ldif

And to populate it with a ton of entries.  I created a file, UserAddresses_all.txt, with emails in it, one email after another.  Then looped through that list, and created a users.ldif file:
let j=1; for i in `cat UserAddresses_all.txt`; do
  # Skip the first 1000, because I already did them:
  if [ $j -gt 1000 ]; then 
    # log it first:
    echo "$j $i" >> sofar.log
    # add the ldif entry to the file:
    echo "dn: cn=$j,dc=example,dc=com
cn: $j
objectClass: top
objectClass: dkuser
mail: $i
mailHost: somesmtphostname$j:25

" >> users.ldif
  fi
  let j=$j+1
done

And finally to load the users.ldif:
ldapadd -c -x -D cn=Manager,dc=example,dc=com -w password -f users.ldif

And now, here is how to search it from a remote host:
ldapsearch -x -h 10.0.0.205 -p 389 -D "cn=Manager,dc=example,dc=com" -w password '(mail=foo@bar.com)'  

Resulted in:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (mail=dave@koopman.me)
# requesting: ALL
#

# 0, example.com
dn: cn=1,dc=example,dc=com
cn: 1
objectClass: top
objectClass: dkUser
mail: foo@bar.com
mailHost: somesmtphostname1:25

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1