OpenLDAP Tutorial», we will feed the directory with useful data. This makes it possible to actually use the OpenLDAP server.

Prerequisites:
- OpenLDAP is installed and preconfigured on a Debian, Ubuntu or compatible machine. See the articles Installation and Modify the default settings.
- The server administrator (rootDN) has sufficient rights to modify the configuration data. See the article Remote configuration management by the administrator.
- The OpenLDAP data types are understood. See the article Organization and data types.
1. Creating a node for people

A directory must be organized. For an organization, we first create a node (container) that will hold the directory entries of people. Create an LDIF file for this node:

    vi people.ldif

Enter the following in the editor and save:

    dn: ou=People,dc=ldaptuto,dc=net
    objectClass: organizationalUnit
    ou: People

- People is a name of your choice.
- The type of this new entry is organizationalUnit (OU), the usual type for container nodes in OpenLDAP.
- Matching on these values is case insensitive: OpenLDAP does not differentiate between uppercase and lowercase, so People and people are equivalent.

Add the entry to the directory:

    ldapmodify -a -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -w admin -f people.ldif

-a (add) after ldapmodify means that you want to add the contents of the file as new entries.
2. Adding people to the directory

    vi dupond.ldif

Enter the following in the editor and save:

    dn: uid=dupond,ou=People,dc=ldaptuto,dc=net
    objectClass: inetOrgPerson
    givenName: Jean
    sn: Dupond
    cn: Jean Dupond
    uid: dupond
    userPassword: dupond

We add this entry to the directory:

    ldapmodify -a -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -w admin -f dupond.ldif

And we check this addition:

    ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -w admin -b ou=People,dc=ldaptuto,dc=net

Notice that the password does not appear in plain text: ldapsearch prints it base64-encoded, which is what the double colon in userPassword:: means. That is only an encoding, however; the value is not encrypted.
3. Directory use

Now let's look at what happens if Jean Dupond tries to connect to the directory and list the people referenced in it (himself among others):

    ldapsearch -x -H ldap://localhost -D uid=dupond,ou=people,dc=ldaptuto,dc=net -w dupond -b ou=people,dc=ldaptuto,dc=net -LLL
    ldap_bind: Invalid credentials (49)

- -D: DN of the user who authenticates; the request runs with the read rights of this user.
- -w: the user's password.

The bind fails because the current access rules do not let an anonymous connection use the userPassword attribute to authenticate.
    vi acces.ldif

Enter the following in the editor and save:

    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: to * by users read by anonymous auth by * none

This directive grants authentication (by anonymous auth) and read permission on everything to all people in the directory (by users read). Of course, such a configuration is not advisable in real use; it is used here only for a simple demonstration. We add this setting to the directory:

    ldapmodify -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -w admin -f acces.ldif

Now the same query as before, reading the data of the people in the directory as Jean Dupond, displays them:
    ldapsearch -x -H ldap://localhost -D uid=dupond,ou=people,dc=ldaptuto,dc=net -w dupond -b ou=people,dc=ldaptuto,dc=net -LLL
    dn: ou=People,dc=ldaptuto,dc=net
    objectClass: organizationalUnit
    ou: People

    dn: uid=dupond,ou=People,dc=ldaptuto,dc=net
    objectClass: inetOrgPerson
    givenName: Jean
    sn: Dupond
    cn: Jean Dupond
    uid: dupond
    userPassword:: e1NTSEF9Umk1d0QrWEtmNHRrSHBOelBEMkdqU3NNSUhtRmtNU28=

Finally, the directory served by OpenLDAP allows Jean Dupond, who is referenced in it, to authenticate and read all the data it contains. As an exercise, add another person to the directory: Alain Durand. After that, the directory will have this structure:
    dc=ldaptuto,dc=net
    ├── cn=admin,dc=ldaptuto,dc=net
    └── ou=People,dc=ldaptuto,dc=net
        ├── uid=dupond,ou=People,dc=ldaptuto,dc=net
        └── uid=durand,ou=People,dc=ldaptuto,dc=net
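The olcAccess directive used in section 3 is evaluated clause by clause: the first "to" clause whose target matches decides, and within it the first "by" clause matching the requester decides, which is why that single line lets every authenticated user read every attribute, userPassword included. The following Python script is an added example, not part of this tutorial and not slapd's own code; it models that evaluation for the small subset of olcAccess syntax used on this page and compares the tutorial's directive with a tighter pair of directives (standard practice, also not taken from the page) that keeps the anonymous auth needed for binding but restricts userPassword to its owner. The DNs are those of the tutorial's entries; the ACL strings, the scenario names and the rule that an unmatched request is denied belong to this model (slapd.access(5) describes the real fallback behaviour).

```python
from typing import Dict, List, Optional, Tuple

# Access levels in the order slapd uses: a clause granting a level also
# grants every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Entry DNs from this tutorial (durand is the entry added in the exercise).
DUPOND = "uid=dupond,ou=People,dc=ldaptuto,dc=net"
DURAND = "uid=durand,ou=People,dc=ldaptuto,dc=net"

# The directive added in section 3 of the tutorial.
TUTORIAL_ACL = ["to * by users read by anonymous auth by * none"]

# Constructed tighter alternative: passwords are writable only by their
# owner and usable only for authentication; everything else stays readable
# by authenticated users.
TIGHTER_ACL = [
    "to attrs=userPassword by self write by anonymous auth by * none",
    "to * by users read by * none",
]


def parse_olc_access(directive: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Parse one 'to <what> by <who> <level> [by ...]' directive.

    Only the subset used on this page is understood: <what> is '*' or
    'attrs=<list>', <who> is '*', 'users', 'anonymous' or 'self'.
    The clauses are returned in textual order because order matters.
    """
    parts = directive.split()
    if len(parts) < 5 or parts[0] != "to":
        raise ValueError("directive must look like 'to <what> by <who> <level>'")
    what = parts[1]
    clauses: List[Tuple[str, str]] = []
    i = 2
    while i < len(parts):
        if parts[i] != "by" or i + 2 >= len(parts):
            raise ValueError(f"malformed clause near token {i}: {parts[i:]!r}")
        who, level = parts[i + 1], parts[i + 2]
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        clauses.append((who, level))
        i += 3
    return what, clauses


def _what_matches(what: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported <what>: {what!r}")


def _who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "users":
        return bind_dn is not None
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported <who>: {who!r}")


def granted(acl: List[str], bind_dn: Optional[str], target_dn: str,
            attr: str, needed: str) -> bool:
    """Decide whether the requester (bind_dn, None when anonymous) gets the
    'needed' level on 'attr' of 'target_dn'. First matching <what> decides,
    then first matching <who>; no match means no access in this model."""
    for directive in acl:
        what, clauses = parse_olc_access(directive)
        if not _what_matches(what, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, bind_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False
    return False


def scenarios(acl: List[str]) -> Dict[str, bool]:
    """Outcomes of the requests that matter for this tutorial under 'acl'."""
    return {
        # A simple bind needs 'auth' on the bind DN's userPassword before
        # the connection is authenticated (this is what failed with error 49).
        "anonymous_bind": granted(acl, None, DUPOND, "userPassword", "auth"),
        "read_other_cn": granted(acl, DUPOND, DURAND, "cn", "read"),
        "read_other_password": granted(acl, DUPOND, DURAND, "userPassword", "read"),
        "change_own_password": granted(acl, DUPOND, DUPOND, "userPassword", "write"),
        "anonymous_read_cn": granted(acl, None, DURAND, "cn", "read"),
    }


if __name__ == "__main__":
    for name, acl in (("tutorial", TUTORIAL_ACL), ("tighter", TIGHTER_ACL)):
        print(name, scenarios(acl))
```

Under the tutorial's directive the bind succeeds, but dupond can also read durand's hashed userPassword and still cannot change his own; under the tighter pair the bind still succeeds, other users' passwords are unreadable, and each user can change only their own. Whatever directives you settle on, keep a userPassword-only "to attrs=userPassword" clause ahead of the catch-all "to *", since the first matching target wins.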