OpenLDAP Daemons and Utilities

13.3. OpenLDAP Daemons and Utilities

The suite of OpenLDAP libraries and tools are found within the following packages:

  • openldap — Contains the libraries necessary to run the OpenLDAP server and client applications.

  • openldap-clients — Contains command line tools for viewing and modifying directories on an LDAP server.

  • openldap-servers — Contains the servers and other utilities necessary to configure and run an LDAP server.

There are two servers contained in the openldap-servers package: the Standalone LDAP Daemon (/usr/sbin/slapd) and the Standalone LDAP Update Replication Daemon (/usr/sbin/slurpd).

The slapd daemon is the standalone LDAP server while the slurpd daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The slurpd daemon is only used when dealing with multiple LDAP servers.

To perform administrative tasks, the openldap-servers package installs the following utilities into the /usr/sbin/ directory:

  • slapadd — Adds entries from an LDIF file to an LDAP directory. For example, the command /usr/sbin/slapadd -l ldif-input reads in the LDIF file, ldif-input, containing the new entries.

  • slapcat — Pulls entries out of an LDAP directory in the default format, Berkeley DB, and saves them in an LDIF file. For example, the command /usr/sbin/slapcat -l ldif-output outputs an LDIF file called ldif-output containing the entries from the LDAP directory. This command works for directories created under Red Hat Enterprise Linux 3 and Red Hat Linux 9.

  • slapcat-gdbm — Pulls entries out of an LDAP directory in the gdbm format (the default in earlier versions of OpenLDAP) and saves them in an LDIF file. This command is provided solely as a means for migrating a directory from OpenLDAP implemented under Red Hat Enterprise Linux 2.1 and Red Hat Linux versions 7.x through 8. Refer to Section 13.8 Migrating Directories from Earlier Releases for information on how to use this command.

  • slapindex — Re-indexes the slapd directory based on the current content. This tool should be run whenever indexing options within /etc/openldap/slapd.conf are changed.

  • slappasswd — Generates an encrypted user password value for use with ldapmodify or the rootpw value in the slapd configuration file, /etc/openldap/slapd.conf. Execute the /usr/sbin/slappasswd command to create the password.

WarningWarning
 

Be sure to stop slapd by issuing /sbin/service ldap stop before using slapadd, slapcat or slapindex. Otherwise, the integrity of the LDAP directory is at risk.

For more information about how to use these utilities, refer to their respective man pages.

The openldap-clients package installs tools into /usr/bin/ which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:

  • ldapadd — Adds entries to an LDAP directory by accepting input via a file or standard input; ldapadd is actually a hard link to ldapmodify -a.

  • ldapdelete — Deletes entries from an LDAP directory by accepting input via user input at a shell prompt or via a file.

  • ldapmodify — Modifies entries in an LDAP directory, accepting input via a file or standard input.

  • ldappasswd — Sets the password for an LDAP user.

  • ldapsearch — Searches for entries in an LDAP directory using a shell prompt.

With the exception of ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.

13.3.1. NSS, PAM, and LDAP

In addition to the OpenLDAP packages, Red Hat Enterprise Linux includes a package called nss_ldap, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.

The nss_ldap package provides the following modules:

  • /lib/libnss_ldap-<glibc-version>.so

  • /lib/security/pam_ldap.so

The libnss_ldap-<glibc-version>.so module allows applications to look up users, groups, hosts, and other information using an LDAP directory via glibc's Nameservice Switch (NSS) interface (replace <glibc-version> with the version of libnss_ldap in use). NSS allows applications to authenticate using LDAP in conjunction with the Network Information Service (NIS) name service and flat authentication files.

The pam_ldap module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.

13.3.2. PHP4, LDAP, and the Apache HTTP Server

Red Hat Enterprise Linux includes a package containing an LDAP module for the PHP server-side scripting language.

The php-ldap package adds LDAP support to the PHP4 HTML-embedded scripting language via the /usr/lib/php4/ldap.so module. This module allows PHP4 scripts to access information stored in an LDAP directory.

Red Hat Enterprise Linux ships with the mod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The mod_ssl module is required when using the mod_authz_ldap module.

ImportantImportant
 

The mod_authz_ldap module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental mod_auth_ldap module, which is not included with Red Hat Enterprise Linux. Refer to the Apache Software Foundation website online at http://www.apache.org/ for details on the status of this module.

13.3.3. LDAP Client Applications

There are graphical LDAP clients available which support creating and modifying directories, but they are not included with Red Hat Enterprise Linux. One such application is LDAP Browser/Editor — A Java-based tool available online at http://www.iit.edu/~gawojar/ldap/.

Most other LDAP clients access directories as read-only, using them to reference, but not alter, organization-wide information. Some examples of such applications are Sendmail, Mozilla, Gnome Meeting, and Evolution.