
OpenLDAP Quick Tips: Use the FAQ!

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 13th tip in the "OpenLDAP Quick Tips" series:

"You have a question, but you're sure someone has been there before":

That's what our FAQ-O-Matic is for!

Search it, browse it and check the common areas:

  1. Installation

  2. Configuration

  3. Integration

  4. Maintenance

  5. Common Errors

  6. When all else fails...


When all else fails, join our mailing lists.

Thanks,

Gavin.

If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.

OpenLDAP Quick Tips: Switch to the dynamic config backend (cn=config)

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 12th tip in the "OpenLDAP Quick Tips" series:

"You want to switch from slapd.conf to the configuration backend to slapd":

The config backend is backward compatible with the older slapd.conf(5)
file but provides the ability to change the configuration dynamically
at runtime. If slapd is run with only a slapd.conf file dynamic changes
will be allowed but they will not persist across a server restart.
Dynamic changes are only saved when slapd is running from a slapd.d
configuration directory.

The following should be getting you very excited:

"provides the ability to change the configuration dynamically at runtime."

Community Request: Real World OpenLDAP Deployments

Categories: OpenLDAP, Open Source, Suretec

Dear All,

I'd like to get some examples written up for:

http://www.openldap.org/doc/admin24/appendix-deployments.html

If anyone is interested and allowed to share some information, I'd
love to hear from you.

The more strange the setup the better!

Many thanks,

Gavin.

P.S. This has also been sent to the openldap-technical@openldap.org mailing list, so if you are a subscriber please reply to that email. Thanks.

OpenLDAP Quick Tips: Check your indices

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 11th tip in the "OpenLDAP Quick Tips" series:

"You want to make sure you have the correct indices configured for the best performance":

It's easy to discover when you do not have the correct indices set by checking your slapd log. If you see something similar to:


OpenLDAP Quick Tips: Regularly upgrade OpenLDAP!

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 10th tip in the "OpenLDAP Quick Tips" series:

"You want to stay up to date with the latest version of OpenLDAP to benefit from bug fixes":

There's never been a better time to upgrade to the 2.4 series. It's actually very easy. If there haven't been any significant core changes between releases (excluding a 2.3.x to 2.4.x upgrade), then you can easily just install a new version on top of the existing one and restart.

If there has been a Berkeley DB change or any form of data storage change (indexing etc.) then you should follow these steps:

1. Stop the current server when convenient
2. slapcat the current data out
3. Clear out the current data directory (/usr/local/var/openldap-data/) leaving DB_CONFIG in place
4. Perform the software upgrades
5. slapadd the exported data back into the directory
6. Start the server

It is recommended to do the above anyway, just to be safe, as you can always start fresh from the exported data.
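As an added example (not part of this post or of OpenLDAP itself), here is a small Python script that carries out steps 2 to 5 and adds the checks a cautious admin wants around them: the slapcat export must not be empty before anything is deleted, DB_CONFIG must survive the clean-out, and the entry count after slapadd must equal the count that was exported. Stopping and starting slapd (steps 1 and 6) is left to you because it depends on your init system. The data directory is the path from this post; the export file location and the install command are assumptions made for the example, and the file names used in the rehearsal are constructed, not a real database.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

DATA_DIR = Path("/usr/local/var/openldap-data")        # from the post
EXPORT_FILE = Path("/var/tmp/openldap-upgrade.ldif")   # assumed location for the slapcat output
INSTALL_CMD = ("make", "install")                       # assumed: run from the new OpenLDAP source tree


def count_entries(ldif_text: str) -> int:
    """Count LDIF records: each starts with a 'dn:' (or base64 'dn::') line.
    Continuation lines start with a space and comments with '#', so neither counts."""
    return sum(1 for line in ldif_text.splitlines() if line.startswith("dn:"))


def clear_data_dir(data_dir: Path, keep: Iterable[str] = ("DB_CONFIG",)) -> List[str]:
    """Step 3: delete the database files but leave DB_CONFIG (and anything else
    named in `keep`) in place. Returns the names that were removed."""
    keep = set(keep)
    removed = []
    for entry in sorted(data_dir.iterdir()):
        if entry.name in keep:
            continue
        if entry.is_dir() and not entry.is_symlink():
            shutil.rmtree(entry)
        else:
            entry.unlink()
        removed.append(entry.name)
    return removed


def rehearse_clear_data_dir() -> Tuple[List[str], List[str]]:
    """Dry run of clear_data_dir on a scratch directory laid out like a BDB data
    directory (constructed file names). Returns (removed, still present) so the
    behaviour can be checked before pointing it at the real directory."""
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        for name in ("DB_CONFIG", "id2entry.bdb", "dn2id.bdb", "__db.001", "log.0000000001"):
            (root / name).write_text("constructed\n")
        (root / "tmp").mkdir()
        removed = clear_data_dir(root)
        remaining = sorted(p.name for p in root.iterdir())
    return removed, remaining


def slapcat_to_text() -> str:
    """Run slapcat and return the LDIF it prints (works while slapd is stopped)."""
    return subprocess.run(["slapcat"], check=True, capture_output=True, text=True).stdout


def upgrade(data_dir: Path = DATA_DIR, export_file: Path = EXPORT_FILE,
            install_cmd: Tuple[str, ...] = INSTALL_CMD) -> int:
    """Steps 2 to 5 from the post, with safety checks. Returns the entry count."""
    ldif = slapcat_to_text()                                          # step 2: export
    exported = count_entries(ldif)
    if exported == 0:
        raise RuntimeError("slapcat returned no entries; not touching the data directory")
    export_file.write_text(ldif, encoding="utf-8")
    clear_data_dir(data_dir)                                          # step 3: clean out, keep DB_CONFIG
    subprocess.run(list(install_cmd), check=True)                     # step 4: software upgrade
    subprocess.run(["slapadd", "-l", str(export_file)], check=True)   # step 5: re-import
    reimported = count_entries(slapcat_to_text())                     # verify before starting slapd
    if reimported != exported:
        raise RuntimeError(f"exported {exported} entries but the new database holds {reimported}")
    print(f"{reimported} entries restored; start slapd now (step 6)")
    return reimported


if __name__ == "__main__":
    upgrade()
```

Run rehearse_clear_data_dir() first on a build box; the real upgrade() only makes sense on a server where slapd is already stopped and the new source tree is unpacked in the current directory.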

Obviously this doesn't cater for complicated deployments like MirrorMode or N-Way Multi-Master, but should you need advice or help, you can use either commercial support or community support... or contact Suretec.

Thanks,

Gavin.

If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.

OpenLDAP Quick Tips: Use ldapvi!

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 9th tip in the "OpenLDAP Quick Tips" series:

"You want to edit data in your directory server, but only have command line access":

When you want to quickly edit some data and don't want to use the ldap* command line tools that come with OpenLDAP, why not grab ldapvi:

ldapvi is an interactive LDAP client for Unix terminals. Using it, you can update LDAP entries with a text editor.
Think of it as vipw(1) for LDAP.


Thanks,

Gavin.

If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.

OpenLDAP Quick Tips: Get Your Own Private Enterprise Number for LDAP Schemas

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 8th tip in the "OpenLDAP Quick Tips" series:

"You want to create your own LDAP Schema for your directory server":

The golden rule:

Under no circumstances should you hijack name space belonging to others!

When you want to extend or create one yourself, get your own OID or PEN using the Private Enterprise Number (PEN) Request Template.

It takes around 2 weeks, and you will then always be listed on the PRIVATE ENTERPRISE NUMBERS page, so you can look the number up if you forget it, and your namespace will never clash with anyone else's.

Anyone in the LDAP field who is worth their salt should be listed; we are (Suretec Systems Ltd.).

Thanks,

Gavin.

If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.

OpenLDAP Quick Tips: Testing your Access Control Lists (ACLs)

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 7th tip in the "OpenLDAP Quick Tips" series:

"You want to check your Access Control Lists configured in your directory server":


OpenLDAP Quick Tips: Creating encrypted passwords

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 6th tip in the "OpenLDAP Quick Tips" series:

"You want to encrypt the passwords that are stored in your directory server":

Previously we covered slaptest, so the next one we will cover in the slap* set of command line tools is slappasswd.

To create an encrypted (hashed) password for the password "testing", we run:

CODE:
[root@suretec ~]# slappasswd
New password:
Re-enter new password:
{SSHA}4Q/jfwS2oPJtQDq7bmHozKOWkgDJNLEb


The default is SSHA, which is the recommended scheme. You can also generate a random password with the -g option:

CODE:
[ghenry@suretec ~]$ /usr/local/sbin/slappasswd -g
t5e7xEJE

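To show what slappasswd actually produces, here is an added example in Python (not code from the post or from OpenLDAP) that builds a {SSHA} value in the same format, base64(SHA-1(password + salt) + salt), and checks a candidate password against a stored value the way anything consuming userPassword has to. The fixed salt in the demo call is constructed so the output is repeatable; real use leaves it random, as slappasswd does.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PREFIX = "{SSHA}"
SHA1_LEN = 20   # bytes in a SHA-1 digest
SALT_LEN = 4    # salt length slappasswd uses by default


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value for `password`, with a random salt unless one is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored {SSHA} value into (digest, salt); None if it is malformed."""
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SHA1_LEN:      # a bare digest with no salt is not SSHA
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """True if `password` matches `stored`; the digest comparison is constant-time."""
    parsed = parse_ssha(stored)
    if parsed is None:
        return False
    digest, salt = parsed
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    demo = make_ssha("testing", salt=b"\x01\x02\x03\x04")   # constructed salt for a repeatable demo
    print(demo)
    print(verify_ssha("testing", demo), verify_ssha("Testing", demo))
```

Because the salt is appended to the digest before base64 encoding, two runs of slappasswd for the same password give different strings, which is why the hash from the post can only be checked by re-hashing with the salt it carries, never by comparing strings.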

Thanks,

Gavin.

If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.

OpenLDAP Quick Tips: LDAP Schema Viewer

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 5th tip in the "OpenLDAP Quick Tips" series:

"You are not sure which LDAP attributes to choose and which LDAP ObjectClasses they belong to":

The online LDAP Schema Viewer resource is great for quickly browsing what belongs to what.

You can of course use the LDAP schema browser of any decent LDAP GUI instead.

Thanks,

Gavin.

If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.

OpenLDAP Quick Tips: Always test your slapd configuration

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my fourth tip in the "OpenLDAP Quick Tips" series:

"You want to test your configuration for your directory server":

The OpenLDAP Software Suite comes with many great command line tools which we will cover in the OpenLDAP Quick Tips series. The first one you should always use is slaptest:

CODE:
[root@suretec src]# /usr/local/sbin/slaptest -f /usr/local/etc/openldap/slapd.conf
config file testing succeeded


The above means our configuration is all good. If we are using dynamic configuration (slapd.d), we would use -F instead. For more detail, always use the -d debug flag, which we will cover in another tip.

For some errors like below, it's obvious what's wrong:

CODE:
[root@suretec src]# /usr/local/sbin/slaptest -f /usr/local/etc/openldap/slapd.conf
could not stat config file "/usr/local/etc/openldap/schema/suretec.schema": No such file or directory (2)
slaptest: bad configuration file!


Thanks,

Gavin.

If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.

OpenLDAP Quick Tips: Using syslog or syslog-ng with slapd for OpenLDAP logging

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my third tip in the "OpenLDAP Quick Tips" series:

"You want to enable logging via syslog or syslog-ng for your directory server":

For syslog, depending on your distro, you would edit /etc/syslog.conf or /etc/rsyslog.conf:


OpenLDAP Quick Tips: Changing your rootdn password without slapd.conf

Categories: Linux, OpenLDAP, Open Source, Suretec

Hi All,

Here's my second tip in the "OpenLDAP Quick Tips" series:

"You want to manage the rootdn user's password using the same tools as you use for normal users in your OpenLDAP directory server":

You would normally set your rootpw in slapd.conf like so:

CODE:
database bdb
directory /usr/local/var/openldap-data
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw testing


If you leave out the rootpw line and add the rootdn user as a normal user with a userPassword attribute:

CODE:
dn: cn=admin,dc=suretecsystems,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: rootdn user
userPassword: {SSHA}my_encrypted_password_hash_using_slappasswd


This then means you can change the rootdn password with tools like ldappasswd etc.

Note: this example does not cover cn=config, where you can change 99% of OpenLDAP settings and config on the fly. The equivalent rootdn settings in cn=config would look like:

CODE:
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: testing


You could use ldapmodify or similar to change the above.
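Before relying on the rootdn's userPassword entry, it is worth confirming that no rootpw line was left behind. The following is an added example in Python (not the post's own code) that reads a slapd.conf, or the cn=config LDIF equivalent, and reports every rootpw / olcRootPW it finds together with whether the value is cleartext or a {scheme} hash. The two sample configs are constructed from the snippets in this post; the function names are mine.

```python
import base64
import shlex
from typing import Dict, List

# Constructed from the post's slapd.conf snippet
SAMPLE_SLAPD_CONF = """\
database bdb
directory /usr/local/var/openldap-data
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw testing
"""

# Constructed from the post's cn=config snippet (database DN assumed)
SAMPLE_CN_CONFIG = """\
dn: olcDatabase={1}bdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: testing
"""


def _classify(value: str) -> Dict[str, str]:
    """A value in {scheme}... form is hashed; anything else is cleartext."""
    if value.startswith("{") and "}" in value:
        return {"storage": "hashed", "scheme": value[: value.index("}") + 1]}
    return {"storage": "cleartext", "scheme": ""}


def _logical_lines(text: str) -> List[str]:
    """Join slapd.conf continuation lines (leading whitespace) and drop comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def audit_slapd_conf(text: str) -> List[Dict[str, str]]:
    """One finding per rootpw directive, tagged with the database it belongs to."""
    findings = []
    database = "global"
    for line in _logical_lines(text):
        parts = shlex.split(line)
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword == "database" and len(parts) > 1:
            database = parts[1]
        elif keyword == "rootpw":
            value = parts[1] if len(parts) > 1 else ""
            findings.append({"database": database, "directive": "rootpw", **_classify(value)})
    return findings


def audit_cn_config(ldif: str) -> List[Dict[str, str]]:
    """Same report for the cn=config form; handles base64 'olcRootPW::' values."""
    findings = []
    database = "?"
    for line in ldif.splitlines():
        lowered = line.lower()
        if line.startswith("dn::"):
            database = base64.b64decode(line[4:].strip()).decode("utf-8", "replace")
        elif line.startswith("dn:"):
            database = line[3:].strip()
        elif lowered.startswith("olcrootpw::"):
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8", "replace")
            findings.append({"database": database, "directive": "olcRootPW", **_classify(value)})
        elif lowered.startswith("olcrootpw:"):
            value = line.split(":", 1)[1].strip()
            findings.append({"database": database, "directive": "olcRootPW", **_classify(value)})
    return findings


if __name__ == "__main__":
    for finding in audit_slapd_conf(SAMPLE_SLAPD_CONF) + audit_cn_config(SAMPLE_CN_CONFIG):
        print(finding)
```

An empty result for the database you care about is the state this tip aims for: no rootpw directive at all, with the rootdn's password living only in its own entry.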


If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
