Notice: Undefined index: size in /usr/local/psa/home/vhosts/shinyblue.net/httpdocs/php/gizmos/discussion.php on line 268

Notice: Undefined index: title in /usr/local/psa/home/vhosts/shinyblue.net/httpdocs/php/gizmos/discussion.php on line 227
s h i n y b l u e Very basic how-to/introduction for Open LDAP (slapd) as addressbook
s h i n y b l u e
Very basic how-to/introduction for Open LDAP (slapd) as addressbook

LDAP is a server-client model address book (and then some). I looked into it as a solution to sharing addressbooks in small offices (or even at home). This page explains what I did to get open LDAP working on my Debian/testing system, and what I found I needed to know about how it works. This is a very basic level introduction because for some reason I found it really hard to get my head around it all.

Basic introduction to LDAP

Basic introduction to LDIF

Here’s an example, minimal LDIF entry:

dn: cn=Rich Lott,dc=shinyblue,dc=net
objectClass: person
sn: Lott
cn: Rich Lott

So this record says there’s a person called (cn) Rich Lott whose surname (sn) is Lott.

The first line (dn) is just a unique reference, and identifies where this record belongs in the hierarchy of the LDAP database. The dc=shinyblue,dc=net bit is explained below.

The objectClass line defines what kind of record this is. Each objectClass allows you or requires you to add more fields in. eg. The person objectClass requires the sn and cn fields. Note that cn is duplicated, in the first and last lines. I don’t get this at all, seems silly to me, but hey, I’m probably missing a very important point.

Basic introduction to structure of LDAP database

In the olden days, the top bit of an LDAP database was an organisation record, eg. Acme Coop. In this crazy modern world though it’s normally taken from the internet domain names broken down into their parts. So shinyblue.net becomes a net record with shinyblue as a record within that. This is how I’ve set mine up to get a feel for a standard set up. It’s completely unneccessary, you can just stick all your records in one big flat heap.

This is called base dn, and is set up in slapd.conf to tell the server that it is authoritative about stuff under here. You need to add a record with the dn of your base dn, before you start, eg. before I could add in the simple person’s record above.

Confusion Opportunity

Sounds obvious but the database must have a record for each part of the dn. The one exception to this is the base dn. So I don’t need a dn: dc=net record in order to have my dn: dc=shinyblue,dc=net record. But if I had a group of people called friends, I couldn’t start defining dn: cn=mate1,ou=friends,dc=shinyblue,dc=net before I’d defined dn: ou=friends,dc=shinyblue,dc=net

Here’s a minimal entry for my basedn:

dn: dc=shinyblue,dc=net
objectclass: dcObject
objectclass: organization
o: shinyblue
dc: shinyblue

There’s two parts (objectClasses) intermingled here:

  1. dcObject - you’d expect this perhaps with all those dc bits around. Note the last line repeats the shinyblue in the dn in the first line.

  2. organization - This insists on the o (organisation name) field. Also set to shinyblue. This is needed because of some technicality that I don’t understand: There are two (more?) types of objectClass, most of them are of the structure kind and you need each record to have one of these for it to work. (The other kind, which applies to dcObject is Auxiliary.)

Schemas

Schemas are what defines the details of the objectClasses. At the top of /etc/ldap/slapd.conf file there’s a load of include lines pulling in schemas. You can add definitions to this (eg. the Mozilla one used by Thunderbird).

Getting it working

Debian users can do:

$ su
$ apt-get install slapd ldap-utils

You’ll get asked loads of questions, most of them seem to default to nodomain. It sets up /etc/ldap/slapd.conf which you’re going to have to edit manually anyway…

Now edit /etc/ldap/slapd.conf and find the first line that starts with the word directory and underneath it, add these lines:

rootdn "cn=admin,dc=shinyblue,dc=net"
rootpw secret

If you stuck with the nodomain then the first one of these lines would have read:

rootdn "cn=admin,dc=nodomain"

rootdn is like an awkwardly long username that is used for accessing the ldap database. It looks like any other dn, but it doesn’t have to exist as a record in the database(!).

rootpw is the password for the rootdn. Here it’s literally set to the word secret, which is completely insecure. But I don’t care for the sake of getting it going.

I edited /etc/ldap/ldap.conf too uncommenting the BASE line as follows:

BASE    dc=shinyblue,dc=net

Now start the open LDAP server:

$ /etc/init.d/slapd start

Make a text file with the minimal basedn definition in it, and push it in with the following command (you’ll get asked for the password. It’s the word secret):

$ ldapadd -xv -D "cn=admin,dc=shinyblue,dc=net" -W -f nameOfYourFile.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
add objectclass:
        dcObject
        organization
add o:
        shinyblue
add dc:
        shinyblue
adding new entry "dc=shinyblue,dc=net"
modify complete

Now you can add people in. Stick the first example in a text file, me.ldif and do:

$ ldapadd -xv -D "cn=admin,dc=shinyblue,dc=net" -W -f me.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
add objectClass:
        person
add sn:
        Lott
add cn:
        Rich Lott
adding new entry "cn=Rich Lott,dc=shinyblue,dc=net"
modify complete

How do you know it’s working?

From the command line, do this:

$ ldapsearch -xv -D "cn=admin,dc=shinyblue,dc=net" -W

and it should print everything out. If it worked, great. You can now use the details to set up other more useful graphical interfaces, including Thunderbird’s address book. Other GUIs for administering LDAP are:

This web page is rubbish! Where’s a better one?

Here’s the pages that I needed to piece stuff together to obtain my low level of understanding!

For Thunderbird



Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 License.