
Configure OpenLDAP and OpenSSL

September 19, 2006, 21:37

Run "/usr/local/libexec/slapd" to start the OpenLDAP service. In this article I configure this OpenLDAP service to use OpenSSL with a self-signed certificate. All the steps, including the failures, are written down here.

First, edit "/usr/local/etc/openldap/slapd.conf". Note that the Samba schema is not included by default; I copied samba.schema from /Chengdu/build/smb/example/ldap/samba.schema. The schema includes must appear in the following order, or slapd will fail at startup, because each schema depends on attribute types and object classes defined by the ones before it: core, cosine, inetorgperson, misc, openldap, nis, samba.
Also add the following lines to slapd.conf (slapd.conf does not support comments after a directive on the same line, so the password comment goes on its own line):
database bdb
suffix dc=plasmon,dc=sit
rootdn "cn=root,dc=plasmon,dc=sit"
# root's password
rootpw hello123
directory /usr/local/var/openldap.dat
A cleartext rootpw is readable by anyone who can read slapd.conf. Generate a hashed value with "slappasswd" and paste its {SSHA} output in place of the cleartext, and keep slapd.conf readable only by the user slapd runs as.

I added "/usr/local/libexec" to PATH in .bash_profile, so slapd can be started directly as "slapd" on the command line. Then check the LDAP port; 192.168.123.33 is my OpenLDAP server:
# nmap 192.168.123.33
or
# netstat -ant | grep 389
Port 389 is the default LDAP port. To check that the server is running and configured correctly, issue the following command:
# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
If the configuration is correct, the output is:
dn:
namingContexts: dc=plasmon,dc=sit
Yes, OpenLDAP works. The next step is to add entries, either with LAT or from LDIF files. Here I only show how to add an "ou". Create a file named "ou.ldif":
dn: ou=People,dc=plasmon,dc=sit
objectClass: top
objectClass: organizationalUnit
ou: People
description: User info
Note that there must be no trailing whitespace at the end of any line in an LDIF file (a plain value with trailing spaces is not valid LDIF; such a value would have to be base64 encoded). Now I see why my earlier imports of these LDIF files into iPlanet failed. Save "ou.ldif" and import it into OpenLDAP with LAT, or on "192.168.123.33" run:
# ldapadd -x -D "cn=root,dc=plasmon,dc=sit" -W -f ou.ldif
The -W option prompts for the password; do not put the password on the command line (the -w option), where it would be visible in the process list and in the shell history.
As a result, ou=People was added to OpenLDAP.
————————–
More attention here! Could the add-ou operation really succeed as described above? The answer is no. On Sep 22nd I reinstalled OpenLDAP on another machine and hit this problem: ldapadd fails with "No such object (32)" because the parent entry does not exist yet. The fix is to add "dc=plasmon,dc=sit" first, like this:
dn: dc=plasmon,dc=sit
objectClass: dcObject
objectClass: organization
o: Example Company
dc: plasmon
Save the file as "begin.ldif", and then issue:
# ldapadd -x -D "cn=root,dc=plasmon,dc=sit" -W -f begin.ldif
Now the "dc=plasmon,dc=sit" entry exists, and ou.ldif can be added.
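The two failures above (trailing whitespace in LDIF lines, and adding ou=People before its parent dc=plasmon,dc=sit exists) are easy to catch before ldapadd ever runs. The following is an added example, not code from the original post or from OpenLDAP: it builds the bootstrap LDIF for the suffix dc=plasmon,dc=sit, orders entries so that every parent precedes its children, normalizes DNs (so "dc=plasmon, dc=sit" and "dc=plasmon,dc=sit" are treated as the same entry), refuses a batch whose parent is missing, and lints an existing LDIF file for trailing whitespace. The entries are the ones from the post, deliberately listed child first; no LDAP server is contacted.

```python
"""Build and lint bootstrap LDIF for dc=plasmon,dc=sit (added example)."""
import re

SUFFIX = "dc=plasmon,dc=sit"          # suffix from the post's slapd.conf
_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped
_TRAILING_WS = re.compile(r"[ \t]+$")


def normalize_dn(dn):
    """Canonical form for comparison: lower case, no blanks around ',' or '='."""
    parts = [re.sub(r"\s*=\s*", "=", p.strip()) for p in _RDN_SPLIT.split(dn)]
    return ",".join(parts).lower()


def parent_dn(dn):
    """Parent of a DN ('' for a single-RDN DN)."""
    parts = [p.strip() for p in _RDN_SPLIT.split(dn)]
    return ",".join(parts[1:])


def order_entries(entries):
    """Return entries sorted so every parent precedes its children.

    entries: list of (dn, [(attribute, value-or-list-of-values), ...]).
    The batch is assumed to be self-contained (a fresh directory), so an
    entry below the suffix whose parent is not in the batch is an error:
    this is exactly the 'ou before dc' failure from the post.
    """
    suffix = normalize_dn(SUFFIX)
    known = {normalize_dn(dn) for dn, _ in entries}
    for dn, _ in entries:
        n = normalize_dn(dn)
        if n == suffix:
            continue
        if not n.endswith("," + suffix):
            raise ValueError(f"{dn} is outside suffix {SUFFIX}")
        if normalize_dn(parent_dn(dn)) not in known:
            raise ValueError(f"parent of {dn} is missing; add it first")
    # Fewer RDNs means closer to the root; sort is stable within a depth.
    return sorted(entries, key=lambda e: len(_RDN_SPLIT.split(e[0])))


def check_entries(entries):
    """None if the batch is well formed, otherwise the error message."""
    try:
        order_entries(entries)
        return None
    except ValueError as err:
        return str(err)


def format_entry(dn, attrs):
    """Render one LDIF entry; trailing blanks are stripped from every line."""
    lines = [f"dn: {dn}".rstrip()]
    for name, values in attrs:
        for value in (values if isinstance(values, list) else [values]):
            lines.append(f"{name}: {value}".rstrip())
    return "\n".join(lines) + "\n"


def build_ldif(entries):
    """Complete LDIF text, entries separated by a blank line, parents first."""
    return "\n".join(format_entry(dn, attrs) for dn, attrs in order_entries(entries))


def lint_ldif(text):
    """(line number, line) for every line that ends in whitespace."""
    return [(i, line) for i, line in enumerate(text.splitlines(), 1)
            if _TRAILING_WS.search(line)]


# Constructed input: the two entries from the post, child listed first on purpose.
ENTRIES = [
    ("ou=People,dc=plasmon,dc=sit", [
        ("objectClass", ["top", "organizationalUnit"]),
        ("ou", "People"),
        ("description", "User info"),
    ]),
    ("dc=plasmon, dc=sit", [           # note the blank after the comma
        ("objectClass", ["dcObject", "organization"]),
        ("o", "Example Company"),
        ("dc", "plasmon"),
    ]),
]

if __name__ == "__main__":
    ldif = build_ldif(ENTRIES)
    assert lint_ldif(ldif) == []
    print(ldif, end="")               # feed to: ldapadd -x -D "cn=root,dc=plasmon,dc=sit" -W -f -
```

Run the script and pipe its output to ldapadd, or call lint_ldif() on a file you already have to find the lines iPlanet and OpenLDAP were rejecting. Sorting by DN depth is enough for a single-suffix bootstrap; for a batch that extends an existing directory you would pass the already-present DNs in as "known" rather than requiring them in the file.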

Configure OpenSSL.
First, we need to create the server.pem file holding the private key and a self-signed certificate. Note that "openssl req" without -x509 only produces a certificate signing request, not a certificate, so -x509 (and a validity period) is required; the original post also used rsa:1024, which is no longer adequate, so use at least 2048 bits:
# openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout server.pem -out server.pem
Because -nodes leaves the private key unencrypted, keep server.pem readable only by the user slapd runs as (chmod 600). Please be very careful when setting the Common Name here! It must be the server's FQDN (fully qualified domain name), that is, the name clients will use to connect. Running "hostname" prints it; for example, 192.168.123.33 reports "localhost.localdomain". I tried to set another hostname with "hostname plasmon.sit", but the new name only lasts for the current session: after a reboot the hostname returns to "localhost.localdomain". Steven said the hostname could be changed permanently in "/etc/host" so that it survives a reboot, but I have not tested that. So I still set the Common Name to "localhost.localdomain". Then, with the certificate file server.pem created, add the TLS directives to slapd.conf (the path is an assumption; point both at wherever server.pem was saved):
TLSCertificateFile /usr/local/etc/openldap/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/server.pem
Be aware that a Common Name of "localhost.localdomain" will not match a client that connects to 192.168.123.33 or to plasmon.sit, so certificate verification on such clients will fail unless the certificate carries the name or address they actually use.
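To make the Common Name point concrete, here is an added example (not code from the original post, OpenSSL or OpenLDAP) that applies the usual name-matching rules a TLS client uses: dNSName subjectAltNames are preferred, the CN is only a fallback when there are no dNSName entries, comparison is case-insensitive, a wildcard covers exactly one leftmost label, and an IP address only matches an iPAddress subjectAltName, never a CN. The certificates are constructed dictionaries standing in for parsed certificates: POST_CERT is the post's CN=localhost.localdomain certificate, FIXED_CERT is what the server would need so that clients connecting by 192.168.123.33 or plasmon.sit verify.

```python
"""Does a certificate's name set match the host a client connects to? (added example)"""
import ipaddress


def _as_ip(text):
    """Parsed address if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive DNS name match; '*' may only be the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no '*.sit'-style wildcards, and one label only
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, host):
    """cert: {"cn": str, "dns": [dNSName SANs], "ip": [iPAddress SANs]}.

    host is exactly what the client typed (URI host or /etc/ldap.conf host).
    """
    ip = _as_ip(host)
    if ip is not None:
        return any(ip == _as_ip(san) for san in cert.get("ip", []))
    dns_names = cert.get("dns", [])
    if dns_names:                      # SANs present: CN is ignored
        return any(_dns_match(name, host) for name in dns_names)
    return _dns_match(cert.get("cn", ""), host)


def verification_report(cert, hosts):
    """Map each connect target to 'ok' or 'MISMATCH' for the given certificate."""
    return {h: ("ok" if cert_matches_host(cert, h) else "MISMATCH") for h in hosts}


# Constructed certificates (not real files), mirroring the post's setup.
POST_CERT = {"cn": "localhost.localdomain", "dns": [], "ip": []}
FIXED_CERT = {"cn": "plasmon.sit", "dns": ["plasmon.sit"], "ip": ["192.168.123.33"]}
TARGETS = ["localhost.localdomain", "plasmon.sit", "192.168.123.33"]

if __name__ == "__main__":
    print("post's certificate:", verification_report(POST_CERT, TARGETS))
    print("fixed certificate: ", verification_report(FIXED_CERT, TARGETS))
```

The report for POST_CERT is "ok" only for localhost.localdomain, which no remote client will use; the fix is either to issue the certificate for the name clients really use (and add the IP as a subjectAltName if clients connect by address) or to make clients connect by that name. Setting TLS_REQCERT never on the client silences the mismatch by turning verification off, which defeats the purpose of ldaps.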

Restart slapd (a full system reboot is not needed) with the TLS listener:
# slapd -h "ldaps:///"
ldaps:/// listens on port 636 by default; add ldap:/// as well if plain port 389 must stay open. As above, use netstat and nmap to check that port 636 is open.

On the client machine, configure the following files in order to access OpenLDAP:
1. /etc/ldap.conf (read by nss_ldap and pam_ldap): set host and base. In this setup bindpw was "hello123", the directory root's password. That is a bad idea: /etc/ldap.conf must be world-readable for name lookups to work, so every local user could read the rootdn password and take over the directory. Use an anonymous bind (no binddn/bindpw) or a dedicated read-only account for lookups; if root needs a privileged bind (for example to read shadow attributes), use rootbinddn with the password in /etc/ldap.secret (mode 0600) rather than bindpw.
2. /etc/samba/smb.conf: add the LDAP server (passdb backend = ldapsam:ldap://192.168.123.33 and ldap suffix = dc=plasmon,dc=sit).
3. /etc/nsswitch.conf: add "ldap" to the passwd, shadow and group lines, e.g. "passwd: files ldap".
Then "getent passwd" returns entries from both the LDAP server and the local files.

The client's "/etc/openldap/ldap.conf" is the only file that decides what "ldapsearch -x" returns; add the LDAP server (URI or HOST) and BASE to it. To use ldaps:// from the client, also add TLS_CACERT pointing at a copy of the server certificate so the self-signed certificate is trusted. Copy only the certificate block, never the private key that the server's server.pem also contains (extract it with "openssl x509 -in server.pem -out server.crt"), and do not "fix" verification errors with TLS_REQCERT never, which disables certificate checking entirely. Normally "ldapsearch -x" (an anonymous simple bind unless -D and -W are given) returns all entries the server's access controls allow. The "sizelimit" setting in the server's slapd.conf caps the number of returned entries; "unlimited" (or -1) removes the cap, like iPlanet's "look-through limit". Remember that removing the cap for anonymous clients lets anyone enumerate the whole directory.
