Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services

Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services
eBook: $29.99
Formats: PDF, PacktLib, ePub and Mobi formats
save 45%!
Print + free eBook + free PacktLib access to the book: $79.98    Print cover: $49.99
save 37%!
Free Shipping!
UK, US, Europe and selected countries in Asia.
Also available on:
Table of Contents
Sample Chapters
  • Up-to-date with the latest OpenLDAP release
  • Installing and configuring the OpenLDAP server
  • Synchronizing multiple OpenLDAP servers over the network
  • Creating custom LDAP schemas to model your own information
  • Integrating OpenLDAP with web applications


Book Details

Language : English
Paperback : 484 pages [ 235mm x 191mm ]
Release Date : August 2007
ISBN : 1847191029
ISBN 13 : 9781847191021
Author(s) : Matt Butcher
Topics and Technologies : All Books, Networking and Servers, Architecture & Analysis, Linux Servers, Open Source

Table of Contents

Chapter 1: Directory Servers and LDAP
Chapter 2: Installation and Configuration
Chapter 3: Using OpenLDAP
Chapter 4: Securing OpenLDAP
Chapter 5: Advanced Configuration
Chapter 6: LDAP Schemas
Chapter 7: Multiple Directories
Chapter 8: LDAP and the Web
Appendix A: Building OpenLDAP from Source
Appendix B: LDAP URLs
Appendix C: Useful LDAP Commands
  • Chapter 1: Directory Servers and LDAP
    • LDAP Basics
      • What is a Directory?
      • The Structure of a Directory Entry
      • A Unique Name: The DN
      • An Example LDAP Entry
        • The Object Class Attribute
        • Operational Attributes
      • The Directory Information Tree
      • What to Do with an LDAP Server
    • The History of LDAP and OpenLDAP
    • A Technical Overview of OpenLDAP
      • The Server
      • Clients
      • Utilities
      • Libraries
    • Summary
  • Chapter 2: Installation and Configuration
    • Before Getting Started
      • OpenLDAP Binaries for Operating Systems
        • Commercial OpenLDAP Distribution
        • Source Code Compilation
      • A Quick Note on Versions
    • Installation
      • Dependencies
      • Installing OpenLDAP
    • Configuring the SLAPD Server
      • Basics
        • Schemas
        • More Directives
        • Module Directives
      • Database Configuration
      • ACLs
      • Verifying a Configuration File
    • Starting and Stopping the Server
      • Using the Init Script
      • Running SLAPD Directly
    • Configuring the LDAP Clients
      • A Basic ldap.conf File
        • Size and Time Limits
    • Testing the Server
    • Summary
  • Chapter 3: Using OpenLDAP
    • A Brief Survey of the LDAP Suite
    • LDAP from the Server Side
      • SLAPD
        • The Binding Operation
        • The Search Operation
        • More Operations: Additions, Modifications, and Deletions
        • Infrequent Operations
        • SLAPD Summary
      • SLURPD
    • Creating Directory Data
      • The LDIF File Format
        • Anatomy of an LDIF File
        • Representing Attribute Values in LDIF
      • Example.Com in LDIF
        • Defining the Base DN Record
        • Structuring the Directory with Organizational Units
        • Adding User Records
        • Adding System Records
        • Adding Group Records
      • The Complete LDIF File
    • Using the Utilities to Prepare the Directory
      • slapadd
        • When Should slapadd be Used?
        • What Does slapadd Do?
        • Loading the LDIF File
      • slapindex
      • slapcat
        • Operational Attributes
      • slapacl
      • slapauth
      • slapdn
      • slappasswd
        • Storing and Using Passwords in OpenLDAP
        • Generating a Password with slappasswd
      • slaptest
    • Performing Directory Operations Using the Clients
      • Common Command-Line Flags
        • Common Flags
        • Setting Defaults in ldap.conf
      • ldapsearch
        • A Simple Search
        • Restricting Returned Fields
        • Requesting Operational Attributes
        • Searching Using a File
      • ldapadd
        • Adding Records from a File
      • ldapmodify
        • Adding a Record with ldapmodify
        • Modifying Existing Records
        • Modifying the Relative DN
        • Deleting Entire Records
      • ldapdelete
      • ldapcompare
      • ldapmodrdn
        • Modifying the Superior DN with ldapmodrdn
      • ldappasswd
      • ldapwhoami
    • Summary
  • Chapter 4: Securing OpenLDAP
    • LDAP Security: The Three Aspects
    • Securing Network-Based Directory Connections with SSL/TLS
      • The Basics of SSL and TLS
        • Authenticity
        • Encryption
        • StartTLS
      • Creating an SSL/TLS CA
      • Creating a Certificate
        • Creating a New Certificate Request
        • Signing the Certificate Request
        • Configuring and Installing the Certificates
      • Configuring StartTLS
      • Configuring Client TLS
      • Configuring LDAPS
        • Debugging with the OpenSSL Client
      • Using Security Strength Factors
        • The security Directive
    • Authenticating Users to the Directory
      • Simple Binding
        • Using an Authentication User for Simple Binding
      • SASL Binding
        • Configuring Cyrus SASL
        • Configuring SLAPD for SASL Support
      • Using Client SSL/TLS Certificates to Authenticate
        • Creating a New Client Certificate
        • Configuring the Client
        • Configuring the Server
        • Testing with ldapwhoami
        • Going Further with SASL
    • Controlling Authorization with ACLs
      • The Basics of ACLs
      • Access to [resources]
        • Access using DN
        • Access using attrs
        • Access using Filters
        • Combining Access Specifiers
      • By [who] [type of access granted] [control]
        • The Access Field
        • The who Field
        • The control Field
      • Getting More from Regular Expressions
      • Debugging ACLs
      • A Practical Example
    • Summary
  • Chapter 5: Advanced Configuration
    • Multiple Database Backends
      • The slapd.conf File
      • Creating and Importing a Second Directory
    • Performance Tuning
      • Performance Directives
        • Global Directives
        • Directives in the Database Section
      • The DB_CONFIG File
        • Setting the Cache Size
        • Configuring the Data Directory
        • Optimizing BDB/HDB Transaction Logging
        • Tuning Lock Files
        • More about Berkeley DB
    • Directory Overlays
      • A Brief Tour of the Official Overlays
      • Configuring an Overlay: denyop
        • Loading the module
        • Adding the Overlay
        • Adding Overlay-Specific Directives
      • Referential Integrity Overlay
        • Configuring the Overlay
        • Modifying the Records
        • Drawbacks
        • A Useful Note
    • The Uniqueness Overlay
    • Summary
  • Chapter 6: LDAP Schemas
    • Introduction to LDAP Schemas
      • Why Do They Look So Complicated?
      • Schema Definitions
      • Object Classes and Attributes
      • Object Class Definitions
      • Attribute Definitions
      • Object Identifier Definitions
      • DIT Content Rules
      • Retrieving the Schemas from SLAPD
    • The ObjectClass Hierarchy
      • Attribute Hierarchies
        • Subordinate Attributes and Searching
      • Object Class Types: Abstract, Structural, and Auxiliary
        • The Object Class Hierarchy: An Overview
        • Abstract Classes
        • Structural Object Classes
        • Auxiliary Object Classes
      • Moving Onward
    • Schemas: Accesslog and Password Policy Overlays
      • Logging with the Accesslog Overlay
        • Loading the accesslog Module
        • Configuring the Access Log Backend
        • Creating A Directory for the Access Log Files
        • Enabling Logging for the Main Backend
        • The Log Records
      • Implementing a Complex Overlay: Password Policy
        • Setting the Global Directives in slapd.conf: Schema and Module
        • Creating a Password Policy
        • Configure the Overlay Directives
        • Test the Overlay
        • Password Policy Operational Attributes
        • Summary of ppolicy Operational Attributes
    • Creating a Schema
      • Getting an OID
      • Giving Our OID a Name
      • Creating Object Classes
      • Creating Attributes
      • Loading the New Schema
        • Troubleshooting Schema Loading
      • A New Record
    • Summary
  • Chapter 7: Multiple Directories
    • Replication: An Overview
      • SyncRepl
    • Configuring SyncRepl
      • Configuring the Master Server
        • Creating a SyncRepl User
      • Configuring the Shadow Server
        • The syncrepl Directive
        • Configuring a Referral
      • Starting Replication
        • For Larger Directories...
      • Delta SyncRepl
        • The Master Server's Configuration
        • The Shadow Server's Configuration
      • Debugging SyncRepl
        • Starting Over
        • Strategic Logging
        • A Few Common Mistakes
    • Configuring an LDAP Proxy
      • Using the LDAP Backend
        • Using Identity Management Features
      • Turning the Simple Proxy into a Caching Proxy
        • Notes on the Attribute Sets and Templates
      • A Translucent Proxy
    • Summary
  • Chapter 8: LDAP and the Web
    • The LDAP-Aware Application
    • Apache and LDAP
      • A Short Guide to Installing Apache
      • Configuring LDAP Authentication
        • Loading the Modules
        • Editing the default Configuration File
        • Other Features of the Require Parameter
    • phpLDAPadmin
      • Prerequisites
      • Installing phpLDAPadmin
        • Is Your Package Broken?
      • Configuring phpLDAPadmin
        • A Basic Look at Configuration Parameters
        • Configuring the LDAP Server Settings
      • A First Look at phpLDAPadmin
        • Navigating phpLDAPadmin
        • Viewing and Modifying a Record
        • Adding a New Record
        • Searching with phpLDAPadmin
    • Summary
  • Appendix A: Building OpenLDAP from Source
    • Why Build from Source?
    • Getting the Code
    • The Tools for Compiling
      • Build Tools
      • Installing Dependencies
    • Compiling OpenLDAP
      • Configuring
      • Building with make
    • Installation
    • Building Everything
    • Summary
  • Appendix B: LDAP URLs
    • The LDAP URL
    • Common Uses of LDAP URLs
      • Not all LDAP URLs are for Searching
    • For More Information on LDAP URLs...
    • Summary
  • Appendix C: Useful LDAP Commands
    • Getting Information about the Directory
      • The Root DSE
      • The Subschema Record
      • The Configuration Record
    • Making a Directory Backup
      • A Backup Copy of the Directory Database
      • An LDIF Backup File
    • Rebuilding a Database (BDB, HDB)
      • Step 1: Stop the Server
      • Step 2: Dump the Database
      • Step 3: Delete the Old Database Files
      • Step 4: Create a New Database
      • Step 5: Restart SLAPD
      • Troubleshooting Rebuilds
    • Summary

Matt Butcher

Matt is a web developer and author. He has previously written five other books for Packt, including two others on Drupal. He is a senior developer for the New York Times Company, where he works on, one of the most traffic-heavy Drupal sites in the world. He is the maintainer of multiple Drupal modules and also heads QueryPath – a jQuery-like PHP library. He blogs occasionally at


Sorry, we don't have any reviews for this title yet.

Code Downloads

Download the code and support files for this book.

Submit Errata

Please let us know if you have found any errors not listed on this list by completing our errata submission form. Our editors will check them and add them to this list. Thank you.


- 27 submitted: last submission 29 Oct 2013

Errata type: Others | Page number: 38

If no ACLs are specified, the default rule used by SLAPD is access to * by * read. However, it is not advised that ACLs be omitted from the configuration file. You should almost always explicitly set ACLs in the slapd.conf file.


Errata type: Others | Page number: 98 

In OpenLDAP 2.3.39, the slapcat main page has been corrected to describe the behavior as explained in this book. A Perl example can be mentioned for base64: $ perl -MMIME::Base64 -e 'print "userPassword::".encode_base64("secret"); userPassword::c2VjcmV0. Also note the double colons (::) between the attribute name and the value. These are necessary when an attribute contains a base-64 encoded value.


Errata type: Others | Page number: 105 

CRYPT is very platform dependent, and is not enabled by default. A custom compile of OpenLDAP is done with: --enable-crypt to enable this password hashing scheme. Most implementations of CRYPT are less secure than other alternatives. If possible, one ought to use password hashing based on MD5 or SHA algorithms.


Errata type: Others | Page number: 153 

Using the TLSCACertificateFile directive, which points to just one SSL certificate, may be a more secure choice than using TLSCACertificatePath, if OpenLDAP is to accept connections only from clients with certificates signed by one particular certificate authority (CA). If clients connect with certificates signed by different certificate authorities then the TLSCACertificatePath may be the better way to go. In many cases, clients do not provide certificates at all. In some cases, like the case of SASL's EXTERNAL mechanism, though, the authenticity of the certificate is crucial. In such a case, one ought to be very careful about the CA authorities available to SLAPD.


Errata type: Others | Page number: 154

Take care when setting TLS_REQCERT to never or allow. It allows SLAPD to accept TLS/SSL connections with certificates that have not been verified against the signing chain. This does not impact encryption strength, but it does skip the verification of authenticity described on page 139. Again, this is very important when using SASL EXTERNAL as an authentication mechanism. There are documented cases where clients will send authentication information before StartTLS is initiated. This is incorrect behavior, but it occurs nonetheless. In such a case, the password may be transported unencrypted, which is a security risk. To mitigate the risk of this happening, you may want to use SASL or LDAPS. In fact, this is why LDAPS remains in broad use in spite of it's deprecation in LDAPv3.It is not recommended that peername.ip alone is used to grant write access. See the example on page 216 for a legitimate use of peername.ip. It is also not recommended that the domain specifier alone be used for providing write access. Domain information can be easily forged.


Errata type: Others | Page number: 207 

Changes to set syntax are in progress, and the functionality described here may or may not remain the same in OpenLDAP 2.4.


Errata type: Others | Page number: 222 

In practice, it is better to keep each set of database files in their own directory rather than create subdirectories inside of existing database directories. In the example in the text, the database files in /var/lib/ldap should probably be moved into /var/lib/ldap/


Errata type: Others | Page number: 223 

In some cases, it might be good to chown ldap:ldap. In the case described in the text, if root was the owner, then the original files would have ownership root:root. Whether the final files are left ldap:root or ldap:ldap is probably inconsequential. But there is a danger in setting ownership to ldap:ldap. If there are other users in the ldap group, it could be a security risk to chown ldap:ldap. Those other users would have whatever accesses to the files were granted by the files' mode settings.


Errata type: Others | Page number: 226 

Note that HDB is the default. Actually, BDB is considered by the OpenLDAP project to "the default," though HDB support is included by default.


Errata type: Others | Page number: 232 

Threads should be lowered to 8. Quanah Gibson-Mount, the OpenLDAP project's QA Release Engineer (and one of the technical reviewers for this book), showed that this setting almost always provides superior performance to the default 16. Users can test to see if further lowering would be better for their needs.


Errata type: Others | Page number: 235 

As with all other changes to the configuration file, after adding the read-only directive to slapd.conf, you will need to restart SLAPD for your changes to take.


Errata type: Others | Page number: 238 

For completeness, the pres index is discussed, though it is never used in this book, and is probably rarely used in production environments. One way to determine which values ought to be indexed is to examine your SLAPD log files. When SLAPD encounters a search filter using an attribute that is not indexed, it will report this in the logs. If the same attribute appears repeatedly in the logs, it is a good candidate for an index. The log message looks something like this bdb_equality_candidates: (employeeType) index_param failed (18);This might have occurred with a search filter like: (employeeType=*). This logmessage merely indicates that no index could be used to expedite the search. (It does not indicate an error.) Seeing these messages on occasion is fine. What to watch for are the numerous occurrences of this message, and always for the same attribute (be it employeeType or some other one). In such a case, it would probably bolster performance to index that attribute.


Errata type: Typo | Page number: 12 

The Tip box should read as "Most DNs are not case sensitive. Some parts of LDAP records are case sensitive, and others are not. Attributes that represent names are typically not. Most of the time, a DN is not case sensitive because it is made up of parts that are not case sensitive. (See section 4.2.15 of RFC 4517 for details).


Errata type: Typo | Page number: 27

In the Tip box, replace "Use find . -type f -name slapd.conf with"Use find / -type f -name slapd.conf".


Errata type: Typo | Page number: 28

In the Tip box replace "Look in the /usr/local portion of your file system to locate the correct location (for example, modulepath is in /usr/local/libexex/openldap/)" with "Look in the /usr/local portion of your file system to locate the correct location (for example, modulepath is in /usr/local/libexec/openldap/)".


Errata type: Typo | Page number: 29

In the section 'Schemas', inteorgperson.schema was misspelled. It should be inetorgperson.schema.


Errata type: Typo | Page number: 40

In the Tip box replace "$ slapd -T dest -f /etc/ldap/slapd.conf" with "$ slapd -T test -f /etc/ldap/slapd.conf".


Errata type: Typo | Page number: 52

In the paragraph under the heading, "SLAPD," the fourth sentence is missing a comma between the dependent and independent clauses. The sentence should read, "In the most common case, a client will send a query message to the server."


Errata type: Typo | Page number: 57

In the beginning of paragraph, "The search returns everything *in* appearing in..." should have the marked word "in" removed.


Errata type: Typo | Page number: 108

In the Information box replace "Most of the utilities in the last part required that the SLAPD server must not not be running" with "Most of the utilities in the last part required that the SLAPD server must not be running".


Errata type: Typo | Page number: 151

Replace "$ sudo mv cacert.pem /etc/ldap/" with "$ sudo mv newcert.pem /etc/ldap/".


Errata type: Typo | Page number: 154

Replace "To accomplish this, use the following directive in slapd.conf: TLS_REQCERT allow" with "To accomplish this, use the following directive in ldap.conf: TLS_REQCERT allow".


Errata type: Typo | Page number: 156

In the Information box replace "Like the StartTLSconfiguration, this configuration requires that the slapd.conf file have the TLSCertificateFile, TLSCertificateKeyFile, and TLSCACertificateDir directives set." with "Like the StartTLSconfiguration, this configuration requires that the slapd.conf file have the TLSCertificateFile, TLSCertificateKeyFile, and TLSCACertificatePath directives set."


Errata type: Typo | Page number: 219

Under the heading 'Multiple Database Backends', replace "This works well for most of the small directory servers" with "This works well for most of the simple directory servers"


Errata type: Typo | Page number: 220

Replace "How does a SLAPD with multiple backends works?" with "How does a SLAPD with multiple backends work?"


Errata type: Technical | Page number: 131 | Errata date: 22 July 11

Newer versions of Debian/Ubuntu use gnutls, Configuration using the options described on the following URL are more direct: Make sure that the hostname in /etc/hosts matches the cn configured in the /etc/ssl/ template used to generate the key. Not the dn name.


Errata type: code | Page number: 154 

3rd paragraph, the reader is instructed to enter 'TLS_REQCERT allow' in slapd.conf. This setting belongs in ldap.conf, since it is a client setting.

Sample chapters

You can view our sample chapters and prefaces of this title on PacktLib or download sample chapters in PDF format.

Frequently bought together

Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services +    Oracle E-Business Suite R12 Integration and OA Framework Development and Extension Cookbook =
50% Off
the second eBook
Price for both: $43.05

Buy both these recommended eBooks together and get 50% off the cheapest eBook.

What you will learn from this book

  • Installing binary OpenLDAP packages and building from source
  • Configuring and verifying the LDAP server
  • Building an initial directory tree in an LDIF file
  • Loading, modifying, and searching directory records
  • Setting passwords and authenticating against the directory
  • Configuring Access Control Lists (ACLs)
  • Configuring multiple database back ends
  • Securing network-based directory connections with SSL and TLS
  • Advanced configurations and performance tuning settings
  • Creating and implementing LDAP schemas
  • Creating custom schemas and sophisticated ACLs
  • Using OpenLDAP as a proxy for other LDAP servers
  • Adding caching with the Proxy Cache overlay
  • Using the transparency overlay to create a hybrid cache
  • Installing and configuring a web-base LDAP administration suite
  • Keeping multiple directory servers synchronized with SyncRepl
  • Using OpenLDAP for Apache authentication

Chapter 1
constitutes the first section. In it we look at general concepts of directory servers and LDAP, cover the history of LDAP and the lineage of the OpenLDAP server, and finish up with a technical overview of OpenLDAP.

The second section (comprising Chapters 2-7) focuses on building directory services with OpenLDAP. In this section, we take a close look at the OpenLDAP server. We begin in Chapter 2 with the process of installing OpenLDAP on a GNU/Linux server. Once we have the server installed, we do the basic post-installation configuration necessary to have the server running.

In Chapter 3, we cover basic use of the OpenLDAP server. We use the OpenLDAP command-line tools to add records to our new directory, search the directory, and modify records. This chapter introduces many of the key concepts involved in working with LDAP data.

Chapter 4 covers security, including handling authentication to the directory, configuring Access Control Lists (ACLs), and securing network-based directory connections with Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

In Chapter 5, we look at advanced configuration of the OpenLDAP server. Here, we take a close look at the various back-end database options and also look at performance tuning settings, as well as the recently introduced technology of directory overlays.

The focus of Chapter 6 is extending the directory structure by creating and implementing LDAP schemas. Schemas provide a procedure for defining new attributes and structures to extend the directory and provide records tailor-made to your needs.

Chapter 7 focuses on directory replication and different ways of getting directory servers to interoperate over a network. OpenLDAP can replicate its directory contents from a master server to any number of subordinate servers. In this chapter, we set up a replication process between two servers.

In the third section of the book, we look at how OpenLDAP is integrated with other applications and services on the network. In Chapter 8, we look at configuring other tools to interoperate with OpenLDAP. We begin with the Apache Web server, using LDAP as a source of authentication and authorization. Next, we install phpLDAPadmin, a web-based program for managing directory servers. Then we look at the main features, and do some custom tuning.

The appendices include a step-by-step guide to building OpenLDAP from source (Appendix A), a guide to using LDAP URLs (Appendix B), and a compendium of useful LDAP client commands (Appendix C).

In Detail

This book is the ideal introduction to using OpenLDAP for Application Developers and will also benefit System Administrators running OpenLDAP. It prepares the reader to build a directory using OpenLDAP, and then employ this directory in the context of the network, taking a practical approach that emphasizes how to get things done. On occasion, it delves into theoretical aspects of LDAP, but only where understanding the theory helps to answer practical questions. The reader requires no knowledge of OpenLDAP, but even readers already familiar with the technology will find new things and techniques.

This book is organized into three major sections: the first section covers the basics of LDAP directory services and the OpenLDAP server; the second focuses on building directory services with OpenLDAP; in the third section of the book, we look at how OpenLDAP is integrated with other applications and services on the network. This book not only demystifies OpenLDAP, but gives System Administrators and Application Developers a solid understanding of how to make use of OpenLDAP's directory services.

The OpenLDAP directory server is a mature product that has been around (in one form or another) since 1995. It is an open-source server that provides network clients with directory services. All major Linux distributions include the OpenLDAP server, and many major applications, both open-source and proprietary, are directory aware and can make use of the services provided by OpenLDAP.

The OpenLDAP directory server can be used to store organizational information in a centralized location, and make this information available to authorized applications. Client applications connect to OpenLDAP using the Lightweight Directory Access Protocol (LDAP) and can then search the directory and (if they have appropriate access) modify and manipulate records.

LDAP servers are most frequently used to provide network-based authentication services for users; but there are many other uses for an LDAP server, including using the directory as an address book, a DNS database, an organizational tool, or even as a network object store for applications.


This book has been written from the application developer's perspective, tackling the topics that will be most important to helping the application developer understand OpenLDAP, and get it set up as securely and quickly as possible. It shows how OpenLDAP interoperates with other UNIX/Linux services (DNS, NIS, Samba, etc.).

Who this book is for

The target audience will require basic Linux system administration knowledge, but no prior knowledge of LDAP or OpenLDAP is assumed. If you are web savvy and are interested in using OpenLDAP for web applications and services like client interaction then this is the book for you.

Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services


Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software