slapd.conf
In order to use the slapd LDAP server, you will
need to modify its configuration file,
/etc/openldap/slapd.conf. You must edit
this file to make it specific to your domain and server.
The suffix line names the domain for
which the LDAP server will provide information. The
suffix line should be changed from:
suffix "dc=your-domain,dc=com"
so that it reflects your domain name. For example:
suffix "dc=example,dc=com"
The rootdn entry is the
Distinguished Name (DN)
for a user who is unrestricted by access controls or administrative
limit parameters set for operations on the LDAP directory. The
rootdn user can be thought of as the
root user for the LDAP directory. In the configuration file, change
the rootdn line from its default
value to something like the example below:
rootdn "cn=root,dc=example,dc=com"
Change the rootpw line
to something like the example below:
rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
In the rootpw example, the value is a salted SHA-1 hash of the
root password rather than the password itself, which is a much better
idea than leaving a plain text root password in the slapd.conf
file. Note that a hash is not encryption: it cannot be reversed, but anyone
who can read the file can still guess a weak password offline, so keep the
file's permissions tight and choose a strong password. To make this hashed
string, use the password-hashing utility shipped with OpenLDAP: it prompts
you to type and then re-type a password and prints the resulting hash to
the terminal.
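The following Python is an added example, not code from the Red Hat guide or the OpenLDAP project. It shows what an {SSHA} value of the kind slappasswd(8) prints actually contains (base64 of a 20-byte SHA-1 digest over password plus salt, followed by the salt), generates and verifies such values, and checks a slapd.conf for a rootpw left in clear text. The slapd.conf fragments embedded in it are constructed for the demonstration; the page's own hash is used only to show the byte layout, and its password is not known or claimed.

```python
"""Added example, not from the Red Hat guide or the OpenLDAP project:
what an {SSHA} rootpw value contains, how to generate and verify one,
and a check that a slapd.conf does not carry rootpw in clear text.

{SSHA} is the scheme slappasswd(8) produces by default:
    "{SSHA}" + base64( SHA1(password || salt) || salt )
The salt follows the 20-byte digest in the clear so a verifier can
recompute the digest; it is a salted hash, not encryption.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

SCHEME = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} string. slappasswd uses a 4-byte random salt by
    default; a fixed salt may be passed for reproducible tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Decode an {SSHA} string into (digest, salt)."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_rootpw(conf_text: str) -> str:
    """Classify the active rootpw directive in slapd.conf text:
    'absent'    - none, or only commented out (the guide's recommendation
                  once the directory has been populated)
    'hashed'    - value carries a {SCHEME} prefix such as {SSHA}
    'cleartext' - anything else, which the guide warns against
    slapd.conf treats only whole lines starting with '#' as comments."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0] != "rootpw":
            continue
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        return "hashed" if re.match(r"\{[A-Za-z0-9-]+\}", value) else "cleartext"
    return "absent"


# The value printed on the page: 32 base64 characters decode to 24 bytes,
# i.e. a 20-byte SHA-1 digest followed by a 4-byte salt. The password behind
# it is not known here and is not needed for the layout check.
PAGE_EXAMPLE = "{SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u"

# Constructed slapd.conf fragments for the audit, not real configurations.
WEAK_CONF = (
    'suffix "dc=example,dc=com"\n'
    'rootdn "cn=root,dc=example,dc=com"\n'
    "rootpw secret\n"
)
HASHED_CONF = WEAK_CONF.replace("rootpw secret", "rootpw " + PAGE_EXAMPLE)
DISABLED_CONF = WEAK_CONF.replace("rootpw secret", "#rootpw " + PAGE_EXAMPLE)

if __name__ == "__main__":
    fresh = ssha_hash("correct horse battery staple")
    print(fresh, ssha_verify("correct horse battery staple", fresh))
    for name, conf in (("weak", WEAK_CONF), ("hashed", HASHED_CONF),
                       ("disabled", DISABLED_CONF)):
        print(name, audit_rootpw(conf))
```

Run it as a script to see a freshly salted hash verify, and the three constructed fragments classified as cleartext, hashed and absent. The constant-time comparison in ssha_verify is what a bind-time password check should use; a plain == on digests leaks timing.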
Warning: LDAP passwords, including the password that authenticates the
rootdn configured in /etc/openldap/slapd.conf, are sent over the
network in plain text during a simple bind unless you enable TLS encryption.
The hash stored in the rootpw directive protects the file, not the connection.
For added security, use the rootpw
directive only if the initial configuration and
population of the LDAP directory must occur over a network. After the task
is completed, comment out the
rootpw directive by preceding it
with a pound sign (#). Without rootpw, binding as the rootdn is possible
only if an entry with that DN exists in the directory and carries its own
userPassword, so the superuser is no longer reachable with a password
that lives in a configuration file.
Tip: If you are using the slapadd command-line tool
locally to populate the LDAP directory, the
rootpw directive is not necessary: slapadd writes directly to the database
files and performs no bind.
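The fragment below is an added example assembled from the directives discussed above, not the file shipped by Red Hat or OpenLDAP. It shows the hardened shape the preceding paragraphs argue for: rootpw commented out after initial population, TLS enabled, simple binds refused on unprotected connections, and password hashes readable by nobody but the entry owner. The certificate paths, the backend name and the access rules are assumptions to adapt to your installation; slapd.conf recognises only whole-line comments, so no comment is placed after a directive on the same line.

```conf
# Added example slapd.conf, not the distribution default. Paths and the
# backend name are placeholders for your installation.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# TLS: the server certificate, its private key and the issuing CA.
TLSCACertificateFile    /etc/openldap/cacerts/ca.pem
TLSCertificateFile      /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile   /etc/openldap/certs/slapd-key.pem

# Refuse simple (password) binds unless the connection already has a
# security strength factor of at least 128, i.e. is protected by TLS.
security        simple_bind=128

# Hash userPassword values set through LDAP operations rather than
# storing them in clear text.
password-hash   {SSHA}

# The backend keyword depends on the OpenLDAP version installed
# (ldbm on older releases, bdb/hdb later, mdb on current ones).
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
# rootpw was only needed while populating the directory over the network;
# it stays commented out in normal operation, as recommended above.
#rootpw         {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
directory       /var/lib/ldap

# Password hashes: the owner may change them, anonymous clients may only
# present a password against them, nobody else sees them at all.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# Everything else: owners edit their entry, authenticated users read,
# anonymous clients may only authenticate.
access to *
        by self write
        by users read
        by anonymous auth
```

The rootdn is not subject to the access rules, which is exactly why its password must never cross the network in the clear; the security directive enforces that for every simple bind, not only the rootdn's.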
The /etc/openldap/schema/ Directory
The /etc/openldap/schema/ directory holds LDAP definitions,
previously located in the slapd.at.conf and
slapd.oc.conf files. All attribute
syntax definitions and objectclass
definitions are now located in the different schema
files. The various schema files are referenced in
/etc/openldap/slapd.conf using
include lines, as shown in this example:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/rfc822-MailMember.schema
include /etc/openldap/schema/autofs.schema
include /etc/openldap/schema/kerberosobject.schema
Caution: Do not modify any of the schema items defined in the schema
files installed by OpenLDAP. They carry the standard definitions that other
LDAP servers and clients expect, and a package upgrade will overwrite any
local changes to them.
You can extend the schema used by OpenLDAP
to support additional attribute types and object classes using the
default schema files as a guide. To do this, create a
local.schema file in the
/etc/openldap/schema directory. Reference this
new schema within slapd.conf by adding the
following line below your default include schema
lines:
include /etc/openldap/schema/local.schema
Next, define your new attribute types and object classes
within the local.schema file. Many organizations
copy existing attribute types and object classes from the schema files
installed by default and adapt them in the
local.schema file. This can help you to learn the
schema syntax while meeting the immediate needs of your organization. Give
every copied definition a new name and a new OID from an arc your
organization controls: slapd refuses to start on a schema file that
redefines an existing name or OID.
Extending schema to match certain specialized requirements is quite
involved and beyond the scope of this chapter. Visit http://www.openldap.org/doc/admin/schema.html
for information on writing new schema files.
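As an added example of the file the paragraph above describes, not one shipped by OpenLDAP or Red Hat, here is a minimal local.schema that adds one attribute and one auxiliary object class. The names exampleBadgeNumber and examplePerson are hypothetical, and the OIDs under the 1.1 arc are placeholders for experimentation that must be replaced with an arc your organization owns before the schema is used in production. It is referenced from slapd.conf with the include line shown above.

```conf
# local.schema: added example, not a distributed OpenLDAP file.
# Attribute and object class descriptions use the syntax slapd accepts
# (RFC 2252 / RFC 4512). Continuation lines start with whitespace.
# OIDs below are placeholders; use an arc your organization controls.

# A locally defined attribute: a building badge number, one per entry,
# case-insensitive matching, DirectoryString syntax limited to 32 chars.
attributetype ( 1.1.1.1 NAME 'exampleBadgeNumber'
        DESC 'Building badge number (local definition)'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32}
        SINGLE-VALUE )

# An auxiliary class that can be added to existing inetOrgPerson entries
# without changing their structural object class.
objectclass ( 1.1.2.1 NAME 'examplePerson'
        DESC 'Local attributes attached to a person entry'
        SUP top AUXILIARY
        MAY ( exampleBadgeNumber ) )
```

Defining the class as AUXILIARY rather than STRUCTURAL is the usual choice for local extensions: entries keep their standard structural class, and the new attribute is only permitted on entries that explicitly add examplePerson to objectClass.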