Installing OpenLDAP

what is OpenLDAP?

OpenLDAP is an open-source implementation of the LDAP protocol: client libraries, command-line tools and the server daemon slapd. Our scope in this class is merely to install slapd and provide a minimal configuration of it.

There is a variety of options available for the installation, and we will look at a few of them, as much to give an example of a more complex installation as to show how an LDAP server gets configured.

the backend

Any LDAP server has a base of data. I prefer not to call it a "database", since it is usually not stored in a regular relational database even when one is available, and in fact an LDAP server usually performs better when a relational database is not used.

You need to be careful about terminology, however. There are specialized embedded databases, and in fact OpenLDAP as currently delivered expects to use the Berkeley DB library (the bdb backend, which is enabled by default).

slapd also uses what the documentation calls a backend, which connects the server to the base of data. That base could even be a very plain file accessed through a shell script (there is a shell backend, disabled by default), although the performance would suck.

My experience in installing OpenLDAP on two of my machines at home was interesting. They are currently RedHat Linux, modified slightly as things have been installed for this USA course.

On missouri and on kansas it found that the existing Berkeley database was not appropriate and the install failed. I went to the trouble of installing a current version of the Berkeley database on missouri (and it was a bit of trouble: it needed some tweaking to remove the old versions of things, since the install does not do this and gets confused).

On kansas I decided to just tell it not to use the Berkeley database, and then the install failed because it could not find the correct version of the Cyrus SASL libraries, which are used for a particular kind of login. So I told kansas not to install those either!

the configure command

On most of the software we have installed this semester we have counted on having a configure script, which is part of the general GNU autoconf system. We have not done anything special with it, but just told it to go and accepted what it did.

However, once things start failing, as they did in this case, you need to learn more about the many, many, many options that a typical configure script makes available. The command configure --help lists those options, at least as far as their syntax goes. Learning what they actually mean is, in my experience, done painfully.

Here is what I obtained from the command configure --help inside the unpacked OpenLDAP source directory (/opt/openldap in the script further down):

Copyright 1998-2004 The OpenLDAP Foundation. All rights reserved.
	Restrictions apply, see COPYRIGHT and LICENSE files.
Usage: configure [options] [host]
Options: [defaults in brackets after descriptions]
Configuration:
  --cache-file=FILE       cache test results in FILE
  --help                  print this message
  --no-create             do not create output files
  --quiet, --silent       do not print `checking...' messages
  --version               print the version of autoconf that created configure
Directory and file names:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [same as prefix]
  --bindir=DIR            user executables in DIR [EPREFIX/bin]
  --sbindir=DIR           system admin executables in DIR [EPREFIX/sbin]
  --libexecdir=DIR        program executables in DIR [EPREFIX/libexec]
  --datadir=DIR           read-only architecture-independent data in DIR
                          [PREFIX/share]
  --sysconfdir=DIR        read-only single-machine data in DIR [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data in DIR
                          [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data in DIR [PREFIX/var]
  --libdir=DIR            object code libraries in DIR [EPREFIX/lib]
  --includedir=DIR        C header files in DIR [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc in DIR [/usr/include]
  --infodir=DIR           info documentation in DIR [PREFIX/info]
  --mandir=DIR            man documentation in DIR [PREFIX/man]
  --srcdir=DIR            find the sources in DIR [configure dir or ..]
  --program-prefix=PREFIX prepend PREFIX to installed program names
  --program-suffix=SUFFIX append SUFFIX to installed program names
  --program-transform-name=PROGRAM
                          run sed PROGRAM on installed program names
Host type:
  --build=BUILD           configure for building on BUILD [BUILD=HOST]
  --host=HOST             configure for HOST [guessed]
  --target=TARGET         configure for TARGET [TARGET=HOST]
Features and packages:
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --x-includes=DIR        X include files are in DIR
  --x-libraries=DIR       X library files are in DIR
--enable and --with options recognized:
  --with-subdir=DIR       change default subdirectory used for installs
  --enable-debug 	  enable debugging [yes]
  --enable-dynamic	  enable linking built binaries with dynamic libs [no]
  --enable-syslog	  enable syslog support [auto]
  --enable-proctitle	  enable proctitle support [yes]
  --enable-ipv6 	  enable IPv6 support [auto]
  --enable-local	  enable AF_LOCAL (AF_UNIX) socket support [auto]
  --with-cyrus-sasl	  with Cyrus SASL support [auto]
  --with-fetch		  with fetch(3) URL support [auto]
  --with-threads	  with threads [auto]
  --with-tls		  with TLS/SSL support [auto]
  --with-yielding-select  with implicitly yielding select [auto]

SLAPD (Standalone LDAP Daemon) Options:
  --enable-slapd	  enable building slapd [yes]
    --enable-aci	  enable per-object ACIs (experimental) [no]
    --enable-cleartext	  enable cleartext passwords [yes]
    --enable-crypt	  enable crypt(3) passwords [no]
    --enable-lmpasswd	  enable LAN Manager passwords [no]
    --enable-spasswd	  enable (Cyrus) SASL password verification [no]
    --enable-modules	  enable dynamic module support [no]
    --enable-rewrite	  enable DN rewriting in back-ldap and the rwm overlay [auto]
    --enable-rlookups	  enable reverse lookups of client hostnames [no]
    --enable-slapi        enable SLAPI support (experimental) [no]
    --enable-slp          enable SLPv2 support [no]
    --enable-wrappers	  enable tcp wrapper support [no]

SLAPD Backend Options:
    --enable-bdb	  enable Berkeley DB backend no|yes|mod [yes]
    --enable-dnssrv	  enable dnssrv backend no|yes|mod [no]
    --enable-hdb	  enable Hierarchical DB backend no|yes|mod [no]
    --enable-ldap	  enable ldap backend no|yes|mod [no]
    --enable-ldbm	  enable ldbm backend no|yes|mod [no]
      --with-ldbm-api     with LDBM API auto|berkeley|bcompat|mdbm|gdbm [auto]
      --with-ldbm-type	  use LDBM type auto|btree|hash [auto]
    --enable-meta	  enable metadirectory backend no|yes|mod [no]
    --enable-monitor	  enable monitor backend no|yes|mod [yes]
    --enable-null	  enable null backend no|yes|mod [no]
    --enable-passwd	  enable passwd backend no|yes|mod [no]
    --enable-perl	  enable perl backend no|yes|mod [no]
    --enable-shell	  enable shell backend no|yes|mod [no]
    --enable-sql	  enable sql backend no|yes|mod [no]

SLAPD Overlay Options:
    --enable-dyngroup	  Dynamic Group overlay no|yes|mod [no]
    --enable-proxycache	  Proxy Cache overlay no|yes|mod [no]

SLURPD (Replication Daemon) Options:
  --enable-slurpd	  enable building slurpd [auto]

Library Generation & Linking Options
  --enable-static[=PKGS]  build static libraries [default=yes]
  --enable-shared[=PKGS]  build shared libraries [default=yes]
  --enable-fast-install[=PKGS]  optimize for fast installation [default=yes]
  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --with-pic              try to use only PIC/non-PIC objects [default=use both]

See INSTALL file for further details.

So you can see there are a few decisions to make. Here is my openldap-install script, so you can see the choices I made and how to specify your own:

#!/bin/sh
# openldap-install: fetch, unpack, configure, build and install OpenLDAP 2.2.17
set -e    # stop at the first failing step rather than running "make install" on a broken build
cd /opt
wget ftp://ftp.openldap.org/pub/openldap/openldap-stable/openldap-stable-20040923.tgz
tar zxf openldap-stable-20040923.tgz
ln -s /opt/openldap-2.2.17 /opt/openldap
cd openldap
ls
read line    # pause: look over the unpacked tree, then press Enter to continue
./configure --enable-ldbm --disable-bdb --with-cyrus-sasl=no
make depend
make
sudo make install
The configure line tells it to use the backend called ldbm, not to use the bdb backend at all, and not to use the Cyrus SASL library. Notice that in the list of options it showed that configure would automatically decide (auto) whether or not to use the Cyrus stuff, so I had to just tell it (like a naughty child) not to do so even if it seemed like a good idea. In the bdb case I just told it not to even try. It is interesting, if you watch the configure output go by, that even in this case it actually does look to see what Berkeley stuff is available on the system! That is because the ldbm backend's own option, --with-ldbm-api, also defaults to auto (see the list above), and auto tries the Berkeley DB API before it falls back to the alternatives such as gdbm; if you want it to stop looking, give it --with-ldbm-api=gdbm explicitly.

Two of the other defaults matter for security. --enable-cleartext stays at yes, which means slapd will accept userPassword values stored without a hash scheme, and --enable-crypt stays at no. Separately from how passwords are stored, turning SASL off leaves the simple bind (DN plus password) as the only way a client can authenticate, and a simple bind puts the password on the wire in the clear unless the connection is protected by TLS. --with-tls is also auto, so after configure finishes check that it really found OpenSSL on the machine rather than assuming it did: a slapd built with neither TLS nor SASL has no way to authenticate a remote client safely.
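As an added example (not from the course page's script and not anything shipped with OpenLDAP), here is a small shell check for exactly that question. configure records every decision it made in include/portable.h, one #define per feature it accepted and a commented-out #undef for each one it rejected, so reading that file is a more reliable record than scrolling back through the configure output. The macro names are the ones OpenLDAP's portable.h uses for the corresponding configure options; the path /opt/openldap/include/portable.h follows from the symlink the script creates. The portable.h fragment the block writes for its stand-alone run is constructed sample data, shaped to mirror the configure line above (ldbm on, bdb off, SASL off, cleartext at its default), not output from a real build.

```shell
#!/bin/sh
# Added example, not part of the course page or of the OpenLDAP sources.
# After ./configure finishes, OpenLDAP writes include/portable.h with a
# "#define NAME 1" for each feature it will build and "/* #undef NAME */"
# for each one it rejected.  These macro names are the ones portable.h
# uses for the configure options discussed on the page.

# feature_on FILE MACRO: succeed if MACRO is actively #defined in FILE.
# A line such as "/* #undef HAVE_TLS */" does not match, which is the point.
feature_on() {
    grep -E "^#define[[:space:]]+$2([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# describe MACRO: the configure option behind each macro, for the report.
describe() {
    case $1 in
        HAVE_TLS)        echo "TLS/SSL support (--with-tls)" ;;
        HAVE_CYRUS_SASL) echo "SASL binds (--with-cyrus-sasl)" ;;
        SLAPD_CLEARTEXT) echo "unhashed userPassword values accepted (--enable-cleartext)" ;;
        SLAPD_CRYPT)     echo "crypt(3) password hashes (--enable-crypt)" ;;
        SLAPD_LMHASH)    echo "LAN Manager password hashes (--enable-lmpasswd)" ;;
        SLAPD_BDB)       echo "Berkeley DB backend (--enable-bdb)" ;;
        SLAPD_LDBM)      echo "ldbm backend (--enable-ldbm)" ;;
    esac
}

# check_build_features FILE: print one line per feature and warn about the
# combinations that matter for password security.  Returns 1 if TLS is
# missing: a slapd built without SASL can only do simple binds, and a simple
# bind carries the password in the clear unless TLS protects the connection.
check_build_features() {
    f=$1
    rc=0
    for m in HAVE_TLS HAVE_CYRUS_SASL SLAPD_CLEARTEXT SLAPD_CRYPT \
             SLAPD_LMHASH SLAPD_BDB SLAPD_LDBM; do
        if feature_on "$f" "$m"; then state=yes; else state=no; fi
        printf '%-16s %-3s  %s\n' "$m" "$state" "$(describe "$m")"
    done
    if ! feature_on "$f" HAVE_TLS; then
        echo "WARNING: no TLS support; simple binds will send passwords in cleartext" >&2
        rc=1
    fi
    if ! feature_on "$f" HAVE_CYRUS_SASL; then
        echo "NOTE: SASL is off, so simple bind is the only authentication; TLS is mandatory" >&2
    fi
    if feature_on "$f" SLAPD_LMHASH; then
        echo "WARNING: LAN Manager hashes enabled; this is a weak legacy scheme" >&2
    fi
    return $rc
}

# write_sample FILE WITH_TLS: write a CONSTRUCTED portable.h fragment that
# mirrors the configure line used above (ldbm on, bdb off, SASL off,
# cleartext left at its default of yes).  Sample data, not a real build.
write_sample() {
    if [ "$2" = yes ]; then tls='#define HAVE_TLS 1'; else tls='/* #undef HAVE_TLS */'; fi
    cat >"$1" <<EOF
/* constructed sample of include/portable.h */
#define SLAPD_LDBM 1
/* #undef SLAPD_BDB */
#define SLAPD_CLEARTEXT 1
/* #undef SLAPD_CRYPT */
/* #undef SLAPD_LMHASH */
/* #undef HAVE_CYRUS_SASL */
$tls
EOF
}

# Stand-alone run against a sample in which configure did find OpenSSL.
# On a real build tree run:  check_build_features /opt/openldap/include/portable.h
tmpdir=$(mktemp -d)
write_sample "$tmpdir/portable.h" yes
check_build_features "$tmpdir/portable.h"
rm -rf "$tmpdir"
```

The non-zero exit on a missing HAVE_TLS is deliberate: drop the check into the install script right after ./configure and a build that would have shipped without TLS stops there instead of being quietly installed.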

Running it

OK, we have it all installed after running our openldap-install script as usual. This installation is very complete, and even comes with a set of real old-fashioned, solid man pages.

SASL

Since I wiped out our SASL, to be fair I will tell you a bit about it, or at least refer you to a couple of documents that tell you perhaps more than you want to know.

Cyrus SASL for System Administrators,

explains what the Simple Authentication and Security Layer (SASL) is for.

Using SASL: CMU's Cyrus SASL Library,

by Marshall T. Rose on the O'Reilly Network, explains what the library is all about.

SMTP Authentication,

explains how it can be used with a mail server such as qmail.