LDAP In 10.2 HOWTO, or "Hold on, this may get a bit bumpy..."
Disclaimer: this will work using the built-in LDAP and integrate with Address Book. I do not claim that its the best or most complete or most optimal setup. I will certainly try to answer any questions, though I am by no means an LDAP expert. I also make no claim that this won't wipe out your hard drive, though it hasn't happened to me yet.
Do you feel lucky? Let's go!
Major steps you need to do:
1) Create a usable "slapd.conf" file.
---a) We'll create this on your desktop first.
---b) Then copy it via the command shell to where it needs to go.
2) Create folder where LDAP database files will reside.
3) Start up slapd by hand.
4) Add "parent entry" that users will belong to.
---a) We'll create an "ldif" file on your desktop that contains the entry.
---b) We'll run a command line program to load the entry into the LDAP database.
5) Add a sample user or two.
---a) We'll create another "ldif" file on your deskto that contains the entries.
---b) We'll run a command line program to load the users into the LDAP database.
6) Configure Address Book.
7) Test Address Book.
Ok, here are the instructions for each step:
1a) Create a new file "slapd.conf" on your desktop. I use BBEdit, as this file MUST BE a UNIX style file (with LineFeed endings ONLY). You can use vi or emacs if you like. Word or TextEdit WILL NOT WORK!!! The file is below:
====== START OF slapd.conf. DO NOT INCLUDE THIS LINE =====
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /private/etc/openldap/schema/core.schema
include /private/etc/openldap/schema/cosine.schema
include /private/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath %MODULEDIR%
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!
################################################## #####################
# ldbm database definitions
################################################## #####################
database ldbm
suffix "dc=example,dc=com"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager,dc=example,dc=com"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/local/openldap-ldbm
# Indices to maintain
index objectClass eq
index cn,sn eq,sub,approx
====== END OF slapd.conf. DO NOT INCLUDE THIS LINE =====
1b) Open a terminal window. Assuming that slapd.conf (file name must be all lowercase) is on your desktop:
cd Desktop
sudo -s
(type your user password... if you have never done this before, also answer the question that comes up in the affirmative)
cp slapd.conf /etc/openldap/slapd.conf
2) Still in terminal? If not, open it back up and "sudo -s" to become root again, then:
cd /usr/local
mkdir openldap-ldbm
chmod 600 openldap-ldbm
3) You didn't close the terminal again, did you? If so, open it back up and "sudo -s" to become root again, then:
/usr/libexec/slapd
exit
4) Keep that terminal open! But you don't need to be root anymore, that's what the "exit" was for in step 3. It's always best to not be root if you can help it, though.
4a) Create a new file "first_time.ldif" on your desktop. Again, I use BBEdit, as this file MUST BE a UNIX style file (with LineFeed endings ONLY). Again, you can use vi or emacs if you like. Again, Word or TextEdit WILL NOT WORK!!! The file is below:
====== START OF first_time.ldif. DO NOT INCLUDE THIS LINE =====
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: My Company Name
dc: example
====== END OF first_time.ldif. DO NOT INCLUDE THIS LINE =====
4b) In the terminal, run the following command (from anywhere, since the ldapadd program is in your path by default):
ldapadd -x -D "cn=Manager,dc=example,dc=com" -w secret -f first_time.ldif
5a) Create a new file "users.ldif" on your desktop. Again, I use BBEdit, as this file MUST BE a UNIX style file (with LineFeed endings ONLY). Again, you can use vi or emacs if you like. Again, Word or TextEdit WILL NOT WORK!!! The file is below: (feel free to add more entries, of course, and chose whatever actual data you like...) And that's a lowercase L in front of the city, not a "numeral one."
====== START OF users.ldif. DO NOT INCLUDE THIS LINE =====
dn: cn=Steve Jobs,dc=example,dc=com
objectclass: inetorgperson
cn: Steve Jobs
givenName: Steve
sn: Jobs
mail:
[email protected]
street: 123 Main Street
l: Beverly Hills
st: CA
postalCode: 90210
telephoneNumber: 123-456-7890
dn: cn=David Findley,dc=example,dc=com
objectclass: inetorgperson
cn: David Findley
givenName: David
sn: Findley
mail:
[email protected]
street: 123 Oak Street
l: Beverly Hills
st: CA
postalCode: 90210
telephoneNumber: 123-789-4560
====== END OF users.ldif. DO NOT INCLUDE THIS LINE =====
5b) In the terminal, run the following command (from anywhere, since the ldapadd program is in your path by default):
ldapadd -x -D "cn=Manager,dc=example,dc=com" -w secret -f users.ldif
6) Go to Address Book, Preferences, click on the LDAP tab, click the Add button, then fill in the top 3 fields as below:
Name: My LDAP Server (or whatever you want, really, this is just "cosmetic")
Server: 127.0.0.1
Search Base: dc=example,dc=com
Leave the rest of the fields alone, and click Save. Close the Preferences window.
7) In the Group column, click Directories. Click on "My LDAP Server" (or whatever you called it) in the Directories column. In the search field, type the first letter of either a first or last name of a user you loaded. If you didn't fiddle with the entries I made, D or F or S or J will work. If you have multiple users, more letters should narrow entries down.
Notice it'll spin and bring up an entry. Drag it to the All group in the Group column. Click on the All group in the Group column. Click on the name that you just dragged over there. You should see the populated info.
Ok, that's all for now. Have fun! And please visit
http://www.openldap.org/ and click on either the Documentation or the Quick Start Guide. (I read the Quick Start Guide first.)
David Findley
Top