make every effort to secure your server. This chapter gives specific instruction on password configuration for OpenLDAP, and we recommend you follow our instructions
Configuring the Server
If you have been using LDAP for years, you will be aware of its immense power and flexibility. On the other hand, if you are just trying LDAP for the first time, it will seem like the most broken component you could imagine. LDAP has specific configuration requirements, is vastly lacking in graphical tools, and has a large number of acronyms to remember. On the bright side, all the hard work you put in will be worth it because, when it works, LDAP will hugely improve your networking experience.
The first step in configuring your LDAP server is to install the client and server applications. Start up Synaptic and install the slapd and ldap-utils packages. You’ll be asked to enter an administrator password for
Now, use sudo to edit /etc/ldap/slapd.conf in the text editor of your choice. This is the primary configuration file for slapd, the OpenLDAP server daemon. Scroll down until you see the lines database, suffix, and rootdn.
This is the most basic configuration for your LDAP system. What is the name of your
dc stands for domain component, which is the name of your domain as stored in DNS—for example, example.com. For our examples, we used hudzilla.org. LDAP considers each part of a domain name (separated by a period) to be a domain component, so the domain hudzilla.org is made up of a domain component hudzilla and a domain
Change the suffix line to match your domain components, separated by commas. For
The next line defines the root DN, which is another LDAP acronym meaning distinguished name. A DN is a complete descriptor of a person in your directory: her name and the domain in which she resides. For example
CN is yet another LDAP acronym, this time meaning common name. A common name is just that—the name a person is usually called. Some people have several common names. Andrew Hudson is a common name, but that same user might also have the common name Andy Hudson. In our rootdn line, we define a complete user: common name root at domain hudzilla.org. These lines are essentially read backward. LDAP goes to org first, searches org for hudzilla, and then searches hudzilla for root.
The rootdn is important because it is more than just another person in your directory. The root LDAP user is like the root user in Linux. It is the person who has complete control over the system and can make whatever changes he wants to.
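As an added illustration (not from the book), the following POSIX shell script builds the suffix and rootdn lines described above from a DNS domain, splitting it into dc= components and placing the common name in front of them. The function names, the bdb backend name and the rootpw placeholder are assumptions; the real rootpw value should be a hash produced by slappasswd, never a cleartext password.

```shell
#!/bin/sh
# Build the suffix and rootdn lines for /etc/ldap/slapd.conf from a DNS
# domain, one dc= component per dot-separated label (helper names are
# assumed, not from the book).

# domain_to_suffix DOMAIN -> prints "dc=label,dc=label,...", or fails on
# an empty, malformed or non-DNS-looking domain.
domain_to_suffix() {
    domain=$1
    case $domain in
        ""|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    suffix=""
    rest=$domain
    while [ -n "$rest" ]; do
        label=${rest%%.*}                  # leftmost component
        if [ "$label" = "$rest" ]; then rest=""; else rest=${rest#*.}; fi
        suffix="${suffix:+$suffix,}dc=$label"
    done
    printf '%s\n' "$suffix"
}

# rootdn_for CN DOMAIN -> "cn=CN,dc=...": a DN is read right to left,
# so the common name sits in front of the domain components.
rootdn_for() {
    suffix=$(domain_to_suffix "$2") || return 1
    printf 'cn=%s,%s\n' "$1" "$suffix"
}

# slapd_fragment DOMAIN CN -> the database, suffix and rootdn lines plus a
# rootpw placeholder. The bdb backend is an assumption; generate the real
# hash with slappasswd rather than storing a cleartext password here.
slapd_fragment() {
    suffix=$(domain_to_suffix "$1") || return 1
    rootdn=$(rootdn_for "$2" "$1") || return 1
    printf 'database        bdb\n'
    printf 'suffix          "%s"\n' "$suffix"
    printf 'rootdn          "%s"\n' "$rootdn"
    printf 'rootpw          {SSHA}REPLACE_WITH_OUTPUT_OF_slappasswd\n'
}

# Constructed sample run using the book's own domain and root CN.
slapd_fragment hudzilla.org root
```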
CHAPTER 26 LDAP