Revision 5 as of 2006-05-24 09:44:27



LDAP stands for Lightweight Directory Access Protocol; it is a simplified version of the X.500 protocol. You will find a more detailed presentation [ on Wikipedia].

To describe it quickly, all information is stored in a tree. You have to design the directory layout yourself (the Directory Information Tree, or DIT). We will begin with a basic tree with two nodes under the root:

  • "People" node where your users will be stored
  • "Groups" node where your groups will be stored

You first have to decide what the root of your LDAP directory will be. By default, your tree is derived from your Internet domain. If your domain is (we will use it in the example below), your root will be dc=example,dc=com.


First of all, install the LDAP daemon on the server: install the slapd package (see InstallingSoftware).

Enter your domain when asked, and the password you want for the directory administrator.

Only a few changes are needed to the default configuration. First, set the root password in the configuration file (instead of in the directory):

suffix          "dc=example,dc=com"
directory       "/var/lib/ldap"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          secret

Populating LDAP

The directory was created at installation time; now it is time to populate it. It will be populated with "classical" entries usable as a directory (for example a shared address book), as classical accounts (for a web application) and as Unix accounts (posix).

An LDAP directory can be fed with an LDIF file (LDIF stands for LDAP Directory Interchange Format). Here is an example:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=admin,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: admin

dn: uid=lionel,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lionel
sn: Porcheron
givenName: Lionel
cn: Lionel Porcheron
displayName: Lionel Porcheron
uidNumber: 1000
gidNumber: 10000
gecos: Lionel Porcheron
loginShell: /bin/bash
homeDirectory: /home/lionel
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
initials: LP

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: example
gidNumber: 10000
description: Example group

In the example above, the directory structure, a user and a group have been set up. Now add it to the LDAP directory:

  • stop the LDAP daemon: sudo /etc/init.d/slapd stop

  • delete the content that was added automatically: sudo rm -rf /var/lib/ldap/*

  • add the content: sudo slapadd -l init.ldif
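slapadd stops at the first entry it rejects, and the usual reasons are structural: an entry with no objectClass, a record whose RDN attribute is missing from the entry, a child listed before its parent, or two records not separated by a blank line. The following Python is an added example, not part of this page or of OpenLDAP: a small parser for the plain LDIF record form used above plus those checks, run over a constructed sample that reproduces such mistakes. Function names and the sample are the example's own; it does not handle changetype records or escaped commas in DNs.

```python
import base64
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse plain LDIF (no changetype records) into (dn, attributes) pairs.
    Wrapped values (leading space) are unfolded, '#' comments skipped and
    '::' values base64-decoded. Structural mistakes are reported, not raised."""
    problems: List[str] = []
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # unfold a continuation line
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in lines + [""]:              # the trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            problems.append(f"malformed line (no ':'): {line!r}")
            continue
        name = name.strip().lower()
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                 if rest.startswith(":") else rest.strip())
        if name == "dn":
            if current is not None:        # a record must end with a blank line
                problems.append(f"{value}: 'dn:' line not separated from the previous record by a blank line")
                entries.append(current)
            current = (value, {})
        elif current is None:
            problems.append(f"attribute outside any record: {line!r}")
        else:
            current[1].setdefault(name, []).append(value)
    return entries, problems


def split_dn(dn: str) -> Tuple[str, str, str]:
    """Return (rdn attribute, rdn value, parent dn). Naive split on ',', which
    is fine for DNs without escaped commas, the only kind this page uses."""
    rdn, _, parent = dn.partition(",")
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip(), parent.strip()


def check_entries(entries: List[Entry], suffix: str) -> List[str]:
    """Checks that mirror what slapadd rejects: an entry needs an objectClass,
    its RDN attribute/value must be present in the entry, and a parent must
    appear before its children (the suffix itself has no parent in the file)."""
    problems: List[str] = []
    seen = set()
    for dn, attrs in entries:
        attr, value, parent = split_dn(dn)
        if "objectclass" not in attrs:
            problems.append(f"{dn}: no objectClass attribute")
        present = attrs.get(attr, [])
        if value.lower() not in (v.lower() for v in present):
            problems.append(f"{dn}: naming attribute {attr}={value} not present in entry (found {present})")
        if dn.lower() != suffix.lower() and parent.lower() not in seen:
            problems.append(f"{dn}: parent {parent} not defined earlier in the file")
        seen.add(dn.lower())
    return problems


def lint_ldif(text: str, suffix: str) -> List[str]:
    """All parse and consistency problems for one LDIF file, in file order."""
    entries, problems = parse_ldif(text)
    return problems + check_entries(entries, suffix)


# Constructed sample: reproduces three mistakes slapadd would reject
# (root entry without objectClass, missing blank line before ou=admin, cn mismatch).
BROKEN_LDIF = """\
dn: dc=example,dc=com
dc: example

dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups
dn: ou=admin,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: admin

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: exemple
gidNumber: 10000
"""

if __name__ == "__main__":
    for problem in lint_ldif(BROKEN_LDIF, "dc=example,dc=com"):
        print(problem)
```

This only checks structure, not schema (slapadd also rejects attributes the objectClass does not allow). One more thing to keep in mind after loading: slapadd creates the database files as the user running it, and on Ubuntu slapd runs as the openldap user, so after a sudo slapadd make sure /var/lib/ldap is owned by openldap before starting the daemon again.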

We can check that the content has been correctly added, but first install the ldap-utils package in order to run searches against the LDAP directory:

sudo apt-get install ldap-utils
ldapsearch -xLLL uid=lionel sn givenName cn
dn: uid=lionel,ou=people,dc=example,dc=com
cn: Lionel Porcheron
sn: Porcheron
givenName: Lionel

Just a quick explanation:

  • -x uses simple authentication instead of the default SASL method

  • -LLL prints the result as plain LDIF, without the version line and comments

And after

You have setup your LDAP directory, and now you have to use it.

  • You can authenticate your users on the directory as explained in ["LDAPClientAuthentication"]
  • You can authenticate your users in a web application.
  • You can use it as a shared address directory for your mail agent.

The uses of LDAP are endless!

LDAP replication

An LDAP service often quickly becomes a highly critical service in an information system: everything depends on LDAP: authentication, authorization, the mail system, etc. It can be a good idea to set up a redundant system. It is easy to set up; here is a quick howto.


With OpenLDAP 2.2 (on Breezy and Dapper), replication is based on a master-slave relationship.

Remember that modifications must ALWAYS be made on the master! If you modify the slave, the modifications will be lost.

LDAP master

On the master, you have to modify the database section of /etc/ldap/slapd.conf to add a replica directive. The following example shows a replica on with the Manager user and secret as the password. The replication log file is where modifications are stored before being sent to the LDAP slave. Note that these credentials sit in clear text in slapd.conf, so the file must not be readable by other users.

replica uri=ldap:// binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=secret

replogfile      /var/lib/ldap/replog

Restart your LDAP server.

LDAP slave

On the slave, you have to authorize the master to update the LDAP database. Add the following lines to the database section of your /etc/ldap/slapd.conf file:

updatedn        cn=Manager,dc=example,dc=com
updateref       ldap://

Restart your LDAP server.