hi there,

i'm trying, very unsuccessfully to get my OpenLDAP server up and going on my RHEL box. i'm just wondering if anyone knows of maybe a program out there such as a setup wizard that will edit the conf files for me and then i can go back and have a look at them and see what it has done? or a web tool or something that can help me out anything with an interface would be great.

i dont know of anyting specific off hand, but im pretty sure webmin will have at least someting for it in there.

webmin does have an LDAP users and groups icon and i've spent the last weeks trying tog et that working but it requires the net::ldap program from cpan and trust me i've tryed every way i can think of to get it working and i can't .... if anyone can help me out there that'd be great.

http://www.linuxquestions.org/questi...01#post1682801

Hi,
I'm also trying to get to grips with OpenLDAP. There's a lot of stuff at their web-site http://www.openldap.org and on their mailing lists but it's not a lot of use to us newbies

I've got the O'Reilly book "LDAP system administration" which is helping - along with a great tool phpldapadmin from http://phpldapadmin.sourceforge.net (down side is that it needs to run through a web server, which means installing apache as well. Good learning curve though!).

It seems as though the process is -
1. define your database / directory structure
2. find or write a schema to suit
3. build a simple slapd.conf per the openLDAP quickstart guide, but include the above schema
4. Add to it with phpldapadmin and / or LDIF and CLI tools such as slapadd

Hope this helps, but it's a case of the blind leading the blind!
Richard.

Most of the time, you're using LDAP for a particular reason that's been used before. LDAP can be used to route email a certain way using Sendmail, it can replace (to an extent) the /etc/passwd file. LDAP can even store Kerberos prinicipals and spamassassin configuration. Or, perhaps you just want to use a dead simple Thunderbird or Outlook Express email address book. Any of these above uses already have a openldap-provided schema defination, so there's no need to write your own.

Writing your own schema is very difficult to do, especially for a noob, given all the checks and balances that are built into the current versions of OpenLDAP.

My advice is this: Figure out what you're going do store in LDAP, and make sure you have the right schema available. You can figure this out by looking at the files in /etc/openldap/schema, and by looking at the list of available ObjectClasses in phpLDAPadmin. Once the right schema has been added to the system, you can use one of the awesome wizards in phpLDAPadmin to create the objects you need, or you can use it's Custom wizard if phpLDAPadmin doesn't have what you're looking for.

For the webmin user: Webmin is Perl based and therefore needs the Perl module for LDAP in order to work. Installing this from CPAN should be a piece of cake:
1. su -
2. perl -MCPAN -e shell;
3. install Net::LDAP

If you've never used CPAN before, you may have to run through a battery of questions the first time you use it. Just hit enter everywhere to accept the defaults (minus the section that asks you what continent you live on). You will also need to make sure you've installed gcc (and friends) on your RHEL box, as I think there's some building required for Net::LDAP where you'd need the gcc compiler.

Quite honestly though, nothing beats phpLDAPadmin for administering a LDAP directory.

Good luck.

Thanks Bentz,

I'd completely agree that sticking to existing schemas is highly desirable and probably addresses 99% of applications.

However, somehow the project I'm doing (for a Masters degree, as a mature student (!)) increasingly looks as though it will centre on writing my own - I plan to use the 'local' OID arc 1.1.x as it will be confined to my LAN, at least for the foreseeable future.

Glad to see someone else is using phpLDAPadmin, as you say the wizards are just awesome. Wish I knew more php too...

Richard.

I see. That's a little different scenario from the average LDAP noob.

Remember a few things if you're going to write your own schema:

Only one structural objectclass will be allowed for a given object. This is a new requirement.
At least one structural objectclass must be provided for a given object.
MUST attributes have to be present
MAY attributes are optional
/usr/sbin/slaptest is your friend

Use examples heavily. I great example is the sendmail schema I mentioned earlier. Mostly because it's "small" (comparively) and simple, and isn't glued in with the standard OpenLDAP distribution, therefore it must be included separately from slapd.conf. Take a look at /usr/share/sendmail-cf/sendmail.schema (path taken from Red Hat/Fedora).

Also, you can always cheat. It's not recommended, but to get started you can always take an existing ObjectClass and glue a new MAY (or even MUST) attribute to it.

objectclass ( 2.5.6.6 NAME 'person'
DESC 'RFC2256: a person'
SUP top STRUCTURAL
MUST ( sn $ cn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description $ favoriteFood ) )

And then just add your own attribute and test.

attributetype ( 1.1.23.45 NAME 'favoriteFood'
DESC 'RFC2256: descriptive food information'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

Then move from there. Make you're own objectClass (which is preferred over mucking up an existing one like 'person'), then make you're own structural ObjectClass. Baby steps, you know? Pretty soon you'll have written the next release of IBM Tivoli Direcory Server 9.3 running on AS/400s everywhere.

Many thanks.

I was initially only trying to help the OP, but that looks like a great help for me! I was already considering hacking some existing objectclasses and attributes - it is quite a simple database and won't need many.

Sounds like I'll be better posting here if (when?) I get stuck rather than on the mailing lists - some of them aren't too tolerant of newbies unfortunately

It won't be long, I fear!

--
Cheers
Richard.

I don't know what it is, but you're right. The OpenLDAP mailing lists are totally unfriendly, even to the technically savvy...