Setting up OpenLDAP (slapd daemon) and working with python-ldap
This is a short guide to setting up OpenLDAP as a test environment for my project, followed by a brief tutorial on the python-ldap module.
For this guide I worked on Ubuntu Linux with slapd version 2.3.35:
# slapd -V
@(#) $OpenLDAP: slapd 2.3.35 (Mar 5 2008 15:11:54) $
        buildd@terranova:/build/buildd/openldap2.3-2.3.35/debian/build/servers/slapd
Setting up OpenLDAP
Installing slapd
Get and install the slapd, ldap-utils and db4.2-util packages:
# apt-get install slapd ldap-utils db4.2-util
After running the command above you will be asked for some configuration information:
- the password for the admin entry in the LDAP directory (and a confirmation of that password)
If slapd is properly installed you should see something like:
Unpacking slapd (from .../slapd_2.3.35-1ubuntu0.2_i386.deb) ...
Setting up slapd (2.3.35-1ubuntu0.2) ...
  Creating initial slapd configuration... done.
  Creating initial LDAP directory... done.
Starting OpenLDAP: slapd.
OpenLDAP is started.
Configuring OpenLDAP
After installing OpenLDAP we need to do some more configuration before we start playing with python-ldap. First, it is better not to store the root password in clear text. We generate a hashed password with the slappasswd command:
$ slappasswd
New password:
Re-enter new password:
{SSHA}Dv9AyLLtQ3fs0OKNfooseSSb4ErfCHPq
You need to put the generated string into the slapd configuration file /etc/ldap/slapd.conf; editing it requires root permission. Add the following to the end of /etc/ldap/slapd.conf:
suffix          "dc=example,dc=com"
directory       "/var/lib/ldap"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m
You also need to make a change in the LDAP client configuration file /etc/ldap/ldap.conf. Just uncomment the line below:
BASE dc=example, dc=com
After making these changes we need to restart slapd:
# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
Test if it works properly
To test whether the configuration file is correct and the server starts correctly, use the slaptest command:
# slaptest -u
config file testing succeeded
For more slaptest options see the manual page SLAPTEST(8).
Adding entries to LDAP
There are two ways to add entries to LDAP manually:
- create a file init.ldif and put the new entries into it
- after reconfiguring LDAP with the dpkg-reconfigure slapd command, use the ldap-utils command ldapadd:
$ ldapadd -x -W -c -D "cn=admin,dc=example,dc=com" -f init.ldif
We will show the first option. Create the file init.ldif and add to it:
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
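It helps to sanity-check an LDIF file like the one above before running slapadd against an emptied database. This is an added example, not code from the original post or from python-ldap: a small parser for LDIF content records (folded lines, comments, the "attr:: base64" form) plus a check that every DN lies under the configured suffix; the sample text is constructed from the tutorial's entries and the names parse_ldif and outside_suffix are my own.

```python
import base64

# Constructed sample: the first two entries of the tutorial's init.ldif, with the description written in base64 form ("description::") to exercise that syntax.
INIT_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description:: TERBUCBhZG1pbmlzdHJhdG9y
userPassword: {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m
"""

def parse_ldif(text):
    """Parse LDIF content records into a list of (dn, {attr: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line == "" or line.startswith("#"):
            if line == "" and current is not None:
                entries.append(current)
                current = None
            continue
        name, value = line.split(":", 1)    # a line without ":" raises ValueError
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError("attribute before any dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    return entries

def outside_suffix(entries, suffix):
    """DNs that are neither the suffix nor below it; slapadd rejects these."""
    s = suffix.lower()
    return [dn for dn, _ in entries if dn.lower() != s and not dn.lower().endswith("," + s)]
```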
After writing the entries into init.ldif, stop slapd and delete the content that was created automatically at installation:
# rm -rf /var/lib/ldap/*
Then add the new content with the slapadd command:
# slapadd -l init.ldif
One more thing you need to do is to correct the ownership and permissions of the database files:
# chown -R openldap:openldap /var/lib/ldap
The last thing is to start slapd again. To see the entries added to LDAP, use the slapcat command:
# slapcat
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com
structuralObjectClass: organizationalUnit
entryUUID: 8b2863ac-b0be-102c-9698-bd26c857a2f7
creatorsName: cn=admin,dc=example,dc=com
modifiersName: cn=admin,dc=example,dc=com
createTimestamp: 20080507201847Z
modifyTimestamp: 20080507201847Z
entryCSN: 20080507201847Z#000000#00#000000
...
Working with python-ldap
The second part of this short tutorial shows how to work with the python-ldap module. All examples are run in the Python console. Before using the ldap module you need to install it:
# apt-get install python-ldap
Tip:
- to enable tab completion in the Python console type:
>>> import readline, rlcompleter
>>> readline.parse_and_bind("tab: complete")
Initializing LDAP object and binding to a server
Initializing and binding is done with several commands:
>>> import ldap
>>> ldapObject = ldap.initialize('ldap://localhost')   # initialize ldapObject on the URI 'ldap://localhost'
>>> ldapObject.simple_bind("cn=admin,dc=example,dc=com", "secret")
1
>>> ldapObject.result()
(97, [])
First we import the ldap module, then initialize an LDAP object on the localhost URI, and then bind the object to the LDAP server with the simple_bind method, giving the DN and the password. simple_bind returns a message id (1 here) and result() collects the server's answer; the result tuple (97, []) indicates success (97 is ldap.RES_BIND, the result type of a bind operation). If the bind failed, the result method raises an exception instead. For example, a DN with wrong syntax raises ldap.INVALID_DN_SYNTAX:
>>> ldapObject2 = ldap.initialize('ldap://localhost')
>>> ldapObject2.simple_bind("DN:cn=admin,dc=example,dc=com", "secret")   # the DN syntax is wrong
2
>>> ldapObject2.result()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  ...
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 97, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_DN_SYNTAX: {'info': 'invalid DN', 'desc': 'Invalid DN syntax'}
Other LDAP exceptions are listed at http://python-ldap.sourceforge.net/doc/html/ldap.html#exceptions
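The INVALID_DN_SYNTAX error above is the server rejecting "DN:cn=admin,..." because "DN:cn" is not a legal attribute type. As an added example, not part of the original post or of python-ldap, here is a client-side DN check that parses the RFC 4514 string form (comma-separated RDNs, "+" multi-valued RDNs, backslash escapes) so that malformed DNs can be caught before a bind is attempted; the names parse_dn and is_valid_dn are my own.

```python
import re

# An attribute type is a short name (letter, then letters/digits/hyphens) or a numeric OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

def _split_unescaped(text, sep):
    """Split text on sep, keeping separators that are escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):  # keep the escape pair intact
            cur.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(dn):
    """Return a list of RDNs, each a list of (type, value) pairs; raise ValueError if malformed."""
    if dn == "":
        return []                      # the empty DN (root DSE) is valid
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("RDN component without '=': %r" % ava)
            atype, value = ava.split("=", 1)
            atype = atype.strip()
            if not _ATTR_TYPE.match(atype):
                raise ValueError("invalid attribute type %r in %r" % (atype, ava))
            avas.append((atype, value.strip()))
        rdns.append(avas)
    return rdns

def is_valid_dn(dn):
    """True if dn parses; "DN:cn=admin,..." fails because "DN:cn" is no attribute type."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False
```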