The suite of OpenLDAP libraries and tools are included within
the following packages:
openldap — Contains the
libraries necessary to run the OpenLDAP server and client
openldap-clients — Contains
command line tools for viewing and modifying directories on an LDAP
openldap-servers — Contains the
servers and other utilities necessary to configure and run an LDAP
There are two servers contained in the openldap-servers package: the Standalone LDAP Daemon (/usr/sbin/slapd) and the Standalone LDAP Update Replication Daemon
The slapd daemon is the standalone LDAP
server while the slurpd daemon is used to
synchronize changes from one LDAP server to other LDAP servers on
the network. The slurpd daemon is only
used when dealing with multiple LDAP servers.
To perform administrative tasks, the openldap-servers package installs the following
utilities into the /usr/sbin/
slapadd — Adds entries from an
LDIF file to an LDAP directory. For example, the command /usr/sbin/slapadd -l ldif-input reads in the LDIF file,
ldif-input, containing the new
Only the root user may use /usr/sbin/slapadd. However, the directory server
runs as the ldap user. Therefore the
directory server is unable to modify any files created by
slapadd. To correct this issue, after
using slapadd, type the following
chown -R ldap /var/lib/ldap
slapcat — Pulls entries from an
LDAP directory in the default format, Sleepycat Software's Berkeley DB system, and saves
them in an LDIF file. For example, the command /usr/sbin/slapcat -l ldif-output outputs an LDIF file called
ldif-output containing the entries from
the LDAP directory.
slapindex — Re-indexes the
slapd directory based on the current
content. This tool should be run whenever indexing options within
/etc/openldap/slapd.conf are changed.
slappasswd — Generates an
encrypted user password value for use with ldapmodify or the rootpw
value in the slapd configuration file,
/etc/openldap/slapd.conf. Execute the
/usr/sbin/slappasswd command to create the
You must stop slapd by issuing the
/sbin/service ldap stop command before
using slapadd, slapcat or slapindex.
Otherwise, the integrity of the LDAP directory is at risk.
For more information on using these utilities, refer to their
respective man pages.
The openldap-clients package installs
tools into /usr/bin/ which are used to
add, modify, and delete entries in an LDAP directory. These tools
include the following:
ldapadd — Adds entries to an LDAP
directory by accepting input via a file or standard input;
ldapadd is actually a hard link to
ldapdelete — Deletes entries from
an LDAP directory by accepting user input at a shell prompt or via
ldapmodify — Modifies entries in
an LDAP directory, accepting input via a file or standard
ldappasswd — Sets the password
for an LDAP user.
ldapsearch — Searches for entries
in an LDAP directory using a shell prompt.
With the exception of ldapsearch, each
of these utilities is more easily used by referencing a file
containing the changes to be made rather than typing a command for
each entry to be changed within an LDAP directory. The format of
such a file is outlined in the man page for each utility.
In addition to the OpenLDAP packages, Red Hat Enterprise Linux
includes a package called nss_ldap, which
enhances LDAP's ability to integrate into both Linux and other UNIX
The nss_ldap package provides the
The nss_ldap package provides the
following modules for Itanium or AMD64 architectures:
The libnss_ldap-<glibc-version>.so module allows
applications to look up users, groups, hosts, and other information
using an LDAP directory via glibc's Nameservice Switch (NSS) interface (replace
<glibc-version> with the
version of libnss_ldap in use). NSS
allows applications to authenticate using LDAP in conjunction with
the NIS name service and flat authentication files.
The pam_ldap module allows PAM-aware
applications to authenticate users using information stored in an
LDAP directory. PAM-aware applications include console login, POP
and IMAP mail servers, and Samba. By deploying an LDAP server on a
network, all of these applications can authenticate using the same
user ID and password combination, greatly simplifying
For more about configuring PAM, refer to Chapter 16 Pluggable Authentication Modules
(PAM) and the PAM man pages.
Red Hat Enterprise Linux includes a package containing an LDAP
module for the PHP server-side scripting language.
The php-ldap package adds LDAP support
to the PHP4 HTML-embedded scripting language via the /usr/lib/php4/ldap.so module. This module allows
PHP4 scripts to access information stored in an LDAP directory.
Red Hat Enterprise Linux ships with the mod_authz_ldap module for the Apache HTTP Server.
This module uses the short form of the distinguished name for a
subject and the issuer of the client SSL certificate to determine
the distinguished name of the user within an LDAP directory. It is
also capable of authorizing users based on attributes of that
user's LDAP directory entry, determining access to assets based on
the user and group privileges of the asset, and denying access for
users with expired passwords. The mod_ssl
module is required when using the mod_authz_ldap module.
The mod_authz_ldap module does not
authenticate a user to an LDAP directory using an encrypted
password hash. This functionality is provided by the experimental
mod_auth_ldap module, which is not
included with Red Hat Enterprise Linux. Refer to the Apache
Software Foundation website online at https://www.apache.org/
for details on the status of this module.
There are graphical LDAP clients available which support
creating and modifying directories, but they are not included with Red Hat Enterprise Linux. One such
application is LDAP Browser/Editor
— A Java-based tool available online at https://www.iit.edu/~gawojar/ldap/.
Most other LDAP clients access directories as read-only, using
them to reference, but not alter, organization-wide information.
Some examples of such applications are Sendmail, Mozilla, Gnome
Meeting, and Evolution.