H1: The Big Picture - Configuration Choices
This section gives a brief overview of various LDAP directory
-configurations, and how your LDAP server (either {{I:slapd}} or
-{{I:ldapd}}) fits in with the rest of the world.
+configurations, and how your stand-alone LDAP server {{I:slapd}}
+fits in with the rest of the world.
+H2: Local Directory Service
-H2: LDAP as a local service only
-
-In this configuration, you run a {{I:slapd}} which provides directory service
-for your local domain only. It does not interact with other directory
-servers in any way. This configuration is shown in Figure 2.
+In this configuration, you run a {{I:slapd}} which provides directory
+service for your local domain only. It does not interact with other
+directory servers in any way. This configuration is shown in Figure 3.1.
!import "config_local.gif"; align="center"; title="Local service via slapd configuration"
-FT[align="Center"] Figure 2: Local service via slapd configuration.
+FT[align="Center"] Figure 3.1: Local service configuration.
Use this configuration if you are just starting out (it's the one the
quick-start guide makes for you) or if you want to provide a local
It's easy to upgrade to another configuration later if you want.
-
-H2: Local service with X.500 referrals
+H2: Local Directory Service with Referrals
In this configuration, you run a slapd which provides directory service
-for your local domain and an ldapd which provides access to the
-X.500 world (you don't have to run the ldapd yourself - you can just
-point to somebody else who does and doesn't mind you pointing to
-their service). This configuration is shown in Figure 3.
-
-!import "config_x500ref.gif"; align="center"; title="Local service via slapd + X.500 referrals configuration"
-FT[align="Center"] Figure 3: Local service via slapd + X.500 referrals configuration
-
-Use this configuration if you want to provide local service but still want
-to be connected to the rest of the X.500 world. Remember, you don't
-necessarily have to be running the ldapd in this picture; you just need
-to find one you can point to.
-
+for your local domain and configure it to return referrals to a
+{{superior}} service capable of requests outside your local domain.
+You may run this service yourself or use one provided to you.
+This configuration is shown in Figure 3.2.
+!import "config_ref.gif"; align="center"; title="Local service with referrals"
+FT[align="Center"] Figure 3.2: Local service with referrals
-H2: LDAP as a front end to X.500
+Use this configuration if you want to provide local service and
+participate in the Global Directory.
-In this configuration, you run an X.500 service which provides
-directory service for your local domain and gatewaying service to the
-rest of the X.500 world. LDAP clients gain access to the directory
-through an ldapd which runs at your site. This configuration is shown
-in Figure 4.
-!import "config_x500fe.gif"; align="center"; title="Local service via X.500 and ldapd configuration"
-FT[align="Center"] Figure 4: Local service via X.500 and ldapd configuration
-
-Use this configuration if you are already running an X.500 service.
-Slapd is not involved in this configuration, so you can probably stop
-reading this guide.
+H2: Replicated Directory Service
+The slurpd daemon is used to propagate changes from a master slapd
+to one or more slave slapds. An example master-slave configuration
+is shown in figure 3.3.
+!import "config_repl.gif"; align="center"; title="Replicated Directory Services"
+FT[align="Center"] Figure 3.3: Replicated Directory Services
-H2: Replicated slapd service
+This configuration can be used in conjunction with either of first
+two configurations in situations where a single slapd does not
+provide the required reliability or availability.
-The slurpd daemon is used to propagate changes from a master slapd
-to one or more slave slapds. An example master-slave configuration
-is shown in figure 5.
+H2: Distributed Local Directory Service
-!import "config_repl.gif"; align="center"; title="Master slapd with two slaves replicated with slurpd"
-FT[align="Center"] Figure 5: Master slapd with two slaves replicated with slurpd
+In this configuration, the local service is partitioned into smaller
+services, each which may be replicated, and {{glued}} together with
+{{superior}} and {{subordinate}} referrals. An example of this
+configuration is shown in Figure 3.4.
-This configuration can be used in conjunction with the first two
-configurations in situations where a single slapd does not provide the
-required reliability or availability.
+!import "config_dist.gif"; align="center"; title="Distributed Local Directory Services"
+FT[align="Center"] Figure 3.4: Distributed Local Directory Services
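Review bot: the added paragraph `+This configuration can be used in conjunction with either of first` drops the article and should read `either of the first two configurations`; in the same region `each which may be replicated` should be `each of which may be replicated`, and `a {{superior}} service capable of requests outside your local domain` reads better as `capable of handling requests outside your local domain`. Two smaller consistency points: `is shown in figure 3.3` uses lowercase where the other new lines write `Figure 3.1`, `Figure 3.2`, `Figure 3.4`, and the new `{{superior}}`, `{{subordinate}}` and `{{glued}}` phrases carry no phrase style, unlike every other macro in this file (`{{I:...}}`, `{{EX:...}}`); if they are meant as emphasised terms, give them a style.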
appeared at the top of the tree. Below them are entries representing
states and national organizations. Below them might be entries
representing organizational units, people, printers, documents,
-or just about anything else you can think of. Figure 1 shows an
+or just about anything else you can think of. Figure 1.1 shows an
example LDAP directory tree using traditional naming.
!import "intro_tree.gif"; align="center"; title="LDAP directory tree (traditional naming)"
FT[align="Center"] Figure 1.1: LDAP directory tree (traditional naming)
The tree may also be arranged based upon Internet domain names.
-Figure 2 shows an example using this increasing popular naming approach.
+Figure 1.2 shows an example using this increasing popular naming approach.
!import "intro_dctree.gif"; align="center"; title="LDAP directory tree (Internet naming)"
FT[align="Center"] Figure 1.2: LDAP directory tree (Internet naming)
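Review bot: `+Figure 1.2 shows an example using this increasing popular naming approach.` carries the typo over from the removed line; since the line is rewritten anyway, make it `increasingly popular`.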
name, or RDN) and concatenating the names of its ancestor entries. For
example, the entry for Barbara Jensen in the Internet naming example
above has an RDN of {{EX:uid=babs}} and a DN of
-{{EX:uid=babs, dc=OpenLDAP, dc=com}}". The full DN format is
+{{EX:uid=babs, ou=People, dc=OpenLDAP, dc=com}}". The full DN format is
described in RFC 2253, "Lightweight Directory Access Protocol (v3):
UTF-8 String Representation of Distinguished Names."
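Review bot: the corrected DN line `+{{EX:uid=babs, ou=People, dc=OpenLDAP, dc=com}}".` still ends with an unmatched closing double quote after the macro; drop it. Adding the `ou=People` component is right, since the paragraph defines the DN as the RDN concatenated with the names of its ancestor entries and the Internet naming figure places `uid=babs` under `ou=People`.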
clients being developed. As with full X.500 DAP clients, a full X.500
DAP server is no small piece of software to run.
-The stand-alone LDAP daemon, or {{I:slapd}}, is meant to remove much
+The stand-alone LDAP daemon, or {{I:slapd}}(8), is meant to remove much
of the burden from the server side just as LDAP itself removed much of
the burden from clients. If you are already running an X.500 DAP service
and you want to continue to do so, you can probably stop reading this
H2: What is slurpd and what can it do?
-{{I:Slurpd}} is a daemon that helps {{I:slapd}} provide
+{{I:Slurpd}}(8) is a daemon that helps {{I:slapd}} provide
replicated service. It is responsible for distributing changes made
to the master {{I:slapd}} database out to the various {{I:slapd}}
replicas. It frees {{I:slapd}} from having to worry that some
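Review bot: `+{{I:Slurpd}}(8)` capitalises the daemon name inside a man-page reference; the page is slurpd(8), so either keep the reference lowercase (`{{I:slurpd}}(8)`) or reword so the name is not sentence-initial, matching `{{I:slapd}}(8)` in the previous hunk.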
..{{EX:gunzip -c openldap-release.tgz | tar xvfB -}}
..{{EX:cd openldap-release}}
-. You'll have to replace {{FILE:openldap-release}} with the full
+. You'll have to replace {{F:openldap-release}} with the full
name of the release.
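Review bot: the `{{FILE:openldap-release}}` to `{{F:openldap-release}}` change is the first of a file-wide macro rename; make sure no `{{FILE:` references remain in parts of this file outside the diff, otherwise the rendered output will mix two styles for file names.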
..{{EX:make}}
. Once OpenLDAP is compiled you need to install it. By default OpenLDAP
-is installed into {{FILE:/usr/local}}. This is typically done as root.
+is installed into {{F:/usr/local}}. This is typically done as root.
..{{EX:su root}}
..{{EX:make install}}
.Now we need to edit the default configuration file that was
installed earlier. By default the configuration file for slapd
-is located at {{FILE:/usr/local/etc/openldap/slapd.conf}}. If
+is located at {{F:/usr/local/etc/openldap/slapd.conf}}. If
you specified the {{EX:--prefix}} option when you ran configure,
-then replace {{FILE:/usr/local}} with the value you gave as the
+then replace {{F:/usr/local}} with the value you gave as the
prefix. For example, if you ran configure as
..{{EX:./configure --prefix=/opt/ldap}}
.You would find your configuration file in
-{{FILE:/opt/ldap/etc/openldap/slapd.conf}}.
+{{F:/opt/ldap/etc/openldap/slapd.conf}}.
Now look in the configuration file for a line that begins with
..{{EX:database ldbm}}
you will need to change for this example is located after this line.
.Listed below are the default settings for the database in
-{{FILE:slapd.conf}}(8). Lines that begin with a # are considered
+{{F:slapd.conf}}(8). Lines that begin with a # are considered
to be comments by slapd, they have been removed from the listing
below to save space. If a line starts with white space it is
considered a continuation of the preceeding line.
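Review bot: the unchanged context line `considered a continuation of the preceeding line.` has a typo (`preceding`), and the sentence before it, `comments by slapd, they have been removed from the listing`, is a comma splice; since this hunk already touches the paragraph (`+{{F:slapd.conf}}(8)`), both are worth fixing in the same change.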
..{{EX:directory /usr/local/var/openldap-ldbm}}
. By default, the database files will be created in
-{{FILE:/usr/local/var/openldap-ldbm}}.
+{{F:/usr/local/var/openldap-ldbm}}.
You may specify an alternate directory via the directory option
-in the {{FILE:slapd.conf}} file. The directory must exist before
+in the {{F:slapd.conf}} file. The directory must exist before
you start the server.
+{{B:Starting the server}}.
any data in the directory. You can check to see if the server is
running and your naming context (the {{EX:suffix}} you specified above)
by searching it with {{I:ldapsearch}}(1). By default ldapsearch is
-installed as {{FILE:/usr/local/bin/ldapsearch}}.
+installed as {{F:/usr/local/bin/ldapsearch}}.
..{{EX:ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts}}
+{{B:Create a database}}.
. This is a two-step process. The first step is to create a file
-(we'll call it {{FILE:example.ldif}}) containing the entries you
+(we'll call it {{F:example.ldif}}) containing the entries you
want your database to contain. Use the following example as a
guide, or see Section 7.3 for more details.
your directory. We use the tool {{I:ldapadd}}(1) to populate the directory.
Again remember to replace {{EX:dc=example, dc=net}} with the correct values
for your site. By default ldapadd is installed as
-{{FILE:/usr/local/bin/ldapadd}}.
+{{F:/usr/local/bin/ldapadd}}.
..{{EX:ldapadd -x -D 'cn=Manager,dc=example,dc=net' -w secret -f example.ldif}}
-.Where {{FILE:example.ldif}} is the file you created above.
+.Where {{F:example.ldif}} is the file you created above.
+{{B:See if it works}}.
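Review bot: the unchanged command `ldapadd -x -D 'cn=Manager,dc=example,dc=net' -w secret -f example.ldif` in this hunk passes the rootdn password on the command line, where it ends up in shell history and is visible to other local users through the process list; since the surrounding text is being edited anyway, consider documenting `-W` (prompt for the password) as the preferred form. The `{{F:example.ldif}}` and `{{F:/usr/local/bin/ldapadd}}` renames here are consistent with the rest of the file.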