
OpenLDAP in Slackware-13.0

OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.
The suite includes:

* slapd – stand-alone LDAP daemon (server)
* libraries implementing the LDAP protocol, and
* utilities, tools, and sample clients.

There are a few things I’d like to mention about OpenLDAP in Slackware-13.0 and so I might as well deal with them all in one post.

Running an OpenLDAP Server

I can’t remember why, but Pat made the decision not to provide slapd, the OpenLDAP server daemon, in Slackware by default. This has been the case for some time. Instead, what you get is openldap-client, which is just the client libraries that let you use OpenLDAP code in LDAP client applications and LDAP-dependent software.

If you want to run an OpenLDAP server you are going to need slapd. Thankfully this is incredibly easy to do because all Pat did to remove slapd was to configure the OpenLDAP source with:

--disable-slapd --disable-slurpd

If you want slapd (and perhaps slurpd) then you just need to rebuild the openldap sources using the SlackBuild Pat provides in the Slackware source, but with the word disable replaced with enable. However, there is a catch. In Slackware-13.0 OpenLDAP will not build with the source and SlackBuild Pat shipped because the OpenLDAP package has not been rebuilt since 24/07/2008 and since then a change has been made to the C compiler that prevents OpenLDAP from building correctly unless you append the flag -D_GNU_SOURCE. This wasn’t detected early enough for it to be fixed for the 13.0 release. Normally this isn’t an issue because the package still works perfectly, but if you want to rebuild it you have to modify the source or the SlackBuild to do so.

Assuming your Slackware source is located at /mirror/slackware/slackware{64}-13.0:

cd /mirror/slackware/slackware{64}-13.0/source/n/openldap-client
vim openldap-client.SlackBuild

Working in vim so you can see what you’re doing (you could do the replacement however you want, e.g. with sed, or manually):

:%s/\ (clients\/libraries only\!)//g
:w openldap.SlackBuild
# or for Slackware64
# ARCH="x86_64" ./openldap.SlackBuild

Then go and have a sleep for half an hour as it builds and then tests just about every conceivable LDAP operation.
Once it’s done:

upgradepkg /var/log/packages/openldap-client-2.3.43-i486-1%/tmp/openldap-2.3.43-i486-1.txz

Job done.
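The same edits as a non-interactive script, added here as an example rather than taken from the post or from Slackware’s own SlackBuild. It assumes the SlackBuild carries the literal --disable-slapd --disable-slurpd flags and the (clients/libraries only!) string quoted above, and (an assumption about the file’s layout, not something shown on this page) a CFLAGS="$SLKCFLAGS" line on the configure call where -D_GNU_SOURCE can be appended. The sample SlackBuild fragment inside it is constructed so the script runs without the Slackware source tree present.

```shell
#!/bin/sh
# Added example (not from the original post or from Slackware): reproduce the
# SlackBuild edits described above with sed instead of an interactive vim
# session, and check that they actually applied before running the build.
#
# Assumptions: the SlackBuild contains the literal configure flags
# "--disable-slapd --disable-slurpd", the description string
# "(clients/libraries only!)", and a line CFLAGS="$SLKCFLAGS" on the
# configure invocation (that last one is an assumption about the file's
# layout; check your copy before relying on it).

# patch_slackbuild SRC DST: write a copy of SRC to DST with slapd/slurpd
# enabled and -D_GNU_SOURCE appended to the CFLAGS passed to configure.
patch_slackbuild() {
    src="$1"; dst="$2"
    sed \
        -e 's/--disable-slapd/--enable-slapd/' \
        -e 's/--disable-slurpd/--enable-slurpd/' \
        -e 's/ (clients\/libraries only!)//g' \
        -e 's/CFLAGS="\$SLKCFLAGS"/CFLAGS="$SLKCFLAGS -D_GNU_SOURCE"/' \
        "$src" > "$dst"
}

# verify_patch FILE: succeed only if no --disable-sl* flag remains, the
# -D_GNU_SOURCE flag is present, and the client-only description is gone.
# Run this before spending half an hour on a build that would still omit slapd.
verify_patch() {
    ! grep -q -- '--disable-sl' "$1" &&
    grep -qF -- '-D_GNU_SOURCE' "$1" &&
    ! grep -qF 'clients/libraries only' "$1"
}

# make_sample_slackbuild FILE: constructed fragment standing in for
# openldap-client.SlackBuild (sample input, not the real file).
make_sample_slackbuild() {
    cat > "$1" <<'EOF'
PKGNAM=openldap-client
# OpenLDAP (clients/libraries only!)
CFLAGS="$SLKCFLAGS" \
./configure \
  --prefix=/usr \
  --disable-slapd --disable-slurpd \
  --build=$ARCH-slackware-linux
EOF
}

# Stand-alone demo on the constructed sample. On a real host you would point
# patch_slackbuild at openldap-client.SlackBuild in the Slackware source tree,
# write openldap.SlackBuild next to it, and run that as root.
demo() {
    tmp=$(mktemp -d)
    make_sample_slackbuild "$tmp/openldap-client.SlackBuild"
    patch_slackbuild "$tmp/openldap-client.SlackBuild" "$tmp/openldap.SlackBuild"
    if verify_patch "$tmp/openldap.SlackBuild"; then
        echo "patched SlackBuild written to $tmp/openldap.SlackBuild"
    else
        echo "patch did not apply cleanly; inspect $tmp" >&2
        return 1
    fi
}
demo
```

The verify step is the part worth keeping: a SlackBuild that silently kept --disable-slapd builds and installs fine, and you only find out slapd is missing when you try to start it.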

Using OpenLDAP for User Authentication

In other distributions, setting up LDAP user authentication for the OS is done with Linux-PAM. Slackware, mercifully, does not have Linux-PAM (and probably never will), but this does mean that LDAP user authentication is harder, or simply impractical.

Note: I do not recommend doing LDAP user authentication for your Operating System. It’s not necessary in most cases. LDAP authentication should be done at the application level for specific services provided to users. The Operating System should only be authenticating users that actually log in to the system and in most cases LDAP is not needed for this. (Don’t argue if it is truly necessary in your case – you’re an exception).

If you are absolutely sure you definitely need LDAP user auth for Slackware, your options are:

Install PAM

This is an epic challenge and few succeed. Since PAM is evil anyway, do not bother. If you choose to take this route and succeed, then document your adventures and link to them.

Use nss_ldap

The resolution of the entities defined in RFC 2307 is generally performed by a set of UNIX C library calls (such as getpwnam() to return the attributes of a user). The nss_ldap module provides the means for Solaris and Linux workstations to retrieve this information (such as users, hosts, and groups) from LDAP directories. The module is the reference implementation of RFC 2307, and has been studied by vendors such as Sun (who developed the original Name Service Switch interface).

This basically allows you to use nsswitch.conf to redirect user entry queries to an LDAP server and seems the natural way to do LDAP auth in Slackware, but there is a drawback. In normal circumstances LDAP authentication is done with a bind: the user supplies a username and password, the application submits a login request (a bind operation) to the LDAP server, and the LDAP server returns success or failure depending on whether the credentials are valid. This is not possible with nss_ldap, because nss_ldap doesn’t replace the authentication method; it just redirects the lookups to a different storage back-end. The effect of this is that to use nss_ldap you have to store the users’ passwords in the LDAP server using the same hashing algorithm you would use in the passwd file (crypt()), and the client reads those hashes and compares them itself.

I’m not going to go into any further detail on this; you are going to have to do the research yourself. Suffice it to say that nss_ldap is not ideal, but it is the cleanest method and probably the one I would use if I had to.
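An added example (not from the post) of what an nss_ldap client configuration looks like once you accept that drawback, with a small check that flags the settings that matter when every client can read the password hashes. The hostname, base DN and bind identity are constructed sample values; the option names and the /etc/ldap.conf plus /etc/ldap.secret layout follow nss_ldap’s conventions, and bind_policy soft is the timeout workaround a commenter on this post mentions.

```shell
#!/bin/sh
# Added example (not from the original post): nss_ldap client configuration
# for the setup described above, plus an audit of the settings that matter
# once userPassword hashes are fetched and compared on the client.
#
# Assumptions: nss_ldap's /etc/ldap.conf option names (uri, base, ssl,
# tls_cacertfile, tls_checkpeer, rootbinddn, bind_policy, nss_base_*) and
# the /etc/ldap.secret convention; ldap.example.com and the DNs below are
# constructed sample values.

# write_nss_ldap_config DIR: write DIR/nsswitch.conf, DIR/ldap.conf and
# DIR/ldap.secret. Use DIR=/etc on a real host (as root).
write_nss_ldap_config() {
    dir="$1"
    # "files" first, so root and system accounts never depend on the
    # directory being reachable.
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd: files ldap
shadow: files ldap
group:  files ldap
EOF
    cat > "$dir/ldap.conf" <<'EOF'
# Server and search base (constructed sample values)
uri ldap://ldap.example.com/
base dc=example,dc=com
ldap_version 3

# nss_ldap compares crypt() hashes itself, so userPassword travels to every
# client; never let it cross the wire in clear, and verify who you talk to.
ssl start_tls
tls_cacertfile /etc/ssl/certs/example-ca.crt
tls_checkpeer yes

# Identity allowed to read shadow attributes. Its password lives in
# /etc/ldap.secret (mode 600, root only), not in this world-readable file.
rootbinddn cn=nss-reader,dc=example,dc=com

# Do not hang logins for minutes when the server is down.
bind_policy soft
bind_timelimit 5
timelimit 10

nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
EOF
    # Constructed placeholder; replace with the real bind password.
    printf '%s\n' 'REPLACE-WITH-BIND-PASSWORD' > "$dir/ldap.secret"
    chmod 600 "$dir/ldap.secret"
}

# write_weak_ldap_conf FILE: constructed ldap.conf showing the settings the
# audit rejects (cleartext LDAP, no peer check, bind password in the file).
write_weak_ldap_conf() {
    cat > "$1" <<'EOF'
host 192.0.2.10
base dc=example,dc=com
binddn cn=nss-reader,dc=example,dc=com
bindpw CONSTRUCTED-PASSWORD
ssl no
tls_checkpeer no
EOF
}

# audit_ldap_conf FILE: print one WEAK line per problem found; return 1 if
# any, 0 if the file passes.
audit_ldap_conf() {
    f="$1"; rc=0
    if ! grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on|yes)' "$f"; then
        echo "WEAK: no TLS, password hashes would be read over cleartext LDAP"; rc=1
    fi
    if grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$f"; then
        echo "WEAK: tls_checkpeer no disables server certificate verification"; rc=1
    fi
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        echo "WEAK: bindpw in ldap.conf is readable by every local user"; rc=1
    fi
    return $rc
}

# Stand-alone demo: write both configs to a temp dir and audit them.
demo() {
    tmp=$(mktemp -d)
    write_nss_ldap_config "$tmp"
    write_weak_ldap_conf "$tmp/weak.conf"
    echo "== hardened ldap.conf =="; audit_ldap_conf "$tmp/ldap.conf" && echo "OK"
    echo "== weak ldap.conf =="; audit_ldap_conf "$tmp/weak.conf" || echo "rejected"
}
demo
```

The server side matters just as much: slapd’s access control has to limit reads of userPassword to the nss-reader identity (and the user’s own entry), otherwise anyone who can bind anonymously can collect every hash the same way the clients do.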

Use NIS and a ypldapd

The NIS/LDAP Gateway, or ypldapd, is a Network Information Service (NIS) server which uses LDAP as its information source. It permits existing NIS clients to transparently use LDAP to resolve user, group and host information. Enterprises can thus realize the benefits of LDAP, such as its distribution and scalability, without upgrading clients.

I personally haven’t tried this and can give no reasoned opinion on it, but if you are migrating from NIS to LDAP it seems like a reasonable way to get going with it and may also cover the drawbacks of the nss_ldap solution – but it has its own drawbacks:

  1. You must have or implement a NIS network.
  2. It’s not free.
  1. Genk1
    October 29th, 2010 at 00:12 | #1

    you Zordrak.. this is an interesting article.. it was very useful to me, thank you!

  2. September 23rd, 2011 at 22:40 | #2

    Very useful post!

    I just installed and ran openldap server on my brand new slack 13.37 server.

    As an update, the latest SlackBuild compiles without errors.

    many thanks

  3. ifo
    February 27th, 2012 at 12:42 | #3

    Thanks a lot for listing the options! In a test setup I’ve used the nss_ldap way which works fine (adding “bind_policy soft” to ldap.conf to work around long timeouts if the LDAP server is not available).

  4. May 6th, 2012 at 11:27 | #4

    Cheers for the info! I’d like to add one thing:

    :g/find.*-name sl\(ap\|urp\)\*/d

    My vim is pretty rusty but I think that will work. The idea is to remove two lines in the SlackBuild:

    find $PKG/usr/man -name slap* -exec rm -f {} \;
    find $PKG/usr/man -name slurp* -exec rm -f {} \;

    That way you’ll also have the server man pages in your openldap package.
