검색

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

13.3. OpenLDAP Daemons and Utilities

download PDF
The suite of OpenLDAP libraries and tools are included within the following packages:
  • openldap — Contains the libraries necessary to run the OpenLDAP server and client applications.
  • openldap-clients — Contains command line tools for viewing and modifying directories on an LDAP server.
  • openldap-servers — Contains the servers and other utilities necessary to configure and run an LDAP server.
There are two servers contained in the openldap-servers package: the Standalone LDAP Daemon (/usr/sbin/slapd) and the Standalone LDAP Update Replication Daemon (/usr/sbin/slurpd).
The slapd daemon is the standalone LDAP server while the slurpd daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The slurpd daemon is only used when dealing with multiple LDAP servers.
To perform administrative tasks, the openldap-servers package installs the following utilities into the /usr/sbin/ directory:
  • slapadd — Adds entries from an LDIF file to an LDAP directory. For example, the command /usr/sbin/slapadd -l ldif-input reads in the LDIF file, ldif-input, containing the new entries.

    Important

    Only the root user may use /usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
    chown -R ldap /var/lib/ldap
  • slapcat — Pulls entries from an LDAP directory in the default format, Sleepycat Software's Berkeley DB system, and saves them in an LDIF file. For example, the command /usr/sbin/slapcat -l ldif-output outputs an LDIF file called ldif-output containing the entries from the LDAP directory.
  • slapindex — Re-indexes the slapd directory based on the current content. This tool should be run whenever indexing options within /etc/openldap/slapd.conf are changed.
  • slappasswd — Generates an encrypted user password value for use with ldapmodify or the rootpw value in the slapd configuration file, /etc/openldap/slapd.conf. Execute the /usr/sbin/slappasswd command to create the password.

Warning

You must stop slapd by issuing the /sbin/service ldap stop command before using slapadd, slapcat or slapindex. Otherwise, the integrity of the LDAP directory is at risk.
For more information on using these utilities, refer to their respective man pages.
The openldap-clients package installs tools into /usr/bin/ which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:
  • ldapadd — Adds entries to an LDAP directory by accepting input via a file or standard input; ldapadd is actually a hard link to ldapmodify -a.
  • ldapdelete — Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.
  • ldapmodify — Modifies entries in an LDAP directory, accepting input via a file or standard input.
  • ldappasswd — Sets the password for an LDAP user.
  • ldapsearch — Searches for entries in an LDAP directory using a shell prompt.
With the exception of ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.

13.3.1. NSS, PAM, and LDAP

In addition to the OpenLDAP packages, Red Hat Enterprise Linux includes a package called nss_ldap, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.
The nss_ldap package provides the following modules:
  • /lib/libnss_ldap-<glibc-version>.so
  • /lib/security/pam_ldap.so
The nss_ldap package provides the following modules for Itanium or AMD64 architectures:
  • /lib64/libnss_ldap-<glibc-version>.so
  • /lib64/security/pam_ldap.so
The libnss_ldap-<glibc-version>.so module allows applications to look up users, groups, hosts, and other information using an LDAP directory via glibc's Nameservice Switch (NSS) interface (replace <glibc-version> with the version of libnss_ldap in use). NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files.
The pam_ldap module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.
For more about configuring PAM, refer to Chapter 16, Pluggable Authentication Modules (PAM) and the PAM man pages.
Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.