LDAP
Lightweight Directory Access Protocol
In computer networking, the Lightweight Directory Access Protocol, or LDAP ("ell-dap"), is a networking protocol for querying and modifying directory services running over TCP/IP. An LDAP directory usually follows the X.500 model: it is a tree of entries, each of which consists of a set of named attributes with values. While some services use a more complicated "forest" model, the vast majority use a simple starting point for their database organization.
An LDAP directory often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain Name System (DNS) names for structuring the simplest, top-level parts of the hierarchy. Further into the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else which represents a given tree entry, or multiple entries.
Its current version is LDAPv3. LDAPv3 is specified in a series of IETF Standard Track RFCs as detailed in RFC 4510.
Interfaces
Tutorials and docs
- Pam-ldap
- http://www.zytrax.com/books/ldap/
- http://tuxick.net/ldap.html
- http://ldapadministrator.com
- Apache Authentication with Active Directory
- LDAP authentication on Gentoo (slightly outdated)
- LDAP Replication
- Common causes of LDAP errors
- Objectclasses
- LDAP for Rocket Scientists
- http://moduli.net/sysadmin/sarge-ldap-auth-howto.html
Access control
ldapmodify
Links
FAQ
additional info: structuralObjectClass: no user modification allowed
use slapadd instead of ldapadd, while slapd is NOT running:
slapadd -v < ldap.ldif
AttributeType inappropriate matching rule: "integerMatch"
duh
create a new database from ldif file
slapadd -f dump.ldif
Remember to set rights to the db storage!
add a record
ldapadd
modify a record
ldapmodify -x -D "cn=admin, dc=bar, dc=com" -W << EOF
dn: cn=foo, dc=bar, dc=com
changetype: modify
replace: sn
sn: new name
EOF
Or
ldapmodify -D "cn=admin,dc=bar,dc=com" -Y EXTERNAL -H ldapi:/// << EOF
..
EOF
change olcAccess, olcSuffix etc
I managed this by changing things in the following order:
olcAccess{2} olcAccess{0} olcRootDN olcSuffix
add an attribute
changetype: modify
add: objectClass
objectClass: qmailUser
search for a record
http://docs.sun.com/source/816-6400-10/lsearch.html
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
ldapsearch -x -b "dc=foo, dc=com" "uid=harry"
- scope?
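When the value in a filter such as "uid=harry" comes from a form or script input rather than from the command line, it has to be escaped so that filter metacharacters (RFC 4515) and DN special characters (RFC 4514) cannot change the query. The following added example (not from the original page) builds the ldapsearch filter and a user DN safely; the base "dc=foo,dc=com" and the uid values are constructed sample data.

```python
"""Escape untrusted values for LDAP search filters (RFC 4515) and DNs (RFC 4514).

Added example: produces the filter used by
  ldapsearch -x -b "dc=foo, dc=com" "uid=harry"
from untrusted input. No server is contacted; only strings are built.
"""

# RFC 4515 requires these characters in an assertion value to be written as \XX.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4).

    Special characters anywhere are backslash-prefixed; a leading space or '#'
    and a trailing space are escaped too, and NUL becomes \\00.
    """
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def uid_filter(uid: str) -> str:
    """Equality filter for one uid, with the value escaped."""
    return f"(uid={escape_filter_value(uid)})"


def user_dn(uid: str, base: str = "dc=foo,dc=com") -> str:
    """DN of a user entry under base (constructed sample base), RDN value escaped."""
    return f"uid={escape_dn_value(uid)},{base}"


def ldapsearch_argv(base: str, search_filter: str, *attrs: str) -> list:
    """argv for the simple-bind ldapsearch from the page; pass it to subprocess.run."""
    return ["ldapsearch", "-x", "-b", base, search_filter, *attrs]


if __name__ == "__main__":
    print(ldapsearch_argv("dc=foo, dc=com", uid_filter("har*ry"), "cn", "mail"))
```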
ber_get_next on fd 12 failed errno=0 (Success)
You're probably trying to use ldapadd without -x
??
rootdn is always granted unlimited privileges
Error number: 0x50 (LDAP_OTHER)
Internal (implementation specific) error
You probably ran slapindex as the wrong user. Set rights on the directory you find under 'directory' in slapd.conf for the user slapd runs as (openldap on Debian).
search filters
view configuration in OLC
slapcat -H "ldap:///cn=config??sub?(olcDatabase=*)"
Keywords
rootdn
The user/account with full access
Tools
- phpldapadmin
- ldapbrowser
- lam
- shelldap
- ldapvi