Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 30th, 2015
Linux Advisory Watch: March 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Database Creation and Maintenance

Chapter 5. Database Creation and Maintenance

This section tells you how to create a slapd database from scratch. There are two ways to create a database. First, you can create the database on-line using LDAP. With this method, you simply start up slapd and add entries using the LDAP client of your choice. This method is fine for relatively small databases (a few hundred or thousand entries, depending on your requirements). This method works for database types which support updates.

The second method of database creation is to do it off-line using special utilities provided with slapd. This method is best if you have many thousands of entries to create, which would take an unacceptably long time using the LDAP method, or if you want to ensure the database is not accessed while it is being created. Note that not all database types support these utilitites.

5.1. Creating a Database online

The OpenLDAP software package comes with an utility called ldapadd, used to add entries while the LDAP server is running. If you choose to create the Database online, you can use the ldapadd tool to add entries (you can also use other clients provided outside the OpenLDAP package to add entries, like the Ldap Browser). After adding the first entries, you can still use ldapadd to add more entries. You should be sure to set the following configuration options on your sladp.conf file before starting slapd:

suffix <dn> 

As described in the Section 3.4, this option says what entries are to be held by this database. You should set this to the DN of the root of the subtree you are trying to create. For example:

suffix "o=TUDelft, c=NL" 

You should be sure to specify a directory where the index files should be created:

directory /usr/local/tudelft 

You need to create this directory with appropriate permissions so that slapd can write to it.

You need to configure slapd so that you can connect to it as a directory user with permission to add entries. You can configure the directory to support a special super-user or root user just for this purpose. This is done through the following two options in the database definition:

rootdn <dn> 
rootpw <passwd>   /* Remember to use a SHA password here !!! */ 

These options specify a DN and password that can be used to authenticate as the "superuser" entry of the database (i.e., the entry allowed to do anything). The DN and password specified here will always work, regardless of whether the entry named actually exists or has the password given. This solves the chicken-and-egg problem of how to authenticate and add entries before any entries yet exist.

Slapd natively understands if you use a SHA-1 encrypted password on the rootpw directive. I use a Java class that generates SHA-1 passwords, but it's possible to use the command slappasswd to generate the passwords:

slappasswd -h {SHA}
rootpw    "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="

For example:

        rootdn "cn=Manager,dc=example,dc=com"
        rootpw "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="

The default output for slappasswd is to generate Secure Hash passwords {SSHA}, in this case you don't need to pass the -h parameter, just call slappasswd directly.

If you are using SASL as a mechanism to authenticate against LDAP, the rootpw line may be discarded. Take a look on the Section 3.4 and on the Section 6.2 for more details.

Finally, you should make sure that the database definition contains the index definitions you want:

index {<attrlist> | default} [pres,eq,sub,none] 

For example, to index the cn, sn, uid and objectclass attributes, the following index configuration lines could be used.

index cn,sn,uid pres,eq,sub
index objectClass pres,eq

Note: Note that not all index types are available with all attribute types. Take a look on the Section 3.6 for examples.

Once you have configured things to your liking, start up slapd, connect with your LDAP client, and start adding entries. For example, to add the TUDelft entry followed by a Postmaster entry using the ldapadd tool, you could create a file called /tmp/newentry with the contents:

o=TUDelft, c=NL 
description=Technical University of Delft Netherlands 

cn=Postmaster, o=TUDelft, c=NL 
description= TUDelft postmaster - 

and then use a command like this to actually create the entry:

ldapadd -f /tmp/newentry -x -D "cn=Manager, o=TUDelft, c=NL" -w secret 

The above command assumes that you have set rootdn to "cn=Manager, o=TUDelft, c=NL" and rootpw to "secret" (maybe SHA-1 encrypted in slapd.conf). If you don't want to type the password on the command line, use the -W option for the ldapadd command instead of -w "password". You will be prompted to enter the password:

ldapadd -f /tmp/newentry -x -D "cn=Manager, o=TUDelft, c=NL" -W 
Enter LDAP Password: 


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.