  • Setting up OpenLDAP with MySQL backend (repost) zhumao

    Setting up OpenLDAP with MySQL backend


    author: TBONIUS
    OpenLDAP is an X.500 Lightweight Directory Access Server used for centralized authentication and directory lookups. This article covers configuring this service to use SQL services to store its data objects. Having these objects stored in a SQL database allows third-party applications to access and manage them.

    Ports that are needed:
    MySQL 4.x server : /usr/ports/databases/mysql41-server
    MySQL 4.x client : /usr/ports/databases/mysql41-client
    LibIODBC 3.x : /usr/ports/databases/libiodbc
    MyODBC 3.x : /usr/ports/databases/myodbc
    OpenLDAP 2.x : /usr/ports/databases/openldap21-server WITH_ODBC="YES"
    Configuring the MySQL server
    OpenLDAP can use many different kinds of databases; in this case we will use MySQL. The first step in setting this up is to create a MySQL database for OpenLDAP to use.

    root@host # mysqladmin create ldap
    Next we will create a MySQL account that OpenLDAP will use for our newly created ldap database:

    root@host # mysql

    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 10 to server version: 4.0.18

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql>grant all privileges on ldap.* to 'ldap'@'localhost'
    ->identified by 'password' with grant option;

    Query OK, 0 rows affected (0.13 sec)

    We of course want to substitute 'password' with the actual password we wish to use for this particular user account.

    Configuring LibIODBC to use the MyODBC driver
    Quite simply, we need to edit two files here to get LibIODBC to use the MyODBC driver when accessing the MySQL server.

    Take a look at the /usr/local/etc/libiodbc/odbcinst.ini file and make the following changes:

    [ODBC Drivers]
    MySQL = Installed

    [MySQL]
    Description=ODBC for MySQL
    Driver=/usr/local/lib/libmyodbc3.so

    Take a look at the /usr/local/etc/libiodbc/odbc.ini file and make the following changes:

    [ODBC Data Sources]
    ldap = MySQL LDAP DSN

    [ldap]
    Driver = /usr/local/lib/libmyodbc3.so
    Description = OpenLDAP Database
    Host = localhost
    ServerType = MySQL
    Port = 3306
    FetchBufferSize = 99
    User = ldap
    Password = password
    Database = ldap
    ReadOnly = no
    Socket = /tmp/mysql.sock

    [ODBC]
    InstallDir=/usr/local/lib

    Again, replace 'password' with the actual password we created for the ldap user of the MySQL database.

    We can test our current configuration before installing and configuring OpenLDAP. LibIODBC provides a test utility to check DSN configurations.

    Note from darxpryte: Upon following this tutorial I've found that iodbctest was not built automatically. This may be fixed later but if you find this to be the case you'll need to do the following:

    cd /usr/ports/databases/libiodbc/
    make extract
    cd work/libiodbc-3.52.2/samples
    make install

    This will install iodbctest into /usr/local/bin/

    Once you install iodbctest, you can do the following to test your connection:


    root@host # iodbctest
    iODBC Demonstration program
    This program shows an interactive SQL processor
    Driver Manager: 03.51.0001.0908

    Enter ODBC connect string (? shows list): ?

    DSN | Description
    ---------------------------------------------------------------
    ldap | MySQL LDAP DSN

    Enter ODBC connect string (? shows list):DSN=ldap
    Driver: 03.51.06

    SQL>show tables;

    Tables_in_ldap
    ---------------------
    authors_docs
    documents
    institutes
    ldap_attr_mappings
    ldap_entries
    ldap_entry_objclasses
    ldap_oc_mappings
    ldap_referrals
    persons
    phones

    result set 1 returned 10 rows.

    This shows us that the DSN is configured correctly for LibIODBC to use the MyODBC driver to connect to the ldap database we set up on our MySQL server.

    If you have problems displaying the DSN names defined in the odbc.ini file via the test program, try exporting the following shell environment variable:

    For csh or tcsh:

    setenv ODBCINI /usr/local/etc/libiodbc/odbc.ini

    For sh or bash:

    export ODBCINI=/usr/local/etc/libiodbc/odbc.ini

    Configuring OpenLDAP to use MySQL
    During the build of OpenLDAP, we need to pass the WITH_ODBC="YES" option so that the server is built with the appropriate SQL configurations.

    After the make install process, we will copy over the slapd.conf file that is configured to use a SQL backend. This file is buried under the OpenLDAP ports directory in the following path:

    work/openldap-2.1.30/servers/slapd/back-sql/rdbms_depend/mysql
    Change to this directory, from the ports directory of OpenLDAP, and copy the configuration file over

    > cp slapd.conf /usr/local/etc/openldap
    Then we can import the back-sql files from this directory into our running MySQL server database:

    root@host # mysql < backsql_create.sql ldap
    root@host # mysql < testdb_create.sql ldap

    Optionally, we can import the testdb_data and testdb_metadata files into the database so that we have example data to work with.

    Next we need to edit the /usr/local/etc/openldap/slapd.conf file and make the proper adjustments. We need to set up the slapd service to use a SQL backend under the "SQL database definitions" section:

    database sql
    suffix "o=sql,c=RU"
    rootdn "cn=root,o=sql,c=RU"
    rootpw secret
    dbname ldap
    dbuser ldap
    dbpasswd password
    subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
    insentry_query "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"

    Go ahead and comment out or delete any other example configurations for alternate SQL connectors, such as Postgres and/or MsSQL settings (unless, of course, you are using a Postgres or MsSQL server as your backend).

    Post installation configuration
    Next, we need to edit /etc/rc.conf and configure the OpenLDAP server to start on boot by making the following changes:

    slapd_enable="YES"
    slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
    slapd_sockets="/var/run/openldap/ldapi"
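
The files edited so far (odbc.ini, slapd.conf, rc.conf) hold cleartext passwords and the listener definition, so they are worth checking before the server goes live. The following is an added example, not part of the original article: a POSIX sh function that audits one of these files. The function name `audit_ldap_sql_file` and the finding messages are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit one of the tutorial's
# files (slapd.conf, odbc.ini or rc.conf) for the credential and listener
# settings shown above. Prints one finding per line; no output means clean.
# Usage: audit_ldap_sql_file /usr/local/etc/openldap/slapd.conf

audit_ldap_sql_file() {
    f=$1

    # rootpw: a value without a slappasswd hash scheme prefix is cleartext.
    pw=$(awk '$1 == "rootpw" { print $2; exit }' "$f" | tr -d '"')
    case $pw in
        '' | '{SSHA}'* | '{SMD5}'* | '{SHA}'* | '{MD5}'* | '{CRYPT}'*) ;;
        *) echo "$f: rootpw is stored in cleartext; use a slappasswd hash" ;;
    esac

    # A file carrying rootpw, dbpasswd or an ODBC Password must not be
    # readable by "other" (find -perm -004 matches world-readable modes).
    if grep -Eiq '^[[:space:]]*(rootpw|dbpasswd|password)[[:space:]=]' "$f" &&
       [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "$f: contains a password and is world-readable; restrict its mode"
    fi

    # ldap://0.0.0.0/ serves unencrypted LDAP on every interface.
    if grep -Eq '^[^#]*ldap://0\.0\.0\.0' "$f"; then
        echo "$f: cleartext ldap:// listener bound to all interfaces"
    fi
    return 0
}
```

When tightening permissions, keep the file readable by the account slapd runs as, otherwise the server cannot read its own configuration.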

    And finally, we need to edit the OpenLDAP startup script and set up the ODBC path for the server to use. Edit the /etc/rc.d/slapd file and add the following line:

    export ODBCINI=/usr/local/etc/libiodbc/odbc.ini

    Just as when we ran iodbctest, this variable is essential for OpenLDAP to know which configuration file to use for ODBC connectivity.

    Now we are ready to try and bring up our OpenLDAP server. Let us start by running slapd manually in debug mode to see the output of startup:

    root@host # /usr/local/libexec/slapd -d 1
    We should see the following at the end of the debug output:

    <==load_schema_map()
    <==backsql_get_db_conn()
    ==>backsql_free_db_conn()
    backsql_free_db_conn(): closing db connection
    ==>backsql_close_db_conn()
    <==backsql_close_db_conn()
    <==backsql_free_db_conn()
    <==backsql_db_open(): test succeeded, schema map loaded
    slapd starting

    If this is the given output then it looks like our configuration is correct and we are ready to start up OpenLDAP normally for operation.

    /etc/rc.d/slapd start
    This will start up the OpenLDAP server, and we can verify it is running with the following command:

    root@host # sockstat |grep slapd
    ldap slapd 71838 5 dgram -> /var/run/log
    ldap slapd 71838 8 stream /var/run/openldap/ldapi
    ldap slapd 71838 9 tcp4 *:389 *:*

    From here, use any OpenLDAP Administration tool of your choice to add, edit and remove data from your LDAP server

  • Original address: https://www.cnblogs.com/zhumao/p/196831.html