A Linux User Reference

Search tips
  • search ignores words that are less than 4 characters in length
  • searches are case insensitve
  • if a search does not return anything try it in Boolean mode then Query expansion mode by checking the appropriate radio button e.g. searching for 'cron' in just the Administration category returns nothing - presumably because the 50% threshold is reached. Boolean mode ignores this threshold so a search for 'cron' returns several hits
  • in Boolean mode preceding a word with a '+' means the result must include that word, a '-' means it must not
  • in Boolean mode '+crontab -anacron' means match articles about crontab that DO NOT mention anacron
  • to match a phrase e.g. 'manage system' check the Boolean mode radio button and enclose the phrase in quotes "some phrase ..."
  • in Query expansion mode the search context is expanded beyond the keywords you entered - relevancy of hits may well be degraded



  • Lightweight Directory Access Protocol (LDAP)
    • LDAP is an application protocol for querying and modifying X.500 directory services running over TCP/IP.
    • X.500 services were originally designed to be only accessible via OSI protocols such as ISO-TP3 and ISO-TP4 (overly complex some said but they were extremely configurable, tunable)
    • The examples come from the web.
    • I've installed the application and played around with it a bit but that is as far as it goes.
    • OpenLDAP Administrator's Guide

    OpenLDAP pre-requisites

    • The OpenSSL Transport Layer Security (TLS)
    • Kerberos Authentication Services
    • Simple Authentication and Security Layer
    • Sleepycat Software Berkeley DB
    • Posix threads and TCP wrappers

    See also OpenLDAP taq, software, installation for all build requisites.

    Directory storage

    should be suitable for information with a low mutation grade i.e. fairly static. Directories are optimised for read access.

    Directories, typically, contain employee data such as:

    surname, christian name, address, phone number, department, social security number, E-mail address

    Directories may also store:

    newsletters, company policies and procedures, templates supporting the house style of documents.

  • Install from source, binary

    OpenLDAP downloads

    Download, unpack into a 'build directory'

    $ cd 'build directory'
    $ ./configure                                (./configure --help)
    $ make depend     
    $ make
    $ make test
    $ su root -c make install

    'make depend' not really required these days ... read the README that comes with the source code.

    Installed to

    # ls -al /etc/ldap
    drwxr-xr-x   2 root root  ...   cacerts/
    -rw-r--r--   1 root root  ...   ldap.conf
    drwxr-xr-x   2 root root  ...   schema/
    -rw-r-----   1 root ldap  ...   DB_CONFIG.example
    -rw-r-----   1 root ldap  ...   slapd.conf

    Install the binary package

    Use your distro.'s package manager:

    On ubuntu based Mint

    ldap-utils - OpenLDAP utilities       Client programs to access a local or remote LDAP server
    slapd      - OpenLDAP server (slapd)  Provides standalone Directory Services
    $ sudo apt-get install slapd ldap-utils
  • Schemas, Object classes and attributes
    • A schema is a collection of object classes
    • An Object class is made up of, described by, a number of attributes

    Schemas can be created or selected from a collection of predefined schemas. Predefined schemas and core.schema are in /etc/ldap/schema/.

    For an employee, for example, the object class of person is predefined.

    (predefined) Object class attributes for - Person

    commonName (cn)
    surname (sn)


    For a company, for example, the following object classes are predefined, person, organization, organizationalUnit and country

    (predefined) Object class attributes for - Organization, organizationalUnit, country

    country (c)
    organization (o)
    organizationalUnit (ou)
    stateOrProvinceName (st)
    localityName (l)
  • Configuration and start up

    Main configuration file - /etc/ldap/slapd.conf

    include     /etc/ldap/schema/core.schema    # Schema and objectClass definitions
    schemacheck off                             # Enables forcing entries to match schemas 
                                                # for their objectClasses's.
    pidfile     /var/run/
    argsfile    /var/run/slapd.args             # List of arguments passed to the server
    loglevel    0
    database    ldbm                            # The backend type. Default=ldbm
    suffix      "o=MegaFix,c=NL"                # The base of your directory
    directory   "/var/ldap-test"                # Physical location of db files
    rootdn "cn=Manager,o=MegaFix,c=NL"          # Distinguished name, no access control
    rootpw blabla
    lastmod on                                  # Save entry modification time

    Create the directory where the databases will reside

    # mkdir /var/ldap-test

    Start the daemon

    # /etc/init.d/slapd start
    Starting ldap server(s): slapd

    Logs in /var/log/

    -rw-r-----    1 root     adm        934047 Jan 25 16:44 syslog
    -rw-r-----    1 root     adm         45275 Jan 25 16:44 debug
    -rw-r-----    1 root     adm        282043 Jan 25 16:45 auth.log

    Sample log entry - auth.log

    Jan 25 16:44:22 pug slapd[1373]: unable to open Berkeley db \
    /etc/sasldb: No such file or directory

    'sasl - "Simple Authentication and Security Layer" is a layer between OpenLDAP and Kerberos. As Kerberos is not being used can ignore the message.

  • LDIF files
    • LDAP Data Interchange Format have an extension of .ldif
    • Used for defining the organisation hierarchy

    Define the MegaFix organisation - /etc/ldap/MegaFix.ldif

    # The organisational structure
    # dn = distinguishedName
    # ou = organizationalUnit
    # o  = organizationName
    # c  = country
    dn: o=MegaFix, c=NL
    objectClass: organization
    description: The MegaFix Company Ltd.
    # The Sales department
    dn: ou=Sales, o=MegaFix, c=NL
    objectClass: organization
    description: Sales dept.
    # The persons in the organisation
    # cn = commonName
    # sn = surname
    # The Company's Manager
    dn: cn=Manager, o=MegaFix, c=NL
    objectClass: person
    cn: Manager
    cn: Gordon Gekko
    sn: Gekko
    description: General Manager - The Big Boss
    telephoneNumber: 555-1255
    # The engineers in London
    dn: cn=John Hughes, ou=London, ou=Engineering, o=MegaFix, c=NL
    objectClass: person
    cn: Engineer
    cn: John Hughes
    sn: Hughes
    description: Engineer
  • Update a directory using '.ldif' file

    Add the organisations heirarchy to the directory

    # ldapadd -f /etc/ldap/MegaFix.ldif -D 'cn=Manager,o=Megafix,c=NL' -W -x
    Enter LDAP Password: (which is 'blabla')
    adding new entry "o=MegaFix, c=NL"
    adding new entry "cn=Manager, o=MegaFix, c=NL"
    adding new entry "cn=John Hughes, ou=London, ou=Engineering, o=MegaFix, c=NL"

    '-D' use 'cn=Manager,o=Megafix,c=NL' distinguished name to bind to directory

    '-W' specify password, if blank prompt for password

    '-x' use simple authentication (not sasl)

    Add Mr. Poorten to directory - /etc/ldap/MegaFix.Amsterdam.Add.ldif

    dn: cn=Manager, o=MegaFix, c=NL
    objectClass: person
    cn: Manager
    cn: Simon Poorten
    sn: Poorten
    description: General Manager's twin - anoTher Big Boss
    telephoneNumber: 555-1222

    Two General Managers ...


    # ldapadd -f /etc/ldap/MegaFix.Amsterdam.Add.ldif -D 'cn=Manager,o=MegaFix,c=NL' -W -x
    Enter LDAP Password:

    List of all entries concerning the "engineering" organizationalUnit (ou)

    # ldapsearch -LLL -b 'ou=engineering,o=MegaFix,c=nl' -x cn description
    dn: ou=Engineering, o=MegaFix, c=NL
    description: Engineering dept.

    See the article below re. changing data for an explanation of the flags used with this command.

  • Change existing data

    The safest way to do this involves two steps

    • Get the existing entry and write it to a file in .ldif format
    • Modify that file to first delete the existing entry and then add a new one with the new location.

    Example: Change data to reflect John Hughes moving to Paris office.

    Search for directory entries and write results to

    # ldapsearch -LLL -b 'ou=london,ou=engineering,o=MegaFix,c=nl' -x >
    /* Options used:
     * -L                  Restricts the output to LDIFv1
     * -LL                 Disables comments
     * -LLL                Disables printing of the LDIF version.  Default is to
     *                     use an extended version of LDIF.
     * -b searchbase       Use searchbase as the starting point for the search 
     *                     instead of the default.
     * -x                  Use simple authentication instead of SASL


    1. Remove all entries (from ) except the one for John Hughes
    2. Delete the existing data for John Hughes
    3. Add new/modified data for John Hughes

    Resulting file -

    dn: cn=John Hughes, ou=London, ou=Engineering, o=MegaFix, c=NL
    changetype: delete
    dn: cn=John Hughes, ou=Paris, ou=Engineering, o=MegaFix, c=NL
    changetype: add
    objectClass: person
    cn: Engineer
    cn: John Hughes 
    sn: Hughes
    description: Engineer

    **Commit the changes to the database*

    # ldapmodify -r -f -D 'cn=Manager,o=MegaFix,c=NL' -W -x
    Enter LDAP Password:
    deleting entry "cn=John Hughes, ou=London, ou=Engineering, o=MegaFix, c=NL"
    adding new entry "cn=John Hughes, ou=Paris, ou=Engineering, o=MegaFix, c=NL"
    /* Options used:
     * -r                    Replaces existing value with the specified value - default
     * -f file               Read the entry modification information from file
     * -D bindDN             Uses the distinguished name 'bindDN' to bind to the directory
     * -W password           Specify the password, if not given then prompt for
     * -j file               Specify the file containing the password
  • Command summary

    Some commands

    ldapadd         Add data to directory
    ldapmodify      Opens a connection to an LDAP server, binds to it and modifies/adds entries
    ldapdelete      Deletes one or more entries in a db
    ldappasswd      Changes the passwd of an ldap entry
    ldapsearch      A powerful search tool