This blog post explains how to setup OpenLDAP under Mac OS X and I have tried this out successfully under OS X Lion.
First we need to install the correct Xcode version corresponding to the OS X and then the latest
MacPorts. Once this is done installing OpenLDAP via MacPorts is quite simple.
% sudo port -d selfupdate
% sudo port install openldap
The above will install OpenLDAP with Berkly DB back-end.
You will find the OpenLDAP configuration files at
/private/etc/openldap
We need to worry about two configuration files here - slapd.conf and ldap.conf. You will find these two config files as slapd.conf.default and ldap.conf.default, in that case rename those to be slapd.conf and ldap.conf. Also make sure you copy the /private/var/db/openldap/openldap-data/DB_CONFIG.example to /private/var/db/openldap/openldap-data/DB_CONFIG.
First let's open up ldap.conf. There you need set the BASE for LDAP tree - and also the URI for the LDAP server. That's all - change those settings and save the file.
BASE dc=wso2,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://192.168.1.83:389
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT demand
Next we need to modify the slapd.con file. This is one of the main LDAP configuration files.
Please make sure all related schema includes are there.. un-commented..
Then you need to set suffix, rootdn and rootpw.
suffix needs to be the same as what you defined for BASE in ldap.conf.
rootdn is the DN of the OpenLDAP root user. Here I have it as cn=admin,dc=wso2,dc=com.
Then the rootpw...
This is bit tricky and most people get this wrong.
If you just put any clear text value to rootpw - then when you try do an ldapsearch and try to authenticate, it will fail with the following error.
ldap_bind: Invalid credentials (49)
The reason is, the default distribution which comes with MacPorts, is built with clear text passwords being disabled. So you need to generate the password in SHA first and then put it in to the slapd.conf. To generate the SHA password you can use the following command.
% slappasswd -s your-password
Also make sure that following two lines are un-commented...
modulepath /usr/libexec/openldap
moduleload back_bdb.la
Following is the complete slapd.conf file.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /private/etc/openldap/schema/core.schema
include /private/etc/openldap/schema/cosine.schema
include /private/etc/openldap/schema/nis.schema
include /private/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /private/var/db/openldap/run/slapd.pid
argsfile /private/var/db/openldap/run/slapd.args
# Load dynamic backend modules:
modulepath /usr/libexec/openldap
moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=wso2,dc=com"
rootdn "cn=admin,dc=wso2,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}BqYQBS48EZlLu4XYJxEXaOlRdseW2D4Y
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /private/var/db/openldap/openldap-data
# Indices to maintain
index objectClass eq
Once the above is done - we can start our OpenLDAP server...
% sudo /usr/libexec/slapd -d3
Now, we need to build our LDAP tree structure...
Save the following in to a file called root-ou.ldif.
dn:dc=wso2,dc=com
objectClass:dcObject
objectClass:organizationalUnit
dc:wso2
ou:WSO2
Now run the following command...
% ldapadd -D "cn=admin,dc=wso2,dc=com" -W -x -f root-ou.ldif
"cn=admin,dc=wso2,dc=com" is the value of rootdn that we setup in slapd.conf. When prompted for password, you can give the rootpw.
Now, let's add a OU called people under this.
Once again, save the following to a file called people-ou.ldiff.
dn: ou=people,dc=wso2,dc=com
objectClass: organizationalUnit
ou: people
Now run the following command...
% ldapadd -D "cn=admin,dc=wso2,dc=com" -W -x -f people-ou.ldif
If your OpenLDAP instance is running on a different port than the default one - we need to use the following command instead of the above.
% ldapadd -D "cn=admin,dc=wso2,dc=com" -H ldap://localhost:389 -W -x -f people-ou.ldif
This will create a OU structure as shown in the image below.. Basically you can connect Apache Directory Studio to your running OpenLDAP instance to view it.
Everything should be fine by now...
OpenLDAP comes with set of default schema files, which you can find inside /private/etc/openldap/schema. If you want to have your own schema loaded in to OpenLDAP, what you have to do is, write your schema file and copy it to /private/etc/openldap/schema and edit the slapd.conf to add an include pointing to your schema file. Then you need to restart the OpenLDAP server.
To stop the OpenLDAP instance you can use the following command...
% sudo kill $(cat /private/var/db/openldap/run/slapd.pid)
/private/var/db/openldap/run/slapd.pid is the place where the process id of the OpenLDAP process being stored - and this location can be configured in slapd.conf.