Environment Configuration
To use the OpenLDAP command line utilities and man pages, several shell environment variables must be modified or added.
- This guide assumes that the Symas OpenLDAP Server and/or client utilities are installed in the default location, “/opt/symas”
- Root/Administrator privileges may be required for some changes.
Setting LDAP Executable Path
The PATH variable must be modified so that all command line utilities (ldap*, slap*, etc.) can be found by the shell.
The command line tools are located in “/opt/symas/bin” and “/opt/symas/sbin”. Many Linux distributions come with LDAP client utilities already installed, but they are often many revisions behind your Symas OpenLDAP installation. Because of this, it is best to prepend the Symas path to the PATH variable. To add the Symas executable path on a per-user basis, add or update the PATH variable in the appropriate user profile script (.profile, .bash_profile, .bashrc):
Execution Path
export PATH=/opt/symas/bin:/opt/symas/sbin:$PATH
LDAP Client Configuration
The LDAP client tool configuration files contain directives and security certificate paths that will be applied as default settings for the ldap* (ldapsearch, ldapmodify, etc.) client utilities. User-level settings take precedence over system-level settings. At the user level, config files may be in two places: the current working directory and the user’s home directory. Settings in the config file that reside in the current working directory override any settings in the config file that resides in the user’s home directory. Config file locations are as follows:
Default System File (global settings): /opt/symas/etc/openldap/ldap.conf (may be placed elsewhere)
User Files (user-level settings and overrides of the default system settings): ~/ldaprc, ~/.ldaprc, ./ldaprc
Global Settings
The settings in /opt/symas/etc/openldap/ldap.conf set default properties for all ldap* command line utilities for all users. The most common global settings for ldap.conf are URI, BASE and TLS_CACERT.
URI
The URI setting, equivalent to the ldap* command’s ‘-H <LDAP URI>’ switch, is the URI that the ldap* command line utilities try to connect to by default. This setting can be a list of URIs; if the client is unable to connect to the first URI, it continues down the list until a connection succeeds.
BASE
The BASE setting, equivalent to the ldap* command’s ‘-b <searchbase>’ switch, designates the default search base for the ldapsearch command.
TLS_CACERT
The TLS_CACERT setting provides the path to the public CA certificate/key file (in .pem or .cer format) that is used by the ldap* (ldapadd, ldapsearch, etc.) command line utilities for establishing encrypted communications between hosts. Note: The TLS_CERT and TLS_KEY settings are not required if you are only connecting with simple binds (where you provide the bind dn and user password by using the -D and -w/W switches).
SASL_MECH
The SASL_MECH setting is equivalent to the ldap* command’s ‘-Y
User-Level Settings
Some ldap* client tool settings must be set at the user level, with the most common being BINDDN, TLS_CERT and TLS_KEY.
BINDDN
The BINDDN setting, equivalent to the ldap* commands’ ‘-D <binddn>’ switch, sets the default DN to bind with.
TLS_CERT
The TLS_CERT setting defines the path to a user/machine-level TLS public certificate (required for SASL binds).
TLS_KEY
The TLS_KEY setting defines the path to the private key file (.pem, .cer) associated with the public certificate set in TLS_CERT (required for SASL binds).
Additional Client Config Settings
A full list of client configuration settings is available in the LDAP.CONF(5) man page.
Environment Configuration
Once the client configuration files are ready, the LDAPCONF environment variable must be set for clients to use the ldap.conf file:
Linux/Unix
The default location of the LDAPCONF file is “/opt/symas/etc/openldap/ldap.conf”. To add the LDAPCONF environment variable on a per-user basis, place the following in the appropriate user profile script (.profile, .bash_profile, .bashrc):
LDAPCONF Variable
export LDAPCONF=/opt/symas/etc/openldap/ldap.conf
Example Configuration Files
Example ldap.conf
# Global Unix/Linux Settings
URI ldap://<somehost>/ ldap://<anotherhost>/ ldaps:/// ldapi:///
BASE dc=example,dc=com
TLS_CACERT /opt/openldap/etc/openldap/cacert.pem
# Global Windows Settings
URI ldap://<somehost>/ ldap://<anotherhost>/ ldaps:/// ldapi:///
BASE dc=example,dc=com
TLS_CACERT C:\Program Files\symas-openldap\etc\openldap\cacert.pem
Example ldaprc
# User Level Settings
BINDDN cn=foo,dc=example,dc=com
TLS_CERT /home/foo/.certs/user_cert.pem
TLS_KEY /home/foo/.certs/user_key.pem
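The precedence rules described under LDAP Client Configuration (the system ldap.conf, then ~/ldaprc, ~/.ldaprc, then ./ldaprc, with a directive in a later file overriding the same directive in an earlier one) and the private-key requirement of the user-level TLS_KEY setting, as an added shell example that is not part of the Symas documentation or tooling. It reads the files in that order with a small awk parser, reports the effective value of a directive, and checks that the file named by TLS_KEY is not readable by group or others. The function names ldap_setting_from_file, ldap_effective_setting, ldap_check_private_key and demo_precedence are hypothetical helpers, and the config file contents used in the demo are constructed; the order assumed between the two home-directory files is ~/ldaprc first, then ~/.ldaprc.

```shell
#!/bin/sh
# Added example, not Symas's own tooling. Hypothetical helpers that apply the
# precedence rules from this guide: the system file named by LDAPCONF (or the
# default /opt/symas/etc/openldap/ldap.conf), then ~/ldaprc, ~/.ldaprc, then
# ./ldaprc; a directive in a later file overrides the same directive in an
# earlier one.

# Print the value of KEY from FILE; the last occurrence wins, '#' lines and
# blank lines are skipped. Directive names are matched case-insensitively,
# as libldap does. Returns 1 when FILE is unreadable or lacks the directive.
ldap_setting_from_file() {
    key=$(printf '%s' "$1" | tr 'a-z' 'A-Z'); file=$2
    [ -r "$file" ] || return 1
    awk -v k="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        toupper($1) == k { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { if (val != "") { print val; exit 0 } else exit 1 }' "$file"
}

# Resolve the effective value of KEY across all config files; later files win.
ldap_effective_setting() {
    key=$1; result=""
    sysconf=${LDAPCONF:-/opt/symas/etc/openldap/ldap.conf}
    for f in "$sysconf" "$HOME/ldaprc" "$HOME/.ldaprc" "./ldaprc"; do
        v=$(ldap_setting_from_file "$key" "$f") && result=$v
    done
    [ -n "$result" ] && printf '%s\n' "$result"
}

# TLS_KEY names a private key: it must not be readable by group or others.
# Returns 0 when the mode is owner-only, 1 when the file is missing or too open.
ldap_check_private_key() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "TLS_KEY file not found: $keyfile" >&2; return 1; }
    if [ -n "$(find "$keyfile" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "TLS_KEY $keyfile is readable by group/others; use chmod 600" >&2
        return 1
    fi
    return 0
}

# Constructed demo in a scratch directory: the system file sets BASE and BINDDN,
# ~/.ldaprc overrides BINDDN, ./ldaprc overrides it again and wins; the key file
# is checked once at mode 0644 and once at 0600. Runs in a subshell so the
# HOME/LDAPCONF/cwd changes do not leak into the caller.
demo_precedence() (
    tmp=$(mktemp -d) || exit 1
    mkdir -p "$tmp/etc" "$tmp/home" "$tmp/cwd"
    printf 'BASE dc=example,dc=com\nBINDDN cn=global,dc=example,dc=com\n' > "$tmp/etc/ldap.conf"
    printf '# home-level override\nbinddn cn=home,dc=example,dc=com\n' > "$tmp/home/.ldaprc"
    printf 'BINDDN cn=cwd,dc=example,dc=com\n' > "$tmp/cwd/ldaprc"
    export HOME="$tmp/home" LDAPCONF="$tmp/etc/ldap.conf"
    cd "$tmp/cwd" || exit 1
    ldap_effective_setting BASE      # dc=example,dc=com (only the system file sets it)
    ldap_effective_setting BINDDN    # cn=cwd,dc=example,dc=com (./ldaprc wins)
    : > "$tmp/home/user_key.pem"
    chmod 644 "$tmp/home/user_key.pem"
    ldap_check_private_key "$tmp/home/user_key.pem" 2>/dev/null \
        && echo "key-mode-0644: ok" || echo "key-mode-0644: insecure"
    chmod 600 "$tmp/home/user_key.pem"
    ldap_check_private_key "$tmp/home/user_key.pem" 2>/dev/null \
        && echo "key-mode-0600: ok" || echo "key-mode-0600: insecure"
    rm -rf "$tmp"
)

demo_precedence
```

Run the script as-is to see the four demo lines; to audit a real account, source it and call `ldap_effective_setting TLS_KEY` followed by `ldap_check_private_key` on the path it prints, which mirrors what a client would actually load from the current directory and home directory.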
MANPATH
The MANPATH environment variable tells the “man” program (a Linux/Unix-specific help file reader) where to find the Symas OpenLDAP man pages. The Symas man pages are located in /opt/symas/share/man.
Linux/Unix
To add the MANPATH environment variable on a per-user basis, place the following in the appropriate user profile script (.profile, .bash_profile, .bashrc):
MANPATH Variable
export MANPATH=$MANPATH:/opt/symas/share/man
Linux/Unix Global Configuration
If desired, the above environment variables may be set globally on Linux/Unix servers:
RHEL / CentOS / Debian / Ubuntu
/etc/profile.d/symas_env.sh
#############################################################
## SETS ENVIRONMENT VARIABLES FOR SYMAS OPENLDAP
## SAVE AS /etc/profile.d/symas_env.sh
## Make executable: chmod +x /etc/profile.d/symas_env.sh
#############################################################
if [ -d "/opt/symas" ]; then
    # Point the /opt/symas/bin/ldap* utilities at the client config (URI, BASE, CA cert path for TLS)
    export LDAPCONF=/opt/symas/etc/openldap/ldap.conf
    # Add the path to the OpenLDAP utilities
    export PATH=/opt/symas/bin:/opt/symas/sbin:$PATH
    # Set the path to the OpenLDAP man pages
    export MANPATH=$MANPATH:/opt/symas/share/man
fi