LDAP Linux HOWTO: Installing the LDAP Server

2. Installing the LDAP Server

Five steps are necessary to install the server: install the prerequisite packages (if not already installed), download the server, unpack the software, configure the Makefiles, and build the server.

2.1 Pre-Requirements

To be fully LDAPv3 compliant, OpenLDAP clients and servers require installation of some additional packages. In my particular case I also installed OpenLDAP v2.0.11 on an out-of-box RedHat 2.2.15 distribution. My intention was to figure out if the build scripts would complain about the pre-required packages. They didn't! Anyway, this is not the rule; you might still need to obtain and install these additional packages to successfully build OpenLDAP v2.xx:

OpenSSL TLS libraries

The OpenSSL TLS libraries are normally part of the base system or available as an optional software component. The official OpenSSL URL is http://www.openssl.org

Kerberos Authentication Services

OpenLDAP clients and servers support Kerberos-based authentication services. In particular, OpenLDAP supports the SASL/GSSAPI authentication mechanism using either the Heimdal or MIT Kerberos V packages. If you want to use Kerberos-based SASL/GSSAPI authentication, you should install either Heimdal or MIT Kerberos V. Heimdal Kerberos is available from http://www.pdc.kth.se/heimdal. MIT Kerberos is available from http://web.mit.edu/kerberos/www.

The use of strong authentication services, such as those provided by Kerberos, is highly recommended.

Cyrus's Simple Authentication and Security Layer Libraries

Cyrus's SASL libraries are normally part of the base system or available as an optional software component. Cyrus SASL is available from http://asg.web.cmu.edu/sasl/sasl-library.html. Cyrus SASL will make use of the OpenSSL and Kerberos/GSSAPI libraries if they are preinstalled.

Database Software

OpenLDAP's slapd primary database backend, LDBM, requires a compatible database package for entry storage. LDBM is compatible with Sleepycat Software's BerkeleyDB (recommended) or with the Free Software Foundation's GNU Database Manager (GDBM). If neither of these packages is available at configure time, you will not be able to build slapd with primary database backend support.

If your operating system doesn't provide one of these two packages, it's necessary to obtain one of them and install it.

BerkeleyDB is available from Sleepycat Software's download page http://www.sleepycat.com/download.html. There are several versions available. At the time of this writing, the latest release, version 3.1, is recommended.

GDBM is available from FSF's download site ftp://ftp.gnu.org/pub/gnu/gdbm. At the time of this writing, version 1.8 is the latest release.


Threads

OpenLDAP is designed to take advantage of threads. OpenLDAP supports POSIX pthreads, Mach CThreads, and a number of other varieties. The configure script will complain if it cannot find a suitable thread subsystem. If this occurs, please consult the Software - Installation - Platform Hints section of the OpenLDAP FAQ http://www.openldap.org/faq.

TCP Wrappers

slapd supports TCP wrappers (IP level access control filters) if preinstalled. Use of TCP wrappers or other IP-level access filters (such as those provided by an IP-level firewall) is recommended for servers containing non-public information.

2.2 Downloading the package

There are two freely distributed LDAP servers: the University of Michigan LDAP server and the OpenLDAP server. There's also the Netscape Directory Server, which is free only under some conditions (educational institutions get it free, for example). The OpenLDAP server is based on the latest version of the University of Michigan Server, and there are mailing lists and additional documentation available for it. This document assumes that you are using the OpenLDAP server.

Its latest tar gzipped version is available at the following address:


If you want to get the latest version of University of Michigan Server, go to this address:


To write this document, I used the 2.0.4 version of the OpenLDAP package. My operating system is a Slackware Linux with kernel 2.2.13.

On the OpenLDAP site you can always find the latest development and stable versions of the OpenLDAP server. By the time this document was updated, the latest stable version was openldap-stable-20000704.tgz. The latest development version was openldap-2.0.4.tgz.

2.3 Unpacking the server

Now that you have the tar gzipped package on your local machine, you can unpack it.

First copy the package to a directory of your choice, for example /usr/local.

Then use the following command:

tar xvzf openldap-stable.tgz 

You can also use this command:

gunzip -c openldap-stable.tgz | tar xvf - 

2.4 Configuring the software

There are several options that you may want to customize so you can build the best software for your site.

To configure the software you just need 2 steps:

  • Edit the file ldapconfig.h.edit, located in the include subdirectory beneath the directory where you unpacked the software.
  • Run the configure script (if you are a tough guy, you can also edit the Make-common file instead of running the configure script :^)

In the file include/ldapconfig.h.edit you can set options like the location of the slapd and slurpd daemons. The file itself is well commented and its default settings also reflect the most common administrator choices, so if you are in a hurry you can skip this step:

vi include/ldapconfig.h.edit 

The OpenLDAP server sources are distributed with a configuration script for setting options like installation directories and compiler and linker flags. Type the following command in the directory where you unpacked the software:

./configure --help 

This will print all options that you can customize with the configure script before you build the software. Some useful options are --prefix=pref, --exec-prefix=eprefix and --bindir=dir, for setting installation directories. Normally if you run configure without options, it will auto-detect the appropriate settings and prepare to build things in the default common location. So just type:

./configure 

And watch the output to see if all went well.
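Section 2.1 notes that the build scripts may not complain when an optional package is missing, so it is worth confirming after configure which security features were actually detected. The script below is an added example, not part of the original HOWTO or the OpenLDAP distribution; it assumes configure records detected features as #define lines in include/portable.h under the macro names HAVE_TLS, HAVE_CYRUS_SASL and HAVE_TCPD, and its sample header is constructed.

```shell
#!/bin/sh
# Added example: list optional security features that configure left out.
# Assumption: configure writes detected features as "#define NAME 1" lines to
# include/portable.h under the macro names listed in feature_macros below;
# verify the names against your own source tree.

# feature_macros: one "MACRO:description" pair per line.
feature_macros() {
    cat <<'EOF'
HAVE_TLS:OpenSSL TLS libraries (Start TLS)
HAVE_CYRUS_SASL:Cyrus SASL (strong authentication)
HAVE_TCPD:TCP wrappers (IP-level access control)
EOF
}

# missing_features FILE: print the description of every feature whose macro
# is not defined to a non-zero value in FILE; print nothing if all are there.
missing_features() {
    hdr=$1
    feature_macros | while IFS=: read -r macro desc; do
        # "#undef X" and commented-out "/* #undef X */" lines do not match.
        pattern="^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}[[:space:]]+[1-9]"
        if ! grep -Eq "$pattern" "$hdr"; then
            printf '%s\n' "$desc"
        fi
    done
}

# write_sample FILE: constructed sample header, not taken from a real build.
write_sample() {
    cat > "$1" <<'EOF'
/* constructed sample of a generated portable.h */
#define HAVE_PTHREADS 1
#define HAVE_TLS 1
/* #undef HAVE_CYRUS_SASL */
#undef HAVE_TCPD
EOF
}

# With a path argument, check that header; with none, check the sample.
target=${1:-}
if [ -z "$target" ]; then
    target=${TMPDIR:-/tmp}/portable_sample.$$
    write_sample "$target"
    trap 'rm -f "$target"' EXIT
fi
echo "Not compiled in:"
missing_features "$target"
```

Run it from the directory where you unpacked the software, passing include/portable.h as the argument; any feature it lists means the corresponding prerequisite from section 2.1 was not found at configure time.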

2.5 Building the server

After configuring the software you can start building it. First build the dependencies, using the command:

make depend 

Afterwards, build the server, using the command:

make 

If all goes well, the server will build as configured. If not, return to the previous step to review the configuration settings. You should also check the platform-specific hints, which are located in the path doc/install/hints under the directory where you unpacked the software.

Now install the binaries and man pages. You may need to be superuser to do this (depending on where you are installing things):

make install 

That's all; now you have the binary of the server and the binaries of several other utilities. Go to the next section to see how to configure the operation of your LDAP server.

The binary of the OpenLDAP 2.0 server is called slapd. OpenLDAP 2.0 was officially released on August 30th and it implements LDAP protocol v3, as defined in RFC 2251.

The main features of OpenLDAP 2.0 are:

  • LDAPv2 and LDAPv3 Support (RFC2251-2256,2829-2831)
  • Maintenance of interoperability with existing clients
  • IPv4 and IPv6 support
  • Strong Authentication (SASL) (RFC2829)
  • Start TLS (RFC2830)
  • Language Tags (RFC2596)
  • DNS-based service location (RFC2247+"locate" I-D)
  • Enhanced Standalone Server
  • Named References/ManageDsaIT ("nameref" I-D)
  • Enhanced Access Control subsystem
  • Thread pooling
  • Preemptive threading support
  • Multiple listener support
  • LDIFv1 (RFC2849)
  • Improved platform/subsystem detection

Note: There will be a document on the Linux Documentation Project (LDP) called LDAP Implementation HOWTO. This document will be a great resource for those who want to explore the new features of OpenLDAP 2.0. The date for its release is around December 2000.

In the latest versions of the OpenLDAP package, it's also possible to test the recently built binaries. The package comes with a test script, which you can run using the command:

make test

If anything goes wrong with the script you can just abort it by hitting Ctrl-C. In my case, the script stopped working before its total completion. Anyway I still could see some successful messages about my OpenLDAP configuration.