OpenLDAP and Host Identity Protocol for Linux

This page discusses about OpenLDAP and its usage with HIPL i.e. to secure the communication between the server and the client.

Using OpenLDAP with HIP is pretty straight forward thing to do. This file is modified version of the quick start guide found from This file gathers only the most important steps of that guide and for further information on using OpenLDAP refer to the original guide. Tests were made with stable version openldap-2.3.38. I was using Ubuntu 7.04 and Ubuntu 8.04 for these tests, so if you are using different distro the locations of configuration files etc can be different.

In the last section there is a small guide for the ACL part of slapd but it requires a release version 2.4.11 to be compiled and installed (2.4.7 might work the code was already there, but I tested this with a newer version).

1. Compiling

Get the sources from Unpack the package and go into openldap-VERSION folder and start compiling. Compilation is done in the following way. See ./configure --help for extra options, but remember the IPv6 support must be on.

      make depend
      make test

Building and testing OpenLDAP can take a long time. If this succeeds, you can install OpenLDAP with 'sudo make install'.

2. Configuring

The main configuration file is usually located in '/usr/local/etc/openldap/slapd.conf'. This file contains section like

      database bdb
      suffix "dc=<MY-DOMAIN>,dc=<COM>"
      rootdn "cn=Manager,dc=<MY-DOMAIN>,dc=<COM>"
      rootpw secret
      directory /usr/local/var/openldap-data

This has to be modified. If you have a domain like, the configuration looks then like this

      database bdb
      suffix "dc=pc,dc=example,dc=com"
      rootdn "cn=Manager,dc=example,dc=com"
      rootpw secret
      directory /usr/local/var/openldap-data

For further information on configuring see 'man slapd'.

2.1. Defining a password

In the previous section we talked about configuring the slapd and showed part of the configuration file. The file has a line 'rootpw secret'. This line has to be changed before the database actually accepts any inserts. Changing the password can be made for instance like this, 'slappasswd -s secretword'. This returns you a string like, '{SSHA}+Ca5v5wgXGKR//tycdcH7VKbFderQbr8'. This has to be copied into the configuration file so the 'rootpw secret' should look similar to this 'rootpw {SSHA}+Ca5v5wgXGKR//tycdcH7VKbFderQbr8' after the modifications.

2.1 Starting the slapd

Slapd is started with command 'sudo /usr/local/libexec/slapd'.

2.2 Slapd and logging

Slapd can log its events and it may be usefull when playing around with the configuration or/and monitoring its behaviour. For this to happen you have to create a folder for the logs and the log file.

#sudo mkdir /var/log/openldap
#touch /var/log/openldap/ldap.log

After this you have to tell the logging daemon that it has to log openldap to the file we just created. So edit your '/etc/syslog.conf' to contain the following lines

#logging for openldap
local4.* /var/log/openldap/ldap.log

Remember that every time you change these values you have to restart slapd and syslogd ('#sudo /etc/init.d/syslogd restart'). Then you have to set the logging in the global part of the 'slapd.conf' to contain the following line.

loglevel 256

This is the most common option for this. If you want it to log all ACL related stuff you would put 128 instead of 256. The loglevels are powers of 2. So if you want for example to log connections, ldap operations and ACL events you would add 256 and 128 together and then your line would be.

loglevel 384

2.3. Slapd and Berkeley Database

To get the most out of the openldap installation you have to configure your BDB settings. DB_CONFIG can be found from '/usr/local/var/openldap-data/'. If it is not created yet there should be at least an example file that you can modify called 'DB_CONFIG.example'. Also some changes have to be made to 'slapd.conf' to the BDB part at the end. But I am not going to go into this issue. For more information see for example 'man 5 slapd-bdb'.

3. Inserting data

Inserting data to ldap can be done with ldif files.

      dn: dc=<MY-DOMAIN>,dc=<COM>
      objectclass: dcObject
      objectclass: organization
      dc: <MY-DOMAIN>

      dn: cn=Manager,dc=<MY-DOMAIN>,dc=<COM>
      objectclass: organizationalRole
      cn: Manager

For example if we are inserting 'Company' as organization to, the ldif file should look like this

      dn: dc=example,dc=com
      objectclass: dcObject
      objectclass: organization
      o: PC Example
      dc: example

      dn: cn=Manager,dc=example,dc=con
      objectclass: organizationalRole
      cn: Manager

Save this as example.ldfi and run next command 'ldapadd -x -D "cn=Manager,dc=<MY-DOMAIN>,dc=<COM>" -W -f example.ldif'. Changing of course the <MY-DOMAIN> and <COM> with the ones you are using. Then ldap asks the passwd set in earlier section.

4. Searching data

Search is simple also. Searching can be done with command "ldapsearch -x -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'" and it also has to be modified to "ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'".

5. Searching from remote servers

Searching from remote servers just adds one ldapuri to the command. "ldapsearch -x -H <LDAPURI> -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'". This has to be changed as in the previous examples and also the ldapuri has to bechanged into "ldap://<IP>". If IPv6 the ldapuri has to be in format "ldap://[<IPv6>]".

6. Using OpenLDAP with HIP

Simplest way is to run hipd on both machines and just use command like "hipconf run normal ldapsearch -x -H ldap://<fqdn> -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'" The name can be something found from /etc/hosts and /etc/hip/hosts or you can use OpenDHT to resolve names to HIT and address. Search can also be done directly with HIT by command "ldapsearch -x -H ldap://[<HIT>] -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'". You can search also by using the opportunistic mode by using command "hipconf run opp ldapsearch -x -H ldap://<fqdn> -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'" Ldapadd can be used similarly with LDAPURI and HIP.

7. Using HITs in OpenLDAP ACL

Does not work in stable version openldap-2.3.38. Because there is no IPv6 support in the ACL part of the code. If you need the ACL part to work With HITs, compile and install release version 2.4.11 or later and it should work. You can define ACL rules that restrict the access to information to certain HITs. This has to be done on one rule per HIT bases. For example the rule can be like this

      access to *
            by self write
            by peername.ipv6=<HIT_1> anonymous read
            by * none

In this example we allow write/read/search to self, anonymous read/search permissions to any process, without authentication, from host from HIT_1 and others get no permissions what so ever. These rules have to be added to '/usr/local/etc/openldap/slapd.conf' or to the slapd.access (see man slapd.access for further information).

All of these manuals/tutorials are provided as is. They worked for me and that is all the help I give with them, so if I forgot something or there is a typo you can inform me but do not expect me to solve your problems :) Oh and almost forgot, use them at your own risk.