29/8/2014 Chapter 4.1.

3 OpenLDAP Windows Install

http://www.zytrax.com/books/ldap/ch4/win2k.html 1/6
Chapter 4.1.3 OpenLDAP Windows
4.1.1 FreeBSD Install
4.1.2 Fedora Core Install
4.1.3 Windows Install
4.1.3 Windows Installation
If you want to deploy an Open Source LDAPv3 compliant server in Windows (XP,
Windows 7 or for the unfortunate among us, even Windows Vista) you have three
choices:
1. OpenLDAP under cygwin.
The cygwin installer has done a great job in making the installation a long-
winded but very simple process (it can take upwards of 30+ mins to get
everything installed) and they have done a terrific job of hiding OpenLDAP (it's
under the Libs category in the installer). The major downside is that the
OpenLDAP version may not be updated regularly. If you are going to do
development, or run other *nix packages under Windows this is the obvious
choice.
2. ApacheDS. Runs under Java and includes a great LDAP Client/Development
system called Apache Directory Studio. Superb tool as a client to any system
including OpenLDAP. Perhaps a tad complicated to install since it's embedded
into the Eclipse development environment (which always likes to complicate
things) but well worth the effort.
3. If you want a simple, single click installation of the current version of
OpenLDAP on Windows then you can do no better than OpenLDAP for
Windows. It is updated pretty frequently (OpenLDAP 2.4.35 July 2013). It
installs Berkley DB (OpenLDAPs database bdb or database hdb), OpenSSL
(provides OpenLDAP TLS support) and even Cyrus SASL (provides Kerberos
support). We describe its installation below. OpenLDAP does not run as a
Windows task but rather runs inside a dos box.
Installation of OpenLDAP for Windows
The following provides some notes about installing and using OpenLDAP for
Windows. The documentation seems to suggest it can do significantly more than
provide basic OpenLDAP services and discusses the use of Microsoft-SQL. We ignored
all that stuff (not being MS-SQL users) and still got an extremely useable, high
function OpenLDAP installation:
1. Download the software from this location to a suitable directory.
2. Unzip to a suitable location and double click to run OpenLDAP-2.y.xx-x86.exe
(y is the major version number and xx is the minor version number) and follow
the prompts of the install wizard. The installation can be run as a normal user
29/8/2014 Chapter 4.1.3 OpenLDAP Windows Install
http://www.zytrax.com/books/ldap/ch4/win2k.html 2/6
(it does not require administrator permissions). The following screens may be
a tad confusing and some additional explanation is provided.
3. This screen prompts you to enter your details but does not allow data entry.
Go figure. Ignore it and click 'Next'. There are no side effects.
4. This screen shows the default installation directory, change to suit your needs
or just click 'Next'.
5. Once the files are installed this screen shows some basic information about the
server configuration. Much of it is only useful if you are going to use the
default configuration.
29/8/2014 Chapter 4.1.3 OpenLDAP Windows Install
http://www.zytrax.com/books/ldap/ch4/win2k.html 3/6
The screen following this one ask if you want to read the readme.pdf
document. Our advice - don't. Uncheck the box and carry on reading these
instructions.
6. When the last install wizard screen has been dismissed and faded into the
night you have the following configuration (assumes you have installed to the
default c:\OpenLDAP path, adjust as appropriate if you are one of those folks
who hates to take defaults just because they are defaults):
1. The system is configured to use a slapd.conf file in \etc\openldap (there
is no slapd.d directory - see notes here on olc/cn=config). This
slapd.conf is perfectly serviceable and well worth looking at, in particular
it uses relative paths to contain them within the installation directory.
LDAP is supported on the standard port numbers (389 and 636 for
ldaps). If you are going to use your own slad.conf file look at the
standard location of any pidfile, argsfile (default \var\run) and logfile
(default \var\log) statements and adjust for simplicity, similarly check
the location of schema files (\etc\openldap\schema) and directory
(\var\db\openldap-data) statements in your database section(s) (use
and create new directories as appropriate).
2. One of the more confusing aspects of OpenLDAP installation these days
is whether or not they are built statically or dynamically. OpenLDAP for
Windows has built statically (smart) meaning that you do not need
loadmodule or loadpath statements.
For your delight and edification we shown the default OpenLDAP for
Windows slapd.conf file below:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /schema/core.schema
# Define global ACLs to disable default read access.
29/8/2014 Chapter 4.1.3 OpenLDAP Windows Install
http://www.zytrax.com/books/ldap/ch4/win2k.html 4/6
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /run/slapd.pid
argsfile /run/slapd.args
# Load dynamic backend modules:
# modulepath
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /openldap-data
# Indices to maintain
index objectClass eq
3. To start the server you can either do it from Start->All Programs-
>OpenLDAP->Start LDAP Server as shown below:.
29/8/2014 Chapter 4.1.3 OpenLDAP Windows Install
http://www.zytrax.com/books/ldap/ch4/win2k.html 5/6
Note: OpenLDAP for windows uses an .exe for installation rather than a
.msi file and therefore it can take up to 30 mins to appear on the All
Programs menu.
If you are impatient, navigate to the libexec directory and double click
the entry StartLDAP.cmd which immediately starts the LDAP Server.
Starting the server will open a dos box, generate buckets loads of
information and remain open (you must explicity terminate OpenLDAP
using CTL-C in this dos box window). If anything goes wrong the window
will immediately close. If you are using a logfile (default slapd.conf uses
\var\log\openldap.log) then inspect it for errors. If you are not using a
logfile statement - tough luck.
The volume of traffic in the dos box window can seriously slow down the
server. To reduce or eliminate the volume of data shown on the screen
simply edit (notepad will do it) the file \libexec\StartLDAP.cmd and on
the last line of this file remove the -d -1 arguments completely (to
eliminate the traffic except catasrophic errors) or change the -1 so some
other value (as defined here), for example, the value 8 will only show
connection information. This file is shown in its full glory so you can
figure out which is the last line.
@echo off
verify on
Rem SET HOME=
SET ODBCINI=..\etc\odbc.ini
SET ODBCSYSINI=..\etc
SET FREETDS=..\etc\freeTDS.conf
SET TDSVER=8.0
SET TDSDUMP=..\var\log\freetds.log
SET RANDFILE=..\bin\rfile.rnd
SET LDAPCONF=..\etc\openldap\ldap.conf
SET LDAPRC=..\bin\ldaprc
Rem Adjust accordingly
Rem SET KRB5_CONFIG=C:\Heimdal\etc\krb5-pkinit.conf
Rem SET KRB5_KTNAME=C:\Heimdal\etc\krb5.keytab
Rem SET KRB5CCNAME=FILE:C:/Heimdal/tmp/krb5cc_500
SET FQDN=localhost
29/8/2014 Chapter 4.1.3 OpenLDAP Windows Install
http://www.zytrax.com/books/ldap/ch4/win2k.html 6/6
slapd.exe -d -1 -h "ldap://%FQDN%/ ldaps://%FQDN%/" -f ..\etc\openldap\slapd.conf
4. The standard OpenLDAP ldap utilities (ldapsearch etc.) are located in the
bin directory. OpenLDAP for windows conveniently provides a command
line window pre-configured for this directory as shown below:
Alternatively open any dos box window and navigate to c:\openldap\bin
or place this in your path (start->control panel->system->advanced
system settings->advanced tab->environmental settings button->scroll
down in the lower pane to the path variable and add ;c:\openldap\bin)
Opening any dos box (Start->run->cmd) will allow you run the ldap
utilities. Note: the slap utilities (slapadd etc.) are in the sbin directory so
you may want to add ;c\openldap\sbin also to the path variable.
7. As previously mentioned to terminate the OpenLDAP server select the dos
window in which it is running and type CTRL-C, the server will stop and you
will be offfered a prompt Terminate Batch Job?, typing y to this prompt will
close the window.
If this procedure is not followed (for example you closed your PC without
terminating the LDAP server) the server will probably subsequently refuse to
start. If this is the case navigate to the directory c:\openldap\var\run and
delete any files in this directory (slapd.args and slapd.pid). The server should
now restart. Failing this look at the log file (default in \var\log). You do have a
logfile directive, don't you?
Copyright 1994 - 2014 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax web-master at zytrax
Page modified: July 26 2013.