Apache assumes that the WebDAV requests a client sends are UTF-8 encoded, but for Chinese users they are in practice far more often in a GB encoding.

mod_encoding is a module written in Japan that solves Apache's encoding-support problem for WebDAV.

mod_encoding supports Apache 1.3 and Apache 2; on Debian the corresponding package is libapache2-mod-encoding. Its configuration directives are:

EncodingEngine (on|off)
Switches the encoding-conversion engine on or off.

SetServerEncoding <enc>
Sets the encoding used by the server's file system.

AddClientEncoding <agent> <enc> [<enc> ...]
Sets the encoding(s) used for requests from a given client user agent.

DefaultClientEncoding <enclist>
The default list of client encodings to try.

NormalizeUsername (on|off)
Whether to normalize user names. On Windows (especially Windows XP) the user name passed during authentication takes the form "hostname\\username", which is non-standard; this option strips the hostname automatically.

A typical configuration:

LoadModule encoding_module modules/mod_encoding.so
<Location /dav>
 EncodingEngine on
 NormalizeUsername on
</Location>
SetServerEncoding UTF-8
DefaultClientEncoding UTF-8 gb18030 big5
AddClientEncoding "Microsoft .* DAV 1.1" gb
AddClientEncoding "(Microsoft .* DAV $)" UTF-8 gb18030 big5
AddClientEncoding "Microsoft .* DAV" UTF-8 gb18030 big5
AddClientEncoding "(Microsoft .* DAV 1.1)" gb18030 big5
AddClientEncoding "Microsoft-WebDAV*" UTF-8 gb18030
AddClientEncoding "RMA/*" gb18030
AddClientEncoding "xdwin9x/" gb18030
AddClientEncoding "cadaver/" UTF-8 gb18030
AddClientEncoding "Mozilla/" gb18030
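To make the effect of the directives above concrete, here is a small Python model of the client-encoding selection, added for this post and not code from mod_encoding itself. It assumes that each AddClientEncoding <agent> pattern is a regular expression matched against the User-Agent header and that the candidate encodings are tried in the listed order until one decodes the path without error; the page's "gb" is mapped to Python's gb18030 codec. The sample configuration and the request paths are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed configuration mirroring the directives above. Treating <agent>
# as a regular expression on User-Agent is an assumption about mod_encoding.
SERVER_ENCODING = "utf-8"                                  # SetServerEncoding
DEFAULT_CLIENT_ENCODINGS = ["utf-8", "gb18030", "big5"]    # DefaultClientEncoding
CLIENT_ENCODING_RULES = [                                  # AddClientEncoding
    (r"Microsoft .* DAV 1\.1", ["gb18030"]),               # first match wins
    (r"Microsoft-WebDAV", ["utf-8", "gb18030"]),
    (r"cadaver/", ["utf-8", "gb18030"]),
    (r"Mozilla/", ["gb18030"]),
]


def encodings_for_agent(user_agent, rules=CLIENT_ENCODING_RULES,
                        default=DEFAULT_CLIENT_ENCODINGS):
    """Return the candidate encoding list for a User-Agent string."""
    for pattern, encodings in rules:
        if re.search(pattern, user_agent or ""):
            return list(encodings)
    return list(default)


def decode_request_path(raw_path, user_agent):
    """Decode a request-target as the client sent it.

    raw_path may be raw bytes or a %-escaped str. Each candidate encoding is
    tried in order; the first that decodes without error wins.
    Returns (unicode_path, encoding_used).
    """
    raw = unquote_to_bytes(raw_path)
    for encoding in encodings_for_agent(user_agent):
        try:
            return raw.decode(encoding), encoding
        except UnicodeDecodeError:
            continue
    raise ValueError("request path not decodable with any configured encoding")


def filesystem_path(raw_path, user_agent, server_encoding=SERVER_ENCODING):
    """Re-encode the decoded path in the server's file-system encoding."""
    text, _ = decode_request_path(raw_path, user_agent)
    return text.encode(server_encoding)
```

The order in an encoding list matters: gb18030 (and big5 to a lesser degree) will accept almost any byte pair, so a rule that lists only gb18030 silently mis-decodes UTF-8 input instead of failing, whereas UTF-8 rejects GB bytes and falls through cleanly. Put the strictest encoding first, as the page's DefaultClientEncoding line does.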

mod_encoding matters a great deal to Chinese users, yet there is almost no Chinese documentation for it. The original site is in Japanese and there is not much English documentation either; the only way was to read the source code and pull out the documentation above :-(

While writing this post I also came across a Chinese-Japanese translation tool, although what it produces is really not very good.

Same-IP site lookup

[Unspecified 2009/01/09 16:48 | by ipaddr ]

Same-IP site lookup:
http://ipsame.com/
Hadoop is an open-source distributed computing platform consisting mainly of two parts: execution of MapReduce algorithms and a distributed file system. InfoQ previously published a survey article by Jeremy Zawodny on Hadoop's speed improvements. This time InfoQ's senior Java editor Scott Delap interviewed Hadoop project lead Doug Cutting. In this InfoQ interview Cutting discusses how Hadoop is used at Yahoo, the challenges encountered during Hadoop's development, and the future direction of the Hadoop project.

  Scott Delap (SD): Is Hadoop already serving some Yahoo functions as a production product? If not, what plans are there to move Hadoop from an experimental product to a core infrastructure component?

  Doug Cutting (DC): Yahoo regularly uses Hadoop in its search business to improve its products and services, such as ranking and targeted advertising. Beyond that, there are cases where Hadoop is used directly for data generation. Hadoop's long-term goal is to provide world-class distributed computing tools and a web-scale service that supports next-generation businesses such as search result analysis.

  SD: How large is the Yahoo team responsible for the Hadoop project? Apart from Yahoo staff, how many other active code contributors are there?

  DC: Yahoo has a dedicated group directly responsible for Hadoop development, while active contributors to Apache open-source projects generally have their own primary jobs. Even so, there are non-Yahoo people contributing to Hadoop monthly, weekly and even daily.

  SD: Compared with Google, Yahoo has taken a different path with scalable infrastructure. Although Google has published many technical papers, their significance to the general public is not obvious. Why do you think open source is the right direction?

  DC: An open-source project runs best when two conditions are met: first, everyone shares an understanding of what the project can do; second, there is an easily understood, documented solution. Because infrastructure software is widely used in many fields, open-source software of this kind develops exceptionally well. Yahoo itself uses and supports infrastructure software such as FreeBSD, Linux, Apache, PHP and MySQL. Letting anyone use Hadoop helps Yahoo improve the state of the art in building large distributed systems. Source code is only a small part of the puzzle; beyond that, an organization needs a very strong team of engineers to solve major problems and put the solutions into practice. The ability to release and manage infrastructure properly is also very important. Almost no company today has all of these resources. So software engineers are willing to work on open-source projects, where they meet many like-minded people in a huge community and learn shared techniques they can apply to other projects later. Such an excellent community environment easily nurtures many new outstanding engineers. Both Yahoo and the Hadoop community benefit from this cooperative mechanism, gaining a better understanding of what large-scale distributed computing requires, and sharing our experts' opinions and technology to build a solution that anyone can use and modify.

  SD: Back to the technology itself. As Hadoop has developed in recent years, what do you think are the factors affecting its speed and stability? I notice the 500-record sort benchmark is now 20 times faster than last year; is that due to a huge improvement in one component or the result of optimizing several components together?

  DC: While working on web-scale software, Yahoo found that as more companies and organizations adopted this solution they all obtained similar performance. Yahoo decided to open-source it rather than continue developing it as proprietary software, and so Yahoo hired me to lead the project. To date, Yahoo has contributed the vast majority of the code.

  As for the speed improvements, they are the sum of several years of effort and have gone through repeated experiments. On a server cluster of a given size we make the system run very smoothly, then try running on a cluster twice that size to see what happens. Our goal is for performance to increase linearly with cluster size. We keep learning from this process and then increase the cluster size again. Each time the cluster grows, more errors of more kinds appear, so stability is a major issue.

  Each time we do this we learn what can be achieved and what experience can be contributed to the shared body of open-source grid computing knowledge. As cluster size grows, new kinds of failures keep appearing and rare errors become common ones; all of these we have to solve. What we learn in the process then influences the next round of experiments.

  SD: Since last year Hadoop has been able to run on Amazon EC2, which lets developers quickly set up their own server clusters. Is there any extra work needed to manage such a cluster, HDFS, and MapReduce processing?

  DC: Yahoo has a project called HOD (Hadoop on Demand) that lets MapReduce run on very ordinary machines. It is still an open-source project under construction. Since running a large cluster is complex and resource-constrained, Amazon EC2 is a very good platform for the general public to get started with Hadoop.

  SD: How would you objectively compare Hadoop's features with what Google has published? Are there new features in the process of optimizing from program units to data units?

  DC: Over the past decade many large companies (including Yahoo) and some research institutions have developed and studied large-scale distributed computing software, and recently, as economical computing has appeared in the consumer market, interest in such work has grown further. Unlike Google, Yahoo chose to develop the fully open-source Hadoop, which anyone may use and modify for free. Hadoop's goal has extended beyond being a copy of any existing technology. We are committed to building Hadoop into a system useful to anyone. We have implemented most of what Google has published, plus many things that were never mentioned. Yahoo will play a leading role in this project because its goals match our needs very well, and we understand what sharing this technology with the world means.

  SD: The latest official release is 0.13.1. Will there be major new features in the future? What will the 1.0 release accomplish?

  DC: Version 0.14.0 alone will have as many as 218 changes. The biggest change to the system is that we have directly improved data integrity. This change is invisible to users, but it is very valuable for the future development of the whole system. Given the scale of the data and clusters, problems appear frequently in both memory and disk, which is a danger. We have also added the ability to change file times, some MapReduce C++ API functions, some other host features, and bug location and fixes.

  Hadoop 0.15.0 is also taking shape, with 88 changes planned. This release will add authentication and authorization for the file system, making information access within the same server cluster more secure. We also plan to revise a large part of the MapReduce API. 0.15.0 will be a difficult release because it requires users to modify their applications, and we hope to get it done in one step. We also hope 0.15 will be the last release before 1.0. After 1.0 we will be very conservative and will not make sudden large changes. We will also pay close attention to backward compatibility, which becomes even more important for 1.0: any code written for 1.0 should continue to run on later 1.x releases, so we need to ensure our current APIs can be extended easily to future versions. We will try to get this in place in 0.15.

  Read the original English article: Yahoo's Doug Cutting on MapReduce and the Future of Hadoop

IE7 support IPv6

[Unspecified 2008/12/03 18:07 | by ipaddr ]

Starting with IE7 and above, WinINet supports IPv6 literals in the hostname and in the authority component of the URI. WinINet also supports the use of IPv6 literals in relevant portions of the HTTP protocol, such as in the Location header.

Hostname IPv6 Literals and URI Components

WinINet implements IPv6 literals according to the specifications in RFC 3513. As specified in this RFC, IPv6 literals in a URI must be enclosed in brackets. For example, http://[::1]/ is a valid IPv6 URI; the form without brackets (http://::1/) is not valid. Hostname IPv6 literals that are not part of the URI, however, do not need to be enclosed in the brackets; either form is acceptable to WinINet. For example, both "::1" and "[::1]" are acceptable forms of IPv6 hostname literals. Other APIs, such as the WinSock API, will also accept both forms. Thus applications should be prepared to handle both forms of IPv6 hostname literals.

Scope ID

The IPv6 literal address in the URI may include a scope ID. A scope ID can be an interface ID such as [FE80::1%1]. The URI standard, documented in RFC 3986, does not define the syntax for the scope ID, and the URI is considered non-uniform when the scope ID is present. However, WinINet accepts a scope ID in the authority component of the URI, and in the hostname IPv6 literal.

The percent character (%) in the IPv6 literal address must be percent escaped when present in the URI. For example, the scope ID FE80::2%3, must appear in the URI as "http://[FE80::2%253]/", where %25 is the hex encoded percent character (%). If the application retrieves the URI from a Unicode API, such as the Winsock WSAAddressToString API, the application must add the escaped version of the percent character (%) in the hostname of the URI. To create the escaped version of the URI, applications call InternetCreateUrl with the dwFlags parameter set to ICU_ESCAPE_AUTHORITY, and the IPv6 hostname specified in the URL components structure specified in the lpUrlComponents parameter.

For all sockets operations, WinINet uses the scope ID. However, because the scope ID has only local host significance, it is not sent as part of the HTTP protocol headers in the request. For example, the call to InternetOpenUrl is called with the following URL in the lpszUrl parameter.

http://[fec0::2%251]:80/path.htm

The scope ID portion of the URL is removed by WinINet when the HTTP request is sent for this URL. The request contains the following headers:

GET path.htm HTTP/1.1
Host: [fec0::2]

IPv6 URIs in IE7

[Unspecified 2008/12/03 18:01 | by ipaddr ]

One of the benefits of creating a new URI parsing API for IE7 was that we were able to more easily add support for IPv6 addresses in URIs throughout IE7. This blog post will describe the use of IPv6 URIs in IE7.

IPv6 Syntax

One of the advantages of IPv6 over IPv4 is that IPv6 addresses are four times longer than IPv4 addresses (128 bits vs. 32 bits), allowing for about 3.402 * 10^38 unique IPv6 addresses. Due to the longer length, a new and more compact textual representation is used for IPv6 addresses. IPv6 addresses are written as groups of four hexadecimal digits delimited by colons. For the full details on IPv6 addresses and their textual representation, see the IPv6 Addressing standard. The following is an example of an IPv6 address:

fec0::abcd

The old URI syntax and the IPv6 address syntax conflicted so in accommodation, the URI syntax was modified. According to the latest URI standard, when you put an IPv6 address in the host, you must enclose it in square brackets. Thus, the previous example IPv6 address could appear as follows in a URI:

http://[fec0::abcd]/

URIs containing IPv6 addresses are not considered “special” in IE and they may be used anywhere IE accepts or displays a URI.

Scope-IDs

One explicit omission from the latest URI standard concerning IPv6 addresses is IPv6 scope-ids. IPv6 scope-ids specify which zone (a group of network connections) on a computer should be used when resolving a particular IPv6 address. See the IPv6 Scoped Address Architecture proposed standard for a full description of scope-ids. The scope-id appears after the IPv6 address delimited by a percent character. The previous IPv6 address example with a scope-id of 1 looks like this:

fec0::abcd%1

Non-encoded percents are not permitted in URIs, so in order to support scope-ids in IPv6 URIs, IE7 allows scope-ids following the IPv6 address when delimited by a percent-encoded percent character. Therefore, the previous example IPv6 address could appear in a URI in IE7 as follows:

http://[fec0::abcd%251]/

There is currently an IETF document describing an update to the URI standard to include scope-ids, however this is still in draft stage and so is not supported by IE7. MSDN has more details on IE7’s support for IPv6 scope-ids in URIs.
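The two posts above describe the same rules from two angles: the IPv6 literal must be bracketed, the scope-ID delimiter must travel as %25, the scope is used for the socket connection, and it is stripped before the Host header is built. The Python parser below is an added example written for this page, not WinINet or IE7 code; its regular expression, the unreserved-character rule for the scope ID, and the default-port handling are assumptions of the example. It reproduces the page's own case, http://[fec0::2%251]:80/path.htm, as a request with Host: [fec0::2].

```python
import ipaddress
import re

# Authority of an http(s) URI whose host is a bracketed IPv6 literal, with an
# optional port and path. Constructed for this example.
_IPV6_URI = re.compile(
    r"^(?P<scheme>https?)://\[(?P<literal>[^\]/]+)\]"
    r"(?::(?P<port>\d{1,5}))?(?P<path>/\S*)?$"
)
_SCOPE_ID = re.compile(r"^[A-Za-z0-9._~-]+$")   # unreserved characters only (assumption)
_DEFAULT_PORT = {"http": 80, "https": 443}


def parse_ipv6_uri(uri):
    """Split a bracketed-IPv6 URI into the parts WinINet/IE7 distinguish.

    Returns the canonical address, the scope ID decoded from %25 (or None),
    the port, the path, the host to hand to the socket layer (scope kept)
    and the Host header value (scope dropped, default port omitted).
    """
    m = _IPV6_URI.match(uri)
    if not m:
        raise ValueError("IPv6 literal must be enclosed in brackets")
    literal = m.group("literal")
    addr_text, sep, scope = literal.partition("%25")
    if not sep and "%" in literal:
        raise ValueError("scope delimiter must be percent-encoded as %25")
    if sep and not _SCOPE_ID.match(scope):
        raise ValueError("malformed scope ID")
    address = ipaddress.IPv6Address(addr_text)   # ValueError on a bad literal
    scheme = m.group("scheme")
    port = int(m.group("port")) if m.group("port") else _DEFAULT_PORT[scheme]
    path = m.group("path") or "/"
    host_header = f"[{address.compressed}]"
    if port != _DEFAULT_PORT[scheme]:
        host_header += f":{port}"
    socket_host = address.compressed + (f"%{scope}" if sep else "")
    return {
        "address": address.compressed,
        "scope": scope if sep else None,
        "port": port,
        "path": path,
        "socket_host": socket_host,    # e.g. "fec0::2%1", local significance only
        "host_header": host_header,    # e.g. "[fec0::2]", what goes on the wire
    }


def build_request(uri):
    """Minimal GET request line plus Host header, scope ID removed."""
    p = parse_ipv6_uri(uri)
    return f"GET {p['path']} HTTP/1.1\r\nHost: {p['host_header']}\r\n\r\n"
```

Rejecting a raw "%" inside the brackets, rather than guessing at it, keeps a URI that one component would treat as a scope delimiter from being forwarded as-is to a peer that has no such zone.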

Trying It Out

If you’re interested in trying this out yourself with your own web server, but aren’t connected to an IPv6 network, you can enable the IPv6 stack in Windows, and open the URI http://[::1]/ in IE7. The IPv6 address ::1 is the loopback address, similar to the IPv4 address 127.0.0.1. This will allow you to connect to your own computer’s web server via an IPv6 address.

Conclusion

I’ve described the use of and syntax of IPv6 URIs in IE7 at a high level, but if you’re interested in the nitty-gritty details, check out the provided links to documents that describe IPv6 addressing and URIs in greater detail and try out IPv6 URIs on your own. Additionally, I should mention that although support for IPv6 URIs is new to IE7 and not available in IE6, IE6 does support DNS names backed by IPv6 addresses. Please leave me any IPv6 URI related comments or questions.

IPv6 address scheme

[Unspecified 2008/12/03 16:11 | by ipaddr ]
   Compared with IPv4, the main change in IPv6 is that the address length is 128 bits, which means there can be 2^128 IP addresses, roughly a 1 followed by 38 zeros. Such a vast address space is enough to give every person on earth one or more IP addresses.

IPv6 address types

    RFC 1884 specifies three types of IPv6 address, which occupy different parts of the address space:
  • Unicast: this type of address identifies a single interface. A packet sent to a unicast address is delivered only to the interface that has that address.
  • Anycast: this type of address identifies a set of interfaces; a packet sent to an anycast address is delivered to only one of the interfaces in the set (chosen by routing distance).
  • Multicast: this type of address identifies a set of interfaces; a packet sent to a multicast address is delivered to all interfaces that belong to the group.
    Unlike IPv4, IPv6 introduces anycast addresses and replaces the IPv4 broadcast address with multicast addresses.


IPv6 address representation

    As we know, an IPv4 address is 32 bits (4 bytes) long. It is written with each byte representing an unsigned decimal integer, the four bytes appearing as four decimal numbers separated by three dots, for example:
     10.1.123.56

A similar notation is needed for the 128-bit IPv6 address. Since an IPv6 address is four times as long, the standard syntax defined in RFC 1884 writes the 128 bits (16 bytes) as eight 16-bit unsigned integers, each expressed as four hexadecimal digits and separated by colons (:), for example:
    3ffe:3201:1401:1:280:c8ff:fe4d:db39

    The example above shows how hard it is to manage IPv6 addresses by hand, and why DHCP and DNS are necessary. To simplify IPv6 notation further, leading zeros may be dropped as long as the value is unchanged: 0000 can be written as 0, 0001 as 1, 0020 as 20 and 0300 as 300. For example:

    1080:0000:0000:0000:0008:0800:200C:417A
    0000:0000:0000:0000:0000:0000:0A00:0001

    can be abbreviated to:

    1080:0:0:0:8:800:200C:417A
    0:0:0:0:0:0:A00:1

    In addition, the symbol :: may stand for a run of zeros, so the addresses above can be simplified further to:
    1080::0:8:800:200C:417A
    ::A00:1

    An IPv6 address prefix (FP, Format Prefix) is written the same way as an IPv4 prefix in CIDR notation. For example, 0020:0250:f002::/48 denotes a network address space with a 48-bit prefix.

IPv6 address allocation


    RFC 1881 states that the IPv6 address space must be managed in the interest of the Internet community and allocated through a central authority. That authority is currently IANA (Internet Assigned Numbers Authority). IANA allocates IPv6 addresses following the advice of the IAB (Internet Architecture Board) and the IESG.

    IANA has so far delegated the task of IPv6 address allocation to three regional organizations:

  • RIPE-NCC in Europe (www.ripe.net)
  • INTERNIC in North America (www.internic.net)
  • APNIC in the Asia-Pacific region (www.apnic.net)

This is based mainly on the official FDS documentation:
http://directory.fedoraproject.org/wiki/Install_Guide
(Unless otherwise noted, the steps below require root privileges.)
(Original by 鱼漂, 一直漂 [admin.net#163.com]; please credit the source when reposting.)

1. Requirements
Apache2
Java runtime
You can install the httpd and openjdk packages shipped on the Fedora 9 CD.

2. Configure your host name
Assume your domain is systemadmin.cn and your DC is named dc.systemadmin.cn; first set the hostname to dc.systemadmin.cn
(run the hostname command and edit /etc/sysconfig/network and /etc/hosts)

3. Configure the FDS yum repositories
cd /etc/yum.repos.d
wget http://directory.fedoraproject.org/sources/idmcommon.repo
wget http://directory.fedoraproject.org/sources/dirsrv.repo

4. Install FDS
yum install fedora-ds

Install the Directory Server Gateway
yum install fedora-ds-dsgw

5. Initial configuration
Run /usr/sbin/setup-ds-admin.pl to perform the initial configuration
Remember the admin and directory manager passwords you set, and the console port (assume it is configured as 8088; it is needed later)
When configuration finishes, Fedora Directory Server is started automatically

If you installed DSGW, run /usr/sbin/setup-ds-dsgw to configure it

6. Verify the installation
Open http://localhost:8088/ ; if it cannot be reached, the FDS dirsrv-admin service is not running

Query with the following command:
/usr/lib/mozldap/ldapsearch [-h <your host>] [-p <your port>] -s base -b "" "objectclass=*"

If using OpenLDAP's ldapsearch:
/usr/bin/ldapsearch -x [-h <your host>] [-p <your port>] -s base -b "" "objectclass=*"
If no error is printed, FDS is running.

Check that java -version works; if not, install a Java runtime and set up the Java environment so that the java command can be run (export JAVA_HOME, export PATH=$JAVA_HOME/bin:$PATH)
Run /usr/bin/fedora-idm-console to start the management console
The user is admin, the password is the one set earlier, and the address is http://localhost:8088/
If you can see the management interface, configuration and startup succeeded.

7. Start Fedora Directory Server automatically
chkconfig dirsrv on
chkconfig dirsrv-admin on

Judging from the management interface, FDS is much easier to use than OpenLDAP

Red Hat's official documentation: http://www.redhat.com/docs/manuals/dir-server/

OpenLDAP MigrationTools

[Unspecified 2008/10/05 19:30 | by ipaddr ]

http://www.padl.com/OSS/MigrationTools.html

The MigrationTools are a set of Perl scripts for migrating users, groups, aliases, hosts, netgroups, networks, protocols, RPCs, and services from existing nameservices (flat files, NIS, and NetInfo) to LDAP.

The tools require the ldapadd and ldif2dbm commands, which are distributed with most LDAP servers derived from the University of Michigan LDAP distribution. The source code for these is available with OpenLDAP. Additionally, Netscape provide an implementation of ldapmodify which subsumes the functionality of ldapadd. If you are using Netscape's Directory Server, you should set the $NSHOME and $serverId environment variables to assist the MigrationTools in locating your LDAP database and LDIF tools; they will use ldapmodify instead of ldapadd.  

These tools are freely redistributable according to the license included with the source files. They may be bundled with NIS/LDAP migration products. See RFC 2307 for more information on the schema used by these scripts. THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY AND WITHOUT SUPPORT.

Scripts  

  • migrate_base.pl creates naming context entries, including subordinate contexts such as ou=people and ou=devices.  
  • migrate_aliases.pl migrates aliases in /etc/aliases to entries conforming to the rfc822MailGroup schema. Organizations who have deployed LDAP-based messaging solutions, such as Netscape's Messaging Server, may wish to use a different schema for representing mail aliases. Ypldapd does not use X.500 groups (such as groupOfUniqueNames) for mail alias expansion because flattening an arbitrarily nested group at runtime may be expensive. (It is possible to write a ypldapd plug-in to support such a schema, however.)
  • migrate_group.pl migrates groups in /etc/group  
  • migrate_hosts.pl migrates hosts in /etc/hosts  
  • migrate_networks.pl migrates networks in /etc/networks  
  • migrate_passwd.pl migrates users in /etc/passwd. Note that if users are allowed to read the userPassword attribute, and your LDAP server doesn't support authenticating against hashed passwords, then anyone may read the userPassword attribute's value and authenticate as that user. Modern LDAP servers, such as Netscape Directory Server, support authenticating against hashed passwords, so this is not an issue. The OpenLDAP LDAP server also supports such authentication.  
  • migrate_protocols.pl migrates protocols in /etc/protocols  
  • migrate_services.pl migrates services in /etc/services  
  • migrate_netgroup.pl migrates netgroups in /etc/netgroup  
  • migrate_netgroup_byuser.pl migrates the netgroup.byuser map. It requires revnetgroup.  
  • migrate_netgroup_byhost.pl migrates the netgroup.byhost map. It requires revnetgroup.  
  • migrate_rpc.pl migrates RPCs in /etc/rpc

Configuration  

The configuration for these Perl scripts is contained at the head of migrate_common.ph:  

  • $DEFAULT_MAIL_DOMAIN: The mail domain used for the mail attribute in migrate_passwd.pl when extended schema support is enabled. You may override this with the DEFAULT_MAIL_DOMAIN environment variable.
  • $DEFAULT_BASE: The naming suffix to use in entries' distinguished names. If undefined, this will be constructed by mapping the mail domain name into a distinguished name (eg aceindustry.com becomes dc=aceindustry,dc=com). You may override this with the LDAP_BASEDN environment variable.
  • $EXTENDED_SCHEMA: Enables extended schema support. This adds the organizationalPerson and inetOrgPerson object classes, amongst others, to users migrated by the migrate_passwd.pl script.
  • NAMINGCONTEXT: Determines the LDAP/X.500 naming context to use for a migration tool. The dictionary is keyed by tool (as in migrate_tool.pl). Values are concatenated with $DEFAULT_BASE by the &getsuffix() subroutine.

The following environment variables control the behavior of the migration shell scripts:  

  • DEFAULT_MAIL_DOMAIN: See above.
  • LDAPADD: Path to the ldapadd executable, for online migration (if not in the path or /usr/local/bin or /usr/bin).
  • LDIF2LDBM: Path to the ldif2ldbm executable, for offline migration (if not in the path or /usr/local/bin or /usr/bin).
  • PERL: Path to the Perl interpreter (if not /usr/bin or /usr/local/bin).
  • LDAPHOST: Your LDAP server, for online migration. This is optional; you'll be prompted if the environment variable is not set.
  • LDAP_BASEDN: See above ($DEFAULT_BASE). This is optional; you'll be prompted if the environment variable is not set.
  • LDAP_BINDDN: The distinguished name to bind to the LDAP server as, for online migration. This is optional; you'll be prompted if the environment variable is not set.
  • LDAP_BINDCRED: The password to bind to the LDAP server with, for online migration. This is optional; you'll be prompted if the environment variable is not set.

You will probably wish to use a shell script or makefile to automate population of your LDAP database, either off-line (with ldif2ldbm) or on-line (with ldapadd). The migrate_all_*.sh shell scripts do this, but you may wish to customize their behaviour. The following table explains which migration scripts to use:

Shell script: existing nameservice; LDAP running?

  • migrate_all_online.sh: /etc flat files; LDAP running: yes
  • migrate_all_offline.sh: /etc flat files; LDAP running: no
  • migrate_all_netinfo_online.sh: NetInfo; LDAP running: yes
  • migrate_all_netinfo_offline.sh: NetInfo; LDAP running: no
  • migrate_all_nis_online.sh: NIS/YP; LDAP running: yes
  • migrate_all_nis_offline.sh: NIS/YP; LDAP running: no
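The core of migrate_passwd.pl and migrate_group.pl is a mapping from /etc/passwd, /etc/shadow and /etc/group fields onto the RFC 2307 posixAccount, shadowAccount and posixGroup object classes, with the existing crypt hash carried over as userPassword: {crypt}... and the suffix derived from the mail domain as described for $DEFAULT_BASE. The Python below is an added example written for this page, not the MigrationTools' own Perl; the sample passwd, shadow and group lines and the hash values are constructed, and the choice of the account object class for non-extended entries (inetOrgPerson when extended) is this example's assumption. Locked or placeholder password fields ("!", "*", "x") produce no userPassword at all rather than an unusable hash.

```python
import base64

# Constructed sample name-service data; the hash values are fake.
SAMPLE_PASSWD = """\
myuser:x:1025:9000:My User:/home/myuser:/bin/bash
locked:x:1026:9000:Locked User:/home/locked:/bin/bash
"""
SAMPLE_SHADOW = """\
myuser:$6$saltsalt$fakehashvalue:17800:0:99999:7:::
locked:!$6$saltsalt$fakehashvalue:17800:0:99999:7:::
"""
SAMPLE_GROUP = """\
ldapusers:x:9000:myuser,locked
"""
# /etc/shadow fields 3..9 map onto these shadowAccount attributes (RFC 2307).
SHADOW_FIELDS = ["shadowLastChange", "shadowMin", "shadowMax",
                 "shadowWarning", "shadowInactive", "shadowExpire", "shadowFlag"]


def domain_to_dn(domain):
    """Mail domain -> base DN, as $DEFAULT_BASE is derived when unset."""
    return ",".join(f"dc={label}" for label in domain.strip(".").split("."))


def parse_shadow(text):
    """uid -> (crypt hash or None if unusable, aging fields)."""
    out = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        pw = f[1]
        usable = bool(pw) and pw[0] not in "!*" and pw != "x"
        out[f[0]] = (pw if usable else None, f[2:9])
    return out


def build_user_entries(passwd_text, shadow_text, base, extended=False):
    """One dict per user: dn plus attribute -> list of values."""
    shadow = parse_shadow(shadow_text)
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        uid, _, uidnum, gidnum, gecos, home, shell = line.split(":")[:7]
        cn = gecos.split(",")[0] or uid
        classes = ["top", "posixAccount", "shadowAccount"]
        classes += (["person", "organizationalPerson", "inetOrgPerson"]
                    if extended else ["account"])
        e = {"dn": f"uid={uid},ou=People,{base}", "objectClass": classes,
             "uid": [uid], "cn": [cn], "uidNumber": [uidnum],
             "gidNumber": [gidnum], "homeDirectory": [home], "loginShell": [shell]}
        if gecos:
            e["gecos"] = [gecos]
        if extended:
            e["sn"] = [cn.split()[-1]]       # person/inetOrgPerson require sn
        pw_hash, aging = shadow.get(uid, (None, []))
        if pw_hash:
            e["userPassword"] = ["{crypt}" + pw_hash]
        for name, value in zip(SHADOW_FIELDS, aging):
            if value:
                e[name] = [value]
        entries.append(e)
    return entries


def build_group_entries(group_text, base):
    entries = []
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, gidnum, members = (line.split(":") + [""])[:4]
        e = {"dn": f"cn={name},ou=Group,{base}",
             "objectClass": ["top", "posixGroup"], "cn": [name], "gidNumber": [gidnum]}
        member_uids = [m for m in members.split(",") if m]
        if member_uids:
            e["memberUid"] = member_uids
        entries.append(e)
    return entries


def _ldif_line(attr, value):
    """Plain 'attr: value' when safe, base64 'attr:: ...' otherwise."""
    safe = value.isascii() and "\n" not in value and value[:1] not in (" ", ":", "<")
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def to_ldif(entries):
    blocks = []
    for e in entries:
        lines = [f"dn: {e['dn']}"]
        for attr, values in e.items():
            if attr != "dn":
                lines += [_ldif_line(attr, v) for v in values]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

As the page notes for migrate_passwd.pl, the userPassword values written here are only as safe as the directory's access control on that attribute; the generator copies hashes, it does not decide who may read them.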

 


Centralized user account management with OpenLDAP

OpenLDAP on Red Hat provides secure, reliable account management


Building a centralized authentication system with the Lightweight Directory Access Protocol (LDAP) reduces administrative cost, strengthens security, avoids data replication problems and improves data consistency. As Linux® has matured, many tools have appeared to simplify migrating user account information into an LDAP directory. Tools have also been developed to configure encrypted communication between clients and the directory server and to provide fault tolerance through replication. This article shows you how to configure a server and clients to use OpenLDAP on Red Hat Linux.

[鱼漂] Note: the Migration Tools mentioned in this article are not bundled in openldap-servers; they must be downloaded from:
http://www.padl.com/OSS/MigrationTools.html
Moreover, after the configuration is done I have not yet found a suitable management tool; operations such as adding or copying users are still cumbersome.


The document comes from IBM; click here to download the PDF version:
[file]attachment/200810/linuxopenldap.zip[/file]

Related document: OpenLDAP Admin Guide
[file]attachment/200810/openldap-admin-guide.zip[/file]

Related document: LDAP System Administration
[file]attachment/200810/ldapsystemadministration.zip[/file]

Installation documents for OpenLDAP + pam_ldap on RHEL:
1. Installing and configuring OpenLDAP for RedHat Enterprise Linux3
2. Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3

Linux LDAP authentication

[Unspecified 2008/10/05 02:10 | by ipaddr ]

http://www.linux.com/feature/114074

When you have to administer a network of many machines, you quickly find out how much duplication of effort is involved with normal administrative tasks. Routine operations like changing passwords, canceling accounts, and modifying groups become time-consuming if repeated on many individual machines. Centralizing user and authentication information can solve these issues. The former king of centralized authentication systems was NIS, or Network Information System. NIS is a simple and well-supported technology, but it's also insecure. LDAP, short for Lightweight Directory Access Protocol, is now the preferred way of managing centralized user accounts.

LDAP's purpose is to describe how directory data should be presented and how it should travel across networks. LDAP servers typically allow information to be read very quickly at the expense of writing. The basic functionality of an LDAP server is similar to that of a database, but more like a database designed for fast reads of relatively static information. Passwords and groups are good examples of relatively static information that needs to be read quickly. OpenLDAP is a free software implementation of the LDAP protocol. Installing OpenLDAP gives you everything needed to present and store data through LDAP.


Learning LDAP can be a frustrating experience. LDAP is complicated, and centralized authentication is only one of its many legitimate uses. As a result, the task of making Linux machines consult an LDAP server for authentication is a black art. Documentation tends to be spotty and confusing. But learning about LDAP authentication, despite its difficulty, is worth the time and effort. LDAP can provide a scalable and secure approach to network management.

Setting up an LDAP-based network

We will set up a simple LDAP-based authentication system. Our example will use two Debian 3.1 (Sarge) machines, one acting as client and one as a server. To make the process even simpler, use User Mode Linux to create virtual Linux boxes that you can break and abuse to your heart's content. For simplicity, we will not be encrypting communication and will stick to basic examples.

First we will cover the server configuration. On your "server" Debian system, issue the following command:

apt-get install slapd ldap-utils

This will install OpenLDAP and related utilities. Debian will prompt you for slapd (the name of the OpenLDAP daemon) configuration values. The "Admin password" will be the password you want to use when adding or deleting from LDAP and for certain client tasks. "DNS domain name" is important and must be a domain name resolvable to your LDAP server.

Omit OpenLDAP server configuration? no
DNS domain name: example.org
Name of your organization: example_organization
Admin password: ldap
Database backend to use: BDB
Do you want your database to be removed when slapd is purged? no
Allow LDAPv2 protocol? no

With slapd configured, you can test if your installation is working correctly. After running the following command, you should see LDAP information:

ldapsearch -x -b dc=example,dc=org

We now have a functioning LDAP server, but it is of no use until we populate it with basic information. Make a file called base.ldif and populate it with the following values:

dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

Save the file and add the data in it to the running LDAP server with the following command:

ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f base.ldif

You will be prompted for the password you chose during the configuration of slapd. If your password was correct and your ldif file was in good order, you will see a line beginning with "adding new entry."

Next we will add a group that our LDAP users will be a part of. Add the following values to a file called group.ldif:

dn: cn=ldapusers,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 9000

Though in my example I chose "ldapusers," you can change this value to anything you like. You can also choose any gidNumber you like. Once you have a group.ldif you like, add it the same way as you added the base.ldif:

ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f group.ldif

The final server step in this example is adding an LDAP user. Create an ldif file called myuser.ldif with the following values:

dn: cn=Myuser,ou=People,dc=example,dc=org
cn: Myuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: myuser
uidNumber: 1025
gidNumber: 9000
homeDirectory: /tmp


This will make a user called "myuser" with a uid of 1025 who lives in /tmp and is a member of the LDAP-only group "ldapusers." This user doesn't have a password yet, but we will save that task for the client machine.
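A typo in one of these LDIF files is only reported by ldapadd one entry at a time, and a user whose gidNumber points at no group, or whose object classes demand an attribute that is missing, is easy to create. The Python below is an added example for this article, not part of it or of OpenLDAP: a small LDIF reader plus a checker that knows the MUST attributes of the object classes used here (a constructed subset of the RFC 2307 and inetOrgPerson schema) and verifies group references. Run over the article's own three files it reports exactly one finding, the missing userPassword the text itself mentions.

```python
import base64

# MUST attributes per object class; a constructed subset of the schema.
REQUIRED = {
    "top": set(),
    "organizationalUnit": {"ou"},
    "posixGroup": {"cn", "gidNumber"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "shadowAccount": {"uid"},
    "inetOrgPerson": {"sn", "cn"},     # inherited from person
}

# The three files as given in the article.
BASE_LDIF = """\
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
"""
GROUP_LDIF = """\
dn: cn=ldapusers,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 9000
"""
MYUSER_LDIF = """\
dn: cn=Myuser,ou=People,dc=example,dc=org
cn: Myuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: myuser
uidNumber: 1025
gidNumber: 9000
homeDirectory: /tmp
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts ('dn' included)."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last:         # folded continuation line
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                # attr:: base64 value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last = attr
    if current:
        entries.append(current)
    return entries


def check_entries(entries):
    """Return a list of human-readable findings; empty means clean."""
    findings = []
    group_gids = {e["gidNumber"][0] for e in entries
                  if "posixGroup" in e.get("objectClass", []) and "gidNumber" in e}
    seen_uidnums = {}
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        classes = e.get("objectClass", [])
        for cls in classes:
            for attr in sorted(REQUIRED.get(cls, set())):
                if attr not in e:
                    findings.append(f"{dn}: objectClass {cls} requires {attr}")
        if "posixAccount" in classes:
            gid = e.get("gidNumber", [None])[0]
            if gid not in group_gids:
                findings.append(f"{dn}: gidNumber {gid} matches no posixGroup in this LDIF")
            num = e.get("uidNumber", [None])[0]
            if num in seen_uidnums:
                findings.append(f"{dn}: uidNumber {num} already used by {seen_uidnums[num]}")
            seen_uidnums[num] = dn
            if "userPassword" not in e:
                findings.append(f"{dn}: no userPassword (cannot authenticate until one is set)")
    return findings
```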

Client configuration

The client steps provided here will work for any machine you wish to make authenticate via LDAP. Make sure your client can communicate with the server and that pinging "example.org" from the client returns the correct IP address of the server.

On the client machine, install OpenLDAP and PAM (Pluggable Authentication Modules) utilities, as well as NSCD, the Name Service Cache Daemon, with the command:

apt-get install ldap-utils libpam-ldap libnss-ldap nscd

One of the first packages Debian asks you to configure is libnss-ldap. Important values for your particular setup are the "LDAP server host" and the "distinguished name," or DN for short. The server host will be the IP address of the LDAP server, while the DN will be the server's host name. Also note the DN should be in the form of "dc=example,dc=org". The following is a typical libnss-ldap configuration:

LDAP Server host: 192.168.1.30
The distinguished name of the search base: dc=example,dc=org
LDAP version to use: 3
database requires login? no
make configuration readable/writeable by owner only? yes


The values for libpam-ldap will be similar to those of libnss-ldap. Note that the "Root login password" is the same password you chose during the server's slapd configuration. Enter the following when prompted:

The distinguished name of the search base: dc=example,dc=org
Make local root Database admin: yes
Database requires logging in: no
Root login account: cn=admin,dc=example,dc=org
Root login password: ldap
Local crypt to use when changing passwords: exop


Next, we need to tell the client's underlying authentication system to use LDAP to look for users. The first file to edit is /etc/nsswitch.conf. Make sure to add "ldap" to the passwd, group, and shadow lines:

passwd: ldap compat
group: ldap compat
shadow: ldap compat

We need to configure the client's PAM software to check LDAP for user authentication. There are three files to edit under /etc/pam.d: common-account, common-auth, and common-password. First,

/etc/pam.d/common-account should contain the following:

account sufficient pam_ldap.so
account required pam_unix.so try_first_pass

/etc/pam.d/common-auth should contain:

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure try_first_pass

Finally, /etc/pam.d/common-password should contain:

password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass


The changes we made to /etc/nsswitch.conf and the PAM configuration files allow the client to check LDAP before allowing a user on the system, but will also fall back on local authentication methods should LDAP fail or not have information about a given user.

The last file to edit is /etc/ldap/ldap.conf. Adding information about our LDAP server here makes issuing LDAP commands on the client easier. Add lines for your setup similar to the following:

BASE dc=example,dc=org
URI ldap://192.168.1.30

At this point, you should be able to change the password of the user you created earlier. First restart nscd, then change the ldap user's password:

/etc/init.d/nscd restart
passwd myuser

After changing the password, login as myuser on the client machine. Congratulations, you've just authenticated over LDAP.

Implementing LDAP on Linux isn't exactly difficult once you know the right changes to make. For reasons I cannot explain, however, most information I have read about LDAP seems to convey just how much trouble the author had implementing it. Finding the right changes in the first place is usually the most challenging part. Linux distributions could automate this process a little more; having front ends to server and client configuration would take Linux far in the LDAP world.
