redo headings, add See Also section, remove stub template
'''OpenLDAP''' is the LDAP server currently used to provide both NSS LDAP (on openldap1 and openldap2) as well as Iodine's student information database (on iodine-ldap). The actual OpenLDAP daemon is called slapd (Stand-alone LDAP daemon) and many of the OpenLDAP server management utilities begin with slap (eg, slapcat, slapadd) as a result.
We currently run OpenLDAP with Kerberos and SASL support to allow for GSSAPI passwordless authentication. To install this configuration on Gentoo, run:
<nowiki>echo "net-nds/openldap kerberos sasl overlays" >> /etc/portage/package.use
Note that at the time of this writing, OpenLDAP will only compile with Kerberos support using the MIT implementation. Therefore, if the system you are using for an OpenLDAP server is running the Heimdal implementation of Kerberos, you will need to uninstall it and install the MIT implementation before installing Cyrus-SASL and OpenLDAP.
/etc/openldap/slapd.conf is the primary configuration file for the OpenLDAP server. The config file is well-commented, however, the following configuration options are notable. For security reasons, the exact values for some options are not listed here.
*sasl-realm: This should be set to the kerberos realm that the server is in; in our case, almost certainly CSL.TJHSST.EDU.
*sasl-regexp: These lines are used to map Kerberos principals to LDAP DNs as part of the SASL binding process. They are processed in order and the first matching regex is used.
*index: These lines indicate which Indexes should be maintained by OpenLDAP to speed up searches. Note that if these options are changed, slapd must be stopped and slapindex must be used to regenerate the database indexes or searches that attempt to use the new Indexes may fail.
/etc/conf.d/slapd is used by Gentoo to setup the environment for running the OpenLDAP server.
#The keytab should contain the principal ldap/<Server FQDN> and should readable only by the user slapd runs as (by default, ldap)
#These options are used to tune the cache size and connection parameters
#will be difficult or impossible
We currently use one-way replication to propagate a copy of the NSS LDAP information from openldap1 (the master server or provider) to openldap2 (the slave server or consumer). To configure replication, first add the following lines to slapd.conf on the master server in the appropriate sections:
#This line redirects any ldapadd/ldapmodify commands made against openldap2 to openldap1