5.1. Creating a Database online

The OpenLDAP software package comes with an utility called ldapadd, used to add entries while the LDAP server is running. If you choose to create the Database online, you can use the ldapadd tool to add entries (you can also use other clients provided outside the OpenLDAP package to add entries, like the Ldap Browser). After adding the first entries, you can still use ldapadd to add more entries. You should be sure to set the following configuration options on your sladp.conf file before starting slapd:

suffix <dn> 

As described in the Section 3.4, this option says what entries are to be held by this database. You should set this to the DN of the root of the subtree you are trying to create. For example:

suffix "o=TUDelft, c=NL" 

You should be sure to specify a directory where the index files should be created:

directory /usr/local/tudelft 

You need to create this directory with appropriate permissions so that slapd can write to it.

You need to configure slapd so that you can connect to it as a directory user with permission to add entries. You can configure the directory to support a special super-user or root user just for this purpose. This is done through the following two options in the database definition:


rootdn <dn> 
rootpw <passwd>   /* Remember to use a SHA password here !!! */ 

These options specify a DN and password that can be used to authenticate as the "superuser" entry of the database (i.e., the entry allowed to do anything). The DN and password specified here will always work, regardless of whether the entry named actually exists or has the password given. This solves the chicken-and-egg problem of how to authenticate and add entries before any entries yet exist.

Slapd natively understands if you use a SHA-1 encrypted password on the rootpw directive. I use a Java class that generates SHA-1 passwords, but it's possible to use the command slappasswd to generate the passwords:

slappasswd -h {SHA}
rootpw    "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="

For example:


        rootdn "cn=Manager,dc=example,dc=com"
        rootpw "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="

The default output for slappasswd is to generate Secure Hash passwords {SSHA}, in this case you don't need to pass the -h parameter, just call slappasswd directly.

If you are using SASL as a mechanism to authenticate against LDAP, the rootpw line may be discarded. Take a look on the Section 3.4 and on the Section 6.2 for more details.

Finally, you should make sure that the database definition contains the index definitions you want:

index {<attrlist> | default} [pres,eq,sub,none] 

For example, to index the cn, sn, uid and objectclass attributes, the following index configuration lines could be used.


index cn,sn,uid pres,eq,sub
index objectClass pres,eq

Note: Note that not all index types are available with all attribute types. Take a look on the Section 3.6 for examples.

Once you have configured things to your liking, start up slapd, connect with your LDAP client, and start adding entries. For example, to add the TUDelft entry followed by a Postmaster entry using the ldapadd tool, you could create a file called /tmp/newentry with the contents:


o=TUDelft, c=NL 
objectClass=organization 
description=Technical University of Delft Netherlands 

cn=Postmaster, o=TUDelft, c=NL 
objectClass=organizationalRole 
cn=Postmaster 
description= TUDelft postmaster - [email protected] 

and then use a command like this to actually create the entry:

ldapadd -f /tmp/newentry -x -D "cn=Manager, o=TUDelft, c=NL" -w secret 

The above command assumes that you have set rootdn to "cn=Manager, o=TUDelft, c=NL" and rootpw to "secret" (maybe SHA-1 encrypted in slapd.conf). If you don't want to type the password on the command line, use the -W option for the ldapadd command instead of -w "password". You will be prompted to enter the password:


ldapadd -f /tmp/newentry -x -D "cn=Manager, o=TUDelft, c=NL" -W 
Enter LDAP Password: