Fun with OpenLDAP on OS X


LDAP has always been very frustrating to me. But it is out there, and getting to play with it can be useful. So here are the steps I took to set up a local LDAP server on my OS X laptop running OpenLDAP (slapd).

*WARNING* – You may need to sudo many of the commands below (anything that writes under /etc/openldap or /var/db, and starting slapd itself).

First, generate a password hash

slappasswd -s secret
This prints {SSHA}… (where … is a base64-encoded salted SHA-1 hash of the password, not an encrypted copy of it; slapd verifies a bind by hashing the supplied password with the same salt and comparing).
Copy the whole string, {SSHA} prefix included, to use it later. Note that -s puts the secret into your shell history and the process list; run slappasswd with no arguments to be prompted instead.

Create a slapd configuration

Slapd reads its configuration from /etc/openldap/slapd.conf. A sample, slapd.conf.default, ships alongside it; copy the sample and edit the copy.
cd /etc/openldap/
cp slapd.conf.default slapd.conf
nano slapd.conf

In the file, find the following entries and change them to match:
database bdb
directory /var/db/openldap/openldap-data/
suffix "dc=somedomain,dc=org"
rootdn "cn=manager,dc=somedomain,dc=org"
rootpw (paste the {SSHA}… string from slappasswd here; never a cleartext password)

Save your changes, then run:
/usr/libexec/slapd -d 255
The -d (debug level) flag only looks required: without it, slapd forks into the background and your shell returns immediately, so it seems as if nothing happened. Any -d value keeps slapd in the foreground; 255 is very verbose and 0 prints no debug output at all. At this point your slapd is running, but its database is empty.

Loading your LDAP and viewing it

You first need to create a file containing your directory data (let’s call it initial.ldif). Something like this: initial.ldif

This sample file creates, under the suffix dc=somedomain,dc=org that our rootdn "cn=manager,dc=somedomain,dc=org" administers, an actual domain object, a people structure (ou=people) and a group structure (ou=groups). John Smith, Susan Adams and Bob Adams are our sample people. Their password is set to the {MD5} hash of ‘test’ (which you’ll be able to change with the password changer below). {MD5} is an unsalted hash and is only acceptable for a throwaway test directory; for anything real, generate {SSHA} values with slappasswd instead. The file also creates the group registered_users with only Bob and John as members.

Now we’ll use the ldapadd command to load the data into our database, binding as the rootdn from slapd.conf (cn values match case-insensitively, so cn=Manager and cn=manager are the same DN); -W prompts for the secret you hashed earlier:
ldapadd -x -D "cn=Manager,dc=somedomain,dc=org" -f initial.ldif -W

To see if it worked and view the data, you can use the command line and issue an LDAP search:
ldapsearch -x -b 'dc=somedomain,dc=org' '(objectclass=*)'
This is an anonymous search (-x with no -D). If slapd.conf contains no access directives, OpenLDAP’s default policy is read access for everyone, so the output will include the userPassword hashes of every user; restrict userPassword with an access directive before putting real accounts in the directory.
You can also use utilities like JXplorer (multi-platform) or LDAPManager (OS X).
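The whole procedure above, as an added example that is not from the original post: a POSIX shell script that generates the database section of slapd.conf (with the rootpw hash you pass in, plus an ACL that lets users change their own password and stops anonymous reads of userPassword) and the initial.ldif the post describes (domain object, ou=people, ou=groups, three users and the registered_users group), then loads and queries the directory. The uid values jsmith, sadams and badams, the organisation name, the output file names and the ACL are my assumptions; it expects slapd to already be running in another terminal as shown above.

```shell
#!/bin/sh
# Added example, not the post's own files. Assumes OpenLDAP's ldapadd and
# ldapsearch are on PATH, slapd is already running, and the suffix is
# dc=somedomain,dc=org as in the post.
set -eu

SUFFIX="dc=somedomain,dc=org"
ROOTDN="cn=manager,${SUFFIX}"
# {MD5} hash of the string "test", the value the post gives its sample users.
# Computed offline; equivalent to: printf test | openssl dgst -md5 -binary | base64
TEST_MD5='{MD5}CY9rzUYh03PK3k6DJie09g=='

# Emit the database section of slapd.conf. $1 is the rootpw hash from
# `slappasswd`, never a cleartext password. The two access lines are an
# assumed hardening: without any access directive slapd lets everyone,
# anonymous users included, read userPassword.
make_slapd_conf() {
    printf '%s\n' \
        'database bdb' \
        'directory /var/db/openldap/openldap-data/' \
        "suffix \"${SUFFIX}\"" \
        "rootdn \"${ROOTDN}\"" \
        "rootpw $1" \
        'access to attrs=userPassword by self write by anonymous auth by * none' \
        'access to * by * read'
}

# One inetOrgPerson entry: $1 uid, $2 given name, $3 surname.
person_entry() {
    printf 'dn: uid=%s,ou=people,%s\n' "$1" "$SUFFIX"
    printf 'objectClass: inetOrgPerson\n'
    printf 'uid: %s\ncn: %s %s\ngivenName: %s\nsn: %s\n' "$1" "$2" "$3" "$2" "$3"
    printf 'userPassword: %s\n\n' "$TEST_MD5"
}

# The directory content the post describes, as LDIF on stdout.
make_initial_ldif() {
    # the domain object itself (dc must equal the first RDN of the suffix)
    printf 'dn: %s\nobjectClass: dcObject\nobjectClass: organization\ndc: somedomain\no: Some Domain\n\n' "$SUFFIX"
    # containers for people and groups
    printf 'dn: ou=people,%s\nobjectClass: organizationalUnit\nou: people\n\n' "$SUFFIX"
    printf 'dn: ou=groups,%s\nobjectClass: organizationalUnit\nou: groups\n\n' "$SUFFIX"
    person_entry jsmith John Smith
    person_entry sadams Susan Adams
    person_entry badams Bob Adams
    # registered_users holds Bob and John only
    printf 'dn: cn=registered_users,ou=groups,%s\nobjectClass: groupOfNames\ncn: registered_users\n' "$SUFFIX"
    printf 'member: uid=jsmith,ou=people,%s\nmember: uid=badams,ou=people,%s\n\n' "$SUFFIX" "$SUFFIX"
}

# Write both files, load the LDIF (ldapadd -W prompts for the rootpw
# secret) and list what got stored. Only runs when invoked as:
#   sh setup_ldap.sh --run '{SSHA}...'
run_setup() {
    make_slapd_conf "$1" > slapd.conf.fragment   # paste into /etc/openldap/slapd.conf
    make_initial_ldif > initial.ldif
    ldapadd -x -D "$ROOTDN" -W -f initial.ldif
    ldapsearch -x -b "$SUFFIX" '(objectClass=*)'
}

if [ "${1:-}" = "--run" ]; then
    run_setup "${2:?usage: --run '{SSHA}hash'}"
fi
```

After loading with the ACL above, the anonymous ldapsearch from the post still lists every entry but no longer shows any userPassword attribute; only a user bound as themselves (or the rootdn) can read or change it.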

You can use the following PHP code to check username password combos and group membership:
And this one to change passwords:
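The PHP listings are not reproduced here, so here is an added example (my code, not the post's) of the same three operations using the OpenLDAP command-line tools instead: verify a username/password pair by binding as that user, test membership in registered_users, and change a password with ldappasswd. It assumes the directory layout described above (ou=people, ou=groups, group registered_users under dc=somedomain,dc=org) and a slapd reachable on localhost. The point a PHP front end must get right is the same: every value that goes into a search filter is escaped per RFC 4515, and the user's DN is looked up by search rather than concatenated from the login name, otherwise a username such as *)(uid=* rewrites the filter.

```shell
#!/bin/sh
# Added example, not the post's PHP. Assumes ldapsearch, ldapwhoami and
# ldappasswd on PATH and the directory layout from the post.
set -eu

SUFFIX="dc=somedomain,dc=org"
PEOPLE="ou=people,${SUFFIX}"
GROUPS_OU="ou=groups,${SUFFIX}"

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, asterisk and parentheses become \5c, \2a, \28 and \29
# (NUL would become \00, but cannot occur in a shell string anyway).
# Backslash is handled first so the escapes themselves are not re-escaped.
filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Resolve a login name to its DN by searching with an escaped filter
# (not by string-building "uid=$1,ou=people,..."). Prints the DN, or
# nothing if there is no such user.
user_dn() {
    ldapsearch -x -LLL -b "$PEOPLE" "(uid=$(filter_escape "$1"))" dn | sed -n 's/^dn: //p'
}

# Verify a username/password pair by binding as that user. Returns 0 on
# success; on a wrong password ldapwhoami fails with "Invalid credentials".
check_credentials() {
    dn=$(user_dn "$1") || return 1
    [ -n "$dn" ] || return 1
    ldapwhoami -x -D "$dn" -w "$2" >/dev/null 2>&1
}

# Is user $1 a member of group $2? Looks for a group entry under ou=groups
# whose member attribute equals the user's DN (escaped as a filter value).
in_group() {
    dn=$(user_dn "$1") || return 1
    [ -n "$dn" ] || return 1
    ldapsearch -x -LLL -b "$GROUPS_OU" \
        "(&(cn=$(filter_escape "$2"))(member=$(filter_escape "$dn")))" dn \
        | grep -q '^dn:'
}

# Change user $1's password from $2 to $3: bind as the user with the old
# password and send the Password Modify extended operation (RFC 3062).
change_password() {
    dn=$(user_dn "$1") || return 1
    [ -n "$dn" ] || return 1
    ldappasswd -x -D "$dn" -w "$2" -s "$3" "$dn"
}

# Demo only: sh ldap_check.sh --demo jsmith test
if [ "${1:-}" = "--demo" ]; then
    if check_credentials "$2" "$3"; then echo "login ok"; else echo "login failed"; fi
    if in_group "$2" registered_users; then echo "in registered_users"; else echo "not in registered_users"; fi
fi
```

Two caveats for real use. First, -w and -s put passwords on the command line where ps and shell history can see them; the tools accept -W (prompt for the bind password), -S (prompt for the new password) and -y (read the password from a file) instead. Second, the self-service password change only succeeds if slapd's ACLs grant `by self write` on userPassword; with no access directives at all, slapd's default read-only policy rejects it for everyone except the rootdn.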

