Starting OpenLDAP on Mac OS X Client

LDAP is installed by default on every copy of Mac OS X. On Mac OS X Server it's easiest to get LDAP up and running, since you have a handy graphical means of manipulating LDAP in the Open Directory features of Server Admin and Workgroup Manager. But what about Mac OS X Client? It may be easier than you think…

To set up OpenLDAP on Mac OS X, we'll do three quick tasks: set a password, put the password hash into the configuration file, and start the daemon. To create that password, we're going to use slappasswd. Run the command and enter the password twice to get a salted hash that represents your password:

Krypted:~ cedge$ slappasswd
New password:
Re-enter new password:
{SSHA}GxYuEziafPAUJNwP17BRTAlubfPKDRUG

Copy that output into your clipboard. Now cd into the /etc/openldap directory. From there, cp the slapd.conf.default file to the slapd.conf file:

cp slapd.conf.default slapd.conf

Then edit the file. To do so, scroll down to the bottom. Here you'll see three things we're going to change (you can change more if you want, and you really only HAVE to change the first). The first is the password: the line that begins with rootpw. Delete secret from there and paste in the {SSHA} hash you created with slappasswd previously. The second and third are the suffix and rootdn lines. Here, change company to whatever domain you would like to use, and change cn=Manager in the rootdn line so that Manager becomes, well, something else (or leave that part). Save your changes to the file.

Now you’re ready to start up the daemon:

slapd -d 255

Port scan yourself. If port 389 is listening, you are now running an OpenLDAP server! Happy LDAPing (with or without slapconfig).
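The hash format slappasswd emits and the three slapd.conf edits above, as an added example that is not part of the original post: {SSHA} is base64(sha1(password + salt) + salt), so the hash can be verified by re-hashing with the embedded salt, and the rootpw/suffix/rootdn directives can be rewritten without touching the commented examples. The SAMPLE_CONF text is constructed from the stock file's tail; the password and domain are made up.

```python
import base64, hashlib, os, re

# Constructed sample: the tail of slapd.conf.default as reproduced in the post.
SAMPLE_CONF = """database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /private/var/db/openldap/openldap-data
index objectClass eq
"""


def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd emits it: base64(sha1(pw + salt) + salt), 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_parse(stored):
    """Split an {SSHA} value into (digest, salt); the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(password, stored):
    """True if password matches the stored {SSHA} hash (re-hash with the embedded salt)."""
    digest, salt = ssha_parse(stored)
    return hashlib.sha1(password.encode() + salt).digest() == digest


def get_directive(conf, name):
    """Value of the first uncommented `name value` line in slapd.conf text, or None."""
    m = re.search(r"^%s\s+(.*)$" % re.escape(name), conf, re.MULTILINE)
    return m.group(1).strip() if m else None


def set_directive(conf, name, value):
    """Replace the first uncommented `name ...` line; commented examples stay untouched."""
    pattern = re.compile(r"^%s\s+.*$" % re.escape(name), re.MULTILINE)
    new_conf, n = pattern.subn(lambda m: "%s %s" % (name, value), conf, count=1)
    if n == 0:
        raise ValueError("directive %s not found" % name)
    return new_conf


def configure(conf, password, base_dn, manager_cn="Manager"):
    """The post's three edits: hashed rootpw, suffix, rootdn."""
    conf = set_directive(conf, "rootpw", ssha_hash(password))
    conf = set_directive(conf, "suffix", '"%s"' % base_dn)
    conf = set_directive(conf, "rootdn", '"cn=%s,%s"' % (manager_cn, base_dn))
    return conf
```

Running get_directive(conf, "rootpw") on the edited text is a quick check that the stock cleartext value secret is gone before slapd is started.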

8 Comments

  • Arjen
    December 16, 2009 - 1:00 pm

    Maybe good to notice is that slapd is residing in /usr/libexec, which is not in everyone’s path. Using

    /usr/libexec/slapd -d 255

    should work for everyone.

  • gman
    July 3, 2010 - 1:58 am

    On my install (Snow Leopard 10.6.3) the “slapd.conf.default” is completely empty. What data does it usually contain? Would be great if you could provide the contents of that default file. Cheers.

    • June 28, 2012 - 9:36 pm

      Contents in Lion:

      —————-

      #
      # See slapd.conf(5) for details on configuration options.
      # This file should NOT be world readable.
      #
      include /private/etc/openldap/schema/core.schema

      # Define global ACLs to disable default read access.

      # Do not enable referrals until AFTER you have a working directory
      # service AND an understanding of referrals.
      #referral ldap://root.openldap.org

      pidfile /private/var/db/openldap/run/slapd.pid
      argsfile /private/var/db/openldap/run/slapd.args

      # Load dynamic backend modules:
      # modulepath /usr/libexec/openldap
      # moduleload back_bdb.la
      # moduleload back_hdb.la
      # moduleload back_ldap.la

      # Sample security restrictions
      # Require integrity protection (prevent hijacking)
      # Require 112-bit (3DES or better) encryption for updates
      # Require 63-bit encryption for simple bind
      # security ssf=1 update_ssf=112 simple_bind=64

      # Sample access control policy:
      # Root DSE: allow anyone to read it
      # Subschema (sub)entry DSE: allow anyone to read it
      # Other DSEs:
      # Allow self write access
      # Allow authenticated users read access
      # Allow anonymous users to authenticate
      # Directives needed to implement policy:
      # access to dn.base="" by * read
      # access to dn.base="cn=Subschema" by * read
      # access to *
      # by self write
      # by users read
      # by anonymous auth
      #
      # if no access controls are present, the default policy
      # allows anyone and everyone to read anything but restricts
      # updates to rootdn. (e.g., “access to * by * read”)
      #
      # rootdn can always read and write EVERYTHING!

      #######################################################################
      # BDB database definitions
      #######################################################################

      database bdb
      suffix "dc=my-domain,dc=com"
      rootdn "cn=Manager,dc=my-domain,dc=com"
      # Cleartext passwords, especially for the rootdn, should
      # be avoid. See slappasswd(8) and slapd.conf(5) for details.
      # Use of strong authentication encouraged.
      rootpw secret
      # The database directory MUST exist prior to running slapd AND
      # should only be accessible by the slapd and slap tools.
      # Mode 700 recommended.
      directory /private/var/db/openldap/openldap-data
      # Indices to maintain
      index objectClass eq

  • Matt Connolly
    April 19, 2011 - 2:06 pm

    On my mac, slapd.conf.default is an empty file. And when I run slapd it exits straight away. Any idea where I can get that file?

    • April 19, 2011 - 2:28 pm

      Matt, I’m not sure why yours is empty, but if you email me at krypted@me.com I’ll email you a good one.

  • Andrew Westwood
    May 17, 2011 - 2:59 pm

    if slapd.conf is empty, it is likely that you did not open it as root. try sudo vi slapd.conf

  • January 26, 2012 - 7:49 am

    I did exactly the same, and it works great! But as soon as I start it without the debug mode, it stops itself after 1 or 2 seconds… Any idea?

    (PS: I’ve asked the question on http://stackoverflow.com/questions/8856697/slapd-not-launching but I still have no answer…)

    • June 28, 2012 - 9:10 pm

      Any logs, dumps or dtrace output? Sad when you have to use debugging tools for debug mode… #irony