Difference between revisions of "OpenLDAP Installation and Test"

OpenLDAP Server and client Configuration File

Please note that the following procedure only works for CentOS Linux up to version 6.

1. /etc/openldap/slapd.conf
   1. Standalone OpenLDAP server configuration file
   2. You should set/modify the following directives
      1. rootdn - DN of the LDAP server administrator account
      2. rootpw - password for the administrator account
      3. database - what back end database to use
      4. suffix - the DN of the base directory on the LDAP server
      5. directory - where to put the database
2. /etc/openldap/ldap.conf
   1. This is the configuration file for the ldap clients. The following are ldap client programs:
      1. ldapadd
      2. ldapcompare
      3. ldapdelete
      4. ldapmodify
      5. ldapmodrdn
      6. ldappasswd
      7. ldapsearch
      8. ldapwhoami
   2. You could set/modify the following directives:
      1. BASE
      2. URL
3. /etc/ldap.conf
   1. This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module
   2. You could set/modify the following directives:
      1. base
      2. host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space.

Important LDAP Commands and Sample LDIF files

• Base LDIF file
• POSIX User account file
• ldapadd, ldapsearch, ldapdelete command

Tools/Utilities for Testing OpenLDAP Server

• ldapsearch
  • To display LDAP Protocol features and extensions supported by OpenLDAP, use the following ldapsearch examples:

[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures 
#

#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl 
# 

#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedExtension 
# 

#
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

• • To display Supported Control, Extension, and Features

[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' +
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: + 
# 

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Tools to test the LDAP server

• ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base

Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Using OpenLDAD for Apache Basic Authentication

• In httpd.conf configure the directory for basic authentication for apache 2.0

 <Directory /var/www/html/openldap>
 AuthType Basic
 AuthName "Case Network ID"
 AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 # All users in openldap
 require valid-user
 # Just the listed user
 # require user pma
 </Directory>

• For apache 2.2

 <Location /var/www/html/openldap>
 AuthType Basic
 AuthBasicProvider ldap
 AuthName "Case Network ID"
 AuthzLDAPAuthoritative off
 AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 Require valid-user
 </Location>

Reference:
Linux.com: Apache Authentication and Authorization using LDAP
Apache Authentication and Authorization using LDAP (blogger) <-- Nes: broken link??

Possible Administrative Tasks for OpenLDAP

• Installing OpenLDAP rpm packages or building from source
• Configuring and verifying the LDAP server
• Building an initial DIT (directory informationtree) with a LDIF file
• Loading, modifying, and searching directory records
• Setting passwords and authenticating against the directory
• Configuring Access Control Lists (ACLs)
• Configuring multiple database back ends
• Securing network-based directory connections with SSL and TLS
• Advanced configurations and performance tuning settings
• Creating and implementing LDAP schemas
• Creating custom schemas and sophisticated ACLs
• Using OpenLDAP as a proxy for other LDAP servers
• Adding caching with the Proxy Cache overlay
• Using the transparency overlay to create a hybrid cache
• Installing and configuring a web-base LDAP administration suite
• Keeping multiple directory servers synchronized with SyncRepl
• Using OpenLDAP for Apache authentication
• Turn on/off OpenLDAP syslog entries ==

OpenLDAP Concepts/Configuration

• Understanding the LDAP Protocol, Data Hierarchy, and Entry Components
• How to Use LDIF Files to Make Changes to an OpenLDAP System

More Resources

Web site

An Enterprise Directory Solution with DB2

Directories vs. Relational Database Management Systems

Books

Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services

Berkeley DB Reference Guide (Version: 4.6.21)