Difference between revisions of "OpenLDAP Installation and Test"

From CDOT Wiki
Jump to: navigation, search
(OpenLDAP Server Configuration directory)
(OpenLDAP Server Configuration directory)
Line 15: Line 15:
 
</pre>
 
</pre>
 
* Some notes:
 
* Some notes:
** cn=schema - contains the schema to be loaded by the slapd server. Initial contents:
+
** cn=schema - contains the schema to be loaded by the slapd server.  
<pre> [root@localhost cn=schema]# ls -l
+
** olcDatabase={2}hdb.ldif - the main configuration for the OpenLDAP server's database.
 +
* Initial contents in the "cn=schema" directory:
 +
<pre>[root@localhost cn=schema]# ls -l
 
total 40
 
total 40
 
-rw-------. 1 ldap ldap 15578 Dec 16  2015 cn={0}core.ldif
 
-rw-------. 1 ldap ldap 15578 Dec 16  2015 cn={0}core.ldif
 
</pre>
 
</pre>
Standalone OpenLDAP server configuration file
+
* Initial contents in the "oldDatabase={2}hdb.ldif" file:
## You should set/modify the following directives
+
<pre>
### rootdn - DN of the LDAP server administrator account
+
[root@localhost cn=config]# cat olcDatabase\=\{2\}hdb.ldif
### rootpw - password for the administrator account
+
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
### database - what back end database to use
+
# CRC32 2e34fa34
### suffix - the DN of the base directory on the LDAP server
+
dn: olcDatabase={2}hdb
### directory - where to put the database
+
objectClass: olcDatabaseConfig
 +
objectClass: olcHdbConfig
 +
olcDatabase: {2}hdb
 +
olcDbDirectory: /var/lib/ldap
 +
olcSuffix: dc=my-domain,dc=com
 +
olcRootDN: cn=Manager,dc=my-domain,dc=com
 +
olcDbIndex: objectClass eq,pres
 +
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
 +
structuralObjectClass: olcHdbConfig
 +
entryUUID: 356a18aa-384e-1035-958d-25b49e5bf54e
 +
creatorsName: cn=config
 +
createTimestamp: 20151216143659Z
 +
entryCSN: 20151216143659.541486Z#000000#000#000000
 +
modifiersName: cn=config
 +
modifyTimestamp: 20151216143659Z
 +
</pre>
 +
 
 +
To use OpenLDAP directory to host Linux user account, you need to import three more existing schema: cosine, nis, and inetorgperson for the slapd server. You also need to update the following fields in the "olcDatabase={2}hdb.ldif" file:
 +
* olcSuffix - update to reflect your base context (or naming context)
 +
* olcRootDN - update to match your naming context
 +
* olcRootPW - add (for olcRootDN)
  
 
=== OpenLDAP client configuration ===
 
=== OpenLDAP client configuration ===

Revision as of 00:58, 23 November 2016

OpenLDAP Server and client Configuration File

OpenLDAP Server Configuration directory

Please note that the following procedure only works for CentOS Linux starting from version 7.0.

  • Top of the configure directory for the OpenLDAP server slapd: /etc/openldap/slapd.d/cn=config
[root@localhost cn=schema]# ls -l /etc/openldap/slapd.d/cn\=config
total 20
drwxr-x---. 2 ldap ldap 104 Nov 22 18:35 cn=schema
-rw-------. 1 ldap ldap 378 Dec 16  2015 cn=schema.ldif
-rw-------. 1 ldap ldap 513 Dec 16  2015 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap 443 Dec 16  2015 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap 562 Dec 16  2015 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap 609 Dec 16  2015 olcDatabase={2}hdb.ldif
  • Some notes:
    • cn=schema - contains the schema to be loaded by the slapd server.
    • olcDatabase={2}hdb.ldif - the main configuration for the OpenLDAP server's database.
  • Initial contents in the "cn=schema" directory:
[root@localhost cn=schema]# ls -l
total 40
-rw-------. 1 ldap ldap 15578 Dec 16  2015 cn={0}core.ldif
  • Initial contents in the "oldDatabase={2}hdb.ldif" file:
[root@localhost cn=config]# cat olcDatabase\=\{2\}hdb.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2e34fa34
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 356a18aa-384e-1035-958d-25b49e5bf54e
creatorsName: cn=config
createTimestamp: 20151216143659Z
entryCSN: 20151216143659.541486Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20151216143659Z

To use OpenLDAP directory to host Linux user account, you need to import three more existing schema: cosine, nis, and inetorgperson for the slapd server. You also need to update the following fields in the "olcDatabase={2}hdb.ldif" file:

  • olcSuffix - update to reflect your base context (or naming context)
  • olcRootDN - update to match your naming context
  • olcRootPW - add (for olcRootDN)

OpenLDAP client configuration

  1. /etc/openldap/ldap.conf
    1. This is the configuration file for the ldap clients. The following are ldap client programs:
      1. ldapadd
      2. ldapcompare
      3. ldapdelete
      4. ldapmodify
      5. ldapmodrdn
      6. ldappasswd
      7. ldapsearch
      8. ldapwhoami
    2. You could set/modify the following directives:
      1. BASE
      2. URL
  2. /etc/ldap.conf
    1. This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module
    2. You could set/modify the following directives:
      1. base
      2. host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space.

Important LDAP Commands and Sample LDIF files

  • Base LDIF file
  • POSIX User account file
  • ldapadd, ldapsearch, ldapdelete command

Tools/Utilities for Testing OpenLDAP Server

  • ldapsearch
    • To display LDAP Protocol features and extensions supported by OpenLDAP, use the following ldapsearch examples:
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures 
#

#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl 
# 

#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedExtension 
# 

#
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
    • To display Supported Control, Extension, and Features
[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' +
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: + 
# 

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Tools to test the LDAP server

  • ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Using OpenLDAD for Apache Basic Authentication

  • In httpd.conf configure the directory for basic authentication for apache 2.0
 <Directory /var/www/html/openldap>
 AuthType Basic
 AuthName "Case Network ID"
 AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 # All users in openldap
 require valid-user
 # Just the listed user
 # require user pma
 </Directory>
  • For apache 2.2
 <Location /var/www/html/openldap>
 AuthType Basic
 AuthBasicProvider ldap
 AuthName "Case Network ID"
 AuthzLDAPAuthoritative off
 AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 Require valid-user
 </Location>

Reference:
Linux.com: Apache Authentication and Authorization using LDAP
Apache Authentication and Authorization using LDAP (blogger) <-- Nes: broken link??

Possible Administrative Tasks for OpenLDAP

  • Installing OpenLDAP rpm packages or building from source
  • Configuring and verifying the LDAP server
  • Building an initial DIT (directory informationtree) with a LDIF file
  • Loading, modifying, and searching directory records
  • Setting passwords and authenticating against the directory
  • Configuring Access Control Lists (ACLs)
  • Configuring multiple database back ends
  • Securing network-based directory connections with SSL and TLS
  • Advanced configurations and performance tuning settings
  • Creating and implementing LDAP schemas
  • Creating custom schemas and sophisticated ACLs
  • Using OpenLDAP as a proxy for other LDAP servers
  • Adding caching with the Proxy Cache overlay
  • Using the transparency overlay to create a hybrid cache
  • Installing and configuring a web-base LDAP administration suite
  • Keeping multiple directory servers synchronized with SyncRepl
  • Using OpenLDAP for Apache authentication
  • Turn on/off OpenLDAP syslog entries ==

OpenLDAP Concepts/Configuration

More Resources

Web site

An Enterprise Directory Solution with DB2

Directories vs. Relational Database Management Systems

Books

Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services

Berkeley DB Reference Guide (Version: 4.6.21)