Difference between revisions of "OpenLDAP Installation and Test"

From CDOT Wiki
(More Resources)
(18 intermediate revisions by the same user not shown)

The earlier revision documented the server side through /etc/openldap/slapd.conf (the standalone OpenLDAP server configuration file) and listed the directives to set or modify there:

  • rootdn - DN of the LDAP server administrator account
  • rootpw - password for the administrator account
  • database - what back end database to use
  • suffix - the DN of the base directory on the LDAP server
  • directory - where to put the database

The latest revision, shown below, replaces that section with the cn=config directory layout under /etc/openldap/slapd.d, and the client configuration notes (/etc/openldap/ldap.conf and /etc/ldap.conf) move to their own "OpenLDAP client configuration" section.
Latest revision as of 13:00, 23 November 2016

OpenLDAP Server and client Configuration

OpenLDAP Server Configuration directory

Please note that the following procedure only works for CentOS Linux starting from version 7.0.

  • Top of the configuration directory for the OpenLDAP server slapd: /etc/openldap/slapd.d/cn=config
[root@localhost cn=schema]# ls -l /etc/openldap/slapd.d/cn\=config
total 20
drwxr-x---. 2 ldap ldap 104 Nov 22 18:35 cn=schema
-rw-------. 1 ldap ldap 378 Dec 16  2015 cn=schema.ldif
-rw-------. 1 ldap ldap 513 Dec 16  2015 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap 443 Dec 16  2015 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap 562 Dec 16  2015 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap 609 Dec 16  2015 olcDatabase={2}hdb.ldif
  • Some notes:
    • cn=schema - contains the schema to be loaded by the slapd server.
    • olcDatabase={2}hdb.ldif - the main configuration for the OpenLDAP server's database.
  • Initial contents in the "cn=schema" directory:
[root@localhost cn=schema]# ls -l
total 40
-rw-------. 1 ldap ldap 15578 Dec 16  2015 cn={0}core.ldif
  • Initial contents in the "olcDatabase={2}hdb.ldif" file:
[root@localhost cn=config]# cat olcDatabase\=\{2\}hdb.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2e34fa34
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 356a18aa-384e-1035-958d-25b49e5bf54e
creatorsName: cn=config
createTimestamp: 20151216143659Z
entryCSN: 20151216143659.541486Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20151216143659Z

To use the OpenLDAP directory to host Linux user accounts, you need to import three more of the schema files shipped with the server (cosine, nis, and inetorgperson) into slapd. You also need to update the following attributes in the "olcDatabase={2}hdb.ldif" file:

  • olcSuffix - update to reflect your base context (or naming context)
  • olcRootDN - update to match your naming context
  • olcRootPW - add password for authenticating the Directory Server Manager (i.e. olcRootDN)

Start slapd and add additional schema

After installing the openldap-servers rpm package, you should be able to start the OpenLDAP server slapd with the following command:

systemctl start slapd.service

To configure your system to start slapd.service at system boot, run the following command:

systemctl enable slapd.service

You can now import the three required schema:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Check the directory content in "/etc/openldap/slapd.d/cn=config/cn=schema":

[root@localhost cn=config]# ls -l cn\=schema
total 40
-rw-------. 1 ldap ldap 15578 Dec 16  2015 cn={0}core.ldif
-rw-------. 1 ldap ldap 11455 Nov 22 18:34 cn={1}cosine.ldif
-rw-------. 1 ldap ldap  6587 Nov 22 18:35 cn={2}nis.ldif
-rw-------. 1 ldap ldap  2949 Nov 22 18:35 cn={3}inetorgperson.ldif

Check current "naming context" of the OpenLDAP directory

[root@localhost cn=config]# ldapsearch -x -b '' -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts 
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Changing the "naming context" (i.e. olcSuffix) and updating olcRootDN and olcRootPW

Create the following LDIF file and name it "newbase.ldif":

# customize domain name
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ops535,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ops535,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}1Di4Suea6ojE2bFxJhLDScjQyQ97GSef

Run the following command to perform the update:

ldapmodify -Y EXTERNAL -H ldapi:/// -f newbase.ldif

Check the content of the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif to confirm.
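
The three changes above (olcSuffix, olcRootDN and olcRootPW) are easy to mistype by hand, so the following Python script is added here as an example; it is not part of the wiki page. It derives the naming context from a DNS domain, produces and verifies an {SSHA} value of the same form as the olcRootPW line above (base64 of SHA-1(password + salt) followed by the salt, the format slappasswd emits), and writes the newbase.ldif content. The domain ops535.com and the Manager CN come from the page; the password "change-me" is a constructed sample. The script only generates the LDIF; the ldapmodify -Y EXTERNAL -H ldapi:/// command from the page still applies it.

```python
import base64
import hashlib
import hmac
import os


def domain_to_dn(domain):
    """Map a DNS domain such as 'ops535.com' to the naming context 'dc=ops535,dc=com'."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=%s" % label for label in labels)


def ssha_hash(password, salt=None):
    """Return a {SSHA} value as OpenLDAP stores it: base64(SHA1(password + salt) + salt).
    A 4-byte random salt is used when none is given (same size as in the page's value)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a {SSHA} value into its 20-byte SHA-1 digest and the trailing salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:20], raw[20:]


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value using a constant-time comparison."""
    digest, salt = ssha_parts(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def newbase_ldif(domain, root_cn="Manager", root_pw_hash=None,
                 db_dn="olcDatabase={2}hdb,cn=config", rootpw_op="add"):
    """Build the newbase.ldif content: replace olcSuffix and olcRootDN, then add
    olcRootPW (use rootpw_op="replace" when the attribute already exists)."""
    # Only accept a hashed value ({SSHA}, {CRYPT}, ...) so a cleartext password
    # never ends up in cn=config by accident.
    if root_pw_hash is None or not root_pw_hash.startswith("{"):
        raise ValueError("root_pw_hash must be a hashed value such as {SSHA}...")
    suffix = domain_to_dn(domain)
    root_dn = "cn=%s,%s" % (root_cn, suffix)
    changes = [
        ("replace", "olcSuffix", suffix),
        ("replace", "olcRootDN", root_dn),
        (rootpw_op, "olcRootPW", root_pw_hash),
    ]
    records = []
    for op, attr, value in changes:
        # One LDIF change record per attribute; records are separated by a blank line.
        records.append("dn: %s\nchangetype: modify\n%s: %s\n%s: %s\n"
                       % (db_dn, op, attr, attr, value))
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample password; generate your own hash for a real server.
    pw_hash = ssha_hash("change-me")
    print(newbase_ldif("ops535.com", "Manager", pw_hash))
```

The "add: olcRootPW" record matches the page because the freshly installed database has no olcRootPW yet; on a second run ldapmodify would reject the add, so pass rootpw_op="replace" then. Generate your own hash rather than copying the one from the page; slappasswd from the openldap-servers package produces the same {SSHA} format.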

Important LDAP Commands and Sample LDIF files

  • LDIF file for the base entry
  • LDIF file for new POSIX User accounts
  • ldapadd, ldapsearch, ldapdelete command

Tools/Utilities for Testing OpenLDAP Server

  • ldapsearch
    • To display LDAP Protocol features and extensions supported by OpenLDAP, use the following ldapsearch examples:
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures 
#

#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl 
# 

#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedExtension 
# 

#
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
    • To display the supported controls, extensions and features together, request all operational attributes ("+") in one query:
[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' +
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: + 
# 

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
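
The ldapsearch output above, and the olcDatabase={2}hdb.ldif file shown earlier, are both LDIF, so one small parser covers both the "check the file to confirm" step of the naming-context change and the root DSE checks in this section. The Python below is an added example and not code from the wiki page. It folds LDIF continuation lines, skips "#" comments, decodes "attr:: value" base64 values, drops the trailing search summary, and reports what an anonymous base search of the root DSE reveals: naming contexts, protocol version, and whether the StartTLS, Password Modify and "Who am I?" extended operations are advertised. The OIDs are assumed from RFC 4511, RFC 3062 and RFC 4532 (the last two also appear in the page's output); the embedded samples are trimmed copies of the page's own output and file.

```python
import base64

# Extended-operation OIDs checked against the root DSE (assumed from the RFCs, not from the page).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"       # RFC 4511 section 4.14
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062
WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"           # RFC 4532


def unfold_ldif(text):
    """Join continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF (ldapsearch output or a slapd.d/*.ldif file) into a list of entries,
    each a dict of attribute -> list of values. A record without a dn, such as
    ldapsearch's trailing 'search:/result:' summary, is dropped."""
    entries = []
    current = {}

    def flush():
        if "dn" in current:
            entries.append(dict(current))
        current.clear()

    for line in unfold_ldif(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    flush()
    return entries


def rootdse_report(search_output):
    """Summarize what a base search of the root DSE reveals."""
    entries = parse_ldif(search_output)
    if not entries:
        raise ValueError("no entry in ldapsearch output")
    dse = entries[0]
    ext = set(dse.get("supportedExtension", []))
    return {
        "namingContexts": dse.get("namingContexts", []),
        "ldapVersion": dse.get("supportedLDAPVersion", []),
        "controls": len(dse.get("supportedControl", [])),
        "starttls": STARTTLS_OID in ext,
        "passwordModify": PASSWORD_MODIFY_OID in ext,
        "whoami": WHOAMI_OID in ext,
    }


def db_config_summary(ldif_file_text):
    """Summarize an olcDatabase={N}hdb.ldif file: suffix, root DN and whether
    olcRootPW is set (the hash itself is deliberately not returned)."""
    db = parse_ldif(ldif_file_text)[0]
    return {
        "suffix": db.get("olcSuffix", [None])[0],
        "rootDN": db.get("olcRootDN", [None])[0],
        "rootPWSet": "olcRootPW" in db,
    }


# Trimmed copy of the page's "ldapsearch ... -b '' -s base '(objectclass=*)' +" output.
SAMPLE_ROOTDSE = """# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Trimmed copy of the page's initial olcDatabase={2}hdb.ldif (before newbase.ldif was applied).
SAMPLE_HDB = """# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2e34fa34
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
"""

if __name__ == "__main__":
    print(rootdse_report(SAMPLE_ROOTDSE))
    print(db_config_summary(SAMPLE_HDB))
```

Running it on the page's output reports starttls False: the lab server advertises no StartTLS, so binds to it travel in clear over ldap://. The same check, run again after the olcTLS* attributes are configured, confirms that the extended operation is being offered. db_config_summary is the programmatic form of the "cat olcDatabase={2}hdb.ldif" confirmation step and shows when olcRootPW is still missing.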

Tools to test the LDAP server

  • ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

OpenLDAP client configuration

  1. /etc/openldap/ldap.conf
    1. This is the configuration file for the ldap clients. The following are ldap client programs:
      1. ldapadd
      2. ldapcompare
      3. ldapdelete
      4. ldapmodify
      5. ldapmodrdn
      6. ldappasswd
      7. ldapsearch
      8. ldapwhoami
    2. You could set/modify the following directives:
      1. BASE
      2. URL
  2. /etc/ldap.conf
    1. This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module
    2. You could set/modify the following directives:
      1. base
      2. host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space.

Using OpenLDAP for Apache Basic Authentication

  • In httpd.conf configure the directory for basic authentication for apache 2.0
 <Directory /var/www/html/openldap>
 AuthType Basic
 AuthName "Case Network ID"
 AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 # All users in openldap
 require valid-user
 # Just the listed user
 # require user pma
 </Directory>
  • For apache 2.2 (the same directory as above; a Location block would match a URL path, not the filesystem path)
 <Directory /var/www/html/openldap>
 AuthType Basic
 AuthBasicProvider ldap
 AuthName "Case Network ID"
 AuthzLDAPAuthoritative off
 AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 Require valid-user
 </Directory>

Reference:
Linux.com: Apache Authentication and Authorization using LDAP
Apache Authentication and Authorization using LDAP (blogger) <-- Nes: broken link??

Possible Administrative Tasks for OpenLDAP

  • Installing OpenLDAP rpm packages or building from source
  • Configuring and verifying the LDAP server
  • Building an initial DIT (directory information tree) with a LDIF file
  • Loading, modifying, and searching directory records
  • Setting passwords and authenticating against the directory
  • Configuring Access Control Lists (ACLs)
  • Configuring multiple database back ends
  • Securing network-based directory connections with SSL and TLS
  • Advanced configurations and performance tuning settings
  • Creating and implementing LDAP schemas
  • Creating custom schemas and sophisticated ACLs
  • Using OpenLDAP as a proxy for other LDAP servers
  • Adding caching with the Proxy Cache overlay
  • Using the transparency overlay to create a hybrid cache
  • Installing and configuring a web-based LDAP administration suite
  • Keeping multiple directory servers synchronized with SyncRepl
  • Using OpenLDAP for Apache authentication
  • Turn on/off OpenLDAP syslog entries

OpenLDAP Concepts/Configuration

  • Understanding the LDAP Protocol, Data Hierarchy, and Entry Components: http://www.digitalocean.com/community/tutorials/understanding-the-ldap-protocol-data-hierarchy-and-entry-components
  • How to Use LDIF Files to Make Changes to an OpenLDAP System: http://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system

More Resources

Web site

An Enterprise Directory Solution with DB2

Directories vs. Relational Database Management Systems

Books

Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services

Berkeley DB Reference Guide (Version: 4.6.21): http://www.oracle.com/technology/documentation/berkeley-db/db/ref/toc.html

OID

  • Private Enterprise OID registry: http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers