Difference between revisions of "OpenLDAP Installation and Test"
(→More Resources) |
|||
(20 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | + | = OpenLDAP Server and client Configuration = | |
− | # /etc/openldap/slapd. | + | |
− | + | == OpenLDAP Server Configuration directory == | |
− | # | + | Please note that the following procedure only works for CentOS Linux starting from <font color='red'>version 7.0</font>. |
− | ### | + | * Top of the configure directory for the OpenLDAP server slapd: /etc/openldap/slapd.d/cn=config |
− | ### | + | <pre> |
− | + | [root@localhost cn=schema]# ls -l /etc/openldap/slapd.d/cn\=config | |
− | + | total 20 | |
− | + | drwxr-x---. 2 ldap ldap 104 Nov 22 18:35 cn=schema | |
− | + | -rw-------. 1 ldap ldap 378 Dec 16 2015 cn=schema.ldif | |
− | # | + | -rw-------. 1 ldap ldap 513 Dec 16 2015 olcDatabase={0}config.ldif |
− | + | -rw-------. 1 ldap ldap 443 Dec 16 2015 olcDatabase={-1}frontend.ldif | |
− | + | -rw-------. 1 ldap ldap 562 Dec 16 2015 olcDatabase={1}monitor.ldif | |
− | + | -rw-------. 1 ldap ldap 609 Dec 16 2015 olcDatabase={2}hdb.ldif | |
− | + | </pre> | |
− | + | * Some notes: | |
− | + | ** cn=schema - contains the schema to be loaded by the slapd server. | |
− | + | ** olcDatabase={2}hdb.ldif - the main configuration for the OpenLDAP server's database. | |
− | ### | + | * Initial contents in the "cn=schema" directory: |
− | ## | + | <pre>[root@localhost cn=schema]# ls -l |
− | ### | + | total 40 |
− | ### | + | -rw-------. 1 ldap ldap 15578 Dec 16 2015 cn={0}core.ldif |
− | + | </pre> | |
− | + | * Initial contents in the "olcDatabase={2}hdb.ldif" file: | |
− | # | + | <pre> |
− | + | [root@localhost cn=config]# cat olcDatabase\=\{2\}hdb.ldif | |
− | + | # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. | |
+ | # CRC32 2e34fa34 | ||
+ | dn: olcDatabase={2}hdb | ||
+ | objectClass: olcDatabaseConfig | ||
+ | objectClass: olcHdbConfig | ||
+ | olcDatabase: {2}hdb | ||
+ | olcDbDirectory: /var/lib/ldap | ||
+ | olcSuffix: dc=my-domain,dc=com | ||
+ | olcRootDN: cn=Manager,dc=my-domain,dc=com | ||
+ | olcDbIndex: objectClass eq,pres | ||
+ | olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub | ||
+ | structuralObjectClass: olcHdbConfig | ||
+ | entryUUID: 356a18aa-384e-1035-958d-25b49e5bf54e | ||
+ | creatorsName: cn=config | ||
+ | createTimestamp: 20151216143659Z | ||
+ | entryCSN: 20151216143659.541486Z#000000#000#000000 | ||
+ | modifiersName: cn=config | ||
+ | modifyTimestamp: 20151216143659Z | ||
+ | </pre> | ||
+ | |||
+ | To use OpenLDAP directory to host Linux user accounts, you need to import three more existing schema: cosine, nis, and inetorgperson for the slapd server. You also need to update the following fields in the "olcDatabase={2}hdb.ldif" file: | ||
+ | * olcSuffix - update to reflect your base context (or naming context) | ||
+ | * olcRootDN - update to match your naming context | ||
+ | * olcRootPW - add password for authenticating the Directory Server Manager (i.e. olcRootDN) | ||
+ | |||
+ | == Start slapd and add additional schema == | ||
+ | After installing the openldap-servers rpm package, you should be able to start the OpenLDAP server slapd with the following command: | ||
+ | <pre> | ||
+ | systemctl start slapd.service | ||
+ | </pre> | ||
+ | |||
+ | To configure your system to start slapd.server at system boot, run the following command: | ||
+ | <pre> | ||
+ | systemctl enable slapd.service | ||
+ | </pre> | ||
+ | |||
+ | You can now import the three required schema: | ||
+ | <pre> | ||
+ | ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif | ||
+ | ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif | ||
+ | ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/inetorgperson.ldif | ||
+ | </pre> | ||
+ | |||
+ | Check the directory content in "/etc/openldap/slapd.d/cn=config/cn=schema" | ||
+ | <pre> | ||
+ | [root@localhost cn=config]# ls -l cn\=schema | ||
+ | total 40 | ||
+ | -rw-------. 1 ldap ldap 15578 Dec 16 2015 cn={0}core.ldif | ||
+ | -rw-------. 1 ldap ldap 11455 Nov 22 18:34 cn={1}cosine.ldif | ||
+ | -rw-------. 1 ldap ldap 6587 Nov 22 18:35 cn={2}nis.ldif | ||
+ | -rw-------. 1 ldap ldap 2949 Nov 22 18:35 cn={3}inetorgperson.ldif | ||
+ | </pre> | ||
+ | |||
+ | ==Check current "naming context" of the OpenLDAP directory == | ||
+ | <pre> | ||
+ | [root@localhost cn=config]# ldapsearch -x -b '' -s base namingContexts | ||
+ | # extended LDIF | ||
+ | # | ||
+ | # LDAPv3 | ||
+ | # base <> with scope baseObject | ||
+ | # filter: (objectclass=*) | ||
+ | # requesting: namingContexts | ||
+ | # | ||
+ | |||
+ | # | ||
+ | dn: | ||
+ | namingContexts: dc=my-domain,dc=com | ||
+ | |||
+ | # search result | ||
+ | search: 2 | ||
+ | result: 0 Success | ||
+ | |||
+ | # numResponses: 2 | ||
+ | # numEntries: 1 | ||
+ | </pre> | ||
+ | |||
+ | == Changing the "naming context" i.e. olcSuffix, and update the olcRootDN and olcRootPW== | ||
+ | Create the following LDIF file and name it "newbase.ldif: | ||
+ | <pre> | ||
+ | # cutomize domain name | ||
+ | dn: olcDatabase={2}hdb,cn=config | ||
+ | changetype: modify | ||
+ | replace: olcSuffix | ||
+ | olcSuffix: dc=ops535,dc=com | ||
+ | |||
+ | dn: olcDatabase={2}hdb,cn=config | ||
+ | changetype: modify | ||
+ | replace: olcRootDN | ||
+ | olcRootDN: cn=Manager,dc=ops535,dc=com | ||
+ | |||
+ | dn: olcDatabase={2}hdb,cn=config | ||
+ | changetype: modify | ||
+ | add: olcRootPW | ||
+ | olcRootPW: {SSHA}1Di4Suea6ojE2bFxJhLDScjQyQ97GSef | ||
+ | </pre> | ||
+ | |||
+ | Run the following command to preform the update: | ||
+ | <pre> | ||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f newbase.ldif | ||
+ | </pre> | ||
+ | |||
+ | Check the content of the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif to confirm. | ||
== Important LDAP Commands and Sample LDIF files == | == Important LDAP Commands and Sample LDIF files == | ||
− | * | + | * LDIF file for the base entry |
− | * POSIX User | + | * LDIF file for new POSIX User accounts |
* ldapadd, ldapsearch, ldapdelete command | * ldapadd, ldapsearch, ldapdelete command | ||
Line 181: | Line 282: | ||
# numResponses: 2 | # numResponses: 2 | ||
# numEntries: 1 | # numEntries: 1 | ||
+ | |||
+ | == OpenLDAP client configuration == | ||
+ | # /etc/openldap/ldap.conf | ||
+ | ## This is the configuration file for the ldap clients. The following are ldap client programs: | ||
+ | ### ldapadd | ||
+ | ### ldapcompare | ||
+ | ### ldapdelete | ||
+ | ### ldapmodify | ||
+ | ### ldapmodrdn | ||
+ | ### ldappasswd | ||
+ | ### ldapsearch | ||
+ | ### ldapwhoami | ||
+ | ## You could set/modify the following directives: | ||
+ | ### BASE | ||
+ | ### URL | ||
+ | # /etc/ldap.conf | ||
+ | ## This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module | ||
+ | ## You could set/modify the following directives: | ||
+ | ### base | ||
+ | ### host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space. | ||
== Using OpenLDAD for Apache Basic Authentication == | == Using OpenLDAD for Apache Basic Authentication == | ||
Line 210: | Line 331: | ||
</Location> | </Location> | ||
− | Reference: [http://www.linux.com/feature/120050 Apache Authentication and Authorization using LDAP] | + | Reference: <br> |
− | + | [http://www.linux.com/feature/120050 Linux.com: Apache Authentication and Authorization using LDAP]<br> | |
+ | [http://www.commandlinemac.com/article.php/2007121106103489 Apache Authentication and Authorization using LDAP (blogger)] <-- Nes: broken link?? | ||
== Possible Administrative Tasks for OpenLDAP == | == Possible Administrative Tasks for OpenLDAP == | ||
Line 232: | Line 354: | ||
* Using OpenLDAP for Apache authentication | * Using OpenLDAP for Apache authentication | ||
* Turn on/off OpenLDAP syslog entries == | * Turn on/off OpenLDAP syslog entries == | ||
+ | |||
+ | == OpenLDAP Concepts/Configuration == | ||
+ | * [http://www.digitalocean.com/community/tutorials/understanding-the-ldap-protocol-data-hierarchy-and-entry-components Understanding the LDAP Protocol, Data Hierarchy, and Entry Components] | ||
+ | * [http://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system How to Use LDIF Files to Make Changes to an OpenLDAP System] | ||
== More Resources == | == More Resources == | ||
Line 246: | Line 372: | ||
[http://www.oracle.com/technology/documentation/berkeley-db/db/ref/toc.html Berkeley DB Reference Guide (Version: 4.6.21) ] | [http://www.oracle.com/technology/documentation/berkeley-db/db/ref/toc.html Berkeley DB Reference Guide (Version: 4.6.21) ] | ||
+ | [[Category:OPS535]] | ||
− | [ | + | <b>OID</b> |
+ | * [http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers Private Enterprise OID registry] |
Latest revision as of 13:00, 23 November 2016
Contents
- 1 OpenLDAP Server and client Configuration
- 1.1 OpenLDAP Server Configuration directory
- 1.2 Start slapd and add additional schema
- 1.3 Check current "naming context" of the OpenLDAP directory
- 1.4 Changing the "naming context" i.e. olcSuffix, and update the olcRootDN and olcRootPW
- 1.5 Important LDAP Commands and Sample LDIF files
- 1.6 Tools/Utilities for Testing OpenLDAP Server
- 1.7 Tools to test the LDAP server
- 1.8 OpenLDAP client configuration
- 1.9 Using OpenLDAD for Apache Basic Authentication
- 1.10 Possible Administrative Tasks for OpenLDAP
- 1.11 OpenLDAP Concepts/Configuration
- 1.12 More Resources
OpenLDAP Server and client Configuration
OpenLDAP Server Configuration directory
Please note that the following procedure only works for CentOS Linux starting from version 7.0.
- Top of the configure directory for the OpenLDAP server slapd: /etc/openldap/slapd.d/cn=config
[root@localhost cn=schema]# ls -l /etc/openldap/slapd.d/cn\=config total 20 drwxr-x---. 2 ldap ldap 104 Nov 22 18:35 cn=schema -rw-------. 1 ldap ldap 378 Dec 16 2015 cn=schema.ldif -rw-------. 1 ldap ldap 513 Dec 16 2015 olcDatabase={0}config.ldif -rw-------. 1 ldap ldap 443 Dec 16 2015 olcDatabase={-1}frontend.ldif -rw-------. 1 ldap ldap 562 Dec 16 2015 olcDatabase={1}monitor.ldif -rw-------. 1 ldap ldap 609 Dec 16 2015 olcDatabase={2}hdb.ldif
- Some notes:
- cn=schema - contains the schema to be loaded by the slapd server.
- olcDatabase={2}hdb.ldif - the main configuration for the OpenLDAP server's database.
- Initial contents in the "cn=schema" directory:
[root@localhost cn=schema]# ls -l total 40 -rw-------. 1 ldap ldap 15578 Dec 16 2015 cn={0}core.ldif
- Initial contents in the "olcDatabase={2}hdb.ldif" file:
[root@localhost cn=config]# cat olcDatabase\=\{2\}hdb.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 2e34fa34 dn: olcDatabase={2}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=my-domain,dc=com olcRootDN: cn=Manager,dc=my-domain,dc=com olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub structuralObjectClass: olcHdbConfig entryUUID: 356a18aa-384e-1035-958d-25b49e5bf54e creatorsName: cn=config createTimestamp: 20151216143659Z entryCSN: 20151216143659.541486Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20151216143659Z
To use OpenLDAP directory to host Linux user accounts, you need to import three more existing schema: cosine, nis, and inetorgperson for the slapd server. You also need to update the following fields in the "olcDatabase={2}hdb.ldif" file:
- olcSuffix - update to reflect your base context (or naming context)
- olcRootDN - update to match your naming context
- olcRootPW - add password for authenticating the Directory Server Manager (i.e. olcRootDN)
Start slapd and add additional schema
After installing the openldap-servers rpm package, you should be able to start the OpenLDAP server slapd with the following command:
systemctl start slapd.service
To configure your system to start slapd.server at system boot, run the following command:
systemctl enable slapd.service
You can now import the three required schema:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/inetorgperson.ldif
Check the directory content in "/etc/openldap/slapd.d/cn=config/cn=schema"
[root@localhost cn=config]# ls -l cn\=schema total 40 -rw-------. 1 ldap ldap 15578 Dec 16 2015 cn={0}core.ldif -rw-------. 1 ldap ldap 11455 Nov 22 18:34 cn={1}cosine.ldif -rw-------. 1 ldap ldap 6587 Nov 22 18:35 cn={2}nis.ldif -rw-------. 1 ldap ldap 2949 Nov 22 18:35 cn={3}inetorgperson.ldif
Check current "naming context" of the OpenLDAP directory
[root@localhost cn=config]# ldapsearch -x -b '' -s base namingContexts # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: namingContexts # # dn: namingContexts: dc=my-domain,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Changing the "naming context" i.e. olcSuffix, and update the olcRootDN and olcRootPW
Create the following LDIF file and name it "newbase.ldif:
# cutomize domain name dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=ops535,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=ops535,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}1Di4Suea6ojE2bFxJhLDScjQyQ97GSef
Run the following command to preform the update:
ldapmodify -Y EXTERNAL -H ldapi:/// -f newbase.ldif
Check the content of the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif to confirm.
Important LDAP Commands and Sample LDIF files
- LDIF file for the base entry
- LDIF file for new POSIX User accounts
- ldapadd, ldapsearch, ldapdelete command
Tools/Utilities for Testing OpenLDAP Server
- ldapsearch
- To display LDAP Protocol features and extensions supported by OpenLDAP, use the following ldapsearch examples:
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedFeatures # # dn: supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedControl # # dn: supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.334810.2.3 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedExtension # # dn: supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
- To display Supported Control, Extension, and Features
[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' + Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: + # # dn: structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: dc=ops535,dc=com supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.334810.2.3 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 supportedLDAPVersion: 3 entryDN: subschemaSubentry: cn=Subschema # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Tools to test the LDAP server
- ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: ALL # # dn: objectClass: top objectClass: OpenLDAProotDSE # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
OpenLDAP client configuration
- /etc/openldap/ldap.conf
- This is the configuration file for the ldap clients. The following are ldap client programs:
- ldapadd
- ldapcompare
- ldapdelete
- ldapmodify
- ldapmodrdn
- ldappasswd
- ldapsearch
- ldapwhoami
- You could set/modify the following directives:
- BASE
- URL
- This is the configuration file for the ldap clients. The following are ldap client programs:
- /etc/ldap.conf
- This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module
- You could set/modify the following directives:
- base
- host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space.
Using OpenLDAD for Apache Basic Authentication
- In httpd.conf configure the directory for basic authentication for apache 2.0
<Directory /var/www/html/openldap> AuthType Basic AuthName "Case Network ID" AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server" AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server" AuthLDAPBindPassword "your-openldap-password" # All users in openldap require valid-user # Just the listed user # require user pma </Directory>
- For apache 2.2
<Location /var/www/html/openldap> AuthType Basic AuthBasicProvider ldap AuthName "Case Network ID" AuthzLDAPAuthoritative off AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server" AuthLDAPBindPassword "your-openldap-password" Require valid-user </Location>
Reference:
Linux.com: Apache Authentication and Authorization using LDAP
Apache Authentication and Authorization using LDAP (blogger) <-- Nes: broken link??
Possible Administrative Tasks for OpenLDAP
- Installing OpenLDAP rpm packages or building from source
- Configuring and verifying the LDAP server
- Building an initial DIT (directory informationtree) with a LDIF file
- Loading, modifying, and searching directory records
- Setting passwords and authenticating against the directory
- Configuring Access Control Lists (ACLs)
- Configuring multiple database back ends
- Securing network-based directory connections with SSL and TLS
- Advanced configurations and performance tuning settings
- Creating and implementing LDAP schemas
- Creating custom schemas and sophisticated ACLs
- Using OpenLDAP as a proxy for other LDAP servers
- Adding caching with the Proxy Cache overlay
- Using the transparency overlay to create a hybrid cache
- Installing and configuring a web-base LDAP administration suite
- Keeping multiple directory servers synchronized with SyncRepl
- Using OpenLDAP for Apache authentication
- Turn on/off OpenLDAP syslog entries ==
OpenLDAP Concepts/Configuration
- Understanding the LDAP Protocol, Data Hierarchy, and Entry Components
- How to Use LDIF Files to Make Changes to an OpenLDAP System
More Resources
Web site
An Enterprise Directory Solution with DB2
Directories vs. Relational Database Management Systems
Books
Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services
Berkeley DB Reference Guide (Version: 4.6.21)
OID