OpenLDAP Installation and Test

== OpenLDAP Server and client Configuration File ==
 
# /etc/openldap/slapd.conf
## Standalone OpenLDAP server configuration file
## You should set/modify the following directives
### rootdn - DN of the LDAP server administrator account
### rootpw - password for the administrator account; store the hash printed by slappasswd rather than the cleartext password, and keep the file readable only by root and the account slapd runs as
### database - what back end database to use
### suffix - the DN of the base directory on the LDAP server
### directory - where to put the database
### access - the ACLs; with no access directive present slapd defaults to "access to * by * read", which lets anonymous clients read userPassword hashes
# /etc/openldap/ldap.conf
## This is the configuration file for the ldap clients. The following are ldap client programs:
### ldapadd
### ldapcompare
### ldapdelete
### ldapmodify
### ldapmodrdn
### ldappasswd
### ldapsearch
### ldapwhoami
## You could set/modify the following directives:
### BASE - default search base
### URI - server URI(s), e.g. ldap://127.0.0.1/ (the OpenLDAP directive is URI, not URL; HOST is deprecated)
# /etc/ldap.conf
## This is the configuration file for the LDAP nameservice switch library (nss_ldap) and the LDAP PAM module (pam_ldap)
## You could set/modify the following directives:
### base
### host - IP or hostname of the LDAP server. If you use a hostname, it must be resolvable without using LDAP, otherwise resolving the server name would itself require the LDAP server. Multiple hosts may be specified, each separated by a space.
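
The three files above as a worked example. This script is added here and is not part of the original page or of the OpenLDAP project: it renders a minimal slapd.conf and ldap.conf for an assumed suffix dc=ops535,dc=com and rootdn cn=Manager,dc=ops535,dc=com, then lints the server file for the two mistakes that turn a lab server into an open password store, a cleartext rootpw and a missing userPassword ACL. The schema paths, /var/lib/ldap and the bdb back end are assumed Fedora-era defaults; the {SSHA} value is a placeholder for real slappasswd output.

```shell
#!/bin/sh
# Added example, not taken from the original page: render a minimal slapd.conf
# and ldap.conf for the suffix used on this page, then lint slapd.conf for two
# mistakes common in lab setups: a cleartext rootpw and no ACL on userPassword.
# The suffix, rootdn, schema paths and /var/lib/ldap below are assumptions.

# $1 = suffix, $2 = rootdn, $3 = rootpw as printed by:  slappasswd -h '{SSHA}'
render_slapd_conf() {
    cat <<EOF
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/nis.schema
pidfile   /var/run/openldap/slapd.pid

database  bdb
suffix    "$1"
rootdn    "$2"
rootpw    $3
directory /var/lib/ldap

# With no access directive slapd falls back to "access to * by * read",
# which hands password hashes to anonymous clients.  Users may change their
# own password, anyone may bind with it, nobody else may read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
EOF
}

# $1 = default search base, $2 = server URI (OpenLDAP ldap.conf uses URI, not URL)
render_ldap_conf() {
    printf 'BASE %s\nURI  %s\n' "$1" "$2"
}

# slapd.conf on stdin; prints one line per finding, returns 1 if there were any
lint_slapd_conf() {
    conf=$(cat)
    findings=0
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]'; then
        echo "rootpw is cleartext: use the hash printed by slappasswd -h '{SSHA}'"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=userPassword'; then
        echo "no ACL on userPassword: the default 'access to * by * read' exposes hashes"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Stand-alone run: render the server config and lint it.  For real use redirect
# the output to /etc/openldap/slapd.conf and chmod 640 / chown root:ldap it.
# The {SSHA} value is a placeholder for real slappasswd output.
render_slapd_conf "dc=ops535,dc=com" "cn=Manager,dc=ops535,dc=com" \
    '{SSHA}placeholder-replace-with-slappasswd-output' | lint_slapd_conf && echo "slapd.conf: OK"
render_ldap_conf "dc=ops535,dc=com" "ldap://127.0.0.1/"
```

The lint is deliberately narrow: it only recognises a hashed rootpw by its leading scheme tag (anything slappasswd emits, {SSHA}, {SHA}, {CRYPT}, {MD5}) and checks that some ACL names userPassword. It says nothing about whether the rest of the ACL set is sensible; that still has to be read by a person.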
 
 
== Important LDAP Commands and Sample LDIF files ==
* Base LDIF file (the suffix entry and the organizational units under it)
* POSIX User account file (one posixAccount/inetOrgPerson entry per user)
* ldapadd, ldapsearch, ldapdelete commands
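
The three items above as one worked example. The script is added here and is not the page's own material: it generates the base LDIF and a POSIX user entry for an assumed suffix dc=ops535,dc=com under an assumed ou=people, runs a structural check over the LDIF, and shows the ldapwhoami, ldapadd, ldappasswd, ldapsearch and ldapdelete invocations that load, verify and remove the entries against a running slapd. The admin DN cn=Manager,dc=ops535,dc=com and the user jdoe are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the base LDIF and a POSIX
# user entry for this page's suffix, sanity-check the LDIF, and show the
# ldapadd / ldapsearch / ldapdelete commands that load, verify and remove it.
# SUFFIX, ADMIN, ou=people and the user "jdoe" are assumptions.

SUFFIX="dc=ops535,dc=com"
ADMIN="cn=Manager,$SUFFIX"

# Base entry and the ou that will hold the accounts.
base_ldif() {
    dc=${SUFFIX%%,*}; dc=${dc#dc=}
    cat <<EOF
dn: $SUFFIX
objectClass: top
objectClass: dcObject
objectClass: organization
dc: $dc
o: $dc lab directory

dn: ou=people,$SUFFIX
objectClass: organizationalUnit
ou: people
EOF
}

# $1 uid, $2 uidNumber, $3 gidNumber, $4 given name, $5 surname.
# No userPassword here: set it afterwards with ldappasswd so the hash is made
# by the server and never sits in a world-readable LDIF.
posix_user_ldif() {
    cat <<EOF
dn: uid=$1,ou=people,$SUFFIX
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $4 $5
givenName: $4
sn: $5
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
EOF
}

# Structural check of LDIF on stdin: each record must start with dn: and carry
# at least one objectClass; an attribute before any dn: is an error.
ldif_check() {
    awk '
        /^dn: /          { if (indn && !oc) bad++; indn = 1; oc = 0; next }
        /^objectClass: / { oc = 1; next }
        /^$/             { if (indn && !oc) bad++; indn = 0; next }
        /^[A-Za-z]/      { if (!indn) bad++ }
        END              { if (indn && !oc) bad++; exit (bad > 0) }'
}

# Against a running slapd.  -x: simple bind; -W: prompt for the password so it
# never appears in ps output or shell history; add -ZZ once slapd has TLS.
load_directory() {
    ldapwhoami -x -W -D "$ADMIN"                       # must print dn:cn=Manager,...
    { base_ldif; echo; posix_user_ldif jdoe 1001 1001 Jane Doe; } > ops535.ldif
    ldapadd -x -W -D "$ADMIN" -f ops535.ldif
    ldappasswd -x -W -D "$ADMIN" -S "uid=jdoe,ou=people,$SUFFIX"
    ldapsearch -x -LLL -b "ou=people,$SUFFIX" '(uid=jdoe)' uidNumber homeDirectory
    # ldapdelete -x -W -D "$ADMIN" "uid=jdoe,ou=people,$SUFFIX"
}

# Stand-alone run: only generate and check the LDIF; pass "load" to push it.
if [ "${1:-}" = load ]; then
    load_directory
else
    { base_ldif; echo; posix_user_ldif jdoe 1001 1001 Jane Doe; } | ldif_check && echo "LDIF OK"
fi
```

Run it with no argument to see the generated LDIF pass the structural check; run it with `load` on a host with the OpenLDAP client tools to push the entries. The ldapwhoami call at the start is the cheapest way to prove the Manager bind really succeeded: with a wrong password it fails with "Invalid credentials" instead of printing the DN, whereas a plain ldapsearch would have silently told you nothing about which identity the server saw.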
 
 
== Tools/Utilities for Testing OpenLDAP Server ==
 
* ldapsearch
** To display the LDAP protocol features, controls and extensions supported by OpenLDAP, query the root DSE (empty base, scope base) with the following ldapsearch examples. Note that these use an anonymous simple bind (-x with no -D): the root DSE is readable without credentials by design, since clients need it to discover what the server supports.

 [rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures
 # extended LDIF
 #
 # LDAPv3
 # base <> with scope baseObject
 # filter: (objectclass=*)
 # requesting: supportedFeatures
 #
  
 #
 dn:
 supportedFeatures: 1.3.6.1.1.14
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
  
 # search result
 search: 2
 result: 0 Success
  
 # numResponses: 2
 # numEntries: 1

 [rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl
 # extended LDIF
 #
 # LDAPv3
 # base <> with scope baseObject
 # filter: (objectclass=*)
 # requesting: supportedControl
 #
  
 #
 dn:
 supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
 supportedControl: 2.16.840.1.113730.3.4.18
 supportedControl: 2.16.840.1.113730.3.4.2
 supportedControl: 1.3.6.1.4.1.4203.1.10.1
 supportedControl: 1.2.840.113556.1.4.319
 supportedControl: 1.2.826.0.1.334810.2.3
 supportedControl: 1.2.826.0.1.3344810.2.3
 supportedControl: 1.3.6.1.1.13.2
 supportedControl: 1.3.6.1.1.13.1
 supportedControl: 1.3.6.1.1.12
  
 # search result
 search: 2
 result: 0 Success
  
 # numResponses: 2
 # numEntries: 1

 [rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension
 # extended LDIF
 #
 # LDAPv3
 # base <> with scope baseObject
 # filter: (objectclass=*)
 # requesting: supportedExtension
 #
  
 #
 dn:
 supportedExtension: 1.3.6.1.4.1.4203.1.11.1
 supportedExtension: 1.3.6.1.4.1.4203.1.11.3
  
 # search result
 search: 2
 result: 0 Success
  
 # numResponses: 2
 # numEntries: 1

** To display all operational attributes of the root DSE at once (supported controls, extensions and features together, plus namingContexts and configContext), request "+". The example below binds as the Manager, but the three anonymous queries above show that none of this requires a bind; the -D/-W here is not what grants access.

 [rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' +
 Enter LDAP Password:
 # extended LDIF
 #
 # LDAPv3
 # base <> with scope baseObject
 # filter: (objectclass=*)
 # requesting: +
 #
  
 #
 dn:
 structuralObjectClass: OpenLDAProotDSE
 configContext: cn=config
 namingContexts: dc=ops535,dc=com
 supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
 supportedControl: 2.16.840.1.113730.3.4.18
 supportedControl: 2.16.840.1.113730.3.4.2
 supportedControl: 1.3.6.1.4.1.4203.1.10.1
 supportedControl: 1.2.840.113556.1.4.319
 supportedControl: 1.2.826.0.1.334810.2.3
 supportedControl: 1.2.826.0.1.3344810.2.3
 supportedControl: 1.3.6.1.1.13.2
 supportedControl: 1.3.6.1.1.13.1
 supportedControl: 1.3.6.1.1.12
 supportedExtension: 1.3.6.1.4.1.4203.1.11.1
 supportedExtension: 1.3.6.1.4.1.4203.1.11.3
 supportedFeatures: 1.3.6.1.1.14
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
 supportedLDAPVersion: 3
 entryDN:
 subschemaSubentry: cn=Subschema
  
 # search result
 search: 2
 result: 0 Success
  
 # numResponses: 2
 # numEntries: 1
 
 
== Tools to test the LDAP server ==
* A base-scope search of the root DSE bound as the rootdn confirms that slapd is up and that the Manager password is accepted; with a wrong password the bind fails with "Invalid credentials" instead of returning the entry:

 [rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
 Enter LDAP Password:
 # extended LDIF
 #
 # LDAPv3
 # base <> with scope baseObject
 # filter: (objectclass=*)
 # requesting: ALL
 #
  
 #
 dn:
 objectClass: top
 objectClass: OpenLDAProotDSE
  
 # search result
 search: 2
 result: 0 Success
  
 # numResponses: 2
 # numEntries: 1
 
 
== Using OpenLDAP for Apache Basic Authentication ==
* In httpd.conf configure the directory for basic authentication for apache 2.0 (mod_auth_ldap). The bind account is only used to look up the user's DN; Apache then binds again as that DN with the password the browser sent. It therefore needs read access to ou=people and nothing more, and because its password sits in cleartext in httpd.conf it should be a dedicated service DN, not the directory root as in the example. Plain ldap:// is acceptable here only because the server is on 127.0.0.1; for any other host use ldaps:// or the STARTTLS mode of AuthLDAPURL.

  <Directory /var/www/html/openldap>
  AuthType Basic
  AuthName "Case Network ID"
  AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server"
  AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
  AuthLDAPBindPassword "your-openldap-password"
  # All users in openldap
  require valid-user
  # Just the listed user
  # require user pma
  </Directory>

* For apache 2.2 (mod_authnz_ldap, selected with AuthBasicProvider ldap). <Location> matches URL paths, not filesystem paths, so the same on-disk directory is configured with <Directory> here as well:

  <Directory /var/www/html/openldap>
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "Case Network ID"
  # off: a failed LDAP authorization is passed on to other authorization modules
  AuthzLDAPAuthoritative off
  AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
  AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
  AuthLDAPBindPassword "your-openldap-password"
  Require valid-user
  </Directory>
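
The weak spots in the 2.2 block above, checked mechanically. This script is added here and is neither the page's own configuration nor anything shipped with Apache: it embeds the page's 2.2 block as test input next to a hardened variant, and an audit function that flags a filesystem path inside <Location>, a bind DN that is the directory administrator, a cleartext ldap:// URL pointing off the loopback interface, and AuthzLDAPAuthoritative off. The host name ldap.example.com, the service DN cn=httpd,ou=services,... and its password in the hardened block are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit an httpd LDAP-auth block
# for the weak spots in the page's configuration, beside a hardened version.
# ldap.example.com and cn=httpd,ou=services,... are assumed names.

# The page's Apache 2.2 block, reproduced as test input.
WEAK_CONF='<Location /var/www/html/openldap>
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "Case Network ID"
  AuthzLDAPAuthoritative off
  AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
  AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
  AuthLDAPBindPassword "your-openldap-password"
  Require valid-user
</Location>'

# Hardened: <Directory> for a filesystem path, a read-only service DN instead
# of the directory root, the search limited to posixAccount entries by the URL
# filter, and ldaps:// because the server is no longer on loopback.  The bind
# password still sits in httpd.conf: keep that file 0640 root:apache and give
# the service DN nothing beyond read on uid.
HARDENED_CONF='<Directory /var/www/html/openldap>
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "Case Network ID"
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=fedora,dc=directory,dc=server?uid?one?(objectClass=posixAccount)"
  AuthLDAPBindDN "cn=httpd,ou=services,dc=fedora,dc=directory,dc=server"
  AuthLDAPBindPassword "service-account-password"
  Require valid-user
</Directory>'

finding() { echo "$1"; findings=$((findings + 1)); }

# Config on stdin; prints one finding per line, returns 1 if there were any.
audit_ldap_auth() {
    conf=$(cat)
    findings=0
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*<Location[[:space:]]+/var/'; then
        finding "<Location> matches URL paths, not filesystem paths: use <Directory>"
    fi
    if printf '%s\n' "$conf" | grep -Eiq 'AuthLDAPBindDN[[:space:]]+"?(uid=root|cn=Manager)'; then
        finding "bind DN is the directory administrator: use a read-only service DN"
    fi
    if printf '%s\n' "$conf" | grep -Eq 'AuthLDAPURL[[:space:]]+"?ldap://' &&
       ! printf '%s\n' "$conf" | grep -Eq 'AuthLDAPURL[[:space:]]+"?ldap://(127\.0\.0\.1|localhost)[/:]'; then
        finding "cleartext ldap:// to a remote host: bind credentials cross the network; use ldaps:// or STARTTLS"
    fi
    if printf '%s\n' "$conf" | grep -Eiq 'AuthzLDAPAuthoritative[[:space:]]+off'; then
        finding "AuthzLDAPAuthoritative off passes a failed LDAP authorization on to other modules"
    fi
    [ "$findings" -eq 0 ]
}

echo "== page configuration =="
printf '%s\n' "$WEAK_CONF" | audit_ldap_auth || true
echo "== hardened configuration =="
printf '%s\n' "$HARDENED_CONF" | audit_ldap_auth && echo "no findings"
```

The loopback exception is deliberate: traffic to 127.0.0.1 never leaves the host, so the page's ldap:// URL is not flagged, but the same line with any other host is. For the ldaps:// variant mod_ldap must be told which CA to trust with a server-scope `LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.crt`, otherwise the certificate is not verified and the encryption buys little against an active attacker.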
 
 
Reference: [http://www.linux.com/feature/120050 Apache Authentication and Authorization using LDAP]
 
Reference: [http://www.commandlinemac.com/article.php/2007121106103489 Apache Authentication and Authorization using LDAP]
 
 
== Possible Administrative Tasks for OpenLDAP ==
* Installing OpenLDAP rpm packages or building from source
* Configuring and verifying the LDAP server
* Building an initial DIT (directory information tree) with an LDIF file
* Loading, modifying, and searching directory records
* Setting passwords and authenticating against the directory
* Configuring Access Control Lists (ACLs)
* Configuring multiple database back ends
* Securing network-based directory connections with SSL and TLS
* Advanced configurations and performance tuning settings
* Creating and implementing LDAP schemas
* Creating custom schemas and sophisticated ACLs
* Using OpenLDAP as a proxy for other LDAP servers
* Adding caching with the Proxy Cache overlay
* Using the translucent overlay (slapo-translucent) to create a hybrid cache
* Installing and configuring a web-based LDAP administration suite
* Keeping multiple directory servers synchronized with SyncRepl
* Using OpenLDAP for Apache authentication
* Turning OpenLDAP syslog entries on and off
 
 
== More Resources ==
<b>Web site</b>

[http://www.research.ibm.com/journal/sj/392/shi.html An Enterprise Directory Solution with DB2]

[http://www.openldap.org/faq/index.cgi?_highlightWords=backsql&file=378 Directories vs. Relational Database Management Systems]

<b>Books</b>

[http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services]

[http://www.oracle.com/technology/documentation/berkeley-db/db/ref/toc.html Berkeley DB Reference Guide (Version: 4.6.21)]

See also: [[FC10 OpenLDAP]]
 
 

Revision as of 13:11, 12 February 2009
