CDOT Wiki
OpenLDAP Installation and Test

2,808 bytes removed, 13:00, 23 November 2016
== OpenLDAP Server Configuration directory ==
Please note that the following procedure only works for CentOS Linux starting from <font color='red'>version 7.0</font>, where slapd reads its configuration from the cn=config directory rather than from slapd.conf.
* Top of the configuration directory for the OpenLDAP server slapd: /etc/openldap/slapd.d/cn=config
<pre>
[root@localhost cn=schema]# ls -l /etc/openldap/slapd.d/cn\=config
total 20
drwxr-x---. 2 ldap ldap 104 Nov 22 18:35 cn=schema
-rw-------. 1 ldap ldap 378 Dec 16  2015 cn=schema.ldif
-rw-------. 1 ldap ldap 513 Dec 16  2015 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap 443 Dec 16  2015 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap 562 Dec 16  2015 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap 609 Dec 16  2015 olcDatabase={2}hdb.ldif
</pre>
* Some notes:
** cn=schema - contains the schema to be loaded by the slapd server.
** olcDatabase={2}hdb.ldif - the main configuration for the OpenLDAP server's data database (the hdb back end).
** The files are owned by the ldap user and readable by nobody else; they will hold olcRootPW once you set it, so leave the permissions as they are.
** Do not edit these files by hand (note the "AUTO-GENERATED FILE" comment and the CRC32 line below); make changes with ldapmodify over ldapi:/// so the checksum stays valid.
* Initial contents in the "cn=schema" directory:
<pre>
[root@localhost cn=schema]# ls -l
total 40
-rw-------. 1 ldap ldap 15578 Dec 16  2015 cn={0}core.ldif
</pre>
* Initial contents of the "olcDatabase={2}hdb.ldif" file:
<pre>
[root@localhost cn=config]# cat olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2e34fa34
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 356a18aa-384e-1035-958d-25b49e5bf54e
creatorsName: cn=config
createTimestamp: 20151216143659Z
entryCSN: 20151216143659.541486Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20151216143659Z
</pre>
To use the OpenLDAP directory to host Linux user accounts, you need to import three more existing schema into the slapd server: cosine, nis, and inetorgperson. You also need to update the following attributes in the "olcDatabase={2}hdb.ldif" file:
* olcSuffix - update to reflect your base context (or naming context)
* olcRootDN - update to match your naming context
* olcRootPW - add the password for authenticating as the Directory Server Manager (i.e. olcRootDN); store it as a hash generated with slappasswd, never in clear text

== Start slapd and add additional schema ==
After installing the openldap-servers rpm package, you should be able to start the OpenLDAP server slapd with the following command:
<pre>systemctl start slapd.service</pre>
To configure your system to start slapd.service at system boot, run the following command:
<pre>systemctl enable slapd.service</pre>
You can now import the three required schema. The options -Y EXTERNAL -H ldapi:/// authenticate as the local root user over the Unix socket; on a default install that is the only identity the cn=config ACL allows to modify the configuration:
<pre>
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
</pre>
Check the directory content in "/etc/openldap/slapd.d/cn=config/cn=schema":
<pre>
[root@localhost cn=config]# ls -l cn\=schema
total 40
-rw-------. 1 ldap ldap 15578 Dec 16  2015 cn={0}core.ldif
-rw-------. 1 ldap ldap 11455 Nov 22 18:34 cn={1}cosine.ldif
-rw-------. 1 ldap ldap  6587 Nov 22 18:35 cn={2}nis.ldif
-rw-------. 1 ldap ldap  2949 Nov 22 18:35 cn={3}inetorgperson.ldif
</pre>

== Check current "naming context" of the OpenLDAP directory ==
<pre>
[root@localhost cn=config]# ldapsearch -x -b '' -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
</pre>

== Changing the "naming context" i.e. olcSuffix, and update the olcRootDN and olcRootPW ==
Create the following LDIF file and name it "newbase.ldif" (replace dc=ops535,dc=com with your own domain, and generate the olcRootPW value with slappasswd):
<pre>
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ops535,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ops535,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}1Di4Suea6ojE2bFxJhLDScjQyQ97GSef
</pre>
Run the following command to perform the update:
<pre>ldapmodify -Y EXTERNAL -H ldapi:/// -f newbase.ldif</pre>
Check the content of the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif to confirm, or repeat the namingContexts search above, which should now return dc=ops535,dc=com.

== Important LDAP Commands and Sample LDIF files ==
* LDIF file for the base entry
* LDIF file for new POSIX user accounts
* ldapadd, ldapsearch, ldapdelete commands
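The olcRootPW value in newbase.ldif must be a password hash. The following Python, added here as an example and not part of the original wiki page, produces an {SSHA} value in the format slappasswd emits by default, verifies a candidate password against one, and builds the same cn=config change as newbase.ldif as a single LDIF modify record. The helper names (ssha_hash, ssha_verify, newbase_ldif) and the demo password are assumptions; the database DN olcDatabase={2}hdb,cn=config, the suffix dc=ops535,dc=com and the sample hash are the page's.

```python
"""Added example (not from the CDOT wiki page): build the olcRootPW hash and
the newbase.ldif modify record for olcDatabase={2}hdb,cn=config.

Assumption: {SSHA} is base64(SHA-1(password || salt) || salt) with a 20-byte
digest, the scheme slappasswd uses by default."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# olcRootPW value shown on the wiki page (its clear-text password is unknown)
PAGE_ROOTPW = "{SSHA}1Di4Suea6ojE2bFxJhLDScjQyQ97GSef"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style {SSHA} value suitable for olcRootPW/userPassword."""
    if salt is None:
        salt = os.urandom(8)  # short random salt, as slappasswd does
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= 20:  # need a digest plus at least one salt byte
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def newbase_ldif(suffix: str, rootdn: str, rootpw: str,
                 database_dn: str = "olcDatabase={2}hdb,cn=config") -> str:
    """Emit one LDIF modify record replacing olcSuffix/olcRootDN and adding olcRootPW.

    The page's three records are merged into one whose changes are separated
    by '-' lines, so ldapmodify applies them as a single operation."""
    # slapd only honours olcRootPW for a rootDN inside the database suffix
    # (slapd-config(5)), so catch a mismatch here rather than at bind time.
    if not rootdn.lower().endswith("," + suffix.lower()):
        raise ValueError(f"rootdn {rootdn!r} is not under suffix {suffix!r}")
    # Policy of this example: never write a clear-text rootpw into cn=config.
    if not rootpw.startswith("{"):
        raise ValueError("olcRootPW must be a hashed value such as {SSHA}...")
    lines = [
        f"dn: {database_dn}",
        "changetype: modify",
        "replace: olcSuffix",
        f"olcSuffix: {suffix}",
        "-",
        "replace: olcRootDN",
        f"olcRootDN: {rootdn}",
        "-",
        "add: olcRootPW",
        f"olcRootPW: {rootpw}",
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    demo_hash = ssha_hash("change-me")  # demo password, an assumption
    print(newbase_ldif("dc=ops535,dc=com", "cn=Manager,dc=ops535,dc=com", demo_hash))
    # write the output to newbase.ldif, then:
    #   ldapmodify -Y EXTERNAL -H ldapi:/// -f newbase.ldif
```

Feed the output to ldapmodify -Y EXTERNAL -H ldapi:/// -f newbase.ldif exactly as in the procedure above. The rootDN check is not cosmetic: a Manager DN outside the suffix is accepted by slapd but cannot authenticate with olcRootPW, which is the failure you would otherwise chase at the first ldapsearch -D.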
== Using OpenLDAP for Apache Basic Authentication ==
* In httpd.conf, configure the directory for basic authentication for Apache 2.0:
<pre>
<Directory /var/www/html/openldap>
    AuthType Basic
    AuthName "Case Network ID"
    AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server"
    AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
    AuthLDAPBindPassword "your-openldap-password"
    # All users in openldap
    require valid-user
    # Just the listed user
    # require user pma
</Directory>
</pre>
* For Apache 2.2:
<pre>
<Location /var/www/html/openldap>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Case Network ID"
    AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
    AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
    AuthLDAPBindPassword "your-openldap-password"
    Require valid-user
</Location>
</pre>
* Notes: AuthLDAPBindPassword sits in clear text in httpd.conf, so the bind identity should be a dedicated account that can only search ou=people, not a privileged one such as uid=root. An ldap:// URL carries the bind password and every user's Basic-auth password unencrypted; that is tolerable here only because the server is on 127.0.0.1. For a remote server use an ldaps:// URL (or the STARTTLS mode of AuthLDAPURL in Apache 2.2 and later).

== OpenLDAP Server and client Configuration File ==
The slapd.conf layout below predates CentOS 7; from version 7.0 the same server settings live in the cn=config directory described above, while the client files are unchanged.
# /etc/openldap/slapd.conf
## Standalone OpenLDAP server configuration file
## You should set/modify the following directives
### rootdn - DN of the LDAP server administrator account
### rootpw - password for the administrator account
### database - what back end database to use
### suffix - the DN of the base directory on the LDAP server
### directory - where to put the database
# /etc/openldap/ldap.conf
## This is the configuration file for the ldap clients. The following are ldap client programs:
### ldapadd
### ldapcompare
### ldapdelete
### ldapmodify
### ldapmodrdn
### ldappasswd
### ldapsearch
### ldapwhoami
## You could set/modify the following directives
### BASE - default search base
### URI - the server to contact, e.g. ldap://host/ or ldaps://host/
# /etc/ldap.conf
## This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module
## You could set/modify the following directives
### base
### host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space.
 
== Tools/Utilities for Testing OpenLDAP Server ==
* ldapsearch
** To display LDAP Protocol features and extensions supported by OpenLDAP, use the following ldapsearch examples:
 
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures
#
#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
 
 
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl
#
#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
 
 
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedExtension
#
#
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
 
** To display all operational attributes of the root DSE (naming contexts, supported controls, extensions and features) in one query, request "+". Binding as the rootDN with -W -D is not required for this: the anonymous searches above return the same supported* attributes, and a simple bind over ldap:// sends the Manager password in clear text unless TLS is in use.
[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#
#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
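The root DSE listings above are written for a person to read. The following Python, added here as an example and not part of the original wiki page, parses that ldapsearch LDIF output and reduces it to the questions a reviewer asks first: which naming contexts exist, whether StartTLS is offered, and which extended operations and controls are switched on. The sample text is copied from the "+" listing above; the OID constants are the standard RFC assignments (assumed to carry their standard meaning here), and the function names are assumptions.

```python
"""Added example (not from the CDOT wiki page): parse the root DSE printed by
  ldapsearch -x -b "" -s base '(objectclass=*)' +
and report what the server advertises."""
import base64
from collections import defaultdict
from typing import Dict, List

# supportedExtension OIDs (standard assignments)
STARTTLS = "1.3.6.1.4.1.1466.20037"          # RFC 4511 StartTLS
PASSWORD_MODIFY = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062
WHO_AM_I = "1.3.6.1.4.1.4203.1.11.3"         # RFC 4532
# supportedControl OIDs
PROXY_AUTHZ = "2.16.840.1.113730.3.4.18"     # RFC 4370 proxied authorization
PAGED_RESULTS = "1.2.840.113556.1.4.319"     # RFC 2696
LDAP_SYNC = "1.3.6.1.4.1.4203.1.9.1.1"       # RFC 4533 syncrepl

# Copied from the page's "+" listing; trailing search/result lines included.
ROOT_DSE_SAMPLE = """\
# extended LDIF
# requesting: +
#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, skips '#' comments,
    decodes '::' base64 values and keeps every value of multi-valued attributes.
    Only records that carry a dn are returned, which drops ldapsearch's
    trailing 'search:'/'result:' lines."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # RFC 2849 line folding
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = defaultdict(list)
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line terminates a record
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current[attr.strip()].append(value)
    if current:
        records.append(dict(current))
    return [r for r in records if "dn" in r]


def root_dse_report(entry: Dict[str, List[str]]) -> Dict[str, object]:
    """Boil the root DSE down to the capabilities that matter for hardening."""
    controls = set(entry.get("supportedControl", []))
    extensions = set(entry.get("supportedExtension", []))
    return {
        "naming_contexts": entry.get("namingContexts", []),
        "config_context": entry.get("configContext", [None])[0],
        "starttls": STARTTLS in extensions,
        "password_modify": PASSWORD_MODIFY in extensions,
        "whoami": WHO_AM_I in extensions,
        "proxied_authorization": PROXY_AUTHZ in controls,
        "paged_results": PAGED_RESULTS in controls,
        "syncrepl": LDAP_SYNC in controls,
    }


def findings(report: Dict[str, object]) -> List[str]:
    """Notes a reviewer would raise from the report."""
    notes = []
    if not report["starttls"]:
        notes.append("StartTLS not advertised: simple binds on ldap:// send passwords "
                     "in clear text; use ldapi:// locally or configure TLS.")
    if report["proxied_authorization"]:
        notes.append("Proxied Authorization control is on: keep authzTo/authzFrom "
                     "empty unless a specific identity needs to impersonate others.")
    return notes


if __name__ == "__main__":
    for note in findings(root_dse_report(parse_ldif(ROOT_DSE_SAMPLE)[0])):
        print("-", note)
```

Pipe real output in with `ldapsearch -x -b "" -s base '(objectclass=*)' + | python3 rootdse.py` after replacing the sample with `sys.stdin.read()`. On the listing above the StartTLS note fires: OpenLDAP only advertises 1.3.6.1.4.1.1466.20037 once a TLS certificate is configured, and it is absent from that server's supportedExtension values.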
 
== Tools to test the LDAP server ==
* ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
 
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
== Possible Administrative Tasks for OpenLDAP ==
* Installing OpenLDAP rpm packages or building from source
* Configuring and verifying the LDAP server
* Building an initial DIT (directory information tree) with a LDIF file
* Loading, modifying, and searching directory records
* Setting passwords and authenticating against the directory
* Configuring Access Control Lists (ACLs)
* Configuring multiple database back ends
* Securing network-based directory connections with SSL and TLS
* Advanced configurations and performance tuning settings
* Creating and implementing LDAP schemas
* Creating custom schemas and sophisticated ACLs
* Using OpenLDAP as a proxy for other LDAP servers
* Adding caching with the Proxy Cache overlay
* Using the translucent overlay to create a hybrid cache
* Installing and configuring a web-based LDAP administration suite
* Keeping multiple directory servers synchronized with SyncRepl
* Using OpenLDAP for Apache authentication
* Turning OpenLDAP syslog entries on/off

== OpenLDAP Concepts/Configuration ==
* [http://www.digitalocean.com/community/tutorials/understanding-the-ldap-protocol-data-hierarchy-and-entry-components Understanding the LDAP Protocol, Data Hierarchy, and Entry Components]
* [http://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system How to Use LDIF Files to Make Changes to an OpenLDAP System]

== More Resources ==
<b>Web site</b>
* [http://www.research.ibm.com/journal/sj/392/shi.html An Enterprise Directory Solution with DB2]
* [http://www.openldap.org/faq/index.cgi?_highlightWords=backsql&file=378 Directories vs. Relational Database Management Systems]
<b>Books</b>
* [http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services]
<b>Berkeley DB</b>
* [http://www.oracle.com/technology/documentation/berkeley-db/db/ref/toc.html Berkeley DB Reference Guide (Version: 4.6.21)]
<b>Apache authentication</b>
* [http://www.linux.com/feature/120050 Linux.com: Apache Authentication and Authorization using LDAP]
* [http://www.commandlinemac.com/article.php/2007121106103489 Apache Authentication and Authorization using LDAP (blogger)] <-- Nes: broken link??
<b>OID</b>
* [http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers Private Enterprise OID registry]
<b>Related wiki pages</b>
* [[FC10 OpenLDAP]]

[[Category:OPS535]] [[Category:LUX]] [[Category:NAD810]]