NAD810 LDAP Server
Setup OpenLDAP server for User Authentication
Objectives
OpenLDAP Server and client Configuration File
- /etc/openldap/slapd.conf
- Standalone OpenLDAP server configuration file
- You should set/modify the following directives
- rootdn - DN of the LDAP server administrator account
- rootpw - password for the administrator account
- database - what back end database to use
- suffix - the DN of the base directory on the LDAP server
- directory - where to put the database
- /etc/openldap/ldap.conf
- This is the configuration file for the ldap clients. The following are ldap client programs:
- ldapadd
- ldapcompare
- ldapdelete
- ldapmodify
- ldapmodrdn
- ldappasswd
- ldapsearch
- ldapwhoami
- You could set/modify the following directives:
- BASE
- URL
- This is the configuration file for the ldap clients. The following are ldap client programs:
- /etc/ldap.conf
- This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module
- You could set/modify the following directives:
- base
- host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space.
Important LDAP Commands and Sample LDIF files
- Base LDIF file
- POSIX User account file
- ldapadd, ldapsearch, ldapdelete command
Tools/Utilities for Testing OpenLDAP Server
- ldapsearch
- To display LDAP Protocol features and extensions supported by OpenLDAP, use the following ldapsearch examples:
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedFeatures # # dn: supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedControl # # dn: supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.334810.2.3 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedExtension # # dn: supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
- To display Supported Control, Extension, and Features
[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' + Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: + # # dn: structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: dc=ops535,dc=com supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.334810.2.3 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 supportedLDAPVersion: 3 entryDN: subschemaSubentry: cn=Subschema # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Tools to test the LDAP server
- ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: ALL # # dn: objectClass: top objectClass: OpenLDAProotDSE # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Using OpenLDAD for Apache Basic Authentication
- In httpd.conf configure the directory for basic authentication for apache 2.0
<Directory /var/www/html/openldap> AuthType Basic AuthName "Case Network ID" AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server" AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server" AuthLDAPBindPassword "your-openldap-password" # All users in openldap require valid-user # Just the listed user # require user pma </Directory>
- For apache 2.2
<Location /var/www/html/openldap> AuthType Basic AuthBasicProvider ldap AuthName "Case Network ID" AuthzLDAPAuthoritative off AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server" AuthLDAPBindPassword "your-openldap-password" Require valid-user </Location>
Reference: Apache Authentication and Authorization using LDAP
Possible Administrative Tasks for OpenLDAP
- Installing OpenLDAP rpm packages or building from source
- Configuring and verifying the LDAP server
- Building an initial DIT (directory informationtree) with a LDIF file
- Loading, modifying, and searching directory records
- Setting passwords and authenticating against the directory
- Configuring Access Control Lists (ACLs)
- Configuring multiple database back ends
- Securing network-based directory connections with SSL and TLS
- Advanced configurations and performance tuning settings
- Creating and implementing LDAP schemas
- Creating custom schemas and sophisticated ACLs
- Using OpenLDAP as a proxy for other LDAP servers
- Adding caching with the Proxy Cache overlay
- Using the transparency overlay to create a hybrid cache
- Installing and configuring a web-base LDAP administration suite
- Keeping multiple directory servers synchronized with SyncRepl
- Using OpenLDAP for Apache authentication
- Turn on/off OpenLDAP syslog entries ==
More Resources
Web site
An Enterprise Directory Solution with DB2
Directories vs. Relational Database Management Systems
Books
Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services