Setup OpenLDAP server for User Authentication
= Objectives =
== OpenLDAP Server and client Configuration File ==
# /etc/openldap/slapd.conf
## Standalone OpenLDAP server (slapd) configuration file
## You should set/modify the following directives:
### rootdn - DN of the LDAP server administrator account. It bypasses every ACL, so use it for loading and administration only, never as the bind account of an application.
### rootpw - password for the administrator account. Put the hash printed by slappasswd here (e.g. a {SSHA} value), not the cleartext password, and keep the file unreadable to anyone but root and the ldap user.
### database - what back end database to use (e.g. bdb)
### suffix - the DN of the base directory on the LDAP server
### directory - where to put the database files
# /etc/openldap/ldap.conf
## Configuration file for the OpenLDAP client tools; it supplies defaults that any command-line option overrides. The ldap client programs are:
### ldapadd
### ldapcompare
### ldapdelete
### ldapmodify
### ldapmodrdn
### ldappasswd
### ldapsearch
### ldapwhoami
## You could set/modify the following directives:
### BASE - default search base, used when -b is not given
### URI - the server(s) to contact, e.g. ldap://127.0.0.1 (this is the directive's actual name; there is no URL directive, and the older HOST/PORT pair is deprecated)
### TLS_CACERT - CA certificate used to verify the server once StartTLS or ldaps:// is in use; without it a client cannot tell the real server from an impersonator
# /etc/ldap.conf
## This is the configuration file for the LDAP name service switch library (nss_ldap) and the LDAP PAM module (pam_ldap). It is a different file from /etc/openldap/ldap.conf above, and it is the one that matters for logins.
## You could set/modify the following directives:
### base - search base for user and group lookups
### host - IP or hostname of the LDAP server. If you use a hostname, it must be resolvable without using LDAP (via /etc/hosts or DNS), otherwise name resolution and LDAP lookups depend on each other and logins hang. Multiple hosts may be specified, each separated by a space.
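The slapd.conf directives at the top of this list, written out as an added example (this script is not from the original page or from the OpenLDAP project). It takes the page's suffix and rootdn, turns the password "secret" into the {SSHA} form that rootpw should hold, adds the ACL that keeps userPassword unreadable, and checks the result before it could be installed. The password, the salt, the schema include paths and the temporary output file are assumptions; the same kind of hash is what `slappasswd -s secret` prints.

```shell
#!/bin/sh
# Added example, not code from the original page: write a minimal slapd.conf
# carrying the five directives listed above, with rootpw as an {SSHA} hash
# rather than cleartext and an ACL that keeps userPassword unreadable.
# Suffix and rootdn are the page's (dc=ops535,dc=com, cn=Manager); the
# password "secret", the salt and the output path are constructed.
set -eu

# {SSHA} as slapd stores it: base64( sha1(password || salt) || salt ).
# Same format slappasswd -h '{SSHA}' produces; done with openssl here so the
# salt is visible and the value can be verified below.
ssha_hash() {   # $1 password, $2 salt
    {
        printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary
        printf '%s' "$2"
    } | openssl base64 -A
}

# Recover the salt (everything after the 20-byte digest) and recompute:
# true if $2 is the password behind the stored value.
ssha_verify() { # $1 base64 value without the {SSHA} tag, $2 candidate password
    salt=$(printf '%s' "$1" | openssl base64 -d -A | tail -c +21)
    [ "$(ssha_hash "$2" "$salt")" = "$1" ]
}

slapd_conf() {  # $1 hashed rootpw value, e.g. {SSHA}...
    cat <<EOF
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/nis.schema
pidfile   /var/run/openldap/slapd.pid

database  bdb
suffix    "dc=ops535,dc=com"
rootdn    "cn=Manager,dc=ops535,dc=com"
rootpw    $1
directory /var/lib/ldap

# The first matching "access to" wins, so this rule must precede the
# catch-all: users change their own password, anyone may bind with it,
# nobody reads it back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
EOF
}

# Checks a generated file: rootpw must be a hash, and the userPassword ACL
# must appear before the "access to *" rule.
conf_is_sane() {  # $1 path
    grep -q '^rootpw *{[A-Z]*}' "$1" || return 1
    pw=$(grep -n '^access to attrs=userPassword' "$1" | cut -d: -f1)
    all=$(grep -n '^access to \*' "$1" | cut -d: -f1)
    [ -n "$pw" ] && [ -n "$all" ] && [ "$pw" -lt "$all" ]
}

SALT=$(openssl rand -hex 4)
HASH="{SSHA}$(ssha_hash secret "$SALT")"
OUT=$(mktemp)
slapd_conf "$HASH" > "$OUT"
conf_is_sane "$OUT"
chmod 640 "$OUT"          # on the real file: owner root, group ldap, never world-readable
echo "wrote $OUT with rootpw $HASH"
# Syntax-check with slaptest when the server package is installed
# (-u skips opening the database; the include paths must exist).
if command -v slaptest >/dev/null 2>&1; then
    slaptest -u -f "$OUT" || echo "slaptest failed: adjust include paths" >&2
fi
```

slapd accepts any salt length after the digest, which is why ssha_verify slices at byte 21 instead of assuming slappasswd's 4-byte default.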
== Important LDAP Commands and Sample LDIF files ==
* Base LDIF file
* POSIX User account file
* ldapadd, ldapsearch, ldapdelete commands
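An added example for the three items above, not code from the original page: it generates the base LDIF and a POSIX user LDIF for the page's suffix, checks the user entry before loading, and runs ldapadd/ldapsearch/ldapdelete only when a slapd answers on localhost. The user jdoe, its uid/gid numbers and the {SSHA} placeholder (to be replaced with slappasswd output) are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: the two LDIF files the page
# lists (base entry and a POSIX user) and the ldapadd/ldapsearch/ldapdelete
# calls that load, find and remove them. Suffix and rootdn are the page's
# (dc=ops535,dc=com, cn=Manager); the user "jdoe", its uid/gid numbers and
# the password hash placeholder are constructed sample data.
set -eu

SUFFIX="dc=ops535,dc=com"
ROOTDN="cn=Manager,${SUFFIX}"
PEOPLE="ou=People,${SUFFIX}"

# Base LDIF: the suffix entry itself plus a container for user accounts.
base_ldif() {
    cat <<EOF
dn: ${SUFFIX}
objectClass: dcObject
objectClass: organization
dc: ops535
o: OPS535

dn: ${PEOPLE}
objectClass: organizationalUnit
ou: People
EOF
}

# POSIX user LDIF: posixAccount gives nss_ldap the passwd(5) fields,
# shadowAccount gives pam_ldap the aging fields. Arguments:
#   $1 login  $2 uidNumber  $3 gidNumber  $4 password hash
# The hash must come from slappasswd (e.g. `slappasswd -s secret`); a
# cleartext userPassword is readable by anyone the ACLs let read the attribute.
user_ldif() {
    cat <<EOF
dn: uid=$1,${PEOPLE}
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
cn: $1
sn: $1
uid: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
userPassword: $4
EOF
}

# Sanity check before loading: the entry must carry what nss_ldap needs and
# must not carry a cleartext password (a hash always starts with a {SCHEME} tag).
check_user_ldif() {   # $1 path to an LDIF file
    grep -q '^objectClass: posixAccount$' "$1" &&
    grep -q '^uidNumber: [0-9][0-9]*$' "$1" &&
    grep -q '^homeDirectory: /' "$1" &&
    grep -q '^userPassword: {' "$1"
}

WORK=$(mktemp -d)
base_ldif > "$WORK/base.ldif"
user_ldif jdoe 1001 1001 '{SSHA}PLACEHOLDER-paste-slappasswd-output' > "$WORK/jdoe.ldif"
check_user_ldif "$WORK/jdoe.ldif"

# Only talk to a server if one answers anonymously on localhost.
if ldapsearch -x -LLL -b "" -s base namingContexts >/dev/null 2>&1; then
    ldapadd    -x -W -D "$ROOTDN" -f "$WORK/base.ldif"
    ldapadd    -x -W -D "$ROOTDN" -f "$WORK/jdoe.ldif"
    ldapsearch -x -LLL -b "$PEOPLE" '(uid=jdoe)' uidNumber homeDirectory
    # with a real hash in place, `ldapwhoami -x -W -D "uid=jdoe,$PEOPLE"`
    # proves the stored password works before pam_ldap depends on it
    ldapdelete -x -W -D "$ROOTDN" "uid=jdoe,${PEOPLE}"
else
    echo "no slapd on localhost; LDIF left in $WORK" >&2
fi
```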
== Tools/Utilities for Testing OpenLDAP Server ==
* ldapsearch
** The three searches below read the rootDSE (empty base DN, scope base), which slapd serves to anonymous clients by design, so `-x` without `-D` is enough. Each attribute lists OIDs; the meaning of an OID is in the RFC that defines it. To display the LDAP protocol features, controls and extensions supported by OpenLDAP, use the following ldapsearch examples:
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures
#
#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl
#
#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedExtension
#
#
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
** To display the supported controls, extensions and features together with the rootDSE's other operational attributes (namingContexts, configContext, supportedLDAPVersion), request `+`, the "all operational attributes" shorthand advertised as feature 1.3.6.1.4.1.4203.1.5.1 above. Binding as the Manager is not needed for this; it is done here to exercise the rootdn password as well:
[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#
#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
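Reading the outputs above as a security check: the StartTLS extension (OID 1.3.6.1.4.1.1466.20037, RFC 4511) is not among the supportedExtension values, so this server offers no transport protection and the `-x -W` binds on this page send the Manager password in cleartext, which is acceptable on 127.0.0.1 only. Password Modify (1.3.6.1.4.1.4203.1.11.1) and Who am I? (1.3.6.1.4.1.4203.1.11.3) are advertised. The script below, an added example and not part of the original page, automates that reading: it fetches the rootDSE anonymously the same way the searches above do, falls back to a trimmed copy of the page's own output when no server is reachable, and fails when StartTLS is absent. LDAPURI is an assumed environment variable for pointing it at another server.

```shell
#!/bin/sh
# Added example, not code from the original page: read the rootDSE the way
# the searches above do and report which security-relevant extensions and
# controls the server advertises. SAMPLE_ROOTDSE is a trimmed copy of the
# page's own output so the check also runs offline; LDAPURI is an assumed
# environment variable.
set -eu

STARTTLS_OID="1.3.6.1.4.1.1466.20037"     # StartTLS, RFC 4511
PASSMOD_OID="1.3.6.1.4.1.4203.1.11.1"     # Password Modify, RFC 3062
WHOAMI_OID="1.3.6.1.4.1.4203.1.11.3"      # Who am I?, RFC 4532
PAGED_OID="1.2.840.113556.1.4.319"        # Simple Paged Results, RFC 2696
PROXYAUTHZ_OID="2.16.840.1.113730.3.4.18" # Proxied Authorization, RFC 4370

SAMPLE_ROOTDSE='dn:
namingContexts: dc=ops535,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.2.840.113556.1.4.319
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedLDAPVersion: 3'

# Anonymous base-scope search of the empty DN with "+" for the operational
# attributes; -LLL drops ldapsearch's comment lines. Falls back to the sample
# when no server answers (or the tools are not installed).
get_rootdse() {
    ldapsearch -x -LLL -H "${LDAPURI:-ldap://127.0.0.1}" -b "" -s base \
        '(objectclass=*)' + 2>/dev/null || printf '%s\n' "$SAMPLE_ROOTDSE"
}

# True if the rootDSE on stdin contains the exact line "<attr>: <oid>".
advertises() {   # $1 attribute name, $2 OID
    grep -q -F -x "$1: $2"
}

# Prints one "Name: yes|no" line per capability. Returns 1 when StartTLS is
# missing: then every -x -W simple bind crosses the wire in cleartext and
# /etc/ldap.conf on other hosts must not point at this server.
check_rootdse() {
    dse=$(cat)
    rc=0
    for spec in "supportedExtension $STARTTLS_OID StartTLS" \
                "supportedExtension $PASSMOD_OID PasswordModify" \
                "supportedExtension $WHOAMI_OID WhoAmI" \
                "supportedControl $PAGED_OID PagedResults" \
                "supportedControl $PROXYAUTHZ_OID ProxyAuthz"; do
        set -- $spec
        if printf '%s\n' "$dse" | advertises "$1" "$2"; then
            echo "$3: yes"
        else
            echo "$3: no"
            if [ "$3" = StartTLS ]; then rc=1; fi
        fi
    done
    return $rc
}

get_rootdse | check_rootdse ||
    echo "WARNING: no StartTLS advertised; keep this server on localhost or configure TLS" >&2
```

Run it against a server that has TLSCertificateFile and friends configured and the StartTLS line flips to yes; that is the precondition for enabling TLS in /etc/ldap.conf and for the Apache bind below to carry its password safely off-host.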
== Tools to test the LDAP server ==
* ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
** This search is bound as the rootdn, so a `result: 0 Success` after the password prompt confirms the rootdn/rootpw pair in slapd.conf, which the anonymous searches above never test (a wrong password returns Invalid credentials instead). `ldapwhoami -x -W -D 'cn=Manager,dc=ops535,dc=com'` is the shorter way to check the same thing. Without `+` only the rootDSE's user attributes come back:
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
== Using OpenLDAP for Apache Basic Authentication ==
* In httpd.conf configure the directory for basic authentication for apache 2.0 (mod_auth_ldap)
<Directory /var/www/html/openldap>
AuthType Basic
AuthName "Case Network ID"
AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server"
# Account Apache binds as to find the user's entry before it rebinds with the
# user's own password. It needs read access to ou=people and nothing more;
# never use the slapd rootdn here.
AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
AuthLDAPBindPassword "your-openldap-password"
# All users in openldap
require valid-user
# Just the listed user
# require user pma
</Directory>
* For apache 2.2 (mod_authnz_ldap). Note that <Location> takes a URL path, not a filesystem path; keep <Directory> if you want to name the directory on disk.
<Location /openldap>
AuthType Basic
AuthBasicProvider ldap
AuthName "Case Network ID"
# off: when LDAP cannot decide, let the next authorization module try;
# set to on when LDAP is the only source of users
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
AuthLDAPBindPassword "your-openldap-password"
Require valid-user
</Location>
* AuthLDAPBindPassword sits in cleartext in httpd.conf, so the file must not be world-readable. A plain ldap:// URL is acceptable only because the server is on 127.0.0.1; with a remote directory every user's password would cross the network in the clear, so use ldaps:// or StartTLS there.
Reference: [http://www.linux.com/feature/120050 Apache Authentication and Authorization using LDAP]
Reference: [http://www.commandlinemac.com/article.php/2007121106103489 Apache Authentication and Authorization using LDAP]
== Possible Administrative Tasks for OpenLDAP ==
* Installing OpenLDAP rpm packages or building from source
* Configuring and verifying the LDAP server
* Building an initial DIT (directory information tree) from an LDIF file
* Loading, modifying, and searching directory records
* Setting passwords and authenticating against the directory
* Configuring Access Control Lists (ACLs)
* Configuring multiple database back ends
* Securing network-based directory connections with SSL and TLS
* Advanced configurations and performance tuning settings
* Creating and implementing LDAP schemas
* Creating custom schemas and sophisticated ACLs
* Using OpenLDAP as a proxy for other LDAP servers
* Adding caching with the Proxy Cache overlay
* Using the transparency overlay to create a hybrid cache
* Installing and configuring a web-based LDAP administration suite
* Keeping multiple directory servers synchronized with SyncRepl
* Using OpenLDAP for Apache authentication
* Turning OpenLDAP syslog entries on and off
== More Resources ==
<b>Web site</b>
[http://www.research.ibm.com/journal/sj/392/shi.html An Enterprise Directory Solution with DB2]
[http://www.openldap.org/faq/index.cgi?_highlightWords=backsql&file=378 Directories vs. Relational Database Management Systems]
<b>Books</b>
[http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services]
[http://www.oracle.com/technology/documentation/berkeley-db/db/ref/toc.html Berkeley DB Reference Guide (Version: 4.6.21) ]