NAD810 LDAP Server

From CDOT Wiki
Revision as of 14:36, 17 February 2009 by Cheping (talk | contribs) (More Resources)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Setup OpenLDAP server for User Authentication

Objectives

OpenLDAP Server and client Configuration File

  1. /etc/openldap/slapd.conf
    1. Standalone OpenLDAP server configuration file
    2. You should set/modify the following directives
      1. rootdn - DN of the LDAP server administrator account
      2. rootpw - password for the administrator account
      3. database - what back end database to use
      4. suffix - the DN of the base directory on the LDAP server
      5. directory - where to put the database
  2. /etc/openldap/ldap.conf
    1. This is the configuration file for the ldap clients. The following are ldap client programs:
      1. ldapadd
      2. ldapcompare
      3. ldapdelete
      4. ldapmodify
      5. ldapmodrdn
      6. ldappasswd
      7. ldapsearch
      8. ldapwhoami
    2. You could set/modify the following directives:
      1. BASE
      2. URL
  3. /etc/ldap.conf
    1. This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module
    2. You could set/modify the following directives:
      1. base
      2. host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space.

Important LDAP Commands and Sample LDIF files

  • Base LDIF file
  • POSIX User account file
  • ldapadd, ldapsearch, ldapdelete command

Tools/Utilities for Testing OpenLDAP Server

  • ldapsearch
    • To display LDAP Protocol features and extensions supported by OpenLDAP, use the following ldapsearch examples:
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures 
#

#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl 
# 

#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedExtension 
# 

#
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
    • To display Supported Control, Extension, and Features
[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' +
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: + 
# 

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Tools to test the LDAP server

  • ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Using OpenLDAD for Apache Basic Authentication

  • In httpd.conf configure the directory for basic authentication for apache 2.0
 <Directory /var/www/html/openldap>
 AuthType Basic
 AuthName "Case Network ID"
 AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 # All users in openldap
 require valid-user
 # Just the listed user
 # require user pma
 </Directory>
  • For apache 2.2
 <Location /var/www/html/openldap>
 AuthType Basic
 AuthBasicProvider ldap
 AuthName "Case Network ID"
 AuthzLDAPAuthoritative off
 AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 Require valid-user
 </Location>

Reference: Apache Authentication and Authorization using LDAP

Possible Administrative Tasks for OpenLDAP

  • Installing OpenLDAP rpm packages or building from source
  • Configuring and verifying the LDAP server
  • Building an initial DIT (directory informationtree) with a LDIF file
  • Loading, modifying, and searching directory records
  • Setting passwords and authenticating against the directory
  • Configuring Access Control Lists (ACLs)
  • Configuring multiple database back ends
  • Securing network-based directory connections with SSL and TLS
  • Advanced configurations and performance tuning settings
  • Creating and implementing LDAP schemas
  • Creating custom schemas and sophisticated ACLs
  • Using OpenLDAP as a proxy for other LDAP servers
  • Adding caching with the Proxy Cache overlay
  • Using the transparency overlay to create a hybrid cache
  • Installing and configuring a web-base LDAP administration suite
  • Keeping multiple directory servers synchronized with SyncRepl
  • Using OpenLDAP for Apache authentication
  • Turn on/off OpenLDAP syslog entries ==

More Resources

Web site

An Enterprise Directory Solution with DB2

Directories vs. Relational Database Management Systems

Books

Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services

Berkeley DB Reference Guide (Version: 4.6.21)