OpenLDAP Installation and Test
OpenLDAP Server and client Configuration File
OpenLDAP Server Configuration directory
Please note that the following procedure only works for CentOS Linux starting from version 7.0.
- Top of the configure directory for the OpenLDAP server slapd: /etc/openldap/slapd.d/cn=config
[root@localhost cn=schema]# ls -l /etc/openldap/slapd.d/cn\=config total 20 drwxr-x---. 2 ldap ldap 104 Nov 22 18:35 cn=schema -rw-------. 1 ldap ldap 378 Dec 16 2015 cn=schema.ldif -rw-------. 1 ldap ldap 513 Dec 16 2015 olcDatabase={0}config.ldif -rw-------. 1 ldap ldap 443 Dec 16 2015 olcDatabase={-1}frontend.ldif -rw-------. 1 ldap ldap 562 Dec 16 2015 olcDatabase={1}monitor.ldif -rw-------. 1 ldap ldap 609 Dec 16 2015 olcDatabase={2}hdb.ldif
- Some notes:
- cn=schema - contains the schema to be loaded by the slapd server.
- olcDatabase={2}hdb.ldif - the main configuration for the OpenLDAP server's database.
- Initial contents in the "cn=schema" directory:
[root@localhost cn=schema]# ls -l total 40 -rw-------. 1 ldap ldap 15578 Dec 16 2015 cn={0}core.ldif
- Initial contents in the "oldDatabase={2}hdb.ldif" file:
[root@localhost cn=config]# cat olcDatabase\=\{2\}hdb.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 2e34fa34 dn: olcDatabase={2}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=my-domain,dc=com olcRootDN: cn=Manager,dc=my-domain,dc=com olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub structuralObjectClass: olcHdbConfig entryUUID: 356a18aa-384e-1035-958d-25b49e5bf54e creatorsName: cn=config createTimestamp: 20151216143659Z entryCSN: 20151216143659.541486Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20151216143659Z
To use OpenLDAP directory to host Linux user account, you need to import three more existing schema: cosine, nis, and inetorgperson for the slapd server. You also need to update the following fields in the "olcDatabase={2}hdb.ldif" file:
- olcSuffix - update to reflect your base context (or naming context)
- olcRootDN - update to match your naming context
- olcRootPW - add (for olcRootDN)
After installing the openldap-servers rpm package, you should be able to start the OpenLDAP server slapd with the following command:
systemctl start slapd.service
To configure your system to start slapd.server at system boot, run the following command:
systemctl enable slapd.service
You can now import the three required schema:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/inetorgperson.ldif
Check the directory content in "/etc/openldap/slapd.d/cn=config/cn=schema"
[root@localhost cn=config]# ls -l cn\=schema total 40 -rw-------. 1 ldap ldap 15578 Dec 16 2015 cn={0}core.ldif -rw-------. 1 ldap ldap 11455 Nov 22 18:34 cn={1}cosine.ldif -rw-------. 1 ldap ldap 6587 Nov 22 18:35 cn={2}nis.ldif -rw-------. 1 ldap ldap 2949 Nov 22 18:35 cn={3}inetorgperson.ldif
OpenLDAP client configuration
- /etc/openldap/ldap.conf
- This is the configuration file for the ldap clients. The following are ldap client programs:
- ldapadd
- ldapcompare
- ldapdelete
- ldapmodify
- ldapmodrdn
- ldappasswd
- ldapsearch
- ldapwhoami
- You could set/modify the following directives:
- BASE
- URL
- This is the configuration file for the ldap clients. The following are ldap client programs:
- /etc/ldap.conf
- This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module
- You could set/modify the following directives:
- base
- host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space.
Important LDAP Commands and Sample LDIF files
- Base LDIF file
- POSIX User account file
- ldapadd, ldapsearch, ldapdelete command
Tools/Utilities for Testing OpenLDAP Server
- ldapsearch
- To display LDAP Protocol features and extensions supported by OpenLDAP, use the following ldapsearch examples:
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedFeatures # # dn: supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedControl # # dn: supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.334810.2.3 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedExtension # # dn: supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
- To display Supported Control, Extension, and Features
[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' + Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: + # # dn: structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: dc=ops535,dc=com supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.334810.2.3 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 supportedLDAPVersion: 3 entryDN: subschemaSubentry: cn=Subschema # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Tools to test the LDAP server
- ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: ALL # # dn: objectClass: top objectClass: OpenLDAProotDSE # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Using OpenLDAD for Apache Basic Authentication
- In httpd.conf configure the directory for basic authentication for apache 2.0
<Directory /var/www/html/openldap> AuthType Basic AuthName "Case Network ID" AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server" AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server" AuthLDAPBindPassword "your-openldap-password" # All users in openldap require valid-user # Just the listed user # require user pma </Directory>
- For apache 2.2
<Location /var/www/html/openldap> AuthType Basic AuthBasicProvider ldap AuthName "Case Network ID" AuthzLDAPAuthoritative off AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server" AuthLDAPBindPassword "your-openldap-password" Require valid-user </Location>
Reference:
Linux.com: Apache Authentication and Authorization using LDAP
Apache Authentication and Authorization using LDAP (blogger) <-- Nes: broken link??
Possible Administrative Tasks for OpenLDAP
- Installing OpenLDAP rpm packages or building from source
- Configuring and verifying the LDAP server
- Building an initial DIT (directory informationtree) with a LDIF file
- Loading, modifying, and searching directory records
- Setting passwords and authenticating against the directory
- Configuring Access Control Lists (ACLs)
- Configuring multiple database back ends
- Securing network-based directory connections with SSL and TLS
- Advanced configurations and performance tuning settings
- Creating and implementing LDAP schemas
- Creating custom schemas and sophisticated ACLs
- Using OpenLDAP as a proxy for other LDAP servers
- Adding caching with the Proxy Cache overlay
- Using the transparency overlay to create a hybrid cache
- Installing and configuring a web-base LDAP administration suite
- Keeping multiple directory servers synchronized with SyncRepl
- Using OpenLDAP for Apache authentication
- Turn on/off OpenLDAP syslog entries ==