OpenLDAP installation and configuration: Difference between revisions

The educational technology and digital learning wiki
Jump to navigation Jump to search
Line 121: Line 121:


== Access control ==
== Access control ==
 
(not really complete)


OpenLDAP 2.0 contains two methods for specifying access control. The first is static, i.e. you define the rights in configuration files. wo other advantages of this method is that it should be more efficient in most cases and that the rules, being static, cannot be changed by external means using LDAP so it should be more secure. From an operational point of view, the problem of this method is that needs a server restart at every ACL change. (From the [http://www.openldap.org/faq/data/cache/448.html FAQ])
OpenLDAP 2.0 contains two methods for specifying access control. The first is static, i.e. you define the rights in configuration files. wo other advantages of this method is that it should be more efficient in most cases and that the rules, being static, cannot be changed by external means using LDAP so it should be more secure. From an operational point of view, the problem of this method is that needs a server restart at every ACL change. (From the [http://www.openldap.org/faq/data/cache/448.html FAQ])
Line 136: Line 136:
  olcAccess: to <what> [ by <who> <accesslevel> <control> ]+
  olcAccess: to <what> [ by <who> <accesslevel> <control> ]+


is a different way of doing it
is a different way of doing it. You should read these olcAccess statements as ldif notation of an LDAP attribute.


* Read [http://www.openldap.org/doc/admin24/slapdconf2.html#Access%20Control the Access Control Chapter] of the manual.
* Read [http://www.openldap.org/doc/admin24/slapdconf2.html#Access%20Control the Access Control Chapter] of the manual.

Revision as of 14:24, 27 February 2008

Draft

Introduction

OpenLDAP is the most popular free LDAP server. Documentation is not obvious for beginners, i.e. it takes some time learn how to install and configure a production server.

OpenLDAP 2.x software implements version 3 of LDAP (RFC 4510)

Configuration notes for solaris 10

There is an OpenLDAP version included in a typical installation. You can find it here:

/opt/sfw
/opt/sfw/sbin  - links to binaries
/opt/sfw/libexec - binaries
/opt/sfw/etc/openldap - configuration files
/opt/sfw/var/openldap-data - default data 
/opt/sfw/var/run - PID of the server
Binaires in /opt/sfw/sbin
slapadd -> ../libexec/slapd
slapcat -> ../libexec/slapd
slapdn -> ../libexec/slapd
slapindex -> ../libexec/slapd
slappasswd -> ../libexec/slapd
slaptest -> ../libexec/slapd
slapcat -> ../libexec/slapd
slapdn -> ../libexec/slapd
slapindex -> ../libexec/slapd
slappasswd -> ../libexec/slapd
slaptest -> ../libexec/slapd

The configuration file

Location:

/opt/sfw/etc/openldap/sladpd.conf

You will have to define

  • What schemas to load in
  • Where datafiles and pidfile etc. go
  • What users are allowed to do

Here is a fictional example (comments taken away from the original):

include		/opt/sfw/etc/openldap/schema/core.schema
include		/opt/sfw/etc/openldap/schema/cosine.schema
include		/opt/sfw/etc/openldap/schema/inetorgperson.schema
include		/opt/sfw/etc/openldap/schema/nis.schema
# Add your own
include		/opt/sfw/etc/openldap/schema/tecfa.schema

pidfile		/opt/sfw/var/run/slapd.pid
argsfile	/opt/sfw/var/run/slapd.args

security ssf=1 update_ssf=112 simple_bind=64

access to attr=userpassword
            by self write
            by anonymous auth
access to *
            by self write
            by users read
	    by anonymous read
database	bdb
# Suffix and root dn, adjust to your own organization
suffix		"o=tecfa.unige.ch"
rootdn		"uid=root, o=tecfa.unige.ch"
rootpw		secret
directory	/opt/sfw/var/openldap-data
index	objectClass	eq

You may want to put the data and schema files in some other place than the default, since you may by mistake kill them after an upgrade of the system. e.g. I used /var/openldap instead of /open/sfw/var/

Importing an LDIF file

/opt/sfw/sbin/slapadd -v -l your-ldif-file.ldif

The startup script

To start/stop automatically the server you can write a script like this, put it in /etc/init.d and then make links from /etc/rc3.d, /etc/rc0.d etc.

 ....


Notes for Ubuntu 4.1

OpenLDAP is distributed through the Synaptic Package Manager.

  • The installer will ask the rootdn password.
  • It also will automatically launch the LDAP server (use Menu System->Administration->Services to stop it again)

Configuration files are in:

/etc/ldap/

Operational attributes

There exist so-called operational attributes like "modifyTimestamp". They are not returned unless you specifically request it. You must also have the appropriate permission to view the attribute.

In OpenLDAP, you can ask for "+" to fetch all the operational attributes for an entry. That would look something like this:

   ldapsearch -LLL -W -D "cn=Manager,dc=example,dc=com" -b
   "cn=Christoph,ou=People,dc=dexample,dc=com" "(objectClass=*)" '+'

Or just ask for the "modifyTimestamp" attribute by name. The "+" is similar in concept to the "*" which returns all the non-operational attributes.

Testing with a client

To connect to your LDAP server, make sure that the port is open both on your client machine and the server machine. By default LDAP uses port 389.

We suggest to install "Apache Directory Studio". To configure a connection to an LDAP server: Menu->LDAP->New connection

In the Authentication tab enter:

Bind DN or user: <the root dn you defined above>

Access control

(not really complete)

OpenLDAP 2.0 contains two methods for specifying access control. The first is static, i.e. you define the rights in configuration files. wo other advantages of this method is that it should be more efficient in most cases and that the rules, being static, cannot be changed by external means using LDAP so it should be more secure. From an operational point of view, the problem of this method is that needs a server restart at every ACL change. (From the FAQ)

The second method for access control inserts access control information inside the directory itself. Unfortunately, the standard for doing this in a way that is interoperable between servers of different vendors (this did not matter in the static config case) has not been finished and exists only as an Internet Draft (i.e. no RFC has been published and the specification might not even get enough consensus for an RFC to be published ever). (From the FAQ)

Via the old method (static)

Via the new method (inside the LDAP)

olcAccess: to <what> [ by <who> <accesslevel> <control> ]+

is a different way of doing it. You should read these olcAccess statements as ldif notation of an LDAP attribute.

  • Type man slapd.access

Links