OpenLDAP installation and configuration: Difference between revisions
m (using an external editor) |
m (using an external editor) |
||
Line 73: | Line 73: | ||
You may want to put the data and schema files in some other place than the default, since you may by mistake kill them after an upgrade of the system. e.g. I used /var/openldap instead of /open/sfw/var/ | You may want to put the data and schema files in some other place than the default, since you may by mistake kill them after an upgrade of the system. e.g. I used /var/openldap instead of /open/sfw/var/ | ||
=== The Root DSE === | |||
The LDAP protocol assumes there are one or more servers that jointly provide access to a Directory Information Tree (DIT). At the root of the DIT is a DSA-specific Entry (DSE) and it is not part of any naming context. The root DSE (DSA-specific Entry) data can be retrieved from an LDAPv3 server by doing a base-level search with a null BaseDN and with filter ObjectClass=*. The root DSE publishes information about the LDAP server including which LDAP versions it supports, any supported SASL mechanisms, supported controls as well as the DN for its subschemaSubentry. In addition to server information, operational attributes may be exposed that allow for extended administration functionality. | |||
Bascially, if you use client software such as an LDAP browser, it will access this information. | |||
=== Importing an LDIF file === | === Importing an LDIF file === | ||
/opt/sfw/sbin/slapadd -v -l your-ldif-file.ldif | /opt/sfw/sbin/slapadd -v -l your-ldif-file.ldif | ||
=== Testing === | |||
* you can test your LDAP through an LDPA client like [http://directory.apache.org/studio/ Apache Directory Studio] | |||
* Else, you may have the command line [http://docs.sun.com/source/816-6400-10/lsearch.html ldapsearch] installed. More difficult, but a better bet for debugging. | |||
ldapsearch -b <starting point> -D <user dn for connecting> -w - filter | |||
Example: | |||
ldapsearch -b "o=tecfa.unige.ch" -D "uid=root,o=tecfa.unige.ch" -w - "uid=joemiller" | |||
''-w -'' will have it prompt for a password. | |||
=== The startup script === | === The startup script === | ||
Line 321: | Line 340: | ||
* [http://www.openldap.org/faq OpenLDAP FAQ] | * [http://www.openldap.org/faq OpenLDAP FAQ] | ||
* [http://www.openldap.org/doc | * [http://www.zytrax.com/books/ldap/apd/ LDAP Glossary] | ||
* [http://www.zytrax.com/books/ LDAP for Rocket Scientists] | |||
* [http://www.openldap.org/doc/ OpenLDAP Software 2.0 - 2.4 Administrator's Guides] | |||
** tip: Use the 1HTML version to search through the page... | |||
* [http://www.bind9.net/manual/openldap/2.3/slapdconf2.html Configuring slapd] (version 2.3 on Feb 2008). | * [http://www.bind9.net/manual/openldap/2.3/slapdconf2.html Configuring slapd] (version 2.3 on Feb 2008). |
Revision as of 16:40, 9 September 2008
Introduction
OpenLDAP is the most popular free LDAP server. Documentation is not obvious for beginners, i.e. it takes some time learn how to install and configure a production server.
OpenLDAP 2.x software implements version 3 of LDAP (RFC 4510)
Configuration notes for solaris 10
There is an OpenLDAP version included in a typical installation. You can find it here:
/opt/sfw /opt/sfw/sbin - links to binaries /opt/sfw/libexec - binaries /opt/sfw/etc/openldap - configuration files /opt/sfw/var/openldap-data - default data /opt/sfw/var/run - PID of the server
- Binaires in /opt/sfw/sbin
slapadd -> ../libexec/slapd slapcat -> ../libexec/slapd slapdn -> ../libexec/slapd slapindex -> ../libexec/slapd slappasswd -> ../libexec/slapd slaptest -> ../libexec/slapd slapcat -> ../libexec/slapd slapdn -> ../libexec/slapd slapindex -> ../libexec/slapd slappasswd -> ../libexec/slapd slaptest -> ../libexec/slapd
The configuration file
Location:
/opt/sfw/etc/openldap/sladpd.conf
You will have to define
- What schemas to load in
- Where datafiles and pidfile etc. go
- What users are allowed to do
Here is a fictional example (comments taken away from the original):
include /opt/sfw/etc/openldap/schema/core.schema include /opt/sfw/etc/openldap/schema/cosine.schema include /opt/sfw/etc/openldap/schema/inetorgperson.schema include /opt/sfw/etc/openldap/schema/nis.schema # Add your own include /opt/sfw/etc/openldap/schema/tecfa.schema pidfile /opt/sfw/var/run/slapd.pid argsfile /opt/sfw/var/run/slapd.args security ssf=1 update_ssf=112 simple_bind=64 access to attr=userpassword by self write by anonymous auth access to * by self write by users read by anonymous read database bdb # Suffix and root dn, adjust to your own organization suffix "o=tecfa.unige.ch" rootdn "uid=root, o=tecfa.unige.ch" rootpw secret directory /opt/sfw/var/openldap-data index objectClass eq
You may want to put the data and schema files in some other place than the default, since you may by mistake kill them after an upgrade of the system. e.g. I used /var/openldap instead of /open/sfw/var/
The Root DSE
The LDAP protocol assumes there are one or more servers that jointly provide access to a Directory Information Tree (DIT). At the root of the DIT is a DSA-specific Entry (DSE) and it is not part of any naming context. The root DSE (DSA-specific Entry) data can be retrieved from an LDAPv3 server by doing a base-level search with a null BaseDN and with filter ObjectClass=*. The root DSE publishes information about the LDAP server including which LDAP versions it supports, any supported SASL mechanisms, supported controls as well as the DN for its subschemaSubentry. In addition to server information, operational attributes may be exposed that allow for extended administration functionality.
Bascially, if you use client software such as an LDAP browser, it will access this information.
Importing an LDIF file
/opt/sfw/sbin/slapadd -v -l your-ldif-file.ldif
Testing
- you can test your LDAP through an LDPA client like Apache Directory Studio
- Else, you may have the command line ldapsearch installed. More difficult, but a better bet for debugging.
ldapsearch -b <starting point> -D <user dn for connecting> -w - filter
Example:
ldapsearch -b "o=tecfa.unige.ch" -D "uid=root,o=tecfa.unige.ch" -w - "uid=joemiller"
-w - will have it prompt for a password.
The startup script
To start/stop automatically the server you can write a script like this, put it in /etc/init.d and then make links from /etc/rc3.d, /etc/rc0.d etc.
#!/bin/sh STARTCMD="/opt/sfw/libexec/slapd" LISTENPORTS="ldap:/// ldaps:///" STOPCMD="kill -INT `cat /var/openldap/run/slapd.pid`" # These are some string we reuse to give feedback. DESC="OpenLDAP standalone Deamon (slapd)" ERRORMSG="!!!! ERROR:" # This is used to see if slapd is running. Contains null if it doesn't # or a process description if it does. ISRUNNING=`cat /var/openldap/run/slapd.pid` # Now we check for the argument given on command line # and act unpon its value case "$1" in 'start') # We test if the server is not already running if [ -z "$ISRUNNING" ] ; then # We test if the server is effectively started when the command is issued. if $STARTCMD -h "$LISTENPORTS" ; then echo "$DESC started" ; else echo "$ERRORMSG $DESC could not be started" exit ; fi else echo "$ERRORMSG $DESC is already running" ; fi ;; 'stop') # We test if the server is already running if [ ! -z "$ISRUNNING" ] ; then # We test if the server is effectively stopped when the command is issued. if $STOPCMD ; then echo "$DESC stopped" ; else echo "$ERROR $DESC could not be stopped" ; fi else echo "$ERRORMSG $DESC is not running" exit ; fi ;; 'restart') # We test if the server is already running if [ ! -z "$ISRUNNING" ] ; then # We test if the server is effectively stopped when the command is issued. if $STOPCMD ; then # We test if the server is effectively started when the command is issued. if $STARTCMD -h "$LISTENPORTS" ; then echo "$DESC restarted" ; else echo "$ERRORMSG $DESC stopped but not restarted" exit ; fi else echo "$ERRORMSG $DESC could not be stopped (and hence not restarted)" exit ; fi else echo "$DESC is not running: Starting" ; if $STARTCMD -h "$LISTENPORTS" ; then echo "$DESC started" ; else echo "$ERRORMSG $DESC could not be started" exit ; fi fi ;; 'debug') # We test if the server is already running if [ ! -z "$ISRUNNING" ] ; then echo "Server was running: stopping" if $STOPCMD ; then echo "STOPPED" ; else echo "$ERRORMSG $DESC could not be stopped" exit ; fi fi # we look if a second argument is given for debug level if [ -z "$2" ] then LOGLEVEL="4095" ; else LOGLEVEL="$2" ; fi echo "attempting to start $DESC" echo "in debug mode with loglevel $LOGLEVEL" echo echo "terminal will remain open if it succeeds" echo "exit with CTRL-C" # Starting the server in debug mode if $STARTCMD -d $LOGLEVEL -h "$LISTENPORTS" ; then # this is a little tricky because the message outputs only # when Ctrl-C is issued. echo "$DESC STOPPED..." ; else echo echo echo "!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "$ERRORMSG $DESC could not be started in debug mode" echo "$ERRORMSG or has exited abnormaly" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "Check for error messages in the debug trace" echo exit ; fi ;; *) # We show how to use that script if the given argument is not recognized. echo "**************************************************************************" echo "* Usage : /etc/init.d/openldap.server {start|stop|restart [debug_level]} *" echo "**************************************************************************" ;; esac
See also on the Internet, e.g. OpenLDAP Start/stop script from LinAgora.org.
Notes for Ubuntu 4.1
OpenLDAP is distributed through the Synaptic Package Manager.
- The installer will ask the rootdn password.
- It also will automatically launch the LDAP server (use Menu System->Administration->Services to stop it again)
Configuration files are in:
/etc/ldap/
Operational attributes
There exist so-called operational attributes like "modifyTimestamp". They are not returned unless you specifically request it. You must also have the appropriate permission to view the attribute.
In OpenLDAP, you can ask for "+" to fetch all the operational attributes for an entry. That would look something like this:
ldapsearch -LLL -W -D "cn=Manager,dc=example,dc=com" -b "cn=Christoph,ou=People,dc=dexample,dc=com" "(objectClass=*)" '+'
Or just ask for the "modifyTimestamp" attribute by name. The "+" is similar in concept to the "*" which returns all the non-operational attributes.
Testing with a client
To connect to your LDAP server, make sure that the port is open both on your client machine and the server machine. By default LDAP uses port 389.
We suggest to install "Apache Directory Studio". To configure a connection to an LDAP server: Menu->LDAP->New connection
In the Authentication tab enter:
Bind DN or user: <the root dn you defined above>
Access control (ACL)
(not really complete)
OpenLDAP 2.0 contains two methods for specifying access control. The first is static, i.e. you define the rights in configuration files. wo other advantages of this method is that it should be more efficient in most cases and that the rules, being static, cannot be changed by external means using LDAP so it should be more secure. From an operational point of view, the problem of this method is that needs a server restart at every Access contol (ACL) change. (From the FAQ, Configuration / SLAPD Configuration)
The second method for access control inserts access control information inside the directory itself. Unfortunately, the standard for doing this in a way that is interoperable between servers of different vendors (this did not matter in the static config case) has not been finished and exists only as an Internet Draft (i.e. no RFC has been published and the specification might not even get enough consensus for an RFC to be published ever). (From the FAQ)
Ok, let's have a look at a few ACL patterns:
Firstly you need to know about two principles:
- The general rule is: write special access rules first, generic access rules last.
- Never write more than a single rule about something. E.g. you can't have two rules rules that define acces to *.
By default, anyone and everyone can read anything but but only the rootdn can make any updates (need to verify this). This implicit rule could be made explicit like this:
access to * by * read
First rule you may concerns the user passwords. Users can update but not read their password and anonymous users can authenticate (else no user can log in).
access to attrs=userpassword by self =xw by anonymous auth
"self" refers to the user.
The following rule means that the owners have full access to their entry and users can read everything. This is something you probably don't want, i.e. you might want to show some information (e.g. homepages or email addresses to a public at large (anonymous readers)
access to * by anonymous none by self write by users read
The following allows anonymous users to read
Via the old method (static)
access to <what> [ by <who> <access> [ <control> ] ]+
- Read 5.2 Securing the Directory (from the "Rocket scientist" manual).
- Read through the subcategories of More information about Access Control (scroll down the page and don't miss any links or examples ...)
Access directives seem to be examined in the order in which they appear in the config file. It stops with the first what and then the first who found. In other words, specific rules should come first.
Via the new method (inside the LDAP)
olcAccess: to <what> [ by <who> <accesslevel> <control> ]+
is a different way of doing it. You should read these olcAccess statements as ldif notation of an LDAP attribute.
- Read the Access Control Chapter of the manual.
- Type man slapd.access
Links
- OpenLDAP Software 2.0 - 2.4 Administrator's Guides
- tip: Use the 1HTML version to search through the page...
- Configuring slapd (version 2.3 on Feb 2008).
- LDAP Tutorial - Exercise with OpenLDAP v2.0.11 on Linux by P. Gietz and N. Klasen (2001)
- LDAP01, Sam Hart's classnotes