Difference between pages "OpenLDAP" and "Configuration files"

From Wikislax

OpenLDAP

{{RightTOC}}

== What is OpenLDAP ? ==

[http://www.openldap.org OpenLdap] is an open source implementation of the '''Lightweight Directory Access Protocol''', a lightweight alternative to the '''X.500 Directory Access Protocol''' (DAP). In our installation, we use it as an address book and authentication server. To keep it safe, LDAP access is restricted to localhost: the slapd daemon listens only on localhost, and the ldap and ldaps ports (389 and 636) are closed at firewall level. The reference document to read is the [http://www.openldap.org/doc/admin24/index.html OpenLDAP Admin Guide] but it is lengthy. [http://en.wikipedia.org/wiki/OpenLDAP Wikipedia] has a nice summary page that helps to get the big picture.

== Installing OpenLDAP ==

There is a chicken-and-egg problem with OpenLDAP and Cyrus SASL as they reference each other. So first install OpenLDAP without '''--enable-spasswd --with-cyrus-sasl''', then after installing Cyrus SASL (next chapter) reinstall OpenLDAP with '''--enable-spasswd --with-cyrus-sasl''' (the next chapter repeats this reminder). [http://www.openldap.org/software/download Download OpenLDAP], untar to /usr/local then compile and install as described below. The first '''tar -tvf''' only lists the archive, so that you can see what it is going to write before extracting it :

# tar -tvf openldap-x.y.z.tgz
# tar -C /usr/local -xvf openldap-x.y.z.tgz
# cd /usr/local
# chown -R root:root openldap-x.y.z
# cd openldap-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
    --disable-ipv6 --with-tls
# make depend
# make
# make test
# make install
# make clean
  
To prepare running ldap as an unprivileged user, execute the commands below. <u>Note</u> : it is also a good idea to review the individual file permissions under the openldap directories and to restrict access to the ldap user. In particular the database directory should be mode 700 and '''slapd.conf''', which holds '''rootpw''' and the TLS key path, must not be world readable (the comments in the file below say the same) :

# groupadd ldap
# mkdir /var/run/ldap
# useradd -s /bin/false -d /var/run/ldap -g ldap ldap
# chown -R ldap:ldap /etc/openldap /usr/local/etc/openldap /usr/local/var/openldap-data /var/run/ldap

== Configuring OpenLDAP ==

OpenLDAP is made of two daemons but we will use only one. '''slapd''' is the stand-alone LDAP daemon; '''slurpd''', the stand-alone LDAP update replication daemon, is not needed here (and no longer exists in OpenLDAP 2.4, where replication is done by syncrepl). Below is a working example of a '''/usr/local/etc/openldap/slapd.conf''' configuration file that you can use, just replacing the '''domain''' and the '''rootpw''' value. The '''password-hash {CLEARTEXT}''' option is mandatory for SASL to use LDAP: the DIGEST-MD5 mechanism needs the cleartext password to check a response, and this directive makes slapd store passwords changed through the Password Modify extended operation unhashed (passwords loaded from an LDIF are stored as written). Because the directory then holds cleartext passwords, the '''access''' directives must really protect '''userPassword''', and their order matters: slapd uses the first '''access to''' directive whose selector matches, so the '''attrs=userPassword''' and '''attrs=authzTo''' rules must appear before the catch-all '''access to *''', otherwise they are never reached and '''by users read''' lets any authenticated account read every password. The '''authz-regexp''' maps an authentication request to a real entry in the directory. The reason why this mapping is useful is that it avoids knowing anything about the underlying directory structure to authenticate. See [http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html man slapd.conf] for more configuration details.

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# referral      ldap://root.openldap.org

pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Access control policy. Directives are tried in order and the FIRST
# matching <what> selector wins, so the attribute-specific rules must
# precede "access to *":
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       userPassword: the owner may change it but not read it back,
#               nobody else may read it, anonymous may only bind with it
#       authzTo: nobody but the rootdn may read or change it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

access to attrs=userPassword
        by self =dxw
        by users none
        by anonymous auth

access to attrs=authzTo
        by self none
        by users none
        by anonymous none

access to *
        by self write
        by users read
        by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# proxy user definitions - SASL requires CLEARTEXT
#######################################################################

password-hash   {CLEARTEXT}

authz-regexp
                uid=([^,]*),cn=digest-md5,cn=auth
                cn=$1,dc=domain,dc=com

authz-policy    to

#######################################################################
# Berkeley Data Base front end definitions
#######################################################################

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# To generate an {SSHA} secret : slappasswd -s secret
rootpw          {SSHA}16U2kC8+yDaWDtaKWsyvKSRHMWCUmcKg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data

# Indexing options for database #1
index           objectClass     eq
index           cn,sn           eq

#######################################################################
# TLS Certificates
#######################################################################

TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSCACertificatePath    /etc/ssl/certs
TLSCertificateFile      /etc/ssl/certs/mtacert.pem
TLSCertificateKeyFile   /etc/ssl/private/ldap.mtakey.pem.unsecure
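The first-match rule for '''access to''' directives is easy to get wrong when a file is edited by hand, and a cleartext '''rootpw''' is just as easy to leave behind. The following Python script is an added example, not code from this page or from OpenLDAP: it parses the ACL and '''rootpw''' directives of a slapd.conf text, applies the same first-match evaluation slapd does (simplified to the '''*''' and '''attrs=''' selectors and the '''self''', '''users''', '''anonymous''' and '''*''' who-clauses), and reports who can read '''userPassword''' for the two orderings discussed above. It also verifies an '''{SSHA}''' value the way slappasswd(8) builds it (base64 of SHA-1(secret || salt) followed by the salt). The two configuration strings are constructed for the demonstration.

```python
"""slapd.conf audit: ACL ordering for userPassword, and the rootpw secret.

Added example for this page; not code from Wikislax or from OpenLDAP.
Simplified slapd ACL evaluation: only '*' and 'attrs=' <what> selectors and the
self / users / anonymous / '*' <who> clauses are understood. Both configuration
strings below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import os
import re

# Access levels in slapd.access(5) order; a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed: the attribute rule placed after the catch-all, so it is never reached ...
MISORDERED = """\
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
access to attrs=userPassword
        by self =dxw
        by users none
        by anonymous auth
rootpw          secret
"""

# ... and the attribute rule in front of the catch-all, the order slapd needs.
REORDERED = """\
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
        by self =dxw
        by users none
        by anonymous auth
access to *
        by self write
        by users read
        by anonymous auth
rootpw          {SSHA}16U2kC8+yDaWDtaKWsyvKSRHMWCUmcKg
"""


def parse(text):
    """Return (directives, acls). Lines starting with whitespace continue the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives, acls = {}, []
    for line in logical:
        if line.startswith("access to "):
            what, *clauses = re.split(r"\s+by\s+", line[len("access to "):])
            # keep (who, level) and drop a trailing control word such as 'stop' or 'break'
            acls.append((what, [tuple(c.split()[:2]) for c in clauses]))
        else:
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    return directives, acls


def what_matches(what, attr):
    """'*' matches everything, 'attrs=a,b' matches the listed attributes; dn-based
    selectors are treated as not matching an ordinary entry (simplification)."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[len("attrs="):].split(",")]
    return False


def who_matches(who, identity):
    """identity is 'self', 'users' (another authenticated user) or 'anonymous'."""
    return who == "*" or who == identity or (who == "users" and identity != "anonymous")


def granted(acls, attr, identity):
    """First matching <what>, then first matching <by> clause within it, as slapd does;
    a matched <what> with no matching <by> clause is an implicit 'by * none'."""
    for what, clauses in acls:
        if not what_matches(what, attr):
            continue
        for who, level in clauses:
            if who_matches(who, identity):
                return level
        return "none"
    return "none"


def can_read(level):
    if level.startswith("="):          # explicit privilege list: '=dxw' carries no 'r'
        return "r" in level
    return LEVELS.index(level) >= LEVELS.index("read")


def userpassword_readers(acls):
    return [i for i in ("self", "users", "anonymous") if can_read(granted(acls, "userPassword", i))]


def ssha(secret, salt=None):
    """{SSHA} as slappasswd(8) emits it (4 random salt bytes unless one is given)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(secret.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(secret, stored):
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(secret.encode("utf-8") + salt).digest(), digest)


def audit(text):
    """Who can read userPassword, and whether rootpw is stored as a hash at all."""
    directives, acls = parse(text)
    rootpw = directives.get("rootpw", "")
    return {
        "userPassword_readable_by": userpassword_readers(acls),
        "rootpw_cleartext": bool(rootpw) and not rootpw.startswith("{"),
    }


if __name__ == "__main__":
    print("catch-all first:", audit(MISORDERED))    # readable by self and users, rootpw cleartext
    print("attribute rule first:", audit(REORDERED))
```

With the catch-all first, '''by users read''' governs '''userPassword''' and every authenticated account (the service accounts of the LDIF below included) can read every cleartext password; with the attribute rule first nobody can, not even the owner, who keeps '''=dxw''' to change it. The '''rootpw''' check is deliberately crude (a value not starting with a scheme in braces is cleartext), which is exactly the mistake the comment in slapd.conf warns about.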
 
 
 
When using LDAP clients on the same host, the file '''/usr/local/etc/openldap/ldap.conf''' must include a TLS_CACERT directive specifying the same CA certificate as in TLSCACertificateFile above, otherwise the clients cannot verify the server certificate and, with the default '''TLS_REQCERT demand''', abort the TLS handshake. Adjust BASE and URI to '''dc=domain,dc=com''' and '''ldap://localhost/''' to match the slapd.conf above :

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldap://ldap.example.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERT      /etc/ssl/certs/cacert.pem
TLS_CACERTDIR   /etc/ssl/certs

After that it is possible to listen on port ldaps and to use TLS to encapsulate the communications: add '''ldaps://localhost/''' to the '''-h''' list given to slapd in the next section. Note that the private key, '''/etc/ssl/private/ldap.mtakey.pem.unsecure''' above, is stored unencrypted so that slapd can start unattended; it must be readable by the ldap user only.

== Running OpenLDAP ==

Start the stand-alone LDAP server '''slapd''', then check to see if the server is running with '''ps -ef | grep slapd''' and if not use switch '''-d296''' to troubleshoot from '''slapd''' output (see [http://www.openldap.org/software/man.cgi?query=slapd&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html man slapd] for details). When OK try a '''ldapsearch''' ; the anonymous base search below only reads the root DSE, which the ACL above opens to everybody, so it needs no bind :

# /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
# ps -ef | grep slapd
# /usr/local/bin/ldapsearch -x -H ldap://localhost/ -b "" -s base "(objectclass=*)" namingContexts

Slapd runs as a daemon so must be launched at startup and stopped at shutdown. Update /etc/rc.d/rc.local and /etc/rc.d/rc.local_shutdown accordingly. The '''-h ldap://localhost/''' argument is what keeps slapd off the network interfaces: without it slapd listens on all addresses. The shutdown snippet trusts whatever '''/var/run/ldap/slapd.pid''' contains, and that file is writable by the unprivileged ldap user, so a compromised slapd could make root signal another process; a real rc script should check that the content is a number and that the process is slapd before the kill :

# vi /etc/rc.d/rc.local
. . .
# start slapd
if [ -x /usr/local/libexec/slapd ]; then
        echo "Starting slapd daemon: /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/"
        /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
fi
<esc>
:x

# vi /etc/rc.d/rc.local_shutdown
. . .
# stop slapd
if [ -r /var/run/ldap/slapd.pid ]; then
        echo "Stopping slapd: kill -INT `cat /var/run/ldap/slapd.pid`"
        kill -INT `cat /var/run/ldap/slapd.pid`
fi
<esc>
:x

== Creating Directory Entries ==

To add entries to the directory, create an '''ldif''' file. Run '''ldapadd''' to add the entries, then run '''ldapsearch''' to make sure it worked. To remove them, '''ldapdelete -f''' takes a file with one DN per line; list the children before their parent, as '''delete.ldif''' does, because slapd refuses to delete a non-leaf entry. '''create.ldif''' holds cleartext passwords, so keep it mode 600 or delete it once loaded.

# cd /usr/local/etc/openldap
# vi create.ldif
i
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: organization
dc: domain

dn: cn=Manager,dc=domain,dc=com
objectclass: organizationalRole
cn: Manager

dn: cn=proxyUser,dc=domain,dc=com
objectclass: person
cn: proxyUser
sn: proxyUser
userPassword: proxyPassword
authzTo: ldap:///dc=domain,dc=com??sub?(objectclass=person)

dn: cn=postmaster,dc=domain,dc=com
objectclass: person
cn: postmaster
sn: postmaster
userPassword: postmasterPassword

dn: cn=myUser,dc=domain,dc=com
objectclass: person
cn: myUser
sn: myUser
userPassword: myUserPassword

dn: cn=news,dc=domain,dc=com
objectclass: person
cn: news
sn: news
userPassword: newsPassword

dn: cn=xen,dc=domain,dc=com
objectclass: person
cn: xen
sn: xen
userPassword: xenPassword
<esc>
:x

# vi delete.ldif
i
cn=xen,dc=domain,dc=com
cn=news,dc=domain,dc=com
cn=myUser,dc=domain,dc=com
cn=postmaster,dc=domain,dc=com
cn=proxyUser,dc=domain,dc=com
cn=Manager,dc=domain,dc=com
dc=domain,dc=com
<esc>
:x

# ldapadd -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -f create.ldif
# ldapsearch -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -b "dc=domain,dc=com" "(objectclass=*)"
# ldapdelete -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -f delete.ldif

The '''authzTo:''' item above defines an OpenLDAP proxy user. Once authenticated, an OpenLDAP proxy user can impersonate other OpenLDAP users. This affords e.g. checking passwords (needed by SASL) or updating data for other users. The LDAP URL in the attribute, '''ldap:///dc=domain,dc=com??sub?(objectclass=person)''', is the limit of that impersonation (only the entries matching the search), and it is only honoured because slapd.conf says '''authz-policy to'''; the '''access to attrs=authzTo''' rule keeps everyone but the rootdn from reading or changing who may be impersonated.

<br>
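Hand-typed LDIF files work for the short values above but break as soon as a value contains a non-ASCII character, a leading space or colon, and a hand-ordered delete list goes wrong as soon as the tree gets deeper. The following Python script is an added example, not code from this page or from OpenLDAP: it generates '''create.ldif''' with the RFC 2849 encoding rules (a value that is not a SAFE-STRING, or that ends with a space, is base64 encoded after a double colon) and '''delete.ldif''' with every entry placed before its parent. The entries are constructed for the demonstration; the two odd values in the myUser entry are there on purpose to show the encoding.

```python
"""Generate create.ldif for ldapadd(1) and the DN list for ldapdelete(1) -f.

Added example for this page; not code from Wikislax or from OpenLDAP.
Values follow RFC 2849 (base64 after '::' when not a SAFE-STRING or when
ending with a space); the delete list is children-first because slapd refuses
to delete a non-leaf entry. The entries below are constructed.
"""
import base64

BASE = "dc=domain,dc=com"

ENTRIES = [
    (BASE, [("objectClass", "dcObject"), ("objectClass", "organization"),
            ("o", "organization"), ("dc", "domain")]),
    ("cn=Manager," + BASE, [("objectclass", "organizationalRole"), ("cn", "Manager")]),
    ("cn=proxyUser," + BASE, [("objectclass", "person"), ("cn", "proxyUser"),
                              ("sn", "proxyUser"), ("userPassword", "proxyPassword"),
                              ("authzTo", "ldap:///" + BASE + "??sub?(objectclass=person)")]),
    ("cn=myUser," + BASE, [("objectclass", "person"), ("cn", "myUser"), ("sn", "myUser"),
                           ("userPassword", " leading space"),   # constructed: forces base64
                           ("description", "Vérifié")]),         # constructed: non-ASCII
]


def is_safe_string(value):
    """RFC 2849 SAFE-STRING (no NUL/LF/CR, ASCII only, no leading ' ', ':' or '<'),
    plus the RFC's note that a value ending with a space SHOULD be encoded."""
    if value == "":
        return True
    if value[0] in " :<" or value.endswith(" "):
        return False
    return all(ord(c) < 128 and c not in "\x00\n\r" for c in value)


def ldif_line(attr, value):
    """'attr: value' when safe, else 'attr:: base64(utf-8 bytes)'."""
    if is_safe_string(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entries):
    """Text for 'ldapadd -f': one record per entry, records separated by a blank line."""
    records = ["\n".join([ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs])
               for dn, attrs in entries]
    return "\n\n".join(records) + "\n"


def dn_depth(dn):
    """Number of RDNs; a backslash-escaped comma does not separate RDNs."""
    depth, escaped = 1, False
    for c in dn:
        if escaped:
            escaped = False
        elif c == "\\":
            escaped = True
        elif c == ",":
            depth += 1
    return depth


def delete_order(dns):
    """Reverse creation order, then deepest DN first: every entry precedes its parent
    whatever the input order was."""
    return sorted(reversed(list(dns)), key=lambda dn: -dn_depth(dn))


def to_delete_list(entries):
    """Text for 'ldapdelete -f': one DN per line."""
    return "\n".join(delete_order(dn for dn, _ in entries)) + "\n"


if __name__ == "__main__":
    import os
    # The generated files hold cleartext passwords: create them readable by the owner only.
    for name, text in (("create.ldif", to_ldif(ENTRIES)), ("delete.ldif", to_delete_list(ENTRIES))):
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="ascii") as f:   # ascii: nothing unencoded may leak
            f.write(text)
    print(to_ldif(ENTRIES))
```

The files are opened with mode 0600 from the start rather than chmod'ed afterwards, so there is no window in which the cleartext passwords are world readable; the '''ascii''' encoding on the file object is a cheap guard that any non-ASCII value really went through base64.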
{{pFoot|[[OpenSSL]]|[[Main Page]]|[[Cyrus-SASL]]}}

Configuration files

Revision as of 10:29, 16 December 2022
{{RightTOC}}

The location of the configuration files depends on the distribution, but is usually subdirectories of, or files in <tt>'''/etc'''</tt>, <tt>'''/usr/etc'''</tt>, <tt>'''/usr/local/etc'''</tt>. The files are set up at installation but can be updated later. Applying a configuration change is then a matter of restarting the corresponding daemon. The main Slackware configuration files are :
<br/>

== Init configuration ==

{| {{thead}}
|-
! {{chead}} width="200" | File
! {{chead}} | Content
|-
| <tt>'''/etc/inittab'''</tt>||contains the default runlevel (3=multi-user, 4=graphical). On a live system, <tt>'''telinit n'''</tt> changes the level interactively.
|-
| <tt>'''/etc/fstab'''</tt>||describes the filesystems used on this computer: the device, the mount point, the filesystem type and the mount options. Use <tt>'''man fstab'''</tt>, copy, and try !
|-
| <tt>'''/etc/httpd'''</tt>||Directory containing the Apache configuration files such as httpd.conf.
|-
| <tt>'''/etc/lilo.conf'''</tt>||used by lilo to write a boot sector on the partition or on the MBR (master boot record). If it is written to the partition and the Windows bootloader is used to chain-load it, don't forget to copy the boot sector to a floppy so as to be able to use it from Windows.
|-
| <tt>'''/etc/mail'''</tt>||Directory containing the Sendmail configuration files such as sendmail.mc and sendmail.cf. The SpamAssassin configuration also goes here as a subdirectory.
|-
| <tt>'''/etc/mail/aliases'''</tt>||File containing a list of users that do not exist on the server and whose mail is redirected to existing users. After modifying this file the command <tt>'''newaliases'''</tt> must be run.
# redirect news
usenet:         news
|-
| <tt>'''/etc/ntp.conf'''</tt>||Configuration for the network time protocol. Add ntp servers for your region as below. After an update, restart using <tt>'''/etc/rc.d/rc.ntpd restart'''</tt>.
# NTP server (list one or more) to synchronize with:
server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org
|-
| <tt>'''/etc/profile'''</tt>||don't forget to update the paths:
  MANPATH=/usr/local/share/man:/usr/local/man:/usr/man
|-
| <tt>'''/etc/profile.d'''</tt>||the files contained in this directory are executed at login when executable. To remove the "Game of fortune" on user login :
chmod a-x /etc/profile.d/bsd-games-login-fortune.*
|-
| <tt>'''/etc/ld.so.conf'''</tt>||list of additional library directories. Run <tt>'''/sbin/ldconfig'''</tt> after adding new libraries. Add <tt>'''/usr/local/lib64'''</tt> here. Every directory listed is searched by every dynamically linked program, including setuid ones, so they must be owned by root and not writable by anyone else.
|-
| <tt>'''.bashrc'''</tt>||Specify <tt>'''. /etc/profile'''</tt> on a line of its own to get in <tt>'''konsole'''</tt> the same environment as on the console. This lets <tt>'''colorls'''</tt> work in new <tt>'''konsole'''</tt> tabs.
|}
<br clear=all>


== The /etc/rc.d directory ==

The <tt>'''/etc/rc.d'''</tt> directory contains the scripts used to initialize the system services at the end of the boot. To use a specific script at startup, make it user-executable. To stop using it, remove the execution rights. Depending on the situation, scripts are called with the <tt>'''start'''</tt>, <tt>'''stop'''</tt>, or <tt>'''restart'''</tt> parameter.

== Network configuration ==

The network configuration is done during system installation but it is possible to change it later by editing the files and restarting the right daemon:

{| {{thead}}
|-
! {{chead}} width="200" | File
! {{chead}} | Content
|-
| <tt>'''/etc/rc.d/rc.inet1.conf'''</tt>||configuration of the network. For Xen the standard configuration uses a bridge. A bridge gathers several physical network interfaces: the bridge is configured with an IP address while the physical network interfaces are left unconfigured. After an update, restart using <tt>'''/etc/rc.d/rc.inet1 restart'''</tt>.
# Config information for eth0:
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""
. . .
# Example of how to configure a bridge:
# Note the added "BRNICS" variable which contains a space-separated list
# of the physical network interfaces you want to add to the bridge.
IFNAME[0]="br0"
BRNICS[0]="eth0"
IPADDR[0]="192.168.0.1"
NETMASK[0]="255.255.255.0"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""
|-
| <tt>'''/etc/rc.d/rc.networkmanager'''</tt>||is a script to allow automatic network configuration. If you set '''rc.inet1.conf''' by hand, make sure this script does not have execution rights, otherwise the two will fight over the interfaces.
|-
| <tt>'''/etc/rc.d/rc.ipforward'''</tt>||is a script to allow forwarding of packets between the interfaces. This is useful for a computer with several interfaces, for instance a firewall. To allow forwarding, just make the script executable. Forwarding without a packet filter turns the host into an open router between its networks, so enable it together with the [[IPTables]] rules.
|-
| <tt>'''/etc/ssh/sshd_config'''</tt>||ssh server configuration. '''PermitRootLogin yes''' allows direct login as root, which is worth avoiding on a host reachable from the network ('''PermitRootLogin no''', then '''su''' or '''sudo''' from a normal account). To authorize X11 forwarding on the server side use '''X11Forwarding yes''' ('''ForwardX11''' is the client keyword). sshd uses the first value it finds for a keyword, so put a changed setting above the existing one rather than at the end of the file. After an update, restart using '''/etc/rc.d/rc.sshd restart'''.
|-
| <tt>'''/etc/ssh/ssh_config'''</tt>||ssh client configuration. To authorize X11 forwarding on the client side use '''ForwardX11 yes'''. '''ForwardX11Trusted yes''' makes the forwarded applications trusted X11 clients: it gets rid of the warnings and of the restrictions of the X SECURITY extension, but gives the remote host full access to the local display, so it is a convenience, not a security gain.
|-
| <tt>'''/etc/hosts'''</tt>||contains the addresses of the local hosts that bind cannot resolve, as they are in a private addressing plan. It is also possible to specify here addresses that will be chosen in lieu of the official ones.
|-
| <tt>'''/etc/rc.d/rc.bind'''</tt>||setting this script as user-executable lets the local computer be its own DNS.
|-
| <tt>'''/etc/named.conf'''</tt>||uncomment the query-source directive to suppress the port-unreachable packets on '''lo'''.
|-
| <tt>'''/etc/resolv.conf'''</tt>||if using local bind, which is recommended, append a line with <tt>'''nameserver 127.0.0.1'''</tt>.
|-
| <tt>'''/etc/udev/rules.d/70-persistent-net.rules'''</tt>||allows changing which interface is eth0.
|}
<br clear=all>


<u>Note</u> : In case of network issue, check the configuration using <tt>'''ifconfig -a'''</tt>, <tt>'''netstat -rn'''</tt> and <tt>'''route'''</tt> (or <tt>'''ip addr'''</tt> and <tt>'''ip route'''</tt>). The kernel routing table does not survive a reboot: it is rebuilt from rc.inet1.conf by rc.inet1 at each boot, so a bad route that keeps coming back is in that file. To start from a clean table without rebooting, delete the routes with <tt>'''ip route flush table main'''</tt> (the BSD <tt>'''route flush'''</tt> does not exist on Linux), then run <tt>'''/etc/rc.d/rc.inet1 restart'''</tt>.
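The sshd_config rows above hinge on one rule that is easy to forget: for a keyword, sshd keeps the first value it reads, and a '''Match''' block runs from its line to the next '''Match''' or the end of the file. The following Python script is an added example, not code from this page or from OpenSSH: it resolves the effective global settings of an sshd_config text under that rule, and '''set_global()''' rewrites the text so that a new value really takes effect, replacing the first global occurrence instead of appending. Both configuration strings are constructed for the demonstration.

```python
"""Effective sshd_config values: for a keyword, the first occurrence wins.

Added example for this page; not code from Wikislax or from OpenSSH.
Per sshd_config(5), the first obtained value of a keyword is used unless noted
otherwise, and a Match block applies only conditionally. Both strings below
are constructed for the demonstration.
"""
import re

KEYWORD = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")   # 'Keyword value' or 'Keyword=value'

# Constructed: 'PermitRootLogin no' appended to a file that already said yes.
APPENDED = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
# appended later, meant to disable root login
PermitRootLogin no
"""

# Constructed: the same idea, but the appended line lands inside a Match block.
WITH_MATCH = """\
Port 22
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
PermitRootLogin no
"""


def _directives(text):
    """Yield (raw_line, keyword_lowercase, value); keyword is None for blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            yield raw, None, None
            continue
        m = KEYWORD.match(line)
        yield raw, m.group(1).lower(), m.group(2).strip()


def effective_settings(text):
    """Global keyword -> value, first occurrence wins; stops at the first Match block."""
    settings = {}
    for _, key, value in _directives(text):
        if key == "match":
            break
        if key is not None:
            settings.setdefault(key, value)
    return settings


def set_global(text, keyword, value):
    """Make 'keyword value' the effective global setting: replace its first global
    occurrence, or insert it at the top when the keyword is not set globally."""
    out, done, in_match = [], False, False
    for raw, key, _ in _directives(text):
        if key == "match":
            in_match = True
        if key == keyword.lower() and not in_match and not done:
            out.append(f"{keyword} {value}")
            done = True
        else:
            out.append(raw)
    if not done:
        out.insert(0, f"{keyword} {value}")
    return "\n".join(out) + "\n"


def root_login_report(text):
    """The two settings discussed on this page, with the OpenSSH built-in defaults when
    unset (PermitRootLogin defaults to prohibit-password since OpenSSH 7.0)."""
    s = effective_settings(text)
    return {"PermitRootLogin": s.get("permitrootlogin", "prohibit-password"),
            "X11Forwarding": s.get("x11forwarding", "no")}


if __name__ == "__main__":
    print(root_login_report(APPENDED))                                     # root login still yes
    print(root_login_report(set_global(APPENDED, "PermitRootLogin", "no")))
```

Run the report against the real '''/etc/ssh/sshd_config''' before '''rc.sshd restart''' to see what sshd will actually apply; '''sshd -T''' gives the authoritative answer, but it needs a complete and valid configuration, which a text-level check does not.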


{{pFoot|[[Linux basics]]|[[Main Page]]|[[IPTables]]}}