Wikislax: /* Creating Directory Entries */

2018-11-24T14:15:09Z

‎Creating Directory Entries

Wikislax: /* Creating Directory Entries */

2018-11-22T20:30:12Z

‎Creating Directory Entries

Wikislax: Created page with "{{RightTOC}} == What is OpenLDAP ? == [http://www.openldap.org OpenLdap] is an open source implementation of the '''Ligthweigth Directory Access Protocol''', a lightweight a..."

2017-12-06T21:29:46Z

Created page with "{{RightTOC}} == What is OpenLDAP ? == [http://www.openldap.org OpenLdap] is an open source implementation of the '''Ligthweigth Directory Access Protocol''', a lightweight a..."

New page

{{RightTOC}}

== What is OpenLDAP ? ==

[http://www.openldap.org OpenLdap] is an open source implementation of the '''Ligthweigth Directory Access Protocol''', a lightweight alternative to the '''X500 Directory Address Protocol'''. In our installation, we use it as an address book and authentication server. To keep it safe, ldap access is restricted to localhost (slapd daemon listening only on localhost, ldap and ldaps ports closed at firewall level). The referecence document to read is the [http://www.openldap.org/doc/admin24/index.html Open Ldap Admin Guide] but it's lengthy. [http://en.wikipedia.org/wiki/OpenLDAP Wikipedia] has a nice summary page that could help setting up the big view.

== Installing OpenLDAP ==

There is a chicken-and-egg problem with OpenLdap and CyrusSasl as they reference each other. So first install OpenLdap without '''--enable-spasswd --with-cyrus-sasl''', then after installing Cyrus-sasl (next chapter), reinstall OpenLdap with '''--enable-spasswd --with-cyrus-sasl''' (this will be reminded at next chapter). [http://www.openldap.org/software/download Download OpenLDAP], untar to /usr/local then compile and install as described below :

# tar -tvf openldap-x.y.z.tgz
# tar -C /usr/local -xvf openldap-x.y.z.tgz
# cd /usr/local
# chown -R root:root openldap-x.y.z
# cd openldap-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
--disable-ipv6 --with-tls
# make depend
# make
# make test
# make install
# make clean

To prepare running ldap as an unpriviledged user, execute the commands below. <u>Note</u> : it will also be a good idea to review the individual file permissions under the openldap directories and to restrict access to the ldap user :

# groupadd ldap
# mkdir /var/run/ldap
# useradd -s /bin/false -d /var/run/ldap -g ldap ldap
# chown -R ldap:ldap /etc/openldap /usr/local/etc/openldap /usr/local/var/openldap-data /var/run/ldap

== Configuring OpenLDAP ==

OpenLdap is made of two daemons but we will use only one. '''slapd''' is the stand-alone LDAP daemon and '''slurpd''' is the stand-alone LDAP update replication daemon, that we will not use. Below is a working example of a '''/usr/local/etc/openldap/slapd.conf''' configuration file that you can use, just replacing the '''domain''' and the '''rootpw''' value. The '''password-hash {CLEARTEXT}''' option is mandatory for SASL to use LDAP (the format is enforced when using the password). The '''authz-regexp''' maps an authentication request to a real entry in the directory. The reason why this mapping is useful is that it avoids knowing anything about the underlying directory structure to authenticate. See [http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html man slapd.conf] for more configuration details.

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# referral ldap://root.openldap.org

pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

access to *
by self write
by users read
by anonymous auth

access to attrs=userPassword
by self =dxw
by users none
by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# proxy user definitions - SASL requires CLEARTEXT
#######################################################################

password-hash {CLEARTEXT}

authz-regexp
uid=([^,]*),cn=digest-md5,cn=auth
cn=$1,dc=domain,dc=com

authz-policy to

access to attrs=authzTo
by self none
by users none
by anonymous none

#######################################################################
# Berkeley Data Base front end definitions
#######################################################################

database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# To generate {SSHA} secret : slappasswd -s secret
rootpw {SSHA}16U2kC8+yDaWDtaKWsyvKSRHMWCUmcKg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data

# Indexing options for database #1
index objectClass eq
index cn,sn eq

#######################################################################
# TLS Certificates
#######################################################################

TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCACertificatePath /etc/ssl/certs
TLSCertificateFile /etc/ssl/certs/mtacert.pem
TLSCertificateKeyFile /etc/ssl/private/ldap.mtakey.pem.unsecure

When using LDAP clients on the same host, the file '''/usr/local/etc/openldap/ldap.conf''' must include a TLS_CACERT directive specifiying the same certificate as in TLSCACertificateFile above :

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=example,dc=com
URI ldap://ldap.example.com

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_CACERTDIR /etc/ssl/certs

After that it is possible to listen on port ldaps and to use TLS to encapsulate the communications.

== Running OpenLDAP ==

Start the stand-alone LDAP server '''slapd''', then check to see if the server is running with '''ps -ef | grep slapd''' and if not use switch '''-d296''' to troubleshoot from '''slapd''' output (see [http://www.openldap.org/software/man.cgi?query=slapd&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html man slapd] for details). When OK try a '''ldapsearch'''.

# /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
# ps -ef | grep slapd
# /usr/local/bin/ldapsearch -x -H ldap://localhost/ -b "" -s base "(objectclass=*)" namingContexts

Slapd runs as a daemon so must be launched at startup and stopped at shutdown. Update /etc/rc.d/rc.local and /etc/rc.d/rc.local_shutdown accordingly :

# vi /etc/rc.d/rc.local
. . .
# start slapd
if [ -x /usr/local/libexec/slapd ]; then
echo "Starting slapd daemon: /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/"
/usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
fi
<esc>
:x
# vi /etc/rc.d/rc.local_shutdown
. . .
# stop slapd
if [ -r /var/run/ldap/slapd.pid ]; then
echo "Stopping slapd: kill -INT `cat /var/run/ldap/slapd.pid`"
kill -INT `cat /var/run/ldap/slapd.pid`
fi
<esc>
:x

== Creating Directory Entries ==

To add entries to the directory, create an '''ldif''' file. Run '''ldapadd''' to add the entries, then run '''ldapsearch''' to make sure it worked.

# cd /usr/local/etc/openldap
# vi create.ldif
i
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: organization
dc: domain

dn: cn=Manager,dc=domain,dc=com
objectclass: organizationalRole
cn: Manager

dn: cn=proxyUser,dc=domain,dc=com
objectclass: person
cn: proxyUser
sn: proxyUser
userPassword: proxyPassword
authzTo: ldap:///dc=domain,dc=com??sub?(objectclass=person)

dn: cn=postmaster,dc=domain,dc=com
objectclass: person
cn: postmaster
sn: postmaster
userPassword: postmasterPassword

dn: cn=myUser,dc=domain,dc=com
objectclass: person
cn: myUser
sn: myUser
userPassword: myUserPassword

dn: cn=news,dc=domain,dc=com
objectclass: person
cn: news
sn: news
userPassword: newsPassword

dn: cn=xen,dc=domain,dc=com
objectclass: person
cn: xen
sn: xen
userPassword: xenPassword
<esc>
#vi delete.ldif
i
cn=xen,dc=domain,dc=com
cn=news,dc=domain,dc=com
cn=myUser,dc=domain,dc=com
cn=postmaster,dc=domain,dc=com
cn=proxyUser,dc=domain,dc=com
cn=Manager,dc=domain,dc=com
dc=domain,dc=com
<esc>

# ldapadd -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -f create.ldif
# ldapsearch -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -b "dc=domain,dc=com" "(objectclass=*)"
# ldapdelete -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -f delete.ldif

the '''authzTo:''' item above defines an OpenLdap proxy user. Once authenticated, an OpenLdap proxy user can impersonate other OpenLdap users. This affords e.g. checking passwords (needed by SASL) or updating data for other users.

<br>

{{pFoot|[[OpenSSL]]|[[Main Page]]|[[Cyrus-SASL]]}}

@@ Line 193: / Line 193: @@
   # vi create.ldif
+  i
-  dn: dc=domain,dc=com
+  dn: dc=studioware,dc=com
   objectClass: dcObject
   objectClass: organization
   o: organization
-  dc: domain
+  dc: studioware
-  dn: cn=Manager,dc=domain,dc=com
+  dn: cn=Manager,dc=studioware,dc=com
   objectclass: organizationalRole
   cn: Manager
-  dn: cn=proxyUser,dc=domain,dc=com
+  dn: cn=proxyUser,dc=studioware,dc=com
   objectclass: person
   cn: proxyUser
   sn: proxyUser
   userPassword: proxyPassword
-  authzTo: ldap:///dc=domain,dc=com??sub?(objectclass=person)
+  authzTo: ldap:///dc=studioware,dc=com??sub?(objectclass=person)
-  dn: cn=postmaster,dc=domain,dc=com
+  dn: cn=postmaster,dc=studioware,dc=com
   objectclass: person
   cn: postmaster
@@ Line 216: / Line 216: @@
   userPassword: postmasterPassword
-  dn: cn=myUser,dc=domain,dc=com
+  dn: cn=myUser,dc=studioware,dc=com
   objectclass: person
   cn: myUser
@@ Line 222: / Line 222: @@
   userPassword: myUserPassword
-  dn: cn=news,dc=domain,dc=com
+  dn: cn=news,dc=studioware,dc=com
   objectclass: person
   cn: news
@@ Line 228: / Line 228: @@
   userPassword: newsPassword
-  dn: cn=xen,dc=domain,dc=com
+  dn: cn=xen,dc=studioware,dc=com
   objectclass: person
   cn: xen
@@ Line 237: / Line 237: @@
   # vi delete.ldif
+  i
-  cn=xen,dc=domain,dc=com
+  cn=xen,dc=studioware,dc=com
-  cn=news,dc=domain,dc=com
+  cn=news,dc=studioware,dc=com
-  cn=myUser,dc=domain,dc=com
+  cn=myUser,dc=studioware,dc=com
-  cn=postmaster,dc=domain,dc=com
+  cn=postmaster,dc=studioware,dc=com
-  cn=proxyUser,dc=domain,dc=com
+  cn=proxyUser,dc=studioware,dc=com
-  cn=Manager,dc=domain,dc=com
+  cn=Manager,dc=studioware,dc=com
-  dc=domain,dc=com
+  dc=studioware,dc=com
   <esc>
-  # ldapadd -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -f create.ldif
+  # ldapadd -x -H ldap://localhost/ -D "cn=Manager,dc=studioware,dc=com" -W -f create.ldif
-  # ldapsearch -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -b "dc=domain,dc=com" "(objectclass=*)"
+  # ldapsearch -x -H ldap://localhost/ -D "cn=Manager,dc=studioware,dc=com" -W -b "dc=studioware,dc=com" "(objectclass=*)"
-  # ldapdelete -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -f delete.ldif
+  # ldapdelete -x -H ldap://localhost/ -D "cn=Manager,dc=studioware,dc=com" -W -f delete.ldif
 the '''authzTo:''' item above defines an OpenLdap proxy user. Once authenticated, an OpenLdap proxy user can impersonate other OpenLdap users. This affords e.g. checking passwords (needed by SASL) or updating data for other users.

@@ Line 234: / Line 234: @@
   userPassword: xenPassword
   <esc>
-  #vi delete.ldif
+ # chmod go-rx create.ldif
+  i
   cn=xen,dc=domain,dc=com

OpenLDAP - Revision history

Wikislax: /* Creating Directory Entries */

Wikislax: /* Creating Directory Entries */

Wikislax: Created page with "{{RightTOC}} == What is OpenLDAP ? == [http://www.openldap.org OpenLdap] is an open source implementation of the '''Ligthweigth Directory Access Protocol''', a lightweight a..."