1. What is it?
  2. Concepts
  3. Terminology
  4. Schemas
  5. LDAP URLs
  6. Client for connecting to LDAP
  7. References and links
  8. Apache DS
  9. OpenLDAP
    1. After installing (Initial Setup)
    2. Install slapd from source
      1. Setting up the client
    3. configuration
    4. Logging and OpenLDAP logs
    5. Overlays
    6. MemberOf Overlay
    7. Open LDAP Groups
  10. LDAP Search (Query)
    1. Search Filter Syntax
    2. Compare
  11. search from command line
  12. ldaps
  13. Password Overlay
  14. Corrupt Berkeley DB
  15. adding ldap users to local groups

What is it?

Lightweight Directory Access Protocol, a lighter-weight access protocol for X.500-style directories.

It's a "Directory" Service: hierarchical, and optimized for data that is read far more often than it is written (users, groups, hosts, certificates).

Concepts

ldapi:// is LDAP over a Unix domain socket; the "i" stands for inter-process communication. It never leaves the host, and slapd can authenticate the connecting process by its Unix uid/gid (SASL EXTERNAL), which is what the cn=config administration commands further down rely on.

Default port is 389. Traffic on 389 is cleartext unless the client upgrades the connection with the StartTLS operation.

TLS is the application-layer cryptographic protocol that gives the session confidentiality and integrity. Without it, a simple bind puts the DN and password on the wire in the clear, and every search result can be read in transit.

You can also use SASL, the Simple Authentication and Security Layer, which lets protocols such as LDAP authenticate with a variety of mechanisms (EXTERNAL, DIGEST-MD5, GSSAPI/Kerberos, ...) instead of a simple DN/password bind.

LDAP servers also commonly support LDAPS (Secure LDAP, "LDAP over SSL"): TLS from the first byte, on a separate port, by default 636. LDAPS predates StartTLS and was never standardized in an RFC, but it is widely deployed. Either way, the client must verify the server certificate, or the encryption protects nothing against an active attacker.

There's a single Directory Information Tree (DIT). This data structure can be distributed across one or more servers, called Directory System Agents (DSAs); a DSA is an LDAP server.

The DIT is a tree of directory entries.

Entries consist of a set of attributes.

Each entry has a distinguished name (DN). A DN is formed by combining the entry's relative distinguished name (RDN), built from one or more of the entry's own attributes, with the RDNs of each entry above it up to the root of the DIT. Think of the DN as the full (absolute) path to a file and the RDN as just the file name.

Attribute names are mnemonic strings like "cn" for common name, "dc" for domain component, "mail" for email address, "sn" for surname. They were originally defined in RFC 2256; the current definitions are in RFC 4519.

So distinguished names include one RDN from each level of the tree, and the RDNs strung together, most specific first, identify the entry uniquely.
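DN handling as an added example (not code from the original page): splitting a DN into RDNs while honouring escaped commas, taking the "file name" and "directory" parts, and answering the access-control question "is this entry under that base?" on normalized DNs rather than raw strings. The sample DNs are constructed; the normalization assumes case-insensitive naming attributes and single-valued RDNs.

```python
"""Split, normalize and compare LDAP distinguished names (added example)."""
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings at unescaped commas.

    A comma inside a value is written with a backslash escape, so a plain
    dn.split(",") is wrong; the escape sequence is kept as part of the value.
    Whitespace around separators is not significant and is stripped.
    """
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])       # keep the escape as-is
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    if any(r == "" for r in rdns):
        raise ValueError("empty RDN in DN: %r" % dn)
    return rdns


def split_rdn(rdn: str) -> Tuple[str, str]:
    """Return (attributeType, value) for a single-valued RDN such as 'cn=Bob'."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError("malformed RDN: %r" % rdn)
    return attr.strip().lower(), value.strip()


def rdn_of(dn: str) -> str:
    """The entry's own name (like a file name): the first RDN."""
    return split_dn(dn)[0]


def parent_of(dn: str) -> str:
    """The containing entry (like a directory path): everything after the first RDN."""
    return ",".join(split_dn(dn)[1:])


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: RDNs trimmed, types and values lower-cased.

    Assumes case-insensitive naming attributes (cn, ou, dc and uid are) and
    single-valued RDNs; a full implementation applies each attribute's matching
    rule and handles multi-valued RDNs (cn=a+sn=b), which this one does not.
    """
    parts = []
    for rdn in split_dn(dn):
        attr, value = split_rdn(rdn)
        parts.append("%s=%s" % (attr, value.lower()))
    return ",".join(parts)


def is_under(dn: str, base: str) -> bool:
    """True if dn lies in the subtree rooted at base, ignoring case and spacing.
    This is the question an ACL or an authorization check is really asking."""
    d = split_dn(normalize_dn(dn))
    b = split_dn(normalize_dn(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    dn = "cn=Smith\\, John, OU=People,dc=example,dc=com"   # constructed
    print(rdn_of(dn), "|", parent_of(dn))
    print(is_under(dn, "ou=people,dc=example,dc=com"))
```

The last check is why normalization matters: `UID=dave, OU=People,...` and `uid=dave,ou=people,...` name the same entry, and a raw string compare in an authorization rule would let one of them through and block the other.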

LDAP supports a number of operations:

1) StartTLS - upgrades the existing (cleartext) connection to TLS.
2) Bind - authenticates a client to the server. With a simple bind you pass an LDAP user DN and password, and the server checks the password against the userPassword attribute of the named entry. A simple bind over a connection without TLS sends the password in the clear. Watch out for the "unauthenticated" bind (a DN with an empty password): some servers treat it as a successful anonymous bind, so applications must reject empty passwords before binding. SASL binds use other mechanisms.
3) Search and Compare - the client passes a search request with parameters such as "baseObject" (DN of the entry to start from), "scope" (whether to search only the base DN, one level below it, or the whole subtree), "derefAliases" (whether and how to follow alias entries, which refer to other entries), "attributes" (which attributes to return), "sizeLimit", "timeLimit", and "typesOnly" (return attribute types, not values).
4) Update operations - Add, Delete, Modify, and Modify DN (rename or move an entry).

Abandon (cancel an outstanding operation) and Unbind (close the session) round out the core protocol. StartTLS is itself an Extended operation, as are Password Modify and "Who am I?".
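What a simple bind actually puts on the wire, as an added example that is not part of the original page: a hand-rolled BER encoder for the LDAPv3 BindRequest and UnbindRequest (RFC 4511), a decoder that reads the frame back, and a check that the password is a plain substring of the frame. The DN and password are constructed values; no server is contacted.

```python
"""Encode and decode an LDAPv3 simple BindRequest by hand (added example)."""
from typing import Tuple


def ber_length(n: int) -> bytes:
    """BER definite length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    if value == 0:
        body = b"\x00"
    else:
        body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return tlv(0x02, body)


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    BindRequest is [APPLICATION 0] constructed  -> tag 0x60.
    The simple credential is [CONTEXT 0] primitive -> tag 0x80.
    """
    bind = tlv(0x60,
               ber_integer(3)
               + tlv(0x04, bind_dn.encode("utf-8"))
               + tlv(0x80, password.encode("utf-8")))
    return tlv(0x30, ber_integer(message_id) + bind)


def unbind_request(message_id: int) -> bytes:
    """UnbindRequest is [APPLICATION 2] NULL -> tag 0x42, length 0."""
    return tlv(0x30, ber_integer(message_id) + b"\x42\x00")


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV starting at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(frame: bytes) -> Tuple[int, int, str, str]:
    """Parse a frame back into (messageID, version, dn, password)."""
    tag, msg, _ = read_tlv(frame, 0)
    assert tag == 0x30, "not an LDAPMessage"
    tag, mid, pos = read_tlv(msg, 0)
    assert tag == 0x02, "messageID must be an INTEGER"
    tag, bind, _ = read_tlv(msg, pos)
    assert tag == 0x60, "not a BindRequest"
    tag, ver, pos = read_tlv(bind, 0)
    tag, name, pos = read_tlv(bind, pos)
    tag, cred, _ = read_tlv(bind, pos)
    assert tag == 0x80, "not a simple bind (SASL credentials use tag 0xA3)"
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(ver, "big", signed=True),
            name.decode("utf-8"), cred.decode("utf-8"))


def password_in_clear(frame: bytes, password: str) -> bool:
    """What a passive sniffer sees on port 389 without StartTLS: the
    credential is a literal substring of the frame."""
    return password.encode("utf-8") in frame


if __name__ == "__main__":
    frame = simple_bind_request(1, "cn=admin,dc=example,dc=com", "s3cret")  # constructed
    print(frame.hex())
    print(decode_simple_bind(frame), password_in_clear(frame, "s3cret"))
```

After a successful StartTLS the identical bytes are sent inside the TLS record layer, which is the only thing standing between this frame and anyone on the network path.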

Terminology

  • Schemas are packaging units: all attribute types and objectClasses are defined in schemas
  • In OpenLDAP, schemas are loaded via include statements in slapd.conf (or as entries under cn=schema,cn=config)
  • Attributes defined in one schema can be used by an objectClass defined in another schema
  • Entries are instances of a set of objectClasses, which determine the attributes they must and may carry

Schemas

Schemas define which object classes and attributes are available in your LDAP. In slapd 2.4, you can simply add schema LDIF files under the /etc/ldap/schema directory, I think.

LDAP URLs

ldap://host:port/DN?attributes?scope?filter?extensions

  • every field after the scheme is optional; omitted ones take defaults (RFC 4516)
  • attributes is a comma separated list; empty means all user attributes
  • scope is "base" (default), "one" or "sub"
  • filter is a search filter like (objectClass=*), which is the default
  • extensions are comma separated extensions to the LDAP URL format; one prefixed with ! is critical, and a client that does not understand it must reject the URL
  • spaces and other characters not allowed in URLs, and any literal ? inside a field, must be percent-encoded
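A parser for the URL syntax above, as an added example (not code from the original page). It applies the RFC 4516 defaults for omitted fields, handles ldapi socket paths and IPv6 literals, and surfaces critical (!-prefixed) extensions so the caller can refuse a URL it does not fully understand. The sample URLs are constructed.

```python
"""Parse LDAP URLs: scheme://host:port/DN?attrs?scope?filter?extensions (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]                 # None: client must know its own server
    port: Optional[int]                 # None only for ldapi (socket, not TCP)
    dn: str = ""
    attributes: List[str] = field(default_factory=list)   # empty = all user attrs
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: List[str] = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)

    hostport, slash, rest = rest.partition("/")
    host: Optional[str] = None
    port: Optional[int] = DEFAULT_PORTS.get(scheme)      # None for ldapi
    if scheme == "ldapi":
        host = unquote(hostport) or None                 # percent-encoded socket path
    elif hostport.startswith("["):                       # IPv6 literal, e.g. [::1]:636
        h, _, p = hostport.rpartition("]")
        host = h[1:]
        if p.startswith(":"):
            port = int(p[1:])
    elif hostport:
        h, colon, p = hostport.partition(":")
        host = h
        if colon:
            port = int(p)

    # After the slash: DN ? attributes ? scope ? filter ? extensions, each optional.
    fields = rest.split("?", 4) if slash else []
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, flt, exts = (unquote(f) for f in fields)

    result = LdapUrl(scheme=scheme, host=host, port=port, dn=dn)
    if attrs:
        result.attributes = [a for a in attrs.split(",") if a]
    if scope:
        if scope.lower() not in VALID_SCOPES:
            raise ValueError("bad scope %r (expected base, one or sub)" % scope)
        result.scope = scope.lower()
    if flt:
        if not (flt.startswith("(") and flt.endswith(")")):
            raise ValueError("filter must be parenthesised: %r" % flt)
        result.filter = flt
    if exts:
        result.extensions = exts.split(",")
    return result


def critical_extensions(url: LdapUrl) -> List[str]:
    """Extensions marked with a leading '!' are critical (RFC 4516 section 2):
    a client that does not implement one MUST NOT process the URL."""
    return [e[1:] for e in url.extensions if e.startswith("!")]


if __name__ == "__main__":
    u = parse_ldap_url("ldap://ldap.example.com/dc=example,dc=com?cn,mail?sub?(uid=dave)")  # constructed
    print(u)
    print(critical_extensions(parse_ldap_url("ldap:///o=Acme%20Inc???!bindname=cn%3Dreader")))
```

Note that `ldap:///` (empty host) is a valid URL that means "whatever server the client is configured for"; a URL handed to you by a user with a host you did not expect is the thing to check before connecting.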

Client for connecting to LDAP

Apache Directory Studio. Download it here: http://directory.apache.org/studio/downloads.html

To connect to LDAP, go to "New", choose "LDAP Browser" and "LDAP Connection", enter the host and accept the default port 389.

  • WCI Directory listens on port 389

To connect Apache Directory Studio to LDAP, use "Simple Authentication" and the following for Bind DN or user: cn=Administrator,ou=users,dc=bea,dc=com (and Administrator's password). Simple authentication on port 389 sends that password in the clear unless you pick "Use SSL encryption (ldaps://)" or "Use StartTLS extension" as the encryption method when creating the connection.

References and links

http://www.zytrax.com/books/ldap

http://www.openldap.org/doc/admin24

Apache DS

ApacheDS is a Java implementation of an LDAP server.

OpenLDAP

What is it?

It's an implementation of LDAP for *nix systems.

The server program is slapd

After installing (Initial Setup)

This is in a lot of online posts, but it didn't work for me for some reason:

 ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

If you run sudo dpkg-reconfigure slapd, you can reconfigure the default admin user, domain, etc.

Then, this should work:

  ldapsearch -x -D "cn=admin,dc=your,dc=domain" -W -H ldap:/// -b cn=config

Start the service as openldap os user:

  /usr/sbin/slapd -h ldap:/// -u openldap -g openldap -d 0

Install slapd from source

see http://www.openldap.org/doc/admin24

If you install from source, it will install config files in /usr/local/etc/openldap and the slapd binary as /usr/local/libexec/slapd.

When installing from source, use ./configure --help to see the options. For example, one option I needed was --enable-memberof.

In June 2011, I think I figured out how to use apt-get to install. See below.

Dec 2010 I tried using the Synaptic package manager to install OpenLDAP. Everything seemed to work, but it couldn't find schema definitions for "objectClass=olcBdbConfig" or "objectClass=olcDatabaseConfig". So, I tried building from source. ./configure complained that the Berkeley Database libraries weren't available, so I installed libdb-dev using Synaptic.

When building, use one of:

./configure --enable-overlays --with-tls
./configure --enable-memberof --with-tls

Some dependencies you might need:

libnss3-dev libssl-dev libdb-dev

make depend

make

make test

sudo make install

## Install using apt-get (PREFERRED!!)

http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2

apt-get install slapd ldap-utils

On Ubuntu this installs an init script, so you can use `service slapd start|stop|restart`; the package keeps its configuration in the cn=config database under /etc/ldap/slapd.d rather than in a slapd.conf. A source build instead reads /usr/local/etc/openldap/slapd.conf, which is where rootdn and rootpw are specified in that layout. The root DN and password can also be set in the config database (olcRootDN and olcRootPW). Look below for how to use ldapsearch to see the config database.

Then, you configure the slapd server using ldapadd

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif

Next, we have to create the actual database (see example ldif file in samples/ldap folder)
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldap/create_database.ldif

Next, create groups and people ou. (see init_db.ldif in samples/ldap dir)
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldap/init_db.ldif

I tried importing acls.ldif, but got a malloc error. Need to learn more about that.

At this point, you should be able to connect and do searches (quote the filter so the shell does not expand the *):

ldapsearch -H ldap://<ip address> -D uid=admin,ou=people,dc=upgradingdave,dc=com -W -b dc=upgradingdave,dc=com '(objectClass=*)'

Troubleshooting

# Show the current configuration:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

-Y selects a SASL mechanism. EXTERNAL over ldapi:/// means slapd authenticates the connecting process by its Unix uid/gid (root becomes gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth), and the default Ubuntu ACL grants exactly that identity manage rights on cn=config, which is why the command has to run under sudo.
# Show the current data in the directory as anonymous user:
ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org

# Dump the database with metadata:
sudo slapcat

/etc/default/slapd contains parameters that control the slapd process. I thought this was where I needed to open port 389:
SLAPD_SERVICES="ldap:/// ldapi:/// ldap://127.0.0.1:389"

But it turned out to be iptables.

Setting up the client

sudo apt-get install libnss-ldapd libpam-ldapd

Install ldapscripts for an easy way to add users and groups from the command line:

sudo apt-get install ldapscripts

Edit /etc/ldapscripts/ldapscripts.conf and update with appropriate ldap connection info (including suffix, gsuffix, usuffix)

Then you can use:

ldapaddgroup <groupname>
ldapadduser <username>
ldapsetpasswd <username>
    
## phpldapadmin
sudo apt-get install phpldapadmin

It will install under /usr/share/phpldapadmin on ubuntu. Configuration file is inside /etc/phpldapadmin/config.php.

configuration

Admin Manual for version 2.4:

http://www.openldap.org/doc/admin24/

Older versions of slapd use slapd.conf to configure the server; more info with man slapd.conf.

However, as of 2.4, slapd uses a new configuration convention, usually called OLC (online configuration) or cn=config, that lets you reconfigure the server over LDAP without restarting it. The settings are stored as LDIF under the slapd.d directory (on Ubuntu, /etc/ldap/slapd.d); find more info with man slapd-config.

See the installation notes above; I figured out how to configure using the slapd.d config in June 2011.

As of this writing, I couldn't figure out how to get slapd-config to create a new bdb database. But I was able to install from source, and then use slapd.conf to get a bdb up and running. Make sure to include the following in slapd.conf (so you have access to all objectClasses):

include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema

Also make sure to update slapd.conf with correct suffix, rootdn and rootpw.

Then create LDIF files and use ldapadd to create new entries. Some example LDIF files are in the ldap directory. Here's the ldapadd syntax:

ldapadd -x -D "cn=Manager,dc=paroulek,dc=com" -f users.ldif -w secret

Passing the password with -w puts it in your shell history and in the process list, visible to every user on the box; use -W to be prompted, or -y /path/to/file with a mode 0600 password file.

Note that after editing slapd.conf and adding "cn=Manager,dc=paroulek,dc=com" as the rootdn, it won't show up as an entry. The rootdn is authenticated against rootpw in slapd.conf and does not need to exist in the directory, and it is not subject to access control, so treat it as a break-glass account rather than as an application's bind account.

Logging and OpenLDAP logs

How to set up an OpenLDAP log file. slapd logs through syslog, and loglevel is a bitmask: the 4095 used below turns on every level listed, which is fine while debugging but noisy, and it writes every bound DN and search filter to disk. For a running server use 256 (stats), which logs connections, operations and results.

[root@esker /etc]# man slapd.conf
   loglevel <integer>
          Specify the level at which debugging statements and
          operation statistics should be syslogged (currently
          logged to the syslogd(8) LOG_LOCAL4 facility).  Log
          levels are additive, and available levels are:
                  1      trace function calls
                  2      debug packet handling
                  4      heavy trace debugging
                  8      connection management
                  16     print out packets sent and received
                  32     search filter processing
                  64     configuration file processing
                  128    access control list processing
                  256    stats                            log
                         connections/operations/results
                  512    stats log entries sent
                  1024   print   communication   with   shell
                         backends
                  2048   entry parsing
[root@esker /etc]# cat /etc/openldap/slapd.conf
...
loglevel	4095
...

[root@esker /etc]# cat /etc/syslog.conf
...
# save OpenLDAP log
local4.*						/var/log/ldap.log

Restart syslogd (so it picks up the new local4 rule) and then restart slapd.
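Once stats logging is on, the log is an authentication audit trail. As an added example that is not from the original page, this scans slapd stats lines for two things: repeated err=49 (invalidCredentials) bind results per source address and DN, and simple binds (method=128) on connections that never logged "TLS established", meaning the password crossed the network in the clear. The log lines are constructed to match the stats format; the threshold of three failures is an arbitrary choice.

```python
"""Scan slapd stats (loglevel 256) syslog lines for failed and cleartext
simple binds. Added example; the log lines below are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# One regex per stats line type we care about.
ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):(\d+) ")
TLS_UP = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")   # tag=97: BindResponse

INVALID_CREDENTIALS = 49    # LDAP resultCode for a wrong password
METHOD_SIMPLE = 128         # method=128 is a simple (DN + password) bind

SAMPLE_LOG = """\
Jun 12 10:00:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jun 12 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jun 12 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jun 12 10:00:02 ldap1 slapd[1234]: conn=1000 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Jun 12 10:00:02 ldap1 slapd[1234]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jun 12 10:00:02 ldap1 slapd[1234]: conn=1000 op=2 BIND dn="cn=admin,dc=example,dc=com" method=128
Jun 12 10:00:02 ldap1 slapd[1234]: conn=1000 op=2 RESULT tag=97 err=49 text=
Jun 12 10:00:03 ldap1 slapd[1234]: conn=1000 fd=12 closed
Jun 12 10:00:05 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=198.51.100.7:40022 (IP=0.0.0.0:389)
Jun 12 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 12 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 STARTTLS
Jun 12 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 RESULT oid= err=0 text=
Jun 12 10:00:05 ldap1 slapd[1234]: conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
Jun 12 10:00:05 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128
Jun 12 10:00:05 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=0 text=
Jun 12 10:00:09 ldap1 slapd[1234]: conn=1002 fd=14 ACCEPT from IP=203.0.113.5:33001 (IP=0.0.0.0:389)
Jun 12 10:00:09 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128
Jun 12 10:00:09 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
"""

Key = Tuple[str, str]   # (client ip, bind dn)


def analyse(lines: Iterable[str]) -> Tuple[Counter, Set[Key]]:
    """Return (failed, cleartext): a Counter of err=49 bind results per
    (ip, dn), and the set of (ip, dn) that did a simple bind on a
    connection with no TLS in place at that moment."""
    conn_ip: Dict[str, str] = {}
    tls_conns: Set[str] = set()
    pending: Dict[Tuple[str, str], str] = {}   # (conn, op) -> bind dn awaiting its RESULT
    failed: Counter = Counter()
    cleartext: Set[Key] = set()
    for line in lines:
        m = ACCEPT.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = TLS_UP.search(line)
        if m:
            tls_conns.add(m.group(1))
            continue
        m = BIND.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = dn
            # a non-empty DN with method=128 carries a password; no TLS means cleartext
            if int(method) == METHOD_SIMPLE and dn and conn not in tls_conns:
                cleartext.add((conn_ip.get(conn, "?"), dn))
            continue
        m = RESULT.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None and int(err) == INVALID_CREDENTIALS:
                failed[(conn_ip.get(conn, "?"), dn)] += 1
    return failed, cleartext


def brute_force_suspects(failed: Counter, threshold: int = 3) -> List[Key]:
    """(ip, dn) pairs at or over the failure threshold, sorted for stable output."""
    return sorted(key for key, n in failed.items() if n >= threshold)


if __name__ == "__main__":
    fails, clear = analyse(SAMPLE_LOG.splitlines())
    for ip, dn in brute_force_suspects(fails):
        print("possible brute force: %s -> %s (%d failures)" % (ip, dn, fails[(ip, dn)]))
    for ip, dn in sorted(clear):
        print("cleartext simple bind: %s -> %s" % (ip, dn))
```

The BIND and RESULT lines are correlated by conn and op number, which is how you have to read slapd logs in general: the DN is only on the BIND line, the outcome only on the RESULT line. Feeding the real log is a matter of replacing SAMPLE_LOG with the lines from /var/log/ldap.log.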

Overlays

Overlays can be compiled statically or configured as modules.

The overlays are normally in [bsd] /usr/local/libexec/openldap and [fedoracore] /usr/libexec/openldap or /usr/sbin/openldap.

Like Apache modules, they are either .la or .so files.

MemberOf Overlay

In order for this to work, I built ldap like so:

./configure --enable-memberof

This overlay provides automatic reverse group membership maintenance. Any time a group entry is modified, its members are updated to keep a memberOf attribute current. memberOf is an operational attribute written by the server, not by clients.

man slapo-memberof

Then, in slapd.conf, add the following:

Open LDAP Groups

# LDIF fragment to create group branch under root

dn: ou=groups,dc=example,dc=com
objectclass: organizationalunit
ou: groups
description: generic groups branch

# create the itpeople entry

dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
# add the group members all of which are 
# assumed to exist under people
member: cn=road runner,ou=people,dc=example,dc=com
member: cn=micky mouse,ou=people,dc=example,dc=com

Once the memberOf overlay is installed, and after adding this to the directory, you can search for entries using the memberOf attribute, e.g. (memberOf=cn=itpeople,ou=groups,dc=example,dc=com). Note that memberOf is an operational attribute, so when you're browsing the directory (in Apache Directory Studio, for example) or using ldapsearch it is not returned unless specifically requested: list it by name, or ask for + to get all operational attributes.
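The LDIF fragment above, loaded by a small parser and stamped with memberOf the way the overlay does it on the server, as an added example that is not part of the original page. The people entries and the third member are constructed so the example shows both a successful stamp and a dangling member reference; DNs are compared as exact strings, which assumes they are already normalized.

```python
"""Parse the LDIF above and maintain memberOf the way slapo-memberof does.
Added example; the people entries and the third member are constructed."""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]    # attribute name (lower-cased) -> values

SAMPLE_LDIF = """\
# people branch and two people (constructed for this example)
dn: ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: people

dn: cn=road runner,ou=people,dc=example,dc=com
objectclass: inetorgperson
cn: road runner
sn: runner

dn: cn=micky mouse,ou=people,dc=example,dc=com
objectclass: inetorgperson
cn: micky mouse
sn: mouse

# LDIF fragment to create group branch under root
dn: ou=groups,dc=example,dc=com
objectclass: organizationalunit
ou: groups
description: generic groups branch

# create the itpeople entry
dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
member: cn=road runner,ou=people,dc=example,dc=com
member: cn=micky mouse,ou=people,dc=example,dc=com
member: cn=wile e coyote,ou=people,dc=example,dc=com
"""


def _store(entries: Dict[str, Entry], lines: List[str]) -> None:
    """Turn one record's unfolded 'name: value' lines into an entry."""
    attrs: Entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad LDIF line: %r" % line)
        if value.startswith(":"):                        # 'name:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    dn = attrs.pop("dn")[0]
    entries[dn] = attrs


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: '#' comments, blank-line separated records,
    multi-valued attributes, base64 values and folded continuation lines."""
    entries: Dict[str, Entry] = {}
    unfolded: List[str] = []
    for raw in text.splitlines() + [""]:                 # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:              # continuation of the previous line
            unfolded[-1] += raw[1:]
            continue
        if raw.strip() == "":
            if unfolded:
                _store(entries, unfolded)
                unfolded = []
            continue
        unfolded.append(raw)
    return entries


def apply_memberof(entries: Dict[str, Entry], group_oc: str = "groupofnames",
                   member_ad: str = "member", memberof_ad: str = "memberof") -> List[Tuple[str, str]]:
    """Stamp every member of every group with memberOf=<group dn>, which is what
    the overlay does server-side whenever a group is modified. The defaults mirror
    memberof-group-oc, memberof-member-ad and memberof-memberof-ad. Returns the
    (group, member) pairs whose member has no entry instead of silently skipping them."""
    dangling: List[Tuple[str, str]] = []
    for dn, attrs in entries.items():
        if group_oc not in (oc.lower() for oc in attrs.get("objectclass", [])):
            continue
        for member_dn in attrs.get(member_ad, []):
            target = entries.get(member_dn)              # exact match: assumes normalized DNs
            if target is None:
                dangling.append((dn, member_dn))
                continue
            if dn not in target.setdefault(memberof_ad, []):
                target[memberof_ad].append(dn)
    return dangling


def groups_of(entries: Dict[str, Entry], user_dn: str) -> List[str]:
    """The query memberOf exists for: one entry read instead of a scan of every group."""
    return sorted(entries[user_dn].get("memberof", []))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("dangling:", apply_memberof(directory))
    print(groups_of(directory, "cn=road runner,ou=people,dc=example,dc=com"))
```

Without the overlay, "which groups is this user in?" is a search over every group's member attribute; with it, the answer is on the user's own entry, which is why applications and PAM/NSS configs lean on memberOf so heavily.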

LDAP Search (Query)

All searches must specify:

1) Base DN: defines the starting point
2) Scope: how deep to search; one of "baseObject", "singleLevel", or "wholeSubtree"
3) Search filter
4) Attributes to return
5) Alias dereferencing
6) Limits (size and time)

Search Filter Syntax

Search filters are of the form (wrapped in parentheses):

(attribute operator value)

Operator can be one of: = (equality), >= and <= (ordering), =* (presence) and ~= (approximate).

(sn=*) matches all entries that have a surname. ~= is an approximate match whose algorithm is server-defined, typically a phonetic comparison; for example, (sn~=Dave) will also match entries where sn=dave.

You can use * in a value to match any run of characters. For example: (sn=D*) matches every surname beginning with D.

Filters can be combined using the boolean operators & (and) and | (or), which take any number of filters, and negated with !, which applies to a single filter. For example, find all entries with surname Miller or Smith: (|(sn=Smith)(sn=Miller)). If any part of a value comes from user input, escape the characters *, (, ), \ and NUL as \XX hex (RFC 4515); otherwise the input can change the structure of the filter, the LDAP equivalent of SQL injection.
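Added example, not code from the original page: a parser and evaluator for this filter grammar run over three constructed entries, plus the RFC 4515 escaping routine. It shows the same lookup built by string concatenation and by escaping, with the input *)(uid=* turning the first into a match-everything filter. The ~= operator is approximated as a case-insensitive compare because its real algorithm is server-defined.

```python
"""Search-filter parsing, evaluation and RFC 4515 escaping (added example)."""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory: attribute names lower-cased, values as lists.
PEOPLE: Dict[str, Entry] = {
    "uid=dave,ou=people,dc=example,dc=com":  {"uid": ["dave"],  "sn": ["Paroulek"], "objectclass": ["person"]},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "sn": ["Smith"],    "objectclass": ["person"]},
    "uid=bob,ou=people,dc=example,dc=com":   {"uid": ["bob"],   "sn": ["Miller"],   "objectclass": ["person"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: *, (, ), backslash and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


Node = Tuple   # ("&"|"|", [children]) | ("!", [child]) | ("item", attr, op, raw_value)


def parse_filter(s: str) -> Node:
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing text after filter: %r" % s[pos:])
    return node


def _parse(s: str, i: int) -> Tuple[Node, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s at offset %d" % (op, i))
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! at offset %d" % i)
        return ("!", [child]), i + 1
    end = s.find(")", i)                 # safe: a literal ')' in a value is escaped as \29
    if end < 0:
        raise ValueError("unterminated item at offset %d" % i)
    item = s[i:end]
    eq = item.find("=")
    if eq <= 0:
        raise ValueError("bad filter item: %r" % item)
    attr, op = item[:eq], "="
    if attr[-1] in "<>~":
        op, attr = attr[-1] + "=", attr[:-1]
    return ("item", attr.lower(), op, item[eq + 1:]), end + 1


def matches(entry: Entry, node: Node) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(entry, c) for c in node[1])
    if kind == "|":
        return any(matches(entry, c) for c in node[1])
    if kind == "!":
        return not matches(entry, node[1][0])
    _, attr, op, raw = node
    values = entry.get(attr, [])
    if op == "=" and raw == "*":                       # presence
        return bool(values)
    if op == "=" and "*" in raw:                       # substring: split on unescaped *
        pattern = ".*".join(re.escape(unescape(p)) for p in raw.split("*"))
        return any(re.fullmatch(pattern, v, re.I) for v in values)
    want = unescape(raw)
    if op in ("=", "~="):                              # ~= simplified to a case-fold compare
        return any(v.lower() == want.lower() for v in values)
    if op == ">=":
        return any(v >= want for v in values)
    if op == "<=":
        return any(v <= want for v in values)
    raise ValueError("unknown operator %r" % op)


def search(entries: Dict[str, Entry], filter_text: str) -> List[str]:
    node = parse_filter(filter_text)
    return sorted(dn for dn, e in entries.items() if matches(e, node))


def lookup_filter_naive(user_input: str) -> str:
    """The bug: untrusted text pasted straight into the filter."""
    return "(&(uid=%s)(objectClass=person))" % user_input


def lookup_filter_safe(user_input: str) -> str:
    """The fix: escape the value so it can only ever be compared as a value."""
    return "(&(uid=%s)(objectClass=person))" % escape_filter_value(user_input)


if __name__ == "__main__":
    evil = "*)(uid=*"                                   # constructed attacker input
    print(lookup_filter_naive(evil), "->", len(search(PEOPLE, lookup_filter_naive(evil))), "entries")
    print(lookup_filter_safe(evil), "->", len(search(PEOPLE, lookup_filter_safe(evil))), "entries")
```

The naive version is how a login form becomes a user enumeration tool (or, with a filter on userPassword, a password oracle); the escaped version cannot be steered no matter what the input is, because every metacharacter in the value is rendered inert.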

Compare

There is a compare operation in addition to search. Compare takes a DN, an attribute and a value and returns TRUE or FALSE (or an error if the attribute is absent). For example, if you compare an entry whose sn=Smith against sn=Jones, you'll get FALSE. It is commonly used to test group membership without reading the group: compare cn=itpeople,ou=groups,dc=example,dc=com for member=<user DN>.

search from command line

ldapsearch -H ldap:// -D cn=admin,dc=my,dc=domain -W -b dc=my,dc=domain '(&(uid=dave.paroulek)(objectClass=*))'

Quote the filter: parentheses, & and * are all special to the shell.

ldaps

Create cacert.pem, server_cert.pem, and server_key.pem (the CA certificate, the server certificate and its private key).

Copy them into /usr/local/etc/openldap and point slapd at them in slapd.conf with TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile (olcTLSCACertificateFile etc. under cn=config). Keep the key file readable only by the user slapd runs as.

Build slapd with TLS support; libssl-dev is required in order for it to work properly:

./configure --with-tls

Clients need to trust the CA too: set TLS_CACERT in ldap.conf, and use -ZZ with ldapsearch to require StartTLS on 389, or an ldaps:// URL for 636.

After built and installed, start the server like this:

slapd -h "ldap:/// ldaps:///"

To get debugging start like this:

slapd -d127 -h "ldap:/// ldaps:///"

Password Overlay

The ppolicy (password policy) overlay adds lockout after repeated failed binds, password expiry, password history and quality checks. You can use this to compile it in:

./configure --enable-ppolicy

http://zrmt.com/2007/10/19/howto-ppolicy-openldap/

Corrupt Berkeley DB

If slapd won't start, the BDB database might be corrupt.

Start slapd in the foreground with full debugging to see why:

sudo slapd -h 'ldap:/// ldapi:/// ldaps:///' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383

On Ubuntu, the db4.8-utils package includes db4.8_recover. Stop slapd first (the recovery must have the database environment to itself), back up /var/lib/ldap, then run:
sudo db4.8_recover -v -h /var/lib/ldap

adding ldap users to local groups

You can do it simply using:

 usermod -a -G <group> <user>
 
!! Just remember to log out, then log back in: supplementary groups are read at login !!