LDAP
- What is it?
- Concepts
- Terminology
- Schemas
- LDAP URLs
- Client for connecting to LDAP
- References and links
- Apache DS
- OpenLDAP
- After installing (Initial Setup)
- Install slapd from source
- configuration
- Logging and OpenLDAP logs
- Overlays
- MemberOf Overlay
- Open LDAP Groups
- LDAP Search (Query)
- search from command line
- ldaps
- Password Overlay
- Corrupt Berkeley DB
- adding ldap users to local groups
What is it?
Lightweight Directory Access Protocol, based on X.500.
It's a "directory" service: good when data is read far more often than it is written.
Concepts
ldapi:// is the URL scheme for LDAP over Unix domain sockets; the "i" stands for inter-process communication.
Default port is 389.
It can communicate over TLS, an application-layer cryptographic protocol that allows client/server applications to talk privately and reliably.
You can also use SASL, the Simple Authentication and Security Layer, which in theory allows protocols (such as LDAP) to authenticate using a variety of methods.
LDAP servers also often support LDAPS (Secure LDAP, commonly known as "LDAP over SSL"). By default this is on port 636.
There's a single Directory Information Tree (DIT). This data structure can be distributed across one or more servers, which are called "Directory System Agents" (DSAs). A DSA is an LDAP server.
The DIT contains a tree of directory entries.
Entries consist of a set of attributes.
Each entry has a distinguished name (DN). Distinguished names are formed by combining an entry's relative distinguished name (RDN), made from one or more attributes of the entry, with the RDNs of each of the entries up to the root of the DIT. Think of the DN as the full (absolute) path to a file, and of the RDN as just the file name.
Attribute names are mnemonic strings like "cn" for common name, "dc" for domain component, "mail" for email address, and "sn" for surname. They are defined in RFC 2256.
So, distinguished names must include at least one attribute name from each level in the tree. A chain of such attribute names strung together identifies the entry as a DN.
LDAP supports a number of operations:
1) StartTLS - establishes a TLS connection between client and server.
2) Bind - authenticates a client against an LDAP server. You pass an LDAP user DN and password, and the server typically checks the password against the userPassword attribute in the named entry.
3) Search and Compare - the client passes a search request along with several parameters such as "baseObject" (DN of an entry), "scope" (whether to search only the base DN, one level below it, or the whole subtree), "derefAliases" (whether and how to follow alias entries, i.e. entries which refer to other entries), "attributes" (which attributes to return in the response), "sizeLimit", "timeLimit", and "typesOnly" (return attribute types, not values).
4) Update data.
There are also extended operations like "Abandon" and "Unbind".
Terminology
- Schemas are packaging units: all attributes and objectClasses are defined in schemas.
- In OpenLDAP, schemas are loaded via include statements in slapd.conf.
- Attributes defined in one schema can be used by an objectClass defined in another schema.
- Entries group sets of objectClasses.
Schemas
Schemas define which object classes and attributes are available in your LDAP directory. In slapd 2.4, you can simply add schema LDIF files under the /etc/ldap/schema directory, I think.
LDAP URLs
ldap://host:port/DN?attributes?scope?filter?extensions
- attributes is a comma-separated list of attribute names to return (all user attributes if it is empty)
- scope is "base" (default), "one" or "sub"
- filter is a search filter like (objectClass=*)
- extensions is a comma-separated list of LDAP URL extensions (see RFC 4516)
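As an added example that is not from the page, here is a small parser for the URL form above using only the Python standard library; the defaults for an omitted port, scope, attribute list and filter are those from the page and RFC 4516.

```python
from urllib.parse import unquote, urlsplit

# Defaults from the page and RFC 4516: port 389 for ldap://, 636 for ldaps://,
# scope "base", all user attributes (empty list) and filter (objectClass=*).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"base", "one", "sub"}

def parse_ldap_url(url):
    """Split ldap://host:port/DN?attributes?scope?filter?extensions into a dict."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("not an ldap:// or ldaps:// URL: " + url)
    # urlsplit puts the DN in .path and everything after the first '?' in .query,
    # so .query still holds "attributes?scope?filter?extensions".
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))                 # pad the optional fields
    attrs, scope, filt, exts = (unquote(f) for f in fields[:4])
    scope = scope or "base"
    if scope not in SCOPES:
        raise ValueError("bad scope %r (expected base, one or sub)" % scope)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",                  # "" as in ldap:/// (default server)
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope,
        "filter": filt or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }
```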
Client for connecting to LDAP
Apache Directory Studio. Download it here: http://directory.apache.org/studio/downloads.html
To connect to LDAP, go to "New", choose "LDAP Browser" and then "LDAP Connection". Enter the URL and accept the default port 389.
- WCI Directory listens on port 389
To connect Apache Directory Studio to LDAP, use "Simple Authentication" and the following for Bind DN or user: cn=Administrator,ou=users,dc=bea,dc=com (and the Administrator's password)
References and links
http://www.zytrax.com/books/ldap
http://www.openldap.org/doc/admin24
Apache DS
A Java implementation of LDAP.
OpenLDAP
What is it?
It's an implementation of LDAP for *nix systems.
The server program is slapd.
After installing (Initial Setup)
This is in a lot of online posts, but didn't work for me for some reason:
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
If you run sudo dpkg-reconfigure slapd, you can reconfigure the default admin user, domain, etc.
Then, this should work:
ldapsearch -x -D "cn=admin,dc=your,dc=domain" -W -H ldap:/// -b cn=config
Start the service as the openldap OS user:
/usr/sbin/slapd -h ldap:/// -u openldap -g openldap -d 0
Install slapd from source
see http://www.openldap.org/doc/admin24
If you install from source, it will install config files in /usr/local/etc, and binaries in /usr/local/libexec/slapd.
When installing from source, use ./configure --help to see the options. For example, one option I needed was --enable-memberof.
In June 2011, I think I figured out how to use apt-get to install; see below.
In Dec 2010 I tried using the Synaptic package manager to install OpenLDAP. Everything seemed to work, but it couldn't find schema definitions for "objectClass=olcBdbConfig" or "objectClass=olcDatabaseConfig". So, I tried building from source. ./configure complained that the Berkeley Database libraries weren't available, so I installed libdb-dev using the Synaptic package manager.
When building, use:
./configure --enable-overlays --with-tls
./configure --enable-memberof --with-tls
Some dependencies you might need: libnss3-dev libssl-dev libdb-dev
make depend
make
make test
sudo make install
## Install using apt-get (PREFERRED!!)
See http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2
apt-get install slapd ldap-utils
This installs slapd so that you can use `service openldap start/stop/restart`. The slapd process looks first at /usr/local/etc/openldap/slapd.conf. This is where rootdn and rootpw are specified. Or, the root pw and dn can also be specified in the config database. Look below for how to use ldapsearch to see the config database. Then, you configure the slapd server using ldapadd:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
Next, we have to create the actual database (see the example ldif file in the samples/ldap folder):
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldap/create_database.ldif
Next, create the groups and people OUs (see init_db.ldif in the samples/ldap dir):
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldap/init_db.ldif
I tried importing acls.ldif, but got a malloc error. I need to learn more about that. At this point, you should be able to connect and do searches:
ldapsearch -H ldap://<ip address> -D uid=admin,ou=people,dc=upgradingdave,dc=com -W -b dc=upgradingdave,dc=com '(objectClass=*)'
Troubleshooting
# Show the current configuration:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
The -Y option selects a SASL mechanism for authentication (EXTERNAL here).
# Show the current data in the directory as an anonymous user:
ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org
# Dump the database with metadata:
sudo slapcat
/etc/default/slapd contains params to control the slapd process. I thought this is where I needed to open port 389:
SLAPD_SERVICES="ldap:/// ldapi:/// ldap://127.0.0.1:389"
But it turned out to be iptables.
## Setting up the client
sudo apt-get install libnss-ldapd libpam-ldapd
Install ldapscripts for easy way to add users and groups from command line
sudo apt-get install ldapscripts
Edit /etc/ldapscripts/ldapscripts.conf and update it with the appropriate LDAP connection info (including suffix, gsuffix, usuffix). Then you can use:
ldapaddgroup <groupname>
ldapadduser <username>
ldapsetpasswd <username>
## phpldapadmin
sudo apt-get install phpldapadmin
It will install under /usr/share/phpldapadmin on Ubuntu. The configuration file is /etc/phpldapadmin/config.php.
configuration
Admin Manual for version 2.4:
http://www.openldap.org/doc/admin24/
Older versions of slapd use slapd.conf to configure the server; more info via man slapd.conf.
However, as of 2.4, slapd uses a new configuration convention that allows you to configure the LDAP server without having to restart it. "OLC" stands for Online LDAP Configuration. Find more info using man slapd-config.
See the installation notes above; I figured out how to configure using the slapd.d config in June 2011.
As of this writing, I couldn't figure out how to get slapd-config to create a new BDB database. But I was able to install from source, and then use slapd.conf to get a BDB database up and running. Make sure to include the following in slapd.conf (so you have access to all objectClasses).
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
Also make sure to update slapd.conf with the correct suffix, rootdn and rootpw. Then, create LDIF files and use the ldapadd command to create new entries. Some example LDIF files are in the ldap directory. Here's the ldapadd syntax:
ldapadd -x -D "cn=Manager,dc=paroulek,dc=com" -f users.ldif -w secret
Note that -w secret puts the password on the command line (visible in your shell history and in the process list); -W prompts for it instead.
Note that after editing the slapd.conf file and adding "cn=Manager,dc=paroulek,dc=com" as the rootdn, it won't show up as an entry.
Logging and OpenLDAP logs
How to setup OpenLDAP log file
[root@esker /etc]# man slapd.conf
loglevel <integer>
    Specify the level at which debugging statements and operation statistics should be syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility). Log levels are additive, and available levels are:
        1     trace function calls
        2     debug packet handling
        4     heavy trace debugging
        8     connection management
        16    print out packets sent and received
        32    search filter processing
        64    configuration file processing
        128   access control list processing
        256   stats log connections/operations/results
        512   stats log entries sent
        1024  print communication with shell backends
        2048  entry parsing
[root@esker /etc]# cat /etc/openldap/slapd.conf
...
loglevel 4095
...
[root@esker /etc]# cat /etc/syslog.conf
...
# save OpenLDAP log
local4.* /var/log/ldap.log
Then restart syslogd and the LDAP server.
Overlays
Overlays can be compiled statically or configured as modules.
The overlays are normally in [bsd] /usr/local/libexec/openldap and [fedoracore] /usr/libexec/openldap or /usr/sbin/openldap.
Similar to apache modules, they are either .la or .so files.
MemberOf Overlay
In order for this to work, I built ldap like so:
./configure --enable-memberof
This overlay provides automatic reverse group membership maintenance. Any time a group entry is modified, its member entries are updated to keep their "memberOf" attribute current.
man slapo-memberof
Then, in slapd.conf, add the following:
Open LDAP Groups
# LDIF fragment to create group branch under root
dn: ou=groups,dc=example,dc=com
objectclass: organizationalunit
ou: groups
description: generic groups branch
# create the itpeople entry
# the parent must be the ou=groups entry created above
dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
# add the group members all of which are
# assumed to exist under people
member: cn=road runner,ou=people,dc=example,dc=com
member: cn=micky mouse,ou=people,dc=example,dc=com
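What the overlay maintains, as an added example that is not part of the page: a minimal LDIF reader and a function that derives memberOf from each group's member attribute and also reports member DNs that do not exist. The LDIF inside it is the page's cn=itpeople group plus a constructed "road runner" person entry; "micky mouse" is deliberately not created so the dangling-member check has something to report.

```python
# The page's cn=itpeople group (under ou=groups) plus one constructed person entry.
# "cn=micky mouse" is deliberately not created, so it shows up as a dangling member.
LDIF = """\
dn: cn=road runner,ou=people,dc=example,dc=com
objectclass: inetorgperson
cn: road runner
sn: runner

dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
member: cn=road runner,ou=people,dc=example,dc=com
member: cn=micky mouse,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader (no continuation lines, no base64): {dn: {attr: [values]}}."""
    entries, rec = {}, {}
    for line in text.splitlines() + [""]:          # the trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if rec:
                entries[rec["dn"][0]] = rec
            rec = {}
            continue
        attr, _, value = line.partition(":")
        rec.setdefault(attr.lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no spaces around the commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def reverse_membership(entries):
    """What slapo-memberof maintains: for each DN named in a groupOfNames 'member'
    attribute, the groups it belongs to. Also returns (group, member) pairs whose
    member DN does not exist, which slapd does not check when the group is added."""
    by_norm = {norm_dn(dn): dn for dn in entries}
    member_of, missing = {}, []
    for dn, attrs in entries.items():
        if "groupofnames" not in map(str.lower, attrs.get("objectclass", [])):
            continue
        for m in attrs.get("member", []):
            if norm_dn(m) in by_norm:
                member_of.setdefault(by_norm[norm_dn(m)], []).append(dn)
            else:
                missing.append((dn, m))
    return member_of, missing
```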
Once the memberOf overlay is installed, and after adding this to the directory, you can search for entries using the "memberOf" attribute. Note that when you're browsing the directory (in Apache Directory Studio, for example), the memberOf attribute is not displayed unless specifically requested, because it is an operational attribute.
LDAP Search (Query)
All searches must specify:
1) Base DN: defines the starting point
2) Scope: how deep to search. Can be one of "baseObject", "singleLevel", or "wholeSubTree"
3) Search filter
4) Attributes to return
5) Alias dereferencing
6) Limits
Search Filter Syntax
Search filters are of the form:
attribute operator value
Operator can be one of: =, >=, <=, =* (presence), ~=
sn=* matches all entries that have a surname.
~= is a fuzzy (approximate) match; for example, sn~=Dave will match entries where sn=dave.
You can use * to match any characters. For example, sn=D* matches surnames starting with D.
Filters can be combined using the boolean operators & (and) and | (or). ! is negation and can be applied to a single filter. For example, to find all entries with surname Miller or Smith: (|(sn=Smith)(sn=Miller))
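As an added example that is not from the page, the following Python implements the filter grammar described above, including nested &, | and ! combinations and >=/<= over multi-valued attributes, and runs filters against a constructed in-memory set of entries. The ~= and >=/<= handling is simplified relative to a real server, as the comments note.

```python
import re
ITEM = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)")   # attr op value

def parse_filter(f, i=0):   # parse f[i:] (must start with '('); return (node, index after ')')
    if f[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, f))
    c = f[i + 1]
    if c in "&|!":                        # (&...) and (|...) take any number of filters,
        kids, i = [], i + 2               # (!...) takes exactly one
        while f[i] == "(":
            kid, i = parse_filter(f, i)
            kids.append(kid)
        node = (c, kids)
    else:                                 # a simple item such as sn=Smith or sn=*
        end = f.index(")", i)
        m = ITEM.fullmatch(f[i + 1:end])
        if not m:
            raise ValueError("bad filter item: " + f[i + 1:end])
        node, i = ("item", m.group(1).lower(), m.group(2), m.group(3).lower()), end
    if f[i] != ")":
        raise ValueError("expected ')' at %d in %r" % (i, f))
    return node, i + 1

def matches(node, entry):   # evaluate a parsed filter against one entry {attr: [values]}
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    attr, op, value = node[1:]
    vals = [str(v).lower() for v in entry.get(attr, [])]   # caseIgnoreMatch semantics
    if op == "=":                     # equality, substring (sn=D*) and presence (sn=*)
        pat = ".*".join(map(re.escape, value.split("*")))
        return any(re.fullmatch(pat, v) for v in vals)
    if op == "~=":                    # approximate match, simplified to letters/digits only
        strip = lambda s: re.sub(r"[^a-z0-9]", "", s)
        return strip(value) in map(strip, vals)
    # >= and <=: plain string order here; a real server uses the attribute's ORDERING rule
    return any(v >= value if op == ">=" else v <= value for v in vals)

def search(entries, filt):  # return the DNs in {dn: {attr: [values]}} that match filt
    if not filt.startswith("("):
        filt = "(%s)" % filt              # ldapsearch also accepts a bare sn=*
    node = parse_filter(filt)[0]
    return [dn for dn, attrs in entries.items()
            if matches(node, {k.lower(): v for k, v in attrs.items()})]

# Constructed sample entries (not from the page), dn -> {attr: [values]}
ENTRIES = {"cn=dave miller,ou=people,dc=example,dc=com": {"sn": ["Miller"], "uidNumber": ["1001"]},
           "cn=ann smith,ou=people,dc=example,dc=com": {"sn": ["Smith"], "uidNumber": ["1002"]},
           "ou=people,dc=example,dc=com": {"ou": ["people"]}}
```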
Compare
There is a compare operation in addition to the search operation. Compare returns TRUE or FALSE: for example, if you compare an entry that has sn=Smith against the assertion sn=Jones, you'll get FALSE as the response.
search from command line
ldapsearch -H ldap://
ldaps
Create cacert.pem, server_cert.pem, and server_key.pem
Copy them into /usr/local/etc/openldap
Build LDAP with --with-tls (libssl-dev is required in order for it to work properly).
After it is built and installed, start the server like this:
slapd -h "ldap:/// ldaps:///"
To get debugging start like this:
slapd -d127 -h "ldap:/// ldaps:///"
Password Overlay
You can use this to compile in the overlay:
./configure --enable-ppolicy
http://zrmt.com/2007/10/19/howto-ppolicy-openldap/
Corrupt Berkeley DB
If LDAP won't start, the DB might be corrupt. Start LDAP to troubleshoot like so:
sudo slapd -h 'ldap:/// ldapi:/// ldaps:///' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
On Ubuntu, there's a package db4.8-utils that includes db4.8_recover. Stop slapd first, then use:
sudo db4.8_recover -v -h /var/lib/ldap
Afterwards, check that the files under /var/lib/ldap are still owned by the openldap user.
adding ldap users to local groups
You can do it simply using:
usermod -a -G <group> <user>
!! Just remember to log out and then log back in, so the new group membership takes effect !!