
OpenLDAP Installation and Test

Revision as of 02:11, 23 November 2016 by Rchan (talk | contribs) (Check current "naming context" of the OpenLDAP directory)

OpenLDAP Server and client Configuration File

OpenLDAP Server Configuration directory

Please note that the following procedure only works for CentOS Linux starting from version 7.0.

  • Top of the configuration directory for the OpenLDAP server slapd: /etc/openldap/slapd.d/cn=config
[root@localhost cn=schema]# ls -l /etc/openldap/slapd.d/cn\=config
total 20
drwxr-x---. 2 ldap ldap 104 Nov 22 18:35 cn=schema
-rw-------. 1 ldap ldap 378 Dec 16  2015 cn=schema.ldif
-rw-------. 1 ldap ldap 513 Dec 16  2015 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap 443 Dec 16  2015 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap 562 Dec 16  2015 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap 609 Dec 16  2015 olcDatabase={2}hdb.ldif
  • Some notes:
    • cn=schema - contains the schema to be loaded by the slapd server.
    • olcDatabase={2}hdb.ldif - the main configuration for the OpenLDAP server's database.
  • Initial contents in the "cn=schema" directory:
[root@localhost cn=schema]# ls -l
total 40
-rw-------. 1 ldap ldap 15578 Dec 16  2015 cn={0}core.ldif
  • Initial contents in the "olcDatabase={2}hdb.ldif" file:
[root@localhost cn=config]# cat olcDatabase\=\{2\}hdb.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2e34fa34
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 356a18aa-384e-1035-958d-25b49e5bf54e
creatorsName: cn=config
createTimestamp: 20151216143659Z
entryCSN: 20151216143659.541486Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20151216143659Z

To use the OpenLDAP directory to host Linux user accounts, you need to import three more existing schemas (cosine, nis, and inetorgperson) into the slapd server. You also need to update the following fields in the "olcDatabase={2}hdb.ldif" file:

  • olcSuffix - update to reflect your base context (or naming context)
  • olcRootDN - update to match your naming context
  • olcRootPW - add (the password for olcRootDN)

Start slapd and add additional schema

After installing the openldap-servers rpm package, you should be able to start the OpenLDAP server slapd with the following command:

systemctl start slapd.service

To configure your system to start slapd.service at system boot, run the following command:

systemctl enable slapd.service

You can now import the three required schema:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
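The steps above (start and enable slapd, load the three schemas, then set olcSuffix, olcRootDN and olcRootPW) collected into one script, as an added example; this is not the wiki page's or the OpenLDAP project's own code. It assumes the CentOS 7 paths shown on this page and that it runs as root, so that `-Y EXTERNAL -H ldapi:///` is mapped to cn=config. The variables `SLAPD_CONFIG_DIR` and `SCHEMA_SRC_DIR` and all function names are the example's own. Because the generated olcDatabase={2}hdb.ldif says "DO NOT EDIT", the three fields are changed through ldapmodify, and olcRootPW receives the {SSHA} hash printed by slappasswd rather than the clear-text password.

```shell
#!/bin/sh
# Added example, not code from the wiki page or the OpenLDAP project.
# Brings up slapd on CentOS 7 following the steps above; must run as root.
set -eu

# Paths from the page; the variables exist so the helpers can be pointed at
# a scratch copy when testing without a running slapd.
SLAPD_CONFIG_DIR="${SLAPD_CONFIG_DIR:-/etc/openldap/slapd.d/cn=config}"
SCHEMA_SRC_DIR="${SCHEMA_SRC_DIR:-/etc/openldap/schema}"

# schema_loaded NAME: succeed if cn={N}NAME.ldif already exists under
# cn=config/cn=schema (slapd numbers them in load order, as in the listing
# above), so a second run does not try to add the same schema twice.
schema_loaded() {
    ls "$SLAPD_CONFIG_DIR/cn=schema" 2>/dev/null \
        | grep -q "^cn={[0-9][0-9]*}$1\\.ldif\$"
}

# load_schema NAME: add $SCHEMA_SRC_DIR/NAME.ldif over the local ldapi:///
# socket with SASL EXTERNAL (root's uid/gid map to cn=config), the same
# ldapadd form used above, but only when the schema is not loaded yet.
load_schema() {
    if schema_loaded "$1"; then
        echo "schema $1 already loaded, skipping"
        return 0
    fi
    ldapadd -Y EXTERNAL -H ldapi:/// -f "$SCHEMA_SRC_DIR/$1.ldif"
}

# hdb_config_ldif SUFFIX ROOTDN HASH: print ldapmodify input that sets the
# three fields listed above on olcDatabase={2}hdb.  "replace" also creates
# olcRootPW when it is absent, so the LDIF is safe to re-apply.  HASH must be
# the {SSHA} string from slappasswd: the .ldif under slapd.d stores the value
# verbatim, so a clear-text password would otherwise sit on disk.
hdb_config_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $1
-
replace: olcRootDN
olcRootDN: $2
-
replace: olcRootPW
olcRootPW: $3
EOF
}

# configure_server SUFFIX ROOTDN: the whole procedure.  slappasswd prompts
# for the password on the terminal, so it never lands in shell history.
configure_server() {
    systemctl start slapd.service
    systemctl enable slapd.service
    for s in cosine nis inetorgperson; do
        load_schema "$s"
    done
    hash=$(slappasswd)
    hdb_config_ldif "$1" "$2" "$hash" | ldapmodify -Y EXTERNAL -H ldapi:///
    # Confirm the new suffix is what the server now advertises.
    ldapsearch -x -b '' -s base namingContexts | grep '^namingContexts:'
}

# Usage:  sh setup-slapd.sh run dc=ops535,dc=com cn=Manager,dc=ops535,dc=com
if [ "${1:-}" = "run" ]; then
    configure_server "$2" "$3"
fi
```

The guard at the bottom keeps the functions sourceable: `. setup-slapd.sh` loads them for interactive use, and only the explicit `run` argument touches systemd and the directory.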

Check the directory content in "/etc/openldap/slapd.d/cn=config/cn=schema"

[root@localhost cn=config]# ls -l cn\=schema
total 40
-rw-------. 1 ldap ldap 15578 Dec 16  2015 cn={0}core.ldif
-rw-------. 1 ldap ldap 11455 Nov 22 18:34 cn={1}cosine.ldif
-rw-------. 1 ldap ldap  6587 Nov 22 18:35 cn={2}nis.ldif
-rw-------. 1 ldap ldap  2949 Nov 22 18:35 cn={3}inetorgperson.ldif

Check current "naming context" of the OpenLDAP directory

[root@localhost cn=config]# ldapsearch -x -b '' -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts 
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

OpenLDAP client configuration

  1. /etc/openldap/ldap.conf
    1. This is the configuration file for the ldap clients. The following are ldap client programs:
      1. ldapadd
      2. ldapcompare
      3. ldapdelete
      4. ldapmodify
      5. ldapmodrdn
      6. ldappasswd
      7. ldapsearch
      8. ldapwhoami
    2. You could set/modify the following directives:
      1. BASE
      2. URI
  2. /etc/ldap.conf
    1. This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module
    2. You could set/modify the following directives:
      1. base
      2. host - IP or hostname of the LDAP server. If you use hostname, it must be resolvable without using LDAP. Multiple hosts may be specified, each separated by a space.

Important LDAP Commands and Sample LDIF files

  • Base LDIF file
  • POSIX User account file
  • ldapadd, ldapsearch, ldapdelete command

Tools/Utilities for Testing OpenLDAP Server

  • ldapsearch
    • To display LDAP Protocol features and extensions supported by OpenLDAP, use the following ldapsearch examples:
[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures 
#

#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedControl
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl 
# 

#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[rchan@moodle ~]$ ldapsearch -x -b "" -s base supportedExtension
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedExtension 
# 

#
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
    • To display supported controls, extensions, and features in one query (the "+" asks for all operational attributes of the rootDSE):
[rchan@moodle ~]$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base '(objectclass=*)' +
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: + 
# 

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
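An added example (not code from the wiki page or the OpenLDAP project) that turns the rootDSE output above into a check. It parses the LDIF that ldapsearch prints (dropping the "#" comment lines and re-joining folded continuation lines), compares namingContexts with the BASE directive of a client ldap.conf as described in the client-configuration section, and looks for three extended-operation OIDs among supportedExtension, including StartTLS (1.3.6.1.4.1.1466.20037). That OID does not appear in the output shown above, and the report says so. `SAMPLE_ROOTDSE` is a constructed, trimmed copy of that output; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the wiki page or the OpenLDAP project.
# Parses rootDSE output from:  ldapsearch -x -b '' -s base '(objectclass=*)' +
set -eu

# Constructed, trimmed copy of the rootDSE output shown on the page.
SAMPLE_ROOTDSE=$(cat <<'EOF'
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ops535,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 1.2.840.113556.1.4.319
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success
EOF
)

# ldif_attr NAME: print each value of attribute NAME from ldapsearch LDIF on
# stdin.  '#' lines are ldapsearch comments; a line starting with one space
# continues the previous value and is joined back on.  Base64 values
# ("name:: ...") are not decoded here.
ldif_attr() {
    awk -v attr="$1" '
        function emit() {
            if (index(cur, attr ": ") == 1) print substr(cur, length(attr) + 3)
        }
        /^#/ { next }
        /^ /  { cur = cur substr($0, 2); next }
        { emit(); cur = $0 }
        END { emit() }'
}

# Extended-operation OIDs from the RFCs (the rootDSE lists OIDs only).
OID_STARTTLS=1.3.6.1.4.1.1466.20037     # RFC 4511, StartTLS
OID_PASSMOD=1.3.6.1.4.1.4203.1.11.1     # RFC 3062, Password Modify
OID_WHOAMI=1.3.6.1.4.1.4203.1.11.3      # RFC 4532, "Who am I?"

# has_extension OID: succeed if OID is among supportedExtension on stdin.
has_extension() {
    ldif_attr supportedExtension | grep -qxF -- "$1"
}

# client_base_matches LDAP_CONF: succeed if the BASE directive in the client
# ldap.conf equals one of the server's namingContexts on stdin (exact string
# compare; DNs that differ only in case or spacing will not match).
client_base_matches() {
    base=$(awk 'toupper($1) == "BASE" { print $2; exit }' "$1")
    [ -n "$base" ] || { echo "no BASE directive in $1" >&2; return 1; }
    ldif_attr namingContexts | grep -qxF -- "$base"
}

# check_rootdse: print a short report and return 0 only when the server
# speaks LDAPv3 and advertises StartTLS.  slapd lists the StartTLS OID only
# once a certificate and key are configured, so its absence means simple
# binds such as "ldapsearch -x -W" send the password over the network in clear.
check_rootdse() {
    ldif=$(cat)
    rc=0
    echo "naming contexts: $(printf '%s\n' "$ldif" | ldif_attr namingContexts | tr '\n' ' ')"
    ver=$(printf '%s\n' "$ldif" | ldif_attr supportedLDAPVersion)
    [ "$ver" = 3 ] || { echo "WARN: supportedLDAPVersion is '$ver', not 3"; rc=1; }
    for pair in "StartTLS=$OID_STARTTLS" "PasswordModify=$OID_PASSMOD" "WhoAmI=$OID_WHOAMI"; do
        name=${pair%%=*}; oid=${pair#*=}
        if printf '%s\n' "$ldif" | has_extension "$oid"; then
            echo "$name ($oid): advertised"
        else
            echo "$name ($oid): not advertised"
            if [ "$name" = StartTLS ]; then rc=1; fi
        fi
    done
    return $rc
}
```

Against a live server, pipe the real output in: `ldapsearch -x -b '' -s base '(objectclass=*)' + | check_rootdse`. The anonymous query (no `-D`/`-W`) is enough, since the rootDSE attributes shown above are readable without a bind; a password is only needed for the `-D 'cn=Manager,...' -W` form on the page.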

Tools to test the LDAP server

  • ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b "" -s base
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE 

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Using OpenLDAP for Apache Basic Authentication

  • In httpd.conf, configure the directory for basic authentication (Apache 2.0):
 <Directory /var/www/html/openldap>
 AuthType Basic
 AuthName "Case Network ID"
 AuthLDAPURL "ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 # All users in openldap
 require valid-user
 # Just the listed user
 # require user pma
 </Directory>
  • For Apache 2.2:
 <Location /var/www/html/openldap>
 AuthType Basic
 AuthBasicProvider ldap
 AuthName "Case Network ID"
 AuthzLDAPAuthoritative off
 AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
 AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
 AuthLDAPBindPassword "your-openldap-password"
 Require valid-user
 </Location>

Reference:
Linux.com: Apache Authentication and Authorization using LDAP
Apache Authentication and Authorization using LDAP (blogger) <-- Nes: broken link??

Possible Administrative Tasks for OpenLDAP

  • Installing OpenLDAP rpm packages or building from source
  • Configuring and verifying the LDAP server
  • Building an initial DIT (directory information tree) with an LDIF file
  • Loading, modifying, and searching directory records
  • Setting passwords and authenticating against the directory
  • Configuring Access Control Lists (ACLs)
  • Configuring multiple database back ends
  • Securing network-based directory connections with SSL and TLS
  • Advanced configurations and performance tuning settings
  • Creating and implementing LDAP schemas
  • Creating custom schemas and sophisticated ACLs
  • Using OpenLDAP as a proxy for other LDAP servers
  • Adding caching with the Proxy Cache overlay
  • Using the transparency overlay to create a hybrid cache
  • Installing and configuring a web-based LDAP administration suite
  • Keeping multiple directory servers synchronized with SyncRepl
  • Using OpenLDAP for Apache authentication
  • Turn on/off OpenLDAP syslog entries

OpenLDAP Concepts/Configuration

More Resources