OpenLDAP Directory Administration: OpenLDAP



Table of Contents

  • Obtaining the OpenLDAP Distribution

  • Software Requirements

  • Compiling OpenLDAP 2

  • OpenLDAP Clients and Servers

  • The slapd.conf Configuration File

  • Access Control Lists (ACLs)



Obtaining the OpenLDAP Distribution

  • What is OpenLDAP?

    • Popular, open source LDAPv3-compliant directory server

    • Attractive for several reasons:

      • Source code is available for download

      • Compliant with the core LDAPv3 specifications

      • Available on multiple platforms, including Linux, Solaris, Mac OS X 10.2, and Windows

      • Continuation of the original University of Michigan LDAP server

  • Compiling OpenLDAP means satisfying many dependencies (see Software Requirements)

  • Where possible, obtain binary packages (e.g. http://www.symas.com/ for Solaris and HP-UX)

  • Source code: http://www.openldap.org/



Software Requirements

  • OpenLDAP server will require several external software packages:

    • Support for POSIX threads (either by OS or an external library)

      It is possible to compile OpenLDAP without thread support, but slurpd requires it

    • SSL/TLS libraries, such as OpenSSL

      http://www.openssl.org/

    • Database manager library that supports DBM type storage facilities.

      • Current library of choice is BerkeleyDB 4.1

        http://www.sleepycat.com/

      • GNU gdbm can also be used, via the older ldbm backend

        http://www.fsf.org/

    • Release 2.1 of the SASL libraries from Carnegie Mellon University

      http://asg.web.cmu.edu/sasl/sasl-library.html



Compiling OpenLDAP

  • Compiling:

    (untar the distribution)

    ./configure --enable-wrappers    # enables support for TCP wrappers

    make depend

    make

    make test

    make install

  • Things to check when encountering problems

    • (if your system supports it) Use the ldd tool to verify that binaries (e.g. slapd) have been linked against the correct libraries

      • If not, change /etc/ld.so.conf and run ldconfig -v, or set LD_LIBRARY_PATH

    • Verify that DNS is configured correctly (including reverse DNS: hostname-based TCP wrapper rules depend on it)

    • Verify network connectivity



OpenLDAP Clients and Servers



The slapd.conf Configuration File

  • Central source of configuration information

  • Used by slapd, slurpd, and related tools, such as slapcat and slapadd

  • Client tools such as ldapmodify and ldapsearch use ldap.conf (not slapd.conf) for their default settings

  • Can be broken into two sections

    • Parameters that affect overall behavior of the servers

    • Parameters that relate to a specific database backend used by the slapd daemon



The slapd.conf Configuration File

Schema Files

include /etc/ldap/schema/...

corba.schema          Schema for storing CORBA objects in LDAP (RFC 2714)
core.schema           OpenLDAP required core schema: basic LDAPv3 attributes and object classes described in RFCs 2251-2256
cosine.schema         For supporting COSINE and X.500 directory pilots (RFC 1274)
inetorgperson.schema  Defines the inetOrgPerson object class and attributes (RFC 2798)
java.schema           For storing Java objects (RFC 2713)
misc.schema           Miscellaneous objects (e.g. LDAP-based mail routing with sendmail)
nis.schema            Attributes and object classes necessary for using LDAP with NIS (RFC 2307)
openldap.schema       Miscellaneous objects used by the OpenLDAP project



The slapd.conf Configuration File

Logging

loglevel   296

pidfile    /var/run/slapd.pid

argsfile   /var/run/slapd.args

loglevel is a set of bit flags that are OR'ed (summed) together; 296 = 256 (stats: connections, operations, results) + 32 (search filter processing) + 8 (connection management)



The slapd.conf Configuration File

SASL Options

  • SASL is not needed if only simple binds will be used

  • However, often useful to allow a combination of simple binds and SASL mechanisms for user connections, eg.:

    • Normal users can do lookups via a simple bind

    • Administrators must authenticate via SASL

  • slapd.conf has three SASL-related global options:

    • sasl-host hostname

    • sasl-realm string

    • sasl-secprops properties

  • sasl-host and sasl-realm are respectively the FQDN and SASL domain used for authentication

    Use sasldblistusers2 to dump the Cyrus SASL 2.x user database (/etc/sasldb2); SASL 1.x used sasldblistusers and /etc/sasldb

  • sasl-secprops allows you to define conditions that affect SASL security properties (see next slide)



The slapd.conf Configuration File

SASL Options (cont.)

  • sasl-secprops parameter values and descriptions:



The slapd.conf Configuration File

SASL Options (cont.)

  • Various cyrus-sasl plugins:



The slapd.conf Configuration File

SASL Options (cont.)

  • If you had this in slapd.conf:

    ## No PLAIN or ANONYMOUS mechanisms; require at least DES-strength (56-bit) protection
    sasl-secprops noplain,noanonymous,minssf=56

  • the following mechanisms for authentication would be allowed:

    • DIGEST-MD5

    • GSSAPI

    • KERBEROS_4



The slapd.conf Configuration File

SSL/TLS Options

  • Parameters:

    TLSCipherSuite cipher-suite-specification

    TLSCertificateFile filename

    TLSCertificateKeyFile filename



The slapd.conf Configuration File

Serving Up Data

  • After the global section: one or more database sections, each defining a directory partition

  • database directive, possible values:

    bdb: BerkeleyDB 4 database manager, makes extensive use of indexing and caching; recommended OpenLDAP backend

    ldbm: GNU Database Manager or Sleepycat BerkeleyDB; older implementation

    passwd: Quick and dirty means of providing directory interface to the system passwd file

    shell: Allows the use of alternative (external) databases



The slapd.conf Configuration File

Serving Up Data (cont.)

  • Example:

# Begin a new database section
database   bdb

# Define the root suffix you serve
suffix     "dc=plainjoe,dc=org"

# Define the root DN for superuser privileges
rootdn     "cn=Manager,dc=plainjoe,dc=org"

# Define the root DN's password: salted secure hash (SSHA) of 'secret'
rootpw     {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy

# Directory containing the database files
directory  /var/ldap/plainjoe.org

# Files should be created rw for the owner *only*
mode       0600
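The rootpw value above is a salted SHA-1 hash in slapd's {SSHA} scheme, the format slappasswd -h {SSHA} emits. The following is an added example written for this page (not code from the slides or from OpenLDAP) that generates and verifies such values, so a slapd.conf rootpw or a userPassword attribute can be checked offline. The DN names and the 4-byte salt length follow the slide; the constant SLIDE_ROOTPW is the value printed there.

```python
"""Generate and verify OpenLDAP-style {SSHA} password hashes.

Added for this page; this is not OpenLDAP code. slapd's {SSHA} scheme (the
output of slappasswd -h {SSHA}) is base64(SHA1(password || salt) || salt): the
20-byte SHA-1 digest of the password with the salt appended, followed by the
raw salt. slappasswd uses a 4-byte salt; a verifier must accept any salt
length by treating everything after the first 20 decoded bytes as the salt.
"""
import base64
import hashlib
import hmac
import os

DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return a {SSHA} string for password, using a random 4-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(hashed: str):
    """Decode a {SSHA} string into (digest, salt); raises ValueError on malformed input."""
    if not hashed.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(hashed[len("{SSHA}"):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded value too short to contain digest and salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, hashed: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = ssha_split(hashed)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# The rootpw value shown on the slide, which the slide says is the {SSHA} of 'secret'.
SLIDE_ROOTPW = "{SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy"

if __name__ == "__main__":
    print(ssha_hash("secret"))                   # differs on every run because the salt is random
    print(ssha_verify("secret", SLIDE_ROOTPW))   # checks the slide's value against 'secret'
```

Because rootpw is a credential, slapd.conf itself needs the same care as the database files: readable only by the account slapd runs as. {SSHA} is salted but fast to compute, so for userPassword prefer a slower scheme where the deployment allows it; the password-hash directive selects the scheme slapd applies when it hashes passwords itself.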



Access Control Lists

  • OpenLDAP ACLs are simple in syntax, yet very flexible and powerful

  • Basic idea:

    WHO has ACCESS to WHAT ?



Access Control Lists (cont.)

WHO has ACCESS to WHAT ?

WHO can be:

*                    Any connected user, including anonymous connections
self                 The entry whose DN is that of the currently connected (bound) user
anonymous            Non-authenticated user connections
users                Authenticated user connections
Regular expression   Matches a DN or a SASL identity

Note: the bound identity can be a DN (dn="cn=gerald carter,ou=people,dc=plainjoe,dc=org") or a SASL identity (dn="uid=jerry,cn=gssapi,cn=auth")



Access Control Lists (cont.)

WHO has ACCESS to WHAT ? (cont.)

ACCESS can be (each level implies all the levels below it):

write     Access to update attribute values
read      Access to read search results (e.g. show all entries with a telephoneNumber of 555*)
search    Access to apply search filters (e.g. are there any entries with a telephoneNumber of 555*)
compare   Access to compare attribute values
auth      Access to bind (authenticate); requires that the client send a username (DN) and some type of credentials
none      No access



Access Control Lists (cont.)

WHO has ACCESS to WHAT ? (cont.)

WHAT can be any combination of:

  • A DN pattern defining the target of the ACL

    Syntax is dn.targetstyle=regex

    where:

    • targetstyle is one of base, subtree, one, or children, and is used to broaden or narrow the scope (default subtree)

    • regex is a regular expression representing a DN

  • An LDAP search filter that conforms to RFC 2254

    Syntax is filter=ldapFilter

  • A comma-separated list of attribute names

    Syntax is attrs=attributeList



Access Control Lists (cont.)

Examples

  • Simple ACL granting read access to the world:

    access to *
        by * read

  • Restrict access to the userPassword attribute so that it can only be used to bind:

    access to attrs=userPassword
        by * auth

  • A user should additionally be allowed to modify her own password:

    access to attrs=userPassword
        by self write
        by * auth



Access Control Lists (cont.)

Examples (cont.)

  • ACLs are evaluated on a first-match-wins basis: the first access directive whose target matches the entry decides, so more specific (narrower) directives must be listed before more general ones. The same rule applies to the by clauses within a directive.

  • e.g. this never grants self write, because the first directive already matches every access to userPassword and the second is never consulted:

    access to attrs=userPassword
        by * auth

    access to attrs=userPassword
        by self write
        by * auth

  • better (the first directive now carries the self write clause; the second is still unreachable, but harmless):

    access to attrs=userPassword
        by self write
        by * auth

    access to attrs=userPassword
        by * auth



Access Control Lists (cont.)

Examples (cont.)

  • Assume:

    • Administrative accounts are located beneath the DN ou=admins,ou=eng,dc=plainjoe,dc=org

    • Normal user accounts are located beneath ou=users,ou=eng,dc=plainjoe,dc=org

    • Normal users should not be allowed to see other users' passwords

    • A user should be able to modify his password

    • Admin users should be able to modify any user's password

  • Gives:

access to dn=".*,ou=eng,dc=plainjoe,dc=org"
        attrs=userPassword
    by self write
    by dn=".*,ou=admins,ou=eng,dc=plainjoe,dc=org" write
    by * auth

  • Note: by clauses are also first-match, so the admin clause must come before the catch-all by * auth. Placed after it, an administrator binding to change another user's password matches by * auth first and the write grant is never reached. In OpenLDAP 2.1 a bare dn= pattern is a regular expression; later releases treat dn= as an exact match and need dn.regex= for this form.



Access Control Lists (cont.)

Examples (cont.)

  • This example:

    access to dn=".*,ou=eng,dc=plainjoe,dc=org"
            attrs=userPassword
        by self write
        by dn=".*,ou=admins,ou=eng,dc=plainjoe,dc=org" write
        by * auth

  • Can also be written as:

    access to dn.children="ou=eng,dc=plainjoe,dc=org"
            attrs=userPassword
        by self write
        by dn.children="ou=admins,ou=eng,dc=plainjoe,dc=org" write
        by * auth

  • The dn.children form matches on the structure of the DN rather than on a regular expression. If regular expressions are used, anchor them with ^ and $ so that a pattern such as .*,ou=admins,ou=eng,dc=plainjoe,dc=org cannot match a DN that merely contains that text.
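The two points made on the last few slides, that the first matching access directive is the only one consulted and that by clauses inside it are likewise first-match, are easy to get wrong when a catch-all by * auth sits ahead of a more specific grant. The following added example is a small Python model written for this page (not OpenLDAP code, and not part of the original slides) that reproduces just this part of slapd's evaluation so the effect of clause order can be checked on the page's own dc=plainjoe,dc=org examples. The identities (admin1, alice, bob) are constructed; groups, sets, break/continue and slapd's default policy when nothing matches are deliberately left out.

```python
"""Toy model of how slapd evaluates access directives (first match wins).

Added for this page; this is NOT OpenLDAP code. It implements just enough of
slapd.access(5) to show why ordering matters: the first 'access to' directive
whose target matches the entry is the only one consulted, and inside it the
first 'by' clause whose <who> matches the bound identity decides the level
(every directive implicitly ends with 'by * none'). Groups, sets,
'break'/'continue' and slapd's default policy are not modelled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Access levels in increasing order; each level implies the ones before it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass(frozen=True)
class By:
    who: str      # "*", "anonymous", "users", "self", "dn.regex=<re>" or "dn.children=<dn>"
    access: str   # one of LEVELS


@dataclass(frozen=True)
class Access:
    target: str                            # "*", "dn.regex=<re>" or "dn.children=<dn>"
    by: List[By]
    attrs: Optional[frozenset] = None      # lower-cased attribute names, or None for any


def dn_matches(spec: str, dn: str) -> bool:
    """Match a DN against a target/who DN specification (DNs compared case-insensitively)."""
    if spec == "*":
        return True
    if spec.startswith("dn.regex="):
        # Like regexec(3) in slapd, an unanchored pattern matches anywhere in the DN,
        # so real rules should anchor with ^ and $.
        return re.search(spec[len("dn.regex="):], dn, re.IGNORECASE) is not None
    if spec.startswith("dn.children="):
        return dn.lower().endswith("," + spec[len("dn.children="):].lower())
    raise ValueError("unsupported DN spec: " + spec)


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    """bind_dn == "" models an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    return dn_matches(who, bind_dn)


def evaluate(acl: List[Access], bind_dn: str, target_dn: str, attr: str) -> str:
    """Access level bind_dn gets on attribute attr of entry target_dn."""
    for directive in acl:
        if directive.attrs is not None and attr.lower() not in directive.attrs:
            continue
        if not dn_matches(directive.target, target_dn):
            continue
        for clause in directive.by:          # first matching 'by' clause wins
            if who_matches(clause.who, bind_dn, target_dn):
                return clause.access
        return "none"                        # implicit trailing 'by * none'
    return "none"                            # nothing matched: this model denies


def grants(level: str, needed: str) -> bool:
    """True if the granted level implies the needed one (write implies read, etc.)."""
    return LEVELS.index(level) >= LEVELS.index(needed)


# Constructed identities following the page's dc=plainjoe,dc=org tree.
ADMIN = "cn=admin1,ou=admins,ou=eng,dc=plainjoe,dc=org"
ALICE = "uid=alice,ou=users,ou=eng,dc=plainjoe,dc=org"
BOB = "uid=bob,ou=users,ou=eng,dc=plainjoe,dc=org"
PW = frozenset({"userpassword"})

ENG_RE = "dn.regex=^.*,ou=eng,dc=plainjoe,dc=org$"
ADMINS_RE = "dn.regex=^.*,ou=admins,ou=eng,dc=plainjoe,dc=org$"

# Catch-all 'by * auth' placed ahead of the admin grant: admins never reach 'write'.
SHADOWED = [Access(ENG_RE, [By("self", "write"), By("*", "auth"), By(ADMINS_RE, "write")], PW)]
# Same clauses, admin grant before the catch-all.
CORRECTED = [Access(ENG_RE, [By("self", "write"), By(ADMINS_RE, "write"), By("*", "auth")], PW)]
# Equivalent using dn.children instead of regular expressions.
CHILDREN = [Access("dn.children=ou=eng,dc=plainjoe,dc=org",
                   [By("self", "write"),
                    By("dn.children=ou=admins,ou=eng,dc=plainjoe,dc=org", "write"),
                    By("*", "auth")], PW)]

if __name__ == "__main__":
    for name, acl in (("shadowed", SHADOWED), ("corrected", CORRECTED), ("children", CHILDREN)):
        print(f"{name:9s} admin on bob's userPassword: {evaluate(acl, ADMIN, BOB, 'userPassword')}")
```

Running it shows the admin getting only auth under the shadowed ordering and write under the other two; alice gets write on her own userPassword and auth on bob's in every variant. The same harness can be extended with a site's real rules to check an intended grant before the ACL is loaded into slapd.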

