
OpenLDAP: Building and Configuring


Presentation Transcript


  1. OpenLDAP: Building and Configuring
     CNS 4650, Fall 2004, Rev. 2

  2. OpenLDAP History
     • http://www.openldap.org
     • Based off the UMich code
     • Died ~1996
     • OpenLDAP started ~1998
     • OpenLDAP 1.0 - August 1998

  3. Downloading OpenLDAP
     • Download from http://www.openldap.org/software/download/
     • 2.2.18 (~August 2004)
     • Software is packaged as a "tar-ball": tar'ed and then gzip'ed
     • openldap-2.2.18.tgz

  4. Building OpenLDAP
     • Requirements
       • C/C++ compiler (gcc)
       • POSIX regex (available on most modern Linux/UN*X systems)
       • Sleepycat Berkeley DB 4.2+
     • Recommended
       • Cyrus SASL 2.1.18+
       • OpenSSL 0.9.7+

  5. Building SLAPD
     • BDB backend: Sleepycat Berkeley DB 4.2+
     • LDBM backend: a compatible database manager (Berkeley DB, GDBM, etc.)

  6. Building SLURPD
     • Thread library: Pthreads (POSIX), Cthreads (Mach)

  7. Environment Variables

  8. Environment Variables
     • Bash
       export LDFLAGS=-L/usr/local/Berkeley4.2/lib
     • Tcsh (TC Shell/C Shell)
       setenv LDFLAGS -L/usr/local/Berkeley4.2/lib

  9. Building for Linux
     • You might have to add the directories holding the SASL, SSL and Berkeley DB libraries to /etc/ld.so.conf
     • Afterwards run ldconfig -v
     • Set LD_LIBRARY_PATH the same way as the LDFLAGS example on the previous slide:
       export LD_LIBRARY_PATH=/usr/local/Berkeley4.2/lib

  10. Building
     • cd openldap-2.2.18
     • ./configure --enable-wrappers
     • --enable-wrappers makes slapd TCP-wrappers aware
     • The configure script warns you if dependencies cannot be found. If there are no errors, continue.

  11. Building
     • make depend
     • make
     • make test
     • sudo -s
     • make install

  12. Troubleshooting Builds
     • Make sure you have a valid network interface (ifconfig -a)
     • Verify you have the proper environment flags set (LD_LIBRARY_PATH, LDFLAGS, CPPFLAGS, etc.)
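The environment-variable and ld.so.conf steps on slides 8-12 are where most builds go wrong (missing -L/-I flags, a library directory never added to ld.so.conf). The script below is an added example written for these notes, not part of the slides or of OpenLDAP: it checks the Berkeley DB install directory before exporting LDFLAGS, CPPFLAGS and LD_LIBRARY_PATH, and adds a library directory to an ld.so.conf file only when it is not already listed. The paths under /usr/local/Berkeley4.2 are assumptions taken from the slides; the `demo` function uses a constructed temporary layout so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the slides): pre-flight checks for the build steps on
# slides 8-12. The Berkeley DB path is an assumption; adjust it to your install.

# prepare_build_env DIR
#   Verifies DIR/lib and DIR/include exist, then exports the flags that
#   ./configure needs. Returns 1 and exports nothing if either is missing.
prepare_build_env() {
    dir=$1
    if [ ! -d "$dir/lib" ] || [ ! -d "$dir/include" ]; then
        echo "prepare_build_env: $dir does not contain lib/ and include/" >&2
        return 1
    fi
    LDFLAGS="-L$dir/lib"
    CPPFLAGS="-I$dir/include"
    LD_LIBRARY_PATH="$dir/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    export LDFLAGS CPPFLAGS LD_LIBRARY_PATH
    return 0
}

# ensure_ldso_entry CONF LIBDIR
#   Appends LIBDIR to the ld.so.conf file CONF unless it is already listed
#   (slide 9). Prints "added" or "present"; after "added" run ldconfig -v.
ensure_ldso_entry() {
    conf=$1
    libdir=$2
    if grep -qx "$libdir" "$conf" 2>/dev/null; then
        echo present
    else
        echo "$libdir" >> "$conf"
        echo added
    fi
}

# Stand-alone demonstration on a constructed layout in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Berkeley4.2/lib" "$tmp/Berkeley4.2/include"
    prepare_build_env "$tmp/Berkeley4.2" && echo "LDFLAGS=$LDFLAGS CPPFLAGS=$CPPFLAGS"
    ensure_ldso_entry "$tmp/ld.so.conf" "$tmp/Berkeley4.2/lib"   # first call: added
    ensure_ldso_entry "$tmp/ld.so.conf" "$tmp/Berkeley4.2/lib"   # second call: present
    prepare_build_env "$tmp/not-installed" || echo "configure would not find Berkeley DB here"
    rm -rf "$tmp"
}

demo
```

Source the functions before running ./configure so the exported flags are in the same shell; the second `ensure_ldso_entry` call shows why the grep guard matters, since re-running a build script otherwise keeps appending duplicate lines to /etc/ld.so.conf.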

  13. What is Installed?
     • Servers
     • Client utilities
     • Developer libraries

  14. Servers

  15. Client Utilities

  16. Client Utilities

  17. Developer Libraries

  18. Configuration Files
     • Configuration files are located in /etc/openldap
     • slapd.conf: configuration for the LDAP server
     • ldap.conf: configuration for the LDAP client utilities
     • schema directory: contains the schema for the LDAP server

  19. slapd.conf
     #
     # See slapd.conf(5) for details on configuration options.
     # This file should NOT be world readable.
     #
     include /etc/openldap/schema/core.schema
     # Define global ACLs to disable default read access.
     # Do not enable referrals until AFTER you have a working directory
     # service AND an understanding of referrals.
     #referral ldap://root.openldap.org
     loglevel 296
     pidfile /var/run/slapd.pid
     argsfile /var/run/slapd.args
     # Load dynamic backend modules:
     # modulepath /usr/local/libexec/modules
     # moduleload back_bdb.la
     # moduleload back_ldap.la
     # moduleload back_ldbm.la
     # moduleload back_passwd.la
     # moduleload back_shell.la

  20. Include Directive
     • The "include" section lists the schema files that should be included
     • If you extend the schema for OpenLDAP, add the path to your schema file in the include section
       include /etc/openldap/schema/my.schema
     • By default core.schema is the only schema included; the administrator should probably add more
     • Recommended additions:
       include /etc/openldap/schema/cosine.schema
       include /etc/openldap/schema/inetorgperson.schema
       include /etc/openldap/schema/nis.schema

  21. Loglevel Directive
     • You might need to add "loglevel"
     • Add levels together to achieve the desired log
     • Example: 8 + 32 + 256 = 296
     • See the table on the next slide for log levels and descriptions

  22. Loglevel Table

  23. slapd Logging
     • slapd logs through syslog at the LOG_LOCAL4 facility
     • Add the following to /etc/syslog.conf
       local4.*    /var/log/slapd.log
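Slides 21-23 describe loglevel as a sum of bit values but the table itself did not survive in this transcript. The script below is an added example for these notes, not code from the slides or from OpenLDAP: it decodes a loglevel integer such as the 296 used in the sample slapd.conf back into its component bits and sums named levels into a value. The bit values follow the loglevel table in slapd.conf(5) for OpenLDAP 2.2; the short names in the table are my own labels (an assumption), not keywords slapd accepts.

```shell
#!/bin/sh
# Added example (not from the slides): encode and decode slapd "loglevel" values.
# Bit values per slapd.conf(5) for OpenLDAP 2.2; the short names are labels
# chosen here (assumption), not slapd keywords.
LOGLEVEL_TABLE='1 trace
2 packets
4 args
8 conns
16 ber
32 filter
64 config
128 acl
256 stats
512 stats2
1024 shell
2048 parse'

# decode_loglevel N: prints the bit values that make up N, lowest first.
decode_loglevel() {
    n=$1
    out=""
    for bit in 1 2 4 8 16 32 64 128 256 512 1024 2048; do
        if [ $(( n & bit )) -ne 0 ]; then
            out="$out${out:+ }$bit"
        fi
    done
    echo "$out"
}

# describe_loglevel N: prints "bit name" for every bit set in N.
# Uses int(n/bit) % 2 because POSIX awk has no bitwise operators.
describe_loglevel() {
    echo "$LOGLEVEL_TABLE" | awk -v n="$1" 'int(n / $1) % 2 == 1 { print $1, $2 }'
}

# encode_loglevel NAME...: sums the bits for the named levels; returns 1 on an
# unknown name so a typo does not silently produce a smaller value.
encode_loglevel() {
    total=0
    for want in "$@"; do
        bit=$(echo "$LOGLEVEL_TABLE" | awk -v w="$want" '$2 == w { print $1 }')
        if [ -z "$bit" ]; then
            echo "encode_loglevel: unknown level name: $want" >&2
            return 1
        fi
        total=$(( total + bit ))
    done
    echo "$total"
}

# Stand-alone demonstration using the value from the sample slapd.conf.
echo "loglevel 296 is made of bits: $(decode_loglevel 296)"
describe_loglevel 296
echo "conns+filter+stats encodes to: $(encode_loglevel conns filter stats)"
```

`decode_loglevel 296` prints `8 32 256`, i.e. connection management, search filter processing and the stats log, which is what slide 21's sum 8 + 32 + 256 selects.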

  24. Modules Directive
     • The "modules" section allows the LDAP server to talk to different backends or databases
     • Examples: UNIX flat files, Perl, Monitor
     • The Berkeley DB module line does not necessarily have to be uncommented
     • If you plan to use Monitor, then you need to add the directive
       moduleload back_monitor.la
     • Make sure you uncomment the first line (modulepath, the path to the module directory)!!!

  25. slapd.conf Cont.
     # Sample security restrictions
     # Require integrity protection (prevent hijacking)
     # Require 112-bit (3DES or better) encryption for updates
     # Require 63-bit encryption for simple bind
     # security ssf=1 update_ssf=112 simple_bind=64
     # Sample access control policy:
     # Root DSE: allow anyone to read it
     # Subschema (sub)entry DSE: allow anyone to read it
     # Other DSEs:
     # Allow self write access
     # Allow authenticated users read access
     # Allow anonymous users to authenticate
     # Directives needed to implement policy:
     # access to dn.base="" by * read
     # access to dn.base="cn=Subschema" by * read
     # access to *
     # by self write
     # by users read
     # by anonymous auth
     #
     # if no access controls are present, the default policy
     # allows anyone and everyone to read anything but restricts
     # updates to rootdn. (e.g., "access to * by * read")
     #
     # rootdn can always read and write EVERYTHING!

  26. Access Control Lists
     • What
       • Regular expressions are used to define what can be accessed
       • access to dn.[targetstyle]=[regex]
       • targetstyle defines how far below the ACL applies (can be subtree, base, one, or nothing)
       • regex is the DN of the container you wish to control

  27. Access Control Lists
     • Sample "What"s
       access to dn.base="cn=Subschema"
       access to dn=".*,dc=uvsc,dc=edu"
       access to dn.one="dc=uvsc,dc=edu"

  28. Access Control Lists
     • Who
       • Defines who can perform what operation in the defined context
       • by [who] [operation]
       • [who] defines who exactly can perform the operation (*, self, anonymous, users, [regex that matches a DN])
       • [operation] defines what the defined user can do (read, write, search, compare, auth, none)

  29. Access Control Lists
     • Sample "Who"s
       by * auth
       by self write
       by * read
       by dn=".*,ou=class,dc=uvsc,dc=edu"

  30. Access Control Lists
     access to attrs=userPassword
         by self write
         by * auth
     access to dn.subtree="cn=monitor"
         by dn.exact="cn=Manager,dc=uvsc,dc=edu" write
         by dn.subtree="dc=uvsc,dc=edu" read
         by * read
     access to *
         by self write
         by * read
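The ordering on slide 30 is not cosmetic: slapd evaluates `access to` clauses in the order they appear and applies the first one whose target matches, so a catch-all `access to *` placed first would shadow the userPassword clause and hand out the default `by * read` on password hashes. The script below is an added example for these notes, not part of the slides or of OpenLDAP: a small awk lint pass over an ACL fragment that reports clauses made unreachable by an earlier `access to *` and userPassword clauses granting read or write to `*`, `users` or `anonymous`. The three sample fragments (under the assumed dc=example,dc=com suffix) are constructed for the demonstration; the checker expects one `access to` or `by` per line, as on the slide.

```shell
#!/bin/sh
# Added example (not from the slides): lint the "access to" clauses of an
# slapd.conf fragment. slapd applies the first clause whose target matches,
# so anything after a catch-all "access to *" is never consulted.

# Constructed sample fragments (assumed suffix dc=example,dc=com).
ACL_OK='access to attrs=userPassword
    by self write
    by * auth
access to dn.subtree="cn=monitor"
    by dn.exact="cn=Manager,dc=example,dc=com" write
    by * read
access to *
    by self write
    by * read'

ACL_SHADOWED='access to *
    by self write
    by * read
access to attrs=userPassword
    by self write
    by * auth'

ACL_LEAKY='access to attrs=userPassword
    by self write
    by users read
access to *
    by * read'

# lint_acl: reads ACL text on stdin, prints one finding per line,
# exits 1 if anything was found and 0 otherwise.
lint_acl() {
    awk '
        # Start of a clause: record its number and target, and flag it if a
        # catch-all clause already precedes it.
        /^[[:space:]]*access[[:space:]]+to([[:space:]]|$)/ {
            clause++
            target = $3
            if (catchall) {
                printf "clause %d (%s) is unreachable: it follows a catch-all access to *\n", clause, target
                findings++
            }
            if (target == "*") catchall = 1
            next
        }
        # A "by" line inside a userPassword clause: read/write for anyone but
        # self exposes or lets others replace password hashes.
        /^[[:space:]]*by[[:space:]]/ && target ~ /userPassword/ {
            who = $2; op = $3
            if ((who == "*" || who == "users" || who == "anonymous") && (op == "read" || op == "write")) {
                printf "clause %d: userPassword is %s-able by \"%s\"; use \"by %s auth\" instead\n", clause, op, who, who
                findings++
            }
        }
        END { exit findings ? 1 : 0 }
    '
}

# Stand-alone demonstration over the three constructed fragments.
echo "== ACL_OK";       printf '%s\n' "$ACL_OK"       | lint_acl && echo "no findings"
echo "== ACL_SHADOWED"; printf '%s\n' "$ACL_SHADOWED" | lint_acl || true
echo "== ACL_LEAKY";    printf '%s\n' "$ACL_LEAKY"    | lint_acl || true
```

Run it against the access block of a real slapd.conf with `sed -n '/^access/,/^database/p' slapd.conf | lint_acl` before restarting slapd; a non-zero exit means at least one clause is either dead or lets non-owners read password hashes.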

  31. slapd.conf Cont.
     #######################################################################
     # BDB database definitions
     #######################################################################
     database bdb
     suffix "dc=my-domain,dc=com"
     rootdn "cn=Manager,dc=my-domain,dc=com"
     # Cleartext passwords, especially for the rootdn, should
     # be avoided. See slappasswd(8) and slapd.conf(5) for details.
     # Use of strong authentication encouraged.
     rootpw secret
     # The database directory MUST exist prior to running slapd AND
     # should only be accessible by the slapd and slap tools.
     # Mode 700 recommended.
     directory /var/db/openldap-data
     # Indices to maintain
     index objectClass eq

  32. Database Directive
     • Berkeley DB is usually defined for you
       database bdb
     • Suffix
       • Defines your directory domain; should be unique
     • Rootdn
       • Defines the "super user" for your LDAP server
       • Usually "cn=Manager," + the suffix
     • Rootpw
       • Use /usr/local/sbin/slappasswd to generate the password
       • Include everything returned!!
       • Example: {SSHA}hwQhVL4hfn4p4HXvlgwOf1lFF/tppU6R

  33. Database Directive
     • For Monitor support
       database monitor

  34. Resources
     • LDAP System Administration, O'Reilly and Associates, Gerald Carter
     • OpenLDAP website: http://www.openldap.org
