
OpenLDAP Directory Administration OpenLDAP



Presentation Transcript


  1. OpenLDAP Directory Administration

  2. Table of Contents
     • Obtaining the OpenLDAP Distribution
     • Software Requirements
     • Compiling OpenLDAP 2
     • OpenLDAP Clients and Servers
     • The slapd.conf Configuration File
     • Access Control Lists (ACLs)


  4. Obtaining the OpenLDAP Distribution
     • OpenLDAP?
     • Popular, open source LDAPv3-compliant server
     • Attractive for several reasons:
       • Source code is available for download
       • Compliant with the core LDAPv3 specifications
       • Available on multiple platforms, including Linux, Solaris, Mac OS 10.2, and Windows
       • Continuation of the original University of Michigan LDAP server
     • Compiling OpenLDAP = lots of dependencies
     • Try to obtain binary packages (e.g. http://www.symas.com/ for Solaris & HP/UX)
     • Source code: http://www.openldap.org/


  6. Software Requirements
     • The OpenLDAP server requires several external software packages:
       • Support for POSIX threads (either from the OS or from an external library). It is possible to compile OpenLDAP without thread support, but slurpd requires it
       • SSL/TLS libraries, such as OpenSSL: http://www.openssl.org/
       • A database manager library that supports DBM-type storage facilities
         • Current library of choice is BerkeleyDB 4.1: http://www.sleepycat.com/
         • ldbm can also be used: http://www.fsf.org/
       • Release 2.1 of the SASL libraries from Carnegie Mellon University: http://asg.web.cmu.edu/sasl/sasl-library.html


  8. Compiling OpenLDAP
     • Compiling (after untarring the source):
         ./configure --enable-wrappers    (enables support for TCP wrappers)
         make depend
         make
         make test
         make install
     • Things to check when encountering problems:
       • (if your system supports it) Use the ldd tool to verify that the binaries (e.g. slapd) have been linked against the correct libraries
       • Change /etc/ld.so.conf and run ldconfig -v, or set LD_LIBRARY_PATH
       • Verify that DNS is configured correctly (reverse DNS!)
       • Verify network connectivity


  10. OpenLDAP Clients and Servers


  12. The slapd.conf Configuration File
     • Central source of configuration information
     • Used by slapd, slurpd, and related tools such as slapcat and slapadd
     • Tools like ldapmodify and ldapsearch use ldap.conf (not slapd.conf) for their default settings
     • Can be broken into two sections:
       • Parameters that affect the overall behavior of the servers
       • Parameters that relate to a specific database backend used by the slapd daemon

  13. The slapd.conf Configuration File: Schema Files
     include /etc/ldap/schema/...
       corba.schema          Schema for storing CORBA objects in LDAP (RFC 2714)
       core.schema           OpenLDAP required core schema: basic LDAPv3 attributes and object classes described in RFCs 2251-2256
       cosine.schema         For supporting COSINE and X.500 directory pilots (RFC 1274)
       inetorgperson.schema  Defines the inetOrgPerson object class and its attributes (RFC 2798)
       java.schema           For storing Java objects (RFC 2713)
       misc.schema           Miscellaneous objects (e.g. LDAP-based mail routing with sendmail)
       nis.schema            Attributes and objects necessary for using LDAP+NIS (RFC 2307)
       openldap.schema       Miscellaneous objects used by the OpenLDAP project

  14. The slapd.conf Configuration File: Logging
         loglevel 296
         pidfile  /var/run/slapd.pid
         argsfile /var/run/slapd.args
     • loglevel is a set of bit flags that should be OR'ed together

  15. The slapd.conf Configuration File: SASL Options
     • SASL is not needed if only simple binds will be used
     • However, it is often useful to allow a combination of simple binds and SASL mechanisms for user connections, e.g.:
       • Normal users can do lookups via a simple bind
       • Administrators must authenticate via SASL
     • slapd.conf has three SASL-related global options:
       • sasl-host hostname
       • sasl-realm string
       • sasl-secprops properties
     • sasl-host and sasl-realm are respectively the FQDN and the SASL domain used for authentication. Use sasldblistusers to dump the /etc/sasldb database
     • sasl-secprops allows you to define conditions that affect SASL security properties (see next slide)

  16. The slapd.conf Configuration File: SASL Options (cont.)
     • sasl-secprops parameter values and descriptions:

  17. The slapd.conf Configuration File: SASL Options (cont.)
     • Various cyrus-sasl plugins:

  18. The slapd.conf Configuration File: SASL Options (cont.)
     • If you had this in slapd.conf:
         ## No PLAIN or ANONYMOUS mechanisms; use DES encryption
         sasl-secprops noplain,noanonymous,minssf=56
     • the following mechanisms for authentication would be allowed:
       • DIGEST-MD5
       • GSSAPI
       • KERBEROS_4

  19. The slapd.conf Configuration File: SSL/TLS Options
     • Parameters:
         TLSCipherSuite        cipher-suite-specification
         TLSCertificateFile    filename
         TLSCertificateKeyFile filename

  20. The slapd.conf Configuration File: Serving Up Data
     • After the global section: one or more database sections, each defining a directory partition
     • database directive, possible values:
       • bdb: BerkeleyDB 4 database manager; makes extensive use of indexing and caching; recommended OpenLDAP backend
       • ldbm: GNU Database Manager or Sleepycat BerkeleyDB; older implementation
       • passwd: Quick and dirty means of providing a directory interface to the system passwd file
       • shell: Allows the use of alternative (external) databases

  21. The slapd.conf Configuration File: Serving Up Data (cont.)
     • Example:
         # Begin a new database section
         database bdb
         # Define the root suffix you serve
         suffix "dc=plainjoe,dc=org"
         # Define root DN for superuser privileges
         rootdn "cn=Manager,dc=plainjoe,dc=org"
         # Define root DN's password: salted secure hash of 'secret'
         rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
         # Directory containing the database files
         directory /var/ldap/plainjoe.org
         # Files should be created rw for the owner *only*
         mode 0600
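An added example, not from the presentation or the OpenLDAP project: a small reader for slapd.conf in the two-section layout described on slide 12, plus the checks a practitioner would run against a database section for the two points slide 21 stresses, a hashed rootpw and owner-only file mode. The sample configuration is constructed from the slides' own values (with straight quotes), and the cleartext and mode criteria are this example's own.

```python
import re

SAMPLE_CONF = """\
include   /etc/ldap/schema/core.schema
include   /etc/ldap/schema/cosine.schema
loglevel  296
pidfile   /var/run/slapd.pid
argsfile  /var/run/slapd.args
database  bdb
suffix    "dc=plainjoe,dc=org"
rootdn    "cn=Manager,dc=plainjoe,dc=org"
rootpw    {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
directory /var/ldap/plainjoe.org
mode      0600
"""  # constructed sample in the layout of slides 13, 14 and 21 (straight quotes)

def parse_slapd_conf(text):
    # Everything before the first "database" line is global; each "database"
    # line opens a new section. Repeated directives (include, ...) become lists.
    globs, dbs, section = {}, [], None
    for line in text.splitlines():
        line = line.expandtabs().strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip().strip('"')
        if key == "database":
            section = {"database": value}
            dbs.append(section)
            continue
        target = globs if section is None else section
        if key in target:
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    return globs, dbs

def lint_database(db):
    # The two security-relevant lines of slide 21: rootpw must be a {SCHEME}
    # hash, and mode must not grant group/other access (0600 is slapd's default).
    problems = []
    pw = db.get("rootpw", "")
    if pw and not re.match(r"\{[A-Z0-9-]+\}", pw):
        problems.append("rootpw is cleartext; store a {SSHA} hash instead")
    mode = int(db.get("mode", "0600"), 8)
    if mode & 0o077:
        problems.append("mode %04o lets group/other access the database files" % mode)
    return problems
```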


  23. Access Control Lists
     • OpenLDAP ACLs are simple in syntax, yet very flexible and powerful
     • Basic idea: WHO has ACCESS to WHAT?

  24. Access Control Lists (cont.): WHO has ACCESS to WHAT?
     WHO can be:
       *                   Any connected user, including anonymous connections
       self                DN of the currently connected user
       anonymous           Non-authenticated user connections
       users               Authenticated user connections
       Regular expression  Matches a DN or a SASL identity
     Note: the login name can be a DN (dn="cn=gerald carter,ou=people,dc=plainjoe,dc=org") or a SASL identity (dn="uid=jerry,cn=gssapi,cn=auth")

  25. Access Control Lists (cont.): WHO has ACCESS to WHAT? (cont.)
     ACCESS can be:
       write    Access to update attribute values
       read     Access to read search results (e.g. show all entries with a telephoneNumber of 555*)
       search   Access to apply search filters (e.g. are there any entries with a telephoneNumber of 555*)
       compare  Access to compare attributes
       auth     Access to bind (authenticate); requires that the client send a username (DN) and some type of credentials
       none     No access

  26. Access Control Lists (cont.): WHO has ACCESS to WHAT? (cont.)
     WHAT can be:
       • A regular expression defining the DN of the proposed target of the ACL
         Syntax is dn.targetstyle=regex where:
         • targetstyle is one of base, subtree, one, or children
         • regex is a regular expression representing a DN
         targetstyle is used to broaden or narrow the scope (default subtree)
       • An LDAP search filter that conforms to RFC 2254
         Syntax is filter=ldapFilter
       • A comma-separated list of attribute names
         Syntax is attrs=attributeList

  27. Access Control Lists (cont.): Examples
     • Simple ACL granting read access to the world:
         access to * by * read
     • Restrict access to the userPassword attribute:
         access to attrs=userPassword by * auth
     • A user should be allowed to modify her own password:
         access to attrs=userPassword by self write by * auth

  28. Access Control Lists (cont.): Examples (cont.)
     • ACLs are evaluated on a first-match-wins basis: more restrictive ACLs should be listed prior to more general ones
     • e.g.:
         access to attrs=userPassword by * auth
         access to attrs=userPassword by self write by * auth
     • better:
         access to attrs=userPassword by self write by * auth
         access to attrs=userPassword by * auth

  29. Access Control Lists (cont.): Examples (cont.)
     • Assume:
       • Administrative accounts are located beneath the DN ou=admins,ou=eng,dc=plainjoe,dc=org
       • Normal user accounts are located beneath ou=users,ou=eng,dc=plainjoe,dc=org
       • Normal users should not be allowed to see other users' passwords
       • A user should be able to modify his password
       • Admin users should be able to modify any user's password
     • Gives:
         access to dn=".*,ou=eng,dc=plainjoe,dc=org" attrs=userPassword
             by self write
             by * auth
             by dn=".*,ou=admins,ou=eng,dc=plainjoe,dc=org" write

  30. Access Control Lists (cont.): Examples (cont.)
     • This example:
         access to dn=".*,ou=eng,dc=plainjoe,dc=org" attrs=userPassword
             by self write
             by * auth
             by dn=".*,ou=admins,ou=eng,dc=plainjoe,dc=org" write
     • Can also be written as:
         access to dn.children="ou=eng,dc=plainjoe,dc=org" attrs=userPassword
             by self write
             by * auth
             by dn.children="ou=admins,ou=eng,dc=plainjoe,dc=org" write
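The ACL evaluation of slides 23 to 30, modelled in Python as an added example (not from the presentation or from OpenLDAP's own code; the sample DNs are constructed, and what happens when no directive matches at all is a simplifying assumption). First-match-wins applies not only across access directives, as slide 28 notes, but also to the by clauses inside one directive: slapd stops at the first by clause that matches the requester. Run against slide 29's policy, the model shows the consequence: with `by * auth` listed before the admin clause, an admin changing another user's password is capped at auth, and only moving the admin clause ahead of the catch-all grants the intended write.

```python
import re

# Access levels in ascending order; each level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def dn_selector(sel, dn):
    # "*": any DN; dn.children=<base>: strictly below base; dn=<regex>: whole DN.
    if sel == "*":
        return True
    if sel.startswith("dn.children="):
        return dn.endswith("," + sel[len("dn.children="):].lower())
    return re.fullmatch(sel[len("dn="):], dn, re.I) is not None

def who_matches(who, requester, target):
    # requester == "" models an anonymous bind.
    if who in ("anonymous", "users"):       # unbound vs. bound requester
        return (requester != "") == (who == "users")
    if who == "self":
        return requester != "" and requester == target
    return dn_selector(who, requester)      # "*", dn=..., dn.children=...

def granted(acls, requester, target, attr=None):
    # First directive whose <what> matches wins; inside it the first matching <by>
    # fixes the level, else none. No directive: none (assumption; slapd's fallback is configurable).
    requester, target = requester.lower(), target.lower()
    for acl in acls:
        attrs = acl.get("attrs")
        if dn_selector(acl.get("to", "*"), target) and (
                not attrs or (attr or "").lower() in attrs):
            for who, level in acl["by"]:
                if who_matches(who, requester, target):
                    return level
            return "none"
    return "none"

def allowed(acls, requester, target, attr, op):
    return LEVELS.index(granted(acls, requester, target, attr)) >= LEVELS.index(op)

ENG = "ou=eng,dc=plainjoe,dc=org"          # constructed sample DNs in the slides' tree
ADMIN, BOB = "cn=alice,ou=admins," + ENG, "cn=bob,ou=users," + ENG
SLIDE_ORDER = [  # slide 29 as written: the admin clause sits after "by * auth"
    {"to": "dn=.*," + ENG, "attrs": {"userpassword"},
     "by": [("self", "write"), ("*", "auth"), ("dn=.*,ou=admins," + ENG, "write")]},
    {"to": "*", "by": [("*", "read")]},
]
FIXED_ORDER = [  # slide 30's dn.children form, admin clause moved ahead of "by *"
    {"to": "dn.children=" + ENG, "attrs": {"userpassword"},
     "by": [("self", "write"), ("dn.children=ou=admins," + ENG, "write"), ("*", "auth")]},
    {"to": "*", "by": [("*", "read")]},
]
```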
