OpenLDAP Directory Administration OpenLDAP: Building a Company White Pages


Table of Contents

● A Starting Point

● Defining the Schema

● Updating slapd.conf

● Starting slapd

● Adding the Initial Directory Entries

● Graphical Editors


A Starting Point

● From previous chapter:

    # Global section

    # include minimum schema required
    include /etc/ldap/schema/core.schema

    # Added logging parameters
    loglevel 296
    pidfile /var/run/slapd.pid
    argsfile /var/run/slapd.args

    # TLS options for slapd
    TLSCipherSuite HIGH
    TLSCertificateFile /etc/ldap/slapd-cert.pem
    TLSCertificateKeyFile /etc/ldap/slapd-key.pem

    # Misc settings
    password-hash {SSHA}

    # Example database
    database bdb
    ... (continued) ...

A Starting Point (cont.)

    ... (continued) ...
    # Define the root suffix you serve
    suffix "dc=plainjoe,dc=org"

    # Define a root DN for superuser privileges
    rootdn "cn=Manager,dc=plainjoe,dc=org"

    # Define password used with rootdn ("secret")
    rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy

    # Directory containing database files
    directory /var/ldap/plainjoe.org

    # Files should be created rw for the owner **only**
    mode 600

    # Indexes to maintain
    index objectClass eq
    index cn pres,eq

    # DB Tuning parameters
    cachesize 2000

    # Simple ACL
    access to *
        by * read
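The simple ACL above gives every client, anonymous ones included, read access to every attribute, and the person object class used in the following slides allows userPassword. The Python check below is an added example (not part of the slides or of OpenLDAP): it evaluates slapd.conf access directives in slapd's order, first matching directive and then first matching by clause, to report what an anonymous client can read. PASSWORD_RULE and the two ACLs built from it are constructed samples, the function names are hypothetical, and only the `*` and `attrs=` selectors and the `*`, anonymous, self and users subjects are handled.

```python
import re

# Access levels from weakest to strongest, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL from the slides' slapd.conf.
PAGE_ACL = """\
access to *
    by * read
"""
# Constructed rule: userPassword usable for binds, writable by its owner, not readable.
PASSWORD_RULE = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
"""
HARDENED_ACL = PASSWORD_RULE + PAGE_ACL     # specific rule first
MISORDERED_ACL = PAGE_ACL + PASSWORD_RULE   # constructed mistake: rule is never reached


def logical_lines(text):
    """Unwrap continuation lines (leading whitespace), then drop comments."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    return [line for line in joined if not line.startswith("#")]


def parse_acls(text):
    """Return [(what_tokens, [(who, level), ...]), ...] in file order."""
    acls = []
    for line in logical_lines(text):
        head, *by_parts = re.split(r"\s+by\s+", line)
        words = head.split()
        if [w.lower() for w in words[:2]] != ["access", "to"]:
            continue
        clauses = [tuple(part.split()[:2]) for part in by_parts]
        acls.append((words[2:], clauses))
    return acls


def anonymous_access(conf_text, attr):
    """Access level an unauthenticated client gets on attr (first match wins)."""
    acls = parse_acls(conf_text)
    if not acls:
        return "read"      # slapd's default policy when no ACL is configured
    for what, clauses in acls:
        m = re.fullmatch(r"attrs?=(.+)", what[0], re.I) if len(what) == 1 else None
        if what != ["*"] and not m:
            raise ValueError("unsupported <what>: " + " ".join(what))
        if m and attr.lower() not in m.group(1).lower().split(","):
            continue
        for who, level in clauses:
            if who in ("*", "anonymous"):
                if level not in LEVELS:
                    raise ValueError("unsupported access level: " + level)
                return level
            if who not in ("self", "users"):
                raise ValueError("unsupported <who>: " + who)
        return "none"      # no <who> matched: implicit "by * none"
    return "none"          # no directive matched: implicit deny


def exposes_to_anonymous(conf_text, attr="userPassword"):
    """True when an anonymous client can read the attribute's values."""
    return LEVELS.index(anonymous_access(conf_text, attr)) >= LEVELS.index("read")
```

With the constructed rule placed first, anonymous clients can still bind against userPassword but can no longer read it; placed after `access to *`, the rule has no effect.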


Defining the Schema

● The first step in implementing a directory is determining what information to store in the directory

● If you use standard schemas = widely supported by vendors

● inetOrgPerson schema (RFC 2798) in OpenLDAP's inetorgperson.schema file

– Is a descendant of organizationalPerson, which was itself derived from the person object class

– The only required attributes for this object are cn and sn

Defining the Schema (cont.)

objectClass: person

– required attributes: cn, sn

– optional attributes: userPassword, telephoneNumber, seeAlso, description

objectClass: organizationalPerson (parent: person)

– optional attributes: title, facsimileTelephoneNumber, x121Address, street, registeredAddress, postOfficeBox, destinationIndicator, postalCode, preferredDeliveryMethod, postalAddress, telexNumber, physicalDeliveryOfficeName, teletexTerminalIdentifier, ou, telephoneNumber, st, internationaliSDNNumber, l

objectClass: inetOrgPerson (parent: organizationalPerson)

– optional attributes: audio, manager, businessCategory, mobile, carLicense, o, departmentNumber, pager, displayName, photo, employeeNumber, roomNumber, employeeType, secretary, givenName, uid, homePhone, userCertificate, homePostalAddress, x500uniqueIdentifier, initials, preferredLanguage, jpegPhoto, userSMIMECertificate, labeledURI, userPKCS12, mail

Defining the Schema (cont.)

● The directory will use the cn attribute as the RDN for each entry

● Reduce name collisions?

– Group employees in some type of logical container

– We will use the ou=people container

● Example LDIF file:

    dn: cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
    objectClass: inetOrgPerson
    cn: Gerald W. Carter
    sn: Carter
    mail: [email protected]
    mail: [email protected]
    labeledURI: http://www.plainjoe.org/
    roomNumber: 1234 Dudley Hall
    departmentNumber: Engineering
    telephoneNumber: 222-555-2345
    pager: 222-555-6789
    mobile: 222-555-1011

Defining the Schema (cont.)

Deep/narrow or wide/shallow directory?

– Depends on two factors:

● How likely is it for a change to force an entry (a person) to be moved from one organizational unit to another?

– Deeper directory trees = an entry must meet more requirements

● Does the implementation of your LDAP directory server favor one design over another?

– For OpenLDAP, the answer depends on the needs

– Number of writes?

– slapd requires a lock on the parent entry for the requesting client

– Deeper tree = searches can be made more efficient by giving a more detailed search base

– Read “Understanding and Deploying LDAP Directory Services” (MacMillan Technical Press)


Updating slapd.conf

● Modify slapd.conf to select the supported attribute types and object classes:

    # Global section

    # Minimum schema required
    include /etc/ldap/schema/core.schema

    # inetOrgPerson object
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/inetorgperson.schema

● To better support searches, modify the set of indexes to include a more complete list of attributes:

    # Indexes to maintain
    index objectClass eq
    index cn,sn,mail eq,sub
    index departmentNumber eq

– eq,sub = equality and substring matching


Starting slapd

● Generally:

    # /path/to/slapd

● Check with “ps -ef”, or use an init.d script!

● Command-line options:

-d integer (specifies log level (to console))

-f filename (specifies config file)

-h URI_list (URIs that LDAP server should serve, eg. ldap://)

-l syslog-local-user (specifies local user of syslog facility)

-n name (Defines service name to use when logging)

-r directory (Specifies a chroot() jail directory)

-s syslog-level (Defines syslog level other than default)

-u username/-g groupname (Effective UID/GID for slapd)


Adding the Initial Directory Entries

● Two ways to add information to directory

– slapadd & other slap* commands: work directly with database, don't interact with slapd at all!

● slapadd, slapcat, slapindex, slappasswd

● Much faster!

● Must be run locally on server (for version 2.0 or lower, slapd must not be running)

● Good for getting server online

– Number of tools, like ldapmodify, distributed with OpenLDAP, to update a live directory

● More flexible, allow greater control

● Day-to-day administration

Adding the Initial Directory Entries (cont.)

● slapadd command-line arguments:

Option    Description

-c    Continues processing input in the event of errors

-b suffix, -n integer    Specify which database in the configuration file to use by the directory's suffix (-b) or by its location (-n) in the slapd.conf file (first database is labeled 0); these options are mutually exclusive

-d integer    Specifies which debugging information to log. See the loglevel parameter in slapd.conf for a listing of log levels

-f filename    Specifies which configuration file to read

-l filename    Specifies the LDIF file to use for input. In the absence of this option, slapadd reads data from standard input

-v    Enables verbose mode. In this mode, slapd prints some additional messages on standard output

● slapcat dumps the contents of an entire directory (including persistent operational attributes such as modifyTimestamp) in LDIF format

– Identical command-line options, except -l specifies an output file

– LDIF format = most portable format

Adding the Initial Directory Entries (cont.)

● slapindex can regenerate indexes for a bdb backend (the -l option isn't used)

● Example of slapadd command:

    # slapadd -v -l /tmp/top.ldif
    added: "dc=plainjoe,dc=org" (00000001)
    added: "ou=people,dc=plainjoe,dc=org" (00000002)


Adding the Initial Directory Entries (cont.)

Verifying the Directory's Contents

– (after bringing the directory online)

– Use ldapsearch to query the directory

● In its simplest form, a query requires

– LDAP server's hostname or IP address

– The credentials (user DN and password)

– Search base in the form of a DN

– The scope of a directory search

– A search filter

– A list of attributes to return

Adding the Initial Directory Entries (cont.)

Verifying the Directory's Contents (cont.)

– Example: (“show me everything” search)

    $ ldapsearch -x -b "dc=plainjoe,dc=org" "(objectclass=*)"
    version: 2

    # filter: (objectclass=*)
    # requesting: ALL
    #

    # plainjoe,dc=org
    dn: dc=plainjoe,dc=org
    dc: plainjoe.org
    objectClass: organizationalUnit
    ou: Plainjoe Dot Org

    # people,dc=plainjoe,dc=org
    dn: ou=people,dc=plainjoe,dc=org
    ou: people
    objectClass: organizationalUnit

    # Search result
    search: 2
    result: 0 Success

    # numResponses: 3
    # numEntries: 2

– -x: “simple bind” (no SASL)

– -b: defines DN as search base suffix

– “(objectclass=*)”: search filter

– ldapsearch binds to localhost if server isn't specified (-h option)

– no authentication required

– default search scope: all entries

– by default, all non-operational attributes are returned

Adding the Initial Directory Entries (cont.)

Verifying the Directory's Contents (cont.)

Command-line options common to ldapsearch, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn

Option    Description

-d integer    Specifies what debugging information to log (see the loglevel slapd.conf parameter for a listing of log levels)

-D binddn    Specifies the DN to use for binding to the LDAP server

-e [!]ctrl[=ctrlparam]    Defines an LDAP control to be used on the current operation. See also the -M option for the ManageDSAit control

-f filename    Specifies the file containing the LDIF entries to be used in the operations

-H URI    Defines the LDAP URI to be used in the connection request

-I    Enables the SASL “interactive” mode. By default, the client prompts for information only when necessary

-k    Enables Kerberos 4 authentication

-K    Enables only the first step of the Kerberos 4 bind for authentication

-M, -MM    Enable the Manage DSA IT control. This option is necessary when modifying an entry that is a referral or an alias. -MM requires that the Manage DSA IT control be supported by the server

-n    Does not perform the search, just displays what would be done

-O security_properties    Defines the SASL security properties for authentication. See previous information on the sasl-secprops parameter in slapd.conf

Adding the Initial Directory Entries (cont.)

Verifying the Directory's Contents (cont.)

Command-line options common to ldapsearch, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn (cont.)

Option    Description

-P [2|3]    Defines which protocol version to use in the connection (Version 2 or 3). Default is LDAPv3

-Q    Suppresses SASL-related messages such as the authentication mechanism used, username, and realm

-R sasl_realm    Defines the realm to be used by the SASL authentication mechanism

-U username    Defines the username to be used by the SASL authentication mechanism

-v    Enables verbose mode

-w password    Specifies the password to be used for authentication

-W    Instructs the client to prompt for the password

-x    Enables simple authentication. The default is to use SASL authentication

-X id    Defines the SASL authorization identity. The identity has the form dn:dn or u:user. The default is to use the same authorization entity as the authenticated user

-y passwordfile    Instructs the ldap tool to read the password for a simple bind from the given

-Y sasl_mechanism    Instructs the client as to which SASL mechanism should be used. The bind request will fail if the server does not support the chosen mechanism

-Z, -ZZ    Issue a StartTLS request. Use of -ZZ makes the support of this request mandatory for a successful connection

Adding the Initial Directory Entries (cont.)

Verifying the Directory's Contents (cont.)

Command-line options specific to ldapsearch

Option    Description

-a [never|always|search|find]    Specifies how to handle aliases when located during a search. Possible values include never (the default), always, search, and find

-A    For any entries found, returns the attribute names but not their values

-b basedn    Defines the base DN for the directory search

-F prefix    Defines the URL prefix for filenames. The default is to use the value stored in $LDAP_FILE_URI_PREFIX

-l limit    Defines a time limit (in seconds) for the server in the search

-L, -LL, -LLL    Print the resulting output in LDIFv1 format. -LL causes the result to be printed in LDIF format without comments. -LLL prints the resulting output in LDIF format without comments or version information

-s [sub|base|one]    Defines the scope of the search to be base, one, or sub (the default)

-S attribute    Causes the ldapsearch client to sort the results by the value of attribute

-t, -tt    Write binary values to files in a temporary directory defined by -T option. -tt specifies that all values should be written to files in a temporary directory defined by

-T directory    Defines the directory used to store the resulting output files. The default is the directory specified by $LDAP_TMPDIR

-u    Includes user-friendly names in the output

-z limit    Specifies the maximum number of entries to return

Adding the Initial Directory Entries (cont.)

Updating What Is Already There

– Use ldapmodify to update the data in the directory

– (note that ldapmodify can also add entries)

– e.g.

    $ ldapmodify -D "cn=Manager,dc=plainjoe,dc=org" -w secret \
    > -x -a -f /tmp/users.diff
    adding new entry ...

– Options:

-a Entries are to be added to the directory (default for ldapmodify is to modify)

-f filename Reads new entries from given filename

-r Replaces entries and values

-F Forces all change records to be used from the input

Adding the Initial Directory Entries (cont.)

Updating What Is Already There (cont.)

– Example LDIF file that adds & deletes an attribute (the two records are separated by a blank line):

    ## /tmp/update.ldif

    dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
    changetype: modify
    add: labeledURI
    labeledURI: http://www.plainjoe.org/~jerry/

    dn: cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
    changetype: modify
    delete: mail
    mail: [email protected]

– changetype keyword values:

● add

● delete

● modify

● modrdn (changes RDN of an entry)

● moddn (changes DN of an entry)

Adding the Initial Directory Entries (cont.)

Updating What Is Already There (cont.)

– Running ldapmodify in verbose mode:

    $ ldapmodify -D "cn=Manager,dc=plainjoe,dc=org" -w secret \
    > -x -v -f /tmp/update.ldif
    ldap_initialize( <DEFAULT> )
    add labeledURI:
            http://www.plainjoe.org/~jerry/
    modifying entry "cn=Jerry Carter,ou=people,dc=plainjoe,dc=org"
    modify complete

    delete mail:
            [email protected]
    modifying entry "cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org"
    modify complete

Adding the Initial Directory Entries (cont.)

Updating What Is Already There (cont.)

– Multiple changes to a single entry are separated by a single dash (-) on a line by itself

    # /tmp/changetypes.ldif

    dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
    changetype: add
    cn: Peabody Soup
    sn: Soup
    objectclass: inetOrgPerson

    dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
    changetype: modify
    delete: telephoneNumber
    telephoneNumber: 555-123-1234
    -
    add: telephoneNumber
    telephoneNumber: 234-555-6789

    dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
    changetype: delete
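As an added example (not from the slides or from OpenLDAP), this Python parser reads LDIF change records as described above, with records separated by blank lines and the modifications of one entry separated by a line holding a single dash, and lists the destructive changes for review before the file is handed to ldapmodify. The names split_line, parse_changes and review are hypothetical, and base64 (`::`) values are assumed not to occur.

```python
# /tmp/changetypes.ldif as shown on the slide above.
CHANGETYPES_LDIF = """\
dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
changetype: add
cn: Peabody Soup
sn: Soup
objectclass: inetOrgPerson

dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
changetype: modify
delete: telephoneNumber
telephoneNumber: 555-123-1234
-
add: telephoneNumber
telephoneNumber: 234-555-6789

dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
changetype: delete
"""


def split_line(line):
    """Split 'name: value' into (name, value)."""
    name, _, value = line.partition(":")
    return name.strip(), value.strip()


def parse_changes(text):
    """Return one (dn, changetype, ops) tuple per blank-line-separated record."""
    changes = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]              # unfold a wrapped line
            elif raw:
                lines.append(raw)
        lines = [ln for ln in lines if not ln.startswith(("#", "version:"))]
        if not lines:
            continue
        key, dn = split_line(lines[0])
        if key.lower() != "dn":
            raise ValueError("record does not start with dn: " + lines[0])
        body, changetype = lines[1:], "content"   # no changetype: plain entry
        if body and split_line(body[0])[0].lower() == "changetype":
            changetype = split_line(body.pop(0))[1].lower()
        if changetype == "modify":
            ops, group = [], []
            for line in body + ["-"]:             # "-" closes each modification
                if line != "-":
                    group.append(line)
                elif group:
                    op, attr = split_line(group[0])
                    ops.append((op.lower(), attr, [split_line(v)[1] for v in group[1:]]))
                    group = []
        else:
            ops = [split_line(line) for line in body]
        changes.append((dn, changetype, ops))
    return changes


def review(changes):
    """List the changes that deserve a second look before ldapmodify runs them."""
    notes = []
    for dn, changetype, ops in changes:
        if changetype == "delete":
            notes.append((dn, "deletes the entry"))
        elif changetype in ("modrdn", "moddn"):
            notes.append((dn, "renames the entry; confirm it is a leaf node"))
        elif changetype == "modify":
            for op, attr, values in ops:
                if op == "replace" or (op == "delete" and not values):
                    notes.append((dn, op + " affects every value of " + attr))
    return notes
```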

Adding the Initial Directory Entries (cont.)

Updating What Is Already There (cont.)

– Modifying the RDN of an entry

● If entry is not a leaf node, changing RDN orphans its children: BAD!

    # /tmp/modrdn.ldif

    dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
    changetype: modrdn
    newrdn: cn=Gerry Carter
    deleteoldrdn: 1

– Or from the command-line:

    $ ldapmodrdn \
    > "cn=Jerry Carter,ou=people,dc=plainjoe,dc=org" \
    > "cn=Gerry Carter"

Adding the Initial Directory Entries (cont.)

Updating What Is Already There (cont.)

– ldapmodrdn command-line options:

-c Continue if errors occur

-r Remove the old RDN value

-s new_superior_node Defines new superior, or parent, entry under which the renamed entry should be located

– ldapdelete: one new option: -r (recursive) (note that delete is not atomic)

    $ ldapdelete -D "cn=Manager,dc=plainjoe,dc=org" -w secret -x \
    > -r -v "ou=people,dc=plainjoe,dc=org"
    ldap_initialize ( <DEFAULT> )
    deleting entry "ou=people,dc=plainjoe,dc=org"
    deleting children of: ou=people,dc=plainjoe,dc=org
    deleting children of: cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
    removing cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
    ...


Graphical Editors

● GQ (http://biot.com/gq/)

– GPL, GTK+ based LDAPv3 client

– Supports browsing, searching, editing/deleting entries, creating template entries, exporting subtrees or directory to an LDIF file

– Supports multiple server profiles, SASL authentication

● Java LDAP Browser/Editor (http://www.iit.edu/~gawojar/ldap/)

– Written in Java using JNDI classes

– Supports LDAPv2/3, including SSL, editing attribute values, searching, exporting and importing data using LDIF files, creating template entries, using multiple server profiles

● Softerra LDAP Browser (http://www.ldapbrowser.com/)

– Freely available, Win32-based

– Explorer-like interface, supports LDAPv2/3, SSL for v3 sessions, multiple server profiles, exporting entries and subtrees to an LDIF file