OpenLDAP Directory Administration
OpenLDAP: Building a Company White Pages
Table of Contents
● A Starting Point
● Defining the Schema
● Updating slapd.conf
● Starting slapd
● Adding the Initial Directory Entries
● Graphical Editors
A Starting Point
● From previous chapter:

    # Global section
    # include minimum schema required
    include /etc/ldap/schema/core.schema

    # Added logging parameters
    loglevel 296
    pidfile /var/run/slapd.pid
    argsfile /var/run/slapd.args

    # TLS options for slapd
    TLSCipherSuite HIGH
    TLSCertificateFile /etc/ldap/slapd-cert.pem
    TLSCertificateKeyFile /etc/ldap/slapd-key.pem

    # Misc settings
    password-hash {SSHA}

    # Example database
    database bdb
    ... (continued) ...
A Starting Point (cont.)

    ... (continued) ...
    # Define the root suffix you serve
    suffix "dc=plainjoe,dc=org"

    # Define a root DN for superuser privileges
    rootdn "cn=Manager,dc=plainjoe,dc=org"

    # Define password used with rootdn ("secret")
    rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy

    # Directory containing database files
    directory /var/ldap/plainjoe.org

    # Files should be created rw for the owner **only**
    mode 600

    # Indexes to maintain
    index objectClass eq
    index cn pres,eq

    # DB Tuning parameters
    cachesize 2000

    # Simple ACL
    access to *
        by * read
Defining the Schema
● First step in implementing a directory is determining what information to store in it
● Use standard schemas where you can: they are widely supported by vendors
● inetOrgPerson schema (RFC 2798) is in OpenLDAP's inetorgperson.schema file
  – A descendant of organizationalPerson, which was itself derived from the person object class
  – The only required attributes for this object class are cn and sn
Defining the Schema (cont.)
● Object class hierarchy (each class inherits the attributes of its parent):

  objectClass: person
    required attributes: cn, sn
    optional attributes: userPassword, telephoneNumber, seeAlso, description

  objectClass: organizationalPerson (parent: person)
    optional attributes: title, x121Address, registeredAddress, destinationIndicator,
      preferredDeliveryMethod, telexNumber, teletexTerminalIdentifier, telephoneNumber,
      internationaliSDNNumber, facsimileTelephoneNumber, street, postOfficeBox, postalCode,
      postalAddress, physicalDeliveryOfficeName, ou, st, l

  objectClass: inetOrgPerson (parent: organizationalPerson)
    optional attributes: audio, businessCategory, carLicense, departmentNumber, displayName,
      employeeNumber, employeeType, givenName, homePhone, homePostalAddress, initials, jpegPhoto,
      labeledURI, mail, manager, mobile, o, pager, photo, roomNumber, secretary, uid,
      userCertificate, x500uniqueIdentifier, preferredLanguage, userSMIMECertificate, userPKCS12
Defining the Schema (cont.)
● Directory will use the cn attribute as the RDN for each entry
● How to reduce name collisions?
  – Group employees in some type of logical container
  – We will use the ou=people container
● Example LDIF file:

    dn: cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
    objectClass: inetOrgPerson
    cn: Gerald W. Carter
    sn: Carter
    mail: [email protected]
    mail: [email protected]
    labeledURI: http://www.plainjoe.org/
    roomNumber: 1234 Dudley Hall
    departmentNumber: Engineering
    telephoneNumber: 222-555-2345
    pager: 222-555-6789
    mobile: 222-555-1011
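A schema pre-check for entries like the one above, added here as an example (it is not code from the slides or from OpenLDAP): it parses one LDIF entry and reports what does not fit the person / organizationalPerson / inetOrgPerson chain, the cn RDN, or the ou=people container before the file is handed to slapadd. The attribute sets are the ones listed on the preceding slide; the sample entry is constructed, and an empty result list means no problem was found.

```python
# Added example (not from the slides or OpenLDAP): check one LDIF entry against the
# person -> organizationalPerson -> inetOrgPerson chain on the slide before it is handed
# to slapadd. Simplified: plain-string DNs, no base64 (::) values or continuation lines.
REQUIRED = {"cn", "sn"}                                    # person: must be present
MAY = {                                                    # optional, per object class
    "person": {"userPassword", "telephoneNumber", "seeAlso", "description"},
    "organizationalPerson": {"title", "x121Address", "registeredAddress", "destinationIndicator",
        "preferredDeliveryMethod", "telexNumber", "teletexTerminalIdentifier", "telephoneNumber",
        "internationaliSDNNumber", "facsimileTelephoneNumber", "street", "postOfficeBox",
        "postalCode", "postalAddress", "physicalDeliveryOfficeName", "ou", "st", "l"},
    "inetOrgPerson": {"audio", "businessCategory", "carLicense", "departmentNumber", "displayName",
        "employeeNumber", "employeeType", "givenName", "homePhone", "homePostalAddress", "initials",
        "jpegPhoto", "labeledURI", "mail", "manager", "mobile", "o", "pager", "photo", "roomNumber",
        "secretary", "uid", "userCertificate", "x500uniqueIdentifier", "preferredLanguage",
        "userSMIMECertificate", "userPKCS12"},
}
PARENT = {"inetOrgPerson": "organizationalPerson", "organizationalPerson": "person"}

def allowed_attributes(object_class):
    """Lower-cased attribute names object_class may carry, parents included."""
    allowed, cls = set(REQUIRED), object_class
    while cls:
        allowed |= MAY.get(cls, set())
        cls = PARENT.get(cls)
    return {a.lower() for a in allowed}

def parse_entry(ldif):
    """One LDIF entry -> (dn, {lower-case attr: [values]}); '#' lines are skipped."""
    dn, attrs = "", {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
    return dn, attrs

def check_entry(ldif, container="ou=people,dc=plainjoe,dc=org"):
    """Return the problems found; an empty list means the entry fits the schema."""
    dn, attrs = parse_entry(ldif)
    problems = [] if dn.lower().endswith("," + container.lower()) else ["entry is not under " + container]
    rdn_attr, _, rdn_value = dn.partition(",")[0].partition("=")
    if rdn_value not in attrs.get(rdn_attr.strip().lower(), []):
        problems.append("RDN value %r is not one of the entry's attribute values" % rdn_value)
    named = {v.lower() for v in attrs.get("objectclass", [])}
    classes = sorted(c for c in MAY if c.lower() in named)     # classes this checker knows
    allowed = set().union(*(allowed_attributes(c) for c in classes))
    problems += ["required attribute %s is missing" % a for a in REQUIRED if a.lower() not in attrs]
    problems += ["attribute %s is not allowed by %s" % (a, classes or "any known objectClass")
                 for a in attrs if a != "objectclass" and a not in allowed]
    return problems

# Constructed entry in the form of the slide's white-pages example.
SAMPLE = """\
dn: cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
objectClass: inetOrgPerson
cn: Gerald W. Carter
sn: Carter
roomNumber: 1234 Dudley Hall
departmentNumber: Engineering
telephoneNumber: 222-555-2345
"""
```

check_entry(SAMPLE) returns an empty list; an entry placed outside ou=people, missing sn, or carrying an attribute none of its object classes allow gets one message per problem.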
Defining the Schema (cont.)
● Deep/narrow or wide/shallow directory?
  – Depends on two factors:
    ● How likely is it that a change will force an entry (a person) to be moved from one organizational unit to another?
      – Deeper directory trees = an entry must meet more requirements
    ● Does the implementation of your LDAP directory server favor one design over another?
      – For OpenLDAP, the answer depends on the needs
      – Number of writes? slapd requires a lock on the parent entry for the requesting client
      – Deeper tree = searches can be made more efficient by giving a more detailed search base
  – Read "Understanding and Deploying LDAP Directory Services" (MacMillan Technical Press)
Updating slapd.conf
● Modify slapd.conf to select the supported attribute types and object classes:

    # Global section
    # Minimum schema required
    include /etc/ldap/schema/core.schema

    # inetOrgPerson object
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/inetorgperson.schema

● To better support searches, modify the set of indexes to include a more complete list of attributes:

    # Indexes to maintain
    index objectClass eq
    # eq,sub = equality and substring matching
    index cn,sn,mail eq,sub
    index departmentNumber eq
Starting slapd
● Generally:

    # /path/to/slapd

● Check with "ps -ef", or use an init.d script!
● Command-line options:
  -d integer (specifies log level (to console))
  -f filename (specifies config file)
  -h URI_list (URIs that the LDAP server should serve, e.g. ldap://)
  -l syslog-local-user (specifies local user of syslog facility)
  -n name (defines service name to use when logging)
  -r directory (specifies a chroot() jail directory)
  -s syslog-level (defines syslog level other than default)
  -u username / -g groupname (effective UID/GID for slapd)
Adding the Initial Directory Entries
● Two ways to add information to the directory
  – slapadd & other slap* commands: work directly with the database, don't interact with slapd at all!
    ● slapadd, slapcat, slapindex, slappasswd
    ● Much faster!
    ● Must be run locally on the server (for version 2.0 or lower, slapd must not be running)
    ● Good for getting the server online
  – A number of tools, like ldapmodify, distributed with OpenLDAP, to update a live directory
    ● More flexible, allow greater control
    ● Day-to-day administration
Adding the Initial Directory Entries (cont.)
● slapadd command-line arguments:

  Option        Description
  -c            Continues processing input in the event of errors
  -b suffix     Specify which database in the configuration file to use, by the directory's
  -n integer    suffix (-b) or by its location (-n) in the slapd.conf file (first database is
                labeled 0); these options are mutually exclusive
  -d integer    Specifies which debugging information to log. See the loglevel parameter in
                slapd.conf for a listing of log levels
  -f filename   Specifies which configuration file to read
  -l filename   Specifies the LDIF file to use for input. In the absence of this option,
                slapadd reads data from standard input
  -v            Enables verbose mode. In this mode, slapadd prints some additional messages on
                standard output

● slapcat dumps the contents of an entire directory (including persistent operational attributes such as modifyTimestamp) in LDIF format
  – Identical command-line options, except -l specifies an output file
  – LDIF format = most portable format
Adding the Initial Directory Entries (cont.)
● slapindex can regenerate indexes for a bdb backend (the -l option isn't used)
● Example of slapadd command:

    # slapadd -v -l /tmp/top.ldif
    added: "dc=plainjoe,dc=org" (00000001)
    added: "ou=people,dc=plainjoe,dc=org" (00000002)
Adding the Initial Directory Entries (cont.)
● Verifying the Directory's Contents
  – (after bringing the directory online)
  – Use ldapsearch to query the directory
    ● In its simplest form, a query requires
      – LDAP server's hostname or IP address
      – The credentials (user DN and password)
      – Search base in the form of a DN
      – The scope of the directory search
      – A search filter
      – A list of attributes to return
Adding the Initial Directory Entries (cont.)
● Verifying the Directory's Contents (cont.)
  – Example ("show me everything" search):

    $ ldapsearch -x -b "dc=plainjoe,dc=org" "(objectclass=*)"
    version: 2

    # filter: (objectclass=*)
    # requesting: ALL
    #

    # plainjoe,dc=org
    dn: dc=plainjoe,dc=org
    dc: plainjoe.org
    objectClass: organizationalUnit
    ou: Plainjoe Dot Org

    # people,dc=plainjoe,dc=org
    dn: ou=people,dc=plainjoe,dc=org
    ou: people
    objectClass: organizationalUnit

    # search result
    search: 2
    result: 0 Success

    # numResponses: 3
    # numEntries: 2

  – -x: "simple bind" (no SASL)
  – -b: defines the DN to use as the search base suffix
  – "(objectclass=*)": the search filter
  – ldapsearch binds to localhost if a server isn't specified (-h option)
  – No authentication required
  – Default search scope: all entries
  – By default, all non-operational attributes are returned
Adding the Initial Directory Entries (cont.)
● Verifying the Directory's Contents (cont.)
  – Command-line options common to ldapsearch, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn

  Option                   Description
  -d integer               Specifies what debugging information to log (see the loglevel slapd.conf
                           parameter for a listing of loglevels)
  -D binddn                Specifies the DN to use for binding to the LDAP server
  -e [!]ctrl[=ctrlparam]   Defines an LDAP control to be used on the current operation. See also the
                           -M option for the ManageDSAit control
  -f filename              Specifies the file containing the LDIF entries to be used in the operations
  -H URI                   Defines the LDAP URI to be used in the connection request
  -I                       Enables the SASL "interactive" mode. By default, the client prompts for
                           information only when necessary
  -k                       Enables Kerberos 4 authentication
  -K                       Enables only the first step of the Kerberos 4 bind for authentication
  -M / -MM                 Enable the ManageDSAit control. This option is necessary when modifying an
                           entry that is a referral or an alias. -MM requires that the ManageDSAit
                           control be supported by the server
  -n                       Does not perform the search, just displays what would be done
  -O security_properties   Defines the SASL security properties for authentication. See previous
                           information on the sasl-secprops parameter in slapd.conf
Adding the Initial Directory Entries (cont.)
● Verifying the Directory's Contents (cont.)
  – Command-line options common to ldapsearch, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn (cont.)

  Option               Description
  -P [2|3]             Defines which protocol version to use in the connection (Version 2 or 3).
                       Default is LDAPv3
  -Q                   Suppresses SASL-related messages such as the authentication mechanism used,
                       username, and realm
  -R sasl_realm        Defines the realm to be used by the SASL authentication mechanism
  -U username          Defines the username to be used by the SASL authentication mechanism
  -v                   Enables verbose mode
  -w password          Specifies the password to be used for authentication
  -W                   Instructs the client to prompt for the password
  -x                   Enables simple authentication. The default is to use SASL authentication
  -X id                Defines the SASL authorization identity. The identity has the form dn:dn or
                       u:user. The default is to use the same authorization identity as the
                       authenticated user
  -y passwordfile      Instructs the ldap tool to read the password for a simple bind from the given file
  -Y sasl_mechanism    Instructs the client as to which SASL mechanism should be used. The bind request
                       will fail if the server does not support the chosen mechanism
  -Z / -ZZ             Issue a StartTLS request. Use of -ZZ makes the success of this request mandatory
                       for a successful connection
Adding the Initial Directory Entries (cont.)
● Verifying the Directory's Contents (cont.)
  – Command-line options specific to ldapsearch

  Option                          Description
  -a [never|always|search|find]   Specifies how to handle aliases when located during a search. Possible
                                  values include never (the default), always, search, and find
  -A                              For any entries found, returns the attribute names but not their values
  -b basedn                       Defines the base DN for the directory search
  -F prefix                       Defines the URL prefix for filenames. The default is to use the value
                                  stored in $LDAP_FILE_URI_PREFIX
  -l limit                        Defines a time limit (in seconds) for the server in the search
  -L / -LL / -LLL                 Print the resulting output in LDIFv1 format. -LL causes the result to be
                                  printed in LDIF format without comments. -LLL prints the resulting output
                                  in LDIF format without comments or version information
  -s [sub|base|one]               Defines the scope of the search to be base, one, or sub (the default)
  -S attribute                    Causes the ldapsearch client to sort the results by the value of attribute
  -t / -tt                        Write binary values to files in a temporary directory defined by the -T
                                  option. -tt specifies that all values should be written to files in the
                                  temporary directory defined by the -T option
  -T directory                    Defines the directory used to store the resulting output files. The
                                  default is the directory specified by $LDAP_TMPDIR
  -u                              Includes user-friendly names in the output
  -z limit                        Specifies the maximum number of entries to return
Adding the Initial Directory Entries (cont.)
● Updating What Is Already There
  – Use ldapmodify to update the data in the directory
  – (note that ldapmodify can also add entries)
  – e.g.

    $ ldapmodify -D "cn=Manager,dc=plainjoe,dc=org" -w secret \
    > -x -a -f /tmp/users.diff
    adding new entry ...

  – Options:
    -a            Entries are to be added to the directory (default for ldapmodify is to modify)
    -f filename   Reads new entries from the given filename
    -r            Replaces entries and values
    -F            Forces all change records to be used from the input
Adding the Initial Directory Entries (cont.)
● Updating What Is Already There (cont.)
  – Example LDIF file that adds & deletes an attribute (records are separated by a blank line):

    ## /tmp/update.ldif
    dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
    changetype: modify
    add: labeledURI
    labeledURI: http://www.plainjoe.org/~jerry/

    dn: cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
    changetype: modify
    delete: mail
    mail: [email protected]

  – changetype keyword values:
    ● add
    ● delete
    ● modify
    ● modrdn (changes the RDN of an entry)
    ● moddn (changes the DN of an entry)
Adding the Initial Directory Entries (cont.)
● Updating What Is Already There (cont.)
  – Running ldapmodify in verbose mode:

    $ ldapmodify -D "cn=Manager,dc=plainjoe,dc=org" -w secret \
    > -x -v -f /tmp/update.ldif
    ldap_initialize( <DEFAULT> )
    add labeledURI:
            http://www.plainjoe.org/~jerry/
    modifying entry "cn=Jerry Carter,ou=people,dc=plainjoe,dc=org"
    modify complete

    delete mail:
            [email protected]
    modifying entry "cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org"
    modify complete
Adding the Initial Directory Entries (cont.)
● Updating What Is Already There (cont.)
  – Multiple changes to a single entry are separated by a single dash (-) on a line by itself

    # /tmp/changetypes.ldif
    dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
    changetype: add
    cn: Peabody Soup
    sn: Soup
    objectclass: inetOrgPerson

    dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
    changetype: modify
    delete: telephoneNumber
    telephoneNumber: 555-123-1234
    -
    add: telephoneNumber
    telephoneNumber: 234-555-6789

    dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
    changetype: delete
Adding the Initial Directory Entries (cont.)
● Updating What Is Already There (cont.)
  – Modifying the RDN of an entry
    ● If the entry is not a leaf node, changing its RDN orphans its children: BAD!

    # /tmp/modrdn.ldif
    dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
    changetype: modrdn
    newrdn: cn=Gerry Carter
    deleteoldrdn: 1

  – Or from the command line:

    $ ldapmodrdn \
    > "cn=Jerry Carter,ou=people,dc=plainjoe,dc=org" \
    > "cn=Gerry Carter"
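As an added example (not code from the slides or from OpenLDAP), the Python below applies change records in the form of /tmp/changetypes.ldif and /tmp/modrdn.ldif to an in-memory dict that stands in for the directory: records are split at blank lines and modifications at the "-" line, and a modrdn on an entry that still has children is refused, which is the orphaning case the slide warns about. Assumptions: DNs are compared as exact strings (no case folding or escaped commas), base64 values and continuation lines are not handled, and add/delete records are left out; the starting directory and change records are constructed.

```python
# Added example, not from the slides or OpenLDAP: apply LDIF change records to a dict that
# stands in for the directory. Exact-string DNs; no base64 values, continuation lines, add/delete.
def parse_records(text):
    """Records end at a blank line; a '-' separator line parses as ('-', '')."""
    records, cur = [], []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.append((attr.strip(), value.strip()))
        elif not line.strip() and cur:
            records, cur = records + [cur], []
    return records + ([cur] if cur else [])

def modify(entry, body):
    """Apply the add/delete/replace groups of one changetype: modify record."""
    group = []
    for item in body + [("-", "")]:              # sentinel flushes the last group
        if item != ("-", ""):
            group.append(item)
        elif group:
            op, attr = group[0]
            values = [v for a, v in group[1:] if a == attr]
            if op not in ("add", "delete", "replace"):
                raise ValueError("bad modify operation %r on %s" % (op, attr))
            current = entry.get(attr, [])
            if op == "delete":                   # no values listed: drop them all
                values = [v for v in current if v not in values] if values else []
            entry[attr] = (current if op == "add" else []) + values
            if not entry[attr]:
                del entry[attr]
            group = []

def rename(directory, dn, newrdn, delete_old):
    """modrdn: refused on a non-leaf entry, whose children it would orphan."""
    if any(other.endswith("," + dn) for other in directory):
        raise ValueError(dn + " is not a leaf; modrdn would orphan its children")
    old_rdn, _, parent = dn.partition(",")
    entry = directory.pop(dn)
    for rdn, keep in ((old_rdn, not delete_old), (newrdn, True)):
        attr, _, value = rdn.partition("=")
        others = [v for v in entry.get(attr, []) if v != value]
        entry[attr] = others + ([value] if keep else [])
    directory[newrdn + "," + parent] = entry

def apply_changes(directory, text):
    """directory maps dn -> {attr: [values]}; returns it with text applied."""
    for (_, dn), (_, changetype), *body in parse_records(text):
        if changetype == "modify":
            modify(directory[dn], body)
        elif changetype in ("modrdn", "moddn"):
            params = dict(body)
            rename(directory, dn, params["newrdn"], params.get("deleteoldrdn") == "1")
        else:
            raise ValueError("unsupported changetype %r for %s" % (changetype, dn))
    return directory

def demo():
    """Constructed data: the modify and modrdn records shown on the slides."""
    jerry = "cn=Jerry Carter,ou=people,dc=plainjoe,dc=org"
    directory = {"ou=people,dc=plainjoe,dc=org": {"ou": ["people"]}, jerry: {
        "cn": ["Jerry Carter"], "sn": ["Carter"], "telephoneNumber": ["555-123-1234"]}}
    changes = ("dn: %s\nchangetype: modify\ndelete: telephoneNumber\ntelephoneNumber: 555-123-1234\n"
               "-\nadd: telephoneNumber\ntelephoneNumber: 234-555-6789\n\n"
               "dn: %s\nchangetype: modrdn\nnewrdn: cn=Gerry Carter\ndeleteoldrdn: 1\n" % (jerry, jerry))
    return apply_changes(directory, changes)
```

After demo() the entry is reachable only as cn=Gerry Carter,ou=people,dc=plainjoe,dc=org with the new telephoneNumber; applying the same modrdn to ou=people itself raises, because the container still has a child.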
Adding the Initial Directory Entries (cont.)
● Updating What Is Already There (cont.)
  – ldapmodrdn command-line options:
    -c                      Continue if errors occur
    -r                      Remove the old RDN value
    -s new_superior_node    Defines the new superior, or parent, entry under which the renamed entry
                            should be located
  – ldapdelete: one new option: -r (recursive) (note that the delete is not atomic)

    $ ldapdelete -D "cn=Manager,dc=plainjoe,dc=org" -w secret -x \
    > -r -v "ou=people,dc=plainjoe,dc=org"
    ldap_initialize( <DEFAULT> )
    deleting entry "ou=people,dc=plainjoe,dc=org"
    deleting children of: ou=people,dc=plainjoe,dc=org
    deleting children of: cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
    removing cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
    ...
Graphical Editors
● GQ (http://biot.com/gq/)
  – GPL, GTK+ based LDAPv3 client
  – Supports browsing, searching, editing/deleting entries, creating template entries, exporting subtrees or the whole directory to an LDIF file
  – Supports multiple server profiles, SASL authentication
● Java LDAP Browser/Editor (http://www.iit.edu/~gawojar/ldap/)
  – Written in Java using JNDI classes
  – Supports LDAPv2/3, including SSL, editing attribute values, searching, exporting and importing data using LDIF files, creating template entries, using multiple server profiles
● Softerra LDAP Browser (http://www.ldapbrowser.com/)
  – Freely available, Win32-based
  – Explorer-like interface, supports LDAPv2/3, SSL for v3 sessions, multiple server profiles, exporting entries and subtrees to an LDIF file