OpenLDAPServer
4283
Comment: initial creation of the page
|
6544
|
Deletions are marked like this. | Additions are marked like this. |
Line 13: | Line 13: |
First of all, install ldap daemon on the server : {{{ apt-get install slapd }}} |
First of all, install the ldap server daemon (slapd) on the server ; install the following packages: {{{slapd}}} and {{{ldap-utils}}} (see InstallingSoftware). |
Line 21: | Line 17: |
Only few changes will be operated on the default configuration. First set the root password in the configuration file (instead of in the directory): | Only few changes will be operated on the default configuration. First set the root password in the configuration file (instead of in the directory) by editing the file {{{/etc/ldap/slapd.conf}}}. Don't use a cleartext password however. To generate an encrypted password first use {{{slappasswd yourpasswd}}} |
Line 24: | Line 22: |
8<-------------------------------------------- | $ slappasswd New password: Re-enter password: {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m }}} This example shows what happens when using the string "secret" as the password. (By nature of the SSHA encryption scheme, your result will vary.) Now edit {{{/etc/ldap/slapd.conf}}} and copy paste the generated string. {{{ # Make sure you edit or add these directives after the first 'database' directive. |
Line 28: | Line 37: |
rootpw secret 8<-------------------------------------------- |
rootpw {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m |
Line 31: | Line 40: |
Line 36: | Line 48: |
LDAP directory can be feed with a ldif file (ldif means ldap directory interchange format). Here is an exemple : | LDAP directory can be fed with a ldif file (ldif means ldap directory interchange format). Generate this example text file {{{init.ldif}}} somewhere on your system: |
Line 40: | Line 52: |
dc= example | objectClass: dcObject objectClass: organizationalUnit dc: example ou: Example Dot Com |
Line 43: | Line 58: |
objectClass: top | |
Line 48: | Line 62: |
objectClass: top | |
Line 51: | Line 64: |
dn: ou=admin,dc=example,dc=com objectClass: top objectClass: organizationalUnit ou: admin |
|
Line 58: | Line 66: |
objectClass: top | |
Line 89: | Line 96: |
objectClass: top | |
Line 91: | Line 97: |
cn: exemple | cn: example |
Line 93: | Line 99: |
displayName: Exemple Alveonet | displayName: Example group |
Line 96: | Line 102: |
In the example above, the directory structure, a user and group have been setup. Now, add it to the LDAP : | In the example above, the directory structure, a user and group have been setup. In other example you might see the objectClass: top added in every entry, but that is default behaviour so you don't have to add it explicitely. Now, add your entries to the LDAP : |
Line 99: | Line 107: |
* delete the content that has been automaticaly added: {{{sudo rm -rf /var/lib/ldap/*}}} | * delete the content that was automaticaly added at installation: {{{sudo rm -rf /var/lib/ldap/*}}} |
Line 102: | Line 110: |
We can check that the content has been correctly added, but first add the ldap-utils package in order to execute search in the LDAP directory : | We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search in the LDAP directory : |
Line 105: | Line 113: |
sudo apt-get install ldap-utils | |
Line 117: | Line 124: |
= And after = | = Put your LDAP server to use = |
Line 119: | Line 126: |
You have setup your LDAP directory, and now you have to use it. You can authenticate you clients on the directory as explained in ["LDAPClientAuthentication"] or use it in a web application. It can be also used as a shared address directory for your mail agent. Usage of LDAP are infinite ! | Now that it is up and running you can: * authenticate your users on the directory as explained in ["LDAPClientAuthentication"] * authenticate your users in a web application. * use it as a shared address directory for your mail agent. Use of LDAP are infinite ! = LDAP replication = LDAP service often quickly becomes a highly critical service in an information system: all is depending of LDAP: autentication, authorization, mail system, etc. It can be a good idea to setup a redundant system. It is easy to setup, here is a quick howto. == Introduction == With OpenLDAP 2.2 (on Breezy and Dapper), replication is based on a master-slave relation. attachment:IconsPage/IconWarning3.png You will have to remember that modifications should ALWAYS be done on the master ! If you modifies the slave, modifications will get lost. == LDAP master == On the master, you have to modify the database section of the {{{/etc/ldap/slapd.conf}}} to add a {{{replica}}} instruction. The following example shows a replica on {{{ldap-2.example.com}}} with the Manager user with {{{secret}}} as password. The replication logfile is the place modifications are stored before they are send to the LDAP slave. {{{ replica uri=ldap://ldap-2.example.com:389 binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=secret replogfile /var/lib/ldap/replog }}} Restart your LDAP server. == LDAP slave == On the slave, you have to authorize your master to update LDAP database. Add the following lines to your {{{/etc/ldap/slapd.conf}}} file in the database section: {{{ updatedn cn=Manager,dc=example,dc=com updateref ldap://ldap-1.example.com }}} Restart your LDAP server. |
Line 123: | Line 169: |
[http://www.openldap.org OpenLDAP website] give you lot of informations [http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO/ LDAP HOWTO] |
* [http://www.openldap.org OpenLDAP website] give you lot of informations * [http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO/ LDAP HOWTO] * [http://luma.sourceforge.net/] Simple gui to LDAP administration, available in repositories. |
Introduction
LDAP means Lightweight Directory Access Protocol, it is a simplified version of X500 protocol. You will find a more detailed presentation [http://en.wikipedia.org/wiki/LDAP on Wikipedia].
To describe quickly, all informations are stored in a tree. You have to determine by yourself the directory arborescence (the Directory Information Tree: the DIT). We will begin with a basic tree with two nodes above the root :
- "People" node where your users will be stored
- "Groups" node where your groups will be stored
You have to first determine what the root of your LDAP will be. By default, your tree will be determined by your internet domain. If your domain is example.com (we will use it in the above example), your root will be dc=example,dc=com.
Installation
First of all, install the ldap server daemon (slapd) on the server ; install the following packages: slapd and ldap-utils (see InstallingSoftware).
Enter your domain as asked and the password that you want for the directory administrator.
Only few changes will be operated on the default configuration. First set the root password in the configuration file (instead of in the directory) by editing the file /etc/ldap/slapd.conf.
Don't use a cleartext password however. To generate an encrypted password first use slappasswd yourpasswd
$ slappasswd New password: Re-enter password: {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m
This example shows what happens when using the string "secret" as the password. (By nature of the SSHA encryption scheme, your result will vary.)
Now edit /etc/ldap/slapd.conf and copy paste the generated string.
# Make sure you edit or add these directives after the first 'database' directive. suffix "dc=example,dc=com" directory "/var/lib/ldap" rootdn "cn=admin,dc=example,dc=com" rootpw {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m
Populating LDAP
The directory has been created at the installation, now it is time to populate. It will be populated with a "classical" entry that will be compatible with directory (for example for a shared directory), with classical accounts (for a web application) and with Unix accounts (posix).
LDAP directory can be fed with a ldif file (ldif means ldap directory interchange format). Generate this example text file init.ldif somewhere on your system:
dn: dc=example,dc=com objectClass: dcObject objectClass: organizationalUnit dc: example ou: Example Dot Com dn: ou=people,dc=example,dc=com objectClass: organizationalUnit ou: people dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit ou: groups dn: uid=lionel,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: lionel sn: Porcheron givenName: Lionel cn: Lionel Porcheron displayName: Lionel Porcheron uidNumber: 1000 gidNumber: 10000 gecos: Lionel Porcheron loginShell: /bin/bash homeDirectory: /home/lionel shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: lionel.porcheron@example.com postalCode: 31000 l: Toulouse o: Example mobile: +33 (0)6 xx xx xx xx homePhone: +33 (0)5 xx xx xx xx title: System Administrator postalAddress: initials: LP dn: cn=example,ou=groups,dc=example,dc=com objectClass: posixGroup cn: example gidNumber: 10000 displayName: Example group
In the example above, the directory structure, a user and group have been setup. In other example you might see the objectClass: top added in every entry, but that is default behaviour so you don't have to add it explicitely.
Now, add your entries to the LDAP :
stop LDAP daemon: sudo /etc/init.d/slapd stop
delete the content that was automaticaly added at installation: sudo rm -rf /var/lib/ldap/*
add the content sudo slapadd -l init.ldif
We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search in the LDAP directory :
ldapsearch -xLLL uid=lionel sn givenName cn dn: uid=lionel,ou=people,dc=example,dc=com cn: Lionel Porcheron sn: Porcheron givenName: Lionel
Just a quick explanation :
-x is because we do not use SASL authentication method (by default)
-LLL disable printing LDIF informations
Put your LDAP server to use
Now that it is up and running you can:
- authenticate your users on the directory as explained in ["LDAPClientAuthentication"]
- authenticate your users in a web application.
- use it as a shared address directory for your mail agent.
Use of LDAP are infinite !
LDAP replication
LDAP service often quickly becomes a highly critical service in an information system: all is depending of LDAP: autentication, authorization, mail system, etc. It can be a good idea to setup a redundant system. It is easy to setup, here is a quick howto.
Introduction
With OpenLDAP 2.2 (on Breezy and Dapper), replication is based on a master-slave relation.
attachment:IconsPage/IconWarning3.png You will have to remember that modifications should ALWAYS be done on the master ! If you modifies the slave, modifications will get lost.
LDAP master
On the master, you have to modify the database section of the /etc/ldap/slapd.conf to add a replica instruction. The following example shows a replica on ldap-2.example.com with the Manager user with secret as password. The replication logfile is the place modifications are stored before they are send to the LDAP slave.
replica uri=ldap://ldap-2.example.com:389 binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=secret replogfile /var/lib/ldap/replog
Restart your LDAP server.
LDAP slave
On the slave, you have to authorize your master to update LDAP database. Add the following lines to your /etc/ldap/slapd.conf file in the database section:
updatedn cn=Manager,dc=example,dc=com updateref ldap://ldap-1.example.com
Restart your LDAP server.
Links
[http://www.openldap.org OpenLDAP website] give you lot of informations
[http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO/ LDAP HOWTO]
[http://luma.sourceforge.net/] Simple gui to LDAP administration, available in repositories.
OpenLDAPServer (last edited 2008-08-06 16:22:34 by localhost)