[OpenLDAP] A Quick HOWTO Guide To Get Started With

PRODUCT: OpenLDAP
OP/SYS: Fedora 12
SOURCE: Philippe Vouters Fontainebleau/France
LOW-COST HIGH-TECH: http://techno-star.fr
OVERVIEW: This document presents a quick HOWTO guide to get started with OpenLDAP. It stems from the author's personal experience with this software under Fedora 12. OpenLDAP is the open source counterpart of what Microsoft, in its own specific way, implements in Active Directory. According to http://en.wikipedia.org/wiki/Active_Directory a major difference between Active Directory and LDAP based solutions is that Active Directory is a hierarchical framework of objects whereas LDAP is a true hierarchical directory. Other software vendors may also offer their own LDAP based solution. For example, OpenVMS, an HP proprietary operating system, provides the HP OpenVMS Enterprise Directory product, which bypasses User Authorization File (UAF) authentication and replaces it with Enterprise Directory authentication. If curious, refer to the block diagram at http://h71000.www7.hp.com/solutions/mail.html
STEPS TO IMPLEMENT A COMPANY LDAP BASED SOLUTION: This document now focuses on OpenLDAP running on Fedora 12.

Step 1: Modify /etc/openldap/slapd.conf

You'll notice that it starts with many includes of schema files. You may as well add other schema files that match your needs. For example, if you wish to add Samba authentication, you would run the following command:

  # find / -xdev -name samba.schema

which returns, on Fedora 12 with Samba 3.4.5 installed:

  /usr/share/doc/samba-3.4.5/LDAP/samba.schema
  /etc/openldap/schema/samba.schema

Then add the samba schema file to the list of includes in /etc/openldap/slapd.conf. Still on the subject of adding schema components to your /etc/openldap/slapd.conf, you may locate slapd.conf templates with the command:

  # find / -xdev -name slapd.conf

If it is commented out, you may find it convenient to uncomment the line:

  allow bind_v2

In the "Sample access control policy:" section, it is advised to have the following lines:

  access to dn.base="" by * read
  access to dn.base="cn=Subschema" by * read
  access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
  access to *
        by self write
        by users read
        by * none

Failure to do so may cause subsequent LDAP queries or data additions to fail. Then adjust the following lines to your environment. Here my "company" domain is "vouters.dyndns.org".

  database bdb
  suffix "dc=vouters,dc=dyndns,dc=org"
  checkpoint 1024 15
  rootdn "cn=admin,dc=vouters,dc=dyndns,dc=org"
  # Cleartext passwords, especially for the rootdn, should
  # be avoided. See slappasswd(8) and slapd.conf(5) for details.
  # Use of strong authentication encouraged.
  rootpw {crypt}ijFYNcSNctBYg

rootdn and rootpw are the privileged user name and password used to maintain the company LDAP directory. Instead of a {crypt} hashed rootpw password, you may use an MD5 hash.
For example, assuming your clear text rootpw password is "Myself", you would use:

  $ /usr/sbin/slappasswd -v -s Myself -h {MD5}
  {MD5}JmxHkfFaXR01aKgbDMOpWg==

and the rootpw line would then read:

  rootpw {MD5}JmxHkfFaXR01aKgbDMOpWg==

When using {crypt} hashing, you must know your computer's crypt(3) implementation and supply the salt format, written as a sprintf-style format string, both to /usr/sbin/slappasswd via its -c option and to the /etc/openldap/slapd.conf configuration file via the password-crypt-salt-format directive. Refer to the -c option at http://www.openldap.org/software/man.cgi?query=slappasswd&sektion=8&apropos=0&manpath=OpenLDAP+2.4-Release and the password-crypt-salt-format option at http://www.openldap.org/software/man.cgi?query=slapd.conf&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release for more details.

Finally, you will have to change the last lines so that they read:

  access to *
        by dn.exact="cn=admin,dc=vouters,dc=dyndns,dc=org" read
        by * read

Step 2: Create an ASCII file that you will name Mycompany-LDAP.ldif

This Mycompany-LDAP.ldif defines the layout of the Mycompany LDAP directory structure. Still for the vouters.dyndns.org network domain and the 'My wife' user, you would enter the following:

  ## DEFINE DIT ROOT/BASE/SUFFIX ####
  ## uses RFC 2377 format
  dn: dc=vouters,dc=dyndns,dc=org
  dc: vouters
  description: My wonderful company as much text as you want to place
   in this line up to 32K continuation data for the line above must have <CR>
   or <CR><LF> i.e. ENTER works on both Windows and *nix system - new line MUST
   begin with ONE SPACE
  objectClass: dcObject
  objectClass: organization
  o: Vouters, Unlimited.
  ## FIRST Level hierarchy - people
  ## uses mixed upper and lower case for objectclass
  # this is an ENTRY sequence and is preceded by a BLANK line
  dn: ou=people, dc=vouters,dc=dyndns,dc=org
  ou: people
  description: All people in organisation
  objectclass: organizationalunit

  ## SECOND Level hierarchy
  ## ADD a single entry under FIRST (people) level
  # this is an ENTRY sequence and is preceded by a BLANK line
  # the ou: Human Resources is the department name
  dn: cn=My wife, ou=people,dc=vouters,dc=dyndns,dc=org
  objectclass: inetOrgPerson
  cn: My wife
  sn: wife
  uid: wife
  userPassword: ToBeSet
  mail: My.wife@vouters.dyndns.org
  description: Excellent purchaser to be recommended
  ou: Purchase Department

Step 3: Troubleshooting your /etc/openldap/slapd.conf configuration and .ldif files

Issue the following commands to troubleshoot your configuration, using two root terminals:

  $ /usr/sbin/slapd -d 1 -f /etc/openldap/slapd.conf

and

  $ ldapadd -x -W -H ldap://127.0.0.1/ -f /path/Mycompany-LDAP.ldif \
    -D "cn=admin,dc=vouters,dc=dyndns,dc=org" -d 1

(enter the rootpw password when prompted). If this looks successful, you may then set your user's LDAP password with a command like:

  $ ldappasswd -H ldap://127.0.0.1 -v -x -W \
    -D 'cn=admin,dc=vouters,dc=dyndns,dc=org' \
    -S 'cn=My wife,ou=people,dc=vouters,dc=dyndns,dc=org'

(enter the rootpw password when prompted). To check the validity of the LDAP database content, you may issue a command like:

  $ ldapsearch -v -D 'cn=My wife,ou=people,dc=vouters,dc=dyndns,dc=org' \
    -W -b 'dc=vouters,dc=dyndns,dc=org' -s sub uid

(enter your user's LDAP password when prompted). To add a field to your user profile, you would create a small add.ldif file. This add.ldif template adds givenName to My wife; note that the dn must name the entry exactly as it was created, under ou=people:

  dn: cn=My wife,ou=people,dc=vouters,dc=dyndns,dc=org
  changetype: modify
  add: givenName
  givenName: Mww
  -

Then:

  $ ldapmodify -x -W -H ldap://127.0.0.1/ -f /path/add.ldif \
    -D 'cn=admin,dc=vouters,dc=dyndns,dc=org'

(enter the rootpw password when prompted).
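Before ldapadd ever sees the file (Step 3), the two rules from Step 2 that most often break an import can be checked offline: every entry's parent must appear earlier in the file, and a continuation line must begin with ONE space. The following lint is an added example, not part of this HOWTO; it assumes the suffix from the slapd.conf above and uses a constructed LDIF sample that deliberately lists ou=people after its child entry.

```python
# Added example (not from the HOWTO): offline lint of an LDIF file before ldapadd.
SUFFIX = "dc=vouters,dc=dyndns,dc=org"   # must match 'suffix' in slapd.conf

# Constructed sample; ou=people is deliberately placed after its child entry.
SAMPLE_LDIF = """\
dn: dc=vouters,dc=dyndns,dc=org
dc: vouters
description: My wonderful company, with a continuation
  line that begins with ONE SPACE

dn: cn=My wife, ou=people,dc=vouters,dc=dyndns,dc=org
objectclass: inetOrgPerson

dn: ou=people, dc=vouters,dc=dyndns,dc=org
ou: people
"""

def normalize_dn(dn):
    # 'ou=people, dc=x' and 'ou=people,dc=x' name the same entry
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    # One {attr: [values]} dict per entry, in file order; '::' base64 not decoded
    entries, attrs, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line == "":                        # blank line terminates the entry
            if attrs:
                entries.append(attrs)
            attrs, last = {}, None
        elif line.startswith(" ") and last:   # continuation: drop ONE space, append
            attrs[last][-1] += line[1:]
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs.setdefault(last, []).append(value.lstrip())
    if attrs:
        entries.append(attrs)
    return entries

def check_ldif(text, suffix=SUFFIX):
    # Returns problem strings; an empty list means ldapadd will see parents first
    problems, known, suffix = [], set(), normalize_dn(suffix)
    for entry in parse_ldif(text):
        dn = normalize_dn(entry["dn"][0])
        if dn != suffix and dn.partition(",")[2] not in known:
            problems.append("parent of %s is not defined before it" % dn)
        known.add(dn)
    return problems
```

Running check_ldif(SAMPLE_LDIF) reports the misplaced cn=My wife entry, which is the same noSuchObject failure ldapadd would stop on; reorder the file until the list comes back empty.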
Step 4: After you have troubleshot your LDAP configuration, you can now abort the /usr/sbin/slapd execution with CTRL-C. Before starting the slapd service, because the slapd files are currently owned by root whereas the slapd service expects them to be owned by owner:group "ldap:ldap", you must now perform the following:

  $ chown ldap:ldap /etc/openldap/slapd.conf
  $ chown ldap:ldap /var/lib/ldap/*.bdb

Next, you have to:

  $ chkconfig slapd on

And finally:

  $ service slapd start

The above should return OK.
REFERENCE(S): Literature on OpenLDAP can be widely found using Google queries. The official OpenLDAP home page is at http://www.openldap.org/ For PHP code performing authentication against either Microsoft Active Directory on Windows or OpenLDAP on Linux, refer to: ../tima/Linux-PHP-AD-OpenLDAP-A_quick_HOWTO_programming_guide_part_2.html