OpenLDAP: Building and Configuring CNS 4650 Fall 2004 Rev. 2

Page 1:

OpenLDAP: Building and Configuring

CNS 4650, Fall 2004

Rev. 2

Page 2:

OpenLDAP History

• http://www.openldap.org

• Based off the Umich code
  • Died ~1996

• OpenLDAP started ~1998

• OpenLDAP 1.0 - August 1998

Page 3:

Downloading OpenLDAP

• Download
  • http://www.openldap.org/software/download/

• 2.2.18 (~August 2004)

• Software packaged in a “tar-ball”
  • Tar’ed and then gzip’ed
  • openldap-2.2.18.tgz

Page 4:

Building OpenLDAP

• Requirements
  • C/C++ compiler (gcc)
  • POSIX REGEX (available on most modern Linux/UN*X systems)
  • Sleepycat Berkeley DB 4.2+

• Recommended
  • Cyrus SASL 2.1.18+
  • OpenSSL 0.9.7+

Page 5:

Building SLAPD

• BDB Backend
  • Sleepycat Berkeley DB 4.2+

• LDBM Backend
  • Compatible database manager
  • Berkeley DB, GDBM, etc.

Page 6:

Building SLURPD

• Thread Library
  • Pthreads (POSIX), Cthreads (Mach)

Page 7:

Environment Variables

Variable   Description    Example
CC         C compiler     gcc
CFLAGS     C flags        -O -g
CPPFLAGS   CPP flags      -I/path/include -DFOO=42
LDFLAGS    LD flags       -L/usr/local/lib
LIBS       Libraries      -llib
PATH       Command path   /usr/local/bin:/usr/bin:/bin

Page 8:

Environment Variables

• Bash
  • export LDFLAGS=-L/usr/local/Berkeley4.2/lib

• Tcsh (TC Shell/C Shell)
  • setenv LDFLAGS -L/usr/local/Berkeley4.2/lib

Page 9:

Building for Linux

• Might have to add the directories for the SASL, SSL and Berkeley libraries to /etc/ld.so.conf

• Afterwards, run ldconfig -v

• Set LD_LIBRARY_PATH, following the example from the previous slide
  • export LD_LIBRARY_PATH=/usr/local/Berkeley4.2/lib

Page 10:

Building

• cd openldap-2.2.18

• ./configure --enable-wrappers
  • --enable-wrappers makes slapd TCP wrappers aware

• The configure script will warn you if dependencies cannot be found. If there are no errors, continue.

Page 11:

Building

• make depend

• make

• make test

• sudo -s

• make install

Page 12:

Troubleshooting Builds

• Make sure you have a valid network interface (ifconfig -a)

• Verify you have the proper environment variables set (LD_LIBRARY_PATH, LDFLAGS, CPPFLAGS, etc.)

Page 13:

What is Installed?

• Servers

• Client utilities

• Developer libraries

Page 14:

Servers

Binary                      Description
/usr/local/libexec/slapd    The LDAP server
/usr/local/libexec/slurpd   The LDAP replication “server”

Page 15:

Client Utilities

Name                        Description
/usr/local/bin/ldapadd      Command line tool for adding entries (LDAPv2 & LDAPv3)
/usr/local/bin/ldapmodify   Command line tool for modifying entries (LDAPv2 & LDAPv3)
/usr/local/bin/ldapdelete   Command line tool for deleting entries (LDAPv2 & LDAPv3)
/usr/local/bin/ldapmodrdn   Command line tool for modifying an entry’s RDN (LDAPv2 & LDAPv3)

Page 16:

Client Utilities

Name                         Description
/usr/local/bin/ldapsearch    Command line tool for searching LDAP servers
/usr/local/bin/ldapcompare   Command line tool for comparing an entry’s attributes
/usr/local/bin/ldappasswd    Command line tool for changing a password attribute
/usr/local/sbin/slapadd      Command line tools for manipulating the backend data store
/usr/local/sbin/slapcat
/usr/local/sbin/slapindex
/usr/local/sbin/slappasswd   Generates a password for use in the slapd.conf file

Page 17:

Developer Libraries

Name                          Description
/usr/local/lib/libldap*       LDAP libraries
/usr/local/lib/liblber*       LBER libraries
/usr/local/include/ldap*.h    LDAP header files
/usr/local/include/lber*.h    LBER header files

Page 18:

Configuration Files

• Configuration files are located in /etc/openldap

• slapd.conf
  • Configuration for the LDAP server

• ldap.conf
  • Configuration for the LDAP client utilities

• Schema Directory
  • Contains the schema for the LDAP server

Page 19:

slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

loglevel 296
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/modules
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

Page 20:

Include Directive

• The “include” section contains the schema files that should be included

• If you extend the schema for OpenLDAP, add the path to your schema file in the include section
  • include /etc/openldap/schema/my.schema

• By default core.schema is the only schema included.

• The administrator should probably add more
  • Recommend adding the following
    • include /etc/openldap/schema/cosine.schema
    • include /etc/openldap/schema/inetorgperson.schema
    • include /etc/openldap/schema/nis.schema

Page 21:

Loglevel Directive

• You might need to add “loglevel”

• Add levels together to achieve the desired logging
  • Example: 8 + 32 + 256 = 296

• See the table on the next slide for log levels and descriptions

Page 22:

Loglevel Table

Level   Description
-1      All logging information
0       No logging information
1       Trace function calls
2       Packet-handling debugging information
4       Heavy trace debugging
8       Connection management
16      Packets sent and received
32      Search filter processing
64      Configuration file processing
128     Access control list processing
256     Statistics for connection, operation, and results
512     Statistics for results returned to client
1024    Communication with shell backend
2048    Print entry parsing debug information

Page 23:

slapd Logging

• Logging happens at the LOG_LOCAL4 facility of syslog

• Add the following to /etc/syslog.conf
  • local4.*    /var/log/slapd.log

Page 24:

Modules Directive

• The “modules” section allows the LDAP server to talk to different backends or databases
  • Example: UNIX flat files, PERL, Monitor

• Berkeley does not necessarily have to be uncommented

• If you plan to use Monitor then you need to add the directive
  • moduleload back_monitor.la

• Make sure you uncomment the first line!!!
  • The path to the module directory (modulepath)

Page 25:

slapd.conf Cont.

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

Page 26:

Access Control Lists

• What
  • Regular expressions are used to define what can be accessed
  • access to dn.[targetstyle]=[regex]
  • targetstyle defines how far below the ACL applies (can contain subtree, base, one or nothing)
  • regex is a DN of the container you wish to control

Page 27:

Access Control Lists

• Sample “What”s
  • access to dn.base="cn=Subschema"
  • access to dn=".*,dc=uvsc,dc=edu"
  • access to dn.one="dc=uvsc,dc=edu"

Page 28:

Access Control Lists

• Who
  • Defines who can perform what operation in the defined context
  • by [who] [operation]
  • [who] defines who exactly can perform the operation (*, self, anonymous, users, [regex that matches a DN])
  • [operation] defines what the defined user can do (read, write, search, compare, auth, none)

Page 29:

Access Control Lists

• Sample “Who”s
  • by * auth
  • by self write
  • by * read
  • by dn=".*,ou=class,dc=uvsc,dc=edu"

Page 30:

Access Control Lists

access to attrs=userPassword
    by self write
    by * auth
access to dn.subtree=cn=monitor
    by dn.exact="cn=Manager,dc=uvsc,dc=edu" write
    by dn.subtree="dc=uvsc,dc=edu" read
    by * read
access to *
    by self write
    by * read
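An added example, not part of the slides, that models how slapd evaluates the what/who rules of pages 26 to 30: the first "access to" whose target matches decides, its first matching "by" clause sets the level, and a level grants every lower level (so "by * auth" on userPassword lets anyone bind but nobody read the hash). It runs over a copy of the three page-30 rules; the bare dn="..." form is treated as a regular expression as page 26 describes, and the DNs used for checking are made up.

```python
import re
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # ascending; a level grants all lower ones
DN_SEL = re.compile(r'dn(?:\.(\w+))?="?([^"]*)"?')               # dn.<style>=<pattern>, quotes optional

def dn_matches(style, pattern, dn):
    """dn.<style>= selector from page 26: base/exact, one, subtree, or a bare regex."""
    dn, pattern = dn.lower(), pattern.lower()
    if style in ("exact", "base"):
        return dn == pattern
    if style == "subtree":                 # the entry itself or anything below it
        return dn == pattern or dn.endswith("," + pattern)
    if style == "one":                     # exactly one level below
        return dn.endswith("," + pattern) and "," not in dn[: -len(pattern) - 1]
    return re.fullmatch(pattern, dn) is not None   # legacy dn="<regex>" form
def parse_acl(text):
    """'access to <what> by <who> <level> ...' lines -> [(what, [(who, level), ...])]."""
    rules = []
    for line in text.strip().splitlines():
        what, *bys = re.split(r"\s+by\s+", line.split("access to", 1)[1].strip())
        rules.append((what, [tuple(b.split()) for b in bys]))
    return rules
def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):          # attribute rule: fires only for that attribute
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    style, pattern = DN_SEL.fullmatch(what).groups()
    return dn_matches(style or "regex", pattern, target_dn)
def who_matches(who, bind_dn, target_dn):
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": bind_dn is None, "users": bind_dn is not None,
                "self": bind_dn is not None and bind_dn.lower() == target_dn.lower()}[who]
    style, pattern = DN_SEL.fullmatch(who).groups()
    return bind_dn is not None and dn_matches(style or "regex", pattern, bind_dn)
def allowed(rules, bind_dn, target_dn, attr, wanted):
    """slapd semantics: the first 'access to' whose what matches decides, and within it the
    first matching 'by' clause sets the level; no match at all means no access."""
    for what, clauses in rules:
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False
    return False

ACL = parse_acl("\n".join([   # constructed copy of the three page-30 rules
    "access to attrs=userPassword by self write by * auth",
    'access to dn.subtree=cn=monitor by dn.exact="cn=Manager,dc=uvsc,dc=edu" write by dn.subtree="dc=uvsc,dc=edu" read by * read',
    "access to * by self write by * read"]))
```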

Page 31:

slapd.conf Cont.

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data
# Indices to maintain
index   objectClass     eq

Page 32:

Database Directive

• Berkeley is usually defined for you
  • database bdb

• Suffix
  • Defines your directory domain, should be unique

• Rootdn
  • Defines the “super user” for your LDAP server
  • Usually “cn=Manager,” + the suffix

• Rootpw
  • Use /usr/local/sbin/slappasswd to generate the password
  • Include everything returned!!
  • Example: {SSHA}hwQhVL4hfn4p4HXvlgwOf1lFF/tppU6R
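An added example, not from the slides: a small slapd.conf review helper covering the loglevel arithmetic of pages 21 and 22, the modulepath reminder of page 24, and the rootpw advice of pages 31 and 32. ssha_make builds a {SSHA} value the way slappasswd does (SHA-1 over password plus salt, salt appended, then base64), ssha_verify checks one, and the config fragment at the end is constructed for the demonstration.

```python
import base64, hashlib, os

# Components from the page-22 loglevel table; the directive value is their sum (page 21).
LOG_LEVELS = {1: "trace", 2: "packets", 4: "heavy trace", 8: "connections", 16: "BER send/recv",
              32: "filters", 64: "config", 128: "ACLs", 256: "conn/op/result stats",
              512: "result stats", 1024: "shell backend", 2048: "entry parsing"}

def decode_loglevel(value):
    """Undo the page-21 addition: 296 -> [8, 32, 256]; -1 has every bit set and yields all."""
    return [bit for bit in LOG_LEVELS if value & bit]

def parse_slapd_conf(text):
    """directive -> value; names lower-cased, comments and blank lines skipped, last one wins."""
    lines = [l.split(None, 1) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {p[0].lower(): (p[1].strip() if len(p) > 1 else "") for p in lines}

def ssha_make(password, salt=None):
    """Produce a {SSHA} value the way slappasswd does: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, password):
    """Re-hash with the salt that follows the 20-byte SHA-1 digest; False for any malformed value."""
    try:
        raw = base64.b64decode(stored[6:], validate=True) if stored.startswith("{SSHA}") else b""
    except ValueError:                     # binascii.Error is a ValueError: not valid base64
        return False
    return len(raw) > 20 and hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def audit(text):
    """Flag the slapd.conf weaknesses the slides call out (pages 21, 24, 31 and 32)."""
    findings, conf = [], parse_slapd_conf(text)
    rootpw = conf.get("rootpw", "")
    if rootpw and not rootpw.startswith("{"):
        findings.append("rootpw is cleartext; paste the full slappasswd output instead")
    level = int(conf.get("loglevel", "0"))
    if level != -1 and not level & 256:
        findings.append("loglevel omits 256, so connections, operations and results are not logged")
    if "moduleload" in conf and "modulepath" not in conf:
        findings.append("moduleload without modulepath: uncomment the modulepath line first")
    return findings

SAMPLE = """# constructed fragment, modelled on the page-31 example
loglevel 296
moduleload back_monitor.la
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret"""
```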

Page 33:

Database Directive

• For Monitor support
  • database monitor

Page 34:

Resources

• LDAP System Administration: O’Reilly and Associates. Gerald Carter

• OpenLDAP website http://www.openldap.org