OpenLDAP: Building and Configuring
CNS 4650, Fall 2004
Rev. 2
OpenLDAP History
• http://www.openldap.org
• Based off the University of Michigan (Umich) LDAP code
• The Umich project died ~1996
• OpenLDAP started ~1998
• OpenLDAP 1.0 - August 1998
Downloading OpenLDAP
• Download from http://www.openldap.org/software/download/
• 2.2.18 (~August 2004)
• Software is packaged as a “tarball”: tar’ed and then gzip’ed
• openldap-2.2.18.tgz
Building OpenLDAP
• Requirements
  • C/C++ compiler (gcc)
  • POSIX regex library (available on most modern Linux/UN*X systems)
  • Sleepycat Berkeley DB 4.2+
• Recommended
  • Cyrus SASL 2.1.18+
  • OpenSSL 0.9.7+
Building SLAPD
• BDB Backend (the recommended backend for 2.2)
  • Sleepycat Berkeley DB 4.2+
• LDBM Backend (the older backend)
  • Any compatible database manager: Berkeley DB, GDBM, etc.
Building SLURPD
• Thread Library
  • Pthreads (POSIX), Cthreads (Mach)
Environment Variables
Variable   Description                                   Example
CC         C compiler                                    gcc
CFLAGS     C compiler flags                              -O -g
CPPFLAGS   Preprocessor flags (include paths, defines)   -I/path/include -DFOO=42
LDFLAGS    Linker flags (library search paths)           -L/usr/local/lib
LIBS       Extra libraries to link                       -llib
PATH       Command search path                           /usr/local/bin:/usr/bin:/bin
Environment Variables
• Bash
  • export LDFLAGS=-L/usr/local/Berkeley4.2/lib
• Tcsh (TC Shell/C Shell); note setenv takes no “=”
  • setenv LDFLAGS -L/usr/local/Berkeley4.2/lib
Building for Linux
• You might have to add the SASL, SSL and Berkeley DB library directories to /etc/ld.so.conf
• Then run ldconfig -v
• Alternatively, set LD_LIBRARY_PATH using the path from the previous slide
  • export LD_LIBRARY_PATH=/usr/local/Berkeley4.2/lib
Building
• cd openldap-2.2.18
• ./configure --enable-wrappers
  • --enable-wrappers builds slapd with TCP Wrappers support, so connections can be filtered with /etc/hosts.allow and /etc/hosts.deny
• The configure script warns about optional dependencies it cannot find and stops with an error on required ones (e.g. Berkeley DB). If there are no errors, continue
Building
• make depend
• make
• make test
• sudo -s
• make install
Troubleshooting Builds
• Make sure you have a working network interface (ifconfig -a): make test starts slapd on the loopback address and drives it with the client tools
• Verify you have the proper environment variables set (LD_LIBRARY_PATH, LDFLAGS, CPPFLAGS, etc.)
What is Installed?
• Servers
• Client utilities
• Developer libraries
Servers
Binary                        Description
/usr/local/libexec/slapd      The LDAP server
/usr/local/libexec/slurpd     The LDAP replication “server”
Client Utilities
Name                          Description
/usr/local/bin/ldapadd        Command line tool for adding entries (LDAPv2 & LDAPv3)
/usr/local/bin/ldapmodify     Command line tool for modifying entries (LDAPv2 & LDAPv3)
/usr/local/bin/ldapdelete     Command line tool for deleting entries (LDAPv2 & LDAPv3)
/usr/local/bin/ldapmodrdn     Command line tool for modifying an entry’s RDN (LDAPv2 & LDAPv3)
Client Utilities
Name                          Description
/usr/local/bin/ldapsearch     Command line tool for searching LDAP servers
/usr/local/bin/ldapcompare    Command line tool for comparing an entry’s attribute values
/usr/local/bin/ldappasswd     Command line tool for changing a password attribute
/usr/local/sbin/slapadd       Command line tools that work on the backend data store directly
/usr/local/sbin/slapcat       (load, dump, re-index); slapadd and slapindex must be run
/usr/local/sbin/slapindex     while slapd is not running
/usr/local/sbin/slappasswd    Generates a hashed password for use in the slapd.conf file
Developer Libraries
Name                          Description
/usr/local/lib/libldap*       LDAP libraries
/usr/local/lib/liblber*       LBER libraries
/usr/local/include/ldap*.h    LDAP header files
/usr/local/include/lber*.h    LBER header files
Configuration Files
• Configuration files are located in /etc/openldap (with the default --prefix=/usr/local a source build puts them under /usr/local/etc/openldap; the examples in these slides use /etc/openldap)
• slapd.conf: configuration for the LDAP server
• ldap.conf: configuration for the LDAP client utilities
• schema directory: contains the schema files for the LDAP server
slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

loglevel 296
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/modules
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
Include Directive
• The “include” lines name the schema files the server loads
• If you extend the schema for OpenLDAP, add an include for your schema file
  • include /etc/openldap/schema/my.schema
• By default core.schema is the only schema included
• The administrator should probably add more; recommended, in this order (inetorgperson and nis depend on cosine, so it must come first):
  • include /etc/openldap/schema/cosine.schema
  • include /etc/openldap/schema/inetorgperson.schema
  • include /etc/openldap/schema/nis.schema
Loglevel Directive
• You might need to add a “loglevel” directive
• Add levels together to achieve the desired log; each level is one bit, so adding is the same as bitwise OR as long as no level is used twice
  • Example: 8 + 32 + 256 = 296
• See the table on the next slide for log levels and descriptions
Loglevel Table
Level Description
-1 All logging information
0 No logging information
1 Trace function calls
2 Packet-handling debugging information
4 Heavy trace debugging
8 Connection management
16 Packets sent and received
32 Search filter processing
64 Configuration file processing
128 Access control list processing
256 Statistics for connection, operation, and results
512 Statistics for results returned to client
1024 Communication with shell backend
2048 Print entry parsing debug information
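As an added example (not part of the original slides), a small Python helper that turns a loglevel value such as the 296 in the sample slapd.conf back into the rows of the table above, and combines rows into a value with bitwise OR rather than addition, so that a level accidentally listed twice does not silently become a different level. The descriptions are the table’s; the function names are this example’s own.

```python
# Added example, not from the original slides: decode and encode the slapd
# "loglevel" bitmask using the table of levels from the slide above.
LOGLEVELS = {
    1: "Trace function calls",
    2: "Packet-handling debugging information",
    4: "Heavy trace debugging",
    8: "Connection management",
    16: "Packets sent and received",
    32: "Search filter processing",
    64: "Configuration file processing",
    128: "Access control list processing",
    256: "Statistics for connection, operation, and results",
    512: "Statistics for results returned to client",
    1024: "Communication with shell backend",
    2048: "Print entry parsing debug information",
}
ALL_BITS = sum(LOGLEVELS)            # 4095: every level in the table set


def decode_loglevel(level):
    """Return [(bit, description), ...] for a loglevel value from slapd.conf.
    -1 means everything and 0 means nothing; any bit outside the table is a
    configuration error and is reported rather than ignored."""
    if level == -1:
        return sorted(LOGLEVELS.items())
    if level < 0 or level & ~ALL_BITS:
        raise ValueError("loglevel %d is not a combination of known levels" % level)
    return [(bit, desc) for bit, desc in sorted(LOGLEVELS.items()) if level & bit]


def encode_loglevel(bits):
    """Combine table levels with bitwise OR. Plain addition only works when
    each level appears once: 8 + 8 is 16, which silently turns
    'Connection management' into 'Packets sent and received'."""
    level = 0
    for bit in bits:
        if bit not in LOGLEVELS:
            raise ValueError("%r is not a single level from the table" % (bit,))
        level |= bit
    return level


if __name__ == "__main__":
    for bit, desc in decode_loglevel(296):
        print("%5d  %s" % (bit, desc))
    print("encoded:", encode_loglevel([8, 32, 256]))
```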
slapd Logging
• slapd logs through syslog using the LOG_LOCAL4 facility by default (another local facility can be selected with slapd -l)
• Add the following line to /etc/syslog.conf (fields separated by tabs) and restart syslogd
  • local4.*	/var/log/slapd.log
Modules Directive
• The “modules” section lets the LDAP server talk to different backends or databases; examples: UNIX flat files (back_passwd), Perl, Monitor
• back_bdb does not necessarily have to be uncommented: a backend compiled into slapd (the default) needs no moduleload line; moduleload is only for backends built as dynamic modules
• If you plan to use Monitor and it was built as a module, you need to add the directive
  • moduleload back_monitor.la
• Make sure you uncomment the first line!!! It is the modulepath, the path to the module directory, and the moduleload lines cannot work without it
slapd.conf Cont.
# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 64-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
Access Control Lists
• What
  • Defines which entries (and optionally which attributes, with attrs=) a rule covers
  • access to dn.[targetstyle]=[pattern]
  • targetstyle defines how far below the named DN the ACL applies: base (that entry only), one (its immediate children), subtree (the entry and everything below it) or regex (pattern is a regular expression matched against the DN)
  • pattern is the DN of the container you wish to control; with dn.regex it is a regular expression
Access Control Lists
• Sample “What”s
  • access to dn.base="cn=Subschema"
  • access to dn.regex=“.*,dc=uvsc,dc=edu” (a bare dn= with a pattern is the older regex form; use the explicit dn.regex style)
  • access to dn.one=“dc=uvsc,dc=edu”
Access Control Lists
• Who
  • Defines who can perform what operation on the entries selected by the “What”
  • by [who] [access]
  • [who] is one of: * (anyone), anonymous (unauthenticated), users (any authenticated DN), self (the requester is the entry being accessed), or dn.exact / dn.subtree / dn.regex = a DN pattern
  • [access] is the level granted: none, auth, compare, search, read, write. Each level includes the ones before it, so “read” also allows search, compare and auth
  • slapd uses the first “access to” whose What matches the entry, and within it the first “by” clause that matches the requester; if nothing matches, access is denied. Put specific rules (e.g. for userPassword) before general ones
Access Control Lists
• Sample “Who”s
  • by * auth
  • by self write
  • by * read
  • by dn.regex=“.*,ou=class,dc=uvsc,dc=edu” read
Access Control Lists
access to attrs=userPassword
	by self write
	by * auth
access to dn.subtree="cn=monitor"
	by dn.exact="cn=Manager,dc=uvsc,dc=edu" write
	by dn.subtree="dc=uvsc,dc=edu" read
	by * read
access to *
	by self write
	by * read
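As an added example (not OpenLDAP’s own code), a simplified Python model of how slapd walks these directives: the first “access to” whose What matches the entry wins, and within it the first matching “by” clause decides. It encodes the three directives above and shows what happens if “access to *” is moved to the front. The DN comparison (per RDN string, case-insensitive), the anchored regex style and the entry DNs uid=bob / uid=alice are assumptions of this example; real slapd has more machinery (control keywords, attribute value selectors, sets, the “entry” pseudo-attribute) that is left out.

```python
import re

# Added example (not OpenLDAP code): a simplified model of how slapd walks
# "access to <what> by <who> <level>" directives, written to show why their
# order matters. Assumptions: DNs compare per RDN string, case-insensitively;
# the regex style is anchored at both ends; <what> is "*", attrs=<name>, or a
# DN with a base/exact/one/subtree/regex style; <who> is *, anonymous, users,
# self, or a (style, pattern) DN selector.

ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def dn_parts(dn):
    """Split a DN into normalised RDN strings, most specific first."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]


def dn_matches(style, pattern, dn):
    """Match a DN against a pattern using an OpenLDAP DN style."""
    if style == "regex":
        return re.fullmatch(pattern, dn, re.IGNORECASE) is not None
    t, p = dn_parts(dn), dn_parts(pattern)
    if style in ("base", "exact"):
        return t == p
    if style == "one":           # immediate children only
        return len(t) == len(p) + 1 and t[1:] == p
    if style == "subtree":       # the base entry and everything below it
        return len(t) >= len(p) and t[len(t) - len(p):] == p
    raise ValueError("unknown dn style: %s" % style)


def what_matches(what, target_dn, attr):
    """Does the <what> of a directive select this entry/attribute?"""
    kind, pattern = what
    if kind == "*":
        return True
    if kind == "attrs":
        return attr is not None and attr.lower() == pattern.lower()
    return dn_matches(kind, pattern, target_dn)


def who_matches(who, requester_dn, target_dn):
    """Does a <by> clause apply to this requester (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and dn_parts(requester_dn) == dn_parts(target_dn)
    style, pattern = who         # e.g. ("exact", "cn=Manager,dc=uvsc,dc=edu")
    return requester_dn is not None and dn_matches(style, pattern, requester_dn)


def allowed(acls, requester_dn, target_dn, attr, requested):
    """The first directive whose <what> matches decides; inside it the first
    matching <by> clause decides. Anything that matches nothing is denied."""
    for what, by_clauses in acls:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(requested)
        return False             # <what> matched but no <by> clause granted anything
    return False                 # no directive matched at all


# The three directives from the slide above, in the slide's order.
ACLS = [
    (("attrs", "userPassword"), [("self", "write"), ("*", "auth")]),
    (("subtree", "cn=monitor"), [(("exact", "cn=Manager,dc=uvsc,dc=edu"), "write"),
                                 (("subtree", "dc=uvsc,dc=edu"), "read"),
                                 ("*", "read")]),
    (("*", None), [("self", "write"), ("*", "read")]),
]
# The same clauses with "access to *" moved to the front: it now matches
# userPassword first, so the "by * auth" protection is never consulted.
ACLS_WRONG_ORDER = [ACLS[2], ACLS[0], ACLS[1]]

# Constructed test identities, not from any real directory.
BOB = "uid=bob,ou=class,dc=uvsc,dc=edu"
ALICE = "uid=alice,ou=class,dc=uvsc,dc=edu"
MANAGER = "cn=Manager,dc=uvsc,dc=edu"

if __name__ == "__main__":
    for label, acls in (("slide order", ACLS), ("access to * first", ACLS_WRONG_ORDER)):
        print(label, "- anonymous read of bob's userPassword:",
              allowed(acls, None, BOB, "userPassword", "read"))
```

Run stand-alone it prints False for the slide’s order and True for the reordered list: with “access to *” first, anonymous users can read everyone’s password hashes. Note also that in the cn=monitor directive the “by dn.subtree=… read” clause adds nothing, since the following “by * read” already grants read to everybody.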
slapd.conf Cont.
#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=my-domain,dc=com"
rootdn		"cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/var/db/openldap-data
# Indices to maintain
index	objectClass	eq
Database Directive
• The Berkeley DB backend is usually defined for you
• database bdb
• Suffix
  • Defines your directory’s naming context (e.g. dc=uvsc,dc=edu); it must be unique among the databases in this slapd.conf
• Rootdn
  • Defines the “super user” for your LDAP server; ACLs do not apply to it
  • Usually “cn=Manager,” + the suffix
• Rootpw
  • Use /usr/local/sbin/slappasswd to generate a hashed password instead of storing it in cleartext
  • Include everything returned, including the {SSHA} prefix!! The hash carries its own salt, so a truncated copy will never verify
  • Example: {SSHA}hwQhVL4hfn4p4HXvlgwOf1lFF/tppU6R
  • slapd.conf now holds the rootdn credential, so keep the file readable only by the user slapd runs as
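As an added example (not OpenLDAP’s own code), a Python implementation of the {SSHA} scheme slappasswd emits by default: base64 of SHA-1(password || salt) followed by the salt. Generating and verifying a value makes the “include everything returned” rule concrete, because the salt lives in the tail of the string. The 4-byte salt length matches slappasswd’s default; the sample hash from the slide is parsed but its password is not known, so it is only checked for shape. Function names are this example’s own.

```python
import base64
import hashlib
import hmac
import os

# Added example, not OpenLDAP's own code: generate and verify {SSHA} values in
# the format slappasswd writes: "{SSHA}" + base64(SHA-1(password || salt) || salt).
# A 4-byte random salt matches slappasswd's default (assumption for this example).

PREFIX = "{SSHA}"
SLIDE_HASH = "{SSHA}hwQhVL4hfn4p4HXvlgwOf1lFF/tppU6R"   # value shown on the slide


def ssha_hash(password, salt=None):
    """Return a {SSHA} string for password, with a random 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_parse(stored):
    """Split a {SSHA} string into (digest, salt); reject anything malformed,
    including a value too short to hold a 20-byte SHA-1 digest plus salt."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) <= 20:
        raise ValueError("value too short to hold a SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def ssha_verify(password, stored):
    """Constant-time check of password against a stored {SSHA} value.
    A cleartext or truncated rootpw simply fails to verify."""
    try:
        digest, salt = ssha_parse(stored)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Fixed salt so the same value is produced every run (constructed test input).
FIXED_HASH = ssha_hash("secret", b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print("rootpw", FIXED_HASH)
    print("correct password verifies:", ssha_verify("secret", FIXED_HASH))
    print("truncated copy verifies:  ", ssha_verify("secret", FIXED_HASH[:-4]))
```

Two things worth noticing when you run it: two hashes of the same password differ because each carries a fresh salt, and chopping even a few characters off the end changes the salt that verification recovers, so the password never matches again.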
Database Directive
• For Monitor support
  • database monitor
Resources
• LDAP System Administration: O’Reilly and Associates. Gerald Carter
• OpenLDAP website http://www.openldap.org