Chapter 20. Directory Servers
20.1. OpenLDAP
LDAP
(Lightweight Directory Access Protocol) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500
standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as “X.500 Lite”.
20.1.1. Introduction to LDAP
Important
Important
SSLv3
protocol for security. OpenLDAP is one of the system components that do not provide configuration parameters that allow SSLv3
to be effectively disabled. To mitigate the risk, it is recommended that you use the stunnel
command to provide a secure tunnel, and disable stunnel from using SSLv3
. For more information on using stunnel, see the Red Hat Enterprise Linux 6 Security Guide.
20.1.1.1. LDAP Terminology
- entry
- A single unit within an LDAP directory. Each entry is identified by its unique Distinguished Name (DN).
- attribute
- Information directly associated with an entry. For example, if an organization is represented as an LDAP entry, attributes associated with this organization might include an address, a fax number, etc. Similarly, people can be represented as entries with common attributes such as personal telephone number or email address.An attribute can either have a single value, or an unordered space-separated list of values. While certain attributes are optional, others are required. Required attributes are specified using the
objectClass
definition, and can be found in schema files located in the/etc/openldap/slapd.d/cn=config/cn=schema/
directory.The assertion of an attribute and its corresponding value is also referred to as a Relative Distinguished Name (RDN). Unlike distinguished names that are unique globally, a relative distinguished name is only unique per entry. - LDIF
- The LDAP Data Interchange Format (LDIF) is a plain text representation of an LDAP entry. It takes the following form:
[id] dn: distinguished_name attribute_type: attribute_value attribute_type: attribute_value ...
The optional id is a number determined by the application that is used to edit the entry. Each entry can contain as many attribute_type and attribute_value pairs as needed, as long as they are all defined in a corresponding schema file. A blank line indicates the end of an entry.
20.1.1.2. OpenLDAP Features
- LDAPv3 Support — Many of the changes in the protocol since LDAP version 2 are designed to make LDAP more secure. Among other improvements, this includes the support for Simple Authentication and Security Layer (SASL), and Transport Layer Security (TLS) protocols.
- LDAP Over IPC — The use of inter-process communication (IPC) enhances security by eliminating the need to communicate over a network.
- IPv6 Support — OpenLDAP is compliant with Internet Protocol version 6 (IPv6), the next generation of the Internet Protocol.
- LDIFv1 Support — OpenLDAP is fully compliant with LDIF version 1.
- Updated C API — The current C API improves the way programmers can connect to and use LDAP directory servers.
- Enhanced Standalone LDAP Server — This includes an updated access control system, thread pooling, better tools, and much more.
20.1.1.3. OpenLDAP Server Setup
- Install the OpenLDAP suite. See Section 20.1.2, “Installing the OpenLDAP Suite” for more information on required packages.
- Customize the configuration as described in Section 20.1.3, “Configuring an OpenLDAP Server”.
- Start the
slapd
service as described in Section 20.1.4, “Running an OpenLDAP Server”. - Use the
ldapadd
utility to add entries to the LDAP directory. - Use the
ldapsearch
utility to verify that theslapd
service is accessing the information correctly.
20.1.2. Installing the OpenLDAP Suite
Package | Description |
---|---|
openldap | A package containing the libraries necessary to run the OpenLDAP server and client applications. |
openldap-clients | A package containing the command-line utilities for viewing and modifying directories on an LDAP server. |
openldap-servers | A package containing both the services and utilities to configure and run an LDAP server. This includes the Standalone LDAP Daemon, slapd . |
compat-openldap | A package containing the OpenLDAP compatibility libraries. |
Package | Description |
---|---|
sssd | A package containing the System Security Services Daemon (SSSD) , a set of daemons to manage access to remote directories and authentication mechanisms. It provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system and a pluggable back-end system to connect to multiple different account sources. |
mod_authz_ldap |
A package containing
mod_authz_ldap , the LDAP authorization module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. Note that the mod_ssl module is required when using the mod_authz_ldap module.
|
yum
command in the following form:
yum
install
package
~]# yum install openldap openldap-clients openldap-servers
root
) to run this command. For more information on how to install new packages in Red Hat Enterprise Linux, see Section 8.2.4, “Installing Packages”.
20.1.2.1. Overview of OpenLDAP Server Utilities
slapd
service:
Command | Description |
---|---|
slapacl | Allows you to check the access to a list of attributes. |
slapadd | Allows you to add entries from an LDIF file to an LDAP directory. |
slapauth | Allows you to check a list of IDs for authentication and authorization permissions. |
slapcat | Allows you to pull entries from an LDAP directory in the default format and save them in an LDIF file. |
slapdn | Allows you to check a list of Distinguished Names (DNs) based on available schema syntax. |
slapindex | Allows you to re-index the slapd directory based on the current content. Run this utility whenever you change indexing options in the configuration file. |
slappasswd | Allows you to create an encrypted user password to be used with the ldapmodify utility, or in the slapd configuration file. |
slapschema | Allows you to check the compliance of a database with the corresponding schema. |
slaptest | Allows you to check the LDAP server configuration. |
Important
root
can run slapadd
, the slapd
service runs as the ldap
user. Because of this, the directory server is unable to modify any files created by slapadd
. To correct this issue, after running the slapd
utility, type the following at a shell prompt:
~]# chown -R ldap:ldap /var/lib/ldap
Warning
slapd
service before using slapadd
, slapcat
, or slapindex
. You can do so by typing the following at a shell prompt:
~]# service slapd stop
Stopping slapd: [ OK ]
slapd
service, see Section 20.1.4, “Running an OpenLDAP Server”.
20.1.2.2. Overview of OpenLDAP Client Utilities
Command | Description |
---|---|
ldapadd | Allows you to add entries to an LDAP directory, either from a file, or from standard input. It is a symbolic link to ldapmodify -a . |
ldapcompare | Allows you to compare given attribute with an LDAP directory entry. |
ldapdelete | Allows you to delete entries from an LDAP directory. |
ldapexop | Allows you to perform extended LDAP operations. |
ldapmodify | Allows you to modify entries in an LDAP directory, either from a file, or from standard input. |
ldapmodrdn | Allows you to modify the RDN value of an LDAP directory entry. |
ldappasswd | Allows you to set or change the password for an LDAP user. |
ldapsearch | Allows you to search LDAP directory entries. |
ldapurl | Allows you to compose or decompose LDAP URLs. |
ldapwhoami | Allows you to perform a whoami operation on an LDAP server. |
ldapsearch
, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
20.1.2.3. Overview of Common LDAP Client Applications
20.1.3. Configuring an OpenLDAP Server
/etc/openldap/
directory. Table 20.5, “List of OpenLDAP configuration files and directories” highlights the most important files and directories within this directory.
slapd
service uses a configuration database located in the /etc/openldap/slapd.d/
directory and only reads the old /etc/openldap/slapd.conf
configuration file if this directory does not exist. If you have an existing slapd.conf
file from a previous installation, you can either wait for the openldap-servers package to convert it to the new format the next time you update this package, or type the following at a shell prompt as root
to convert it immediately:
~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
slapd
configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in Section 20.1.2.1, “Overview of OpenLDAP Server Utilities”.
Important
slapd
service unable to start. Because of this, it is strongly advised that you avoid editing the LDIF files within the /etc/openldap/slapd.d/
directory directly.
20.1.3.1. Changing the Global Configuration
/etc/openldap/slapd.d/cn=config.ldif
file. The following directives are commonly used:
-
olcAllows
- The
olcAllows
directive allows you to specify which features to enable. It takes the following form:olcAllows
: featureIt accepts a space-separated list of features as described in Table 20.6, “Available olcAllows options”. The default option isbind_v2
.Table 20.6. Available olcAllows options Option Description bind_v2
Enables the acceptance of LDAP version 2 bind requests. bind_anon_cred
Enables an anonymous bind when the Distinguished Name (DN) is empty. bind_anon_dn
Enables an anonymous bind when the Distinguished Name (DN) is not empty. update_anon
Enables processing of anonymous update operations. proxy_authz_anon
Enables processing of anonymous proxy authorization control. Example 20.1. Using the olcAllows directive
olcAllows: bind_v2 update_anon
-
olcConnMaxPending
- The
olcConnMaxPending
directive allows you to specify the maximum number of pending requests for an anonymous session. It takes the following form:olcConnMaxPending
: numberThe default option is100
.Example 20.2. Using the olcConnMaxPending directive
olcConnMaxPending: 100
-
olcConnMaxPendingAuth
- The
olcConnMaxPendingAuth
directive allows you to specify the maximum number of pending requests for an authenticated session. It takes the following form:olcConnMaxPendingAuth
: numberThe default option is1000
.Example 20.3. Using the olcConnMaxPendingAuth directive
olcConnMaxPendingAuth: 1000
-
olcDisallows
- The
olcDisallows
directive allows you to specify which features to disable. It takes the following form:olcDisallows
: featureIt accepts a space-separated list of features as described in Table 20.7, “Available olcDisallows options”. No features are disabled by default.Table 20.7. Available olcDisallows options Option Description bind_anon
Disables the acceptance of anonymous bind requests. bind_simple
Disables the simple bind authentication mechanism. tls_2_anon
Disables the enforcing of an anonymous session when the STARTTLS command is received. tls_authc
Disallows the STARTTLS command when authenticated. Example 20.4. Using the olcDisallows directive
olcDisallows: bind_anon
-
olcIdleTimeout
- The
olcIdleTimeout
directive allows you to specify how many seconds to wait before closing an idle connection. It takes the following form:olcIdleTimeout
: numberThis option is disabled by default (that is, set to0
).Example 20.5. Using the olcIdleTimeout directive
olcIdleTimeout: 180
-
olcLogFile
- The
olcLogFile
directive allows you to specify a file in which to write log messages. It takes the following form:olcLogFile
: file_nameThe log messages are written to standard error by default.Example 20.6. Using the olcLogFile directive
olcLogFile: /var/log/slapd.log
-
olcReferral
- The
olcReferral
option allows you to specify a URL of a server to process the request in case the server is not able to handle it. It takes the following form:olcReferral
: URLThis option is disabled by default.Example 20.7. Using the olcReferral directive
olcReferral: ldap://root.openldap.org
-
olcWriteTimeout
- The
olcWriteTimeout
option allows you to specify how many seconds to wait before closing a connection with an outstanding write request. It takes the following form:olcWriteTimeout
This option is disabled by default (that is, set to0
).Example 20.8. Using the olcWriteTimeout directive
olcWriteTimeout: 180
20.1.3.2. Changing the Database-Specific Configuration
/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
file. The following directives are commonly used in a database-specific configuration:
-
olcReadOnly
- The
olcReadOnly
directive allows you to use the database in a read-only mode. It takes the following form:olcReadOnly
: booleanIt accepts eitherTRUE
(enable the read-only mode), orFALSE
(enable modifications of the database). The default option isFALSE
.Example 20.9. Using the olcReadOnly directive
olcReadOnly: TRUE
-
olcRootDN
- The
olcRootDN
directive allows you to specify the user that is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. It takes the following form:olcRootDN
: distinguished_nameIt accepts a Distinguished Name (DN). The default option iscn=Manager,dc=my-domain,dc=com
.Example 20.10. Using the olcRootDN directive
olcRootDN: cn=root,dc=example,dc=com
-
olcRootPW
- The
olcRootPW
directive allows you to set a password for the user that is specified using theolcRootDN
directive. It takes the following form:olcRootPW
: passwordIt accepts either a plain text string, or a hash. To generate a hash, type the following at a shell prompt:~]$
slappaswd
New password: Re-enter new password: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxDExample 20.11. Using the olcRootPW directive
olcRootPW: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD
-
olcSuffix
- The
olcSuffix
directive allows you to specify the domain for which to provide information. It takes the following form:olcSuffix
: domain_nameIt accepts a fully qualified domain name (FQDN). The default option isdc=my-domain,dc=com
.Example 20.12. Using the olcSuffix directive
olcSuffix: dc=example,dc=com
20.1.3.3. Extending Schema
/etc/openldap/slapd.d/cn=config/cn=schema/
directory also contains LDAP definitions that were previously located in /etc/openldap/schema/
. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, see http://www.openldap.org/doc/admin/schema.html.
20.1.4. Running an OpenLDAP Server
20.1.4.1. Starting the Service
slapd
service, type the following at a shell prompt:
~]# service slapd start
Starting slapd: [ OK ]
~]# chkconfig slapd on
20.1.4.2. Stopping the Service
slapd
service, type the following at a shell prompt:
~]# service slapd stop
Stopping slapd: [ OK ]
~]# chkconfig slapd off
20.1.5. Configuring a System to Authenticate Using OpenLDAP
~]# yum install openldap openldap-clients sssd
20.1.5.1. Migrating Old Authentication Information to LDAP Format
~]# yum install migrationtools
/usr/share/migrationtools/
directory. Once installed, edit the /usr/share/migrationtools/migrate_common.ph
file and change the following lines to reflect the correct domain, for example:
# Default DNS domain $DEFAULT_MAIL_DOMAIN = "example.com"; # Default base $DEFAULT_BASE = "dc=example,dc=com";
migrate_all_online.sh
script with the default base set to dc=example,dc=com
, type:
~]#export DEFAULT_BASE="dc=example,dc=com" \
/usr/share/migrationtools/migrate_all_online.sh
Existing Name Service | Is LDAP Running? | Script to Use |
---|---|---|
/etc flat files | yes | migrate_all_online.sh |
/etc flat files | no | migrate_all_offline.sh |
NetInfo | yes | migrate_all_netinfo_online.sh |
NetInfo | no | migrate_all_netinfo_offline.sh |
NIS (YP) | yes | migrate_all_nis_online.sh |
NIS (YP) | no | migrate_all_nis_offline.sh |
README
and the migration-tools.txt
files in the /usr/share/doc/migrationtools-version/
directory.
20.1.6. Additional Resources
20.1.6.1. Installed Documentation
/usr/share/doc/openldap-servers-version/guide.html
- A copy of the OpenLDAP Software Administrator's Guide.
/usr/share/doc/openldap-servers-version/README.schema
- A README file containing the description of installed schema files.
- Client Applications
man ldapadd
— Describes how to add entries to an LDAP directory.man ldapdelete
— Describes how to delete entries within an LDAP directory.man ldapmodify
— Describes how to modify entries within an LDAP directory.man ldapsearch
— Describes how to search for entries within an LDAP directory.man ldappasswd
— Describes how to set or change the password of an LDAP user.man ldapcompare
— Describes how to use theldapcompare
tool.man ldapwhoami
— Describes how to use theldapwhoami
tool.man ldapmodrdn
— Describes how to modify the RDNs of entries.
- Server Applications
man slapd
— Describes command-line options for the LDAP server.
- Administrative Applications
man slapadd
— Describes command-line options used to add entries to aslapd
database.man slapcat
— Describes command-line options used to generate an LDIF file from aslapd
database.man slapindex
— Describes command-line options used to regenerate an index based upon the contents of aslapd
database.man slappasswd
— Describes command-line options used to generate user passwords for LDAP directories.
- Configuration Files
man ldap.conf
— Describes the format and options available within the configuration file for LDAP clients.man slapd-config
— Describes the format and options available within the configuration directory.
20.1.6.2. Useful Websites
- http://www.openldap.org/doc/admin24/
- The current version of the OpenLDAP Software Administrator's Guide.