9.2. OpenLDAP
Note
9.2.1. Introduction to LDAP
Important
Important
SSLv3
protocol for security. OpenLDAP is one of the system components that do not provide configuration parameters that allow SSLv3
to be effectively disabled. To mitigate the risk, it is recommended that you use the stunnel
command to provide a secure tunnel, and disable stunnel from using SSLv3
. For more information on using stunnel, see the Red Hat Enterprise Linux 7 Security Guide.
9.2.1.1. LDAP Terminology
- entry
- A single unit within an LDAP directory. Each entry is identified by its unique Distinguished Name (DN).
- attribute
- Information directly associated with an entry. For example, if an organization is represented as an LDAP entry, attributes associated with this organization might include an address, a fax number, and so on. Similarly, people can be represented as entries with common attributes such as personal telephone number or email address.An attribute can either have a single value, or an unordered space-separated list of values. While certain attributes are optional, others are required. Required attributes are specified using the
objectClass
definition, and can be found in schema files located in the/etc/openldap/slapd.d/cn=config/cn=schema/
directory.The assertion of an attribute and its corresponding value is also referred to as a Relative Distinguished Name (RDN). Unlike distinguished names that are unique globally, a relative distinguished name is only unique per entry. - LDIF
- The LDAP Data Interchange Format (LDIF) is a plain text representation of an LDAP entry. It takes the following form:
[id] dn: distinguished_name attribute_type: attribute_value… attribute_type: attribute_value… …
The optional id is a number determined by the application that is used to edit the entry. Each entry can contain as many attribute_type and attribute_value pairs as needed, as long as they are all defined in a corresponding schema file. A blank line indicates the end of an entry.
9.2.1.2. OpenLDAP Features
- LDAPv3 Support — Many of the changes in the protocol since LDAP version 2 are designed to make LDAP more secure. Among other improvements, this includes the support for Simple Authentication and Security Layer (SASL), Transport Layer Security (TLS), and Secure Sockets Layer (SSL) protocols.
- LDAP Over IPC — The use of inter-process communication (IPC) enhances security by eliminating the need to communicate over a network.
- IPv6 Support — OpenLDAP is compliant with Internet Protocol version 6 (IPv6), the next generation of the Internet Protocol.
- LDIFv1 Support — OpenLDAP is fully compliant with LDIF version 1.
- Updated C API — The current C API improves the way programmers can connect to and use LDAP directory servers.
- Enhanced Standalone LDAP Server — This includes an updated access control system, thread pooling, better tools, and much more.
9.2.1.3. OpenLDAP Server Setup
- Install the OpenLDAP suite. See Section 9.2.2, “Installing the OpenLDAP Suite” for more information on required packages.
- Customize the configuration as described in Section 9.2.3, “Configuring an OpenLDAP Server”.
- Start the
slapd
service as described in Section 9.2.5, “Running an OpenLDAP Server”. - Use the
ldapadd
utility to add entries to the LDAP directory. - Use the
ldapsearch
utility to verify that theslapd
service is accessing the information correctly.
9.2.2. Installing the OpenLDAP Suite
Package | Description |
---|---|
openldap | A package containing the libraries necessary to run the OpenLDAP server and client applications. |
openldap-clients | A package containing the command line utilities for viewing and modifying directories on an LDAP server. |
openldap-servers | A package containing both the services and utilities to configure and run an LDAP server. This includes the Standalone LDAP Daemon, slapd . |
compat-openldap | A package containing the OpenLDAP compatibility libraries. |
Package | Description |
---|---|
nss-pam-ldapd | A package containing nslcd , a local LDAP name service that allows a user to perform local LDAP queries. |
mod_ldap |
A package containing the
mod_authnz_ldap and mod_ldap modules. The mod_authnz_ldap module is the LDAP authorization module for the Apache HTTP Server. This module can authenticate users' credentials against an LDAP directory, and can enforce access control based on the user name, full DN, group membership, an arbitrary attribute, or a complete filter string. The mod_ldap module contained in the same package provides a configurable shared memory cache, to avoid repeated directory access across many HTTP requests, and also support for SSL/TLS. Note that this package is provided by the Optional channel. See Adding the Optional and Supplementary Repositories in the System Administrator's Guide for more information on Red Hat additional channels.
|
yum
command in the following form:
yum
install
package…
~]# yum install openldap openldap-clients openldap-servers
root
) to run this command. For more information on how to install new packages in Red Hat Enterprise Linux, see Installing Packages in the System Administrator's Guide.
9.2.2.1. Overview of OpenLDAP Server Utilities
slapd
service:
Command | Description |
---|---|
slapacl | Allows you to check the access to a list of attributes. |
slapadd | Allows you to add entries from an LDIF file to an LDAP directory. |
slapauth | Allows you to check a list of IDs for authentication and authorization permissions. |
slapcat | Allows you to pull entries from an LDAP directory in the default format and save them in an LDIF file. |
slapdn | Allows you to check a list of Distinguished Names (DNs) based on available schema syntax. |
slapindex | Allows you to re-index the slapd directory based on the current content. Run this utility whenever you change indexing options in the configuration file. |
slappasswd | Allows you to create an encrypted user password to be used with the ldapmodify utility, or in the slapd configuration file. |
slapschema | Allows you to check the compliance of a database with the corresponding schema. |
slaptest | Allows you to check the LDAP server configuration. |
Important
root
can run slapadd
, the slapd
service runs as the ldap
user. Because of this, the directory server is unable to modify any files created by slapadd
. To correct this issue, after running the slapdadd
utility, type the following at a shell prompt:
~]# chown -R ldap:ldap /var/lib/ldap
Warning
slapd
service before using slapadd
, slapcat
, or slapindex
. You can do so by typing the following at a shell prompt:
~]# systemctl stop slapd.service
slapd
service, see Section 9.2.5, “Running an OpenLDAP Server”.
9.2.2.2. Overview of OpenLDAP Client Utilities
Command | Description |
---|---|
ldapadd | Allows you to add entries to an LDAP directory, either from a file, or from standard input. It is a symbolic link to ldapmodify -a . |
ldapcompare | Allows you to compare given attribute with an LDAP directory entry. |
ldapdelete | Allows you to delete entries from an LDAP directory. |
ldapexop | Allows you to perform extended LDAP operations. |
ldapmodify | Allows you to modify entries in an LDAP directory, either from a file, or from standard input. |
ldapmodrdn | Allows you to modify the RDN value of an LDAP directory entry. |
ldappasswd | Allows you to set or change the password for an LDAP user. |
ldapsearch | Allows you to search LDAP directory entries. |
ldapurl | Allows you to compose or decompose LDAP URLs. |
ldapwhoami | Allows you to perform a whoami operation on an LDAP server. |
ldapsearch
, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
9.2.2.3. Overview of Common LDAP Client Applications
9.2.3. Configuring an OpenLDAP Server
/etc/openldap/
directory. The following table highlights the most important directories and files within this directory:
/etc/openldap/slapd.conf
file. Instead, it uses a configuration database located in the /etc/openldap/slapd.d/
directory. If you have an existing slapd.conf
file from a previous installation, you can convert it to the new format by running the following command:
~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
slapd
configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in Section 9.2.2.1, “Overview of OpenLDAP Server Utilities”.
Important
slapd
service unable to start. Because of this, it is strongly advised that you avoid editing the LDIF files within the /etc/openldap/slapd.d/
directly.
9.2.3.1. Changing the Global Configuration
/etc/openldap/slapd.d/cn=config.ldif
file. The following directives are commonly used:
-
olcAllows
- The
olcAllows
directive allows you to specify which features to enable. It takes the following form:olcAllows
: feature…It accepts a space-separated list of features as described in Table 9.6, “AvailableolcAllows
options”. The default option isbind_v2
.Table 9.6. Available olcAllows options Option Description bind_v2
Enables the acceptance of LDAP version 2 bind requests. bind_anon_cred
Enables an anonymous bind when the Distinguished Name (DN) is empty. bind_anon_dn
Enables an anonymous bind when the Distinguished Name (DN) is not empty. update_anon
Enables processing of anonymous update operations. proxy_authz_anon
Enables processing of anonymous proxy authorization control. Example 9.1. Using the
olcAllows
directiveolcAllows: bind_v2 update_anon
-
olcConnMaxPending
- The
olcConnMaxPending
directive allows you to specify the maximum number of pending requests for an anonymous session. It takes the following form:olcConnMaxPending
: numberThe default option is100
.Example 9.2. Using the
olcConnMaxPending
directiveolcConnMaxPending: 100
-
olcConnMaxPendingAuth
- The
olcConnMaxPendingAuth
directive allows you to specify the maximum number of pending requests for an authenticated session. It takes the following form:olcConnMaxPendingAuth
: numberThe default option is1000
.Example 9.3. Using the
olcConnMaxPendingAuth
directiveolcConnMaxPendingAuth: 1000
-
olcDisallows
- The
olcDisallows
directive allows you to specify which features to disable. It takes the following form:olcDisallows
: feature…It accepts a space-separated list of features as described in Table 9.7, “AvailableolcDisallows
options”. No features are disabled by default.Table 9.7. Available olcDisallows options Option Description bind_anon
Disables the acceptance of anonymous bind requests. bind_simple
Disables the simple bind authentication mechanism. tls_2_anon
Disables the enforcing of an anonymous session when the STARTTLS command is received. tls_authc
Disallows the STARTTLS command when authenticated. Example 9.4. Using the
olcDisallows
directiveolcDisallows: bind_anon
-
olcIdleTimeout
- The
olcIdleTimeout
directive allows you to specify how many seconds to wait before closing an idle connection. It takes the following form:olcIdleTimeout
: numberThis option is disabled by default (that is, set to0
).Example 9.5. Using the
olcIdleTimeout
directiveolcIdleTimeout: 180
-
olcLogFile
- The
olcLogFile
directive allows you to specify a file in which to write log messages. It takes the following form:olcLogFile
: file_nameThe log messages are written to standard error by default.Example 9.6. Using the
olcLogFile
directiveolcLogFile: /var/log/slapd.log
-
olcReferral
- The
olcReferral
option allows you to specify a URL of a server to process the request in case the server is not able to handle it. It takes the following form:olcReferral
: URLThis option is disabled by default.Example 9.7. Using the
olcReferral
directiveolcReferral: ldap://root.openldap.org
-
olcWriteTimeout
- The
olcWriteTimeout
option allows you to specify how many seconds to wait before closing a connection with an outstanding write request. It takes the following form:olcWriteTimeout
This option is disabled by default (that is, set to0
).Example 9.8. Using the
olcWriteTimeout
directiveolcWriteTimeout: 180
9.2.3.2. The Front End Configuration
etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
file and defines global database options, such as access control lists (ACL). For details, see the Global Database Options section in the slapd-config(5) man page.
9.2.3.3. The Monitor Back End
/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
file controls the OpenLDAP monitor back end. If enabled, it is automatically generated and dynamically updated by OpenLDAP with information about the running status of the daemon. The suffix is cn=Monitor
and cannot be changed. For further details, see the slapd-monitor(5) man page.
9.2.3.4. Database-Specific Configuration
hdb
database back end. Besides that it uses a hierarchical database layout which supports subtree renames, it is identical to the bdb
back end and uses the same configuration options. The configuration for this database back end is stored in the /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
file.
# man slapd-hdb
Note
bdb
and hdb
back ends are deprecated. Consider using the mdb
back end for new installations instead.
-
olcReadOnly
- The
olcReadOnly
directive allows you to use the database in a read-only mode. It takes the following form:olcReadOnly
: booleanIt accepts eitherTRUE
(enable the read-only mode), orFALSE
(enable modifications of the database). The default option isFALSE
.Example 9.9. Using the
olcReadOnly
directiveolcReadOnly: TRUE
-
olcRootDN
- The
olcRootDN
directive allows you to specify the user that is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. It takes the following form:olcRootDN
: distinguished_nameIt accepts a Distinguished Name (DN). The default option iscn=Manager,dn=my-domain,dc=com
.Example 9.10. Using the
olcRootDN
directiveolcRootDN: cn=root,dn=example,dn=com
-
olcRootPW
- The
olcRootPW
directive allows you to set a password for the user that is specified using theolcRootDN
directive. It takes the following form:olcRootPW
: passwordIt accepts either a plain text string, or a hash. To generate a hash, type the following at a shell prompt:~]$
slappaswd
New password: Re-enter new password: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxDExample 9.11. Using the
olcRootPW
directiveolcRootPW: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD
-
olcSuffix
- The
olcSuffix
directive allows you to specify the domain for which to provide information. It takes the following form:olcSuffix
: domain_nameIt accepts a fully qualified domain name (FQDN). The default option isdc=my-domain,dc=com
.Example 9.12. Using the
olcSuffix
directiveolcSuffix: dc=example,dc=com
9.2.3.5. Extending Schema
/etc/openldap/slapd.d/
directory also contains LDAP definitions that were previously located in /etc/openldap/schema/
. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, see https://openldap.org/doc/admin24/schema.html.
9.2.3.6. Establishing a Secure Connection
Server Configuration
slapd
that need to be specified in the /etc/openldap/slapd.d/cn=config.ldif
file on an OpenLDAP server in order to establish TLS.
/usr/local/etc/openldap/slapd.conf
, the new style uses a slapd
back end database to store the configuration. The configuration database normally resides in the /usr/local/etc/openldap/slapd.d/
directory.
/etc/sysconfig/slapd
file and append the ldaps:///
string to the list of URLs specified with the SLAPD_URLS
directive.
-
olcTLSCACertificateFile
- The
olcTLSCACertificateFile
directive specifies the file encoded with privacy-enhanced mail (PEM) schema that contains trusted CA certificates. The directive takes the following form:olcTLSCACertificateFile
: pathReplace path with the path to the CA certificate file. -
olcTLSCACertificatePath
- The
olcTLSCACertificatePath
directive specifies the path to a directory containing individual CA certificates in separate files. This directory must be specially managed with the OpenSSL c_rehash utility that generates symbolic links with the hashed names that point to the actual certificate files. In general, it is simpler to use theolcTLSCACertificateFile
directive instead.The directive takes the following form:olcTLSCACertificatePath
: pathReplace path with a path to the directory containing the CA certificate files. The specified directory must be managed with the OpenSSL c_rehash utility. -
olcTLSCertificateFile
- The
olcTLSCertificateFile
directive specifies the file that contains theslapd
server certificate. The directive takes the following form:olcTLSCertificateFile
: pathReplace path with a path to the server certificate file of theslapd
service. -
olcTLSCertificateKeyFile
- The
olcTLSCertificateKeyFile
directive specifies the file that contains the private key that matches the certificate stored in the file specified witholcTLSCertificateFile
. Note that the current implementation does not support encrypted private keys, and therefore the containing file must be sufficiently protected. The directive takes the following form:olcTLSCertificateKeyFile
: pathReplace path with a path to the private key file.
Client Configuration
/etc/openldap/ldap.conf
configuration file on the client system. Most of these directives are parallel to the server configuration options. Directives in/etc/openldap/ldap.conf
are configured on a system-wide basis, however, individual users may override them in their ~/.ldaprc
files.
ldaps://
string must be used instead of ldap://
in OpenLDAP commands such as ldapsearch
. This forces commands to use the default port for SSL, port 636, configured on the server.
-
TLS_CACERT
- The
TLS_CACERT
directive specifies a file containing certificates for all of the Certificate Authorities the client will recognize. This is equivalent to theolcTLSCACertificateFile
directive on a server.TLS_CACERT
should always be specified beforeTLS_CACERTDIR
in/etc/openldap/ldap.conf
. The directive takes the following form:TLS_CACERT
pathReplace path with a path to the CA certificate file. -
TLS_CACERTDIR
- The
TLS_CACERTDIR
directive specifies the path to a directory that contains Certificate Authority certificates in separate files. As witholcTLSCACertificatePath
on a server, the specified directory must be managed with the OpenSSL c_rehash utility.TLS_CACERTDIR
directoryReplace directory with a path to the directory containing CA certificate files. -
TLS_CERT
- The
TLS_CERT
specifies the file that contains a client certificate. This directive can only be specified in a user's~/.ldaprc
file. The directive takes the following form:TLS_CERT
pathReplace path with a path to the client certificate file. -
TLS_KEY
- The
TLS_KEY
specifies the file that contains the private key that matches the certificate stored in the file specified with theTLS_CERT
directive. As witholcTLSCertificateFile
on a server, encrypted key files are not supported, so the file itself must be carefully protected. This option is only configurable in a user's~/.ldaprc
file.TheTLS_KEY
directive takes the following form:TLS_KEY
pathReplace path with a path to the client certificate file.
9.2.3.7. Setting Up Replication
/etc/openldap/slapd.d/
on both provider and consumers.
-
olcMirrorMode
- The
olcMirrorMode
directive enables the mirror replication mode. It takes the following form:olcMirrorMode
on
This option needs to be specified both on provider and consumers. Also aserverID
must be specified along withsyncrepl
options. Find a detailed example in the 18.3.4. MirrorMode section of the OpenLDAP Software Administrator's Guide (see the section called “Installed Documentation”). -
olcSyncrepl
- The
olcSyncrepl
directive enables the sync replication mode. It takes the following form:olcSyncrepl
on
The sync replication mode requires a specific configuration on both the provider and the consumers. This configuration is thoroughly described in the 18.3.1. Syncrepl section of the OpenLDAP Software Administrator's Guide (see the section called “Installed Documentation”).
9.2.3.8. Loading Modules and Back ends
slapd
service with dynamically loaded modules. Support for these modules must be enabled with the --enable-modules
option when configuring slapd
. Modules are stored in files with the .la extension:
module_name.la
slapd
, or when module support is enabled, they may be dynamically loaded. In the latter case, the following naming convention is applied:
back_backend_name.la
/etc/openldap/slapd.d/
:
-
olcModuleLoad
- The
olcModuleLoad
directive specifies a dynamically loadable module to load. It takes the following form:olcModuleLoad
: moduleHere, module stands either for a file containing the module, or a back end, that will be loaded.
9.2.4. SELinux Policy for Applications Using LDAP
allow_ypbind
SELinux Boolean needs to be enabled. Certain applications also demand an enabled authlogin_nsswitch_use_ldap
Boolean in this scenario. Execute the following commands to enable the aforementioned Booleans:
~]#setsebool
-P
allow_ypbind
=1
~]#setsebool
-P
authlogin_nsswitch_use_ldap
=1
-P
option makes this setting persistent across system reboots. See the Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide for more detailed information about SELinux.
9.2.5. Running an OpenLDAP Server
9.2.5.1. Starting the Service
slapd
service in the current session, type the following at a shell prompt as root
:
~]# systemctl start slapd.service
root
:
~]# systemctl enable slapd.service
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
9.2.5.2. Stopping the Service
slapd
service in the current session, type the following at a shell prompt as root
:
~]# systemctl stop slapd.service
root
:
~]# systemctl disable slapd.service
rm '/etc/systemd/system/multi-user.target.wants/slapd.service'
9.2.6. Configuring a System to Authenticate Using OpenLDAP
~]# yum install openldap openldap-clients nss-pam-ldapd
9.2.6.1. Migrating Old Authentication Information to LDAP Format
~]# yum install migrationtools
/usr/share/migrationtools/
directory. Once installed, edit the /usr/share/migrationtools/migrate_common.ph
file and change the following lines to reflect the correct domain, for example:
# Default DNS domain $DEFAULT_MAIL_DOMAIN = "example.com"; # Default base $DEFAULT_BASE = "dc=example,dc=com";
migrate_all_online.sh
script with the default base set to dc=example,dc=com
, type:
~]#export DEFAULT_BASE="dc=example,dc=com" \
/usr/share/migrationtools/migrate_all_online.sh
Existing Name Service | Is LDAP Running? | Script to Use |
---|---|---|
/etc flat files | yes | migrate_all_online.sh |
/etc flat files | no | migrate_all_offline.sh |
NetInfo | yes | migrate_all_netinfo_online.sh |
NetInfo | no | migrate_all_netinfo_offline.sh |
NIS (YP) | yes | migrate_all_nis_online.sh |
NIS (YP) | no | migrate_all_nis_offline.sh |
README
and the migration-tools.txt
files in the /usr/share/doc/migrationtools-version/
directory.
9.2.7. Additional Resources
Installed Documentation
/usr/share/doc/openldap-servers-version/guide.html
— A copy of the OpenLDAP Software Administrator's Guide./usr/share/doc/openldap-servers-version/README.schema
— A README file containing the description of installed schema files.
- Client Applications
- ldapadd(1) — The manual page for the
ldapadd
command describes how to add entries to an LDAP directory. - ldapdelete(1) — The manual page for the
ldapdelete
command describes how to delete entries within an LDAP directory. - ldapmodify(1) — The manual page for the
ldapmodify
command describes how to modify entries within an LDAP directory. - ldapsearch(1) — The manual page for the
ldapsearch
command describes how to search for entries within an LDAP directory. - ldappasswd(1) — The manual page for the
ldappasswd
command describes how to set or change the password of an LDAP user. - ldapcompare(1) — Describes how to use the
ldapcompare
tool. - ldapwhoami(1) — Describes how to use the
ldapwhoami
tool. - ldapmodrdn(1) — Describes how to modify the RDNs of entries.
- Server Applications
- slapd(8C) — Describes command line options for the LDAP server.
- Administrative Applications
- slapadd(8C) — Describes command line options used to add entries to a
slapd
database. - slapcat(8C) — Describes command line options used to generate an LDIF file from a
slapd
database. - slapindex(8C) — Describes command line options used to regenerate an index based upon the contents of a
slapd
database. - slappasswd(8C) — Describes command line options used to generate user passwords for LDAP directories.
- Configuration Files
- ldap.conf(5) — The manual page for the
ldap.conf
file describes the format and options available within the configuration file for LDAP clients. - slapd-config(5) — Describes the format and options available within the
/etc/openldap/slapd.d
configuration directory.
Other Resources
- OpenLDAP and Mozilla NSS Compatibility Layer Implementation details of NSS database backwards compatibility.
- How do I use TLS/SSL? Information on how to configure OpenLDAP to use OpenSSL.