Installation and configuration of basic openLDAP server

From Notes_Wiki


LDAP Basics

Basic theory of LDAP is described at Basic_theory_of_ldap. It is important to be familiar with the basic terminology before trying a simple LDAP server setup.


Setup basic LDAP server with base DN

  1. Install required packages:
    yum -y install openldap-servers openldap-clients openldap
  2. Create '/etc/openldap/slapd.conf' file with following contents:
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args
    defaultsearchbase "dc=sbarjatiya,dc=com"
    database bdb
    suffix "dc=sbarjatiya,dc=com"
    rootdn "cn=root,dc=sbarjatiya,dc=com"
    rootpw rekall123
    directory /var/lib/ldap
  3. Start LDAP using 'slapd -f /etc/openldap/slapd.conf' command. Do not use 'service openldap start' as that would use '/etc/openldap/slapd.d' with 'cn=config' style configuration, which is not being used here.
  4. Verify that slapd is running using 'ps aux | grep slapd'
  5. Create an organization entry LDIF file named 'sbarjatiya.com.ldif' with following contents:
    #Main ldap base entry
    dn: dc=sbarjatiya,dc=com
    objectClass: dcObject
    objectClass: organization
    #dc is must for dcObject
    dc: sbarjatiya
    #o is must for organization
    o: Barjatiya Softwares
    description: This is main domain for sbarjatiya company
  6. Add the entry to ldap database using:
    ldapadd -x -D 'cn=root,dc=sbarjatiya,dc=com' -f sbarjatiya.com.ldif -W
    and enter password 'rekall123' as mentioned in slapd.conf
  7. Search for all entries in LDAP server using: 'ldapsearch -x'. You should see the organization entry that was added.
  8. To see all entries in LDIF format use: 'ldapsearch -x -LLL'.
  9. Note that the search command requires a base dn to work with. Since we have specified 'defaultsearchbase' in 'slapd.conf' configuration file, that base is being used when we have not specified base explicitly. To specify search base explicitly while searching use:
    ldapsearch -x -LLL -b 'dc=sbarjatiya,dc=com'
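The 'rootpw' directive in slapd.conf (and the userPassword attribute) also accept a hashed value of the form that slappasswd produces, whose default scheme is {SSHA}. The following is an added example, not code from this page or from the OpenLDAP project: it builds and checks {SSHA} values and rewrites the cleartext rootpw line of the configuration above. The function names and the SLAPD_CONF sample are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"   # salted SHA-1, the scheme slappasswd emits by default

def ssha_hash(password, salt=None):
    """Return base64(sha1(password + salt) + salt) prefixed with {SSHA}."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a cleartext password against an {SSHA} value (salt is the blob tail)."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored)
    blob = base64.b64decode(stored[len(SCHEME):])
    digest, salt = blob[:20], blob[20:]          # SHA-1 digests are 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def harden_rootpw(conf_text):
    """Rewrite a cleartext 'rootpw <secret>' line as 'rootpw {SSHA}...';
    lines already carrying a {scheme} value are left alone."""
    out = []
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "rootpw" and not parts[1].startswith("{"):
            line = "rootpw " + ssha_hash(parts[1].strip())
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample: the database part of this page's slapd.conf with its cleartext rootpw.
SLAPD_CONF = """\
database bdb
suffix "dc=sbarjatiya,dc=com"
rootdn "cn=root,dc=sbarjatiya,dc=com"
rootpw rekall123
directory /var/lib/ldap
"""

if __name__ == "__main__":
    print(harden_rootpw(SLAPD_CONF))
```

The rewritten 'rootpw {SSHA}...' line can be pasted into slapd.conf in place of the cleartext one; ldapadd with -W keeps asking for the cleartext password, which slapd checks against the hash.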


About LDIF files

LDIF files have following different types of lines:

  1. Lines that start with # are treated as comment lines
  2. Lines that start with a space are treated as a continuation of the previous attribute line
  3. Lines that start with - are used to terminate an add, replace or delete directive inside a 'changetype: modify' record
  4. Lines that are completely blank separate one entry from the next and have no other effect.
  5. Lines that are not blank and do not start with space, - or # are treated as attribute lines.

All modifications to LDAP database are performed using LDIF files and one among ldapadd, ldapmodify or ldapdelete commands.


Creating organisation units, users and groups

Creating organisation units (ou)

  1. Create LDIF file 'people,groups.sbarjatiya.com.ldif' with following contents (the two entries must be separated by a blank line):
    dn: ou=people,dc=sbarjatiya,dc=com
    objectClass: organizationalUnit
    ou: people
    description: All people in organisation

    dn: ou=groups,dc=sbarjatiya,dc=com
    objectClass: organizationalUnit
    ou: groups
    description: All groups in organisation
  2. Add both organisational units to the database using:
    ldapadd -x -D 'cn=root,dc=sbarjatiya,dc=com' -f people,groups.sbarjatiya.com.ldif -W
  3. Verify that things got added using 'ldapsearch -x -LLL'
  4. To list only organizationalUnit entries in search use:
    ldapsearch -x -LLL '(objectClass=organizationalUnit)'


Create user

  1. Create LDIF file 'saurabh.people.sbarjatiya.com.ldif' with following contents:
    dn: cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com
    objectClass: inetOrgPerson
    #Must due to person
    cn: Saurabh Barjatiya
    #Must due to person
    sn: Barjatiya
    uid: saurabhb
    mail: saurabhb@sbarjatiya.co.in
    mail: barjatiya.saurabh@gmail.com
    ou: people
    homePhone: 040 6653 1293
    displayName: Saurabh Barjatiya
    telephoneNumber: 93939 14337
    postalAddress: Hyderabad, India
    userPassword: rekall123
  2. Add user to LDAP using:
    ldapadd -x -D 'cn=root,dc=sbarjatiya,dc=com' -f saurabh.people.sbarjatiya.com.ldif -W
  3. Verify that entry is added using:
    ldapsearch -x -LLL '(uid=sa*)'

Note that the dn for the user could also have been

    dn: uid=saurabhb,ou=people,dc=sbarjatiya,dc=com

so that conversion from uid to dn or dn to uid can be done with simple string manipulation without requiring any directory search. In the current case, to find the dn for 'uid=saurabhb' the following search would be required:

    ldapsearch -x -LLL '(uid=saurabhb)' dn

Also note that this kind of user is not useful for authentication. For authentication the posixAccount and shadowAccount objectClasses should be used, as explained at Configuring authentication with openLDAP server.


Create group

  1. Create LDIF file 'admins.groups.sbarjatiya.com.ldif' with following contents. Note that the value of member is the 'dn' of the entry to be added to the group:
    dn: cn=admins,ou=groups,dc=sbarjatiya,dc=com
    objectClass: groupOfNames
    cn: admins
    description: Set of administrators (system, network or desktop) for the organization.
    member: cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com
  2. Add the group to LDAP database using:
    ldapadd -x -D 'cn=root,dc=sbarjatiya,dc=com' -f admins.groups.sbarjatiya.com.ldif -W
  3. Verify that values got added using:
    ldapsearch -x -LLL '(cn=admins)'

Note that, as mentioned for the user above, groups created in this manner are not useful for authentication purposes.



Modifying or deleting entries

Create some test entries

  1. Create LDIF file with following contents (entries separated by blank lines):
    dn: cn=User One,ou=people,dc=sbarjatiya,dc=com
    objectClass: inetOrgPerson
    #Must due to person
    cn: User One
    #Must due to person
    sn: One
    uid: user1

    dn: cn=User Two,ou=people,dc=sbarjatiya,dc=com
    objectClass: inetOrgPerson
    #Must due to person
    cn: User Two
    #Must due to person
    sn: Two
    uid: user2

    dn: cn=User Three,ou=people,dc=sbarjatiya,dc=com
    objectClass: inetOrgPerson
    #Must due to person
    cn: User Three
    #Must due to person
    sn: Three
    uid: user3
  2. Add entries to the database using:
    ldapadd -x -D "cn=root,dc=sbarjatiya,dc=com" -f <ldif_file> -W
  3. Verify entries got added using:
    ldapsearch -x -LLL '(uid=user*)'


Modify test entries

Add attributes

  1. To add attributes to an existing entry create LDIF file with following contents:
    dn: cn=User One,ou=people,dc=sbarjatiya,dc=com
    changeType: modify
    add: mobile
    mobile: 93939 14337
    mobile: 86865 99552
  2. Add attribute entries for user1 to the database using:
    ldapmodify -x -D 'cn=root,dc=sbarjatiya,dc=com' -W -f <ldif-file>
  3. Verify that attribute entries were added to user1 using:
    ldapsearch -x -LLL '(uid=user1)'


Replace attributes

  1. To replace attributes of an existing entry create LDIF file with following contents:
    dn: cn=User One,ou=people,dc=sbarjatiya,dc=com
    changeType: modify
    replace: mobile
    mobile: 93297 33122
    mobile: 93000 33122
  2. Replace attribute entries for user1 in the database using:
    ldapmodify -x -D 'cn=root,dc=sbarjatiya,dc=com' -W -f <ldif-file>
  3. Verify that attribute entries were modified using:
    ldapsearch -x -LLL '(uid=user1)'


Removing attribute values

  1. To remove attributes from an existing entry create LDIF file with following contents:
    dn: cn=User One,ou=people,dc=sbarjatiya,dc=com
    changeType: modify
    delete: mobile
  2. Delete attribute entries for user1 in the database using:
    ldapmodify -x -D 'cn=root,dc=sbarjatiya,dc=com' -W -f <ldif-file>
  3. Verify that attribute entries were deleted using:
    ldapsearch -x -LLL '(uid=user1)'


Multiple modifications

It is possible to do multiple modifications to same entry using LDIF file such as:

    dn: cn=User One,ou=People,dc=sbarjatiya,dc=com
    changeType: modify
    add: mobile
    mobile: 93939 14337
    mobile: 86865 99552
    -
    add: mail
    mail: saurabh.barjatiya@yahoo.com
    mail: saurabh.barjatiya@hotmail.com
    -
    replace: userPassword
    userPassword: rekall123
    -
    replace: postalAddress
    postalAddress: Hyderabad, India


Multiple entry modifications

It is also possible to modify attributes across DNs using LDIF file such as:

    dn: cn=User Two,ou=People,dc=sbarjatiya,dc=com
    changeType: modify
    add: mobile
    mobile: 93939 14337
    mobile: 86865 99552
    -
    replace: userPassword
    userPassword: rekall123

    dn: cn=User Three,ou=People,dc=sbarjatiya,dc=com
    changeType: modify
    add: mobile
    mobile: 93939 14337
    mobile: 86865 99552
    -
    replace: userPassword
    userPassword: rekall123


Syntax of modification LDIF files

Modification LDIF files use following syntax:

  • 'changeType: modify' is used to indicate that the entry will be modified
  • 'add: <attribute>' is used to indicate that the given attribute values should be added or appended. Any existing attribute values remain unaffected.
  • 'delete: <attribute>' is used to indicate that all values for the given attribute should be deleted
  • 'replace: <attribute>' is used to indicate that all existing values for the given attribute should be deleted and the given values added in their place.
  • A hyphen '-' is required to terminate a changeType directive such as add, replace or delete. The last directive is not required to be followed by a hyphen.
  • If more than one entry is to be modified then the two modification entries should be separated by a blank line.
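The line rules listed under 'About LDIF files' and the modification syntax just described, implemented as a small parser. This is an added example, not code from this page or from OpenLDAP: parse_modify_ldif and its helpers are hypothetical names, and SAMPLE is constructed from this page's User Two / User Three records with one DN folded over two lines.

```python
def _attr(line):
    name, _, value = line.partition(":")   # 'name: value'; names are case-insensitive
    return name.strip().lower(), value.strip()

def _record(lines):
    lines = [l for l in lines if not l.startswith("#")]   # comment lines are dropped
    (name, dn), (ct, kind) = _attr(lines[0]), _attr(lines[1] if len(lines) > 1 else "")
    if name != "dn" or ct != "changetype" or kind.lower() != "modify":
        raise ValueError("record must start with 'dn:' and 'changetype: modify'")
    rec, mod = {"dn": dn, "mods": []}, None
    for l in lines[2:]:
        if l == "-":                       # hyphen ends the current directive
            mod = None
        elif mod is None:                  # expect 'add|replace|delete: <attribute>'
            op, attr = _attr(l)
            if op not in ("add", "replace", "delete"):
                raise ValueError("expected add/replace/delete, got: " + l)
            mod = {"op": op, "attr": attr.lower(), "values": []}
            rec["mods"].append(mod)
        else:                              # value line belonging to the open directive
            mod["values"].append(_attr(l)[1])
    return rec

def parse_modify_ldif(text):
    """Leading space continues the previous line; a blank line separates records."""
    records, logical = [], []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last record
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
        elif logical:
            records.append(_record(logical))
            logical = []
    return records
# Constructed sample: this page's two-record file with one DN folded over two lines.
SAMPLE = """\
dn: cn=User Two,ou=People,
 dc=sbarjatiya,dc=com
changeType: modify
add: mobile
mobile: 93939 14337
-
replace: userPassword
userPassword: rekall123

dn: cn=User Three,ou=People,dc=sbarjatiya,dc=com
changeType: modify
delete: mobile
"""
```

Running parse_modify_ldif(SAMPLE) yields two records; the second carries a delete directive with an empty value list, which is exactly what ldapmodify interprets as "remove every mobile value".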


Deleting test entries

To delete entries use

    ldapdelete -x -D "cn=root,dc=sbarjatiya,dc=com" -W 'cn=User One,ou=people,dc=sbarjatiya,dc=com'
    ldapdelete -x -D "cn=root,dc=sbarjatiya,dc=com" -W 'cn=User Two,ou=people,dc=sbarjatiya,dc=com'
    ldapdelete -x -D "cn=root,dc=sbarjatiya,dc=com" -W 'cn=User Three,ou=people,dc=sbarjatiya,dc=com'


Searching in LDAP database

Use following to search for all entries in dc=sbarjatiya,dc=com:

ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com"


Use following to search for all entries in ou people:

ldapsearch -x -LLL -b "ou=people,dc=sbarjatiya,dc=com"


Use following to search for all entries in ou people and list only dn, cn and sn attributes of the entries:

ldapsearch -x -LLL -b "ou=people,dc=sbarjatiya,dc=com" dn cn sn


Use following to search for all entries where 'cn=Saurabh Barjatiya':

ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com" '(cn=Saurabh Barjatiya)'

Use following to search for all entries where 'cn=Saurabh Barjatiya': and list only sn attribute

ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com" '(cn=Saurabh Barjatiya)' sn

Note that dn will also get listed automatically.


Overall ldapsearch has following options:

  • '-x' to use simple authentication (rather than SASL) when binding to the server. Since we have not specified -D '<dn>' and -W or -w, the bind is anonymous.
  • '-LLL' to list in the ldif format.
  • '-b' to specify the base from where the search should start
  • filter enclosed in () in filter format
  • list of attributes to be displayed for matched entries


Bind mechanisms

Anonymous binding

To bind with the ldap server anonymously use the '-x' option in most ldap commands, such as:

ldapwhoami -x


Simple binding

To bind with the ldap server using a password, use '-D' to specify the bind dn and '-W' or '-w' to specify the password:

ldapwhoami -x -D "cn=owner,dc=sbarjatiya,dc=com" -W


Disabling anonymous bind

To disable anonymous bind, use the following line in the 'slapd.conf' file:

disallow bind_anon


Disabling simple bind

To disable simple bind, use the following line in the 'slapd.conf' file (the feature name used by the 'disallow' directive is 'bind_simple'):

disallow bind_simple




Configuring indexing

For configuring indexing for a bdb database one can use configuration similar to:

index default eq,pres
index uid eq
index cn,gn,mail eq,sub
index sn eq,sub
index ou eq
index telephonenumber eq

These lines should be added to the '/etc/openldap/slapd.conf' file after the database specification. Here

eq
Index for equality tests without use of wildcards
sub
Index for substrings. There are three sub-categories of this index: subinitial, subany and subfinal.
subinitial
Index for strings starting with the given part, such as 'cn=abc*'
subany
Index for strings containing the given part, such as 'cn=*abc*'
subfinal
Index for strings terminating with the given part, such as 'cn=*abc'
approx
Index for approximate (sounds-like) searches, such as 'cn~=person'
pres
Index for checking whether a particular attribute is present at all, or whether an entry belongs to a given objectClass, such as 'objectClass=person' or a presence test on 'mail'

If indexing is configured while creating the ldap server, then the indexes will be maintained automatically when entries are added or modified. But if an index directive is added or modified on an existing ldap server, then:

  1. the ldap server should be stopped
  2. the 'slapindex -f /etc/openldap/slapd.conf' command should be used to generate the indexes based on the configuration file
  3. finally the ldap server can be started again



ldap global configuration options

idleTimeout

Specify the number of seconds to wait before forcibly closing an idle client connection. An idletimeout of 0, the default, disables this feature.

Example:

idleTimeout 30


sizeLimit

This directive specifies the maximum number of entries to return from a search operation.

Default:

sizelimit 500

We can change the limit for specific DNs using:

limits dn.exact="cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com" size=100000

Note that the limits do not apply to the rootdn.


timelimit

This directive specifies the maximum number of seconds (in real time) slapd will spend answering a search request. If a request is not finished in this time, a result indicating an exceeded timelimit will be returned.

Default:

timelimit 3600

We can create an exception for specific DNs using:

limits dn.exact="cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com" time=3600

Note that the limits do not apply to the rootdn.




ldap database configuration options

checkpoint

This directive specifies how often to checkpoint the BDB transaction log. A checkpoint operation flushes the database buffers to disk and writes a checkpoint record in the log. The checkpoint will occur if either <kbyte> data has been written or <min> minutes have passed since the last checkpoint. Both arguments default to zero, in which case they are ignored. When the <min> argument is non-zero, an internal task will run every <min> minutes to perform the checkpoint.

checkpoint 1024 5

