Installation and configuration of basic openLDAP server
Install ldap server
To install the ldap server use:
yum -y install openldap-servers openldap-clients openldap
Also ensure that the folder '/var/lib/ldap' exists and is owned by 'ldap:ldap'.
Basic ldap configuration
A very basic ldap configuration ('/etc/openldap/slapd.conf') is:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=sbarjatiya,dc=com"
rootdn "cn=owner,dc=sbarjatiya,dc=com"
rootpw iiit123
directory /var/lib/ldap
The file should have permissions 400 with owner ldap:ldap. The rootpw value can also be given as a password hash generated with 'slappasswd' (a '{SSHA}' value) instead of the clear-text string shown above.
One can also edit the file '/etc/sysconfig/ldap' and set 'SLAPD_LDAPS' to yes to enable SASL based binding for ldap.
Starting ldap
Start the ldap server using:
slapd -f /etc/openldap/slapd.conf
Do not use 'service slapd start', as for some reason that command does not use the correct configuration file.
Use the command 'ldapsearch -x "context=*"' to verify that the reported base value matches the value specified in the desired configuration file.
LDIF configuration files
LDIF files have the following types of lines:
- Lines that start with # are treated as comment lines.
- Lines that start with a space are treated as a continuation of the previous attribute line.
- Lines that start with - are used to terminate a directive inside a 'changetype: modify' record.
- Lines that are completely blank separate records and have no other effect.
- Lines that are not blank and do not start with a space, - or # are treated as attribute lines.
Sample ldif files
Sample ldif configuration files are:
LDIF configuration for sbarjatiya.com domain
# Main ldap base entry
dn: dc=sbarjatiya,dc=com
objectClass: dcObject
objectClass: organization
# dc is a must for dcObject
dc: sbarjatiya
# o is a must for organization
o: IIIT Hyderabad
description: This is homepage for Saurabh Barjatiya
LDIF configuration for creating organizational units with name people and groups in sbarjatiya.com
dn: ou=people,dc=sbarjatiya,dc=com
objectClass: organizationalUnit
ou: people
description: All people in organisation

dn: ou=groups,dc=sbarjatiya,dc=com
objectClass: organizationalUnit
ou: groups
description: All groups in organisation
LDIF configuration file for creating a person entry as child entry in people ou
dn: cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com
objectClass: inetOrgPerson
# Must due to person
cn: Saurabh Barjatiya
# Must due to person
sn: Barjatiya
uid: saurabh.barjatiya
mail: saurabh.barjatiya@iiit.ac.in
mail: barjatiya.saurabh@gmail.com
ou: people
homePhone: 040 6653 1293
displayName: Saurabh Barjatiya
telephoneNumber: 93939 14337
postalAddress: OFQ F2, IIIT Hyderabad
LDIF configuration file for creating a group of persons called owners as child entry in group ou
dn: cn=owners,ou=groups,dc=sbarjatiya,dc=com
objectClass: groupOfNames
cn: owners
description: Owners of the organization
member: cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com
Managing DIT
Adding an LDIF file to DIT
To add an LDIF file to the DIT use:
ldapadd -x -D "cn=owner,dc=sbarjatiya,dc=com" -f <ldif_file> -W
Then enter the 'rootpw' given in slapd.conf to add the entry. One can also use '-w <password>' to supply the password directly on the command line so that there is no separate password prompt.
Deleting an ldap entry
To delete an ldap entry use:
ldapdelete -x -D "cn=owner,dc=sbarjatiya,dc=com" -W <dn_to_be_deleted>
Modifying existing entries
To modify entries we can create an ldif file similar to:
dn: cn=Saurabh Barjatiya,ou=People,dc=sbarjatiya,dc=com
changeType: modify
add: mobile
mobile: 93939 14337
mobile: 86865 99552
-
delete: telephoneNumber
-
add: mail
mail: saurabh.barjatiya@yahoo.com
mail: saurabh.barjatiya@hotmail.com
-
replace: userPassword
userPassword: iiit123
-
replace: postalAddress
postalAddress: Staff Quarters F2, IIIT Hyderabad
Here:
- 'changeType: modify' indicates that the entry will be modified.
- 'add: mobile' indicates that the given mobile attribute values should be added. Any existing mobile attribute values remain unaffected.
- 'delete: telephoneNumber' indicates that all values of the telephoneNumber attribute should be deleted.
- 'replace: userPassword' indicates that all existing values of the userPassword attribute should be deleted and the given values added in their place. The value is stored exactly as written, so a hash generated with 'slappasswd' is preferable to a clear-text password here.
- A hyphen '-' is required to terminate a changeType directive such as add, replace or delete. The last directive need not be followed by a hyphen.
- If more than one entry is to be modified, the modification entries should be separated by a blank line. For example:
dn: dc=sbarjatiya,dc=com
changeType: modify
replace: description
description: Test description

dn: ou=People,dc=sbarjatiya,dc=com
changeType: modify
replace: description
description: Test description for people
To modify entries using the above ldif file use:
ldapmodify -x -D "cn=owner,dc=sbarjatiya,dc=com" -W -f <file_name>
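The LDIF line rules and the add/delete/replace semantics described above can be exercised without a server. The following Python is an added example, not code from the original page or from OpenLDAP: it reads LDIF according to those rules (comment lines, leading-space continuation lines, '-' separators, blank lines between records) and applies a 'changetype: modify' record to an in-memory entry so the resulting attribute values can be inspected. The entry and the LDIF are constructed from this page's examples; the userPassword value is a made-up placeholder rather than a real hash, and base64 ('::') values are not handled.

```python
# Added example, not from the original page: an LDIF reader following the line
# rules listed earlier, plus an applier for 'changetype: modify' records. Sample
# data is constructed from this page; the userPassword value is a placeholder.

PERSON = {  # entry as it exists in the DIT before the modification (constructed)
    "cn": ["Saurabh Barjatiya"],
    "mail": ["saurabh.barjatiya@iiit.ac.in", "barjatiya.saurabh@gmail.com"],
    "telephoneNumber": ["93939 14337"],
    "postalAddress": ["OFQ F2, IIIT Hyderabad"],
}

MODIFY_LDIF = """\
# comment lines are ignored
dn: cn=Saurabh Barjatiya,ou=People,dc=sbarjatiya,dc=com
changetype: modify
add: mobile
mobile: 93939 14337
mobile: 86865 99552
-
delete: telephoneNumber
-
add: mail
mail: saurabh.barjatiya@yahoo.com
mail: saurabh.barjatiya@hotmail.com
-
replace: userPassword
userPassword: {SSHA}placeholder-not-a-real-hash
-
replace: postalAddress
postalAddress: Staff Quarters F2,
  IIIT Hyderabad
"""


def unfold(text):
    """Return logical lines: continuation lines are joined onto the line
    before them, comment lines are dropped, blank lines are kept as ''."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):           # comment lines vanish
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Split LDIF into records: lists of (name, value) tuples in file order,
    with each '-' separator kept as ('-', None)."""
    records, current = [], []
    for line in unfold(text):
        if line.strip() == "":                  # blank line closes the record
            if current:
                records.append(current)
            current = []
        elif line == "-":
            current.append(("-", None))
        else:
            name, _, value = line.partition(":")
            current.append((name.strip(), value.strip()))
    if current:
        records.append(current)
    return records


def apply_modify(entry, record):
    """Apply one 'changetype: modify' record to entry (attr -> list of values):
    add keeps old values; delete drops the listed values (or the whole attribute
    when none are listed); replace swaps every old value for the listed ones."""
    if next((v for n, v in record if n.lower() == "changetype"), "") != "modify":
        raise ValueError("not a changetype: modify record")
    ops, pending = [], None                     # pending = (op, attr, [values])
    for name, value in record:
        key = name.lower()
        if key in ("dn", "changetype"):
            continue
        if name == "-" or key in ("add", "delete", "replace"):
            if pending is not None:
                ops.append(pending)             # previous block is complete
            pending = None if name == "-" else (key, value, [])
        elif pending is None:
            raise ValueError("value line outside an add/delete/replace block")
        else:
            pending[2].append(value)
    if pending is not None:
        ops.append(pending)                     # last block needs no trailing '-'
    for op, attr, values in ops:
        old = entry.get(attr, [])
        if op == "add":
            entry[attr] = old + values
        elif op == "delete" and values:
            entry[attr] = [v for v in old if v not in values]
        elif op == "replace" and values:
            entry[attr] = list(values)
        else:                                   # delete all, or replace with nothing
            entry.pop(attr, None)
        if not entry.get(attr, True):
            del entry[attr]                     # no attribute keeps an empty value set
    return entry


def modified_person():
    """Apply MODIFY_LDIF to a copy of PERSON and return the resulting entry."""
    (record,) = parse_ldif(MODIFY_LDIF)
    return apply_modify({k: list(v) for k, v in PERSON.items()}, record)
```

Running modified_person() shows the effect of each directive: mobile gains two values, telephoneNumber disappears, mail grows from two values to four, and userPassword and postalAddress are replaced wholesale; the folded postalAddress line is reassembled exactly as slapd would see it.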
Searching in LDAP database
Use the following to search for all entries under dc=sbarjatiya,dc=com:
ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com"
Use the following to search for all entries in the ou people:
ldapsearch -x -LLL -b "ou=people,dc=sbarjatiya,dc=com"
Use the following to search for all entries in the ou people and list only the dn, cn and sn attributes of the entries:
ldapsearch -x -LLL -b "ou=people,dc=sbarjatiya,dc=com" dn cn sn
Use the following to search for all entries where 'cn=Saurabh Barjatiya':
ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com" '(cn=Saurabh Barjatiya)'
Use the following to search for all entries where 'cn=Saurabh Barjatiya' and list only the sn attribute:
ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com" '(cn=Saurabh Barjatiya)' sn
Note that the dn is always listed as well.
Overall ldapsearch takes the following options:
- '-x' to use simple (non-SASL) bind when connecting to the server. Since we have not specified -D '<dn>' and -W or -w, the bind is anonymous.
- '-LLL' to print the output in plain LDIF format.
- '-b' to specify the base from which the search should start.
- a filter, enclosed in (), in LDAP filter syntax
- the list of attributes to display for matched entries
Bind mechanisms
Anonymous binding
To bind to the ldap server anonymously use the '-x' option in most ldap commands, such as:
ldapwhoami -x
Simple binding
To bind to the ldap server with a password, use '-D' to specify the bind dn and '-W' or '-w' to supply the password:
ldapwhoami -x -D "cn=owner,dc=sbarjatiya,dc=com" -W
Disabling anonymous bind
To disable anonymous bind, use the following line in the 'slapd.conf' file:
disallow bind_anon
Disabling simple bind
To disable simple bind, use the following line in the 'slapd.conf' file:
disallow simple_bind
Configuring indexing
For configuring indexing for the bdb database one can use configuration similar to:
index default eq,pres
index uid eq
index cn,gn,mail eq,sub
index sn eq,sub
index ou eq
index telephonenumber eq
These lines should be added to the '/etc/openldap/slapd.conf' file after the database specification. Here:
- eq: index for equality tests that use no wildcard
- sub: index for substring tests. There are three sub-categories of this index: subinitial, subany and subfinal.
- subinitial: index for strings starting with the given part, such as 'cn=abc*'
- subany: index for strings containing the given part, such as 'cn=*abc*'
- subfinal: index for strings ending with the given part, such as 'cn=*abc'
- approx: index for approximate (sounds-like) searches, such as 'cn~=person'
- pres: index for checking whether a particular attribute is present, or whether an entry belongs to a given objectClass or not, such as 'objectClass=person' or 'mail=*'
If the indexes are configured while creating the ldap server, they are maintained automatically as entries are added or modified. But if an index entry is changed on an existing ldap server, then:
- the ldap server should be stopped
- the 'slapindex -f /etc/openldap/slapd.conf' command should be run to generate the indexes from the configuration file
- finally the ldap server can be started again
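To make the search options and the index types above concrete, here is an added Python example (not from the original page or from OpenLDAP) that models what 'ldapsearch -x -LLL -b BASE FILTER ATTRS' asks slapd to do, over a handful of in-memory entries constructed from this page's LDIF: it scopes to the base DN, evaluates one equality, presence or substring filter, projects the requested attributes (dn is always included) and reports which index type (eq, pres, subinitial, subany or subfinal) would serve that filter. Two simplifications are assumed and labelled in the code: DN scoping is a plain suffix comparison rather than RDN-by-RDN matching, and every attribute is compared case-insensitively as if it used caseIgnoreMatch; approximate ('~=') and compound filters are rejected rather than evaluated.

```python
# Added example, not from the original page: an in-memory model of a subtree
# ldapsearch, used to show base scoping, filter evaluation, attribute
# projection and the index type each filter shape relies on.
import re

# Entries constructed from the LDIF on this page: (dn, {attribute: [values]}).
ENTRIES = [
    ("dc=sbarjatiya,dc=com",
     {"objectClass": ["dcObject", "organization"], "dc": ["sbarjatiya"],
      "o": ["IIIT Hyderabad"]}),
    ("ou=people,dc=sbarjatiya,dc=com",
     {"objectClass": ["organizationalUnit"], "ou": ["people"]}),
    ("ou=groups,dc=sbarjatiya,dc=com",
     {"objectClass": ["organizationalUnit"], "ou": ["groups"]}),
    ("cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com",
     {"objectClass": ["inetOrgPerson"], "cn": ["Saurabh Barjatiya"],
      "sn": ["Barjatiya"], "uid": ["saurabh.barjatiya"],
      "mail": ["saurabh.barjatiya@iiit.ac.in", "barjatiya.saurabh@gmail.com"]}),
    ("cn=owners,ou=groups,dc=sbarjatiya,dc=com",
     {"objectClass": ["groupOfNames"], "cn": ["owners"],
      "member": ["cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com"]}),
]


def parse_filter(flt):
    """Parse one simple filter, (attr=value), (attr=*) or (attr=ab*cd*ef),
    into (attr, kind, parts) with kind 'eq', 'pres' or 'sub'.
    Approximate (~=), ordering and compound (&, |, !) filters are rejected."""
    flt = flt.strip()
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    attr, sep, pattern = flt.partition("=")
    if not sep or not attr or attr[0] in "&|!" or attr[-1] in "~<>":
        raise ValueError("unsupported filter: " + flt)
    if pattern == "*":
        return attr, "pres", []
    if "*" not in pattern:
        return attr, "eq", [pattern]
    return attr, "sub", pattern.split("*")


def index_needed(kind, parts):
    """Name the slapd index type(s) a filter of this shape would use."""
    if kind != "sub":
        return [kind]                       # 'eq' or 'pres'
    needed = []
    if parts[0]:
        needed.append("subinitial")         # abc*  : leading fixed part
    if any(parts[1:-1]):
        needed.append("subany")             # *abc* : middle fixed part
    if parts[-1]:
        needed.append("subfinal")           # *abc  : trailing fixed part
    return needed


def matches(values, kind, parts):
    """Evaluate the filter against one attribute's values. Simplification:
    everything is compared case-insensitively, as caseIgnoreMatch would."""
    if kind == "pres":
        return bool(values)
    if kind == "eq":
        return any(v.lower() == parts[0].lower() for v in values)
    regex = ".*".join(re.escape(p) for p in parts)
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def ldap_search(entries, base, flt="(objectClass=*)", attrs=()):
    """Model 'ldapsearch -x -LLL -b BASE FILTER ATTRS...' with subtree scope.
    Returns (results, index_types); every result dict carries 'dn'.
    The default filter is the one ldapsearch itself uses when none is given."""
    attr, kind, parts = parse_filter(flt)
    base_l, want = base.lower(), {a.lower() for a in attrs}
    results = []
    for dn, entry in entries:
        dn_l = dn.lower()
        # Simplification: subtree membership as a plain suffix test on the
        # lower-cased string rather than an RDN-by-RDN comparison.
        if dn_l != base_l and not dn_l.endswith("," + base_l):
            continue
        by_name = {k.lower(): v for k, v in entry.items()}
        if not matches(by_name.get(attr.lower(), []), kind, parts):
            continue
        out = {"dn": dn}                    # dn is returned even if not requested
        for k, v in entry.items():
            if not want or k.lower() in want:
                out[k] = list(v)
        results.append(out)
    return results, index_needed(kind, parts)
```

Calling ldap_search(ENTRIES, "ou=people,dc=sbarjatiya,dc=com", attrs=["dn", "cn", "sn"]) returns the ou entry (dn only, since it has no cn or sn) and the person entry with dn, cn and sn, mirroring the third ldapsearch command above; '(mail=*@gmail.com)' is reported as needing a subfinal index, which is why the example configuration gives mail an eq,sub index rather than eq alone.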
ldap global configuration options
idleTimeout
Specify the number of seconds to wait before forcibly closing an idle client connection. An idletimeout of 0, the default, disables this feature.
Example:
idleTimeout 30
sizeLimit
This directive specifies the maximum number of entries to return from a search operation.
Default:
sizelimit 500
We can change the limit for specific DNs using:
limits dn.exact="cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com" size=100000
Note that the limits do not apply to the rootdn.
timelimit
This directive specifies the maximum number of seconds (in real time) slapd will spend answering a search request. If a request is not finished in this time, a result indicating an exceeded timelimit will be returned.
Default:
timelimit 3600
We can create an exception for specific DNs using:
limits dn.exact="cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com" time=3600
Note that the limits do not apply to the rootdn.
ldap database configuration options
checkpoint
This directive specifies how often to checkpoint the BDB transaction log. A checkpoint operation flushes the database buffers to disk and writes a checkpoint record in the log. The checkpoint will occur if either <kbyte> data has been written or <min> minutes have passed since the last checkpoint. Both arguments default to zero, in which case they are ignored. When the <min> argument is non-zero, an internal task will run every <min> minutes to perform the checkpoint.
checkpoint 1024 5