Installation and configuration of basic openLDAP server

From Notes_Wiki
Revision as of 10:10, 7 November 2012 by Saurabh


Install ldap server

To install the LDAP server use:

yum -y install openldap-servers openldap-clients openldap

Also ensure that the folder '/var/lib/ldap' exists and is owned by 'ldap:ldap'.


Basic ldap configuration

A very basic LDAP configuration ('/etc/openldap/slapd.conf') is:

include          /etc/openldap/schema/core.schema
include          /etc/openldap/schema/cosine.schema
include          /etc/openldap/schema/inetorgperson.schema
pidfile          /var/run/openldap/slapd.pid
argsfile         /var/run/openldap/slapd.args
database        bdb
suffix           "dc=sbarjatiya,dc=com"
rootdn           "cn=owner,dc=sbarjatiya,dc=com"
rootpw           iiit123
directory        /var/lib/ldap

The file should have permissions 400 with owner ldap:ldap.

One can also edit the file '/etc/sysconfig/ldap' and set 'SLAPD_LDAPS' to yes to enable SASL based binding for ldap.
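As an added example (not from this wiki page), the Python helpers below produce the hashed form that OpenLDAP accepts for 'rootpw' in slapd.conf and for 'userPassword' values in LDIF, the {SSHA} format that slappasswd generates, so the clear-text 'iiit123' above need not be written to disk; the 4-byte salt size and the function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the wiki page: slapd.conf's 'rootpw' (and the
# 'userPassword' attribute in LDIF) accept a hashed value in the form that
# slappasswd emits, {SSHA}base64(sha1(password + salt) + salt), instead of
# the clear-text 'iiit123' shown above. These helpers build and check it.

SALT_LEN = 4          # salt size used by OpenLDAP's {SSHA} scheme
DIGEST_LEN = 20       # SHA-1 digest size in bytes

def ssha_hash(password, salt=None):
    """Return the {SSHA} string for password (random salt unless one is given)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]   # salt follows digest
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)

def rootpw_line(password):
    """slapd.conf line to use in place of 'rootpw iiit123' (constructed)."""
    return "rootpw           " + ssha_hash(password)

if __name__ == "__main__":
    line = rootpw_line("iiit123")
    print(line)                                      # rootpw           {SSHA}...
    print(ssha_verify("iiit123", line.split()[1]))   # True
```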



Starting ldap

Start ldap server using:

slapd -f /etc/openldap/slapd.conf

Do not use 'service slapd start', as for some reason that command does not use the correct configuration file.

Use the command 'ldapsearch -x "context=*"' to verify that the reported base value matches the value specified in the desired configuration file.


LDIF configuration files

LDIF files have the following types of lines:

  • Lines that start with # are treated as comment lines
  • Lines that start with a space are treated as a continuation of the previous attribute line
  • Lines that start with - are used to terminate a directive inside a changetype: modify entry
  • Lines that are completely blank separate entries and otherwise have no effect
  • Lines that are not blank and do not start with a space, - or # are treated as attribute lines


Sample ldif files

Sample ldif configuration files are:

LDIF configuration for sbarjatiya.com domain

# Main ldap base entry
dn: dc=sbarjatiya,dc=com
objectClass: dcObject
objectClass: organization
# dc is mandatory for dcObject
dc: sbarjatiya
# o is mandatory for organization
o: IIIT Hyderabad
description: This is homepage for Saurabh Barjatiya


LDIF configuration for creating organizational units named people and groups in sbarjatiya.com

dn: ou=people,dc=sbarjatiya,dc=com
objectClass: organizationalUnit
ou: people
description: All people in organisation

dn: ou=groups,dc=sbarjatiya,dc=com
objectClass: organizationalUnit
ou: groups
description: All groups in organisation


LDIF configuration file for creating a person entry as a child entry of the people ou

dn: cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com
objectClass: inetOrgPerson
# Mandatory, inherited from the person objectClass
cn: Saurabh Barjatiya
# Mandatory, inherited from the person objectClass
sn: Barjatiya
uid: saurabh.barjatiya
mail: saurabh.barjatiya@iiit.ac.in
mail: barjatiya.saurabh@gmail.com
ou: people
homePhone: 040 6653 1293
displayName: Saurabh Barjatiya
telephoneNumber: 93939 14337
postalAddress: OFQ F2, IIIT Hyderabad

LDIF configuration file for creating a group of persons called owners as a child entry of the groups ou

dn: cn=owners,ou=groups,dc=sbarjatiya,dc=com
objectClass: groupOfNames
cn: owners
description: Owners of the organization
member: cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com


Managing DIT

Adding an LDIF file to DIT

To add an LDIF file to the DIT use:

ldapadd -x -D "cn=owner,dc=sbarjatiya,dc=com" -f <ldif_file> -W

Then enter the 'rootpw' mentioned in slapd.conf to add the entry. One can also use '-w <password>' to supply the password directly on the command line so that there is no separate password prompt.


Deleting a ldap entry

To delete an LDAP entry use:

ldapdelete -x -D "cn=owner,dc=sbarjatiya,dc=com" -W <dn_to_be_deleted>


Modifying existing entries

To modify entries, create an LDIF file similar to:

dn: cn=Saurabh Barjatiya,ou=People,dc=sbarjatiya,dc=com
changeType: modify
add: mobile
mobile: 93939 14337
mobile: 86865 99552
-
delete: telephoneNumber
-
add: mail
mail: saurabh.barjatiya@yahoo.com
mail: saurabh.barjatiya@hotmail.com
-
replace: userPassword
userPassword: iiit123
-
replace: postalAddress
postalAddress: Staff Quarters F2, IIIT Hyderabad

Here:

  • 'changeType: modify' indicates that the entry will be modified
  • 'add: mobile' indicates that the given mobile attribute values should be added. Any existing mobile attribute values remain unaffected.
  • 'delete: telephoneNumber' indicates that all values of the attribute telephoneNumber should be deleted
  • 'replace: userPassword' indicates that all existing values of the attribute userPassword should be deleted and the given values added in their place
  • A hyphen '-' is required to terminate a changeType directive such as add, replace or delete. The last directive need not be followed by a hyphen.
  • If more than one entry is to be modified, the modification entries should be separated by a blank line. For example:
dn: dc=sbarjatiya,dc=com
changeType: modify
replace: description
description: Test description

dn: ou=People,dc=sbarjatiya,dc=com
changeType: modify
replace: description
description: Test description for people

To modify entries using the above LDIF file use:

ldapmodify -x -D "cn=owner,dc=sbarjatiya,dc=com" -W -f <file_name>
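As an added example that is not part of the wiki page, the Python below reads LDIF using exactly the line rules given in the 'LDIF configuration files' section and breaks a 'changetype: modify' record into its add/delete/replace operations, a useful pre-check before handing a file to ldapmodify; the function names and the SAMPLE text are this example's own constructions based on the page's modify file.

```python
# Added example, not from the wiki page: applies the page's LDIF line rules
# (comment '#', continuation ' ', terminator '-', blank line between entries)
# and turns a 'changetype: modify' record into (op, attribute, values) triples.

def ldif_records(text):
    records, lines = [], []                    # each record: list of (name, value)
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                           # comment line
        if raw.startswith(" ") and lines and lines[-1][1] is not None:
            lines[-1] = (lines[-1][0], lines[-1][1] + raw[1:])   # continuation
        elif raw.strip() == "":                # blank line ends a record
            if lines:
                records.append(lines)
                lines = []
        elif raw == "-":                       # ends one modify directive
            lines.append(("-", None))
        else:                                  # attribute line
            name, _, value = raw.partition(":")
            lines.append((name.strip(), value.strip()))
    if lines:
        records.append(lines)
    return records

def modify_ops(record):
    dn = next(v for n, v in record if n.lower() == "dn")
    ops, current = [], None                    # current = (op, attr, [values])
    for name, value in record:
        if name.lower() in ("dn", "changetype"):
            continue
        if name == "-":
            current = None
        elif name in ("add", "delete", "replace"):
            current = (name, value, [])
            ops.append(current)
        elif current is not None and name.lower() == current[1].lower():
            current[2].append(value)
    return dn, ops

# Constructed sample based on the page's modify LDIF (one record).
SAMPLE = """dn: cn=Saurabh Barjatiya,ou=People,dc=sbarjatiya,dc=com
changeType: modify
add: mobile
mobile: 93939 14337
-
delete: telephoneNumber
-
replace: postalAddress
postalAddress: Staff Quarters F2,
  IIIT Hyderabad
"""
```

Running `modify_ops(ldif_records(SAMPLE)[0])` yields the dn and the three operations, with the continuation line folded into the postalAddress value.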


Searching in LDAP database

Use the following to search for all entries under dc=sbarjatiya,dc=com:

ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com"


Use the following to search for all entries in the ou people:

ldapsearch -x -LLL -b "ou=people,dc=sbarjatiya,dc=com"


Use the following to search for all entries in the ou people and list only the dn, cn and sn attributes of the entries:

ldapsearch -x -LLL -b "ou=people,dc=sbarjatiya,dc=com" dn cn sn


Use the following to search for all entries where 'cn=Saurabh Barjatiya':

ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com" '(cn=Saurabh Barjatiya)'

Use the following to search for all entries where 'cn=Saurabh Barjatiya' and list only the sn attribute:

ldapsearch -x -LLL -b "dc=sbarjatiya,dc=com" '(cn=Saurabh Barjatiya)' sn

Note that the dn will also get listed automatically.


Overall ldapsearch has the following options:

  • '-x' to use simple bind for the search. Since we have not specified -D '<dn>' and -W or -w, the bind is anonymous.
  • '-LLL' to list the results in LDIF format
  • '-b' to specify the base from which the search should start
  • a filter enclosed in () in filter format
  • a list of attributes to be displayed for matched entries


Bind mechanisms

Anonymous binding

To bind to the LDAP server anonymously, use the '-x' option in most ldap commands, such as:

ldapwhoami -x


Simple binding

To bind to the LDAP server with a password, use '-D' to specify the bind dn and '-W' or '-w' to supply the password:

ldapwhoami -x -D "cn=owner,dc=sbarjatiya,dc=com" -W


Disabling anonymous bind

To disable anonymous bind, use the following line in the 'slapd.conf' file:

disallow bind_anon


Disabling simple bind

To disable simple bind, use the following line in the 'slapd.conf' file:

disallow simple_bind




Configuring indexing

To configure indexing for a bdb database, one can use configuration similar to:

index default eq,pres
index uid eq
index cn,gn,mail eq,sub
index sn eq,sub
index ou eq
index telephonenumber eq

These lines should be added to the '/etc/openldap/slapd.conf' file after the database specification. Here:

  • eq: index for equality tests, without wildcards
  • sub: index for substrings. There are three sub-categories of this index: subinitial, subany and subfinal.
  • subinitial: index for strings starting with the given part, such as 'cn=abc*'
  • subany: index for strings containing the given part, such as 'cn=*abc*'
  • subfinal: index for strings ending with the given part, such as 'cn=*abc'
  • approx: index for approximate (sounds-like) searches such as 'cn~=person'
  • pres: index for checking whether a particular attribute is present or whether an entry belongs to a given objectClass, such as 'objectClass=person' or a presence test on 'mail'

If indexing is configured while creating the LDAP server, the indexes are maintained automatically as entries are added or modified. But if an index entry is modified on an existing LDAP server, then:

  1. the ldap server should be stopped
  2. 'slapindex -f /etc/openldap/slapd.conf' should be run to generate the indexes from the configuration file
  3. finally the ldap server can be started again
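As an added example (not from this page), the following Python parses 'index' lines such as the ones above, classifies a simple filter assertion by the index type it needs, and reports whether the configuration covers it; in slapd.conf the 'index default' types apply only to later index lines that give no type list, so with the page's configuration a presence search on mail is still unindexed. The function names are this example's own.

```python
import re

# Added example, not from the wiki page: which index type does a simple filter
# assertion need, and do the configured 'index' lines provide it? An assertion
# with no covering index makes slapd scan the whole database.

def parse_index_config(text):
    indexes, default = {}, set()           # {attr (lower-case): set(types)}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "index":
            continue
        # 'index <attr>' with no type list uses the current 'index default'
        types = set(parts[2].split(",")) if len(parts) > 2 else default
        for attr in parts[1].split(","):
            if attr == "default":
                default = types
            else:
                indexes[attr.lower()] = types
    return indexes

def required_index(assertion):
    """Map '(attr=value)' or '(attr~=value)' to (attr, index type needed)."""
    m = re.fullmatch(r"\(?(\w+)(~=|=)(.*?)\)?", assertion)
    if not m:
        raise ValueError("unsupported assertion: " + assertion)
    attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
    if op == "~=":
        return attr, "approx"
    if value == "*":
        return attr, "pres"
    if "*" not in value:
        return attr, "eq"
    if value.endswith("*") and not value.startswith("*"):
        return attr, "subinitial"
    if value.startswith("*") and not value.endswith("*"):
        return attr, "subfinal"
    return attr, "subany" if value.startswith("*") else "sub"

def is_indexed(assertion, config):
    attr, needed = required_index(assertion)
    types = parse_index_config(config).get(attr, set())
    # a plain 'sub' index covers subinitial, subany and subfinal
    return needed in types or (needed.startswith("sub") and "sub" in types)

PAGE_INDEX_CONFIG = """index default eq,pres
index uid eq
index cn,gn,mail eq,sub
index sn eq,sub
index ou eq
index telephonenumber eq
"""
```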



ldap global configuration options

idleTimeout

Specify the number of seconds to wait before forcibly closing an idle client connection. An idletimeout of 0, the default, disables this feature.

Example:

idleTimeout 30


sizeLimit

This directive specifies the maximum number of entries to return from a search operation.

Default:

sizelimit 500

We can change the limit for specific DNs using:

limits dn.exact="cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com" size=100000

Note that the limits do not apply to the rootdn.


timelimit

This directive specifies the maximum number of seconds (in real time) slapd will spend answering a search request. If a request is not finished in this time, a result indicating an exceeded timelimit will be returned.

Default:

timelimit 3600

We can create an exception for specific DNs using:

limits dn.exact="cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com" time=3600

Note that the limits do not apply to the rootdn.




ldap database configuration options

checkpoint

This directive specifies how often to checkpoint the BDB transaction log. A checkpoint operation flushes the database buffers to disk and writes a checkpoint record in the log. The checkpoint will occur if either <kbyte> data has been written or <min> minutes have passed since the last checkpoint. Both arguments default to zero, in which case they are ignored. When the <min> argument is non-zero, an internal task will run every <min> minutes to perform the checkpoint.

checkpoint 1024 5