Description: Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls.
Key Knowledge Areas:
OpenLDAP
Directory based configuration
Access Control
Distinguished Names
Changetype Operations
Schemas and Whitepages
Directories
Object IDs, Attributes and Classes
Terms and Utilities:
slapd
slapd-config
LDIF
slapadd
slapcat
slapindex
/var/lib/ldap/
loglevel
We begin this course by talking about basics of LDAP. What is LDAP? Where it is used and why ?
LDAP
LDAP is not a program, that is a protocol. LDAP stands for Lightweight Directory Access Protocol and consists in a set of protocols that allows a client to access centrally stored information (over a network). It can be used in numerous ways such as for authentication, shared directory (for mail clients), address book, etc. As LDAP different usages, it can store any kind of information.
The standard TCP ports for LDAP are 389 for unencrypted communication and 636 for LDAP over a TLS-encrypted channel, although it’s not uncommon for LDAP servers to listen on alternate ports for a variety of reasons.
LDAP Directory tree structure
An LDAP directory has a tree structure. All entries (called objects) of the directory have a defined position within this hierarchy. This hierarchy is called the directory information tree (DIT).
Entries at the higher level of hierarchy, represent larger groupings or organizations. Entries under the larger organizations represent smaller organizations that make up the larger ones. The leaf nodes (or entries) of the tree structure represent the individuals or resources.
Namig Model
The naming model defines how entries and data in the DIT are uniquely referenced.
There are some defination which we are expected to know about before start working with ldap:
Object: Sometimes reffered to as a record or an entry, reperesnt a single item in the direstory. This object provides a description based on the structure of the schema.
Schema: This is the structure that is built to define the characteristics (or attributes) of an object. It also defines what can be stored in each attributes.
Attribute: This is a part of an object. One or more attributes make up an object, as defined by schema.
LDIF: Stands for LDAP Interchange Format. It is used to create objects within the LDAP directory. These values are placed into a file and can be loaded into a directory with the slapadd command.
DC: Stands for Domain Component. And that is one of the domain that is reflected in hierarchy.
OU: Stands for Organizational Unit.
CN: Stands for Common Name and is the name of object(often a username, but not always)
DN: Stands for Distinguished Name. Each object in our directory has to have a unique name in order to provide structure. It is build with a CN and one or more DC (example: cn=user,dc=abc,dc=com)
SSSD
Stands for System Security Service Daemon. This provides authentication of user accounts for a LDAP Server(if we want we can use a different solutions)
Note: Configuration of this item is NOT an eaxm objective, Only that we know what it is.
OpenLDAP
OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.
OpenLDAP provides a distributed directory service. It stores information associated with users that can be used to authenticate them for login and can provide other information about those users.
OpenLDAP is most commonly used in Linux, but can be compared to Active Directory on Windows as a service provided hierarchical based user information much the same as OpenLDAP.
Installing OpenLDAP server
For demonstaration Lets install OpenLDAP server on a centOS system, we install both sever and client packages to work with that. We should install the following three packages:
openldap-servers – This is the main LDAP server
openldap-clients – This contains all required LDAP client utilities
openldap – This packages contains the LDAP support libraries
[root@centos7-1 ~]# cd /etc/openldap/
[root@centos7-1 openldap]# ll
total 12
drwxr-xr-x. 2 root root 90 Aug 25 01:01 certs
-rw-r--r--. 1 root root 121 May 16 05:56 check_password.conf
-rw-r--r--. 1 root root 363 May 16 05:56 ldap.conf
drwxr-xr-x. 2 root root 4096 Aug 25 01:01 schema
drwxr-x---. 3 ldap ldap 45 Aug 25 01:01 slapd.d
ldap.conf
Used to set system-wide defaults to be applied when running LDAP client tools( likeldapsearchandldapadd).
[root@centos7-1 openldap]# cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
Where
SIZELIMIT <integer> : Specifies a size limit (number of entries) to use when performing searches.
TIMELIMIT <integer> : Specifies a time limit (in seconds) to use when performing searches.
By default ldap.conf is world readable and there are no special setting to edit and it is not a part of exam objective.
/etc/openldap/schema/*
Directory that contains a set of default schema specifications which describe the different object classes that are available by default with the OpenLDAP Software. Each set is defined in a file (i.e. core.schema) suitable for inclusion using the include directive in the global definitions portion of the slapd.conf file. It is helpful to browse the contents of these files to determine the required and available attributes for a particular object class.
Try to cat some of core.ldif files and see how they look like.This a part of that:
[root@centos7-1 schema]# cat core.ldif
# OpenLDAP Core schema
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2016 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (1997-2003).
## All Rights Reserved.
##
## This document and translations of it may be copied and furnished to
## others, and derivative works that comment on or otherwise explain it
## or assist in its implementation may be prepared, copied, published
## and distributed, in whole or in part, without restriction of any
## kind, provided that the above copyright notice and this paragraph are
## included on all such copies and derivative works. However, this
## document itself may not be modified in any way, such as by removing
## the copyright notice or references to the Internet Society or other
## Internet organizations, except as needed for the purpose of
## developing Internet standards in which case the procedures for
## copyrights defined in the Internet Standards process must be
## followed, or as required to translate it into languages other than
## English.
##
## The limited permissions granted above are perpetual and will not be
## revoked by the Internet Society or its successors or assigns.
##
## This document and the information contained herein is provided on an
## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
#
# Includes LDAPv3 schema items from:
# RFC 2252/2256 (LDAPv3)
#
# Select standard track schema items:
# RFC 1274 (uid/dc)
# RFC 2079 (URI)
# RFC 2247 (dc/dcObject)
# RFC 2587 (PKI)
# RFC 2589 (Dynamic Directory Services)
#
# Select informational schema items:
# RFC 2377 (uidObject)
#
#
# Standard attribute types from RFC 2256
#
dn: cn=core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: core
#
# system schema
#olcAttributeTypes: ( 2.5.4.0 NAME 'objectClass'
# DESC 'RFC2256: object classes of the entity'
# EQUALITY objectIdentifierMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
#
# system schema
#olcAttributeTypes: ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' )
# DESC 'RFC2256: name of aliased object'
# EQUALITY distinguishedNameMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
#
olcAttributeTypes: ( 2.5.4.2 NAME 'knowledgeInformation'
DESC 'RFC2256: knowledge information'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
#
# system schema
#olcAttributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' )
# DESC 'RFC2256: common name(s) for which the entity is known by'
# SUP name )
#
olcAttributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' )
DESC 'RFC2256: last (family) name(s) for which the entity is known by'
SUP name )
#
olcAttributeTypes: ( 2.5.4.5 NAME 'serialNumber'
DESC 'RFC2256: serial number of the entity'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
#
# RFC 4519 definition ('countryName' in X.500 and RFC2256)
olcAttributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' )
DESC 'RFC4519: two-letter ISO-3166 country code'
SUP name
SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
SINGLE-VALUE )
#
olcAttributeTypes: ( 2.5.4.7 NAME ( 'l' 'localityName' )
DESC 'RFC2256: locality which this object resides in'
SUP name )
#
olcAttributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
DESC 'RFC2256: state or province which this object resides in'
SUP name )
#
olcAttributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetAddress' )
DESC 'RFC2256: street address of this object'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
#
olcAttributeTypes: ( 2.5.4.10 NAME ( 'o' 'organizationName' )
DESC 'RFC2256: organization this object belongs to'
SUP name )
#
olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
DESC 'RFC2256: organizational unit this object belongs to'
SUP name )
#
olcAttributeTypes: ( 2.5.4.12 NAME 'title'
DESC 'RFC2256: title associated with the entity'
SUP name )
#
# system schema
#olcAttributeTypes: ( 2.5.4.13 NAME 'description'
# DESC 'RFC2256: descriptive information'
# EQUALITY caseIgnoreMatch
# SUBSTR caseIgnoreSubstringsMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
#
........
.....
...
..
.
slapd.conf
Main server configuration file that contains information needed by the slapd LDAP server. Lets take a look at it:
[root@centos7-1 ~]# cd /etc/openldap/
[root@centos7-1 openldap]# ll
total 12
drwxr-xr-x. 2 root root 90 Aug 25 01:01 certs
-rw-r--r--. 1 root root 121 May 16 05:56 check_password.conf
-rw-r--r--. 1 root root 363 May 16 05:56 ldap.conf
drwxr-xr-x. 2 root root 4096 Aug 25 01:01 schema
drwxr-x---. 3 ldap ldap 45 Aug 25 01:01 slapd.d
Where is it?
[root@centos7-1 openldap]# updatedb
[root@centos7-1 openldap]# locate slapd.conf
/usr/lib/tmpfiles.d/slapd.conf
/usr/share/man/man5/slapd.conf.5.gz
[root@centos7-1 openldap]# cat /usr/lib/tmpfiles.d/slapd.conf
# openldap runtime directory for slapd.arg and slapd.pid
d /var/run/openldap 0755 ldap ldap -
Historically OpenLDAP has been statically configured, that is, to make a change to the configuration the slapd.conf file was modified and slapd stopped and started. In the case of larger users this could take a considerable period of time and had become increasingly unacceptable as an operational method.
slapd.conf or dynamic runtime configuration engine
Significant changes to slapd were introduced with version 2.3 and 2.4. The most significant change is that, while slapd.conf is still supported (as of 2.4), increasingly OpenLDAP is moving toward On-Line Configuration (OLC) - frequently also known as cn=config or slapd.d configuration. This method enables most configuration changes to be made without starting and stopping the LDAP server.
If you have got confused, in a simple world, it is like having a configuration data base for configuring a database and no more single configuration file slapd.conf.
Unfortunately LPIC2 exam objective is about Old OpenLDAP versions (perior v2.3 ) but here what we have is OpenLDAP v2.4:
[root@centos7-1 openldap]# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (May 16 2018 09:55:53) $
mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.
[root@centos7-1 openldap]# pwd
/etc/openldap
[root@centos7-1 openldap]# ls -l
total 12
drwxr-xr-x. 2 root root 90 Aug 25 01:01 certs
-rw-r--r--. 1 root root 121 May 16 05:56 check_password.conf
-rw-r--r--. 1 root root 363 May 16 05:56 ldap.conf
drwxr-xr-x. 2 root root 4096 Aug 25 01:01 schema
drwxr-x---. 3 ldap ldap 45 Aug 25 01:01 slapd.d
So lets stick to our modern OpenLDAP how ever we need to cover exam objectives .So i have prepared another system, with CentOS5 and OpenLDAP 2.3.x on it to show differences:
[root@centos5-1 ~]# slapd -V
@(#) $OpenLDAP: slapd 2.3.43 (Sep 29 2015 06:22:05) $
mockbuild@builder17.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
[root@centos5-1 ~]# ls -l /etc/openldap/
total 40
drwxr-xr-x 2 root root 4096 Sep 29 2015 cacerts
-rw-r----- 1 root ldap 921 Sep 29 2015 DB_CONFIG.example
-rw-r--r-- 1 root root 327 Aug 26 23:26 ldap.conf
drwxr-xr-x 3 root root 4096 Aug 27 01:31 schema
-rw-r----- 1 root ldap 3801 Sep 29 2015 slapd.conf
[root@centos5-1 openldap]# cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
[root@centos5-1 openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib64/openldap
# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
Configuring OpenLDAP v 2.4 :
OpenLDAP v2.4 servers configuration files are found in /etc/openldap/slapd.d/
Note : Although the slapd-config system stores its configuration as (text-based) LDIF files, you should never edit any of the LDIF files directly. Configuration changes should be performed via LDAP operations, e.g. ldapadd, ldapdelete, or ldapmodify.
slapcat
Slapcat is used to generate an LDAP Directory Interchange Format (LDIF) output based upon the contents of a slapd database. It opens the given database determined by the database number or suffix and writes the corresponding LDIF to standard output or the specified file.
[root@centos7-1 ~]# slapcat
5b82165c The first database does not allow slapcat; using the first available one (2)
5b82165c hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=my-domain,dc=com".
By default slapcat in version 2.3 (and prior versions) shows default database .but here in version 2.4.x (and above) it shows nothing , so we define where configuration database is placed in slapd data base and it shows default configurations:
[root@centos7-1 ~]# slapcat -b cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
structuralObjectClass: olcGlobal
entryUUID: b08165de-3c6f-1038-830f-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.110276Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: b081765a-3c6f-1038-8310-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.110757Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z
dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: k
nowledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.
121.1.15{32768} )
olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last
(family) name(s) for which the entity is known by' SUP name )
olcAttributeTypes: {2}( 2.5.4.5 NAME 'serialNumber' DESC 'RFC2256: serial nu
mber of the entity' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
olcAttributeTypes: {3}( 2.5.4.6 NAME ( 'c' 'countryName' ) DESC 'RFC4519: tw
o-letter ISO-3166 country code' SUP name SYNTAX 1.3.6.1.4.1.1466.115.121.1.
11 SINGLE-VALUE )
.....
.....
.....
olcObjectClasses: {0}( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP
top STRUCTURAL MUST c MAY ( searchGuide $ description ) )
olcObjectClasses: {1}( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SU
P top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ descriptio
n ) )
olcObjectClasses: {2}( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organiz
ation' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso
$ businessCategory $ x121Address $ registeredAddress $ destinationIndicato
r $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ tel
ephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street
$ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName
$ st $ l $ description ) )
olcObjectClasses: {3}( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an o
rganizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchG
uide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ desti
nationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalId
entifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNu
mber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDelive
ryOfficeName $ st $ l $ description ) )
.....
.....
.....
olcObjectClasses: {25}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247:
domain component object' SUP top AUXILIARY MUST dc )
olcObjectClasses: {26}( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid ob
ject' SUP top AUXILIARY MUST uid )
structuralObjectClass: olcSchemaConfig
entryUUID: b0818bfe-3c6f-1038-8311-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.111311Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
structuralObjectClass: olcDatabaseConfig
entryUUID: b081be26-3c6f-1038-8312-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.112594Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: b081e6e4-3c6f-1038-8313-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.113635Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: b081ed42-3c6f-1038-8314-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.113801Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: b081f3fa-3c6f-1038-8315-65a4f4479506
creatorsName: cn=config
createTimestamp: 20180825050137Z
entryCSN: 20180825050137.113973Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180825050137Z
-bsuffix Use the specified suffix to determine which database to generate output for.
To start with the configuration of LDAP, we would need to update the variables “olcSuffix” and “olcRootDN“.
olcSuffix – Database Suffix, it is the domain name for which the LDAP server provides the information. In simple words, it should be changed to your domainname.
olcRootDN – Root Distinguished Name (DN) entry for the user who has the unrestricted access to perform all administration activities on LDAP, like a root user.
olcRootPW – LDAP admin password for the above RootDN.
The above entries need to be updated in /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file. Manually edit of LDAP configuration is not recommended as we will lose changes whenever you run ldapmodify command.
First lets generate an admin password:
slappasswd
OpenLDAP password utility, Slappasswd is used to generate an userPassword value suitable for use with ldapmodify, slapd.conf(5) rootpw configuration directive or the slapd-config olcRootPW configuration directive.
[root@centos7-1 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}un1ELmHXVCdBQOOx+eK0V9hWtGYj1RYF
To add something to the LDAP directory, we need to first create a LDIF file.The ldif file should contain definitions for all attributes that are required for the entries that you want to create, modify or change.
Now lets create a ldif file define requiered changes inside that (include generated password for ldap admin user"ldapadm"):
ldapmodify opens a connection to an LDAP server, binds, and modifies or adds entries. The entry information is read from standard input or from file through the use of the -f option.
by default ldapmodify chekh our ldif file for syntax errors before inserting into ldap databas and it seems good.
slaptest
slaptest - Check the suitability of the OpenLDAP slapd.conf file. Although there is no slapd.conf in 2.4 version but it still works . We use -u switch to enable dry-run mode (i.e. don't fail if databases cannot be opened, but config is fine) and -v for verbrosity:
Configuting OpenLDAP v2.3.x is much easier. We need to configure Database-Specific Directives in slapd.conf:
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
database: The type of database, a Berkeley database in this case, is determined in the first line of this section.
suffix: The suffix line names the domain for which the LDAP server provides information and should be changed.
rootdn:The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value.
rootpw : The administrator password is set with rootpw. Instead of using secret here, it is possible to enter the hash of the administrator password created by slappasswd.
directory : The directory directive indicates the directory (in the file system) where the database directories are stored on the server. There is no need to change it.
and the slapd.conf file would be like this after doing changes:
database bdb
suffix "dc=example,dc=com"
rootdn "cn=ldapadm,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
test configuration (we are using OpenLDAP server version before 2.3):
[root@localhost log]# service ldap stop
Stopping slapd: [ OK ]
[root@localhost log]# service ldap start
Starting slapd: [ OK ]
/var/lib/ldap
Contains all files that make up the LDAP directory database( LDAP Background Data Bases and log files). None of the files contained in this directory should be manually edited. The LDAP directory database type and location will be defined in the/etc/openldap/slapd.conf
[root@centos7-1 ~]# ls -l /var/lib/ | grep ldap
drwx------ 2 ldap ldap 126 Aug 26 08:11 ldap
[root@centos7-1 ~]# ls -la /var/lib/ldap/
total 380
drwx------ 2 ldap ldap 126 Aug 26 08:11 .
drwxr-xr-x. 58 root root 4096 Aug 26 04:48 ..
-rw-r--r-- 1 ldap ldap 4096 Aug 26 08:11 alock
-rw------- 1 ldap ldap 303104 Aug 26 08:23 __db.001
-rw------- 1 ldap ldap 40960 Aug 26 08:23 __db.002
-rw------- 1 ldap ldap 49152 Aug 26 08:23 __db.003
-rw------- 1 ldap ldap 8192 Aug 26 04:48 dn2id.bdb
-rw------- 1 ldap ldap 32768 Aug 26 04:48 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Aug 26 07:21 log.0000000001
These files are reponsible for serving the context of our directory server once we start the service .
Note:slapd runs as ldap user by default, if you attempted to start it (or loaded ldif etc..) as root user, it'd create files with incorrect permission. Try chown -R ldap.ldap /var/lib/ldap to fix the permissions and start the service.
OpenLDAP v2.4:
[root@centos7-1 ~]# chown -R ldap:ldap /var/lib/ldap
[root@centos7-1 ~]# ls -la /var/lib/ldap/
total 380
drwx------ 2 ldap ldap 126 Aug 26 23:10 .
drwxr-xr-x. 58 root root 4096 Aug 26 04:48 ..
-rw-r--r-- 1 ldap ldap 4096 Aug 26 08:11 alock
-rw------- 1 ldap ldap 303104 Aug 26 08:23 __db.001
-rw------- 1 ldap ldap 40960 Aug 26 08:23 __db.002
-rw------- 1 ldap ldap 49152 Aug 26 08:23 __db.003
-rw------- 1 ldap ldap 8192 Aug 26 04:48 dn2id.bdb
-rw------- 1 ldap ldap 32768 Aug 26 04:48 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Aug 26 07:21 log.0000000001
But the way Where is the configuration data base in Version 2.4.X and higher?
[root@localhost log]# service ldap stop
Stopping slapd: [ OK ]
[root@localhost log]# service ldap start
Starting slapd: [ OK ]
to make sure every thing is okey lets do a search in our directory server:
ldapsearch
ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified parameters. The filter should conform to the string representation for search filters:
-x means use simple authentication ,-b for defining search base that we want to run search on (which is blank in our example because we want to search for every thing), -s indicates the base we want to use (we defined just our base with all object classes in our directory server) and finally we want all of the names (namingContext).
The bdb backend to slapd uses the Oracle Berkeley DB (BDB) package to store data. It makes extensive use of indexing and caching to speed data access.
Note that BDB is deprecated and support will be dropped in future OpenLDAP releases. Installations should use the mdb backend instead.
hdb is a variant of the bdb backend that uses a hierarchical database layout which supports subtree renames. It is both more space-efficient and more execution-efficient than the bdb backend. It is otherwise identical to the bdb behavior, and all the same configuration options apply.
Please notice that these options are intended to complement Berkeley DB configuration options set in the environment's DB_CONFIG file. See Berkeley DB documentation for details on DB_CONFIG configuration options. Where there is overlap, settings in DB_CONFIG take precedence.
slapindex
slapindex - Reindex entries in a SLAPD database. It makes extensive use of indexing and caching to speed data access.
Unfortunately there are no usefull documentation for slapindex in OpenLDAP2.4 and its still show information for previous OpenLDAP versions and needs slapd.conf file!(try man slapindex on CentOS7 to see ).So lets try it using OpenLDAP v2.3.X:
[root@centos5-1 openldap]# slapindex -f /etc/openldap/slapd.conf -b "dc=example,dc=com"
bdb_db_open: database already in use
backend_startup_one: bi_db_open failed! (-1)
slap_startup failed
[root@centos5-1 openldap]# service ldap stop
Stopping slapd: [ OK ]
[root@centos5-1 openldap]# slapindex -f /etc/openldap/slapd.conf -b "dc=example,dc=com"
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=example,dc=com.
As you can see it nags about not founding DB_CONFIG file. Fortunately there is Example DB_CONFIG file for use in conjunction with slapd databases.We can simply copy this file to your LDAP directory's base directory.
[root@centos5-1 openldap]# locate DB_CONFIG
/etc/openldap/DB_CONFIG.example
[root@centos5-1 openldap]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@centos5-1 openldap]# chown -R ldap:ldap /var/lib/ldap
[root@centos5-1 openldap]# ls -l /var/lib/ldap/
total 9888
-rw-r--r-- 1 ldap ldap 4096 Aug 27 21:11 alock
-rw------- 1 root root 24576 Aug 27 21:11 __db.001
-rw------- 1 root root 104857600 Aug 27 21:11 __db.002
-rw------- 1 root root 335552512 Aug 27 21:11 __db.003
-rw------- 1 root root 2359296 Aug 27 21:11 __db.004
-rw------- 1 root root 557056 Aug 27 21:11 __db.005
-rw------- 1 root root 24576 Aug 27 21:11 __db.006
-rw-r----- 1 ldap ldap 921 Aug 27 21:10 DB_CONFIG
-rw------- 1 ldap ldap 8192 Aug 27 02:12 dn2id.bdb
-rw------- 1 ldap ldap 32768 Aug 27 02:12 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Aug 27 21:11 log.0000000001
-rw-r--r-- 1 ldap ldap 37 Aug 27 01:31 openldap-severs-update.log
and take look at it:
[root@centos5-1 openldap]# cat /var/lib/ldap/DB_CONFIG
# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.4 2007/12/18 11:51:46 ghenry Exp $
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#
# See the Oracle Berkeley DB documentation
# <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_config.html>
# for detail description of DB_CONFIG syntax and semantics.
#
# Hints can also be found in the OpenLDAP Software FAQ
# <http://www.openldap.org/faq/index.cgi?file=2>
# in particular:
# <http://www.openldap.org/faq/index.cgi?file=1075>
# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.
# one 0.25 GB cache
set_cachesize 0 268435456 1
# Data Directory
#set_data_dir db
# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs
# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).
and check again:
[root@centos5-1 openldap]# slapindex -f /etc/openldap/slapd.conf -b "dc=example,dc=com"
bdb_db_open: DB_CONFIG for suffix dc=example,dc=com has changed.
Performing database recovery to activate new settings.
loglevel
Although not included by default in the configuration file, logging can be setup using the loglevel directive. This directive specifies the level at which debugging statements and operation statistics should be logged. Log levels may be specified as integers or by keyword; however, most people stick to using loglevel integers.
loglevel number
Log levels may be specified as integers or by keyword.
Level Keyword Description
-1 any enable all debugging
0 no debugging
1 (0x1 trace) trace function calls
2 (0x2 packets) debug packet handling
4 (0x4 args) heavy trace debugging
8 (0x8 conns) connection management
16 (0x10 BER) print out packets sent and received
32 (0x20 filter) search filter processing
64 (0x40 config) configuration processing
128 (0x80 ACL) access control list processing
256 (0x100 stats) stats log connections/operations/results
512 (0x200 stats2) stats log entries sent
1024 (0x400 shell) print communication with shell backends
2048 (0x800 parse) print entry parsing debugging
16384 (0x4000 sync) syncrepl consumer processing
32768 (0x8000 none) only messages that get logged whatever log level is set
Multiple log levels may be used and the levels are additive.
# (1 + 8 + 128 + 256)=393
loglevel 393
Another setting related to logging that is not included by default is thelogfiledirective. By default, log entries for LDAP are sent to syslog. While this has its benefits, I find it more convenient to direct log entries to a file using thelogfiledirective:
When specifying thelogfiledirective, we need to make certain that the log file exists prior to starting the LDAP server.
touch /var/log/ldap.log
LDAP implementations
Once upon a time OpenLDAP was the only game in the Open Source LDAP town. It is still regarded as the LDAP reference implementation and remains an excellent system with many production implementations, is actively developed and extremly complex to implement for other than trivial applications. It is, however, no longer the only game in town. There is now the 389 Directory Server (ex-Fedora Directory Server), another University of Michigan derivative, OpenDJ (a fork of OpenDS a Sun-led Java-based LDAP implementation which now appears inactive), and the ApacheDS (Apache Directory) project. All appear excellent projects and together with OpenLDAP provide an embarrassment of riches in the Open Source LDAP space - driving forward capabilities and functionality.
Now that we have our OpenLDAP up and running it is time to create some OU and Users inside it.
slapadd
slapadd: Adds entries to an LDAP directory by accepting input via a file or standard input; ldapadd is actually a hard link to ldapmodify -a
slapdelete: Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.
Now we have created our inital LDAP server, we have to create DN an the associated top levels DCs that we can add entries into.To get the best results and covering LPIC2 exam objectives, we have used OpenLDAP v2.3.x on CentOS 5 in this section. First we need to create LDIF file:
[root@centos5-1 openldap]# vi mydc.ldif
[root@centos5-1 openldap]# cat mydc.ldif
dn: dc=example,dc=com
dc: example
description: creating my dc
objectClass: dcObject
objectClass: organization
o: example,organization.
Flash back: How it can realize dcObject consept or organization concept? From schema files! Try ls -l schema/ and cat schema/core.ldif | grep dcObject or grep for organization.
as slapadd and slapdelete access directly to the data base it is not possible to use them from a remote computer. In the next lesson we will learn how to use ldapadd and ldapdelete tools inorder to configure our Open LDAP server from a remote host.
Please go back to 210.3 course for more details. :-)
Any problem in install OpenLDAP 2.3.x on CentOS5? Look at here and here .
