Fun with LDAP

Posted 12-02-2011 at 02:25 PM by kbscores
Updated 12-02-2011 at 02:38 PM by kbscores

I have been working on setting up LDAP. Like most who try to tackle a new topic, I went out in search of a good guide and failed to find something for a simple OpenLDAP setup. So instead of following a crazy extensive guide I decided to learn as any student would... from the beginning.
After having about seven weeks now under my very large and bulky LDAP belt, I am now able to compile and install both BDB and OpenLDAP server side on Solaris and Red Hat (previously having never compiled anything by hand). Both were with basic settings: simple authentication, no certificates, no Kerberos, and no SASL. We can query the database using ldapsearch and I fully understand LDIF structure and schemas.

What I need to learn now is how to successfully set up a client and how to utilize LDAP for authentication from HP-UX, Solaris and Red Hat. It will most likely be with a Solaris server.

OK, so here is my guide for setting up a VERY BASIC LDAP server:

How-to Install LDAP Server:
General Information:
Note: This is a very simple explanation. LDAP is far more complex and extensive than this document will cover.
LDAP, or Lightweight Directory Access Protocol, is used for accessing and maintaining distributed directory information services over an IP network.
An LDAP server (slapd) consists of three parts: the frontend, overlays, and the backend. The frontend is where authentication and information handling occur.
The overlays are optional interfaces between the frontend and the backend. The backend is the database that handles the data storage.

Important Files/File Types:
• slapd.conf – The primary configuration file for the LDAP server daemon (slapd). If it is not set up properly the daemon will not start. [Default location: /usr/local/etc/openldap/]
• ldap.conf – The primary LDAP client configuration file. It is present on all LDAP clients as well as on the LDAP server(s) and defines how and where to connect to the LDAP server (host and default base DN). [Default location: /usr/local/etc/openldap/]
• *.ldif – LDAP Data Interchange Format files hold the entries that define the content and structure of the database. Creating a default file for new database entries is recommended. [Default location: /usr/local/etc/openldap/]
• *.schema – Schema files define the object classes and attribute types the daemon knows about; they are included from slapd.conf, much like a library. Editing these files is NOT recommended.

Database/Backend Installation:
• There has to be a database or backend. The most typical backend is BDB, the Berkeley Database. Other backends exist (LDBM, DBM, SHELL, and PASSWD), but for the sake of brevity only BDB will be discussed.
• BDB is currently owned and maintained by Oracle. To download the package visit:
http://www.oracle.com/technetwork/da...eSiteId=ocomen
• Download the most current version of Berkeley DB 11gR2 with md5 encryption available.
• Create a new directory and extract the DB files into it

Example:
[root] # mkdir BerkeleyDB5.2
[root] # tar zxvf db.5.2.234.12

• Next change to the build_unix directory inside the extracted contents
Note: build_unix is where all headers and libraries will be compiled. This is the recommended location. They do not have to be installed here and may be installed anywhere on the machine; just adjust the following steps accordingly based on the location selected.
• Then run the following command
Example:
[root] # ../dist/configure
Note: If this is a new server, this may fail and return an error about certain libraries not being available. If this error occurs, the glibc libraries are either not installed or the headers have not been created.
• Next run the following commands to continue the installation:
Example:
[root] # make
[root] # make install
• This will build and install all libraries and headers into the current directory.
LDAP Installation:
• There are many packages available for running LDAP. The one discussed in this document is OpenLDAP. They are all fairly similar; usually the primary difference is that most proprietary versions come with a GUI and slightly more functionality.
• The open source package is recommended for the OpenLDAP installation.
• Start by creating an LDAP directory for the configuration files – something in /usr/local is recommended for Linux servers.
• Un-tar the package, then configure and make using the following commands (LDFLAGS and CPPFLAGS point the build at the BDB libraries and headers built above):
Example:

Note: If you do not want LDAP to be installed in the current directory, specify the path with --prefix=path
[root] # LDFLAGS="-L/path-to-bdb-libraries" CPPFLAGS="-I/path-to-bdb-includes" ./configure
[root] # make depend
[root] # make
[root] # make install
• Files should install in the appropriate directories automatically.

Note: If a --prefix was given, go to that path before running the make commands.

Setting up Configuration Files:
slapd.conf:
The file is typically set up with the following sections:
#global configuration directives
#backend definition
#database A definition and configuration directives
#database B definition and configuration directives
# database ... however many there are
Note: If this is the first time editing the file, it is recommended to just modify the default slapd.conf file provided. It is very easy to corrupt. Also, make at least one copy of the default configuration file prior to editing.
Note: There are global directives that may be used under all sections, and then there are section-specific directives. To see a full list of directives, run man slapd.conf. Directive arguments that contain whitespace must be enclosed in double quotes, and if an argument contains one of the defined special characters it must be preceded by a backslash.
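The ldapadd and ldapsearch commands later in this guide bind as the root user with -D and -W, so the database section needs a rootdn and a rootpw. That rootpw should be a {SSHA} hash (the format slappasswd -h {SSHA} produces), never a cleartext password, and slapd.conf itself should be readable only by the account slapd runs as. The Python below is an added example, not code from the original post: it produces and verifies an {SSHA} value and renders a minimal slapd.conf in the section layout described above; the suffix, root DN and install prefix are assumed values.

```python
import base64
import hashlib
import os

# Assumed values for the example; substitute your own suffix, root DN and prefix.
DOMAIN_DN = "dc=example,dc=com"
ROOT_DN = "cn=Manager," + DOMAIN_DN


def ssha_hash(password, salt=b""):
    """Return an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt).

    This is the layout slappasswd -h {SSHA} emits, so slapd verifies it as-is.
    """
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a password against a {SSHA} value; the salt is whatever follows the 20 digest bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def render_slapd_conf(root_pw_hash, prefix="/usr/local"):
    """Minimal slapd.conf using the global / backend / database section layout."""
    return "\n".join([
        "# global configuration directives",
        "include   %s/etc/openldap/schema/core.schema" % prefix,
        "pidfile   %s/var/run/slapd.pid" % prefix,
        "argsfile  %s/var/run/slapd.args" % prefix,
        "",
        "# backend definition",
        "backend   bdb",
        "",
        "# database A definition and configuration directives",
        "database  bdb",
        'suffix    "%s"' % DOMAIN_DN,
        'rootdn    "%s"' % ROOT_DN,
        "rootpw    %s" % root_pw_hash,  # hashed value, never the cleartext password
        "directory %s/var/openldap-data" % prefix,
        "# users may change their own password, anyone may bind with it, nobody may read it",
        "access to attrs=userPassword by self write by anonymous auth by * none",
        "access to * by * read",
        "",
    ])
```

Write the rendered text to slapd.conf, then chmod 600 it and chown it to the slapd user before starting the daemon.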

Initial LDIF File to Add:
• To verify the database is working correctly, create a new file named init.ldif with the following information (entries in LDIF are separated by a blank line):

dn: dc=<DomainName>
objectclass: dcObject
objectclass: organization
o: <Domain Description>
dc: <DomainName>

dn: cn=<rootUser>,dc=<DomainName>
objectclass: organizationalRole
cn: <rootUser>

• Next add init.ldif to the database with the following command:

Example:
[root] # ldapadd -x -D "cn=<rootUser>,dc=<Domain>" -W -f init.ldif
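ldapadd expects every entry in init.ldif to begin with its dn: line and to be separated from the next entry by a blank line; if the two entries above run together, ldapadd sees a single entry with two dn lines and rejects it. The checker below is an added Python example (not from the original post) that splits an LDIF file into entries, folds continuation lines, and verifies that each entry has exactly one leading dn and carries the MUST attributes of the object classes used here (dcObject needs dc, organization needs o, organizationalRole needs cn); the sample LDIF and its domain values are constructed.

```python
# Constructed init.ldif with assumed domain values; note the blank line between entries.
INIT_LDIF = """\
dn: dc=example
objectclass: dcObject
objectclass: organization
o: Example Org
dc: example

dn: cn=Manager,dc=example
objectclass: organizationalRole
cn: Manager
"""

# MUST attributes (from core.schema) of the object classes used in init.ldif.
MUST = {"dcobject": {"dc"}, "organization": {"o"}, "organizationalrole": {"cn"}}


def parse_ldif(text):
    """Split LDIF into blank-line separated entries, folding ' '-continued lines.
    Each entry is a list of (lowercase attribute name, value) pairs in file order;
    base64 ('::') and URL (':<') values are kept raw, not decoded."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:       # continuation of the previous line
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append(lines)
                lines = []
        elif not raw.startswith("#"):           # skip LDIF comments
            lines.append(raw)
    return [[(n.strip().lower(), v.strip())
             for n, _, v in (line.partition(":") for line in lines)]
            for lines in entries]


def check_entries(entries):
    """Return a list of problems; an empty list means ldapadd should accept the file."""
    problems = []
    for i, pairs in enumerate(entries):
        names = [n for n, _ in pairs]
        if names[0] != "dn" or names.count("dn") != 1:
            problems.append("entry %d: needs exactly one leading dn line (missing blank line between entries?)" % i)
            continue
        present, dn = set(names), dict(pairs)["dn"]
        for name, value in pairs:
            if name == "objectclass":
                for needed in MUST.get(value.lower(), set()):
                    if needed not in present:
                        problems.append("%s: objectclass %s requires '%s'" % (dn, value, needed))
    return problems
```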

• Finally, verify the information was added by using the following command:

Example:
[root] # ldapsearch -x -W -D 'cn=<rootUser>,dc=<Domain>' -b "" -s base

Example Output: (For command listed above)
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
# search result
search: 2
result: 0 Success
# numberResponses: 2
# numEntries: 1

Explanation:
-x: Tells the client to use simple authentication
-W: Tells the client to prompt us for the password
-D 'cn=<rootUser>,dc=<Domain>': Specifies the DN that we want to bind to the directory as
-b "": Sets the base DN for the search (in the ldap.conf file we set the default base)
-s base: Indicates that we want to search for just one (base) entry – the entry with the DN specified in the -b parameter

-- At the top of the results is a summary of how the search was processed.
-- The last section displays a summary, including how many records were returned.
------ In this example two responses are returned: the DSE entry and the summary
------ result: 0 Success indicates there were no errors

-- To get more extensive information out of the root DSE, use the following command to query all of the operational attributes for the record:

Example:
[root] # ldapsearch -x -W -D 'cn=<rootUser>,dc=penu164204' -b "" -s base '(objectclass=*)' +

Another Example:
[root] # ldapsearch -D 'cn=<rootUser>,dc=penu164204' -x -W '*'

Note: This returns all data currently listed in the database

Troubleshooting LDAP:

Important Things to Note:
• If the LDAP server gets restarted and no startup script exists, the ONLY way to access the server is through root access on the console
• To start the LDAP daemon type:
[root] # slapd
• To stop the LDAP server type:
[root] # kill -INT `cat /var/run/slapd/slapd.pid`
• To enable LDAP authentication type:
[root] # authconfig --enableldapauth --ldapserver <serverName or IP> \
--ldapbasedn 'dc=<Domain>' --update
• To disable LDAP authentication type:
[root] # authconfig --disableldapauth
• Stopping slapd with any other command may cause the database to become corrupted
• A good ObjectClass website: http://ldap.akbkhome.com/index.php/objectclass/top.html