LDAP (Lightweight Directory Access Protocol) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500 standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as “X.500 Lite”.
Using Mozilla NSS
objectClass definition, and can be found in schema files located in the /etc/openldap/slapd.d/cn=config/cn=schema/ directory.
```
[id] dn: distinguished_name
attribute_type: attribute_value…
attribute_type: attribute_value…
…
```
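As an added example (not part of the Fedora guide or of OpenLDAP), the following Python parser reads entries in the layout shown above, including folded continuation lines (a leading space) and base64-encoded values (`attr:: value`), and rejects an entry whose first line is not dn; the sample LDIF is constructed for the example.

```python
import base64

# Constructed sample in the layout shown above (not from a real directory):
# two entries, a multi-valued objectClass, a folded line and a base64 value.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Inc.

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory
  Manager
userPassword:: e1NTSEF9c2VjcmV0
"""


def parse_ldif(text):
    """Return a list of entries; each maps an attribute name to a list of values."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous (folded) line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                if "dn" not in current:
                    raise ValueError("entry without a dn line")
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):       # "attr:: value" carries a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn" and current:
            raise ValueError("dn must be the first line of an entry")
        current.setdefault(name.strip(), []).append(value)
    return entries
```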
Start the slapd service as described in Section 11.1.4, “Running an OpenLDAP Server”.
Use the ldapadd utility to add entries to the LDAP directory.
Use the ldapsearch utility to verify that the slapd service is accessing the information correctly.
Table 11.1. List of OpenLDAP packages
Package | Description |
---|---|
openldap | A package containing the libraries necessary to run the OpenLDAP server and client applications. |
openldap-clients | A package containing the command line utilities for viewing and modifying directories on an LDAP server. |
openldap-servers | A package containing both the services and utilities to configure and run an LDAP server. This includes the Standalone LDAP Daemon, slapd. |
openldap-servers-sql | A package containing the SQL support module. |
Table 11.2. List of commonly installed additional LDAP packages
Package | Description |
---|---|
nss-pam-ldapd | A package containing nslcd, a local LDAP name service that allows a user to perform local LDAP queries. |
mod_authz_ldap | A package containing mod_authz_ldap, the LDAP authorization module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. Note that the mod_ssl module is required when using the mod_authz_ldap module. |
To install these packages, use the yum command in the following form:

```
yum install package…
```

For example, to install the OpenLDAP server and client packages, type the following at a shell prompt as root:

```
yum install openldap openldap-clients openldap-servers
```

Note that you must have superuser privileges (that is, you must be logged in as root) to run this command. For more information on how to install new packages in Fedora, refer to Section 5.2.4, “Installing Packages”.
The following table lists the utilities used to manage the slapd service:
Table 11.3. List of OpenLDAP server utilities
Command | Description |
---|---|
slapacl | Allows you to check the access to a list of attributes. |
slapadd | Allows you to add entries from an LDIF file to an LDAP directory. |
slapauth | Allows you to check a list of IDs for authentication and authorization permissions. |
slapcat | Allows you to pull entries from an LDAP directory in the default format and save them in an LDIF file. |
slapdn | Allows you to check a list of Distinguished Names (DNs) based on available schema syntax. |
slapindex | Allows you to re-index the slapd directory based on the current content. Run this utility whenever you change indexing options in the configuration file. |
slappasswd | Allows you to create an encrypted user password to be used with the ldapmodify utility, or in the slapd configuration file. |
slapschema | Allows you to check the compliance of a database with the corresponding schema. |
slaptest | Allows you to check the LDAP server configuration. |
Make sure the files have correct owner

Although only root can run slapadd, the slapd service runs as the ldap user. Because of this, the directory server is unable to modify any files created by slapadd. To correct this issue, after running the slapadd utility, type the following at a shell prompt:

```
chown -R ldap:ldap /var/lib/ldap
```
Stop slapd before using these utilities

Stop the slapd service before using slapadd, slapcat, or slapindex. You can do so by typing the following at a shell prompt as root:

```
systemctl stop slapd.service
```

For more information on managing the slapd service, refer to Section 11.1.4, “Running an OpenLDAP Server”.
Table 11.4. List of OpenLDAP client utilities
Command | Description |
---|---|
ldapadd | Allows you to add entries to an LDAP directory, either from a file, or from standard input. It is a symbolic link to ldapmodify -a. |
ldapcompare | Allows you to compare given attribute with an LDAP directory entry. |
ldapdelete | Allows you to delete entries from an LDAP directory. |
ldapexop | Allows you to perform extended LDAP operations. |
ldapmodify | Allows you to modify entries in an LDAP directory, either from a file, or from standard input. |
ldapmodrdn | Allows you to modify the RDN value of an LDAP directory entry. |
ldappasswd | Allows you to set or change the password for an LDAP user. |
ldapsearch | Allows you to search LDAP directory entries. |
ldapurl | Allows you to compose or decompose LDAP URLs. |
ldapwhoami | Allows you to perform a whoami operation on an LDAP server. |
With the exception of ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
The OpenLDAP configuration files and directories are located in the /etc/openldap/ directory. The following table highlights the most important directories and files within this directory:
Table 11.5. List of OpenLDAP configuration files and directories
The slapd service no longer reads its configuration from the /etc/openldap/slapd.conf file. Instead, it uses a configuration database located in the /etc/openldap/slapd.d/ directory. If you have an existing slapd.conf file from a previous installation, you can convert it to the new format by running the following command as root:

```
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
```
The slapd configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in Section 11.1.2.1, “Overview of OpenLDAP Server Utilities”.
Do not edit LDIF files directly

An error in an LDIF file can render the slapd service unable to start. Because of this, it is strongly advised that you avoid editing the LDIF files within the /etc/openldap/slapd.d/ directory directly.
The global configuration is stored in the /etc/openldap/slapd.d/cn=config.ldif file. The following directives are commonly used:

olcAllows

The olcAllows directive allows you to specify which features to enable. It takes the following form:

```
olcAllows: feature…
```

The default option is bind_v2.
Table 11.6. Available olcAllows options
Option | Description |
---|---|
bind_v2 | Enables the acceptance of LDAP version 2 bind requests. |
bind_anon_cred | Enables an anonymous bind when the Distinguished Name (DN) is empty. |
bind_anon_dn | Enables an anonymous bind when the Distinguished Name (DN) is not empty. |
update_anon | Enables processing of anonymous update operations. |
proxy_authz_anon | Enables processing of anonymous proxy authorization control. |
olcConnMaxPending

The olcConnMaxPending directive allows you to specify the maximum number of pending requests for an anonymous session. It takes the following form:

```
olcConnMaxPending: number
```

The default option is 100.

olcConnMaxPendingAuth

The olcConnMaxPendingAuth directive allows you to specify the maximum number of pending requests for an authenticated session. It takes the following form:

```
olcConnMaxPendingAuth: number
```

The default option is 1000.

olcDisallows

The olcDisallows directive allows you to specify which features to disable. It takes the following form:

```
olcDisallows: feature…
```
Table 11.7. Available olcDisallows options
Option | Description |
---|---|
bind_anon | Disables the acceptance of anonymous bind requests. |
bind_simple | Disables the simple bind authentication mechanism. |
tls_2_anon | Disables the enforcing of an anonymous session when the STARTTLS command is received. |
tls_authc | Disallows the STARTTLS command when authenticated. |
olcIdleTimeout

The olcIdleTimeout directive allows you to specify how many seconds to wait before closing an idle connection. It takes the following form:

```
olcIdleTimeout: number
```

This option is disabled by default (that is, set to 0).

olcLogFile

The olcLogFile directive allows you to specify a file in which to write log messages. It takes the following form:

```
olcLogFile: file_name
```

olcReferral

The olcReferral option allows you to specify a URL of a server to process the request in case the server is not able to handle it. It takes the following form:

```
olcReferral: URL
```

olcWriteTimeout

The olcWriteTimeout option allows you to specify how many seconds to wait before closing a connection with an outstanding write request. It takes the following form:

```
olcWriteTimeout: number
```

This option is disabled by default (that is, set to 0).
The database-specific configuration is stored in the /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif file. The following directives are commonly used in a database-specific configuration:

olcReadOnly

The olcReadOnly directive allows you to use the database in a read-only mode. It takes the following form:

```
olcReadOnly: boolean
```

It accepts either TRUE (enable the read-only mode), or FALSE (enable modifications of the database). The default option is FALSE.

olcRootDN

The olcRootDN directive allows you to specify the user that is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. It takes the following form:

```
olcRootDN: distinguished_name
```

The default option is cn=Manager,dc=my-domain,dc=com.

olcRootPW

The olcRootPW directive allows you to set a password for the user that is specified using the olcRootDN directive. It takes the following form:

```
olcRootPW: password
```

To generate a hashed password for this directive, use the slappasswd utility, for example:

```
~]$ slappasswd
New password:
Re-enter new password:
{SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD
```
olcSuffix

The olcSuffix directive allows you to specify the domain for which to provide information. It takes the following form:

```
olcSuffix: domain_name
```

The default option is dc=my-domain,dc=com.
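The global and database-specific directives above decide who may bind to the server and how the directory manager's credential is stored. As an added example (not from the Fedora guide or from OpenLDAP), the Python check below reads constructed global and database entries and flags the olcAllows features from Table 11.6 that widen anonymous or legacy access, a missing olcDisallows: bind_anon, a zero olcIdleTimeout, and an olcRootPW that is not slappasswd output (slapd accepts a clear-text value there); a weak sample is shown beside a corrected one.

```python
# Constructed samples (not from a real server), written in the layout of
# cn=config.ldif and of the olcDatabase={1}bdb.ldif entry described above.
WEAK_GLOBAL = """\
dn: cn=config
olcAllows: bind_v2
olcAllows: bind_anon_cred
olcIdleTimeout: 0
"""
WEAK_DB = """\
dn: olcDatabase={1}bdb,cn=config
olcRootPW: changeme
"""
HARDENED_GLOBAL = """\
dn: cn=config
olcDisallows: bind_anon
olcIdleTimeout: 300
"""
HARDENED_DB = """\
dn: olcDatabase={1}bdb,cn=config
olcRootPW: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD
"""
# olcAllows features from Table 11.6 that widen what unauthenticated clients may do.
RISKY_ALLOWS = {"bind_v2", "bind_anon_cred", "bind_anon_dn", "update_anon"}


def read_attrs(text):
    """Map 'name: value' lines to value lists (no folding or base64 handling)."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def audit_config(global_text, db_text):
    """Return findings for a global entry plus a database entry; [] means clean."""
    glob, db = read_attrs(global_text), read_attrs(db_text)
    findings = []
    for feature in glob.get("olcAllows", []):
        if feature in RISKY_ALLOWS:
            findings.append(f"olcAllows: {feature} widens anonymous or legacy access")
    if "bind_anon" not in glob.get("olcDisallows", []):
        findings.append("olcDisallows: bind_anon not set, anonymous binds stay enabled")
    if glob.get("olcIdleTimeout", ["0"])[0] == "0":
        findings.append("olcIdleTimeout: 0, idle connections are never closed")
    for password in db.get("olcRootPW", []):
        if not password.startswith("{"):  # slappasswd output starts with {SCHEME}
            findings.append("olcRootPW: clear text, store slappasswd output instead")
    return findings
```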
The /etc/openldap/slapd.d/ directory also contains LDAP definitions that were previously located in /etc/openldap/schema/. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, refer to http://www.openldap.org/doc/admin/schema.html.
To start the slapd service and have it start automatically at boot time, type the following at a shell prompt as root:

```
systemctl start slapd.service
systemctl enable slapd.service
```

To stop the slapd service and prevent it from starting at boot time, type the following at a shell prompt as root:

```
systemctl stop slapd.service
systemctl disable slapd.service
```

To restart the slapd service, type the following at a shell prompt as root:

```
systemctl restart slapd.service
```

To check whether the slapd service is running, type:

```
systemctl is-active slapd.service
```
To install the required client packages, type the following at a shell prompt as root:

```
yum install openldap openldap-clients nss-pam-ldapd
```

To install the migration tools, type the following at a shell prompt as root:

```
yum install migrationtools
```
The migration scripts are installed in the /usr/share/migrationtools/ directory. Once installed, edit the /usr/share/migrationtools/migrate_common.ph file and change the following lines to reflect the correct domain, for example:

```
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";
# Default base
$DEFAULT_BASE = "dc=example,dc=com";
```

For example, to run the migrate_all_online.sh script with the default base set to dc=example,dc=com, type:

```
export DEFAULT_BASE="dc=example,dc=com"
/usr/share/migrationtools/migrate_all_online.sh
```
Table 11.8. Commonly used LDAP migration scripts
Existing Name Service | Is LDAP Running? | Script to Use |
---|---|---|
/etc flat files | yes | migrate_all_online.sh |
/etc flat files | no | migrate_all_offline.sh |
NetInfo | yes | migrate_all_netinfo_online.sh |
NetInfo | no | migrate_all_netinfo_offline.sh |
NIS (YP) | yes | migrate_all_nis_online.sh |
NIS (YP) | no | migrate_all_nis_offline.sh |
For more information on these scripts, refer to the README and the migration-tools.txt files in the /usr/share/doc/migrationtools/ directory.
/usr/share/doc/openldap-servers/guide.html
/usr/share/doc/openldap-servers/README.schema
man ldapadd — Describes how to add entries to an LDAP directory.
man ldapdelete — Describes how to delete entries within an LDAP directory.
man ldapmodify — Describes how to modify entries within an LDAP directory.
man ldapsearch — Describes how to search for entries within an LDAP directory.
man ldappasswd — Describes how to set or change the password of an LDAP user.
man ldapcompare — Describes how to use the ldapcompare tool.
man ldapwhoami — Describes how to use the ldapwhoami tool.
man ldapmodrdn — Describes how to modify the RDNs of entries.
man slapd — Describes command line options for the LDAP server.
man slapadd — Describes command line options used to add entries to a slapd database.
man slapcat — Describes command line options used to generate an LDIF file from a slapd database.
man slapindex — Describes command line options used to regenerate an index based upon the contents of a slapd database.
man slappasswd — Describes command line options used to generate user passwords for LDAP directories.
man ldap.conf — Describes the format and options available within the configuration file for LDAP clients.
man slapd-config — Describes the format and options available within the configuration directory.