LDAP is an acronym for Lightweight Directory Access Protocol, it is a simplified version of the X.500 protocol. The directory setup in this section will be used for authentication. Nevertheless, LDAP can be used in numerous ways: authentication, shared directory (for mail clients), address book, etc.
To describe LDAP quickly, all information is stored in a tree structure. With OpenLDAP you have freedom to determine the directory arborescence (the Directory Information Tree: the DIT) yourself. We will begin with a basic tree containing two nodes below the root:
-
"People" node where your users will be stored
-
"Groups" node where your groups will be stored
Before beginning, you should determine what the root of your LDAP directory will be. By default, your tree will be determined by your Fully Qualified Domain Name (FQDN). If your domain is example.com (which we will use in this example), your root node will be dc=example,dc=com.
First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:
sudo apt-get install slapd ldap-utils
The installation process will prompt you for the LDAP directory admin password and confirmation.
After installing slapd the directory can be configured using dpkg-reconfigure:
sudo dpkg-reconfigure slapd
You will then be taken through a menu based configuration dialog allowing you to configure various slapd options. For the most part the defaults work well, but if your root node differs from the server's FQDN be sure to enter the correct name.
The directory has been created during installation and reconfiguration, and now it is time to populate it. It will be populated with a "classical" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.
![[Note]](../../images/admon/note.png)
|
|
|
For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details. |
LDAP directories can be populated with LDIF (LDAP Directory
Interchange Format) files. Copy the following example LDIF file, naming it
example.com.ldif, somewhere on your system:
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD
dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000
In this example the directory structure, a user, and a group have been setup. In other examples you might see the objectClass: top added in every entry, but that is the default behaviour so you do not have to add it explicitly.
Now, to add your entries to the LDAP directory:
-
Stop slapd:
sudo /etc/init.d/slapd stop -
Add the content:
sudo slapadd -l example.com.ldif -
Start LDAP daemon:
sudo /etc/init.d/slapd start
We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search of the LDAP directory:
ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn
dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
sn: Doe
givenName: John
Just a quick explanation:
-
-x: will not use SASL authentication method, which is the default.
-
-LLL: disable printing LDIF schema information.
Authentication requires access to the password field, that should be not accessible by default. Another issue is that during password change using passwd, shadowLastChange needs to be accessible by authenticated users. The following code, from /etc/ldap/slapd.conf, shows the default ACL setting that permits the admin user and authenticated users access to shadowLastChange:
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
by * none
LDAP service often quickly becomes a highly critical service in an information system: multiple systems depend on LDAP for authentication, authorization, mail, etc. It is a good idea to setup a redundant system.
Replication is achieved using the Syncrepl engine. Syncrepl allows the directory to be synced using either a push or pull based system. In a push based configuration a “primary” server will push directory updates to “secondary” servers, while a pull based approach allows replication servers to sync on a time based interval.
The following is an example of push configuration. First you need to setup the
slapd provider by uncommenting the following line in
/etc/ldap/slapd.conf:
rootdn "cn=admin,dc=example,dc=com"
Below the rootdn line add:
moduleload syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Now restart slapd:
sudo /etc/init.d/slapd restart
On separate OpenLDAP server configure the slapd consumer
by again uncommenting the rootdn line in /etc/ldap/slapd.conf:
rootdn "cn=admin,dc=example,dc=com"
Then add the following below the rootdn entry:
syncrepl rid=123
provider=ldap://ldap01.example.com:389
type=refreshAndPersist
searchbase="dc=example,dc=com"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="uid=john,ou=people,dc=example,dc=com"
credentials=password
|
|
|
|
This example uses the john user we created above to authenticate the sync process. Be sure to use an account with sufficient privileges. Also, replace ldap://ldap01.example.com:389 with the appropriate host name. |
Now restart the consumer slapd daemon:
sudo /etc/init.d/slapd restart
If all goes well you should be able to execute the ldapsearch example from above on the server with the replicated directory.
ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn
The slapd daemon will send log information to /var/log/syslog
by default. So if all does not go well check there for errors and other troubleshooting information.
-
For more information see OpenLDAP Home Page
-
Though starting to show it's age, a great source for in depth LDAP information is O'Reilly's LDAP System Administration
