{{tag>en en:linux en:server en:authentication}}
====== OpenLDAP ======
OpenLDAP is a widely used LDAP server. LDAP provides a centralized directory, and directories are commonly used to store user accounts.
===== Installation =====
The packages needed are:
* slapd
* ldap-utils
During installation you are asked for the administrator password. The admin account is cn=admin, directly under the base DN of the tree.
By default, anonymous access is allowed.
To check that the LDAP server answers, run:
ldapsearch -x
Example:
:~# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
:~#
===== Configuration =====
To change the base DN, the easiest way is to use dpkg-reconfigure.
# dpkg-reconfigure slapd
Omit OpenLDAP config? no
Domain name: bouthors.fr
Organisation name: Matthieu Bouthors
Admin password: XXX
Admin password: XXX
Database module to use: HDB
Delete database when purging the package? no
Move the previous database? yes
Allow LDAPv2? no
Once this step is done, check that the admin account works with:
ldapsearch -x -D [admin user] -W
Example:
:~# ldapsearch -x -D "cn=admin,dc=bouthors,dc=fr" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
:~#
Anonymous bind can be disabled by adding the following lines to slapd.conf. disallow bind_anon rejects anonymous bind requests; require authc additionally refuses directory operations from sessions that have not authenticated, which is what actually closes anonymous access:
#######################################################################
# Disable Anonymous Bind
require authc
disallow bind_anon
Anonymous bind is then refused:
:~# ldapsearch -x
ldap_bind: Inappropriate authentication (48)
additional info: anonymous bind disallowed
:~#
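As an added check (example code written for this page, not part of the original or of OpenLDAP), the following Python script sends the same anonymous bind that ldapsearch -x does, encoded by hand in BER, and reads the resultCode of the BindResponse, so the hardening above can be verified against your own server from a monitoring job. The host and port are whatever you pass in; SAMPLE_DENIED is a constructed response.

```python
import socket
def ber_tlv(tag, payload):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def ber_read(buf, pos=0):
    """Decode the TLV at pos; returns (tag, value bytes, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                     # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def anonymous_bind_request(msg_id=1):
    """LDAPv3 BindRequest with empty name and empty simple password: what ldapsearch -x sends."""
    bind = ber_tlv(0x02, b"\x03") + ber_tlv(0x04, b"") + ber_tlv(0x80, b"")
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x60, bind))

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, msg, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = ber_read(msg)                        # messageID
    tag, body, _ = ber_read(msg, pos)
    if tag != 0x61:                                  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = ber_read(body)                    # resultCode (ENUMERATED)
    _, _, pos = ber_read(body, pos)                  # matchedDN
    _, diag, _ = ber_read(body, pos)                 # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def anonymous_bind_allowed(host, port=389, timeout=5):
    """Ask your own slapd whether an anonymous bind succeeds; returns (allowed, code, diag)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anonymous_bind_request())
        code, diag = parse_bind_response(s.recv(4096))
    return code == 0, code, diag

# Constructed BindResponse as the hardened server above answers: resultCode 48
# (inappropriateAuthentication) carrying the "anonymous bind disallowed" text.
SAMPLE_DENIED = ber_tlv(0x30, ber_tlv(0x02, b"\x01") + ber_tlv(0x61, ber_tlv(0x0A, b"\x30")
                        + ber_tlv(0x04, b"") + ber_tlv(0x04, b"anonymous bind disallowed")))
```

A resultCode of 0 from anonymous_bind_allowed means the server still accepts anonymous binds; 48 with the text above is the expected answer once disallow bind_anon is in place.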
===== LDAP request debug =====
To understand why an LDAP request fails, it is often useful to trace LDAP access. The easiest way is to enable debugging on the server.\\
For example, starting the server with:
slapd -d 256
displays every request received by the server along with its answer.
To also dump the packets, use:
slapd -d 272
Here is the list of debug levels. They are additive: to enable several at once, add their values.
1 (0x1 trace) trace function calls
2 (0x2 packet) debug packet handling
4 (0x4 args) heavy trace debugging (function args)
8 (0x8 conns) connection management
16 (0x10 BER) print out packets sent and received
32 (0x20 filter) search filter processing
64 (0x40 config) configuration file processing
128 (0x80 ACL) access control list processing
256 (0x100 stats) stats log connections/operations/results
512 (0x200 stats2) stats log entries sent
1024 (0x400 shell) print communication with shell backends
2048 (0x800 parse) entry parsing
4096 (0x1000 cache) caching (unused)
8192 (0x2000 index) data indexing (unused)
16384 (0x4000 sync) LDAPSync replication
32768 (0x8000 none) only messages that get logged whatever log level is set
-1 (any) log all
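As an added helper (not code from the page), this Python snippet decomposes an additive -d or loglevel value such as 272 into the level names of the table above, flags bits that are not in the table, and builds a value back from names.

```python
SLAPD_DEBUG_LEVELS = {  # value -> name, as listed in the table above
    0x1: "trace", 0x2: "packet", 0x4: "args", 0x8: "conns", 0x10: "BER",
    0x20: "filter", 0x40: "config", 0x80: "ACL", 0x100: "stats", 0x200: "stats2",
    0x400: "shell", 0x800: "parse", 0x1000: "cache", 0x2000: "index",
    0x4000: "sync", 0x8000: "none",
}

def debug_level_names(level):
    """Decompose an additive -d / loglevel value into the level names it enables."""
    if level == -1:
        return ["any"]
    names = [name for bit, name in sorted(SLAPD_DEBUG_LEVELS.items()) if level & bit]
    unknown = level & ~sum(SLAPD_DEBUG_LEVELS)   # bits that match no documented level
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names

def debug_level_value(*names):
    """Inverse: add up the values of the given level names (e.g. 'stats', 'BER' -> 272)."""
    if "any" in names:
        return -1
    by_name = {name: value for value, name in SLAPD_DEBUG_LEVELS.items()}
    return sum(by_name[name] for name in names)
```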
===== LDAP clients =====
To manage the LDAP tree and schema, the following tools are useful:
* [[PhpLdapAdmin]] is a web application for browsing and editing LDAP servers; it is quite easy to install
* [[http://www.jxplorer.org/|JXplorer]]: a free LDAP client.
* Other tools [[http://www.zytrax.com/books/ldap/apb/#tools|here]]
===== Editing the LDAP tree =====
Once the server is running, the next step is to define its tree and add entries.
==== Import LDIF data with slapadd ====
slapadd imports a database directly into slapd's backend. One advantage is that slapadd can set internal attributes (such as the creation timestamp), which is very useful when restoring a database.
It is the ideal command to reimport the output of slapcat, described [[#Export datas to LDIF|below]].
The main limitation of slapadd is that slapd must be stopped while it runs.
**:!: Check that the database files are owned by the slapd user after using slapadd, otherwise slapd will refuse to restart.**
Example:
:/var/lib/ldap# /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
:/var/lib/ldap# ps aux|grep ldap
root 32212 0.0 0.0 6480 776 pts/0 R+ 11:27 0:00 grep ldap
:/var/lib/ldap# rm -Rf *
:/var/lib/ldap# l
total 0
:/var/lib/ldap# slapadd -l /root/ldif
/etc/ldap/slapd.conf: line 109: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
:/var/lib/ldap# chown openldap:openldap *
:/var/lib/ldap# l
total 1100
-rw-r--r-- 1 openldap openldap 2048 2007-12-16 11:29 alock
-rw------- 1 openldap openldap 8192 2007-12-16 11:28 __db.001
-rw------- 1 openldap openldap 2629632 2007-12-16 11:28 __db.002
-rw------- 1 openldap openldap 98304 2007-12-16 11:28 __db.003
-rw------- 1 openldap openldap 868352 2007-12-16 11:28 __db.004
-rw------- 1 openldap openldap 24576 2007-12-16 11:28 __db.005
-rw-r--r-- 1 openldap openldap 96 2007-12-16 11:28 DB_CONFIG
-rw------- 1 openldap openldap 20480 2007-12-16 11:28 dn2id.bdb
-rw------- 1 openldap openldap 81920 2007-12-16 11:28 id2entry.bdb
-rw------- 1 openldap openldap 188602 2007-12-16 11:28 log.0000000001
-rw------- 1 openldap openldap 8192 2007-12-16 11:28 objectClass.bdb
:/var/lib/ldap# /etc/init.d/slapd start
Starting OpenLDAP: slapd.
:/var/lib/ldap# ps aux|grep sla
openldap 32335 0.0 0.3 48820 3440 ? Ssl 11:32 0:00 /usr/sbin/slapd -g openldap -u openldap
root 32338 0.0 0.0 6476 776 pts/0 R+ 11:32 0:00 grep sla
:/var/lib/ldap#
==== Import LDIF data with ldapadd ====
The ldapadd command adds new entries to the tree:
ldapadd -x -D [user] -W
Example:
:~# ldapadd -x -D "cn=admin,dc=bouthors,dc=fr" -W
Enter LDAP Password:
dn: cn=user1,ou=Users,dc=bouthors,dc=fr
cn: user1
sn: first user
objectClass: inetOrgPerson
objectClass: top
adding new entry "cn=user1,ou=Users,dc=bouthors,dc=fr"
:~#
==== Export datas to LDIF ====
slapcat exports the content of the LDAP database in LDIF format:
slapcat -l file
:!: 2011-01-16 There is currently a bug with slapcat in Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598361); the following error is displayed:
hdb_db_open: database "dc=bouthors,dc=fr": unclean shutdown detected; attempting recovery.
hdb_db_open: database "dc=bouthors,dc=fr": recovery skipped in read-only mode. Run manual recovery if errors are encountered.
The workaround is to stop slapd while slapcat runs.
==== Example ====
Example of creating two OUs and a few entries:
* OU=Users
  * CN=user1
  * CN=user2
* OU=Groups
  * CN=Nomades
The two users are members of the Nomades group.
In this example, users use the inetOrgPerson class and groups use groupOfUniqueNames.
Here is the raw data to import (LDIF format):
dn: ou=Users,dc=bouthors,dc=fr
ou: Users
objectClass: organizationalUnit
objectClass: top

dn: ou=Groups,dc=bouthors,dc=fr
ou: Groups
objectClass: organizationalUnit
objectClass: top

dn: cn=user1,ou=Users,dc=bouthors,dc=fr
cn: user1
sn: first user
objectClass: inetOrgPerson
objectClass: top

dn: cn=user2,ou=Users,dc=bouthors,dc=fr
cn: user2
sn: second user
objectClass: inetOrgPerson
objectClass: top

dn: cn=Nomades,ou=Groups,dc=bouthors,dc=fr
cn: Nomades
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=user1,ou=Users,dc=bouthors,dc=fr
uniqueMember: cn=user2,ou=Users,dc=bouthors,dc=fr
To add them to the LDAP server, use ldapadd as described above.
After that, the new entries should appear in the slapcat LDIF export.
===== Changing the schema =====
The LDAP schema defines the structure of entries. The predefined object classes are often not enough.
For example, I use two custom classes:
The class mboUser contains the following fields:
* cn (mandatory): user login and unique identifier
* sn: full name
* mail: email address
* uidNumber: user number (UID)
* gidNumber: group number (GID)
* description: description
* userPassword: password
* homeDirectory: home directory
* loginShell: shell
* preferredLanguage: language
* memberOf: groups of the user (custom attribute)
The class mboGroup contains the following fields:
* cn (mandatory): group name and unique identifier
* gidNumber: group number (GID)
* uniqueMember: list of users identified by their DN
* description: description
Here is how to configure OpenLDAP:
* Create the schema file ///etc/ldap/schema/mbo.schema// with the following content:
# example attribute of type name
attributetype ( 1.3.6.1.4.1.200579.1.101 NAME 'mboNom'
    DESC 'attribut exemple de type nom'
    SUP name )

# example attribute of type date
attributetype ( 1.3.6.1.4.1.200579.1.102 NAME 'mboDate'
    DESC 'attribut exemple de type date'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )

# multi-valued DN attribute
attributetype ( 1.3.6.1.4.1.200579.1.1 NAME 'memberOf'
    DESC 'list groups DN of the user'
    SUP uniqueMember )

objectclass ( 1.3.6.1.4.1.200579.2.1 NAME 'mboUser'
    DESC 'Define a user for bouthors.fr'
    SUP top STRUCTURAL
    MUST ( cn )
    MAY ( sn $ mail $ uidNumber $ gidNumber $ description $
          userPassword $ homeDirectory $ loginShell $
          preferredLanguage $ memberOf ) )

objectclass ( 1.3.6.1.4.1.200579.2.2 NAME 'mboGroup'
    DESC 'Define a group for bouthors.fr'
    SUP top STRUCTURAL
    MUST ( cn )
    MAY ( gidNumber $ uniqueMember $ description ) )
* Load the schema into OpenLDAP by adding to ///etc/ldap/slapd.conf//:
include /etc/ldap/schema/mbo.schema
These classes can then be used to create entries.
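As an added example (not code from the page), this Python script parses content LDIF of the kind shown in the Example section above, checks that every uniqueMember DN in a group refers to an entry that exists in the export, and derives the per-user memberOf values that the custom mboUser class stores. SAMPLE_LDIF is a constructed input in which user2 is deliberately missing, so the check has a dangling reference to report.

```python
import base64
from collections import defaultdict
# Constructed sample shaped like the page's example; user2 is deliberately absent.
SAMPLE_LDIF = """\
dn: cn=user1,ou=Users,dc=bouthors,dc=fr
cn: user1
objectClass: inetOrgPerson

dn: cn=Nomades,ou=Groups,dc=bouthors,dc=fr
cn: Nomades
objectClass: groupOfUniqueNames
uniqueMember: cn=user1,ou=Users,dc=bouthors,dc=fr
uniqueMember: cn=user2,ou=Users,dc=bouthors,dc=fr
"""

def parse_ldif(text):
    """Content LDIF (slapcat/ldapadd style, no changetype) -> {dn: {attr: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:            # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith(("#", "version:")):  # drop comments and the version line
            lines.append(raw)
    entries, attrs = {}, None
    for line in lines + [""]:                        # the trailing "" flushes the last record
        if line == "":
            if attrs is not None:                    # assumes every record starts with its dn
                entries[attrs["dn"][0]] = dict(attrs)
            attrs = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                    # "attr:: <base64>", as slapcat writes userPassword
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        attrs = attrs if attrs is not None else defaultdict(list)
        attrs[name].append(value.strip())
    return entries

def dangling_unique_members(entries):
    """uniqueMember values that name no entry in the export (case-folded DN comparison)."""
    known = {dn.lower() for dn in entries}
    return [(dn, m) for dn, a in entries.items()
            for m in a.get("uniqueMember", []) if m.lower() not in known]

def derive_member_of(entries):
    """Group DNs per member DN: the values the page's custom memberOf attribute holds."""
    member_of = defaultdict(list)
    for dn, a in entries.items():
        for m in a.get("uniqueMember", []):
            member_of[m.lower()].append(dn)
    return dict(member_of)
```

Run it over a slapcat export to find groups that still reference deleted users, and to compare the derived memberOf lists with the ones stored on the user entries.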
===== Example data with the custom schema (LDIF) =====
version: 1
# LDIF export for: dc=bouthors,dc=fr
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on December 22, 2007 11:50 am
# Server: My LDAP Server (localhost)
# Search scope: sub
# Search filter: (objectClass=*)
# Total entries: 50

dn: dc=bouthors,dc=fr
objectClass: top
objectClass: dcObject
objectClass: organization
o: bouthors.fr
dc: bouthors

dn: cn=admin,dc=bouthors,dc=fr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:

dn: ou=groups,dc=bouthors,dc=fr
ou: groups
objectClass: organizationalUnit
objectClass: top

dn: cn=web,ou=groups,dc=bouthors,dc=fr
cn: web
objectClass: mboGroup
uniqueMember: cn=matthieu,ou=users,dc=bouthors,dc=fr

dn: ou=services,dc=bouthors,dc=fr
ou: services
objectClass: organizationalUnit
objectClass: top

dn: cn=apache,ou=services,dc=bouthors,dc=fr
cn: apache
sn: apache
objectClass: person
objectClass: top
userPassword:

dn: ou=users,dc=bouthors,dc=fr
ou: users
objectClass: organizationalUnit
objectClass: top

dn: cn=matthieu,ou=users,dc=bouthors,dc=fr
cn: matthieu
sn: Matthieu Bouthors
objectClass: mboUser
loginShell: /bin/false
preferredLanguage: fr
uidNumber: 1000
gidNumber: 1000
homeDirectory: /ftp
mail: matthieu@bouthors.fr
userPassword:
===== Example of slapd.conf =====
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/mbo.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Disable Anonymous Bind
require authc
disallow bind_anon
#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend
#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database hdb
# The base of your directory in database #1
suffix "dc=bouthors,dc=fr"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=bouthors,dc=fr"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=bouthors,dc=fr" write
    by anonymous auth
    by self write
    by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
    by dn="cn=admin,dc=bouthors,dc=fr" write
    by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=bouthors,dc=fr" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
===== Performance and Index =====
If you run into performance problems or see the "bdb_equality_candidates" message in the logs, generating indexes for the attributes used in frequent searches usually solves it.
The steps are:
* add the indexes to slapd.conf:
# Indexing options for database #1
index objectClass eq
index cn eq
index gidNumber eq
* stop slapd
# /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
#
* rebuild the indexes, as the openldap user so that the new index files keep the right owner
# sudo -u openldap slapindex
* start slapd
# /etc/init.d/slapd start
Starting OpenLDAP: slapd.
#
===== Configure services to use LDAP authentication =====
* Web server : see [[Serveur Web]]
* FTP server : see [[Proftpd]]
* Dokuwiki : see [[en:linux:dokuwiki:ldap]]
===== Backup =====
* /etc/ldap/slapd.conf
* /etc/ldap/schema/mbo.schema
* /var/lib/ldap
===== Links =====
* [[linux:phpldapadmin|PhpLdapAdmin]]
* [[http://www.openldap.org/]]
* [[http://www.openldap.org/doc/admin23/]]
* [[http://www-unix.mcs.anl.gov/~gawor/ldap/]]