OpenLDAP

OpenLDAP is a widely used LDAP server. LDAP provides a centralized directory.

Directories are commonly used to store user accounts.

Installation

The packages needed are:

  • slapd
  • ldap-utils

During installation, the password of the administrator account is set. That account is “cn=admin”, directly under the base of the tree (for example cn=admin,dc=bouthors,dc=fr).

By default, anonymous bind is allowed, and with the default ACLs an anonymous client can read the whole tree except the password attributes.

To check that the LDAP server is answering, run:

ldapsearch -x

Example (the “No such object” result is expected here: without a BASE in /etc/ldap/ldap.conf or a -b option, ldapsearch searches from the empty DN, which no database serves; what matters is that the server answered at all):

:~# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
:~#

Configuration

To change the base DN, the easiest way is dpkg-reconfigure:

# dpkg-reconfigure slapd
 Omit OpenLDAP server configuration? no
 DNS domain name: bouthors.fr
 Organization name: Matthieu Bouthors
 Administrator password: XXX
 Confirm password: XXX
 Database backend to use: HDB
 Do you want the database to be removed when slapd is purged? no
 Move old database? yes
 Allow LDAPv2 protocol? no

Once this step is done, check that the admin account works with:

ldapsearch -x -D [admin DN] -W

Example (the bind succeeded, since no ldap_bind error such as “Invalid credentials (49)” is printed; the search itself again returns No such object because no base was given):

:~# ldapsearch -x -D "cn=admin,dc=bouthors,dc=fr" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
:~#

Anonymous bind can be disabled by adding the following lines to the global section of the configuration file (/etc/ldap/slapd.conf). disallow bind_anon rejects anonymous bind requests; require authc additionally rejects any other operation from a connection that has not authenticated, since an LDAPv3 client may send requests without ever binding:

#######################################################################
# Disable Anonymous Bind
require authc
disallow bind_anon

Anonymous bind is then refused:

:~# ldapsearch -x
ldap_bind: Inappropriate authentication (48)
        additional info: anonymous bind disallowed
:~#
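The check above can be scripted without ldap-utils. The following is an added example, not code from the original page: a Python 3 script using only the standard library that builds an LDAPv3 anonymous simple BindRequest by hand (RFC 4511, BER-encoded), sends it, and decodes the server's BindResponse, so the result code 48 (inappropriateAuthentication) seen above, or 0 when the server still accepts anonymous binds, can be collected for many hosts. The two sample responses embedded in it are constructed for the demonstration, not captured from a real server.

```python
"""Test whether an LDAP server accepts an anonymous simple bind, using a
hand-built LDAPv3 BindRequest (RFC 4511) over a raw socket."""
import socket

# LDAP result codes a bind can return (RFC 4511, Appendix A)
RESULT_NAMES = {
    0: "success",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}


def ber_length(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value):
    """BER INTEGER for a non-negative value (message IDs, protocol version)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def bind_request(message_id=1, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, simple [0] password } }. Empty dn and password = anonymous bind."""
    bind = tlv(0x60, ber_integer(3) + tlv(0x04, dn) + tlv(0x80, password))
    return tlv(0x30, ber_integer(message_id) + bind)


def read_tlv(buf, pos=0):
    """Decode one BER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage that
    carries a BindResponse ([APPLICATION 1] = tag 0x61)."""
    tag, message, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(message)          # messageID, not needed here
    tag, op, _ = read_tlv(message, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)            # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)          # matchedDN
    _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by server")
        buf += chunk
    return buf


def recv_message(sock):
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    length, extra = head[1], b""
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        length = int.from_bytes(extra, "big")
    return head + extra + recv_exact(sock, length)


def anonymous_bind_allowed(host, port=389, timeout=5.0):
    """Connect, send an anonymous bind, return (allowed, code, name, diagnostic)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request())
        code, diag = parse_bind_response(recv_message(sock))
    return code == 0, code, RESULT_NAMES.get(code, "other"), diag


# Constructed sample responses (not captured from a real server): the refusal
# matching the "anonymous bind disallowed" output above, and a success.
SAMPLE_REFUSED = bytes.fromhex("3025020101" "6120" "0a0130" "0400" "0419") \
    + b"anonymous bind disallowed"
SAMPLE_OK = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    allowed, code, name, diag = anonymous_bind_allowed(host)
    print("%s: anonymous bind %s (%d %s) %s"
          % (host, "ACCEPTED" if allowed else "refused", code, name, diag))
```

Run it as `python3 anonbind.py ldap.example.org`; a server configured as above answers with code 48, a default installation with code 0. Only plain LDAP on port 389 is handled; for ldaps:// wrap the socket with ssl.create_default_context() before sending.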

Debugging LDAP requests

To understand why an LDAP request fails, it is often useful to trace LDAP access. The easiest way is to enable debugging on the server, which then runs in the foreground and writes the trace to standard error. For example, starting the server with:

slapd -d 256

displays every request received by the server along with its result (the stats level).

To additionally dump the packets sent and received (256 + 16), use:

slapd -d 272

Note that the packet and BER dumps contain the raw bytes of simple binds, i.e. cleartext passwords, so treat that output as sensitive. The same numeric value can be given to the loglevel directive in slapd.conf to send the trace to syslog instead.

Here is the list of debug levels, as printed by slapd -d ?; to activate several of them, add up their values:

levels are additive, and available levels are:
    1      (0x1 trace) trace function calls
    2      (0x2 packet) debug packet handling
    4      (0x4 args) heavy trace debugging (function args)
    8      (0x8 conns) connection management
    16     (0x10 BER) print out packets sent and received
    32     (0x20 filter) search filter processing
    64     (0x40 config) configuration file processing
    128    (0x80 ACL) access control list processing
    256    (0x100 stats) stats log connections/operations/results
    512    (0x200 stats2) stats log entries sent
    1024   (0x400 shell) print communication with shell backends
    2048   (0x800 parse) entry parsing
    4096   (0x1000 cache) caching (unused)
    8192   (0x2000 index) data indexing (unused)
    16384  (0x4000 sync) LDAPSync replication
    32768  (0x8000  none)  only  messages that get logged whatever
           log level is set
    -1     (any) log all

LDAP clients

To manage the LDAP tree and schema, the following tools can be useful:

  • phpLDAPadmin: a web application to browse and edit LDAP servers; quite easy to install
  • JXplorer: a free LDAP client

Editing the LDAP tree

Once the server is running, its tree must be defined and entries added.

Importing LDIF data with slapadd

slapadd writes entries directly into the database files, bypassing slapd. One advantage is that it keeps the operational attributes present in the LDIF (creation date, entryUUID, ...) instead of regenerating them, which is exactly what a restore needs.

It is the natural way to re-import the output of slapcat, described below.

The main limitation of slapadd is that slapd must be stopped while it runs.

:!: After running slapadd as root, check that the files in /var/lib/ldap belong to the openldap user (the account slapd runs as on Debian); otherwise slapd will refuse to start.

Example :

:/var/lib/ldap# /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
:/var/lib/ldap# ps aux|grep ldap
root     32212  0.0  0.0   6480   776 pts/0    R+   11:27   0:00 grep ldap
:/var/lib/ldap# rm -Rf *
:/var/lib/ldap# l
total 0
:/var/lib/ldap# slapadd -l /root/ldif
/etc/ldap/slapd.conf: line 109: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
:/var/lib/ldap# chown openldap:openldap *
:/var/lib/ldap# l
total 1100
-rw-r--r-- 1 openldap openldap    2048 2007-12-16 11:29 alock
-rw------- 1 openldap openldap    8192 2007-12-16 11:28 __db.001
-rw------- 1 openldap openldap 2629632 2007-12-16 11:28 __db.002
-rw------- 1 openldap openldap   98304 2007-12-16 11:28 __db.003
-rw------- 1 openldap openldap  868352 2007-12-16 11:28 __db.004
-rw------- 1 openldap openldap   24576 2007-12-16 11:28 __db.005
-rw-r--r-- 1 openldap openldap      96 2007-12-16 11:28 DB_CONFIG
-rw------- 1 openldap openldap   20480 2007-12-16 11:28 dn2id.bdb
-rw------- 1 openldap openldap   81920 2007-12-16 11:28 id2entry.bdb
-rw------- 1 openldap openldap  188602 2007-12-16 11:28 log.0000000001
-rw------- 1 openldap openldap    8192 2007-12-16 11:28 objectClass.bdb
:/var/lib/ldap# /etc/init.d/slapd start
Starting OpenLDAP: slapd.
:/var/lib/ldap# ps aux|grep sla
openldap 32335  0.0  0.3  48820  3440 ?        Ssl  11:32   0:00 /usr/sbin/slapd -g openldap -u openldap
root     32338  0.0  0.0   6476   776 pts/0    R+   11:32   0:00 grep sla
:/var/lib/ldap#

Importing LDIF data with ldapadd

ldapadd adds entries through the running server, over the LDAP protocol, so ACLs apply and slapd does not need to be stopped:

ldapadd -x -D [user] -W -f file.ldif

Without -f the LDIF is read from standard input, as in the example below.

Example :

:~# ldapadd -x -D "cn=admin,dc=bouthors,dc=fr" -W
Enter LDAP Password:
dn: cn=user1,ou=Users,dc=bouthors,dc=fr
cn: user1
sn: first user
objectClass: inetOrgPerson
objectClass: top

adding new entry "cn=user1,ou=Users,dc=bouthors,dc=fr"

:~#

Exporting data to LDIF

slapcat exports the content of the database in LDIF format. It reads the database files directly, so it bypasses ACLs and its output contains everything, including operational attributes and the userPassword hashes: protect the resulting file accordingly.

slapcat -l file

:!: 2011-01-16 There is currently a bug with slapcat on Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598361); the following error is displayed:

hdb_db_open: database "dc=bouthors,dc=fr": unclean shutdown detected; attempting recovery.
hdb_db_open: database "dc=bouthors,dc=fr": recovery skipped in read-only mode. Run manual recovery if errors are encountered.

The workaround is to stop slapd while slapcat runs.

Example

Example: creating two OUs and some entries:

  • OU=Users
    • CN=user1
    • CN=user2
  • OU=Groups
    • CN=Nomades

Both users are members of the Nomades group.

In this example, users use the object class inetOrgPerson and groups use groupOfUniqueNames.

Here is the data to import (LDIF format):

dn: ou=Users,dc=bouthors,dc=fr
ou: Users
objectClass: organizationalUnit
objectClass: top

dn: ou=Groups,dc=bouthors,dc=fr
ou: Groups
objectClass: organizationalUnit
objectClass: top

dn: cn=user1,ou=Users,dc=bouthors,dc=fr
cn: user1
sn: first user
objectClass: inetOrgPerson
objectClass: top

dn: cn=user2,ou=Users,dc=bouthors,dc=fr
cn: user2
sn: second user
objectClass: inetOrgPerson
objectClass: top

dn: cn=Nomades,ou=Groups,dc=bouthors,dc=fr
cn: Nomades
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=user1,ou=Users,dc=bouthors,dc=fr
uniqueMember: cn=user2,ou=Users,dc=bouthors,dc=fr

To add them to the LDAP server, use ldapadd as described above (the base entry dc=bouthors,dc=fr must already exist, as it does after dpkg-reconfigure).

After that, the new entries appear in the slapcat export.

Changing the schema

The LDAP schema defines the structure of entries (object classes and their attributes). Often the predefined classes are not sufficient.

For example, I use two custom object classes:

The class mboUser contains the following attributes:

  • cn (mandatory): user login and unique identifier
  • sn: full name
  • mail: email address
  • uidNumber: user number (UID)
  • gidNumber: group number (GID)
  • description: description
  • userPassword: password
  • homeDirectory: home directory
  • loginShell: shell
  • preferredLanguage: language
  • memberOf: groups of the user (custom attribute)

The class mboGroup contains the following attributes:

  • cn (mandatory): group name and unique identifier
  • gidNumber: group number (GID)
  • uniqueMember: list of users identified by their DN
  • description: description

Two caveats about the custom memberOf attribute: nothing in the server keeps it consistent with the uniqueMember values of the groups, so whatever maintains the directory must update both sides; and the name collides with the memberOf attribute provided by OpenLDAP's memberof overlay (the same name Active Directory uses), so this definition will conflict with that overlay if it is loaded later.

Here is how to configure OpenLDAP:

  • Create the schema file /etc/ldap/schema/mbo.schema with the following content:
# example attribute of type name
attributetype ( 1.3.6.1.4.1.200579.1.101 NAME 'mboNom'
        DESC 'example attribute of type name'
        SUP name )

# example attribute of type date
attributetype ( 1.3.6.1.4.1.200579.1.102 NAME 'mboDate'
        DESC 'example attribute of type date'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE
        )

# multi-valued DN attribute
attributetype ( 1.3.6.1.4.1.200579.1.1 NAME 'memberOf'
        DESC 'DNs of the groups the user belongs to'
        SUP uniqueMember )

objectclass ( 1.3.6.1.4.1.200579.2.1 NAME 'mboUser'
        DESC 'Define a user for bouthors.fr'
        SUP top
        STRUCTURAL
        MUST (cn)
        MAY (
                sn $ mail $ uidNumber $ gidNumber $ description $
                userPassword $ homeDirectory $ loginShell $
                preferredLanguage $ memberOf
                 )
        )

objectclass ( 1.3.6.1.4.1.200579.2.2 NAME 'mboGroup'
        DESC 'Define a group for bouthors.fr'
        SUP top STRUCTURAL
        MUST (cn)
        MAY (gidNumber $ uniqueMember $ description) )
  • Load the schema: in /etc/ldap/slapd.conf add the include below after the standard schema includes (core, cosine, nis, inetorgperson), because mbo.schema refers to attributes defined there (uniqueMember, mail, uidNumber, preferredLanguage, ...) and slapd refuses to start if a referenced attribute is not yet defined. On releases where slapd is configured through cn=config rather than slapd.conf, the schema has to be converted to LDIF and loaded under cn=schema,cn=config instead.
include         /etc/ldap/schema/mbo.schema

Then these classes can be used to create entries.

Example data with the custom schema (LDIF; excerpt of a phpLDAPadmin export, with the userPassword values blanked)

version: 1

# LDIF export for: dc=bouthors,dc=fr
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on December 22, 2007 11:50 am
# Server: My LDAP Server (localhost)
# Search scope: sub
# Search filter: (objectClass=*)
# Total entries: 50

dn: dc=bouthors,dc=fr
objectClass: top
objectClass: dcObject
objectClass: organization
o: bouthors.fr
dc: bouthors

dn: cn=admin,dc=bouthors,dc=fr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:

dn: ou=groups,dc=bouthors,dc=fr
ou: groups
objectClass: organizationalUnit
objectClass: top

dn: cn=web,ou=groups,dc=bouthors,dc=fr
cn: web
objectClass: mboGroup
uniqueMember: cn=matthieu,ou=users,dc=bouthors,dc=fr

dn: ou=services,dc=bouthors,dc=fr
ou: services
objectClass: organizationalUnit
objectClass: top

dn: cn=apache,ou=services,dc=bouthors,dc=fr
cn: apache
sn: apache
objectClass: person
objectClass: top
userPassword:

dn: ou=users,dc=bouthors,dc=fr
ou: users
objectClass: organizationalUnit
objectClass: top

dn: cn=matthieu,ou=users,dc=bouthors,dc=fr
cn: matthieu
sn: Matthieu Bouthors
objectClass: mboUser
loginShell: /bin/false
preferredLanguage: fr
uidNumber: 1000
gidNumber: 1000
homeDirectory: /ftp
mail: matthieu@bouthors.fr
userPassword:
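Both the groupOfUniqueNames data above and this custom-schema export are normally hand-edited or produced by a tool before being fed to ldapadd or slapadd, and nothing in the server checks that uniqueMember and the custom memberOf agree. The following is an added example, not code from the original page: a Python 3 checker using only the standard library that parses LDIF (comments, the version line, folded lines, base64 values) and reports dangling uniqueMember references, memberOf values that do not mirror the groups, and userPassword values that are empty or stored in clear. The LDIF embedded in it is constructed for the demonstration; the {SSHA} value is a placeholder, not a real hash.

```python
"""Pre-import checks for an LDIF file: membership references, the custom
memberOf/uniqueMember mirror, and password hygiene (stdlib only)."""
import base64
import sys


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] in file order. Handles
    comments, the version: line, folded lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):            # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.lower()
        if name == "version":
            continue
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas (assumes no escaped commas)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_ldif(text):
    """Return a list of (severity, message) findings for the LDIF text."""
    entries = parse_ldif(text)
    known = {norm_dn(dn) for dn, _ in entries}
    findings, groups = [], {}
    for dn, attrs in entries:                # group -> members, and dangling DNs
        for member in attrs.get("uniquemember", []) + attrs.get("member", []):
            groups.setdefault(norm_dn(dn), set()).add(norm_dn(member))
            if norm_dn(member) not in known:
                findings.append(("error", "%s: member %s is not in this LDIF" % (dn, member)))
    for dn, attrs in entries:
        me = norm_dn(dn)
        claimed = {norm_dn(g) for g in attrs.get("memberof", [])}
        actual = {g for g, members in groups.items() if me in members}
        for g in claimed - actual:
            findings.append(("error", "%s: memberOf %s but that group does not list it" % (dn, g)))
        for g in actual - claimed:
            findings.append(("warning", "%s: listed in %s but has no matching memberOf" % (dn, g)))
        for pw in attrs.get("userpassword", []):
            if pw == "":
                findings.append(("warning", "%s: empty userPassword (blanked export?)" % dn))
            elif not pw.startswith("{"):
                findings.append(("error", "%s: userPassword stored in clear (no {SCHEME} prefix)" % dn))
    return findings


# Constructed sample in the style of the exports above (not real data; the
# {SSHA} value is a placeholder). user2 has a cleartext password and no
# memberOf, and the group references an entry that does not exist.
SAMPLE_LDIF = """\
version: 1
dn: ou=users,dc=bouthors,dc=fr
ou: users
objectClass: organizationalUnit

dn: cn=matthieu,ou=users,dc=bouthors,dc=fr
cn: matthieu
sn:: TWF0dGhpZXUgQm91dGhvcnM=
objectClass: mboUser
userPassword: {SSHA}placeholder
memberOf: cn=web,ou=groups,dc=bouthors,dc=fr

dn: cn=user2,ou=users,dc=bouthors,dc=fr
cn: user2
objectClass: inetOrgPerson
userPassword: secret

dn: cn=web,ou=groups,dc=bouthors,dc=fr
cn: web
objectClass: mboGroup
uniqueMember: cn=matthieu,ou=users,dc=bouthors,dc=fr
uniqueMember: cn=user2,ou=users,dc=bouthors,dc=fr
uniqueMember: cn=nobody,ou=users,
 dc=bouthors,dc=fr
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    results = check_ldif(text)
    for severity, message in results:
        print("%s: %s" % (severity.upper(), message))
    sys.exit(1 if any(s == "error" for s, _ in results) else 0)
```

Run it as `python3 ldifcheck.py export.ldif` (on the constructed sample it reports two errors and one warning and exits 1). Entries whose parent is not in the file, such as ou=Users when the suffix entry already exists on the server, are deliberately not flagged; only references between entries and password storage are checked.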

Example of slapd.conf

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/mbo.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        none

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_hdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Disable Anonymous Bind
require authc
disallow bind_anon

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         hdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        hdb

# The base of your directory in database #1
suffix          "dc=bouthors,dc=fr"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn          "cn=admin,dc=bouthors,dc=fr"

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts.  They do NOT override an existing DB_CONFIG
# file.  You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint      512 30

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below.
# 'by anonymous auth' is still required when anonymous
# bind is disabled: it lets a not-yet-authenticated
# connection compare the password during its own bind.
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=bouthors,dc=fr" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access; everyone else
# can read everything (with anonymous bind disabled
# above, 'everyone' means every authenticated user).
access to *
        by dn="cn=admin,dc=bouthors,dc=fr" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=bouthors,dc=fr" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"

Performance and indexes

If searches are slow, or the log shows “bdb_equality_candidates” messages (an attribute used in an equality filter is not indexed), add indexes for the attributes used in common searches.

The steps are :

  • add indexes into slapd.conf :
# Indexing options for database #1
index           objectClass eq
index           cn eq
index           gidNumber eq
  • stop slapd
# /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
#
  • generate the indexes (running slapindex as the openldap user keeps the database files owned by the right account)
# sudo -u openldap slapindex
  • start slapd
# /etc/init.d/slapd start
Starting OpenLDAP: slapd.
#

Configuring services to use LDAP authentication

Backup

  • /etc/ldap/slapd.conf
  • /etc/ldap/schema/mbo.schema
  • /var/lib/ldap (copy it only while slapd is stopped, or use a slapcat export, which can be restored with slapadd)

Links

en/linux/openldap.txt · Last modified: 2011/01/16 18:47 by matthieu