ldap

LDAP stands for Lightweight Directory Access Protocol.
LDAP is a way to access centrally stored information over the network. This centrally stored information is organized in a directory that follows the X.500 standard.

The information is stored and organized hierarchically. The advantage of this approach is that the information can be grouped into containers, and clients can access those containers whenever needed.
The OpenLDAP hierarchy closely resembles the DNS hierarchy.

The following are the two most commonly used objects in OpenLDAP:
  1. cn (common name) – This refers to the leaf entries, which are end objects (for example, users and groups).
  2. dc (domain component) – This refers to one of the container entries in the LDAP hierarchy. If in a setup the LDAP hierarchy is mapped to a DNS hierarchy, typically all DNS domains are represented as DC objects.
For example, if there is a user in the hierarchy http://www.example.com, the fully distinguished name of this user is referred to as cn=www, dc=example, dc=com. Notice that in the FDN (fully distinguished name) a comma is used as the separator, not the dot that is common in DNS.
By using the different LDAP entry types, you can set up a hierarchical directory structure. This is the reason OpenLDAP is so widely used. You can easily build an OpenLDAP hierarchy in which objects in other locations are referred to without storing them on local servers. This makes OpenLDAP a lightweight directory, especially when compared to other directory servers such as Microsoft's Active Directory.
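As an added example (not part of the original post), the following Python builds and parses DNs the way described above: a DNS domain becomes a chain of dc= components, RDNs are joined with commas leaf-first, and a comma inside a value has to be escaped per RFC 4514 so it is not mistaken for a separator. The function names are my own.

```python
import re

def dns_to_base_dn(domain):
    """Map a DNS domain to its dc= container chain: example.com -> dc=example,dc=com."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))

# RFC 4514: these characters must be backslash-escaped inside an RDN value.
_SPECIAL = ',+"\\<>;'

def escape_rdn_value(value):
    """Escape a raw attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)

def build_dn(rdns, base_dn):
    """rdns is a leaf-first list of (attribute, value), e.g. [("cn", "www")]."""
    parts = [f"{attr}={escape_rdn_value(val)}" for attr, val in rdns]
    return ",".join(parts + [base_dn])

def parse_dn(dn):
    """Split a DN on unescaped commas; returns a leaf-first list of (attribute, value)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):          # comma not preceded by a backslash
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.lower(), re.sub(r"\\(.)", r"\1", value)))  # drop the escapes
    return rdns

if __name__ == "__main__":
    base = dns_to_base_dn("example.com")
    print(build_dn([("cn", "www")], base))          # cn=www,dc=example,dc=com
    print(parse_dn("cn=Smith\\, John,dc=rafi,dc=com"))
```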
Now let's see how to set up a single LDAP server instance that multiple clients in your network can use for authentication. The following packages are required:
  1. openldap-servers – This is the main LDAP server
  2. openldap-clients – This contains all required LDAP client utilities
  3. openldap – This package contains the LDAP support libraries

LDAP Config Files

  • config.ldif – The LDAP default configuration is stored in the file /etc/openldap/slapd.d/cn=config.ldif, which is written in LDIF format. This is the LDAP Input Format (LDIF), a specific format that allows you to enter information into the LDAP directory.
  • olcDatabase{2}bdb.ldif – You can also modify settings such as the number of connections the server can support, timeouts and other database settings in the file /etc/openldap/slapd.d/cn=config/olcDatabase{2}bdb.ldif. This is also the file that contains parameters such as the LDAP root user and the base DN.

[root@LDAP ~]# yum install *openldap* 

[root@LDAP ~]# yum install -y openldap openldap-clients openldap-servers

[root@LDAP ~]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2250/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2045/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2375/master
tcp        0      0 :::22                       :::*                        LISTEN      2250/sshd
tcp        0      0 ::1:631                     :::*                        LISTEN      2045/cupsd
tcp        0      0 ::1:25                      :::*                        LISTEN      2375/master

[root@LDAP ~]# service slapd status
slapd is stopped

[root@LDAP ~]# service slapd start
Starting slapd:                                            [  OK  ]

[root@LDAP ~]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      3044/slapd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2250/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2045/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2375/master
tcp        0      0 :::389                      :::*                        LISTEN      3044/slapd
tcp        0      0 :::22                       :::*                        LISTEN      2250/sshd
tcp        0      0 ::1:631                     :::*                        LISTEN      2045/cupsd
tcp        0      0 ::1:25                      :::*                        LISTEN      2375/master

[root@LDAP ~]# chkconfig --list | grep slapd
slapd           0:off 1:off 2:off 3:off 4:off 5:off 6:off

[root@LDAP ~]# chkconfig slapd --level 235 on

[root@LDAP ~]# chkconfig --list | grep slapd
slapd           0:off 1:off 2:on 3:on 4:off 5:on 6:off

[root@LDAP ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@LDAP ~]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@LDAP ~]# vim /etc/selinux/config 
[root@LDAP ~]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@LDAP ~]# ls -l /etc/openldap/
total 20
drwxr-xr-x. 2 root root 4096 Mar 27 07:07 certs
-rw-r-----. 1 root ldap  121 Sep 30 03:54 check_password.conf
-rw-r--r--. 1 root root  282 Oct 24 05:52 ldap.conf
drwxr-xr-x. 2 root root 4096 Mar 27 07:07 schema
drwx------. 3 ldap ldap 4096 Mar 27 07:07 slapd.d

[root@LDAP ~]# slappasswd 
New password:
Re-enter new password:
{SSHA}4CmU0AzDA1bkRjho9+cfrb5krz5X6aSZ

Take the hash output of the above command and add it to the olcRootPW parameter in the config.ldif file as shown below.

[root@LDAP ~]# cat >> /etc/openldap/slapd.d/cn\=config.ldif 
olcRootPW: {SSHA}4CmU0AzDA1bkRjho9+cfrb5krz5X6aSZ

[root@LDAP ~]# cat /etc/openldap/slapd.d/cn\=config.ldif | grep olcRootPW:
olcRootPW: {SSHA}4CmU0AzDA1bkRjho9+cfrb5krz5X6aSZ
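To show what the {SSHA} value printed by slappasswd actually is, here is an added Python example (not from the original post): base64 of a SHA-1 digest over password+salt, followed by the salt itself. The 4-byte salt length is an inference from the hash above, which decodes to 24 bytes (20-byte digest plus 4); the function names are my own.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20   # SHA-1 digest length in bytes; whatever follows it is the salt

def ssha_hash(password, salt=None):
    """Build an {SSHA} value the way slappasswd does: base64(sha1(password + salt) + salt).
    A 4-byte random salt is assumed here, matching the 24-byte decoded hash on the page."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_salt_length(stored):
    """How many salt bytes follow the digest in a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    return len(base64.b64decode(stored[len(PREFIX):])) - DIGEST_LEN

def ssha_verify(password, stored):
    """Recompute the digest with the stored salt and compare it to the stored digest;
    this is the check slapd performs on a simple bind against a hashed password."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

if __name__ == "__main__":
    # Constructed sample password; the real olcRootPW is whatever slappasswd printed.
    sample = ssha_hash("correct horse")
    print(sample, ssha_verify("correct horse", sample), ssha_verify("wrong", sample))
```

A salted SHA-1 is fast to compute, so it gives little protection against guessing if the hash leaks; that is why the slapd.d directory holding olcRootPW is readable only by the ldap user, as the ls -l listing above shows.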

[root@LDAP ~]# cat /etc/openldap/ldap.conf 
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/cacerts

[root@LDAP ~]# cd /etc/openldap/slapd.d/cn\=config

[root@LDAP cn=config]# ls -l
total 80
drwx------. 2 ldap ldap  4096 Mar 27 07:07 cn=schema
-rw-------. 1 ldap ldap 59366 Mar 27 07:07 cn=schema.ldif
-rw-------. 1 ldap ldap   663 Mar 27 07:07 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap   596 Mar 27 07:07 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap   695 Mar 27 07:07 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap  1273 Mar 27 07:07 olcDatabase={2}bdb.ldif

Create olcSuffix Domain Name
Now set olcSuffix to the domain that you want. Simply modify the line that starts with olcSuffix in the file olcDatabase={2}bdb.ldif as shown below.

[root@LDAP ~]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase={2}bdb.ldif |grep olcSuffix:
olcSuffix: dc=my-domain,dc=com

[root@LDAP ~]# nano /etc/openldap/slapd.d/cn\=config/olcDatabase={2}bdb.ldif
[root@LDAP ~]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase={2}bdb.ldif |grep olcSuffix:
olcSuffix: dc=rafi,dc=com
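Once olcSuffix is dc=rafi,dc=com the database is still empty: the suffix entry itself has to be added (with ldapadd or slapadd) before any ou or cn can live under it. The following added Python example (not from the original post) generates that LDIF, base64-encoding any value that RFC 2849 does not allow literally; the function names are my own.

```python
import base64

def ldif_attr(name, value):
    """One 'name: value' line. Values that RFC 2849 cannot carry literally
    (non-ASCII, NUL/CR/LF, leading space, ':' or '<', trailing space)
    are base64-encoded and written as 'name:: value' instead."""
    literal_ok = (value.isascii()
                  and not any(c in value for c in "\0\r\n")
                  and not value.startswith((" ", ":", "<"))
                  and not value.endswith(" "))
    if literal_ok:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def base_dn_for(domain):
    """rafi.com -> dc=rafi,dc=com, the same mapping the post describes."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))

def suffix_entry_ldif(domain, org_name=None):
    """LDIF for the suffix (root) entry: a dcObject that is also an organization."""
    labels = domain.strip(".").split(".")
    lines = [
        ldif_attr("dn", base_dn_for(domain)),
        "objectClass: top",
        "objectClass: dcObject",
        "objectClass: organization",
        ldif_attr("dc", labels[0]),            # dc must equal the leftmost label
        ldif_attr("o", org_name or labels[0]),
    ]
    return "\n".join(lines) + "\n"

def ou_entry_ldif(domain, ou):
    """LDIF for a container such as ou=People directly under the suffix."""
    lines = [
        ldif_attr("dn", f"ou={ou},{base_dn_for(domain)}"),
        "objectClass: top",
        "objectClass: organizationalUnit",
        ldif_attr("ou", ou),
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Save the output as base.ldif and load it with:
    #   ldapadd -x -D <olcRootDN from olcDatabase={2}bdb.ldif> -W -f base.ldif
    print(suffix_entry_ldif("rafi.com", "Rafi Example Org"))   # org name is constructed
    print(ou_entry_ldif("rafi.com", "People"))
```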

/etc/openldap/ldap.conf
The configuration file for client applications that use the OpenLDAP libraries. This includes ldapadd, ldapsearch, Evolution, etc.

/etc/openldap/slapd.d/
The directory containing the slapd configuration.

Command       Description
ldapadd       Adds entries to an LDAP directory, either from a file or from standard input. It is a symbolic link to ldapmodify -a.
ldapcompare   Compares a given attribute with an LDAP directory entry.
ldapdelete    Deletes entries from an LDAP directory.
ldapexop      Performs extended LDAP operations.
ldapmodify    Modifies entries in an LDAP directory, either from a file or from standard input.
ldapmodrdn    Modifies the RDN value of an LDAP directory entry.
ldappasswd    Sets or changes the password for an LDAP user.
ldapsearch    Searches LDAP directory entries.
ldapurl       Composes or decomposes LDAP URLs.
ldapwhoami    Performs a whoami operation on an LDAP server.

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

slaptest -u

Command       Description
slapacl       Checks the access to a list of attributes.
slapadd       Adds entries from an LDIF file to an LDAP directory.
slapauth      Checks a list of IDs for authentication and authorization permissions.
slapcat       Pulls entries from an LDAP directory in the default format and saves them in an LDIF file.
slapdn        Checks a list of Distinguished Names (DNs) based on the available schema syntax.
slapindex     Re-indexes the slapd directory based on the current content. Run this utility whenever you change indexing options in the configuration file.
slappasswd    Creates an encrypted user password to be used with the ldapmodify utility or in the slapd configuration file.
slapschema    Checks the compliance of a database with the corresponding schema.
slaptest      Checks the LDAP server configuration.
