Annotated edit history of LDAPNotes version 49, including all changes.
!!! Running [OpenLDAP] with [TLS] encryption

Most modern LinuxDistribution~s support [OpenLDAP] and [TLS] "out of the box". They'll all require generation of appropriate [SSL] certificates, and some will require additional configuration.

!! Certificates

You'll want to create certificates. See [SSLNotes] to learn how.

When creating certificates, set the HostName (cn) to the name that you'll be connecting to the server on! It'll fail otherwise. For example, if you'll be using [LDAP] + [TLS] to <tt>ldap.wlug.org.nz</tt>, set the <tt>Common Name</tt> to <tt>ldap.wlug.org.nz</tt>, and only ever connect to that name. If you use another name that resolves to the same [IP], it's not going to work.

It is important to have the permissions and ownership set right on your <tt>slapd.pem</tt> certificate. If you don't, slapd(8) will fail to start and exit without displaying an error. The exact permissions will depend on your distribution.
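As an added example (not part of the original wiki page), a POSIX shell script that performs the two checks just described before slapd(8) is started: that the certificate's <tt>Common Name</tt> (or a dNSName in subjectAltName, which current clients check instead of the CN) matches the hostname clients will use, and that the key file is not world-readable. It assumes openssl(1) and stat(1) are installed; the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a slapd certificate
# and key before starting slapd(8). Assumes openssl(1) and stat(1) are present.

# cert_cn CERT.pem -> print the certificate's Common Name
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_matches_host CERT.pem HOSTNAME -> succeed if HOSTNAME is the CN, or
# appears as a dNSName in subjectAltName (what modern clients actually check)
cert_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ] && return 0
    openssl x509 -in "$1" -noout -text |
        tr ',' '\n' | grep -q "^ *DNS:$2\$"
}

# key_not_world_readable FILE -> succeed if the "other" permission bits are clear
key_not_world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    case $mode in *0) return 0 ;; *) return 1 ;; esac
}

# check_slapd_tls CERT.pem KEY.pem HOSTNAME -> report both problems, fail if any
check_slapd_tls() {
    rc=0
    cert_matches_host "$1" "$3" ||
        { echo "cert CN/SAN does not match $3 (CN is '$(cert_cn "$1")')"; rc=1; }
    key_not_world_readable "$2" ||
        { echo "$2 is world-readable; restrict it (e.g. chmod o= $2)"; rc=1; }
    return $rc
}

# Usage (placeholder paths):
#   check_slapd_tls /etc/ldap/certs/slapd-cert.pem /etc/ldap/certs/slapd-key.pem ldap.wlug.org.nz
```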

!! Configuration

Update your <tt>slapd.conf</tt> appropriately to point to your key files:

<verbatim>
TLSCACertificateFile /etc/ssl/cacert.pem
TLSCertificateFile /etc/ldap/certs/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/certs/slapd-key.pem
TLSRandFile /etc/ldap/certs/randfile
TLSCipherSuite HIGH:MEDIUM:+SSLv2
</verbatim>

Note that the <tt>TLSCipherSuite</tt> line above dates from when SSLv2 was still in use; on a current server leave <tt>+SSLv2</tt> out, as SSLv2 is long obsolete and its ciphers are weak.

!! Distribution Specific notes

! [Debian] [Woody]

Debian Woody ships with a version of slapd(8) that doesn't have [TLS] support enabled. Check out the References section below for links to backports available for Debian Woody, or else rebuild the Debian slapd(8) [Package] with [TLS] support yourself. Change the line in <tt>debian/rules</tt> from <tt>--without-tls</tt> to <tt>--with-tls</tt>.

You'll also need to change the init script: in <tt>/etc/init.d/slapd</tt>, change the line that says <tt>start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd</tt> to read <tt>start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps:/// ldap:///"</tt>. This starts slapd(8) listening on the <tt>ldaps</tt> and <tt>ldap</tt> [Port]s. You can also use <tt>ldapi</tt> to use [LDAP] over a [Unix] domain socket.

! [Debian] [Sarge]

The package that comes with [Sarge] has [TLS] support enabled. Instead of hacking up the init script, edit <tt>/etc/default/slapd</tt> and change the <tt>SLAPD_SERVICES</tt> variable to suit your site, e.g.:

<verbatim>
SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:///"
</verbatim>

The example above will cause slapd(8) to listen on the <tt>ldap</tt> port only on the localhost interface, and on the <tt>ldaps</tt> port on any interface.

! RedHat 7.x

RedHat 7.x supports [TLS] out of the box. All you have to do is recreate your slapd(8) certificate and uncomment the [TLS] config lines in <tt>/etc/openldap/slapd.conf</tt>.

<pre>
cd /usr/share/ssl/certs
make slapd.pem
''... answer some questions ...''
</pre>

Remember our advice about the <tt>Common Name</tt> here.

Use the following commands to set the permissions correctly for RH 7.x:

<verbatim>
chmod u=rw,g=r,o= slapd.pem
chown root:ldap slapd.pem
</verbatim>

-----

!!! LDAP Client Authentication

See [LDAPAuthentication] for a detailed example of keeping user accounts in LDAP.

!!! NSCD

After configuring [LDAP] client authentication, you probably want to enable nscd(8) to load at boot (in runlevels 2, 3, 4, & 5). nscd(8) is a dæmon which keeps a cache of looked-up passwords and groups for running programs, so that your [LDAP] (or [NIS]) server won't get hammered. It also makes clients more responsive.

!!! HTTP authentication in Apache
First, enable Apache's LDAP authentication module (distributed with apache2 in recent distributions), which is called __authnz_ldap__.
(Debian-based distros: run ''a2enmod authnz_ldap'')

The following assumes you are only doing this on SSL-enabled sites or on a LAN so that packet sniffing isn't a security concern:
<verbatim>
<Location /ldap.html>
    AuthName "test ldap auth"
    AuthType Basic
    # the following will check against the uid attribute
    AuthLDAPURL ldap://ldapserver.hostname/ou=People,dc=yourdomain,dc=com?uid
    # our ldap server allows anonymous binds, so we don't need these:
    # AuthLDAPBindDN
    # AuthLDAPBindPassword

    # choose a method of access:
    # 1) TO LIMIT ACCESS TO A SET OF USERS:
    #Require ldap-user user1 user2 user3

    # 2) TO LIMIT ACCESS TO VALID USERS IN LDAP:
    # use ldap instead of the default "file"
    AuthBasicProvider ldap
    # allow AuthBasic to work
    AuthzLDAPAuthoritative off
    # valid-user is an AuthBasic directive...
    Require valid-user

    # 3) TO LIMIT ACCESS TO MEMBERS OF A GROUP:
    ## which ldap attribute do we use (defaults to uniqueMember)
    ## the posixGroup objectClass uses the memberUid attribute:
    #AuthLDAPGroupAttribute memberUid
    #AuthLDAPGroupAttributeIsDN off
    #Require ldap-group cn=admins,ou=Group,dc=yourdomain,dc=com
</Location>
</verbatim>

!!! Traps and Trip-ups

There are a few things to get tripped up on with [LDAP].

[TLS]:
Make sure you have the same hostnames in your server's [SSL] cert <tt>Common Name</tt> and [TLS] client configurations. __Also__ make sure the permissions on the cert file (<tt>slapd.pem</tt>) are correct (see above).

rootbinddn:
In <tt>/etc/ldap.conf</tt> (<tt>pam_ldap</tt>'s config file), make sure you spell the root user's (aka Manager) DN correctly. This sounds stupid but it's an easy one to miss.

<tt>/etc/pam.d/system-auth</tt>:
Make sure authconfig hasn't mangled your PAM config.

LDAP lookups fail for non-root users:
Your config files are probably not readable. Make sure <tt>/etc/nss-ldap.conf</tt> is readable by non-root users.

slapcat(8) works for root, but ldapsearch(1) shows absolutely no entries:
Perhaps the permissions on your database files disallow slapd(8) from reading them (you'd think [OpenLDAP] would give an error in this case, but it doesn't).

There's also the possibility that you forgot to edit <tt>/etc/ldap/ldap.conf</tt> (in [Debian] [Sarge] at least) to define the <tt>BASE</tt> and <tt>URI</tt> settings.

You should also try ldapsearch(1), passing <tt>-h <hostname></tt> and <tt>-b <base dn></tt> explicitly.

<tt>no structuralObjectClass operational attribute</tt>:
This seems to occur in a range of configurations, including having replication set up. Disabling replication has been reported to fix this, however that's not an optimal solution. The error probably occurs because the data in your tree isn't consistent. You should make sure <tt>schemacheck</tt> is turned on and try reimporting your database from an [LDIF], fixing errors as you go.

<tt>ldap_sasl_bind_interactive_s No such attribute</tt>:
You're trying to use [SASL] but it isn't configured properly. Try <tt>ldapsearch -x</tt>; if this works, then you have [SASL] issues. The usual workaround is to always pass <tt>-x</tt> (simple bind).


!!! Using the special <tt>rootdn</tt> and <tt>rootpw</tt> values

[OpenLDAP] has a special root account that has root access to the [LDAP] tree, bypassing any [ACL]s that you have in place. This account is controlled through the <tt>rootdn</tt> and <tt>rootpw</tt> attributes in <tt>slapd.conf</tt>.

__<tt>rootpw</tt> must be initialised from the output of the <tt>slappasswd</tt> command.__ This isn't immediately obvious from any of the documentation and trying to bind as the <tt>rootdn</tt> will fail silently if you initialise it with a plaintext value.
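As an added example (not part of the original wiki page, and not the <tt>slappasswd</tt> tool itself), a POSIX shell script that builds and verifies a hash in the <tt>{SSHA}</tt> form that <tt>slappasswd</tt> prints by default, so you can see exactly what a <tt>rootpw</tt> line carries and check a hash you've been handed. It assumes openssl(1) is installed and uses a temporary directory to keep the binary salt and digest out of shell variables.

```shell
#!/bin/sh
# Added example, not from the original page: produce and verify a password
# hash in the {SSHA} form that slappasswd(8) prints by default, i.e.
#   "{SSHA}" + base64( SHA1(password || salt) || salt )   with a 4-byte salt.
# Assumes openssl(1) and mktemp(1) are present.

# ssha_hash PASSWORD [SALTFILE] -> print the {SSHA} string (random salt unless given)
ssha_hash() {
    hd=$(mktemp -d) || return 1
    if [ -n "$2" ]; then cp "$2" "$hd/salt"; else openssl rand 4 > "$hd/salt"; fi
    { printf '%s' "$1"; cat "$hd/salt"; } | openssl dgst -sha1 -binary > "$hd/dgst"
    printf '{SSHA}%s\n' "$(cat "$hd/dgst" "$hd/salt" | openssl base64 | tr -d '\n')"
    rm -rf "$hd"
}

# ssha_verify HASH PASSWORD -> succeed if PASSWORD matches the {SSHA} HASH
ssha_verify() {
    case $1 in '{SSHA}'*) ;; *) return 1 ;; esac
    vd=$(mktemp -d) || return 1
    printf '%s\n' "$1" | sed 's/^{SSHA}//' | openssl base64 -d > "$vd/raw"
    # the salt is whatever follows the 20-byte SHA-1 digest
    dd if="$vd/raw" of="$vd/salt" bs=1 skip=20 2>/dev/null
    want=$(ssha_hash "$2" "$vd/salt")
    rm -rf "$vd"
    [ "$want" = "$1" ]
}

# Usage: the printed line is what belongs after "rootpw" in slapd.conf
#   ssha_hash 'the-root-password'
```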


!!! Neat and Useful Programs

! Useful apps for your [LDAP] system

* [Directory Administrator|http://diradmin.open-it.org] - An extremely handy GTK user maintenance tool.
* [gq|http://biot.com/gq] - A GTK-based LDAP client.
* [Erudite Directory Service Admin|http://edsadmin.sourceforge.net] - A small pyGTK2 user management tool.
* [gosa|https://gosa.gonicus.de] - A full-featured web-based host and account management system.
* [phpldapadmin|http://phpldapadmin.sourceforge.net] - Web-based account management system.
* [JXplorer|http://www.jxplorer.org] - Java-based LDAP browser and editor. Supports custom HTML templates.

! Contact management tools

* [directoryassistant|http://olivier.sessink.nl/directoryassistant] - A small (and improvable) LDAP address book manager
* [turba|http://www.horde.org/turba] - The contact manager from the Horde project
* Many [Email] clients. In particular, Evolution 2 should be able to search, edit and insert new contacts in the [LDAP] address book.

! Patches for [LDAP] support

* [Brian Masney's patch|http://www.lunytune.net/isc-ldap.html] for [DHCP] to use [LDAP] as a backend.


!!! References

* A reasonable-looking [Intro to LDAP|http://quark.humbug.org.au/publications/ldap/intro_ldap/index.htm]
* [SAGE guide on LDAP system authentication|http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_auth.html]
* [LDAP related notes|http://www.kingsmountain.com/ldapRoadmap.shtml]
* [Michael Jason-Smith's LDAP page|http://ldots.org/ldap/]
* [The Debian Wiki's LDAP entry|http://wiki.debian.net/index.cgi?LDAPAuthentication]
* [Notes on replication|http://snipsnap.wendlandnet.de/digital-life/space/start/2004-10-01/1#Directoy_replication_with_syncrepl]
* [Debian Woody backports of various LDAP utilities|http://cmeerw.org/debian/]
* [Some more notes|http://cmeerw.org/notes/ldap.html]


!!! See Also

* OpenLdapAccessControls
* AccessControlLists
* ActiveDirectoryAuthenticationNotes

----
Part of CategoryNotes and CategorySystemAdministration
