
Differences between version 43 and predecessor to the previous major change of LDAPNotes.


Newer page: version 43 Last edited on Thursday, November 3, 2005 8:14:49 am by VincentKnecht
Older page: version 38 Last edited on Friday, July 15, 2005 8:43:51 am by JamesBarrett
@@ -1,73 +1,80 @@
 [OpenLDAP] 
  
-A reasonable looking intro to LDAP is available here: http://staff.pisoftware.com/bmarshal/publications/intro_ldap/index.htm  
  
-Another one which covers LDAP system authentication is here: http://staff.pisoftware.com/bmarshal/publications/system_auth/sage-au/system_auth.html  
+!!!OpenLDAP + TLS  
  
-A reasonable selection of LDAP related notes: http://www .kingsmountain.com/ldapRoadmap.shtml  
+Most modern linux distributions will support OpenLDAP and TLS "out of the box" . They'll all require generation of appropriate SSL certificates, and some will require additional configuration  
  
-----  
  
-!!Debian specific install notes  
  
-The OpenLDAP2 packages under Debian Woody (3.), are compiled --with-cyrus-sasl, which will cause issues if you want to do full ldap auth due to a bug in sasl, and also --with-sql, which means they link against libiodbc2, which in turn requires xlib, glib and gtkxmhtml to be installed ! So you end up having to have xlib (the basic X libraries) installed when you want to install slapd (the ldap daemon).  
+!! Certificates  
  
-The good news is this is fixed in testing. They seperate out the components that require xlib and so on. Until then, if you want to get rid of xlib, you 'll need to recompile the debs for slapd --without-sql, or recompile libiodbc2 without the components that need xlib ec  
+You 'll want to create certificates. See [SSLNotes].  
  
+__Note__: When creating certificates, set the hostname (cn) as being the name that you'll be connecting to the server on! It'll fail otherwise. Eg, if you'll be using ldap+tls to ldap.wlug.org.nz, make sure to set that as the Common Name! And only ever connect to that name.  
  
-----  
-Also see our [LDAPAuthentication] wiki page, and also http ://ldots .org/ldap/, written by Michael !JasonSmith at CanterburyUniversity
+__Note :__ It is important to have the permissions and ownership set right on your slapd.pem cert. If you don't slapd will fail to start and exit without displaying an error . The exact permissions will depend on your distribution
  
-Some other interesting URL's - [Debian's Wiki LDAP entry|http://wiki.debian.net/index.cgi?LDAPAuthentication], some backports of various LDAP utilities for Debian Woody are at [ http://cmeerw.org/debian/] and some more notes at [http://cmeerw.org/notes/ldap.html]  
-  
- !!!OpenLDAP + TLS  
-  
-!!Debian specific:  
-  
-Under debian, you'll need to recompile slapd. change the line in debian/rules from --without-tls to --with-tls  
-  
-You'll want to create certificates. See [SSLNotes].  
-  
-__Note__: When creating certificates, set the hostname (cn) as being the name that you'll be connecting to the server on! It'll fail otherwise. Eg, if you'll be using ldap+tls to ldap.wlug.org.nz, make sure to set that as the Common Name! And only ever connect to that name.  
+!! Configuration  
  
 Update your slapd.conf appropriately 
  TLSCACertificateFile /etc/ssl/cacert.pem 
  TLSCertificateFile /etc/ldap/certs/slapd-cert.pem 
  TLSCertificateKeyFile /etc/ldap/certs/slapd-key.pem 
  TLSRandFile /etc/ldap/certs/randfile 
  TLSCipherSuite HIGH:MEDIUM:+SSLv2 
  
+!! Distribution Specific notes:  
  
+! Debian Woody  
+  
+Debian Woody ships with a version of slapd that doesn't have TLS support enabled. Check out the References section below for links to backports available for Debian Woody, or else rebuild the debian slapd package with TLS support yourself. Change the line in debian/rules from --without-tls to --with-tls.  
+  
+You'll also need to change the init script:  
 in /etc/init.d/slapd, change the line that says 
- start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd  
- 
+<verbatim>  
+ start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd  
+</verbatim>  
 to read 
- start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps:/// ldap:///" 
+<verbatim>  
+ start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps:/// ldap:///"  
+</verbatim>  
  
 This starts slapd listening on ldaps and ldap. You can also use ldapi to use ldap over a unix domain socket. 
+  
+! Debian Sarge  
+  
+The package that comes with Sarge has TLS support enabled. Instead of hacking up the init script, edit /etc/default/slapd and change the SLAPD_SERVICES variable to suit your site, eg:  
+  
+<verbatim>  
+SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:///"  
+</verbatim>  
+  
+Will cause slapd to listen on the localhost interface for ldap, and on any interface for ldaps.  
+  
  
 !!!RedHat 7.x Specific 
  
 RedHat 7.x supports TLS out of the box. All you have to do is recreate your slapd certificate & uncomment the TLS config lines in /etc/openldap/slapd.conf. 
  
- cd /usr/share/ssl/certs  
- make slapd.pem  
- ... answer some questions  
- 
+<verbatim>  
+ cd /usr/share/ssl/certs  
+make slapd.pem  
+... answer some questions  
+</verbatim>  
 __Note:__ When answering the 2nd to last question about the "Common Name" it is important you specify the server name you're going to be using when connecting from clients. Eg, ldap.somehost.com. It is important that you set up clients to connect via this name. If they use another name that resolves to the same IP it's not going to work. This caught me out in the beginning. I would get connection errors in clients like GQ (a GTK LDAP query tool http://biot.com/gq/). 
  
- chmod u=rw,g=r,o= slapd.pem  
- chown root.ldap slapd.pem 
+Use the following commands to set the permissions correctly for RH 7.x:  
+<verbatim>  
+ chmod u=rw,g=r,o= slapd.pem  
+chown root.ldap slapd.pem  
+</verbatim>  
  
-__Note:__ It is important to have the permissions and ownership set right on your slapd.pem cert. If you don't slapd will fail to start and exit without displaying an error.  
-  
-----  
  
 !!!LDAP Client Auth 
  
 See [LDAPAuthentication] for a detailed example of this. 
-  
  
  
 !!!NSCD 
  
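Review bot: the slapd.conf block under "Update your slapd.conf appropriately" is carried into the new Configuration section unchanged, including `TLSCipherSuite HIGH:MEDIUM:+SSLv2`; `+SSLv2` re-enables the SSLv2 cipher suites and `MEDIUM` admits weaker ciphers, so while this section is being rewritten as general guidance the line should become `TLSCipherSuite HIGH` (drop `:MEDIUM:+SSLv2`). Several of the added lines also carry stray spaces that will render as odd gaps ("You 'll want to create certificates", "__Note :__ It is important", "exit without displaying an error .", "\"out of the box\" ."), and the Sarge example `SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:///"` deserves a sentence saying why plain ldap is bound to localhost only (so simple binds are never sent in the clear off-host), since that is the reason to prefer it over the Woody init-script edit that listens on `ldap:///` everywhere.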
@@ -80,119 +87,62 @@
 # ''__TLS__'' - Make sure you have the same host names in your Servers SSL Cert Common Name and TLS client configs. __Also__ make sure the permissions on the cert file (slapd.pem) are correct (see above). 
 # ''__rootbinddn__'' - In /etc/ldap.conf (pam_ldap's config file), make sure you spell the root user's (aka Manager) DN correctly. This sounds stupid but they it's an easy one to miss. 
 # ''__/etc/pam.d/system-auth__'' - Make sure authconfig hasn't bollocked your pam config. 
 # If ldap lookups fail for non-root users, but works for root, then it's probably because your config files are not readable. Make sure __/etc/nss-ldap.conf__ is readable by non-root users. 
-# If slapcat(8) works for root, but ldapsearch(1) shows absolutely no entries, then perhaps the permissions on your database files disallow slapd(8) from reading them (You'd think [OpenLDAP] would give an error in this case but nooo...). There's also the possibility that you fogot to edit /etc/ldap/ldap.conf (in Debian Testing at least) to define the BASE and URI configs. You should also try ldapsearch(1) passing the -h <hostname> and -b <base dn> too! 
+# If slapcat(8) works for root, but ldapsearch(1) shows absolutely no entries, then perhaps the permissions on your database files disallow slapd(8) from reading them (You'd think [OpenLDAP] would give an error in this case but nooo...). There's also the possibility that you fogot to edit /etc/ldap/ldap.conf (in Debian Sarge at least) to define the BASE and URI configs. You should also try ldapsearch(1) passing the -h <hostname> and -b <base dn> too! 
  
-!!!Integration with Outlook and Outlook Express  
  
-Here are a list of attibutes used by the various "Outlook/OE" clients for their addressbooks. Note, there is no simple way to "add" contacts to an LDAP tree from these programs - none that I am aware of anyway...  
-Outlook 2K (Workgroup mode)/ Outlook XP:  
+!! no structuralObjectClass operational attribute  
  
-commonName%%%  
-department%%%  
-display-name%%%  
-givenName%%%  
-mail%%%  
-organizationalUnitName%%%  
-organizationName%%%  
-physicalDeliveryOfficeName%%%  
-postalAddress%%%  
-2roleOccupant%%%  
-surname%%%  
-telephoneNumber%%%  
-title%%%  
+This seems to occur in range of configurations, including having replication set up. Disabling replication has been reported to fix this, however that's not an optimal solution.  
  
+The error probably occurs because the data in your tree isn't consistent. You should make sure schemacheck is turned on and try reimporting your database from an ldif, fixing errors as you go.  
  
+!!ldap_sasl_bind_interactive_s: No such attribute  
+You're trying to use [SASL] and [SASL] isn't configured properly. try ldapsearch -x, if this works, then you have [SASL] issues. The usual solution is to always use "-x" :)  
  
-Outlook Express:%%%  
+!!!Using the special rootdn and rootpw values  
+[OpenLDAP] has a special root account that has root access to the LDAP tree, bypassing any ACLs that you have in place. This account is controlled through the rootdn and rootpw attributes in slapd.conf.  
  
-comment%%%  
-commonName%%%  
-conferenceInformation%%%  
-department%%%  
-display-name%%%  
-facsimileTelephoneNumber%%%  
-givenName%%%  
-homePhone%%%  
-homePostalAddress%%%  
-info%%%  
-initials%%%  
-IPPhone%%%  
-labeledURI%%%  
-mail%%%  
-Manager%%%  
-mobile%%%  
-!OfficeFax%%%  
-!OfficePager%%%  
-organizationalUnitName%%%  
-organizationName%%%  
-otherFacsimileTelephoneNumber%%%  
-otherMailbox%%%  
-otherPager%%%  
-pager%%%  
-physicalDeliveryOfficeName%%%  
-postalAddress%%%  
-postalCode%%%  
-Reports%%%  
-street%%%  
-streetAddress%%%  
-surname%%%  
-telephoneNumber%%%  
-title%%%  
-userCertificate;binary%%%  
-userSMIMECertificate;binary%%%  
+__rootpw must be initialised from the output of the slappasswd command__ this isn't immediately obvious from any of the documentation and trying to bind as the rootdn will fail silently if you initialise it as a plaintext value.  
  
  
-Note 1: outlook uses the 'mail' attribute for the email address, some  
- LDAP server (Netscape) declare this as 'rfc822mailbox'.%%%  
-Linking mail->rfc822mailbox makes it work.%%%  
-  
-Note 2 : Outlook 2K /XP does not query LDAP for a users' PKI certificate,  
-Outlook express does .  
-  
+!!Patch for [DHCP] to use [ LDAP] as a backend  
+http ://www .newwave.net/~masneyb/dhcp-3..1rc12-ldap-patch  
  
  
 !!!Neat & Useful Programs 
  
 Here are some useful apps to use with your LDAP system: 
  
 # [Directory Administrator|http://diradmin.open-it.org] - An extremely handy GTK user maintenance tool. 
 # [gq|http://biot.com/gq] - A GTK-based LDAP client. 
-# [Erudite Directory Service Admin|http://edsadmin.sourceforge.net] - A small pyGTK2 user management  
-# [gosa|https://gosa.gonicus.de] - A full-featured web-based host and account management system  
-# [phpldapadmin|http://phpldapadmin.sourceforge.net] - Web-based account management system 
+# [Erudite Directory Service Admin|http://edsadmin.sourceforge.net] - A small pyGTK2 user management.  
+# [gosa|https://gosa.gonicus.de] - A full-featured web-based host and account management system.  
+# [phpldapadmin|http://phpldapadmin.sourceforge.net] - Web-based account management system.  
+# [JXplorer|http://www.jxplorer.org] - Java based LDAP browser and editor. Supports custom HTML templates.  
  
 Contact management only tools: 
  
 # [directoryassistant|http://olivier.sessink.nl/directoryassistant] - A small (and improvable) LDAP address book manager 
 # [turba|http://www.horde.org/turba] - The contact manager from the Horde project 
 # Many email clients. In particular Evolution 2 should be able to search, edit and insert new contacts in the LDAP addressbook 
  
-!!!no structuralObjectClass operational attribute  
-ldapadd was spitting this error at me every time I tried to add anything, a google search provided nothing, but several people complaining about approximately the same problem (and not getting any replies). Commenting out all the replica information in my slapd.conf fixed it, confused, adding it back breaks it again. I have no idea why replication should {a,e}ffect structural classes of objects in the tree, but there ya go, it does. This is slapd-2.1.17-1, if you have a newer version this bug may be fixed.  
  
-I have a Debian Testing now (21 January 2005) and slapd 2.1.30-3. I just replicated my LDAP database and was getting this no structuralObjectClass when I was trying to add some entry in the slave LDAP database. I don't know if I can acctually add stuff to the slave LDAP server, couse it doesn't replicate it to the master (maybee I'm missing some configs here). My point is that I manage to add an user entry in the replicated LDAP server by adding the line "structuralObjectClass: account" to the ldif entry... To see the structural data of an entry of your you should execute: "ldapsearch -b "uid=caozinho,ou=People,dc=tux.dc=com" -s base +". Hope this helps you
+!!References  
  
-!!!no structuralObjectClass operational attribute  
-This occurs if the updatedn is trying to add items . Change your updatedn .  
-  
-!!! ldap_sasl_bind_interactive_s: No such attribute  
-You're trying to use [SASL] and [SASL] isn't configured properly . try ldapsearch -x, if this works, then you have [SASL] issues . The usual solution is to always use " -x" :)  
-  
-!!!Using the special rootdn and rootpw values  
- [OpenLDAP ] has a special root account that has root access to the LDAP tree, bypassing any ACLs that you have in place . This account is controlled through the rootdn and rootpw attributes in slapd .conf .  
-  
- __rootpw must be initialised from the output of the slappasswd command __ this isn't immediately obvious from any of the documentation and trying to bind as the rootdn will fail silently if you initialise it as a plaintext value
+* A reasonable looking [Intro to LDAP|http://quark .humbug .org.au/publications/ ldap/intro _ldap/index.htm]  
+* The SAGE guide on [LDAP system authentication|http://quark .humbug .org.au/publications/ldap/system_auth/sage -au/system_auth.html]  
+* A reasonable selection of [LDAP related notes|http://www.kingsmountain.com/ldapRoadmap.shtml]  
+* Michael !JasonSmith's [LDAP page|http://ldots.org/ldap/ ]  
+* [Debian's Wiki LDAP entry|http://wiki .debian .net/index .cgi?LDAPAuthentication]  
+* Notes on [replication|http://snipsnap.wendlandnet.de/digital-life/space/start/2004-10-01/1#Directoy _replication _with _syncrepl]  
+* Debian Woody backports of [various LDAP utilities|http://cmeerw .org/debian/]  
+* Some more notes at [http://cmeerw.org/notes/ldap.html]  
  
 !!See Also 
 * OpenLdapAccessControls 
 * AccessControlLists 
 * ActiveDirectoryAuthenticationNotes 
  
-!!Patch for [DHCP] to use [LDAP] as a backend  
-http://www.newwave.net/~masneyb/dhcp-3.0.1rc12-ldap-patch  
-  
-!!Replication  
-* http://snipsnap.wendlandnet.de/digital-life/space/start/2004-10-01/1#Directoy_replication_with_syncrepl  
 ---- 
-CategoryNotes 
+CategoryNotes CategorySystemAdministration
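Review bot: the links moved into the new References section and the DHCP patch line are broken as added: `http ://www .newwave.net/~masneyb/dhcp-3..1rc12-ldap-patch` has spaces in the scheme and host and has lost a digit relative to the removed `http://www.newwave.net/~masneyb/dhcp-3.0.1rc12-ldap-patch`, and the same stray spaces appear in `quark .humbug .org.au/publications/ ldap/intro _ldap`, `wiki .debian .net/index .cgi`, `cmeerw .org/debian/` and the `#Directoy _replication _with _syncrepl` anchor; restore the URLs from the removed lines before this is merged. Two smaller points: the "no structuralObjectClass operational attribute" and "ldap_sasl_bind_interactive_s" headings were demoted from `!!!` to `!!` while "Using the special rootdn and rootpw values" keeps `!!!`, so the troubleshooting subsections are now at mixed levels; and the advice to "always use -x" should note that `-x` selects a simple bind, which only keeps the password off the wire when combined with `-ZZ` (StartTLS) or an `ldaps://` URI, matching the TLS setup the page spends its first half on.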