Penguin

Differences between version 47 and predecessor to the previous major change of LDAPNotes.


Newer page: version 47 Last edited on Monday, May 15, 2006 2:14:48 pm by AristotlePagaltzis
Older page: version 43 Last edited on Thursday, November 3, 2005 8:14:49 am by VincentKnecht
@@ -1,148 +1,151 @@
-[OpenLDAP]  
-  
-  
- !!!OpenLDAP + TLS  
-  
-Most modern linux distributions will support OpenLDAP and TLS "out of the box". They'll all require generation of appropriate SSL certificates, and some will require additional configuration  
-  
+!!! Running [ OpenLDAP] with [ TLS] encryption  
  
+Most modern LinuxDistribution~s will support [OpenLDAP] and [TLS] "out of the box". They'll all require generation of appropriate [SSL] certificates, and some will require additional configuration.  
  
 !! Certificates 
  
-You'll want to create certificates. See [SSLNotes]. 
+You'll want to create certificates. See [SSLNotes] to learn how
  
-__Note__: When creating certificates, set the hostname (cn) as being the name that you'll be connecting to the server on! It'll fail otherwise. Eg , if you'll be using ldap +tls to ldap.wlug.org.nz, make sure to set that as the Common Name! And only ever connect to that name. 
+When creating certificates, set the HostName (cn) to the name that you'll be connecting to the server on! It'll fail otherwise. For example , if you'll be using [LDAP] + [TLS] to <tt> ldap.wlug.org.nz</tt> , set the <tt> Common Name</tt> to <tt>ldap.wlug.org.nz</tt>, and only ever connect to that name. If you use another name that resolves to the same [IP], it's not going to work
  
-__Note:__ It is important to have the permissions and ownership set right on your slapd.pem cert . If you don't slapd will fail to start and exit without displaying an error. The exact permissions will depend on your distribution. 
+It is important to have the permissions and ownership set right on your <tt> slapd.pem</tt> certificate . If you don't, slapd(8) will fail to start and exit without displaying an error. The exact permissions will depend on your distribution. 
  
 !! Configuration 
  
-Update your slapd.conf appropriately  
- TLSCACertificateFile /etc/ssl/cacert.pem  
- TLSCertificateFile /etc/ldap/certs/slapd-cert.pem  
- TLSCertificateKeyFile /etc/ldap/certs/slapd- key.pem  
- TLSRandFile /etc/ldap/certs/randfile  
- TLSCipherSuite HIGH:MEDIUM :+SSLv2  
+Update your <tt> slapd.conf</tt> appropriately to point to your key files
  
-!! Distribution Specific notes
+ <verbatim>  
+ TLSCACertificateFile /etc/ssl/cacert.pem  
+ TLSCertificateFile /etc/ldap/certs/slapd-cert.pem  
+ TLSCertificateKeyFile /etc/ldap/certs/slapd-key.pem  
+ TLSRandFile /etc/ldap/certs/randfile  
+ TLSCipherSuite HIGH :MEDIUM:+SSLv2  
+ </verbatim>  
  
-! Debian Woody  
+!! Distribution Specific notes  
  
-Debian Woody ships with a version of slapd that doesn't have TLS support enabled. Check out the References section below for links to backports available for Debian Woody, or else rebuild the debian slapd package with TLS support yourself. Change the line in debian/rules from --without-tls to --with-tls.  
+! [ Debian] [ Woody]  
  
-You 'll also need to change the init script:  
-in /etc/init .d/slapd, change the line that says  
- <verbatim >  
-start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd  
- </verbatim >  
-to read  
- <verbatim >  
-start -stop -daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps:/// ldap:///"  
- </verbatim
+Debian Woody ships with a version of slapd(8) that doesn 't have [TLS] support enabled. Check out the References section below for links to backports available for Debian Woody, or else rebuild the Debian slapd(8) [Package] with [TLS] support yourself . Change the line in <tt >debian /rules </tt > from <tt >--without -tls< /tt> to <tt> --with -tls </tt >.  
  
-This starts slapd listening on ldaps and ldap. You can also use ldapi to use ldap over a unix domain socket. 
+You'll also need to change the init script: in <tt>/etc/init.d/slapd</tt>, change the line that says <tt>start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd</tt> to read <tt>start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps:/// ldap:///"</tt>. This starts slapd(8) listening on the <tt> ldaps</tt> and <tt> ldap</tt> [Port]s . You can also use <tt> ldapi</tt> to use [LDAP] over a [Unix] domain socket. 
  
-! Debian Sarge 
+! [ Debian] [ Sarge]  
  
-The package that comes with Sarge has TLS support enabled. Instead of hacking up the init script, edit /etc/default/slapd and change the SLAPD_SERVICES variable to suit your site, eg: 
+The package that comes with [ Sarge] has [ TLS] support enabled. Instead of hacking up the init script, edit <tt> /etc/default/slapd</tt> and change the <tt> SLAPD_SERVICES</tt> variable to suit your site, eg: 
  
-<verbatim>  
-SLAPD_SERVICES="ldap://127...1/ ldaps:///"  
-</verbatim> 
+ <verbatim>  
+ SLAPD_SERVICES="ldap://127...1/ ldaps:///"  
+ </verbatim> 
  
-Will cause slapd to listen on the localhost interface for ldap , and on any interface for ldaps
+The example above will cause slapd(8) to listen on the <tt>ldap</tt> port only on the localhost interface, and on the <tt>ldaps</tt> port on any interface. 
  
+! RedHat 7.x  
  
-!!! RedHat 7.x Specific  
+RedHat 7.x supports [TLS] out of the box. All you have to do is recreate your slapd(8) certificate and uncomment the [TLS] config lines in <tt>/etc/openldap/slapd.conf</tt>.  
  
-RedHat 7.x supports TLS out of the box. All you have to do is recreate your slapd certificate & uncomment the TLS config lines in /etc/openldap/slapd.conf.  
-  
- <verbatim
+<pre
 cd /usr/share/ssl/certs 
 make slapd.pem 
-... answer some questions  
-</verbatim >  
-__Note:__ When answering the 2nd to last question about the " Common Name" it is important you specify the server name you're going to be using when connecting from clients. Eg, ldap.somehost.com. It is important that you set up clients to connect via this name. If they use another name that resolves to the same IP it's not going to work. This caught me out in the beginning. I would get connection errors in clients like GQ (a GTK LDAP query tool http: //biot.com/gq/)
+'' ... answer some questions ...''  
+</pre >  
+  
+Remember our advice about the <tt> Common Name< /tt> here
  
 Use the following commands to set the permissions correctly for RH 7.x: 
+  
 <verbatim> 
 chmod u=rw,g=r,o= slapd.pem 
 chown root.ldap slapd.pem 
 </verbatim> 
  
+-----  
+  
+!!! LDAP Client Authentication  
+  
+See [LDAPAuthentication] for a detailed example.  
+  
+!!! NSCD  
+  
+After configuring [LDAP] client authentication, you probably want to enable nscd(8) to load at boot (in runlevels 2, 3, 4, & 5). nscd(8) is a dæmon which keeps a cache of looked up passwords and groups for running programs, so that your [LDAP] (or [NIS]) server won't get hammered. It also increases clients responvity.  
+  
+  
+!!! Traps and Trip-ups  
+  
+There are a few things to get tripped up on with [LDAP].  
  
-!!!LDAP Client Auth  
+[TLS]:  
+ Make sure you have the same hostnames in your server's [SSL] cert <tt>Common Name</tt> and [TLS] client configurations. __Also__ make sure the permissions on the cert file (<tt>slapd.pem</tt>) are correct (see above).  
  
-See [LDAPAuthentication] for a detailed example of this
+rootbinddn:  
+ In <tt>/etc/ldap.conf</tt> (<tt>pam_ldap</tt>'s config file), make sure you spell the root user's (aka Manager) DN correctly. This sounds stupid but it's an easy one to miss
  
+<tt>/etc/pam.d/system-auth</tt>:  
+ Make sure authconfig hasn't bollocked your pam config.  
  
-!!!NSCD  
+LDAP lookups fail for non-root users:  
+ Your config files are probably not readable. Make sure <tt>/etc/nss-ldap.conf</tt> is readable by non-root users.  
  
-After I configured LDAP client auth I also enabled nscd (8) to load at boot (in runlevels 2, 3, 4, & 5 ). nscd is the daemon which handles passwd and group lookups for running programs and caches the results for the next query. This is important if your using network name services such as LDAP or NIS . Without it your LDAP server gets hammered and clients are slower to respond . Using it also seemed to solve some seg faults I was having with tools like RPM. Weird but true
+slapcat (8) works for root, but ldapsearch (1 ) shows absolutely no entries:  
+ Perhaps the permissions on your database files disallow slapd(8) from reading them (you'd think [OpenLDAP] would give an error in this case, but noooo ...)  
  
-!!!Traps & Trip-ups  
+ There's also the possibility that you forgot to edit <tt>/etc/ldap/ldap.conf</tt> (in [Debian] [Sarge] at least) to define the <tt>BASE</tt> and <tt>URI</tt> settings.  
  
-There are a few things to get tripped up on with LDAP.  
+ You should also try ldapsearch(1), passing the <tt>-h <hostname> and -b <base dn></tt> too!  
  
-# ''__TLS__'' - Make sure you have the same host names in your Servers SSL Cert Common Name and TLS client configs . __Also__ make sure the permissions on the cert file (slapd.pem) are correct (see above).  
-# ''__rootbinddn__'' - In /etc/ldap.conf (pam_ldap's config file) , make sure you spell the root user's (aka Manager) DN correctly. This sounds stupid but they it 's an easy one to miss .  
-# ''__/etc/pam.d/system-auth__'' - Make sure authconfig hasn't bollocked your pam config.  
-# If ldap lookups fail for non-root users, but works for root, then it's probably because your config files are not readable . Make sure __ /etc/nss-ldap.conf__ is readable by non-root users.  
-# If slapcat(8) works for root, but ldapsearch(1) shows absolutely no entries, then perhaps the permissions on your database files disallow slapd(8) from reading them (You'd think [OpenLDAP ] would give an error in this case but nooo...). There's also the possibility that you fogot to edit /etc/ldap/ldap .conf (in Debian Sarge at least) to define the BASE and URI configs. You should also try ldapsearch(1) passing the -h <hostname> and -b <base dn> too!  
+<tt>no structuralObjectClass operational attribute</tt>:  
+ This seems to occur in range of configurations, including having replication set up . Disabling replication has been reported to fix this , however that 's not an optimal solution . The error probably occurs because the data in your tree isn't consistent . You should make sure <tt>schemacheck< /tt> is turned on and try reimporting your database from an [LDIF ], fixing errors as you go
  
+<tt>ldap_sasl_bind_interactive_s No such attribute</tt>:  
+ You're trying to use [SASL] but isn't configured properly. Try <tt>ldapsearch -x</tt>, if this works, then you have [SASL] issues. The usual solution is to always use <tt>-x</tt>.  
  
-!!no structuralObjectClass operational attribute  
  
-This seems to occur in range of configurations, including having replication set up. Disabling replication has been reported to fix this, however that's not an optimal solution.  
+!!! Using the special <tt>rootdn</tt> and <tt>rootpw</tt> values  
  
-The error probably occurs because the data in your tree isn't consistent . You should make sure schemacheck is turned on and try reimporting your database from an ldif, fixing errors as you go
+[OpenLDAP] has a special root account that has root access to the [LDAP] tree, bypassing any [ACL]s that you have in place . This account is controlled through the <tt>rootdn</tt> and <tt>rootpw</tt> attributes in <tt>slapd.conf</tt>
  
-!!ldap _sasl _bind _interactive _s: No such attribute  
-You 're trying to use [SASL] and [SASL] isn't configured properly. try ldapsearch -x, if this works, then you have [SASL] issues . The usual solution is to always use "-x" :)  
+__<tt>rootpw</tt> must be initialised from the output of the <tt>slappasswd</tt> command. __ This isn 't immediately obvious from any of the documentation and trying to bind as the <tt>rootdn</tt> will fail silently if you initialise it with a plaintext value
  
-!!!Using the special rootdn and rootpw values  
-[OpenLDAP] has a special root account that has root access to the LDAP tree, bypassing any ACLs that you have in place. This account is controlled through the rootdn and rootpw attributes in slapd.conf.  
  
-__rootpw must be initialised from the output of the slappasswd command__ this isn't immediately obvious from any of the documentation and trying to bind as the rootdn will fail silently if you initialise it as a plaintext value.  
+!!! Neat and Useful Programs  
  
+! Useful apps for your [LDAP] system  
  
-!!Patch for [DHCP ] to use [LDAP ] as a backend  
-http://www .newwave .net/~masneyb /dhcp -3 . .1rc12 -ldap -patch  
+* [Directory Administrator|http://diradmin.open-it.org ] - An extremely handy GTK user maintenance tool.  
+* [gq|http://biot.com/gq ] - A GTK-based LDAP client.  
+* [Erudite Directory Service Admin| http://edsadmin .sourceforge .net] - A small pyGTK2 user management.  
+* [gosa|https: //gosa.gonicus.de] - A full-featured web-based host and account management system .  
+* [phpldapadmin|http://phpldapadmin .sourceforge.net] - Web -based account management system.  
+* [JXplorer|http://www.jxplorer.org] - Java based LDAP browser and editor. Supports custom HTML templates.  
  
+! Contact management tools  
  
-!!!Neat & Useful Programs  
+* [directoryassistant|http://olivier.sessink.nl/directoryassistant] - A small (and improvable) LDAP address book manager  
+* [turba|http://www.horde.org/turba] - The contact manager from the Horde project  
+* Many [Email] clients. In particular Evolution 2 should be able to search, edit and insert new contacts in the [LDAP] addressbook  
  
-Here are some useful apps to use with your LDAP system:  
+! Patches for [ LDAP] support  
  
-# [Directory Administrator |http://diradmin .open-it .org] - An extremely handy GTK user maintenance tool.  
-# [gq|http: //biot.com/gq] - A GTK-based LDAP client .  
-# [Erudite Directory Service Admin|http://edsadmin.sourceforge.net ] - A small pyGTK2 user management.  
-# [gosa|https://gosa.gonicus.de ] - A full-featured web-based host and account management system.  
-# [phpldapadmin|http://phpldapadmin.sourceforge.net ] - Web-based account management system.  
-# [JXplorer|http://www.jxplorer.org] - Java based LDAP browser and editor. Supports custom HTML templates
+* [Brian Masney's patch |http://www .lunytune .net /isc -ldap .html ] for [DHCP ] to use [LDAP ] as a backend
  
-Contact management only tools:  
  
-# [directoryassistant|http://olivier.sessink.nl/directoryassistant] - A small (and improvable) LDAP address book manager  
-# [turba|http://www.horde.org/turba] - The contact manager from the Horde project  
-# Many email clients. In particular Evolution 2 should be able to search, edit and insert new contacts in the LDAP addressbook  
+!!! References  
  
+* A reasonable-looking [Intro to LDAP | http://quark.humbug.org.au/publications/ldap/intro_ldap/index.htm]  
+* [SAGE guide on LDAP system authentication | http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_auth.html]  
+* [LDAP related notes | http://www.kingsmountain.com/ldapRoadmap.shtml]  
+* [Michael Jason-Smith's LDAP page | http://ldots.org/ldap/]  
+* [The Debian Wiki's LDAP entry | http://wiki.debian.net/index.cgi?LDAPAuthentication]  
+* [Notes on replication | http://snipsnap.wendlandnet.de/digital-life/space/start/2004-10-01/1#Directoy_replication_with_syncrepl]  
+* [Debian Woody backports of various LDAP utilities | http://cmeerw.org/debian/]  
+* [Some more notes | http://cmeerw.org/notes/ldap.html]  
  
-!!References  
  
-* A reasonable looking [Intro to LDAP|http://quark.humbug.org.au/publications/ldap/intro_ldap/index.htm]  
-* The SAGE guide on [LDAP system authentication|http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_auth.html]  
-* A reasonable selection of [LDAP related notes|http://www.kingsmountain.com/ldapRoadmap.shtml]  
-* Michael !JasonSmith's [LDAP page|http://ldots.org/ldap/]  
-* [Debian's Wiki LDAP entry|http://wiki.debian.net/index.cgi?LDAPAuthentication]  
-* Notes on [replication|http://snipsnap.wendlandnet.de/digital-life/space/start/2004-10-01/1#Directoy_replication_with_syncrepl]  
-* Debian Woody backports of [various LDAP utilities|http://cmeerw.org/debian/]  
-* Some more notes at [http://cmeerw.org/notes/ldap.html]  
+!!! See Also  
  
-!!See Also  
 * OpenLdapAccessControls 
 * AccessControlLists 
 * ActiveDirectoryAuthenticationNotes 
  
 ---- 
-CategoryNotes CategorySystemAdministration 
+Part of CategoryNotes and CategorySystemAdministration
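Review bot: The `TLSCipherSuite HIGH :MEDIUM:+SSLv2` line in the Configuration verbatim block is carried over unchanged from the old revision and still leaves SSLv2 ciphers enabled: in an OpenSSL cipher string a `+` prefix only moves the matching ciphers to the end of the preference list, it does not exclude them, so `:+SSLv2` is not a hardening step. Suggest dropping the `:+SSLv2` part (or replacing it with `:!SSLv2`) and closing up the stray space in `HIGH :MEDIUM`, which would otherwise not parse as a cipher list. Two smaller points in the same hunk: the Debian Sarge example `SLAPD_SERVICES="ldap://127...1/ ldaps:///"` contains a loopback address that reads as `127...1` on both sides of the diff, which is not a valid host and should be checked against the intended value before readers copy it; and in the RedHat 7.x section the new `<pre` opening tag is missing its closing `>`, so the block will not render as preformatted text.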