LDAPNotes
!!! Running [OpenLDAP] with [TLS] encryption

Most modern LinuxDistribution~s will support [OpenLDAP] and [TLS] "out of the box". They'll all require generation of appropriate [SSL] certificates, and some will require additional configuration.

!! Certificates

You'll want to create certificates. See [SSLNotes] to learn how.

When creating certificates, set the HostName (cn) to the name that you'll be connecting to the server on! It'll fail otherwise. For example, if you'll be using [LDAP] + [TLS] to <tt>ldap.wlug.org.nz</tt>, set the <tt>Common Name</tt> to <tt>ldap.wlug.org.nz</tt>, and only ever connect to that name. If you use another name that resolves to the same [IP], it's not going to work.

It is important to have the permissions and ownership set right on your <tt>slapd.pem</tt> certificate. If you don't, slapd(8) will fail to start and exit without displaying an error. The exact permissions will depend on your distribution.

!! Configuration

Update your <tt>slapd.conf</tt> appropriately to point to your key files:

<verbatim>
TLSCACertificateFile /etc/ssl/cacert.pem
TLSCertificateFile /etc/ldap/certs/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/certs/slapd-key.pem
TLSRandFile /etc/ldap/certs/randfile
TLSCipherSuite HIGH:MEDIUM:+SSLv2
</verbatim>

!! Distribution Specific notes

! [Debian] [Woody]

Debian Woody ships with a version of slapd(8) that doesn't have [TLS] support enabled. Check out the References section below for links to backports available for Debian Woody, or else rebuild the Debian slapd(8) [Package] with [TLS] support yourself. Change the line in <tt>debian/rules</tt> from <tt>--without-tls</tt> to <tt>--with-tls</tt>.

You'll also need to change the init script: in <tt>/etc/init.d/slapd</tt>, change the line that says <tt>start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd</tt> to read <tt>start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps:/// ldap:///"</tt>.
This starts slapd(8) listening on the <tt>ldaps</tt> and <tt>ldap</tt> [Port]s. You can also use <tt>ldapi</tt> to use [LDAP] over a [Unix] domain socket.

! [Debian] [Sarge]

The package that comes with [Sarge] has [TLS] support enabled. Instead of hacking up the init script, edit <tt>/etc/default/slapd</tt> and change the <tt>SLAPD_SERVICES</tt> variable to suit your site, eg:

<verbatim>
SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:///"
</verbatim>

The example above will cause slapd(8) to listen on the <tt>ldap</tt> port only on the localhost interface, and on the <tt>ldaps</tt> port on any interface.

! RedHat 7.x

RedHat 7.x supports [TLS] out of the box. All you have to do is recreate your slapd(8) certificate and uncomment the [TLS] config lines in <tt>/etc/openldap/slapd.conf</tt>.

<pre>
cd /usr/share/ssl/certs
make slapd.pem
''... answer some questions ...''
</pre>

Remember our advice about the <tt>Common Name</tt> here. Use the following commands to set the permissions correctly for RH 7.x:

<verbatim>
chmod u=rw,g=r,o= slapd.pem
chown root.ldap slapd.pem
</verbatim>

-----

!!! LDAP Client Authentication

See [LDAPAuthentication] for a detailed example of keeping user accounts in LDAP.

!!! NSCD

After configuring [LDAP] client authentication, you probably want to enable nscd(8) to load at boot (in runlevels 2, 3, 4, & 5). nscd(8) is a dæmon which keeps a cache of looked-up passwords and groups for running programs, so that your [LDAP] (or [NIS]) server won't get hammered. It also improves client responsiveness.

!!! HTTP authentication in Apache

First, enable apache's LDAP authentication module (which should be distributed with apache2 in recent distributions), which is called __authnz_ldap__.
(Debian-based distros: run ''a2enmod authnz_ldap'')

The following assumes you are only doing this on SSL-enabled sites or on a LAN so that packet sniffing isn't a security concern:

<verbatim>
<Location /ldap.html>
  AuthName "test ldap auth"
  AuthType Basic
  # the following will check against the uid attribute
  AuthLDAPURL ldap://ldapserver.hostname/ou=People,dc=yourdomain,dc=com?uid
  # our ldap server allows anonymous binds, so don't need these:
  # AuthLDAPBindDN
  # AuthLDAPBindPassword

  # choose a method of access:

  # 1) TO LIMIT ACCESS TO A SET OF USERS:
  #Require ldap-user user1 user2 user3

  # 2) TO LIMIT ACCESS TO VALID USERS IN LDAP:
  # use ldap instead of default "file"
  AuthBasicProvider ldap
  # allow AuthBasic to work
  AuthzLDAPAuthoritative off
  # valid-user is an AuthBasic directive...
  Require valid-user

  # 3) TO LIMIT ACCESS TO MEMBERS OF A GROUP:
  ## which ldap attribute do we use (defaults to uniqueMember)
  ## posixGroup objectClass uses the memberUid attribute:
  #AuthLDAPGroupAttribute memberUid
  #AuthLDAPGroupAttributeIsDN off
  #Require ldap-group cn=admins,ou=Group,dc=yourdomain,dc=com
</Location>
</verbatim>

!!! Traps and Trip-ups

There are a few things to get tripped up on with [LDAP].

[TLS]: Make sure you have the same hostnames in your server's [SSL] cert <tt>Common Name</tt> and [TLS] client configurations. __Also__ make sure the permissions on the cert file (<tt>slapd.pem</tt>) are correct (see above).

rootbinddn: In <tt>/etc/ldap.conf</tt> (<tt>pam_ldap</tt>'s config file), make sure you spell the root user's (aka Manager) DN correctly. This sounds stupid but it's an easy one to miss.

<tt>/etc/pam.d/system-auth</tt>: Make sure authconfig hasn't bollocked your pam config.

LDAP lookups fail for non-root users: Your config files are probably not readable. Make sure <tt>/etc/nss-ldap.conf</tt> is readable by non-root users.
slapcat(8) works for root, but ldapsearch(1) shows absolutely no entries: Perhaps the permissions on your database files disallow slapd(8) from reading them (you'd think [OpenLDAP] would give an error in this case, but noooo...). There's also the possibility that you forgot to edit <tt>/etc/ldap/ldap.conf</tt> (in [Debian] [Sarge] at least) to define the <tt>BASE</tt> and <tt>URI</tt> settings. You should also try ldapsearch(1), passing the <tt>-h <hostname></tt> and <tt>-b <base dn></tt> options too!

<tt>no structuralObjectClass operational attribute</tt>: This seems to occur in a range of configurations, including having replication set up. Disabling replication has been reported to fix this, however that's not an optimal solution. The error probably occurs because the data in your tree isn't consistent. You should make sure <tt>schemacheck</tt> is turned on and try reimporting your database from an [LDIF], fixing errors as you go.

<tt>ldap_sasl_bind_interactive_s No such attribute</tt>: You're trying to use [SASL] but it isn't configured properly. Try <tt>ldapsearch -x</tt>; if this works, then you have [SASL] issues. The usual solution is to always use <tt>-x</tt>.

!!! Using the special <tt>rootdn</tt> and <tt>rootpw</tt> values

[OpenLDAP] has a special root account that has root access to the [LDAP] tree, bypassing any [ACL]s that you have in place. This account is controlled through the <tt>rootdn</tt> and <tt>rootpw</tt> attributes in <tt>slapd.conf</tt>.

__<tt>rootpw</tt> must be initialised from the output of the <tt>slappasswd</tt> command.__ This isn't immediately obvious from any of the documentation, and trying to bind as the <tt>rootdn</tt> will fail silently if you initialise it with a plaintext value.

!!! Neat and Useful Programs

! Useful apps for your [LDAP] system

* [Directory Administrator|http://diradmin.open-it.org] - An extremely handy GTK user maintenance tool.
* [gq|http://biot.com/gq] - A GTK-based LDAP client.
* [Erudite Directory Service Admin|http://edsadmin.sourceforge.net] - A small pyGTK2 user management tool.
* [gosa|https://gosa.gonicus.de] - A full-featured web-based host and account management system.
* [phpldapadmin|http://phpldapadmin.sourceforge.net] - Web-based account management system.
* [JXplorer|http://www.jxplorer.org] - Java based LDAP browser and editor. Supports custom HTML templates.

! Contact management tools

* [directoryassistant|http://olivier.sessink.nl/directoryassistant] - A small (and improvable) LDAP address book manager
* [turba|http://www.horde.org/turba] - The contact manager from the Horde project
* Many [Email] clients. In particular Evolution 2 should be able to search, edit and insert new contacts in the [LDAP] addressbook

! Patches for [LDAP] support

* [Brian Masney's patch|http://www.lunytune.net/isc-ldap.html] for [DHCP] to use [LDAP] as a backend.

!!! References

* A reasonable-looking [Intro to LDAP | http://quark.humbug.org.au/publications/ldap/intro_ldap/index.htm]
* [SAGE guide on LDAP system authentication | http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_auth.html]
* [LDAP related notes | http://www.kingsmountain.com/ldapRoadmap.shtml]
* [Michael Jason-Smith's LDAP page | http://ldots.org/ldap/]
* [The Debian Wiki's LDAP entry | http://wiki.debian.net/index.cgi?LDAPAuthentication]
* [Notes on replication | http://snipsnap.wendlandnet.de/digital-life/space/start/2004-10-01/1#Directoy_replication_with_syncrepl]
* [Debian Woody backports of various LDAP utilities | http://cmeerw.org/debian/]
* [Some more notes | http://cmeerw.org/notes/ldap.html]

!!! See Also

* OpenLdapAccessControls
* AccessControlLists
* ActiveDirectoryAuthenticationNotes

----

Part of CategoryNotes and CategorySystemAdministration
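
The Woody <tt>-h "ldaps:/// ldap:///"</tt> and Sarge <tt>SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:///"</tt> strings in the distribution notes above bind slapd(8) quite differently. As an added example (Python, not code from this page or from OpenLDAP), the helper below spells out what each listener URL binds to and flags an <tt>ldap://</tt> listener reachable from other hosts; the URL rules it encodes (empty host means every interface, default ports 389 and 636, <tt>ldapi</tt> is a [Unix] socket) are OpenLDAP's, and the two sample strings are the page's own.

```python
# Added example, not from the wiki page or OpenLDAP: decode slapd listener URLs
# (the -h option or Debian's SLAPD_SERVICES) and flag ldap:// listeners that are
# reachable from other hosts. ldap:// permits StartTLS but does not require it;
# ldaps:// is TLS from the first byte; ldapi:// is a local Unix domain socket.
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_listener(url: str) -> Dict[str, object]:
    """Describe one listener URL: scheme, bind address, port, exposure."""
    parts = urlsplit(url)
    scheme = parts.scheme
    if scheme == "ldapi":
        # Unix domain socket: no network exposure and no port.
        return {"url": url, "scheme": scheme, "host": None,
                "port": None, "plaintext": False, "exposed": False}
    if scheme not in DEFAULT_PORT:
        raise ValueError("unknown listener scheme in %r" % url)
    # slapd treats an empty host (ldaps:///) as "bind every interface".
    host: Optional[str] = parts.hostname or None
    port = parts.port or DEFAULT_PORT[scheme]
    plaintext = scheme == "ldap"
    # Loopback-only plaintext is what the Sarge example above relies on.
    exposed = plaintext and host not in LOOPBACK
    return {"url": url, "scheme": scheme, "host": host,
            "port": port, "plaintext": plaintext, "exposed": exposed}


def audit_services(services: str) -> List[str]:
    """One finding per ldap:// listener bound beyond the loopback address."""
    findings = []
    for url in services.split():
        info = parse_listener(url)
        if info["exposed"]:
            where = info["host"] or "all interfaces"
            findings.append(
                "%s: ldap:// on %s port %s is plaintext unless the client "
                "chooses StartTLS; use ldaps:// or bind it to 127.0.0.1"
                % (url, where, info["port"]))
    return findings


if __name__ == "__main__":
    # The two strings are the page's own Woody and Sarge settings.
    for cfg in ("ldaps:/// ldap:///", "ldap://127.0.0.1/ ldaps:///"):
        print(cfg, "->", audit_services(cfg) or ["ok"])
```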
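
The <tt>rootpw</tt> section above says to initialise it from <tt>slappasswd</tt> output. As an added example (Python, not code from this page or from OpenLDAP), the functions below produce and check a hash in the <tt>{SSHA}</tt> format that <tt>slappasswd</tt> emits by default, so you can generate a <tt>rootpw</tt> line and confirm that a value already in <tt>slapd.conf</tt> is a hash rather than plaintext. The 4-byte random salt matches slappasswd's default; the fixed-salt parameter exists only to make runs repeatable.

```python
# Added example, not from the wiki page or OpenLDAP: the {SSHA} scheme that
# slappasswd emits by default is "{SSHA}" + base64(SHA1(password + salt) + salt).
# slapd verifies it by decoding, taking the first 20 bytes as the digest and the
# remainder as the salt, and the same rule is applied here.
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
SHA1_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password the way slappasswd -h {SSHA} does (4-byte salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """True only if stored is a well-formed {SSHA} hash of password."""
    if not stored.startswith(PREFIX):
        return False  # plaintext or another scheme: not what this page wants
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False  # no room for a salt after the digest
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def rootpw_line(password: str) -> str:
    """The slapd.conf line to paste, hashed with a fresh random salt."""
    return "rootpw " + make_ssha(password)


if __name__ == "__main__":
    # Constructed sample secret; never reuse it.
    print(rootpw_line("constructed-example-secret"))
```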