OpenLDAP

OpenLDAP + TLS

Most modern linux distributions will support OpenLDAP and TLS "out of the box". They'll all require generation of appropriate SSL certificates, and some will require additional configuration

Certificates

You'll want to create certificates. See SSLNotes.

Note: When creating certificates, set the hostname (cn) as being the name that you'll be connecting to the server on! It'll fail otherwise. Eg, if you'll be using ldap+tls to ldap.wlug.org.nz, make sure to set that as the Common Name! And only ever connect to that name.

Note: It is important to have the permissions and ownership set right on your slapd.pem cert. If you don't slapd will fail to start and exit without displaying an error. The exact permissions will depend on your distribution.

Configuration

Update your slapd.conf appropriately

TLSCACertificateFile /etc/ssl/cacert.pem TLSCertificateFile /etc/ldap/certs/slapd-cert.pem TLSCertificateKeyFile /etc/ldap/certs/slapd-key.pem TLSRandFile /etc/ldap/certs/randfile TLSCipherSuite HIGH:MEDIUM:+SSLv2

Distribution Specific notes:

Debian Woody

Debian Woody ships with a version of slapd that doesn't have TLS support enabled. Check out the References section below for links to backports available for Debian Woody, or else rebuild the debian slapd package with TLS support yourself. Change the line in debian/rules from --without-tls to --with-tls.

You'll also need to change the init script: in /etc/init.d/slapd, change the line that says

start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd

to read

start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps:/// ldap:///"

This starts slapd listening on ldaps and ldap. You can also use ldapi to use ldap over a unix domain socket.

Debian Sarge

The package that comes with Sarge has TLS support enabled. Instead of hacking up the init script, edit /etc/default/slapd and change the SLAPD_SERVICES variable to suit your site, eg:

SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:///"

Will cause slapd to listen on the localhost interface for ldap, and on any interface for ldaps.

RedHat 7.x Specific

RedHat 7.x supports TLS out of the box. All you have to do is recreate your slapd certificate & uncomment the TLS config lines in /etc/openldap/slapd.conf.

cd /usr/share/ssl/certs
make slapd.pem
... answer some questions

Note: When answering the 2nd to last question about the "Common Name" it is important you specify the server name you're going to be using when connecting from clients. Eg, ldap.somehost.com. It is important that you set up clients to connect via this name. If they use another name that resolves to the same IP it's not going to work. This caught me out in the beginning. I would get connection errors in clients like GQ (a GTK LDAP query tool http://biot.com/gq/).

Use the following commands to set the permissions correctly for RH 7.x:

chmod u=rw,g=r,o= slapd.pem
chown root.ldap slapd.pem

LDAP Client Auth

See LDAPAuthentication for a detailed example of this.

NSCD

After I configured LDAP client auth I also enabled nscd(8) to load at boot (in runlevels 2, 3, 4, & 5). nscd is the daemon which handles passwd and group lookups for running programs and caches the results for the next query. This is important if your using network name services such as LDAP or NIS. Without it your LDAP server gets hammered and clients are slower to respond. Using it also seemed to solve some seg faults I was having with tools like RPM. Weird but true.

Traps & Trip-ups

There are a few things to get tripped up on with LDAP.

1. TLS - Make sure you have the same host names in your Servers SSL Cert Common Name and TLS client configs. Also make sure the permissions on the cert file (slapd.pem) are correct (see above).
2. rootbinddn - In /etc/ldap.conf (pam_ldap's config file), make sure you spell the root user's (aka Manager) DN correctly. This sounds stupid but they it's an easy one to miss.
3. /etc/pam.d/system-auth - Make sure authconfig hasn't bollocked your pam config.
4. If ldap lookups fail for non-root users, but works for root, then it's probably because your config files are not readable. Make sure /etc/nss-ldap.conf is readable by non-root users.
5. If slapcat(8)? works for root, but ldapsearch(1) shows absolutely no entries, then perhaps the permissions on your database files disallow slapd(8)? from reading them (You'd think OpenLDAP would give an error in this case but nooo...). There's also the possibility that you fogot to edit /etc/ldap/ldap.conf (in Debian Sarge at least) to define the BASE and URI configs. You should also try ldapsearch(1) passing the -h <hostname> and -b <base dn> too!

no structuralObjectClass operational attribute

This seems to occur in range of configurations, including having replication set up. Disabling replication has been reported to fix this, however that's not an optimal solution.

The error probably occurs because the data in your tree isn't consistent. You should make sure schemacheck is turned on and try reimporting your database from an ldif, fixing errors as you go.

ldap_sasl_bind_interactive_s: No such attribute

You're trying to use SASL and SASL isn't configured properly. try ldapsearch -x, if this works, then you have SASL issues. The usual solution is to always use "-x" :)

Using the special rootdn and rootpw values

OpenLDAP has a special root account that has root access to the LDAP tree, bypassing any ACLs that you have in place. This account is controlled through the rootdn and rootpw attributes in slapd.conf.

rootpw must be initialised from the output of the slappasswd command this isn't immediately obvious from any of the documentation and trying to bind as the rootdn will fail silently if you initialise it as a plaintext value.

Patch for DHCP to use LDAP as a backend

http://www.newwave.net/masneyb/dhcp-3.0.1rc12-ldap-patch

Neat & Useful Programs

Here are some useful apps to use with your LDAP system:

1. Directory Administrator - An extremely handy GTK user maintenance tool.
2. gq - A GTK-based LDAP client.
3. Erudite Directory Service Admin - A small pyGTK2 user management
4. gosa - A full-featured web-based host and account management system
5. phpldapadmin - Web-based account management system

Contact management only tools:

1. directoryassistant - A small (and improvable) LDAP address book manager
2. turba - The contact manager from the Horde project
3. Many email clients. In particular Evolution 2 should be able to search, edit and insert new contacts in the LDAP addressbook

References

• A reasonable looking Intro to LDAP
• The SAGE guide on LDAP system authentication
• A reasonable selection of LDAP related notes
• Michael !JasonSmith?'s LDAP page
• Debian's Wiki LDAP entry
• Notes on replication
• Debian Woody backports of various LDAP utilities
• Some more notes at http://cmeerw.org/notes/ldap.html

See Also

• OpenLdapAccessControls
• AccessControlLists
• ActiveDirectoryAuthenticationNotes

CategoryNotes CategorySystemAdministration