Chapter 26: Lightweight Directory Access Protocol (LDAP)

LDAP is a client-server system. The LDAP server stores a database that can contain a wide variety of information about an organization, such as usernames, addresses, hostnames, e-mail addresses and phone numbers. LDAP clients retrieve this information from the LDAP server whenever necessary. The LDAP server database is generally considered a directory service. A directory is a specialized database optimized for reading, browsing and searching. Directory entries are arranged in a hierarchical, tree-like structure.

Each directory entry has a set of attributes that define that entry. LDAP lets you determine which attributes are required and allowed for an entry through a special attribute called objectClass. The values of the objectClass attribute determine the schema rules the entry must obey.

[Figure: LDAP Directory Tree. The diagram shows the entry dc=aita near the top of the tree and the entry uid=manoj as a leaf beneath it.]

An entry is referenced by its distinguished name (DN), which is constructed by taking the name of the entry itself (called the Relative Distinguished Name, or RDN) and concatenating the names of its ancestor entries. For example, the entry for Manoj in the tree above has an RDN of uid=manoj and a DN of uid=manoj,ou=people,dc=aita,dc=com. A DN must be unique within a directory tree. LDAP provides a set of tools for searching, adding, deleting and modifying directory entries. The LDAP search operation allows some portion of the directory to be searched for entries that match the criteria specified by a search filter. Information can be requested from each entry that matches the criteria.

Working of LDAP

The LDAP directory service is based on a client-server model. One or more LDAP servers contain the data making up the directory information tree (DIT). The client connects to a server and asks it a question. The server responds with an answer and/or with a pointer to where the client can get additional information (typically another LDAP server).

slapd - LDAP Directory Server

slapd is an LDAP directory server that runs on many different platforms. You can use it to provide a directory service of your own. Your directory can contain pretty much anything you want to put in it.

Configuring the LDAP Directory Server

Red Hat Linux comes with the OpenLDAP directory server package. If you have performed a full installation, all the files required for configuring the LDAP server are installed.

The slapd.conf file

The slapd.conf file is the main server configuration file used by the OpenLDAP server.

Given below is a sample slapd.conf file:

    # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/redhat/rfc822MailMember.schema
    include /etc/openldap/schema/redhat/autofs.schema
    include /etc/openldap/schema/redhat/kerberosobject.schema

    # Define global ACLs to disable default read access.

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    #pidfile /var/run/slapd.pid
    #argsfile /var/run/slapd.args

    # Create a replication log in /var/lib/ldap for use by slurpd.
    #replogfile /var/lib/ldap/master-slapd.replog

    # Load dynamic backend modules:
    # modulepath /usr/sbin/openldap
    # moduleload back_ldap.la
    # moduleload back_ldbm.la
    # moduleload back_passwd.la
    # moduleload back_shell.la

    # The next three lines allow use of TLS for connections using a dummy test
    # certificate, but you should generate a proper certificate by changing to
    # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
    # slapd.pem so that the ldap user or group can read it.
    # TLSCertificateFile /usr/share/ssl/certs/slapd.pem
    # TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
    # TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
    #
    # Sample Access Control
    # Allow read access of root DSE
    # Allow self write access
    # Allow authenticated users read access
    # Allow anonymous users to authenticate
    #
    #access to dn="" by * read
    #access to *
    # by self write
    # by users read
    # by anonymous auth
    #
    # if no access controls are present, the default is:
    # Allow read by all
    #
    # rootdn can always write!

Adding initial entries to the LDAP database

After setting up /etc/openldap/slapd.conf you have to start the LDAP server as follows:

    # service ldap start

After starting the LDAP server, the first thing you need to do is create the LDAP back-end database. You can use the ldapadd command to add entries to your LDAP directory. The ldapadd command expects its input in LDAP Data Interchange Format (LDIF). The basic form of an LDIF entry is as follows:

    # comment
    dn: <distinguished name>
    <attribute>: <value>
    <attribute>: <value>

To add the initial entries to your LDAP database, create an LDIF file as follows:

    # vi start.ldif
    dn: dc=aita,dc=com
    objectClass: dcObject
    dc: aita

    dn: cn=root,dc=aita,dc=com
    objectClass: organizationalRole
    cn: root

Now run the ldapadd command to insert these entries into your directory:

    ldapadd -x -D "cn=root,dc=aita,dc=com" -W -f start.ldif
    Enter LDAP Password:

To verify that the new entries have been added to your directory, use the following command:

    # ldapsearch -x -b "dc=aita,dc=com" '(objectclass=*)'

The above command searches for and retrieves every entry in the database.

    # ldapsearch -x -b "dc=aita,dc=com" '(cn=root)'

The above command searches for and retrieves every entry whose cn attribute is set to root.

Implementing access control

By default, the slapd database grants read access to everybody except the superuser (as specified by the rootdn configuration directive). To control this, remove the "#" symbols from the following entries of the /etc/openldap/slapd.conf file:

    access to *
        by self write
        by users read
        by anonymous auth

The above lines implement the following access control: authenticated users have read access, anonymous users may only authenticate, and a user can change his own attributes.

After modifying the slapd.conf file you need to restart the LDAP server as follows:

    # service ldap restart

Before using any of the LDAP client commands (such as ldapadd, ldapsearch and ldapdelete) you may need to edit the LDAP client configuration files. These files are /etc/ldap.conf and /etc/openldap/ldap.conf.

The /etc/openldap/ldap.conf file

    # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
    #
    # LDAP Defaults
    #
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE dc=example, dc=com
    #URI ldap://ldap.example.com ldap://ldapmaster.example.com:666
    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never
    HOST 100.0.0.71
    BASE dc=aita,dc=com

In this file you may need to specify the base DN and the IP address of the LDAP server. In the /etc/ldap.conf file you also need to specify the HOST IP address and the BASE DN. Now try to retrieve the information from the LDAP database as follows:

    # ldapsearch -x -b 'dc=aita,dc=com' '(objectclass=*)'

The above command will not retrieve any information from the LDAP database because the search is not authenticated (with the access control above, anonymous users may only authenticate). So modify the command to bind as the root DN:

    # ldapsearch -x -D "cn=root,dc=aita,dc=com" -W '(objectclass=*)'
    # ldapsearch -LLL -x -D "cn=root,dc=aita,dc=com" -W '(objectclass=*)'

Adding additional entries to the LDAP database

Create an LDIF file as follows:

    # vi people.ldif
    dn: ou=people,dc=aita,dc=com
    objectclass: organizationalunit
    ou: people

    dn: uid=manoj,ou=people,dc=aita,dc=com
    objectclass: person
    objectclass: inetorgperson
    sn: manu
    cn: manoj
    uid: manoj
    userpassword: flower

After creating the file, run the ldapadd command to add the entries to the LDAP database:

    ldapadd -x -D "cn=root,dc=aita,dc=com" -W -f people.ldif
    Enter LDAP Password:

The command adds an organisational unit people (DN: ou=people,dc=aita,dc=com) and one user manoj (DN: uid=manoj,ou=people,dc=aita,dc=com).

The ldapmodify command

The ldapmodify command is used to modify entries in the LDAP database. This command also expects its input in LDIF format. For example, to modify some entries in our existing LDAP database, create an LDIF file as follows (in a changetype: modify record, each operation is separated from the next by a line containing only a hyphen):

    # vi mod.ldif
    dn: uid=manoj,ou=people,dc=aita,dc=com
    changetype: modify
    add: mail
    mail: [email protected]
    -
    add: title
    title: courseware
    -
    replace: sn
    sn: mrg

After creating the LDIF file as above, run the ldapmodify command as follows:

    # ldapmodify -x -D "cn=root,dc=aita,dc=com" -W -f mod.ldif
    Enter LDAP Password:

This adds the e-mail address [email protected], adds the title courseware and changes the sn (short name) to mrg for the object manoj. Apart from add and replace you can also specify the delete operation to delete attributes, as follows:

    # vi mod.ldif
    dn: uid=manoj,ou=people,dc=aita,dc=com
    changetype: modify
    delete: title

Then run the ldapmodify command as follows:

    # ldapmodify -x -D "cn=root,dc=aita,dc=com" -W -f mod.ldif
    Enter LDAP Password:

The above command deletes the title attribute from the object manoj.
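As an added illustration (not code from the chapter), the following Python models how ldapmodify reads a changetype: modify record and how slapd then applies it: each add, replace or delete operation is ended by a line holding only '-', and a value line that names a different attribute, which is what a missing separator produces, is rejected. The entry and the change record are constructed from the examples above, with the mail operation omitted.

```python
# Constructed inputs: the manoj entry from people.ldif and a change record shaped like mod.ldif.
MANOJ = {"objectclass": ["person", "inetorgperson"], "sn": ["manu"], "cn": ["manoj"], "uid": ["manoj"]}
MOD_LDIF = """\
dn: uid=manoj,ou=people,dc=aita,dc=com
changetype: modify
add: title
title: courseware
-
replace: sn
sn: mrg
"""


def _split(line):              # 'sn: manu' -> ('sn', 'manu'); attribute names are case-insensitive
    name, _, value = line.partition(":")
    return name.strip().lower(), value.strip()


def parse_modify(text):
    """Return (dn, [(verb, attr, values), ...]) from one 'changetype: modify' record."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    dn = _split(lines[0])[1]
    ops, cur = [], []
    for line in lines[2:] + ["-"]:         # a line holding only '-' ends one operation
        if line != "-":
            cur.append(line)
        elif cur:
            verb, attr = _split(cur[0])
            values = []
            for vname, value in map(_split, cur[1:]):
                if vname != attr:          # e.g. 'add: title' read as a value of 'mail'
                    raise ValueError(f"wrong attributeType {vname!r} under '{verb}: {attr}'"
                                     " (missing '-' separator?)")
                values.append(value)
            ops.append((verb, attr, values))
            cur = []
    return dn, ops


def apply_modify(entry, ops):
    """Apply parsed operations to a copy of entry {attr: [values]}, as slapd would."""
    entry = {k: list(v) for k, v in entry.items()}
    for verb, attr, values in ops:
        if verb == "add":
            entry.setdefault(attr, []).extend(values)
        elif verb == "replace":
            entry[attr] = values
        else:                              # delete: the named values, or the whole attribute
            entry[attr] = [v for v in entry.get(attr, []) if values and v not in values]
        if not entry[attr]:                # an attribute with no values ceases to exist
            del entry[attr]
    return entry
```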

The ldapdelete command

The ldapdelete command is used to delete entries from an LDAP database:

    # ldapdelete -x -D "cn=root,dc=aita,dc=com" -W "uid=manoj,ou=people,dc=aita,dc=com"
    Enter LDAP Password:

The above command deletes the LDAP object manoj from the LDAP database.

Configuring LDAP to authenticate user logon

An LDAP server can be configured to authenticate user logons on a network, like NIS. For this you need to migrate the /etc/passwd file into the LDAP database. You can use the Perl scripts stored under /usr/share/openldap/migration to do this.

1. Copy the /etc/passwd file to some other name:

    # cp /etc/passwd /passwd.ldap

2. Edit the passwd.ldap file and remove the entries of the users you do not want to convert into LDAP users.

3. Enter the /usr/share/openldap/migration directory, edit the migrate_common.ph file and add/change the following lines as below:

    $DEFAULT_MAIL_DOMAIN = "aita.com";
    $DEFAULT_BASE = "dc=aita,dc=com";

4. Run the following command:

    # ./migrate_passwd.pl /passwd.ldap passwd.ldif

The above command creates the passwd.ldif file. By default the passwd.ldif file adds all the users under an organizational unit named people.

5. Next, use the passwd.ldif file created in the previous step to add the users to the LDAP database as follows:

    # ldapadd -x -D "cn=root,dc=aita,dc=com" -W -f passwd.ldif
    Enter LDAP Password:

The above command adds all the users to the LDAP database along with all their parameters such as UID, GID, password, home directory, default shell and password expiry details.

6. On the client side you have to edit the ldap.conf file and /etc/nsswitch.conf so that authentication is performed by the LDAP server. In the nsswitch.conf file set the search order for the passwd, group and shadow databases as follows:

    passwd: files ldap
    shadow: files ldap
    group: files ldap

This makes user names and passwords be looked up first in the local /etc/passwd file and then in the LDAP server database.
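The following Python function is an added stand-in for migrate_passwd.pl (it is not the chapter's script and only imitates its output) that shows what the passwd.ldif of step 4 contains for each account. It assumes entries go under ou=people as the chapter says, that UIDs below 500 are system accounts to leave out (the users step 2 says to remove), and that password hashes come from a {user: hash} mapping taken from /etc/shadow; the sample passwd lines and hashes are constructed.

```python
# Added stand-in for migrate_passwd.pl: turn /etc/passwd lines into the posixAccount
# LDIF that step 5 feeds to ldapadd. Assumptions: users go under ou=people, UIDs below
# MIN_UID are system accounts to drop (step 2), hashes come from a {user: hash} mapping
# taken from /etc/shadow, and all values are plain ASCII (LDIF needs '::' base64 otherwise).
BASE = "dc=aita,dc=com"
MIN_UID = 500

# Constructed sample input; the hashes are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
manoj:x:500:500:Manoj R:/home/manoj:/bin/bash
ramesh:x:501:501::/home/ramesh:/bin/sh
"""
SAMPLE_HASHES = {"manoj": "$1$constructed$hash1", "ramesh": "$1$constructed$hash2"}


def passwd_to_ldif(passwd_text, hashes, base=BASE, min_uid=MIN_UID):
    """Return (ldif_text, skipped_users). Only accounts with uid >= min_uid are converted."""
    records, skipped = [], []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) < min_uid:
            skipped.append(user)
            continue
        attrs = [("dn", f"uid={user},ou=people,{base}"),
                 ("objectClass", "top"), ("objectClass", "account"),
                 ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
                 ("uid", user), ("cn", gecos.split(",")[0] or user),
                 ("uidNumber", uid), ("gidNumber", gid),
                 ("homeDirectory", home), ("loginShell", shell)]
        if gecos:
            attrs.append(("gecos", gecos))
        if user in hashes:            # {crypt} tells slapd the value is already a hash
            attrs.append(("userPassword", "{crypt}" + hashes[user]))
        records.append("\n".join(f"{name}: {value}" for name, value in attrs))
    return "\n\n".join(records) + "\n", skipped
```

With the chapter's access rule (by users read) any authenticated user can read the userPassword hashes these entries carry; a rule placed before the catch-all, access to attrs=userPassword by self write by anonymous auth by * none, limits that attribute to authentication and the owner's own changes.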

Implementing address books

A very useful feature of an LDAP database on a Linux server is that, when you have an internal network in your organization, you can have a single place to store all your external contacts. You could even divide it into groups or departments. It is no longer necessary to give each employee a separate address book. Apart from using LDAP, this could also be done with Microsoft Exchange Server, Lotus Domino, and Netscape Active Directory.

To use the Microsoft Address Book and programs that rely on it, such as Microsoft Outlook, Microsoft Outlook Express and Microsoft Outlook 2000, there is no need to change the basic LDAP configuration. Two things need to be modified, though. First, you have to create a directory tree to store your addresses and related data. Second, you have to make sure that all hosts on your local network have read access to this tree.

All Microsoft e-mail programs can use LDAP directory services. If you want to search for people, you have to use the Address Book. When composing a new e-mail message, a name can be automatically matched to an e-mail address; to do this, the cn, sn, givenname and mail fields are searched. To configure your Microsoft e-mail program to use an LDAP server as your address book, or to look up e-mail addresses, do the following: start your e-mail program and open the Address Book. This can be done by selecting Tools, Address Book from within the program, or via the Start menu by selecting Start, Programs, Accessories, Address Book.

1. Click Tools, Accounts to open the Internet Accounts window.

2. Click Add. In the Internet Connection Wizard window that appears, type the IP address or hostname of your LDAP server and click OK.

3. On the next window, answer Yes to confirm that you want to check your addresses using this directory, or No if you do not want that. Now click Next and then Finish.

4. You are now back at the Internet Accounts window. Select your newly added account and click Properties.

5. On the Properties window, click the Advanced tab.

6. In the Search Base field, enter the base of the tree where your addresses will be stored. An example could be ou=Addressbook,dc=aita,dc=com.

7. Press OK to close the window and click Close to close the Internet Accounts window. You should now be back at the main Address Book window.

8. Now, when you enter a name in the To: field, the e-mail address is looked up in the LDAP directory and automatically filled in for you. If an entry is not found, a window is presented, and any typos can be corrected, or a new search
