
OpenLDAP Directory Administration OpenLDAP: Building a Company White Pages


Presentation Transcript


  1. OpenLDAP Directory Administration. OpenLDAP: Building a Company White Pages

  2. Table of Contents
     • A Starting Point
     • Defining the Schema
     • Updating slapd.conf
     • Starting slapd
     • Adding the Initial Directory Entries
     • Graphical Editors


  4. A Starting Point
     • From the previous chapter:

       # Global section
       # include minimum schema required
       include         /etc/ldap/schema/core.schema

       # Added logging parameters
       loglevel        296
       pidfile         /var/run/slapd.pid
       argsfile        /var/run/slapd.args

       # TLS options for slapd
       TLSCipherSuite          HIGH
       TLSCertificateFile      /etc/ldap/slapd-cert.pem
       TLSCertificateKeyFile   /etc/ldap/slapd-key.pem

       # Misc settings
       password-hash   {SSHA}

       # Example database
       database        bdb
       ... (continued) ...

  5. A Starting Point (cont.)
       ... (continued) ...
       # Define the root suffix you serve
       suffix          "dc=plainjoe,dc=org"
       # Define a root DN for superuser privileges
       rootdn          "cn=Manager,dc=plainjoe,dc=org"
       # Define password used with rootdn ("secret")
       rootpw          {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
       # Directory containing database files
       directory       /var/ldap/plainjoe.org
       # Files should be created rw for the owner **only**
       mode            600
       # Indexes to maintain
       index           objectClass     eq
       index           cn              pres,eq
       # DB Tuning parameters
       cachesize       2000
       # Simple ACL
       access to * by * read
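The rootpw on this slide is a {SSHA} value of the kind slappasswd produces (password-hash {SSHA} on the previous slide makes slapd store userPassword the same way). The following is an added example, not code from the slides or from OpenLDAP: it builds and verifies hashes in that layout ("{SSHA}" followed by base64 of the SHA-1 digest of password+salt, then the salt), and gives a small check a deployment script can run to refuse a cleartext rootpw. The 4-byte default salt length is an assumption about slappasswd's usual output; verification accepts any salt length.

```python
"""Generate and verify {SSHA} password hashes in the layout slapd and
slappasswd use: "{SSHA}" + base64(SHA-1(password + salt) + salt).
Added example, not code from the slides or from OpenLDAP."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
DIGEST_LEN = 20          # SHA-1 digest length in bytes
DEFAULT_SALT_LEN = 4     # assumption: the short salt slappasswd usually emits; longer salts verify too


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string for `password`; a random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {SSHA} value using a constant-time compare."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:  # must hold a digest plus at least one salt byte
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def is_hashed(value: str) -> bool:
    """True when a rootpw/userPassword value carries a {SCHEME} prefix of any
    scheme, i.e. it is not a cleartext password."""
    return value.startswith("{") and "}" in value[1:]


if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h, ssha_verify("secret", h), ssha_verify("wrong", h))
```

Because the salt is random, two calls to ssha_hash("secret") produce different strings that both verify; is_hashed() is the check to run over slapd.conf before the file goes live, since slapd accepts a cleartext rootpw silently.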


  7. Defining the Schema
     • The first step in implementing a directory is determining what information to store in it
     • Standard schemas are widely supported by vendors
     • inetOrgPerson schema (RFC 2798) in OpenLDAP's inetorgperson.schema file
       • A descendant of organizationalPerson, which was itself derived from the person object class
       • The only required attributes for this object class are cn and sn

  8. Defining the Schema (cont.)
     objectClass: person (parent)
       required attributes: cn, sn
       optional attributes: userPassword, telephoneNumber, seeAlso, description
     objectClass: organizationalPerson (derived from person; parent of inetOrgPerson)
       optional attributes: title, x121Address, registeredAddress, destinationIndicator,
       preferredDeliveryMethod, telexNumber, teletexTerminalIdentifier, telephoneNumber,
       internationaliSDNNumber, facsimileTelephoneNumber, street, postOfficeBox, postalCode,
       postalAddress, physicalDeliveryOfficeName, ou, st, l
     objectClass: inetOrgPerson
       optional attributes: audio, businessCategory, carLicense, departmentNumber, displayName,
       employeeNumber, employeeType, givenName, homePhone, homePostalAddress, initials, jpegPhoto,
       labeledURI, mail, manager, mobile, o, pager, photo, roomNumber, secretary, uid,
       userCertificate, x500uniqueIdentifier, preferredLanguage, userSMIMECertificate, userPKCS12

  9. Defining the Schema (cont.)
     • The directory will use the cn attribute as the RDN for each entry
     • To reduce name collisions, group employees in some type of logical container
       • We will use the ou=people container
     • Example LDIF file:

       dn: cn=Gerald W. Carter,ou=people,ou=plainjoe,ou=org
       objectClass: inetOrgPerson
       cn: Gerald W. Carter
       sn: Carter
       mail: jerry@plainjoe.org
       mail: gcarter@valinux.com
       labeledURI: http://www.plainjoe.org/
       roomNumber: 1234 Dudley Hall
       departmentNumber: Engineering
       telephoneNumber: 222-555-2345
       pager: 222-555-6789
       mobile: 222-555-1011
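The design decisions above (inetOrgPerson entries, cn as the RDN, everything under ou=people beneath the suffix) are easy to state and easy to violate in a hand-written LDIF file, and slapadd will not enforce the naming convention for you. The following is an added example, not code from the slides or from OpenLDAP: a small LDIF parser plus a validator for those rules. The sample LDIF is constructed from names used on the slides; note that the example DN on this slide ends in ou=plainjoe,ou=org rather than the dc=plainjoe,dc=org suffix configured on slide 5, and the validator reports exactly that.

```python
"""Validate LDIF content records for the white-pages design on the slides:
every entry should be an inetOrgPerson whose RDN is its cn, placed directly
under ou=people beneath the dc=plainjoe,dc=org suffix, and carry the cn and
sn attributes person requires.  Added example, not from the slides or from
OpenLDAP; the sample LDIF is constructed from names used on the slides."""
from typing import Dict, List

SUFFIX = "dc=plainjoe,dc=org"
CONTAINER = "ou=people," + SUFFIX
REQUIRED_ATTRS = ("cn", "sn")      # required by person, inherited by inetOrgPerson

SAMPLE_LDIF = """\
dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
objectClass: inetOrgPerson
cn: Peabody Soup
sn: Soup
mail: peabody@plainjoe.org

dn: cn=Gerald W. Carter,ou=people,ou=plainjoe,ou=org
objectClass: inetOrgPerson
cn: Gerald W. Carter
sn: Carter
mail: jerry@plainjoe.org
labeledURI: http://www.plainjoe.org/

dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
objectClass: inetOrgPerson
cn: Jerry Carter
telephoneNumber: 555-123-1234
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF content records (separated by blank lines) into dicts of
    lower-cased attribute name -> list of values.  Handles 'attr: value'
    lines, '#' comment lines and folded continuation lines (leading space)."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return records


def validate_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the problems found in one parsed entry (empty list = OK).
    DN components are split on ',' which is enough for the slides' DNs;
    escaped commas inside RDN values would need a real DN parser."""
    problems: List[str] = []
    dn = entry.get("dn", [""])[0]
    rdn, _, parent = dn.partition(",")
    rdn_attr, _, rdn_value = rdn.partition("=")
    if parent.lower() != CONTAINER.lower():
        problems.append(f"{dn}: not directly under {CONTAINER}")
    if rdn_attr.strip().lower() != "cn":
        problems.append(f"{dn}: RDN attribute is {rdn_attr.strip()!r}, expected cn")
    elif rdn_value.strip() not in entry.get("cn", []):
        problems.append(f"{dn}: RDN value is not one of the entry's cn values")
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "inetorgperson" not in classes:
        problems.append(f"{dn}: missing objectClass inetOrgPerson")
    for attr in REQUIRED_ATTRS:
        if not entry.get(attr):
            problems.append(f"{dn}: missing required attribute {attr}")
    return problems


def validate_ldif(text: str) -> Dict[str, List[str]]:
    """Map each DN to its list of problems; only DNs with problems are included."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        problems = validate_entry(entry)
        if problems:
            report[entry.get("dn", [""])[0]] = problems
    return report


if __name__ == "__main__":
    for dn, problems in validate_ldif(SAMPLE_LDIF).items():
        print(dn, "->", problems)
```

Run over a file before slapadd and the report lists the entries that would land outside ou=people or fail the schema check; the RDN-matches-cn rule also catches entries whose name attribute was edited without the DN being updated.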

  10. Defining the Schema (cont.)
     Deep/narrow or wide/shallow directory?
     • Depends on two factors:
       • How likely is it for a change to force an entry (a person) to be moved from one organizational unit to another?
         • Deeper directory trees = an entry must meet more requirements
       • Does the implementation of your LDAP directory server favor one design over another?
         • For OpenLDAP, the answer depends on the needs
         • Number of writes? slapd requires a lock on the parent entry for the requesting client
         • Deeper tree = searches can be made more efficient by giving a more detailed search base
     • Read "Understanding and Deploying LDAP Directory Services" (MacMillan Technical Press)


  12. Updating slapd.conf
     • Modify slapd.conf to select the supported attribute types and object classes
     • To better support searches, modify the set of indexes to include a more complete list of attributes:

       # Global section
       # Minimum schema required
       include         /etc/ldap/schema/core.schema
       # inetOrgPerson object
       include         /etc/ldap/schema/cosine.schema
       include         /etc/ldap/schema/inetorgperson.schema

       # Indexes to maintain
       index           objectClass             eq
       # eq,sub = equality and substring matching
       index           cn,sn,mail              eq,sub
       index           departmentNumber        eq
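Slides 4, 5 and 12 together describe a slapd.conf with several settings that matter for security: the schema includes (inetorgperson.schema depends on core.schema and cosine.schema, so order matters), the TLS certificate, a hashed rootpw, mode 600 on the database files, and the access directives. The starting-point ACL "access to * by * read" grants read on every attribute, userPassword included, to anonymous clients. The following is an added example, not code from the slides or from OpenLDAP: a linter that parses slapd.conf (comment lines, whitespace-led continuation lines) and reports those weaknesses. The two configurations embedded in it are constructed for the demonstration; the hardened one adds an attrs=userPassword rule ahead of the catch-all.

```python
"""Static checks for a slapd.conf of the kind shown on the slides.  Added
example, not from the slides or from OpenLDAP; the two sample configurations
are constructed for the demonstration."""
import re
from typing import Dict, List, Tuple

SCHEMA_ORDER = ["core.schema", "cosine.schema", "inetorgperson.schema"]

WEAK_CONF = """\
include         /etc/ldap/schema/core.schema
database        bdb
suffix          "dc=plainjoe,dc=org"
rootdn          "cn=Manager,dc=plainjoe,dc=org"
rootpw          secret
directory       /var/ldap/plainjoe.org
access to * by * read
"""

HARDENED_CONF = """\
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
TLSCertificateFile      /etc/ldap/slapd-cert.pem
TLSCertificateKeyFile   /etc/ldap/slapd-key.pem
database        bdb
suffix          "dc=plainjoe,dc=org"
rootdn          "cn=Manager,dc=plainjoe,dc=org"
rootpw          {SSHA}PLACEHOLDER-HASH-FROM-slappasswd
directory       /var/ldap/plainjoe.org
mode            600
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""


def parse_slapd_conf(text: str) -> List[Tuple[str, str]]:
    """Return (directive, arguments) pairs.  slapd.conf rules applied here:
    '#' at the start of a line is a comment, and a line beginning with
    whitespace continues the previous directive."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            directive, args = entries[-1]
            entries[-1] = (directive, f"{args} {raw.strip()}".strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint_slapd_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    by_directive: Dict[str, List[str]] = {}
    for directive, args in parse_slapd_conf(text):
        by_directive.setdefault(directive, []).append(args)

    # 1. schema includes: presence and order (inetorgperson needs core and cosine first)
    included = [a.rsplit("/", 1)[-1].lower() for a in by_directive.get("include", [])]
    for schema in SCHEMA_ORDER:
        if schema not in included:
            findings.append(f"missing include {schema} (needed for inetOrgPerson)")
    positions = [SCHEMA_ORDER.index(s) for s in included if s in SCHEMA_ORDER]
    if positions != sorted(positions):
        findings.append("schema includes out of order: core, then cosine, then inetorgperson")

    # 2. TLS: without a certificate, simple binds carry the password in cleartext
    if "tlscertificatefile" not in by_directive or "tlscertificatekeyfile" not in by_directive:
        findings.append("no TLS certificate/key configured; simple binds send passwords in cleartext")

    # 3. rootpw must be a {SCHEME} hash such as slappasswd output
    for value in by_directive.get("rootpw", []):
        if not (value.startswith("{") and "}" in value):
            findings.append("rootpw is stored in cleartext; use a {SSHA} value from slappasswd")

    # 4. database files readable by the owner only
    mode = by_directive.get("mode", [None])[0]
    if mode not in ("600", "0600"):
        findings.append("mode should be 600 so database files are readable by the owner only")

    # 5. ACLs: slapd's default, and 'access to * by * read', expose userPassword to anyone
    acls = [" ".join(a.split()).lower() for a in by_directive.get("access", [])]
    if not acls:
        findings.append("no access directives; the default policy lets anyone read every attribute")
    password_rule_seen = False
    for acl in acls:
        if "attrs=userpassword" in acl:
            password_rule_seen = True
        elif re.fullmatch(r"to \* by \* read", acl) and not password_rule_seen:
            findings.append("'access to * by * read' with no earlier userPassword rule lets "
                            "anonymous clients read password hashes")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_slapd_conf(conf) or "ok")
```

slapd evaluates access directives in order and stops at the first one whose target matches, which is why the userPassword rule has to precede "access to *"; the linter mirrors that by only accepting a catch-all read once a userPassword rule has been seen.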


  14. Starting slapd
     • Generally: # /path/to/slapd
     • Check with "ps -ef", or use an init.d script!
     • Command-line options:
       -d integer                  specifies log level (to console)
       -f filename                 specifies config file
       -h URI_list                 URIs that the LDAP server should serve, e.g. ldap://
       -l syslog-local-user        specifies local user of syslog facility
       -n name                     defines service name to use when logging
       -r directory                specifies a chroot() jail directory
       -s syslog-level             defines syslog level other than default
       -u username / -g groupname  effective UID/GID for slapd


  16. Adding the Initial Directory Entries
     • Two ways to add information to the directory
     • slapadd & the other slap* commands work directly with the database and don't interact with slapd at all!
       • slapadd, slapcat, slapindex, slappasswd
       • Much faster!
       • Must be run locally on the server (for version 2.0 or lower, slapd must not be running)
       • Good for getting the server online
     • A number of tools, like ldapmodify, distributed with OpenLDAP, update a live directory
       • More flexible, allow greater control
       • Day-to-day administration

  17. Adding the Initial Directory Entries (cont.)
     • slapadd command-line arguments:
     • slapcat dumps the contents of an entire directory (including persistent operational attributes such as modifyTimestamp) in LDIF format
       • Identical command-line options, except -l specifies an output file
     • LDIF format = most portable format

  18. Adding the Initial Directory Entries (cont.)
     • slapindex can regenerate indexes for a bdb backend (the -l option isn't used)
     • Example of the slapadd command:

       # slapadd -v -l /tmp/top.ldif
       added: "dc=plainjoe,dc=org" (00000001)
       added: "ou=people,dc=plainjoe,dc=org" (00000002)

  19. Adding the Initial Directory Entries (cont.)
     Verifying the Directory's Contents
     • (after bringing the directory online)
     • Use ldapsearch to query the directory
     • In its simplest form, a query requires:
       • The LDAP server's hostname or IP address
       • The credentials (user DN and password)
       • A search base in the form of a DN
       • The scope of the directory search
       • A search filter
       • A list of attributes to return

  20. Adding the Initial Directory Entries (cont.)
     Verifying the Directory's Contents (cont.)
     • Example ("show me everything" search):

       $ ldapsearch -x -b "dc=plainjoe,dc=org" "(objectclass=*)"
       version: 2
       # filter: (objectclass=*)
       # requesting: ALL
       #

       # plainjoe,dc=org
       dn: dc=plainjoe,dc=org
       dc: plainjoe.org
       objectClass: organizationalUnit
       ou: Plainjoe Dot Org

       # people,dc=plainjoe,dc=org
       dn: ou=people,dc=plainjoe,dc=org
       ou: people
       objectClass: organizationalUnit

       # Search result
       search: 2
       result: 0 Success

       # numResponses: 3
       # numEntries: 2

     • Notes on the command line:
       • -x = "simple bind" (no SASL); no authentication required for this search
       • -b "dc=plainjoe,dc=org" defines the suffix DN as the search base
       • "(objectclass=*)" is the search filter
       • ldapsearch binds to localhost if no server is specified (-h option)
       • default search scope: all entries
       • by default, all non-operational attributes are returned

  21. Adding the Initial Directory Entries (cont.) Verifying the Directory's Contents (cont.) Command-line options common to ldapsearch, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn

  22. Adding the Initial Directory Entries (cont.) Verifying the Directory's Contents (cont.) Command-line options common to ldapsearch, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn (cont.)

  23. Adding the Initial Directory Entries (cont.) Verifying the Directory's Contents (cont.) Command-line options specific to ldapsearch

  24. Adding the Initial Directory Entries (cont.)
     Updating What Is Already There
     • Use ldapmodify to update the data in the directory (note that ldapmodify can also add entries)
     • Options:
       -a             Entries are to be added to the directory (default for ldapmodify is to modify)
       -f filename    Reads new entries from the given filename
       -r             Replaces entries and values
       -F             Forces all change records to be used from the input
     • e.g.:

       $ ldapmodify -D "cn=Manager,dc=plainjoe,dc=org" -w secret \
       > -x -a -f /tmp/users.diff
       adding new entry ...

  25. Adding the Initial Directory Entries (cont.)
     Updating What Is Already There (cont.)
     • changetype keyword values:
       • add
       • delete
       • modify
       • modrdn (changes the RDN of an entry)
       • moddn (changes the DN of an entry)
     • Example LDIF file that adds & deletes an attribute (records are separated by a blank line):

       ## /tmp/update.ldif
       dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
       changetype: modify
       add: labeledURI
       labeledURI: http://www.plainjoe.org/~jerry/

       dn: cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
       changetype: modify
       delete: mail
       mail: gcarter@valinux.com

  26. Adding the Initial Directory Entries (cont.)
     Updating What Is Already There (cont.)
     • Running ldapmodify in verbose mode:

       $ ldapmodify -D "cn=Manager,dc=plainjoe,dc=org" -w secret \
       > -x -v -f /tmp/update.ldif
       ldap_initialize( <DEFAULT> )
       add labeledURI: http://www.plainjoe.org/~jerry/
       modifying entry "cn=Jerry Carter,ou=people,dc=plainjoe,dc=org"
       modify complete

       delete mail: gcarter@valinux.com
       modifying entry "cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org"
       modify complete

  27. Adding the Initial Directory Entries (cont.)
     Updating What Is Already There (cont.)
     • Multiple changes to a single entry are separated by a single dash (-) on a line by itself:

       # /tmp/changetypes.ldif
       dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
       changetype: add
       cn: Peabody Soup
       sn: Soup
       objectclass: inetOrgPerson

       dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
       changetype: modify
       delete: telephoneNumber
       telephoneNumber: 555-123-1234
       -
       add: telephoneNumber
       telephoneNumber: 234-555-6789

       dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
       changetype: delete

  28. Adding the Initial Directory Entries (cont.)
     Updating What Is Already There (cont.)
     • Modifying the RDN of an entry:

       # /tmp/modrdn.ldif
       dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
       changetype: modrdn
       newrdn: cn=Gerry Carter
       deleteoldrdn: 1

     • Or from the command line:

       $ ldapmodrdn \
       > "cn=Jerry Carter,ou=people,dc=plainjoe,dc=org" \
       > "cn=Gerry Carter"

     • If the entry is not a leaf node, changing its RDN orphans its children: BAD!
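Slides 25 to 28 show the change-record form of LDIF that ldapmodify consumes: one record per DN separated by a blank line, a changetype of add, modify, delete, modrdn or moddn, and, inside a modify, several operations separated by a lone "-" line. Reviewing such a file before running it against a live directory is worthwhile, because ldapmodify applies records in sequence and a malformed record stops the run part-way (the delete on slide 29 is likewise not atomic). The following is an added example, not code from the slides or from OpenLDAP: a parser for that record format and a one-line-per-record summary for review. The sample file is constructed from the slides' /tmp/changetypes.ldif and /tmp/modrdn.ldif.

```python
"""Parse LDIF change records of the kinds ldapmodify accepts (changetype
add, modify, delete, modrdn/moddn), with records separated by a blank line
and the operations of one modify separated by a lone '-' line.
Added example, not from the slides or from OpenLDAP."""
import re
from typing import Any, Dict, List, Tuple

# constructed sample: add, modify (two ops), modrdn, delete
SAMPLE_CHANGES = """\
dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
changetype: add
cn: Peabody Soup
sn: Soup
objectclass: inetOrgPerson

dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
changetype: modify
delete: telephoneNumber
telephoneNumber: 555-123-1234
-
add: telephoneNumber
telephoneNumber: 234-555-6789

dn: cn=Jerry Carter,ou=people,dc=plainjoe,dc=org
changetype: modrdn
newrdn: cn=Gerry Carter
deleteoldrdn: 1

dn: cn=Peabody Soup,ou=people,dc=plainjoe,dc=org
changetype: delete
"""

MODIFY_OPS = ("add", "delete", "replace")


def _split_line(line: str) -> Tuple[str, str]:
    """'attr: value' -> ('attr', 'value'); only the first ':' separates them."""
    attr, _, value = line.partition(":")
    return attr.strip(), value.strip()


def parse_change_records(text: str) -> List[Dict[str, Any]]:
    """Return one dict per record: dn, changetype, and either 'ops' (for
    modify: list of {op, attr, values}) or 'attrs' (attribute -> values for
    add and modrdn/moddn).  A record without changetype is treated as an add,
    which is what ldapmodify -a does."""
    records: List[Dict[str, Any]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip() and not ln.startswith("#")]
        if not lines:
            continue
        attr, dn = _split_line(lines[0])
        if attr.lower() != "dn":
            raise ValueError(f"record must start with dn:, got {lines[0]!r}")
        rec: Dict[str, Any] = {"dn": dn, "changetype": "add", "ops": [], "attrs": {}}
        body = lines[1:]
        if body and _split_line(body[0])[0].lower() == "changetype":
            rec["changetype"] = _split_line(body[0])[1].lower()
            body = body[1:]
        ct = rec["changetype"]
        if ct == "modify":
            op = None
            for line in body:
                if line.strip() == "-":            # end of one operation
                    if op is not None:
                        rec["ops"].append(op)
                    op = None
                    continue
                attr, value = _split_line(line)
                if op is None:                     # first line of an operation names it
                    if attr.lower() not in MODIFY_OPS:
                        raise ValueError(f"{dn}: expected add/delete/replace, got {attr!r}")
                    op = {"op": attr.lower(), "attr": value, "values": []}
                else:                              # following lines are the values
                    op["values"].append(value)
            if op is not None:
                rec["ops"].append(op)
        elif ct in ("add", "modrdn", "moddn"):
            for line in body:
                attr, value = _split_line(line)
                rec["attrs"].setdefault(attr, []).append(value)
        elif ct == "delete":
            if body:
                raise ValueError(f"{dn}: delete record carries extra lines")
        else:
            raise ValueError(f"{dn}: unknown changetype {ct!r}")
        records.append(rec)
    return records


def summarize(records: List[Dict[str, Any]]) -> List[str]:
    """One line per record, for review before the file touches a live directory."""
    out: List[str] = []
    for rec in records:
        if rec["changetype"] == "modify":
            ops = "; ".join(f"{o['op']} {o['attr']} {o['values'] or '(all values)'}" for o in rec["ops"])
            out.append(f"modify {rec['dn']}: {ops}")
        elif rec["changetype"] in ("modrdn", "moddn"):
            out.append(f"{rec['changetype']} {rec['dn']} -> {rec['attrs'].get('newrdn', ['?'])[0]}")
        else:
            out.append(f"{rec['changetype']} {rec['dn']}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_change_records(SAMPLE_CHANGES))))
```

A "delete: mail" with no value lines is reported as "(all values)", which is the case most worth a second look in review, since it removes every value of the attribute rather than one.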

  29. Adding the Initial Directory Entries (cont.)
     Updating What Is Already There (cont.)
     • ldapmodrdn command-line options:
       -c                      Continue if errors occur
       -r                      Remove the old RDN value
       -s new_superior_node    Defines the new superior, or parent, entry under which the renamed entry should be located
     • ldapdelete has one new option: -r (recursive) (note that the delete is not atomic)

       $ ldapdelete -D "cn=Manager,dc=plainjoe,dc=org" -w secret -x \
       > -r -v "ou=people,dc=plainjoe,dc=org"
       ldap_initialize( <DEFAULT> )
       deleting entry "ou=people,dc=plainjoe,dc=org"
       deleting children of: ou=people,dc=plainjoe,dc=org
       deleting children of: cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
       removing cn=Gerald W. Carter,ou=people,dc=plainjoe,dc=org
       ...


  31. Graphical Editors
     • GQ (http://biot.com/gq/)
       • GPL, GTK+ based LDAPv3 client
       • Supports browsing, searching, editing/deleting entries, creating template entries, exporting subtrees or the whole directory to an LDIF file
       • Supports multiple server profiles, SASL authentication
     • Java LDAP Browser/Editor (http://www.iit.edu/~gawojar/ldap/)
       • Written in Java using JNDI classes
       • Supports LDAPv2/3, including SSL, editing attribute values, searching, exporting and importing data using LDIF files, creating template entries, using multiple server profiles
     • Softerra LDAP Browser (http://www.ldapbrowser.com/)
       • Freely available, Win32-based
       • Explorer-like interface, supports LDAPv2/3, SSL for v3 sessions, multiple server profiles, exporting entries and subtrees to an LDIF file
