350 likes | 455 Views
OpenLDAP: Building and Configuring. CNS 4650 Fall 2004 Rev. 2. OpenLDAP History. http://www.openldap.org Based off the Umich code Died ~ 1996 OpenLDAP started ~1998 OpenLDAP 1.0 - August 1998. Downloading OpenLDAP. Download http://www.openldap.org/software/download/
E N D
OpenLDAP: Building and Configuring CNS 4650 Fall 2004 Rev. 2
OpenLDAP History • http://www.openldap.org • Based off the Umich code • Died ~ 1996 • OpenLDAP started ~1998 • OpenLDAP 1.0 - August 1998
Downloading OpenLDAP • Download • http://www.openldap.org/software/download/ • 2.2.18 (~August 2004) • Software packaged in a “tar-ball” • Tar’ed and then gzip’ed • openldap-2.18.tgz
Building OpenLDAP • Requirements • C/C++ compiler (gcc) • Posix REGEX (available on most modern Linux/UN*X systems) • Sleepycat Berkeley DB 4.2+ • Recommended • Cyrus SASL 2.1.18+ • OpenSSL 0.9.7+
Building SLAPD • BDB Backend • Sleepycat Berkeley DB 4.2+ • LDBM Backend • Compatible database manager • Berkeley DB, GDBM, etc.
Building SLURPD • Thread Library • Pthreads (POSIX), Cthreads (Mach)
Environment Variables • Bash • export LDFLAGS=-L/usr/local/Berkeley4.2/lib • Tcsh (TC Shell/C Shell) • setenv LDFLAGS=-L/usr/local/Berkeley4.2/lib
Building for Linux • Might have to add directories for SASL, SSL, Berkeley libraries to /etc/ld.so.conf • After run ldconfig -v • Set the LD_LIBRARY_PATH with the example from the previous slide • export LD_LIBRARY_PATH=/usr/local/Berkeley4.2/lib
Building • cd openldap-2.2.18 • ./configure --enable-wrappers • --enable-wrappers allows slapd to be TCP wrappers aware • The configure script will warn you if dependencies cannot be found. If no errors then continue
Building • make depend • make • make test • sudo -s • make install
Troubleshooting Builds • Make for sure you have a valid network interface. (ifconfig -a) • Verify you have the proper environmental flags set (LD_LIBRARY_PATH, LDFLAGS, CPPFLAGS, etc.)
What is Installed? • Servers • Client utilities • Developer libraries
Configuration Files • Configuration files are located in /etc/openldap • slapd.conf • Configuration for the LDAP server • ldap.conf • Configuration for LDAP client utilities • Schema Directory • Contains schema for LDAP server
slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org loglevel 296 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args # Load dynamic backend modules: # modulepath /usr/local/libexec/modules # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la
Include Directive • The “include” section contains the schema files that should be included • If you extend schema for OpenLDAP, add path to your schema file in the include section • include /etc/openldap/schema/my.schema • By default core.schema is the only schema included. • The administrator should probably add more • Recommend adding the following • include /etc/openldap/schema/cosine.schema • include /etc/openldap/schema/inetorgperson.schema • include /etc/openldap/schema/nis.schema
Loglevel Directive • You might need to add “loglevel” • Add levels together to achieve desired log • Example: 8 + 32 + 256 = 296 • See table on next slide for log levels and descriptions
slapd Logging • Logging happens at LOG_LEVEL4 of syslog • Add following to /etc/syslog.conf • Local4.log /var/log/slapd.log
Modules Directive • The “modules” section allows for the LDAP server to talk to different backends or databases • Example: UNIX flat files, PERL, Monitor • Berkeley does not necessarily have to be uncommented • If you plan to use Monitor then you need to add directive • moduleload back_monitor.la • Make sure you uncomment the first line!!! • The path to the module directory
slapd.conf Cont. # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
Access Control Lists • What • Regular expressions are used to define what can be accessed • access to dn.[targetstyle]=[regex] • targetstyle defines how far below the ACL applies (can contain subtree, base, one or nothing) • regex is a DN of the container you wish to control
Access Control Lists • Sample “What”s • access to dn.base="cn=Subschema” • access to dn=“.*,dc=uvsc,dc=edu” • access to dn.one=“dc=uvsc,dc=edu”
Access Control Lists • Who • Defines who can perform what operation in the defined context • by [who] [operation] • [who] defines who exactly can perform the operation (*, self, anonymous, users, [regex that matches a DN]) • [operation] defines what the defined user can do (read, write, search, compare, auth, none)
Access Control Lists • Sample “Who”s • by * auth • by self write • by * read • by dn=“.*,ou=class,dc=uvsc,dc=edu”
Access Control Lists access to attrs=userPassword by self write by * auth access to dn.subtree=cn=monitor by dn.exact=“cn=Manager,dc=uvsc,dc=edu” write by dn.subtree=“dc=uvsc,dc=edu” read by * read access to * by self write by * read
slapd.conf Cont. ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/db/openldap-data # Indices to maintain index objectClass eq
Database Directive • Berkeley is usually defined for you • database bdb • Suffix • Defines you directory domain, should be unique • Rootdn • Defines the “super user” for your LDAP server • Usually “cn=Manager, “ + the suffix • Rootpw • Use /usr/local/sbin/slappasswd to generate password • Include everything returned!! • Example: {SSHA}hwQhVL4hfn4p4HXvlgwOf1lFF/tppU6R
Database Directive • For Monitor support • database monitor
Resources • LDAP System Administration: O’Reilly and Associates. Gerald Carter • OpenLDAP website http://www.openldap.org