Merge lp:~petermatulis/serverguide/serverguide-review-6.1 into lp:~ubuntu-core-doc/serverguide/oneiric
Status: | Merged |
---|---|
Merged at revision: | 30 |
Proposed branch: | lp:~petermatulis/serverguide/serverguide-review-6.1 |
Merge into: | lp:~ubuntu-core-doc/serverguide/oneiric |
Diff against target: | 3121 lines (+1599/-1179), 1 file modified: serverguide/C/network-auth.xml (+1599/-1179) |
To merge this branch: | bzr merge lp:~petermatulis/serverguide/serverguide-review-6.1 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Ahmed Kamal (community) | Approve | ||
Ubuntu Documentation Committers | Pending | ||
Review via email: mp+77595@code.launchpad.net
Commit message
Description of the change
This subchapter was re-written using the Natty document as a skeleton. There were many mistakes in the old document and there was not enough explanation. I tried hard to be concise and referred to upstream documentation when possible. I added a new section called "Logging".
- 8. By Peter Matulis: Edits made based on merge proposal; subchapter 6.1
Peter Matulis (petermatulis) wrote:
Changes made, including all man page links you did not mention.
Re missing command, I am providing the layout of the slapd-config database (/etc/ldap/
Ahmed Kamal (kim0) wrote:
Thank you, this is a great contribution
Connor Imes (ckimes) wrote:
I've merged this one now as well, but had to resolve some conflicts with the section 6.1 review in merge request 75664 that was completed earlier.
Preview Diff
1 | === modified file 'serverguide/C/network-auth.xml' |
2 | --- serverguide/C/network-auth.xml 2011-05-03 07:11:18 +0000 |
3 | +++ serverguide/C/network-auth.xml 2011-10-04 12:44:23 +0000 |
4 | @@ -9,194 +9,427 @@ |
5 | %xinclude; |
6 | <!ENTITY language "&EnglishAmerican;"> |
7 | ]> |
8 | + |
9 | <chapter id="network-authentication" status="review"> |
10 | <title>Network Authentication</title> |
11 | |
12 | - <para> |
13 | - This section explains various Network Authentication protocols. |
14 | - </para> |
15 | + <para> |
16 | + This section applies LDAP to network authentication. |
17 | + </para> |
18 | + |
19 | <sect1 id="openldap-server" status="review"> |
20 | - <title>OpenLDAP Server</title> |
21 | - <para> |
22 | - LDAP is an acronym for Lightweight Directory Access Protocol, it is a simplified |
23 | - version of the X.500 protocol. The directory setup in this section will |
24 | - be used for authentication. Nevertheless, LDAP can be |
25 | - used in numerous ways: authentication, shared directory (for mail |
26 | - clients), address book, etc. |
27 | - </para> |
28 | - |
29 | - <para> |
30 | - To describe LDAP quickly, all information is stored in a tree structure. With |
31 | - <application>OpenLDAP</application> you have freedom to determine |
32 | - the directory arborescence (the Directory Information Tree: the DIT) yourself. |
33 | - We will begin with a basic tree containing two nodes below the root: |
34 | - </para> |
35 | - |
36 | - <itemizedlist> |
37 | - <listitem> |
38 | - <para>"People" node where your users will be stored</para> |
39 | - </listitem> |
40 | - <listitem> |
41 | - <para>"Groups" node where your groups will be stored</para> |
42 | - </listitem> |
43 | - </itemizedlist> |
44 | - |
45 | - <para> |
46 | - Before beginning, you should determine what the root of your LDAP directory |
47 | - will be. By default, your tree will be determined by your Fully Qualified |
48 | - Domain Name (FQDN). If your domain is example.com (which we will use in this |
49 | - example), your root node will be dc=example,dc=com. |
50 | + <title>OpenLDAP Server</title> |
51 | + |
52 | + <para> |
53 | + The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying a X.500-based directory service running |
54 | + over TCP/IP. The current LDAP version is LDAPv3, as defined in <ulink url="http://tools.ietf.org/html/rfc4510">RFC4510</ulink>, and |
55 | + the LDAP implementation used in Ubuntu is OpenLDAP, currently at version 2.4.25 (Oneiric). |
56 | + </para> |
57 | + |
58 | + <para> |
59 | + So this protocol accesses LDAP directories. Here are some key concepts and terms: |
60 | + </para> |
61 | + |
62 | + <itemizedlist> |
63 | + |
64 | + <listitem> |
65 | + <para> |
66 | + A LDAP directory is a tree of data <emphasis>entries</emphasis> that is hierarchical in nature and is called |
67 | + the Directory Information Tree (DIT). |
68 | + </para> |
69 | + </listitem> |
70 | + |
71 | + <listitem> |
72 | + <para> |
73 | + An entry consists of a set of <emphasis>attributes</emphasis>. |
74 | + </para> |
75 | + </listitem> |
76 | + |
77 | + <listitem> |
78 | + <para> |
79 | + An attribute has a <emphasis>type</emphasis> (a name/description) and one or more <emphasis>values</emphasis>. |
80 | + </para> |
81 | + </listitem> |
82 | + |
83 | + <listitem> |
84 | + <para> |
85 | + Every attribute must be defined in at least one <emphasis>objectClass</emphasis>. |
86 | + </para> |
87 | + </listitem> |
88 | + |
89 | + <listitem> |
90 | + <para> |
91 | + Attributes and objectclasses are defined in <emphasis>schemas</emphasis> (an objectclass is actually |
92 | + considered as a special kind of attribute). |
93 | + </para> |
94 | + </listitem> |
95 | + |
96 | + <listitem> |
97 | + <para> |
98 | + Each entry has a unique identifier: it's <emphasis>Distinguished Name</emphasis> (DN or dn). This consists |
99 | + of it's <emphasis>Relative Distinguished Name</emphasis> (RDN) followed by the parent entry's DN. |
100 | + </para> |
101 | + </listitem> |
102 | + |
103 | + <listitem> |
104 | + <para> |
105 | + The entry's DN is not an attribute. It is not considered part of the entry itself. |
106 | + </para> |
107 | + </listitem> |
108 | + |
109 | + </itemizedlist> |
110 | + |
111 | + <note> |
112 | + <para> |
113 | + The terms <emphasis>object</emphasis>, <emphasis>container</emphasis>, and <emphasis>node</emphasis> have certain |
114 | + connotations but they all essentially mean the same thing as <emphasis>entry</emphasis>, the technically correct term. |
115 | + </para> |
116 | + </note> |
117 | + |
118 | + <para> |
119 | + For example, below we have a single entry consisting of 11 attributes. It's DN is "cn=John Doe,dc=example,dc=com"; it's RDN is "cn=John Doe"; |
120 | + and it's parent DN is "dc=example,dc=com". |
121 | + </para> |
122 | + |
123 | +<programlisting> |
124 | + dn: cn=John Doe,dc=example,dc=com |
125 | + cn: John Doe |
126 | + givenName: John |
127 | + sn: Doe |
128 | + telephoneNumber: +1 888 555 6789 |
129 | + telephoneNumber: +1 888 555 1232 |
130 | + mail: john@example.com |
131 | + manager: cn=Larry Smith,dc=example,dc=com |
132 | + objectClass: inetOrgPerson |
133 | + objectClass: organizationalPerson |
134 | + objectClass: person |
135 | + objectClass: top |
136 | +</programlisting> |
137 | + |
138 | + <para> |
139 | + The above entry is in <emphasis>LDIF</emphasis> format (LDAP Data Interchange Format). Any information that you feed |
140 | + into your DIT must also be in such a format. It is defined in <ulink url="http://tools.ietf.org/html/rfc2849">RFC2849</ulink>. |
141 | + </para> |
142 | + |
143 | + <para> |
144 | + Although this guide will describe how to use it for central authentication, LDAP is good for anything that involves a large number |
145 | + of access requests to a mostly-read, attribute-based (name:value) backend. Examples include an address book, a list of email addresses, |
146 | + and a mail server's configuration. |
147 | </para> |
148 | |
149 | - <sect2 id="openldap-server-installation" status="review"> |
150 | + <sect2 id="openldap-server-installation" status="review"> |
151 | <title>Installation</title> |
152 | |
153 | <para> |
154 | - First, install the <application>OpenLDAP</application> server daemon |
155 | - <application>slapd</application> and <application>ldap-utils</application>, |
156 | - a package containing LDAP management utilities: |
157 | - </para> |
158 | + Install the OpenLDAP server daemon and the traditional LDAP management utilities. These are found in packages <application>slapd</application> |
159 | + and <application>ldap-utils</application> respectively. |
160 | + </para> |
161 | + |
162 | + <para> |
163 | + The installation of slapd will create a working configuration. In particular, it will create a database instance that you |
164 | + can use to store your data. However, the suffix (or base DN) of this instance will be determined from the domain name of the localhost. |
165 | + If you want something different, edit <filename>/etc/hosts</filename> and replace the domain name with one that will give you the |
166 | + suffix you desire. For instance, if you want a suffix of <emphasis>dc=example,dc=com</emphasis> then your file would have a line |
167 | + similar to this: |
168 | + </para> |
169 | + |
170 | +<programlisting> |
171 | +127.0.1.1 hostname.example.com hostname |
172 | +</programlisting> |
173 | + |
174 | + <para> |
175 | + You can revert the change after package installation. |
176 | + </para> |
177 | + |
178 | + <note> |
179 | + <para> |
180 | + This guide will use a database suffix of <emphasis>dc=example,dc=com</emphasis>. |
181 | + </para> |
182 | + </note> |
183 | + |
184 | + <para> |
185 | + Proceed with the install: |
186 | + </para> |
187 | + |
188 | <screen> |
189 | <command>sudo apt-get install slapd ldap-utils</command> |
190 | </screen> |
191 | - |
192 | - <para> |
193 | - By default <application>slapd</application> is configured with minimal options needed |
194 | - to run the <application>slapd</application> daemon. |
195 | - </para> |
196 | - |
197 | - <para> |
198 | - The configuration example in the following sections will match the domain name of the server. |
199 | - For example, if the machine's Fully Qualified Domain Name (FQDN) is |
200 | - ldap.example.com, the default suffix will be <emphasis>dc=example,dc=com</emphasis>. |
201 | - </para> |
202 | - |
203 | - </sect2> |
204 | - <sect2 id="openldap-server-populate" status="review"> |
205 | - <title>Populating LDAP</title> |
206 | - |
207 | - <para> |
208 | - <application>OpenLDAP</application> uses a separate directory which contains the |
209 | - <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The |
210 | - <emphasis>cn=config</emphasis> DIT is used to dynamically configure the |
211 | - <application>slapd</application> daemon, allowing the modification of schema |
212 | - definitions, indexes, ACLs, etc without stopping the service. |
213 | - </para> |
214 | - |
215 | - <para> |
216 | - The backend <emphasis>cn=config</emphasis> directory has only a minimal configuration and will |
217 | - need additional configuration options in order to populate the frontend directory. The frontend will be populated |
218 | - with a "classical" scheme that will be compatible with address book applications and with Unix Posix |
219 | - accounts. Posix accounts will allow authentication to various applications, such as web |
220 | - applications, email Mail Transfer Agent (MTA) applications, etc. |
221 | - </para> |
222 | - |
223 | - <note> |
224 | - <para> |
225 | - For external applications to authenticate using LDAP they will each need to be |
226 | - specifically configured to do so. Refer to the individual application |
227 | - documentation for details. |
228 | - </para> |
229 | - </note> |
230 | - |
231 | - <note> |
232 | - <para> |
233 | - Remember to change <emphasis>dc=example,dc=com</emphasis> in the following examples to match your LDAP configuration. |
234 | - </para> |
235 | - </note> |
236 | - |
237 | - <para> |
238 | - First, some additional schema files need to be loaded. In a terminal enter: |
239 | - </para> |
240 | - |
241 | -<screen> |
242 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif</command> |
243 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif</command> |
244 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif</command> |
245 | -</screen> |
246 | - |
247 | - <para> |
248 | - Next, copy the following example LDIF file, naming it |
249 | - <filename>backend.example.com.ldif</filename>, somewhere on your system: |
250 | - </para> |
251 | - |
252 | -<programlisting> |
253 | -# Load dynamic backend modules |
254 | -dn: cn=module,cn=config |
255 | -objectClass: olcModuleList |
256 | -cn: module |
257 | -olcModulepath: /usr/lib/ldap |
258 | -olcModuleload: back_hdb.la |
259 | - |
260 | -# Database settings |
261 | -dn: olcDatabase=hdb,cn=config |
262 | -objectClass: olcDatabaseConfig |
263 | -objectClass: olcHdbConfig |
264 | -olcDatabase: {1}hdb |
265 | -olcSuffix: dc=example,dc=com |
266 | -olcDbDirectory: /var/lib/ldap |
267 | -olcRootDN: cn=admin,dc=example,dc=com |
268 | -olcRootPW: secret |
269 | -olcDbConfig: set_cachesize 0 2097152 0 |
270 | -olcDbConfig: set_lk_max_objects 1500 |
271 | -olcDbConfig: set_lk_max_locks 1500 |
272 | -olcDbConfig: set_lk_max_lockers 1500 |
273 | -olcDbIndex: objectClass eq |
274 | -olcLastMod: TRUE |
275 | -olcDbCheckpoint: 512 30 |
276 | -olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none |
277 | -olcAccess: to attrs=shadowLastChange by self write by * read |
278 | -olcAccess: to dn.base="" by * read |
279 | -olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read |
280 | - |
281 | -</programlisting> |
282 | - |
283 | - <note> |
284 | - <para> |
285 | - Change <emphasis>olcRootPW: secret</emphasis> to a password of your choosing. |
286 | - </para> |
287 | - </note> |
288 | - |
289 | - <para> |
290 | - Now add the LDIF to the directory: |
291 | - </para> |
292 | - |
293 | -<screen> |
294 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif</command> |
295 | -</screen> |
296 | - |
297 | - <para> |
298 | - The frontend directory is now ready to be populated. Create a <filename>frontend.example.com.ldif</filename> |
299 | - with the following contents: |
300 | - </para> |
301 | - |
302 | -<programlisting> |
303 | -# Create top-level object in domain |
304 | + |
305 | + <para> |
306 | + Since Ubuntu 8.10 slapd is designed to be configured within slapd itself by dedicating a separate DIT for that purpose. This allows one |
307 | + to dynamically configure slapd without the need to restart the service. This configuration database consists of a collection of text-based |
308 | + LDIF files located under <filename>/etc/ldap/slapd.d</filename>. This way of working is known by several names: the slapd-config method, |
309 | + the RTC method (Real Time Configuration), or the cn=config method. You can still use the traditional flat-file method (slapd.conf) but it's |
310 | + not recommended; the functionality will be eventually phased out. |
311 | + </para> |
312 | + |
313 | + <note> |
314 | + <para> |
315 | + Ubuntu now uses the <emphasis>slapd-config</emphasis> method for slapd configuration and this |
316 | + guide reflects that. |
317 | + </para> |
318 | + </note> |
319 | + |
320 | + <para> |
321 | + During the install you were prompted to define administrative credentials. These are LDAP-based credentials for the <emphasis>rootDN</emphasis> |
322 | + of your database instance. By default, this user's DN is <emphasis>cn=admin,dc=example,dc=com</emphasis>. Also by default, there is no |
323 | + administrative account created for the slapd-config database and you will therefore need to authenticate externally to LDAP in order to access it. |
324 | + We will see how to do this later on. |
325 | + </para> |
326 | + |
327 | + <para> |
328 | + Some classical schemas (cosine, nis, inetorgperson) come built-in with slapd nowadays. There is also an included "core" schema, a pre-requisite |
329 | + for any schema to work. |
330 | + </para> |
331 | + |
332 | + </sect2> |
333 | + |
334 | + <sect2 id="openldap-server-postinstall" status="review"> |
335 | + <title>Post-install Inspection</title> |
336 | + |
337 | + <para> |
338 | + The installation process set up 2 DITs. One for slapd-config and one for your own data (dc=example,dc=com). Let's take a look. |
339 | + </para> |
340 | + |
341 | + <itemizedlist> |
342 | + |
343 | + <listitem> |
344 | + <para> |
345 | + This is what the slapd-config database/DIT looks like. Recall that this database is |
346 | + LDIF-based and lives under <filename>/etc/ldap/slapd.d</filename>: |
347 | + </para> |
348 | + |
349 | +<screen> |
350 | +<computeroutput> |
351 | + /etc/ldap/slapd.d/ |
352 | + |
353 | + ├── cn=config |
354 | + │ ├── cn=module{0}.ldif |
355 | + │ ├── cn=schema |
356 | + │ │ ├── cn={0}core.ldif |
357 | + │ │ ├── cn={1}cosine.ldif |
358 | + │ │ ├── cn={2}nis.ldif |
359 | + │ │ └── cn={3}inetorgperson.ldif |
360 | + │ ├── cn=schema.ldif |
361 | + │ ├── olcBackend={0}hdb.ldif |
362 | + │ ├── olcDatabase={0}config.ldif |
363 | + │ ├── olcDatabase={-1}frontend.ldif |
364 | + │ └── olcDatabase={1}hdb.ldif |
365 | + └── cn=config.ldif |
366 | +</computeroutput> |
367 | +</screen> |
368 | + |
369 | + <note> |
370 | + <para> |
371 | + Do not edit the slapd-config database directly. Make changes via the LDAP protocol (utilities). |
372 | + </para> |
373 | + </note> |
374 | + |
375 | + </listitem> |
376 | + |
377 | + <listitem> |
378 | + <para> |
379 | + This is what the slapd-config DIT looks like via the LDAP protocol: |
380 | + </para> |
381 | + |
382 | +<screen> |
383 | +<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn</command> |
384 | +<computeroutput> |
385 | +dn: cn=config |
386 | + |
387 | +dn: cn=module{0},cn=config |
388 | + |
389 | +dn: cn=schema,cn=config |
390 | + |
391 | +dn: cn={0}core,cn=schema,cn=config |
392 | + |
393 | +dn: cn={1}cosine,cn=schema,cn=config |
394 | + |
395 | +dn: cn={2}nis,cn=schema,cn=config |
396 | + |
397 | +dn: cn={3}inetorgperson,cn=schema,cn=config |
398 | + |
399 | +dn: olcBackend={0}hdb,cn=config |
400 | + |
401 | +dn: olcDatabase={-1}frontend,cn=config |
402 | + |
403 | +dn: olcDatabase={0}config,cn=config |
404 | + |
405 | +dn: olcDatabase={1}hdb,cn=config |
406 | +</computeroutput> |
407 | +</screen> |
408 | + |
409 | + <para> |
410 | + Explanation of entries: |
411 | + </para> |
412 | + |
413 | + <itemizedlist> |
414 | + |
415 | + <listitem> |
416 | + <para> |
417 | + <emphasis>cn=config</emphasis>: global settings |
418 | + </para> |
419 | + </listitem> |
420 | + |
421 | + <listitem> |
422 | + <para> |
423 | + <emphasis>cn=module{0},cn=config</emphasis>: a dynamically loaded module |
424 | + </para> |
425 | + </listitem> |
426 | + |
427 | + <listitem> |
428 | + <para> |
429 | + <emphasis>cn=schema,cn=config</emphasis>: contains hard-coded system-level schema |
430 | + </para> |
431 | + </listitem> |
432 | + |
433 | + <listitem> |
434 | + <para> |
435 | + <emphasis>cn={0}core,cn=schema,cn=config</emphasis>: the hard-coded core schema |
436 | + </para> |
437 | + </listitem> |
438 | + |
439 | + <listitem> |
440 | + <para> |
441 | + <emphasis>cn={1}cosine,cn=schema,cn=config</emphasis>: the cosine schema |
442 | + </para> |
443 | + </listitem> |
444 | + |
445 | + <listitem> |
446 | + <para> |
447 | + <emphasis>cn={2}nis,cn=schema,cn=config</emphasis>: the nis schema |
448 | + </para> |
449 | + </listitem> |
450 | + |
451 | + <listitem> |
452 | + <para> |
453 | + <emphasis>cn={3}inetorgperson,cn=schema,cn=config</emphasis>: the inetorgperson schema |
454 | + </para> |
455 | + </listitem> |
456 | + |
457 | + <listitem> |
458 | + <para> |
459 | + <emphasis>olcBackend={0}hdb,cn=config</emphasis>: the 'hdb' backend storage type |
460 | + </para> |
461 | + </listitem> |
462 | + |
463 | + <listitem> |
464 | + <para> |
465 | + <emphasis>olcDatabase={-1}frontend,cn=config</emphasis>: frontend database, default settings for other databases |
466 | + </para> |
467 | + </listitem> |
468 | + |
469 | + <listitem> |
470 | + <para> |
471 | + <emphasis>olcDatabase={0}config,cn=config</emphasis>: slapd configuration database (cn=config) |
472 | + </para> |
473 | + </listitem> |
474 | + |
475 | + <listitem> |
476 | + <para> |
477 | + <emphasis>olcDatabase={1}hdb,cn=config</emphasis>: your database instance (dc=examle,dc=com) |
478 | + </para> |
479 | + </listitem> |
480 | + |
481 | + </itemizedlist> |
482 | + |
483 | + </listitem> |
484 | + |
485 | + <listitem> |
486 | + |
487 | + <para> |
488 | + This is what the dc=example,dc=com DIT looks like: |
489 | + </para> |
490 | + |
491 | +<screen> |
492 | +<command>ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn</command> |
493 | +<computeroutput> |
494 | dn: dc=example,dc=com |
495 | -objectClass: top |
496 | -objectClass: dcObject |
497 | -objectclass: organization |
498 | -o: Example Organization |
499 | -dc: Example |
500 | -description: LDAP Example |
501 | |
502 | -# Admin user. |
503 | dn: cn=admin,dc=example,dc=com |
504 | -objectClass: simpleSecurityObject |
505 | -objectClass: organizationalRole |
506 | -cn: admin |
507 | -description: LDAP administrator |
508 | -userPassword: secret |
509 | - |
510 | -dn: ou=people,dc=example,dc=com |
511 | -objectClass: organizationalUnit |
512 | -ou: people |
513 | - |
514 | -dn: ou=groups,dc=example,dc=com |
515 | -objectClass: organizationalUnit |
516 | -ou: groups |
517 | - |
518 | -dn: uid=john,ou=people,dc=example,dc=com |
519 | +</computeroutput> |
520 | +</screen> |
521 | + |
522 | + <para> |
523 | + Explanation of entries: |
524 | + </para> |
525 | + |
526 | + <itemizedlist> |
527 | + |
528 | + <listitem> |
529 | + <para> |
530 | + <emphasis>dc=example,dc=com</emphasis>: base of the DIT |
531 | + </para> |
532 | + </listitem> |
533 | + |
534 | + <listitem> |
535 | + <para> |
536 | + <emphasis>cn=admin,dc=example,dc=com</emphasis>: administrator (rootDN) for this DIT (set up during package install) |
537 | + </para> |
538 | + </listitem> |
539 | + |
540 | + </itemizedlist> |
541 | + |
542 | + </listitem> |
543 | + |
544 | + </itemizedlist> |
545 | + |
546 | + </sect2> |
547 | + |
548 | + <sect2 id="openldap-server-populate" status="review"> |
549 | + <title>Modifying/Populating your Database</title> |
550 | + |
551 | + <para> |
552 | + Let's introduce some content to our database. We will add the following: |
553 | + </para> |
554 | + |
555 | + <itemizedlist> |
556 | + |
557 | + <listitem> |
558 | + <para> |
559 | + a node called <emphasis>People</emphasis> (to store users) |
560 | + </para> |
561 | + </listitem> |
562 | + |
563 | + <listitem> |
564 | + <para> |
565 | + a node called <emphasis>Groups</emphasis> (to store groups) |
566 | + </para> |
567 | + </listitem> |
568 | + |
569 | + <listitem> |
570 | + <para> |
571 | + a group called <emphasis>miners</emphasis> |
572 | + </para> |
573 | + </listitem> |
574 | + |
575 | + <listitem> |
576 | + <para> |
577 | + a user called <emphasis>john</emphasis> |
578 | + </para> |
579 | + </listitem> |
580 | + |
581 | + </itemizedlist> |
582 | + |
583 | + <para> |
584 | + Create the following LDIF file and call it <filename>add_content.ldif</filename>: |
585 | + </para> |
586 | + |
587 | +<programlisting> |
588 | +dn: ou=People,dc=example,dc=com |
589 | +objectClass: organizationalUnit |
590 | +ou: People |
591 | + |
592 | +dn: ou=Groups,dc=example,dc=com |
593 | +objectClass: organizationalUnit |
594 | +ou: Groups |
595 | + |
596 | +dn: cn=miners,ou=Groups,dc=example,dc=com |
597 | +objectClass: posixGroup |
598 | +cn: miners |
599 | +gidNumber: 5000 |
600 | + |
601 | +dn: uid=john,ou=People,dc=example,dc=com |
602 | objectClass: inetOrgPerson |
603 | objectClass: posixAccount |
604 | objectClass: shadowAccount |
605 | @@ -205,173 +438,99 @@ |
606 | givenName: John |
607 | cn: John Doe |
608 | displayName: John Doe |
609 | -uidNumber: 1000 |
610 | -gidNumber: 10000 |
611 | -userPassword: password |
612 | +uidNumber: 10000 |
613 | +gidNumber: 5000 |
614 | +userPassword: johnldap |
615 | gecos: John Doe |
616 | loginShell: /bin/bash |
617 | homeDirectory: /home/john |
618 | -shadowExpire: -1 |
619 | -shadowFlag: 0 |
620 | -shadowWarning: 7 |
621 | -shadowMin: 8 |
622 | -shadowMax: 999999 |
623 | -shadowLastChange: 10877 |
624 | -mail: john.doe@example.com |
625 | -postalCode: 31000 |
626 | -l: Toulouse |
627 | -o: Example |
628 | -mobile: +33 (0)6 xx xx xx xx |
629 | -homePhone: +33 (0)5 xx xx xx xx |
630 | -title: System Administrator |
631 | -postalAddress: |
632 | -initials: JD |
633 | - |
634 | -dn: cn=example,ou=groups,dc=example,dc=com |
635 | -objectClass: posixGroup |
636 | -cn: example |
637 | -gidNumber: 10000 |
638 | </programlisting> |
639 | |
640 | - <para> |
641 | - In this example the directory structure, a user, and a |
642 | - group have been setup. In other examples you might see the |
643 | - <emphasis>objectClass: top</emphasis> added in every entry, but that is the |
644 | - default behaviour so you do not have to add it explicitly. |
645 | - </para> |
646 | - |
647 | - <para> |
648 | - Add the entries to the LDAP directory: |
649 | - </para> |
650 | - |
651 | - |
652 | + <note> |
653 | + <para> |
654 | + It's important that uid and gid values in your directory do not collide with local values. Use high number ranges. |
655 | + </para> |
656 | + </note> |
657 | + |
658 | + <para> |
659 | + Add the content: |
660 | + </para> |
661 | + |
662 | <screen> |
663 | -<command>sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif</command> |
664 | +<command>ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif</command> |
665 | +<computeroutput> |
666 | +Enter LDAP Password: <application>********</application> |
667 | +adding new entry "ou=People,dc=example,dc=com" |
668 | + |
669 | +adding new entry "ou=Groups,dc=example,dc=com" |
670 | + |
671 | +adding new entry "cn=miners,ou=Groups,dc=example,dc=com" |
672 | + |
673 | +adding new entry "uid=john,ou=People,dc=example,dc=com" |
674 | +</computeroutput> |
675 | </screen> |
676 | |
677 | <para> |
678 | - We can check that the content has been correctly added with the |
679 | - <application>ldapsearch</application> utility. Execute a search of the LDAP directory: |
680 | + We can check that the information has been correctly added with the <application>ldapsearch</application> utility: |
681 | </para> |
682 | |
683 | <screen> |
684 | -<command>ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn</command> |
685 | +<command>ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber</command> |
686 | <computeroutput> |
687 | -dn: uid=john,ou=people,dc=example,dc=com |
688 | +dn: uid=john,ou=People,dc=example,dc=com |
689 | cn: John Doe |
690 | -sn: Doe |
691 | -givenName: John |
692 | +gidNumber: 5000 |
693 | </computeroutput> |
694 | </screen> |
695 | |
696 | <para> |
697 | - Just a quick explanation: |
698 | + Explanation of switches: |
699 | </para> |
700 | |
701 | <itemizedlist> |
702 | - <listitem> |
703 | - <para> |
704 | - <emphasis>-x:</emphasis> will not use SASL authentication |
705 | - method, which is the default. |
706 | - </para> |
707 | - </listitem> |
708 | - <listitem> |
709 | - <para> |
710 | - <emphasis>-LLL:</emphasis> disable printing LDIF schema information. |
711 | - </para> |
712 | - </listitem> |
713 | + |
714 | + <listitem> |
715 | + <para> |
716 | + <emphasis>-x:</emphasis> "simple" binding; will not use the default SASL method |
717 | + </para> |
718 | + </listitem> |
719 | + |
720 | + <listitem> |
721 | + <para> |
722 | + <emphasis>-LLL:</emphasis> disable printing extraneous information |
723 | + </para> |
724 | + </listitem> |
725 | + |
726 | + <listitem> |
727 | + <para> |
728 | + <emphasis>uid=john:</emphasis> a "filter" to find the john user |
729 | + </para> |
730 | + </listitem> |
731 | + |
732 | + <listitem> |
733 | + <para> |
734 | + <emphasis>cn gidNumber:</emphasis> requests certain attributes to be displayed (the default is to show all attributes) |
735 | + </para> |
736 | + </listitem> |
737 | + |
738 | </itemizedlist> |
739 | |
740 | - </sect2> |
741 | - <sect2 id="openldap-configuration" status="review"> |
742 | - <title>Further Configuration</title> |
743 | - |
744 | - |
745 | - <para> |
746 | - The <emphasis>cn=config</emphasis> tree can be manipulated using the utilities in the |
747 | - <application>ldap-utils</application> package. For example: |
748 | - </para> |
749 | - |
750 | - <itemizedlist> |
751 | - <listitem> |
752 | - |
753 | - <para> |
754 | - Use <application>ldapsearch</application> to view the tree, entering the admin |
755 | - password set during installation or reconfiguration: |
756 | - </para> |
757 | - |
758 | -<screen> |
759 | -<command>sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn</command> |
760 | -</screen> |
761 | - |
762 | -<screen> |
763 | -<computeroutput> |
764 | -SASL/EXTERNAL authentication started |
765 | -SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
766 | -SASL SSF: 0 |
767 | -dn: cn=config |
768 | - |
769 | -dn: cn=module{0},cn=config |
770 | - |
771 | -dn: cn=schema,cn=config |
772 | - |
773 | -dn: cn={0}core,cn=schema,cn=config |
774 | - |
775 | -dn: cn={1}cosine,cn=schema,cn=config |
776 | - |
777 | -dn: cn={2}nis,cn=schema,cn=config |
778 | - |
779 | -dn: cn={3}inetorgperson,cn=schema,cn=config |
780 | - |
781 | -dn: olcDatabase={-1}frontend,cn=config |
782 | - |
783 | -dn: olcDatabase={0}config,cn=config |
784 | - |
785 | -dn: olcDatabase={1}hdb,cn=config |
786 | -</computeroutput> |
787 | -</screen> |
788 | - |
789 | - <para> |
790 | - The output above is the current configuration options for the <emphasis>cn=config</emphasis> |
791 | - backend database. Your output may be vary. |
792 | - </para> |
793 | - |
794 | - </listitem> |
795 | - <listitem> |
796 | - |
797 | - <para> |
798 | - As an example of modifying the <emphasis>cn=config</emphasis> tree, add another attribute |
799 | - to the index list using <application>ldapmodify</application>: |
800 | - </para> |
801 | - |
802 | -<screen> |
803 | -<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command> |
804 | -</screen> |
805 | - |
806 | -<screen> |
807 | -<computeroutput> |
808 | -SASL/EXTERNAL authentication started |
809 | -SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
810 | -SASL SSF: 0 |
811 | -<userinput>dn: olcDatabase={1}hdb,cn=config |
812 | -add: olcDbIndex |
813 | -olcDbIndex: uidNumber eq</userinput> |
814 | - |
815 | -modifying entry "olcDatabase={1}hdb,cn=config" |
816 | -</computeroutput> |
817 | -</screen> |
818 | - |
819 | - <para> |
820 | - Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to exit the utility. |
821 | - </para> |
822 | - |
823 | - </listitem> |
824 | - <listitem> |
825 | - |
826 | - <para> |
827 | - <application>ldapmodify</application> can also read the changes from a file. Copy and paste |
828 | - the following into a file named <filename>uid_index.ldif</filename>: |
829 | - </para> |
830 | + </sect2> |
831 | + |
832 | + <sect2 id="openldap-configuration" status="review"> |
833 | + <title>Modifying the slapd Configuration Database</title> |
834 | + |
835 | + <para> |
836 | + The slapd-config DIT can also be queried and modified. Here are a few examples. |
837 | + </para> |
838 | + |
839 | + <itemizedlist> |
840 | + |
841 | + <listitem> |
842 | + <para> |
843 | + Use <application>ldapmodify</application> to add an "Index" (DbIndex attribute) to your <application>{1}hdb,cn=config</application> |
844 | + database (dc=example,dc=com). Create a file, call it <filename>uid_index.ldif</filename>, with the following contents: |
845 | + </para> |
846 | |
847 | <programlisting> |
848 | dn: olcDatabase={1}hdb,cn=config |
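Review bot: two DocBook markup problems in this hunk: the masked password in the ldapadd output is wrapped in <application>********</application> and the database name in the index paragraph in <application>{1}hdb,cn=config</application>, but neither is an application name; use <userinput> for the typed password and <emphasis> for the DN, as the chapter does for DNs elsewhere. Also, the add_content.ldif sample stores john's password as the cleartext value "userPassword: johnldap", and that file remains on disk after the ldapadd; the text should tell the reader to replace the sample value and either generate a hashed value with slappasswd or set the password afterwards with ldappasswd instead of keeping a cleartext copy in the file. Minor: the index paragraph says "DbIndex attribute" while the LDIF uses olcDbIndex; name the attribute as it appears in the file.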
849 | @@ -379,44 +538,55 @@ |
850 | olcDbIndex: uid eq,pres,sub |
851 | </programlisting> |
852 | |
853 | - <para> |
854 | - Then execute <application>ldapmodify</application>: |
855 | - </para> |
856 | - |
857 | -<screen> |
858 | -<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif</command> |
859 | -</screen> |
860 | - |
861 | -<screen> |
862 | + <para> |
863 | + Then issue the command: |
864 | + </para> |
865 | + |
866 | +<screen> |
867 | +<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif</command> |
868 | <computeroutput> |
869 | -SASL/EXTERNAL authentication started |
870 | -SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
871 | -SASL SSF: 0 |
872 | modifying entry "olcDatabase={1}hdb,cn=config" |
873 | </computeroutput> |
874 | </screen> |
875 | |
876 | - <para> |
877 | - The file method is very useful for large changes. |
878 | - </para> |
879 | - |
880 | - </listitem> |
881 | - <listitem> |
882 | - |
883 | - <para> |
884 | - Adding additional <emphasis>schemas</emphasis> to <application>slapd</application> requires the |
885 | - schema to be converted to LDIF format. The <filename role="directory">/etc/ldap/schema</filename> |
886 | - directory contains some schema files already converted to LDIF format as demonstrated in the previous section. |
887 | - Fortunately, the <application>slapd</application> program can be used to automate the conversion. |
888 | - The following example will add the <emphasis>dyngroup.schema</emphasis>: |
889 | - </para> |
890 | - |
891 | - <procedure> |
892 | - <step> |
893 | - <para> |
894 | - First, create a conversion <filename>schema_convert.conf</filename> file containing the |
895 | - following lines: |
896 | - </para> |
897 | + <para> |
898 | + You can confirm the change in this way: |
899 | + </para> |
900 | + |
901 | +<screen> |
902 | +<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex</command> |
903 | +<computeroutput> |
904 | +dn: olcDatabase={1}hdb,cn=config |
905 | +olcDbIndex: objectClass eq |
906 | +olcDbIndex: uid eq,pres,sub |
907 | +</computeroutput> |
908 | +</screen> |
909 | + |
910 | + </listitem> |
911 | + |
912 | + <listitem> |
913 | + <para> |
914 | + Let's add a schema. It will first need to be converted to LDIF format. You can find unconverted |
915 | + schemas in addition to converted ones in the <filename role="directory">/etc/ldap/schema</filename> directory. |
916 | + </para> |
917 | + |
918 | + <note> |
919 | + <para> |
920 | + It is not trivial to remove a schema from the slapd-config database. Practice adding schemas on a test system. |
921 | + </para> |
922 | + </note> |
923 | + |
924 | + <para> |
925 | + In the following example we'll add the CORBA schema. |
926 | + </para> |
927 | + |
928 | + <procedure> |
929 | + |
930 | + <step> |
931 | + <para> |
932 | + Create the conversion configuration file <filename>schema_convert.conf</filename> containing the |
933 | + following lines: |
934 | + </para> |
935 | |
936 | <programlisting> |
937 | include /etc/ldap/schema/core.schema |
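Review bot: the -Q option added to every ldapmodify and ldapsearch invocation from here on is never explained, and a reader who still has the earlier commands without it will see the three SASL/EXTERNAL lines that this hunk removes from the sample output and wonder whether something is wrong. Add a sentence at its first use ("Then issue the command:") saying that -Q enables SASL quiet mode and suppresses those informational lines. The ldapsearch confirmation step is a welcome addition; its '(olcDatabase={1}hdb)' filter and the 'olcDbIndex: uid eq,pres,sub' output line let the reader verify the LDIF above was applied, which the old text never offered. The note that removing a schema from slapd-config is not trivial deserves its one-line reason (there is no ldapdelete path for a loaded schema entry), otherwise "practice on a test system" reads as unexplained caution.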
938 | @@ -431,136 +601,229 @@ |
939 | include /etc/ldap/schema/nis.schema |
940 | include /etc/ldap/schema/openldap.schema |
941 | include /etc/ldap/schema/ppolicy.schema |
942 | +include /etc/ldap/schema/ldapns.schema |
943 | +include /etc/ldap/schema/pmi.schema |
944 | </programlisting> |
945 | |
946 | - </step> |
947 | - <step> |
948 | - |
949 | - <para> |
950 | - Next, create a temporary directory to hold the output: |
951 | - </para> |
952 | - |
953 | -<screen> |
954 | -<command>mkdir /tmp/ldif_output</command> |
955 | -</screen> |
956 | - |
957 | - </step> |
958 | - <step> |
959 | - |
960 | - <para> |
961 | - Now using <application>slapcat</application> convert the schema files to LDIF: |
962 | - </para> |
963 | - |
964 | -<screen> |
965 | -<command>slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={5}dyngroup,cn=schema,cn=config" > /tmp/cn=dyngroup.ldif</command> |
966 | -</screen> |
967 | - |
968 | - <para> |
969 | - Adjust the configuration file name and temporary directory names if yours are different. |
970 | - It may be worthwhile to keep the <filename>ldif_output</filename> directory around |
971 | - in case you want to add additional schemas in the future. |
972 | - </para> |
973 | - |
974 | - <note> |
975 | - <para> |
976 | - The <emphasis>"cn={5}"</emphasis> index number may change according to the configuration |
977 | - ordering. To find out the correct number execute the following: |
978 | - </para> |
979 | -<screen> |
980 | -<command>slapcat -f schema_convert.conf -F /tmp/ldif_output -n 0 | grep dyngroup</command> |
981 | -</screen> |
982 | - <para> |
983 | - Replace <emphasis>dyngroup</emphasis> with the appropriate schema name. |
984 | - </para> |
985 | - </note> |
986 | - |
987 | - </step> |
988 | - <step> |
989 | - |
990 | - <para> |
991 | - Edit the <filename>/tmp/cn\=dyngroup.ldif</filename> file, changing the following attributes: |
992 | - </para> |
993 | + </step> |
994 | + |
995 | + <step> |
996 | + <para> |
997 | + Create the output directory <filename>ldif_output</filename>. |
998 | + </para> |
999 | + </step> |
1000 | + |
1001 | + <step> |
1002 | + <para> |
1003 | + Determine the index of the schema: |
1004 | + </para> |
1005 | + |
1006 | +<screen> |
1007 | +<command>slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema</command> |
1008 | +<computeroutput> |
1009 | +cn={1}corba,cn=schema,cn=config |
1010 | +</computeroutput> |
1011 | +</screen> |
1012 | + |
1013 | + <note> |
1014 | + <para> |
1015 | + When slapd injests objects with the same parent DN it will create an <emphasis>index</emphasis> for that object. |
1016 | + An index is contained within braces: <application>{X}</application>. |
1017 | + </para> |
1018 | + </note> |
1019 | + |
1020 | + </step> |
1021 | + |
1022 | + <step> |
1023 | + <para> |
1024 | + Use <application>slapcat</application> to perform the conversion: |
1025 | + </para> |
1026 | + |
1027 | +<screen> |
1028 | +<command>slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif</command> |
1029 | +</screen> |
1030 | + |
1031 | + <para> |
1032 | + The converted schema is now in <filename>cn=corba.ldif</filename> |
1033 | + </para> |
1034 | + </step> |
1035 | + |
1036 | + <step> |
1037 | + <para> |
1038 | + Edit <filename>cn=corba.ldif</filename> to arrive at the following attributes: |
1039 | + </para> |
1040 | |
1041 | <programlisting> |
1042 | -dn: cn=dyngroup,cn=schema,cn=config |
1043 | +dn: cn=corba,cn=schema,cn=config |
1044 | ... |
1045 | -cn: dyngroup |
1046 | +cn: corba |
1047 | </programlisting> |
1048 | |
1049 | - <para> |
1050 | - And remove the following lines from the bottom of the file: |
1051 | - </para> |
1052 | + <para> |
1053 | + Also remove the following lines from the bottom: |
1054 | + </para> |
1055 | |
1056 | <programlisting> |
1057 | structuralObjectClass: olcSchemaConfig |
1058 | -entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757 |
1059 | +entryUUID: 52109a02-66ab-1030-8be2-bbf166230478 |
1060 | creatorsName: cn=config |
1061 | -createTimestamp: 20080826021140Z |
1062 | -entryCSN: 20080826021140.791425Z#000000#000#000000 |
1063 | +createTimestamp: 20110829165435Z |
1064 | +entryCSN: 20110829165435.935248Z#000000#000#000000 |
1065 | modifiersName: cn=config |
1066 | -modifyTimestamp: 20080826021140Z |
1067 | -</programlisting> |
1068 | - |
1069 | - <note> |
1070 | - <para> |
1071 | - The attribute values will vary, just be sure the attributes are removed. |
1072 | - </para> |
1073 | - </note> |
1074 | - |
1075 | - </step> |
1076 | - <step> |
1077 | - |
1078 | - <para> |
1079 | - Finally, using the <application>ldapadd</application> utility, add the new schema to the |
1080 | - directory: |
1081 | - </para> |
1082 | - |
1083 | -<screen> |
1084 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=dyngroup.ldif</command> |
1085 | -</screen> |
1086 | - |
1087 | - </step> |
1088 | - </procedure> |
1089 | - |
1090 | - <para> |
1091 | - There should now be a <emphasis>dn: cn={4}dyngroup,cn=schema,cn=config</emphasis> entry in the cn=config tree. |
1092 | - </para> |
1093 | - |
1094 | - </listitem> |
1095 | - </itemizedlist> |
1096 | - |
1097 | - </sect2> |
1098 | - |
1099 | - <sect2 id="openldap-server-replication" status="review"> |
1100 | - <title>LDAP Replication</title> |
1101 | - |
1102 | - <para> |
1103 | - LDAP often quickly becomes a highly critical service to the network. Multiple systems |
1104 | - will come to depend on LDAP for authentication, authorization, configuration, etc. It is a good idea to |
1105 | - setup a redundant system through replication. |
1106 | +modifyTimestamp: 20110829165435Z |
1107 | +</programlisting> |
1108 | + |
1109 | + <para> |
1110 | + Your attribute values will vary. |
1111 | + </para> |
1112 | + </step> |
1113 | + |
1114 | + <step> |
1115 | + <para> |
1116 | + Finally, use <application>ldapadd</application> to add the new schema to the slapd-config DIT: |
1117 | + </para> |
1118 | + |
1119 | +<screen> |
1120 | +<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=corba.ldif</command> |
1121 | +<computeroutput> |
1122 | +adding new entry "cn=corba,cn=schema,cn=config" |
1123 | +</computeroutput> |
1124 | +</screen> |
1125 | + |
1126 | + </step> |
1127 | + |
1128 | + <step> |
1129 | + <para> |
1130 | + Confirm currently loaded schemas: |
1131 | + </para> |
1132 | + |
1133 | +<screen> |
1134 | +<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn</command> |
1135 | +<computeroutput> |
1136 | +dn: cn=schema,cn=config |
1137 | + |
1138 | +dn: cn={0}core,cn=schema,cn=config |
1139 | + |
1140 | +dn: cn={1}cosine,cn=schema,cn=config |
1141 | + |
1142 | +dn: cn={2}nis,cn=schema,cn=config |
1143 | + |
1144 | +dn: cn={3}inetorgperson,cn=schema,cn=config |
1145 | + |
1146 | +dn: cn={4}corba,cn=schema,cn=config |
1147 | +</computeroutput> |
1148 | +</screen> |
1149 | + |
1150 | + </step> |
1151 | + |
1152 | + </procedure> |
1153 | + |
1154 | + </listitem> |
1155 | + |
1156 | + </itemizedlist> |
1157 | + |
1158 | + <note> |
1159 | + <para> |
1160 | + For external applications and clients to authenticate using LDAP they will each need to be specifically |
1161 | + configured to do so. Refer to the appropriate client-side documentation for details. |
1162 | + </para> |
1163 | + </note> |
1164 | + |
1165 | + </sect2> |
1166 | + |
1167 | + <sect2 id="openldap-server-logging" status="review"> |
1168 | + <title>Logging</title> |
1169 | + |
1170 | + <para> |
1171 | + Activity logging for slapd is indispensible when implementing an OpenLDAP-based solution yet it must be manually enabled after |
1172 | + software installation. Otherwise, only rudimentary messages will appear in the logs. Logging, like any other slapd configuration, |
1173 | + is enabled via the slapd-config database. |
1174 | + </para> |
1175 | + |
1176 | + <para> |
1177 | + OpenLDAP comes with multiple logging subsystems (levels) with each one containing the lower one (additive). A good level to |
1178 | + try is <emphasis>stats</emphasis>. The <ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html">slapd-config</ulink> |
1179 | + man page has more to say on the different subsystems. |
1180 | + </para> |
1181 | + |
1182 | + <para> |
1183 | + Create the file <filename>logging.ldif</filename> with the following contents: |
1184 | + </para> |
1185 | + |
1186 | +<programlisting> |
1187 | +dn: cn=config |
1188 | +changetype: modify |
1189 | +add: olcLogLevel |
1190 | +olcLogLevel: stats |
1191 | +</programlisting> |
1192 | + |
1193 | + <para> |
1194 | + Implement the change: |
1195 | + </para> |
1196 | + |
1197 | +<screen> |
1198 | +<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif</command> |
1199 | +</screen> |
1200 | + |
1201 | + <para> |
1202 | + This will produce a significant amount of logging and you will want to throttle back to a less verbose level once your system |
1203 | + is in production. While in this verbose mode your host's syslog engine (rsyslog) may have a hard time keeping up and may drop |
1204 | + messages: |
1205 | + </para> |
1206 | + |
1207 | +<programlisting> |
1208 | +rsyslogd-2177: imuxsock lost 228 messages from pid 2547 due to rate-limiting |
1209 | +</programlisting> |
1210 | + |
1211 | + <para> |
1212 | + You may consider a change to rsyslog's configuration. In <filename>/etc/rsyslog.conf</filename>, put: |
1213 | + </para> |
1214 | + |
1215 | +<programlisting> |
1216 | +# Disable rate limiting (default is 200 messages in 5 seconds; below we make the 5 become 0) |
1217 | +$SystemLogRateLimitInterval 0 |
1218 | +</programlisting> |
1219 | + |
1220 | + <para> |
1221 | + And then restart the rsyslog daemon: |
1222 | + </para> |
1223 | + |
1224 | +<screen> |
1225 | +<command>sudo service rsyslog restart</command> |
1226 | +</screen> |
1227 | + |
1228 | + </sect2> |
1229 | + |
1230 | + <sect2 id="openldap-server-replication" status="review"> |
1231 | + <title>Replication</title> |
1232 | + |
1233 | + <para> |
1234 | + The LDAP service becomes increasingly important as more networked systems begin to depend on it. In such an environment, |
1235 | + it is standard practice to build redundancy (high availability) into LDAP to prevent havoc should the LDAP server become |
1236 | + unresponsive. This is done through <emphasis>LDAP replication</emphasis>. |
1237 | </para> |
1238 | |
1239 | <para> |
1240 | - Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. Syncrepl allows the |
1241 | - changes to be synced using a <emphasis>consumer</emphasis>, <emphasis>provider</emphasis> model. |
1242 | - A provider sends directory changes to consumers. |
1243 | - </para> |
1244 | - |
1245 | - <sect3 id="openldap-provider-configuration" status="review"> |
1246 | - <title>Provider Configuration</title> |
1247 | - |
1248 | - <para> |
1249 | - The following is an example of a <emphasis>Single-Master</emphasis> configuration. In this configuration one |
1250 | - OpenLDAP server is configured as a <emphasis>provider</emphasis> and another as a <emphasis>consumer</emphasis>. |
1251 | - </para> |
1252 | + Replication is achieved via the <emphasis>Syncrepl</emphasis> engine. This allows changes to be synchronized using a |
1253 | + <emphasis>Consumer</emphasis> - <emphasis>Provider</emphasis> model. The specific kind of replication we will implement |
1254 | + in this guide is a combination of the following modes: <emphasis>refreshAndPersist</emphasis> and <emphasis>delta-syncrepl</emphasis>. |
1255 | + This has the Provider push changed entries to the Consumer as soon as they're made but, in addition, only actual changes will |
1256 | + be sent, not entire entries. |
1257 | + </para> |
1258 | + |
1259 | + <sect3 id="openldap-provider-configuration" status="review"> |
1260 | + <title>Provider Configuration</title> |
1261 | + |
1262 | + <para> |
1263 | + Begin by configuring the <emphasis>Provider</emphasis>. |
1264 | + </para> |
1265 | |
1266 | <procedure> |
1267 | - <step> |
1268 | - |
1269 | - <para> |
1270 | - First, configure the provider server. Copy the following to a |
1271 | - file named <filename>provider_sync.ldif</filename>: |
1272 | - </para> |
1273 | + |
1274 | + <step> |
1275 | + <para> |
1276 | + Create an LDIF file with the following contents and name it <filename>provider_sync.ldif</filename>: |
1277 | + </para> |
1278 | |
1279 | <programlisting> |
1280 | # Add indexes to the frontend db. |
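Review bot: in logging.ldif, 'add: olcLogLevel' appends a second value if cn=config already carries one (a packaged install may set olcLogLevel: none), so 'replace: olcLogLevel' followed by 'olcLogLevel: stats' is the safer directive, and it is also the operation the reader will need when "throttling back to a less verbose level" as the following paragraph advises; consider showing that throttle-back LDIF too, since the section currently only shows how to turn verbose logging on. The sentence "multiple logging subsystems (levels) with each one containing the lower one (additive)" is inaccurate: slapd's log levels are independent subsystems (bit flags) that are ORed together when several are listed, and "additive" in slapd-config(5) means they combine, not that stats includes everything beneath it; "several subsystems can be enabled at once" is the correct wording. In the schema procedure, "injests" should be "ingests", and that note uses "index" for the {X} positional prefix while the previous list item used "Index" for olcDbIndex; calling the {X} an "ordering index" avoids the collision. The step "Create the output directory ldif_output." dropped the mkdir command the old text had; keep 'mkdir ldif_output' so the copy-and-paste flow is unbroken. The two slapcat commands spell the same option as '-n 0' and '-n0'; pick one. Finally, the reader may be puzzled that grep reports cn={1}corba but the confirmation at the end shows cn={4}corba; one sentence that {1} reflects the position in schema_convert.conf while the live DIT assigns the next free slot after the four schemas already loaded would pre-empt that.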
1281 | @@ -621,175 +884,83 @@ |
1282 | olcAccessLogPurge: 07+00:00 01+00:00 |
1283 | </programlisting> |
1284 | |
1285 | - </step> |
1286 | - <step> |
1287 | - |
1288 | - <para> |
1289 | - The <application>AppArmor</application> profile for <application>slapd</application> will need to be adjusted for the |
1290 | - accesslog database location. Edit <filename>/etc/apparmor.d/usr.sbin.slapd</filename> adding: |
1291 | - </para> |
1292 | + <para> |
1293 | + Change the rootDN in the LDIF file to match the one you have for your directory. |
1294 | + </para> |
1295 | + |
1296 | + </step> |
1297 | + |
1298 | + <step> |
1299 | + <para> |
1300 | + The <application>apparmor</application> profile for slapd will need to be adjusted for the |
1301 | + accesslog database location. Edit <filename>/etc/apparmor.d/local/usr.sbin.slapd</filename> by |
1302 | + adding the following: |
1303 | + </para> |
1304 | |
1305 | <programlisting> |
1306 | - /var/lib/ldap/accesslog/ r, |
1307 | - /var/lib/ldap/accesslog/** rwk, |
1308 | +/var/lib/ldap/accesslog/ r, |
1309 | +/var/lib/ldap/accesslog/** rwk, |
1310 | </programlisting> |
1311 | |
1312 | - <para> |
1313 | - Then create the directory, reload the <application>apparmor</application> profile, and copy |
1314 | - the <filename>DB_CONFIG</filename> file: |
1315 | - </para> |
1316 | + <para> |
1317 | + Create a directory, set up a databse config file, and reload the apparmor profile: |
1318 | + </para> |
1319 | |
1320 | <screen> |
1321 | <command>sudo -u openldap mkdir /var/lib/ldap/accesslog</command> |
1322 | -<command>sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/</command> |
1323 | -<command>sudo /etc/init.d/apparmor reload</command> |
1324 | -</screen> |
1325 | - |
1326 | - <note> |
1327 | - <para> |
1328 | - Using the <emphasis>-u openldap</emphasis> option with the <application>sudo</application> commands above |
1329 | - removes the need to adjust permissions for the new directory later. |
1330 | - </para> |
1331 | - </note> |
1332 | - |
1333 | - </step> |
1334 | - <step> |
1335 | - |
1336 | - <para> |
1337 | - Edit the file and change the <emphasis>olcRootDN</emphasis> to match your directory: |
1338 | - </para> |
1339 | - |
1340 | -<programlisting> |
1341 | -olcRootDN: cn=admin,dc=example,dc=com |
1342 | -</programlisting> |
1343 | - |
1344 | - </step> |
1345 | - <step> |
1346 | - |
1347 | - |
1348 | - <para> |
1349 | - Next, add the LDIF file using the <application>ldapadd</application> utility: |
1350 | - </para> |
1351 | - |
1352 | -<screen> |
1353 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command> |
1354 | -</screen> |
1355 | - |
1356 | - </step> |
1357 | - <step> |
1358 | - |
1359 | - |
1360 | - <para> |
1361 | - Restart <application>slapd</application>: |
1362 | - </para> |
1363 | - |
1364 | -<screen> |
1365 | -<command>sudo /etc/init.d/slapd restart</command> |
1366 | -</screen> |
1367 | - |
1368 | - </step> |
1369 | +<command>sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog</command> |
1370 | +<command>sudo service apparmor reload</command> |
1371 | +</screen> |
1372 | + |
1373 | + </step> |
1374 | + |
1375 | + <step> |
1376 | + <para> |
1377 | + Add the new content and, due to the apparmor change, restart the daemon: |
1378 | + </para> |
1379 | + |
1380 | +<screen> |
1381 | +<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command> |
1382 | +<command>sudo service slapd restart</command> |
1383 | +</screen> |
1384 | + |
1385 | + </step> |
1386 | + |
1387 | </procedure> |
1388 | |
1389 | <para> |
1390 | - The <emphasis>Provider</emphasis> server is now configured, and it is time to configure a <emphasis>Consumer</emphasis> |
1391 | - server. |
1392 | + The Provider is now configured. |
1393 | </para> |
1394 | |
1395 | - </sect3> |
1396 | - <sect3 id="openldap-consumer-configuration" status="review"> |
1397 | - <title>Consumer Configuration</title> |
1398 | + </sect3> |
1399 | + |
1400 | + <sect3 id="openldap-consumer-configuration" status="review"> |
1401 | + <title>Consumer Configuration</title> |
1402 | + |
1403 | + <para> |
1404 | + And now configure the <emphasis>Consumer</emphasis>. |
1405 | + </para> |
1406 | |
1407 | <procedure> |
1408 | - <step> |
1409 | - |
1410 | - <para> |
1411 | - On the <emphasis>Consumer</emphasis> server configure it the same as the <emphasis>Provider</emphasis> except for the |
1412 | - <emphasis>Syncrepl</emphasis> configuration steps. |
1413 | - </para> |
1414 | - |
1415 | - <para> |
1416 | - Add the additional schema files: |
1417 | - </para> |
1418 | - |
1419 | -<screen> |
1420 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif</command> |
1421 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif</command> |
1422 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif</command> |
1423 | -</screen> |
1424 | - |
1425 | - <para> |
1426 | - Also, create, or copy from the provider server, the <filename>backend.example.com.ldif</filename> |
1427 | - </para> |
1428 | - |
1429 | -<programlisting> |
1430 | -# Load dynamic backend modules |
1431 | -dn: cn=module,cn=config |
1432 | -objectClass: olcModuleList |
1433 | -cn: module |
1434 | -olcModulepath: /usr/lib/ldap |
1435 | -olcModuleload: back_hdb.la |
1436 | - |
1437 | -# Database settings |
1438 | -dn: olcDatabase=hdb,cn=config |
1439 | -objectClass: olcDatabaseConfig |
1440 | -objectClass: olcHdbConfig |
1441 | -olcDatabase: {1}hdb |
1442 | -olcSuffix: dc=example,dc=com |
1443 | -olcDbDirectory: /var/lib/ldap |
1444 | -olcRootDN: cn=admin,dc=example,dc=com |
1445 | -olcRootPW: secret |
1446 | -olcDbConfig: set_cachesize 0 2097152 0 |
1447 | -olcDbConfig: set_lk_max_objects 1500 |
1448 | -olcDbConfig: set_lk_max_locks 1500 |
1449 | -olcDbConfig: set_lk_max_lockers 1500 |
1450 | -olcDbIndex: objectClass eq |
1451 | -olcLastMod: TRUE |
1452 | -olcDbCheckpoint: 512 30 |
1453 | -olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none |
1454 | -olcAccess: to attrs=shadowLastChange by self write by * read |
1455 | -olcAccess: to dn.base="" by * read |
1456 | -olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read |
1457 | -</programlisting> |
1458 | - |
1459 | - <para> |
1460 | - And add the LDIF by entering: |
1461 | - </para> |
1462 | - |
1463 | -<screen> |
1464 | -<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif</command> |
1465 | -</screen> |
1466 | - |
1467 | - </step> |
1468 | - <step> |
1469 | - |
1470 | - <para> |
1471 | - Do the same with the <filename>frontend.example.com.ldif</filename> file listed above, and add it: |
1472 | - </para> |
1473 | - |
1474 | -<screen> |
1475 | -<command>sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif</command> |
1476 | -</screen> |
1477 | - |
1478 | - <para> |
1479 | - The two severs should now have the same configuration except for the <emphasis>Syncrepl</emphasis> |
1480 | - options. |
1481 | - </para> |
1482 | - |
1483 | - </step> |
1484 | - <step> |
1485 | - |
1486 | - <para> |
1487 | - Now create a file named <filename>consumer_sync.ldif</filename> containing: |
1488 | - </para> |
1489 | - |
1490 | -<programlisting> |
1491 | -#Load the syncprov module. |
1492 | + |
1493 | + <step> |
1494 | + <para> |
1495 | + Install the software by going through <xref linkend="openldap-server-installation"/>. Make sure the slapd-config |
1496 | + databse is identical to the Provider's. In particular, make sure schemas and the databse suffix are the same. |
1497 | + </para> |
1498 | + </step> |
1499 | + |
1500 | + <step> |
1501 | + <para> |
1502 | + Create an LDIF file with the following contents and name it <filename>consumer_sync.ldif</filename>: |
1503 | + </para> |
1504 | + |
1505 | +<programlisting> |
1506 | dn: cn=module{0},cn=config |
1507 | changetype: modify |
1508 | add: olcModuleLoad |
1509 | olcModuleLoad: syncprov |
1510 | |
1511 | -# syncrepl specific indices |
1512 | dn: olcDatabase={1}hdb,cn=config |
1513 | changetype: modify |
1514 | add: olcDbIndex |
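Review bot: "databse" is misspelled in the provider text ("set up a databse config file") and twice in the consumer step ("slapd-config databse", "databse suffix"). On substance, "Make sure the slapd-config database is identical to the Provider's" is hard to act on now that the old steps that loaded cosine, nis and inetorgperson on the consumer are gone and the reader is sent to the installation section instead; point at the 'ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn' command from the schema section as the concrete way to compare loaded schemas on both hosts, and say which other settings (suffix, indexes) must match rather than "identical". Moving the AppArmor additions to /etc/apparmor.d/local/usr.sbin.slapd is the right call (local overrides survive package upgrades) and is worth a half-sentence of justification. Minor: the '#Load the syncprov module.' and '# syncrepl specific indices' comments were stripped from consumer_sync.ldif while the provider LDIF keeps its '# Add indexes to the frontend db.' comment; keep them for consistency, since they tell the reader what each stanza does.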
1515 | @@ -805,130 +976,281 @@ |
1516 | olcUpdateRef: ldap://ldap01.example.com |
1517 | </programlisting> |
1518 | |
1519 | - <para> |
1520 | - You will probably want to change the following attributes: |
1521 | - </para> |
1522 | - |
1523 | - <itemizedlist> |
1524 | - <listitem><para><emphasis>ldap01.example.com</emphasis> to your server's hostname.</para></listitem> |
1525 | - <listitem><para><emphasis>binddn</emphasis></para></listitem> |
1526 | - <listitem><para><emphasis>credentials</emphasis></para></listitem> |
1527 | - <listitem><para><emphasis>searchbase</emphasis></para></listitem> |
1528 | - <listitem><para><emphasis>olcUpdateRef:</emphasis></para></listitem> |
1529 | - </itemizedlist> |
1530 | - |
1531 | - </step> |
1532 | - <step> |
1533 | - |
1534 | - <para> |
1535 | - Add the LDIF file to the configuration tree: |
1536 | - </para> |
1537 | + <para> |
1538 | + Ensure the following attributes have the correct values: |
1539 | + </para> |
1540 | + |
1541 | + <itemizedlist> |
1542 | + <listitem><para><emphasis>ldap01.example.com</emphasis> (Provider server's hostname or IP address)</para></listitem> |
1543 | + <listitem><para><emphasis>binddn</emphasis> (the admin DN you're using)</para></listitem> |
1544 | + <listitem><para><emphasis>credentials</emphasis> (the admin DN password you're using)</para></listitem> |
1545 | + <listitem><para><emphasis>searchbase</emphasis> (the database suffix you're using)</para></listitem> |
1546 | + <listitem><para><emphasis>olcUpdateRef:</emphasis> (Provider server's hostname or IP address)</para></listitem> |
1547 | + </itemizedlist> |
1548 | + |
1549 | + </step> |
1550 | + |
1551 | + <step> |
1552 | + |
1553 | + <para> |
1554 | + Add the new content: |
1555 | + </para> |
1556 | |
1557 | <screen> |
1558 | -<command>sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif</command> |
1559 | +<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif</command> |
1560 | </screen> |
1561 | |
1562 | - </step> |
1563 | + </step> |
1564 | + |
1565 | </procedure> |
1566 | |
1567 | <para> |
1568 | - The frontend database should now sync between servers. You can add additional servers using the |
1569 | - steps above as the need arises. |
1570 | + You're done. The two databases (suffix: dc=example,dc=com) should now be synchronizing. |
1571 | </para> |
1572 | |
1573 | - <note> |
1574 | - <para> |
1575 | - The <application>slapd</application> daemon will send log information to <filename>/var/log/syslog</filename> |
1576 | - by default. So if all does <emphasis>not</emphasis> go well check there for errors and other troubleshooting information. |
1577 | - Also, be sure that each server knows it's Fully Qualified Domain Name (FQDN). This is configured in <filename>/etc/hosts</filename> |
1578 | - with a line similar to: <programlisting>127.0.0.1 ldap01.example.com ldap01</programlisting>. |
1579 | - </para> |
1580 | - </note> |
1581 | - |
1582 | - </sect3> |
1583 | - </sect2> |
1584 | - |
1585 | - <sect2 id="openldap-server-acl" status="review"> |
1586 | - <title>Setting up ACL</title> |
1587 | - |
1588 | - <para> |
1589 | - Authentication requires access to the password field, that should be not |
1590 | - accessible by default. Also, in order for users to change their own password, |
1591 | - using <command>passwd</command> or other utilities, <emphasis>shadowLastChange</emphasis> |
1592 | - needs to be accessible once a user has authenticated. |
1593 | - </para> |
1594 | + <para> |
1595 | + To test if it worked simply query, on the Consumer, the DNs in the database: |
1596 | + </para> |
1597 | + |
1598 | +<screen> |
1599 | +<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com dn</command> |
1600 | +</screen> |
1601 | + |
1602 | + <para> |
1603 | + You should see the user 'john' and the group 'miners' as well as the nodes 'People' and 'Groups'. |
1604 | + </para> |
1605 | + |
1606 | + </sect3> |
1607 | + |
1608 | + </sect2> |
1609 | + |
1610 | + <sect2 id="openldap-server-acl" status="review"> |
1611 | + <title>Access Control</title> |
1612 | + |
1613 | + <para> |
1614 | + The management of what type of access (read, write, etc) users should be granted to resources is known as |
1615 | + <emphasis>access control</emphasis>. The configuration directives involved are called <emphasis>access control lists</emphasis> or ACL. |
1616 | + </para> |
1617 | + |
1618 | + <para> |
1619 | + When we installed the slapd package various ACL were set up automatically. We will look at a few important consequences of those |
1620 | + defaults and, in so doing, we'll get an idea of how ACLs work and how they're configured. |
1621 | + </para> |
1622 | + |
1623 | + <para> |
1624 | + To get the effective ACL for an LDAP query we need to look at the ACL entries of the database being queried as well as those of the |
1625 | + special frontend database instance. The ACLs belonging to the latter act as defaults in case those of the former do not match. The |
1626 | + frontend database is the second to be consulted and the ACL to be applied is the first to match ("first match wins") among these 2 |
1627 | + ACL sources. The following commands will give, respectively, the ACLs of the hdb database ("dc=example,dc=com") and those of the |
1628 | + frontend database: |
1629 | + </para> |
1630 | + |
1631 | +<screen> |
1632 | +<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess</command> |
1633 | +<computeroutput> |
1634 | +dn: olcDatabase={1}hdb,cn=config |
1635 | +olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none |
1636 | +olcAccess: {1}to dn.base="" by * read |
1637 | +olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * |
1638 | + read |
1639 | +</computeroutput> |
1640 | +</screen> |
1641 | + |
1642 | + <note> |
1643 | + <para> |
1644 | + The rootDN always has full rights to it's database. Including it in an ACL does provide an explicit configuration but it also causes |
1645 | + slapd to incure a performance penalty. |
1646 | + </para> |
1647 | + </note> |
1648 | + |
1649 | +<screen> |
1650 | +<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={-1}frontend)' olcAccess</command> |
1651 | +<computeroutput> |
1652 | +dn: olcDatabase={-1}frontend,cn=config |
1653 | +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break |
1654 | +olcAccess: {1}to dn.exact="" by * read |
1655 | +olcAccess: {2}to dn.base="cn=Subschema" by * read |
1656 | +</computeroutput> |
1657 | +</screen> |
1658 | + |
1659 | + <para> |
1660 | + The very first ACL is crucial: |
1661 | + </para> |
1662 | + |
1663 | +<programlisting> |
1664 | +olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none |
1665 | +</programlisting> |
1666 | + |
1667 | + <para> |
1668 | + This can be represented differently for easier digestion: |
1669 | + </para> |
1670 | + |
1671 | +<programlisting> |
1672 | +to attrs=userPassword |
1673 | + by self write |
1674 | + by anonymous auth |
1675 | + by dn="cn=admin,dc=example,dc=com" write |
1676 | + by * none |
1677 | + |
1678 | +to attrs=shadowLastChange |
1679 | + by self write |
1680 | + by anonymous auth |
1681 | + by dn="cn=admin,dc=example,dc=com" write |
1682 | + by * none |
1683 | +</programlisting> |
1684 | + |
1685 | + <para> |
1686 | + This compound ACL (there are 2) enforces the following: |
1687 | + </para> |
1688 | + |
1689 | + <itemizedlist> |
1690 | + |
1691 | + <listitem> |
1692 | + <para> |
1693 | + Anonymous 'auth' access is provided to the <emphasis>userPassword</emphasis> attribute for the initial connection to |
1694 | + occur. Perhaps counter-intuitively, 'by anonymous auth' is needed even when anonymous access to the DIT is |
1695 | + unwanted. Once the remote end is connected, howerver, authentication can occur (see next point). |
1696 | + </para> |
1697 | + </listitem> |
1698 | + |
1699 | + <listitem> |
1700 | + <para> |
1701 | + Authentication can happen because all users have 'read' (due to 'by self write') access to the <emphasis>userPassword</emphasis> attribute. |
1702 | + </para> |
1703 | + </listitem> |
1704 | + |
1705 | + <listitem> |
1706 | + <para> |
1707 | + The <emphasis>userPassword</emphasis> attribute is otherwise unaccessible by all other users, with the exception of the rootDN, who |
1708 | + has complete access to it. |
1709 | + </para> |
1710 | + </listitem> |
1711 | + |
1712 | + <listitem> |
1713 | + <para> |
1714 | + In order for users to change their own password, using <command>passwd</command> or other utilities, the |
1715 | + <emphasis>shadowLastChange</emphasis> attribute needs to be accessible once a user has authenticated. |
1716 | + </para> |
1717 | + </listitem> |
1718 | + |
1719 | + </itemizedlist> |
1720 | + |
1721 | + <para> |
1722 | + This DIT can be searched anonymously because of 'by * read' in this ACL: |
1723 | + </para> |
1724 | + |
1725 | +<programlisting> |
1726 | +to * |
1727 | + by self write |
1728 | + by dn="cn=admin,dc=example,dc=com" write |
1729 | + by * read |
1730 | +</programlisting> |
1731 | + |
1732 | + <para> |
1733 | + If this is unwanted then you need to change the ACLs. To force authentication during a bind request you can alternatively (or |
1734 | + in combination with the modified ACL) use the 'olcRequire: authc' directive. |
1735 | + </para> |
1736 | + |
1737 | + <para> |
1738 | + As previously mentioned, there is no administrative account created for the slapd-config database. There is, however, a SASL |
1739 | + identity that is granted full access to it. It represents the localhost's superuser (root/sudo). Here it is: |
1740 | + </para> |
1741 | + |
1742 | +<programlisting> |
1743 | +dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
1744 | +</programlisting> |
1745 | |
1746 | <para> |
1747 | - To view the Access Control List (ACL) for the <emphasis>cn=config</emphasis> tree, use the |
1748 | - <application>ldapsearch</application> utility: |
1749 | + The following command will display the ACLs of the slapd-config database: |
1750 | </para> |
1751 | |
1752 | <screen> |
1753 | -<command>sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase=config olcAccess</command> |
1754 | -</screen> |
1755 | - |
1756 | -<screen> |
1757 | -<computeroutput>SASL/EXTERNAL authentication started |
1758 | -SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
1759 | -SASL SSF: 0 |
1760 | +<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={0}config)' olcAccess</command> |
1761 | +<computeroutput> |
1762 | dn: olcDatabase={0}config,cn=config |
1763 | -olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external |
1764 | - ,cn=auth manage by * break |
1765 | +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break |
1766 | </computeroutput> |
1767 | </screen> |
1768 | |
1769 | - <para> |
1770 | - To see the ACL for the frontend tree enter: |
1771 | - </para> |
1772 | - |
1773 | -<screen> |
1774 | -<command>sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase={1}hdb olcAccess</command> |
1775 | -</screen> |
1776 | - |
1777 | - </sect2> |
1778 | - |
1779 | - <sect2 id="openldap-tls" status="review"> |
1780 | - <title>TLS and SSL</title> |
1781 | - |
1782 | - <para> |
1783 | - When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport |
1784 | - Layer Security (TLS) and/or Secure Sockets Layer (SSL). |
1785 | - </para> |
1786 | - |
1787 | - <para> |
1788 | - The first step in the process is to obtain or create a <emphasis>certificate</emphasis>. Because <application>slapd</application> |
1789 | - is compiled using the <application>gnutls</application> library, the <application>certtool</application> utility will be |
1790 | - used to create certificates. |
1791 | - </para> |
1792 | + <para> |
1793 | + Since this is a SASL identity we need to use a SASL <emphasis>mechanism</emphasis> when invoking the LDAP utility in question and |
1794 | + and we have seen it plenty of times in this guide. It is the EXTERNAL mechanism. See the previous command for an example. Note that: |
1795 | + </para> |
1796 | |
1797 | - <procedure> |
1798 | - <step> |
1799 | - |
1800 | - <para> |
1801 | - First, install <application>gnutls-bin</application> by entering the following in a terminal: |
1802 | - </para> |
1803 | - |
1804 | -<screen> |
1805 | -<command>sudo apt-get install gnutls-bin</command> |
1806 | -</screen> |
1807 | - |
1808 | - </step> |
1809 | - <step> |
1810 | - |
1811 | - <para> |
1812 | - Next, create a private key for the <emphasis>Certificate Authority</emphasis> (CA): |
1813 | - </para> |
1814 | + <procedure> |
1815 | + |
1816 | + <step> |
1817 | + <para> |
1818 | + You must use <emphasis>sudo</emphasis> to become the root identity in order for the ACL to match. |
1819 | + </para> |
1820 | + </step> |
1821 | + |
1822 | + <step> |
1823 | + <para> |
1824 | + The EXTERNAL mechanism works via <emphasis>IPC</emphasis> (UNIX domain sockets). This means you must use the <emphasis>ldapi</emphasis> |
1825 | + URI format. |
1826 | + </para> |
1827 | + </step> |
1828 | + |
1829 | + </procedure> |
1830 | + |
1831 | + <para> |
1832 | + A succinct way to get all the ACLs is like this: |
1833 | + </para> |
1834 | + |
1835 | +<screen> |
1836 | +<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess olcSuffix</command> |
1837 | +</screen> |
1838 | + |
1839 | + <para> |
1840 | + There is much to say on the topic of access control. See the man page for |
1841 | + <ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html">slapd.access</ulink>. |
1842 | + </para> |
1843 | + |
1844 | + </sect2> |
1845 | + |
1846 | + <sect2 id="openldap-tls" status="review"> |
1847 | + <title>TLS</title> |
1848 | + |
1849 | + <para> |
1850 | + When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport |
1851 | + Layer Security (TLS). |
1852 | + </para> |
1853 | + |
1854 | + <para> |
1855 | + Here, we will be our own <emphasis>Certificate Authority</emphasis> and then create and sign our LDAP server certificate as that CA. |
1856 | + Since <application>slapd</application> is compiled using the <application>gnutls</application> library, we will use the |
1857 | + <application>certtool</application> utility to complete these tasks. |
1858 | + </para> |
1859 | + |
1860 | + <procedure> |
1861 | + |
1862 | + <step> |
1863 | + <para> |
1864 | + Install the <application>gnutls-bin</application> and <application>gnutls-bin</application> packages: |
1865 | + </para> |
1866 | + |
1867 | +<screen> |
1868 | +<command>sudo apt-get install gnutls-bin ssl-cert</command> |
1869 | +</screen> |
1870 | + |
1871 | + </step> |
1872 | + |
1873 | + <step> |
1874 | + <para> |
1875 | + Create a private key for the Certificate Authority: |
1876 | + </para> |
1877 | |
1878 | <screen> |
1879 | <command>sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"</command> |
1880 | </screen> |
1881 | |
1882 | - </step> |
1883 | - <step> |
1884 | + </step> |
1885 | |
1886 | - <para> |
1887 | - Create a <filename>/etc/ssl/ca.info</filename> details file to self-sign the CA certificate containing: |
1888 | - </para> |
1889 | + <step> |
1890 | + <para> |
1891 | + Create the template/file <filename>/etc/ssl/ca.info</filename> to define the CA: |
1892 | + </para> |
1893 | |
1894 | <programlisting> |
1895 | cn = Example Company |
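Review bot: the install step reads "Install the gnutls-bin and gnutls-bin packages" but the command beneath it installs `gnutls-bin ssl-cert`; the second package name should be ssl-cert. The second list item under "This compound ACL (there are 2) enforces the following" is also misleading: the bind itself is permitted by 'by anonymous auth', whereas 'by self write' is what lets an already-authenticated user read and change their own userPassword, so consider rewording it along those lines. Spelling: "howerver" (Once the remote end is connected), "unaccessible" (should be inaccessible), and "in question and and we have seen it" has a doubled "and".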
1896 | @@ -936,42 +1258,46 @@ |
1897 | cert_signing_key |
1898 | </programlisting> |
1899 | |
1900 | - </step> |
1901 | - <step> |
1902 | - |
1903 | - <para> |
1904 | - Now create the self-signed CA certificate: |
1905 | - </para> |
1906 | - |
1907 | -<screen> |
1908 | -<command>sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \ |
1909 | - --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem</command> |
1910 | -</screen> |
1911 | - |
1912 | - </step> |
1913 | - <step> |
1914 | - |
1915 | - <para> |
1916 | - Make a private key for the server: |
1917 | - </para> |
1918 | - |
1919 | -<screen> |
1920 | -<command>sudo sh -c "certtool --generate-privkey > /etc/ssl/private/ldap01_slapd_key.pem"</command> |
1921 | -</screen> |
1922 | - |
1923 | - <note> |
1924 | - <para> |
1925 | - Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and key for the host |
1926 | - and service that will be using them will help keep filenames and paths straight. |
1927 | - </para> |
1928 | - </note> |
1929 | - |
1930 | - </step> |
1931 | - <step> |
1932 | - |
1933 | - <para> |
1934 | - To sign the server's certificate with the CA, create the <filename>/etc/ssl/ldap01.info</filename> info file containing: |
1935 | - </para> |
1936 | + </step> |
1937 | + |
1938 | + <step> |
1939 | + <para> |
1940 | + Create the self-signed CA certificate: |
1941 | + </para> |
1942 | + |
1943 | +<screen> |
1944 | +<command>sudo certtool --generate-self-signed \ |
1945 | +--load-privkey /etc/ssl/private/cakey.pem \ |
1946 | +--template /etc/ssl/ca.info \ |
1947 | +--outfile /etc/ssl/certs/cacert.pem</command> |
1948 | +</screen> |
1949 | + |
1950 | + </step> |
1951 | + |
1952 | + <step> |
1953 | + <para> |
1954 | + Make a private key for the server: |
1955 | + </para> |
1956 | + |
1957 | +<screen> |
1958 | +<command>sudo certtool --generate-privkey \ |
1959 | +--bits 1024 \ |
1960 | +--outfile /etc/ssl/private/ldap01_slapd_key.pem</command> |
1961 | +</screen> |
1962 | + |
1963 | + <note> |
1964 | + <para> |
1965 | + Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and |
1966 | + key for the host and service that will be using them will help keep things clear. |
1967 | + </para> |
1968 | + </note> |
1969 | + |
1970 | + </step> |
1971 | + |
1972 | + <step> |
1973 | + <para> |
1974 | + Create the <filename>/etc/ssl/ldap01.info</filename> info file containing: |
1975 | + </para> |
1976 | |
1977 | <programlisting> |
1978 | organization = Example Company |
1979 | @@ -979,36 +1305,38 @@ |
1980 | tls_www_server |
1981 | encryption_key |
1982 | signing_key |
1983 | +expiration_days = 3650 |
1984 | </programlisting> |
1985 | |
1986 | - </step> |
1987 | - <step> |
1988 | - |
1989 | - <para> |
1990 | - Create the server's certificate: |
1991 | - </para> |
1992 | - |
1993 | -<screen> |
1994 | -<command>sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \ |
1995 | - --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \ |
1996 | - --template /etc/ssl/ldap01.info --outfile /etc/ssl/certs/ldap01_slapd_cert.pem</command> |
1997 | -</screen> |
1998 | - |
1999 | - </step> |
2000 | - </procedure> |
2001 | - |
2002 | - <para> |
2003 | - Once you have a certificate, key, and CA cert installed, use <application>ldapmodify</application> to add the new |
2004 | - configuration options: |
2005 | - </para> |
2006 | - |
2007 | -<screen> |
2008 | -<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command> |
2009 | -</screen> |
2010 | - |
2011 | -<screen> |
2012 | -<computeroutput>Enter LDAP Password: |
2013 | -<userinput>dn: cn=config |
2014 | + <para> |
2015 | + The above certificate is good for 10 years. Adjust accordingly. |
2016 | + </para> |
2017 | + </step> |
2018 | + |
2019 | + <step> |
2020 | + <para> |
2021 | + Create the server's certificate: |
2022 | + </para> |
2023 | + |
2024 | +<screen> |
2025 | +<command>sudo certtool --generate-certificate \ |
2026 | +--load-privkey /etc/ssl/private/ldap01_slapd_key.pem \ |
2027 | +--load-ca-certificate /etc/ssl/certs/cacert.pem \ |
2028 | +--load-ca-privkey /etc/ssl/private/cakey.pem \ |
2029 | +--template /etc/ssl/ldap01.info \ |
2030 | +--outfile /etc/ssl/certs/ldap01_slapd_cert.pem</command> |
2031 | +</screen> |
2032 | + |
2033 | + </step> |
2034 | + |
2035 | + </procedure> |
2036 | + |
2037 | + <para> |
2038 | + Create the file <filename>certinfo.ldif</filename> with the following contents (adjust accordingly): |
2039 | + </para> |
2040 | + |
2041 | +<programlisting> |
2042 | +dn: cn=config |
2043 | add: olcTLSCACertificateFile |
2044 | olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem |
2045 | - |
2046 | @@ -1016,170 +1344,171 @@ |
2047 | olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem |
2048 | - |
2049 | add: olcTLSCertificateKeyFile |
2050 | -olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem</userinput> |
2051 | - |
2052 | -modifying entry "cn=config" |
2053 | -</computeroutput> |
2054 | +olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem |
2055 | +</programlisting> |
2056 | + |
2057 | + <para> |
2058 | + Use the <application>ldapmodify</application> command to tell slapd about our TLS work via the slapd-config database: |
2059 | + </para> |
2060 | + |
2061 | +<screen> |
2062 | +<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif</command> |
2063 | </screen> |
2064 | - |
2065 | - <note> |
2066 | - <para> |
2067 | - Adjust the <filename>ldap01_slapd_cert.pem</filename>, <filename>ldap01_slapd_key.pem</filename>, and |
2068 | - <filename>cacert.pem</filename> names if yours are different. |
2069 | - </para> |
2070 | - </note> |
2071 | - |
2072 | - <para> |
2073 | - Next, edit <filename>/etc/default/slapd</filename> uncomment the <emphasis>SLAPD_SERVICES</emphasis> option: |
2074 | - </para> |
2075 | + |
2076 | + <para> |
2077 | + Contratry to popular belief, you do not need <emphasis>ldaps://</emphasis> in <filename>/etc/default/slapd</filename> |
2078 | + in order to use encryption. You should have just: |
2079 | + </para> |
2080 | |
2081 | <programlisting> |
2082 | -SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///" |
2083 | +SLAPD_SERVICES="ldap:/// ldapi:///" |
2084 | </programlisting> |
2085 | |
2086 | - <para> |
2087 | - Now the <emphasis>openldap</emphasis> user needs access to the certificate: |
2088 | - </para> |
2089 | + <note> |
2090 | + <para> |
2091 | + LDAP over TLS/SSL (ldaps://) is deprecated in favour of <emphasis>StartTLS</emphasis>. The latter refers to an |
2092 | + existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a |
2093 | + distinct encrypted-from-the-start protocol that operates over TCP port 636. |
2094 | + </para> |
2095 | + </note> |
2096 | + |
2097 | + |
2098 | + <para> |
2099 | + Tighten up ownership and permissions: |
2100 | + </para> |
2101 | |
2102 | <screen> |
2103 | <command>sudo adduser openldap ssl-cert</command> |
2104 | <command>sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem</command> |
2105 | <command>sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem</command> |
2106 | +<command>sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem</command> |
2107 | </screen> |
2108 | |
2109 | - <note> |
2110 | - <para> |
2111 | - If the <filename role="directory">/etc/ssl/private</filename> and <filename>/etc/ssl/private/server.key</filename> have |
2112 | - different permissions, adjust the commands appropriately. |
2113 | - </para> |
2114 | - </note> |
2115 | - |
2116 | - <para> |
2117 | - Finally, restart <application>slapd</application>: |
2118 | - </para> |
2119 | + <para> |
2120 | + Restart OpenLDAP: |
2121 | + </para> |
2122 | |
2123 | <screen> |
2124 | -<command>sudo /etc/init.d/slapd restart</command> |
2125 | +<command>sudo service slapd restart</command> |
2126 | </screen> |
2127 | |
2128 | - <para> |
2129 | - The <application>slapd</application> daemon should now be listening for LDAPS connections and be able to use STARTTLS during |
2130 | - authentication. |
2131 | - </para> |
2132 | - |
2133 | - <note> |
2134 | - <para>If you run into troubles with the server not starting, |
2135 | - check the /var/log/syslog. If you see errors like |
2136 | - main: TLS init def ctx failed: -1, |
2137 | - it is likely there is a configuration problem. |
2138 | - Check that the certificate is signed by the authority from |
2139 | - in the files configured, and that the ssl-cert group |
2140 | - has read permissions on the private key. |
2141 | - </para> |
2142 | - </note> |
2143 | - |
2144 | - |
2145 | - <sect3 id="openldap-tls-replication" status="review"> |
2146 | - <title>TLS Replication</title> |
2147 | - |
2148 | - <para> |
2149 | - If you have setup <application>Syncrepl</application> between servers, it is prudent to encrypt the replication traffic |
2150 | - using <emphasis>Transport Layer Security (TLS)</emphasis>. For details on setting up replication see |
2151 | - <xref linkend="openldap-server-replication"/>. |
2152 | - </para> |
2153 | - |
2154 | - <para> |
2155 | - Assuming you have followed the above instructions and created a CA certificate and server certificate on the |
2156 | - <emphasis>Provider</emphasis> server. Follow the following instructions to create a certificate and key for the |
2157 | - <emphasis>Consumer</emphasis> server. |
2158 | - </para> |
2159 | - |
2160 | - <procedure> |
2161 | - <step> |
2162 | - |
2163 | - <para> |
2164 | - Create a new key for the Consumer server: |
2165 | + <para> |
2166 | + Check your host's logs (/var/log/syslog) to see if the server has started properly. |
2167 | + </para> |
2168 | + |
2169 | + </sect2> |
2170 | + |
2171 | + <sect2 id="openldap-tls-replication" status="review"> |
2172 | + <title>Replication and TLS</title> |
2173 | + |
2174 | + <para> |
2175 | + If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent |
2176 | + evesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that |
2177 | + TLS-authentication work. |
2178 | + </para> |
2179 | + |
2180 | + <para> |
2181 | + The assumption here is that you have set up replication between Provider and Consumer according to <xref linkend="openldap-server-replication"/> |
2182 | + and have configured TLS for authentication on the Provider by following <xref linkend="openldap-tls"/>. |
2183 | + </para> |
2184 | + |
2185 | + <para> |
2186 | + As previously stated, the objective (for us) with replication is high availablity for the LDAP service. Since we have TLS for |
2187 | + authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt |
2188 | + replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly. |
2189 | + We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the |
2190 | + necessary material over to the Consumer. |
2191 | + </para> |
2192 | + |
2193 | + <procedure> |
2194 | + |
2195 | + <step> |
2196 | + <para> |
2197 | + On the Provider, |
2198 | + </para> |
2199 | + |
2200 | + <para> |
2201 | + Create a holding directory (which will be used for the eventual transfer) and then the Consumer's private key: |
2202 | </para> |
2203 | |
2204 | <screen> |
2205 | <command>mkdir ldap02-ssl</command> |
2206 | <command>cd ldap02-ssl</command> |
2207 | -<command>certtool --generate-privkey > ldap02_slapd_key.pem</command> |
2208 | +<command>sudo certtool --generate-privkey \ |
2209 | +--bits 1024 \ |
2210 | +--outfile ldap02_slapd_key.pem</command> |
2211 | </screen> |
2212 | |
2213 | - <note> |
2214 | - <para> |
2215 | - Creating a new directory is not strictly necessary, but it will help keep things organized and make it easier to copy the |
2216 | - files to the Consumer server. |
2217 | - </para> |
2218 | - </note> |
2219 | - |
2220 | - </step> |
2221 | - <step> |
2222 | - |
2223 | <para> |
2224 | - Next, create an info file, <filename>ldap02.info</filename> for the Consumer server, changing the attributes to match your |
2225 | - locality and server: |
2226 | + Create an info file, <filename>ldap02.info</filename>, for the Consumer server, adjusting it's values accordingly: |
2227 | </para> |
2228 | |
2229 | <programlisting> |
2230 | -country = US |
2231 | -state = North Carolina |
2232 | -locality = Winston-Salem |
2233 | organization = Example Company |
2234 | -cn = ldap02.salem.edu |
2235 | -tls_www_client |
2236 | +cn = ldap02.example.com |
2237 | +tls_www_server |
2238 | encryption_key |
2239 | signing_key |
2240 | +expiration_days = 3650 |
2241 | </programlisting> |
2242 | |
2243 | - </step> |
2244 | - <step> |
2245 | - |
2246 | <para> |
2247 | - Create the certificate: |
2248 | + Create the Consumer's certificate: |
2249 | </para> |
2250 | |
2251 | <screen> |
2252 | -<command>sudo certtool --generate-certificate --load-privkey ldap02_slapd_key.pem \ |
2253 | - --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \ |
2254 | - --template ldap02.info --outfile ldap02_slapd_cert.pem</command> |
2255 | +<command>sudo certtool --generate-certificate \ |
2256 | +--load-privkey ldap02_slapd_key.pem \ |
2257 | +--load-ca-certificate /etc/ssl/certs/cacert.pem \ |
2258 | +--load-ca-privkey /etc/ssl/private/cakey.pem \ |
2259 | +--template ldap02.info \ |
2260 | +--outfile ldap02_slapd_cert.pem</command> |
2261 | </screen> |
2262 | |
2263 | - </step> |
2264 | - <step> |
2265 | - |
2266 | <para> |
2267 | - Copy the <filename>cacert.pem</filename> to the directory: |
2268 | + Get a copy of the CA certificate: |
2269 | </para> |
2270 | |
2271 | <screen> |
2272 | <command>cp /etc/ssl/certs/cacert.pem .</command> |
2273 | </screen> |
2274 | |
2275 | - </step> |
2276 | - <step> |
2277 | - |
2278 | - <para> |
2279 | - The only thing left is to copy the <filename>ldap02-ssl</filename> directory to the Consumer server, then copy |
2280 | - <filename>ldap02_slapd_cert.pem</filename> and <filename>cacert.pem</filename> to <filename>/etc/ssl/certs</filename>, |
2281 | - and copy <filename>ldap02_slapd_key.pem</filename> to <filename>/etc/ssl/private</filename>. |
2282 | - </para> |
2283 | - |
2284 | - </step> |
2285 | - <step> |
2286 | - |
2287 | - <para> |
2288 | - Once the files are in place adjust the <emphasis>cn=config</emphasis> tree by entering: |
2289 | - </para> |
2290 | - |
2291 | -<screen> |
2292 | -<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command> |
2293 | -</screen> |
2294 | - |
2295 | -<screen> |
2296 | -<computeroutput>Enter LDAP Password: |
2297 | -<userinput>dn: cn=config |
2298 | + <para> |
2299 | + We're done. Now transfer the <filename>ldap02-ssl</filename> directory to the Consumer. Here we use scp (adjust accordingly): |
2300 | + </para> |
2301 | + |
2302 | +<screen> |
2303 | +<command>cd ..</command> |
2304 | +<command>scp -r ldap02-ssl user@consumer:</command> |
2305 | +</screen> |
2306 | + |
2307 | + </step> |
2308 | + |
2309 | + <step> |
2310 | + <para> |
2311 | + On the Consumer, |
2312 | + </para> |
2313 | + |
2314 | + <para> |
2315 | + Configure TLS authentication: |
2316 | + </para> |
2317 | + |
2318 | +<screen> |
2319 | +<command>sudo apt-get install ssl-cert</command> |
2320 | +<command>sudo adduser openldap ssl-cert</command> |
2321 | +<command>sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs</command> |
2322 | +<command>sudo cp ldap02_slapd_key.pem /etc/ssl/private</command> |
2323 | +<command>sudo chgrp ssl-cert /etc/ssl/private/ldap02_slapd_key.pem</command> |
2324 | +<command>sudo chmod g+r /etc/ssl/private/ldap02_slapd_key.pem</command> |
2325 | +<command>sudo chmod o-r /etc/ssl/private/ldap02_slapd_key.pem</command> |
2326 | +</screen> |
2327 | + |
2328 | + <para> |
2329 | + Create the file <filename>/etc/ssl/certinfo.ldif</filename> with the following contents (adjust accordingly): |
2330 | + </para> |
2331 | + |
2332 | +<programlisting> |
2333 | +dn: cn=config |
2334 | add: olcTLSCACertificateFile |
2335 | olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem |
2336 | - |
2337 | @@ -1187,175 +1516,194 @@ |
2338 | olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem |
2339 | - |
2340 | add: olcTLSCertificateKeyFile |
2341 | -olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem</userinput> |
2342 | - |
2343 | -modifying entry "cn=config" |
2344 | -</computeroutput> |
2345 | -</screen> |
2346 | - |
2347 | - </step> |
2348 | - <step> |
2349 | - |
2350 | - <para> |
2351 | - As with the Provider you can now edit <filename>/etc/default/slapd</filename> and add the <emphasis>ldaps:///</emphasis> |
2352 | - parameter to the <emphasis>SLAPD_SERVICES</emphasis> option. |
2353 | - </para> |
2354 | - |
2355 | - </step> |
2356 | - </procedure> |
2357 | - |
2358 | - <para> |
2359 | - Now that <emphasis>TLS</emphasis> has been setup on each server, once again modify the <emphasis>Consumer</emphasis> server's |
2360 | - <emphasis>cn=config</emphasis> tree by entering the following in a terminal: |
2361 | - </para> |
2362 | - |
2363 | -<screen> |
2364 | -<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command> |
2365 | -</screen> |
2366 | - |
2367 | -<screen> |
2368 | -<computeroutput>SASL/EXTERNAL authentication started |
2369 | -SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
2370 | -SASL SSF: 0 |
2371 | -<userinput> |
2372 | +olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem |
2373 | +</programlisting> |
2374 | + |
2375 | + <para> |
2376 | + Configure the slapd-config database: |
2377 | + </para> |
2378 | + |
2379 | +<screen> |
2380 | +<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif</command> |
2381 | +</screen> |
2382 | + |
2383 | + <para> |
2384 | + Configure <filename>/etc/default/slapd</filename> as on the Provider (SLAPD_SERVICES). |
2385 | + </para> |
2386 | + </step> |
2387 | + |
2388 | + <step> |
2389 | + <para> |
2390 | + On the Consumer, |
2391 | + </para> |
2392 | + |
2393 | + <para> |
2394 | + Configure TLS for Consumer-side replication. Modify the existing <emphasis>olcSyncrepl</emphasis> attribute by tacking |
2395 | + on some TLS options. In so doing, we will see, for the first time, how to change an attribute's value(s). |
2396 | + </para> |
2397 | + |
2398 | + <para> |
2399 | + Create the file <filename>consumer_sync_tls.ldif</filename> with the following contents: |
2400 | + </para> |
2401 | + |
2402 | +<programlisting> |
2403 | dn: olcDatabase={1}hdb,cn=config |
2404 | -replace: olcSyncrepl |
2405 | -olcSyncrepl: {0}rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=ad |
2406 | - min,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" logbas |
2407 | - e="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" s |
2408 | - chemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=yes</userinput> |
2409 | - |
2410 | -modifying entry "olcDatabase={1}hdb,cn=config" |
2411 | -</computeroutput> |
2412 | -</screen> |
2413 | - |
2414 | - <para> |
2415 | - If the LDAP server hostname does not match the Fully Qualified Domain Name (FQDN) in the certificate, you may have to edit |
2416 | - <filename>/etc/ldap/ldap.conf</filename> and add the following TLS options: |
2417 | - </para> |
2418 | +replace: olcSyncRepl |
2419 | +olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple |
2420 | + binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" |
2421 | + logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" |
2422 | + schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog |
2423 | + <application>starttls=critical tls_reqcert=demand</application> |
2424 | +</programlisting> |
2425 | + |
2426 | + <para> |
2427 | + The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the |
2428 | + Provider's identity. Also note the LDIF syntax for changing the values of an attribute ('replace'). |
2429 | + </para> |
2430 | + |
2431 | + <para> |
2432 | + Implement these changes: |
2433 | + </para> |
2434 | + |
2435 | +<screen> |
2436 | +<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif</command> |
2437 | +</screen> |
2438 | + |
2439 | + <para> |
2440 | + And restart slapd: |
2441 | + </para> |
2442 | + |
2443 | +<screen> |
2444 | +<command>sudo service slapd restart</command> |
2445 | +</screen> |
2446 | + |
2447 | + </step> |
2448 | + |
2449 | + <step> |
2450 | + <para> |
2451 | + On the Provider, |
2452 | + </para> |
2453 | + |
2454 | + <para> |
2455 | + Check to see that a TLS session has been established. In <filename>/var/log/syslog</filename>, providing you have |
2456 | + 'conns'-level logging set up, you should see messages similar to: |
2457 | + </para> |
2458 | |
2459 | <programlisting> |
2460 | -TLS_CERT /etc/ssl/certs/ldap02_slapd_cert.pem |
2461 | -TLS_KEY /etc/ssl/private/ldap02_slapd_key.pem |
2462 | -TLS_CACERT /etc/ssl/certs/cacert.pem |
2463 | +slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389) |
2464 | +slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037 |
2465 | +slapd[3620]: conn=1047 op=0 STARTTLS |
2466 | +slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text= |
2467 | +slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128 |
2468 | +slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128 |
2469 | +slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0 |
2470 | +slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text |
2471 | </programlisting> |
2472 | |
2473 | - |
2474 | - <para> |
2475 | - Finally, restart <application>slapd</application> on each of the servers: |
2476 | - </para> |
2477 | - |
2478 | -<screen> |
2479 | -<command>sudo /etc/init.d/slapd restart</command> |
2480 | -</screen> |
2481 | - |
2482 | - </sect3> |
2483 | - |
2484 | - </sect2> |
2485 | - |
2486 | - <sect2 id="openldap-auth-config" status="review"> |
2487 | - <title>LDAP Authentication</title> |
2488 | - |
2489 | - <para> |
2490 | - Once you have a working LDAP server, the <application>auth-client-config</application> and <application>libnss-ldap</application> |
2491 | - packages take the pain out of configuring an Ubuntu client to authenticate using LDAP. To install the packages from, a terminal |
2492 | - prompt enter: |
2493 | - </para> |
2494 | + </step> |
2495 | + |
2496 | + </procedure> |
2497 | + |
2498 | + </sect2> |
2499 | + |
2500 | + <sect2 id="openldap-auth-config" status="review"> |
2501 | + <title>LDAP Authentication</title> |
2502 | + |
2503 | + <para> |
2504 | + Once you have a working LDAP server, you will need to install libraries on the client that will know how and when to contact it. |
2505 | + On Ubuntu, this has been traditionally accomplishd by installing the <application>libnss-ldap</application> package. This package |
2506 | + will bring in other tools that will assist you in the configuration step. Install this package now: |
2507 | + </para> |
2508 | |
2509 | <screen> |
2510 | <command>sudo apt-get install libnss-ldap</command> |
2511 | </screen> |
2512 | |
2513 | - <para> |
2514 | - During the install a menu dialog will ask you connection details about your LDAP server. |
2515 | - </para> |
2516 | - |
2517 | - <para> |
2518 | - If you make a mistake when entering your information you can execute the dialog again using: |
2519 | - </para> |
2520 | - |
2521 | + <para> |
2522 | + You will be prompted for details of your LDAP server. If you make a mistake you can try again using: |
2523 | + </para> |
2524 | + |
2525 | <screen> |
2526 | <command>sudo dpkg-reconfigure ldap-auth-config</command> |
2527 | </screen> |
2528 | |
2529 | - <para> |
2530 | - The results of the dialog can be seen in <filename>/etc/ldap.conf</filename>. If your server requires options not covered in the menu |
2531 | - edit this file accordingly. |
2532 | - </para> |
2533 | + <para> |
2534 | + The results of the dialog can be seen in <filename>/etc/ldap.conf</filename>. If your server requires options not covered in the menu |
2535 | + edit this file accordingly. |
2536 | + </para> |
2537 | |
2538 | - <para> |
2539 | - Now that <application>libnss-ldap</application> is configured enable the <application>auth-client-config</application> LDAP profile by |
2540 | - entering: |
2541 | - </para> |
2542 | + <para> |
2543 | + Now configure the LDAP profile for NSS: |
2544 | + </para> |
2545 | |
2546 | <screen> |
2547 | <command>sudo auth-client-config -t nss -p lac_ldap</command> |
2548 | </screen> |
2549 | |
2550 | - <itemizedlist> |
2551 | - <listitem> |
2552 | - <para> |
2553 | - <emphasis>-t:</emphasis> only modifies <filename>/etc/nsswitch.conf</filename>. |
2554 | - </para> |
2555 | - </listitem> |
2556 | - <listitem> |
2557 | - <para> |
2558 | - <emphasis>-p:</emphasis> name of the profile to enable, disable, etc. |
2559 | - </para> |
2560 | - </listitem> |
2561 | - <listitem> |
2562 | - <para> |
2563 | - <emphasis>lac_ldap:</emphasis> the <application>auth-client-config</application> profile that is part of the |
2564 | - <application>ldap-auth-config</application> package. |
2565 | - </para> |
2566 | - </listitem> |
2567 | - </itemizedlist> |
2568 | - |
2569 | - <para> |
2570 | - Using the <application>pam-auth-update</application> utility, configure the system to use LDAP for authentication: |
2571 | - </para> |
2572 | + <para> |
2573 | + Configure the system to use LDAP for authentication: |
2574 | + </para> |
2575 | |
2576 | <screen> |
2577 | <command>sudo pam-auth-update</command> |
2578 | </screen> |
2579 | |
2580 | - <para> |
2581 | - From the <application>pam-auth-update</application> menu, choose LDAP and any other authentication mechanisms you need. |
2582 | - </para> |
2583 | - |
2584 | - <para> |
2585 | - You should now be able to login using user credentials stored in the LDAP directory. |
2586 | - </para> |
2587 | - |
2588 | - <note> |
2589 | - <para> |
2590 | - If you are going to use LDAP to store Samba users you will need to configure the server to authenticate using LDAP. |
2591 | - See <xref linkend="samba-ldap"/> for details. |
2592 | - </para> |
2593 | - </note> |
2594 | - |
2595 | - </sect2> |
2596 | - <sect2 id="ldap-usergroup-management" status="review"> |
2597 | - <title>User and Group Management</title> |
2598 | - |
2599 | - <para> |
2600 | - The <application>ldap-utils</application> package comes with multiple utilities to manage the directory, but the long |
2601 | - string of options needed, can make them a burden to use. The <application>ldapscripts</application> package contains |
2602 | - configurable scripts to easily manage LDAP users and groups. |
2603 | - </para> |
2604 | - |
2605 | - <para> |
2606 | - To install the package, from a terminal enter: |
2607 | - </para> |
2608 | + <para> |
2609 | + From the menu, choose LDAP and any other authentication mechanisms you need. |
2610 | + </para> |
2611 | + |
2612 | + <para> |
2613 | + You should now be able to log in using LDAP-based credentials. |
2614 | + </para> |
2615 | + |
2616 | + <para> |
2617 | + LDAP clients will need to refer to multiple servers if replication is in use. In <filename>/etc/ldap.conf</filename> you would |
2618 | + have something like: |
2619 | + </para> |
2620 | + |
2621 | +<programlisting> |
2622 | +uri ldap://ldap01.example.com ldap://ldap02.example.com |
2623 | +</programlisting> |
2624 | + |
2625 | + <para> |
2626 | + The request will time out and the Consumer (ldap02) will attempt to be reached if the Provider (ldap01) becomes unresponsive. |
2627 | + </para> |
2628 | + |
2629 | + <para> |
2630 | + If you are going to use LDAP to store Samba users you will need to configure the Samba server to authenticate using LDAP. See |
2631 | + <xref linkend="samba-ldap"/> for details. |
2632 | + </para> |
2633 | + |
2634 | + <note> |
2635 | + <para> |
2636 | + An alternative to the <application>libnss-ldap</application> package is the <application>libnss-ldapd</application> |
2637 | + package. This, however, will bring in the <application>nscd</application> package which is problably not wanted. Simply |
2638 | + remove it afterwards. |
2639 | + </para> |
2640 | + </note> |
2641 | + |
2642 | + </sect2> |
2643 | + |
2644 | + <sect2 id="ldap-usergroup-management" status="review"> |
2645 | + <title>User and Group Management</title> |
2646 | + |
2647 | + <para> |
2648 | + The <application>ldap-utils</application> package comes with enough utilities to manage the directory but the long string of |
2649 | + options needed can make them a burden to use. The <application>ldapscripts</application> package contains wrapper scripts to these |
2650 | + utilities that some people find easier to use. |
2651 | + </para> |
2652 | + |
2653 | + <para> |
2654 | + Install the package: |
2655 | + </para> |
2656 | |
2657 | <screen> |
2658 | <command>sudo apt-get install ldapscripts</command> |
2659 | </screen> |
2660 | |
2661 | - <para> |
2662 | - Next, edit the config file <filename>/etc/ldapscripts/ldapscripts.conf</filename> uncommenting and changing the following to |
2663 | - match your environment: |
2664 | - </para> |
2665 | + <para> |
2666 | + Then edit the file <filename>/etc/ldapscripts/ldapscripts.conf</filename> to arrive at something similar to the following: |
2667 | + </para> |
2668 | |
2669 | <programlisting> |
2670 | SERVER=localhost |
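Review bot: two spelling errors in the new prose: `accomplishd` in the libnss-ldap paragraph should be `accomplished`, and `problably` in the note about libnss-ldapd should be `probably`. The failover sentence after the `uri` listing reads backwards; suggest `If the Provider (ldap01) becomes unresponsive, the request will time out and the client will try the Consumer (ldap02).` Two documentation points as well: the removed list explaining `-t` and `-p` was the only description of what `sudo auth-client-config -t nss -p lac_ldap` does, so one sentence saying that it edits /etc/nsswitch.conf using the lac_ldap profile shipped by ldap-auth-config should survive; and the `uri ldap://ldap01.example.com ldap://ldap02.example.com` example configures plain, unencrypted LDAP, so the paragraph should state that binds and lookups travel in cleartext unless TLS is configured on client and server.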
2671 | @@ -1370,104 +1718,125 @@ |
2672 | MIDSTART=10000 |
2673 | </programlisting> |
2674 | |
2675 | - <para> |
2676 | - Now, create the <filename>ldapscripts.passwd</filename> file to allow authenticated access to the directory: |
2677 | - </para> |
2678 | + <para> |
2679 | + Now, create the <filename>ldapscripts.passwd</filename> file to allow rootDN access to the directory: |
2680 | + </para> |
2681 | |
2682 | <screen> |
2683 | <command>sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"</command> |
2684 | <command>sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd</command> |
2685 | </screen> |
2686 | |
2687 | - <note> |
2688 | - <para> |
2689 | - Replace <quote>secret</quote> with the actual password for your LDAP admin user. |
2690 | - </para> |
2691 | - </note> |
2692 | - |
2693 | - <para> |
2694 | - The <application>ldapscripts</application> are now ready to help manage your directory. The following are some examples |
2695 | - of how to use the scripts: |
2696 | - </para> |
2697 | - |
2698 | - <itemizedlist> |
2699 | - <listitem> |
2700 | - <para> |
2701 | - Create a new user: |
2702 | - </para> |
2703 | + <note> |
2704 | + <para> |
2705 | + Replace <quote>secret</quote> with the actual password for your database's rootDN user. |
2706 | + </para> |
2707 | + </note> |
2708 | + |
2709 | + <para> |
2710 | + The scripts are now ready to help manage your directory. Here are some examples of how to use them: |
2711 | + </para> |
2712 | + |
2713 | + <itemizedlist> |
2714 | + |
2715 | + <listitem> |
2716 | + <para> |
2717 | + Create a new user: |
2718 | + </para> |
2719 | + |
2720 | <screen> |
2721 | <command>sudo ldapadduser george example</command> |
2722 | </screen> |
2723 | - <para> |
2724 | - This will create a user with uid <emphasis role="italic">george</emphasis> and set the user's primary group (gid) to |
2725 | - <emphasis role="italic">example</emphasis> |
2726 | - </para> |
2727 | - </listitem> |
2728 | - <listitem> |
2729 | - <para> |
2730 | - Change a user's password: |
2731 | - </para> |
2732 | + |
2733 | + <para> |
2734 | + This will create a user with uid <emphasis role="italic">george</emphasis> and set the user's primary group (gid) to |
2735 | + <emphasis role="italic">example</emphasis> |
2736 | + </para> |
2737 | + </listitem> |
2738 | + |
2739 | + <listitem> |
2740 | + <para> |
2741 | + Change a user's password: |
2742 | + </para> |
2743 | + |
2744 | <screen> |
2745 | <command>sudo ldapsetpasswd george</command> |
2746 | <computeroutput>Changing password for user uid=george,ou=People,dc=example,dc=com</computeroutput> |
2747 | <userinput>New Password: </userinput> |
2748 | <userinput>New Password (verify): </userinput> |
2749 | </screen> |
2750 | - </listitem> |
2751 | - <listitem> |
2752 | - <para> |
2753 | - Delete a user: |
2754 | - </para> |
2755 | + |
2756 | + </listitem> |
2757 | + |
2758 | + <listitem> |
2759 | + <para> |
2760 | + Delete a user: |
2761 | + </para> |
2762 | + |
2763 | <screen> |
2764 | <command>sudo ldapdeleteuser george</command> |
2765 | </screen> |
2766 | |
2767 | - </listitem> |
2768 | - <listitem> |
2769 | - <para> |
2770 | - Add a group: |
2771 | - </para> |
2772 | + </listitem> |
2773 | + |
2774 | + <listitem> |
2775 | + <para> |
2776 | + Add a group: |
2777 | + </para> |
2778 | + |
2779 | <screen> |
2780 | <command>sudo ldapaddgroup qa</command> |
2781 | </screen> |
2782 | - </listitem> |
2783 | - <listitem> |
2784 | - <para> |
2785 | - Delete a group: |
2786 | - </para> |
2787 | + |
2788 | + </listitem> |
2789 | + |
2790 | + <listitem> |
2791 | + <para> |
2792 | + Delete a group: |
2793 | + </para> |
2794 | + |
2795 | <screen> |
2796 | <command>sudo ldapdeletegroup qa</command> |
2797 | </screen> |
2798 | - </listitem> |
2799 | - <listitem> |
2800 | - <para> |
2801 | - Add a user to a group: |
2802 | - </para> |
2803 | + |
2804 | + </listitem> |
2805 | + |
2806 | + <listitem> |
2807 | + <para> |
2808 | + Add a user to a group: |
2809 | + </para> |
2810 | + |
2811 | <screen> |
2812 | <command>sudo ldapaddusertogroup george qa</command> |
2813 | </screen> |
2814 | - <para> |
2815 | - You should now see a <emphasis>memberUid</emphasis> attribute for the <emphasis role="italic">qa</emphasis> group with |
2816 | - a value of <emphasis role="italic">george</emphasis>. |
2817 | - </para> |
2818 | - </listitem> |
2819 | - <listitem> |
2820 | - <para> |
2821 | - Remove a user from a group: |
2822 | - </para> |
2823 | + |
2824 | + <para> |
2825 | + You should now see a <emphasis>memberUid</emphasis> attribute for the <emphasis role="italic">qa</emphasis> group with |
2826 | + a value of <emphasis role="italic">george</emphasis>. |
2827 | + </para> |
2828 | + </listitem> |
2829 | + |
2830 | + <listitem> |
2831 | + <para> |
2832 | + Remove a user from a group: |
2833 | + </para> |
2834 | + |
2835 | <screen> |
2836 | <command>sudo ldapdeleteuserfromgroup george qa</command> |
2837 | </screen> |
2838 | - <para> |
2839 | - The <emphasis>memberUid</emphasis> attribute should now be removed from the <emphasis role="italic">qa</emphasis> |
2840 | - group. |
2841 | - </para> |
2842 | - </listitem> |
2843 | - <listitem> |
2844 | - <para> |
2845 | - The <application>ldapmodifyuser</application> script allows you to add, remove, or replace a user's attributes. |
2846 | - The script uses the same syntax as the <application>ldapmodify</application> utility. For example: |
2847 | - </para> |
2848 | + |
2849 | + <para> |
2850 | + The <emphasis>memberUid</emphasis> attribute should now be removed from the <emphasis role="italic">qa</emphasis> |
2851 | + group. |
2852 | + </para> |
2853 | + </listitem> |
2854 | + |
2855 | + <listitem> |
2856 | + <para> |
2857 | + The <application>ldapmodifyuser</application> script allows you to add, remove, or replace a user's attributes. |
2858 | + The script uses the same syntax as the <application>ldapmodify</application> utility. For example: |
2859 | + </para> |
2860 | + |
2861 | <screen> |
2862 | <command>sudo ldapmodifyuser george</command> |
2863 | <computeroutput># About to modify the following entry : |
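Review bot: the `sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"` step puts the rootDN password on the command line, so it is recorded in the invoking user's shell history and briefly visible to every local user in the process list, and the file exists with default permissions until the following `chmod 400` runs. Suggest telling the reader to write the file with an editor or with a non-echoing prompt and a restrictive umask, for example `sudo bash -c 'umask 077; read -rs -p "rootDN password: " p; printf %s "$p" > /etc/ldapscripts/ldapscripts.passwd'`, and to keep the existing `chmod 400` as a check. The wording change from `authenticated access` to `rootDN access` is accurate and worth keeping.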
2864 | @@ -1489,36 +1858,38 @@ |
2865 | <userinput>replace: gecos |
2866 | gecos: George Carlin</userinput> |
2867 | </screen> |
2868 | - <para> |
2869 | - The user's <emphasis>gecos</emphasis> should now be <quote>George Carlin</quote>. |
2870 | - </para> |
2871 | - </listitem> |
2872 | - <listitem> |
2873 | - <para> |
2874 | - Another great feature of <application>ldapscripts</application>, is the template system. Templates |
2875 | - allow you to customize the attributes of user, group, and machine objectes. For example, to enable |
2876 | - the <emphasis>user</emphasis> template edit <filename>/etc/ldapscripts/ldapscripts.conf</filename> |
2877 | - changing: |
2878 | - </para> |
2879 | + |
2880 | + <para> |
2881 | + The user's <emphasis>gecos</emphasis> should now be <quote>George Carlin</quote>. |
2882 | + </para> |
2883 | + </listitem> |
2884 | + |
2885 | + <listitem> |
2886 | + <para> |
2887 | + A nice feature of <application>ldapscripts</application> is the template system. Templates allow you to customize the |
2888 | + attributes of user, group, and machine objectes. For example, to enable the <emphasis>user</emphasis> template edit |
2889 | + <filename>/etc/ldapscripts/ldapscripts.conf</filename> changing: |
2890 | + </para> |
2891 | |
2892 | <programlisting> |
2893 | UTEMPLATE="/etc/ldapscripts/ldapadduser.template" |
2894 | </programlisting> |
2895 | |
2896 | - <para> |
2897 | - There are <emphasis role="italic">sample</emphasis> templates in the <filename>/etc/ldapscripts</filename> directory. |
2898 | - Copy or rename the <filename>ldapadduser.template.sample</filename> file to |
2899 | - <filename>/etc/ldapscripts/ldapadduser.template</filename>: |
2900 | - </para> |
2901 | + <para> |
2902 | + There are <emphasis role="italic">sample</emphasis> templates in the <filename>/etc/ldapscripts</filename> directory. |
2903 | + Copy or rename the <filename>ldapadduser.template.sample</filename> file to |
2904 | + <filename>/etc/ldapscripts/ldapadduser.template</filename>: |
2905 | + </para> |
2906 | |
2907 | <screen> |
2908 | -<command>sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample /etc/ldapscripts/ldapadduser.template</command> |
2909 | +<command>sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \ |
2910 | +/etc/ldapscripts/ldapadduser.template</command> |
2911 | </screen> |
2912 | |
2913 | - <para> |
2914 | - Edit the new template to add the desired attributes. The following will create new user's as with an |
2915 | - <emphasis>objectClass</emphasis> of <emphasis>inetOrgPerson</emphasis>: |
2916 | - </para> |
2917 | + <para> |
2918 | + Edit the new template to add the desired attributes. The following will create new users with an objectClass of |
2919 | + inetOrgPerson: |
2920 | + </para> |
2921 | |
2922 | <programlisting> |
2923 | dn: uid=<user>,<usuffix>,<suffix> |
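Review bot: the prose and the command disagree about where the sample templates live: the paragraph says `There are sample templates in the /etc/ldapscripts directory`, but the `cp` below copies from `/usr/share/doc/ldapscripts/examples/ldapadduser.template.sample`. Make the paragraph name the `/usr/share/doc/ldapscripts/examples` path (or drop the location claim), otherwise a reader following the text literally looks in the wrong directory. Also `objectes` in the template paragraph should be `objects`.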
2924 | @@ -1536,59 +1907,112 @@ |
2925 | title: Employee |
2926 | </programlisting> |
2927 | |
2928 | - <para> |
2929 | - Notice the <emphasis><ask></emphasis> option used for the <emphasis>ssn</emphasis> value. Using <ask> |
2930 | - will configure <application>ldapadduser</application> to prompt you for the attribute value during user creation. |
2931 | - </para> |
2932 | - |
2933 | - </listitem> |
2934 | - </itemizedlist> |
2935 | - |
2936 | - <para> |
2937 | - There are more useful scripts in the package, to see a full list enter: <command>dpkg -L ldapscripts | grep bin</command> |
2938 | - </para> |
2939 | - |
2940 | - </sect2> |
2941 | - <sect2 id="openldap-server-resources" status="review"> |
2942 | - <title>Resources</title> |
2943 | - <itemizedlist> |
2944 | - <listitem> |
2945 | - <para> |
2946 | - The <ulink url="https://help.ubuntu.com/community/OpenLDAPServer">OpenLDAP Ubuntu Wiki</ulink> page has more details. |
2947 | - </para> |
2948 | - </listitem> |
2949 | - <listitem> |
2950 | - <para> |
2951 | - For more information see <ulink url="http://www.openldap.org/">OpenLDAP Home Page</ulink> |
2952 | - </para> |
2953 | - </listitem> |
2954 | - <listitem> |
2955 | - <para> |
2956 | - Though starting to show it's age, a great source for in depth LDAP information is |
2957 | - O'Reilly's <ulink url="http://www.oreilly.com/catalog/ldapsa/">LDAP System Administration</ulink> |
2958 | - </para> |
2959 | - </listitem> |
2960 | - <listitem> |
2961 | - <para> |
2962 | - Packt's <ulink url="http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book">Mastering OpenLDAP</ulink> |
2963 | - is a great reference covering newer versions of OpenLDAP. |
2964 | - </para> |
2965 | - </listitem> |
2966 | - <listitem> |
2967 | - <para> |
2968 | - For more information on <application>auth-client-config</application> see the man page: <command>man auth-client-config</command>. |
2969 | - </para> |
2970 | - </listitem> |
2971 | - <listitem> |
2972 | - <para> |
2973 | - For more details regarding the <application>ldapscripts</application> package see the man pages: <command>man ldapscripts</command>, |
2974 | - <command>man ldapadduser</command>, <command>man ldapaddgroup</command>, etc. |
2975 | - </para> |
2976 | - </listitem> |
2977 | - </itemizedlist> |
2978 | + <para> |
2979 | + Notice the <emphasis><ask></emphasis> option used for the <emphasis>sn</emphasis> attribute. This |
2980 | + will make <application>ldapadduser</application> prompt you for it's value. |
2981 | + </para> |
2982 | + </listitem> |
2983 | + |
2984 | + </itemizedlist> |
2985 | + |
2986 | + <para> |
2987 | + There are utilities in the package that were not covered here. Here is a complete list: |
2988 | + </para> |
2989 | + |
2990 | +<programlisting> |
2991 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldaprenamemachine.1.html">ldaprenamemachine</ulink> |
2992 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapadduser.1.html">ldapadduser</ulink> |
2993 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuserfromgroup.1.html">ldapdeleteuserfromgroup</ulink> |
2994 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapfinger.1.html">ldapfinger</ulink> |
2995 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapid.1.html">ldapid</ulink> |
2996 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapgid.1.html">ldapgid</ulink> |
2997 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapmodifyuser.1.html">ldapmodifyuser</ulink> |
2998 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldaprenameuser.1.html">ldaprenameuser</ulink> |
2999 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/lsldap.1.html">lsldap</ulink> |
3000 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapaddusertogroup.1.html">ldapaddusertogroup</ulink> |
3001 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapsetpasswd.1.html">ldapsetpasswd</ulink> |
3002 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapinit.1.html">ldapinit</ulink> |
3003 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapaddgroup.1.html">ldapaddgroup</ulink> |
3004 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeletegroup.1.html">ldapdeletegroup</ulink> |
3005 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapmodifygroup.1.html">ldapmodifygroup</ulink> |
3006 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeletemachine.1.html">ldapdeletemachine</ulink> |
3007 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldaprenamegroup.1.html">ldaprenamegroup</ulink> |
3008 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapaddmachine.1.html">ldapaddmachine</ulink> |
3009 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapmodifymachine.1.html">ldapmodifymachine</ulink> |
3010 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapsetprimarygroup.1.html">ldapsetprimarygroup</ulink> |
3011 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuser.1.html">ldapdeleteuser</ulink> |
3012 | +</programlisting> |
3013 | + |
3014 | + </sect2> |
3015 | + |
3016 | + <sect2 id="openldap-server-resources" status="review"> |
3017 | + <title>Resources</title> |
3018 | + |
3019 | + <itemizedlist> |
3020 | + |
3021 | + <listitem> |
3022 | + <para> |
3023 | + The primary resource is the upstream documentation: <ulink url="http://www.openldap.org/">www.openldap.org</ulink> |
3024 | + </para> |
3025 | + </listitem> |
3026 | + |
3027 | + <listitem> |
3028 | + <para> |
3029 | + There are many man pages that come with the slapd package. Here are some important ones, especially considering the material |
3030 | + presented in this guide: |
3031 | + </para> |
3032 | + |
3033 | +<programlisting> |
3034 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man8/slapd.8.html">slapd</ulink> |
3035 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html">slapd-config</ulink> |
3036 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html">slapd.access</ulink> |
3037 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapo-syncprov.5.html">slapo-syncprov</ulink> |
3038 | +</programlisting> |
3039 | + |
3040 | + </listitem> |
3041 | + |
3042 | + <listitem> |
3043 | + <para> |
3044 | + Other man pages: |
3045 | + </para> |
3046 | + |
3047 | +<programlisting> |
3048 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man8/auth-client-config.8.html">auth-client-config</ulink> |
3049 | +<ulink url="http://manpages.ubuntu.com/manpages/en/man8/pam-auth-update.8.html">pam-auth-update</ulink> |
3050 | +</programlisting> |
3051 | + |
3052 | + </listitem> |
3053 | + |
3054 | + <listitem> |
3055 | + <para> |
3056 | + Zytrax's <ulink url="http://www.zytrax.com/books/ldap/">LDAP for Rocket Scientists</ulink>; a less pedantic but comprehensive treatment of LDAP |
3057 | + </para> |
3058 | + </listitem> |
3059 | + |
3060 | + <listitem> |
3061 | + <para> |
3062 | + A Ubuntu community <ulink url="https://help.ubuntu.com/community/OpenLDAPServer">OpenLDAP wiki</ulink> page has a collection of notes |
3063 | + </para> |
3064 | + </listitem> |
3065 | + |
3066 | + <listitem> |
3067 | + <para> |
3068 | + O'Reilly's <ulink url="http://www.oreilly.com/catalog/ldapsa/">LDAP System Administration</ulink> (textbook; 2003) |
3069 | + </para> |
3070 | + </listitem> |
3071 | + |
3072 | + <listitem> |
3073 | + <para> |
3074 | + Packt's <ulink url="http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book">Mastering OpenLDAP</ulink> (textbook; 2007) |
3075 | + </para> |
3076 | + </listitem> |
3077 | + |
3078 | + </itemizedlist> |
3079 | |
3080 | - </sect2> |
3081 | - </sect1> |
3082 | + </sect2> |
3083 | + |
3084 | + </sect1> |
3085 | + |
3086 | <sect1 id="samba-ldap" status="review"> |
3087 | <title>Samba and LDAP</title> |
3088 | |
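Review bot: `it's value` in the `<ask>` paragraph should be `its value`. The same paragraph now refers to the `sn` attribute where the removed text said `ssn`; the template excerpt visible in this hunk ends at `title: Employee`, so please confirm that the template line using `<ask>` is indeed `sn` and that the old `ssn` was the typo. Style: the list of ldapscripts utilities and the two man-page lists are set inside `<programlisting>`, which is meant for code and renders the links in monospace with preserved whitespace; a `<simplelist>` or `<itemizedlist>` is the DocBook element for a list of links, and sorting the utility list alphabetically (ldapaddgroup, ldapaddmachine, ldapadduser, ...) would make it scannable.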
3089 | @@ -1725,11 +2149,9 @@ |
3090 | modifyTimestamp: 20080827045234Z |
3091 | </programlisting> |
3092 | |
3093 | - <note> |
3094 | <para> |
3095 | The attribute values will vary, just be sure the attributes are removed. |
3096 | </para> |
3097 | - </note> |
3098 | |
3099 | </step> |
3100 | <step> |
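Review bot: removing the `<note>` wrapper here is a presentation change in the Samba section, outside the subchapter this proposal describes; if it is intentional, say so in the commit message, and while touching this block fix the comma splice in the kept line: `The attribute values will vary; just be sure the attributes are removed.`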
3101 | @@ -1845,7 +2267,7 @@ |
3102 | |
3103 | <note> |
3104 | <para> |
3105 | - You can create an LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>. |
3106 | + You can create a LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>. |
3107 | This allows you to look over the changes making sure everything is correct. |
3108 | </para> |
3109 | </note> |
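Review bot: the change from `an LDIF file` to `a LDIF file` is a regression. LDIF is read letter by letter (el-dee-eye-eff) and so takes `an`, just as the guide writes `an LDAP server`; suggest reverting this one line.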
3110 | @@ -2769,11 +3191,9 @@ |
3111 | modifyTimestamp: 20090111203515Z |
3112 | </programlisting> |
3113 | |
3114 | - <note> |
3115 | <para> |
3116 | The attribute values will vary, just be sure the attributes are removed. |
3117 | </para> |
3118 | - </note> |
3119 | |
3120 | </step> |
3121 | <step> |
An excellent review, thanks for greatly improving this chapter. I got a few little points to discuss:
- I notice a few shell scripts lost their execute permission. Can you please fix that manpages.ubuntu.com/manpages/en/man1/ldapadduser.1.html It seems the website does the right thing and always redirects you to the latest release
- On line 354 in this diff (/etc/ldap/slapd.d/ contents), I am not sure how this output was created. i.e. perhaps it's worth showing what command you used
- At the end of the chapter, you're including a list of man page links. Would it be a good idea to remove "oneiric" from the URL, example: http://