Merge lp:~petermatulis/serverguide/serverguide-review-6.1 into lp:~ubuntu-core-doc/serverguide/oneiric

Proposed by Peter Matulis
Status: Merged
Merged at revision: 30
Proposed branch: lp:~petermatulis/serverguide/serverguide-review-6.1
Merge into: lp:~ubuntu-core-doc/serverguide/oneiric
Diff against target: 3121 lines (+1599/-1179)
1 file modified
serverguide/C/network-auth.xml (+1599/-1179)
To merge this branch: bzr merge lp:~petermatulis/serverguide/serverguide-review-6.1
Reviewer                         | Review Type | Date Requested | Status
Ahmed Kamal                      | community   |                | Approve
Ubuntu Documentation Committers  |             |                | Pending
Review via email: mp+77595@code.launchpad.net

Description of the change

This subchapter was re-written using the Natty document as a skeleton. There were many mistakes in the old document and there was not enough explanation. I tried hard to be concise and referred to upstream documentation when possible. I added a new section called "Logging".

Revision history for this message
Ahmed Kamal (kim0) wrote :

An excellent review, thanks for greatly improving this chapter. I got a few little points to discuss:

- I notice a few shell scripts lost their execute permission. Can you please fix that
- On line 354 in this diff (/etc/ldap/slapd.d/ contents), I am not sure how this output was created. i.e. perhaps it's worth showing what command you used
- At the end of the chapter, you're including a list of man page links. Would it be a good idea to remove "oneiric" from the URL, example: http://manpages.ubuntu.com/manpages/en/man1/ldapadduser.1.html It seems the website does the right thing and always redirects you to the latest release

review: Needs Fixing
8. By Peter Matulis

Edits made based on merge proposal; subchapter 6.1

Revision history for this message
Peter Matulis (petermatulis) wrote :

Changes made. Including all man page links you did not mention.

Re missing command, I am providing the layout of the slapd-config database (/etc/ldap/slapd.d/). It's not meant for the reader to duplicate that. They should be able to browse the structure themselves using standard tools (e.g. 'ls').

Revision history for this message
Ahmed Kamal (kim0) wrote :

Thank you, this is a great contribution

review: Approve
Revision history for this message
Connor Imes (ckimes) wrote :

I've merged this one now as well, but had to resolve some conflicts with the section 6.1 review in merge request 75664 that was completed earlier.

Preview Diff

1=== modified file 'serverguide/C/network-auth.xml'
2--- serverguide/C/network-auth.xml 2011-05-03 07:11:18 +0000
3+++ serverguide/C/network-auth.xml 2011-10-04 12:44:23 +0000
4@@ -9,194 +9,427 @@
5 %xinclude;
6 <!ENTITY language "&EnglishAmerican;">
7 ]>
8+
9 <chapter id="network-authentication" status="review">
10 <title>Network Authentication</title>
11
12- <para>
13- This section explains various Network Authentication protocols.
14- </para>
15+ <para>
16+ This section applies LDAP to network authentication.
17+ </para>
18+
19 <sect1 id="openldap-server" status="review">
20- <title>OpenLDAP Server</title>
21- <para>
22- LDAP is an acronym for Lightweight Directory Access Protocol, it is a simplified
23- version of the X.500 protocol. The directory setup in this section will
24- be used for authentication. Nevertheless, LDAP can be
25- used in numerous ways: authentication, shared directory (for mail
26- clients), address book, etc.
27- </para>
28-
29- <para>
30- To describe LDAP quickly, all information is stored in a tree structure. With
31- <application>OpenLDAP</application> you have freedom to determine
32- the directory arborescence (the Directory Information Tree: the DIT) yourself.
33- We will begin with a basic tree containing two nodes below the root:
34- </para>
35-
36- <itemizedlist>
37- <listitem>
38- <para>"People" node where your users will be stored</para>
39- </listitem>
40- <listitem>
41- <para>"Groups" node where your groups will be stored</para>
42- </listitem>
43- </itemizedlist>
44-
45- <para>
46- Before beginning, you should determine what the root of your LDAP directory
47- will be. By default, your tree will be determined by your Fully Qualified
48- Domain Name (FQDN). If your domain is example.com (which we will use in this
49- example), your root node will be dc=example,dc=com.
50+ <title>OpenLDAP Server</title>
51+
52+ <para>
53+ The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying a X.500-based directory service running
54+ over TCP/IP. The current LDAP version is LDAPv3, as defined in <ulink url="http://tools.ietf.org/html/rfc4510">RFC4510</ulink>, and
55+ the LDAP implementation used in Ubuntu is OpenLDAP, currently at version 2.4.25 (Oneiric).
56+ </para>
57+
58+ <para>
59+ So this protocol accesses LDAP directories. Here are some key concepts and terms:
60+ </para>
61+
62+ <itemizedlist>
63+
64+ <listitem>
65+ <para>
66+ A LDAP directory is a tree of data <emphasis>entries</emphasis> that is hierarchical in nature and is called
67+ the Directory Information Tree (DIT).
68+ </para>
69+ </listitem>
70+
71+ <listitem>
72+ <para>
73+ An entry consists of a set of <emphasis>attributes</emphasis>.
74+ </para>
75+ </listitem>
76+
77+ <listitem>
78+ <para>
79+ An attribute has a <emphasis>type</emphasis> (a name/description) and one or more <emphasis>values</emphasis>.
80+ </para>
81+ </listitem>
82+
83+ <listitem>
84+ <para>
85+ Every attribute must be defined in at least one <emphasis>objectClass</emphasis>.
86+ </para>
87+ </listitem>
88+
89+ <listitem>
90+ <para>
91+ Attributes and objectclasses are defined in <emphasis>schemas</emphasis> (an objectclass is actually
92+ considered as a special kind of attribute).
93+ </para>
94+ </listitem>
95+
96+ <listitem>
97+ <para>
98+ Each entry has a unique identifier: it's <emphasis>Distinguished Name</emphasis> (DN or dn). This consists
99+ of it's <emphasis>Relative Distinguished Name</emphasis> (RDN) followed by the parent entry's DN.
100+ </para>
101+ </listitem>
102+
103+ <listitem>
104+ <para>
105+ The entry's DN is not an attribute. It is not considered part of the entry itself.
106+ </para>
107+ </listitem>
108+
109+ </itemizedlist>
110+
111+ <note>
112+ <para>
113+ The terms <emphasis>object</emphasis>, <emphasis>container</emphasis>, and <emphasis>node</emphasis> have certain
114+ connotations but they all essentially mean the same thing as <emphasis>entry</emphasis>, the technically correct term.
115+ </para>
116+ </note>
117+
118+ <para>
119+ For example, below we have a single entry consisting of 11 attributes. It's DN is "cn=John Doe,dc=example,dc=com"; it's RDN is "cn=John Doe";
120+ and it's parent DN is "dc=example,dc=com".
121+ </para>
122+
123+<programlisting>
124+ dn: cn=John Doe,dc=example,dc=com
125+ cn: John Doe
126+ givenName: John
127+ sn: Doe
128+ telephoneNumber: +1 888 555 6789
129+ telephoneNumber: +1 888 555 1232
130+ mail: john@example.com
131+ manager: cn=Larry Smith,dc=example,dc=com
132+ objectClass: inetOrgPerson
133+ objectClass: organizationalPerson
134+ objectClass: person
135+ objectClass: top
136+</programlisting>
137+
138+ <para>
139+ The above entry is in <emphasis>LDIF</emphasis> format (LDAP Data Interchange Format). Any information that you feed
140+ into your DIT must also be in such a format. It is defined in <ulink url="http://tools.ietf.org/html/rfc2849">RFC2849</ulink>.
141+ </para>
142+
143+ <para>
144+ Although this guide will describe how to use it for central authentication, LDAP is good for anything that involves a large number
145+ of access requests to a mostly-read, attribute-based (name:value) backend. Examples include an address book, a list of email addresses,
146+ and a mail server's configuration.
147 </para>
148
149- <sect2 id="openldap-server-installation" status="review">
150+ <sect2 id="openldap-server-installation" status="review">
151 <title>Installation</title>
152
153 <para>
154- First, install the <application>OpenLDAP</application> server daemon
155- <application>slapd</application> and <application>ldap-utils</application>,
156- a package containing LDAP management utilities:
157- </para>
158+ Install the OpenLDAP server daemon and the traditional LDAP management utilities. These are found in packages <application>slapd</application>
159+ and <application>ldap-utils</application> respectively.
160+ </para>
161+
162+ <para>
163+ The installation of slapd will create a working configuration. In particular, it will create a database instance that you
164+ can use to store your data. However, the suffix (or base DN) of this instance will be determined from the domain name of the localhost.
165+ If you want something different, edit <filename>/etc/hosts</filename> and replace the domain name with one that will give you the
166+ suffix you desire. For instance, if you want a suffix of <emphasis>dc=example,dc=com</emphasis> then your file would have a line
167+ similar to this:
168+ </para>
169+
170+<programlisting>
171+127.0.1.1 hostname.example.com hostname
172+</programlisting>
173+
174+ <para>
175+ You can revert the change after package installation.
176+ </para>
177+
178+ <note>
179+ <para>
180+ This guide will use a database suffix of <emphasis>dc=example,dc=com</emphasis>.
181+ </para>
182+ </note>
183+
184+ <para>
185+ Proceed with the install:
186+ </para>
187+
188 <screen>
189 <command>sudo apt-get install slapd ldap-utils</command>
190 </screen>
191-
192- <para>
193- By default <application>slapd</application> is configured with minimal options needed
194- to run the <application>slapd</application> daemon.
195- </para>
196-
197- <para>
198- The configuration example in the following sections will match the domain name of the server.
199- For example, if the machine's Fully Qualified Domain Name (FQDN) is
200- ldap.example.com, the default suffix will be <emphasis>dc=example,dc=com</emphasis>.
201- </para>
202-
203- </sect2>
204- <sect2 id="openldap-server-populate" status="review">
205- <title>Populating LDAP</title>
206-
207- <para>
208- <application>OpenLDAP</application> uses a separate directory which contains the
209- <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The
210- <emphasis>cn=config</emphasis> DIT is used to dynamically configure the
211- <application>slapd</application> daemon, allowing the modification of schema
212- definitions, indexes, ACLs, etc without stopping the service.
213- </para>
214-
215- <para>
216- The backend <emphasis>cn=config</emphasis> directory has only a minimal configuration and will
217- need additional configuration options in order to populate the frontend directory. The frontend will be populated
218- with a "classical" scheme that will be compatible with address book applications and with Unix Posix
219- accounts. Posix accounts will allow authentication to various applications, such as web
220- applications, email Mail Transfer Agent (MTA) applications, etc.
221- </para>
222-
223- <note>
224- <para>
225- For external applications to authenticate using LDAP they will each need to be
226- specifically configured to do so. Refer to the individual application
227- documentation for details.
228- </para>
229- </note>
230-
231- <note>
232- <para>
233- Remember to change <emphasis>dc=example,dc=com</emphasis> in the following examples to match your LDAP configuration.
234- </para>
235- </note>
236-
237- <para>
238- First, some additional schema files need to be loaded. In a terminal enter:
239- </para>
240-
241-<screen>
242-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif</command>
243-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif</command>
244-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif</command>
245-</screen>
246-
247- <para>
248- Next, copy the following example LDIF file, naming it
249- <filename>backend.example.com.ldif</filename>, somewhere on your system:
250- </para>
251-
252-<programlisting>
253-# Load dynamic backend modules
254-dn: cn=module,cn=config
255-objectClass: olcModuleList
256-cn: module
257-olcModulepath: /usr/lib/ldap
258-olcModuleload: back_hdb.la
259-
260-# Database settings
261-dn: olcDatabase=hdb,cn=config
262-objectClass: olcDatabaseConfig
263-objectClass: olcHdbConfig
264-olcDatabase: {1}hdb
265-olcSuffix: dc=example,dc=com
266-olcDbDirectory: /var/lib/ldap
267-olcRootDN: cn=admin,dc=example,dc=com
268-olcRootPW: secret
269-olcDbConfig: set_cachesize 0 2097152 0
270-olcDbConfig: set_lk_max_objects 1500
271-olcDbConfig: set_lk_max_locks 1500
272-olcDbConfig: set_lk_max_lockers 1500
273-olcDbIndex: objectClass eq
274-olcLastMod: TRUE
275-olcDbCheckpoint: 512 30
276-olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
277-olcAccess: to attrs=shadowLastChange by self write by * read
278-olcAccess: to dn.base="" by * read
279-olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
280-
281-</programlisting>
282-
283- <note>
284- <para>
285- Change <emphasis>olcRootPW: secret</emphasis> to a password of your choosing.
286- </para>
287- </note>
288-
289- <para>
290- Now add the LDIF to the directory:
291- </para>
292-
293-<screen>
294-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif</command>
295-</screen>
296-
297- <para>
298- The frontend directory is now ready to be populated. Create a <filename>frontend.example.com.ldif</filename>
299- with the following contents:
300- </para>
301-
302-<programlisting>
303-# Create top-level object in domain
304+
305+ <para>
306+ Since Ubuntu 8.10 slapd is designed to be configured within slapd itself by dedicating a separate DIT for that purpose. This allows one
307+ to dynamically configure slapd without the need to restart the service. This configuration database consists of a collection of text-based
308+ LDIF files located under <filename>/etc/ldap/slapd.d</filename>. This way of working is known by several names: the slapd-config method,
309+ the RTC method (Real Time Configuration), or the cn=config method. You can still use the traditional flat-file method (slapd.conf) but it's
310+ not recommended; the functionality will be eventually phased out.
311+ </para>
312+
313+ <note>
314+ <para>
315+ Ubuntu now uses the <emphasis>slapd-config</emphasis> method for slapd configuration and this
316+ guide reflects that.
317+ </para>
318+ </note>
319+
320+ <para>
321+ During the install you were prompted to define administrative credentials. These are LDAP-based credentials for the <emphasis>rootDN</emphasis>
322+ of your database instance. By default, this user's DN is <emphasis>cn=admin,dc=example,dc=com</emphasis>. Also by default, there is no
323+ administrative account created for the slapd-config database and you will therefore need to authenticate externally to LDAP in order to access it.
324+ We will see how to do this later on.
325+ </para>
326+
327+ <para>
328+ Some classical schemas (cosine, nis, inetorgperson) come built-in with slapd nowadays. There is also an included "core" schema, a pre-requisite
329+ for any schema to work.
330+ </para>
331+
332+ </sect2>
333+
334+ <sect2 id="openldap-server-postinstall" status="review">
335+ <title>Post-install Inspection</title>
336+
337+ <para>
338+ The installation process set up 2 DITs. One for slapd-config and one for your own data (dc=example,dc=com). Let's take a look.
339+ </para>
340+
341+ <itemizedlist>
342+
343+ <listitem>
344+ <para>
345+ This is what the slapd-config database/DIT looks like. Recall that this database is
346+ LDIF-based and lives under <filename>/etc/ldap/slapd.d</filename>:
347+ </para>
348+
349+<screen>
350+<computeroutput>
351+ /etc/ldap/slapd.d/
352+
353+ ├── cn=config
354+ │ ├── cn=module{0}.ldif
355+ │ ├── cn=schema
356+ │ │ ├── cn={0}core.ldif
357+ │ │ ├── cn={1}cosine.ldif
358+ │ │ ├── cn={2}nis.ldif
359+ │ │ └── cn={3}inetorgperson.ldif
360+ │ ├── cn=schema.ldif
361+ │ ├── olcBackend={0}hdb.ldif
362+ │ ├── olcDatabase={0}config.ldif
363+ │ ├── olcDatabase={-1}frontend.ldif
364+ │ └── olcDatabase={1}hdb.ldif
365+ └── cn=config.ldif
366+</computeroutput>
367+</screen>
368+
369+ <note>
370+ <para>
371+ Do not edit the slapd-config database directly. Make changes via the LDAP protocol (utilities).
372+ </para>
373+ </note>
374+
375+ </listitem>
376+
377+ <listitem>
378+ <para>
379+ This is what the slapd-config DIT looks like via the LDAP protocol:
380+ </para>
381+
382+<screen>
383+<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn</command>
384+<computeroutput>
385+dn: cn=config
386+
387+dn: cn=module{0},cn=config
388+
389+dn: cn=schema,cn=config
390+
391+dn: cn={0}core,cn=schema,cn=config
392+
393+dn: cn={1}cosine,cn=schema,cn=config
394+
395+dn: cn={2}nis,cn=schema,cn=config
396+
397+dn: cn={3}inetorgperson,cn=schema,cn=config
398+
399+dn: olcBackend={0}hdb,cn=config
400+
401+dn: olcDatabase={-1}frontend,cn=config
402+
403+dn: olcDatabase={0}config,cn=config
404+
405+dn: olcDatabase={1}hdb,cn=config
406+</computeroutput>
407+</screen>
408+
409+ <para>
410+ Explanation of entries:
411+ </para>
412+
413+ <itemizedlist>
414+
415+ <listitem>
416+ <para>
417+ <emphasis>cn=config</emphasis>: global settings
418+ </para>
419+ </listitem>
420+
421+ <listitem>
422+ <para>
423+ <emphasis>cn=module{0},cn=config</emphasis>: a dynamically loaded module
424+ </para>
425+ </listitem>
426+
427+ <listitem>
428+ <para>
429+ <emphasis>cn=schema,cn=config</emphasis>: contains hard-coded system-level schema
430+ </para>
431+ </listitem>
432+
433+ <listitem>
434+ <para>
435+ <emphasis>cn={0}core,cn=schema,cn=config</emphasis>: the hard-coded core schema
436+ </para>
437+ </listitem>
438+
439+ <listitem>
440+ <para>
441+ <emphasis>cn={1}cosine,cn=schema,cn=config</emphasis>: the cosine schema
442+ </para>
443+ </listitem>
444+
445+ <listitem>
446+ <para>
447+ <emphasis>cn={2}nis,cn=schema,cn=config</emphasis>: the nis schema
448+ </para>
449+ </listitem>
450+
451+ <listitem>
452+ <para>
453+ <emphasis>cn={3}inetorgperson,cn=schema,cn=config</emphasis>: the inetorgperson schema
454+ </para>
455+ </listitem>
456+
457+ <listitem>
458+ <para>
459+ <emphasis>olcBackend={0}hdb,cn=config</emphasis>: the 'hdb' backend storage type
460+ </para>
461+ </listitem>
462+
463+ <listitem>
464+ <para>
465+ <emphasis>olcDatabase={-1}frontend,cn=config</emphasis>: frontend database, default settings for other databases
466+ </para>
467+ </listitem>
468+
469+ <listitem>
470+ <para>
471+ <emphasis>olcDatabase={0}config,cn=config</emphasis>: slapd configuration database (cn=config)
472+ </para>
473+ </listitem>
474+
475+ <listitem>
476+ <para>
477+ <emphasis>olcDatabase={1}hdb,cn=config</emphasis>: your database instance (dc=examle,dc=com)
478+ </para>
479+ </listitem>
480+
481+ </itemizedlist>
482+
483+ </listitem>
484+
485+ <listitem>
486+
487+ <para>
488+ This is what the dc=example,dc=com DIT looks like:
489+ </para>
490+
491+<screen>
492+<command>ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn</command>
493+<computeroutput>
494 dn: dc=example,dc=com
495-objectClass: top
496-objectClass: dcObject
497-objectclass: organization
498-o: Example Organization
499-dc: Example
500-description: LDAP Example
501
502-# Admin user.
503 dn: cn=admin,dc=example,dc=com
504-objectClass: simpleSecurityObject
505-objectClass: organizationalRole
506-cn: admin
507-description: LDAP administrator
508-userPassword: secret
509-
510-dn: ou=people,dc=example,dc=com
511-objectClass: organizationalUnit
512-ou: people
513-
514-dn: ou=groups,dc=example,dc=com
515-objectClass: organizationalUnit
516-ou: groups
517-
518-dn: uid=john,ou=people,dc=example,dc=com
519+</computeroutput>
520+</screen>
521+
522+ <para>
523+ Explanation of entries:
524+ </para>
525+
526+ <itemizedlist>
527+
528+ <listitem>
529+ <para>
530+ <emphasis>dc=example,dc=com</emphasis>: base of the DIT
531+ </para>
532+ </listitem>
533+
534+ <listitem>
535+ <para>
536+ <emphasis>cn=admin,dc=example,dc=com</emphasis>: administrator (rootDN) for this DIT (set up during package install)
537+ </para>
538+ </listitem>
539+
540+ </itemizedlist>
541+
542+ </listitem>
543+
544+ </itemizedlist>
545+
546+ </sect2>
547+
548+ <sect2 id="openldap-server-populate" status="review">
549+ <title>Modifying/Populating your Database</title>
550+
551+ <para>
552+ Let's introduce some content to our database. We will add the following:
553+ </para>
554+
555+ <itemizedlist>
556+
557+ <listitem>
558+ <para>
559+ a node called <emphasis>People</emphasis> (to store users)
560+ </para>
561+ </listitem>
562+
563+ <listitem>
564+ <para>
565+ a node called <emphasis>Groups</emphasis> (to store groups)
566+ </para>
567+ </listitem>
568+
569+ <listitem>
570+ <para>
571+ a group called <emphasis>miners</emphasis>
572+ </para>
573+ </listitem>
574+
575+ <listitem>
576+ <para>
577+ a user called <emphasis>john</emphasis>
578+ </para>
579+ </listitem>
580+
581+ </itemizedlist>
582+
583+ <para>
584+ Create the following LDIF file and call it <filename>add_content.ldif</filename>:
585+ </para>
586+
587+<programlisting>
588+dn: ou=People,dc=example,dc=com
589+objectClass: organizationalUnit
590+ou: People
591+
592+dn: ou=Groups,dc=example,dc=com
593+objectClass: organizationalUnit
594+ou: Groups
595+
596+dn: cn=miners,ou=Groups,dc=example,dc=com
597+objectClass: posixGroup
598+cn: miners
599+gidNumber: 5000
600+
601+dn: uid=john,ou=People,dc=example,dc=com
602 objectClass: inetOrgPerson
603 objectClass: posixAccount
604 objectClass: shadowAccount
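Review bot: this hunk removes the only access-control discussion the chapter had (the old `backend.example.com.ldif` carried lines such as `olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none`), and the new Installation and Post-install Inspection text never tells the reader which ACL now protects `userPassword` in the packaged default. Since the new section already queries cn=config with `sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config ...`, add the same query for the `olcAccess` attribute of `olcDatabase={1}hdb,cn=config` so readers can confirm that anonymous binds can only `auth` against `userPassword` (not read it) before they start loading accounts. Smaller fixes in the same hunk: `dc=examle,dc=com` in the explanation of `olcDatabase={1}hdb,cn=config`; "It's DN", "it's RDN", "it's parent DN" and "it's Distinguished Name" should all be "its"; the sentence "So this protocol accesses LDAP directories." only restates the previous paragraph; and "Every attribute must be defined in at least one objectClass" is backwards: attribute types are defined in the schema on their own, and an objectClass lists which attributes an entry must or may carry.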
605@@ -205,173 +438,99 @@
606 givenName: John
607 cn: John Doe
608 displayName: John Doe
609-uidNumber: 1000
610-gidNumber: 10000
611-userPassword: password
612+uidNumber: 10000
613+gidNumber: 5000
614+userPassword: johnldap
615 gecos: John Doe
616 loginShell: /bin/bash
617 homeDirectory: /home/john
618-shadowExpire: -1
619-shadowFlag: 0
620-shadowWarning: 7
621-shadowMin: 8
622-shadowMax: 999999
623-shadowLastChange: 10877
624-mail: john.doe@example.com
625-postalCode: 31000
626-l: Toulouse
627-o: Example
628-mobile: +33 (0)6 xx xx xx xx
629-homePhone: +33 (0)5 xx xx xx xx
630-title: System Administrator
631-postalAddress:
632-initials: JD
633-
634-dn: cn=example,ou=groups,dc=example,dc=com
635-objectClass: posixGroup
636-cn: example
637-gidNumber: 10000
638 </programlisting>
639
640- <para>
641- In this example the directory structure, a user, and a
642- group have been setup. In other examples you might see the
643- <emphasis>objectClass: top</emphasis> added in every entry, but that is the
644- default behaviour so you do not have to add it explicitly.
645- </para>
646-
647- <para>
648- Add the entries to the LDAP directory:
649- </para>
650-
651-
652+ <note>
653+ <para>
654+ It's important that uid and gid values in your directory do not collide with local values. Use high number ranges.
655+ </para>
656+ </note>
657+
658+ <para>
659+ Add the content:
660+ </para>
661+
662 <screen>
663-<command>sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif</command>
664+<command>ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif</command>
665+<computeroutput>
666+Enter LDAP Password: <application>********</application>
667+adding new entry "ou=People,dc=example,dc=com"
668+
669+adding new entry "ou=Groups,dc=example,dc=com"
670+
671+adding new entry "cn=miners,ou=Groups,dc=example,dc=com"
672+
673+adding new entry "uid=john,ou=People,dc=example,dc=com"
674+</computeroutput>
675 </screen>
676
677 <para>
678- We can check that the content has been correctly added with the
679- <application>ldapsearch</application> utility. Execute a search of the LDAP directory:
680+ We can check that the information has been correctly added with the <application>ldapsearch</application> utility:
681 </para>
682
683 <screen>
684-<command>ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn</command>
685+<command>ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber</command>
686 <computeroutput>
687-dn: uid=john,ou=people,dc=example,dc=com
688+dn: uid=john,ou=People,dc=example,dc=com
689 cn: John Doe
690-sn: Doe
691-givenName: John
692+gidNumber: 5000
693 </computeroutput>
694 </screen>
695
696 <para>
697- Just a quick explanation:
698+ Explanation of switches:
699 </para>
700
701 <itemizedlist>
702- <listitem>
703- <para>
704- <emphasis>-x:</emphasis> will not use SASL authentication
705- method, which is the default.
706- </para>
707- </listitem>
708- <listitem>
709- <para>
710- <emphasis>-LLL:</emphasis> disable printing LDIF schema information.
711- </para>
712- </listitem>
713+
714+ <listitem>
715+ <para>
716+ <emphasis>-x:</emphasis> "simple" binding; will not use the default SASL method
717+ </para>
718+ </listitem>
719+
720+ <listitem>
721+ <para>
722+ <emphasis>-LLL:</emphasis> disable printing extraneous information
723+ </para>
724+ </listitem>
725+
726+ <listitem>
727+ <para>
728+ <emphasis>uid=john:</emphasis> a "filter" to find the john user
729+ </para>
730+ </listitem>
731+
732+ <listitem>
733+ <para>
734+ <emphasis>cn gidNumber:</emphasis> requests certain attributes to be displayed (the default is to show all attributes)
735+ </para>
736+ </listitem>
737+
738 </itemizedlist>
739
740- </sect2>
741- <sect2 id="openldap-configuration" status="review">
742- <title>Further Configuration</title>
743-
744-
745- <para>
746- The <emphasis>cn=config</emphasis> tree can be manipulated using the utilities in the
747- <application>ldap-utils</application> package. For example:
748- </para>
749-
750- <itemizedlist>
751- <listitem>
752-
753- <para>
754- Use <application>ldapsearch</application> to view the tree, entering the admin
755- password set during installation or reconfiguration:
756- </para>
757-
758-<screen>
759-<command>sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn</command>
760-</screen>
761-
762-<screen>
763-<computeroutput>
764-SASL/EXTERNAL authentication started
765-SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
766-SASL SSF: 0
767-dn: cn=config
768-
769-dn: cn=module{0},cn=config
770-
771-dn: cn=schema,cn=config
772-
773-dn: cn={0}core,cn=schema,cn=config
774-
775-dn: cn={1}cosine,cn=schema,cn=config
776-
777-dn: cn={2}nis,cn=schema,cn=config
778-
779-dn: cn={3}inetorgperson,cn=schema,cn=config
780-
781-dn: olcDatabase={-1}frontend,cn=config
782-
783-dn: olcDatabase={0}config,cn=config
784-
785-dn: olcDatabase={1}hdb,cn=config
786-</computeroutput>
787-</screen>
788-
789- <para>
790- The output above is the current configuration options for the <emphasis>cn=config</emphasis>
791- backend database. Your output may be vary.
792- </para>
793-
794- </listitem>
795- <listitem>
796-
797- <para>
798- As an example of modifying the <emphasis>cn=config</emphasis> tree, add another attribute
799- to the index list using <application>ldapmodify</application>:
800- </para>
801-
802-<screen>
803-<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>
804-</screen>
805-
806-<screen>
807-<computeroutput>
808-SASL/EXTERNAL authentication started
809-SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
810-SASL SSF: 0
811-<userinput>dn: olcDatabase={1}hdb,cn=config
812-add: olcDbIndex
813-olcDbIndex: uidNumber eq</userinput>
814-
815-modifying entry "olcDatabase={1}hdb,cn=config"
816-</computeroutput>
817-</screen>
818-
819- <para>
820- Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to exit the utility.
821- </para>
822-
823- </listitem>
824- <listitem>
825-
826- <para>
827- <application>ldapmodify</application> can also read the changes from a file. Copy and paste
828- the following into a file named <filename>uid_index.ldif</filename>:
829- </para>
830+ </sect2>
831+
832+ <sect2 id="openldap-configuration" status="review">
833+ <title>Modifying the slapd Configuration Database</title>
834+
835+ <para>
836+ The slapd-config DIT can also be queried and modified. Here are a few examples.
837+ </para>
838+
839+ <itemizedlist>
840+
841+ <listitem>
842+ <para>
843+ Use <application>ldapmodify</application> to add an "Index" (DbIndex attribute) to your <application>{1}hdb,cn=config</application>
844+ database (dc=example,dc=com). Create a file, call it <filename>uid_index.ldif</filename>, with the following contents:
845+ </para>
846
847 <programlisting>
848 dn: olcDatabase={1}hdb,cn=config
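Review bot: `add_content.ldif` stores `userPassword: johnldap` as a cleartext value and slapd keeps it exactly as given, so the user's password ends up unhashed in the database and the LDIF file with the cleartext password stays on disk after the import. Either generate the value with `slappasswd` and paste the resulting `{SSHA}...` string into the LDIF, or at least tell the reader to delete or restrict the file afterwards. Related: `ldapadd -x -D cn=admin,dc=example,dc=com -W` is a simple bind that sends the rootDN password in the clear; that is acceptable against `ldap:///` on the same host, but readers who copy the command with `-H ldap://someserver` need TLS first, and a one-line caveat here would prevent that. Markup nit: the masked password in the example output is wrapped in `<application>********</application>`; `<userinput>` or plain text fits better.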
849@@ -379,44 +538,55 @@
850 olcDbIndex: uid eq,pres,sub
851 </programlisting>
852
853- <para>
854- Then execute <application>ldapmodify</application>:
855- </para>
856-
857-<screen>
858-<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif</command>
859-</screen>
860-
861-<screen>
862+ <para>
863+ Then issue the command:
864+ </para>
865+
866+<screen>
867+<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif</command>
868 <computeroutput>
869-SASL/EXTERNAL authentication started
870-SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
871-SASL SSF: 0
872 modifying entry "olcDatabase={1}hdb,cn=config"
873 </computeroutput>
874 </screen>
875
876- <para>
877- The file method is very useful for large changes.
878- </para>
879-
880- </listitem>
881- <listitem>
882-
883- <para>
884- Adding additional <emphasis>schemas</emphasis> to <application>slapd</application> requires the
885- schema to be converted to LDIF format. The <filename role="directory">/etc/ldap/schema</filename>
886- directory contains some schema files already converted to LDIF format as demonstrated in the previous section.
887- Fortunately, the <application>slapd</application> program can be used to automate the conversion.
888- The following example will add the <emphasis>dyngroup.schema</emphasis>:
889- </para>
890-
891- <procedure>
892- <step>
893- <para>
894- First, create a conversion <filename>schema_convert.conf</filename> file containing the
895- following lines:
896- </para>
897+ <para>
898+ You can confirm the change in this way:
899+ </para>
900+
901+<screen>
902+<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex</command>
903+<computeroutput>
904+dn: olcDatabase={1}hdb,cn=config
905+olcDbIndex: objectClass eq
906+olcDbIndex: uid eq,pres,sub
907+</computeroutput>
908+</screen>
909+
910+ </listitem>
911+
912+ <listitem>
913+ <para>
914+ Let's add a schema. It will first need to be converted to LDIF format. You can find unconverted
915+ schemas in addition to converted ones in the <filename role="directory">/etc/ldap/schema</filename> directory.
916+ </para>
917+
918+ <note>
919+ <para>
920+ It is not trivial to remove a schema from the slapd-config database. Practice adding schemas on a test system.
921+ </para>
922+ </note>
923+
924+ <para>
925+ In the following example we'll add the CORBA schema.
926+ </para>
927+
928+ <procedure>
929+
930+ <step>
931+ <para>
932+ Create the conversion configuration file <filename>schema_convert.conf</filename> containing the
933+ following lines:
934+ </para>
935
936 <programlisting>
937 include /etc/ldap/schema/core.schema
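Review bot: the rewritten `ldapmodify` and `ldapsearch` commands add `-Q` and drop the `SASL/EXTERNAL authentication started` / `SASL username: gidNumber=0+uidNumber=0,...` lines from the expected output, but nothing explains the flag. The previous section has an "Explanation of switches" list for `-x` and `-LLL`; extend it (or add a note here) stating that `-Q` is SASL quiet mode, which is why those banner lines no longer appear, and that `-Y EXTERNAL -H ldapi:///` authenticates through the local Unix socket as the calling user, which is why these commands need `sudo` while the `dc=example,dc=com` queries do not. Without that, readers will not understand why `sudo` is required for cn=config but is dropped from the `ldapadd`/`ldapsearch` calls against their own database.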
938@@ -431,136 +601,229 @@
939 include /etc/ldap/schema/nis.schema
940 include /etc/ldap/schema/openldap.schema
941 include /etc/ldap/schema/ppolicy.schema
942+include /etc/ldap/schema/ldapns.schema
943+include /etc/ldap/schema/pmi.schema
944 </programlisting>
945
946- </step>
947- <step>
948-
949- <para>
950- Next, create a temporary directory to hold the output:
951- </para>
952-
953-<screen>
954-<command>mkdir /tmp/ldif_output</command>
955-</screen>
956-
957- </step>
958- <step>
959-
960- <para>
961- Now using <application>slapcat</application> convert the schema files to LDIF:
962- </para>
963-
964-<screen>
965-<command>slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={5}dyngroup,cn=schema,cn=config" > /tmp/cn=dyngroup.ldif</command>
966-</screen>
967-
968- <para>
969- Adjust the configuration file name and temporary directory names if yours are different.
970- It may be worthwhile to keep the <filename>ldif_output</filename> directory around
971- in case you want to add additional schemas in the future.
972- </para>
973-
974- <note>
975- <para>
976- The <emphasis>"cn={5}"</emphasis> index number may change according to the configuration
977- ordering. To find out the correct number execute the following:
978- </para>
979-<screen>
980-<command>slapcat -f schema_convert.conf -F /tmp/ldif_output -n 0 | grep dyngroup</command>
981-</screen>
982- <para>
983- Replace <emphasis>dyngroup</emphasis> with the appropriate schema name.
984- </para>
985- </note>
986-
987- </step>
988- <step>
989-
990- <para>
991- Edit the <filename>/tmp/cn\=dyngroup.ldif</filename> file, changing the following attributes:
992- </para>
993+ </step>
994+
995+ <step>
996+ <para>
997+ Create the output directory <filename>ldif_output</filename>.
998+ </para>
999+ </step>
1000+
1001+ <step>
1002+ <para>
1003+ Determine the index of the schema:
1004+ </para>
1005+
1006+<screen>
1007+<command>slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema</command>
1008+<computeroutput>
1009+cn={1}corba,cn=schema,cn=config
1010+</computeroutput>
1011+</screen>
1012+
1013+ <note>
1014+ <para>
1015+ When slapd injests objects with the same parent DN it will create an <emphasis>index</emphasis> for that object.
1016+ An index is contained within braces: <application>{X}</application>.
1017+ </para>
1018+ </note>
1019+
1020+ </step>
1021+
1022+ <step>
1023+ <para>
1024+ Use <application>slapcat</application> to perform the conversion:
1025+ </para>
1026+
1027+<screen>
1028+<command>slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif</command>
1029+</screen>
1030+
1031+ <para>
1032+ The converted schema is now in <filename>cn=corba.ldif</filename>
1033+ </para>
1034+ </step>
1035+
1036+ <step>
1037+ <para>
1038+ Edit <filename>cn=corba.ldif</filename> to arrive at the following attributes:
1039+ </para>
1040
1041 <programlisting>
1042-dn: cn=dyngroup,cn=schema,cn=config
1043+dn: cn=corba,cn=schema,cn=config
1044 ...
1045-cn: dyngroup
1046+cn: corba
1047 </programlisting>
1048
1049- <para>
1050- And remove the following lines from the bottom of the file:
1051- </para>
1052+ <para>
1053+ Also remove the following lines from the bottom:
1054+ </para>
1055
1056 <programlisting>
1057 structuralObjectClass: olcSchemaConfig
1058-entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
1059+entryUUID: 52109a02-66ab-1030-8be2-bbf166230478
1060 creatorsName: cn=config
1061-createTimestamp: 20080826021140Z
1062-entryCSN: 20080826021140.791425Z#000000#000#000000
1063+createTimestamp: 20110829165435Z
1064+entryCSN: 20110829165435.935248Z#000000#000#000000
1065 modifiersName: cn=config
1066-modifyTimestamp: 20080826021140Z
1067-</programlisting>
1068-
1069- <note>
1070- <para>
1071- The attribute values will vary, just be sure the attributes are removed.
1072- </para>
1073- </note>
1074-
1075- </step>
1076- <step>
1077-
1078- <para>
1079- Finally, using the <application>ldapadd</application> utility, add the new schema to the
1080- directory:
1081- </para>
1082-
1083-<screen>
1084-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=dyngroup.ldif</command>
1085-</screen>
1086-
1087- </step>
1088- </procedure>
1089-
1090- <para>
1091- There should now be a <emphasis>dn: cn={4}dyngroup,cn=schema,cn=config</emphasis> entry in the cn=config tree.
1092- </para>
1093-
1094- </listitem>
1095- </itemizedlist>
1096-
1097- </sect2>
1098-
1099- <sect2 id="openldap-server-replication" status="review">
1100- <title>LDAP Replication</title>
1101-
1102- <para>
1103- LDAP often quickly becomes a highly critical service to the network. Multiple systems
1104- will come to depend on LDAP for authentication, authorization, configuration, etc. It is a good idea to
1105- setup a redundant system through replication.
1106+modifyTimestamp: 20110829165435Z
1107+</programlisting>
1108+
1109+ <para>
1110+ Your attribute values will vary.
1111+ </para>
1112+ </step>
1113+
1114+ <step>
1115+ <para>
1116+ Finally, use <application>ldapadd</application> to add the new schema to the slapd-config DIT:
1117+ </para>
1118+
1119+<screen>
1120+<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=corba.ldif</command>
1121+<computeroutput>
1122+adding new entry "cn=corba,cn=schema,cn=config"
1123+</computeroutput>
1124+</screen>
1125+
1126+ </step>
1127+
1128+ <step>
1129+ <para>
1130+ Confirm currently loaded schemas:
1131+ </para>
1132+
1133+<screen>
1134+<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn</command>
1135+<computeroutput>
1136+dn: cn=schema,cn=config
1137+
1138+dn: cn={0}core,cn=schema,cn=config
1139+
1140+dn: cn={1}cosine,cn=schema,cn=config
1141+
1142+dn: cn={2}nis,cn=schema,cn=config
1143+
1144+dn: cn={3}inetorgperson,cn=schema,cn=config
1145+
1146+dn: cn={4}corba,cn=schema,cn=config
1147+</computeroutput>
1148+</screen>
1149+
1150+ </step>
1151+
1152+ </procedure>
1153+
1154+ </listitem>
1155+
1156+ </itemizedlist>
1157+
1158+ <note>
1159+ <para>
1160+ For external applications and clients to authenticate using LDAP they will each need to be specifically
1161+ configured to do so. Refer to the appropriate client-side documentation for details.
1162+ </para>
1163+ </note>
1164+
1165+ </sect2>
1166+
1167+ <sect2 id="openldap-server-logging" status="review">
1168+ <title>Logging</title>
1169+
1170+ <para>
1171+ Activity logging for slapd is indispensible when implementing an OpenLDAP-based solution yet it must be manually enabled after
1172+ software installation. Otherwise, only rudimentary messages will appear in the logs. Logging, like any other slapd configuration,
1173+ is enabled via the slapd-config database.
1174+ </para>
1175+
1176+ <para>
1177+ OpenLDAP comes with multiple logging subsystems (levels) with each one containing the lower one (additive). A good level to
1178+ try is <emphasis>stats</emphasis>. The <ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html">slapd-config</ulink>
1179+ man page has more to say on the different subsystems.
1180+ </para>
1181+
1182+ <para>
1183+ Create the file <filename>logging.ldif</filename> with the following contents:
1184+ </para>
1185+
1186+<programlisting>
1187+dn: cn=config
1188+changetype: modify
1189+add: olcLogLevel
1190+olcLogLevel: stats
1191+</programlisting>
1192+
1193+ <para>
1194+ Implement the change:
1195+ </para>
1196+
1197+<screen>
1198+<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif</command>
1199+</screen>
1200+
1201+ <para>
1202+ This will produce a significant amount of logging and you will want to throttle back to a less verbose level once your system
1203+ is in production. While in this verbose mode your host's syslog engine (rsyslog) may have a hard time keeping up and may drop
1204+ messages:
1205+ </para>
1206+
1207+<programlisting>
1208+rsyslogd-2177: imuxsock lost 228 messages from pid 2547 due to rate-limiting
1209+</programlisting>
1210+
1211+ <para>
1212+ You may consider a change to rsyslog's configuration. In <filename>/etc/rsyslog.conf</filename>, put:
1213+ </para>
1214+
1215+<programlisting>
1216+# Disable rate limiting (default is 200 messages in 5 seconds; below we make the 5 become 0)
1217+$SystemLogRateLimitInterval 0
1218+</programlisting>
1219+
1220+ <para>
1221+ And then restart the rsyslog daemon:
1222+ </para>
1223+
1224+<screen>
1225+<command>sudo service rsyslog restart</command>
1226+</screen>
1227+
1228+ </sect2>
1229+
1230+ <sect2 id="openldap-server-replication" status="review">
1231+ <title>Replication</title>
1232+
1233+ <para>
1234+ The LDAP service becomes increasingly important as more networked systems begin to depend on it. In such an environment,
1235+ it is standard practice to build redundancy (high availability) into LDAP to prevent havoc should the LDAP server become
1236+ unresponsive. This is done through <emphasis>LDAP replication</emphasis>.
1237 </para>
1238
1239 <para>
1240- Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. Syncrepl allows the
1241- changes to be synced using a <emphasis>consumer</emphasis>, <emphasis>provider</emphasis> model.
1242- A provider sends directory changes to consumers.
1243- </para>
1244-
1245- <sect3 id="openldap-provider-configuration" status="review">
1246- <title>Provider Configuration</title>
1247-
1248- <para>
1249- The following is an example of a <emphasis>Single-Master</emphasis> configuration. In this configuration one
1250- OpenLDAP server is configured as a <emphasis>provider</emphasis> and another as a <emphasis>consumer</emphasis>.
1251- </para>
1252+ Replication is achieved via the <emphasis>Syncrepl</emphasis> engine. This allows changes to be synchronized using a
1253+ <emphasis>Consumer</emphasis> - <emphasis>Provider</emphasis> model. The specific kind of replication we will implement
1254+ in this guide is a combination of the following modes: <emphasis>refreshAndPersist</emphasis> and <emphasis>delta-syncrepl</emphasis>.
1255+ This has the Provider push changed entries to the Consumer as soon as they're made but, in addition, only actual changes will
1256+ be sent, not entire entries.
1257+ </para>
1258+
1259+ <sect3 id="openldap-provider-configuration" status="review">
1260+ <title>Provider Configuration</title>
1261+
1262+ <para>
1263+ Begin by configuring the <emphasis>Provider</emphasis>.
1264+ </para>
1265
1266 <procedure>
1267- <step>
1268-
1269- <para>
1270- First, configure the provider server. Copy the following to a
1271- file named <filename>provider_sync.ldif</filename>:
1272- </para>
1273+
1274+ <step>
1275+ <para>
1276+ Create an LDIF file with the following contents and name it <filename>provider_sync.ldif</filename>:
1277+ </para>
1278
1279 <programlisting>
1280 # Add indexes to the frontend db.
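Review bot: the Logging paragraph says each logging subsystem "contains the lower one (additive)", which is not how olcLogLevel works: per slapd-config(5) the levels are independent subsystem flags that are ORed together (e.g. `olcLogLevel: stats sync`), so reword to say that several levels can be combined rather than that they nest. Two smaller points in the same hunk: the "Create the output directory ldif_output" step is the only step without a command (add `mkdir ldif_output`), and there are typos "injests" (ingests) and "indispensible" (indispensable). Finally, the rsyslog change (`$SystemLogRateLimitInterval 0`) disables rate limiting for every local process that writes to the syslog socket, not just slapd; consider suggesting a raised `$SystemLogRateLimitBurst` instead, or telling the reader to revert the change along with the verbose olcLogLevel once debugging is done.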
1281@@ -621,175 +884,83 @@
1282 olcAccessLogPurge: 07+00:00 01+00:00
1283 </programlisting>
1284
1285- </step>
1286- <step>
1287-
1288- <para>
1289- The <application>AppArmor</application> profile for <application>slapd</application> will need to be adjusted for the
1290- accesslog database location. Edit <filename>/etc/apparmor.d/usr.sbin.slapd</filename> adding:
1291- </para>
1292+ <para>
1293+ Change the rootDN in the LDIF file to match the one you have for your directory.
1294+ </para>
1295+
1296+ </step>
1297+
1298+ <step>
1299+ <para>
1300+ The <application>apparmor</application> profile for slapd will need to be adjusted for the
1301+ accesslog database location. Edit <filename>/etc/apparmor.d/local/usr.sbin.slapd</filename> by
1302+ adding the following:
1303+ </para>
1304
1305 <programlisting>
1306- /var/lib/ldap/accesslog/ r,
1307- /var/lib/ldap/accesslog/** rwk,
1308+/var/lib/ldap/accesslog/ r,
1309+/var/lib/ldap/accesslog/** rwk,
1310 </programlisting>
1311
1312- <para>
1313- Then create the directory, reload the <application>apparmor</application> profile, and copy
1314- the <filename>DB_CONFIG</filename> file:
1315- </para>
1316+ <para>
1317+ Create a directory, set up a databse config file, and reload the apparmor profile:
1318+ </para>
1319
1320 <screen>
1321 <command>sudo -u openldap mkdir /var/lib/ldap/accesslog</command>
1322-<command>sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/</command>
1323-<command>sudo /etc/init.d/apparmor reload</command>
1324-</screen>
1325-
1326- <note>
1327- <para>
1328- Using the <emphasis>-u openldap</emphasis> option with the <application>sudo</application> commands above
1329- removes the need to adjust permissions for the new directory later.
1330- </para>
1331- </note>
1332-
1333- </step>
1334- <step>
1335-
1336- <para>
1337- Edit the file and change the <emphasis>olcRootDN</emphasis> to match your directory:
1338- </para>
1339-
1340-<programlisting>
1341-olcRootDN: cn=admin,dc=example,dc=com
1342-</programlisting>
1343-
1344- </step>
1345- <step>
1346-
1347-
1348- <para>
1349- Next, add the LDIF file using the <application>ldapadd</application> utility:
1350- </para>
1351-
1352-<screen>
1353-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command>
1354-</screen>
1355-
1356- </step>
1357- <step>
1358-
1359-
1360- <para>
1361- Restart <application>slapd</application>:
1362- </para>
1363-
1364-<screen>
1365-<command>sudo /etc/init.d/slapd restart</command>
1366-</screen>
1367-
1368- </step>
1369+<command>sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog</command>
1370+<command>sudo service apparmor reload</command>
1371+</screen>
1372+
1373+ </step>
1374+
1375+ <step>
1376+ <para>
1377+ Add the new content and, due to the apparmor change, restart the daemon:
1378+ </para>
1379+
1380+<screen>
1381+<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command>
1382+<command>sudo service slapd restart</command>
1383+</screen>
1384+
1385+ </step>
1386+
1387 </procedure>
1388
1389 <para>
1390- The <emphasis>Provider</emphasis> server is now configured, and it is time to configure a <emphasis>Consumer</emphasis>
1391- server.
1392+ The Provider is now configured.
1393 </para>
1394
1395- </sect3>
1396- <sect3 id="openldap-consumer-configuration" status="review">
1397- <title>Consumer Configuration</title>
1398+ </sect3>
1399+
1400+ <sect3 id="openldap-consumer-configuration" status="review">
1401+ <title>Consumer Configuration</title>
1402+
1403+ <para>
1404+ And now configure the <emphasis>Consumer</emphasis>.
1405+ </para>
1406
1407 <procedure>
1408- <step>
1409-
1410- <para>
1411- On the <emphasis>Consumer</emphasis> server configure it the same as the <emphasis>Provider</emphasis> except for the
1412- <emphasis>Syncrepl</emphasis> configuration steps.
1413- </para>
1414-
1415- <para>
1416- Add the additional schema files:
1417- </para>
1418-
1419-<screen>
1420-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif</command>
1421-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif</command>
1422-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif</command>
1423-</screen>
1424-
1425- <para>
1426- Also, create, or copy from the provider server, the <filename>backend.example.com.ldif</filename>
1427- </para>
1428-
1429-<programlisting>
1430-# Load dynamic backend modules
1431-dn: cn=module,cn=config
1432-objectClass: olcModuleList
1433-cn: module
1434-olcModulepath: /usr/lib/ldap
1435-olcModuleload: back_hdb.la
1436-
1437-# Database settings
1438-dn: olcDatabase=hdb,cn=config
1439-objectClass: olcDatabaseConfig
1440-objectClass: olcHdbConfig
1441-olcDatabase: {1}hdb
1442-olcSuffix: dc=example,dc=com
1443-olcDbDirectory: /var/lib/ldap
1444-olcRootDN: cn=admin,dc=example,dc=com
1445-olcRootPW: secret
1446-olcDbConfig: set_cachesize 0 2097152 0
1447-olcDbConfig: set_lk_max_objects 1500
1448-olcDbConfig: set_lk_max_locks 1500
1449-olcDbConfig: set_lk_max_lockers 1500
1450-olcDbIndex: objectClass eq
1451-olcLastMod: TRUE
1452-olcDbCheckpoint: 512 30
1453-olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
1454-olcAccess: to attrs=shadowLastChange by self write by * read
1455-olcAccess: to dn.base="" by * read
1456-olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
1457-</programlisting>
1458-
1459- <para>
1460- And add the LDIF by entering:
1461- </para>
1462-
1463-<screen>
1464-<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif</command>
1465-</screen>
1466-
1467- </step>
1468- <step>
1469-
1470- <para>
1471- Do the same with the <filename>frontend.example.com.ldif</filename> file listed above, and add it:
1472- </para>
1473-
1474-<screen>
1475-<command>sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif</command>
1476-</screen>
1477-
1478- <para>
1479- The two severs should now have the same configuration except for the <emphasis>Syncrepl</emphasis>
1480- options.
1481- </para>
1482-
1483- </step>
1484- <step>
1485-
1486- <para>
1487- Now create a file named <filename>consumer_sync.ldif</filename> containing:
1488- </para>
1489-
1490-<programlisting>
1491-#Load the syncprov module.
1492+
1493+ <step>
1494+ <para>
1495+ Install the software by going through <xref linkend="openldap-server-installation"/>. Make sure the slapd-config
1496+ databse is identical to the Provider's. In particular, make sure schemas and the databse suffix are the same.
1497+ </para>
1498+ </step>
1499+
1500+ <step>
1501+ <para>
1502+ Create an LDIF file with the following contents and name it <filename>consumer_sync.ldif</filename>:
1503+ </para>
1504+
1505+<programlisting>
1506 dn: cn=module{0},cn=config
1507 changetype: modify
1508 add: olcModuleLoad
1509 olcModuleLoad: syncprov
1510
1511-# syncrepl specific indices
1512 dn: olcDatabase={1}hdb,cn=config
1513 changetype: modify
1514 add: olcDbIndex
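Review bot: the new Provider step "Change the rootDN in the LDIF file to match the one you have for your directory" drops the attribute name that the removed text quoted (`olcRootDN: cn=admin,dc=example,dc=com`); name `olcRootDN` explicitly so the reader knows which line of provider_sync.ldif to edit. The typo "databse" appears three times in this hunk ("set up a databse config file", "slapd-config databse", "databse suffix").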
1515@@ -805,130 +976,281 @@
1516 olcUpdateRef: ldap://ldap01.example.com
1517 </programlisting>
1518
1519- <para>
1520- You will probably want to change the following attributes:
1521- </para>
1522-
1523- <itemizedlist>
1524- <listitem><para><emphasis>ldap01.example.com</emphasis> to your server's hostname.</para></listitem>
1525- <listitem><para><emphasis>binddn</emphasis></para></listitem>
1526- <listitem><para><emphasis>credentials</emphasis></para></listitem>
1527- <listitem><para><emphasis>searchbase</emphasis></para></listitem>
1528- <listitem><para><emphasis>olcUpdateRef:</emphasis></para></listitem>
1529- </itemizedlist>
1530-
1531- </step>
1532- <step>
1533-
1534- <para>
1535- Add the LDIF file to the configuration tree:
1536- </para>
1537+ <para>
1538+ Ensure the following attributes have the correct values:
1539+ </para>
1540+
1541+ <itemizedlist>
1542+ <listitem><para><emphasis>ldap01.example.com</emphasis> (Provider server's hostname or IP address)</para></listitem>
1543+ <listitem><para><emphasis>binddn</emphasis> (the admin DN you're using)</para></listitem>
1544+ <listitem><para><emphasis>credentials</emphasis> (the admin DN password you're using)</para></listitem>
1545+ <listitem><para><emphasis>searchbase</emphasis> (the database suffix you're using)</para></listitem>
1546+ <listitem><para><emphasis>olcUpdateRef:</emphasis> (Provider server's hostname or IP address)</para></listitem>
1547+ </itemizedlist>
1548+
1549+ </step>
1550+
1551+ <step>
1552+
1553+ <para>
1554+ Add the new content:
1555+ </para>
1556
1557 <screen>
1558-<command>sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif</command>
1559+<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif</command>
1560 </screen>
1561
1562- </step>
1563+ </step>
1564+
1565 </procedure>
1566
1567 <para>
1568- The frontend database should now sync between servers. You can add additional servers using the
1569- steps above as the need arises.
1570+ You're done. The two databases (suffix: dc=example,dc=com) should now be synchronizing.
1571 </para>
1572
1573- <note>
1574- <para>
1575- The <application>slapd</application> daemon will send log information to <filename>/var/log/syslog</filename>
1576- by default. So if all does <emphasis>not</emphasis> go well check there for errors and other troubleshooting information.
1577- Also, be sure that each server knows it's Fully Qualified Domain Name (FQDN). This is configured in <filename>/etc/hosts</filename>
1578- with a line similar to: <programlisting>127.0.0.1 ldap01.example.com ldap01</programlisting>.
1579- </para>
1580- </note>
1581-
1582- </sect3>
1583- </sect2>
1584-
1585- <sect2 id="openldap-server-acl" status="review">
1586- <title>Setting up ACL</title>
1587-
1588- <para>
1589- Authentication requires access to the password field, that should be not
1590- accessible by default. Also, in order for users to change their own password,
1591- using <command>passwd</command> or other utilities, <emphasis>shadowLastChange</emphasis>
1592- needs to be accessible once a user has authenticated.
1593- </para>
1594+ <para>
1595+ To test if it worked simply query, on the Consumer, the DNs in the database:
1596+ </para>
1597+
1598+<screen>
1599+<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com dn</command>
1600+</screen>
1601+
1602+ <para>
1603+ You should see the user 'john' and the group 'miners' as well as the nodes 'People' and 'Groups'.
1604+ </para>
1605+
1606+ </sect3>
1607+
1608+ </sect2>
1609+
1610+ <sect2 id="openldap-server-acl" status="review">
1611+ <title>Access Control</title>
1612+
1613+ <para>
1614+ The management of what type of access (read, write, etc) users should be granted to resources is known as
1615+ <emphasis>access control</emphasis>. The configuration directives involved are called <emphasis>access control lists</emphasis> or ACL.
1616+ </para>
1617+
1618+ <para>
1619+ When we installed the slapd package various ACL were set up automatically. We will look at a few important consequences of those
1620+ defaults and, in so doing, we'll get an idea of how ACLs work and how they're configured.
1621+ </para>
1622+
1623+ <para>
1624+ To get the effective ACL for an LDAP query we need to look at the ACL entries of the database being queried as well as those of the
1625+ special frontend database instance. The ACLs belonging to the latter act as defaults in case those of the former do not match. The
1626+ frontend database is the second to be consulted and the ACL to be applied is the first to match ("first match wins") among these 2
1627+ ACL sources. The following commands will give, respectively, the ACLs of the hdb database ("dc=example,dc=com") and those of the
1628+ frontend database:
1629+ </para>
1630+
1631+<screen>
1632+<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess</command>
1633+<computeroutput>
1634+dn: olcDatabase={1}hdb,cn=config
1635+olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
1636+olcAccess: {1}to dn.base="" by * read
1637+olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by *
1638+ read
1639+</computeroutput>
1640+</screen>
1641+
1642+ <note>
1643+ <para>
1644+ The rootDN always has full rights to it's database. Including it in an ACL does provide an explicit configuration but it also causes
1645+ slapd to incure a performance penalty.
1646+ </para>
1647+ </note>
1648+
1649+<screen>
1650+<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={-1}frontend)' olcAccess</command>
1651+<computeroutput>
1652+dn: olcDatabase={-1}frontend,cn=config
1653+olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
1654+olcAccess: {1}to dn.exact="" by * read
1655+olcAccess: {2}to dn.base="cn=Subschema" by * read
1656+</computeroutput>
1657+</screen>
1658+
1659+ <para>
1660+ The very first ACL is crucial:
1661+ </para>
1662+
1663+<programlisting>
1664+olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
1665+</programlisting>
1666+
1667+ <para>
1668+ This can be represented differently for easier digestion:
1669+ </para>
1670+
1671+<programlisting>
1672+to attrs=userPassword
1673+ by self write
1674+ by anonymous auth
1675+ by dn="cn=admin,dc=example,dc=com" write
1676+ by * none
1677+
1678+to attrs=shadowLastChange
1679+ by self write
1680+ by anonymous auth
1681+ by dn="cn=admin,dc=example,dc=com" write
1682+ by * none
1683+</programlisting>
1684+
1685+ <para>
1686+ This compound ACL (there are 2) enforces the following:
1687+ </para>
1688+
1689+ <itemizedlist>
1690+
1691+ <listitem>
1692+ <para>
1693+ Anonymous 'auth' access is provided to the <emphasis>userPassword</emphasis> attribute for the initial connection to
1694+ occur. Perhaps counter-intuitively, 'by anonymous auth' is needed even when anonymous access to the DIT is
1695+ unwanted. Once the remote end is connected, howerver, authentication can occur (see next point).
1696+ </para>
1697+ </listitem>
1698+
1699+ <listitem>
1700+ <para>
1701+ Authentication can happen because all users have 'read' (due to 'by self write') access to the <emphasis>userPassword</emphasis> attribute.
1702+ </para>
1703+ </listitem>
1704+
1705+ <listitem>
1706+ <para>
1707+ The <emphasis>userPassword</emphasis> attribute is otherwise unaccessible by all other users, with the exception of the rootDN, who
1708+ has complete access to it.
1709+ </para>
1710+ </listitem>
1711+
1712+ <listitem>
1713+ <para>
1714+ In order for users to change their own password, using <command>passwd</command> or other utilities, the
1715+ <emphasis>shadowLastChange</emphasis> attribute needs to be accessible once a user has authenticated.
1716+ </para>
1717+ </listitem>
1718+
1719+ </itemizedlist>
1720+
1721+ <para>
1722+ This DIT can be searched anonymously because of 'by * read' in this ACL:
1723+ </para>
1724+
1725+<programlisting>
1726+to *
1727+ by self write
1728+ by dn="cn=admin,dc=example,dc=com" write
1729+ by * read
1730+</programlisting>
1731+
1732+ <para>
1733+ If this is unwanted then you need to change the ACLs. To force authentication during a bind request you can alternatively (or
1734+ in combination with the modified ACL) use the 'olcRequire: authc' directive.
1735+ </para>
1736+
1737+ <para>
1738+ As previously mentioned, there is no administrative account created for the slapd-config database. There is, however, a SASL
1739+ identity that is granted full access to it. It represents the localhost's superuser (root/sudo). Here it is:
1740+ </para>
1741+
1742+<programlisting>
1743+dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
1744+</programlisting>
1745
1746 <para>
1747- To view the Access Control List (ACL) for the <emphasis>cn=config</emphasis> tree, use the
1748- <application>ldapsearch</application> utility:
1749+ The following command will display the ACLs of the slapd-config database:
1750 </para>
1751
1752 <screen>
1753-<command>sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase=config olcAccess</command>
1754-</screen>
1755-
1756-<screen>
1757-<computeroutput>SASL/EXTERNAL authentication started
1758-SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
1759-SASL SSF: 0
1760+<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={0}config)' olcAccess</command>
1761+<computeroutput>
1762 dn: olcDatabase={0}config,cn=config
1763-olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
1764- ,cn=auth manage by * break
1765+olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
1766 </computeroutput>
1767 </screen>
1768
1769- <para>
1770- To see the ACL for the frontend tree enter:
1771- </para>
1772-
1773-<screen>
1774-<command>sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase={1}hdb olcAccess</command>
1775-</screen>
1776-
1777- </sect2>
1778-
1779- <sect2 id="openldap-tls" status="review">
1780- <title>TLS and SSL</title>
1781-
1782- <para>
1783- When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport
1784- Layer Security (TLS) and/or Secure Sockets Layer (SSL).
1785- </para>
1786-
1787- <para>
1788- The first step in the process is to obtain or create a <emphasis>certificate</emphasis>. Because <application>slapd</application>
1789- is compiled using the <application>gnutls</application> library, the <application>certtool</application> utility will be
1790- used to create certificates.
1791- </para>
1792+ <para>
1793+ Since this is a SASL identity we need to use a SASL <emphasis>mechanism</emphasis> when invoking the LDAP utility in question and
1794+ and we have seen it plenty of times in this guide. It is the EXTERNAL mechanism. See the previous command for an example. Note that:
1795+ </para>
1796
1797- <procedure>
1798- <step>
1799-
1800- <para>
1801- First, install <application>gnutls-bin</application> by entering the following in a terminal:
1802- </para>
1803-
1804-<screen>
1805-<command>sudo apt-get install gnutls-bin</command>
1806-</screen>
1807-
1808- </step>
1809- <step>
1810-
1811- <para>
1812- Next, create a private key for the <emphasis>Certificate Authority</emphasis> (CA):
1813- </para>
1814+ <procedure>
1815+
1816+ <step>
1817+ <para>
1818+ You must use <emphasis>sudo</emphasis> to become the root identity in order for the ACL to match.
1819+ </para>
1820+ </step>
1821+
1822+ <step>
1823+ <para>
1824+ The EXTERNAL mechanism works via <emphasis>IPC</emphasis> (UNIX domain sockets). This means you must use the <emphasis>ldapi</emphasis>
1825+ URI format.
1826+ </para>
1827+ </step>
1828+
1829+ </procedure>
1830+
1831+ <para>
1832+ A succinct way to get all the ACLs is like this:
1833+ </para>
1834+
1835+<screen>
1836+<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess olcSuffix</command>
1837+</screen>
1838+
1839+ <para>
1840+ There is much to say on the topic of access control. See the man page for
1841+ <ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html">slapd.access</ulink>.
1842+ </para>
1843+
1844+ </sect2>
1845+
1846+ <sect2 id="openldap-tls" status="review">
1847+ <title>TLS</title>
1848+
1849+ <para>
1850+ When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport
1851+ Layer Security (TLS).
1852+ </para>
1853+
1854+ <para>
1855+ Here, we will be our own <emphasis>Certificate Authority</emphasis> and then create and sign our LDAP server certificate as that CA.
1856+ Since <application>slapd</application> is compiled using the <application>gnutls</application> library, we will use the
1857+ <application>certtool</application> utility to complete these tasks.
1858+ </para>
1859+
1860+ <procedure>
1861+
1862+ <step>
1863+ <para>
1864+ Install the <application>gnutls-bin</application> and <application>gnutls-bin</application> packages:
1865+ </para>
1866+
1867+<screen>
1868+<command>sudo apt-get install gnutls-bin ssl-cert</command>
1869+</screen>
1870+
1871+ </step>
1872+
1873+ <step>
1874+ <para>
1875+ Create a private key for the Certificate Authority:
1876+ </para>
1877
1878 <screen>
1879 <command>sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"</command>
1880 </screen>
1881
1882- </step>
1883- <step>
1884+ </step>
1885
1886- <para>
1887- Create a <filename>/etc/ssl/ca.info</filename> details file to self-sign the CA certificate containing:
1888- </para>
1889+ <step>
1890+ <para>
1891+ Create the template/file <filename>/etc/ssl/ca.info</filename> to define the CA:
1892+ </para>
1893
1894 <programlisting>
1895 cn = Example Company
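Review bot: the TLS install step reads "Install the gnutls-bin and gnutls-bin packages" while the command is `sudo apt-get install gnutls-bin ssl-cert`; the prose should name ssl-cert. In the Access Control part of the hunk, the two facts about the EXTERNAL mechanism ("You must use sudo ..." and "The EXTERNAL mechanism works via IPC ...") are marked up as a `<procedure>` with `<step>`s although they are not sequential steps; an `<itemizedlist>`, as used elsewhere in this chapter, fits better. Typos to fix: "it's database" (its), "incure" (incur), "howerver" (however), "unaccessible" (inaccessible), and "in question and and we have seen" (duplicated "and"). Since consumer_sync.ldif carries the admin DN password in `credentials`, the Consumer step could also advise restricting the file's permissions or removing it after the ldapadd.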
1896@@ -936,42 +1258,46 @@
1897 cert_signing_key
1898 </programlisting>
1899
1900- </step>
1901- <step>
1902-
1903- <para>
1904- Now create the self-signed CA certificate:
1905- </para>
1906-
1907-<screen>
1908-<command>sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \
1909- --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem</command>
1910-</screen>
1911-
1912- </step>
1913- <step>
1914-
1915- <para>
1916- Make a private key for the server:
1917- </para>
1918-
1919-<screen>
1920-<command>sudo sh -c "certtool --generate-privkey > /etc/ssl/private/ldap01_slapd_key.pem"</command>
1921-</screen>
1922-
1923- <note>
1924- <para>
1925- Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and key for the host
1926- and service that will be using them will help keep filenames and paths straight.
1927- </para>
1928- </note>
1929-
1930- </step>
1931- <step>
1932-
1933- <para>
1934- To sign the server's certificate with the CA, create the <filename>/etc/ssl/ldap01.info</filename> info file containing:
1935- </para>
1936+ </step>
1937+
1938+ <step>
1939+ <para>
1940+ Create the self-signed CA certificate:
1941+ </para>
1942+
1943+<screen>
1944+<command>sudo certtool --generate-self-signed \
1945+--load-privkey /etc/ssl/private/cakey.pem \
1946+--template /etc/ssl/ca.info \
1947+--outfile /etc/ssl/certs/cacert.pem</command>
1948+</screen>
1949+
1950+ </step>
1951+
1952+ <step>
1953+ <para>
1954+ Make a private key for the server:
1955+ </para>
1956+
1957+<screen>
1958+<command>sudo certtool --generate-privkey \
1959+--bits 1024 \
1960+--outfile /etc/ssl/private/ldap01_slapd_key.pem</command>
1961+</screen>
1962+
1963+ <note>
1964+ <para>
1965+ Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and
1966+ key for the host and service that will be using them will help keep things clear.
1967+ </para>
1968+ </note>
1969+
1970+ </step>
1971+
1972+ <step>
1973+ <para>
1974+ Create the <filename>/etc/ssl/ldap01.info</filename> info file containing:
1975+ </para>
1976
1977 <programlisting>
1978 organization = Example Company
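Review bot: the server key step adds "--bits 1024" while the CA key two steps earlier is generated with certtool's default size; 1024-bit RSA is below the 2048-bit minimum generally recommended for new keys, so either drop the flag or set it to 2048 (the same "--bits 1024" reappears in the Consumer key step later in this diff and should change with it). Minor: the ldap01.info step now reads "Create the /etc/ssl/ldap01.info info file containing:" and no longer says what the file is for; the removed wording "To sign the server's certificate with the CA, create ..." made the purpose clear and is worth keeping.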
1979@@ -979,36 +1305,38 @@
1980 tls_www_server
1981 encryption_key
1982 signing_key
1983+expiration_days = 3650
1984 </programlisting>
1985
1986- </step>
1987- <step>
1988-
1989- <para>
1990- Create the server's certificate:
1991- </para>
1992-
1993-<screen>
1994-<command>sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \
1995- --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \
1996- --template /etc/ssl/ldap01.info --outfile /etc/ssl/certs/ldap01_slapd_cert.pem</command>
1997-</screen>
1998-
1999- </step>
2000- </procedure>
2001-
2002- <para>
2003- Once you have a certificate, key, and CA cert installed, use <application>ldapmodify</application> to add the new
2004- configuration options:
2005- </para>
2006-
2007-<screen>
2008-<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>
2009-</screen>
2010-
2011-<screen>
2012-<computeroutput>Enter LDAP Password:
2013-<userinput>dn: cn=config
2014+ <para>
2015+ The above certificate is good for 10 years. Adjust accordingly.
2016+ </para>
2017+ </step>
2018+
2019+ <step>
2020+ <para>
2021+ Create the server's certificate:
2022+ </para>
2023+
2024+<screen>
2025+<command>sudo certtool --generate-certificate \
2026+--load-privkey /etc/ssl/private/ldap01_slapd_key.pem \
2027+--load-ca-certificate /etc/ssl/certs/cacert.pem \
2028+--load-ca-privkey /etc/ssl/private/cakey.pem \
2029+--template /etc/ssl/ldap01.info \
2030+--outfile /etc/ssl/certs/ldap01_slapd_cert.pem</command>
2031+</screen>
2032+
2033+ </step>
2034+
2035+ </procedure>
2036+
2037+ <para>
2038+ Create the file <filename>certinfo.ldif</filename> with the following contents (adjust accordingly):
2039+ </para>
2040+
2041+<programlisting>
2042+dn: cn=config
2043 add: olcTLSCACertificateFile
2044 olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
2045 -
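Review bot: the new paragraph says "Create the file certinfo.ldif" with no path, but the ldapmodify command that loads it in the next hunk reads "/etc/ssl/certinfo.ldif"; give the file its full path here (or use the same relative name in both places) so the copy-and-paste sequence works as written. The added "expiration_days = 3650" together with "The above certificate is good for 10 years. Adjust accordingly." is fine, but ten years is a long lifetime for a server certificate and key; a sentence suggesting a shorter value where the key is expected to be rotated would help the reader choose.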
2046@@ -1016,170 +1344,171 @@
2047 olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
2048 -
2049 add: olcTLSCertificateKeyFile
2050-olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem</userinput>
2051-
2052-modifying entry "cn=config"
2053-</computeroutput>
2054+olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
2055+</programlisting>
2056+
2057+ <para>
2058+ Use the <application>ldapmodify</application> command to tell slapd about our TLS work via the slapd-config database:
2059+ </para>
2060+
2061+<screen>
2062+<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif</command>
2063 </screen>
2064-
2065- <note>
2066- <para>
2067- Adjust the <filename>ldap01_slapd_cert.pem</filename>, <filename>ldap01_slapd_key.pem</filename>, and
2068- <filename>cacert.pem</filename> names if yours are different.
2069- </para>
2070- </note>
2071-
2072- <para>
2073- Next, edit <filename>/etc/default/slapd</filename> uncomment the <emphasis>SLAPD_SERVICES</emphasis> option:
2074- </para>
2075+
2076+ <para>
2077+ Contratry to popular belief, you do not need <emphasis>ldaps://</emphasis> in <filename>/etc/default/slapd</filename>
2078+ in order to use encryption. You should have just:
2079+ </para>
2080
2081 <programlisting>
2082-SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
2083+SLAPD_SERVICES="ldap:/// ldapi:///"
2084 </programlisting>
2085
2086- <para>
2087- Now the <emphasis>openldap</emphasis> user needs access to the certificate:
2088- </para>
2089+ <note>
2090+ <para>
2091+ LDAP over TLS/SSL (ldaps://) is deprecated in favour of <emphasis>StartTLS</emphasis>. The latter refers to an
2092+ existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a
2093+ distinct encrypted-from-the-start protocol that operates over TCP port 636.
2094+ </para>
2095+ </note>
2096+
2097+
2098+ <para>
2099+ Tighten up ownership and permissions:
2100+ </para>
2101
2102 <screen>
2103 <command>sudo adduser openldap ssl-cert</command>
2104 <command>sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem</command>
2105 <command>sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem</command>
2106+<command>sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem</command>
2107 </screen>
2108
2109- <note>
2110- <para>
2111- If the <filename role="directory">/etc/ssl/private</filename> and <filename>/etc/ssl/private/server.key</filename> have
2112- different permissions, adjust the commands appropriately.
2113- </para>
2114- </note>
2115-
2116- <para>
2117- Finally, restart <application>slapd</application>:
2118- </para>
2119+ <para>
2120+ Restart OpenLDAP:
2121+ </para>
2122
2123 <screen>
2124-<command>sudo /etc/init.d/slapd restart</command>
2125+<command>sudo service slapd restart</command>
2126 </screen>
2127
2128- <para>
2129- The <application>slapd</application> daemon should now be listening for LDAPS connections and be able to use STARTTLS during
2130- authentication.
2131- </para>
2132-
2133- <note>
2134- <para>If you run into troubles with the server not starting,
2135- check the /var/log/syslog. If you see errors like
2136- main: TLS init def ctx failed: -1,
2137- it is likely there is a configuration problem.
2138- Check that the certificate is signed by the authority from
2139- in the files configured, and that the ssl-cert group
2140- has read permissions on the private key.
2141- </para>
2142- </note>
2143-
2144-
2145- <sect3 id="openldap-tls-replication" status="review">
2146- <title>TLS Replication</title>
2147-
2148- <para>
2149- If you have setup <application>Syncrepl</application> between servers, it is prudent to encrypt the replication traffic
2150- using <emphasis>Transport Layer Security (TLS)</emphasis>. For details on setting up replication see
2151- <xref linkend="openldap-server-replication"/>.
2152- </para>
2153-
2154- <para>
2155- Assuming you have followed the above instructions and created a CA certificate and server certificate on the
2156- <emphasis>Provider</emphasis> server. Follow the following instructions to create a certificate and key for the
2157- <emphasis>Consumer</emphasis> server.
2158- </para>
2159-
2160- <procedure>
2161- <step>
2162-
2163- <para>
2164- Create a new key for the Consumer server:
2165+ <para>
2166+ Check your host's logs (/var/log/syslog) to see if the server has started properly.
2167+ </para>
2168+
2169+ </sect2>
2170+
2171+ <sect2 id="openldap-tls-replication" status="review">
2172+ <title>Replication and TLS</title>
2173+
2174+ <para>
2175+ If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent
2176+ evesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that
2177+ TLS-authentication work.
2178+ </para>
2179+
2180+ <para>
2181+ The assumption here is that you have set up replication between Provider and Consumer according to <xref linkend="openldap-server-replication"/>
2182+ and have configured TLS for authentication on the Provider by following <xref linkend="openldap-tls"/>.
2183+ </para>
2184+
2185+ <para>
2186+ As previously stated, the objective (for us) with replication is high availablity for the LDAP service. Since we have TLS for
2187+ authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt
2188+ replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly.
2189+ We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the
2190+ necessary material over to the Consumer.
2191+ </para>
2192+
2193+ <procedure>
2194+
2195+ <step>
2196+ <para>
2197+ On the Provider,
2198+ </para>
2199+
2200+ <para>
2201+ Create a holding directory (which will be used for the eventual transfer) and then the Consumer's private key:
2202 </para>
2203
2204 <screen>
2205 <command>mkdir ldap02-ssl</command>
2206 <command>cd ldap02-ssl</command>
2207-<command>certtool --generate-privkey > ldap02_slapd_key.pem</command>
2208+<command>sudo certtool --generate-privkey \
2209+--bits 1024 \
2210+--outfile ldap02_slapd_key.pem</command>
2211 </screen>
2212
2213- <note>
2214- <para>
2215- Creating a new directory is not strictly necessary, but it will help keep things organized and make it easier to copy the
2216- files to the Consumer server.
2217- </para>
2218- </note>
2219-
2220- </step>
2221- <step>
2222-
2223 <para>
2224- Next, create an info file, <filename>ldap02.info</filename> for the Consumer server, changing the attributes to match your
2225- locality and server:
2226+ Create an info file, <filename>ldap02.info</filename>, for the Consumer server, adjusting it's values accordingly:
2227 </para>
2228
2229 <programlisting>
2230-country = US
2231-state = North Carolina
2232-locality = Winston-Salem
2233 organization = Example Company
2234-cn = ldap02.salem.edu
2235-tls_www_client
2236+cn = ldap02.example.com
2237+tls_www_server
2238 encryption_key
2239 signing_key
2240+expiration_days = 3650
2241 </programlisting>
2242
2243- </step>
2244- <step>
2245-
2246 <para>
2247- Create the certificate:
2248+ Create the Consumer's certificate:
2249 </para>
2250
2251 <screen>
2252-<command>sudo certtool --generate-certificate --load-privkey ldap02_slapd_key.pem \
2253- --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \
2254- --template ldap02.info --outfile ldap02_slapd_cert.pem</command>
2255+<command>sudo certtool --generate-certificate \
2256+--load-privkey ldap02_slapd_key.pem \
2257+--load-ca-certificate /etc/ssl/certs/cacert.pem \
2258+--load-ca-privkey /etc/ssl/private/cakey.pem \
2259+--template ldap02.info \
2260+--outfile ldap02_slapd_cert.pem</command>
2261 </screen>
2262
2263- </step>
2264- <step>
2265-
2266 <para>
2267- Copy the <filename>cacert.pem</filename> to the directory:
2268+ Get a copy of the CA certificate:
2269 </para>
2270
2271 <screen>
2272 <command>cp /etc/ssl/certs/cacert.pem .</command>
2273 </screen>
2274
2275- </step>
2276- <step>
2277-
2278- <para>
2279- The only thing left is to copy the <filename>ldap02-ssl</filename> directory to the Consumer server, then copy
2280- <filename>ldap02_slapd_cert.pem</filename> and <filename>cacert.pem</filename> to <filename>/etc/ssl/certs</filename>,
2281- and copy <filename>ldap02_slapd_key.pem</filename> to <filename>/etc/ssl/private</filename>.
2282- </para>
2283-
2284- </step>
2285- <step>
2286-
2287- <para>
2288- Once the files are in place adjust the <emphasis>cn=config</emphasis> tree by entering:
2289- </para>
2290-
2291-<screen>
2292-<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>
2293-</screen>
2294-
2295-<screen>
2296-<computeroutput>Enter LDAP Password:
2297-<userinput>dn: cn=config
2298+ <para>
2299+ We're done. Now transfer the <filename>ldap02-ssl</filename> directory to the Consumer. Here we use scp (adjust accordingly):
2300+ </para>
2301+
2302+<screen>
2303+<command>cd ..</command>
2304+<command>scp -r ldap02-ssl user@consumer:</command>
2305+</screen>
2306+
2307+ </step>
2308+
2309+ <step>
2310+ <para>
2311+ On the Consumer,
2312+ </para>
2313+
2314+ <para>
2315+ Configure TLS authentication:
2316+ </para>
2317+
2318+<screen>
2319+<command>sudo apt-get install ssl-cert</command>
2320+<command>sudo adduser openldap ssl-cert</command>
2321+<command>sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs</command>
2322+<command>sudo cp ldap02_slapd_key.pem /etc/ssl/private</command>
2323+<command>sudo chgrp ssl-cert /etc/ssl/private/ldap02_slapd_key.pem</command>
2324+<command>sudo chmod g+r /etc/ssl/private/ldap02_slapd_key.pem</command>
2325+<command>sudo chmod o-r /etc/ssl/private/ldap02_slapd_key.pem</command>
2326+</screen>
2327+
2328+ <para>
2329+ Create the file <filename>/etc/ssl/certinfo.ldif</filename> with the following contents (adjust accordingly):
2330+ </para>
2331+
2332+<programlisting>
2333+dn: cn=config
2334 add: olcTLSCACertificateFile
2335 olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
2336 -
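Review bot: the "Create a holding directory" step runs "sudo certtool --generate-privkey ... --outfile ldap02_slapd_key.pem" inside the unprivileged user's ldap02-ssl directory: the sudo is not needed there (nothing under /etc/ssl is read), it leaves the key file owned by root, and the later "scp -r ldap02-ssl user@consumer:" run as the ordinary user may then be unable to read it; drop sudo on the key step (the --generate-certificate step still needs it to read /etc/ssl/private/cakey.pem). This step also repeats "--bits 1024"; use 2048 as for the Provider. Generating the Consumer's private key on the Provider also means the key crosses the network; if the guide wants to avoid that, generate the key on the Consumer and send only a certificate request (certtool --generate-request) to the Provider for signing. Spelling in the added prose: "Contratry" should be "Contrary", "evesdropping" should be "eavesdropping", "availablity" should be "availability", and "adjusting it's values" should be "adjusting its values". Finally, "Check your host's logs (/var/log/syslog) to see if the server has started properly" replaces the old note about the "TLS init def ctx failed" error and its usual causes (certificate not signed by the configured CA, ssl-cert group lacking read permission on the key); that diagnostic hint was useful and could be kept.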
2337@@ -1187,175 +1516,194 @@
2338 olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
2339 -
2340 add: olcTLSCertificateKeyFile
2341-olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem</userinput>
2342-
2343-modifying entry "cn=config"
2344-</computeroutput>
2345-</screen>
2346-
2347- </step>
2348- <step>
2349-
2350- <para>
2351- As with the Provider you can now edit <filename>/etc/default/slapd</filename> and add the <emphasis>ldaps:///</emphasis>
2352- parameter to the <emphasis>SLAPD_SERVICES</emphasis> option.
2353- </para>
2354-
2355- </step>
2356- </procedure>
2357-
2358- <para>
2359- Now that <emphasis>TLS</emphasis> has been setup on each server, once again modify the <emphasis>Consumer</emphasis> server's
2360- <emphasis>cn=config</emphasis> tree by entering the following in a terminal:
2361- </para>
2362-
2363-<screen>
2364-<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>
2365-</screen>
2366-
2367-<screen>
2368-<computeroutput>SASL/EXTERNAL authentication started
2369-SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2370-SASL SSF: 0
2371-<userinput>
2372+olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem
2373+</programlisting>
2374+
2375+ <para>
2376+ Configure the slapd-config database:
2377+ </para>
2378+
2379+<screen>
2380+<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif</command>
2381+</screen>
2382+
2383+ <para>
2384+ Configure <filename>/etc/default/slapd</filename> as on the Provider (SLAPD_SERVICES).
2385+ </para>
2386+ </step>
2387+
2388+ <step>
2389+ <para>
2390+ On the Consumer,
2391+ </para>
2392+
2393+ <para>
2394+ Configure TLS for Consumer-side replication. Modify the existing <emphasis>olcSyncrepl</emphasis> attribute by tacking
2395+ on some TLS options. In so doing, we will see, for the first time, how to change an attribute's value(s).
2396+ </para>
2397+
2398+ <para>
2399+ Create the file <filename>consumer_sync_tls.ldif</filename> with the following contents:
2400+ </para>
2401+
2402+<programlisting>
2403 dn: olcDatabase={1}hdb,cn=config
2404-replace: olcSyncrepl
2405-olcSyncrepl: {0}rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=ad
2406- min,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" logbas
2407- e="cn=accesslog" logfilter="(&amp;(objectClass=auditWriteObject)(reqResult=0))" s
2408- chemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=yes</userinput>
2409-
2410-modifying entry "olcDatabase={1}hdb,cn=config"
2411-</computeroutput>
2412-</screen>
2413-
2414- <para>
2415- If the LDAP server hostname does not match the Fully Qualified Domain Name (FQDN) in the certificate, you may have to edit
2416- <filename>/etc/ldap/ldap.conf</filename> and add the following TLS options:
2417- </para>
2418+replace: olcSyncRepl
2419+olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
2420+ binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
2421+ logbase="cn=accesslog" logfilter="(&amp;(objectClass=auditWriteObject)(reqResult=0))"
2422+ schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
2423+ <application>starttls=critical tls_reqcert=demand</application>
2424+</programlisting>
2425+
2426+ <para>
2427+ The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the
2428+ Provider's identity. Also note the LDIF syntax for changing the values of an attribute ('replace').
2429+ </para>
2430+
2431+ <para>
2432+ Implement these changes:
2433+ </para>
2434+
2435+<screen>
2436+<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif</command>
2437+</screen>
2438+
2439+ <para>
2440+ And restart slapd:
2441+ </para>
2442+
2443+<screen>
2444+<command>sudo service slapd restart</command>
2445+</screen>
2446+
2447+ </step>
2448+
2449+ <step>
2450+ <para>
2451+ On the Provider,
2452+ </para>
2453+
2454+ <para>
2455+ Check to see that a TLS session has been established. In <filename>/var/log/syslog</filename>, providing you have
2456+ 'conns'-level logging set up, you should see messages similar to:
2457+ </para>
2458
2459 <programlisting>
2460-TLS_CERT /etc/ssl/certs/ldap02_slapd_cert.pem
2461-TLS_KEY /etc/ssl/private/ldap02_slapd_key.pem
2462-TLS_CACERT /etc/ssl/certs/cacert.pem
2463+slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
2464+slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
2465+slapd[3620]: conn=1047 op=0 STARTTLS
2466+slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
2467+slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
2468+slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
2469+slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
2470+slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text
2471 </programlisting>
2472
2473-
2474- <para>
2475- Finally, restart <application>slapd</application> on each of the servers:
2476- </para>
2477-
2478-<screen>
2479-<command>sudo /etc/init.d/slapd restart</command>
2480-</screen>
2481-
2482- </sect3>
2483-
2484- </sect2>
2485-
2486- <sect2 id="openldap-auth-config" status="review">
2487- <title>LDAP Authentication</title>
2488-
2489- <para>
2490- Once you have a working LDAP server, the <application>auth-client-config</application> and <application>libnss-ldap</application>
2491- packages take the pain out of configuring an Ubuntu client to authenticate using LDAP. To install the packages from, a terminal
2492- prompt enter:
2493- </para>
2494+ </step>
2495+
2496+ </procedure>
2497+
2498+ </sect2>
2499+
2500+ <sect2 id="openldap-auth-config" status="review">
2501+ <title>LDAP Authentication</title>
2502+
2503+ <para>
2504+ Once you have a working LDAP server, you will need to install libraries on the client that will know how and when to contact it.
2505+ On Ubuntu, this has been traditionally accomplishd by installing the <application>libnss-ldap</application> package. This package
2506+ will bring in other tools that will assist you in the configuration step. Install this package now:
2507+ </para>
2508
2509 <screen>
2510 <command>sudo apt-get install libnss-ldap</command>
2511 </screen>
2512
2513- <para>
2514- During the install a menu dialog will ask you connection details about your LDAP server.
2515- </para>
2516-
2517- <para>
2518- If you make a mistake when entering your information you can execute the dialog again using:
2519- </para>
2520-
2521+ <para>
2522+ You will be prompted for details of your LDAP server. If you make a mistake you can try again using:
2523+ </para>
2524+
2525 <screen>
2526 <command>sudo dpkg-reconfigure ldap-auth-config</command>
2527 </screen>
2528
2529- <para>
2530- The results of the dialog can be seen in <filename>/etc/ldap.conf</filename>. If your server requires options not covered in the menu
2531- edit this file accordingly.
2532- </para>
2533+ <para>
2534+ The results of the dialog can be seen in <filename>/etc/ldap.conf</filename>. If your server requires options not covered in the menu
2535+ edit this file accordingly.
2536+ </para>
2537
2538- <para>
2539- Now that <application>libnss-ldap</application> is configured enable the <application>auth-client-config</application> LDAP profile by
2540- entering:
2541- </para>
2542+ <para>
2543+ Now configure the LDAP profile for NSS:
2544+ </para>
2545
2546 <screen>
2547 <command>sudo auth-client-config -t nss -p lac_ldap</command>
2548 </screen>
2549
2550- <itemizedlist>
2551- <listitem>
2552- <para>
2553- <emphasis>-t:</emphasis> only modifies <filename>/etc/nsswitch.conf</filename>.
2554- </para>
2555- </listitem>
2556- <listitem>
2557- <para>
2558- <emphasis>-p:</emphasis> name of the profile to enable, disable, etc.
2559- </para>
2560- </listitem>
2561- <listitem>
2562- <para>
2563- <emphasis>lac_ldap:</emphasis> the <application>auth-client-config</application> profile that is part of the
2564- <application>ldap-auth-config</application> package.
2565- </para>
2566- </listitem>
2567- </itemizedlist>
2568-
2569- <para>
2570- Using the <application>pam-auth-update</application> utility, configure the system to use LDAP for authentication:
2571- </para>
2572+ <para>
2573+ Configure the system to use LDAP for authentication:
2574+ </para>
2575
2576 <screen>
2577 <command>sudo pam-auth-update</command>
2578 </screen>
2579
2580- <para>
2581- From the <application>pam-auth-update</application> menu, choose LDAP and any other authentication mechanisms you need.
2582- </para>
2583-
2584- <para>
2585- You should now be able to login using user credentials stored in the LDAP directory.
2586- </para>
2587-
2588- <note>
2589- <para>
2590- If you are going to use LDAP to store Samba users you will need to configure the server to authenticate using LDAP.
2591- See <xref linkend="samba-ldap"/> for details.
2592- </para>
2593- </note>
2594-
2595- </sect2>
2596- <sect2 id="ldap-usergroup-management" status="review">
2597- <title>User and Group Management</title>
2598-
2599- <para>
2600- The <application>ldap-utils</application> package comes with multiple utilities to manage the directory, but the long
2601- string of options needed, can make them a burden to use. The <application>ldapscripts</application> package contains
2602- configurable scripts to easily manage LDAP users and groups.
2603- </para>
2604-
2605- <para>
2606- To install the package, from a terminal enter:
2607- </para>
2608+ <para>
2609+ From the menu, choose LDAP and any other authentication mechanisms you need.
2610+ </para>
2611+
2612+ <para>
2613+ You should now be able to log in using LDAP-based credentials.
2614+ </para>
2615+
2616+ <para>
2617+ LDAP clients will need to refer to multiple servers if replication is in use. In <filename>/etc/ldap.conf</filename> you would
2618+ have something like:
2619+ </para>
2620+
2621+<programlisting>
2622+uri ldap://ldap01.example.com ldap://ldap02.example.com
2623+</programlisting>
2624+
2625+ <para>
2626+ The request will time out and the Consumer (ldap02) will attempt to be reached if the Provider (ldap01) becomes unresponsive.
2627+ </para>
2628+
2629+ <para>
2630+ If you are going to use LDAP to store Samba users you will need to configure the Samba server to authenticate using LDAP. See
2631+ <xref linkend="samba-ldap"/> for details.
2632+ </para>
2633+
2634+ <note>
2635+ <para>
2636+ An alternative to the <application>libnss-ldap</application> package is the <application>libnss-ldapd</application>
2637+ package. This, however, will bring in the <application>nscd</application> package which is problably not wanted. Simply
2638+ remove it afterwards.
2639+ </para>
2640+ </note>
2641+
2642+ </sect2>
2643+
2644+ <sect2 id="ldap-usergroup-management" status="review">
2645+ <title>User and Group Management</title>
2646+
2647+ <para>
2648+ The <application>ldap-utils</application> package comes with enough utilities to manage the directory but the long string of
2649+ options needed can make them a burden to use. The <application>ldapscripts</application> package contains wrapper scripts to these
2650+ utilities that some people find easier to use.
2651+ </para>
2652+
2653+ <para>
2654+ Install the package:
2655+ </para>
2656
2657 <screen>
2658 <command>sudo apt-get install ldapscripts</command>
2659 </screen>
2660
2661- <para>
2662- Next, edit the config file <filename>/etc/ldapscripts/ldapscripts.conf</filename> uncommenting and changing the following to
2663- match your environment:
2664- </para>
2665+ <para>
2666+ Then edit the file <filename>/etc/ldapscripts/ldapscripts.conf</filename> to arrive at something similar to the following:
2667+ </para>
2668
2669 <programlisting>
2670 SERVER=localhost
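Review bot: on the Consumer the prose says to create "/etc/ssl/certinfo.ldif" but the ldapmodify command reads "-f certinfo.ldif" from the current directory; make the two agree (the Provider step has the reverse mismatch). In the consumer_sync_tls.ldif listing, "starttls=critical tls_reqcert=demand" is wrapped in <application> tags, which is the wrong DocBook element for highlighting inside a programlisting; use <emphasis> if a highlight is wanted. With tls_reqcert=demand the consumer has to verify the Provider's certificate against the CA, so either say that the CA from olcTLSCACertificateFile is used for that check or add tls_cacert=/etc/ssl/certs/cacert.pem to the olcSyncRepl value explicitly, so the reader knows where the trust comes from. In the LDAP Authentication section the new /etc/ldap.conf fragment only sets "uri"; since the servers now offer StartTLS, the client should be told to use it (for example "ssl start_tls" with "tls_cacertfile /etc/ssl/certs/cacert.pem" and "tls_checkpeer yes"), otherwise login passwords still cross the wire in the clear on port 389. Spelling and grammar in the added prose: "accomplishd" should be "accomplished", "problably" should be "probably", and "The request will time out and the Consumer (ldap02) will attempt to be reached if the Provider (ldap01) becomes unresponsive" reads better as "If the Provider (ldap01) becomes unresponsive, the request will time out and the client will try the Consumer (ldap02)".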
2671@@ -1370,104 +1718,125 @@
2672 MIDSTART=10000
2673 </programlisting>
2674
2675- <para>
2676- Now, create the <filename>ldapscripts.passwd</filename> file to allow authenticated access to the directory:
2677- </para>
2678+ <para>
2679+ Now, create the <filename>ldapscripts.passwd</filename> file to allow rootDN access to the directory:
2680+ </para>
2681
2682 <screen>
2683 <command>sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"</command>
2684 <command>sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd</command>
2685 </screen>
2686
2687- <note>
2688- <para>
2689- Replace <quote>secret</quote> with the actual password for your LDAP admin user.
2690- </para>
2691- </note>
2692-
2693- <para>
2694- The <application>ldapscripts</application> are now ready to help manage your directory. The following are some examples
2695- of how to use the scripts:
2696- </para>
2697-
2698- <itemizedlist>
2699- <listitem>
2700- <para>
2701- Create a new user:
2702- </para>
2703+ <note>
2704+ <para>
2705+ Replace <quote>secret</quote> with the actual password for your database's rootDN user.
2706+ </para>
2707+ </note>
2708+
2709+ <para>
2710+ The scripts are now ready to help manage your directory. Here are some examples of how to use them:
2711+ </para>
2712+
2713+ <itemizedlist>
2714+
2715+ <listitem>
2716+ <para>
2717+ Create a new user:
2718+ </para>
2719+
2720 <screen>
2721 <command>sudo ldapadduser george example</command>
2722 </screen>
2723- <para>
2724- This will create a user with uid <emphasis role="italic">george</emphasis> and set the user's primary group (gid) to
2725- <emphasis role="italic">example</emphasis>
2726- </para>
2727- </listitem>
2728- <listitem>
2729- <para>
2730- Change a user's password:
2731- </para>
2732+
2733+ <para>
2734+ This will create a user with uid <emphasis role="italic">george</emphasis> and set the user's primary group (gid) to
2735+ <emphasis role="italic">example</emphasis>
2736+ </para>
2737+ </listitem>
2738+
2739+ <listitem>
2740+ <para>
2741+ Change a user's password:
2742+ </para>
2743+
2744 <screen>
2745 <command>sudo ldapsetpasswd george</command>
2746 <computeroutput>Changing password for user uid=george,ou=People,dc=example,dc=com</computeroutput>
2747 <userinput>New Password: </userinput>
2748 <userinput>New Password (verify): </userinput>
2749 </screen>
2750- </listitem>
2751- <listitem>
2752- <para>
2753- Delete a user:
2754- </para>
2755+
2756+ </listitem>
2757+
2758+ <listitem>
2759+ <para>
2760+ Delete a user:
2761+ </para>
2762+
2763 <screen>
2764 <command>sudo ldapdeleteuser george</command>
2765 </screen>
2766
2767- </listitem>
2768- <listitem>
2769- <para>
2770- Add a group:
2771- </para>
2772+ </listitem>
2773+
2774+ <listitem>
2775+ <para>
2776+ Add a group:
2777+ </para>
2778+
2779 <screen>
2780 <command>sudo ldapaddgroup qa</command>
2781 </screen>
2782- </listitem>
2783- <listitem>
2784- <para>
2785- Delete a group:
2786- </para>
2787+
2788+ </listitem>
2789+
2790+ <listitem>
2791+ <para>
2792+ Delete a group:
2793+ </para>
2794+
2795 <screen>
2796 <command>sudo ldapdeletegroup qa</command>
2797 </screen>
2798- </listitem>
2799- <listitem>
2800- <para>
2801- Add a user to a group:
2802- </para>
2803+
2804+ </listitem>
2805+
2806+ <listitem>
2807+ <para>
2808+ Add a user to a group:
2809+ </para>
2810+
2811 <screen>
2812 <command>sudo ldapaddusertogroup george qa</command>
2813 </screen>
2814- <para>
2815- You should now see a <emphasis>memberUid</emphasis> attribute for the <emphasis role="italic">qa</emphasis> group with
2816- a value of <emphasis role="italic">george</emphasis>.
2817- </para>
2818- </listitem>
2819- <listitem>
2820- <para>
2821- Remove a user from a group:
2822- </para>
2823+
2824+ <para>
2825+ You should now see a <emphasis>memberUid</emphasis> attribute for the <emphasis role="italic">qa</emphasis> group with
2826+ a value of <emphasis role="italic">george</emphasis>.
2827+ </para>
2828+ </listitem>
2829+
2830+ <listitem>
2831+ <para>
2832+ Remove a user from a group:
2833+ </para>
2834+
2835 <screen>
2836 <command>sudo ldapdeleteuserfromgroup george qa</command>
2837 </screen>
2838- <para>
2839- The <emphasis>memberUid</emphasis> attribute should now be removed from the <emphasis role="italic">qa</emphasis>
2840- group.
2841- </para>
2842- </listitem>
2843- <listitem>
2844- <para>
2845- The <application>ldapmodifyuser</application> script allows you to add, remove, or replace a user's attributes.
2846- The script uses the same syntax as the <application>ldapmodify</application> utility. For example:
2847- </para>
2848+
2849+ <para>
2850+ The <emphasis>memberUid</emphasis> attribute should now be removed from the <emphasis role="italic">qa</emphasis>
2851+ group.
2852+ </para>
2853+ </listitem>
2854+
2855+ <listitem>
2856+ <para>
2857+ The <application>ldapmodifyuser</application> script allows you to add, remove, or replace a user's attributes.
2858+ The script uses the same syntax as the <application>ldapmodify</application> utility. For example:
2859+ </para>
2860+
2861 <screen>
2862 <command>sudo ldapmodifyuser george</command>
2863 <computeroutput># About to modify the following entry :
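Review bot: the ldapscripts.passwd step puts the rootDN password on the command line ("sudo sh -c \"echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd\""), where it lands in the shell history; suggest writing the file with an editor or reading the password interactively. The note "Replace secret with the actual password for your database's rootDN user" is accurate, but binding as the rootDN is more privilege than routine user and group management needs; the guide could mention binding the scripts as a dedicated admin entry whose rights are limited by ACLs instead.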
2864@@ -1489,36 +1858,38 @@
2865 <userinput>replace: gecos
2866 gecos: George Carlin</userinput>
2867 </screen>
2868- <para>
2869- The user's <emphasis>gecos</emphasis> should now be <quote>George Carlin</quote>.
2870- </para>
2871- </listitem>
2872- <listitem>
2873- <para>
2874- Another great feature of <application>ldapscripts</application>, is the template system. Templates
2875- allow you to customize the attributes of user, group, and machine objectes. For example, to enable
2876- the <emphasis>user</emphasis> template edit <filename>/etc/ldapscripts/ldapscripts.conf</filename>
2877- changing:
2878- </para>
2879+
2880+ <para>
2881+ The user's <emphasis>gecos</emphasis> should now be <quote>George Carlin</quote>.
2882+ </para>
2883+ </listitem>
2884+
2885+ <listitem>
2886+ <para>
2887+ A nice feature of <application>ldapscripts</application> is the template system. Templates allow you to customize the
2888+ attributes of user, group, and machine objectes. For example, to enable the <emphasis>user</emphasis> template edit
2889+ <filename>/etc/ldapscripts/ldapscripts.conf</filename> changing:
2890+ </para>
2891
2892 <programlisting>
2893 UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
2894 </programlisting>
2895
2896- <para>
2897- There are <emphasis role="italic">sample</emphasis> templates in the <filename>/etc/ldapscripts</filename> directory.
2898- Copy or rename the <filename>ldapadduser.template.sample</filename> file to
2899- <filename>/etc/ldapscripts/ldapadduser.template</filename>:
2900- </para>
2901+ <para>
2902+ There are <emphasis role="italic">sample</emphasis> templates in the <filename>/etc/ldapscripts</filename> directory.
2903+ Copy or rename the <filename>ldapadduser.template.sample</filename> file to
2904+ <filename>/etc/ldapscripts/ldapadduser.template</filename>:
2905+ </para>
2906
2907 <screen>
2908-<command>sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample /etc/ldapscripts/ldapadduser.template</command>
2909+<command>sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
2910+/etc/ldapscripts/ldapadduser.template</command>
2911 </screen>
2912
2913- <para>
2914- Edit the new template to add the desired attributes. The following will create new user's as with an
2915- <emphasis>objectClass</emphasis> of <emphasis>inetOrgPerson</emphasis>:
2916- </para>
2917+ <para>
2918+ Edit the new template to add the desired attributes. The following will create new users with an objectClass of
2919+ inetOrgPerson:
2920+ </para>
2921
2922 <programlisting>
2923 dn: uid=&lt;user&gt;,&lt;usuffix&gt;,&lt;suffix&gt;
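Review bot: the prose and the command in this hunk disagree about where the sample template lives. The rewritten paragraph still says "There are sample templates in the /etc/ldapscripts directory", but the cp line that follows copies from /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample, which is the packaged location; fix the sentence to match the command, e.g. "A sample template ships in /usr/share/doc/ldapscripts/examples. Copy it to /etc/ldapscripts/ldapadduser.template:". The typo "objectes" (in "attributes of user, group, and machine objectes") was carried over from the old text and should read "objects". Wrapping the long cp command with a trailing backslash is fine, but the continuation line should not start at column 0 inside the screen element if the rest of the chapter indents continuation lines; check it renders as one command.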
2924@@ -1536,59 +1907,112 @@
2925 title: Employee
2926 </programlisting>
2927
2928- <para>
2929- Notice the <emphasis>&lt;ask&gt;</emphasis> option used for the <emphasis>ssn</emphasis> value. Using &lt;ask&gt;
2930- will configure <application>ldapadduser</application> to prompt you for the attribute value during user creation.
2931- </para>
2932-
2933- </listitem>
2934- </itemizedlist>
2935-
2936- <para>
2937- There are more useful scripts in the package, to see a full list enter: <command>dpkg -L ldapscripts | grep bin</command>
2938- </para>
2939-
2940- </sect2>
2941- <sect2 id="openldap-server-resources" status="review">
2942- <title>Resources</title>
2943- <itemizedlist>
2944- <listitem>
2945- <para>
2946- The <ulink url="https://help.ubuntu.com/community/OpenLDAPServer">OpenLDAP Ubuntu Wiki</ulink> page has more details.
2947- </para>
2948- </listitem>
2949- <listitem>
2950- <para>
2951- For more information see <ulink url="http://www.openldap.org/">OpenLDAP Home Page</ulink>
2952- </para>
2953- </listitem>
2954- <listitem>
2955- <para>
2956- Though starting to show it's age, a great source for in depth LDAP information is
2957- O'Reilly's <ulink url="http://www.oreilly.com/catalog/ldapsa/">LDAP System Administration</ulink>
2958- </para>
2959- </listitem>
2960- <listitem>
2961- <para>
2962- Packt's <ulink url="http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book">Mastering OpenLDAP</ulink>
2963- is a great reference covering newer versions of OpenLDAP.
2964- </para>
2965- </listitem>
2966- <listitem>
2967- <para>
2968- For more information on <application>auth-client-config</application> see the man page: <command>man auth-client-config</command>.
2969- </para>
2970- </listitem>
2971- <listitem>
2972- <para>
2973- For more details regarding the <application>ldapscripts</application> package see the man pages: <command>man ldapscripts</command>,
2974- <command>man ldapadduser</command>, <command>man ldapaddgroup</command>, etc.
2975- </para>
2976- </listitem>
2977- </itemizedlist>
2978+ <para>
2979+ Notice the <emphasis>&lt;ask&gt;</emphasis> option used for the <emphasis>sn</emphasis> attribute. This
2980+ will make <application>ldapadduser</application> prompt you for it's value.
2981+ </para>
2982+ </listitem>
2983+
2984+ </itemizedlist>
2985+
2986+ <para>
2987+ There are utilities in the package that were not covered here. Here is a complete list:
2988+ </para>
2989+
2990+<programlisting>
2991+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldaprenamemachine.1.html">ldaprenamemachine</ulink>
2992+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapadduser.1.html">ldapadduser</ulink>
2993+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuserfromgroup.1.html">ldapdeleteuserfromgroup</ulink>
2994+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapfinger.1.html">ldapfinger</ulink>
2995+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapid.1.html">ldapid</ulink>
2996+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapgid.1.html">ldapgid</ulink>
2997+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapmodifyuser.1.html">ldapmodifyuser</ulink>
2998+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldaprenameuser.1.html">ldaprenameuser</ulink>
2999+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/lsldap.1.html">lsldap</ulink>
3000+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapaddusertogroup.1.html">ldapaddusertogroup</ulink>
3001+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapsetpasswd.1.html">ldapsetpasswd</ulink>
3002+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapinit.1.html">ldapinit</ulink>
3003+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapaddgroup.1.html">ldapaddgroup</ulink>
3004+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeletegroup.1.html">ldapdeletegroup</ulink>
3005+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapmodifygroup.1.html">ldapmodifygroup</ulink>
3006+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeletemachine.1.html">ldapdeletemachine</ulink>
3007+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldaprenamegroup.1.html">ldaprenamegroup</ulink>
3008+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapaddmachine.1.html">ldapaddmachine</ulink>
3009+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapmodifymachine.1.html">ldapmodifymachine</ulink>
3010+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapsetprimarygroup.1.html">ldapsetprimarygroup</ulink>
3011+<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuser.1.html">ldapdeleteuser</ulink>
3012+</programlisting>
3013+
3014+ </sect2>
3015+
3016+ <sect2 id="openldap-server-resources" status="review">
3017+ <title>Resources</title>
3018+
3019+ <itemizedlist>
3020+
3021+ <listitem>
3022+ <para>
3023+ The primary resource is the upstream documentation: <ulink url="http://www.openldap.org/">www.openldap.org</ulink>
3024+ </para>
3025+ </listitem>
3026+
3027+ <listitem>
3028+ <para>
3029+ There are many man pages that come with the slapd package. Here are some important ones, especially considering the material
3030+ presented in this guide:
3031+ </para>
3032+
3033+<programlisting>
3034+<ulink url="http://manpages.ubuntu.com/manpages/en/man8/slapd.8.html">slapd</ulink>
3035+<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html">slapd-config</ulink>
3036+<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html">slapd.access</ulink>
3037+<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapo-syncprov.5.html">slapo-syncprov</ulink>
3038+</programlisting>
3039+
3040+ </listitem>
3041+
3042+ <listitem>
3043+ <para>
3044+ Other man pages:
3045+ </para>
3046+
3047+<programlisting>
3048+<ulink url="http://manpages.ubuntu.com/manpages/en/man8/auth-client-config.8.html">auth-client-config</ulink>
3049+<ulink url="http://manpages.ubuntu.com/manpages/en/man8/pam-auth-update.8.html">pam-auth-update</ulink>
3050+</programlisting>
3051+
3052+ </listitem>
3053+
3054+ <listitem>
3055+ <para>
3056+ Zytrax's <ulink url="http://www.zytrax.com/books/ldap/">LDAP for Rocket Scientists</ulink>; a less pedantic but comprehensive treatment of LDAP
3057+ </para>
3058+ </listitem>
3059+
3060+ <listitem>
3061+ <para>
3062+ A Ubuntu community <ulink url="https://help.ubuntu.com/community/OpenLDAPServer">OpenLDAP wiki</ulink> page has a collection of notes
3063+ </para>
3064+ </listitem>
3065+
3066+ <listitem>
3067+ <para>
3068+ O'Reilly's <ulink url="http://www.oreilly.com/catalog/ldapsa/">LDAP System Administration</ulink> (textbook; 2003)
3069+ </para>
3070+ </listitem>
3071+
3072+ <listitem>
3073+ <para>
3074+ Packt's <ulink url="http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book">Mastering OpenLDAP</ulink> (textbook; 2007)
3075+ </para>
3076+ </listitem>
3077+
3078+ </itemizedlist>
3079
3080- </sect2>
3081- </sect1>
3082+ </sect2>
3083+
3084+ </sect1>
3085+
3086 <sect1 id="samba-ldap" status="review">
3087 <title>Samba and LDAP</title>
3088
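Review bot: the new hardcoded list of ldapscripts utilities replaces the removed "dpkg -L ldapscripts | grep bin" one-liner, which is the only form that stays correct when the package adds or drops a script; keep the command next to the list, and sort the list alphabetically (it currently starts ldaprenamemachine, ldapadduser, ldapdeleteuserfromgroup, ldapfinger, ... with no discernible order, which makes it hard to see whether anything is missing). Two wording points: "prompt you for it's value" should be "its value", and "especially considering the material presented in this guide" reads awkwardly; "the ones most relevant to this guide" is tighter. The &lt;ask&gt; paragraph now names the sn attribute where the old text said ssn; the template lines that would show which attribute actually carries &lt;ask&gt; fall outside this hunk, so please confirm the template body agrees with the new sentence. In the Resources list, the man page links are already release-agnostic (no "oneiric" in the URLs), which addresses the earlier review comment.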
3089@@ -1725,11 +2149,9 @@
3090 modifyTimestamp: 20080827045234Z
3091 </programlisting>
3092
3093- <note>
3094 <para>
3095 The attribute values will vary, just be sure the attributes are removed.
3096 </para>
3097- </note>
3098
3099 </step>
3100 <step>
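Review bot: dropping the &lt;note&gt; wrapper turns a "be sure the attributes are removed" caution into an ordinary paragraph, and the surviving &lt;para&gt; keeps the deeper indentation it had inside the note, so it no longer lines up with its sibling elements in the &lt;step&gt;; the hunk at -2769,11 makes the identical change. If the intent is to stop overusing &lt;note&gt; in this chapter, reindent the &lt;para&gt; in both places; if the note was removed only because it looked redundant, consider keeping it, since a "just be sure" warning before a modification is exactly what the note element is for.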
3101@@ -1845,7 +2267,7 @@
3102
3103 <note>
3104 <para>
3105- You can create an LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>.
3106+ You can create a LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>.
3107 This allows you to look over the changes making sure everything is correct.
3108 </para>
3109 </note>
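Review bot: "an LDIF file" was correct and should not become "a LDIF file": LDIF is read letter by letter (el-dee-eye-eff), so it takes "an", and the OpenLDAP documentation consistently writes "an LDIF". Revert this one-word change. The note itself is worth keeping as written; previewing the objects smbldap-populate would create with -e before anything is written to the directory is the right habit to recommend.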
3110@@ -2769,11 +3191,9 @@
3111 modifyTimestamp: 20090111203515Z
3112 </programlisting>
3113
3114- <note>
3115 <para>
3116 The attribute values will vary, just be sure the attributes are removed.
3117 </para>
3118- </note>
3119
3120 </step>
3121 <step>
