7/31/2019 03-OpenLDAP
1/30
OpenLDAP Directory Administration
OpenLDAP
Table of Contents
Obtaining the OpenLDAP Distribution
Software Requirements
Compiling OpenLDAP 2
OpenLDAP Clients and Servers
The slapd.conf Configuration File
Access Control Lists (ACLs)
Obtaining the OpenLDAP Distribution
OpenLDAP?
Popular, open source LDAPv3-compliant server
Attractive for several reasons:
Source code is available for download
Compliant with the core LDAPv3 specifications
Available on multiple platforms, including Linux, Solaris, Mac OS X 10.2, and Windows
Continuation of the original University of Michigan LDAP server
Compiling OpenLDAP = lots of dependencies
Try to obtain binary packages (eg. http://www.symas.com/ for Solaris & HP-UX)
Source code: http://www.openldap.org/
Software Requirements
The OpenLDAP server requires several external software packages:
Support for POSIX threads (either by the OS or an external library)
It is possible to compile OpenLDAP without thread support, but slurpd requires it
SSL/TLS libraries, such as OpenSSL
http://www.openssl.org/
Database manager library that supports DBM-type storage facilities.
Current library of choice is BerkeleyDB 4.1
http://www.sleepycat.com/
ldbm (backed by GNU dbm) can also be used
http://www.fsf.org/
Release 2.1 of the SASL libraries from Carnegie Mellon University
http://asg.web.cmu.edu/sasl/sasl-library.html
Compiling OpenLDAP
Compiling:
(untar)
./configure --enable-wrappers    (--enable-wrappers enables support for TCP wrappers)
make depend
make
make test
make install
Things to check when encountering problems:
(if your system supports it) Use the ldd tool to verify that binaries (eg. slapd) have been linked against the correct libraries
Change /etc/ld.so.conf and run ldconfig -v, or set LD_LIBRARY_PATH
Verify that DNS is configured correctly (reverse DNS!)
Verify network connectivity
OpenLDAP Clients and Servers
Name                Description
libexec/slapd       The LDAP server
libexec/slurpd      The LDAP replication helper
bin/ldapadd         Command-line tools for adding, modifying, and deleting entries on an
bin/ldapmodify      LDAP server (commands support both LDAPv2 and LDAPv3)
bin/ldapdelete
bin/ldapmodrdn
bin/ldapsearch      Command-line utilities for searching an LDAP directory or testing a compare
bin/ldapcompare
bin/ldappasswd      A tool for changing the password attribute in LDAP entries. This tool is the
                    equivalent of /bin/passwd
sbin/slapadd        Tools for manipulating the local backend data store used by the slapd daemon
sbin/slapcat
sbin/slapindex
sbin/slappasswd     A simple utility to generate password hashes suitable for use in slapd.conf
lib/libldap*        The OpenLDAP client SDK
lib/liblber*
include/ldap*.h
include/lber*.h
The slapd.conf Configuration File
Central source of configuration information
Used by slapd, slurpd, and related tools such as slapcat and slapadd
Client tools like ldapmodify and ldapsearch use ldap.conf (not slapd.conf) for their default settings
Can be broken into two sections:
Parameters that affect the overall behavior of the servers
Parameters that relate to a specific database backend used by the slapd daemon
The slapd.conf Configuration File
Schema Files
include /etc/ldap/schema/...
corba.schema          Schema for storing CORBA objects in LDAP (RFC 2714)
core.schema           OpenLDAP required core schema: basic LDAPv3 attributes and objects described in RFCs 2251-2256
cosine.schema         For supporting COSINE and X.500 directory pilots (RFC 1274)
inetorgperson.schema  Defines the inetOrgPerson object class & attributes (RFC 2798)
java.schema           For storing Java objects (RFC 2713)
misc.schema           Miscellaneous objects (eg. LDAP-based mail routing with sendmail)
nis.schema            Attributes and objects necessary for using LDAP+NIS (RFC 2307)
openldap.schema       Miscellaneous objects used by the OpenLDAP project
The slapd.conf Configuration File
Logging
loglevel 296
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
loglevel is a set of bit flags that should be OR'ed together
Level   Information recorded
-1      All logging information
0       No logging information
1       Trace function calls
2       Packet-handling debugging information
4       Heavy trace debugging
8       Connection management
16      Packets sent and received
32      Search filter processing
64      Configuration file processing
128     Access Control List processing
256     Statistics for connections, operations, and results
512     Statistics for results returned to clients
1024    Communication with shell backends
2048    Print entry parsing debug information
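Reading a loglevel such as the 296 above by hand is error-prone. The block below is an added example (not part of the original slides or of OpenLDAP) that splits a loglevel value into the flags from the table and builds a value from flags; the table contents are the slide's, the function names are the example's own. Two things worth knowing when raising the level on a live server: 128 is the flag to turn on when an ACL does not behave as expected, and the packet-level flags (2 and 16) log raw protocol data, which for a simple bind includes the password.

```python
# slapd loglevel flags as listed in the table above; -1 means everything and 0 means nothing.
LOGLEVEL_FLAGS = {
    1: "trace function calls",
    2: "packet-handling debugging information",
    4: "heavy trace debugging",
    8: "connection management",
    16: "packets sent and received",
    32: "search filter processing",
    64: "configuration file processing",
    128: "access control list processing",
    256: "statistics for connections, operations, and results",
    512: "statistics for results returned to clients",
    1024: "communication with shell backends",
    2048: "entry parsing debug information",
}
ALL_FLAGS = sum(LOGLEVEL_FLAGS)          # every bit the table names, OR'ed together


def decode_loglevel(level):
    """Return (enabled flag bits in ascending order, leftover bits the table does not name)."""
    if level == -1:
        return sorted(LOGLEVEL_FLAGS), 0
    if level < 0:
        raise ValueError("only -1 is a valid negative loglevel")
    enabled = [bit for bit in sorted(LOGLEVEL_FLAGS) if level & bit]
    return enabled, level & ~ALL_FLAGS


def encode_loglevel(*bits):
    """OR flag bits together into a loglevel value, refusing anything that is not a table entry."""
    level = 0
    for bit in bits:
        if bit not in LOGLEVEL_FLAGS:
            raise ValueError("%d is not a slapd loglevel flag" % bit)
        level |= bit
    return level


def explain_loglevel(level):
    """One line per enabled flag, for reviewing a loglevel directive in slapd.conf."""
    enabled, leftover = decode_loglevel(level)
    lines = ["%5d  %s" % (bit, LOGLEVEL_FLAGS[bit]) for bit in enabled]
    if leftover:
        lines.append("%5d  (bits not named in the table)" % leftover)
    return lines


if __name__ == "__main__":
    # The value used on the slide: connection management + filter processing + statistics.
    print("\n".join(explain_loglevel(296)))
```

Unknown bits are reported rather than silently dropped, so a value copied from another version's documentation shows up as such instead of looking like a valid setting.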
The slapd.conf Configuration File
SASL Options
SASL is not needed if only simple binds will be used
However, it is often useful to allow a combination of simple binds and SASL mechanisms for user connections, eg.:
Normal users can do lookups via a simple bind
Administrators must authenticate via SASL
slapd.conf has three SASL-related global options:
sasl-host hostname
sasl-realm string
sasl-secprops properties
sasl-host and sasl-realm are respectively the FQDN and the SASL domain used for authentication
Use sasldblistusers to dump the /etc/sasldb database
sasl-secprops allows you to define conditions that affect the SASL security properties (see next slide)
The slapd.conf Configuration File
SASL Options (cont.)
sasl-secprops parameter values and descriptions:
Flag             Description
none             Clears the default security properties (noplain, noanonymous)
noplain          Disables mechanisms vulnerable to passive attacks, such as viewing network packets to examine passwords
noactive         Disables mechanisms vulnerable to active attacks
nodict           Disables mechanisms that are vulnerable to dictionary-based password attacks
noanonymous      Disables mechanisms that support anonymous logins
forwardsec       Requires forward secrecy between sessions
passcred         Requires mechanisms that pass client credentials
minssf=factor    Defines the minimum security strength enforced. Possible values include: 0 (no protection), 1 (integrity protection only), 56 (allow DES encryption), 112 (allow 3DES or other strong encryption methods), and 128 (allow RC4, Blowfish, or other encryption algorithms of this class)
maxssf=factor    Defines the maximum security strength setting. The possible values are identical to those of minssf
maxbufsize=size  Defines the maximum size of the security layer receive buffer. A value of 0 disables the security layer. The default value is the maximum (INT_MAX, given here as 65536)
The slapd.conf Configuration File
SASL Options (cont.)
Various cyrus-sasl plugins:
SASL Mechanism   Security Property Flags         maxssf
ANONYMOUS        NOPLAIN                         0
CRAM-MD5         NOPLAIN                         0
DIGEST-MD5       NOPLAIN NOANONYMOUS             128 if compiled with RC4; 112 if compiled with DES; 0 if compiled with neither RC4 nor DES
GSSAPI           NOPLAIN NOACTIVE NOANONYMOUS    56
KERBEROS_V4      NOPLAIN NOACTIVE NOANONYMOUS    56
LOGIN            NOANONYMOUS                     0
PLAIN            NOANONYMOUS                     0
SCRAM-MD5        NONE                            0
SRP              NOPLAIN                         0
The slapd.conf Configuration File
SASL Options (cont.)
If you had this in slapd.conf:
## No PLAIN or ANONYMOUS mechanisms; use DES encryption
sasl-secprops noplain,noanonymous,minssf=56
the following mechanisms for authentication would be allowed:
DIGEST-MD5
GSSAPI
KERBEROS_V4
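The selection above can be checked mechanically before the setting goes into production. The block below is an added example (not from the slides, and not code from OpenLDAP or cyrus-sasl) that applies a sasl-secprops value to the mechanism table from the previous slide: a mechanism is offered only if it carries every required property flag and its maxssf can reach minssf. The table contents are the slide's; assumptions of this example are that DIGEST-MD5 was built with RC4 (maxssf 128), that tokens are applied left to right so that "none" clears the defaults and later flag tokens add to the cleared set, and the function names.

```python
# Mechanism table from the slide: the security properties each mechanism satisfies and its maxssf.
# DIGEST-MD5's maxssf depends on how cyrus-sasl was built (128 with RC4, 112 with DES, 0 with
# neither); 128 is assumed here.
MECHANISMS = {
    "ANONYMOUS":   ({"NOPLAIN"}, 0),
    "CRAM-MD5":    ({"NOPLAIN"}, 0),
    "DIGEST-MD5":  ({"NOPLAIN", "NOANONYMOUS"}, 128),
    "GSSAPI":      ({"NOPLAIN", "NOACTIVE", "NOANONYMOUS"}, 56),
    "KERBEROS_V4": ({"NOPLAIN", "NOACTIVE", "NOANONYMOUS"}, 56),
    "LOGIN":       ({"NOANONYMOUS"}, 0),
    "PLAIN":       ({"NOANONYMOUS"}, 0),
    "SCRAM-MD5":   (set(), 0),
    "SRP":         ({"NOPLAIN"}, 0),
}
DEFAULT_PROPS = {"NOPLAIN", "NOANONYMOUS"}      # what applies when sasl-secprops is not set
PROPERTY_FLAGS = {"noplain", "noactive", "nodict", "noanonymous", "forwardsec", "passcred"}


def parse_secprops(spec):
    """Parse a sasl-secprops value into (required property flags, minssf, maxssf or None for no cap).
    Tokens apply left to right; 'none' clears the default flags (this example's reading)."""
    required, minssf, maxssf = set(DEFAULT_PROPS), 0, None
    for token in spec.split(","):
        token = token.strip().lower()
        if not token:
            continue
        if token == "none":
            required = set()
        elif token.startswith("minssf="):
            minssf = int(token[len("minssf="):])
        elif token.startswith("maxssf="):
            maxssf = int(token[len("maxssf="):])
        elif token.startswith("maxbufsize="):
            int(token[len("maxbufsize="):])      # validated, but does not affect mechanism choice
        elif token in PROPERTY_FLAGS:
            required.add(token.upper())
        else:
            raise ValueError("unknown sasl-secprops token: " + token)
    return required, minssf, maxssf


def allowed_mechanisms(spec, mechanisms=MECHANISMS):
    """Mechanisms that satisfy every required property and can reach minssf under the maxssf cap."""
    required, minssf, maxssf = parse_secprops(spec)
    allowed = []
    for name, (props, mech_maxssf) in mechanisms.items():
        if not required <= props:            # every required flag must be one the mechanism provides
            continue
        reachable = mech_maxssf if maxssf is None else min(mech_maxssf, maxssf)
        if reachable < minssf:               # the mechanism cannot deliver the strength demanded
            continue
        allowed.append(name)
    return sorted(allowed)


if __name__ == "__main__":
    for spec in ("noplain,noanonymous,minssf=56", "noplain,noanonymous,minssf=56,noactive", "none"):
        print("%-42s %s" % (spec, ", ".join(allowed_mechanisms(spec))))
```

The first spec reproduces the slide's result; adding noactive drops DIGEST-MD5, and "none" reopens everything, PLAIN and ANONYMOUS included, which is why it should not appear in a server configuration without a deliberate reason.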
The slapd.conf Configuration File
SSL/TLS Options
Parameters:
TLSCipherSuite cipher-suite-specification
TLSCertificateFile filename
TLSCertificateKeyFile filename
The slapd.conf Configuration File
Serving Up Data
After the global section: one or more database sections, each defining a directory partition
database directive, possible values:
bdb: BerkeleyDB 4 database manager, makes extensive use of indexing and caching; recommended OpenLDAP backend
ldbm: GNU Database Manager or Sleepycat BerkeleyDB; older implementation
passwd: Quick and dirty means of providing a directory interface to the system passwd file
shell: Allows the use of alternative (external) databases
The slapd.conf Configuration File
Serving Up Data (cont.)
Example:
# Begin a new database section
database bdb
# Define the root suffix you serve
suffix dc=plainjoe,dc=org
# Define root DN for superuser privileges
rootdn cn=Manager,dc=plainjoe,dc=org
# Define root DN's password: salted secure hash of 'secret'
rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
# Directory containing the database files
directory /var/ldap/plainjoe.org
# Files should be created rw for the owner *only*
mode 0600
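The rootpw above is stored as a salted SHA-1 hash of the kind slappasswd produces rather than in cleartext. The block below is an added example (not from the slides and not OpenLDAP's own code) that builds and verifies such {SSHA} values, so an administrator can confirm what a rootpw line holds without binding to the server. The layout base64(sha1(password + salt) + salt) with a 4-byte salt is this example's assumption about the format (the slide's value decodes to 24 bytes, i.e. a 20-byte digest plus 4 salt bytes); make_ssha, check_ssha and is_hashed_rootpw are the example's own names.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_BYTES = 20      # SHA-1 digest length
SALT_BYTES = 4         # assumption: the short random salt appended by slappasswd


def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(sha1(password || salt) || salt), the form rootpw uses above."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, password):
    """Verify a candidate password against a stored {SSHA} value (constant-time comparison)."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= DIGEST_BYTES:
        raise ValueError("{SSHA} value too short to contain a salt")
    digest, salt = raw[:DIGEST_BYTES], raw[DIGEST_BYTES:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_hashed_rootpw(value):
    """True if a rootpw value carries a {scheme} prefix, i.e. is not stored in cleartext."""
    return value.startswith("{") and "}" in value[1:]


if __name__ == "__main__":
    h = make_ssha("secret")
    print(h, check_ssha(h, "secret"), check_ssha(h, "wrong"))
```

Because the salt is appended to the digest inside the base64 string, two hashes of the same password differ, and a verifier has to decode the stored value to recover the salt; slapd does the same when it checks a bind against userPassword or rootpw. The file mode of 0600 on the database files and a restrictive mode on slapd.conf itself matter for the same reason: the hash, not the password, is what an attacker who can read the file gets, and that is what the hashing is there to protect.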
Access Control Lists
OpenLDAP ACLs are simple in syntax, yet very flexible and powerful
Basic idea:
WHO has ACCESS to WHAT?
Access Control Lists (cont.)
WHO has ACCESS to WHAT?
WHO can be:
*
Any connected user, including anonymous connections
self
DN of the currently connected user
anonymous
Non-authenticated user connections
users
Authenticated user connections
Regular expression
Matches a DN or a SASL identity
Note: the login name can be a DN (dn=cn=gerald carter,ou=people,dc=plainjoe,dc=org) or a SASL identity (dn=uid=jerry,cn=gssapi,cn=auth)
Access Control Lists (cont.)
WHO has ACCESS to WHAT? (cont.)
ACCESS can be:
write
Access to update attribute values
read
Access to read search results (eg. show all entries with a telephoneNumber of 555*)
search
Access to apply search filters (eg. are there any entries with a telephoneNumber of 555*?)
compare
Access to compare attributes
auth
Access to bind (authenticate). Requires that the client send a username (DN) and some type of credentials
none
No access
The levels are cumulative: write implies read, which implies search, compare, and auth
Access Control Lists (cont.)
WHO has ACCESS to WHAT? (cont.)
WHAT can be:
A regular expression defining the DN of the proposed target of the ACL
Syntax is dn.targetstyle=regex
where:
targetstyle is one of regex, base, subtree, one, or children (a bare dn= is treated as regex; with base, subtree, one, or children the value is a literal DN rather than a regex)
regex is a regular expression representing a DN
targetstyle is used to broaden or narrow the scope
An LDAP search filter that conforms to RFC 2254
Syntax is filter=ldapFilter
A comma-separated list of attribute names
Syntax is attrs=attributeList
Access Control Lists (cont.)
Examples
Simple ACL granting read access to the world:
access to *
        by * read
Restrict access to the userPassword attribute (it can be used to bind, but never read):
access to attrs=userPassword
        by * auth
A user should be allowed to modify her own password:
access to attrs=userPassword
        by self write
        by * auth
Access Control Lists (cont.)
Examples (cont.)
ACLs are evaluated on a first-match-wins basis: more specific ACLs should be listed prior to more general ones. The same holds for the by clauses within one directive: the first by clause that matches the connecting user decides
eg. (the second directive is never consulted, so self never gets write access):
access to attrs=userPassword
        by * auth
access to attrs=userPassword
        by self write
        by * auth
better:
access to attrs=userPassword
        by self write
        by * auth
access to attrs=userPassword
        by * auth
Access Control Lists (cont.)
Examples (cont.)
Assume:
Administrative accounts are located beneath the DN ou=admins,ou=eng,dc=plainjoe,dc=org
Normal user accounts are located beneath ou=users,ou=eng,dc=plainjoe,dc=org
Normal users should not be allowed to see other users' passwords
A user should be able to modify his password
Admin users should be able to modify any user's password
Gives:
access to dn=.*,ou=eng,dc=plainjoe,dc=org attrs=userPassword
        by self write
        by dn=.*,ou=admins,ou=eng,dc=plainjoe,dc=org write
        by * auth
The by * auth clause must come last: by clauses are first-match too, so placing it before the admins clause would match the admins first and leave them with auth access only
Access Control Lists (cont.)
Examples (cont.)
This example:
access to dn=.*,ou=eng,dc=plainjoe,dc=org attrs=userPassword
        by self write
        by dn=.*,ou=admins,ou=eng,dc=plainjoe,dc=org write
        by * auth
Can also be written as:
access to dn.children=ou=eng,dc=plainjoe,dc=org attrs=userPassword
        by self write
        by dn.children=ou=admins,ou=eng,dc=plainjoe,dc=org write
        by * auth
(Recommended: an explicit scope style matches the subtree exactly, without the regex)
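Both the ordering rule on the previous slides and the ou=eng example above come down to first-match evaluation, which is easy to misjudge by eye. The block below is an added example (not from the slides and not OpenLDAP's code) of a small evaluator for the slapd.conf subset used here: access to with a dn pattern and/or attrs=, and by clauses of *, self, anonymous, users, or a dn pattern. It applies slapd's rule that the first directive whose target matches decides and that, within it, the first matching by clause decides, with an implicit by * none ending each directive and an implicit access to * by * none ending the list. Simplifications that are this example's own: DNs are compared as literal strings (slapd normalizes them first), a bare dn= is read as an anchored regex as on the slides, and the rootdn, which bypasses ACLs, is not modelled. The constants BAD_ORDER, GOOD_ORDER, ENG_ACL and ENG_ACL_REGEX reproduce the slides' directives; ENG_AUTH_FIRST keeps by * auth ahead of the admins clause to show what that order does.

```python
import re

# Access levels in increasing order of privilege; granting a level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def dn_matches(style, pattern, dn):
    """Match a DN against a dn.<style>=<pattern> specifier (regex, base, one, subtree, children)."""
    if dn is None:                        # an anonymous requester never matches a DN pattern
        return False
    if style == "regex":
        return re.fullmatch(pattern, dn) is not None     # slapd anchors regex DN patterns
    if style == "base":
        return dn == pattern
    below = dn.endswith("," + pattern)
    if style == "subtree":
        return dn == pattern or below
    if style == "children":
        return below
    if style == "one":                    # exactly one RDN below the base
        return below and "," not in dn[: -len(pattern) - 1]
    raise ValueError("unknown dn style: " + style)


def parse_dn_spec(token):
    """'dn=<regex>' or 'dn.<style>=<value>' -> (style, value); a bare dn= means regex."""
    key, _, value = token.partition("=")
    return key.partition(".")[2] or "regex", value.strip('"')


def parse_acl(text):
    """Parse one 'access to <what> by <who> <level> [by ...]' directive."""
    m = re.match(r"access\s+to\s+(.*?)\s+by\s+(.*)$", text.strip(), re.S)
    if not m:
        raise ValueError("not an access directive: " + text)
    acl = {"dn": None, "attrs": None, "by": []}
    for tok in m.group(1).split():
        if tok.startswith("dn"):
            acl["dn"] = parse_dn_spec(tok)
        elif tok.startswith("attrs="):
            acl["attrs"] = set(tok[len("attrs="):].split(","))
        elif tok != "*":
            raise ValueError("unsupported target clause: " + tok)
    for who, level in re.findall(r"\bby\s+(\S+)\s+(\S+)", "by " + m.group(2)):
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        acl["by"].append((who, level))
    return acl


def who_matches(who, requester, target_dn):
    """Does a by clause's <who> match the bound identity (None for anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target_dn
    if who.startswith("dn"):
        style, pattern = parse_dn_spec(who)
        return dn_matches(style, pattern, requester)
    raise ValueError("unsupported who clause: " + who)


def access_granted(acls, requester, target_dn, attr, needed):
    """First-match evaluation: the first directive whose target matches decides, and inside it
    the first matching by clause decides; no match anywhere means no access."""
    for acl in acls:
        if acl["dn"] and not dn_matches(acl["dn"][0], acl["dn"][1], target_dn):
            continue
        if acl["attrs"] is not None and attr not in acl["attrs"]:
            continue
        for who, level in acl["by"]:
            if who_matches(who, requester, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False                      # implicit 'by * none'
    return False                          # implicit 'access to * by * none'


def load_acls(*directives):
    return [parse_acl(d) for d in directives]


# The ordering example from the slides: the second directive is never consulted.
BAD_ORDER = load_acls("access to attrs=userPassword by * auth",
                      "access to attrs=userPassword by self write by * auth")
GOOD_ORDER = load_acls("access to attrs=userPassword by self write by * auth")

# The ou=eng example in both spellings from the slides, and with 'by * auth' moved ahead of the admins clause.
ENG_ACL = load_acls('access to dn.children="ou=eng,dc=plainjoe,dc=org" attrs=userPassword '
                    'by self write by dn.children="ou=admins,ou=eng,dc=plainjoe,dc=org" write by * auth')
ENG_ACL_REGEX = load_acls("access to dn=.*,ou=eng,dc=plainjoe,dc=org attrs=userPassword "
                          "by self write by dn=.*,ou=admins,ou=eng,dc=plainjoe,dc=org write by * auth")
ENG_AUTH_FIRST = load_acls('access to dn.children="ou=eng,dc=plainjoe,dc=org" attrs=userPassword '
                           'by self write by * auth by dn.children="ou=admins,ou=eng,dc=plainjoe,dc=org" write')

if __name__ == "__main__":
    bob = "uid=bob,ou=users,ou=eng,dc=plainjoe,dc=org"
    admin = "uid=root,ou=admins,ou=eng,dc=plainjoe,dc=org"
    for name, acls in (("ENG_ACL", ENG_ACL), ("ENG_AUTH_FIRST", ENG_AUTH_FIRST)):
        print(name, "admin may set bob's password:", access_granted(acls, admin, bob, "userPassword", "write"))
```

Running the block shows ENG_ACL granting the admin write access and ENG_AUTH_FIRST denying it: by * auth matches the admin before the admins clause is reached. The same evaluator answers the other questions on the slides, for instance that under GOOD_ORDER an ordinary user cannot read another user's userPassword (auth is below read) while an anonymous client may still bind with it.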