03-OpenLDAP


  • 7/31/2019 03-OpenLDAP


    OpenLDAP Directory Administration

    OpenLDAP


    Table of Contents

    Obtaining the OpenLDAP Distribution

    Software Requirements

    Compiling OpenLDAP 2

    OpenLDAP Clients and Servers

    The slapd.conf Configuration File

    Access Control Lists (ACLs)


    Obtaining the OpenLDAP Distribution

    OpenLDAP?

    Popular, open source LDAP-v3-compliant server

    Attractive for several reasons:

    Source code is available for download

    Compliant with the core LDAPv3 specifications

    Available on multiple platforms, including Linux, Solaris, Mac OS 10.2, and Windows

    Continuation of original University of Michigan LDAP server

    Compiling OpenLDAP = lots of dependencies

    Try to obtain binary packages (eg. http://www.symas.com/ for Solaris & HP/UX)

    Source code: http://www.openldap.org/


    Software Requirements

    OpenLDAP server will require several external software packages:

    Support for POSIX threads (either by OS or an external library)
    It is possible to compile OpenLDAP without thread support, but slurpd requires it

    SSL/TLS libraries, such as OpenSSL
    http://www.openssl.org/

    Database manager library that supports DBM type storage facilities.
    Current library of choice is BerkeleyDB 4.1
    http://www.sleepycat.com/
    ldbm can also be used
    http://www.fsf.org/

    Release 2.1 of the SASL libraries from Carnegie Mellon University
    http://asg.web.cmu.edu/sasl/sasl-library.html


    Compiling OpenLDAP

    Compiling:

    (untar)
    ./configure --enable-wrappers    (enables support for TCP wrappers)
    make depend
    make
    make test
    make install

    Things to check when encountering problems

    (if your system supports it) Use the ldd tool to verify that binaries (eg. slapd) have been compiled against the correct libraries

    Change /etc/ld.so.conf and run ldconfig -v or set LD_LIBRARY_PATH

    Verify that DNS is configured correctly (reverse DNS!)

    Verify network connectivity


    OpenLDAP Clients and Servers

    Name                  Description
    libexec/slapd         The LDAP server
    libexec/slurpd        The LDAP replication helper
    bin/ldapadd           Command-line tools for adding, modifying, and deleting
    bin/ldapmodify        entries on an LDAP server (commands support both LDAPv2
    bin/ldapdelete        and LDAPv3)
    bin/ldapmodrdn
    bin/ldapsearch        Command-line utilities for searching an LDAP directory
    bin/ldapcompare       or testing a compare
    bin/ldappasswd        A tool for changing the password attribute in LDAP
                          entries. This tool is the equivalent of /bin/passwd
    sbin/slapadd          Tools for manipulating the local backend data store
    sbin/slapcat          used by the slapd daemon
    sbin/slapindex
    sbin/slappasswd       A simple utility to generate password hashes suitable
                          for use in slapd.conf
    lib/libldap*          The OpenLDAP client SDK
    lib/liblber*
    include/ldap*.h
    include/lber*.h


    The slapd.conf Configuration File

    Central source of configuration information

    Used by slapd, slurpd, and related tools, such as slapcat and slapadd

    Tools like slapmodify and slapsearch use ldap.conf (not slapd.conf) for default settings

    Can be broken into two sections

    Parameters that affect overall behavior of the servers

    Parameters that relate to a specific database backend used

    by the slapd daemon


    The slapd.conf Configuration File

    Schema Files

    include /etc/ldap/schema/...

    corba.schema
    Schema for storing Corba Objects in LDAP (RFC 2714)

    core.schema
    OpenLDAP required core schemas: basic LDAPv3 attributes and objects described in RFCs 2251-2256

    cosine.schema
    For supporting COSINE and X.500 directory pilots (RFC 1274)

    inetorgperson.schema
    Defines inetOrgPerson object class & attributes (RFC 2798)

    java.schema
    For storing Java objects (RFC 2713)

    misc.schema
    Miscellaneous objects (eg. LDAP-based mail routing with sendmail)

    nis.schema
    Attributes and objects necessary for using LDAP+NIS (RFC 2307)

    openldap.schema
    Miscellaneous objects used by the OpenLDAP project


    The slapd.conf Configuration File

    Logging

    loglevel 296
    pidfile /var/run/slapd.pid
    argsfile /var/run/slapd.args

    loglevel is a set of bit flags that should be OR'ed together (eg. 296 = 256 + 32 + 8: statistics, search filter processing, and connection management)

    Level   Information recorded
    -1      All logging information
    0       No logging information
    1       Trace function calls
    2       Packet-handling debugging information
    4       Heavy trace debugging
    8       Connection management
    16      Packets sent and received
    32      Search filter processing
    64      Configuration file processing
    128     Access Control List processing
    256     Statistics for connection, operations, and results
    512     Statistics for results returned to clients
    1024    Communication with shell backends
    2048    Print entry parsing debug information


    The slapd.conf Configuration File

    SASL Options

    SASL is not needed if only simple binds will be used

    However, often useful to allow a combination of simple

    binds and SASL mechanisms for user connections, eg.:

    Normal users can do lookups via a simple bind

    Administrators must authenticate via SASL

    slapd.conf has three SASL-related global options:

    sasl-host hostname

    sasl-realm string

    sasl-secprops properties

    sasl-host and sasl-realm are respectively the FQDN and SASL domain used for authentication

    Use sasldblistusers to dump the /etc/sasldb database

    sasl-secprops allows you to define conditions that affect SASL security properties (see next slide)


    The slapd.conf Configuration File

    SASL Options (cont.)

    sasl-secprops parameter values and descriptions:

    Flag             Description
    none             Clears the default security properties (noplain, noanonymous)
    noplain          Disables mechanisms vulnerable to passive attacks, such as viewing
                     network packets to examine passwords
    noactive         Disables mechanisms vulnerable to active attacks
    nodict           Disables mechanisms that are vulnerable to dictionary-based password
                     attacks
    noanonymous      Disables mechanisms that support anonymous logins
    forwardsec       Requires forward secrecy between sessions
    passcred         Requires mechanisms that pass client credentials
    minssf=factor    Defines the minimum security strength enforced. Possible values
                     include: 0 (no protection), 1 (integrity protection only), 56 (allow
                     DES encryption), 112 (allow 3DES or other strong encryption methods),
                     and 128 (allow RC4, Blowfish, or other encryption algorithms of this
                     class)
    maxssf=factor    Defines the maximum security strength setting. The possible values
                     are identical to those of minssf
    maxbufsize=size  Defines the maximum size of the security layer receive buffer. A
                     value of 0 disables the security layer. The default value is the
                     maximum of INT_MAX (ie. 65536)


    The slapd.conf Configuration File

    SASL Options (cont.)

    Various cyrus-sasl plugins:

    SASL Mechanism   Security Property Flags         maxssf
    ANONYMOUS        NOPLAIN                         0
    CRAM-MD5         NOPLAIN                         0
    DIGEST-MD5       NOPLAIN NOANONYMOUS             128 if compiled with RC4; 112 if
                                                     compiled with DES; 0 if compiled
                                                     with neither RC4 nor DES
    GSSAPI           NOPLAIN NOACTIVE NOANONYMOUS    56
    KERBEROS_V4      NOPLAIN NOACTIVE NOANONYMOUS    56
    LOGIN            NOANONYMOUS                     0
    PLAIN            NOANONYMOUS                     0
    SCRAM-MD5        NONE                            0
    SRP              NOPLAIN                         0


    The slapd.conf Configuration File

    SASL Options (cont.)

    If you had this in slapd.conf:

    ## No PLAIN or ANONYMOUS mechanisms; use DES encryption
    sasl-secprops noplain,noanonymous,minssf=56

    the following mechanisms for authentication would be allowed:

    DIGEST-MD5

    GSSAPI

    KERBEROS_V4
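As an added example (not cyrus-sasl or OpenLDAP code), the following reproduces that selection: it parses a sasl-secprops value and keeps only the mechanisms from the plugin table above that carry every required property flag and whose maxssf reaches minssf. It assumes the DIGEST-MD5 plugin was compiled with RC4 (maxssf 128) and models only the flag and minssf properties.

```python
# Added example (not cyrus-sasl or OpenLDAP code): which SASL mechanisms a given
# sasl-secprops line leaves usable, using the plugin table on the previous slide.
# maxssf for DIGEST-MD5 assumes a plugin compiled with RC4 (128).
MECHANISMS = {        # name: (security property flags the mechanism satisfies, maxssf)
    "ANONYMOUS":   ({"NOPLAIN"}, 0),
    "CRAM-MD5":    ({"NOPLAIN"}, 0),
    "DIGEST-MD5":  ({"NOPLAIN", "NOANONYMOUS"}, 128),
    "GSSAPI":      ({"NOPLAIN", "NOACTIVE", "NOANONYMOUS"}, 56),
    "KERBEROS_V4": ({"NOPLAIN", "NOACTIVE", "NOANONYMOUS"}, 56),
    "LOGIN":       ({"NOANONYMOUS"}, 0),
    "PLAIN":       ({"NOANONYMOUS"}, 0),
    "SCRAM-MD5":   (set(), 0),
    "SRP":         ({"NOPLAIN"}, 0),
}
DEFAULT_FLAGS = {"NOPLAIN", "NOANONYMOUS"}     # in force unless "none" clears them
FLAG_WORDS = {"noplain", "noactive", "nodict", "noanonymous", "forwardsec", "passcred"}

def parse_secprops(spec):
    """Return (required flags, minssf) for a value such as
    'noplain,noanonymous,minssf=56'; an empty value keeps the defaults."""
    flags, minssf = set(DEFAULT_FLAGS), 0
    for prop in filter(None, (p.strip() for p in spec.split(","))):
        if prop == "none":
            flags.clear()
        elif prop in FLAG_WORDS:
            flags.add(prop.upper())
        elif prop.startswith("minssf="):
            minssf = int(prop[len("minssf="):])
        elif prop.startswith(("maxssf=", "maxbufsize=")):
            pass                                   # irrelevant to mechanism choice
        else:
            raise ValueError("unknown sasl-secprops property: " + prop)
    return flags, minssf

def allowed_mechanisms(spec):
    """Mechanisms carrying every required flag whose maxssf reaches minssf."""
    required, minssf = parse_secprops(spec)
    return sorted(name for name, (flags, maxssf) in MECHANISMS.items()
                  if required <= flags and maxssf >= minssf)

if __name__ == "__main__":
    # The slide's line: DIGEST-MD5, GSSAPI and KERBEROS_V4 survive
    print(allowed_mechanisms("noplain,noanonymous,minssf=56"))
```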


    The slapd.conf Configuration File

    SSL/TLS Options

    Parameters:

    TLSCipherSuite cipher-suite-specification

    TLSCertificateFile filename

    TLSCertificateKeyFile filename


    The slapd.conf Configuration File

    Serving Up Data

    After global section: one or more database sections, each defining a directory partition

    database directive, possible values:

    bdb: BerkeleyDB 4 database manager, makes extensive use of indexing and caching; recommended OpenLDAP backend

    ldbm: GNU Database Manager or Sleepycat BerkeleyDB; older implementation

    passwd: Quick and dirty means of providing a directory interface to the system passwd file

    shell: Allows the use of alternative (external) databases


    The slapd.conf Configuration File

    Serving Up Data (cont.)

    Example:

    # Begin a new database section
    database bdb
    # Define the root suffix you serve
    suffix dc=plainjoe,dc=org
    # Define root DN for superuser privileges
    rootdn cn=Manager,dc=plainjoe,dc=org
    # Define root DN's password: salted secure hash of 'secret'
    rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
    # Directory containing the database files
    directory /var/ldap/plainjoe.org
    # Files should be created rw for the owner *only*
    mode 0600
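As an added example (not OpenLDAP's slappasswd), the following builds and checks {SSHA} values of the layout used for rootpw above: base64 of the SHA-1 digest of password + salt, followed by the salt. The 4-byte salt length is an assumption for generation only; verification takes whatever salt the stored value carries.

```python
import base64
import hashlib
import hmac
import os

# Added example (not OpenLDAP's slappasswd): build and check {SSHA} values of the
# layout slappasswd -h {SSHA} emits for rootpw: base64( SHA1(password + salt) + salt ).
SALT_LEN = 4                      # assumption for generation; verification reads the salt

def ssha_hash(password, salt=None):
    """Return a {SSHA} string for password; a random salt is drawn unless given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """True if password matches a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:                  # binascii.Error is a ValueError
        return False
    if len(raw) <= 20:                  # 20-byte SHA-1 digest must be followed by salt
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # Check the slide's rootpw value against its documented password 'secret'
    print(ssha_verify("secret", "{SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy"))
    print(ssha_hash("secret"))      # a fresh salt gives a different string each run
```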


    Access Control Lists

    OpenLDAP ACLs are simple in syntax, yet very flexible and powerful

    Basic idea:

    WHO has ACCESS to WHAT ?


    Access Control Lists (cont.)

    WHO has ACCESS to WHAT ?

    WHO can be:

    *
    Any connected user, including anonymous connections

    self
    DN of currently connected user

    anonymous
    Nonauthenticated user connections

    users
    Authenticated user connections

    Regular expression
    Matches a DN or a SASL identity

    Note: login name can be a DN (dn=cn=gerald carter,ou=people,dc=plainjoe,dc=org) or a SASL identity (dn=uid=jerry,cn=gssapi,cn=auth)


    Access Control Lists (cont.)

    WHO has ACCESS to WHAT ? (cont.)

    ACCESS can be:

    write
    Access to update attribute values

    read
    Access to read search results (eg. show all entries with a telephoneNumber of 555*)

    search
    Access to apply search filters (eg. are there any entries with a telephoneNumber of 555*)

    compare
    Access to compare attributes

    auth
    Access to bind (authenticate). Requires that the client send a username (DN) and some type of credentials

    none

    No access


    Access Control Lists (cont.)

    WHO has ACCESS to WHAT ? (cont.)

    WHAT can be:

    Regular expression defining the DN of the proposed target of the ACL
    Syntax is dn.targetstyle=regex
    where:
    targetstyle is one of base, subtree, one, or children
    regex is a regular expression representing a DN
    targetstyle is used to broaden or narrow the scope (default subtree)

    An LDAP search filter that conforms to RFC 2254
    Syntax is filter=ldapFilter

    A comma-separated list of attribute names
    Syntax is attrs=attributeList


    Access Control Lists (cont.)

    Examples

    Simple ACL granting read access to the world:

    access to *
      by * read

    Restrict access to the userPassword attribute:

    access to attrs=userPassword
      by * auth

    User should be allowed to modify her own password:

    access to attrs=userPassword
      by self write
      by * auth


    Access Control Lists (cont.)

    Examples (cont.)

    ACLs are evaluated on a first-match-wins basis: more restrictive ACLs should be listed prior to more general ones

    eg.:

    access to attrs=userPassword
      by * auth
    access to attrs=userPassword
      by self write
      by * auth

    better:

    access to attrs=userPassword
      by self write
      by * auth
    access to attrs=userPassword
      by * auth


    Access Control Lists (cont.)

    Examples (cont.)

    Assume:
    Administrative accounts are located beneath the DN ou=admins,ou=eng,dc=plainjoe,dc=org
    Normal user accounts are located beneath ou=users,ou=eng,dc=plainjoe,dc=org
    Normal users should not be allowed to see other users' passwords
    A user should be able to modify his password
    Admin users should be able to modify any user's password

    Gives:

    access to dn=.*,ou=eng,dc=plainjoe,dc=org attrs=userPassword
      by self write
      by * auth
      by dn=.*,ou=admins,ou=eng,dc=plainjoe,dc=org write


    Access Control Lists (cont.)

    Examples (cont.)

    This example:

    access to dn=.*,ou=eng,dc=plainjoe,dc=org attrs=userPassword
      by self write
      by * auth
      by dn=.*,ou=admins,ou=eng,dc=plainjoe,dc=org write

    Can also be written as:

    access to dn.children=ou=eng,dc=plainjoe,dc=org attrs=userPassword
      by self write
      by * auth
      by dn.children=ou=admins,ou=eng,dc=plainjoe,dc=org write
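As an added example (not OpenLDAP code), the following is a simplified model of how slapd evaluates the userPassword directives above: the first "access to" whose target matches is selected, and within it the first "by" clause whose who-selector matches fixes the access level, so the order of both directives and "by" clauses matters. Since "by * auth" matches every requester, the admin clause of the ou=eng example only takes effect when it is listed before that catch-all, and the model below orders it that way. The requester DNs and the DN/attribute representation are constructed for the example.

```python
import re

# Added example (not OpenLDAP code): simplified model of slapd ACL evaluation.
# Access levels in increasing order; granting a level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, requester, target):
    """<who> selector against the bound DN (None = anonymous) and target entry DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target
    if who.startswith("dn="):                       # regex over the bound DN
        return requester is not None and re.fullmatch(who[3:], requester) is not None
    raise ValueError("unsupported <who>: " + who)

def what_matches(what, target, attr):
    """<what> = (DN regex or None, attribute set or None); None means any."""
    dn_re, attrs = what
    if dn_re is not None and re.fullmatch(dn_re, target) is None:
        return False
    return attrs is None or attr in attrs

def access_granted(acls, requester, target, attr, wanted):
    """First-match-wins: the first directive whose <what> matches is used, and
    within it the first matching <by> clause fixes the level. No match = denied."""
    for what, by_clauses in acls:
        if not what_matches(what, target, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, target):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    return False

PW = {"userPassword"}
ENG = r".*,ou=eng,dc=plainjoe,dc=org"
ADMINS = r".*,ou=admins,ou=eng,dc=plainjoe,dc=org"
# The "eg." ordering: "by * auth" in the first directive shadows "by self write".
ACL_EG = [((None, PW), [("*", "auth")]),
          ((None, PW), [("self", "write"), ("*", "auth")])]
# The "better" ordering: self gets write, everyone else only auth.
ACL_BETTER = [((None, PW), [("self", "write"), ("*", "auth")])]
# The ou=eng scenario, with the admin clause ahead of the catch-all "by * auth".
ACL_ENG = [((ENG, PW), [("self", "write"), ("dn=" + ADMINS, "write"), ("*", "auth")])]
```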