Using OpenLDAP
Doc. v. rc0.1 - 2/06/09
About Me
Freelance Consultant - Software Developer, System Integrator
Founder of OpenThink Labs
OSS Evangelist
Main Developer of OpenThink SAS
More Info:
Blog: http://wildanm.wordpress.com
Gtalk: wildan.m
Overview
The basic functional division of the OpenLDAP tools: daemons, clients, and utilities
The basic directory server operations
Building an initial directory tree in an LDIF file
Loading the data into the directory
Working with the directory records
Searching the directory
Setting passwords and authenticating against the directory
SLAPD
The SLAPD server handles all client interactions, including authentication (called binding in LDAP parlance), processing ACLs, performing searches, and handling changes, additions, and deletions of the data. It also manages the databases that store LDAP content.
The Binding Operation
Typically, there are two different ways by which a client can authenticate to a server: through a Simple Bind, and through an SASL Bind. Typically, to authenticate a user, SLAPD looks up the DN (and the DN's userPassword attribute) in the directory and verifies the following:
1. The supplied DN exists in the directory.
2. The DN is allowed to connect under the present conditions (such as from the originating IP address, or with the currently-implemented security features).
3. The password supplied matches the value of the DN's userPassword attribute.
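As an added illustration of the three checks (this is not code from the slides or from OpenLDAP itself), the following Python simulates a Simple Bind against a small in-memory directory. The userPassword values use the {SSHA} scheme that slappasswd produces (base64 of SHA-1(password + salt) followed by the salt); the directory contents, the per-DN source-address policy that stands in for the "present conditions", and the way reasons are kept server-side are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Added example; not part of the slides or of OpenLDAP.


def ssha_hash(password, salt=None):
    """Build a {SSHA} userPassword value in the layout slappasswd emits:
    base64( SHA-1(password + salt) + salt ), with a 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against a stored {SSHA} value.
    The stored value never reveals the password; the digest comparison is
    constant-time so timing does not leak how many bytes matched."""
    if not stored.startswith("{SSHA}"):
        return False  # other password schemes are out of scope here (assumption)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes long
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# LDAP result codes used by simple_bind()
SUCCESS = 0
INVALID_CREDENTIALS = 49

# Constructed directory: one user whose password is "secret", hashed with a
# fixed salt so the stored value is reproducible.
DIRECTORY = {
    "uid=matt,ou=Users,dc=example,dc=com": {
        "userPassword": [ssha_hash("secret", salt=b"\x01\x02\x03\x04")],
    },
}

# Constructed policy (an assumption of this example): address prefixes from
# which each DN may bind. It models condition 2 on the slide.
POLICY = {
    "uid=matt,ou=Users,dc=example,dc=com": ["10.0.0."],
}


def simple_bind(directory, policy, dn, password, client_ip):
    """Return (result_code, server_side_reason) for a Simple Bind.
    Only the code would go back to the client; every failure maps to the
    same code, so a client cannot tell a missing DN from a wrong password."""
    if password == "":
        # DN plus empty password is an *unauthenticated* bind in LDAP, not a
        # password check; refuse it instead of treating it as a login.
        return INVALID_CREDENTIALS, "empty password: unauthenticated bind refused"
    entry = directory.get(dn)
    if entry is None:
        return INVALID_CREDENTIALS, "no such DN"  # check 1
    if not any(client_ip.startswith(p) for p in policy.get(dn, [])):
        return INVALID_CREDENTIALS, "bind not permitted from %s" % client_ip  # check 2
    if not any(ssha_verify(v, password) for v in entry.get("userPassword", [])):
        return INVALID_CREDENTIALS, "password mismatch"  # check 3
    return SUCCESS, "bound as %s" % dn


if __name__ == "__main__":
    dn = "uid=matt,ou=Users,dc=example,dc=com"
    for pw, ip in [("secret", "10.0.0.7"), ("secret", "203.0.113.9"), ("wrong", "10.0.0.7")]:
        print(pw, ip, simple_bind(DIRECTORY, POLICY, dn, pw, ip))
```

The single result code for all failures is the same behaviour slapd shows (an unknown DN and a wrong password both come back as invalidCredentials); the detailed reason belongs in the server log, where it is useful for detecting password guessing without helping the guesser.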
The Search Operation
In order to search the directory we need to know the following things:
Base DN: Where in the directory to start from
Scope: How deep in the tree to look
Attributes: What information we want retrieved
Filter: What to look for
Example: Bob wants to get a list of all of the people in his organization, Example.Com, who have email addresses that begin with the letter m.
The Search Operation #2
We have:
Base DN: dc=example,dc=com
Scope: Entire subtree
Attributes: mail, cn, telephoneNumber
The search filter: (mail=m*)
This simple filter is composed of four parts:
First, the filter is enclosed in parentheses. Parentheses are used for grouping elements within the filter. For any filter, the entire filter should always be enclosed in parentheses.
Second, the filter begins with an attribute description: mail.
Third is the matching rule. There are four matching rules: equality (=), approximate match (~=), greater than or equal to (>=), and less than or equal to (<=). How these are used (and whether they can be used) is determined to a large degree by the directory schema. In this case the filter performs string matching.
Finally, we have the assertion value: the string or pattern that we want results to match. In this case it is composed of the character m and the wildcard character (*). This indicates that the string must start with m, and can then have zero or more characters following it.
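To show the four search inputs and the four filter parts working together, here is an added Python example (not code from the slides or from OpenLDAP): a parser and evaluator for one-clause filters of the form (attribute OP value) covering the four matching rules and the * wildcard, plus base DN and scope handling, run over a constructed in-memory copy of the Example.Com entries. The approximate-match normalisation and the naive comma-split DN parsing are simplifications of what a real server does with its schema.

```python
import re

# Added example; not part of the slides or of OpenLDAP.
# Grammar handled: "(" attribute OP value ")" with OP one of = ~= >= <=
FILTER_RE = re.compile(
    r"^\((?P<attr>[A-Za-z][\w;.-]*)(?P<op>~=|>=|<=|=)(?P<value>[^()]*)\)$")


def parse_filter(text):
    """Split '(attr OP value)' into (attr, op, value); anything else is rejected."""
    m = FILTER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported filter syntax: %r" % (text,))
    return m.group("attr").lower(), m.group("op"), m.group("value")


def _norm(s):
    # Crude approximate-match normalisation (assumption: real servers use a
    # schema matching rule such as a phonetic algorithm instead).
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _ordering_key(s):
    # Numeric strings order as integers, everything else case-insensitively.
    return (0, int(s)) if s.strip().isdigit() else (1, s.lower())


def value_matches(op, pattern, value):
    """Apply one of the four matching rules to a single attribute value."""
    if op == "=":
        # '*' matches zero or more characters; everything else is literal text
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, value, re.IGNORECASE) is not None
    if op == "~=":
        return _norm(pattern) == _norm(value)
    if op == ">=":
        return _ordering_key(value) >= _ordering_key(pattern)
    if op == "<=":
        return _ordering_key(value) <= _ordering_key(pattern)
    raise ValueError("unknown matching rule %r" % (op,))


def entry_matches(entry, parsed):
    attr, op, pattern = parsed
    return any(value_matches(op, pattern, v) for v in entry.get(attr, []))


def _rdns(dn):
    # Naive DN split on commas; escaped commas are not handled (assumption).
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(dn, base, scope):
    d, b = _rdns(dn), _rdns(base)
    if scope == "base":
        return d == b
    if scope == "one":
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "sub":
        return len(d) >= len(b) and d[len(d) - len(b):] == b
    raise ValueError("scope must be base, one or sub")


def search(directory, base, scope, flt, attrs=None):
    """Return {dn: {attr: values}} for in-scope entries satisfying the filter,
    restricted to the requested attributes (all attributes if none given)."""
    parsed = parse_filter(flt)
    results = {}
    for dn, entry in directory.items():
        if in_scope(dn, base, scope) and entry_matches(entry, parsed):
            wanted = [a.lower() for a in attrs] if attrs else list(entry)
            results[dn] = {a: entry[a] for a in wanted if a in entry}
    return results


# Constructed directory (attribute names stored lowercase), modelled on the
# Example.Com entries shown on the slides.
DIRECTORY = {
    "dc=example,dc=com": {"dc": ["example"], "o": ["Example.Com"]},
    "ou=Users,dc=example,dc=com": {"ou": ["Users"]},
    "uid=matt,ou=Users,dc=example,dc=com": {
        "uid": ["matt"], "cn": ["Matt Butcher"], "departmentnumber": ["001"],
        "mail": ["mbutcher@example.com", "matt@example.com"],
        "telephonenumber": ["+1 555 555 4321"],
    },
    "uid=barbara,ou=Users,dc=example,dc=com": {
        "uid": ["barbara"], "cn": ["Barbara Jensen"], "departmentnumber": ["002"],
        "mail": ["barbara@example.com"],
    },
}

if __name__ == "__main__":
    # Bob's query from the slide: subtree search under the root for mail=m*
    hits = search(DIRECTORY, "dc=example,dc=com", "sub", "(mail=m*)",
                  ["mail", "cn", "telephoneNumber"])
    for dn, attrs in hits.items():
        print(dn, attrs)
```

Only Matt's entry is returned for Bob's query; the same filter with scope one under the root returns nothing, because the user entries sit one level deeper than the OU, which is the usual reason a search "finds nothing" when the filter is correct.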
The Addition Operation
An entire record for a user to be added might look something like this:
dn: uid=bjensen,dc=example,dc=com
cn: Barbara Jensen
mail: bjensen@example.com
uid: bjensen
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
The Modification Operation
Modification acts on a particular record, specified by DN. Any number of changes can be done on a single record in one modification request:
An add request
A replace request
A delete request
The Delete Operation
Finally, an entire LDAP record can be deleted. Like modifications, deletion operates on a particular record, the record's DN. During a delete operation, the entire record is removed from the directory: the DN and all attributes. Only records that do not have children can be deleted from the directory. If an entry has children, the children must be removed from the directory (or relocated to another part of the tree) before the parent entry can be removed.
Infrequent Operations
ModifyDN
Compare
Extended Operation
ModifyDN
The ModifyDN operation provides a way to change just the RDN or the entire DN. Changing the latter equates to moving the record to another part of the directory tree.
The Compare Operation
A Compare operation takes a DN and an attribute value assertion (attribute = value), and checks to see if that attribute assertion is true or false. For example, if the client supplies the DN cn=Matt,dc=example,dc=com and the attribute value assertion cn=Matthew, then the server will return true if the record has an attribute cn with the value Matthew, or false otherwise. This operation can be faster (and also more secure) than fetching a record and doing the comparison on the client side.
The Extended Operation
Finally, OpenLDAP implements the LDAP v.3 Extended Operation, which makes it possible for a server to implement custom operations. The exact syntax of an Extended Operation will depend on the implementation of the extension. The supported Extended Operations are listed in the root DSE under the supportedExtension attribute. Take a look at the root DSE at the end of Slide #2. In that record there are two extended operations:
1.3.6.1.4.1.4203.1.11.1: This Modify Password extension is defined in RFC 3062 (http://www.rfc-editor.org/rfc/rfc3062.txt). This extension provides an operation for updating a password in the directory.
1.3.6.1.4.1.4203.1.11.3: This Who Am I? extension is defined in RFC 4532 (http://www.rfc-editor.org/rfc/rfc4532.txt). This extension makes it possible for the currently active DN to find out about itself from the server.
SLAPD Summary
SLURPD
Example.com LDIF
There are two popular ways of defining the roots of an organizational directory tree. The first is to create a root entry that indicates the official name of the organization and the geographic location (usually just the country) of the organization. Here are a few examples:
o=Airius Ltd.,c=UK
o=Acme GmbH,c=DE
o=Example.Com,c=US
In each of these three examples, o represents the organization name, and c is the two-character country code. The second popular model is to use the organization's domain name. For example, if the company Airius has registered the airius.co.uk domain name, then the root DN would be composed of three domain component (dc) attributes:
dc=airius,dc=co,dc=uk
dc=acme,dc=de
dc=example,dc=com
With our OUs in place we are ready to add a third tier to our directory tree. Before we start creating individual records, let's get an overview of what this next tier will look like. Here is the directory tree structure with a group, a system account, and a pair of users:
# This is the root of the directory tree
dn: dc=example,dc=com
description: Example.Com, your trusted non-existent corporation.
dc: example
o: Example.Com
objectClass: top
objectClass: dcObject
objectClass: organization

# Subtree for users
dn: ou=Users,dc=example,dc=com
ou: Users
description: Example.Com Users
objectClass: organizationalUnit

# Subtree for groups
dn: ou=Groups,dc=example,dc=com
ou: Groups
description: Example.Com Groups
objectClass: organizationalUnit

# Subtree for system accounts
dn: ou=System,dc=example,dc=com
ou: System
description: Special accounts used by software applications.
objectClass: organizationalUnit

##
## USERS ##

# Matt Butcher
dn: uid=matt,ou=Users,dc=example,dc=com
ou: Users
# Name info:
uid: matt
cn: Matt Butcher
sn: Butcher
givenName: Matt
givenName: Matthew
displayName: Matt Butcher
# Work Info:
title: Systems Integrator
description: Systems Integration and IT for Example.Com
employeeType: Employee
departmentNumber: 001
employeeNumber: 001-08-98
mail: mbutcher@example.com
mail: matt@example.com
roomNumber: 301
telephoneNumber: +1 555 555 4321
mobile: +1 555 555 6789
st: Illinois
l: Chicago
street: 1234 Cicero Ave.
# Home Info:
homePhone: +1 555 555 9876
homePostalAddress: 1234 home street $ Chicago, IL $ 60699-1234
# Misc:
userPassword: secret
preferredLanguage: en-us,en-gb
# Object Classes:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

# Barbara Jensen:
dn: uid=barbara,ou=Users,dc=example,dc=com
ou: Users
uid: barbara
sn: Jensen
cn: Barbara Jensen
givenName: Barbara
displayName: Barbara Jensen
mail: barbara@example.com
userPassword: secret
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

# LDAP Admin Group:
dn: cn=LDAP Admins,ou=Groups,dc=example,dc=com
cn: LDAP Admins
ou: Groups
description: Users who are LDAP administrators
# Member values must be the full DNs of the user entries defined above
# (the ou=Users component was missing in the original listing)
uniqueMember: uid=barbara,ou=Users,dc=example,dc=com
uniqueMember: uid=matt,ou=Users,dc=example,dc=com
objectClass: groupOfUniqueNames

# Special Account for Authentication:
dn: uid=authenticate,ou=System,dc=example,dc=com
uid: authenticate
ou: System
description: Special account for authenticating users
userPassword: secret
objectClass: account
objectClass: simpleSecurityObject
slapadd
The slapadd program is used to load directory data, formatted as LDIF files, directly into OpenLDAP. It is executed from within an operating system shell (for example a command prompt or shell script). The slapadd program does not use the LDAP protocol to connect to a running server. Instead, it works directly with the OpenLDAP backend. For that reason, when you run slapadd you must first shut down the directory server. Otherwise, you may end up with conflicts between the slapd server process and the slapadd process as they both try to exclusively manage the same databases.
What Does slapadd Do?
The slapadd utility reads the slapd.conf file (and any included files), loads the appropriate backend databases, and then reads LDIF data (usually from a file). As it reads the data, it verifies that all of the records are correctly constructed (that the DNs are in a tree that the server manages, that the records use the right attributes for their object classes, that all required fields are there, that the record is formatted correctly, and so on), and then it loads the records into the appropriate backend. Since slapadd does not connect over the LDAP protocol, it does not require any authentication to the directory. It does, however, require write access to the directory database files. So slapadd is usually run from the shell of either the user that runs the directory (often ldap or slapd) or from the root account.
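The checks described above can be seen in miniature in this added Python example (not code from the slides or from OpenLDAP): a small LDIF reader and a validator that checks the suffix, parent ordering, the naming attribute, and required attributes per object class, and additionally verifies that every uniqueMember value names an entry in the file, which slapadd itself does not do. The required-attribute table is an assumption, a heavily reduced version of the core schema for just the object classes used on the slides, and the LDIF sample is constructed with two deliberate defects so that the validator has something to report.

```python
# Added example; not part of the slides or of OpenLDAP.

# Required ("MUST") attributes per object class, lowercase. This is an
# assumption: a reduced stand-in for the real core/inetorgperson schema.
MUST = {
    "top": ["objectclass"],
    "dcobject": ["dc"],
    "organization": ["o"],
    "organizationalunit": ["ou"],
    "person": ["sn", "cn"],
    "organizationalperson": [],
    "inetorgperson": [],
    "groupofuniquenames": ["cn", "uniquemember"],
    "account": ["uid"],
    "simplesecurityobject": ["userpassword"],
}


def parse_ldif(text):
    """Parse LDIF into an ordered list of (dn, {attr: [values]}).
    Handles '#' comments, blank-line record separators and folded
    continuation lines; base64 ('::') values are not handled (assumption)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current, dn = [], {}, None
    for line in lines + [""]:               # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if dn is not None:
                entries.append((dn, current))
            current, dn = {}, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries


def _norm_dn(dn):
    # Naive comma split; escaped commas are not handled (assumption).
    return ",".join(p.strip().lower() for p in dn.split(","))


def validate(entries, suffix):
    """Return a list of problems; an empty list means the data would load."""
    problems, seen = [], set()
    nsuffix = _norm_dn(suffix)
    for dn, attrs in entries:
        ndn = _norm_dn(dn)
        if not (ndn == nsuffix or ndn.endswith("," + nsuffix)):
            problems.append("%s: not under suffix %s" % (dn, suffix))
        parent = ndn.split(",", 1)[1] if "," in ndn else None
        if ndn != nsuffix and parent not in seen:
            problems.append("%s: parent entry not loaded before child" % dn)
        rdn_attr, _, rdn_val = ndn.split(",", 1)[0].partition("=")
        if rdn_val not in [v.lower() for v in attrs.get(rdn_attr, [])]:
            problems.append("%s: naming attribute %s missing from entry" % (dn, rdn_attr))
        for oc in attrs.get("objectclass", []):
            if oc.lower() not in MUST:
                problems.append("%s: unknown objectClass %s" % (dn, oc))
            for must in MUST.get(oc.lower(), []):
                if must not in attrs:
                    problems.append("%s: objectClass %s requires %s" % (dn, oc, must))
        seen.add(ndn)
    # Referential check slapadd does not perform: members must exist.
    for dn, attrs in entries:
        for member in attrs.get("uniquemember", []):
            if _norm_dn(member) not in seen:
                problems.append("%s: uniqueMember %s does not exist" % (dn, member))
    return problems


# Constructed sample, modelled on the slide's Example.Com tree, with two
# deliberate defects (see the comments inside the LDIF).
SAMPLE_LDIF = """\
dn: dc=example,dc=com
dc: example
o: Example.Com
objectClass: top
objectClass: dcObject
objectClass: organization

dn: ou=Users,dc=example,dc=com
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=example,dc=com
ou: Groups
objectClass: organizationalUnit

dn: uid=matt,ou=Users,dc=example,dc=com
uid: matt
cn: Matt Butcher
sn: Butcher
objectClass: inetOrgPerson

# defect 1: person requires sn, and it is absent
dn: uid=barbara,ou=Users,dc=example,dc=com
uid: barbara
cn: Barbara Jensen
objectClass: person

# defect 2: the second member DN names no entry in this file
dn: cn=LDAP Admins,ou=Groups,dc=example,dc=com
cn: LDAP Admins
uniqueMember: uid=matt,ou=Users,dc=example,dc=com
uniqueMember: uid=nobody,ou=Users,dc=example,dc=com
objectClass: groupOfUniqueNames
"""

if __name__ == "__main__":
    for problem in validate(parse_ldif(SAMPLE_LDIF), "dc=example,dc=com"):
        print(problem)
```

Running the file prints exactly the two planted defects. The member check is the one worth keeping around in real deployments: slapadd accepts a group whose uniqueMember points at a DN that does not exist, and the mistake only shows up later as an administrator who is silently not in the admin group.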
Stopping The Server
wildan@OpenThinkLabs:~$ sudo /etc/init.d/slapd stop
none 3as%S
No errors. We are ready to proceed to the third step: importing the records into the directory.
slapindex
slapcat
Operational Attributes
slapacl
slapauth
slapdn
slappasswd
slaptest
ldapsearch
ldapadd
ldapmodify
ldapdelete
ldapcompare
ldapmodrdn
Modifying the Superior DN with ldapmodrdn
ldappasswd
ldapwhoami
Common Flags
ldapsearch
A Simple Search
ldapadd
ldapmod!fy
ldapdelete
ldapcompare
ldapmodrdn
ldappasswd
ldapwhoami
Summary
Q&A
Reference
Matt Butcher, Mastering OpenLDAP, PACKT Publishing