Presentation is loading. Please wait.

Presentation is loading. Please wait.

OpenLDAP: Building and Configuring CNS 4650 Fall 2004 Rev. 2.

Published byAubrey Lesley Newton Modified over 9 years ago

Similar presentations

Presentation on theme: "OpenLDAP: Building and Configuring CNS 4650 Fall 2004 Rev. 2."— Presentation transcript:

1 OpenLDAP: Building and Configuring CNS 4650 Fall 2004 Rev. 2

2 OpenLDAP History http://www.openldap.org Based off the Umich code Died ~ 1996 OpenLDAP started ~1998 OpenLDAP 1.0 - August 1998

3 Downloading OpenLDAP Download http://www.openldap.org/software/download/ 2.2.18 (~August 2004) Software packaged in a “tar-ball” Tar’ed and then gzip’ed openldap-2.18.tgz

4 Building OpenLDAP Requirements C/C++ compiler (gcc) Posix REGEX (available on most modern Linux/UN*X systems) Sleepycat Berkeley DB 4.2+ Recommended Cyrus SASL 2.1.18+ OpenSSL 0.9.7+

5 Building SLAPD BDB Backend Sleepycat Berkeley DB 4.2+ LDBM Backend Compatible database manager Berkeley DB, GDBM, etc.

6 Building SLURPD Thread Library Pthreads (POSIX), Cthreads (Mach)

7 Enviroment Variables VariableDescriptionExample CCC compiler gcc CFLAGSC Flags -O -g CPPFLAGSCPP Flags -I/path/include -DFOO=42 LDFLAGSLD Flags -L/usr/local/lib LIBSLibraries -llib PATHCommand Path /usr/local/bin:/usr/bin:/bin

8 Environment Variables Bash export LDFLAGS=-L/usr/local/Berkeley4.2/lib Tcsh (TC Shell/C Shell) setenv LDFLAGS=-L/usr/local/Berkeley4.2/lib

9 Building for Linux Might have to add directories for SASL, SSL, Berkeley libraries to /etc/ld.so.conf After run ldconfig -v Set the LD_LIBRARY_PATH with the example from the previous slide export LD_LIBRARY_PATH=/usr/local/Berkeley4.2/lib

10 Building cd openldap-2.2.18./configure --enable-wrappers --enable-wrappers allows slapd to be TCP wrappers aware The configure script will warn you if dependencies cannot be found. If no errors then continue

11 Building make depend make make test sudo -s make install

12 Troubleshooting Builds Make for sure you have a valid network interface. (ifconfig -a) Verify you have the proper environmental flags set (LD_LIBRARY_PATH, LDFLAGS, CPPFLAGS, etc.)

13 What is Installed? Servers Client utilities Developer libraries

14 Servers BinariesDescription /usr/local/libexec/slapdThe LDAP Server /usr/local/libexec/slurpdThe LDAP Replication “Server”

15 Client Utilities NameDescription /usr/local/bin/ldapaddCommand line tool for adding entries (LDAPv2 & LDAPv3) /usr/local/bin/ldapmodifyCommand line tool for modifying entries (LDAPv2 & LDAPv3) /usr/local/bin/ldapdeleteCommand line tool for deleteing entries (LDAPv2 & LDAPv3) /usr/local/bin/ldapmodrdnCommand line tool for modifying entries RDN (LDAPv2 & LDAPv3)

16 Client Utilities NameDescription /usr/local/bin/ldapsearchCommand line tool for searching LDAP servers /usr/local/bin/ldapsearchCommand line tool for comparing entry’s attributes /usr/local/bin/ldappasswdCommand line tool for changing a password attribute /usr/local/sbin/slapadd /usr/local/sbin/slapcat /usr/local/sbin/slapindex Command line tool for manipulating the backend data store /usr/local/sbin/slappasswdGenerates a password for use in the slapd.conf file

17 Developer Libraries NameDescription /usr/local/lib/libldap*LDAP libraries /usr/local/lib/liblber*LBER libraries /usr/local/include/ldap*.hLDAP header files /usr/local/include/lber*.hLBER header files

18 Configuration Files Configuration files are located in /etc/openldap slapd.conf Configuration for the LDAP server ldap.conf Configuration for LDAP client utilities Schema Directory Contains schema for LDAP server

19 slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include/etc/openldap/schema/core.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referralldap://root.openldap.org loglevel296 pidfile/var/run/slapd.pid argsfile/var/run/slapd.args # Load dynamic backend modules: # modulepath/usr/local/libexec/modules # moduleloadback_bdb.la # moduleloadback_ldap.la # moduleloadback_ldbm.la # moduleloadback_passwd.la # moduleloadback_shell.la

20 Include Directive The “include” section contains the schema files that should be included If you extend schema for OpenLDAP, add path to your schema file in the include section include /etc/openldap/schema/my.schema By default core.schema is the only schema included. The administrator should probably add more Recommend adding the following include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema

21 Loglevel Directive You might need to add “loglevel” Add levels together to achieve desired log Example: 8 + 32 + 256 = 296 See table on next slide for log levels and descriptions

22 Loglevel Table LevelDescription All logging information 0No logging information 1Trace function calls 2Packet-handling debugging information 4Heavy trace debugging 8Connection management 16Packets sent and received 32Search filter processing 64Configuration file processing 128Access control list processing 256Statistics for connection, operation, and results 512Statistics for results returned to client 1024Communication with shell backend 2048Print entry parsing debug information

23 slapd Logging Logging happens at LOG_LEVEL4 of syslog Add following to /etc/syslog.conf Local4.log/var/log/slapd.log

24 Modules Directive The “modules” section allows for the LDAP server to talk to different backends or databases Example: UNIX flat files, PERL, Monitor Berkeley does not necessarily have to be uncommented If you plan to use Monitor then you need to add directive moduleload back_monitor.la Make sure you uncomment the first line!!! The path to the module directory

25 slapd.conf Cont. # Sample security restrictions #Require integrity protection (prevent hijacking) #Require 112-bit (3DES or better) encryption for updates #Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: #Root DSE: allow anyone to read it #Subschema (sub)entry DSE: allow anyone to read it #Other DSEs: #Allow self write access #Allow authenticated users read access #Allow anonymous users to authenticate #Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * #by self write #by users read #by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!

26 Access Control Lists What Regular expressions are used to define what can be accessed access to dn.[targetstyle]=[regex] targetstyle defines how far below the ACL applies (can contain subtree, base, one or nothing) regex is a DN of the container you wish to control

27 Access Control Lists Sample “What”s access to dn.base="cn=Subschema” access to dn=“.*,dc=uvsc,dc=edu” access to dn.one=“dc=uvsc,dc=edu”

28 Access Control Lists Who Defines who can perform what operation in the defined context by [who] [operation] [who] defines who exactly can perform the operation (*, self, anonymous, users, [regex that matches a DN]) [operation] defines what the defined user can do (read, write, search, compare, auth, none)

29 Access Control Lists Sample “Who”s by * auth by self write by * read by dn=“.*,ou=class,dc=uvsc,dc=edu”

30 Access Control Lists access to attrs=userPassword by self write by * auth access to dn.subtree=cn=monitor by dn.exact=“cn=Manager,dc=uvsc,dc=edu” write by dn.subtree=“dc=uvsc,dc=edu” read by * read access to * by self write by * read

31 slapd.conf Cont. ####################################################################### # BDB database definitions ####################################################################### databasebdb suffix"dc=my-domain,dc=com" rootdn"cn=Manager,dc=my-domain,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpwsecret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory/var/db/openldap-data # Indices to maintain indexobjectClasseq

32 Database Directive Berkeley is usually defined for you databasebdb Suffix Defines you directory domain, should be unique Rootdn Defines the “super user” for your LDAP server Usually “cn=Manager, “ + the suffix Rootpw Use /usr/local/sbin/slappasswd to generate password Include everything returned!! Example: {SSHA}hwQhVL4hfn4p4HXvlgwOf1lFF/tppU6R

33 Database Directive For Monitor support database monitor

34 Resources LDAP System Administration: O’Reilly and Associates. Gerald Carter OpenLDAP website http://www.openldap.org

Download ppt "OpenLDAP: Building and Configuring CNS 4650 Fall 2004 Rev. 2."

Similar presentations

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
UIC Data Conversion and Submission via CDX Node Client UIC Database V2 6/16/2010 1.

UIC Data Conversion and Submission via CDX Node Client UIC Database V2 6/16/
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.

Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.
LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL 03 AUGUST 2005 LINUX SYSTEM ADMINISTRATION AND SECURITY VINEET BHARDWAJ VINAY KUMAR THOTA.

LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL 03 AUGUST 2005 LINUX SYSTEM ADMINISTRATION AND SECURITY VINEET BHARDWAJ VINAY KUMAR THOTA.
LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.

LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.
CIT 470: Advanced Network and System Administration

CIT 470: Advanced Network and System Administration
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.

Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.
Microsoft ® Official Course Module 9 Configuring Applications.

Microsoft ® Official Course Module 9 Configuring Applications.
Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.

Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.

Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.
Configuring a Web Server. Overview Overview of IIS Preparing for an IIS Installation Installing IIS Configuring a Web Site Administering IIS Troubleshooting.

Configuring a Web Server. Overview Overview of IIS Preparing for an IIS Installation Installing IIS Configuring a Web Site Administering IIS Troubleshooting.
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
September 18, 2002 Introduction to Windows 2000 Server Components Ryan Larson David Greer.

September 18, 2002 Introduction to Windows 2000 Server Components Ryan Larson David Greer.
Apache Server. -2--2- The Apache Server Apache is a WWW server that implements the HTTP protocol. Apache runs as a daemon. This means that it is a resident.

Apache Server The Apache Server Apache is a WWW server that implements the HTTP protocol. Apache runs as a daemon. This means that it is a resident.

Similar presentations

Ads by Google