LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity

updated

This commit is contained in:
gferg 2000-09-14 14:19:44 +00:00
parent e71ebb8d84
commit 168a6da64d
1 changed files with 1370 additions and 1370 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
LDP/howto/linuxdoc/LDAP-HOWTO.sgml
View File

@ -8,7 +8,7 @@
<title>LDAP Linux HOWTO
<author>Luiz Ernesto Pinheiro Malere, <tt/malere@yahoo.com/
<date>v1.01, 15 February 2000
<date>v1.02, 13 September 2000
<abstract>
Information about installing, configuring, running and maintaining a LDAP (Lightweight Directory Access Protocol) Server on a Linux machine is presented on this document. There are also details about how to create LDAP databases, how to update and delete information on the database, how to implement roaming access and how to use Netscape Address Book. This document is mostly based on the University of Michigan LDAP information pages.
</abstract>
@ -117,8 +117,7 @@ Go to the first paragraph of <ref id="3" name="section 3"> to know where the obj
<p>
This document may receive corrections and updates based on the feedback received by the readers. You should look at:
<p>
<url url="http://dutedin.et.tudelft.nl/~malere/LDAP-Linux-HOWTO.html"
name="http://dutedin.et.tudelft.nl/~malere/LDAP-Linux-HOWTO.html">
<url url="http://www.mobilesoft.com.br/HOWTO/LDAP-HOWTO.html" name="http://www.mobilesoft.com.br/HOWTO/LDAP-HOWTO.html">
<p>
for new versions of this HOWTO.
@ -130,9 +129,27 @@ If you have any kind of doubt about some information avaiable on this document,p
<p>
If you have commentaries and/or sugestions, please let me know too !
<sect1>History of Releases
<p>This section lists the releases of this document, sorted by date. Each release carries the changes introduced on the earlier version, plus newer additions and corrections:
<p>v1.0: 20 June 1999, Initial version.
<p>v1.01: 15 February 2000, added the following sections:
<itemize>
<item>LDAP Migration Tools
<item>Authentication using LDAP
<item>Graphical LDAP tools
<item>RFCs
</itemize>
<p>v1.02: 13 September 2000, correction of typos and addition of the following section:
<itemize>
<item>History of Releases
</itemize>
<p>v1.03: Coming soon, comprising Ldap v3, as defined on the <url url="ftp://ftp.isi.edu/in-notes/rfc2251.txt" name="RFC2251">.
<sect1>Acknowledgments
<p>
This Howto was result of an internship made by me on the TUDelft University - Netherlands. I would like to thank the persons that encouraged me to write this document: Rene van Leuken and Wim Tiwon. Thank you very much. They are also Linux fans, just like me.
<p>
I would like to thank also Thomas Bendler, author of the German Ldap-Howto, for his contributions to my document and Joshua Go, great volunteer on the LDP project.
<sect1>Copyright and Disclaimer
<p>
@ -151,11 +168,9 @@ Four steps are necessary to install the server : Download the package, Unpack th
<sect1>Downloading the package
<p>
There are two free distributed LDAP servers : University of Michigan LDAP server and OpenLDAP server. There's also the Netscape Directory Server, which is free only under
some conditions (educational institutions get it free, for example).The OpenLDAP server is based on the latest version of the University of Michigan Server and there are mailing
lists and aditional documentation avaiable for it. This document supposes that you are using the OpenLDAP server.
There are two free distributed LDAP servers: University of Michigan LDAP server and OpenLDAP server. There's also the Netscape Directory Server, which is free only under some conditions (educational institutions get it free, for example).The OpenLDAP server is based on the latest version of the University of Michigan Server and there are mailing lists and additional documentation available for it. This document assumes that you are using the OpenLDAP server.
<p>
It's latest tar gziped version is avaiable on the following address :
It's latest tar gzipped version is avaiable on the following address:
<p>
<url url="http://www.openldap.org" name="http://www.openldap.org">
<p>
@ -167,7 +182,7 @@ To write this document, I used the OpenLDAP latest stable version and OpenLDAP 1
<sect1>Unpacking the server
<p>
Now that you have the tar gziped package on your local machine you can unpack it.
Now that you have the tar gzipped package on your local machine, you can unpack it.
<p>
First copy the package to a desirable directory, for example /usr/local.
<p>
@ -909,8 +924,7 @@ ERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVG
...
</verb></tscreen>
<p>
Notice that the jpegPhoto in Jennifer Jensen's entry is encoded using base 64. The ldif program that comes with the OpenLDAP package can be used to produce the LDIF
format.
Notice that the jpegPhoto in Jennifer Jensen's entry is encoded using base 64. The ldif program that comes with the OpenLDAP package can be used to produce the LDIF format.
<p>
NOTE: Trailing spaces are not trimmed from values in an LDIF file. Nor are multiple internal spaces compressed. If you don't want them in your data, don't put them there.
@ -1050,23 +1064,15 @@ will remove Babs Jensen's entry.
The -f option stands for file (read the modification information from a file instead of standard input), the -b option stands for binary (any values starting with a '/' on the input file
are interpreted as binaries), the -r stands for replace (replace existing values by default).
<sect>Aditional Informations and Features
<sect>Additional Information and Features
<p>
On this section you will find information about the Netscape Address Book, a LDAP client that can be used to query your Directory. Also is presented details on how to implement
Roaming Access using the Netscape Navigator, version 4.5 or above and your LDAP server. There have been a lot of talk on the OpenLDAP mailing lists about the Roaming
Access, since this is a feature that is not totally implemented. Most part of the people don't like the way Netscape Navigator operates with the LDAP server while making
downloads and uploads to it. So, if after reading this you find that the Roaming Access is not working the way you would like, nevermind, a lot of people passed through this
situation already. The purpose of introducing this feature here is more for giving people an idea about the capabilities of the LDAP protocol. To finish you will see some information
about killing safely the slapd process and about slapd logs.
In this section you will find information about the Netscape Address Book, a LDAP client that can be used to query your Directory. Also presented are details on how to implement Roaming Access using the Netscape Navigator, version 4.5 or above and your LDAP server. There has been a lot of talk on the OpenLDAP mailing lists about Roaming Access, since this is a feature that is not totally implemented. Most of the people don't like the way Netscape Navigator operates with the LDAP server while making downloads and uploads to it. So, if after reading this you find that the Roaming Access is not working the way you would like, nevermind. A lot of people passed through this situation already. The purpose of introducing this feature here is more for giving people an idea about the capabilities of the LDAP protocol. To finish you will see some information about safely killing the slapd process and about slapd logs.
<sect1>Roaming Access
<p>
The goal of Roaming Access is that wherever you are on the Net, you can retrieve your bookmarks, preferences, mail filters, etc. using a Netscape Navigator and a LDAP server.
This is a very nice feature, imagine that wherever you access the Web, you can have your own settings on the browser. If you will travell and you need to access that currency
site that is stored on your local bookmarks, don't worry, upload the bookmarks and other configuration files to a LDAP server and you can retrieve them all later independent of
the place you will be.
The goal of Roaming Access is that wherever you are on the Net, you can retrieve your bookmarks, preferences, mail filters, etc. using Netscape Navigator and a LDAP server. This is a very nice feature. Imagine that wherever you access the Web, you can have your own settings on the browser. If you will travel and you need to access that currency site that is stored on your local bookmarks, don't worry. Upload the bookmarks and other configuration files to a LDAP server and you can retrieve them all later, independent of the place you will be.
<p>
To implement the Roaming Access you have to follow these steps :
To implement Roaming Access you have to follow these steps:
<itemize>
<item>Change your attributes description file
<item>Change your objectclass description file
@ -1076,8 +1082,7 @@ To implement the Roaming Access you have to follow these steps :
</itemize>
<p>
- Changing the attributes file:
You need to add new attributes on the attribute list present on the file slapd.at.conf (this is a file you include on your slapd.conf and it's normally located at /usr/local/etc/openldap)
:
You need to add new attributes on the attribute list present on the file slapd.at.conf (this is a file you include on your slapd.conf and it's normally located at /usr/local/etc/openldap):
<tscreen><verb>
attribute nsLIPtrURL ces
attribute nsLIPrefs ces
@ -1089,8 +1094,7 @@ attribute nsLIVersion cis
</verb></tscreen>
<p>
- Changing the objectclass file:
You also have to add some new classes to your slapd.oc.conf (this is another file you include on your slapd.conf and it's normally located at /usr/local/etc/openldap) in order to
enable the roaming access :
You also have to add some new classes to your slapd.oc.conf (this is another file you include on your slapd.conf and it's normally located at /usr/local/etc/openldap) in order to enable Roaming Access:
<tscreen><verb>
objectclass nsLIPtr
requires
@ -1130,8 +1134,7 @@ allows
</verb></tscreen>
<p>
- Changing the LDIF file:
Now you have to modify your LDIF file, adding profiles entries to each user that wish to try the Roaming Access feature of Netscape. Look an example of a simple LDIF file with
profiles entries :
Now you have to modify your LDIF file, adding profiles entries to each user that wish to try the Roaming Access feature of Netscape. Look an example of a simple LDIF file with profiles entries:
<tscreen><verb>
dn: o=myOrg,c=NL
o: myOrg
@ -1154,11 +1157,11 @@ The next step is to configure Netscape to enable the Roaming Access against your
<p>
- Go to Menu Edit -&gt; Preferences -&gt; Roaming User
<p>
Now you have to first Enable the Roaming Access for this profile, clicking on the checkbox correspondent to this option.
Now you have to first enable Roaming Access for this profile, clicking on the checkbox corresponding to this option.
<p>
- Fill the username box with an appropiate value, for instance john
- Fill the username box with an appropriate value, for instance john
<p>
Pull down the arrow of the Roaming User option on the left side of the Preferences Window, so see the suboptions of Roaming Access.
Pull down the arrow of the Roaming User option on the left side of the Preferences Window to see the suboptions of Roaming Access.
<p>
- Click on Server Information and enable the option LDAP Server and fill the boxes with the following information:
<p>
@ -1166,17 +1169,13 @@ Address: ldap://myHost/nsLIProfileName=$USERID,ou=Roaming,o=myOrg,c=NL
<p>
User DN: cn=$USERID,ou=People,o=myOrg,c=NL
<p>
IMPORTANT : Netscape automatically substitutes the $USERID variable for the name of the profile you selected before running the browser. So if you selected the profile seallers,
it will substitute $USERID for seallers, if you selected profile gonzales, if will substitute $USERID for gonzales. If you are not familiar with profiles, run the Profile Manager aplication
that comes on the Netscape Comunicator package. It's an application designed to satisfy the multiple users of a browser on the same machine, so each one can have their on
settings on the browser.
IMPORTANT: Netscape automatically substitutes the $USERID variable for the name of the profile you selected before running the browser. So if you selected the profile seallers, it will substitute $USERID for seallers, if you selected profile gonzales, it will substitute $USERID for gonzales. If you are not familiar with profiles, run the Profile Manager application that comes on the Netscape Comunicator package. It's an application designed to satisfy the multiple users of a browser on the same machine, so each one can have their own settings on the browser.
<p>
The final step is to restart the server, take a look on the <ref id="6.6" name="section 6.6"> to see how you do that safely and on <ref id="4" name="section 4"> to see how to start it again.
The final step is to restart the server. Take a look on the <ref id="6.6" name="section 6.6"> to see how you do that safely and on <ref id="4" name="section 4"> to see how to start it again.
<sect1>Netscape Address Book
<p>
Once you have your LDAP server up and running, you can access it with many diferent clients (e.g. ldapsearch command line utility). A very interesting one is the Netscape
Address Book. It's avaiable from version 4.x of Netscape but you have to use the 4.5 or above version for a stable interoperation with your LDAP server.
Once you have your LDAP server up and running, you can access it with many different clients (e.g. ldapsearch command line utility). A very interesting one is the Netscape Address Book. It's available from version 4.x of Netscape but you have to use the 4.5 or above version for a stable interoperation with your LDAP server.
<p>
Just follow the sequence:
<p>
@ -1194,21 +1193,20 @@ Fill the boxes with your server information. For example :
- Server Root: o=TUDelft, c=NL
<p>
The default LDAP port is 389, don't change it, at least if you changed this option while building your server.
The default LDAP port is 389. Don't change it, unless you changed this option while building your server.
<p>
Now, make simple queries to your server, using the box Show Names Containing, or advanced queries, using the Search for button.
<sect1>LDAP Migration Tools
<p>
The LDAP Migration Tools are a collection of Perl scripts used to convert configuration files to the LDIF format. The scripts are provided by PADL Software Ltd and I recommend you to take a look on the license terms before using them, even being free. If you plan to use your LDAP server to authenticate users, this tools may be very usefull. Use the Migration Tools to convert your NIS or password archives to the LDIF format, making these files compatible with your LDAP Server. Apply also these Perl Scripts to migrate users, groups, aliases, hosts, netgroups, networks, protocols, RPCs and services from existing nameservices (NIS, flat files and NetInfo) to the LDIF format.
The LDAP Migration Tools are a collection of Perl scripts used to convert configuration files to the LDIF format. The scripts are provided by PADL Software Ltd. I recommend you to take a look at the license terms before using them, even being free. If you plan to use your LDAP server to authenticate users, this tools may be very useful. Use the Migration Tools to convert your NIS or password archives to the LDIF format, making these files compatible with your LDAP Server. Apply also these Perl Scripts to migrate users, groups, aliases, hosts, netgroups, networks, protocols, RPCs and services from existing nameservices (NIS, flat files and NetInfo) to the LDIF format.
To download the LDAP Migration Tools and get more information, go to the following address:
<p>
<tscreen><htmlurl url="http://www.padl.com/tools.html"
name="http://www.padl.com/tools.html"></tscreen>
<tscreen><htmlurl url="http://www.padl.com/tools.html" name="http://www.padl.com/tools.html"></tscreen>
<p>
The package comes with a README file and the name of the script files are intuitive. Take a first look on the README file and then start aplying the scripts.
The package comes with a README file and the name of the script files are intuitive. Take a first look on the README file and then start applying the scripts.
<sect1>Authentication using LDAP
<p>
@ -1221,11 +1219,10 @@ That was in the beginning. Since then, a number of new ways for authenticating u
The authentication module for LDAP is available as a tar ball on the following address:
<p>
<tscreen><htmlurl url="http://www.padl.com/pam_ldap.html"
name="http://www.padl.com/pam_ldap.html"></tscreen>
<tscreen><htmlurl url="http://www.padl.com/pam_ldap.html" name="http://www.padl.com/pam_ldap.html"></tscreen>
<p>
Here I assume that your Linux distribution is already PAM prepared. If not take a look on this url : <url url="http://www.kernel.org/pub/linux/libs/pam" name="http://www.kernel.org/pub/linux/libs/pam">. Actually, the various Linux distributions use different standard settings related to PAM. Usually, the configuration PAM files reside on the <tt>/etc/pam.d/</tt> directory. There you can find a file for each service running on your box. As an example, if you want to use the LDAP server for logging users in after your Linux boot up, you should make your Linux PAM compatible (as described on the begin of this paragraph), install the LDAP PAM module and edit a file called login on the PAM configuration directory (/etc/pam.d/) with the following content :
Here I assume that your Linux distribution is already PAM prepared. If not take a look at this URL: <url url="http://www.kernel.org/pub/linux/libs/pam" name="http://www.kernel.org/pub/linux/libs/pam">. Various Linux distributions use different standard settings related to PAM. Usually, the PAM configuration files reside on the <tt>/etc/pam.d/</tt> directory. There you can find a file for each service running on your box. As an example, if you want to use the LDAP server for logging users in after your Linux boot up, you should make your Linux PAM compatible (as described in the beginning of this paragraph), install the LDAP PAM module and edit a file called login in the PAM configuration directory (/etc/pam.d/) with the following content:
<tscreen><verb>
#%PAM-1.0
@ -1250,12 +1247,11 @@ session required /lib/security/pam_unix_session.so
<p>
<tscreen>
Kldap is a graphical LDAP client wrote for the KDE desktop environment. Kldap has a nice interface and is able to show all the information tree stored on your Directory. You can check some screenshots from the application and download it at:
Kldap is a graphical LDAP client written for KDE. Kldap has a nice interface and is able to show all the information tree stored on your Directory. You can check some screenshots from the application and download it at:
</tscreen>
<p>
<tscreen><htmlurl url="http://www.mountpoint.ch/oliver/kldap/"
name="http://www.mountpoint.ch/oliver/kldap"></tscreen>
<tscreen><htmlurl url="http://www.mountpoint.ch/oliver/kldap/" name="http://www.mountpoint.ch/oliver/kldap"></tscreen>
<p>
<itemize>
@ -1264,16 +1260,15 @@ Kldap is a graphical LDAP client wrote for the KDE desktop environment. Kldap ha
<p>
<tscreen>
GQ is another graphical LDAP client with a simpler interface and that was wrote for the Gnome environment. It also runs under KDE, the same way Kldap runs under Gnome. The address for downloading and getting more information is :
GQ is another graphical LDAP client with a simpler interface. It was written for GNOME. It also runs under KDE, the same way Kldap runs under GNOME. The address for downloading and getting more information is:
</tscreen>
<p>
<tscreen><htmlurl url="http://biot.com/gq/"
name="http://biot.com/gq/"></tscreen>
<tscreen><htmlurl url="http://biot.com/gq/" name="http://biot.com/gq/"></tscreen>
<sect1>Killing the LDAP server<label id="6.6">
<p>
To kill off slapd safely, you should give a command like this
To kill off slapd safely, you should give a command like this:
<p>
kill -TERM `cat $(ETCDIR)/slapd.pid`
<p>
@ -1290,14 +1285,13 @@ You can change the location of the args file by changing the SLAPD_ARGSFILE vari
<p>
Slapd uses the syslog(8) facility to generate logs. The default user of the syslog(8) facility is LOCAL4, but values from LOCAL0, LOCAL1, up to LOCAL7 are allowed.
<p>
In order to enable the generation of logs you have to edit your syslog.conf file, usually located at /etc directory.
In order to enable the generation of logs you have to edit your syslog.conf file, usually located in the /etc directory.
<p>
Create a line like this:
<p>
local4.*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/usr/adm/ldalog
<p>
This will use the default user LOCAL4 for the syslog facility. If you are not familiar with the sintax of this line, take a look at the man pages of syslog, syslog.conf and syslogd. If you
want to change the default user or to specify the level of the logs generated, you have the following options while starting slapd :
This will use the default user LOCAL4 for the syslog facility. If you are not familiar with the sintax of this line, take a look at the man pages of syslog, syslog.conf and syslogd. If you want to change the default user or to specify the level of the logs generated, you have the following options while starting slapd:
<p>
-s syslog-level
This option tells slapd at what level debugging statements should be logged to the syslog(8) facility. The level describes the severity of the message, and is a keyword from the
@ -1308,15 +1302,15 @@ want to change the default user or to specify the level of the logs generated, y
Selects the local user of the syslog(8) facility. Values can be LOCAL0, LOCAL1, and so on, up to LOCAL7. The default is LOCAL4. However, this option is only permitted on
systems that support local users with the syslog(8) facility.
<p>
Now take a look at the logs generated, they can help you a lot to solve problems with queries, updates, binding, etc.
Now take a look at the logs generated. They can help you tremendously in solving problems with queries, updates, binding, etc.
<sect>References
<p>
On this section you will find aditional documentation about LDAP : usefull Urls, cool Books and definition RFCs.
On this section you will find additional documentation about LDAP: useful URLs, cool books and definition RFCs.
<sect1>URLs
<p>
Here are the URLs that contain very usefull information about LDAP. From this URLs this howto was made, so if after reading this document you need more specific information, you probably will find here :
Here are the URLs that contain very useful information about LDAP. From these URLs, this HOWTO was made, so if after reading this document you need more specific information, you probably will find here:
<itemize>
<item>
University of Michigan LDAP Page:
@ -1327,7 +1321,7 @@ University of Michigan LDAP Documentation Page :
<p>
<url url="http://www.umich.edu/&tilde;dirsvcs/ldap/doc/" name="http://www.umich.edu/&tilde;dirsvcs/ldap/doc/">
<item>
Manually Implementing Roaming Access
Manually Implementing Roaming Access:
<p>
<url url="http://help.netscape.com/products/client/communicator/manual_roaming2.html" name="http://help.netscape.com/products/client/communicator/manual_roaming2.html">
<item>
@ -1335,13 +1329,17 @@ Customizing LDAP Settings for Communicator 4.5 :
<p>
<url url="http://developer.netscape.com/docs/manuals/communicator/ldap45.htm" name="http://developer.netscape.com/docs/manuals/communicator/ldap45.htm">
<item>
Linux Directory Service
Introducing to Directory Service (X.500):
<p>
<url url="http://www.nic.surfnet.nl/surfnet/projects/x500/introducing/" name="http://www.nic.surfnet.nl/surfnet/projects/x500/introducing/">
<item>
Linux Directory Service:
<p>
<url url="http://www.rage.net/ldap/" name="http://www.rage.net/ldap/">
</itemize>
<sect1>Books
<p>These are the most popular and usefull books about LDAP :
<p>These are the most popular and useful books about LDAP:
<itemize>
<item>Implementing LDAP by Mark Wilcox
@ -1368,3 +1366,5 @@ and Good
<item>RFC 2307: LDAP as a Network Information Service
</itemize>
</article>