mirror of https://github.com/tLDP/LDP
updated
This commit is contained in:
parent
5829688fb2
commit
3aa7a8d195
|
@ -1073,7 +1073,7 @@ FVWM2, Netscape Navigator 4.X, and a customized trackball. </Para>
|
|||
LDAP-HOWTO</ULink>,
|
||||
<CiteTitle>LDAP Linux HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: September 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: April 2003</CiteTitle>.
|
||||
Information about installing, configuring, running and maintaining a
|
||||
LDAP (Lightweight Directory Access Protocol) Server on a Linux
|
||||
machine. </Para>
|
||||
|
|
|
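Review bot: the `Updated:` line for the LDAP-HOWTO index entry is bumped from September 2002 to April 2003 here, and the identical entry appears again in the two hunks that follow (`-1482` and `-453`); all three copies must be changed together or the indexes disagree. Since the entries are byte-for-byte the same, generating them from one source, or at least checking in a script that greps for stale `Updated:` dates, would be safer than hand-editing three files.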
@ -1482,7 +1482,7 @@ Describes GNU/Linux localization issues specific for Latvian users
|
|||
LDAP-HOWTO</ULink>,
|
||||
<CiteTitle>LDAP Linux HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: September 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: April 2003</CiteTitle>.
|
||||
Information about installing, configuring, running and maintaining a
|
||||
LDAP (Lightweight Directory Access Protocol) Server on a Linux
|
||||
machine. </Para>
|
||||
|
|
|
@ -453,7 +453,7 @@ Linux operating system that use the Linux kernel IPX protocol support. </Para>
|
|||
LDAP-HOWTO</ULink>,
|
||||
<CiteTitle>LDAP Linux HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: September 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: April 2003</CiteTitle>.
|
||||
Information about installing, configuring, running and maintaining a
|
||||
LDAP (Lightweight Directory Access Protocol) Server on a Linux
|
||||
machine. </Para>
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
|
||||
"http://docbook.org/xml/4.1.2/docbookx.dtd" []>
|
||||
<book id="index"><bookinfo><title>LDAP Linux HOWTO</title>
|
||||
<pubdate>v1.07, 2002-09-16</pubdate>
|
||||
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
|
||||
"http://docbook.org/xml/4.1.2/docbookx.dtd" [
|
||||
]>
|
||||
<book id="index"><bookinfo>
|
||||
<title>LDAP Linux HOWTO</title>
|
||||
<pubdate>v1.08, 2003-04-02</pubdate>
|
||||
<author><firstname>Luiz</firstname>
|
||||
<othername>Ernesto Pinheiro</othername>
|
||||
<surname>Malère</surname>
|
||||
|
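Review bot: the new `<pubdate>v1.08, 2003-04-02</pubdate>` matches the `<date>2003/04/02</date>` of the 1.08 `<revision>` added in the next hunk, which is what matters; using one date format in both places (either `2003-04-02` or `2003/04/02`) would let that consistency be checked mechanically. Splitting the DOCTYPE internal subset from `[]` onto two lines (`[` and `]>`) and moving `<title>` onto its own line are cosmetic and harmless.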
@ -16,6 +18,10 @@ Administrator's Guide.</para></abstract>
|
|||
|
||||
|
||||
<revhistory>
|
||||
<revision><revnumber>1.08</revnumber>
|
||||
<date>2003/04/02</date>
|
||||
<revremark>SASL with DIGEST-MD5 authentication.</revremark></revision>
|
||||
|
||||
<revision><revnumber>1.07</revnumber>
|
||||
<date>2002/09/16</date>
|
||||
<revremark>Typo correction.</revremark></revision>
|
||||
|
@ -85,7 +91,9 @@ The information presented on this document represents a nice initialization on
|
|||
using the LDAP server. Possibly after reading this document you would feel
|
||||
encouraged to expand the capabilities of your server and even write your own
|
||||
clients, using the already available C, C++ and Java Development Kits.</para>
|
||||
<section id="WhatisLdap"><title>What's LDAP ?</title>
|
||||
|
||||
<section id="WhatisLdap">
|
||||
<title>What's LDAP ?</title>
|
||||
|
||||
|
||||
<para>LDAP stands for Lightweight Directory Access Protocol. As the name suggests,
|
||||
|
@ -107,12 +115,11 @@ different requirements on how that information can be referenced, queried and
|
|||
updated, how it is protected from unauthorized access, etc. Some directory
|
||||
services are local, providing service to a restricted context (e.g., the finger
|
||||
service on a single machine). Other services are global, providing service to
|
||||
a much broader context.</para>
|
||||
|
||||
</section>
|
||||
a much broader context.</para></section>
|
||||
|
||||
|
||||
<section id="HowitWorks"><title>How does LDAP work ?</title>
|
||||
<section id="HowitWorks">
|
||||
<title>How does LDAP work ?</title>
|
||||
<para>LDAP directory service is based on a client-server model. One or more LDAP
|
||||
servers contain the data making up the LDAP directory tree or LDAP backend
|
||||
database. An LDAP client connects to an LDAP server and asks it a question. The
|
||||
|
@ -121,21 +128,22 @@ database. An LDAP client connects to an LDAP server and asks it a question. The
|
|||
a client connects to, it sees the same view of the directory; a name presented
|
||||
to one LDAP server references the same entry it would at another LDAP server.
|
||||
This is an important feature of a global directory service, like LDAP.</para></section>
|
||||
<section id="LdapBackends"><title>LDAP backends, objects and attributes</title>
|
||||
|
||||
<section id="LdapBackends">
|
||||
<title>LDAP backends, objects and attributes</title>
|
||||
<para>The LDAP server daemon is called <emphasis>Slapd</emphasis>. <emphasis>Slapd</emphasis>
|
||||
supports a variety of different <command>database backends</command> which you can use. They include BDB,
|
||||
a high-performance transactional database backend; LDBM, a lightweight DBM based backend;
|
||||
SHELL, a backend interface to arbitrary shell scripts and PASSWD, a simple backend interface
|
||||
to the passwd(5) file.
|
||||
supports a variety of different <command>database backends</command> which you can use.</para>
|
||||
|
||||
BDB utilizes <ulink url="http://www.sleepycat.com/">Sleepycat</ulink> Berkeley DB 4. LDBM utilizes
|
||||
<para>They include the primary choice BDB, a high-performance transactional database backend; LDBM, a lightweight DBM based backend; SHELL, a backend interface to arbitrary shell scripts and PASSWD, a simple backend interface to the passwd(5) file.</para>
|
||||
|
||||
<para>BDB utilizes <ulink url="http://www.sleepycat.com/">Sleepycat</ulink> Berkeley DB 4. LDBM utilizes
|
||||
either <ulink url="http://www.sleepycat.com/">Berkeley DB</ulink> or <ulink url="http://www.gnu.org/software/gdbm/">GDBM</ulink>.</para>
|
||||
|
||||
|
||||
<para>BDB transactional backend is suited for multi-user read/write database access,
|
||||
with any mix of read and write operations. BDB is used in applications that require:
|
||||
|
||||
<itemizedlist><listitem><para>Transactions, including making multiple changes to the
|
||||
<itemizedlist>
|
||||
<listitem><para>Transactions, including making multiple changes to the
|
||||
database atomically and rolling back uncommitted changes when necessary.</para></listitem>
|
||||
|
||||
<listitem><para>Ability to recover from systems crashes and hardware failures without
|
||||
|
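Review bot: the new paragraph beginning `<para>They include the primary choice BDB, a high-performance transactional database backend; ...` is one unwrapped line of several hundred characters while the rest of the file wraps near 90 columns; wrap it to match. While touching it, `DBM based` should be `DBM-based`, and `SHELL, a backend interface to arbitrary shell scripts and PASSWD` needs a comma before `and` so the four backends read as a list. Given that the SHELL backend passes directory operations to external scripts, it would also be worth one sentence saying that such scripts deserve the same access-control and permission care as the database backends; the text is silent on that.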
@ -148,7 +156,7 @@ losing any committed transactions.</para></listitem>
|
|||
<para>To import and export directory information between LDAP-based directory servers
|
||||
, or to describe a set of changes which are to be applied to a directory, the
|
||||
file format known as LDIF, for LDAP Data Interchange Format, is typically used.
|
||||
An LDIF file stores information in object-oriented hierarchies of entries. The
|
||||
A LDIF file stores information in object-oriented hierarchies of entries. The
|
||||
LDAP software package you're going to get comes with an utility to convert LDIF
|
||||
files to the BDB format</para>
|
||||
|
||||
|
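Review bot: this hunk replaces `An LDIF file stores information` with `A LDIF file stores information`, which is a grammatical regression: LDIF is read letter by letter, so the article is `An`. Keep the original line. The context line `comes with an utility to convert LDIF` has the opposite problem and should read `a utility`, and the paragraph ends without a period after `BDB format`; both are cheap to fix in the same commit.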
@ -185,7 +193,8 @@ or groups of objects.</para></listitem>
|
|||
|
||||
<listitem><para>Organizations in the directory.</para></listitem>
|
||||
|
||||
<listitem><para>People in the directory.</para></listitem></itemizedlist>
|
||||
<listitem><para>People in the directory.</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
|
||||
<para>An entry can belong to more than one object class. For example, the entry for a
|
||||
|
@ -241,32 +250,32 @@ ignored during comparisons).</para></listitem>
|
|||
|
||||
|
||||
<para><command>Note: </command>Usually objectclass and attribute definitions reside on schema files, on the
|
||||
subdirectory <emphasis>schema</emphasis> under the OpenLDAP installation home.</para>
|
||||
</section>
|
||||
subdirectory <emphasis>schema</emphasis> under the OpenLDAP installation home.</para></section>
|
||||
|
||||
|
||||
<section id="NewVersions"><title>New versions of this document</title>
|
||||
<section id="NewVersions">
|
||||
<title>New versions of this document</title>
|
||||
|
||||
<para>This document may receive corrections and updates based on the feedback
|
||||
received by the readers. You should look at:</para>
|
||||
|
||||
<para><ulink url="http://linuxdoc.org/HOWTO/LDAP-HOWTO.html">http://linuxdoc.org/HOWTO/LDAP-HOWTO.html</ulink></para>
|
||||
<para><ulink url="http://www.tldp.org/HOWTO/LDAP-HOWTO.html">http://www.tldp.org/HOWTO/LDAP-HOWTO.html</ulink></para>
|
||||
|
||||
|
||||
<para>for new versions of this HOWTO.</para>
|
||||
</section>
|
||||
<para>for new versions of this HOWTO.</para></section>
|
||||
|
||||
|
||||
<section id="opinions"><title>Opinions and Sugestions</title>
|
||||
<section id="opinions">
|
||||
<title>Opinions and Sugestions</title>
|
||||
|
||||
<para>If you have any kind of doubt about some information avaiable on this document,
|
||||
please contact me on the following email address: <ulink url="malere@yahoo.com">malere@yahoo.com</ulink></para>
|
||||
|
||||
<para>If you have commentaries and/or sugestions, please let me know too !</para>
|
||||
</section>
|
||||
<para>If you have commentaries and/or sugestions, please let me know too !</para></section>
|
||||
|
||||
|
||||
<section id="Acknowledgements"><title>Acknowledgments</title>
|
||||
<section id="Acknowledgements">
|
||||
<title>Acknowledgments</title>
|
||||
|
||||
<para>This Howto was result of an internship made by me on the TUDelft University -
|
||||
Netherlands. I would like to thank the persons that encouraged me to write this
|
||||
|
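Review bot: the rewritten title line `<title>Opinions and Sugestions</title>` still carries the spelling error, and the context lines keep `avaiable` and `sugestions`; since the line is being touched anyway, correct them to `Suggestions` and `available` here. In the contact paragraph, `<ulink url="malere@yahoo.com">` has no scheme and will render as a relative link; it should be `url="mailto:malere@yahoo.com"`. The change of the download URL from `http://linuxdoc.org/HOWTO/LDAP-HOWTO.html` to `http://www.tldp.org/HOWTO/LDAP-HOWTO.html` is correct.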
@ -276,11 +285,14 @@ Thank you very much. They are also Linux fans, just like me.</para>
|
|||
<para>I would like to thank also Thomas Bendler, author of the German Ldap-Howto,
|
||||
for his contributions to my document and Joshua Go, great volunteer on the LDP
|
||||
project.</para>
|
||||
</section>
|
||||
|
||||
<para>Karl Lattimer deserves a prize, for his great contribution on SASL related issues.</para>
|
||||
|
||||
<para>And thanks my Lord !</para></section>
|
||||
|
||||
|
||||
<section id="copyright"><title>Copyright and Disclaimer</title>
|
||||
|
||||
<section id="copyright">
|
||||
<title>Copyright and Disclaimer</title>
|
||||
|
||||
<para>Copyright (c) 1999 Luiz Ernesto Pinheiro Malère.
|
||||
Permission is granted to copy, distribute and/or modify this document
|
||||
|
@ -295,22 +307,23 @@ and contact the Linux HOWTO coordinator, at: <ulink url="guylhem@metalab.unc.edu
|
|||
</chapter>
|
||||
|
||||
<chapter id="Installing"><title>Installing the LDAP Server</title>
|
||||
|
||||
|
||||
<para>Five steps are necessary to install the server:
|
||||
<itemizedlist><listitem><para>Install the pre-required
|
||||
<itemizedlist>
|
||||
<listitem><para>Install the pre-required
|
||||
packages (if not already installed).</para></listitem>
|
||||
<listitem><para>Download the server.</para></listitem>
|
||||
<listitem><para>Unpack the software.</para></listitem>
|
||||
<listitem><para>Configure the Makefiles.</para></listitem>
|
||||
<listitem><para>Build the server.</para></listitem></itemizedlist></para>
|
||||
<listitem><para>Build the server.</para></listitem>
|
||||
</itemizedlist></para>
|
||||
|
||||
|
||||
<section id="PreReq"><title>Pre-Requirements</title>
|
||||
<section id="PreReq">
|
||||
<title>Pre-Requirements</title>
|
||||
|
||||
<para>To be fully LDAPv3 compliant, OpenLDAP clients and servers require installation
|
||||
of some additional packages. For writing this document, I've used a Mandrake 8.2 box with
|
||||
a 2.4.18 Kernel, manually installing the DBD package, TLS and SASL libraries.</para>
|
||||
of some additional packages. For writing this document, I've used a Mandrake 9.0 box with
|
||||
a 2.4.20 Kernel, manually installing the Berkeley BDB package and SASL libraries.</para>
|
||||
|
||||
|
||||
<para><command>OpenSSL TLS Libraries</command></para>
|
||||
|
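Review bot: the rewritten prerequisites sentence, `manually installing the Berkeley BDB package and SASL libraries`, drops the TLS libraries that the old line listed (`DBD package, TLS and SASL libraries`), yet the `OpenSSL TLS Libraries` subsection that immediately follows is unchanged and the SASL paragraph later in this diff notes that Cyrus SASL uses OpenSSL when present. Either say that TLS support was still built in, or say explicitly that it was omitted, so readers do not conclude TLS is no longer needed; for a directory that holds credentials, TLS should stay in the recommended set. Minor: `Berkeley BDB` is redundant (BDB already expands to Berkeley DB), and `Pre-Requirements` is conventionally `Prerequisites`.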
@ -332,8 +345,9 @@ is highly recommended.</para>
|
|||
|
||||
<para><command>Cyrus's Simple Authentication and Security Layer Libraries</command></para>
|
||||
<para>Cyrus's SASL libraries are normally part of the base system or compose an
|
||||
optional software component. Cyrus SASL is available from <ulink url="http://asg.web.cmu.edu/sasl/sasl-library.html">http://asg.web.cmu.edu/sasl/sasl-library.html</ulink>
|
||||
Cyrus SASL will make use of OpenSSL and Kerberos/GSSAPI libraries if preinstalled.</para>
|
||||
optional software component. Cyrus SASL is available from <ulink url="http://asg.web.cmu.edu/sasl/sasl-library.html">http://asg.web.cmu.edu/sasl/sasl-library.html</ulink>.
|
||||
Cyrus SASL will make use of OpenSSL and Kerberos/GSSAPI libraries if preinstalled. By the time of this
|
||||
writing, I've used Cyrus SASL 2.1.12.</para>
|
||||
|
||||
<para><command>Database Software</command></para>
|
||||
|
||||
|
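Review bot: in the added sentence, `By the time of this writing, I've used Cyrus SASL 2.1.12.` should read `At the time of this writing`. Recording the exact SASL version tested is useful, and the period added after the download URL fixes a run-on in the old text.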
@ -345,7 +359,7 @@ If not available at configure time, you will not be able to build slapd with pri
|
|||
<para>Your operating system may provide Berkeley DB, version 4, in the base
|
||||
system or as an optional software component. If not, there are several versions
|
||||
available at <ulink url="http://www.sleepycat.com/download.html">Sleepycat</ulink>.
|
||||
At the time of this writing, the latest release, version 4.0.14, is recommended.
|
||||
At the time of this writing, the latest release, version 4.1.25, is recommended.
|
||||
OpenLDAP's slapd LDBM backend supports a variety of database managers,
|
||||
like Berkeley DB (version 3) and GDBM. GDBM is available from FSF's download
|
||||
site <ulink url="ftp://ftp.gnu.org/pub/gnu/gdbm/.">ftp://ftp.gnu.org/pub/gnu/gdbm/</ulink>.</para>
|
||||
|
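Review bot: the BDB recommendation moves from 4.0.14 to 4.1.25, but `the latest release, version 4.1.25, is recommended` goes stale as soon as Sleepycat ships again; better to state the version this document was tested against (`this document was written against 4.1.25`). The following context sentence still says the LDBM backend supports `Berkeley DB (version 3)` while the paragraph opens with `version 4`; check whether that should now also say version 4, or whether LDBM is genuinely limited to 3, and make the two sentences agree.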
@ -363,14 +377,14 @@ consult the Software - Installation - Platform Hints section of the OpenLDAP FAQ
|
|||
<para><command>TCP Wrappers</command></para>
|
||||
|
||||
|
||||
<para><emphasis>Slapd</emphasis>supports TCP wrappers (IP level access control filters) if
|
||||
<para><emphasis>Slapd</emphasis> supports TCP wrappers (IP level access control filters) if
|
||||
preinstalled. Use of TCP wrappers or other IP-level access filters (such as
|
||||
those provided by an IP-level firewall) is recommended for servers containing
|
||||
non-public information.</para>
|
||||
</section>
|
||||
non-public information.</para></section>
|
||||
|
||||
|
||||
<section id="Download"><title>Downloading the Package</title>
|
||||
<section id="Download">
|
||||
<title>Downloading the Package</title>
|
||||
|
||||
<para>There are two free distributed LDAP servers: University of Michigan LDAP server
|
||||
and OpenLDAP server. There's also the Netscape Directory Server, which is free
|
||||
|
@ -384,29 +398,29 @@ available for it. This document assumes that you are using the OpenLDAP server.<
|
|||
this address: </para>
|
||||
<para><ulink url="ftp://terminator.rs.itd.umich.edu/ldap">ftp://terminator.rs.itd.umich.edu/ldap</ulink></para>
|
||||
<para></para>
|
||||
<para>To write this document, I used the 2.1.3 version of the OpenLDAP package. My
|
||||
operating system is a Mandrake Linux with kernel 2.4.18. </para>
|
||||
<para>To write this document, I used the 2.1.16 version of the OpenLDAP package. My
|
||||
operating system is a Mandrake Linux 9.0 with kernel 2.4.20. </para>
|
||||
|
||||
<para>On the OpenLDAP site you can always find the latest development and stable
|
||||
versions of the OpenLDAP server. By the time this document was updated, the
|
||||
latest stable version was openldap-stable-20020618.tgz (version 2.0.25). The latest development
|
||||
version was openldap-2.1.3.tgz. </para></section>
|
||||
latest stable version was openldap-stable-20030317.tgz (version 2.1.16). The latest development
|
||||
version was also openldap-2.1.16.tgz. </para></section>
|
||||
|
||||
|
||||
<section id="Unpacking"><title>Unpacking the Software</title>
|
||||
<section id="Unpacking">
|
||||
<title>Unpacking the Software</title>
|
||||
|
||||
<para>Now that you have the tar gzipped package on your local machine, you can
|
||||
unpack it. </para>
|
||||
<para>First copy the package to a desirable directory, for example /usr/local.
|
||||
Next use the following command:</para>
|
||||
<screen>tar xvzf openldap-2.1.3.tgz </screen>
|
||||
<screen>tar xvzf openldap-2.1.16.tgz </screen>
|
||||
<para>You can use this command too, as well: </para>
|
||||
<screen>gunzip openldap-2.1.3.tgz | tar xvf -</screen>
|
||||
|
||||
</section>
|
||||
<screen>gunzip openldap-2.1.16.tgz | tar xvf -</screen></section>
|
||||
|
||||
|
||||
<section id="Configuring"><title>Configuring the Software</title>
|
||||
<section id="Configuring">
|
||||
<title>Configuring the Software</title>
|
||||
<para>The OpenLDAP server sources are distributed with a configuration script for
|
||||
setting options like instalation directories, compiler and linker flags. Type
|
||||
the following command on the directory where you unpacked the software: </para>
|
||||
|
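Review bot: the second unpack command, `gunzip openldap-2.1.16.tgz | tar xvf -`, does not work as written: without `-c`, gunzip replaces the `.tgz` with `openldap-2.1.16.tar` on disk and writes nothing to standard output, so tar reads an empty stream and fails. Use `gunzip -c openldap-2.1.16.tgz | tar xvf -` (or `zcat`), or just keep the `tar xvzf openldap-2.1.16.tgz` form shown above. Also, `The latest development version was also openldap-2.1.16.tgz.` reads oddly after the stable-version sentence; if stable and development coincided at 2.1.16, say so in one sentence. The empty `<para></para>` before the version paragraph is a leftover spacer and can go.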
@ -447,11 +461,11 @@ configure script:
|
|||
<listitem><para>CPPFLAGS: Specify C Preprocessor flags.</para></listitem>
|
||||
<listitem><para>LDFLAGS: Specify linker flags.</para></listitem>
|
||||
<listitem><para>LIBS: Specify additional libraries.</para></listitem>
|
||||
</itemizedlist></para>
|
||||
</section>
|
||||
</itemizedlist></para></section>
|
||||
|
||||
|
||||
<section id="Building"><title>Building the Server</title>
|
||||
<section id="Building">
|
||||
<title>Building the Server</title>
|
||||
<para>After configuring the software you can start building it. First build the
|
||||
dependencies, using the command: </para>
|
||||
|
||||
|
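Review bot: the context line `setting options like instalation directories` has a typo (`installation`); since the section opening is being restructured here, fix it in the same change.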
@ -483,8 +497,7 @@ to do this (depending on where you are installing things): </para>
|
|||
|
||||
<para>That's all, now you have the binary of the server and the binaries of several
|
||||
other utilities. Go to the <xref linkend="Config"/> section to see how to
|
||||
configure the operation of your LDAP server. </para>
|
||||
</section>
|
||||
configure the operation of your LDAP server. </para></section>
|
||||
|
||||
</chapter>
|
||||
|
||||
|
@ -504,7 +517,8 @@ database specific</command>. Here you will find descriptions of directives, toge
|
|||
examples of use. </para>
|
||||
|
||||
|
||||
<section id="ConfigFormat"><title>Configuration File Format</title>
|
||||
<section id="ConfigFormat">
|
||||
<title>Configuration File Format</title>
|
||||
<para>The slapd.conf file consists of three types of configuration information:
|
||||
global, backend specific, and database specific. Global information is
|
||||
specified first, followed by information associated with a particular backend
|
||||
|
@ -536,7 +550,7 @@ database <typeA>
|
|||
database <typeB>
|
||||
<database-specific directives>
|
||||
|
||||
# second database definition & config directives
|
||||
# second "typeA" database definition & config directives
|
||||
database <typeA>
|
||||
<database-specific directives>
|
||||
|
||||
|
@ -557,7 +571,8 @@ definitions (attribute types and object classes) are also provided in the
|
|||
/usr/local/etc/openldap/schema directory.</para></section>
|
||||
|
||||
|
||||
<section id="GlobalDirect"><title>Global Directives</title>
|
||||
<section id="GlobalDirect">
|
||||
<title>Global Directives</title>
|
||||
|
||||
<para>Directives described in this section apply to all backends and databases unless
|
||||
specifically overridden in a backend or database definition. Arguments that
|
||||
|
@ -615,7 +630,8 @@ debugging, invoke slapd with -? or consult the table below. The possible values
|
|||
for <integer> are:</para>
|
||||
|
||||
|
||||
<para><table tocentry="1"><title>Debugging Levels</title>
|
||||
<para><table tocentry="1">
|
||||
<title>Debugging Levels</title>
|
||||
|
||||
<tgroup cols="2"><colspec colname="Level" colwidth="0"/><colspec colname="Description" colwidth="0"/>
|
||||
|
||||
|
@ -695,11 +711,11 @@ operation.</para>
|
|||
will spend answering a search request. If a request is not finished in this
|
||||
time, a result indicating an exceeded timelimit will be returned.</para>
|
||||
<para>Default:</para>
|
||||
<para>timelimit 3600</para>
|
||||
</section>
|
||||
<para>timelimit 3600</para></section>
|
||||
|
||||
|
||||
<section id="GeneralBEDirect"><title>General Backend Directives</title>
|
||||
<section id="GeneralBEDirect">
|
||||
<title>General Backend Directives</title>
|
||||
|
||||
<para>Directives in this section apply only to the backend in which they are defined.
|
||||
They are supported by every type of backend. Backend directives apply
|
||||
|
@ -711,7 +727,8 @@ may be overridden by database directives.</para>
|
|||
<para>This directive marks the beginning of a backend definition. <type> should
|
||||
be one of bdb or one of other supported backend types listed below:
|
||||
|
||||
<table tocentry="1"><title>Database Backends</title>
|
||||
<table tocentry="1">
|
||||
<title>Database Backends</title>
|
||||
|
||||
<tgroup cols="2"><colspec colname="Type" colwidth="0"/><colspec colname="Description" colwidth="0"/>
|
||||
|
||||
|
@ -744,11 +761,11 @@ may be overridden by database directives.</para>
|
|||
|
||||
<para>Example:</para>
|
||||
<para>backend bdb</para>
|
||||
<para>This marks the beginning of a new BDB backend definition</para>
|
||||
</section>
|
||||
<para>This marks the beginning of a new BDB backend definition</para></section>
|
||||
|
||||
|
||||
<section id="GeneralDBDirect"><title>General Database Directives</title>
|
||||
<section id="GeneralDBDirect">
|
||||
<title>General Database Directives</title>
|
||||
|
||||
<para>Directives in this section apply only to the database in which they are
|
||||
defined. They are supported by every type of database.</para>
|
||||
|
@ -886,12 +903,11 @@ return to clients which submit update requests upon the replica. If specified
|
|||
multiple times, each URL is provided.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
<para>update ldap://master.example.net</para>
|
||||
|
||||
</section>
|
||||
<para>update ldap://master.example.net</para></section>
|
||||
|
||||
|
||||
<section id="BDBDirect"><title>BDB Database Directives</title>
|
||||
<section id="BDBDirect">
|
||||
<title>BDB Database Directives</title>
|
||||
|
||||
<para>Directives in this category only apply a BDB database. That is, they must
|
||||
follow a "database bdb" line and come before any subsequent "backend" or "database" line.</para>
|
||||
|
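Review bot: `Directives in this category only apply a BDB database.` is missing `to` (`only apply to a BDB database`); it is a context line of this hunk, and the section header above it is being rewritten, so correct it here.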
@ -906,7 +922,8 @@ database and associated indexes reside.</para>
|
|||
<para>directory /usr/local/var/openldap-data</para></section>
|
||||
|
||||
|
||||
<section id="LDBMDirect"><title>LDBM Database Directives</title>
|
||||
<section id="LDBMDirect">
|
||||
<title>LDBM Database Directives</title>
|
||||
|
||||
<para>Directives in this category only apply to the LDBM backend database. That is,
|
||||
they must follow a "database ldbm" line and come before any other "database" or
|
||||
|
@ -979,7 +996,8 @@ index files should have.</para>
|
|||
<para>mode 0600</para></section>
|
||||
|
||||
|
||||
<section id="AccessControl"><title>Access Control Examples</title>
|
||||
<section id="AccessControl">
|
||||
<title>Access Control Examples</title>
|
||||
|
||||
<para>The access control facility provided by the <emphasis>access</emphasis> directive is
|
||||
quite powerfull. This section shows some examples of it's use. First, some simple
|
||||
|
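Review bot: the access-control intro in this hunk's context has `quite powerfull` and `examples of it's use` (should be `powerful` and `its use`); since the section header is restructured here, correct both. The `mode 0600` example just above the new header is the right default for index files (owner read/write only, nothing for group or world); one sentence saying that this is what keeps other local users from reading directory data out of the index files would make the example's purpose explicit.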
@ -1064,7 +1082,8 @@ Administrator's Guide. Take a look at: <ulink url="http://www.openldap.org/doc/a
|
|||
for more information about this subject.</para></section>
|
||||
|
||||
|
||||
<section id="ConfigurationExample"><title>Configuration File Example</title>
|
||||
<section id="ConfigurationExample">
|
||||
<title>Configuration File Example</title>
|
||||
|
||||
<para>The following is an example configuration file, interspersed with explanatory
|
||||
text. It defines two databases to handle different parts of the X.500 tree;
|
||||
|
@ -1165,9 +1184,7 @@ to the global access rule at line 4.</para>
|
|||
36. directory /usr/local/var/openldap-data-net
|
||||
37. rootdn "cn=Manager,dc=example,dc=com"
|
||||
38. index objectClass eq
|
||||
39. access to * by users read</screen>
|
||||
|
||||
</section>
|
||||
39. access to * by users read</screen></section>
|
||||
</chapter>
|
||||
|
||||
|
||||
|
@ -1179,7 +1196,8 @@ issues with underlying databases, and conserve system resources. Running from in
|
|||
an option.</para>
|
||||
|
||||
|
||||
<section id="CommandOptions"><title>Command Line Options</title>
|
||||
<section id="CommandOptions">
|
||||
<title>Command Line Options</title>
|
||||
<para><emphasis>Slapd</emphasis> supports a number of command-line options as detailed
|
||||
in the manual page. This section details a few commonly used options:</para>
|
||||
|
||||
|
@ -1233,8 +1251,8 @@ or initializing any backends.</para>
|
|||
character, the various debugging levels are printed and slapd exits, regardless
|
||||
of any other options you give it. Current debugging levels are:</para>
|
||||
|
||||
<para>
|
||||
<table tocentry="1"><title>Debugging Levels</title>
|
||||
<para><table tocentry="1">
|
||||
<title>Debugging Levels</title>
|
||||
|
||||
<tgroup cols="2"><colspec colname="Level" colwidth="0"/><colspec colname="Description" colwidth="0"/>
|
||||
|
||||
|
@ -1269,8 +1287,7 @@ character, the various debugging levels are printed and slapd exits, regardless
|
|||
<row><entry>1024</entry>
|
||||
<entry>print communication with shell backends </entry></row>
|
||||
<row><entry>2048</entry>
|
||||
<entry>print entry parsing debugging </entry></row></tbody></tgroup></table>
|
||||
</para>
|
||||
<entry>print entry parsing debugging </entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>You may enable multiple levels by specifying the debug option once for each
|
||||
desired level. Or, since debugging levels are additive, you can do the math
|
||||
|
@ -1280,12 +1297,11 @@ this case, -d 65). Or, you can let slapd do the math, (e.g. -d 1 -d 64).
|
|||
Consult <ldap.h> for more details.</para>
|
||||
|
||||
<para><command>Note:</command> slapd must have been compiled with -DLDAP_DEBUG defined for
|
||||
any debugging information beyond the two stats levels to be available. </para>
|
||||
|
||||
</section>
|
||||
any debugging information beyond the two stats levels to be available. </para></section>
|
||||
|
||||
|
||||
<section><title>Starting the LDAP Server</title>
|
||||
<section id="StartingLDAP">
|
||||
<title>Starting the LDAP Server</title>
|
||||
<para>In general, slapd is run like this:</para>
|
||||
|
||||
<screen>/usr/local/etc/libexec/slapd [<option>]*</screen>
|
||||
|
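Review bot: adding `id="StartingLDAP"` to the section is a good change, since it makes the section addressable from `<xref>`. The `<screen>` in the same hunk shows `/usr/local/etc/libexec/slapd [<option>]*`; please verify that path against the Building section of this document, because the configuration tree referenced elsewhere on the page is `/usr/local/etc/openldap`, and readers following the default `make install` may find the binary under a different directory than `/usr/local/etc/libexec`.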
@ -1296,7 +1312,8 @@ one of the options described above (or in slapd(8)). Unless you have specified
|
|||
a debugging level (including level 0), slapd will automatically fork and detach
|
||||
itself from its controlling terminal and run in the background.</para></section>
|
||||
|
||||
<section><title>Killing the LDAP Server</title>
|
||||
<section id="KillingLDAP">
|
||||
<title>Killing the LDAP Server</title>
|
||||
<para>To kill off slapd safely, you should give a command like this: </para>
|
||||
|
||||
<screen>kill -TERM `cat $(ETCDIR)/slapd.pid`</screen>
|
||||
|
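Review bot: `kill -TERM \`cat $(ETCDIR)/slapd.pid\`` uses `$(ETCDIR)`, which is Makefile variable syntax; in a shell `$(...)` is command substitution, so this tries to run a command named `ETCDIR` and fails. Either spell out the directory where slapd writes its pid file or write it as a shell variable `$ETCDIR` that the reader is told to set. Using TERM rather than KILL is the right advice, since it gives slapd the chance to close its databases cleanly; worth keeping that rationale in the sentence `To kill off slapd safely`.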
@ -1331,7 +1348,8 @@ which would take an unacceptably long time using the LDAP method, or if you want
|
|||
ensure the database is not accessed while it is being created. Note that not all database
|
||||
types support these utilitites.</para>
|
||||
|
||||
<section id="DBOnline"><title>Creating a Database online</title>
|
||||
<section id="DBOnline">
|
||||
<title>Creating a Database online</title>
|
||||
|
||||
<para>The OpenLDAP software package comes with an utility called ldapadd, used to add
|
||||
entries while the LDAP server is running. If you choose to create the Database online, you can
|
||||
|
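Review bot: the context lines of this hunk carry `utilitites` (should be `utilities`) and `comes with an utility called ldapadd` (should be `a utility`); since the section opening is being reformatted, fix both here.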
@ -1448,12 +1466,11 @@ ldapadd command instead of -w "password". You will be prompted to enter the pass
|
|||
|
||||
<screen>
|
||||
ldapadd -f /tmp/newentry -x -D "cn=Manager, o=TUDelft, c=NL" -W
|
||||
Enter LDAP Password: </screen>
|
||||
|
||||
</section>
|
||||
Enter LDAP Password: </screen></section>
|
||||
|
||||
|
||||
<section id="CreateDBOffline"><title>Creating a Database offline</title>
|
||||
<section id="CreateDBOffline">
|
||||
<title>Creating a Database offline</title>
|
||||
|
||||
<para>The second method of database creation is to do it off-line, using the slapd
|
||||
database tools described below. This method is best if you have many
|
||||
|
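Review bot: the example `ldapadd -f /tmp/newentry -x -D "cn=Manager, o=TUDelft, c=NL" -W` is the right form to show: `-W` prompts for the password instead of passing it with `-w` on the command line, where it would be visible to other users in the process list and kept in shell history (the preceding context line already makes this point). One more sentence would help the reader: `-x` requests a simple bind, which transmits the password as-is on the wire, so this should be run over a TLS-protected connection or locally; the document's later SASL section is the alternative. The trailing space before `</screen>` after `Enter LDAP Password:` will render and can be dropped.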
@ -1557,11 +1574,11 @@ want to edit your database off-line. The program is invoked like this:</para>
|
|||
|
||||
<para>where -n or -b is used to select the database in the slapd.conf(5) specified
|
||||
using -f. The corresponding LDIF output is written to standard output or to the
|
||||
file specified using the -l option.</para>
|
||||
</section>
|
||||
file specified using the -l option.</para></section>
|
||||
|
||||
|
||||
<section><title>More on the LDIF Format</title>
|
||||
<section id="MoreonLDIF">
|
||||
<title>More on the LDIF Format</title>
|
||||
<para>The LDAP Data Interchange Format (LDIF) is used to represent LDAP entries in a
|
||||
simple text format. The basic form of an entry is: </para>
|
||||
|
||||
|
@ -1658,10 +1675,10 @@ jpegPhoto:< file://path/to/file.jpeg</screen>
|
|||
|
||||
<para>Trailing spaces are not trimmed from values in an LDIF file. Nor are multiple
|
||||
internal spaces compressed. If you don't want them in your data, don't put
|
||||
them there.</para>
|
||||
</section>
|
||||
them there.</para></section>
|
||||
|
||||
<section id="Utilities"><title>The ldapsearch, ldapdelete and ldapmodify utilities</title>
|
||||
<section id="Utilities">
|
||||
<title>The ldapsearch, ldapdelete and ldapmodify utilities</title>
|
||||
<para><command>ldapsearch</command> - ldapsearch is a shell accessible interface to the ldap_search(3)
|
||||
library call. Use this utility to search for entries on our LDAP database
|
||||
backend. </para>
|
||||
|
@ -1848,8 +1865,7 @@ changetype: delete
|
|||
<para>The -f option stands for file (read the modification information from a file
|
||||
instead of standard input), the -b option stands for binary (any values
|
||||
starting with a '/' on the input file are interpreted as binaries), the -r
|
||||
stands for replace (replace existing values by default). </para>
|
||||
</section>
|
||||
stands for replace (replace existing values by default). </para></section>
|
||||
</chapter>
|
||||
|
||||
|
||||
|
@ -1861,7 +1877,7 @@ recomendations about the subject LDAP.</para>
|
|||
|
||||
|
||||
|
||||
<section><title>LDAP Migration Tools</title>
|
||||
<section id="LDAPMigrationTools"><title>LDAP Migration Tools</title>
|
||||
<para>The LDAP Migration Tools are a collection of Perl scripts provided by PADL
|
||||
Software Ltd. They are used to convert configuration files to the LDIF format.
|
||||
I recommend reading the license terms before using them, even being free. If
|
||||
|
@ -1885,11 +1901,11 @@ scripts.</para>
|
|||
|
||||
<para>Another recommended URL with migration tools is:</para>
|
||||
|
||||
<para><ulink url="http://dataconv.org/apps_ldap.html">http://dataconv.org/apps_ldap.html</ulink></para>
|
||||
</section>
|
||||
<para><ulink url="http://dataconv.org/apps_ldap.html">http://dataconv.org/apps_ldap.html</ulink></para></section>
|
||||
|
||||
|
||||
<section id="Authentication"><title>Authentication using LDAP</title>
|
||||
<section id="Authentication">
|
||||
<title>Authentication using LDAP</title>
|
||||
|
||||
<para>To access the LDAP service, the LDAP client first must authenticate itself to
|
||||
the service. That is, it must tell the LDAP server who is going to be accessing
|
||||
|
@ -1916,26 +1932,121 @@ specifies a challenge-response protocol in which data is exchanged between the
client and the server for the purposes of authentication and establishment of a
security layer on which to carry out subsequent communication. By using SASL,
LDAP can support any type of authentication agreed upon by the LDAP client and
server. SASL instalation and setup is far away from being a user-friendly custom task.
Actually I haven't hurd of many people using OpenLDAP with SASL (specially with the
simpler protocol DIGEST-MD5). Anyway, you can try this adventure downloading the
Cyrus-SASL package: <ulink url="http://asg.web.cmu.edu/sasl/sasl-library.html">http://asg.web.cmu.edu/sasl/sasl-library.html</ulink>.
server.
The Cyrus-SASL package is available at the following URL: <ulink url="http://asg.web.cmu.edu/sasl/sasl-library.html">http://asg.web.cmu.edu/sasl/sasl-library.html</ulink>.

If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at
<ulink url="http://www.openldap.org/doc/admin/sasl.html">http://www.openldap.org/doc/admin/sasl.html</ulink>. This link assumes you've already managed to install and configure the SASL library.
The mailing lists will help you get going with this matter: <ulink url="http://asg.web.cmu.edu/sasl/index.html#mailinglists">http://asg.web.cmu.edu/sasl/index.html#mailinglists</ulink>
</para>


<para>Further on authenticating users to access information from your Directory Tree,
your LDAP server can authenticate users from other services too (Sendmail,
Login, Ftp, etc.). This is accomplished migrating specific user information to
your LDAP server and using a mechanism called PAM (Pluggable Authentication
Module). The authentication module for LDAP is available as a tar ball on the following
address:
<ulink url="http://www.padl.com/OSS/pam_ldap.html">http://www.padl.com/OSS/pam_ldap.html</ulink></para>
</section>
<ulink url="http://www.padl.com/OSS/pam_ldap.html">http://www.padl.com/OSS/pam_ldap.html</ulink></para></section>

<section id="sasl">
<title>SASL Configuration : Digest-MD5</title>
<para>I've got LDAP-SASL authentication running using the DIGEST-MD5 mechanism. To accomplish that, I've
followed strictly the steps listed bellow:</para>

<itemizedlist>
<listitem><para>Downloaded SleepyCat 4.1.25, compiling and building manually. After downloading,
I've just followed the instructions listed on the file doc/install.html under the directory where I've
unpacked the .tar.gz bundle.</para>
<para>After unpacking you can run the suggested:</para>
<screen>root@rdnt03:/usr/local/db-4.1.25/build_unix#../dist/configure
root@rdnt03:/usr/local/db-4.1.25/build_unix#make
root@rdnt03:/usr/local/db-4.1.25/build_unix#make install
</screen></listitem>
<listitem><para>Downloaded Cyrus SASL 2.1.12, unpacking and following the instructions listed on the
document doc/install.html, under the directory where I've unpacked the .tar.gz file. Here there's a point of
attention, you need to run the configure script using some env parameters:</para>
<screen>root@rdnt03:/usr/local/cyrus-sasl-2.1.12#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.1/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.1/lib" ./configure</screen>
<para>The CPPFLAGS and LDFLAGS environment parameters should point to the respective include and lib directories where Berkeley BDB was installed.</para>
<para>After that you can run the suggested:</para>
<screen>root@rdnt03:/usr/local/cyrus-sasl-2.1.12#make
root@rdnt03:/usr/local/cyrus-sasl-2.1.12#make install
root@rdnt03:/usr/local/cyrus-sasl-2.1.12#ln -s /usr/local/lib/sasl2 /usr/lib/sasl2</screen></listitem>
<listitem><para>Finally, I've installed OpenLDAP 2.1.16 using the same directions listed on this document, just running the configure script the same way as SASL's configure:</para>
<screen>root@rdnt03:/usr/local/openldap-2.1.16#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.1/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.1/lib" ./configure</screen>
<para>After that, I've run the suggested:</para>
<screen>root@rdnt03:/usr/local/openldap-2.1.16#make depend
root@rdnt03:/usr/local/openldap-2.1.16#make
root@rdnt03:/usr/local/openldap-2.1.16#make install</screen></listitem>
<listitem><para>Next, I've created the sasl user database:</para>
<screen>root@rdnt03:~# saslpasswd2 -c admin</screen>
<para>You'll be prompted for a password. Remember that the username should not be a DN (distinguished name). Also remember to use the same password as your admin entry on the directory tree.</para></listitem>
<listitem><para>Now, you should set the sasl-regexp directive in the <emphasis>slapd.conf</emphasis> file before starting the slapd daemon and testing the authentication. My <emphasis>slapd.conf</emphasis> file resides at /usr/local/etc/openldap:</para>
<screen>sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever</screen>

<para>This parameter is in the format of:</para>
<para>uid=<username>,cn=<realm>,cn=<mech>,cn=auth</para>
<para>The username is taken from sasl and inserted into the ldap search string in the place of $1.Your realm is supposed to be your FQDN (fully qualified domain name), but in some cases it isn't, like mine. To find out what your realm is do:</para>
<screen>root@rdnt03:~# sasldblistusers2
admin@rdnt03: userPassword
admin@rdnt03: cmusaslsecretOTP</screen>
<para>In my case, <emphasis>rdnt03</emphasis> is indicated as the realm. If it is your FQDN you shouldn't have any problems. I use the following LDIF file:
</para>
<screen>dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization

dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with Organization products
objectClass: top
objectClass: organizationalUnit

dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Adminstrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: Top
objectClass: Person
objectClass: Organizationalperson
objectClass: Inetorgperson

dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: admin@eversystems.com.br
uid: admin
cn: Administrator
sn: admin
</screen>
<para>Add the entries to your LDAP directory using the following command:</para>
<screen>slapadd -c -l Ever.ldif -f slapd.conf -v -d 256</screen>
</listitem>
<listitem><para>Now, start the <emphasis>slapd</emphasis> daemon and run a query using the <emphasis>ldapsearch</emphasis> command:</para>
<screen>root@rdnt03:~# ldapsearch -U admin@rdnt03 -b 'o=Ever' '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: admin@rdnt03
SASL SSF: 128
SASL installing layers
...
Entries
...</screen></listitem>
</itemizedlist>
<para>That's it ! If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at
<ulink url="http://www.openldap.org/doc/admin/sasl.html">http://www.openldap.org/doc/admin/sasl.html</ulink>. This link assumes you've already managed to install and configure the SASL library.
The mailing lists will help you get going with this matter: <ulink url="http://asg.web.cmu.edu/sasl/index.html#mailinglists">http://asg.web.cmu.edu/sasl/index.html#mailinglists</ulink></para>
</section>

<section id="Graphicaltools"><title>Graphical LDAP tools</title>


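Review bot: the new "saslpasswd2 -c admin" step tells the reader to "use the same password as your admin entry on the directory tree", and that advice should go. Cyrus SASL keeps DIGEST-MD5 secrets in /etc/sasldb2 in cleartext (the `userPassword` property that the `sasldblistusers2` listing in this hunk shows), and slapd has to be able to read that file, so with the reuse advice anyone who can read sasldb2 also holds the directory administrator's password. Suggest mapping the SASL identity to a dedicated entry with its own password, and adding a line on sasldb2 ownership and mode (readable only by the account slapd runs as). Three smaller points in the same hunk: the `sasl-regexp` capture `uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth` also matches commas, so `uid=([^,]*),cn=rdnt03,...` is the tighter pattern; the LDIF loads `uid=admin` twice (`ou=Staff` and `ou=People`) with the same `{SHA}` value while the regexp only ever maps to `ou=People`, so either drop the `ou=Staff` entry or say why both exist; and nothing between `make install` and the final `ldapsearch` confirms that slapd was actually built with Cyrus SASL support, so a check such as `ldapsearch -x -b '' -s base supportedSASLMechanisms` (DIGEST-MD5 must appear in the output) before the bind test would save readers a confusing failure.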
@ -2006,52 +2117,48 @@ only permitted on systems that support local users with the syslog(8) facility.


<para>Now take a look at the logs generated (/usr/adm/ldaplog in the example). They can help
you tremendously in solving problems with queries, updates, binding, etc. </para>
</section>
you tremendously in solving problems with queries, updates, binding, etc. </para></section>

</chapter>


<chapter><title>References</title>
<chapter id="References"><title>References</title>

<para>On this section you will find additional documentation about LDAP: useful URLs,
cool books and definition RFCs. </para>
<section id="Urls"><title>URL's</title>
<section id="Urls">
<title>URL's</title>

<para>Here are the URLs that contain very useful information about LDAP. From these
<para>Here are the URLs that contain very useful information about LDAP. >From these
URLs, this HOWTO was made, so if after reading this document you need more
specific information, you probably will find here: </para>

<para><itemizedlist>

<listitem>
<para>University of Michigan LDAP Page:
<listitem><para>University of Michigan LDAP Page:
<ulink url="http://www.umich.edu/~dirsvcs/ldap/">http://www.umich.edu/~dirsvcs/ldap/</ulink></para></listitem>

<listitem>
<para>University of Michigan LDAP Documentation Page:
<listitem><para>University of Michigan LDAP Documentation Page:
<ulink url="http://www.umich.edu/~dirsvcs/ldap/doc/">http://www.umich.edu/~dirsvcs/ldap/doc/</ulink></para></listitem>

<listitem>
<para>OpenLDAP Administrator's Guide (brother document):
<listitem><para>OpenLDAP Administrator's Guide (brother document):
<ulink url="http://www.openldap.org/doc/admin">http://www.openldap.org/doc/admin</ulink></para></listitem>

<listitem>
<para>Linux Directory Service:
<listitem><para>Linux Directory Service:
<ulink url="http://www.rage.net/ldap/">http://www.rage.net/ldap/</ulink></para></listitem>

<listitem>
<para>Red Hat and LDAP:
<ulink url="http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-ldap.html">http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-ldap.html</ulink></para></listitem>
<listitem><para>Red Hat and LDAP:
<ulink url="http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-ldap.html">http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-ldap.html</ulink></para></listitem>

<listitem><para>Mandrake Linux - Using OpenLDAP for Authentication:
<ulink url="http://www.mandrakesecure.net/en/docs/ldap-auth.php">http://www.mandrakesecure.net/en/docs/ldap-auth.php</ulink></para></listitem>
<listitem>
<para>Integrating OpenLDAP with other Open Source projects:
<ulink url="ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf">ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf</ulink></para></listitem></itemizedlist></para></section>
<listitem><para>Integrating OpenLDAP with other Open Source projects:
<ulink url="ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf">ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf</ulink></para></listitem>
</itemizedlist></para></section>


<section id="Books"><title>Books</title>
<section id="Books">
<title>Books</title>
<para>These are the most popular and useful books about LDAP:</para>

<itemizedlist>

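Review bot: the rewritten line "Here are the URLs that contain very useful information about LDAP. >From these" introduces a stray `>` in front of `From`; that is the mbox "From " escaping a mail client inserts at the start of a line, not part of the text, and the line should read `From these` as it did before this change. The rest of the hunk (the `id="References"` anchor, the Red Hat link moved from the RHL-7.3 to the RHL-9 manual, the added Mandrake authentication page) is fine.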
@ -2060,10 +2167,10 @@ specific information, you probably will find here: </para>
Directory Access Protocol by Howes and Smith</para></listitem>
<listitem><para>Understanding and Deploying LDAP Directory Servers by Howes, Smith,
and Good</para></listitem>
</itemizedlist>
</section>
</itemizedlist></section>

<section id="RFCs"><title>RFC's</title>
<section id="RFCs">
<title>RFC's</title>
<para>The RFCs that support the LDAP development efforts:</para>



@ -2084,19 +2191,3 @@ and Good</para></listitem>
</chapter></book>