gferg 2003-04-04 20:32:15 +00:00
parent 5829688fb2
commit 3aa7a8d195
4 changed files with 252 additions and 161 deletions

View File

@ -1073,7 +1073,7 @@ FVWM2, Netscape Navigator 4.X, and a customized trackball. </Para>
LDAP-HOWTO</ULink>,
<CiteTitle>LDAP Linux HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: September 2002</CiteTitle>.
<CiteTitle>Updated: April 2003</CiteTitle>.
Information about installing, configuring, running and maintaining a
LDAP (Lightweight Directory Access Protocol) Server on a Linux
machine. </Para>

View File

@ -1482,7 +1482,7 @@ Describes GNU/Linux localization issues specific for Latvian users
LDAP-HOWTO</ULink>,
<CiteTitle>LDAP Linux HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: September 2002</CiteTitle>.
<CiteTitle>Updated: April 2003</CiteTitle>.
Information about installing, configuring, running and maintaining a
LDAP (Lightweight Directory Access Protocol) Server on a Linux
machine. </Para>

View File

@ -453,7 +453,7 @@ Linux operating system that use the Linux kernel IPX protocol support. </Para>
LDAP-HOWTO</ULink>,
<CiteTitle>LDAP Linux HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: September 2002</CiteTitle>.
<CiteTitle>Updated: April 2003</CiteTitle>.
Information about installing, configuring, running and maintaining a
LDAP (Lightweight Directory Access Protocol) Server on a Linux
machine. </Para>

View File

@ -1,8 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://docbook.org/xml/4.1.2/docbookx.dtd" []>
<book id="index"><bookinfo><title>LDAP Linux HOWTO</title>
<pubdate>v1.07, 2002-09-16</pubdate>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://docbook.org/xml/4.1.2/docbookx.dtd" [
]>
<book id="index"><bookinfo>
<title>LDAP Linux HOWTO</title>
<pubdate>v1.08, 2003-04-02</pubdate>
<author><firstname>Luiz</firstname>
<othername>Ernesto Pinheiro</othername>
<surname>Mal&egrave;re</surname>
@ -16,6 +18,10 @@ Administrator's Guide.</para></abstract>
<revhistory>
<revision><revnumber>1.08</revnumber>
<date>2003/04/02</date>
<revremark>SASL with DIGEST-MD5 authentication.</revremark></revision>
<revision><revnumber>1.07</revnumber>
<date>2002/09/16</date>
<revremark>Typo correction.</revremark></revision>
@ -85,7 +91,9 @@ The information presented on this document represents a nice initialization on
using the LDAP server. Possibly after reading this document you would feel
encouraged to expand the capabilities of your server and even write your own
clients, using the already available C, C++ and Java Development Kits.</para>
<section id="WhatisLdap"><title>What's LDAP ?</title>
<section id="WhatisLdap">
<title>What's LDAP ?</title>
<para>LDAP stands for Lightweight Directory Access Protocol. As the name suggests,
@ -107,12 +115,11 @@ different requirements on how that information can be referenced, queried and
updated, how it is protected from unauthorized access, etc. Some directory
services are local, providing service to a restricted context (e.g., the finger
service on a single machine). Other services are global, providing service to
a much broader context.</para>
</section>
a much broader context.</para></section>
<section id="HowitWorks"><title>How does LDAP work ?</title>
<section id="HowitWorks">
<title>How does LDAP work ?</title>
<para>LDAP directory service is based on a client-server model. One or more LDAP
servers contain the data making up the LDAP directory tree or LDAP backend
database. An LDAP client connects to an LDAP server and asks it a question. The
@ -121,21 +128,22 @@ database. An LDAP client connects to an LDAP server and asks it a question. The
a client connects to, it sees the same view of the directory; a name presented
to one LDAP server references the same entry it would at another LDAP server.
This is an important feature of a global directory service, like LDAP.</para></section>
<section id="LdapBackends"><title>LDAP backends, objects and attributes</title>
<section id="LdapBackends">
<title>LDAP backends, objects and attributes</title>
<para>The LDAP server daemon is called <emphasis>Slapd</emphasis>. <emphasis>Slapd</emphasis>
supports a variety of different <command>database backends</command> which you can use. They include BDB,
a high-performance transactional database backend; LDBM, a lightweight DBM based backend;
SHELL, a backend interface to arbitrary shell scripts and PASSWD, a simple backend interface
to the passwd(5) file.
supports a variety of different <command>database backends</command> which you can use.</para>
BDB utilizes <ulink url="http://www.sleepycat.com/">Sleepycat</ulink> Berkeley DB 4. LDBM utilizes
<para>They include the primary choice BDB, a high-performance transactional database backend; LDBM, a lightweight DBM based backend; SHELL, a backend interface to arbitrary shell scripts and PASSWD, a simple backend interface to the passwd(5) file.</para>
<para>BDB utilizes <ulink url="http://www.sleepycat.com/">Sleepycat</ulink> Berkeley DB 4. LDBM utilizes
either <ulink url="http://www.sleepycat.com/">Berkeley DB</ulink> or <ulink url="http://www.gnu.org/software/gdbm/">GDBM</ulink>.</para>
<para>BDB transactional backend is suited for multi-user read/write database access,
with any mix of read and write operations. BDB is used in applications that require:
<itemizedlist><listitem><para>Transactions, including making multiple changes to the
<itemizedlist>
<listitem><para>Transactions, including making multiple changes to the
database atomically and rolling back uncommitted changes when necessary.</para></listitem>
<listitem><para>Ability to recover from systems crashes and hardware failures without
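Review bot: the new sentence "They include the primary choice BDB, a high-performance transactional database backend; LDBM, ..." reads awkwardly because "the primary choice" is wedged in front of the name; "They include BDB (the primary choice), a high-performance transactional database backend; LDBM, ..." keeps the list parallel. The same new <para> is also emitted as a single unwrapped line, unlike the hard-wrapped text around it; wrapping it to the file's usual width would keep future diffs readable.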
@ -148,7 +156,7 @@ losing any committed transactions.</para></listitem>
<para>To import and export directory information between LDAP-based directory servers
, or to describe a set of changes which are to be applied to a directory, the
file format known as LDIF, for LDAP Data Interchange Format, is typically used.
An LDIF file stores information in object-oriented hierarchies of entries. The
A LDIF file stores information in object-oriented hierarchies of entries. The
LDAP software package you're going to get comes with an utility to convert LDIF
files to the BDB format</para>
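Review bot: "An LDIF file" to "A LDIF file" is a regression. LDIF is read as "el-dif", which starts with a vowel sound, so the original "An LDIF file" was correct and should be kept. While this line is being touched, the sentence could also end with a full stop ("...to the BDB format.").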
@ -185,7 +193,8 @@ or groups of objects.</para></listitem>
<listitem><para>Organizations in the directory.</para></listitem>
<listitem><para>People in the directory.</para></listitem></itemizedlist>
<listitem><para>People in the directory.</para></listitem>
</itemizedlist>
<para>An entry can belong to more than one object class. For example, the entry for a
@ -241,32 +250,32 @@ ignored during comparisons).</para></listitem>
<para><command>Note: </command>Usually objectclass and attribute definitions reside on schema files, on the
subdirectory <emphasis>schema</emphasis> under the OpenLDAP installation home.</para>
</section>
subdirectory <emphasis>schema</emphasis> under the OpenLDAP installation home.</para></section>
<section id="NewVersions"><title>New versions of this document</title>
<section id="NewVersions">
<title>New versions of this document</title>
<para>This document may receive corrections and updates based on the feedback
received by the readers. You should look at:</para>
<para><ulink url="http://linuxdoc.org/HOWTO/LDAP-HOWTO.html">http://linuxdoc.org/HOWTO/LDAP-HOWTO.html</ulink></para>
<para><ulink url="http://www.tldp.org/HOWTO/LDAP-HOWTO.html">http://www.tldp.org/HOWTO/LDAP-HOWTO.html</ulink></para>
<para>for new versions of this HOWTO.</para>
</section>
<para>for new versions of this HOWTO.</para></section>
<section id="opinions"><title>Opinions and Sugestions</title>
<section id="opinions">
<title>Opinions and Sugestions</title>
<para>If you have any kind of doubt about some information avaiable on this document,
please contact me on the following email address: <ulink url="malere@yahoo.com">malere@yahoo.com</ulink></para>
<para>If you have commentaries and/or sugestions, please let me know too !</para>
</section>
<para>If you have commentaries and/or sugestions, please let me know too !</para></section>
<section id="Acknowledgements"><title>Acknowledgments</title>
<section id="Acknowledgements">
<title>Acknowledgments</title>
<para>This Howto was result of an internship made by me on the TUDelft University -
Netherlands. I would like to thank the persons that encouraged me to write this
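Review bot: the lines being rewritten in the "opinions" section carry spelling errors that should be fixed in the same change: "Sugestions" in the <title> should be "Suggestions", "avaiable" should be "available", and "sugestions" in the last <para> should be "suggestions". The e-mail <ulink> in the same block uses url="malere@yahoo.com" without a scheme; "mailto:malere@yahoo.com" is what a DocBook stylesheet will render as a working link.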
@ -276,11 +285,14 @@ Thank you very much. They are also Linux fans, just like me.</para>
<para>I would like to thank also Thomas Bendler, author of the German Ldap-Howto,
for his contributions to my document and Joshua Go, great volunteer on the LDP
project.</para>
</section>
<para>Karl Lattimer deserves a prize, for his great contribution on SASL related issues.</para>
<para>And thanks my Lord !</para></section>
<section id="copyright"><title>Copyright and Disclaimer</title>
<section id="copyright">
<title>Copyright and Disclaimer</title>
<para>Copyright (c) 1999 Luiz Ernesto Pinheiro Mal&egrave;re.
Permission is granted to copy, distribute and/or modify this document
@ -295,22 +307,23 @@ and contact the Linux HOWTO coordinator, at: <ulink url="guylhem@metalab.unc.edu
</chapter>
<chapter id="Installing"><title>Installing the LDAP Server</title>
<para>Five steps are necessary to install the server:
<itemizedlist><listitem><para>Install the pre-required
<itemizedlist>
<listitem><para>Install the pre-required
packages (if not already installed).</para></listitem>
<listitem><para>Download the server.</para></listitem>
<listitem><para>Unpack the software.</para></listitem>
<listitem><para>Configure the Makefiles.</para></listitem>
<listitem><para>Build the server.</para></listitem></itemizedlist></para>
<listitem><para>Build the server.</para></listitem>
</itemizedlist></para>
<section id="PreReq"><title>Pre-Requirements</title>
<section id="PreReq">
<title>Pre-Requirements</title>
<para>To be fully LDAPv3 compliant, OpenLDAP clients and servers require installation
of some additional packages. For writing this document, I've used a Mandrake 8.2 box with
a 2.4.18 Kernel, manually installing the DBD package, TLS and SASL libraries.</para>
of some additional packages. For writing this document, I've used a Mandrake 9.0 box with
a 2.4.20 Kernel, manually installing the Berkeley BDB package and SASL libraries.</para>
<para><command>OpenSSL TLS Libraries</command></para>
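Review bot: "the Berkeley BDB package" is redundant, since BDB already stands for Berkeley DB; "the Berkeley DB (BDB) package" says the same thing once. Note also that the rewritten sentence drops TLS from the list of manually installed components while the very next heading is still "OpenSSL TLS Libraries"; if the TLS libraries now came with the distribution, a short clause saying so would avoid the apparent mismatch.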
@ -332,8 +345,9 @@ is highly recommended.</para>
<para><command>Cyrus's Simple Authentication and Security Layer Libraries</command></para>
<para>Cyrus's SASL libraries are normally part of the base system or compose an
optional software component. Cyrus SASL is available from <ulink url="http://asg.web.cmu.edu/sasl/sasl-library.html">http://asg.web.cmu.edu/sasl/sasl-library.html</ulink>
Cyrus SASL will make use of OpenSSL and Kerberos/GSSAPI libraries if preinstalled.</para>
optional software component. Cyrus SASL is available from <ulink url="http://asg.web.cmu.edu/sasl/sasl-library.html">http://asg.web.cmu.edu/sasl/sasl-library.html</ulink>.
Cyrus SASL will make use of OpenSSL and Kerberos/GSSAPI libraries if preinstalled. By the time of this
writing, I've used Cyrus SASL 2.1.12.</para>
<para><command>Database Software</command></para>
@ -345,7 +359,7 @@ If not available at configure time, you will not be able to build slapd with pri
<para>Your operating system may provide Berkeley DB, version 4, in the base
system or as an optional software component. If not, there are several versions
available at <ulink url="http://www.sleepycat.com/download.html">Sleepycat</ulink>.
At the time of this writing, the latest release, version 4.0.14, is recommended.
At the time of this writing, the latest release, version 4.1.25, is recommended.
OpenLDAP's slapd LDBM backend supports a variety of database managers,
like Berkeley DB (version 3) and GDBM. GDBM is available from FSF's download
site <ulink url="ftp://ftp.gnu.org/pub/gnu/gdbm/.">ftp://ftp.gnu.org/pub/gnu/gdbm/</ulink>.</para>
@ -363,14 +377,14 @@ consult the Software - Installation - Platform Hints section of the OpenLDAP FAQ
<para><command>TCP Wrappers</command></para>
<para><emphasis>Slapd</emphasis>supports TCP wrappers (IP level access control filters) if
<para><emphasis>Slapd</emphasis> supports TCP wrappers (IP level access control filters) if
preinstalled. Use of TCP wrappers or other IP-level access filters (such as
those provided by an IP-level firewall) is recommended for servers containing
non-public information.</para>
</section>
non-public information.</para></section>
<section id="Download"><title>Downloading the Package</title>
<section id="Download">
<title>Downloading the Package</title>
<para>There are two free distributed LDAP servers: University of Michigan LDAP server
and OpenLDAP server. There's also the Netscape Directory Server, which is free
@ -384,29 +398,29 @@ available for it. This document assumes that you are using the OpenLDAP server.<
this address: </para>
<para><ulink url="ftp://terminator.rs.itd.umich.edu/ldap">ftp://terminator.rs.itd.umich.edu/ldap</ulink></para>
<para></para>
<para>To write this document, I used the 2.1.3 version of the OpenLDAP package. My
operating system is a Mandrake Linux with kernel 2.4.18. </para>
<para>To write this document, I used the 2.1.16 version of the OpenLDAP package. My
operating system is a Mandrake Linux 9.0 with kernel 2.4.20. </para>
<para>On the OpenLDAP site you can always find the latest development and stable
versions of the OpenLDAP server. By the time this document was updated, the
latest stable version was openldap-stable-20020618.tgz (version 2.0.25). The latest development
version was openldap-2.1.3.tgz. </para></section>
latest stable version was openldap-stable-20030317.tgz (version 2.1.16). The latest development
version was also openldap-2.1.16.tgz. </para></section>
<section id="Unpacking"><title>Unpacking the Software</title>
<section id="Unpacking">
<title>Unpacking the Software</title>
<para>Now that you have the tar gzipped package on your local machine, you can
unpack it. </para>
<para>First copy the package to a desirable directory, for example /usr/local.
Next use the following command:</para>
<screen>tar xvzf openldap-2.1.3.tgz </screen>
<screen>tar xvzf openldap-2.1.16.tgz </screen>
<para>You can use this command too, as well: </para>
<screen>gunzip openldap-2.1.3.tgz | tar xvf -</screen>
</section>
<screen>gunzip openldap-2.1.16.tgz | tar xvf -</screen></section>
<section id="Configuring"><title>Configuring the Software</title>
<section id="Configuring">
<title>Configuring the Software</title>
<para>The OpenLDAP server sources are distributed with a configuration script for
setting options like instalation directories, compiler and linker flags. Type
the following command on the directory where you unpacked the software: </para>
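Review bot: the alternative unpack command "gunzip openldap-2.1.16.tgz | tar xvf -" does not work as written, and the version bump is a good moment to fix it. Without -c, gunzip replaces the .tgz with an uncompressed .tar on disk and writes nothing to stdout, so tar reads an empty stream; use "gunzip -c openldap-2.1.16.tgz | tar xvf -" (or "zcat openldap-2.1.16.tgz | tar xvf -") so the pipeline actually extracts the archive.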
@ -447,11 +461,11 @@ configure script:
<listitem><para>CPPFLAGS: Specify C Preprocessor flags.</para></listitem>
<listitem><para>LDFLAGS: Specify linker flags.</para></listitem>
<listitem><para>LIBS: Specify additional libraries.</para></listitem>
</itemizedlist></para>
</section>
</itemizedlist></para></section>
<section id="Building"><title>Building the Server</title>
<section id="Building">
<title>Building the Server</title>
<para>After configuring the software you can start building it. First build the
dependencies, using the command: </para>
@ -483,8 +497,7 @@ to do this (depending on where you are installing things): </para>
<para>That's all, now you have the binary of the server and the binaries of several
other utilities. Go to the <xref linkend="Config"/> section to see how to
configure the operation of your LDAP server. </para>
</section>
configure the operation of your LDAP server. </para></section>
</chapter>
@ -504,7 +517,8 @@ database specific</command>. Here you will find descriptions of directives, toge
examples of use. </para>
<section id="ConfigFormat"><title>Configuration File Format</title>
<section id="ConfigFormat">
<title>Configuration File Format</title>
<para>The slapd.conf file consists of three types of configuration information:
global, backend specific, and database specific. Global information is
specified first, followed by information associated with a particular backend
@ -536,7 +550,7 @@ database &lt;typeA&gt;
database &lt;typeB&gt;
&lt;database-specific directives&gt;
# second database definition &amp; config directives
# second &quot;typeA&quot; database definition &amp; config directives
database &lt;typeA&gt;
&lt;database-specific directives&gt;
@ -557,7 +571,8 @@ definitions (attribute types and object classes) are also provided in the
/usr/local/etc/openldap/schema directory.</para></section>
<section id="GlobalDirect"><title>Global Directives</title>
<section id="GlobalDirect">
<title>Global Directives</title>
<para>Directives described in this section apply to all backends and databases unless
specifically overridden in a backend or database definition. Arguments that
@ -615,7 +630,8 @@ debugging, invoke slapd with -? or consult the table below. The possible values
for &lt;integer&gt; are:</para>
<para><table tocentry="1"><title>Debugging Levels</title>
<para><table tocentry="1">
<title>Debugging Levels</title>
<tgroup cols="2"><colspec colname="Level" colwidth="0"/><colspec colname="Description" colwidth="0"/>
@ -695,11 +711,11 @@ operation.</para>
will spend answering a search request. If a request is not finished in this
time, a result indicating an exceeded timelimit will be returned.</para>
<para>Default:</para>
<para>timelimit 3600</para>
</section>
<para>timelimit 3600</para></section>
<section id="GeneralBEDirect"><title>General Backend Directives</title>
<section id="GeneralBEDirect">
<title>General Backend Directives</title>
<para>Directives in this section apply only to the backend in which they are defined.
They are supported by every type of backend. Backend directives apply
@ -711,7 +727,8 @@ may be overridden by database directives.</para>
<para>This directive marks the beginning of a backend definition. &lt;type&gt; should
be one of bdb or one of other supported backend types listed below:
<table tocentry="1"><title>Database Backends</title>
<table tocentry="1">
<title>Database Backends</title>
<tgroup cols="2"><colspec colname="Type" colwidth="0"/><colspec colname="Description" colwidth="0"/>
@ -744,11 +761,11 @@ may be overridden by database directives.</para>
<para>Example:</para>
<para>backend bdb</para>
<para>This marks the beginning of a new BDB backend definition</para>
</section>
<para>This marks the beginning of a new BDB backend definition</para></section>
<section id="GeneralDBDirect"><title>General Database Directives</title>
<section id="GeneralDBDirect">
<title>General Database Directives</title>
<para>Directives in this section apply only to the database in which they are
defined. They are supported by every type of database.</para>
@ -886,12 +903,11 @@ return to clients which submit update requests upon the replica. If specified
multiple times, each URL is provided.</para>
<para>Example:</para>
<para>update ldap://master.example.net</para>
</section>
<para>update ldap://master.example.net</para></section>
<section id="BDBDirect"><title>BDB Database Directives</title>
<section id="BDBDirect">
<title>BDB Database Directives</title>
<para>Directives in this category only apply a BDB database. That is, they must
follow a "database bdb" line and come before any subsequent "backend" or "database" line.</para>
@ -906,7 +922,8 @@ database and associated indexes reside.</para>
<para>directory /usr/local/var/openldap-data</para></section>
<section id="LDBMDirect"><title>LDBM Database Directives</title>
<section id="LDBMDirect">
<title>LDBM Database Directives</title>
<para>Directives in this category only apply to the LDBM backend database. That is,
they must follow a "database ldbm" line and come before any other "database" or
@ -979,7 +996,8 @@ index files should have.</para>
<para>mode 0600</para></section>
<section id="AccessControl"><title>Access Control Examples</title>
<section id="AccessControl">
<title>Access Control Examples</title>
<para>The access control facility provided by the <emphasis>access</emphasis> directive is
quite powerfull. This section shows some examples of it's use. First, some simple
@ -1064,7 +1082,8 @@ Administrator's Guide. Take a look at: <ulink url="http://www.openldap.org/doc/a
for more information about this subject.</para></section>
<section id="ConfigurationExample"><title>Configuration File Example</title>
<section id="ConfigurationExample">
<title>Configuration File Example</title>
<para>The following is an example configuration file, interspersed with explanatory
text. It defines two databases to handle different parts of the X.500 tree;
@ -1165,9 +1184,7 @@ to the global access rule at line 4.</para>
36. directory /usr/local/var/openldap-data-net
37. rootdn "cn=Manager,dc=example,dc=com"
38. index objectClass eq
39. access to * by users read</screen>
</section>
39. access to * by users read</screen></section>
</chapter>
@ -1179,7 +1196,8 @@ issues with underlying databases, and conserve system resources. Running from in
an option.</para>
<section id="CommandOptions"><title>Command Line Options</title>
<section id="CommandOptions">
<title>Command Line Options</title>
<para><emphasis>Slapd</emphasis> supports a number of command-line options as detailed
in the manual page. This section details a few commonly used options:</para>
@ -1233,8 +1251,8 @@ or initializing any backends.</para>
character, the various debugging levels are printed and slapd exits, regardless
of any other options you give it. Current debugging levels are:</para>
<para>
<table tocentry="1"><title>Debugging Levels</title>
<para><table tocentry="1">
<title>Debugging Levels</title>
<tgroup cols="2"><colspec colname="Level" colwidth="0"/><colspec colname="Description" colwidth="0"/>
@ -1269,8 +1287,7 @@ character, the various debugging levels are printed and slapd exits, regardless
<row><entry>1024</entry>
<entry>print communication with shell backends </entry></row>
<row><entry>2048</entry>
<entry>print entry parsing debugging </entry></row></tbody></tgroup></table>
</para>
<entry>print entry parsing debugging </entry></row></tbody></tgroup></table></para>
<para>You may enable multiple levels by specifying the debug option once for each
desired level. Or, since debugging levels are additive, you can do the math
@ -1280,12 +1297,11 @@ this case, -d 65). Or, you can let slapd do the math, (e.g. -d 1 -d 64).
Consult &lt;ldap.h&gt; for more details.</para>
<para><command>Note:</command> slapd must have been compiled with -DLDAP_DEBUG defined for
any debugging information beyond the two stats levels to be available. </para>
</section>
any debugging information beyond the two stats levels to be available. </para></section>
<section><title>Starting the LDAP Server</title>
<section id="StartingLDAP">
<title>Starting the LDAP Server</title>
<para>In general, slapd is run like this:</para>
<screen>/usr/local/etc/libexec/slapd [&lt;option&gt;]*</screen>
@ -1296,7 +1312,8 @@ one of the options described above (or in slapd(8)). Unless you have specified
a debugging level (including level 0), slapd will automatically fork and detach
itself from its controlling terminal and run in the background.</para></section>
<section><title>Killing the LDAP Server</title>
<section id="KillingLDAP">
<title>Killing the LDAP Server</title>
<para>To kill off slapd safely, you should give a command like this: </para>
<screen>kill -TERM `cat $(ETCDIR)/slapd.pid`</screen>
@ -1331,7 +1348,8 @@ which would take an unacceptably long time using the LDAP method, or if you want
ensure the database is not accessed while it is being created. Note that not all database
types support these utilitites.</para>
<section id="DBOnline"><title>Creating a Database online</title>
<section id="DBOnline">
<title>Creating a Database online</title>
<para>The OpenLDAP software package comes with an utility called ldapadd, used to add
entries while the LDAP server is running. If you choose to create the Database online, you can
@ -1448,12 +1466,11 @@ ldapadd command instead of -w "password". You will be prompted to enter the pass
<screen>
ldapadd -f /tmp/newentry -x -D "cn=Manager, o=TUDelft, c=NL" -W
Enter LDAP Password: </screen>
</section>
Enter LDAP Password: </screen></section>
<section id="CreateDBOffline"><title>Creating a Database offline</title>
<section id="CreateDBOffline">
<title>Creating a Database offline</title>
<para>The second method of database creation is to do it off-line, using the slapd
database tools described below. This method is best if you have many
@ -1557,11 +1574,11 @@ want to edit your database off-line. The program is invoked like this:</para>
<para>where -n or -b is used to select the database in the slapd.conf(5) specified
using -f. The corresponding LDIF output is written to standard output or to the
file specified using the -l option.</para>
</section>
file specified using the -l option.</para></section>
<section><title>More on the LDIF Format</title>
<section id="MoreonLDIF">
<title>More on the LDIF Format</title>
<para>The LDAP Data Interchange Format (LDIF) is used to represent LDAP entries in a
simple text format. The basic form of an entry is: </para>
@ -1658,10 +1675,10 @@ jpegPhoto:&lt; file://path/to/file.jpeg</screen>
<para>Trailing spaces are not trimmed from values in an LDIF file. Nor are multiple
internal spaces compressed. If you don't want them in your data, don't put
them there.</para>
</section>
them there.</para></section>
<section id="Utilities"><title>The ldapsearch, ldapdelete and ldapmodify utilities</title>
<section id="Utilities">
<title>The ldapsearch, ldapdelete and ldapmodify utilities</title>
<para><command>ldapsearch</command> - ldapsearch is a shell accessible interface to the ldap_search(3)
library call. Use this utility to search for entries on our LDAP database
backend. </para>
@ -1848,8 +1865,7 @@ changetype: delete
<para>The -f option stands for file (read the modification information from a file
instead of standard input), the -b option stands for binary (any values
starting with a '/' on the input file are interpreted as binaries), the -r
stands for replace (replace existing values by default). </para>
</section>
stands for replace (replace existing values by default). </para></section>
</chapter>
@ -1861,7 +1877,7 @@ recomendations about the subject LDAP.</para>
<section><title>LDAP Migration Tools</title>
<section id="LDAPMigrationTools"><title>LDAP Migration Tools</title>
<para>The LDAP Migration Tools are a collection of Perl scripts provided by PADL
Software Ltd. They are used to convert configuration files to the LDIF format.
I recommend reading the license terms before using them, even being free. If
@ -1885,11 +1901,11 @@ scripts.</para>
<para>Another recommended URL with migration tools is:</para>
<para><ulink url="http://dataconv.org/apps_ldap.html">http://dataconv.org/apps_ldap.html</ulink></para>
</section>
<para><ulink url="http://dataconv.org/apps_ldap.html">http://dataconv.org/apps_ldap.html</ulink></para></section>
<section id="Authentication"><title>Authentication using LDAP</title>
<section id="Authentication">
<title>Authentication using LDAP</title>
<para>To access the LDAP service, the LDAP client first must authenticate itself to
the service. That is, it must tell the LDAP server who is going to be accessing
@ -1916,26 +1932,121 @@ specifies a challenge-response protocol in which data is exchanged between the
client and the server for the purposes of authentication and establishment of a
security layer on which to carry out subsequent communication. By using SASL,
LDAP can support any type of authentication agreed upon by the LDAP client and
server. SASL instalation and setup is far away from being a user-friendly custom task.
Actually I haven't hurd of many people using OpenLDAP with SASL (specially with the
simpler protocol DIGEST-MD5). Anyway, you can try this adventure downloading the
Cyrus-SASL package: <ulink url="http://asg.web.cmu.edu/sasl/sasl-library.html">http://asg.web.cmu.edu/sasl/sasl-library.html</ulink>.
server.
The Cyrus-SASL package is available at the following URL: <ulink url="http://asg.web.cmu.edu/sasl/sasl-library.html">http://asg.web.cmu.edu/sasl/sasl-library.html</ulink>.
If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at
<ulink url="http://www.openldap.org/doc/admin/sasl.html">http://www.openldap.org/doc/admin/sasl.html</ulink>. This link assumes you've already managed to install and configure the SASL library.
The mailing lists will help you get going with this matter: <ulink url="http://asg.web.cmu.edu/sasl/index.html#mailinglists">http://asg.web.cmu.edu/sasl/index.html#mailinglists</ulink>
</para>
<para>Further on authenticating users to access information from your Directory Tree,
your LDAP server can authenticate users from other services too (Sendmail,
Login, Ftp, etc.). This is accomplished migrating specific user information to
your LDAP server and using a mechanism called PAM (Pluggable Authentication
Module). The authentication module for LDAP is available as a tar ball on the following
address:
<ulink url="http://www.padl.com/OSS/pam_ldap.html">http://www.padl.com/OSS/pam_ldap.html</ulink></para>
</section>
<ulink url="http://www.padl.com/OSS/pam_ldap.html">http://www.padl.com/OSS/pam_ldap.html</ulink></para></section>
<section id="sasl">
<title>SASL Configuration : Digest-MD5</title>
<para>I've got LDAP-SASL authentication running using the DIGEST-MD5 mechanism. To accomplish that, I've
followed strictly the steps listed bellow:</para>
<itemizedlist>
<listitem><para>Downloaded SleepyCat 4.1.25, compiling and building manually. After downloading,
I've just followed the instructions listed on the file doc/install.html under the directory where I've
unpacked the .tar.gz bundle.</para>
<para>After unpacking you can run the suggested:</para>
<screen>root@rdnt03:/usr/local/db-4.1.25/build_unix#../dist/configure
root@rdnt03:/usr/local/db-4.1.25/build_unix#make
root@rdnt03:/usr/local/db-4.1.25/build_unix#make install
</screen></listitem>
<listitem><para>Downloaded Cyrus SASL 2.1.12, unpacking and following the instructions listed on the
document doc/install.html, under the directory where I've unpacked the .tar.gz file. Here there's a point of
attention, you need to run the configure script using some env parameters:</para>
<screen>root@rdnt03:/usr/local/cyrus-sasl-2.1.12#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.1/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.1/lib" ./configure</screen>
<para>The CPPFLAGS and LDFLAGS environment parameters should point to the respective include and lib directories where Berkeley BDB was installed.</para>
<para>After that you can run the suggested:</para>
<screen>root@rdnt03:/usr/local/cyrus-sasl-2.1.12#make
root@rdnt03:/usr/local/cyrus-sasl-2.1.12#make install
root@rdnt03:/usr/local/cyrus-sasl-2.1.12#ln -s /usr/local/lib/sasl2 /usr/lib/sasl2</screen></listitem>
<listitem><para>Finally, I've installed OpenLDAP 2.1.16 using the same directions listed on this document, just running the configure script the same way as SASL's configure:</para>
<screen>root@rdnt03:/usr/local/openldap-2.1.16#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.1/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.1/lib" ./configure</screen>
<para>After that, I've run the suggested:</para>
<screen>root@rdnt03:/usr/local/openldap-2.1.16#make depend
root@rdnt03:/usr/local/openldap-2.1.16#make
root@rdnt03:/usr/local/openldap-2.1.16#make install</screen></listitem>
<listitem><para>Next, I've created the sasl user database:</para>
<screen>root@rdnt03:~# saslpasswd2 -c admin</screen>
<para>You'll be prompted for a password. Remember that the username should not be a DN (distinguished name). Also remember to use the same password as your admin entry on the directory tree.</para></listitem>
<listitem><para>Now, you should set the sasl-regexp directive in the <emphasis>slapd.conf</emphasis> file before starting the slapd daemon and testing the authentication. My <emphasis>slapd.conf</emphasis> file resides at /usr/local/etc/openldap:</para>
<screen>sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever</screen>
<para>This parameter is in the format of:</para>
<para>uid=&lt;username&gt;,cn=&lt;realm&gt;,cn=&lt;mech&gt;,cn=auth</para>
<para>The username is taken from sasl and inserted into the ldap search string in the place of $1.Your realm is supposed to be your FQDN (fully qualified domain name), but in some cases it isn't, like mine. To find out what your realm is do:</para>
<screen>root@rdnt03:~# sasldblistusers2
admin@rdnt03: userPassword
admin@rdnt03: cmusaslsecretOTP</screen>
<para>In my case, <emphasis>rdnt03</emphasis> is indicated as the realm. If it is your FQDN you shouldn't have any problems. I use the following LDIF file:
</para>
<screen>dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization
dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with Organization products
objectClass: top
objectClass: organizationalUnit
dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit
dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Adminstrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: Top
objectClass: Person
objectClass: Organizationalperson
objectClass: Inetorgperson
dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: admin@eversystems.com.br
uid: admin
cn: Administrator
sn: admin
</screen>
<para>Add the entries to your LDAP directory using the following command:</para>
<screen>slapadd -c -l Ever.ldif -f slapd.conf -v -d 256</screen>
</listitem>
<listitem><para>Now, start the <emphasis>slapd</emphasis> daemon and run a query using the <emphasis>ldapsearch</emphasis> command:</para>
<screen>root@rdnt03:~# ldapsearch -U admin@rdnt03 -b 'o=Ever' '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: admin@rdnt03
SASL SSF: 128
SASL installing layers
...
Entries
...</screen></listitem>
</itemizedlist>
<para>That's it ! If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at
<ulink url="http://www.openldap.org/doc/admin/sasl.html">http://www.openldap.org/doc/admin/sasl.html</ulink>. This link assumes you've already managed to install and configure the SASL library.
The mailing lists will help you get going with this matter: <ulink url="http://asg.web.cmu.edu/sasl/index.html#mailinglists">http://asg.web.cmu.edu/sasl/index.html#mailinglists</ulink></para>
</section>
<section id="Graphicaltools"><title>Graphical LDAP tools</title>
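Review bot: the LDIF shown from `dn: o=Ever` down to the last `sn: admin` runs its five entries together with no blank separator line, and LDIF requires an empty line between entries; if the source file really lacks them the import fails, and because the load command `slapadd -c -l Ever.ldif -f slapd.conf -v -d 256` passes `-c` (continue on errors) a malformed entry would be skipped rather than aborting the load, leaving a partial directory. Suggest dropping `-c` for the initial load and checking the exit status. Smaller points in the same region: `cn: LDAP Adminstrator` should read `Administrator`; the identical `{SHA}` userPassword value repeated in both admin entries is a sample that readers will paste verbatim, so the text should tell them to generate their own with `slappasswd` and keep it in step with the `saslpasswd2 -c admin` secret as the paragraph already requires; and `$1.Your realm` needs a space after the period.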
@ -2006,52 +2117,48 @@ only permitted on systems that support local users with the syslog(8) facility.
<para>Now take a look at the logs generated (/usr/adm/ldaplog in the example). They can help
you tremendously in solving problems with queries, updates, binding, etc. </para>
</section>
you tremendously in solving problems with queries, updates, binding, etc. </para></section>
</chapter>
<chapter><title>References</title>
<chapter id="References"><title>References</title>
<para>On this section you will find additional documentation about LDAP: useful URLs,
cool books and definition RFCs. </para>
<section id="Urls"><title>URL's</title>
<section id="Urls">
<title>URL's</title>
<para>Here are the URLs that contain very useful information about LDAP. From these
<para>Here are the URLs that contain very useful information about LDAP. >From these
URLs, this HOWTO was made, so if after reading this document you need more
specific information, you probably will find here: </para>
<para><itemizedlist>
<listitem>
<para>University of Michigan LDAP Page:
<listitem><para>University of Michigan LDAP Page:
<ulink url="http://www.umich.edu/~dirsvcs/ldap/">http://www.umich.edu/~dirsvcs/ldap/</ulink></para></listitem>
<listitem>
<para>University of Michigan LDAP Documentation Page:
<listitem><para>University of Michigan LDAP Documentation Page:
<ulink url="http://www.umich.edu/~dirsvcs/ldap/doc/">http://www.umich.edu/~dirsvcs/ldap/doc/</ulink></para></listitem>
<listitem>
<para>OpenLDAP Administrator's Guide (brother document):
<listitem><para>OpenLDAP Administrator's Guide (brother document):
<ulink url="http://www.openldap.org/doc/admin">http://www.openldap.org/doc/admin</ulink></para></listitem>
<listitem>
<para>Linux Directory Service:
<listitem><para>Linux Directory Service:
<ulink url="http://www.rage.net/ldap/">http://www.rage.net/ldap/</ulink></para></listitem>
<listitem>
<para>Red Hat and LDAP:
<ulink url="http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-ldap.html">http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-ldap.html</ulink></para></listitem>
<listitem><para>Red Hat and LDAP:
<ulink url="http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-ldap.html">http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-ldap.html</ulink></para></listitem>
<listitem><para>Mandrake Linux - Using OpenLDAP for Authentication:
<ulink url="http://www.mandrakesecure.net/en/docs/ldap-auth.php">http://www.mandrakesecure.net/en/docs/ldap-auth.php</ulink></para></listitem>
<listitem>
<para>Integrating OpenLDAP with other Open Source projects:
<ulink url="ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf">ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf</ulink></para></listitem></itemizedlist></para></section>
<listitem><para>Integrating OpenLDAP with other Open Source projects:
<ulink url="ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf">ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf</ulink></para></listitem>
</itemizedlist></para></section>
<section id="Books"><title>Books</title>
<section id="Books">
<title>Books</title>
<para>These are the most popular and useful books about LDAP:</para>
<itemizedlist>
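Review bot: the rewritten line `Here are the URLs that contain very useful information about LDAP. >From these` introduces a stray `>` before `From`; this is the mbox `>From ` escaping that mail transports apply to lines beginning with `From`, and it will be rendered literally in the HOWTO, so restore the original `From these`. The same hunk also changes the Red Hat reference from the RHL-7.3 to the RHL-9 manual and adds the Mandrake authentication link; both are reasonable but deserve a mention in the commit message, since the rest of the hunk is whitespace reflow (the `</para></section>` join, `<section id="Urls">` split from its `<title>`) that makes the content changes hard to spot.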
@ -2060,10 +2167,10 @@ specific information, you probably will find here: </para>
Directory Access Protocol by Howes and Smith</para></listitem>
<listitem><para>Understanding and Deploying LDAP Directory Servers by Howes, Smith,
and Good</para></listitem>
</itemizedlist>
</section>
</itemizedlist></section>
<section id="RFCs"><title>RFC's</title>
<section id="RFCs">
<title>RFC's</title>
<para>The RFCs that support the LDAP development efforts:</para>
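Review bot: this hunk is whitespace-only (joining `</itemizedlist></section>` onto one line and splitting `<section id="RFCs">` from its `<title>`); interleaving pure reflow with the content edits elsewhere in the file makes the diff noisy, so consider keeping such reformatting in a separate commit.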
@ -2084,19 +2191,3 @@ and Good</para></listitem>
</chapter></book>
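Review bot: the hunk header `@ -2084,19 +2191,3 @@` collapses 19 old lines to 3, but only the closing `</chapter></book>` is visible, so whatever was removed from the end of the RFC's section cannot be reviewed here; confirm that the deletion is intentional and that no RFC entries were lost, and state it in the commit message.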