Category archives: English

Articles in English

OpenLDAP tutorial – Remote configuration management by the administrator

This OpenLDAP tutorial shows how to grant configuration management access to the server administrator (rootDN). The server administrator is created during the installation procedure, but it does not have sufficient rights to read or modify the configuration settings. Granting those rights makes managing the configuration easier, because it becomes possible to modify it remotely.

Prerequisites: OpenLDAP is installed and preconfigured on a Debian, Ubuntu or compatible system. See the previous articles about OpenLDAP.

1. Avoid entering the administrator password at each command

Store the super administrator password («admin» in the sample) in a file:

echo -n "admin" > ~/pwdAdmin
chmod 600 ~/pwdAdmin

This creates the «pwdAdmin» file that contains the super administrator password. To test its use:

ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -y ~/pwdAdmin -b dc=ldaptuto,dc=net

The advantage of using the server administrator account instead of the system administrator account (root) is that you can execute commands remotely. Those commands may be launched from a desktop machine; in this case replace localhost with the DNS name of the remote machine or its IP address.

2. Super administrator access rights to server configuration

The configuration of the OpenLDAP server is located in the database under the DIT cn=config. It is the equivalent of the content of the slapd.conf configuration file in the old-style setup. By default the super administrator cannot access this configuration:

ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -y ~/pwdAdmin -b cn=config

The result of this command is empty.

We will use the extended rights of the «root» system user to give the OpenLDAP server super administrator access to the configuration data. Create the LDIF file «acces-admin.ldif» with the following content:

dn: olcDatabase={0}config,cn=config
changeType: modify
add: olcAccess
olcAccess: to * by dn.exact=cn=admin,dc=ldaptuto,dc=net manage by * break

Then, execute the modify command on the server:

sudo ldapmodify -Y external -H ldapi:/// -f acces-admin.ldif

This gives the administrator (cn=admin,dc=ldaptuto,dc=net) read and write rights on all configuration data of the server. It can easily be verified by re-running the previous query on cn=config, which returned no results before the change.

Enable the production of the OpenLDAP log file

Goal: In this 3rd part of the «OpenLDAP tutorial», we will enable the production of logs. To do that we must change the default configuration of the server. The production of OpenLDAP logs is very important for supervision and the proper use of this server.

Prerequisite: The OpenLDAP server is installed with its default configuration. The installation has been done on GNU/Linux Debian, Ubuntu or a compatible system. See part 1 and part 2 of this «OpenLDAP tutorial» series.

1. Enable the production of server Logs

sudo ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL > slapdlog.ldif

This command creates the slapdlog.ldif file, whose content is the result of the LDAP query executed by the ldapsearch utility:

dn: cn=config
olcLogLevel: none

The first line contains the DN (distinguished name), which is the unique identifier of the entry. The second line contains the only attribute requested by the query, with the value none: the production of log files is disabled by default.

Modify that file so that its content becomes:

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats

Now, this LDIF (LDAP Data Interchange Format) file contains a modify command: the second line says we want to change the entry, the third line indicates that it is a replacement of the content of the olcLogLevel attribute and the fourth gives the new value of this attribute. The stats level generates log entries for connections, operations and results. This is perfect for daily monitoring.

To run the command file on the server, we use:

sudo ldapmodify -Y external -H ldapi:/// -f slapdlog.ldif

If we get the message: modifying entry « cn=config », the operation was successful.

To check the result:

sudo ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel

This new setting is taken into account immediately by the server; no restart is required. The server sends the produced logs to the system log management mechanism, which is rsyslog on recent versions of Debian / Ubuntu.

2. Handling the OpenLDAP log in rsyslog

Create a configuration file in the folder /etc/rsyslog.d/, with any name, 10-slapd.conf for example. The number at the start of the name orders the files in this folder. This file contains the following settings:

$template slapdtmpl,"[%$DAY%-%$MONTH%-%$YEAR% %timegenerated:12:19:date-rfc3339%] %app-name% %syslogseverity-text% %msg%\n"
local4.*    /var/log/slapd.log;slapdtmpl

The chosen name slapdtmpl refers to the presentation format of the log file contents.

For details on template creation for rsyslog, consult the manual:

man rsyslog.conf

See, in particular, the section TEMPLATES.

Finally, restart rsyslog for the new settings to take effect:

sudo service rsyslog restart

3. Test this functionality of the OpenLDAP server

Run a query and view the contents of the file /var/log/slapd.log:

sudo ldapsearch -Y external -H ldapi:/// -b dc=ldaptuto,dc=net
sudo cat /var/log/slapd.log

You should see a fairly large amount of content showing the work done by the OpenLDAP server to produce the query result.
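Since a stats-level log is what this part enables for daily monitoring, here is an added example (not part of the tutorial) of a small Python parser for /var/log/slapd.log as written by the rsyslog template above: it pairs each BIND with its RESULT on the same connection and lists the failed binds (err=49, invalidCredentials) together with the client address taken from the ACCEPT line. The log sample is constructed; the timestamps, connection ids and addresses are invented.

```python
import re

# Constructed sample of /var/log/slapd.log as written by the rsyslog template
# above ("[DD-MM-YYYY HH:MM:SS] app-name severity msg") at olcLogLevel stats.
# Dates, connection ids and client addresses are invented for this example.
SAMPLE_LOG = """\
[03-06-2015 10:15:01] slapd debug conn=1001 fd=12 ACCEPT from IP=192.0.2.10:50412 (IP=0.0.0.0:389)
[03-06-2015 10:15:01] slapd debug conn=1001 op=0 BIND dn="cn=admin,dc=ldaptuto,dc=net" method=128
[03-06-2015 10:15:01] slapd debug conn=1001 op=0 RESULT tag=97 err=0 text=
[03-06-2015 10:15:02] slapd debug conn=1001 fd=12 closed
[03-06-2015 10:16:30] slapd debug conn=1002 fd=13 ACCEPT from IP=192.0.2.77:41000 (IP=0.0.0.0:389)
[03-06-2015 10:16:30] slapd debug conn=1002 op=0 BIND dn="cn=admin,dc=ldaptuto,dc=net" method=128
[03-06-2015 10:16:30] slapd debug conn=1002 op=0 RESULT tag=97 err=49 text=
[03-06-2015 10:16:31] slapd debug conn=1002 fd=13 closed
"""

# The severity word is matched loosely (\S+); slapd normally logs stats at debug.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] slapd \S+ conn=(?P<conn>\d+) (?P<rest>.*)$')
ACCEPT_RE = re.compile(r'ACCEPT from IP=(?P<ip>[\d.]+):\d+')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')  # tag=97: BindResponse


def parse_binds(text):
    """Pair each BIND with the RESULT of the same conn/op; one dict per bind."""
    client_ip = {}   # conn id -> source IP taken from the ACCEPT line
    pending = {}     # (conn, op) -> bind DN still waiting for its RESULT
    binds = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        if a := ACCEPT_RE.search(rest):
            client_ip[conn] = a["ip"]
        elif b := BIND_RE.match(rest):
            pending[(conn, b["op"])] = b["dn"]
        elif r := RESULT_RE.match(rest):
            dn = pending.pop((conn, r["op"]), None)
            if dn is not None:
                binds.append({"conn": conn, "ip": client_ip.get(conn, "?"),
                              "dn": dn, "err": int(r["err"]), "time": m["ts"]})
    return binds


def failed_binds(text):
    """Binds that ended with err=49 (invalidCredentials): the DN and source IP
    of each wrong-password attempt, which is what daily monitoring looks for."""
    return [b for b in parse_binds(text) if b["err"] == 49]
```

Run it against the real file with `failed_binds(open("/var/log/slapd.log").read())` to list wrong-password attempts per client address.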

OpenLDAP tutorial (2) – Modify the default settings

Goal: This «OpenLDAP tutorial» shows how to improve the basic server configuration seen in the post OpenLDAP tutorial – Installation and basic configuration. This reconfiguration allows you to customize the settings chosen by default during the installation procedure. It is a further step in preparing the server for use in a real environment.

Prerequisite: The OpenLDAP server is installed with its default configuration. The installation is done on a host with Debian / Ubuntu or a compatible OS.

This reconfiguration must be made before filling the directory server with data, because it resets the database and empties its contents.

This reconfiguration is done with the command:

sudo dpkg-reconfigure slapd

Following this, a series of screens appears asking you to enter settings or make choices.

Reconfiguring OpenLDAP – step 1

Choose <No> to start the reconfiguration.

Reconfiguring OpenLDAP – step 2

By default, the domain name configured for the host machine is taken. Enter the domain name; this sets the DIT of the directory. In this example: dc=ldaptuto,dc=net

Reconfiguring OpenLDAP – step 3

Enter the name of the organization, a label attached to the DIT in the directory. For information only.

Reconfiguring OpenLDAP – step 4

Password of the directory administrator, who is cn=admin,dc=ldaptuto,dc=net. The administrator has all rights and is not subject to any access restriction.

Reconfiguring OpenLDAP – step 5

The database type to use. OpenLDAP can work with several types of databases, such as BDB, HDB and MDB, which are proposed by the installation procedure. MDB is the recommended database: it is more compact and more efficient than HDB and BDB. MDB works without any special configuration and allows you to rename a subtree of the directory (any node), just like HDB.

Reconfiguring OpenLDAP – step 6

Behaviour when uninstalling and then purging the slapd package. Choose whether the data files are deleted or not (<No> is more cautious, <Yes> is more efficient).

Reconfiguring OpenLDAP – step 7

Choose <Yes>. The data files will be moved from /var/lib/ldap to /var/backup.

Reconfiguring OpenLDAP – step 8 (if it appears)

Choose <No>, unless there is a good reason (e.g. to maintain compatibility with an old system).

Following this step, the directory server is reset and restarted.

Check the new setting:

sudo ldapsearch -Y external -H ldapi:/// -b dc=ldaptuto,dc=net

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# extended LDIF
# LDAPv3
# base <dc=ldaptuto,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

dn: dc=ldaptuto,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: OpenLDAP tutorial
dc: ldaptuto

# admin,
dn: cn=admin,dc=ldaptuto,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Notice the new DIT dc=ldaptuto,dc=net and its label o: OpenLDAP tutorial

OpenLDAP tutorial – Installation

First article in the series « OpenLDAP tutorial ». The presentation is done step by step, showing all the details necessary for the final operation. The installation presented here has the minimum configuration for correct operation. Other articles will follow to improve the installation in different aspects. It is advisable to follow this series of posts in order:

  1. This article, installation and basic configuration.
  2. Modify the default settings
  3. Enable the production of the OpenLDAP log file
  4. Remote configuration management by the administrator
  5. Organization and data types
  6. Adding data to the directory
  7. Using OpenLDAP to protect access to a website
  8. OpenLDAP password policy – Managing users accounts

Prerequisite: No prior knowledge of the OpenLDAP server.

OpenLDAP tutorial, step 1: Properly configure the host Debian / Ubuntu

The server installation procedure always sets up a database. Its DIT (comparable to an instance in relational databases) is chosen from the domain name of the host machine.

hostname -f

This command returns the fully qualified name of the machine. In this example the database will have the DIT dc=meddeb,dc=net (the part of the name after the first dot).

If this configuration does not suit you, modify it (files /etc/hostname and /etc/hosts) before installing the server.

OpenLDAP tutorial, step 2: Install the OpenLDAP server on Debian / Ubuntu

sudo apt-get purge slapd
sudo apt-get install slapd

The installation process starts and asks for the password of the server administrator.

In addition to the executable binaries, files are installed in the following folders:

  • /usr/lib/ldap/ : OpenLDAP overlay libraries, native binary files.
  • /etc/ldap/schema/ : available OpenLDAP schemas, text files.
  • /etc/ldap/slapd.d/ : dynamic configuration, text files.
  • /var/lib/ldap/ : installed database files.
  • /var/run/slapd/ : runtime settings, text files.

OpenLDAP tutorial, step 3: Install the OpenLDAP client utilities

sudo apt-get install ldap-utils

This installs the OpenLDAP client utilities, including the ldapsearch query tool. The configuration file of those tools, /etc/ldap/ldap.conf, may be very useful: it allows default query parameters to be set, which simplifies interaction with the server. A typical content of this file is:

BASE   dc=meddeb,dc=net
URI    ldap://localhost
DEREF          never
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

OpenLDAP tutorial, step 4: Check the installation

slapd -V
@(#) $OpenLDAP: slapd  (Ubuntu) (Mar 17 2014 21:20:08) $

In this sample, the installed server version is 2.4.31.

ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/
olcToolThreads: 1

This gives the global part of the configuration, with its default settings. Notice the runtime parameters folder: /var/run/slapd/.

Notice, also, the olcLogLevel parameter set to none. This value must be modified for better operation (see the part of this series about log files).

sudo ldapsearch -Y external -H ldapi:/// -b dc=meddeb,dc=net -LLL

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
dn: dc=meddeb,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
dc: meddeb

dn: cn=admin,dc=meddeb,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

This gives the only two entries created by default in the directory:

  • dc=meddeb,dc=net, which is the DIT of the directory.
  • cn=admin,dc=meddeb,dc=net, which is the administrator of the directory, whose password was given during installation.