OpenLDAP Directory Administration
OpenLDAP
Table of Contents● Obtaining the OpenLDAP Distribution
● Software Requirements
● Compiling OpenLDAP 2
● OpenLDAP Clients and Servers
● The slapd.conf Configuration File
● Access Control Lists (ACLs)
Table of Contents● Obtaining the OpenLDAP Distribution
● Software Requirements
● Compiling OpenLDAP 2
● OpenLDAP Clients and Servers
● The slapd.conf Configuration File
● Access Control Lists (ACLs)
Obtaining the OpenLDAP Distribution
● OpenLDAP ?
– Popular, open source LDAP-v3-compliant server
– Attractive for several reasons:● Source code is available for download● Compliant with the core LDAPv3 specifications● Available on multiple platforms, including Linux, Solaris, Mac
OS 10.2, and Windows● Continuation of original University of Michigan LDAP server
● Compiling OpenLDAP = lots of dependencies
● Try to obtain binary packages (eg. http://www.symas.com/ for Solaris & HP/UX)
● Source code: http://www.openldap.org/
Table of Contents● Obtaining the OpenLDAP Distribution
● Software Requirements
● Compiling OpenLDAP 2
● OpenLDAP Clients and Servers
● The slapd.conf Configuration File
● Access Control Lists (ACLs)
Software Requirements● OpenLDAP server will require several external software
packages:
– Support for POSIX threads (either by OS or an external library)
It is possible to compile OpenLDAP without thread support, but slurpd requires it
– SSL/TLS libraries, such as OpenSSL
http://www.openssl.org/
– Database manager library that supports DBM type storage facilities.
● Current library of choice is BerkeleyDB 4.1
http://www.sleepycat.com/● ldbm can also be used
http://www.fsf.org/
– Release 2.1 of the SASL libraries from Carnegie Mellon University
http://asg.web.cmu.edu/sasl/sasl-library.html
Table of Contents● Obtaining the OpenLDAP Distribution
● Software Requirements
● Compiling OpenLDAP 2
● OpenLDAP Clients and Servers
● The slapd.conf Configuration File
● Access Control Lists (ACLs)
Compiling OpenLDAP● Compiling:
(untar)
./configure --enable-wrappers
make depend
make
make test
make install
● Things to check when encountering problems
– (if your system supports it) Use ldd tool to verify that binaries (eg. slapd) have been compiled against correct libraries
● Change /etc/ld.so.conf and run ldconfig -v or set LD_LIBRARY_PATH
– Verify that DNS is configured correctly (reverse DNS!)
– Verify network connectivity
enables support for TCP wrappers
Table of Contents● Obtaining the OpenLDAP Distribution
● Software Requirements
● Compiling OpenLDAP 2
● OpenLDAP Clients and Servers
● The slapd.conf Configuration File
● Access Control Lists (ACLs)
OpenLDAP Clients and Servers
Name Descriptionlibexec/slapd The LDAP serverlibexec/slurpd The LDAP replication helperbin/ldapaddbin/ldapmodifybin/ldapdeletebin/ldapmodrdnbin/ldapsearchbin/ldapcomparebin/ldappasswd
sbin/slapaddsbin/slapcatsbin/slapindexsbin/slappasswd
lib/libldap* The OpenLDAP client SDKlib/liblber*include/ldap*.hinclude/lber*.h
Command-line tools for adding, modifiying, and deleting entries on an LDAP server (commands support both LDAPv2 and LDAPv3)Command-line utilities for searching an LDAP directory or testing a compare A tool for changing the password attribute in LDAP entries. This tool is the equivalent of /bin/passwdTools for manipulating the local backend data store used by the slapd daemon
A simple utility to generate password hashes suitable for use in slapd.conf
Table of Contents● Obtaining the OpenLDAP Distribution
● Software Requirements
● Compiling OpenLDAP 2
● OpenLDAP Clients and Servers
● The slapd.conf Configuration File
● Access Control Lists (ACLs)
The slapd.conf Configuration File● Central source of configuration information
● Used by slapd, slurpd, and related tools, such as slapcat and slapadd
● Tools like slapmodify and slapsearch use ldap.conf (not slapd.conf) for default settings
● Can be broken into two sections
– Parameters that affect overall behavior of the servers
– Parameters that relate to a specific database backend used by the slapd daemon
The slapd.conf Configuration FileSchema Files
include /etc/ldap/schema/...
corba.schema
Schema for storing Corba Objects in LDAP (RFC 2714)
core.schema
OpenLDAP required core schemas: basic LDAPv3 attributes and objects described in RFCs 2251-2256
cosine.schema
For supporting COSINE and X.500 directory pilots (RFC 1274)
inetorgperson.schema
Defined inetOrgPerson object class & attributes (RFC 2798)
java.schema
For storing Java objects (RFC 2713)
misc.schema
Miscellaneous objects (eg LDAP-based mail routing with sendmail)
nis.schema
Attributes and objects necessary for using LDAP+NIS (RFC 2307)
openldap.schema
Miscelaneous objects used by the OpenLDAP project
The slapd.conf Configuration FileLogging
loglevel 296
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
loglevel is a set of bit flags that should be OR'ed together
Level I nformation recorded-1 All logging information0 No logging information1 Trace function calls2 Packet-handling debugging information4 Heavy trace debugging8 Connection management16 Packets sent and received32 Search filter processing64 Configuration file processing128 Access Control List processing256 Statistics for connection, operations, and results512 Statistics for results returned to cients1024 Communication with shell backends2048 Print entry parsing debug information
The slapd.conf Configuration FileSASL Options
– SASL is not needed if only simple binds will be used
– However, often useful to allow a combination of simple binds and SASL mechanisms for user connections, eg.:
● Normal users can do lookups via a simple bind● Administrators must authenticate via SASL
– slapd.conf has three SASL-related global options:● sasl-host hostname● sasl-realm string● sasl-secprops properties
– sasl-host and sasl-realm are respectively the FQDN and SASL domain used for authentication
Use sasldblistusers to dump the /etc/sasldb database
– sasl-secprops allows you to define conditions that affect SASL security properties (see next slide)
The slapd.conf Configuration FileSASL Options (cont.)
– sasl-secprops parameter values and descriptions:
Flag DescriptionNonenoplain
noactive Disables mechanisms vulnerable to active attacksnodict
noanonymous Disables mechanisms that support anonymous loginsforwardsec Requires forward secrecy between sessionspasscred Requires mechanisms that pass client credentialsminssf=factor
maxssf=factor
maxbufsize=size
Clears the default security properties (noplain,noanonymous)Disables mechanisms vulnerable to passive attacks, such as viewing network packets to examine passwords
Disables mechanisms that are vulnerable to dictionary-based password attacks
Defines the minimum security strength enforced. Possible values include: 0 (no protection), 1 (integrity protection only), 56 (allow DES encryption), 112 (allow 3DES or other string encryption methods), and 128 (allow RC4, Blowfish, or other encryption algorithms of this class)Defines the maximum security strength setting. The possible values are identical to those of minssfDefines the maximum size of the security layer receive buffer. A value of 0 disables the security layer. The default value is the maximum of INT_MAX (ie. 65536)
The slapd.conf Configuration FileSASL Options (cont.)
– Various cyrus-sasl plugins:
maxssfANONYMOUS NOPLAIN 0CRAM-MD5 NOPLAIN 0DIGEST-MD5
GSSAPI 56
KERBEROS_V4 56
LOGIN NOANONYMOUS 0PLAIN NOANONYMOUS 0SCRAM-MD5 NONE 0SRP NOPLAIN 0
SASL Mechanisms
Security Property Flags
NOPLAIN NOANONYMOUS
128 if compiled with RC4; 112 if compiled with DES; 0 if compiled with neither RC4 not DES
NOPLAIN NOACTIVE NOANONYMOUSNOPLAIN NOACTIVE NOANONYMOUS
The slapd.conf Configuration FileSASL Options (cont.)
– If you had this in slapd.conf:
– the following machanisms for authentication would be allowed:
● DIGEST-MD5● GSSAPI● KERBEROS_4
## No PLAIN or ANONYMOUS mechanisms; use DES encryptionsasl-secprops noplain,noanonymous,minssf=56## No PLAIN or ANONYMOUS mechanisms; use DES encryptionsasl-secprops noplain,noanonymous,minssf=56
The slapd.conf Configuration FileSSL/TLS Options
– Parameters:
TLSCipherSuite cipher-suite-specification
TLSCertificateFile filename
TLSCertificateKeyFile filename
The slapd.conf Configuration FileServing Up Data
– After global section: one or more database sections, eachdefining directory partition
– database directive, possible values:
bdb: BerkeleyDB 4 database manager, makes extensive use of indexing and caching; recommended OpenLDAP backend
ldbm: GNU Database Manager or Sleepycat BerkeleyDB; older implementation
passwd: Quick and dirty means of providing directory interface to the system passwd file
shell: Allows the use of alternative (external) databases
The slapd.conf Configuration FileServing Up Data (cont.)
– Example:
# Begin a new database sectiondatabase bdb
# Define the root suffix you servesuffix “dc=plainjoe,dc=org”
# Define root DN for superuser privilegesrootdn “cn=Manager,dc=plainjoe,dc=org”
# Define root DN's password: salted secure hash of 'secret'rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
# Directory containing the database filesdirectory /var/ldap/plainjoe.org
# Files should be created rw for the owner *only*mode 0600
# Begin a new database sectiondatabase bdb
# Define the root suffix you servesuffix “dc=plainjoe,dc=org”
# Define root DN for superuser privilegesrootdn “cn=Manager,dc=plainjoe,dc=org”
# Define root DN's password: salted secure hash of 'secret'rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
# Directory containing the database filesdirectory /var/ldap/plainjoe.org
# Files should be created rw for the owner *only*mode 0600
Table of Contents● Obtaining the OpenLDAP Distribution
● Software Requirements
● Compiling OpenLDAP 2
● OpenLDAP Clients and Servers
● The slapd.conf Configuration File
● Access Control Lists (ACLs)
Access Control Lists● OpenLDAP ACLs are simple in syntax, yet very flexible
and powerful
● Basic idea:
WHO has ACCESS to WHAT ?
Access Control Lists (cont.)WHO has ACCESS to WHAT ?
WHO can be:
*
Any connected user, including anonymous connections
self
DN of currently connected user
anonymous
Nonauthenticated user connections
users
Authenticated user connections
Regular expression
Matches a DN or a SASL identity
Note: login name can be DN (dn=“cn=gerald carter,ou=people,dc=plainjoe,dc=org”) or SASL identity (dn=“uid=jerry,cn=gssapi,cn=auth”)
Access Control Lists (cont.)WHO has ACCESS to WHAT ? (cont.)
ACCESS can be:
write
Access to update attribute values
read
Access to read search results (eg. show all entries with a telephoneNumber of 555*)
search
Access to apply search filters (eg. are there any entries with a telephoneNumber of 555*)
compare
Access to compare attributes
auth
Access to bind (authenticate). Requires that the client send a username (DN) and some type of credentials
none
No access
Access Control Lists (cont.)WHO has ACCESS to WHAT ? (cont.)
WHAT can be:
Regular expression defining the DN of the proposed target of the ACL
Syntax is dn.targetstyle=regex
where:– targetstyle is one of base, subtree, one, or children– regex is a regular expresion representing a DN
targetstyle is used to broaden or narrow the scope (default subtree)
An LDAP search filter that confirms to RFC 2254
Syntax is filter=ldapFilter
A comma-separated list of attribute names
Syntax is attrs=attributeList
Access Control Lists (cont.)Examples
● Simple ACL granting read access to the world:
● Restrict access to the userPassword attribute
● User should be allowed to modify her own password:
access to *by * read
access to *by * read
access to attrs=userPasswordby * auth
access to attrs=userPasswordby * auth
access to attrs=userPasswordby self writeby * auth
access to attrs=userPasswordby self writeby * auth
Access Control Lists (cont.)Examples (cont.)
● ACLs are evaluated on a first-match-wins basis: more restrictive ACLs should be listed prior to more general ones
● eg.
● better:
access to attrs=userPasswordby * auth
access to attrs=userPasswordby self writeby * auth
access to attrs=userPasswordby * auth
access to attrs=userPasswordby self writeby * auth
access to attrs=userPasswordby self writeby * auth
access to attrs=userPasswordby * auth
access to attrs=userPasswordby self writeby * auth
access to attrs=userPasswordby * auth
Access Control Lists (cont.)Examples (cont.)
● Assume:
– Administrative accounts are located beneath the DN ou=admins,ou=eng,dc=plainjoe,dc=org
– Normal user accounts are located beneath ou=users,ou=eng,dc=plainjoe,dc=org
– Normal users should not be allowed to see other users' passwords
– A user should be able to modify his password
– Admin users should be able to modify any user's password
● Gives:
access to dn=”.*,ou=eng,dc=plainjoe,dc=org”attrs=userPasswordby self writeby * authby dn=”.*,ou=admins,ou=eng,dc=plainjoe,dc=org” write
access to dn=”.*,ou=eng,dc=plainjoe,dc=org”attrs=userPasswordby self writeby * authby dn=”.*,ou=admins,ou=eng,dc=plainjoe,dc=org” write
Access Control Lists (cont.)Examples (cont.)
● This example:
● Can also be written as:
access to dn=”.*,ou=eng,dc=plainjoe,dc=org”attrs=userPasswordby self writeby * authby dn=”.*,ou=admins,ou=eng,dc=plainjoe,dc=org” write
access to dn=”.*,ou=eng,dc=plainjoe,dc=org”attrs=userPasswordby self writeby * authby dn=”.*,ou=admins,ou=eng,dc=plainjoe,dc=org” write
access to dn.children==”ou=eng,dc=plainjoe,dc=org”attrs=userPasswordby self writeby * authby dn.children=”ou=admins,ou=eng,dc=plainjoe,dc=org” write
access to dn.children==”ou=eng,dc=plainjoe,dc=org”attrs=userPasswordby self writeby * authby dn.children=”ou=admins,ou=eng,dc=plainjoe,dc=org” write