Last Edit: 01.04.2016 09:48

OpenLDAP :: Notes



Lightweight Directory Access Protocol


http://www.openldap.org/


Installation


client, library & server


# yum -y install openldap openldap-clients openldap-servers

Info


# /usr/sbin/slapd -VVV

@(#) $OpenLDAP: slapd 2.4.40 (Nov 10 2015 09:41:16) $
	mockbuild@c6b8.bsys.dev.centos.org:/builddir/build/BUILD/
        openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd

Included static backends:
    config
    ldif
    monitor
    bdb
    hdb
    ldap
    mdb
    meta
    null
    passwd
    relay
    shell
    sock

Status


[~] #  /etc/init.d/slapd status
slapd is stopped

[~] #  /etc/init.d/slapd restart
Stopping slapd:                                            [FAILED]
Starting slapd:                                            [  OK  ]

[~] #  chkconfig slapd on 

[~] #  netstat -ntulp | grep slapd
tcp        0      0 0.0.0.0:389  0.0.0.0:*  LISTEN      2690/slapd
tcp        0      0 :::389       :::*       LISTEN      2690/slapd

[~] #  iptables -nvL | grep 389
[~] #  

[~] #  ps -e fuwww | grep l[d]ap
ldap  11986  0.0  0.2 560100  5660 ?  Ssl  18:03  0:00  /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap

Display Entire Config


# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Identify olcDatabase


# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn
dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}monitor,cn=config

dn: olcDatabase={2}hdb,cn=config


Note whether the data backend is {2}hdb or {2}bdb: the dn you target in the later configuration must match exactly.


hdb stands for hierarchical database (a variant of the bdb backend, both built on Berkeley DB).


Initial Conf


The bdb/hdb backends store the directory in Berkeley DB (key/value) files,
so copy the default DB_CONFIG that OpenLDAP ships for these backends into the database directory:


# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG


Default openldap conf dir 


# cd /etc/openldap/slapd.d/


Default ldapsearch


# ldapsearch -LLL -x -h localhost -p 389 -b '' -s base '(&)' namingContexts

dn:
namingContexts: dc=my-domain,dc=com


or via URI


# ldapsearch -Q -Y EXTERNAL -H ldapi:///  -s base '(&)' namingContexts


# ldapsearch -LLL -x -h localhost -s base
dn:
objectClass: top
objectClass: OpenLDAProotDSE


[~] #  ldapsearch 
SASL/DIGEST-MD5 authentication started
Please enter your password: 
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in database

[~] # ldapsearch -x

# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Password


Create a new, strong password; slappasswd prints the salted SHA-1 ({SSHA}) hash that goes into olcRootPW:


# slappasswd 

New password: 
Re-enter new password: 
{SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd

Domain Component

The Wrong Way 

(editing the LDIF files under /etc/openldap/slapd.d by hand: slapd owns these files and checks a CRC32 checksum on them when it loads, and the running server does not see the edit until it is restarted)


bdb.ldif


# vim "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"


diff


-olcSuffix: dc=my-domain,dc=com
+olcSuffix: dc=example,dc=org

-olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=example,dc=org
+olcRootPW: {SSHA}44qvcGE22p2qwgbTH49PNRZjjRs6PIZ4


monitor.ldif


# vim "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"


diff


- nal,cn=auth" read  by dn.base="cn=manager,dc=my-domain,dc=com" read  by * n
+ nal,cn=auth" read  by dn.base="cn=manager,dc=example,dc=org" read  by * n

The Correct Way 


# cat openldap_initial.ldif


dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 
  read by dn.base="cn=admin,dc=example,dc=org" read by * none


dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=org
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd


and then apply it with ldapmodify over the ldapi socket:


# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /root/openldap_initial.ldif


test it:


# ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -s base '(&)' namingContexts
dn:
namingContexts: dc=example,dc=org
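The same initial configuration generated programmatically, as an added example that is not part of the original notes: it picks the data backend dn out of the "Identify olcDatabase" output so that {2}hdb and {2}bdb are not mixed up, folds the long olcAccess line as RFC 2849 requires, and refuses a cleartext olcRootPW. The sample ldapsearch output is constructed; the names and values mirror the notes above.

```python
import re

# Constructed sample: the "Identify olcDatabase" ldapsearch output on a host
# whose data backend is hdb (on a bdb host the last dn reads {2}bdb).
SAMPLE_DN_OUTPUT = """dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}monitor,cn=config

dn: olcDatabase={2}hdb,cn=config
"""

def find_backend_dn(dn_output, backends=("hdb", "bdb", "mdb")):
    """Return the dn of the first olcDatabase that is a real data backend."""
    for line in dn_output.splitlines():
        m = re.match(r"dn: (olcDatabase=\{\d+\}(\w+),cn=config)$", line)
        if m and m.group(2) in backends:
            return m.group(1)
    raise ValueError("no hdb/bdb/mdb database found under cn=config")

def fold(line, width=76):
    """RFC 2849 line folding: every continuation line starts with one space."""
    out, rest = [], line
    while len(rest) > width:
        out.append(rest[:width])
        rest = " " + rest[width:]
    out.append(rest)
    return "\n".join(out)

def initial_ldif(backend_dn, suffix, rootdn, rootpw_hash):
    """Build the two modify records of openldap_initial.ldif shown above."""
    if not rootpw_hash.startswith("{"):
        raise ValueError("olcRootPW must be a slappasswd hash, not cleartext")
    access = ('{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,'
              'cn=external,cn=auth" read by dn.base="%s" read by * none' % rootdn)
    monitor = "\n".join([
        "dn: olcDatabase={1}monitor,cn=config",
        "changetype: modify",
        "replace: olcAccess",
        fold("olcAccess: " + access),
    ])
    backend = "\n".join([
        "dn: " + backend_dn,
        "changetype: modify",
        "replace: olcSuffix", "olcSuffix: " + suffix, "-",
        "replace: olcRootDN", "olcRootDN: " + rootdn, "-",
        "add: olcRootPW", "olcRootPW: " + rootpw_hash,
    ])
    return monitor + "\n\n" + backend + "\n"
```

Write the returned text to a file and feed it to the ldapmodify command above; the backend dn comes from the live ldapsearch output, not from the sample.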


Directory Information Tree

organizationalUnit


# example.gr
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.gr

Domain / Groups / People


# Domains
dn: ou=Domains,dc=example,dc=org
objectClass: organizationalUnit
ou: Domains

# Users
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People

# Groups
dn: ou=Groups,dc=example,dc=org
objectClass: organizationalUnit
ou: Groups

Create a new Domain


# New Domain
dn: dc=example.gr,ou=Domains,dc=example,dc=org
dc: example.gr
objectclass: dNSDomain
objectclass: top

Create a new User


dn: uid=test,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
mail: username@example.gr
cn: username example
sn: example
givenName: username
uid: test
uidNumber: 99
gidNumber: 12
homeDirectory: /Maildir/test
userPassword: test


Add the ldif


# ldapmodify -x -W -D cn=Manager,dc=example,dc=org -a -f example.ldif 
Enter LDAP Password: 
adding new entry "dc=example,dc=org"

adding new entry "ou=Users,dc=example,dc=org"

adding new entry "uid=test,ou=Users,dc=example,dc=org"


## # ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /root/openldap_initial.ldif


ldapvi – LDAP client


# /usr/bin/ldapvi --discover --host localhost


CheckPoint


To clean up the Berkeley DB transaction log files, first force a checkpoint and then remove the log files that are no longer needed.


Note that db_checkpoint must be run first; otherwise db_archive has nothing it can safely remove.


As root execute the following command to set a checkpoint within Berkeley DB, which will flush all of the active transactions into the DB:


# cd /var/lib/ldap/ 

# db_checkpoint -1


or

# db_checkpoint -1 /var/lib/ldap/


Then, to verify, run db_archive in list mode to see which log files are no longer needed:


# db_archive -a -h /var/lib/ldap/


Now, you can actually remove the log files that are no longer in use:


# db_archive -d -h /var/lib/ldap/


For good measure, restart slapd and you should be all set.


# /etc/init.d/slapd restart