UbuntuHelp:OpenLDAPServer
来自Ubuntu中文
Oneleaf(讨论 | 贡献)2007年5月13日 (日) 11:23的版本 (New page: {{From|https://help.ubuntu.com/community/OpenLDAPServer}} {{Languages|php5}} == Introduction == LDAP means Lightweight Directory Access Protocol, it is a simplified version of X500 protoc...)
Introduction
LDAP means Lightweight Directory Access Protocol, it is a simplified version of X500 protocol. You will find a more detailed presentation on Wikipedia.
To describe quickly, all informations are stored in a tree. You have to determine by yourself the directory arborescence (the Directory Information Tree: the DIT). We will begin with a basic tree with two nodes above the root :
- "People" node where your users will be stored
- "Groups" node where your groups will be stored
You have to first determine what the root of your LDAP will be. By default, your tree will be determined by your internet domain. If your domain is example.com (we will use it in the above example), your root will be dc=example,dc=com.
Installation
First of all, install the ldap server daemon (slapd) on the server ; install the following packages: slapd and ldap-utils (see InstallingSoftware).
Enter your domain as asked and the password that you want for the directory administrator.
Only few changes will be operated on the default configuration. First set the root password in the configuration file (instead of in the directory) by editing the file /etc/ldap/slapd.conf.
Don't use a cleartext password however. To generate an encrypted password first use slappasswd:
$ slappasswd
New password:
Re-enter password:
{SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m
</code>
This example shows what happens when using the string "secret" as the password. (By nature of the SSHA encryption scheme, your result will vary.)
Now edit <code>/etc/ldap/slapd.conf</code> and copy paste the generated string.
<pre>
# Make sure you edit or add these directives after the first 'database' directive.
suffix "dc=example,dc=com"
directory "/var/lib/ldap"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m
</code>
== Populating LDAP ==
The directory has been created at the installation, now it is time to populate. It will be populated with a "classical" entry that will be compatible with directory (for example for a shared directory), with classical accounts (for a web application) and with Unix accounts (posix).
LDAP directory can be fed with a ldif file (ldif means ldap directory interchange format). Generate this example text file <code>init.ldif</code> somewhere on your system:
<pre>
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
dn: uid=lionel,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lionel
sn: Porcheron
givenName: Lionel
cn: Lionel Porcheron
displayName: Lionel Porcheron
uidNumber: 1000
gidNumber: 10000
userPassword: <password>
gecos: Lionel Porcheron
loginShell: /bin/bash
homeDirectory: /home/lionel
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: LP
dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000
</code>
In the example above, the directory structure, a user and group have been setup. In other example you might see the objectClass: top added in every entry, but that is default behavior so you don't have to add it explicitly.
To generate a password you can use <code>slappasswd</code> using the MD5 or CRYPT hashing scheme (see Installation above and <code>man slappasswd</code>).
Now, add your entries to the LDAP:
** stop LDAP daemon: <code>sudo /etc/init.d/slapd stop</code>
** delete the content that was automatically added at installation: <code>sudo rm -rf /var/lib/ldap/*</code>
** add the content <code>sudo slapadd -l init.ldif </code>
** start LDAP daemon: <code>sudo /etc/init.d/slapd start</code>
An alternative method to add the entries when you just installed the packages:
** reconfigure your LDAP installation when needed: <code>sudo dpkg-reconfigure slapd</code>
** start LDAP daemon when not running: <code>sudo /etc/init.d/slapd start</code>
** load the initial data: <code>sudo ldapadd -x -W -c -D "cn=admin,dc=kemuri,dc=net" -f init.ldif</code>
We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search in the LDAP directory :
<pre>
$ ldapsearch -xLLL -b "dc=example,dc=com" uid=lionel sn givenName cn
dn: uid=lionel,ou=people,dc=example,dc=com
cn: Lionel Porcheron
sn: Porcheron
givenName: Lionel
</code>
Just a quick explanation :
** <code>-x</code> is because we do not use SASL authentication method (by default)
** <code>-LLL</code> disable printing LDIF informations
== Put your LDAP server to use ==
Now that it is up and running you can:
* authenticate your users on the directory as explained in [[UbuntuHelp:LDAPClientAuthentication]]
* authenticate your users in a web application.
* use it as a shared address directory for your mail agent.
Use of LDAP are infinite !
== ACL setup ==
Authentication requires access to password field, that should be not accessible by default. Another issue is that during password change using passwd shadowLastChange needs to be accessible as well. Following code shows example ACL setting that permits access to shadowLastChange:
<pre>
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
by * none
</code>
Usually the installation of the OpenLDAP packages will create correct ACL settings in the slapd.conf configuration file.
== LDAP replication ==
LDAP service often quickly becomes a highly critical service in an information system: all is depending of LDAP: authentication, authorization, mail system, etc. It can be a good idea to setup a redundant system. It is easy to setup, here is a quick HOWTO.
=== Introduction ===
With OpenLDAP 2.2 (on Breezy and Dapper), replication is based on a master-slave relation.
Before implementing LDAP replication consider the following steps:
1. Stop the master server's slapd daemon.
2. Reconfigure the master server's slapd.conf to enable replication to the new slave server.
3. Export the database of the master server.
4. Configure the replica server's slapd.conf.
5. Import the database of the master server to the slaver server.
6. Re/Start the replica server's slapd process
7. Re/Start the master server's slapd process.
attachment:IconsPage/IconWarning3.png You will have to remember that modifications should ALWAYS be done on the master ! If you modifies the slave, modifications will get lost.
=== LDAP master ===
On the master, you have to modify the database section of the <code>/etc/ldap/slapd.conf</code> to add a <code>replica</code> instruction. The following example shows a replica on <code>ldap-2.example.com</code> with the Manager user with <code>secret</code> as password. The replication logfile is the place modifications are stored before they are send to the LDAP slave.
<pre>
replica uri=ldap://ldap-2.example.com:389 binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=secret
replogfile /var/lib/ldap/replog
</code>
Export the database of the master using slapcat. Then copy master.ldif to the slave using scp or other tools.
<pre>
user@master:~$ sudo slapcat -l master.ldif
</code>
=== LDAP slave ===
On the slave, you have to authorize your master to update LDAP database. Add the following lines to your <code>/etc/ldap/slapd.conf</code> file in the database section:
<pre>
updatedn cn=Manager,dc=example,dc=com
updateref ldap://ldap-1.example.com
</code>
Import the master.ldif using slapadd.
<pre>
user@slave:~$ sudo slapadd -c -l master.ldif
</code>
Restart the master server.
<pre>
user@master:~$ sudo /etc/init.d/slapd start
</code>
Restart the slave server.
<pre>
user@slave:~$ sudo /etc/init.d/slapd start
</code>
== Links ==
* [http://www.openldap.org OpenLDAP website] give you lot of informations
* [http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO/ LDAP HOWTO]
* [http://luma.sourceforge.net/] Simple GUI to LDAP administration, available in repositories.
----
CategoryDocumentation
[[category:UbuntuHelp]]
