
OpenLDAP Directory Administration

OpenLDAP

Table of Contents

Obtaining the OpenLDAP Distribution
Software Requirements
Compiling OpenLDAP 2
OpenLDAP Clients and Servers
The slapd.conf Configuration File
Access Control Lists (ACLs)


Obtaining the OpenLDAP Distribution

OpenLDAP?

Popular, open source LDAPv3-compliant server. Attractive for several reasons:

- Source code is available for download
- Compliant with the core LDAPv3 specifications
- Available on multiple platforms, including Linux, Solaris, Mac OS 10.2, and Windows
- Continuation of the original University of Michigan LDAP server

Compiling OpenLDAP = lots of dependencies
- Try to obtain binary packages (eg. http://www.symas.com/ for Solaris & HP/UX)
- Source code: http://www.openldap.org/


Software Requirements

The OpenLDAP server will require several external software packages:

- Support for POSIX threads (either by the OS or an external library)
  It is possible to compile OpenLDAP without thread support, but slurpd requires it
- SSL/TLS libraries, such as OpenSSL
  http://www.openssl.org/
- A database manager library that supports DBM-type storage facilities
  Current library of choice is BerkeleyDB 4.1
  http://www.sleepycat.com/
  ldbm (GNU dbm) can also be used
  http://www.fsf.org/
- Release 2.1 of the SASL libraries from Carnegie Mellon University
  http://asg.web.cmu.edu/sasl/sasl-library.html


Compiling OpenLDAP

Compiling:

  (untar)
  ./configure --enable-wrappers    # enables support for TCP wrappers
  make depend
  make
  make test
  make install

Things to check when encountering problems:

- (if your system supports it) Use the ldd tool to verify that binaries (eg. slapd) have been linked against the correct libraries
- Change /etc/ld.so.conf and run ldconfig -v, or set LD_LIBRARY_PATH
- Verify that DNS is configured correctly (reverse DNS!)
- Verify network connectivity


OpenLDAP Clients and Servers

Name                                Description
libexec/slapd                       The LDAP server
libexec/slurpd                      The LDAP replication helper
bin/ldapadd, bin/ldapmodify,        Command-line tools for adding, modifying, and deleting entries on an
bin/ldapdelete, bin/ldapmodrdn      LDAP server (the commands support both LDAPv2 and LDAPv3)
bin/ldapsearch, bin/ldapcompare     Command-line utilities for searching an LDAP directory or testing a compare
bin/ldappasswd                      A tool for changing the password attribute in LDAP entries; the equivalent of /bin/passwd
sbin/slapadd, sbin/slapcat,         Tools for manipulating the local backend data store used by the slapd daemon
sbin/slapindex
sbin/slappasswd                     A simple utility to generate password hashes suitable for use in slapd.conf
lib/libldap*, lib/liblber*,         The OpenLDAP client SDK
include/ldap*.h, include/lber*.h


The slapd.conf Configuration File

- Central source of configuration information
- Used by slapd, slurpd, and related tools, such as slapcat and slapadd
- Client tools like ldapmodify and ldapsearch use ldap.conf (not slapd.conf) for their default settings

Can be broken into two sections:

- Parameters that affect the overall behavior of the servers (the global section)
- Parameters that relate to a specific database backend used by the slapd daemon

The slapd.conf Configuration File

Schema Files

  include /etc/ldap/schema/...

corba.schema          Schema for storing CORBA objects in LDAP (RFC 2714)
core.schema           OpenLDAP required core schema: basic LDAPv3 attributes and object classes described in RFCs 2251-2256
cosine.schema         For supporting COSINE and X.500 directory pilots (RFC 1274)
inetorgperson.schema  Defines the inetOrgPerson object class and attributes (RFC 2798)
java.schema           For storing Java objects (RFC 2713)
misc.schema           Miscellaneous objects (eg LDAP-based mail routing with sendmail)
nis.schema            Attributes and object classes necessary for using LDAP+NIS (RFC 2307)
openldap.schema       Miscellaneous objects used by the OpenLDAP project

The slapd.conf Configuration File

Logging

  loglevel 296
  pidfile  /var/run/slapd.pid
  argsfile /var/run/slapd.args

loglevel is a set of bit flags that should be OR'ed together (296 = 256 + 32 + 8: connection/operation statistics, search filter processing, and connection management)

Level   Information recorded
-1      All logging information
0       No logging information
1       Trace function calls
2       Packet-handling debugging information
4       Heavy trace debugging
8       Connection management
16      Packets sent and received
32      Search filter processing
64      Configuration file processing
128     Access Control List processing
256     Statistics for connections, operations, and results
512     Statistics for results returned to clients
1024    Communication with shell backends
2048    Print entry parsing debug information

The slapd.conf Configuration File


SASL Options

- SASL is not needed if only simple binds will be used
- However, it is often useful to allow a combination of simple binds and SASL mechanisms for user connections, eg.:
  Normal users can do lookups via a simple bind
  Administrators must authenticate via SASL

slapd.conf has three SASL-related global options:

  sasl-host hostname
  sasl-realm string
  sasl-secprops properties

- sasl-host and sasl-realm are respectively the FQDN and the SASL realm used for authentication
  Use sasldblistusers to dump the /etc/sasldb database
- sasl-secprops allows you to define conditions that affect SASL security properties (see next slide)

The slapd.conf Configuration File


SASL Options (cont.)

sasl-secprops parameter values and descriptions:

Flag             Description
none             Clears the default security properties (noplain, noanonymous)
noplain          Disables mechanisms vulnerable to passive attacks, such as viewing network packets to examine passwords
noactive         Disables mechanisms vulnerable to active attacks
nodict           Disables mechanisms that are vulnerable to dictionary-based password attacks
noanonymous      Disables mechanisms that support anonymous logins
forwardsec       Requires forward secrecy between sessions
passcred         Requires mechanisms that pass client credentials
minssf=factor    Defines the minimum security strength enforced. Possible values include: 0 (no protection), 1 (integrity protection only), 56 (allow DES encryption), 112 (allow 3DES or other strong encryption methods), and 128 (allow RC4, Blowfish, or other encryption algorithms of this class)
maxssf=factor    Defines the maximum security strength setting. The possible values are identical to those of minssf
maxbufsize=size  Defines the maximum size of the security layer receive buffer. A value of 0 disables the security layer. The default is 65536

The slapd.conf Configuration File


SASL Options (cont.)

Various cyrus-sasl plugins:

SASL Mechanism   Security Property Flags          maxssf
ANONYMOUS        NOPLAIN                          0
CRAM-MD5         NOPLAIN                          0
DIGEST-MD5       NOPLAIN, NOANONYMOUS             128 if compiled with RC4; 112 if compiled with DES; 0 if compiled with neither RC4 nor DES
GSSAPI           NOPLAIN, NOACTIVE, NOANONYMOUS   56
KERBEROS_V4      NOPLAIN, NOACTIVE, NOANONYMOUS   56
LOGIN            NOANONYMOUS                      0
PLAIN            NOANONYMOUS                      0
SCRAM-MD5        NONE                             0
SRP              NOPLAIN                          0

The slapd.conf Configuration File


SASL Options (cont.)

If you had this in slapd.conf:

  ## No PLAIN or ANONYMOUS mechanisms; use DES encryption
  sasl-secprops noplain,noanonymous,minssf=56

the following mechanisms for authentication would be allowed (those carrying both the NOPLAIN and NOANONYMOUS flags with a maxssf of at least 56):

  DIGEST-MD5
  GSSAPI
  KERBEROS_V4
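The filtering that sasl-secprops performs over the mechanism table can be worked through in code. The block below is an added example written for these slides, not OpenLDAP or cyrus-sasl code: it transcribes the table from the previous slide (assuming a cyrus-sasl build with RC4, so DIGEST-MD5 gets maxssf 128), parses a sasl-secprops value, and returns the mechanisms that carry every required flag and can reach minssf. The treatment of none as clearing whatever flags have accumulated so far is this model's assumption.

```python
"""Model of how sasl-secprops filters SASL mechanisms (added example, not OpenLDAP code)."""

# Security-property flags and maxssf per mechanism, transcribed from the slide's table.
# DIGEST-MD5's maxssf depends on the cyrus-sasl build; an RC4 build is assumed here.
MECHANISMS = {
    "ANONYMOUS":   ({"NOPLAIN"}, 0),
    "CRAM-MD5":    ({"NOPLAIN"}, 0),
    "DIGEST-MD5":  ({"NOPLAIN", "NOANONYMOUS"}, 128),
    "GSSAPI":      ({"NOPLAIN", "NOACTIVE", "NOANONYMOUS"}, 56),
    "KERBEROS_V4": ({"NOPLAIN", "NOACTIVE", "NOANONYMOUS"}, 56),
    "LOGIN":       ({"NOANONYMOUS"}, 0),
    "PLAIN":       ({"NOANONYMOUS"}, 0),
    "SCRAM-MD5":   (set(), 0),
    "SRP":         ({"NOPLAIN"}, 0),
}

FLAG_PROPS = {"noplain", "noactive", "nodict", "noanonymous", "forwardsec", "passcred"}
DEFAULT_PROPS = {"noplain", "noanonymous"}   # the defaults that 'none' clears


def parse_secprops(spec):
    """Return (required flags, minssf, maxssf, maxbufsize) for a sasl-secprops value.
    Items are applied left to right; 'none' clears the flags accumulated so far (assumption)."""
    props = set(DEFAULT_PROPS)
    minssf, maxssf, maxbufsize = 0, None, 65536
    for item in (s.strip().lower() for s in spec.split(",") if s.strip()):
        if item == "none":
            props.clear()
        elif item in FLAG_PROPS:
            props.add(item)
        elif item.startswith("minssf="):
            minssf = int(item[len("minssf="):])
        elif item.startswith("maxssf="):
            maxssf = int(item[len("maxssf="):])
        elif item.startswith("maxbufsize="):
            maxbufsize = int(item[len("maxbufsize="):])   # 0 would disable the security layer
        else:
            raise ValueError(f"unknown sasl-secprops item: {item}")
    if maxssf is not None and maxssf < minssf:
        raise ValueError("maxssf must not be lower than minssf")
    return {p.upper() for p in props}, minssf, maxssf, maxbufsize


def allowed_mechanisms(spec, table=MECHANISMS):
    """Mechanisms that carry every required flag and whose maxssf can satisfy minssf."""
    required, minssf, _, _ = parse_secprops(spec)
    return sorted(name for name, (flags, maxssf) in table.items()
                  if required <= flags and maxssf >= minssf)


if __name__ == "__main__":
    for spec in ("noplain,noanonymous,minssf=56", "", "none", "noactive", "minssf=112"):
        print(f"{spec or '(defaults)':32} -> {allowed_mechanisms(spec)}")
```

Two things the model makes visible: the slide's value is the defaults plus minssf=56, so the same three mechanisms survive with just sasl-secprops minssf=56; and none on its own lets PLAIN and LOGIN back in, which is why it should only appear together with the flags you actually intend.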

The slapd.conf Configuration File


SSL/TLS Options

Parameters:

  TLSCipherSuite cipher-suite-specification
  TLSCertificateFile filename
  TLSCertificateKeyFile filename

The private key file named by TLSCertificateKeyFile should be readable only by the user slapd runs as.

The slapd.conf Configuration File


Serving Up Data

After the global section: one or more database sections, each defining a directory partition. Possible values of the database directive:

- bdb: BerkeleyDB 4 database manager; makes extensive use of indexing and caching; the recommended OpenLDAP backend
- ldbm: GNU Database Manager or Sleepycat BerkeleyDB; older implementation
- passwd: Quick and dirty means of providing a directory interface to the system passwd file
- shell: Allows the use of alternative (external) databases

The slapd.conf Configuration File


Serving Up Data (cont.)

Example:

  # Begin a new database section
  database bdb
  # Define the root suffix you serve
  suffix dc=plainjoe,dc=org
  # Define root DN for superuser privileges
  rootdn cn=Manager,dc=plainjoe,dc=org
  # Define root DN's password: salted secure hash of 'secret' (generate with slappasswd)
  rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
  # Directory containing the database files
  directory /var/ldap/plainjoe.org
  # Files should be created rw for the owner *only*
  mode 0600
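The rootpw value above is an {SSHA} hash: base64 of a SHA-1 digest over password plus salt, followed by the salt itself. The block below is an added example written for these slides (not slappasswd or OpenLDAP code) that produces and verifies such values. It assumes slappasswd's default 4-byte salt; the slide's rootpw decodes to 24 bytes, i.e. a 20-byte SHA-1 digest plus a 4-byte salt, and is used here only as an input to the verifier.

```python
"""{SSHA} password hashes of the kind slappasswd emits (added example, not OpenLDAP code)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4    # slappasswd's default salt length (assumption)
SHA1_LEN = 20   # a stored value is base64(digest || salt), so everything after 20 bytes is salt

SLIDE_ROOTPW = "{SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy"   # the rootpw value from the slide


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(SHA-1(password || salt) || salt); a fresh salt per call."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str):
    """Split a stored {SSHA} value into (digest, salt), rejecting anything malformed."""
    scheme, _, data = stored.partition("}")
    if scheme.upper() != "{SSHA" or not data:
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(data, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(stored: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h, ssha_verify(h, "secret"), ssha_verify(h, "Secret"))
    print("slide rootpw salt length:", len(ssha_split(SLIDE_ROOTPW)[1]))
    print("slide rootpw verifies 'secret':", ssha_verify(SLIDE_ROOTPW, "secret"))
```

The salt means two hashes of the same password differ, so a leaked slapd.conf cannot be matched against precomputed tables; it does not make SHA-1 slow, so the strength of rootpw still rests on the password itself and on the file's 0600 permissions.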


Access Control Lists

- OpenLDAP ACLs are simple in syntax, yet very flexible and powerful
- Basic idea: WHO has ACCESS to WHAT?

Access Control Lists (cont.)

WHO has ACCESS to WHAT? WHO can be:

*                   Any connected user, including anonymous connections
self                The DN of the currently connected user (the target entry is the user's own)
anonymous           Nonauthenticated user connections
users               Authenticated user connections
Regular expression  Matches a DN or a SASL identity

Note: the login name can be a DN (dn=cn=gerald carter,ou=people,dc=plainjoe,dc=org) or a SASL identity (dn=uid=jerry,cn=gssapi,cn=auth)

Access Control Lists (cont.)


WHO has ACCESS to WHAT? (cont.) ACCESS can be:

write     Access to update attribute values
read      Access to read search results (eg. show all entries with a telephoneNumber of 555*)
search    Access to apply search filters (eg. are there any entries with a telephoneNumber of 555*)
compare   Access to compare attributes
auth      Access to bind (authenticate). Requires that the client send a username (DN) and some type of credentials
none      No access

The levels are cumulative: write > read > search > compare > auth > none, and granting a level grants every level below it (read also allows search, compare and auth).

Access Control Lists (cont.)


WHO has ACCESS to WHAT? (cont.) WHAT can be:

- A DN pattern for the proposed target of the ACL. Syntax is dn.targetstyle=pattern where:
  targetstyle is one of regex, base, one, subtree, or children
  with regex, pattern is a regular expression matched against the DN; with the other styles, pattern is a DN and targetstyle selects how much of the tree at or below it is covered
  targetstyle is used to broaden or narrow the scope; the bare dn=pattern form used in the examples that follow is the legacy syntax and is treated as a regular expression
- An LDAP search filter that conforms to RFC 2254. Syntax is filter=ldapFilter
- A comma-separated list of attribute names. Syntax is attrs=attributeList

Access Control Lists (cont.)


Examples

Simple ACL granting read access to the world (including anonymous connections):

  access to * by * read

Restrict access to the userPassword attribute (it can only be used to bind; nobody can read it):

  access to attrs=userPassword by * auth

A user should be allowed to modify her own password:

  access to attrs=userPassword by self write by * auth

Access Control Lists (cont.)


Examples (cont.)

ACLs are evaluated on a first-match-wins basis: the first access directive whose target matches the entry is used, and within it the first by clause that matches the client decides. More restrictive ACLs should therefore be listed prior to more general ones. eg. with

  access to attrs=userPassword by * auth
  access to attrs=userPassword by self write by * auth

the second directive is never reached, so users can bind with their password but not change it. Better:

  access to attrs=userPassword by self write by * auth
  access to attrs=userPassword by * auth

(here the second directive is redundant, since the first already covers every client with its by * auth clause)

Access Control Lists (cont.)


Examples (cont.)

Assume:

- Administrative accounts are located beneath the DN ou=admins,ou=eng,dc=plainjoe,dc=org
- Normal user accounts are located beneath ou=users,ou=eng,dc=plainjoe,dc=org
- Normal users should not be allowed to see other users' passwords
- A user should be able to modify his own password
- Admin users should be able to modify any user's password

Gives (by clauses are also first-match-wins, so the admin clause must precede the catch-all by * auth; listed after it, admins would match * and get auth only):

  access to dn=".*,ou=eng,dc=plainjoe,dc=org" attrs=userPassword
      by self write
      by dn=".*,ou=admins,ou=eng,dc=plainjoe,dc=org" write
      by * auth

Access Control Lists (cont.)


Examples (cont.)

This example:

  access to dn=".*,ou=eng,dc=plainjoe,dc=org" attrs=userPassword
      by self write
      by dn=".*,ou=admins,ou=eng,dc=plainjoe,dc=org" write
      by * auth

Can also be written with explicit DN styles (note a single = after dn.children, and a plain DN rather than a regular expression after it):

  access to dn.children="ou=eng,dc=plainjoe,dc=org" attrs=userPassword
      by self write
      by dn.children="ou=admins,ou=eng,dc=plainjoe,dc=org" write
      by * auth
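The first-match-wins rule from the earlier slide and the password policy above can be checked without a running slapd. The block below is an added example written for these slides, not OpenLDAP's ACL engine: a small simulator that parses access directives in the syntax shown (bare dn= as a legacy regex, dn.regex=, dn.subtree=, dn.children=, attrs=, and the who forms *, anonymous, users, self and dn patterns), folds slapd.conf continuation lines, and evaluates a request the way the slides describe: first matching directive, then its first matching by clause, with each level implying the lower ones. The user and admin DNs are constructed for the example; the three policies are the mis-ordered pair from the slides, the admin clause placed after the catch-all, and the corrected policy.

```python
"""Simulator of slapd.conf access-directive evaluation (added example, not OpenLDAP code)."""
import re
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # each implies the lower ones


def parse_acl(text):
    """Parse 'access to <what> by <who> <level> [by ...]' directives into (what, by) rules."""
    rules = []
    for line in re.sub(r"\n[ \t]+", " ", text).splitlines():   # fold continuation lines
        toks = shlex.split(line, comments=True)
        if not toks:
            continue
        if toks[:2] != ["access", "to"]:
            raise ValueError(f"not an access directive: {line!r}")
        what, i = {"dn": None, "attrs": None}, 2
        while i < len(toks) and toks[i] != "by":
            if toks[i].startswith("attrs="):
                what["attrs"] = {a.lower() for a in toks[i][6:].split(",")}
            elif toks[i].startswith("dn"):                    # 'dn=' (legacy regex) or 'dn.<style>='
                key, _, pattern = toks[i].partition("=")
                what["dn"] = (key[3:] or "regex", pattern)
            elif toks[i] != "*":
                raise ValueError(f"unsupported <what> clause: {toks[i]}")
            i += 1
        by = []
        while i < len(toks):
            if toks[i] != "by" or i + 2 >= len(toks) or toks[i + 2] not in LEVELS:
                raise ValueError(f"malformed by clause in: {line!r}")
            by.append((toks[i + 1], toks[i + 2]))
            i += 3
        rules.append((what, by))
    return rules


def dn_matches(spec, dn):
    """Match a DN against (style, pattern); regex is unanchored like slapd's, so anchor real ACLs."""
    style, pattern = spec
    if style == "regex":
        return re.search(pattern, dn, re.IGNORECASE) is not None
    dn, pattern = dn.lower(), pattern.lower()
    if style == "subtree" and dn == pattern:
        return True
    if style in ("children", "subtree"):
        return dn.endswith("," + pattern)
    raise ValueError(f"dn style not modelled here: {style}")


def who_matches(who, bind_dn, target_dn):
    """Match a <who> clause; bind_dn is None for anonymous connections."""
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (bind_dn is None) == (who == "anonymous")
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn"):
        key, _, pattern = who.partition("=")
        return bind_dn is not None and dn_matches((key[3:] or "regex", pattern), bind_dn)
    raise ValueError(f"unsupported <who> clause: {who}")


def check(rules, bind_dn, target_dn, attr, needed):
    """First matching directive, then its first matching by clause, decides; otherwise deny."""
    for what, by in rules:
        if what["dn"] is not None and not dn_matches(what["dn"], target_dn):
            continue
        if what["attrs"] is not None and (attr is None or attr.lower() not in what["attrs"]):
            continue
        for who, level in by:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False  # directive matched, no by clause did: implicit 'by * none'
    return False      # no directive matched the target


# Constructed sample identities under the slides' tree.
JERRY = "uid=jerry,ou=users,ou=eng,dc=plainjoe,dc=org"
BOB = "uid=bob,ou=users,ou=eng,dc=plainjoe,dc=org"
ADMIN = "uid=gcarter,ou=admins,ou=eng,dc=plainjoe,dc=org"
WRONG_ORDER = """
access to attrs=userPassword by * auth
access to attrs=userPassword by self write by * auth
"""
ADMIN_AFTER_CATCHALL = """
access to dn=".*,ou=eng,dc=plainjoe,dc=org" attrs=userPassword
    by self write
    by * auth
    by dn=".*,ou=admins,ou=eng,dc=plainjoe,dc=org" write
"""
POLICY = """
access to dn=".*,ou=eng,dc=plainjoe,dc=org" attrs=userPassword
    by self write
    by dn=".*,ou=admins,ou=eng,dc=plainjoe,dc=org" write
    by * auth
access to * by users read
"""

if __name__ == "__main__":
    for text in (WRONG_ORDER, ADMIN_AFTER_CATCHALL, POLICY):   # self, admin, other user writing jerry's password
        print([check(parse_acl(text), who, JERRY, "userPassword", "write") for who in (JERRY, ADMIN, BOB)])
```

Running it prints [False, False, False] for the mis-ordered pair (the self write directive is never reached), [True, False, False] with the admin clause after the catch-all (admins match * and stop at auth), and [True, True, False] for the corrected policy. The same evaluator shows why the entry-level access to * by users read is needed in addition to the userPassword rule: a directive restricted with attrs= never applies to the entry itself, so without it anonymous and authenticated clients alike would be denied plain reads.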
