Internet Express Version 6.7 for Tru64 UNIX: Internet Express for Tru64 UNIX Administration Guide
Chapter 11 LDAP Directory Server Administration
The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the information available to users and applications across the network.

An LDAP server can be used as a central repository of user information. When used in this way, an LDAP server is similar to Network Information Services (NIS), also known as the yellow pages. When compared to NIS, an LDAP server offers the following advantages:

Scalability
An LDAP directory can contain millions of entries without negatively affecting performance.

Centralized management
An LDAP directory database can be used to centralize management of user-related information, potentially easing the cost of administration and management of data. Directory-aware clients and tools can be used to make the data available where it is needed.

Access control
The ability to modify an attribute can be controlled at the attribute level. Users can be allowed to modify noncritical information (such as their preferred login shell or mail forwarding address) on their own. Modifications to more sensitive information (such as UID, GID, or a user's home directory) can be restricted to authorized directory managers only.

Availability
You can set up multiple LDAP servers to make the data in the directory highly available. Through a process called replication, you can ensure that all LDAP servers have identical copies of the directory. When you enable replication, a special account for this purpose is created. The LDAP servers bind to one another using this account and, through standard LDAP commands, propagate changes to the directory. For more information on LDAP directory replication, see the documentation for your specific Directory Server.
This chapter provides the following information:

See Section: Managing the LDAP Module for System Authentication for information on enabling user authorization using the LDAP Module for System Authentication.

The basic unit of information in an LDAP directory is called an entry. An entry is a collection of attribute and value pairs that describes something of interest, for example, a person, a company, or a printer. The attribute value is constrained by its type (binary, integer, case-insensitive string, and so on). Entries are organized in a tree-like structure, as shown in Figure 11-1. Each entry in the directory tree is identified or named with a distinguished name (DN).

A distinguished name consists of a sequence of relative distinguished names (RDNs). An RDN is one or more attribute/value pairs that uniquely identify an LDAP entry among its siblings in the directory tree. A DN is a hierarchical name similar to a file system pathname, while the RDN is similar to the file (or directory) name. In distinguished names, however, the most significant part of the name (the name associated with the root of the tree) is at the right end of the name; the least significant part is at the left end.

The attributes that are required or allowed in a directory entry are defined in an object class. Each directory entry must contain an objectclass attribute that has at least one object class definition for that entry. The LDAP protocol defines a standard set of object classes to promote interoperability. It is also possible to extend the set of standard object classes by adding new object classes and attributes. The collection of all object classes and their attributes is called the directory schema.

Example 11-1 shows the object class definition for person, as defined in an LDAP directory server standard directory schema.

Example 11-1 LDAP Standard Object Class Definition for Person

    objectclass person
        oid 2.5.6.6
        superior top
        requires
            sn,
            cn
        allows
            description,
            seeAlso,
            telephoneNumber,
            userPassword
In this example, the person object class inherits attributes from the object class called top. The person object class requires the attributes sn (surname) and at least one cn (common name); you can store multiple common names per surname. Other attributes (description, seeAlso, telephoneNumber, and userPassword) are allowed, but not required. An entry for the person object class might look like the following:

    cn: James Kirk
    cn: James T. Kirk
    sn: Kirk
    description: Admiral
    userpassword: Gb0Rda/KJV//a
    telephonenumber: +1 555 555-1212
    objectclass: top
    objectclass: person
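The DN and RDN naming rules described above, worked through as an added Python example (this is not code from the guide or from the LDAP Browser). The sample DNs are constructed; is_below goes slightly beyond the text by distinguishing direct children from all descendants, which is the same scope choice the Browser's search form offers later in this chapter.

```python
"""DN and RDN handling for the naming model described above.

Added example; this is not code from the Internet Express guide or the
LDAP Browser.  The DNs used in the demo are constructed for illustration.
"""
from typing import List, Tuple

Rdn = List[Tuple[str, str]]   # one RDN: one or more attribute/value pairs

def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, but not on a sep that is escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape sequence intact
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(dn: str) -> List[Rdn]:
    """RDNs of dn, leftmost (least significant) first, root-side last.

    A multi-valued RDN such as cn=Kirk+uid=jtk yields two pairs.  Attribute
    names are case-insensitive in LDAP, so they are lower-cased; values are
    kept exactly as written.
    """
    if dn.strip() == "":
        return []
    rdns: List[Rdn] = []
    for rdn_text in _split_unescaped(dn, ","):
        pairs: Rdn = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN: {rdn_text!r}")
            pairs.append((attr.strip().lower(), value.strip()))
        rdns.append(pairs)
    return rdns

def rdn_of(dn: str) -> Rdn:
    """The entry's own name within its parent: the leftmost RDN."""
    return parse_dn(dn)[0]

def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN; what remains is the DN of the parent entry."""
    return ",".join(_split_unescaped(dn, ",")[1:])

def ancestors(dn: str) -> List[str]:
    """Parent DNs from the nearest parent up to the root of the tree."""
    chain = []
    while dn:
        dn = parent_dn(dn)
        if dn:
            chain.append(dn)
    return chain

def is_below(dn: str, base: str, one_level_only: bool = False) -> bool:
    """True if dn lies under base (base itself does not count).

    one_level_only restricts the match to direct children of base, the
    same distinction the Browser's search scope makes.  Comparison uses
    parsed RDNs, so spacing and attribute-name case do not affect it.
    """
    if one_level_only:
        return parse_dn(parent_dn(dn)) == parse_dn(base)
    return any(parse_dn(a) == parse_dn(base) for a in ancestors(dn))

if __name__ == "__main__":
    dn = "cn=James Kirk,ou=People,o=Starfleet"      # constructed sample DN
    print("RDN:      ", rdn_of(dn))
    print("parent:   ", parent_dn(dn))
    print("ancestors:", ancestors(dn))
```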
The Tru64 UNIX LDAP Browser allows any directory that is accessible through an LDAP V3 directory server to be browsed, searched, and modified using a graphical user interface. The LDAP Browser can be run on any platform that has Java Runtime Engine (JRE) Version 1.3 or higher installed.

Installing and Running the LDAP Browser
To install the LDAP Browser on a system, ensure that the Internet Express OpenLDAP subset is installed. Then, follow these steps:

1. From the Internet Express Administration utility Main menu, choose Manage Components.
2. From Directory Services, choose Download LDAP Browser. The Download the LDAP Browser form is displayed.
3. Right-click on the ldapbrowser.jar link to bring up the browser menu, and then save the file to a directory on your system.
4. If the client system is running Tru64 UNIX, repeat the same process for the ldapbrowser startup script link, and set the permissions of the resulting file to be executable.

As an alternative to downloading these two files through a Web browser, you can use a mechanism like FTP to download them directly; they can be found in the /usr/internet/openldap/admin directory on the system where Internet Express is installed.

Managing Frequently Used Connections
From the LDAP Browser Main Browsing window, you access the Connection Management window by choosing Connect from the File menu. The Connection Management window pops up in a separate window. It allows you to manage the configuration information for frequently accessed LDAP servers. The following functions can be performed:

- Establish a connection by selecting it in the list and clicking on the Connect button. See Section: Connecting to an LDAP Server.
- Edit a connection entry by selecting it in the list and clicking on the Edit button. See Section: Creating or Editing Frequently Used Connections.
- Delete a connection entry by selecting it in the list and clicking on the Delete button.
- Rename a connection entry by selecting it in the list, clicking on the Rename button, and entering a new name when prompted.
- Copy a connection entry by selecting it in the list, clicking on the Copy button, and entering a name for the new entry when prompted.
Connecting to an LDAP Server

To connect to an LDAP server, follow these steps:

1. Choose Connect from the File menu on the LDAP Browser Main Browsing window. The Connection Management window opens.
2. Select the LDAP server from the list of connections.
3. Click on the Connect button. The LDAP directory information is then displayed in the LDAP Browser Main Browsing window.
Creating or Editing Frequently Used Connections

The Connection Information form used for adding or editing connection entries prompts for the following connection configuration information:

Connecting to an LDAP Server using SSL

The Connection Information form for adding or modifying connections provides an option to use the Secure Sockets Layer (SSL) when communicating with an LDAP server. SSL allows for verification of an LDAP server's identity as well as for encryption of the data that passes between the browser and server. For an SSL connection to be established successfully, the following conditions must be satisfied:

- The LDAP server must be configured by its administrator to accept SSL connections. The default port for LDAP over SSL is port 636. Many servers are not configured by default to accept SSL connections, so check with the server administrator if there is any doubt.
- The authentication certificate presented to the LDAP Browser by the server must be signed by a trusted certificate authority.
The LDAP Browser will automatically recognize and trust server certificates that are signed by any one of a group of well-known certificate authorities. However, if an LDAP server presents a certificate that is not signed by one of these well-known certificate authorities, the connection attempt will fail. This is typically the case when attempting to connect to LDAP servers that have been configured with self-signed certificates or certificates issued by a certificate authority internal to a company or organization. In cases such as this, the server's certificate must be manually added to a certificate store file that the LDAP Browser will use as a source of trusted certificates.

To add an LDAP server certificate to a trusted certificate store file, perform the following steps:

1. Obtain the LDAP server's digital certificate from the server's administrator. Some administrators provide access to this certificate by posting a link to it on an associated Web site or by storing it in a publicly accessible entry in the LDAP directory. Either the binary form of the certificate or the printable Base64-encoded form defined by the Internet RFC 1421 standard is acceptable.
2. Import the certificate into a trusted certificate store file called .keystore in the user's home directory. To accomplish this, use the keytool utility that ships as part of the Java installation. For example:

       # keytool -import -alias someserver -file \
           someserver.cer -keystore ~/.keystore -storepass mypassword

   Here someserver is an alias that will be used to refer to this certificate, someserver.cer is a file containing the certificate, and mypassword is a password used to access the keystore.
3. Restart the LDAP Browser to load the new keystore.
4. Connect to the LDAP server.
If the previous steps have been performed and the connection still cannot be made, verify that the host name, port, base distinguished name, and bind authentication information are all configured correctly. If the problem still remains, the LDAP Browser can be run from the command line with a special qualifier that turns on SSL debugging; this can sometimes reveal the problem. To use the qualifier, run the LDAP Browser from the directory where the ldapbrowser.jar file resides. For example:

    # java -jar ldapbrowser.jar -Djavax.net.debug=all

Disconnecting from an LDAP Server

To terminate the currently established LDAP connection, choose Disconnect from the File menu.

Reconnecting to an LDAP Server

To disconnect from and then reconnect to an established connection, or to reestablish a connection that was terminated, choose Reconnect from the File menu.

Using the Main Browsing Window
Once a connection is established, the main browsing window allows you to view and manage the information in the directory. The directory is graphically represented in tree form, with each directory entry identified by its relative distinguished name (RDN). From the main browsing window, you can perform the following functions:

- Operate on a directory entry — Click on an entry in the directory tree, and then choose any of the appropriate operations from the Edit or View menus or from the entry's context-sensitive pop-up menu.
- View a directory entry — Click on an entry in the directory tree to select it and see a list of its attributes in the adjoining table. The attributes of an entry can also be viewed in a separate window by selecting the entry and using the View entry item in the appropriate menus or by double-clicking on an entry that has no descendants.
- View a directory entry's descendants — Double-click an entry in the tree, or click on the tree node expansion icon for that entry. The tree node expansion icon will graphically indicate that an entry has descendants until this operation is actually performed for the entry and the existence of descendants is either confirmed or disproved.
- Operate on an attribute — Select an entry in the tree, select one or more attributes from the attribute table, and then choose any of the appropriate operations from the Edit menu or from the attribute's context-sensitive pop-up menu. Alternatively, double-click an attribute in the table to modify it.
- Sort the attribute table — Click on either column header in the attribute table to sort the data in that column. Click on the header again to reverse the sort order.
Opening a New Main Window

To create a new main window, choose the New Window option from the File menu. A newly created main window can be connected to the same directory server as any other main window or to an entirely different directory server. To close a main window without affecting any other main windows that are currently open, choose the Close Window option from the File menu.

Viewing a Directory Entry in a Separate Window

To view a directory entry in a separate window, select an entry in the main window, and choose View entry from the View menu or from the entry's context-sensitive pop-up menu. Alternatively, double-click an entry that has no descendants.

To refresh an entry, choose an entry in the main window, and choose Refresh entry from the View menu. The LDAP Browser will reload the information for the selected entry from the LDAP server and set the state of the entry's descendants, so that their information will also be refreshed the next time they are chosen.

Controlling Client-Side Schema Checking

Client-side schema checking allows the LDAP Browser to adapt to and enforce the rules imposed by an LDAP directory's schema when entries are being created or modified. As a result, the process of creating and modifying entries becomes much less mistake prone, and vague object class violation errors that result from server-side schema checking can often be prevented. Client-side schema checking is enabled by default.

Client-side schema checking can be enabled and disabled through an Edit menu check box item in either the main browsing window or the add or modify entry forms. When schema checking is enabled, the following behavior is introduced:

- In the add and modify entry forms, required attributes are marked with an asterisk (*).
- Required attributes cannot be deleted.
- The add attribute dialog box presents only choices allowed by the schema.
- Multiple values cannot be added for attributes defined as single-valued by the schema.
- When objectClass attribute values are removed or modified, attributes that are no longer allowed as a result of the change are removed, after warning the user first.
- When objectClass attribute values are added or modified, newly required attributes that do not already exist in the entry are automatically added.
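The schema-checking behavior described above, as an added Python example (not the LDAP Browser's own code): it resolves required and allowed attributes through the superior chain, reports object class violations, refuses deletion of required attributes, and shows which attributes are dropped or added when the objectClass values change. The schema is a hand-built subset using the person object class from Example 11-1 plus the assumption that top requires objectClass; the entry is the constructed person entry from that example.

```python
"""Client-side schema checking, as an added example (not code from the
LDAP Browser or the Internet Express guide).  SCHEMA is a hand-constructed
subset: person is taken from Example 11-1; that top requires objectClass
is an assumption included to show inheritance through the superior chain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]   # lower-cased attribute name -> values

@dataclass
class ObjectClass:
    name: str
    superior: Optional[str]
    requires: Set[str] = field(default_factory=set)
    allows: Set[str] = field(default_factory=set)

SCHEMA: Dict[str, ObjectClass] = {oc.name.lower(): oc for oc in [
    ObjectClass("top", None, {"objectclass"}),
    ObjectClass("person", "top", {"sn", "cn"},
                {"description", "seealso", "telephonenumber", "userpassword"}),
]}

# Constructed sample entry, in the layout shown for the person object class.
KIRK_LDIF = """\
cn: James Kirk
cn: James T. Kirk
sn: Kirk
description: Admiral
userpassword: Gb0Rda/KJV//a
telephonenumber: +1 555 555-1212
objectclass: top
objectclass: person
"""

def parse_entry(text: str) -> Entry:
    """Parse 'attr: value' lines into a multi-valued attribute map."""
    entry: Entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def effective(object_classes) -> Tuple[Set[str], Set[str]]:
    """(required, allowed) attribute sets, walking each superior chain;
    'allowed' includes the required attributes."""
    required: Set[str] = set()
    optional: Set[str] = set()
    for name in object_classes:
        oc = SCHEMA.get(name.lower())
        if oc is None:
            raise ValueError(f"unknown object class {name!r}")
        while oc is not None:
            required |= oc.requires
            optional |= oc.allows
            oc = SCHEMA[oc.superior.lower()] if oc.superior else None
    return required, required | optional

def violations(entry: Entry) -> List[str]:
    """What a server-side check would reject as an object class violation."""
    required, allowed = effective(entry.get("objectclass", []))
    present = set(entry)
    return ([f"missing required attribute {a}" for a in sorted(required - present)]
            + [f"attribute {a} not allowed by object classes"
               for a in sorted(present - allowed)])

def can_delete(entry: Entry, attr: str) -> bool:
    """Required attributes cannot be deleted while schema checking is on."""
    return attr.lower() not in effective(entry.get("objectclass", []))[0]

def change_object_classes(entry: Entry, new_classes: List[str]
                          ) -> Tuple[Entry, List[str], List[str]]:
    """Re-derive an entry for a new objectClass list: returns (adjusted
    entry, attributes dropped because they are no longer allowed, newly
    required attributes added with an empty placeholder value)."""
    required, allowed = effective(new_classes)
    others = [a for a in entry if a != "objectclass"]
    dropped = [a for a in others if a not in allowed]
    new_entry: Entry = {"objectclass": list(new_classes)}
    new_entry.update({a: list(entry[a]) for a in others if a in allowed})
    added = sorted(required - set(new_entry))
    new_entry.update({a: [""] for a in added})
    return new_entry, dropped, added
```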
Adding a New Directory Entry

To add a new directory entry:

1. From the main window, choose the parent for the new entry.
2. Choose the Add Entry submenu beneath the Edit menu.
3. Choose a template to use for the new entry. Entry templates define which object classes a new entry will belong to and which attributes will be included in the entry creation form by default. Several default templates are provided. See Section: Creating Entry Templates for information on how to create more.
4. Once a template is selected, a form will appear that allows the new entry's parent and attributes to be defined. Use the + and - buttons next to the attributes to add additional values or to remove existing values for the attribute.

Attributes not present in the form can also be added through an option in the form's Edit menu. Another option in the form's Edit menu determines whether attribute values left blank are ignored (the default) or are communicated to the LDAP server. Attributes can have either string or binary values. The binary value editor allows binary attribute values (such as JPEG files, certificates, and so on) to be loaded from a file. The current value can also be saved to a file.

Modifying a Directory Entry

To modify a directory entry:

1. From the main window, choose an entry.
2. From the Edit menu or from the entry's context-sensitive pop-up menu, choose Modify entry. A form similar to the one used for adding entries will appear, allowing the entry's attributes to be modified or deleted, and new attributes to be added.
Deleting a Directory Entry

To delete a directory entry:

1. From the main window, choose one or more entries.
2. From the Edit menu, choose Delete entry.
3. Respond to the confirmation prompt.

Deleting an entry will delete not just the entry but all its descendants, so use this function with care.

Copying a Directory Entry

To copy a directory entry:

1. From the main window, choose an entry.
2. From the Edit menu or from the entry's context-sensitive pop-up menu, choose Copy entry.
3. Enter the copy parameters in the resulting dialog box. If the entry is copied to the same parent, a different RDN value for the new entry should be specified; otherwise, an underscore and a sequence number will be appended to the RDN attribute to distinguish it from the original entry.

The entry can be copied to either the same parent or to a new one. Multiple copies of an entry can also be made. By default, an underscore and a sequence number will be appended to the RDN of each copy to distinguish them from each other. Alternatively, if a pound sign (#) is included in the new RDN value, the new RDN value will be generated by replacing the pound sign with a sequence number. An entry's descendants can be copied along with the entry itself.
Renaming a Directory Entry

Renaming an entry refers to modifying the entry's RDN value while the entry's parent remains unchanged. To rename a directory entry:

1. From the main window, choose the entry.
2. From the Edit menu or from the entry's context-sensitive pop-up menu, choose Rename entry.
3. Enter the entry's new RDN value when prompted.
Moving a Directory Entry

Moving an entry refers to reparenting the entry while the entry's RDN remains unchanged. To move a directory entry:

1. From the main window, choose the entry.
2. From the Edit menu or from the entry's context-sensitive pop-up menu, choose Move entry.
3. Enter the distinguished name of the entry's new parent when prompted.

Note that moving an entry is actually a two-part operation: making a copy of the entry under the new parent, and then deleting the old entry. This operation can fail under some circumstances; for example, when a directory server does not allow two entries in the same directory to have the same value for a particular attribute, such as a UID.

Adding an Attribute

To add an attribute:

1. From the main window, choose an entry.
2. From the Edit menu or from the attribute list's context-sensitive pop-up menu, choose Add attribute.
3. Specify the name and type of the attribute to be added, and then specify one or more values for the attribute in the resulting form.
Modifying an Attribute

To modify an attribute:

1. From the main window, choose an entry.
2. From the Edit menu or from the attribute list's context-sensitive pop-up menu, choose Modify attribute.
3. Modify the values for the attribute in the resulting form.

Deleting an Attribute

To delete an attribute:

1. From the main window, choose an entry.
2. From the Edit menu or from the attribute list's context-sensitive pop-up menu, choose Delete attribute.
3. Choose whether to delete only the selected values for the attributes or whether to delete all values for the selected attributes.
Managing Directory Entry Templates

Directory entry templates define which object classes a newly created entry will belong to and which attributes and attribute values will be included in entry creation forms by default. Entry templates can be added, modified, deleted, copied, and renamed by choosing Manage entry templates from the Edit menu and performing those operations in the resulting dialog box.

An entry template can be created either from scratch or from an existing entry in the directory that is similar to some new entries that you plan to create. To create a directory entry template:

1. From the main window, select a model entry.
2. Click on the New button in the template management dialog.
3. Enter a template name and then define the template in the resulting template definition form.

The template definition form allows you to add the attributes and default values that will appear in future entry creation forms based upon this template. The Edit menu provides an option for adding new attributes to the form, and buttons next to each attribute value allow those values to be deleted or additional values to be added. Use the arrow buttons in the form to change the ordering of attributes. The attribute in the top row will be used as the RDN value for new entries created with this template, so be sure to adjust the attribute ordering accordingly.

Modifying Entry Templates

To modify entry templates:

1. From the list in the template management dialog, choose the template to be edited.
2. Click on the Edit button.
3. Edit the template in the resulting template definition form.

Deleting Directory Entry Templates

To delete a directory entry template:

1. From the list in the template management dialog, select the template to be deleted.
2. Click on the Delete button.
3. Confirm your choice when prompted.

Renaming Directory Entry Templates

To rename a directory entry template:

1. From the list in the template management dialog, select the template to be renamed.
2. Click on the Rename button.
3. Enter a new name for the template when prompted.

Copying Directory Entry Templates

To copy a directory entry template:

1. From the list in the template management dialog, select the template to be copied.
2. Click on the Copy button.
3. Enter a new name for the template copy when prompted.
Searching the Directory

To search the directory:

1. From the main window, choose an entry to serve as the search base.
2. From the View menu, select Search. The resulting search form prompts for the following information:
   - Base DN — The base node for the search.
   - Search filter — A standard LDAP search filter. The default of (objectclass=*) will match any entry.
   - Attributes — A list of attributes that the search should return. These attributes will be displayed in columns that can be used as the basis for sorting the search results. A list of attribute names separated by spaces or commas should be provided; for example, cn uid description.
   - Search scope — Select whether the search will match only entries one level below the search base or match entries at any level below the search base.
3. Initiate the search by clicking on the Search button or alternatively by pressing the Return key when focus is in any of the text fields.

Once the search results are obtained, the following operations can be performed:

- Sort the results — Click on any column header to sort the results based upon the data in that column. Click on the column header again to perform a reverse sort based upon the column data. Column data is treated as text strings for sorting purposes, so attributes that contain numerical data might not sort in the expected manner.
- View a full entry — Select an entry and then choose View entry from the search window's View menu or from the entry's context-sensitive pop-up menu. Alternatively, double-click on the entry to view it.
- Modify an entry — Select an entry and then choose Modify entry from the search window's Edit menu or from the entry's context-sensitive pop-up menu.
- Delete an entry — Select an entry and then choose Delete entry from the search window's Edit menu or from the entry's context-sensitive pop-up menu.
Viewing the Object Class Schema

To view information about the list of object classes defined by a directory server's schema:

1. From the View menu, choose Browse object class schema. The resulting dialog presents a list of defined object classes.
2. Click on an object class in the list to view the OID, parent object class, description, and lists of required and optional attributes for that object class.

Viewing the Attribute Schema

To view information about the attributes defined by a directory server's schema, follow these steps:

1. From the View menu, choose Browse attribute schema. The resulting dialog presents a list of defined attributes.
2. Click on an attribute in the list to view the OID, description, syntax, and value type for that attribute.
User Configuration File

The LDAP Browser stores its configuration information in the file .ldapbrowser.xml in the user's home directory. The contents of this file should not be edited directly. If the LDAP Browser encounters startup errors, one possible cause is that this file has been hand-edited incorrectly or otherwise corrupted. You can attempt to fix the problem by removing or renaming the file and restarting the LDAP Browser.

The OpenLDAP Directory Server Version 2.0.19 is an Open Source LDAP implementation based on the LDAP Version 3 protocol. For extensive information about OpenLDAP, including a searchable FAQ page, visit the following Web sites:
Managing the OpenLDAP Directory Server

Using the Internet Express Administration utility, you can:

Controlling the OpenLDAP Directory Server

To control the OpenLDAP Directory Server, follow these steps:

1. From the Administration utility Main menu, choose Manage Components.
2. Under Directory Services on the Manage Components menu, choose OpenLDAP Administration.
3. From the OpenLDAP Server Administration page, choose Start/Stop the OpenLDAP Directory Server.
4. If the server is currently running, you can:
   - Stop the server by clicking on Stop.
   - Restart the server by clicking on Restart.
   If the server is currently stopped, you can start the server by clicking on Start.
Configuring the OpenLDAP Directory Server

To configure the OpenLDAP Directory Server, follow these steps:

1. From the Administration utility Main menu, choose Manage Components.
2. Under Directory Services on the Manage Components menu, choose OpenLDAP Administration.
3. From the OpenLDAP Server Administration page, choose Configure the OpenLDAP Directory Server. The current values for Organization Name, Root Distinguished Name, and Administration Password are listed.
4. If desired, change the value for Organization Name. Enter the organization name, or the list of domain components (dc=), that denotes the root of the hierarchy for your LDAP data (also known as the searchbase or suffix). This value can be in the o=<organization> form, or the dc=<component1>[,dc=<component2>...] form.
5. If desired, change the value for Root Distinguished Name. Enter the distinguished name to be used when connecting to the LDAP server for administrative purposes. The Root Distinguished Name is not subject to access control or administrative limit restrictions for operations on this database.
6. If desired, change the value for Administration Password.
7. Click on Submit.
Configuring the OpenLDAP Directory Server Independently of the Installation Procedure

Use the /usr/internet/openldap/config_openldap.sh script to configure the /usr/internet/openldap/etc/slapd.conf file and to initialize an LDAP database. You will need to provide an Organization Name, used as the searchbase; a Distinguished Name, used for connections to the server; and an Administrative password. Once this script has run, use the /sbin/init.d/openldap start command to start the OpenLDAP slapd daemon on your system.

You may run the config_openldap.sh script more than once. However, the script will attempt to reinitialize the database each time it is run, and you might lose the existing data. To preserve existing data before reinitializing, either use the provided script, /usr/internet/openldap/sbin/dump_db.sh, or the /usr/internet/openldap/sbin/slapcat utility. See the slapcat(8) reference page for more information.