Mastering OpenLDAP
Table of Contents
Mastering OpenLDAP
Credits
About the Author
About the Reviewers
Preface
What This Book Covers
What You Need for This Book
Conventions
Reader Feedback
Customer Support
Downloading the Example Code for the Book
Errata
Questions
1. Directory Servers and LDAP
LDAP Basics
What is a Directory?
The Structure of a Directory Entry
A Unique Name: The DN
An Example LDAP Entry
The Object Class Attribute
Operational Attributes
The Directory Information Tree
What to Do with an LDAP Server
The History of LDAP and OpenLDAP
A Technical Overview of OpenLDAP
The Server
Clients
Utilities
Libraries
Summary
2. Installation and Configuration
Before Getting Started
OpenLDAP Binaries for Operating Systems
Commercial OpenLDAP Distribution
Source Code Compilation
A Quick Note on Versions
Installation
Dependencies
Installing OpenLDAP
Configuring the SLAPD Server
Basics
Schemas
More Directives
Module Directives
Database Configuration
ACLs
Verifying a Configuration File
Starting and Stopping the Server
Using the Init Script
Running SLAPD Directly
Configuring the LDAP Clients
A Basic ldap.conf File
Size and Time Limits
Testing the Server
Summary
3. Using OpenLDAP
A Brief Survey of the LDAP Suite
LDAP from the Server Side
SLAPD
The Binding Operation
The Search Operation
More Operations: Additions, Modifications, and Deletions
The Addition Operation
The Modification Operation
The Delete Operation
Infrequent Operations
The ModifyDN Operation
The Compare Operation
The Extended Operation
SLAPD Summary
SLURPD
Creating Directory Data
The LDIF File Format
Anatomy of an LDIF File
Representing Attribute Values in LDIF
Example.Com in LDIF
Defining the Base DN Record
Structuring the Directory with Organizational Units
Theory 1: Directory as Organizational Chart
Theory 2: Directory as IT Service
Expressing the OUs in LDIF
Adding User Records
Adding System Records
Adding Group Records
The Complete LDIF File
Using the Utilities to Prepare the Directory
slapadd
When Should slapadd be Used?
What Does slapadd Do?
Loading the LDIF File
Stopping the Server
Running ldapadd in Test Mode
Importing the Records Using slapadd
Restarting the Directory
If Something Went Wrong...
Destroying and Recreating the Directory Files
slapindex
slapcat
Operational Attributes
slapacl
slapauth
slapdn
slappasswd
Storing and Using Passwords in OpenLDAP
Generating a Password with slappasswd
slaptest
Performing Directory Operations Using the Clients
Common Command-Line Flags
Common Flags
Setting Defaults in ldap.conf
ldapsearch
A Simple Search
Restricting Returned Fields
Requesting Operational Attributes
Searching Using a File
ldapadd
Adding Records from a File
ldapmodify
Adding a Record with ldapmodify
Modifying Existing Records
Modifying the Relative DN
Moving a Record with modrdn
Deleting Entire Records
ldapdelete
ldapcompare
ldapmodrdn
Modifying the Superior DN with ldapmodrdn
ldappasswd
ldapwhoami
Summary
4. Securing OpenLDAP
LDAP Security: The Three Aspects
Securing Network-Based Directory Connections with SSL/TLS
The Basics of SSL and TLS
Authenticity
Encryption
StartTLS
Creating an SSL/TLS CA
Creating a Certificate
Creating a New Certificate Request
Signing the Certificate Request
Configuring and Installing the Certificates
Remove the Pass Phrase from the Key
Relocate the Certificates
Install the CA Certificate
Optional: Clean Up
Configuring StartTLS
Configuring Client TLS
Configuring LDAPS
Debugging with the OpenSSL Client
Using Security Strength Factors
The security Directive
A Fine-Grained security Directive
Authenticating Users to the Directory
Simple Binding
Using an Authentication User for Simple Binding
SASL Binding
Configuring Cyrus SASL
The SASL Configuration File
Setting a User Password
Configuring SLAPD for SASL Support
Using a Replacement String in authz-regexp
Using a Search Filter in authz-regexp
A Note on ACLs and Search Filters
Failure of Mapping
Removing the Need to Specify the Realm
Debugging the SASL Configuration
Using Client SSL/TLS Certificates to Authenticate
Creating a New Client Certificate
Configuring the Client
Configuring the Server
Testing with ldapwhoami
Going Further with SASL
Controlling Authorization with ACLs
The Basics of ACLs
Access to [resources]
Access using DN
Access using attrs
Access using Filters
Combining Access Specifiers
By [who] [type of access granted] [control]
The Access Field
The who Field
The * and anonymous Specifiers
The self Specifier
The users Specifier
The dn Specifier
Groups and Members
Member-Based Record Access
Network, Connections, and Security
Advanced Step: Using the set Specifier
The control Field
Getting More from Regular Expressions
Debugging ACLs
A Practical Example
Summary
5. Advanced Configuration
Multiple Database Backends
The slapd.conf File
Creating and Importing a Second Directory
Performance Tuning
Performance Directives
Global Directives
Time Limits
Idle Timeouts
Size Limits
Threads
Directives in the Database Section
Limits
Read-only and Restrict Directives
Index (BDB/HDB Backends Only)
Controlling the Cache (BDB/HDB Only)
Reducing Disk I/O Latency (BDB/HDB Only)
The DB_CONFIG File
Setting the Cache Size
Configuring the Data Directory
Optimizing BDB/HDB Transaction Logging
Tuning Lock Files
More about Berkeley DB
Directory Overlays
A Brief Tour of the Official Overlays
Configuring an Overlay: denyop
Loading the module
Adding the Overlay
Adding Overlay-Specific Directives
Referential Integrity Overlay
Configuring the Overlay
Modifying the Records
Drawbacks
A Useful Note
The Uniqueness Overlay
Summary
6. LDAP Schemas
Introduction to LDAP Schemas
Why Do They Look So Complicated?
Schema Definitions
Object Classes and Attributes
Object Class Definitions
Attribute Definitions
Object Identifier Definitions
DIT Content Rules
Retrieving the Schemas from SLAPD
The ObjectClass Hierarchy
Attribute Hierarchies
Subordinate Attributes and Searching
Object Class Types: Abstract, Structural, and Auxiliary
The Object Class Hierarchy: An Overview
Abstract Classes
Structural Object Classes
Auxiliary Object Classes
Moving Onward
Schemas: Accesslog and Password Policy Overlays
Logging with the Accesslog Overlay
Loading the accesslog Module
Configuring the Access Log Backend
Creating A Directory for the Access Log Files
Enabling Logging for the Main Backend
The Log Records
Implementing a Complex Overlay: Password Policy
Setting the Global Directives in slapd.conf: Schema and Module
Creating a Password Policy
Configure the Overlay Directives
Test the Overlay
Password Policy Operational Attributes
Summary of ppolicy Operational Attributes
Creating a Schema
Getting an OID
Giving Our OID a Name
Creating Object Classes
Creating Attributes
Loading the New Schema
Troubleshooting Schema Loading
A New Record
Summary
7. Multiple Directories
Replication: An Overview
SyncRepl
Configuring SyncRepl
Configuring the Master Server
Creating a SyncRepl User
Configuring the Shadow Server
The syncrepl Directive
Configuring a Referral
Starting Replication
For Larger Directories...
Delta SyncRepl
The Master Server's Configuration
The Shadow Server's Configuration
Debugging SyncRepl
Starting Over
Strategic Logging
A Few Common Mistakes
Configuring an LDAP Proxy
Using the LDAP Backend
Using Identity Management Features
Turning the Simple Proxy into a Caching Proxy
Notes on the Attribute Sets and Templates
A Translucent Proxy
Summary
8. LDAP and the Web
The LDAP-Aware Application
Apache and LDAP
A Short Guide to Installing Apache
Configuring LDAP Authentication
Loading the Modules
Editing the default Configuration File
The Directory Section—Apache 2.2
Changes in Apache 2.0
Other Features of the Require Parameter
phpLDAPadmin
Prerequisites
Installing phpLDAPadmin
Is Your Package Broken?
Configuring phpLDAPadmin
A Basic Look at Configuration Parameters
Setting a variable
Calling a function
Setting an Array Value
Configuring the LDAP Server Settings
A First Look at phpLDAPadmin
Navigating phpLDAPadmin
Viewing and Modifying a Record
Adding a New Record
Searching with phpLDAPadmin
Summary
A. Building OpenLDAP from Source
Why Build from Source?
Getting the Code
The Tools for Compiling
Build Tools
Installing Dependencies
Compiling OpenLDAP
Configuring
Building with make
Installation
Building Everything
Summary
B. LDAP URLs
The LDAP URL
Common Uses of LDAP URLs
Not all LDAP URLs are for Searching
For More Information on LDAP URLs...
Summary
C. Useful LDAP Commands
Getting Information about the Directory
The Root DSE
The Subschema Record
The Configuration Record
Making a Directory Backup
A Backup Copy of the Directory Database
An LDIF Backup File
Rebuilding a Database (BDB, HDB)
Step 1: Stop the Server
Step 2: Dump the Database
Step 3: Delete the Old Database Files
Step 4: Create a New Database
Step 5: Restart SLAPD
Troubleshooting Rebuilds
Summary
Index