OpenLDAP - community developed LDAP software


OpenLDAP glossary

Common Name (CN)
Domain Components (DC)
dc=openldap,dc=org for domain openldap.org
Distinguished Name (DN)
This is the concatenation of the naming attributes (the RDNs), from the bottom to the top of the tree : cn=...,ou=...,dc=...,dc=.... The DN is the unique identifier of an entry (like the absolute path of a file).
For example, the DN of the leftmost entry on the bottom row would be uid=ann,ou=People,dc=example,dc=com.
Organizational Unit (OU)
Relative Distinguished Name (RDN)
An RDN is to a DN what a file's relative path is to its absolute path.
Object ID (OID)
Unique ID (UID)

OpenLDAP

Packages

  • slapd : the OpenLDAP server
  • ldap-utils : utilities such as ldapsearch, ldapmodify, ldap...
  • PHPLDAPAdmin : web-based LDAP administration interface

Configuration

Files

  • server side :
    • /etc/ldap/slapd.conf : LDAP daemon slapd
  • client side :
    • /etc/ldap/ldap.conf : for host-specific options
    • ~/.ldaprc : for user-specific options

hash the LDAP admin password :

slappasswd -s "admin_password" -h {CRYPT}

With output looking like : {CRYPT}vplKS/g3SDPiE
{CRYPT} selects the hashing scheme. Other schemes available : {MD5}, {SHA}, ... The value is a hash, not reversible encryption. Note that passing the password with -s leaves it in the shell history; running slappasswd without -s prompts for it instead.
You can now copy this into /etc/ldap/slapd.conf as the line : rootpw "{CRYPT}vplKS/g3SDPiE" (with no leading "#", which would comment the line out)
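As an added example (not from this page or from OpenLDAP's own code), the Python below reproduces the {SSHA} scheme, which is slappasswd's default and is built as base64(sha1(password + salt) + salt), and verifies a password against such a stored value. The unsalted {SHA} variant is included to show what the salt buys: the same password always yields the same {SHA} string.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} layout as written by slappasswd: base64( sha1(password + salt) + salt ).
# {SHA} is the same digest with no salt. Both are hashes, not reversible encryption.
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword / rootpw value in the {SSHA} scheme."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt per hash
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: identical passwords give identical values (weaker)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} or {SHA} value as stored by slapd."""
    if not stored.startswith("{"):
        raise ValueError("expected a {SCHEME}... value")
    scheme, _, payload = stored[1:].partition("}")
    raw = base64.b64decode(payload)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt follows the digest
    elif scheme.upper() == "SHA":
        digest, salt = raw, b""
    else:
        raise ValueError("unsupported scheme {" + scheme + "}")
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, digest)
```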

test configuration and restart slapd if OK

  • Debianoids : slaptest -v -f /etc/ldap/slapd.conf && /etc/init.d/slapd restart
  • RedHatoids : slaptest -v -f /etc/openldap/slapd.conf && /etc/init.d/slapd restart

Other files

  • data : /var/lib/ldap/*
  • logs :
    • Debianoids : /var/log/syslog (For the impatients : tail -f /var/log/syslog | grep ldap)
    • RedHatoids : /var/log/secure (For the impatients : tail -f /var/log/secure | grep ldap)
  • authentication logs : /var/log/auth.log

In case of ldap_bind: Invalid credentials (49)

Credentials stop working after a change to the OpenLDAP config tree/files (slapd.d). To fix this :
  1. make the /etc/openldap/slapd.d/ directory unavailable : rename it, chmod it, ...
  2. mkdir /etc/openldap/slapd.d/
  3. Run slaptest to test the configuration file and create new configuration in /etc/openldap/slapd.d/ :
    slaptest -f /etc/openldap/ldap.conf -F /etc/openldap/slapd.d
  4. Set rights/ownership : chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d
  5. Finally, delete or rename /etc/openldap/ldap.conf

LDAP commands

There are 2 types of commands for interacting with LDAP data :
  • the slapxxx commands act directly on the DB files. They must be executed while the daemon is stopped. Local use only.
  • the ldapxxx commands go through the LDAP protocol. slapd must be running. Local and remote use.

dump / restore of the DB

method 1 :

  • Commands
    • slapcat > backup.ldif
    • slapadd < backup.ldif
  • comments
    • must be executed on the server hosting LDAP (as this requires access to the DB files)
    • should be done only when slapd is down
    • when restoring the backup (most likely as "root"), the DB files will belong to root and won't be accessible to the "openldap" user, giving errors such as : DB_NOTFOUND: No matching key/data pair found. Restore the ownership of /var/lib/ldap to the openldap user afterwards.
    • the output contains operational attributes (entryUUID, entryCSN, ...), so it is not clean LDIF for ldapadd and the backup is only usable with slapadd

method 2 :

  • Commands
    • ldapsearch -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -b "dc=capen,dc=sis" "(objectClass=*)" > backup.ldif
    • ldapadd -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -f backup.ldif
  • Comments
    • can be performed either locally or remotely (this uses the LDAP protocol to access the DB)
    • outputs clean LDIF data that can be processed by any LDAP client tool

Manipulate LDAP data with command lines :

flags used below :
  • -W : prompt for the password
  • -D : bind DN, i.e. the identity the command runs as
  • -x : use simple authentication instead of SASL
  • -H : URI of the LDAP server the command is sent to
  • initialize the DB :

    ldapadd -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -f /etc/ldap/TP_files/file01-initialize_LDAP_DB.ldif

    If ldapadd returns :
    ldap_bind: Invalid DN syntax (34)
    additional info: invalid DN
    something may be wrong with the credentials (most likely the DN given with -D).
  • add a new entry :

    ldapadd -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -f /etc/ldap/TP_files/file02-add_LDAP_entry.ldif

  • search an entry :
    • users with name starting by b :

      ldapsearch -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -b "dc=capen,dc=sis" "(uid=b*)"

    • users with name containing sa :

      ldapsearch -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -b "dc=capen,dc=sis" "(uid=*sa*)"

    • users with GID=100 :

      ldapsearch -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -b "dc=capen,dc=sis" "(gidNumber=100)"

      Object attributes are defined in schemas, which also state which comparison operations are allowed on each attribute during a search (look for "EQUALITY" in /etc/ldap/schema/nis.schema). Trying a ">=" test on a uid or gid attribute is therefore invalid.
    • home directory of records representing user accounts and with condition on GID :

      ldapsearch -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -b "dc=capen,dc=sis" "(&(gidNumber=100)(objectClass=posixAccount))" homeDirectory

  • delete an entry :

    ldapdelete -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost "uid=,ou=,dc=capen,dc=sis"

  • add an entry with ldapmodify :

    ldapmodify -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -f /etc/ldap/TP_files/file03-modify_add_LDAP_entry.ldif

  • delete an entry with ldapmodify :

    ldapmodify -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -f /etc/ldap/TP_files/file04-modify_delete_LDAP_entry.ldif

  • add an attribute :

    ldapmodify -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -f /etc/ldap/TP_files/file05-modify_add_attribute.ldif

  • remove an attribute :

    ldapmodify -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -f /etc/ldap/TP_files/file06-modify_delete_attribute.ldif

  • modify a single attribute :

    ldapmodify -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -f /etc/ldap/TP_files/file07-modify_attribute.ldif

  • modify several attributes at once :

    ldapmodify -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost -f /etc/ldap/TP_files/file08-modify_several_attributes.ldif

  • rename an entry (=modify its RDN) :

    ldapmodrdn -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost "uid=bart,ou=users,dc=capen,dc=sis" "uid=bartolome"

  • change a user's password (as "LDAP root") and prompt for the new password (requires ldap-utils) :

    ldappasswd -W -D "cn=admin,dc=capen,dc=sis" -x -H ldap://localhost "cn=pam_nss,ou=applications,ou=people,dc=capen,dc=sis" -S
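The search filters above are typed by hand, but when the uid or gid value comes from user input it must be escaped per RFC 4515, otherwise the input can rewrite the filter (LDAP injection). The Python builder below is an added example, not code from this page or from OpenLDAP; it rebuilds the page's filters safely and contrasts a naive f-string filter with the escaped one on a hostile input string constructed for illustration.

```python
import re

# RFC 4515: these characters carry meaning inside a filter value and must be escaped
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# attribute descriptions should come from code, never from input; validate them anyway
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value so it matches literally, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _attr(attr: str) -> str:
    if not _ATTR_RE.match(attr):
        raise ValueError("invalid attribute description: %r" % attr)
    return attr


def equals(attr: str, value: str) -> str:
    return "(%s=%s)" % (_attr(attr), escape_filter_value(value))


def starts_with(attr: str, prefix: str) -> str:
    # the wildcard is added here, so caller text cannot smuggle one in
    return "(%s=%s*)" % (_attr(attr), escape_filter_value(prefix))


def contains(attr: str, fragment: str) -> str:
    return "(%s=*%s*)" % (_attr(attr), escape_filter_value(fragment))


def all_of(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def naive_uid_filter(user_input: str) -> str:
    """The pattern to avoid: formatting turns the input into filter syntax."""
    return "(uid=%s)" % user_input


def safe_uid_filter(user_input: str) -> str:
    return equals("uid", user_input)


if __name__ == "__main__":
    hostile = "*)(uid=*"  # constructed input that tries to close the uid test
    print(naive_uid_filter(hostile))  # (uid=*)(uid=*)
    print(safe_uid_filter(hostile))   # (uid=\2a\29\28uid=\2a)
```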

PHPLDAPAdmin

  • install : apt-get install phpldapadmin php5-ldap
  • connect to : http://192.168.3.50/phpldapadmin/

On the "LDAP client" side

What is called an LDAP client here is an LDAP data consumer, which is mostly other servers.
NSSWITCH (Name Service Switch) forwards name lookups to name repositories. A name lookup could be :
  • get the UID from a login
  • get the IP from a hostname
  • get the home directory of a user
The source providing such data is usually a file (/etc/passwd, /etc/shadow, /etc/hosts), but it can also be a DB, or LDAP. Here, we just need the library that resolves such data through LDAP : apt-get install libnss-ldap.