LDAP System Administration
Table of Contents
A Note Regarding Supplemental Files
Preface
How This Book Is Organized
Part I : LDAP Basics
Part II : Application Integration
Part III: Appendixes
Conventions Used in This Book
Comments and Questions
Acknowledgments
I. LDAP Basics
1. "Now where did I put that...?", or "What is a directory?"
1.1. The Lightweight Directory Access Protocol
1.2. What Is LDAP?
1.2.1. Lightweight
1.2.2. Directory
1.2.3. Access Protocol
1.3. LDAP Models
2. LDAPv3 Overview
2.1. LDIF
2.1.1. Distinguished Names and Relative Distinguished Names
2.1.2. Back to Our Regularly Scheduled Program . . .
2.2. What Is an Attribute?
2.2.1. Attribute Syntax
2.2.2. What Does the Value of the objectClass Attribute Mean?
2.3. What Is the dc Attribute?
2.3.1. Where Is dc=org?
2.4. Schema References
2.5. Authentication
2.5.1. Anonymous Authentication
2.5.2. Simple Authentication
2.5.3. Simple Authentication Over SSL/TLS
2.5.4. Simple Authentication and Security Layer (SASL)
2.6. Distributed Directories
2.7. Continuing Standardization
3. OpenLDAP
3.1. Obtaining the OpenLDAP Distribution
3.2. Software Requirements
3.2.1. Threads
3.2.2. SSL/TLS Libraries
3.2.3. Database Backend Modules
3.2.4. SASL Libraries
3.3. Compiling OpenLDAP 2
3.4. OpenLDAP Clients and Servers
3.5. The slapd.conf Configuration File
3.5.1. Schema Files
3.5.2. Logging
3.5.3. SASL Options
3.5.4. SSL/TLS Options
3.5.5. More Security-Related Parameters
3.5.6. Serving Up Data
3.6. Access Control Lists (ACLs)
4. OpenLDAP: Building a Company White Pages
4.1. A Starting Point
4.2. Defining the Schema
4.3. Updating slapd.conf
4.4. Starting slapd
4.5. Adding the Initial Directory Entries
4.5.1. Verifying the Directory's Contents
4.5.2. Updating What Is Already There
4.6. Graphical Editors
5. Replication, Referrals, Searching, and SASL Explained
5.1. More Than One Copy Is "a Good Thing"
5.1.1. Building slurpd
5.1.2. Replication in a Nutshell
5.1.3. Configuring the Master Server
5.1.4. Configuring the Replica Server
5.1.5. slurpd's replogfile
5.2. Distributing the Directory
5.3. Advanced Searching Options
5.3.1. Following Referrals with ldapsearch
5.3.2. Limiting Your Searches
5.4. Determining a Server's Capabilities
5.5. Creating Custom Schema Files for slapd
5.6. SASL and OpenLDAP
II. Application Integration
6. Replacing NIS
6.1. More About NIS
6.2. Schemas for Information Services
6.3. Information Migration
6.4. The pam_ldap Module
6.4.1. Configuring /etc/ldap.conf
6.5. The nss_ldap Module
6.6. OpenSSH, PAM, and NSS
6.7. Authorization Through PAM
6.7.1. One Host and a Group of Users
6.7.2. One User and a Group of Hosts
6.8. Netgroups
6.9. Security
6.10. Automount Maps
6.11. PADL's NIS/LDAP Gateway
7. Email and LDAP
7.1. Representing Users
7.2. Email Clients and LDAP
7.2.1. Mozilla Mail
7.2.2. Pine 4
7.2.3. Eudora
7.2.4. Microsoft Outlook Express
7.3. Mail Transfer Agents (MTAs)
7.3.1. Sendmail
7.3.2. Postfix
7.3.3. Exim
8. Standard Unix Services and LDAP
8.1. The Directory Namespace
8.2. An FTP/HTTP Combination
8.2.1. ProFTPD
8.2.2. Apache
8.3. User Authentication with Samba
8.3.1. Configuring Samba
8.3.2. Adding and Using a sambaAccount
8.4. FreeRadius
8.4.1. FreeRadius and OpenLDAP
8.5. Resolving Hosts
8.6. Central Printer Management
9. LDAP Interoperability
9.1. Interoperability or Integration?
9.2. Directory Gateways
9.3. Cross-Platform Authentication Services
9.3.1. A Short Discussion About Kerberos
9.4. Distributed, Multivendor Directories
9.5. Metadirectories
9.6. Push/Pull Agents for Directory Synchronization
9.6.1. The Directory Services Markup Language
10. Net::LDAP and Perl
10.1. The Net::LDAP Module
10.2. Connecting, Binding, and Searching
10.3. Working with Net::LDAP::LDIF
10.4. Updating the Directory
10.4.1. Adding New Entries
10.4.2. Deleting Entries
10.4.3. Modifying Entries
10.5. Advanced Net::LDAP Scripting
10.5.1. References and Referrals
10.5.2. Scripting Authentication with SASL
10.5.3. Extensions and Controls
III. Appendixes
A. PAM and NSS
A.1. Pluggable Authentication Modules
A.1.1. Configuring PAM
A.2. Name Service Switch (NSS)
B. OpenLDAP Command-Line Tools
B.1. Debugging Options
B.2. Slap Tools
B.2.1. slapadd(8c)
B.2.2. slapcat(8c)
B.2.3. slapindex(8c)
B.2.4. slappasswd(8c)
B.3. LDAP Tools
B.3.1. ldapadd(1), ldapmodify(1)
B.3.2. ldapcompare(1)
B.3.3. ldapdelete(1)
B.3.4. ldapmodrdn(1)
B.3.5. ldappasswd(1)
B.3.6. ldapsearch(1)
C. Common Attributes and Objects
C.1. Schema Files
C.2. Attributes
C.3. Object Classes
D. LDAP RFCs, Internet-Drafts, and Mailing Lists
D.1. Requests for Comments
D.2. Mailing Lists
E. slapd.conf ACLs
E.1. What?
E.2. Who?
E.3. How Much?
E.4. Examples
LDAP System Administration
Gerald Carter
Editor
Mike Loukides
Copyright © 2009 O'Reilly Media, Inc.
O'Reilly Media
* * *
A Note Regarding Supplemental Files
Supplemental files and examples for this book can be found at http://examples.oreilly.com/9781565924918/. Please use a standard desktop web browser to access these files, as they may not be accessible from all ereader devices.
All code files or examples referenced in the book will be available online. For physical books that ship with an accompanying disc, whenever possible, we've posted all CD/DVD content. Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to booktech@oreilly.com.
Preface
In 1999 I began experimenting with the Lightweight Directory Access Protocol (LDAP) and immediately became frustrated by the lack of documentation. I set out to write the book that I needed, and I believe that I accomplished that goal. After teaching instructional courses on LDAP for the past few years, I have come to the belief that many people share the same frustration I felt at the beginning of my LDAP career. Managers and administrators alike can sometimes be dazzled (or disgusted) by the plethora of acronyms in the IT industry. The goal of this book is to cut through the glossy vendor brochures and give you the knowledge and tools necessary to deploy a working directory on your network, complete with integrated client applications.
Directory services have been a part of networks in one way or another for a long time. LDAP directories have been growing roots in networks for as long as people have been proclaiming the current year to be the "year of LDAP." With increasing support from vendors in the form of clients and servers, LDAP has already become a staple for many networks. Because of this gradual but steady growth, people waiting for the LDAP big bang may be disappointed. You may wake up one morning and find that one of your colleagues has already deployed an LDAP-based directory service. If so, this book will help you understand how you can use the services that LDAP provides. If you are at the beginning of a project, this book will help you focus on the important points that are necessary to succeed.
How This Book Is Organized
This book is divided into two sections of five chapters each and a section of appendixes. You will likely get the most out of this book if you implement the example directories as they are covered. With only a few exceptions, all client and server applications presented here are freely available or in common use.
Part I : LDAP Basics
Part I focuses on getting acquainted with LDAP and with the OpenLDAP server. In this part, I answer questions such as: "What is lightweight about LDAP?," "What security mechanisms does LDAP support for preventing unauthorized access to data?," and "How can I build a fault-tolerant directory service?" In addition, the first part of the book helps you gain practical experience with your own directory using the community-developed and freely available OpenLDAP server.
Chapter 1 is a high-level overview of directory services and LDAP in particular.
Chapter 2 digs into the details of the Lightweight Directory Access Protocol.
Chapter 3 uses the free server distribution from OpenLDAP.org as an example to present practical experience with an LDAP directory.
Chapter 4 provides some hands-on experience adding, modifying, and deleting information from a working directory service.
Chapter 5 wraps up the loose ends of some of the more advanced LDAPv3 and OpenLDAP features.
Part II : Application Integration
Part II is all about implementation. Rather than present an LDAP cookbook, I bring different applications together in such a way that information common to one or more clients can be shared via the directory. You will see how to use LDAP as a practical data store for items such as user and group accounts, host information, general contact information, and application configurations. I also discuss integration with other directory services such as Microsoft's Active Directory, and how to develop your own Perl scripts to manage your directory service.
Chapter 6 explains how an LDAP directory can be used to replace Sun's Network Information Service (NIS) as the means to distribute user and group accounts, host information, automount maps, and other system files.
Chapter 7 presents information related to both mail clients (Eudora, Mozilla, Outlook, and Pine) and servers (Sendmail, Postfix, and Exim).
Chapter 8 explains how to use an LDAP directory to share information among essential network services such as FTP, HTTP, LPD, RADIUS, DNS, and Samba.
Chapter 9 examines what to do when your LDAP directory must coexist with other directory technologies.
Chapter 10 provides the information necessary to roll your own LDAP management tools using Perl and the Net::LDAP module.
Part III: Appendixes
The appendixes provide a quick reference for LDAP standards, common schema items used in this book, and the command-line syntax for OpenLDAP client tools.
Conventions Used in This Book
The following conventions are used in this book:
Italic
Used for file, directory, user, and group names. It is also used for URLs and to emphasize new terms and concepts when they are introduced.
Constant Width
Used for code examples, system output, parameters, directives, and attributes.
Constant Width Italic
Used in examples for variable input or output (e.g., a filename).
Constant Width Bold
Used in code examples for user input and for emphasis.
* * *
Tip
This icon designates a note, which is an important aside to the nearby text.
* * *
* * *
Warning
This icon designates a warning relating to the nearby text.
* * *
Comments and Questions
We at O'Reilly have tested and verified the information in this book to the best of our abilities, but you may find that features have changed (or even that we have made mistakes!). Please let us know about any errors you find, as well as your suggestions for future editions, by writing to: