



  LDAP System Administration

  Table of Contents

  A Note Regarding Supplemental Files

  Preface

  How This Book Is Organized

  Part I : LDAP Basics

  Part II : Application Integration

  Part III: Appendixes

  Conventions Used in This Book

  Comments and Questions

  Acknowledgments

  I. LDAP Basics

  1. "Now where did I put that...?", or "What is a directory?"

  1.1. The Lightweight Directory Access Protocol

  1.2. What Is LDAP?

  1.2.1. Lightweight

  1.2.2. Directory

  1.2.3. Access Protocol

  1.3. LDAP Models

  2. LDAPv3 Overview

  2.1. LDIF

  2.1.1. Distinguished Names and Relative Distinguished Names

  2.1.2. Back to Our Regularly Scheduled Program . . .

  2.2. What Is an Attribute?

  2.2.1. Attribute Syntax

  2.2.2. What Does the Value of the objectClass Attribute Mean?

  2.3. What Is the dc Attribute?

  2.3.1. Where Is dc=org?

  2.4. Schema References

  2.5. Authentication

  2.5.1. Anonymous Authentication

  2.5.2. Simple Authentication

  2.5.3. Simple Authentication Over SSL/TLS

  2.5.4. Simple Authentication and Security Layer (SASL)

  2.6. Distributed Directories

  2.7. Continuing Standardization

  3. OpenLDAP

  3.1. Obtaining the OpenLDAP Distribution

  3.2. Software Requirements

  3.2.1. Threads

  3.2.2. SSL/TLS Libraries

  3.2.3. Database Backend Modules

  3.2.4. SASL Libraries

  3.3. Compiling OpenLDAP 2

  3.4. OpenLDAP Clients and Servers

  3.5. The slapd.conf Configuration File

  3.5.1. Schema Files

  3.5.2. Logging

  3.5.3. SASL Options

  3.5.4. SSL/TLS Options

  3.5.5. More Security-Related Parameters

  3.5.6. Serving Up Data

  3.6. Access Control Lists (ACLs)

  4. OpenLDAP: Building a Company White Pages

  4.1. A Starting Point

  4.2. Defining the Schema

  4.3. Updating slapd.conf

  4.4. Starting slapd

  4.5. Adding the Initial Directory Entries

  4.5.1. Verifying the Directory's Contents

  4.5.2. Updating What Is Already There

  4.6. Graphical Editors

  5. Replication, Referrals, Searching, and SASL Explained

  5.1. More Than One Copy Is "a Good Thing"

  5.1.1. Building slurpd

  5.1.2. Replication in a Nutshell

  5.1.3. Configuring the Master Server

  5.1.4. Configuring the Replica Server

  5.1.5. slurpd's replogfile

  5.2. Distributing the Directory

  5.3. Advanced Searching Options

  5.3.1. Following Referrals with ldapsearch

  5.3.2. Limiting Your Searches

  5.4. Determining a Server's Capabilities

  5.5. Creating Custom Schema Files for slapd

  5.6. SASL and OpenLDAP

  II. Application Integration

  6. Replacing NIS

  6.1. More About NIS

  6.2. Schemas for Information Services

  6.3. Information Migration

  6.4. The pam_ldap Module

  6.4.1. Configuring /etc/ldap.conf

  6.5. The nss_ldap Module

  6.6. OpenSSH, PAM, and NSS

  6.7. Authorization Through PAM

  6.7.1. One Host and a Group of Users

  6.7.2. One User and a Group of Hosts

  6.8. Netgroups

  6.9. Security

  6.10. Automount Maps

  6.11. PADL's NIS/LDAP Gateway

  7. Email and LDAP

  7.1. Representing Users

  7.2. Email Clients and LDAP

  7.2.1. Mozilla Mail

  7.2.2. Pine 4

  7.2.3. Eudora

  7.2.4. Microsoft Outlook Express

  7.3. Mail Transfer Agents (MTAs)

  7.3.1. Sendmail

  7.3.2. Postfix

  7.3.3. Exim

  8. Standard Unix Services and LDAP

  8.1. The Directory Namespace

  8.2. An FTP/HTTP Combination

  8.2.1. ProFTPD

  8.2.2. Apache

  8.3. User Authentication with Samba

  8.3.1. Configuring Samba

  8.3.2. Adding and Using a sambaAccount

  8.4. FreeRadius

  8.4.1. FreeRadius and OpenLDAP

  8.5. Resolving Hosts

  8.6. Central Printer Management

  9. LDAP Interoperability

  9.1. Interoperability or Integration?

  9.2. Directory Gateways

  9.3. Cross-Platform Authentication Services

  9.3.1. A Short Discussion About Kerberos

  9.4. Distributed, Multivendor Directories

  9.5. Metadirectories

  9.6. Push/Pull Agents for Directory Synchronization

  9.6.1. The Directory Services Markup Language

  10. Net::LDAP and Perl

  10.1. The Net::LDAP Module

  10.2. Connecting, Binding, and Searching

  10.3. Working with Net::LDAP::LDIF

  10.4. Updating the Directory

  10.4.1. Adding New Entries

  10.4.2. Deleting Entries

  10.4.3. Modifying Entries

  10.5. Advanced Net::LDAP Scripting

  10.5.1. References and Referrals

  10.5.2. Scripting Authentication with SASL

  10.5.3. Extensions and Controls

  III. Appendixes

  A. PAM and NSS

  A.1. Pluggable Authentication Modules

  A.1.1. Configuring PAM

  A.2. Name Service Switch (NSS)

  B. OpenLDAP Command-Line Tools

  B.1. Debugging Options

  B.2. Slap Tools

  B.2.1. slapadd(8c)

  B.2.2. slapcat(8c)

  B.2.3. slapindex(8c)

  B.2.4. slappasswd(8c)

  B.3. LDAP Tools

  B.3.1. ldapadd(1), ldapmodify(1)

  B.3.2. ldapcompare(1)

  B.3.3. ldapdelete(1)

  B.3.4. ldapmodrdn(1)

  B.3.5. ldappasswd(1)

  B.3.6. ldapsearch(1)

  C. Common Attributes and Objects

  C.1. Schema Files

  C.2. Attributes

  C.3. Object Classes

  D. LDAP RFCs, Internet-Drafts, and Mailing Lists

  D.1. Requests for Comments

  D.2. Mailing Lists

  E. slapd.conf ACLs

  E.1. What?

  E.2. Who?

  E.3. How Much?

  E.4. Examples

  LDAP System Administration

  Gerald Carter

  Editor

  Mike Loukides

  Copyright © 2009 O'Reilly Media, Inc.

  O'Reilly Media

  * * *

  A Note Regarding Supplemental Files

  Supplemental files and examples for this book can be found at http://examples.oreilly.com/9781565924918/. Please use a standard desktop web browser to access these files, as they may not be accessible from all ereader devices.

  All code files or examples referenced in the book will be available online. For physical books that ship with an accompanying disc, whenever possible, we've posted all CD/DVD content. Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to [email protected].

  Preface

  In 1999 I began experimenting with the Lightweight Directory Access Protocol (LDAP) and immediately became frustrated by the lack of documentation. I set out to write the book that I needed, and I believe that I accomplished that goal. After teaching instructional courses on LDAP for the past few years, I have come to the belief that many people share the same frustration I felt at the beginning of my LDAP career. Managers and administrators alike can sometimes be dazzled (or disgusted) by the plethora of acronyms in the IT industry. The goal of this book is to cut through the glossy vendor brochures and give you the knowledge and tools necessary to deploy a working directory on your network complete with integrated client applications.

  Directory services have been a part of networks in one way or another for a long time. LDAP directories have been growing roots in networks for as long as people have been proclaiming the current year to be the "year of LDAP." With increasing support from vendors in the form of clients and servers, LDAP has already become a staple for many networks. Because of this gradual but steady growth, people waiting for the LDAP big bang may be disappointed. You may wake up one morning and find that one of your colleagues has already deployed an LDAP-based directory service. If so, this book will help you understand how you can use the services that LDAP provides. If you are at the beginning of a project, this book will help you focus on the important points that are necessary to succeed.

  How This Book Is Organized

  This book is divided into two sections of five chapters each and a section of appendixes. You will most likely get the most out of this book if you implement the example directories as they are covered. With only a few exceptions, all client and server applications presented here are freely available or in common use.

  Part I : LDAP Basics

  Part I focuses on getting acquainted with LDAP and with the OpenLDAP server. In this part, I answer questions such as: "What is lightweight about LDAP?," "What security mechanisms does LDAP support for preventing unauthorized access to data?," and "How can I build a fault-tolerant directory service?" In addition, the first part of the book helps you gain practical experience with your own directory using the community-developed and freely available OpenLDAP server.

  Chapter 1 is a high-level overview of directory services and LDAP in particular.

  Chapter 2 digs into the details of the Lightweight Directory Access Protocol.

  Chapter 3 uses the free server distribution from OpenLDAP.org as an example to present practical experience with an LDAP directory.

  Chapter 4 provides some hands-on experience adding, modifying, and deleting information from a working directory service.

  Chapter 5 wraps up the loose ends of some of the more advanced LDAPv3 and OpenLDAP features.

  Part II : Application Integration

  Part II is all about implementation. Rather than present an LDAP cookbook, I bring different applications together in such a way that information common to one or more clients can be shared via the directory. You will see how to use LDAP as a practical data store for items such as user and group accounts, host information, general contact information, and application configurations. I also discuss integration with other directory services such as Microsoft's Active Directory, and how to develop your own Perl scripts to manage your directory service.

  Chapter 6 explains how an LDAP directory can be used to replace Sun's Network Information Service (NIS) as the means to distribute user and group accounts, host information, automount maps, and other system files.

  Chapter 7 presents information related to both mail clients (Eudora, Mozilla, Outlook, and Pine) and servers (Sendmail, Postfix, and Exim).

  Chapter 8 explains how to use an LDAP directory to share information among essential network services such as FTP, HTTP, LPD, RADIUS, DNS, and Samba.

  Chapter 9 examines what to do when your LDAP directory must coexist with other directory technologies.

  Chapter 10 provides the information necessary to roll your own LDAP management tools using Perl and the Net::LDAP module.

  Part III: Appendixes

  The appendixes provide a quick reference for LDAP standards, common schema items used in this book, and the command-line syntax for OpenLDAP client tools.

  Conventions Used in This Book

  The following conventions are used in this book:

  Italic

  Used for file, directory, user, and group names. It is also used for URLs and to emphasize new terms and concepts when they are introduced.

  Constant Width

  Used for code examples, system output, parameters, directives, and attributes.

  Constant Width Italic

  Used in examples for variable input or output (e.g., a filename).

  Constant Width Bold

  Used in code examples for user input and for emphasis.

  * * *

  Tip

  This icon designates a note, which is an important aside to the nearby text.

  * * *

  * * *

  Warning

  This icon designates a warning relating to the nearby text.

  * * *

  Comments and Questions

  We at O'Reilly have tested and verified the information in this book to the best of our abilities, but you may find that features have changed (or even that we have made mistakes!). Please let us know about any errors you find, as well as your suggestions for future editions, by writing to: