
Installing & Configuring OpenLDAP (Hands On Lab)


Page 1: Installing & Configuring OpenLDAP (Hands On Lab)

© 2006 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice

GET CONNECTED People. Training. Technology.

HP Technology Forum 2006

Installing & Configuring OpenLDAP

Michael Lamont Senior Software Engineer, Process Software

Page 2: Installing & Configuring OpenLDAP (Hands On Lab)

2 18 July 2014

Agenda

• Introduction to OpenLDAP

• Installing OpenLDAP

• Configuring OpenLDAP

• Populating an LDAP directory

• Basic searching

Page 3: Installing & Configuring OpenLDAP (Hands On Lab)


OpenLDAP

• OpenLDAP is one of the most popular LDAP packages in use today.

• OpenLDAP is:

− Free

− Open source

− Standards-compliant (LDAPv3)

− Portable (runs pretty much anywhere)

Page 4: Installing & Configuring OpenLDAP (Hands On Lab)


Obtaining OpenLDAP

• OpenLDAP is available from http://www.openldap.org/

• Always use the latest version available.

• As of now, 2.3.27 is latest.

Page 5: Installing & Configuring OpenLDAP (Hands On Lab)


Obtaining OpenLDAP

• Download OpenLDAP (and example LDIF):

$ ftp cheese.process.com

Name (cheese.process.com): hp

Password: hp

ftp> prompt

ftp> bi

ftp> mget *

ftp> quit

$

Page 6: Installing & Configuring OpenLDAP (Hands On Lab)


Installing OpenLDAP

• Uncompress and un-archive:

$ gzip -d openldap-2.3.27.tgz

$ tar xfv openldap-2.3.27.tar

Page 7: Installing & Configuring OpenLDAP (Hands On Lab)


Installing OpenLDAP

• Change directories to the distribution directory, and run the configure script:

$ cd openldap-2.3.27

$ ./configure --prefix=/usr/local/

Page 8: Installing & Configuring OpenLDAP (Hands On Lab)


Installing OpenLDAP

• Run make depend to build some internal programs that the OpenLDAP build process depends on:

$ make depend

Page 9: Installing & Configuring OpenLDAP (Hands On Lab)


Installing OpenLDAP

• Build OpenLDAP by running make:

$ make

Page 10: Installing & Configuring OpenLDAP (Hands On Lab)


Installing OpenLDAP

• Run the OpenLDAP test suite to make sure everything was built correctly:

$ make test

Page 11: Installing & Configuring OpenLDAP (Hands On Lab)


Installing OpenLDAP

• Run make install as root to install OpenLDAP:

$ su

Password: bill+dave

# make install

Page 12: Installing & Configuring OpenLDAP (Hands On Lab)


Configuring OpenLDAP

• Main configuration file is slapd.conf in /usr/local/etc/openldap/

• Contains list of configuration variables and their values.

• Detailed info about every configuration variable is in OpenLDAP Administrator’s Guide.

Page 13: Installing & Configuring OpenLDAP (Hands On Lab)


Configuring OpenLDAP

include /usr/local/etc/openldap/schema/core.schema

include /usr/local/etc/openldap/schema/cosine.schema

include /usr/local/etc/openldap/schema/inetorgperson.schema

• A schema describes objects that can exist in an LDAP directory.

• core.schema and cosine.schema files include definitions for basic LDAP objects.

• inetorgperson.schema describes inetOrgPerson object that lots of LDAP-integrated software uses.

Page 14: Installing & Configuring OpenLDAP (Hands On Lab)


Configuring OpenLDAP

loglevel 264

pidfile /usr/local/var/run/slapd.pid

argsfile /usr/local/var/run/slapd.args

• loglevel is a bitmask that sets the level of LDAP debugging.

• OpenLDAP’s process ID is stored in pidfile - used by scripts.

• argsfile contains command line arguments that OpenLDAP will automatically use when started.

Page 15: Installing & Configuring OpenLDAP (Hands On Lab)


Configuring OpenLDAP

database bdb

• The database variable specifies the backend database used by OpenLDAP to store data.

• The bdb module supports the Berkeley DB, which OpenLDAP uses by default.

Page 16: Installing & Configuring OpenLDAP (Hands On Lab)


Configuring OpenLDAP

suffix "dc=apes.example,dc=com"

• Specifies the name of the base entry in the directory.

• All other directory entries descend from this object.

• Should be based on the local domain name.

Page 17: Installing & Configuring OpenLDAP (Hands On Lab)


Configuring OpenLDAP

rootdn "cn=Directory Manager,dc=apes.example,dc=com"

rootpw secret

• The root Distinguished Name (DN) is the directory administrator.

• Can read, write, and search any part of the directory.

• Value of suffix should be part of DN.

• rootpw is the password used to access the rootDN account.

Page 18: Installing & Configuring OpenLDAP (Hands On Lab)


Configuring OpenLDAP

directory /usr/local/var/openldap-data

index objectClass eq

• directory specifies where the directory database files are located.

− Must exist

− Should only be accessible by the user OpenLDAP runs as.

• index specifies attributes that OpenLDAP should maintain indexes for.

• Indexes speed up searches that use an indexed attribute.
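The slapd.conf directives from the preceding slides, assembled into one file and audited by a small parser. This is an added example, not code from the slides or from OpenLDAP: the config text is constructed from the fragments shown above, the check names are this example's own, and the loglevel bit values are the ones documented in slapd.conf(5) (264 is 256 "stats" plus 8 "conns"). The cleartext check rests on the fact that slapd accepts either a cleartext rootpw or a hash generated by slappasswd(8), such as a `{SSHA}` value; the `{SSHA}placeholder` string used in the test is a placeholder, not a real hash.

```python
"""Parse slapd.conf-style text and report its security-relevant settings.

Added example (not from the HP Technology Forum slides). SAMPLE_SLAPD_CONF is
constructed from the fragments shown on the slides.
"""
import re

# loglevel bit values from slapd.conf(5); 264 == 256 (stats) + 8 (conns)
LOGLEVEL_BITS = {
    1: "trace", 2: "packets", 4: "args", 8: "conns", 16: "BER",
    32: "filter", 64: "config", 128: "ACL", 256: "stats", 512: "stats2",
    1024: "shell", 2048: "parse", 16384: "sync",
}

SAMPLE_SLAPD_CONF = """\
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
loglevel 264
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=apes.example,dc=com"
rootdn "cn=Directory Manager,dc=apes.example,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
"""


def parse_slapd_conf(text):
    """Return a list of (keyword, value) pairs.

    slapd.conf(5) rules handled: '#' comments and blank lines are skipped, a
    line starting with whitespace continues the previous directive, keywords
    are case-insensitive, and quotes around a single value are stripped.
    """
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            kw, val = directives[-1]
            directives[-1] = (kw, (val + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        kw = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        directives.append((kw, val))
    return directives


def decode_loglevel(value):
    """Expand a numeric loglevel bitmask into slapd.conf(5) level names."""
    level = int(value)
    if level == -1:
        return ["any"]
    if level == 0:
        return ["none"]
    names = [name for bit, name in sorted(LOGLEVEL_BITS.items()) if level & bit]
    unknown = level & ~sum(LOGLEVEL_BITS)
    if unknown:
        names.append("unknown(%d)" % unknown)
    return names


def audit_slapd_conf(text):
    """Return a dict of findings about the configuration text."""
    settings = {}
    for kw, val in parse_slapd_conf(text):
        settings.setdefault(kw, []).append(val)   # keep repeats (include, index)
    findings = {}
    rootpw = settings.get("rootpw", [""])[-1]
    # slapd accepts a cleartext rootpw or a slappasswd(8) hash such as "{SSHA}...";
    # a cleartext value is readable by anyone who can read slapd.conf.
    findings["rootpw_cleartext"] = bool(rootpw) and not re.match(r"^\{[A-Za-z0-9-]+\}", rootpw)
    suffix = settings.get("suffix", [""])[-1]
    rootdn = settings.get("rootdn", [""])[-1]
    # The slides' rule "value of suffix should be part of the rootdn", checked as
    # a plain case-insensitive string suffix (no full DN normalisation).
    findings["rootdn_under_suffix"] = rootdn.lower().endswith(suffix.lower())
    findings["loglevel"] = decode_loglevel(settings.get("loglevel", ["0"])[-1])
    findings["indexed_attributes"] = [v.split()[0] for v in settings.get("index", [])]
    return findings


if __name__ == "__main__":
    for key, val in audit_slapd_conf(SAMPLE_SLAPD_CONF).items():
        print("%-20s %s" % (key, val))
```

Run against the slides' values the audit reports the rootdn correctly placed under the suffix, objectClass as the only indexed attribute, loglevel 264 decoded to conns and stats, and rootpw stored in cleartext; swapping in a slappasswd-generated hash clears that last finding.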

Page 19: Installing & Configuring OpenLDAP (Hands On Lab)


Starting OpenLDAP

• Run slapd as root to start OpenLDAP:

# /usr/local/libexec/slapd

Page 20: Installing & Configuring OpenLDAP (Hands On Lab)


Starting OpenLDAP

• Run ps -ef and look for the slapd process to verify that it’s running:

$ ps -ef | grep slapd

root 23932 1 09:52:03 ? 0:00 slapd

$

Page 21: Installing & Configuring OpenLDAP (Hands On Lab)


Stopping OpenLDAP

• Shut down OpenLDAP by sending slapd an interrupt signal (SIGINT).

• This lets OpenLDAP shut down gracefully.

• NEVER use kill -9 to shut down OpenLDAP – you can corrupt the directory databases.

# kill -INT `cat /usr/local/var/run/slapd.pid`

Page 22: Installing & Configuring OpenLDAP (Hands On Lab)


Populating OpenLDAP

• An LDAP directory without any entries isn’t very useful.

• ldapmodify is used to add or modify directory entries.

• New entries are specified using an LDIF file.

• We’re going to use a sample LDIF file that contains:

− A root entry

− A “people” organizational unit (ou)

− Two inetOrgPerson objects

Page 23: Installing & Configuring OpenLDAP (Hands On Lab)


Sample LDIF File

• Root entry:

dn: dc=apes.example,dc=com

dc: apes.example

objectClass: dcObject

objectClass: organizationalUnit

ou: Apes Incorporated

Page 24: Installing & Configuring OpenLDAP (Hands On Lab)


Sample LDIF File

• “people” organizational unit:

dn: ou=people,dc=apes.example,dc=com

ou: people

objectClass: organizationalUnit

Page 25: Installing & Configuring OpenLDAP (Hands On Lab)


Sample LDIF File

• First inetOrgPerson:

dn: cn=Charlton Heston,ou=people,dc=apes.example,dc=com

cn: Charlton Heston

sn: Heston

mail: [email protected]

telephoneNumber: 508-555-1212

objectclass: inetOrgPerson

Page 26: Installing & Configuring OpenLDAP (Hands On Lab)


Sample LDIF File

• Second inetOrgPerson:

dn: cn=Roddy McDowall,ou=people,dc=apes.example,dc=com

cn: Roddy McDowall

sn: McDowall

mail: [email protected]

telephoneNumber: 508-555-1234

objectclass: inetOrgPerson

Page 27: Installing & Configuring OpenLDAP (Hands On Lab)


LDIF File “Gotchas”

• Very important: each entry in the LDIF file has to be separated by exactly one blank line.

• The blank line can’t have spaces, tabs, or any other kind of white space on it.

• “value provided more than once” errors will occur if the separator line isn’t completely blank.
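A pre-flight check for the separator mistakes described above, written as an added example that is not part of the slides or of OpenLDAP. `check_ldif` splits LDIF text into entries the way the slides say slapd reads it (only a truly empty line ends an entry; a line starting with one space continues the previous value per RFC 2849) and reports whitespace-only separators, doubled blank lines, and the resulting duplicate `dn`. The sample LDIF is constructed from the slides' entries with one whitespace-only separator and one extra blank line inserted on purpose; the mail attributes are omitted because the slides' addresses are redacted.

```python
"""Check an LDIF file for the separator mistakes the slides warn about.

Added example (not from the HP slides). SAMPLE_LINES is constructed from the
slides' entries; line 10 (" \\t") and line 18 (a second blank line) are
deliberate errors.
"""

SAMPLE_LINES = [
    "dn: dc=apes.example,dc=com",
    "dc: apes.example",
    "objectClass: dcObject",
    "objectClass: organizationalUnit",
    "ou: Apes Incorporated",
    "",
    "dn: ou=people,dc=apes.example,dc=com",
    "ou: people",
    "objectClass: organizationalUnit",
    " \t",                                       # looks blank, is not
    "dn: cn=Charlton",
    "  Heston,ou=people,dc=apes.example,dc=com",  # RFC 2849 folded DN
    "cn: Charlton Heston",
    "sn: Heston",
    "telephoneNumber: 508-555-1212",
    "objectclass: inetOrgPerson",
    "",
    "",                                          # one blank line too many
    "dn: cn=Roddy McDowall,ou=people,dc=apes.example,dc=com",
    "cn: Roddy McDowall",
    "sn: McDowall",
    "telephoneNumber: 508-555-1234",
    "objectclass: inetOrgPerson",
]
SAMPLE_LDIF = "\n".join(SAMPLE_LINES) + "\n"

FIXED_LINES = list(SAMPLE_LINES)
FIXED_LINES[9] = ""      # the whitespace-only separator becomes truly blank
del FIXED_LINES[17]      # drop the surplus blank line
FIXED_LDIF = "\n".join(FIXED_LINES) + "\n"


def check_ldif(text):
    """Split LDIF text into entries and report separator problems.

    Returns (entries, problems): entries is a list of {attr: [values]} dicts
    with lower-cased attribute names; problems is a list of "line N: ..."
    strings. Handled: '#' comments, folding (a continuation line starts with
    one space, which is stripped) and plain 'attr: value' lines. Base64 ('::')
    and URL (':<') values are kept as written, not decoded.
    """
    entries, problems = [], []
    current = None        # entry under construction
    last_attr = None      # attribute a folded line would extend
    prev_empty = False    # previous line was truly empty
    extra_blanks = []     # surplus blank lines, reported once content resumes

    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw == "":
            # Only a truly empty line ends an entry; a second one in a row
            # breaks the slides' "exactly one blank line" rule.
            if current is None and entries and prev_empty:
                extra_blanks.append(lineno)
            if current is not None:
                entries.append(current)
            current, last_attr, prev_empty = None, None, True
            continue
        if raw.strip() == "":
            # Blank to a human, not to the LDIF parser: the next entry's lines
            # are read as part of this entry, which is what produces slapd's
            # "value provided more than once" error. Mimic that by not ending
            # the entry here, so the duplicate dn below gets reported too.
            problems.append("line %d: separator contains whitespace %r; "
                            "entries will merge" % (lineno, raw))
            prev_empty = False
            continue
        for n in extra_blanks:
            problems.append("line %d: more than one blank line between entries" % n)
        extra_blanks = []
        prev_empty = False
        if raw.startswith("#"):
            continue
        if raw.startswith(" "):
            if current is None or last_attr is None:
                problems.append("line %d: continuation line with nothing to continue" % lineno)
                continue
            current[last_attr][-1] += raw[1:]
            continue
        if ":" not in raw:
            problems.append("line %d: not an 'attribute: value' line: %r" % (lineno, raw))
            continue
        name, value = raw.split(":", 1)
        name, value = name.strip().lower(), value.lstrip()
        if current is None:
            current = {}
            if name != "dn":
                problems.append("line %d: entry does not begin with dn" % lineno)
        elif name == "dn":
            problems.append("line %d: second dn in one entry; is the separator "
                            "above it really blank?" % lineno)
        current.setdefault(name, []).append(value)
        last_attr = name

    if current is not None:
        entries.append(current)
    return entries, problems


if __name__ == "__main__":
    found, issues = check_ldif(SAMPLE_LDIF)
    print("%d entries parsed" % len(found))
    for issue in issues:
        print(issue)
```

On the deliberately broken sample the checker parses only three entries (the "people" OU and Charlton Heston merge) and reports the whitespace separator on line 10, the second dn on line 11, and the doubled blank line on line 18; on the fixed copy it parses all four entries cleanly, with the folded DN reassembled to `cn=Charlton Heston,ou=people,dc=apes.example,dc=com`.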

Page 28: Installing & Configuring OpenLDAP (Hands On Lab)


Adding Entries To The Directory

• The ldapmodify command is used to add entries to the directory.

• OpenLDAP has to be running for ldapmodify to work.

• Supply ldapmodify with the root DN and password, since it needs write access to the directory.

$ ldapmodify -D "cn=Directory Manager,dc=apes.example,dc=com" \
    -w secret -x -a -f hptf2006.ldif

Page 29: Installing & Configuring OpenLDAP (Hands On Lab)


Verify Entries Added

• The ldapsearch tool can be used to verify that the new entries were added.

$ ldapsearch -x -b "dc=apes.example,dc=com"
