Configuring the Server


If you have been using LDAP for years, you will be aware of its immense power and flexibility. On the other hand, if you are just trying LDAP for the first time, it will seem like the most broken component you could imagine. LDAP has very specific configuration requirements, is vastly lacking in graphical tools, and has a large number of acronyms to remember. On the bright side, all the hard work you put in will be worth it because, when it works, LDAP will hugely improve your networking experience.

The first step in configuring your LDAP server is to install the client and server applications. Select Add/Remove Applications, click the Details button next to Network Servers, and check openldap-servers. Then click the Details button next to System Tools and select openldap-clients. After you have installed them, close the dialog box and bring up a terminal.

Now, switch to the root user and edit /etc/openldap/slapd.conf in the text editor of your choice. This is the primary configuration file for slapd, the OpenLDAP server daemon. Scroll down until you see the lines database, suffix, and rootdn.

This is the most basic configuration for your LDAP system. What is the name of your server? The dc stands for domain component, which is the name of your domain as stored in DNS (for example, example.com). For our examples, we used hudzilla.org. LDAP considers each part of a domain name (separated by a period) to be a domain component, so the domain hudzilla.org is made up of a domain component hudzilla and a domain component org.

Change the suffix line to match your domain components, separated by commas. For example:

 suffix   "dc=hudzilla,dc=org" 

The next line defines the root DN, which is another LDAP acronym, meaning distinguished name. A DN is a complete descriptor of a person in your directory: her name and the domain in which she resides. For example:

 rootdn    "cn=root,dc=hudzilla,dc=org" 

CN is yet another LDAP acronym, this time meaning common name. A common name is just that: the name a person is usually called. Some people have several common names. Andrew Hudson is a common name, but that same user might also have the common name Andy Hudson. In our rootdn line, we define a complete user: common name root at domain hudzilla.org. These lines are essentially read backward. LDAP goes to org first, searches org for hudzilla, and then searches hudzilla for root.

The rootdn is important because it is more than just another person in your directory. The root LDAP user is like the root user in Linux. It is the person who has complete control over the system and can make whatever changes he wants to.

Now comes a slightly more complex part: We need to give the LDAP root user a password. The easiest way to do this is to open a new terminal window alongside your existing one. Switch to root in the new terminal also, and type slappasswd. This tool generates password hashes for OpenLDAP using a salted SHA-1 hash (SSHA). Enter a password when it prompts you. When you have entered and confirmed your password, you should see output like this:

 {SSHA}qMVxFT2K1UUmrA89Gd7z6EK3gRLDIo2W 

That is the password hash generated from your password. Yours will be different from the one shown here, but what is important is that it has {SSHA} at the beginning to denote a salted SHA-1 hash. You now need to switch back to the other terminal (the one editing slapd.conf) and add this line below the rootdn line:

 rootpw <your password hash> 

You should replace <your password hash> with the full output from slappasswd, like this:

 rootpw {SSHA}qMVxFT2K1UUmrA89Gd7z6EK3gRLDIo2W 

That sets the LDAP root password to the one you just generated with slappasswd. That is the last change you need to make in the slapd.conf file, so save your changes and close your editor.

Back in the terminal, run the slaptest command. This checks your slapd.conf file for errors and ensures you edited it correctly. Presuming there are no errors, run these two commands:

 chkconfig ldap on
 service ldap start

These tell Fedora to start OpenLDAP each time you boot up, and to start it right now.
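slaptest only checks syntax. As an added example (shell written for this page, not code from the book), the script below builds the suffix from a DNS domain the way the text describes and then checks a slapd.conf for three things a syntax check does not cover: the rootdn sits under the suffix, rootpw is a slappasswd {SSHA} hash rather than a cleartext password, and the file (which holds that hash) is not readable by group or others. The sample config it writes is constructed from the values in the text.

```shell
#!/bin/sh
# Added example (not from the book): derive the suffix from a DNS domain and
# sanity-check slapd.conf before running slaptest. The rootpw line holds the
# root password hash, so the file must not be readable by group or others.

# hudzilla.org -> dc=hudzilla,dc=org  (one dc= component per dotted label)
domain_to_suffix() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Returns 0 if the config looks sane, 1 otherwise (reasons go to stderr):
# rootdn must sit under suffix, rootpw must be an {SSHA} hash from slappasswd
# rather than a cleartext password, and the file mode must be 600 or stricter.
check_slapd_conf() {
    conf="$1"; rc=0
    suffix=$(awk '$1 == "suffix" { gsub(/"/, "", $2); print $2; exit }' "$conf")
    rootdn=$(awk '$1 == "rootdn" { gsub(/"/, "", $2); print $2; exit }' "$conf")
    rootpw=$(awk '$1 == "rootpw" { print $2; exit }' "$conf")
    case "$rootdn" in
        *",$suffix") ;;
        *) echo "rootdn '$rootdn' is not under suffix '$suffix'" >&2; rc=1 ;;
    esac
    case "$rootpw" in
        "{SSHA}"*) ;;
        "")  echo "no rootpw line" >&2; rc=1 ;;
        *)   echo "rootpw is not an {SSHA} hash (cleartext password?)" >&2; rc=1 ;;
    esac
    # group/other permission bits from ls -l (columns 5-10): "------" means 600
    go_bits=$(ls -l "$conf" | cut -c5-10)
    [ "$go_bits" = "------" ] || { echo "$conf is readable by group/other" >&2; rc=1; }
    return $rc
}

# Constructed sample config using the suffix, rootdn and hash shown in the text.
demo() {
    tmp=$(mktemp); rc=0
    cat > "$tmp" <<'EOF'
suffix   "dc=hudzilla,dc=org"
rootdn   "cn=root,dc=hudzilla,dc=org"
rootpw   {SSHA}qMVxFT2K1UUmrA89Gd7z6EK3gRLDIo2W
EOF
    chmod 600 "$tmp"
    check_slapd_conf "$tmp" || rc=$?
    rm -f "$tmp"; return $rc
}
```

Run it as root against /etc/openldap/slapd.conf (check_slapd_conf /etc/openldap/slapd.conf) before slaptest; a cleartext rootpw or a world-readable file is reported on stderr.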

The final configuration step is to tell Fedora which DN it should use if none is specified. This is done by going to System Settings and selecting Authentication. In the dialog box that appears, check Enable LDAP Support in both the User Information tab and Authentication tab. Next, click the Configure LDAP button, enter your DCs (for example, dc=hudzilla,dc=org) for the LDAP Search Base DN, and enter 127.0.0.1 for the LDAP Server. Click OK and then click OK again.

TIP

Checking Enable LDAP Support does not actually change the way in which your users log in. Behind the scenes, this forces Fedora to set up the ldap.conf file in /etc/openldap so that LDAP searches that do not specify a base search start point are directed to your DC.


Populating Your Directory

With LDAP installed, configured, and running, you can now fill the directory with people. This involves yet more LDAP acronyms and is by no means an easy task, so do not worry if you have to reread this several times before it sinks in.

First, create the file base.ldif. You will use this to define the base components of your system: the domain and the address book. LDIF is an acronym standing for LDAP Data Interchange Format, and it is the standard way of recording user data for insertion into an LDAP directory. Here are the contents we used for our example:

 dn: dc=hudzilla,dc=org
 objectClass: top
 objectClass: dcObject
 objectClass: organization
 dc: hudzilla
 o: Hudzilla Dot Org

 dn: ou=People,dc=hudzilla,dc=org
 ou: People
 objectClass: top
 objectClass: organizationalUnit

This file contains two individual entities, separated by an empty line. The first is our organization, hudzilla.org. The dn lines you know already, as they define each object uniquely in the scope of the directory. The objectClass directive specifies which attributes should be allowed for this entity and which attributes should be required. In this case, we use it to set the DC to hudzilla and to set o (the name of the organization) to Hudzilla Dot Org.

The next entity defines the address book, People, in which all our people will be stored. It is defined as an organizational unit, which is what the ou stands for. An organizational unit really is just an arbitrary partition of your company. You might have OUs for marketing, accounting, and management, for example.

You need to customize the file to your own requirements. Specifically, change the DCs to those you specified in your slapd.conf.

Next, create and edit a new file called people.ldif. This is where you will define entries for your address book, also using LDIF. Here are the people we used in our example:

 dn: cn=Paul Hudson,ou=People,dc=hudzilla,dc=org
 objectClass: inetOrgPerson
 cn: Paul Hudson
 cn: Hudzilla
 mail: paul@hudzilla.org
 jpegPhoto:< file:///home/paul/paulhudson.jpg
 sn: Hudson

 dn: cn=Andrew Hudson,ou=People,dc=hudzilla,dc=org
 objectClass: inetOrgPerson
 cn: Andrew Hudson
 cn: IzAndy
 mail: andrew@hudzilla.org
 sn: Hudson

 dn: cn=Nick Veitch,ou=People,dc=hudzilla,dc=org
 objectClass: inetOrgPerson
 cn: Nick Veitch
 cn: CrackAttackKing
 mail: nick@hudzilla.org
 sn: Veitch

There are three entries there, again separated by empty lines. Each person has a DN that is made up of his common name (CN), organizational unit (OU), and domain components (DCs). He also has an objectClass definition, inetOrgPerson, which gives him standard attributes like an email address, a photograph, and a telephone number. Entities of type inetOrgPerson must have a CN and an SN (surname), so you will see them in this code.

Note also that each person has two common names: his actual name and a nickname. Not all LDAP clients support more than one CN, but there is no harm in having several as long as the main one comes first and is listed in the DN.

TIP

Having multiple key/value pairs, like multiple CNs, is one of the defining features of LDAP. In today's interconnected world, few people can be defined using a single set of attributes because they have home phone numbers, work phone numbers, cell phone numbers, pager numbers, plus several email addresses, and potentially even a selection of offices where they hot desk. Using multiple CNs and other attributes allows you to properly record these complex scenarios.


The jpegPhoto attribute for the first entity has very particular syntax. Immediately after the colon you use an opening angle bracket (<) followed by a space and then the location of the person's picture. Because the picture is local, it is prefixed with file://. It is in /home/paul/paulhudson.jpg, so the whole URL is file:///home/paul/paulhudson.jpg.
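Because ldapadd gives little help when an LDIF file is malformed, here is an added example (a shell/awk lint written for this page, not the book's own code) that checks a file like people.ldif before you load it: trailing whitespace, a dn: with no blank line before it, a missing objectClass, an inetOrgPerson without cn or sn, and a first cn that is not the one used in the dn. The entries it checks in demo are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): lint an LDIF file before handing it to
# ldapadd. It flags the mistakes the text warns about: trailing whitespace,
# entries not separated by a blank line, a missing objectClass, an
# inetOrgPerson without cn or sn, and a first cn that disagrees with the dn.
# Exit status 0 = clean, 1 = problems found (one line printed per problem).
lint_ldif() {
    awk '
    BEGIN { bad = 0 }
    function flush() {        # report on the entry just finished, then reset
        if (n > 0 && dn == "")  { print "entry before line " NR ": no dn: line"; bad = 1 }
        if (dn != "" && !oc)    { print "entry " dn ": no objectClass"; bad = 1 }
        if (person && !(cn && sn)) { print "entry " dn ": inetOrgPerson needs cn and sn"; bad = 1 }
        if (firstcn != "" && index(dn, "cn=" firstcn) != 1) {
            print "entry " dn ": first cn \"" firstcn "\" is not the one in the dn"; bad = 1 }
        dn = ""; firstcn = ""; n = oc = cn = sn = person = 0
    }
    /[ \t]+$/   { print "line " NR ": trailing whitespace"; bad = 1 }
    /^[ \t]*$/  { flush(); next }           # a blank line ends the entry
    {
        n++
        if ($0 ~ /^dn: /) {
            if (n != 1) { print "line " NR ": dn: without a blank line before it"; bad = 1; flush(); n = 1 }
            dn = substr($0, 5)
        } else if ($0 ~ /^objectClass: /) {
            oc = 1; if ($2 == "inetOrgPerson") person = 1
        } else if ($0 ~ /^cn: /) {
            cn++; if (cn == 1) firstcn = substr($0, 5)
        } else if ($0 ~ /^sn: /) {
            sn = 1
        } else if ($0 !~ /^[A-Za-z][A-Za-z0-9-]*:(:|<)? /) {  # attr: v | attr:: b64 | attr:< URL
            print "line " NR ": not an attribute line"; bad = 1
        }
    }
    END { flush(); exit bad }' "$1"
}

# Constructed sample (made-up entries): a clean entry, then one that has a
# trailing space, no blank line before it, a first cn not in its dn, and no sn.
demo() {
    tmp=$(mktemp); rc=0
    printf 'dn: cn=Nick Veitch,ou=People,dc=example,dc=org\nobjectClass: inetOrgPerson\ncn: Nick Veitch\ncn: CrackAttackKing\nsn: Veitch\n' > "$tmp"
    printf 'dn: cn=Paul Hudson,ou=People,dc=example,dc=org \nobjectClass: inetOrgPerson\ncn: Hudzilla\ncn: Paul Hudson\n' >> "$tmp"
    lint_ldif "$tmp" || rc=$?
    rm -f "$tmp"; return $rc
}
```

Run lint_ldif base.ldif and lint_ldif people.ldif before the ldapadd step; a clean file produces no output and exit status 0.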

After you have edited the file to include the people in your organization, save it and close the editor. As root, issue these two commands:

 ldapadd -x -W -D "cn=root,dc=hudzilla,dc=org" -f base.ldif
 ldapadd -x -W -D "cn=root,dc=hudzilla,dc=org" -f people.ldif

The ldapadd command is used to convert LDIF into live directory content and, most importantly, can be executed while your LDAP server is running. The -x parameter means to use simple authentication, which means you need to supply the root username and password. -W means to prompt you for the password. -D lets you specify a DN for your username, and immediately after the -D, we specify the root DN as set earlier in slapd.conf. Finally, -f means to use the LDIF from the following file.

When you run them, you are prompted for the root password you set earlier. Upon entering it, you should see confirmation messages as your entries are added, like this:

 adding new entry "cn=Paul Hudson,ou=People,dc=hudzilla,dc=org" 

If you see an error such as ldap_bind: Can't contact LDAP server (-1), you need to start the LDAP server by typing service ldap start. The most likely sources of other errors are typing errors. LDIF is a precise format, even down to its use of whitespace.

To test that the directory has been populated and that your configuration settings are correct, run this command:

 ldapsearch -x 'objectclass=*'

The ldapsearch command does what you might expect: It queries the LDAP directory from the command line. Again, -x means to use simple authentication, although in this situation you do not need to provide any credentials because you are only reading from the directory. The objectclass=* search specifies to return any entry of any objectclass, so the search will return all the entries in your directory.

You can amend the search to be more specific, for example:

 ldapsearch -x 'cn=Ni*'

This returns all people with a common name that begins with Ni. If you get results for your searches, you are ready to configure your clients.

TIP

OpenLDAP needs specific permissions for its files. The /var/lib/ldap directory should be owned by user ldap and group ldap, with permissions 600. If you experience problems, try running chmod 600 /var/lib/ldap.




    Red Hat Fedora 4 Unleashed
    ISBN: 0672327929
    Year: 2006
    Pages: 361
