INTRODUCTION

To get started with LDAP, you first need to know what a directory is. A directory is a specialized list that lets you quickly look up information about the things the directory references. For example, a telephone directory is an alphabetic list of people and organizations with phone numbers, and often addresses, too. A corporate directory is a database of people, network resources, organizations, and so forth. The corporate database probably holds not just phone numbers, but also other information like email addresses, employee and department numbers, and application configuration data. The corporate directory is managed by a directory server, which takes requests from client applications and serves them back directory data from the database.

The OpenLDAP logo (photo credit: Wikipedia)

LDAP, the Lightweight Directory Access Protocol, is the standard protocol that directory client applications and directory servers use to communicate with one another about the data in a directory. LDAP applications can search, add, delete and modify directory data. LDAP is a lightweight version of the earlier DAP, the Directory Access Protocol of the ISO X.500 standard. DAP gives any application access to the directory through an extensible and robust information framework, but at a high administrative cost: it runs over the OSI protocol stack rather than the Internet-standard TCP/IP, has complicated directory naming conventions, and generally requires a big investment. LDAP preserves most features of DAP at lower cost: it runs directly over TCP/IP and uses simplified encoding, while retaining the X.500 data model, and it can support millions of entries for a comparatively modest investment in hardware and network infrastructure. LDAP directories differ from relational databases: you do not look data up in tables, but in a tree, similar to the tree you get if you diagram the contents of a file system.

The LDAP directory service model is based on entries. An entry is a collection of attributes that describe it. Each attribute has a type (its name) and one or more values. For example, the attributes describing a person might include the person's name (common name, or cn), telephone number, and email address.

In LDAP, directory entries are arranged in a hierarchical tree-like structure, starting at a root and then branching down into individual entries. At the top level of the hierarchy, entries represent larger organizations. Under these larger organizations in the hierarchy might be entries for smaller organizations. The hierarchy might end with entries for individual people or resources.

To describe LDAP quickly: all information is stored in a tree. With OpenLDAP you are free to design the directory tree (the Directory Information Tree, or DIT) yourself. We will begin with a basic tree containing two nodes below the root:

  • “People” node where your users will be stored
  • “Groups” node where your groups will be stored

Before beginning, decide what the root of your LDAP directory (its suffix, or base DN) will be. The usual convention is to derive it from your DNS domain name: if your domain is arthar.com (which we will use in this example), your root node will be dc=arthar,dc=com.

INSTALLATION

# yum install openldap-servers openldap-clients openldap-devel openldap-servers-sql compat-openldap migrationtools

Enable the ldapi:/// Unix-domain socket. The configuration steps below authenticate over it as the local root user (SASL EXTERNAL with peer credentials), so slapd must listen on it:

# vi /etc/sysconfig/ldap

SLAPD_LDAPI=yes

# vi /etc/openldap/slapd.conf

pidfile     /var/run/openldap/slapd.pid

argsfile    /var/run/openldap/slapd.args

Convert slapd.conf into the cn=config directory (slapd.d), discarding whatever was there before:

# rm -rf /etc/openldap/slapd.d/*

# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif

####line 4: change####
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

This ACL grants "manage" rights on cn=config only to a client that connects over the ldapi:/// socket as uid 0: the peer credentials reported by the kernel become the SASL EXTERNAL identity gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth. Everyone else falls through ("break") to any directive that follows; with no further olcAccess value in this file, they are denied.


# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif

####create new####

dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config

# chown -R ldap:ldap /etc/openldap/slapd.d

# chmod -R 700 /etc/openldap/slapd.d

slapd.d will hold the rootdn password hash, so it must be readable by the ldap user only.

# /etc/rc.d/init.d/slapd start

# chkconfig slapd on

Populating LDAP

OpenLDAP keeps its own configuration in a separate directory, the cn=config Directory Information Tree (DIT). The cn=config DIT configures the slapd daemon dynamically: schema definitions, indexes, ACLs and so on can be modified without stopping the service.

The cn=config database has only a minimal configuration at this point and needs additional options before the frontend directory can be populated. The frontend will use a "classical" scheme that is compatible with address-book applications and with Unix POSIX accounts. POSIX accounts allow authentication to various applications, such as web applications, mail transfer agents (MTAs), and so on.

First, some additional schema files need to be loaded. In a terminal enter:

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

If a schema was already included by slapd.conf (core usually is), its ldapadd fails with an error about duplicate definitions; that is harmless. Next, generate the hash of the password you will use for the directory administrator:

# slappasswd

slappasswd prompts for the password twice and prints a salted hash ({SSHA}... by default). Paste that output, never the cleartext password, wherever the files below say olcRootPW or userPassword.


This example uses the hdb backend (Berkeley DB), the default for the OpenLDAP 2.4 packages on CentOS 6. OpenLDAP 2.5 and later no longer ship back_hdb; on those versions load back_mdb and use objectClass olcMdbConfig instead.

# vi backend.ldif

#### create new ####
#### replace dc=***,dc=*** with your own suffix ####
#### replace olcRootPW: *** with the hash generated by slappasswd above ####
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=arthar,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=arthar,dc=com
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=arthar,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=arthar,dc=com" write by * read

Two things to note. The two records must be separated by a blank line, otherwise ldapadd treats the second dn: as an attribute of the first record and rejects the file. And the olcAccess directives are evaluated in order, first match wins: password hashes can be written by the administrator and by the user they belong to, anonymous clients may only use them to authenticate ("auth" permits a bind, not a read), and nobody else sees them; shadowLastChange is writable by the user (so password changes can update it) and readable by all; the root DSE is readable by all; everything else is writable by the administrator and readable by everyone, anonymous clients included. The rootdn (cn=admin) bypasses these ACLs entirely. If you do not want anonymous clients to browse user names, uidNumbers and home directories, change the final "by * read" to "by users read" (clients such as nss_ldap/pam_ldap then need a bind DN of their own).


# ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
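The olcAccess lines in backend.ldif decide who can see password hashes, so it is worth being able to predict what they do. The Python below is an added example (not OpenLDAP code) that models slapd's evaluation order for the constructs the file uses: directives are tried in order, the first matching "to" clause wins, the first matching "by" clause decides, "stop" ends evaluation, "break" carries on to the next directive, and the database rootdn bypasses everything. It encodes the four directives of backend.ldif, the cn=config directive from the installation section, and a hardened variant of the last directive. Simplifications: "dn=" is treated as an exact match, and the regex, group and set styles are not modelled. The user DNs uid=ben and uid=alice are made up for the demonstration.

```python
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
ANONYMOUS = ""        # requester DN of an unauthenticated connection


def allows(granted, wanted):
    """Access levels are cumulative: write implies read, read implies auth, and so on."""
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def who_matches(who, requester, entry_dn):
    """<who> forms used on the page: *, anonymous, users, self and ("dn", "<exact dn>")."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ANONYMOUS
    if who == "users":
        return requester != ANONYMOUS
    if who == "self":
        return requester != ANONYMOUS and requester.lower() == entry_dn.lower()
    if isinstance(who, tuple) and who[0] == "dn":
        return requester.lower() == who[1].lower()
    raise ValueError("unsupported <who>: %r" % (who,))


def what_matches(rule, entry_dn, attr):
    """<what> forms used on the page: *, attrs=<list>, dn.base=<dn>."""
    if rule.get("dn_base") is not None and entry_dn.lower() != rule["dn_base"].lower():
        return False
    if rule.get("attrs") is not None and attr.lower() not in rule["attrs"]:
        return False
    return True


def access_allowed(rules, requester, entry_dn, attr, wanted, rootdn=None):
    """Does `requester` get `wanted` access to `attr` of `entry_dn` under `rules`?"""
    if rootdn is not None and requester.lower() == rootdn.lower():
        return True                                   # the rootdn bypasses ACLs entirely
    granted = "none"
    for rule in rules:
        if not what_matches(rule, entry_dn, attr):
            continue
        clause = next((c for c in rule["by"] if who_matches(c[0], requester, entry_dn)), None)
        if clause is None:
            return False                              # <what> matched but no <by> did: denied
        _, level, control = clause
        if level is not None:                         # a clause without a level leaves the grant as is
            granted = level
        if control == "stop":
            return allows(granted, wanted)
        # "break": keep what was granted so far and move on to the next directive
    return allows(granted, wanted)                    # end of the list


ADMIN = "cn=admin,dc=arthar,dc=com"
# The four olcAccess values of backend.ldif, in order.  "by" tuples are (who, level, control).
ARTHAR_ACL = [
    {"attrs": {"userpassword"},
     "by": [(("dn", ADMIN), "write", "stop"), ("anonymous", "auth", "stop"),
            ("self", "write", "stop"), ("*", "none", "stop")]},
    {"attrs": {"shadowlastchange"}, "by": [("self", "write", "stop"), ("*", "read", "stop")]},
    {"dn_base": "", "by": [("*", "read", "stop")]},
    {"by": [(("dn", ADMIN), "write", "stop"), ("*", "read", "stop")]},
]
# Same, with the last directive changed to "by users read": anonymous clients can no longer browse.
HARDENED_ACL = ARTHAR_ACL[:3] + [{"by": [(("dn", ADMIN), "write", "stop"), ("users", "read", "stop")]}]
# The olcAccess value set on olcDatabase={0}config: only local root over ldapi:/// gets manage;
# everyone else falls through ("break") with nothing granted.
LOCAL_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
CONFIG_ACL = [{"by": [(("dn", LOCAL_ROOT), "manage", "stop"), ("*", None, "break")]}]

if __name__ == "__main__":
    ben = "uid=ben,ou=people,dc=arthar,dc=com"
    alice = "uid=alice,ou=people,dc=arthar,dc=com"
    for who, label in ((ANONYMOUS, "anonymous"), (ben, "ben (self)"), (alice, "alice"), (ADMIN, "admin")):
        for attr in ("userPassword", "shadowLastChange", "mail"):
            print("%-11s %-17s read=%-5s write=%s" % (
                label, attr,
                access_allowed(ARTHAR_ACL, who, ben, attr, "read", rootdn=ADMIN),
                access_allowed(ARTHAR_ACL, who, ben, attr, "write", rootdn=ADMIN)))
```

The table the script prints is the check to do by hand before loading a new ACL: anonymous must end up with auth, not read, on userPassword, and nobody but the owner and the administrator should reach write on it. The same model shows why the installation step's "by * break" on cn=config denies everything that is not local root: the break carries an empty grant to the end of the list.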

The frontend directory is now ready to be populated. Create a frontend.ldif with the following contents (records separated by blank lines):

# vi frontend.ldif

#### create new ####
#### replace dc=***,dc=*** with your own suffix ####
#### replace userPassword: *** with the hash generated by slappasswd above ####
dn: dc=arthar,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: arthar com
dc: arthar

dn: cn=admin,dc=arthar,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: ou=people,dc=arthar,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=arthar,dc=com
objectClass: organizationalUnit
ou: groups

cn=admin,dc=arthar,dc=com is also the olcRootDN of the database, so give its entry the same hash you used for olcRootPW; otherwise you end up with two different administrator passwords.


# ldapadd -x -D cn=admin,dc=arthar,dc=com -W -f frontend.ldif
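As an added example that is not part of the original page, here is a small Python checker for the tree model from the introduction: it parses an LDIF file and verifies, before ldapadd does, the things ldapadd will reject when frontend.ldif is loaded in file order: every record's naming attribute is present in the record, every record has an objectClass, and every parent is either the suffix or an earlier record. It also refuses a file where two records are not separated by a blank line. The LDIF inside it is a constructed copy of the structural records of frontend.ldif above; the function names and problem wording are this example's own, not OpenLDAP's.

```python
import base64


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lowercase: [values]})].  Handles '#' comments,
    blank-line record separators, 'attr:: <base64>' values and continuation lines
    (leading space).  A second 'dn:' inside one record, which is what a missing
    blank line between records looks like, raises ValueError."""
    lines = []                                   # (original line number, unfolded line)
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and lines:
            lines[-1] = (lines[-1][0], lines[-1][1] + raw[1:])
        else:
            lines.append((lineno, raw))
    records, dn, attrs = [], None, {}
    for lineno, line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                     # blank line: end of record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line %d: expected 'attribute: value'" % lineno)
        value = (base64.b64decode(value[1:].strip()).decode("utf-8")
                 if value.startswith(":") else value.strip())
        name = name.strip().lower()
        if name == "dn":
            if dn is not None:
                raise ValueError("line %d: second 'dn:' inside one record; "
                                 "separate records with a blank line" % lineno)
            dn = value
        elif dn is None:
            raise ValueError("line %d: attribute before 'dn:'" % lineno)
        else:
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        records.append((dn, attrs))
    return records


def split_dn(dn):
    """Split a DN on unescaped commas into normalized 'attr=value' RDNs
    (lowercased, trimmed; multi-valued RDNs are not handled)."""
    rdns, cur, escaped = [], "", False
    for ch in dn + ",":                          # the trailing comma flushes the last RDN
        if ch == "," and not escaped:
            attr, _, val = cur.partition("=")
            rdns.append(attr.strip().lower() + "=" + val.strip().lower())
            cur = ""
        else:
            cur += ch
            escaped = ch == "\\" and not escaped
    return rdns


def check_tree(records, suffix):
    """Return the problems ldapadd would hit loading `records` in file order under `suffix`."""
    problems, seen, suffix_n = [], set(), ",".join(split_dn(suffix))
    for dn, attrs in records:
        rdns = split_dn(dn)
        rdn_attr, _, rdn_val = rdns[0].partition("=")
        parent = ",".join(rdns[1:])
        if rdn_val not in [v.lower() for v in attrs.get(rdn_attr, [])]:
            problems.append("%s: naming attribute %s missing from the entry "
                            "(naming violation)" % (dn, rdns[0]))
        if "objectclass" not in attrs:
            problems.append("%s: no objectClass (object class violation)" % dn)
        if ",".join(rdns) != suffix_n and parent not in seen:
            problems.append("%s: parent %s is neither the suffix nor an earlier "
                            "record (no such object)" % (dn, parent))
        seen.add(",".join(rdns))
    return problems


def check_ldif_text(text, suffix):
    """Parse and check in one step; a parse failure is reported as the one problem."""
    try:
        return check_tree(parse_ldif(text), suffix)
    except ValueError as exc:
        return [str(exc)]


# Constructed copy of the structural records of frontend.ldif, with the blank lines
# LDIF requires between records.
FRONTEND_LDIF = """\
dn: dc=arthar,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: arthar com
dc: arthar

dn: ou=people,dc=arthar,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=arthar,dc=com
objectClass: organizationalUnit
ou: groups
"""
```

To check a real file, call check_ldif_text(open("frontend.ldif").read(), "dc=arthar,dc=com") and print the list; an empty list means the file will load in this order. The same checker is useful on the migration output later on, where an ou=people entry that has not been added yet is the usual cause of "No such object".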

Migrate local users to LDAP

# grep '^root:' /etc/passwd > /etc/openldap/passwd.root
# grep '^arthar:' /etc/passwd > /etc/openldap/passwd.arthar
# grep '^ben:' /etc/passwd > /etc/openldap/passwd.ben

####Repeat the same for the rest of users####

The pattern is anchored on the user name so that, for example, ben does not also pick up a user called ruben. Think twice about migrating root and other system accounts at all: once root's entry and password hash are in the directory, any host whose nss/pam configuration looks users up there resolves uid 0 from it. The script further down restricts itself to UIDs 500-999 (the regular-user range on CentOS 6; later releases start at 1000) for this reason.

 

# vi /usr/share/migrationtools/migrate_common.ph

$DEFAULT_MAIL_DOMAIN = "arthar.com";
$DEFAULT_BASE = "dc=arthar,dc=com";

####convert each passwd file to an LDIF (LDAP Data Interchange Format) file####

# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif
# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/passwd.arthar /etc/openldap/arthar.ldif
# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/passwd.ben /etc/openldap/ben.ldif

####Repeat the same for the rest of users####

migrate_passwd.pl reads /etc/shadow for the password hashes, so run it as root; the .ldif files it writes contain those hashes and should stay readable by root only.

Import all users into the LDAP directory

# ldapadd -x -D cn=admin,dc=arthar,dc=com -W -f /etc/openldap/root.ldif
# ldapadd -x -D cn=admin,dc=arthar,dc=com -W -f /etc/openldap/arthar.ldif
# ldapadd -x -D cn=admin,dc=arthar,dc=com -W -f /etc/openldap/ben.ldif


Alternatively, use a script that extracts the local users with UIDs in the range 500-999 and writes one LDIF for all of them. It reads /etc/shadow, so run it as root. The shadow fields map as follows: field 2 is the hash, 3 shadowLastChange, 4 shadowMin, 5 shadowMax, 6 shadowWarning, 7 shadowInactive, 8 shadowExpire and 9 shadowFlag.

# vi ldapuser.sh

#!/bin/bash
#### extract local users with UIDs 500-999 (the regular-user range on CentOS 6) ####
#### replace SUFFIX=*** with your own suffix ####
#### this is an example; run it as root, since it reads /etc/shadow ####
SUFFIX='dc=arthar,dc=com'
LDIF='ldapuser.ldif'
umask 077                      # the LDIF will contain password hashes: create it mode 600
rm -f "$LDIF"
: > "$LDIF"
# read passwd line by line; anchoring on the uid field avoids matching gid or other fields
grep -E '^[^:]+:x:[5-9][0-9][0-9]:' /etc/passwd | while IFS= read -r line
do
  USERNAME=`echo "$line" | cut -d: -f1`
  NAME=`echo "$line" | cut -d: -f5 | cut -d, -f1`      # GECOS full name, before the first comma
  if [ ! "$NAME" ]
  then
    NAME=$USERNAME
  fi
  SN=`echo "$NAME" | awk '{print $2}'`
  if [ ! "$SN" ]
  then
    SN=$NAME
  fi
  GIVEN=`echo "$NAME" | awk '{print $1}'`
  UIDNUM=`echo "$line" | cut -d: -f3`
  GIDNUM=`echo "$line" | cut -d: -f4`
  HOMEDIR=`echo "$line" | cut -d: -f6`
  LOGINSHELL=`echo "$line" | cut -d: -f7`
  # shadow entry, anchored on the user name so that "ben" does not also match "ruben"
  SHADOW=`grep "^$USERNAME:" /etc/shadow`
  PASS=`echo "$SHADOW" | cut -d: -f2`
  LAST=`echo "$SHADOW" | cut -d: -f3`
  MIN=`echo "$SHADOW" | cut -d: -f4`
  MAX=`echo "$SHADOW" | cut -d: -f5`
  WARN=`echo "$SHADOW" | cut -d: -f6`
  INACTIVE=`echo "$SHADOW" | cut -d: -f7`
  EXPIRE=`echo "$SHADOW" | cut -d: -f8`
  FLAG=`echo "$SHADOW" | cut -d: -f9`
  if [ ! "$FLAG" ]
  then
    FLAG="0"
  fi

  echo "dn: uid=$USERNAME,ou=people,$SUFFIX" >> "$LDIF"
  echo "objectClass: inetOrgPerson" >> "$LDIF"
  echo "objectClass: posixAccount" >> "$LDIF"
  echo "objectClass: shadowAccount" >> "$LDIF"
  echo "uid: $USERNAME" >> "$LDIF"
  echo "sn: $SN" >> "$LDIF"
  echo "givenName: $GIVEN" >> "$LDIF"
  echo "cn: $NAME" >> "$LDIF"
  echo "displayName: $NAME" >> "$LDIF"
  echo "uidNumber: $UIDNUM" >> "$LDIF"
  echo "gidNumber: $GIDNUM" >> "$LDIF"
  echo "userPassword: {crypt}$PASS" >> "$LDIF"
  echo "gecos: $NAME" >> "$LDIF"
  echo "loginShell: $LOGINSHELL" >> "$LDIF"
  echo "homeDirectory: $HOMEDIR" >> "$LDIF"
  # the shadow* attributes are integers: only emit the ones that are actually set
  [ "$LAST" ]     && echo "shadowLastChange: $LAST" >> "$LDIF"
  [ "$MIN" ]      && echo "shadowMin: $MIN" >> "$LDIF"
  [ "$MAX" ]      && echo "shadowMax: $MAX" >> "$LDIF"
  [ "$WARN" ]     && echo "shadowWarning: $WARN" >> "$LDIF"
  [ "$INACTIVE" ] && echo "shadowInactive: $INACTIVE" >> "$LDIF"
  [ "$EXPIRE" ]   && echo "shadowExpire: $EXPIRE" >> "$LDIF"
  echo "shadowFlag: $FLAG" >> "$LDIF"
  echo >> "$LDIF"
done

# bash ldapuser.sh

NOTE: if the script fails with syntax errors after being edited on Windows, run dos2unix on it to strip the CR line endings (unix2dos does the opposite and would break it), and make sure the quotes in it are plain ASCII ' and ".

# ldapadd -x -D cn=admin,dc=arthar,dc=com -W -f ldapuser.ldif

ldapuser.ldif holds every migrated user's password hash: keep it mode 600 and delete it (and the per-user .ldif files above) once the import has succeeded.

# service slapd restart

Test LDAP Server

# ldapsearch -x -b 'dc=arthar,dc=com' '(objectclass=*)'

This anonymous search should list the base entry, ou=people, ou=groups and the migrated users, but no userPassword values: the first olcAccess directive hides them from everyone except the administrator and the owner. Repeating the search bound as one of the users (-D with that user's DN and -W) should return that user's own hash and nobody else's, which confirms the ACLs are in effect.