Talk Overview
- What is LDAP?
- How can it be used?
- Configuration
- Importing Data and Testing the Server
- Client Configuration
- Maintaining LDAP
- Resources
- Questions and Answers
What is LDAP?
- Not a “Mexican Spackle”
- Lightweight Directory Access Protocol
- An open-standard protocol for accessing X.500 directory services
- Directory vs. database – optimized for reads
- Organized in tree format
LDAP Terminology
- Organizational Unit (ou) – a directory partition
- Distinguished Name (dn) – unique identifier
- Basedn – DN used as a search starting place
- Binddn – DN authenticating with the server
- ObjectClass - definition of an object that can be stored in a directory
- Suffix (domain components)
More LDAP Terminology
- Slapd – the LDAP server process
- Slurpd – the LDAP replication process
- LDIF – LDAP Data Interchange Format – the textual representation of an LDAP entry
How can it be used?
- For just about anything! It can be the glue that “binds” your organization together.
- System accounts (Unix & Samba/Windows)
- Company directory
- Mail server
- Web or firewall authentication
- Physical access
How do I configure it?
Configuration – slapd.conf
- /etc/openldap/slapd.conf
- TLS Certificates
- Access Control Lists
- suffix
- Rootdn & rootpw
- /etc/ldap.conf
- /etc/nsswitch.conf
- /etc/pam.d
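The slapd.conf items above (ACLs, rootdn and rootpw) are where most of the server-side security decisions live. The script below is an added example, not part of the talk: it holds a constructed weak slapd.conf next to a hardened one and runs a small review over each. It relies on OpenLDAP 2.x slapd.conf conventions (a line starting with whitespace continues the previous directive; ACLs read "access to <what> by <who> <access> ..."; with no access directives at all the default policy lets anyone read everything; rootpw may be cleartext or a slappasswd hash). The suffix dc=lulu,dc=com is the talk's own; the hash value is a placeholder.

```python
"""slapd.conf ACL and rootpw review (added example, not from the talk)."""
import re

WEAK_SLAPD_CONF = """\
include         /etc/openldap/schema/core.schema
suffix          "dc=lulu,dc=com"
rootdn          "cn=root,dc=lulu,dc=com"
rootpw          secret
directory       /var/lib/ldap
# no "access" directives: everything, userPassword included, is world-readable
"""

HARDENED_SLAPD_CONF = """\
include         /etc/openldap/schema/core.schema
suffix          "dc=lulu,dc=com"
rootdn          "cn=root,dc=lulu,dc=com"
# hash produced by: slappasswd -s <password>   (placeholder value below)
rootpw          {SSHA}PLACEHOLDER-HASH-FROM-SLAPPASSWD
directory       /var/lib/ldap
# users may change their own password; everyone else may only authenticate against it
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""

# slapd access levels from weakest to strongest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def at_least(level, floor):
    """True when a known access level grants at least 'floor'."""
    return level in LEVELS and LEVELS.index(level) >= LEVELS.index(floor)


def directives(text):
    """Yield (keyword, rest) with continuation lines joined and comments dropped."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:          # leading whitespace = continuation
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    for line in joined:
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_acl(rest):
    """Split 'to <what> by <who> <access> by ...' into (what, [(who, access), ...])."""
    m = re.match(r"to\s+(.+?)\s+by\s+(.*)$", rest)
    if not m:
        raise ValueError("unparseable access directive: %r" % rest)
    clauses = []
    for clause in re.split(r"\s+by\s+", m.group(2)):
        parts = clause.split()
        # a 'by' clause with no level is treated as 'none' here
        clauses.append((parts[0], parts[1] if len(parts) > 1 else "none"))
    return m.group(1), clauses


def review_slapd_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    acls = []
    for keyword, rest in directives(text):
        if keyword == "rootpw" and not rest.startswith("{"):
            findings.append("rootpw is stored in cleartext; use a slappasswd hash")
        elif keyword == "access":
            acls.append(parse_acl(rest))
    if not acls:
        findings.append("no access directives: default policy lets anyone read "
                        "all attributes, userPassword included")
    for what, clauses in acls:
        if "userpassword" in what.lower():
            for who, level in clauses:
                if who in ("*", "anonymous", "users") and at_least(level, "read"):
                    findings.append("userPassword readable by %s (%s)" % (who, level))
    # slapd stops at the first 'access to' that matches, so a catch-all placed
    # before the userPassword rule makes that rule dead
    for i, (what, _) in enumerate(acls):
        if what == "*" and any("userpassword" in w.lower() for w, _ in acls[i + 1:]):
            findings.append("'access to *' precedes the userPassword rule; "
                            "the later rule is dead")
    covered = any("userpassword" in w.lower() for w, _ in acls)
    if acls and not covered:
        for what, clauses in acls:
            if what == "*" and any(who == "*" and at_least(l, "read") for who, l in clauses):
                findings.append("userPassword falls through to 'access to *' "
                                "which grants read to *")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SLAPD_CONF), ("hardened", HARDENED_SLAPD_CONF)):
        print(name, review_slapd_conf(conf) or "no findings")
```

The order check matters in practice: ACLs are evaluated first match wins, so the specific userPassword rule has to sit above the catch-all `access to *`.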
Configuration - ldap.conf
- /etc/ldap.conf (and /etc/openldap/ldap.conf)
- Host, Base & Port
- URI
- Bind Timelimit
- pam_filter (for bigger directories)
- SSL
Configuration – nsswitch.conf
- /etc/nsswitch.conf
- Passwd, shadow, groups, etc.
- Knock yourself out!
- Order is important
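The two client files just covered (/etc/ldap.conf and /etc/nsswitch.conf) have one ordering rule and one transport rule worth checking mechanically. The script below is an added example, not part of the talk: it parses constructed copies of both files and flags `ldap` listed before `files` (local accounts, root above all, must still resolve when the directory is unreachable) and an ldap.conf that binds without ldaps:// or `ssl start_tls`, or with the peer certificate unchecked. The option names (`uri`, `ssl`, `tls_checkpeer`, `tls_cacertfile`, `bind_timelimit`, `pam_filter`) are the nss_ldap/pam_ldap ones; the hostnames and CA path are constructed.

```python
"""nsswitch.conf order and ldap.conf transport checks (added example, not from the talk)."""

NSSWITCH_OK = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""

NSSWITCH_BAD = """\
passwd:     ldap files
shadow:     ldap
group:      files ldap
"""

LDAP_CONF_PLAINTEXT = """\
host ldap
base dc=lulu,dc=com
bind_timelimit 5
pam_filter objectclass=posixAccount
"""

LDAP_CONF_TLS = """\
uri ldaps://ldap.lulu.com/
base dc=lulu,dc=com
bind_timelimit 5
pam_filter objectclass=posixAccount
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
"""


def parse_nsswitch(text):
    """Map database name -> ordered source list, ignoring comments and [action] tokens."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        db[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return db


def check_nsswitch(text):
    """Flag passwd/shadow/group lines where ldap is consulted before (or without) files."""
    findings = []
    db = parse_nsswitch(text)
    for name in ("passwd", "shadow", "group"):
        sources = db.get(name, [])
        if "ldap" not in sources:
            continue
        if "files" not in sources:
            findings.append("%s: 'files' missing, local accounts unresolvable when LDAP is down" % name)
        elif sources.index("ldap") < sources.index("files"):
            findings.append("%s: 'ldap' listed before 'files'" % name)
    return findings


def parse_ldap_conf(text):
    """Map lowercase option -> value for the key/value style of nss_ldap's /etc/ldap.conf."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def check_ldap_conf(text):
    """Require an encrypted transport (ldaps:// or start_tls) and peer verification."""
    findings = []
    o = parse_ldap_conf(text)
    encrypted = (o.get("uri", "").lower().startswith("ldaps://")
                 or o.get("ssl", "").lower() in ("start_tls", "on"))
    if not encrypted:
        findings.append("no ldaps:// URI or 'ssl start_tls': bind passwords and "
                        "directory data travel in cleartext")
    elif o.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': server certificate is not verified")
    return findings


if __name__ == "__main__":
    print(check_nsswitch(NSSWITCH_BAD))
    print(check_ldap_conf(LDAP_CONF_PLAINTEXT))
```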
Configuration – pam.d
- Most services use pam for authentication
- /etc/pam.d/system-auth – covers most
- Auth, account, password, session entries
Importing Data
- Choosing a suffix
- Unique UIDs
- Mailserver makes a good template
- migrate_all_offline.sh
- In /usr/share/openldap/migration, on RH systems
- Check permissions on /var/lib/ldap/ files !!!
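The migration scripts produce LDIF (the textual entry format defined on the terminology slide), and the "Unique UIDs" point above is easiest to verify on that LDIF before it is loaded. The parser below is an added example, not part of the talk or of OpenLDAP: it implements the LDIF rules needed for migration output (one blank line between entries, `attr:: value` for base64 values, a leading space continuing the previous line, `#` comments) and then reports uidNumber values shared by more than one entry. The sample entries are constructed; the suffix and uid=markt are the talk's own.

```python
"""Minimal LDIF parser plus a duplicate-uidNumber check (added example, not from the talk)."""
import base64

# base64-encoded placeholder so the sample exercises the "attr::" form
_ENCODED_PW = base64.b64encode(b"{SSHA}placeholder-hash").decode("ascii")

# Constructed sample in the style of the migration scripts' output
SAMPLE_LDIF = """\
# People container
dn: ou=People,dc=lulu,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=markt,ou=People,dc=lulu,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Mark T
sn: T
uid: markt
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/markt
description: a value folded onto two phys
 ical lines
userPassword:: %s
""" % _ENCODED_PW


def _unfold(text):
    """Join continuation lines (leading single space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each entry is {'dn': str, attr_lowercase: [values]}."""
    entries = []
    current = None
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if ":" not in line:
            raise ValueError("malformed LDIF line: %r" % line)
        name, value = line.split(":", 1)
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.lower()                    # attribute names are case-insensitive
        if name == "dn":
            if current is not None:
                raise ValueError("dn inside an entry that already has one")
            current = {"dn": value}
            continue
        if current is None:
            raise ValueError("attribute %r appears before a dn line" % name)
        current.setdefault(name, []).append(value)
    return entries


def duplicate_uid_numbers(entries):
    """Return {uidNumber: [dn, ...]} for every uidNumber used by more than one entry."""
    seen = {}
    for entry in entries:
        for number in entry.get("uidnumber", []):
            seen.setdefault(number, []).append(entry["dn"])
    return {n: dns for n, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(len(parsed), "entries;", "duplicates:", duplicate_uid_numbers(parsed))
```

Folding strips exactly one leading space from the continuation line, which is why the sample breaks mid-word: an LDIF writer that wants a space preserved must leave it at the end of the first physical line.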
Testing The Server
- service ldap start
- Debug mode and logging
- ldapsearch -x -h localhost "(objectclass=*)"
- Binding non-anonymously (user and rootdn)
- Add -D "cn=root,dc=lulu,dc=com" -W, or -D "uid=markt,ou=People,dc=lulu,dc=com" -W, to the above line
Client Configuration
- System accounts (ldap.conf, nsswitch.conf)
- Mail clients (Address books)
- Sendmail
- CVS
Client Configuration – Systems
- ldap.conf, nsswitch.conf, pam.d
- Check nameservices using “id” command
- ldapsearch -x -h ldap -b "uid=markt,ou=people,dc=lulu,dc=com" to check ldap settings
- Try logging in!
- /etc/auto.home
Client Configuration, Mail Clients
- Evolution
- Mozilla
- Microsoft Outlook
Client Configuration – Evolution
- Click on “Contacts” on left
- Choose “Tools-Addressbook sources” from top menu
- Add an "account name" for this source (e.g., your company name)
- Enter ldap server's address in the “server” box
- Check port (636 for ldaps) and search base (e.g., "ou=people,dc=lulu,dc=com")
Client Configuration – Mozilla
- Choose “Edit-Preferences” from menu and choose “Mail & Newsgroups – Addressing” in the left box
- Select “directory server.” Click “Edit directories” and click “Add”
- Enter an arbitrary name in “name,” put your server name in “host name,” and enter appropriate values for “base dn” and “port number”
- No “bind dn” results in anonymous bind (good)
Service Configuration – Sendmail
- In /etc/sendmail.cf
- O LDAPDefaultSpec=-h ldap
- Users and aliases can now live entirely in LDAP
- sendmail -bt
- /parse markt@lulu.com
- CTRL-D to exit
Maintaining LDAP
- GQ – GTK client – biot.com/gq
- Directory Administrator – GNOME (under the System Settings menu)
- ldapadd, ldapsearch, ldapmodify, etc.
- PerLDAP
- Many others
Resources
Questions And Answers