LDAP Tutorial

7th CEENet Network Technology Workshop; Budapest, Hungary, August 2001

LDAP Tutorial - Exercise with OpenLDAP v2.0.11 on Linux

Peter Gietz, Norbert Klasen, DAASI International, 15.8.2001

This tutorial includes the basic first steps in dealing with the OPenLDAP implementation (www.openldap.org). More information is included in the Linux LDAP HOWTO (http://linuxdoc.org/HOWTO/LDAP-HOWTO.html

1. Start Linux OS on your computer

restart computer
select Linux on the start up
login as user root passwort ceenet
start terminal application by clicking the apropriate icon

2. Getting and installing the software

By far the easiest way to install OpenLDAP is to use the packages provided by the distribution. If an customized build is necessary download the source tar ball from ftp.openldap.org or one of its mirrors or get the latest version (tagged as REL_ENG_2) from anonymous cvs.

Here in this lab the software is already on the computer in a specially made package. So:

go to your terminal window (mouse click)
go to the directory /server by typing:
- cd /server
copy the package to the source directory: cp archive/ldap_pack.tar.gz source
unpack and unzip the package:
- cd source
- gunzip ldap_pack.tar.gz
- tar -xvf ldap_pack.tar
now you will find the script ldap_pre. (ls)
start it with directory parameter: ./ldap_pre /server
this will take some time, so have a look at the script:
- start another terminal by clicking on the shell icon
- go to the new window and type:
- cd /server/source/ldap
- less ldap_pre
- you can see that the script copys some files (including ldap_pre!) around and compiles and installs a database package named db-3.2.9 and openldap-2.0.11. (configure, make depend, make, make install)
- when the script finishes you have everything ready to work with (thanks to Dubravko who wrote the script).

3. Configuring the server

now we will configure the server, which is called slapd (which stands for (standalone LDAP Daemon")
go to the directory /server/ldap/etc/openldap: cd /server/ldap/etc/openldap
edit the main config file slapd.conf with the editor of your choice
make sure that the following lines are included
(if there is a double slash ("//") instead of a single ("/") it doesn't matter):

Slapd.conf:

`include /server/ldap/etc/openldap/schema/core.schema include /server/ldap/etc/openldap/schema/cosine.schema include /server/ldap/etc/openldap/schema/nis.schema include /server/ldap/etc/openldap/schema/inetorgperson.schema`		Schema (objectclasses and attributetypes) which should be supported. These are all important and standardized objectclasses for person entries and other essentials
`pidfile /server/ldap/var/run/slapd.pid argsfile /server/ldap/var/run/slapd.args`		Paths and files which contain the process-id and the parameters of the running slapd
`access to * by * read`	Access configuration which grants read access to everyone. (Note: Always use normalized DNs - no spaces after commas) For more about access control see below
#######	One database for each naming context. We will use ldbm for "dc=ceenet, dc=ceu,dc=hu".
`database ldbm`	Type of database. Default: ldbm. Options: ldap, dnssrv, shell, sql
`suffix "dc=ceenet,dc=ceu,dc=hu"`	DN of the naming context.
`rootdn "cn=Manager,dc=ceenet,dc=ceu,dc=hu" rootpw secret`	DN of the root user and his password. If bound as rootdn, no access and operational restrictions apply. Cleartext passwords, especially for the rootdn, should be avoid. Use of strong authentication is encouraged.
`directory /server/ldap/var/openldap-ldbm`	Directory where OpenLDAP will store the files for this database. This database directory MUST exist prior to running slapd AND should only be accessible by the slapd/tools. Mode 700 recommended.
`index objectClass eq index cn eq,sub`	Indices to maintain
	pres	for use in presence filters (e.g. gn=*)
	eq	equality matching
	sub	substring matching
	approx	approximate matching (not supported in OpenLDAP 2; falls back to equality matching)

4. Starting slapd

You could Use the distributions specific runlevel script
Here please do the following:
start a new terminal and click into it, then type:
/server/ldap/libexec/slapd -h ldap:/// -d 384
This activates logging of access control list processing and stats log connections/operations/results to STDOUT as well as let the process stay in the foreground
leave this terminal window as it is and have a look at it from time to time

Debugging Levels
Level	Description
-1	enable all debugging
0	no debugging
1	trace function calls
2	debug packet handling
4	heavy trace debugging
8	connection management
16	print out packets sent and received
32	search filter processing
64	configuration file processing
128	access control list processing
256	stats log connections/operations/results
512	stats log entries sent
1024	print communication with shell backends
2048	print entry parsing debugging

5. Testing setup

Run ldapsearch on the rootDSE to see if the server is up and operational.

/server/ldap/bin/ldapsearch -x -h localhost -s base -b "" +

6. Loading data

Now its time to populate the directory with some data. The file admin.ldif contains an entry for ceenet and the server manager in LDIF format:

dn: dc=ceenet,dc=ceu,dc=hu
objectclass: dcObject
objectclass: organization
dc: ceenet
o: CEENET Workshop 2001

dn:cn=Manager,dc=ceenet,dc=ceu,dc=hu
objectclass: organizationalRole
cn: Manager

Load it with the following steps:

cd /server/ldap
mkdir ldif
cp ../archive/ldif/*.ldif ldif/
bin/ldapmodify -a -x -h localhost -D cn=Manager,dc=ceenet,dc=ceu,dc=hu -w secret -f ldif/admin.ldif
(ldapadd is exactly the same than ldapmodify -a)

Now lets add some more data. There is an LDIF file that contains a new subtree ou=people and some person entries:

sample LDIF (`tutorial.ldif`)

dn: ou=people,dc=ceenet,dc=ceu,dc=hu
objectclass: organizationalUnit
ou: people

dn: uid=scarter,ou=people,dc=ceenet,dc=ceu,dc=hu
cn: Sam Carter
sn: Carter
givenname: Sam
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: scarter
mail: scarter@tutorial.hu
telephonenumber: +1 408 555 4798
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 4612
userpassword: sprain

dn: uid=tmorris,ou=people,dc=ceenet,dc=ceu,dc=hu
cn: Ted Morris
sn: Morris
givenname: Ted
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: tmorris
mail: tmorris@tutorial.hu
telephonenumber: +1 408 555 9187
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 4117
userpassword: irrefutable

dn: uid=xxx,ou=people,dc=ceenet,dc=ceu,dc=hu
cn: xxx xxx
sn: xxx
givenname: xxx
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: ldap tutorial
ou: People
l: Budapest
uid: xxx
mail: xxx@xxx.hu
telephonenumber: xxx
facsimiletelephonenumber: xxx
roomnumber: 108
userpassword: xxx

edit the file /server/ldap/ldif/tutorial.ldif
replace the "xxx" of the last entry with your data
save the file
now load it to your server:
- cd /server/ldap
- bin/ldapadd -x -h localhost -D cn=Manager,dc=ceenet,dc=ceu,dc=hu -w secret -f ldif/tutorial.ldif

7. Searching in the directory

First find naming context:
- bin/ldapsearch -x -h localhost -s base -b "" +
Then browse through the entries in the direcotry:
- bin/ldapsearch -x -h localhost -b "dc=ceenet,dc=ceu,dc=hu" -s one
Restrict returned attributes. Only return DNs:
- bin/ldapsearch -x -h localhost -b "ou=people,dc=ceenet,dc=ceu,dc=hu" -s one 1.1
Search for all people who work in accounting:
- bin/ldapsearch -x -h localhost -b "dc=ceenet,dc=ceu,dc=hu" "(&(objectclass=person)(ou=accounting))"

8. Using LDAP as addressbook in Netscape

Start netscape
Create a new Server: Communicator -> Address Book -> File -> New Directory
Beware: for Search root instead of dc=tutorial please write dc=ceenet,dc=ceu
Thus: Search Root: ou=people,dc=ceenet,dc=ceu,dc=hu

Search for a person

Double click on a result to see full LDAP entry.

9. LDAP URL

You can also retrieve data by typing in an LDAP URL
Format: ldap://<host>:<portnumber>/<basedn>?<attrlist>?<scope>?<filter>?<extensions>
e.g.: type in the location field of the Netscape browser (usually http://...) following URL:
ldap://localhost:389/ou=people,dc=ceenet,dc=ceu,dc=hu??sub?(objectclass=*)
ldap://localhost:389/ou=people,dc=ceenet,dc=ceu,dc=hu?cn,mail?sub?(objectclass=person)
...

10. Access control

The current access controls provide global read access. We'll now change them, so that only authenticated users can read entries and only members of the administators group can change entries others than their own.

OpenLDAP know different access levels: write, read, search,compare,auth,none. write also grants read which also grants search and so on.

ACL are evaluated on a first match basis.

`access`	`to dn.subtree="dc=ceenet,dc=ceu,dc=hu" attr=userPassword`	this ACL controls the userPassword attribute in the `dc=ceenet,dc=ceu,dc=hu` subtree
	`by self write`	write access, if bound as this entry
	`by dn="cn=Manager,dc=ceenet,dc=ceu,dc=hu" write`	write access for the administators group
	`by anonymous auth`	unauthenticated users can bind as this entry
`access`	`to dn.subtree="dc=ceenet,dc=ceu,dc=hu"`	this ACL controls the `dc=ceenet,dc=ceu,dc=hu` subtree
	`by self write`	write access, if bound as the entry
	`by dn="cn=Manager,dc=ceenet,dc=ceu,dc=hu" write`	write access for the administators group
	`by users read`	read access for authenticated users
`access`	`to *`	all the rest
	`by * read`	read access by all (Note: necessary to make rootDSE readable)

To activate this new access control policy you need to kill and restart the server

To kill the server you could:
- cd /server/ldap
- kill -INT `cat var/slapd.pid`
But since you started slapd with a debug mode which makes it output to stdout and stay in the foreground you can:
- Go to the terminal window with the server outputs (mouse click)
- and then press the key combination: <Ctrl> C
now restart the server with the same command as before (use history function):
/server/ldap/libexec/slapd -h ldap:/// -d 384
Now try searching for data again as described above - with and without authenticating first.

11. PHP

ldap.php is a small php script that demonstrates session based authentication via LDAP. It also gives a list view of person entries in the directory.

copy the file ldap.php /server/archive to /server/httpd/htdocs/ldap:
- cp /server/archive/ldap.php /server/httpd/htdocs/ldap
start netscape
type in following URL:
- http://localhost/ldap/ldap.php