| Objective | Details |
| --- | --- |
| Weight | 4 |
| Description | Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls. An understanding of the role of SSSD in authentication and identity management is included. |
Key Knowledge Areas:
- OpenLDAP
- Access Control
- Distinguished Names
- Changetype Operations
- Schemas and Whitepages
- Directories
- Object IDs, Attributes and Classes
- Awareness of System Security Services Daemon (SSSD)
The following is a partial list of the files, terms and utilities used:
- slapd
- slapd.conf
- LDIF
- slapadd
- slapcat
- slapindex
- /var/lib/ldap/*
- loglevel
In this video we are going to install and configure the OpenLDAP server on the Raspberry Pi. The RPi in many ways makes a great OpenLDAP server where the demands on the directory are not massive. I am using the Model B with 512MB RAM, and that is sufficient for a small to medium directory; this can power your authentication and directory needs.
On Raspbian a little auto-configuration happens during the installation of OpenLDAP: a local directory is created with the base DN taken from the domain name of the host. For this reason we should configure the 127.0.1.1 entry in the /etc/hosts file with the host and domain name that we would like the LDAP server to host. For example, if we would like to create a directory for dc=tup,dc=com then we would ensure the entry in the hosts file was similar to the following:
127.0.1.1 raspberrypi.tup.com raspberrypi
This only needs to be in place for the installation and if required it can be reverted once the installation has completed.
With the naming infrastructure in place we can proceed with the install of OpenLDAP: using apt-get we will install both the server, slapd, and the tools, ldap-utils. At the end of the installation we will be prompted for the administrator password for the OpenLDAP server; in my case the administrator account will be cn=admin,dc=tup,dc=com. The password can be anything, but try to keep it secure and separate from the root user's password.
Configuration of OpenLDAP is stored in the directory itself. It can only be accessed by root and is read using the command:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn:
Explained:
- -Q SASL quiet mode; never prompt for credentials
- -LLL Output in LDIF format, without comments and without the version line
- -Y EXTERNAL SASL authentication mechanism; over ldapi:/// EXTERNAL uses the Unix identity of the connecting process, which is why the command is run as root
- -H LDAP URI to connect to; ldapi:/// is the local Unix-domain socket
- -b The LDAP base to search. Here the base is cn=config, the configuration directory, and we list the entries beneath it
- dn: List just the distinguished name of each matching entry
Next we can use similar syntax to connect to the actual tup directory. This search can be run by a normal user, as we authenticate to the directory rather than relying on the root account. In fact, for this search we can run without authentication at all, as elements of the directory are readable by the anonymous account.
ldapsearch -x -LLL -H ldap:/// -b dc=tup,dc=com
The -x selects simple authentication, and the access method is now ldap to the localhost rather than ldapi. The base DN that we search is the top container, and currently the only container in the directory, dc=tup,dc=com.
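Both ldapsearch commands above print LDIF, and reading it programmatically needs two details handled: continuation lines (a line starting with a single space continues the previous attribute) and base64 values (attr:: value). The parser below is an added example, not code from the original post; the sample output it parses is constructed to look like a dn-only listing of cn=config followed by one database entry, and the olcAccess rule and description value in it are made up for the example.

```python
"""Parse LDIF as printed by `ldapsearch -LLL` into Python dictionaries.

Added example (not from the original post). Two LDIF details make naive
line splitting wrong: continuation lines (a line beginning with one space
continues the previous attribute) and base64 values (`attr:: ...`).
"""
import base64
from typing import Dict, List

# Constructed sample output: the kind of dn-only listing that
# `ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn:` gives,
# followed by one entry with a folded olcAccess line and a base64 value.
# The olcAccess rule and the description text are made up for the example.
SAMPLE_LDIF = """\
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=tup,dc=com
olcRootDN: cn=admin,dc=tup,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=ad
 min,dc=tup,dc=com" write by * none
description:: VHVwIExEQVA=
"""

Entry = Dict[str, List[str]]


def unfold(text: str) -> List[str]:
    """Join continuation lines (leading single space) onto the line before them."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per entry; every attribute maps to a list of values."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text):
        if not line.strip():            # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue                    # comments and the version line carry no data
        name, _, rest = line.partition(":")
        if rest.startswith(":"):        # attr:: base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                           # attr: plain value, one optional leading space
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def entry_dns(text: str) -> List[str]:
    """DNs of all entries, in the order the server returned them."""
    return [entry["dn"][0] for entry in parse_ldif(text)]


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0])
        for attr, values in entry.items():
            if attr != "dn":
                for v in values:
                    print(f"  {attr}: {v}")
```

Run it against real output by piping ldapsearch into the script and passing sys.stdin.read() to parse_ldif; the dn-only listing comes back as entries with a single dn key, and the database entry shows the folded olcAccess rule rejoined on one line.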
The final part of this lesson is to create OUs, Organizational Units, for users and groups; the usual names are ou=people and ou=groups. To add entries to the directory we use an LDIF file and ldapadd. The LDIF file has to be created first, and here I use a file I have named structure.ldif.
structure.ldif
dn: ou=people,dc=tup,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=tup,dc=com
objectClass: organizationalUnit
ou: groups
We then need to import this using the admin DN and the password entered when we installed OpenLDAP; of course we cannot use the anonymous account we used for the search. The option -D gives the bind DN, -x selects simple authentication as before, and -W will prompt for the password.
ldapadd -x -W -D cn=admin,dc=tup,dc=com -f structure.ldif
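The two steps that are easiest to get wrong in this lesson are the /etc/hosts entry that the installer derives the base DN from, and the DN typed into LDIF files and ldapadd commands (a single wrong character such as dc-com instead of dc=com makes the server reject the operation). The script below is an added example and not the project's or the author's code: it reads a constructed /etc/hosts body, derives the base DN the way the text says the Raspbian installer does (drop the host label, one dc= per domain label), checks DN syntax, and generates the structure.ldif shown above. The hosts file content and the DN-syntax rules it applies (plain letters, digits and hyphen in attribute types; numeric OIDs not handled) are assumptions made for the example.

```python
"""Derive the base DN that the Raspbian slapd installer builds from the host's
domain name, sanity-check DN syntax, and generate structure.ldif.

Added example, not from the original post. Assumes the behaviour described in
the text: the installer takes the domain part of the host's name from
/etc/hosts and turns each label into a dc= component.
"""
import re
from typing import List, Sequence

# Attribute type in an RDN: letters, digits and hyphen, starting with a letter.
# (Numeric OIDs such as 0.9.2342.19200300.100.1.25 are not handled here.)
ATTR_TYPE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Constructed /etc/hosts body, matching the entry the text recommends.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 raspberrypi.tup.com raspberrypi  # set before installing slapd
"""


def hosts_fqdn(hosts_text: str, address: str = "127.0.1.1") -> str:
    """First hostname on the line for `address` (comments and blank lines ignored)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == address:
            return fields[1]
    raise ValueError(f"no {address} entry in hosts file")


def base_dn_from_fqdn(fqdn: str) -> str:
    """raspberrypi.tup.com -> dc=tup,dc=com: drop the host label, one dc= per domain label."""
    labels = [label for label in fqdn.strip(".").split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"{fqdn!r} has no domain part; the installer cannot build a useful suffix")
    return ",".join(f"dc={label}" for label in labels[1:])


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def check_dn(dn: str) -> List[str]:
    """Problems found in a DN; an empty list means it is syntactically sound.
    Catches the classic typo of a '-' where '=' belongs (dc-com for dc=com)."""
    problems: List[str] = []
    for rdn in split_dn(dn):
        name, sep, value = rdn.partition("=")
        if not sep:
            problems.append(f"{rdn!r}: no '=' between attribute type and value")
        elif not ATTR_TYPE.match(name.strip()):
            problems.append(f"{rdn!r}: bad attribute type {name.strip()!r}")
        elif not value.strip():
            problems.append(f"{rdn!r}: empty value")
    return problems


def structure_ldif(base_dn: str, ous: Sequence[str] = ("people", "groups")) -> str:
    """LDIF for the organizationalUnit containers, one entry per OU.
    Entries are separated by a blank line, which ldapadd requires."""
    problems = check_dn(base_dn)
    if problems:
        raise ValueError("bad base DN: " + "; ".join(problems))
    entries = [
        f"dn: ou={ou},{base_dn}\nobjectClass: organizationalUnit\nou: {ou}\n"
        for ou in ous
    ]
    return "\n".join(entries)


if __name__ == "__main__":
    base = base_dn_from_fqdn(hosts_fqdn(SAMPLE_HOSTS))
    print(f"# base DN the installer will pick: {base}")
    print(structure_ldif(base))
    print(check_dn("cn=admin,dc=tup,dc-com"))
```

Running check_dn on the bind DN before calling ldapadd turns a silent "Invalid DN syntax" failure at the server into a clear local message, and the generated LDIF can be written to structure.ldif and imported with the ldapadd command above.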