Directory Servers
OpenLDAP
LDAP (Lightweight Directory Access Protocol) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500 standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as "X.500 Lite".
Like X.500, LDAP organizes information in a hierarchical manner using directories. These directories can store a variety of information such as names, addresses, or phone numbers, and can be used in a manner similar to the Network Information Service (NIS), enabling anyone to access their account from any machine on the LDAP-enabled network.
LDAP is commonly used for centrally managed users and groups, user authentication, or system configuration. It can also serve as a virtual phone directory, allowing users to easily access contact information for other users. Additionally, it can refer a user to other LDAP servers throughout the world, and thus provide an ad-hoc global repository of information. However, it is more frequently used within individual organizations such as universities, government departments, and private companies.
This section covers the installation and configuration of OpenLDAP 2.4, an open source implementation of the LDAPv2 and LDAPv3 protocols.
Introduction to LDAP
Using a client-server architecture, LDAP provides a reliable means to create a central information directory accessible from the network. When a client attempts to modify information within this directory, the server verifies that the user has permission to make the change, and then adds or updates the entry as requested. To ensure that the communication is secure, the Transport Layer Security (TLS) cryptographic protocol can be used to prevent an attacker from intercepting the transmission.
Usando Mozilla NSS
The OpenLDAP suite in Fedora 27 no longer uses OpenSSL. Instead, it uses the Mozilla implementation of Network Security Services (NSS). OpenLDAP continues to work with existing certificates, keys, and other TLS configuration. For more information on how to configure it to use Mozilla certificate and key database, see How do I use TLS/SSL with Mozilla NSS.
The LDAP server supports several database systems, which gives administrators the flexibility to choose the best suited solution for the type of information they are planning to serve. Because of the well-defined client Application Programming Interface (API), the number of applications able to communicate with an LDAP server is numerous, and increasing in both quantity and quality.
LDAP Terminology
The following is a list of LDAP-specific terms that are used within this chapter:
- entry
-
A single unit within an LDAP directory. Each entry is identified by its unique Distinguished Name (DN).
- attribute
-
Information directly associated with an entry. For example, if an organization is represented as an LDAP entry, attributes associated with this organization might include an address, a fax number, etc. Similarly, people can be represented as entries with common attributes such as a personal telephone number or an email address.
An attribute can either have a single value, or an unordered, space-separated list of values. While certain attributes are optional, others are required. Required attributes are specified using the objectClass definition, and can be found in schema files located in the /etc/openldap/slapd.d/cn=config/cn=schema/ directory.
The assertion of an attribute and its corresponding value is also referred to as a Relative Distinguished Name (RDN). Unlike distinguished names, which are unique globally, a relative distinguished name is only unique per entry.
- LDIF
-
The LDAP Data Interchange Format (LDIF) is a plain text representation of an LDAP entry. It takes the following form:
id
dn: distinguished_name
attribute_type: attribute_value…
attribute_type: attribute_value…
…
The optional id is a number determined by the application that is used to edit the entry. Each entry can contain as many attribute_type and attribute_value pairs as needed, as long as they are all defined in a corresponding schema file. A blank line indicates the end of an entry.
OpenLDAP Features
The OpenLDAP suite provides a number of important features:
- LDAPv3 Support — Many of the changes in the protocol since LDAP version 2 are designed to make LDAP more secure. Among other improvements, this includes the support for Simple Authentication and Security Layer (SASL), Transport Layer Security (TLS), and Secure Sockets Layer (SSL) protocols.
- LDAP Over IPC — The use of inter-process communication (IPC) enhances security by eliminating the need to communicate over a network.
- IPv6 Support — OpenLDAP is compliant with Internet Protocol version 6 (IPv6), the next generation of the Internet Protocol.
- LDIFv1 Support — OpenLDAP is fully compliant with LDIF version 1.
- Updated C API — The current C API improves the way programmers can connect to and use LDAP directory servers.
- Enhanced Standalone LDAP Server — This includes an updated access control system, thread pooling, better tools, and much more.
OpenLDAP Server Setup
The typical steps to set up an LDAP server on Fedora are as follows:
- Install the OpenLDAP suite. See Installing the OpenLDAP Suite for more information on required packages.
- Customize the configuration as described in Configuring an OpenLDAP Server.
- Start the slapd service as described in Running an OpenLDAP Server.
- Use the ldapadd utility to add entries to the LDAP directory.
- Use the ldapsearch utility to verify that the slapd service is accessing the information correctly.
Installing the OpenLDAP Suite
The suite of OpenLDAP libraries and tools is provided by the following packages:
Package | Description
---|---
openldap | A package containing the libraries necessary to run the OpenLDAP server and client applications.
openldap-clients | A package containing the command line utilities for viewing and modifying directories on an LDAP server.
openldap-servers | A package containing both the services and utilities to configure and run an LDAP server. This includes the Standalone LDAP Daemon,
openldap-servers-sql | A package containing the SQL support module.
Additionally, the following packages are commonly used along with the LDAP server:
Package | Description
---|---
nss-pam-ldapd | A package containing
mod_ldap | A package containing the
To install these packages, use the dnf command in the following form:
dnf install package…
For example, to perform the basic LDAP server installation, type the following at a shell prompt as root:
~]# dnf install openldap openldap-clients openldap-servers
Note that you must have superuser privileges (that is, you must be logged in as root) to run this command. For more information on how to install new packages in Fedora, see Installing Packages.
Overview of OpenLDAP Server Utilities
To perform administrative tasks, the openldap-servers package installs the following utilities along with the slapd service:
Command | Description
---|---
slapacl | Allows you to check the access to a list of attributes.
slapadd | Allows you to add entries from an LDIF file to an LDAP directory.
slapauth | Allows you to check a list of IDs for authentication and authorization permissions.
slapcat | Allows you to pull entries from an LDAP directory in the default format and save them in an LDIF file.
slapdn | Allows you to check a list of Distinguished Names (DNs) based on available schema syntax.
slapindex | Allows you to re-index the
slappasswd | Allows you to create an encrypted user password to be used with the ldapmodify utility, or in the
slapschema | Allows you to check the compliance of a database with the corresponding schema.
slaptest | Allows you to check the LDAP server configuration.
For a detailed description of these utilities and their usage, see the corresponding manual pages as referred to in Installed Documentation.
Make sure the files have correct owner
Although only
~]# chown -R ldap:ldap /var/lib/ldap
Stop slapd before using these utilities
To preserve the data integrity, stop the
~]# systemctl stop slapd.service
For more information on how to start, stop, restart, and check the current status of the
Overview of OpenLDAP Client Utilities
The openldap-clients package installs the following utilities which can be used to add, modify, and delete entries in an LDAP directory:
Command | Description
---|---
ldapadd | Allows you to add entries to an LDAP directory, either from a file, or from standard input. It is a symbolic link to ldapmodify -a.
ldapcompare | Allows you to compare a given attribute with an LDAP directory entry.
ldapdelete | Allows you to delete entries from an LDAP directory.
ldapexop | Allows you to perform extended LDAP operations.
ldapmodify | Allows you to modify entries in an LDAP directory, either from a file, or from standard input.
ldapmodrdn | Allows you to modify the RDN value of an LDAP directory entry.
ldappasswd | Allows you to set or change the password for an LDAP user.
ldapsearch | Allows you to search LDAP directory entries.
ldapurl | Allows you to compose or decompose LDAP URLs.
ldapwhoami | Allows you to perform a
With the exception of ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
Overview of Common LDAP Client Applications
Although there are various graphical LDAP clients capable of creating and modifying directories on the server, none of them is included in Fedora. Popular applications that can access directories in a read-only mode include Mozilla Thunderbird, Evolution, or Ekiga.
Configuring an OpenLDAP Server
By default, the OpenLDAP configuration is stored in the /etc/openldap/ directory. The following table highlights the most important directories and files within this directory:
Path | Description
---|---
/etc/openldap/ldap.conf | The configuration file for client applications that use the OpenLDAP libraries. This includes ldapadd, ldapsearch, Evolution, etc.
/etc/openldap/slapd.d/ | The directory containing the
Note that OpenLDAP no longer reads its configuration from the /etc/openldap/slapd.conf file. Instead, it uses a configuration database located in the /etc/openldap/slapd.d/ directory. If you have an existing slapd.conf file from a previous installation, you can convert it to the new format by running the following command as root:
~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
The slapd configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in Overview of OpenLDAP Server Utilities.
Do not edit LDIF files directly
An error in an LDIF file can render the
Changing the Global Configuration
Global configuration options for the LDAP server are stored in the /etc/openldap/slapd.d/cn=config.ldif file. The following directives are commonly used:
- olcAllows
-
The olcAllows directive allows you to specify which features to enable. It takes the following form:
olcAllows: feature…
It accepts a space-separated list of features as described in Available olcAllows options. The default option is bind_v2.
Option | Description
---|---
bind_v2 | Enables the acceptance of LDAP version 2 bind requests.
bind_anon_cred | Enables an anonymous bind when the Distinguished Name (DN) is empty.
bind_anon_dn | Enables an anonymous bind when the Distinguished Name (DN) is not empty.
update_anon | Enables processing of anonymous update operations.
proxy_authz_anon | Enables processing of anonymous proxy authorization control.
olcAllows: bind_v2 update_anon
- olcConnMaxPending
-
The olcConnMaxPending directive allows you to specify the maximum number of pending requests for an anonymous session. It takes the following form:
olcConnMaxPending: number
The default option is 100.
olcConnMaxPending: 100
- olcConnMaxPendingAuth
-
The olcConnMaxPendingAuth directive allows you to specify the maximum number of pending requests for an authenticated session. It takes the following form:
olcConnMaxPendingAuth: number
The default option is 1000.
olcConnMaxPendingAuth: 1000
- olcDisallows
-
The olcDisallows directive allows you to specify which features to disable. It takes the following form:
olcDisallows: feature…
It accepts a space-separated list of features as described in Available olcDisallows options. No features are disabled by default.
Option | Description
---|---
bind_anon | Disables the acceptance of anonymous bind requests.
bind_simple | Disables the simple bind authentication mechanism.
tls_2_anon | Disables the enforcing of an anonymous session when the STARTTLS command is received.
tls_authc | Disallows the STARTTLS command when authenticated.
olcDisallows: bind_anon
- olcIdleTimeout
-
The olcIdleTimeout directive allows you to specify how many seconds to wait before closing an idle connection. It takes the following form:
olcIdleTimeout: number
This option is disabled by default (that is, set to 0).
olcIdleTimeout: 180
- olcLogFile
-
The olcLogFile directive allows you to specify a file in which to write log messages. It takes the following form:
olcLogFile: file_name
The log messages are written to standard error by default.
olcLogFile: /var/log/slapd.log
- olcReferral
-
The olcReferral option allows you to specify a URL of a server to process the request in case the server is not able to handle it. It takes the following form:
olcReferral: URL
This option is disabled by default.
olcReferral: ldap://root.openldap.org
- olcWriteTimeout
-
The olcWriteTimeout option allows you to specify how many seconds to wait before closing a connection with an outstanding write request. It takes the following form:
olcWriteTimeout: number
This option is disabled by default (that is, set to 0).
olcWriteTimeout: 180
Changing the Database-Specific Configuration
By default, the OpenLDAP server uses Berkeley DB (BDB) as a database back end. The configuration for this database is stored in the /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif file. The following directives are commonly used in a database-specific configuration:
- olcReadOnly
-
The olcReadOnly directive allows you to use the database in a read-only mode. It takes the following form:
olcReadOnly: boolean
It accepts either TRUE (enable the read-only mode), or FALSE (enable modifications of the database). The default option is FALSE.
olcReadOnly: TRUE
- olcRootDN
-
The olcRootDN directive allows you to specify the user that is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. It takes the following form:
olcRootDN: distinguished_name
It accepts a Distinguished Name (DN). The default option is cn=Manager,dc=my-domain,dc=com.
olcRootDN: cn=root,dc=example,dc=com
- olcRootPW
-
The olcRootPW directive allows you to set a password for the user that is specified using the olcRootDN directive. It takes the following form:
olcRootPW: password
It accepts either a plain text string, or a hash. To generate a hash, type the following at a shell prompt:
~]$ slappasswd
New password:
Re-enter new password:
{SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD
olcRootPW: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD
- olcSuffix
-
The olcSuffix directive allows you to specify the domain for which to provide information. It takes the following form:
olcSuffix: domain_name
It accepts a fully qualified domain name (FQDN). The default option is dc=my-domain,dc=com.
olcSuffix: dc=example,dc=com
Extending Schema
Since OpenLDAP 2.3, the /etc/openldap/slapd.d/ directory also contains LDAP definitions that were previously located in /etc/openldap/schema/. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, see http://www.openldap.org/doc/admin/schema.html.
Establishing a Secure Connection
OpenLDAP clients and servers can be secured using the Transport Layer Security (TLS) framework. TLS is a cryptographic protocol designed to provide communication security over the network. As noted above, the OpenLDAP suite in Fedora uses Mozilla NSS as the TLS implementation.
To establish a secure connection using TLS, obtain the required certificates as described in How do I use TLS/SSL with Mozilla NSS. Then, a number of options must be configured on both the client and the server. At a minimum, a server must be configured with the Certificate Authority (CA) certificates and also its own server certificate and private key. The clients must be configured with the name of the file containing all the trusted CA certificates.
Typically, a server only needs to sign a single CA certificate. A client may want to connect to a variety of secure servers, therefore it is common to specify a list of several trusted CAs in its configuration.
This section lists global configuration directives for slapd that need to be specified in the /etc/openldap/slapd.d/cn=config.ldif file on an OpenLDAP server in order to establish TLS.
While the old style configuration uses a single file, normally installed as /usr/local/etc/openldap/slapd.conf, the new style uses a slapd backend database to store the configuration. The configuration database normally resides in the /usr/local/etc/openldap/slapd.d/ directory.
The following directives are also valid for establishing SSL. In addition to TLS directives, you need to enable a port dedicated to SSL on the server side – typically it is port 636. To do so, edit the /etc/sysconfig/slapd file and append the ldaps:/// string to the list of URLs specified with the SLAPD_URLS directive.
- olcTLSCACertificateFile
-
The olcTLSCACertificateFile directive specifies the file encoded with Privacy-Enhanced Mail (PEM) schema that contains trusted CA certificates. The directive takes the following form:
olcTLSCACertificateFile: path
Replace path either with a path to the CA certificate file, or, if you use Mozilla NSS, with a certificate name.
- olcTLSCACertificatePath
-
The olcTLSCACertificatePath directive specifies the path to a directory containing individual CA certificates in separate files. This directory must be specially managed with the OpenSSL c_rehash utility that generates symbolic links with the hashed names that point to the actual certificate files. In general, it is simpler to use the olcTLSCACertificateFile directive instead. If Mozilla NSS is used, olcTLSCACertificatePath accepts a path to the Mozilla NSS database (as shown in Using olcTLSCACertificatePath with Mozilla NSS). In such a case, c_rehash is not needed.
The directive takes the following form:
olcTLSCACertificatePath: path
Replace path with a path to the directory containing the CA certificate files, or with a path to a Mozilla NSS database file.
With Mozilla NSS, the olcTLSCACertificatePath directive specifies the path of the directory containing the NSS certificate and key database files. For example:
olcTLSCACertificatePath: sql:/home/nssdb/sharednssdb
The certutil command is used to add a CA certificate to these NSS database files:
certutil -d sql:/home/nssdb/sharednssdb -A -n "CA_certificate" -t CT,, -a -i certificate.pem
The above command adds a CA certificate stored in a PEM-formatted file named certificate.pem. The -d option specifies the database directory containing the certificate and key database files, the -n option sets a name for the certificate, -t CT,, means that the certificate is trusted to be used in TLS clients and servers. The -A option adds an existing certificate to a certificate database, the -a option allows the use of ASCII format for input or output, and the -i option passes the certificate.pem input file to the command.
- olcTLSCertificateFile
-
The olcTLSCertificateFile directive specifies the file that contains the slapd server certificate. The directive takes the following form:
olcTLSCertificateFile: path
Replace path with a path to the slapd server certificate file, or, if you use Mozilla NSS, with a certificate name.
When using Mozilla NSS with certificate and key database files specified with the olcTLSCACertificatePath directive, olcTLSCertificateFile is used to specify the name of the certificate to use. First, execute the following command to view a list of certificates available in your NSS database file:
certutil -d sql:/home/nssdb/sharednssdb -L
Select a certificate from the list and pass its name to olcTLSCertificateFile. For example:
olcTLSCertificateFile: slapd_cert
- olcTLSCertificateKeyFile
-
The olcTLSCertificateKeyFile directive specifies the file that contains the private key that matches the certificate stored in the file specified with olcTLSCertificateFile. Note that the current implementation does not support encrypted private keys, and therefore the containing file must be sufficiently protected. The directive takes the following form:
olcTLSCertificateKeyFile: path
Replace path with a path to the private key file if you use PEM certificates. When using Mozilla NSS, path stands for the name of a file that contains the password for the key for the certificate specified with the olcTLSCertificateFile directive (see Using olcTLSCertificateKeyFile with Mozilla NSS).
When using Mozilla NSS, this directive specifies the name of a file that contains the password for the key for the certificate specified with olcTLSCertificateFile:
olcTLSCertificateKeyFile: slapd_cert_key
The modutil command can be used to turn off password protection or to change the password for NSS database files. For example:
modutil -dbdir sql:/home/nssdb/sharednssdb -changepw
Specify the following directives in the /etc/openldap/ldap.conf configuration file on the client system. Most of these directives are parallel to the server configuration options. Directives in /etc/openldap/ldap.conf are configured on a system-wide basis, however, individual users may override them in their ~/.ldaprc files.
The same directives can be used to establish an SSL connection. The ldaps:// string must be used instead of ldap:// in OpenLDAP commands such as ldapsearch. This forces commands to use the default port for SSL, port 636, configured on the server.
- TLS_CACERT
-
The TLS_CACERT directive specifies a file containing certificates for all of the Certificate Authorities the client will recognize. This is equivalent to the olcTLSCACertificateFile directive on a server. TLS_CACERT should always be specified before TLS_CACERTDIR in /etc/openldap/ldap.conf. The directive takes the following form:
TLS_CACERT path
Replace path with a path to the CA certificate file.
- TLS_CACERTDIR
-
The TLS_CACERTDIR directive specifies the path to a directory that contains Certificate Authority certificates in separate files. As with olcTLSCACertificatePath on a server, the specified directory must be managed with the OpenSSL c_rehash utility. A path to a Mozilla NSS database file is also accepted; c_rehash is not needed in such a case. The directive takes the following form:
TLS_CACERTDIR directory
Replace directory with a path to the directory containing CA certificate files. With Mozilla NSS, directory stands for a path to the certificate or key database file.
- TLS_CERT
-
The TLS_CERT directive specifies the file that contains a client certificate. This directive can only be specified in a user’s ~/.ldaprc file. With Mozilla NSS, this directive specifies the name of the certificate to be chosen from the database specified with the aforementioned TLS_CACERTDIR directive. The directive takes the following form:
TLS_CERT path
Replace path with a path to the client certificate file, or with a name of a certificate from the NSS database.
- TLS_KEY
-
The TLS_KEY directive specifies the file that contains the private key that matches the certificate stored in the file specified with the TLS_CERT directive. As with olcTLSCertificateFile on a server, encrypted key files are not supported, so the file itself must be carefully protected. This option is only configurable in a user’s ~/.ldaprc file. When using Mozilla NSS, TLS_KEY specifies the name of a file that contains the password for the private key that protects the certificate specified with the TLS_CERT directive. Similarly to the olcTLSCertificateKeyFile directive on a server (see Using olcTLSCertificateKeyFile with Mozilla NSS), you can use the modutil command to manage this password.
The TLS_KEY directive takes the following form:
TLS_KEY path
Replace path with a path to the client certificate file or with a name of the password file in the NSS database.
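The following Python code is an added example, not part of this documentation or of OpenLDAP. It serves three passages at once: it reads entries in the LDIF form described under LDAP Terminology (the optional id line, dn, attribute lines, a line starting with a space continuing the previous one, a double colon marking a base64 value, a blank line ending the entry), and then audits the cn=config directives from Changing the Global Configuration, Changing the Database-Specific Configuration and the server-side TLS directives above. The two configurations are constructed for the example: the weak one keeps LDAPv2 binds and anonymous updates enabled, never times out idle connections, carries no TLS certificate and stores olcRootPW in clear; the hardened one corrects each point. The certificate paths under /etc/openldap/certs/ are assumptions, not paths from this page.

```python
import base64
from typing import Dict, List, Tuple

# Added example, not part of the Fedora documentation or of OpenLDAP: an LDIF
# reader for the entry form under "LDAP Terminology" plus an audit of the
# cn=config directives covered in this chapter.


def parse_ldif(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return (dn, {attribute_type: [values]}) per entry. Blank line ends an
    entry, leading space folds a line, 'attr:: v' is base64, '#' is a comment,
    and a bare number is the optional id described above."""
    entries: List[Tuple[str, Dict[str, List[str]]]] = []
    logical: List[str] = []  # unfolded lines of the entry being read

    def flush() -> None:
        if not logical:
            return
        dn = None
        attrs: Dict[str, List[str]] = {}
        for line in logical:
            if line.startswith("#") or line.isdigit():
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("entry without a dn line")
        entries.append((dn, attrs))
        logical.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # folded continuation: drop one leading space
        else:
            logical.append(raw)
    flush()
    return entries


def audit_config(entries: List[Tuple[str, Dict[str, List[str]]]]) -> List[str]:
    """One finding per weak setting among the directives in this chapter."""
    findings: List[str] = []
    for dn, attrs in entries:
        if dn == "cn=config":
            allows = set(" ".join(attrs.get("olcAllows", [])).split())
            disallows = set(" ".join(attrs.get("olcDisallows", [])).split())
            if "bind_v2" in allows:
                findings.append("olcAllows: bind_v2 accepts LDAPv2 bind requests")
            if "update_anon" in allows:
                findings.append("olcAllows: update_anon permits anonymous updates")
            if "bind_anon" not in disallows:
                findings.append("olcDisallows does not include bind_anon")
            if attrs.get("olcIdleTimeout", ["0"])[0] == "0":
                findings.append("olcIdleTimeout is 0: idle connections are never closed")
            has_ca = "olcTLSCACertificateFile" in attrs or "olcTLSCACertificatePath" in attrs
            if not (has_ca and "olcTLSCertificateFile" in attrs
                    and "olcTLSCertificateKeyFile" in attrs):
                findings.append("TLS is not fully configured (CA, certificate and key)")
        elif dn.startswith("olcDatabase="):
            for pw in attrs.get("olcRootPW", []):
                if not pw.startswith("{"):  # slappasswd output starts with {SCHEME}
                    findings.append(f"{dn}: olcRootPW is stored in plain text")
    return findings


# Constructed sample configurations (not from a real system); the certificate
# paths under /etc/openldap/certs/ are assumptions.
WEAK_CONFIG = """\
dn: cn=config
olcAllows: bind_v2 update_anon
olcIdleTimeout: 0

dn: olcDatabase={1}bdb,cn=config
olcRootDN: cn=root,dc=example,dc=com
olcRootPW: secret
"""

HARDENED_CONFIG = """\
dn: cn=config
olcDisallows: bind_anon
olcIdleTimeout: 180
olcTLSCACertificateFile: /etc/openldap/certs/ca.pem
olcTLSCertificateFile: /etc/openldap/certs/slapd.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/slapd.key

dn: olcDatabase={1}bdb,cn=config
olcRootDN: cn=root,dc=example,dc=com
olcRootPW: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(parse_ldif(cfg)) or ["no findings"])
```

The audit only inspects directives that are explicitly present, so it reports what an administrator wrote rather than guessing at compiled-in defaults. With slapd stopped, as the note under Overview of OpenLDAP Server Utilities requires, running slapcat -n 0 as root dumps the cn=config database in this same LDIF form, so its output can be fed to parse_ldif directly.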
Setting Up Replication
Replication is the process of copying updates from one LDAP server (provider) to one or more other servers or clients (consumers). A provider replicates directory updates to consumers, the received updates can be further propagated by the consumer to other servers, so a consumer can also act simultaneously as a provider. Also, a consumer does not have to be an LDAP server, it may be just an LDAP client. In OpenLDAP, you can use several replication modes, most notable are mirror and sync. For more information on OpenLDAP replication modes, see the OpenLDAP Software Administrator’s Guide installed with openldap-servers package (see Installed Documentation).
To enable a chosen replication mode, use one of the following directives in /etc/openldap/slapd.d/ on both provider and consumers.
- olcMirrorMode
-
The olcMirrorMode directive enables the mirror replication mode. It takes the following form:
olcMirrorMode on
This option needs to be specified both on provider and consumers. Also a serverID must be specified along with syncrepl options. Find a detailed example in the 18.3.4. MirrorMode section of the OpenLDAP Software Administrator’s Guide (see Installed Documentation).
- olcSyncrepl
-
The olcSyncrepl directive enables the sync replication mode. It takes the following form:
olcSyncrepl on
The sync replication mode requires a specific configuration on both the provider and the consumers. This configuration is thoroughly described in the 18.3.1. Syncrepl section of the OpenLDAP Software Administrator’s Guide (see Installed Documentation).
Loading Modules and Backends
You can enhance the slapd service with dynamically loaded modules. Support for these modules must be enabled with the --enable-modules option when configuring slapd. Modules are stored in files with the .la extension:
module_name.la
Backends store or retrieve data in response to LDAP requests. Backends may be compiled statically into slapd, or when module support is enabled, they may be dynamically loaded. In the latter case, the following naming convention is applied:
back_backend_name.la
To load a module or a backend, use the following directive in /etc/openldap/slapd.d/:
- olcModuleLoad
-
The olcModuleLoad directive specifies a dynamically loadable module to load. It takes the following form:
olcModuleLoad: module
Here, module stands either for a file containing the module, or a backend, that will be loaded.
SELinux Policy for Applications Using LDAP
SELinux is an implementation of a mandatory access control mechanism in the Linux kernel. By default, SELinux prevents applications from accessing an OpenLDAP server. To enable authentication through LDAP, which is required by several applications, the allow_ypbind SELinux Boolean needs to be enabled. Certain applications also demand an enabled authlogin_nsswitch_use_ldap Boolean in this scenario. Execute the following commands to enable the aforementioned Booleans:
~]# setsebool -P allow_ypbind=1
~]# setsebool -P authlogin_nsswitch_use_ldap=1
The -P option makes this setting persistent across system reboots. See the Red Hat Enterprise Linux 7 SELinux User’s and Administrator’s Guide for more detailed information about SELinux.
Running an OpenLDAP Server
This section describes how to start, stop, restart, and check the current status of the Standalone LDAP Daemon. For more information on how to manage system services in general, see Services and Daemons.
Starting the Service
To start the slapd service in the current session, type the following at a shell prompt as root:
~]# systemctl start slapd.service
To configure the service to start automatically at the boot time, use the following command as root:
~]# systemctl enable slapd.service
See Services and Daemons for more information on how to configure services in Fedora.
Stopping the Service
To stop the running slapd service in the current session, type the following at a shell prompt as root:
~]# systemctl stop slapd.service
To prevent the service from starting automatically at the boot time, type as root:
~]# systemctl disable slapd.service
rm '/etc/systemd/system/multi-user.target.wants/slapd.service'
See Services and Daemons for more information on how to configure services in Fedora.
Configuring a System to Authenticate Using OpenLDAP
In order to configure a system to authenticate using OpenLDAP, make sure that the appropriate packages are installed on both LDAP server and client machines. For information on how to set up the server, follow the instructions in Installing the OpenLDAP Suite and Configuring an OpenLDAP Server. On a client, type the following at a shell prompt as root:
~]# dnf install openldap openldap-clients nss-pam-ldapd
Migrating Old Authentication Information to LDAP Format
The migrationtools package provides a set of shell and Perl scripts to help you migrate authentication information into an LDAP format. To install this package, type the following at a shell prompt as root:
~]# dnf install migrationtools
This will install the scripts to the /usr/share/migrationtools/ directory. Once installed, edit the /usr/share/migrationtools/migrate_common.ph file and change the following lines to reflect the correct domain, for example:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";
# Default base
$DEFAULT_BASE = "dc=example,dc=com";
Alternatively, you can specify the environment variables directly on the command line. For example, to run the migrate_all_online.sh script with the default base set to dc=example,dc=com, export the variable and then run the script:
~]# export DEFAULT_BASE="dc=example,dc=com"
~]# /usr/share/migrationtools/migrate_all_online.sh
To decide which script to run in order to migrate the user database, see Commonly used LDAP migration scripts.
Existing Name Service | Is LDAP Running? | Script to Use
---|---|---
/etc flat files | yes | migrate_all_online.sh
/etc flat files | no | migrate_all_offline.sh
NetInfo | yes | migrate_all_netinfo_online.sh
NetInfo | no | migrate_all_netinfo_offline.sh
NIS (YP) | yes | migrate_all_nis_online.sh
NIS (YP) | no | migrate_all_nis_offline.sh
For more information on how to use these scripts, see the README and the migration-tools.txt files in the /usr/share/doc/migrationtools/ directory.
Additional Resources
The following resources offer additional information on the Lightweight Directory Access Protocol. Before configuring LDAP on your system, it is highly recommended that you review these resources, especially the OpenLDAP Software Administrator’s Guide.
The following documentation is installed with the openldap-servers package:
- /usr/share/doc/openldap-servers/guide.html — A copy of the OpenLDAP Software Administrator’s Guide.
- /usr/share/doc/openldap-servers/README.schema — A README file containing the description of installed schema files.
Additionally, there is also a number of manual pages that are installed with the openldap, openldap-servers, and openldap-clients packages:
- Client Applications
  - ldapadd(1) — The manual page for the ldapadd command describes how to add entries to an LDAP directory.
  - ldapdelete(1) — The manual page for the ldapdelete command describes how to delete entries within an LDAP directory.
  - ldapmodify(1) — The manual page for the ldapmodify command describes how to modify entries within an LDAP directory.
  - ldapsearch(1) — The manual page for the ldapsearch command describes how to search for entries within an LDAP directory.
  - ldappasswd(1) — The manual page for the ldappasswd command describes how to set or change the password of an LDAP user.
  - ldapcompare(1) — Describes how to use the ldapcompare tool.
  - ldapwhoami(1) — Describes how to use the ldapwhoami tool.
  - ldapmodrdn(1) — Describes how to modify the RDNs of entries.
- Server Applications
  - slapd(8C) — Describes command line options for the LDAP server.
- Administrative Applications
  - slapadd(8C) — Describes command line options used to add entries to a slapd database.
  - slapcat(8C) — Describes command line options used to generate an LDIF file from a slapd database.
  - slapindex(8C) — Describes command line options used to regenerate an index based upon the contents of a slapd database.
  - slappasswd(8C) — Describes command line options used to generate user passwords for LDAP directories.
- Configuration Files
  - ldap.conf(5) — The manual page for the ldap.conf file describes the format and options available within the configuration file for LDAP clients.
  - slapd-config(5) — Describes the format and options available within the /etc/openldap/slapd.d configuration directory.
- http://www.openldap.org/doc/admin24/
-
The current version of the OpenLDAP Software Administrator’s Guide.
- http://www.kingsmountain.com/ldapRoadmap.shtml
-
Jeff Hodges' LDAP Roadmap & FAQ containing links to several useful resources and emerging news concerning the LDAP protocol.
- http://www.ldapman.org/articles/
-
A collection of articles that offer a good introduction to LDAP, including methods to design a directory tree and customizing directory structures.
- http://www.padl.com/
-
A website of developers of several useful LDAP tools.
Related Books
- OpenLDAP by Example by John Terpstra and Benjamin Coles; Prentice Hall.
-
A collection of practical exercises in the OpenLDAP deployment.
- Implementing LDAP by Mark Wilcox; Wrox Press, Inc.
-
A book covering LDAP from both the system administrator’s and software developer’s perspective.
- Understanding and Deploying LDAP Directory Services by Tim Howes et al.; Macmillan Technical Publishing.
-
A book covering LDAP design principles, as well as its deployment in a production environment.