Documentation for a newer release is available. View Latest

Servidores de diretório

OpenLDAP

LDAP (Protocolo de Acesso a Diretório Leve) é definido para protocolos aberto usado para acessar armazenamento de informação centralizada sob uma rede. É baseada no padrão X.500 para compartilhamento de diretório, mas é menos complexo e com uso intensivo de recurso. Por essa razão, o LDAP é as vezes referenciado como "X.500 Lite".

Assim como o X.500, o LDAP organiza informações de forma hierárquica usando diretórios. Esses diretórios podem armazenar uma variedade de informações, como nomes, endereços ou números de telefone, e até mesmo serem usados de maneira semelhante ao Network Information Service (NIS), permitindo que qualquer pessoa acesse sua conta de qualquer máquina na rede habilitada para LDAP.

LDAP é normalmente usado para administração centralizada de usuários e grupos, autenticação de usuário ou configuração de sistema. Pode também servir como um diretório telefônico virtual, permitindo usuários à um acesso mais fácil para obter informações de contato para outros usuários. Adicionalmente, pode se referir à um usuário para outros servidores LDAP pelo mundo, e isso provê um repositório de informação ad-hoc global. No entanto, isso muito frequentemente usado dentro de organizações individuais assim como universidades, departamentos governamentais, e companhias privadas.

Essa seção cobre a instalação e configuração do OpenLDAP 2.4, uma implementação de código aberto dos protocolos LDAPv2 e LDAP3.

Introdução ao LDAP

Usando uma arquitetura cliente-servidor, LDAP provê um meio confiável para criar um diretório de informação centralizado acessível a partir da rede. Quando um cliente tenta modificar informação dentro desse diretório, o servidor verifica o usuário que possui permissão para alterar, e então adiciona ou atualiza a entrada conforme requisitado. Para garantir uma comunicação segura, o protocolo de criptografia Transport Layer Security (TLS) pode ser usado para evitar um ataque de comunicação interceptada.

Usando o Mozilla NSS

A suite do OpenLDAP em 29 não utiliza mais o OpenSSL. Vez dele, utiliza implementações da Mozilla do Network Security Services (NSS). OpenLDAP continua trabalhando com os certificados existentes, chave e outras configurações de TLS. Para mais informações de como configurar para certificado Mozilla e chave de banco de dados, veja How do I use TLS/SSL with Mozilla NSS.

O servidor LDAP suporta diversos sistemas de banco de dados, que provê aos administradores um meio flexível para escolher a melhor solução para o tipo de informação que eles são definidos servir. Porque um cliente Application Programming Interface (API) bem definido, o número de aplicações pode se comunicar com o servidor LDAP é numeroso, e aumenta em ambos, quantidade e qualidade.

Terminologia LDAP

A seguir uma lista de termos específicos do LDAP que são utilizados dentro desse capítulo:

· · · · · · · · · · · entrada: Uma única unidade dentro do diretório LDAP. Cada entrada é identificada sendo sua unique Distinguished Name (DN).
· · · · · · · · · · · atributo: Informação diretamente associada com uma entrada. Por exemplo, se uma organização está representando com uma entrada LDAP, atributos associados com essa organização pode incluir um endereço, um número de fax, etc. Similarmente, pessoas podem ser representados com entradas com atributos comuns por exemplo número de telefone pessoal ou endereço de email.

Um atributo que pode ter um único valor, ou uma lista de valores separados por espaço desordenado. Enquanto certos atributos não opcional, outros são requisitados. Requisitado atributos que são especificado usando a definição objectClass, e pode ser entrado em um arquivo de esquema localizado no diretório /etc/openldap/slapd.d/cn=config/cn=schema/ directory. ·+ A afirmação de um atributo e seu valor correspondente é também referenciado como Relative Distinguished Name (RDN). A menos nomes distinguidos que não único globalmente, um relativo nome distinguido é somente único por entrada.
· · · · · · · · · · · · LDIF: O LDAP Data Interchange Format (LDIF) é um texto plano de representação de uma entrada LDAP. E segue com o seguinte formato:

id dn: distinguished_name
attribute_type: attribute_value…
attribute_type: attribute_value…
…

+
  O _id_ opcional é um número determinado pela aplicação que é usado para
  editar a entrada. Cada entrada pode conter como principal
  _attribute_type_ and _attribute_value_ par como necessário, se eles são
  todos definidos em um arquivo de esquema correspondente. Uma linha em
  branco determina o fim de uma entrada.

Funcionalidade do OpenLDAP

A suite do OpenLDAP provê um número de funcionalidades importantes:

Suporte LDAPv3 — Muitas das alterações no protocolo desde a versão 2 do LDAP são designadas para fazer o LDAP mais seguro. Entre outras melhorias, isso inclui o suporte para protocolos Simples Autenticação da Camada de Segurança (SASL), Segurança da Camada de Transporte (TLS), e Camada de Soquete de Segurança (SSL).
LDAP sob IPC — O uso de comunicação entre processo (IPC) melhora a segurança eliminando a necessidade de comunicação sob uma rede.
Suporte IPv6 — OpenLDAP é compatível com a versão 6 do Protocolo de Internet (IPv6), a próxima geração do Protocolo de Internet.
Suporte LDIFv1 — OpenLDAP é totalmente compatível com a versão 1 do LDIF.
Atualizado C API — O atual C API melhora o modo que programados podem se conectar para e usar os servidores de diretório LDAP.
Um Servidor LDAP Autônomo — Isso inclui um sistema de controle de acesso atualizado, agrupando subprocessos, melhorando ferramentas, e muito mais.

Configuração de Servidor OpenLDAP

Os passos típicos de configurar um servidor LDAP Fedora da seguinte forma:

Instalar a suite OpenLDAP. Veja Installing the OpenLDAP Suite para mais informações sobre pacotes requeridos.
Customize a configuração como descrito no Configuring an OpenLDAP Server.
Inicie o serviço slapd como descrito em Running an OpenLDAP Server.
Use o utilitário ldapadd para adicionar uma entrada para o diretório LDAP.
Use o utilitário ldapsearch para verificar que o serviço slapd para acessar a informação corretamente.

Instalando a Suite OpenLDAP

A suite das biblioteca do OpenLDAP e as ferramentas que são providas pelos seguintes pacotes:

Tabela 1. Lista de pacotes OpenLDAP
Package	Description
openldap	A package containing the libraries necessary to run the OpenLDAP server and client applications.
openldap-clients	A package containing the command line utilities for viewing and modifying directories on an LDAP server.
openldap-servers	A package containing both the services and utilities to configure and run an LDAP server. This includes the Standalone LDAP Daemon, `slapd`.
openldap-servers-sql	A package containing the SQL support module.

Adicionalmente, os seguintes pacotes são normalmente usados ao longo do servidor LDAP:

Tabela 2. Lista dos pacotes LDAP adicionais normalmente instalados
Package	Description
nss-pam-ldapd	A package containing `nslcd`, a local LDAP name service that allows a user to perform local LDAP queries.
mod_ldap	A package containing the `mod_authnz_ldap` and `mod_ldap` modules. The `mod_authnz_ldap` module is the LDAP authorization module for the Apache HTTP Server. This module can authenticate users' credentials against an LDAP directory, and can enforce access control based on the user name, full DN, group membership, an arbitrary attribute, or a complete filter string. The `mod_ldap` module contained in the same package provides a configurable shared memory cache, to avoid repeated directory access across many HTTP requests, and also support for SSL/TLS.

Para instalar esses pacotes, use o comando dnf da seguinte forma:

dnf install package…

Por exemplo, para realizar uma instalação básica de um servidor LDAP, digite o seguinte no terminal como 'root':

~]# dnf install openldap openldap-clients openldap-servers

Note que você deve possuir o privilégio de super usuário (para isso, você deve estar logado como 'root') para executar esse comando. Para mais informações de como instalar novos pacotes em Fedora, see Installing Packages.

Visão Geral das Utilidades do Servidor OpenLDAP

Para realizar tarefas administrativas, o pacote openldap-servers instala o seguinte utilitário junto com o serviço slapd:

Tabela 3. Lista dos utilitário do servidor OpenLDAP
Command	Description
slapacl	Allows you to check the access to a list of attributes.
slapadd	Allows you to add entries from an LDIF file to an LDAP directory.
slapauth	Allows you to check a list of IDs for authentication and authorization permissions.
slapcat	Allows you to pull entries from an LDAP directory in the default format and save them in an LDIF file.
slapdn	Allows you to check a list of Distinguished Names (DNs) based on available schema syntax.
slapindex	Allows you to re-index the `slapd` directory based on the current content. Run this utility whenever you change indexing options in the configuration file.
slappasswd	Allows you to create an encrypted user password to be used with the ldapmodify utility, or in the `slapd` configuration file.
slapschema	Allows you to check the compliance of a database with the corresponding schema.
slaptest	Allows you to check the LDAP server configuration.

Para uma descrição detalhada desses utilitários a seu uso, veja as páginas do manual correspondente como referido em Installed Documentation.

Certifique-se que os arquivos possui um dono correto

Apesar de somente o 'root' pode executar o slapadd o serviço slapd executa como usuário ldap. Por causa disso, o servidor de diretório é possível de modificar qualquer arquivo criado por slapadd. Para corrigir esse problema, depois de executar o utilitário slapadd, digite o seguinte no terminal:

chown -R ldap:ldap /var/lib/ldap

Pare o slapd antes de usar esses utilitários

Para preservar a integridade dos dados, pare o serviço slapd antes de usar slapadd, slapcat, ou slapindex. Você pode fazer isso também digitando o seguinte no terminal como root:

~]# systemctl stop slapd.service

Para mais informações de como iniciar, parar, reiniciar, e verificar o status atual do serviço slapd, veja Running an OpenLDAP Server.

Visão Geral do Utilitários do Cliente OpenLDAP

O pacote openldap-clients instala o seguintes utilitários que podem ser utilizados para adicionar, modificar e deletar entradas em um diretório LDAP:

Tabela 4. Lista dos utilitários do cliente OpenLDAP
Command	Description
ldapadd	Allows you to add entries to an LDAP directory, either from a file, or from standard input. It is a symbolic link to ldapmodify -a.
ldapcompare	Allows you to compare given attribute with an LDAP directory entry.
ldapdelete	Allows you to delete entries from an LDAP directory.
ldapexop	Allows you to perform extended LDAP operations.
ldapmodify	Allows you to modify entries in an LDAP directory, either from a file, or from standard input.
ldapmodrdn	Allows you to modify the RDN value of an LDAP directory entry.
ldappasswd	Allows you to set or change the password for an LDAP user.
ldapsearch	Allows you to search LDAP directory entries.
ldapurl	Allows you to compose or decompose LDAP URLs.
ldapwhoami	Allows you to perform a `whoami` operation on an LDAP server.

With the exception of ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.

Visão Geral das Aplicações Comuns do Cliente LDAP

Although there are various graphical LDAP clients capable of creating and modifying directories on the server, none of them is included in Fedora. Popular applications that can access directories in a read-only mode include Mozilla Thunderbird, Evolution, or Ekiga.

Configurando um Servidor OpenLDAP

Por padrão, a configuração do OpenLDAP é armazenada no diretório /etc/openldap/. A seguinte tabela destaca os mais importantes diretórios e arquivos dentro desse diretório:

Tabela 5. Lista de arquivos de configuração e diretório do OpenLDAP
Path	Description
`/etc/openldap/ldap.conf`	The configuration file for client applications that use the OpenLDAP libraries. This includes ldapadd, ldapsearch, Evolution, etc.
`/etc/openldap/slapd.d/`	The directory containing the `slapd` configuration.

Note that OpenLDAP no longer reads its configuration from the /etc/openldap/slapd.conf file. Instead, it uses a configuration database located in the /etc/openldap/slapd.d/ directory. If you have an existing slapd.conf file from a previous installation, you can convert it to the new format by running the following command as root:

~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

The slapd configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in Overview of OpenLDAP Server Utilities.

Do not edit LDIF files directly

An error in an LDIF file can render the slapd service unable to start. Because of this, it is strongly advised that you avoid editing the LDIF files within the /etc/openldap/slapd.d/ directly.

Changing the Global Configuration

Global configuration options for the LDAP server are stored in the /etc/openldap/slapd.d/cn=config.ldif file. The following directives are commonly used:

olcAllows: The olcAllows directive allows you to specify which features to enable. It takes the following form:

olcAllows: feature…

It accepts a space-separated list of features as described in Available olcAllows options. The default option is bind_v2.

Tabela 6. Available olcAllows options
Option	Description
`bind_v2`	Enables the acceptance of LDAP version 2 bind requests.
`bind_anon_cred`	Enables an anonymous bind when the Distinguished Name (DN) is empty.
`bind_anon_dn`	Enables an anonymous bind when the Distinguished Name (DN) is not empty.
`update_anon`	Enables processing of anonymous update operations.
`proxy_authz_anon`	Enables processing of anonymous proxy authorization control.

Exemplo 1. Using the olcAllows directive

olcAllows: bind_v2 update_anon

olcConnMaxPending: The olcConnMaxPending directive allows you to specify the maximum number of pending requests for an anonymous session. It takes the following form:

olcConnMaxPending: number

The default option is 100.

Exemplo 2. Using the olcConnMaxPending directive

olcConnMaxPending: 100

olcConnMaxPendingAuth: The olcConnMaxPendingAuth directive allows you to specify the maximum number of pending requests for an authenticated session. It takes the following form:

olcConnMaxPendingAuth: number

The default option is 1000.

Exemplo 3. Using the olcConnMaxPendingAuth directive

olcConnMaxPendingAuth: 1000

olcDisallows: The olcDisallows directive allows you to specify which features to disable. It takes the following form:

olcDisallows: feature…

It accepts a space-separated list of features as described in Available olcDisallows options. No features are disabled by default.

Tabela 7. Available olcDisallows options
Option	Description
`bind_anon`	Disables the acceptance of anonymous bind requests.
`bind_simple`	Disables the simple bind authentication mechanism.
`tls_2_anon`	Disables the enforcing of an anonymous session when the STARTTLS command is received.
`tls_authc`	Disallows the STARTTLS command when authenticated.

Exemplo 4. Using the olcDisallows directive

olcDisallows: bind_anon

olcIdleTimeout: The olcIdleTimeout directive allows you to specify how many seconds to wait before closing an idle connection. It takes the following form:

olcIdleTimeout: number

This option is disabled by default (that is, set to 0).

Exemplo 5. Using the olcIdleTimeout directive

olcIdleTimeout: 180

olcLogFile: The olcLogFile directive allows you to specify a file in which to write log messages. It takes the following form:

olcLogFile: file_name

The log messages are written to standard error by default.

Exemplo 6. Using the olcLogFile directive

olcLogFile: /var/log/slapd.log

olcReferral: The olcReferral option allows you to specify a URL of a server to process the request in case the server is not able to handle it. It takes the following form:

olcReferral: URL

This option is disabled by default.

Exemplo 7. Using the olcReferral directive

olcReferral: ldap://root.openldap.org

olcWriteTimeout: The olcWriteTimeout option allows you to specify how many seconds to wait before closing a connection with an outstanding write request. It takes the following form:

olcWriteTimeout

This option is disabled by default (that is, set to 0).

Exemplo 8. Using the olcWriteTimeout directive

olcWriteTimeout: 180

Changing the Database-Specific Configuration

By default, the OpenLDAP server uses Berkeley DB (BDB) as a database back end. The configuration for this database is stored in the /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif file. The following directives are commonly used in a database-specific configuration:

olcReadOnly: The olcReadOnly directive allows you to use the database in a read-only mode. It takes the following form:

olcReadOnly: boolean

It accepts either TRUE (enable the read-only mode), or FALSE (enable modifications of the database). The default option is FALSE.

Exemplo 9. Using the olcReadOnly directive

olcReadOnly: TRUE

olcRootDN: The olcRootDN directive allows you to specify the user that is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. It takes the following form:

olcRootDN: distinguished_name

It accepts a Distinguished Name (DN). The default option is cn=Manager,dn=my-domain,dc=com.

Exemplo 10. Using the olcRootDN directive

olcRootDN: cn=root,dn=example,dn=com

olcRootPW: The olcRootPW directive allows you to set a password for the user that is specified using the olcRootDN directive. It takes the following form:

olcRootPW: password

It accepts either a plain text string, or a hash. To generate a hash, type the following at a shell prompt:

~]$ slappaswd
New password:
Re-enter new password:
{SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD

Exemplo 11. Using the olcRootPW directive

olcRootPW: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD

olcSuffix: The olcSuffix directive allows you to specify the domain for which to provide information. It takes the following form:

olcSuffix: domain_name

It accepts a fully qualified domain name (FQDN). The default option is dc=my-domain,dc=com.

Exemplo 12. Using the olcSuffix directive

olcSuffix: dc=example,dc=com

Extending Schema

Since OpenLDAP 2.3, the /etc/openldap/slapd.d/ directory also contains LDAP definitions that were previously located in /etc/openldap/schema/. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, see https://www.openldap.org/doc/admin/schema.html.

Establishing a Secure Connection

OpenLDAP clients and servers can be secured using the Transport Layer Security (TLS) framework. TLS is a cryptographic protocol designed to provide communication security over the network. As noted above, OpenLDAP suite in Fedora uses Mozilla NSS as the TLS implementation.

To establish a secure connection using TLS, obtain the required certificates as described in How do I use TLS/SSL with Mozilla NSS. Then, a number of options must be configured on both the client and the server. At a minimum, a server must be configured with the Certificate Authority (CA) certificates and also its own server certificate and private key. The clients must be configured with the name of the file containing all the trusted CA certificates.

Typically, a server only needs to sign a single CA certificate. A client may want to connect to a variety of secure servers, therefore it is common to specify a list of several trusted CAs in its configuration.

Server Configuration

This section lists global configuration directives for slapd that need to be specified in the /etc/openldap/slapd.d/cn=config.ldif file on an OpenLDAP server in order to establish TLS.

While the old style configuration uses a single file, normally installed as /usr/local/etc/openldap/slapd.conf, the new style uses a slapd backend database to store the configuration. The configuration database normally resides in the /usr/local/etc/openldap/slapd.d/ directory.

The following directives are also valid for establishing SSL. In addition to TLS directives, you need to enable a port dedicated to SSL on the server side – typically it is port 636. To do so, edit the /etc/sysconfig/slapd file and append the ldaps:/// string to the list of URLs specified with the SLAPD_URLS directive.

olcTLSCACertificateFile: The olcTLSCACertificateFile directive specifies the file encoded with Privacy-Enhanced Mail (PEM) schema that contains trusted CA certificates. The directive takes the following form:

olcTLSCACertificateFile: path

Replace path either with a path to the CA certificate file, or, if you use Mozilla NSS, with a certificate name.

olcTLSCACertificatePath: The olcTLSCACertificatePath directive specifies the path to a directory containing individual CA certificates in separate files. This directory must be specially managed with the OpenSSL c_rehash utility that generates symbolic links with the hashed names that point to the actual certificate files. In general, it is simpler to use the olcTLSCACertificateFile directive instead.

If Mozilla NSS is used, olcTLSCACertificatePath accepts a path to the Mozilla NSS database (as shown in Using olcTLSCACertificatePath with Mozilla NSS). In such a case, c_rehash is not needed.
The directive takes the following form:

olcTLSCACertificatePath: path

Replace path with a path to the directory containing the CA certificate files, or with a path to a Mozilla NSS database file.

Exemplo 13. Using olcTLSCACertificatePath with Mozilla NSS

With Mozilla NSS, the olcTLSCACertificatePath directive specifies the path of the directory containing the NSS certificate and key database files. For example:

olcTLSCACertificatePath: sql:/home/nssdb/sharednssdb

The certutil command is used to add a CA certificate to these NSS database files:

certutil -d sql:/home/nssdb/sharednssdb -A -n "CA_certificate" -t CT,, -a -i certificate.pem

The above command adds a CA certificate stored in a PEM-formatted file named certificate.pem. The -d option specifies the database directory containing the certificate and key database files, the -n option sets a name for the certificate, -t CT,, means that the certificate is trusted to be used in TLS clients and servers. The -A option adds an existing certificate to a certificate database, the -a option allows the use of ASCII format for input or output, and the -i option passes the certificate.pem input file to the command.

olcTLSCertificateFile: The olcTLSCertificateFile directive specifies the file that contains the slapd server certificate. The directive takes the following form:

olcTLSCertificateFile: path

Replace path with a path to the slapd server certificate file, or, if you use Mozilla NSS, with a certificate name.

Exemplo 14. Using olcTLSCertificateFile with Mozilla NSS

When using Mozilla NSS with certificate and key database files specified with the olcTLSCACertificatePath directive, olcTLSCertificateFile is used to specify the name of the certificate to use. First, execute the following command to view a list of certificates available in your NSS database file:

certutil -d sql:/home/nssdb/sharednssdb -L

Select a certificate from the list and pass its name to olcTLSCertificateFile. For example:

olcTLSCertificateFile slapd_cert

olcTLSCertificateKeyFile: The olcTLSCertificateKeyFile directive specifies the file that contains the private key that matches the certificate stored in the file specified with olcTLSCertificateFile. Note that the current implementation does not support encrypted private keys, and therefore the containing file must be sufficiently protected. The directive takes the following form:

olcTLSCertificateKeyFile: path

Replace path with a path to the private key file if you use PEM certificates. When using Mozilla NSS, path stands for the name of a file that contains the password for the key for the certificate specified with the olcTLSCertificateFile directive (see Using olcTLSCertificateKeyFile with Mozilla NSS).

Exemplo 15. Using olcTLSCertificateKeyFile with Mozilla NSS

When using Mozilla NSS, this directive specifies the name of a file that contains the password for the key for the certificate specified with olcTLSCertificateFile:

olcTLSCertificateKeyFile: slapd_cert_key

The modutil command can be used to turn off password protection or to change the password for NSS database files. For example:

modutil -dbdir sql:/home/nssdb/sharednssdb -changepw

Client Configuration

Specify the following directives in the /etc/openldap/ldap.conf configuration file on the client system. Most of these directives are parallel to the server configuration options. Directives in/etc/openldap/ldap.conf are configured on a system-wide basis, however, individual users may override them in their ~/.ldaprc files.

The same directives can be used to establish an SSL connection. The ldaps:// string must be used instead of ldap:// in OpenLDAP commands such as ldapsearch. This forces commands to use the default port for SSL, port 636, configured on the server.

TLS_CACERT: The TLS_CACERT directive specifies a file containing certificates for all of the Certificate Authorities the client will recognize. This is equivalent to the olcTLSCACertificateFile directive on a server. TLS_CACERT should always be specified before TLS_CACERTDIR in /etc/openldap/ldap.conf. The directive takes the following form:

TLS_CACERT path

Replace path with a path to the CA certificate file.

TLS_CACERTDIR: The TLS_CACERTDIR directive specifies the path to a directory that contains Certificate Authority certificates in separate files. As with olcTLSCACertificatePath on a server, the specified directory must be managed with the OpenSSL c_rehash utility. Path to Mozilla NSS database file is also accepted, c_rehash is not needed in such case. The directive takes the following form:

TLS_CACERTDIR directory

Replace directory with a path to the directory containing CA certificate files. With Mozilla NSS, directory stands for a path to the certificate or key database file.

TLS_CERT: The TLS_CERT specifies the file that contains a client certificate. This directive can only be specified in a user’s ~/.ldaprc file. With Mozilla NSS, this directive specifies the name of the certificate to be chosen from the database specified with the aforementioned TLS_CACERTDIR directive. The directive takes the following form:

TLS_CERT path

Replace path with a path to the client certificate file, or with a name of a certificate from the NSS database.

TLS_KEY: The TLS_KEY specifies the file that contains the private key that matches the certificate stored in the file specified with the TLS_CERT directive. As with olcTLSCertificateFile on a server, encrypted key files are not supported, so the file itself must be carefully protected. This option is only configurable in a user’s ~/.ldaprc file.

When using Mozilla NSS, TLS_KEY specifies the name of a file that contains the password for the private key that protects the certificate specified with the TLS_CERT directive. Similarly to the olcTLSCertificateKeyFile directive on a server (see Using olcTLSCertificateKeyFile with Mozilla NSS), you can use the modutil command to manage this password.
The TLS_KEY directive takes the following form:

TLS_KEY path

Replace path with a path to the client certificate file or with a name of the password file in the NSS database.

Setting Up Replication

Replication is the process of copying updates from one LDAP server (provider) to one or more other servers or clients (consumers). A provider replicates directory updates to consumers, the received updates can be further propagated by the consumer to other servers, so a consumer can also act simultaneously as a provider. Also, a consumer does not have to be an LDAP server, it may be just an LDAP client. In OpenLDAP, you can use several replication modes, most notable are mirror and sync. For more information on OpenLDAP replication modes, see the OpenLDAP Software Administrator’s Guide installed with openldap-servers package (see Installed Documentation).

To enable a chosen replication mode, use one of the following directives in /etc/openldap/slapd.d/ on both provider and consumers.

olcMirrorMode: The olcMirrorMode directive enables the mirror replication mode. It takes the following form:

olcMirrorMode on

This option needs to be specified both on provider and consumers. Also a serverID must be specified along with syncrepl options. Find a detailed example in the 18.3.4. MirrorMode section of the OpenLDAP Software Administrator’s Guide (see Installed Documentation).

olcSyncrepl: The olcSyncrepl directive enables the sync replication mode. It takes the following form:

olcSyncrepl on

The sync replication mode requires a specific configuration on both the provider and the consumers. This configuration is thoroughly described in the 18.3.1. Syncrepl section of the OpenLDAP Software Administrator’s Guide (see Installed Documentation).

Loading Modules and Backends

You can enhance the slapd service with dynamically loaded modules. Support for these modules must be enabled with the --enable-modules option when configuring slapd. Modules are stored in files with the .la extension:

module_name.la

Backends store or retrieve data in response to LDAP requests. Backends may be compiled statically into slapd, or when module support is enabled, they may be dynamically loaded. In the latter case, the following naming convention is applied:

back_backend_name.la

To load a module or a backend, use the following directive in /etc/openldap/slapd.d/:

olcModuleLoad: The olcModuleLoad directive specifies a dynamically loadable module to load. It takes the following form:

olcModuleLoad: module

Here, module stands either for a file containing the module, or a backend, that will be loaded.

SELinux Policy for Applications Using LDAP

SELinux is an implementation of a mandatory access control mechanism in the Linux kernel. By default, SELinux prevents applications from accessing an OpenLDAP server. To enable authentication through LDAP, which is required by several applications, the allow_ypbind SELinux Boolean needs to be enabled. Certain applications also demand an enabled authlogin_nsswitch_use_ldap Boolean in this scenario. Execute the following commands to enable the aforementioned Booleans:

~]# setsebool -P allow_ypbind=1

~]# setsebool -P authlogin_nsswitch_use_ldap=1

The -P option makes this setting persistent across system reboots. See the Red Hat Enterprise Linux 7 SELinux User’s and Administrator’s Guide for more detailed information about SELinux.

Running an OpenLDAP Server

This section describes how to start, stop, restart, and check the current status of the Standalone LDAP Daemon. For more information on how to manage system services in general, see Services and Daemons.

Starting the Service

To start the slapd service in the current session, type the following at a shell prompt as root:

~]# systemctl start slapd.service

To configure the service to start automatically at the boot time, use the following command as root:

~]# systemctl enable slapd.service

See Services and Daemons for more information on how to configure services in Fedora.

Stopping the Service

To stop the running slapd service in the current session, type the following at a shell prompt as root:

~]# systemctl stop slapd.service

To prevent the service from starting automatically at the boot time, type as root:

~]# systemctl disable slapd.service
rm '/etc/systemd/system/multi-user.target.wants/slapd.service'

See Services and Daemons for more information on how to configure services in Fedora.

Restarting the Service

To restart the running slapd service, type the following at a shell prompt as root:

~]# systemctl restart slapd.service

This stops the service and immediately starts it again. Use this command to reload the configuration.

Verifying the Service Status

To verify that the slapd service is running, type the following at a shell prompt:

~]$ systemctl is-active slapd.service
active

Configuring a System to Authenticate Using OpenLDAP

In order to configure a system to authenticate using OpenLDAP, make sure that the appropriate packages are installed on both LDAP server and client machines. For information on how to set up the server, follow the instructions in Installing the OpenLDAP Suite and Configuring an OpenLDAP Server. On a client, type the following at a shell prompt as root:

~]# dnf install openldap openldap-clients nss-pam-ldapd

Migrating Old Authentication Information to LDAP Format

The migrationtools package provides a set of shell and Perl scripts to help you migrate authentication information into an LDAP format. To install this package, type the following at a shell prompt as root:

~]# dnf install migrationtools

This will install the scripts to the /usr/share/migrationtools/ directory. Once installed, edit the /usr/share/migrationtools/migrate_common.ph file and change the following lines to reflect the correct domain, for example:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";

# Default base
$DEFAULT_BASE = "dc=example,dc=com";

Alternatively, you can specify the environment variables directly on the command line. For example, to run the migrate_all_online.sh script with the default base set to dc=example,dc=com, type:

~]# export DEFAULT_BASE="dc=example,dc=com" \
/usr/share/migrationtools/migrate_all_online.sh

To decide which script to run in order to migrate the user database, see Commonly used LDAP migration scripts.

Tabela 8. Commonly used LDAP migration scripts
Existing Name Service	Is LDAP Running?	Script to Use
`/etc` flat files	yes	`migrate_all_online.sh`
`/etc` flat files	no	`migrate_all_offline.sh`
NetInfo	yes	`migrate_all_netinfo_online.sh`
NetInfo	no	`migrate_all_netinfo_offline.sh`
NIS (YP)	yes	`migrate_all_nis_online.sh`
NIS (YP)	no	`migrate_all_nis_offline.sh`

For more information on how to use these scripts, see the README and the migration-tools.txt files in the /usr/share/doc/migrationtools/ directory.

Recursos adicionais

The following resources offer additional information on the Lightweight Directory Access Protocol. Before configuring LDAP on your system, it is highly recommended that you review these resources, especially the OpenLDAP Software Administrator’s Guide.

Documentação Instalada

The following documentation is installed with the openldap-servers package:

/usr/share/doc/openldap-servers/guide.html — A copy of the OpenLDAP Software Administrator’s Guide.
/usr/share/doc/openldap-servers/README.schema — A README file containing the description of installed schema files.

Additionally, there is also a number of manual pages that are installed with the openldap, openldap-servers, and openldap-clients packages:

Client Applications

ldapadd(1) — The manual page for the ldapadd command describes how to add entries to an LDAP directory.
ldapdelete(1) — The manual page for the ldapdelete command describes how to delete entries within an LDAP directory.
ldapmodify(1) — The manual page for the ldapmodify command describes how to modify entries within an LDAP directory.
ldapsearch(1) — The manual page for the ldapsearch command describes how to search for entries within an LDAP directory.
ldappasswd(1) — The manual page for the ldappasswd command describes how to set or change the password of an LDAP user.
ldapcompare(1) — Describes how to use the ldapcompare tool.
ldapwhoami(1) — Describes how to use the ldapwhoami tool.
ldapmodrdn(1) — Describes how to modify the RDNs of entries.

Server Applications

slapd(8C) — Describes command line options for the LDAP server.

Administrative Applications

slapadd(8C) — Describes command line options used to add entries to a slapd database.
slapcat(8C) — Describes command line options used to generate an LDIF file from a slapd database.
slapindex(8C) — Describes command line options used to regenerate an index based upon the contents of a slapd database.
slappasswd(8C) — Describes command line options used to generate user passwords for LDAP directories.

Arquivos de Configuração

ldap.conf(5) — The manual page for the ldap.conf file describes the format and options available within the configuration file for LDAP clients.
slapd-config(5) — Describes the format and options available within the /etc/openldap/slapd.d configuration directory.

Documentação online

https://www.openldap.org/doc/admin24/: The current version of the OpenLDAP Software Administrator’s Guide.
https://www.kingsmountain.com/ldapRoadmap.shtml: Jeff Hodges' LDAP Roadmap & FAQ containing links to several useful resources and emerging news concerning the LDAP protocol.
http://www.ldapman.org/articles/: A collection of articles that offer a good introduction to LDAP, including methods to design a directory tree and customizing directory structures.
https://www.padl.com/: A website of developers of several useful LDAP tools.

OpenLDAP by Example by John Terpstra and Benjamin Coles; Prentice Hall.: A collection of practical exercises in the OpenLDAP deployment.
Implementing LDAP by Mark Wilcox; Wrox Press, Inc.: A book covering LDAP from both the system administrator’s and software developer’s perspective.
Understanding and Deploying LDAP Directory Services by Tim Howes et al.; Macmillan Technical Publishing.: A book covering LDAP design principles, as well as its deployment in a production environment.

Want to help? Learn how to contribute to Fedora Docs ›