Mastering OpenLDAP
The OpenLDAP directory server is a mature product that has been around (in
one form or another) since 1995. All of the major Linux distributions include the
OpenLDAP server, and many major applications, both, Open Source and
proprietary, are directory aware, and can make use of the services provided by
OpenLDAP. And yet the OpenLDAP server seems to be shrouded in mystery,
known and understood only by the gurus and hackers. This book is meant not
only to demystify OpenLDAP, but to give the system administrator and software
developer a solid understanding of how to make use, in the practical realm, of
OpenLDAP’s directory services.
OpenLDAP is an Open Source server that provides network clients with directory
services. The directory server can be used to store organizational information in
a centralized location, and make this information available to authorized
applications. Client applications can connect to OpenLDAP using the Lightweight
Directory Access Protocol (LDAP). They can then search the directory and (if
they have appropriate access) modify and manipulate records in the directory.
LDAP servers are most frequently used to provide network-based authentication
services for users. But there are many other uses for an LDAP, including using
the directory as an address book, a DNS database, an organizational tool, or
even as a network object store for applications. We will look at some of these
uses in this book.
The goal of this book is to prepare a system administrator or software developer
for building a directory using OpenLDAP, and then employing this directory in the
context of the network. To that end, this book will take a practical approach,
emphasizing how to get things done. On occasion, we will delve into theoretical
aspects of LDAP, but such discussions will only occur where understanding the
theory helps us answer practical questions.
What This Book Covers
In Chapter 1 we look at general concepts of directory servers and LDAP, cover
the history of LDAP and the lineage of the OpenLDAP server, and finish up with
a technical overview of OpenLDAP.
The next set of chapters focus on building directory services with OpenLDAP,
and we take a close look at the OpenLDAP server in these chapters.
Chapter 2 begins with the process of installing OpenLDAP on a GNU/Linux
server. Once we have the server installed, we do the basic post-installation
configuration necessary to have the server running.
Chapter 3 covers the basic use of the OpenLDAP server. We use the
OpenLDAP command-line tools to add records to our new directory, search the
directory, and modify records. This chapter introduces many of the key concepts
involved in working with LDAP data.
Chapter 4 covers security, including handling authentication to the directory,
configuring Access Control Lists (ACLs), and securing network-based directory
connections with Secure Sockets Layer (SSL) and Transport Layer Security
(TLS).
Chapter 5 deals with advanced configuration of the OpenLDAP server. Here, we
take a close look at the various backend database options and also look at
performance tuning settings, as well as the recently introduced technology of
directory overlays.
Chapter 6 focuses on extending the directory structure by creating and
implementing LDAP schemas. Schemas provide a procedure for defining new
attributes and structures to extend the directory and provide records tailor-made
to your needs.
Chapter 7 focuses on directory replication and different ways of getting directory
servers to interoperate over a network. OpenLDAP can replicate its directory
contents from a master server to any number of subordinate servers. In this
chapter, we set up a replication process between two servers.
Chapter 8 deals with configuring other tools to interoperate with OpenLDAP. We
begin with the Apache web server, using LDAP as a source of authentication and
authorization. Next, we install phpLDAPadmin, a web-based program for
managing directory servers. Then we look at the main features, and do some
custom tuning.
The appendices include a step-by-step guide to building OpenLDAP from source
(Appendix A), a guide to using LDAP URLs (Appendix B), and a compendium of
useful LDAP client commands (Appendix C).
Installation and Configuration
In this chapter we will walk through the process of installing and configuring the
OpenLDAP suite of tools. Here we will only cover basic configuration of the SLAPD
server. This will serve as a base for subsequent chapters (particularly Chapters 4 to
7), where we will explore advanced configuration options. The specific topics that we
will cover include:
- Installing binary OpenLDAP packages
- Configuring the LDAP server with the slapd.conf file
- Verifying the slapd.conf configuration with slaptest
- Starting and stopping the server
- Configuring client tools with the ldap.conf file
- Fetching the root DSE entry from the directory with ldapsearch
Before Getting Started
OpenLDAP is maintained by the OpenLDAP Foundation. The foundation maintains
a suite of tools that we will call as OpenLDAP suite. As we saw in Chapter 1, the
OpenLDAP suite includes the following classes of tools:
- Daemons (slapd and slurpd)
- Libraries (notably libldap)
- Client applications (ldapsearch, ldapadd, ldapmodify, and others)
- Supporting utilities (slapcat, slapauth, and others)
The official OpenLDAP source distribution includes all of these in one download.
Various binary versions however, may break these out into sub-packages.
Commonly the suite is split into three packages: libraries, clients, and servers.
OpenLDAP compiles and runs on a wide variety of operating systems. However,
the OpenLDAP project itself does not provide binary versions of their software. As
a result, different vendors and operating system maintainers compile and provide
their own binary versions. There are versions of OpenLDAP compiled for most
UNIX variants (including Mac OS X), as well as versions for the Windows operating
system. Some binary distributions even come with commercial support.
OpenLDAP Binaries for Operating Systems
In this book, we will be using Ubuntu Linux as the operating system of choice.
Ubuntu is a GNU/Linux distribution based on the venerable Debian Project. Like
Debian (and the multitude of other Debian-based distributions) Ubuntu uses the
Debian package format. Thus, if you are using another Debian-based distribution,
the installation process should be largely familiar.
Ubuntu is a user-friendly Linux distribution. You can learn more about
Ubuntu at http://www.ubuntu.com/. To learn more about the Debian
Project, on which Ubuntu is based, visit http://debian.org/.
Almost every major Linux and BSD distribution includes official support for
OpenLDAP. You may want to consult the documentation for your chosen
distribution to find out more information on getting and installing OpenLDAP. In
some cases, OpenLDAP is installed with the base operating system.
For Windows, Mac, and other variants of UNIX, the best way to find a list of available
binary packages is by perusing the list of distributions maintained in the OpenLDAP
Faq-O-Matic (http://www.openldap.org/faq/data/cache/108.html).
Commercial OpenLDAP Distribution
If you need a commercially supported OpenLDAP distribution, you may want to
consider the offerings from Symas. Symas (http://www.symas.com/) is owned
and operated by many of the same folks who contribute to the OpenLDAP suite.
They provide a commercial binary version of the OpenLDAP suite, distributed as
Connexitor Directory Services (CDS).
Several different CDS editions are available, with each edition tuned and optimized
for specific organizational needs. Their Platinum Edition, for instance, is optimized for
directories with more than 150 million records! Symas also provides LDAP training,
maintenance and support services, and consulting.
Source Code Compilation
Instead of installing a binary file, you may wish to simply compile the OpenLDAP
source code yourself. This process is outlined in simple steps in Appendix A of
this book.
The primary advantage of building from source code is that you will benefit from
many improvements long before these revisions are made available in mainstream
packages. The focus of development on the stable branch of OpenLDAP is bug fixes.
Thus, building from source generally improves OpenLDAP stability.
A Quick Note on Versions
Currently, the stable branch for OpenLDAP is 2.3 branch (2.4 is in early beta).
However, some Linux distributions still use the aging 2.2 version, originally released
in 2003. If the latest package for your chosen operating system is still in the 2.2
branch, you may want to consider looking for unofficial versions of 2.3 for your
platform, or even compiling a custom binary (see Appendix A).
Installation
In this section, we will walk through the process of installing on a system running
Ubuntu Linux 7.04. Later, Ubuntu distributions will likely follow the same
installation pattern.
Dependencies
The basic OpenLDAP configuration in Ubuntu requires a few extra libraries and
packages. These are as follows:
- The Berkeley Database (bdb4) version 4.2 (but not 4.3, which has stability
issues): In the Ubuntu default configuration, OpenLDAP stores the directory
inside a BDB database. The Berkeley Database is often simply called BDB.
- The OpenSSL libraries: These provide SSL and TLS security. SSL and TLS
provide encryption for network connections to the directory.
- The Cyrus SASL library: This provides support for secure
SASL authentication.
- The Perl programming language: This can provide custom
back-end scripting.
- The iODBC database connectivity layer: OpenLDAP can store the directory
in a relational database (RDBMS). The iODBC library is used to connect to
the RDBMS.
OpenLDAP also relies on some standard system library packages (such as libc6)
that are installed on all UNIX/Linux distributions. In its default installation, Ubuntu
includes BDB, OpenSSL, and Perl. Installation of other dependencies is handled
automatically by the package manager, so don't worry about manually installing any
of these.
|
