Mastering OpenLDAP Configuring, Securing, and Integrating Directory Services Matt Butcher BIRMINGHAM - MUMBAI Mastering OpenLDAP Copyright © 2007 Packt Publishing All rights reserved No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews Every effort has been made in the preparation of this book to ensure the accuracy of the information presented However, the information contained in this book is sold without warranty, either express or implied Neither the author, Packt Publishing, nor its dealers or distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals However, Packt Publishing cannot guarantee the accuracy of this information First published: August 2007 Production Reference: 1230807 Published by Packt Publishing Ltd 32 Lincoln Road Olton Birmingham, B27 6PA, UK ISBN 978-1-847191-02-1 www.packtpub.com Cover Image by Ronald R McDaniel (rmcdaniel@indata.us) Credits Author Matt Butcher Reviewers Aaron Richton Project Manager Patricia Weir Project Coordinator Abhijeet Deobhakta George K Thiruvathukal Quanah Gibson-Mount Indexer Bhushan Pangaonkar Development Editor Douglas Paterson Proofreader Rebecca Paterson Assistant Development Editor Nikhil Bangera Production Coordinator Shantanu Zagade Technical Editor Ved Prakash Jha Cover Designer Shantanu Zagade Editorial Manager Dipali Chittar About the Author Matt Butcher is the principal consultant for Aleph-Null, Inc., a systems integrator that specializes in Free and Open Source solutions He is also a member of the Emerging Technologies Lab at Loyola University Chicago, where he is currently finishing a Ph.D in philosophy Matt has written two other books for Packt: Managing and Customizing OpenCms Websites (ISBN: 978-1-904811-76-3), and Building Websites with OpenCms (ISBN: 1-904811-04-3) Matt has also contributed articles to Newsforge.com, TheServerSide.com, and LinuxDevices.com Anyone who actively works with Free and Open Source software knows that any good project is the result of the contributions of a wide variety of people I hope it is evident in this book that I have taken this lesson to heart I would like to thank Bob Krumland for introducing me to LDAP in 1997 I owe a great debt of gratitude to Quanah Gibson-Mount and Aaron Richton, who both generously lent their technical expertise to make this a better book I would like to thank Jon Hodge for his time and assistance Also, I’d like to thank Mark Patterson, Paul Beam, George Peavy, Ed Mattson, and Kevin Reilly And thanks to the members of the Emerging Technology Lab at Loyola University, especially George Thiruvathukal for his comments The members of the OpenLDAP mailing list have been tremendously helpful, especially Kurt Zeilenga, Howard Chu, Pierangelo Masarati, and Aaron Richton And, of course, thanks to Claire, Anna, and Angie for their continual support, encouragement, and crayon-colored pictures About the Reviewers Aaron Richton is a Systems Administrator for the Rutgers University campus in New Brunswick/Piscataway, NJ He has used OpenLDAP since the 2.1 series The OpenLDAP servers he administers are responsible for the authentication of over 60,000 accounts Richton holds degrees in Electrical and Computer Engineering and Computer Science from the Rutgers University School of Engineering George K Thiruvathukal Ph.D is an associate professor of computer science at Loyola University Chicago, where he directs the departmental computing and infrastructure He has held positions in industry (at Fortune 500 companies such as R.R Donnelley and Sons and Tellabs, both in the Chicago area) and in academia, including the Illinois Institute of Technology and Argonne National Laboratory He has co-authored two books on advanced software development for Prentice Hall PTR and Sun Microsystems press, including High-Performance Java Platform Computing: Threads and Networking (see http://hpjpc.googlecode.com) and Web Programming in Python (see http://slither.googlecode.com) His research interests include parallel/distributed systems, programming languages/paradigms/patterns, and experimental computing His teaching interests include most of the modern computer science curriculum and computing history For more information, see http://www.cs.luc.edu/gkt Quanah Gibson-Mount graduated from the University of Alaska, Fairbanks with a B.S in Computer Science Quanah has been working with OpenLDAP since the early stages of the OpenLDAP 2.1 release He is currently a Principal Software Engineer with Zimbra, Inc, where he focuses on OpenLDAP configuration and Release Engineering He is also the release engineer for the OpenLDAP project, and in his spare (paid for) time teaches classes on LDAP and OpenLDAP for Symas Corp Prior to his employment with Zimbra, Quanah worked at Stanford University, where one of his primary tasks was that of Directory Architect I'd like to thank my wife Karen for all of her support in these many endeavors Table of Contents Preface Chapter 1: Directory Servers and LDAP LDAP Basics What is a Directory? The Structure of a Directory Entry A Unique Name: The DN An Example LDAP Entry 10 11 12 The Directory Information Tree What to Do with an LDAP Server The History of LDAP and OpenLDAP A Technical Overview of OpenLDAP The Server Clients Utilities Libraries Summary 15 17 19 20 21 22 22 22 22 The Object Class Attribute Operational Attributes Chapter 2: Installation and Configuration Before Getting Started OpenLDAP Binaries for Operating Systems Commercial OpenLDAP Distribution Source Code Compilation A Quick Note on Versions Installation Dependencies Installing OpenLDAP Configuring the SLAPD Server Basics 14 15 23 23 24 24 25 25 25 25 26 26 28 Table of Contents Schemas More Directives Module Directives 29 29 30 Database Configuration ACLs Verifying a Configuration File Starting and Stopping the Server Using the Init Script Running SLAPD Directly Configuring the LDAP Clients A Basic ldap.conf File 31 34 38 40 41 41 43 44 Testing the Server Summary 46 50 Size and Time Limits 46 Chapter 3: Using OpenLDAP 51 A Brief Survey of the LDAP Suite LDAP from the Server Side SLAPD The Binding Operation The Search Operation More Operations: Additions, Modifications, and Deletions Infrequent Operations SLAPD Summary 51 52 52 53 54 58 60 61 SLURPD Creating Directory Data The LDIF File Format 62 62 63 Example.Com in LDIF 69 Anatomy of an LDIF File Representing Attribute Values in LDIF 64 66 Defining the Base DN Record Structuring the Directory with Organizational Units Adding User Records Adding System Records Adding Group Records The Complete LDIF File Using the Utilities to Prepare the Directory slapadd When Should slapadd be Used? What Does slapadd Do? Loading the LDIF File slapindex slapcat 70 73 78 82 84 87 89 90 90 91 91 97 98 Operational Attributes 99 slapacl 101 [ ii ] Table of Contents slapauth slapdn slappasswd Storing and Using Passwords in OpenLDAP Generating a Password with slappasswd slaptest Performing Directory Operations Using the Clients Common Command-Line Flags Common Flags Setting Defaults in ldap.conf 102 103 104 104 105 107 108 108 109 110 ldapsearch 110 ldapadd 119 ldapmodify 121 ldapdelete ldapcompare ldapmodrdn 128 129 130 A Simple Search Restricting Returned Fields Requesting Operational Attributes Searching Using a File 110 113 114 116 Adding Records from a File 120 Adding a Record with ldapmodify Modifying Existing Records Modifying the Relative DN Deleting Entire Records 121 122 125 128 Modifying the Superior DN with ldapmodrdn ldappasswd ldapwhoami Summary Chapter 4: Securing OpenLDAP LDAP Security: The Three Aspects Securing Network-Based Directory Connections with SSL/TLS The Basics of SSL and TLS Authenticity Encryption StartTLS 131 133 135 136 137 137 138 139 139 141 142 Creating an SSL/TLS CA Creating a Certificate 143 147 Configuring StartTLS Configuring Client TLS Configuring LDAPS 152 153 155 Creating a New Certificate Request Signing the Certificate Request Configuring and Installing the Certificates [ iii ] 147 149 150 Appendix C Rebuilding a Database (BDB, HDB) Sometimes it is necessary to rebuild a backend database This process differs depending on the database backend For instance, with a SQL backend, it might entail dumping, dropping, and re-creating tables in the database Moving to a new server and transferring contents to a new slave server are also processes similar to rebuilding a database, and the differences are mentioned within the text here The most commonly-used backends for OpenLDAP are the HDB and BDB backends (both based on the Berkeley DB lightweight database) In this section, I want to cover the process of rebuilding these databases This process consists of five steps: Stop SLAPD Dump the directory data into a file Delete the old directory files Create a new database Start SLAPD None of these steps is particularly difficult In fact, for a small to medium-sized directory, this process can be done in less than ten minutes Moving from Server to Server Moving a directory from one server to another is done by a process very similar to that described here Only step three, as mentioned later, differs In this case, instead of deleting directory files, the LDIF file would be transferred from the original server to the new server Steps one and two would be run on the original server, and steps four and five would be done on the new server Step 1: Stop the Server The purpose of stopping the server is to prevent additional changes to the directory information tree while we are working on it [ 453 ] Useful LDAP Commands If you are just dumping the contents of a master directory to import into a shadow server that will use SyncRepl, you need not stop the server Any changes that happen after the directory has been dumped will be retrieved by the shadow server during its first LDAP synchronization operation This can be done either by killing the server's process ID, or by running the startup script with the stop command: $ sudo invoke-rc.d slapd stop Now that the server is stopped, we can dump the database Step 2: Dump the Database In Chapter I covered the OpenLDAP utilities One of the tools I discussed was the slapcat program, which is a tool for dumping the contents of the directory into an LDIF file That is the program we will use in this step Why use slapcat instead of an ldapsearch? There are two reasons First, slapcat preserves all of the attributes (and records for that matter) that the LDAP server uses, including the operational attributes that are stored (Those operational attributes that are generated at runtime are not generated by slapcat, and that is good We wouldn't want to import those, anyway.) Second, slapcat accesses the database directly, instead of opening an LDAP connection to the server That means that ACLs, time and size limits, and other by products of the LDAP connection are not evaluated, and hence will not alter the data The BDB/HDB database is stored in a small set of files located at /var/lib/ldap (or /usr/local/var/openldap-data if you built from source) Usually access to those files is restricted to only the ID of the SLAPD user By default this is root or ldap In order to extract information using slapcat, you will need to have access to those files We have this command: $ sudo slapcat -l /tmp/backup.ldif This command executes slapcat as root The -l flag is used to pass in the name of the output file In this case the file backup.ldif will be created in the /tmp directory [ 454 ] Appendix C You may prefer putting the LDIF file in a folder other than /tmp, especially if you plan on keeping the LDIF file for more than a few minutes In most cases the -l flag is the only one you will need If you have more than one backend and you only want to dump one, you can use the -n flag to specify which backend to dump Once the slapcat is complete, we are done with this step Before continuing however, you may want to check the contents of the LDIF file to make sure that it is not corrupt Do this before deleting the database files Step 3: Delete the Old Database Files If you are re-building a database you will want to delete the old database files before building new ones You not need to this if you are either migrating from an old server to a new server or configuring SyncRepl shadow servers These files are stored at /var/lib/ldap (or /usr/local/var/openldap-data if you built from source) However, not all of the files in that directory should be deleted We only want to delete: • The index files: files that end in '.bdb' • The main database files: files named db.???, where the question marks are replaced by numbers in sequence ( db.001, db.002, and so on) • The alock file: a file used internally for storing locking information (Usually, this can be left with no negative consequences, but if SLAPD crashed, this can be left in an unstable state.) • The BDB log files: files named log.??????????, where the ten question marks are replaced by numbers in sequence: log.0000000001, log.0000000002, and so on There is one file we definitely not want to delete This is our database configuration file, DB_CONFIG Deleting it would cause the BDB engine to use its default settings, which are not tuned to our needs, and generally cause OpenLDAP to perform poorly [ 455 ] Useful LDAP Commands So, to delete the files, we can the following: $ cd /var/lib/ldap $ sudo rm db.* *.bdb alock log.* To reduce the risk of data loss, you may want to backup the db.*, *.bdb, and log.* files before removing them Or instead of doing an rm, you may use mv to move the files to a different location: $ cd /var/lib/ldap $ sudo mkdir backup/ $ sudo mv *.bdb log.* alock db.* backup/ Now the database directory has been cleared We are ready to create new database files Step 4: Create a New Database The new database can be created and populated with the data all in one step, using the slapadd utility that we covered in Chapter Still in the OpenLDAP data directory, run the following command: $ sudo slapadd -l /tmp/backup.ldif This will create all of the necessary files, import the LDIF file, and handle all of the data indexing as well If you are running your LDAP server as a user other than root (and it is a good idea to so), you will also need to use chown to change the ownership on all of the files at /var/lib/ldap to be owned by the SLAPD userID: sudo chown openldap *.bdb log.* db.* All we need to now is restart the server Step 5: Restart SLAPD If you stopped the server in step you will need to restart it Restart the server in one of the usual ways Using the init script is usually the best way: $ sudo invoke-rc.d slapd start That's all there is to it Now you should have SLAPD running with a fresh copy of the database [ 456 ] Appendix C Troubleshooting Rebuilds As long as the LDIF file exported with slapcat is good, there is not much that can go wrong in this process Even if you have to delete and recreate several times, as long as the LDIF file is safe, no important data is at risk If SLAPD is running as a user other than root, the main problem with importing is usually the permissions on the database files at /var/lib/ldap Permissions on the configuration files in /etc/ldap directory may also be the source of SLAPD failures Make sure they are owned by the appropriate user When switching versions of OpenLDAP, occasionally an old LDIF file will not be valid in the new server (this happened between OpenLDAP 2.0 and OpenLDAP 2.2, and again between 2.2 and 2.3; it could happen again in the future) While the standard schemas are fairly stable over time, operational attributes, which are not usually standardized, are more volatile, and change from release to release Often, the fix will be tweaking records in the LDIF file to match the attributes used in new version One other common issue has to with starting up the server Sometimes, when using the init script, you will not be able to get the server to start, but no informative message will be sent to the console or the log files (One common reason for the failure to start is the permissions issue I noted earlier) A good first step in solving startup problems is to run slapd from the command line, with debugging enabled: sudo slapd -d trace Summary In this appendix we looked at a couple of useful commands, including some designed to get detailed information about the directory server itself Also, we saw two ways of making directory backups, and examined the process of rebuilding a directory database [ 457 ] Index Symbols [resources], accessing access specifiers, combining 190 attrs used 187, 188 DN used 186 filters used 189 A abstract object class about 296, 298 working of 298-300 Access Control Lists See  ACLs access to phrase 35 accesslog overlay about 308 backend, configuring 309, 310 directory for log files, creating 310, 311 logging, enabling 311-313 logging with 308 log records 313-320 module, loading 308 ACLs [resources], accessing 185-190 about 34 access to phrase 35 access types 36 authorization, controlling 184 basics 184, 185 by phrase 37, 190 debugging 211 example 213-217 regular expressions 209 slapd.conf file structure 221 addition operation 58 Apache Apache 2.0 399 Apache 2.2 directory section 394 installing 389-391 LDAP authentication, configuring 391-401 attribute definition about 267, 274 allowed fields 280, 281 approximation operator 275 COLLECTIVE flag 279 comparison operators 275 entry collections 280 equality operator 275 fields description 274 greater-than-or-equal-to operator 275 indexes 278 less-than-or-equal-to operator 275 NO-USER-MODIFICATION flag 280 OBSOLETE flag 279 SINGLE-VALUE flag 279 SYNTAX parameter 278 USAGE field 280 attribute hierarchy about 293 features 293 searching 294, 295 subordinate attributes 294, 295 attribute sets 380 auxiliary object class about 296, 305 working of 305-307 B binding about 53 distinguished name, verifying 53, 54 SASL binding 54 simple bind 53 by phrase * specifier 195 about 190 access field 191-194 anonymous specifiers 195 connection 199 control field 208, 209 default by phrase 37 dn specifier 196, 197 groups 197-199 member-based record access 199 members 197-199 network 199 regular expressions 201 security 199 self specifier 195 set specifier, using 203-207 specifiers, combining 200 users specifier 196 who field 195 C caching proxy 375 certificate, creating CA certificate, installing 152 Certificate Request, creating 147, 148 Certificate Request, signing 149 configuring 150 installing 150 pass phrase, removing 150 relocating 151 clients, OpenLDAP about 22 common command line flags 108 ldapadd 119 ldapcompare 129 ldapdelete 128 ldapmodify 121 ldapmodrdn 130 ldappasswd 133 ldapsearch 110 ldapwhoami 135 COLLECTIVE flag 279 compare operation 61 configuration parameters, phpLDAPadmin about 405 array value, setting 407, 408 function, calling 406, 407 LDAP server settings, configuring 409-411 variable, setting 405 configuration record about 450 advantages 451 consumer 350 D daemons SLDAP 52 SLURPD 62 database, rebuilding about 453 database, dumping 454 new database, creating 456 old database files, deleting 455, 456 rebuilds, troubleshooting 457 server, stopping 453 SLAPD, restarting 456 database section, directives chache, controlling 241 disk I/O latency, reducing 242 index 238-240 index, rebuilding 240 limits 234 read-only directives 235-237 restrict directives 235-237 DB_CONFIG file about 243 BDB/HDB transaction logging 246, 247 Berkeley DB 243, 248 cache size, setting 245 corrupt BDB/HDB database, recovering 246 data directory, configuring 246 lock files, tuning 248 delete operation 59 Delta SyncRepl about 366 master server configuration 366-368 shadow server configuration 368, 369 [ 460 ] denyop overlay about 250, 252 configuring 252 module, loading 252 overlay, adding 253 specific directives, adding 254 digital signature about 140 X.509 certificate 140 directory about attributes directory entry directory entry, example 12-15 directory entry, structure 10, 11 directory information tree 16 directory server object class attribute 14 operational attribute 15 operations, clients used 108 preparing, utilities used 89 directory, users authenticating about 162 Cyrus SASL, configuring 167 SASL binding 165 simple binding 162 SLAPD configuring, SASL support 168 SSL/TLS certificates, for authentication 175 directory, utilities using about 89 slapacl 101 slapadd 90 slapauth 102 slapcat 98 slapdn 103 slapindex 97 slappasswd 104 slaptest 107 directory backup creating 451 directory database 451 LDIF backup file 452 directory data complete LDIF file 87 creating 62 directory tree, creating 69 LDIF file format 63 directory information tree about 15 base entry 16 subordinate entry 16 superior entry 17 directory operations using clients about 108 command-line flags 108 common flags 109 ldap.com, defaults setting 110 ldapadd 119 ldapcompare 129 ldapdelete 128 ldapmodify 121 ldapmodrdn 130 ldappasswd 133 ldapsearch 110 ldapwhoami 135 directory overlays See  overlays directory tree base DN record, defining 70-72 creating 69 directory, structuring 73-78 group records, adding 84-86 Organizational Units 73 outside requests, handling 72 root defining types 69 system records, adding 82, 83 user records, adding 78-82 distinguished name about 11 relative DN 60 DIT content rules about 268, 284 auxiliary object class 285 NAME field validation 286 structural object class 284 supported fields 290 DN See distinguished name E entry collection about 279 working of 280 Extended operation 61 [ 461 ] F fast bind 163 G global directives about 227 hard limit, time limits 228 idle timeouts 229 size limits 230 soft limit, time limits 228 threads 231 time limits 227 time limits, setting 228 I ID assertion 374 index directive about 238 optimization types 239 rebuild, avoiding 240 schema 239 installation, OpenLDAP See also OpenLDAP, from source code prerequisites 25, 26 L LDAP about Apache, installing 389 application 387 authentication 138 authorization 138 commands 447 connection security 138 directory directory entry structure 10 directory information tree 15 distinguished name 11 LDAP entry 12 object class attribute 14 operational attribute 15 proxy, configuring 371 security 137 server side 52 URLs 443 ldapadd about 119 records, adding from file 120 LDAP authentication configuring 391 modules, loading 392 LDAP clients configuring 43-46 ldapcompare 129 LDAP Data Interchange Format See  LDIF ldapdelete 128 ldapmodify about 121 record, adding 121, 122 record, deleting 128 record, modifying 122-125 record moving, modrdn used 126, 127 relative DN, modifying 125, 126 ldapmodrdn about 130 superior DN, modifying 131-133 ldappasswd 133 LDAP schemas See  schemas ldapsearch about 110 operational attributes, requesting 114-116 returned fields, restricting 113 searching, file using 116-118 simple search 110 LDAP server history 19 SLAPD 52 LDAP suite 51 LDAP syntaxes 268 LDAP URLs about 443 attributes 443 base DN 443 components 443 domain name 443 extension 443 port number 443 protocol 443 scope 443 search filter 443 uses 445 [ 462 ] ldapwhoami 135 LDIF about 63 attribute values, representing 66-69 complete file 87-89 directory tree, creating 69 document object class 65 DSML 63 file anatomy 64 libraries 22 Lightweight Directory Access Protocol See  LDAP log records 313 M master server 350 configuring 354 SyncRepl user, creating 356 matching rule definitions about 268 indexes 278 ordering rule 275 matching rule uses 268 modification operation about 58 add request 58 attributes 58 delete request 59 replace request 59 ModifyDN operation 60 multiple database backends about 219 config file 220 second directory, creating 223-225 second directory, importing 223-225 slapd.conf 220 structure, slapd.conf 220, 221 useful scenarios 219, 220 N name forms 268 NO-USER-MODIFICATION flag 280 O object class definition about 267 attribute name validation 271, 272 example 270 Object Identifier 271 OID 271 Root DSE 271 object class hierarchy about 292 abstract object class 296 attribute hierarchy 293 auxiliary object class 296 object class types 295 overview 296 structural object class 296 object identifiers about 268, 271, 282 advantage 283 schema, creating 283 OBSOLETE flag 279 OpenLDAP building from source 431 clients 22 commercial distribution 24 history 19 installing 25 libraries 22 master server 350 OpenLDAP suite 23 overview 20 passwords, generating 105, 106 passwords, storing 104, 105 passwords, using 104, 105 prerequisites 23 security 137 servers 21, 26 shadow server 350 SLAPD server, configuring 26 source code, compiling 25 using 51 utilities 22 versions 25 OpenLDAP, from source code See also installation, OpenLDAP about 431 building with make 439 build tools 433-435 code, downloading 431, 432 [ 463 ] compiling 437 compiling tools 433 configuring 437, 438 dependencies, installing 436 installing 440, 441 need for 431 OpenLDAP suite 23 operators approximation operator 275 comparison operators 275 equality operator 275 greater-than-or-equal-to operator 275 overlays about 249 accesslog 250, 308 auditlog 250 chain 250 collect 279 denyop 250 denyop, configuting 252-254 dyngroup 250 dynlist 250 glue 250 lastmod 251 official overlays 250 password policy 320 pcache 251 ppolicy 251 refint 251 refint, working with 254-260 retcode 251 rwm 251 stacked overlays 249 syncprov 251 translucent 251 unique 251 unique, working of 261-263 P password policy overlay about 320 attributes used 323 global directives, setting 321, 322 operational attributes 333, 334 overlay directives, configuring 326-330 password policy, creating 322-326 testing 330-333 performance directives about 226 database section directives 233 global directives 227 phpLDAPadmin about 401 array value, setting 407, 408 configuration parameters 405 configuring 403, 404 function, calling 406, 407 installing 402, 403 LDAP server settings, configuring 409-411 navigating 414-416 prerequisites 402 record, adding 422-425 record, modifying 416-422 record, viewing 416-422 recovering 403 searching with 426-430 variable, setting 405 provider 350 proxying attribute sets 380 caching proxy 375-379 identity management 374, 375 LDAP background 372, 373 templates 380 translucent proxy 381-385 R Referential Integrity Overlay See  refint overlay refint overlay about 251, 254 configuring 255, 256 disadvantages 260 records, modifying 257-259 seeAlso 256 replication about 349 graphical representation 351 implementing 351 master server 350 overview 350 pull method 351 [ 464 ] push method 351 shadow server 350 SyncRepl 352 Requests for Comments 19 RFCs 19 root DSE about 447 directory, information getting 447-449 S SASL binding about 165 ACL 172 Cyrus SASL, configuring 167 Kerberos ticket-based authentication 166 mapping failure 173 OTP 166 realm specifying need, removing 173, 174 replacement string, using 169, 170 SASL configuration, debugging 174 SASL configuration file 167 SASL EXTERNAL mechanism 166 search filter, using 171, 172 SLAPD, configuring 168, 169 user password, setting 167 schemas about 265 attribute definition 267 creating 336 definitions 267 difficulties with 266, 267 DIT content rules 268 loading 344 object class definition 267 object identifiers 268 retrieving from SLAPD 290-292 troubleshooting the loading process 345 schemas, creating attributes, creating 342-344 attributes, naming 340 directory string syntax 342 new schemas, loading 344 new schemas, troubleshooting 345 object classes, creating 340, 341 object classes, naming 340 OID, getting 337-339 OID, naming 339 searching attribute descriptions 55 attributes 55 comparison operators 275 components, filters 55, 56 filters 55 filters, creating 55 logical operators for filters 56 prerequisites 54 server response 57 substring search 56 Secure Sockets Layer See  SSL/TLS security about 137 LDAP security 137 network-based directory connections 138 SSL/TLS 138 server performance, tuning about 226 performance directives 226 shadow server 350 configuring 357 configuring, StartTLS used 360 referral, configuring 364, 365 syncrepl directive 359 simple binding about 162 authentication user, using 164, 165 fast bind 163 slow bind 163 SINGLE-VALUE flag 279 slapacl 101 slapadd about 90 directory files, destroying 95, 96 directory files, recreating 95, 96 ldapadd, running in test mode 91-93 LDIF file, loading 91 operational attributes 94 records, importing 93, 94 server, stopping 91 troubleshooting 95 using criteria 90 working 91 slapauth 102 [ 465 ] slapcat about 98 operational attributes 99-101 slapdn 103 SLAPD server about 21, 52 addition operation 58 binding 53 configuring 26 compare operation 61 delete operation 59 Extended operation 61 modification operation 58 ModifyDN operation 60 schemas, retrieving 290 searching 54 slapd.conf 220 slapd.conf file structure 220, 221 starting, init script used 41 starting, SLAPD directory used 41-43 stopping, init script used 41 stopping, SLAPD directory used 41-43 testing 46-50 working of 52 SLAPD server, configuring about 26 ACLs 34-38 basics 28-31 configuration file, verifying 38-40 database, configuring 31-34 directives, basics 29, 30 modules, basics 30, 31 performance, tuning 226 schemas, basics 29 slapindex about 97 using criteria 97 slappasswd about 104 passwords, generating 105, 106 passwords, storing 104, 105 passwords, using 104, 105 slaptest 107 slave server 350 slow bind 163 SLURPD 62 SSL/TLS about 139 authenticity 139 certificate, creating 147 Certificate Authority, creating 143-146 certificates for authentication 175 client TLS, configuring 153-155 digital signature 140 encryption 141 LDAPS, configuring 155-157 OpenSSL client, debugging 157 security 157 security directive 158-161 StartTLS 142 StartTLS, configuring 152 X.509 certificate 140 SSL/TLS certificates, for authentication about 175 client, configuring 178, 179 client certificate, creating 176-178 ldapwhoami, testing 181-183 SASL 183 server, configuring 179-181 StartTLS about 142 configuring 152 shadow server, configuring 360 versus LDAPS 142 structural object class about 296, 300 working of 300-304 structure rules 268 subschema record about 449 directory, information getting 449, 450 substring search 56 SyncRepl about 352 advantages 352 configuring 353 debugging 369 Delta SyncRepl 366 refresh-only operation 352 refresh and persist operation 352 SyncRepl, configuring Delta SyncRepl 366 master server, configuring 354, 355 referral, configuring 364 [ 466 ] replication, starting 365 shadow server, configuring 357-359 StartTLS 360 syncrepl directive 359 user, creating 356 SyncRepl, debugging ACL errors 370 common errors 370 limit errors 370 SASL authentication failure 371 strategic logging 370 untuned DB_CONFIG 371 SYNTAX parameter 278 T translucent proxy 281 Transport Layer Security See  SSL/TLS module, loading 261 USAGE field 280 utilities about 22 directory, preparing 89 slapadd 90 slapauth 102 slapcat 98, 101 slapdn 103 slapindex 97 slappasswd 104 slaptest 107 X X.509 certificate about 140 digital signature 140 U uniqueness overlay about 251, 261 configuring 261-264 [ 467 ] .. .Mastering OpenLDAP Configuring, Securing, and Integrating Directory Services Matt Butcher BIRMINGHAM - MUMBAI Mastering OpenLDAP Copyright © 2007 Packt Publishing... of the OpenLDAP server, and finish up with a technical overview of OpenLDAP The next set of chapters focus on building directory services with OpenLDAP, and we take a close look at the OpenLDAP. .. working with LDAP data Chapter covers security, including handling authentication to the directory, configuring Access Control Lists (ACLs), and securing network-based directory connections with Secure