2/26/2010

LDAP with 389 Project and OpenLDAP

The last couple of days, I've been working with LDAP again. Yesterday, I worked with the 389 Project LDAP server from Fedora. It was easy to set up, and easy to integrate with my system authentication. I got it to work with my Apache web server, too. Unfortunately, I could not get LDAP over SSL to work with Apache: either it is not supported or Apache doesn't like the self-signed certificate that I used.

Yet, LDAP over SSL works fine for authentication. In the past, I had trouble even getting that to work with self-signed certificates, and had to resort to setting up a Certificate Authority on a separate machine to sign the certificate for the LDAP server. The key to making it work now appears to be the TLS_REQCERT setting. Here are the contents of my /etc/openldap/ldap.conf:

URI ldap://localhost.localdomain
BASE dc=fedora,dc=test
TLS_CACERTDIR /etc/openldap/cacerts
# allow: the server certificate is requested, but if it cannot be verified it is
# ignored and the session proceeds, i.e. the check is skipped rather than satisfied
TLS_REQCERT allow
# HOST is deprecated in favour of URI
HOST localhost.localdomain
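What `allow` actually does is worth spelling out: per ldap.conf(5), the client asks for the server certificate but, if it cannot be verified, ignores it and proceeds, so the setting makes a self-signed certificate "work" by skipping the check that would catch a forged one, and a spoofed server could collect every bind password. The script below is an added example, not from the original post: it reproduces the post's ldap.conf as a constructed sample, audits it, and writes a hardened version that keeps TLS_REQCERT at its default of demand and pins the self-signed server certificate itself as the trust anchor. The certificate path /etc/openldap/cacerts/ldap-server.pem and the temporary files are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: audit an OpenLDAP client
# ldap.conf for TLS settings that skip server-certificate verification and
# emit a hardened replacement.  The certificate path and the sample files
# written below are assumptions constructed for the demo.

# Effective TLS_REQCERT value of FILE.  ldap.conf(5) keywords are
# case-insensitive, the last occurrence wins, and libldap defaults to
# "demand" when the keyword is absent.
tls_reqcert_policy() {
    awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
         END { print (v == "" ? "demand" : v) }' "$1"
}

# audit_ldap_conf FILE
#   0  the client drops a session whose server certificate fails to verify
#   1  TLS_REQCERT never/allow/try: a bad or missing certificate is tolerated
#   2  verification is on but no trust anchor is configured, so a self-signed
#      server certificate can never verify and every TLS bind will fail
audit_ldap_conf() {
    cfg=$1
    policy=$(tls_reqcert_policy "$cfg")
    case "$policy" in
        demand|hard)
            if grep -qiE '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$cfg"; then
                echo "$cfg: ok, TLS_REQCERT $policy with a configured trust anchor"
                return 0
            fi
            echo "$cfg: TLS_REQCERT $policy but no TLS_CACERT/TLS_CACERTDIR" >&2
            return 2 ;;
        never|allow)
            echo "$cfg: INSECURE, TLS_REQCERT $policy: a bad certificate is ignored and the session proceeds" >&2
            return 1 ;;
        try)
            echo "$cfg: WEAK, TLS_REQCERT try: a server that presents no certificate is accepted" >&2
            return 1 ;;
        *)
            echo "$cfg: unknown TLS_REQCERT value '$policy'" >&2
            return 1 ;;
    esac
}

# The post's ldap.conf, reproduced here as a constructed sample.
post_ldap_conf() {
    cat <<'EOF'
URI ldap://localhost.localdomain
BASE dc=fedora,dc=test
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
HOST localhost.localdomain
EOF
}

# Hardened version: verification enforced, with the server's own self-signed
# certificate as the trust anchor.  A self-signed certificate is its own
# issuer, so pinning it as the CA is enough for it to verify; no separate CA
# machine is needed.  The .pem path is an assumption.
hardened_ldap_conf() {
    cat <<'EOF'
URI ldap://localhost.localdomain
BASE dc=fedora,dc=test
# PEM copy of the server certificate, installed over a trusted channel
# rather than fetched from the server you are about to verify.
TLS_CACERT /etc/openldap/cacerts/ldap-server.pem
TLS_REQCERT demand
EOF
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
post_ldap_conf     > "$demo_dir/ldap.conf.post"
hardened_ldap_conf > "$demo_dir/ldap.conf.hardened"
for f in "$demo_dir"/ldap.conf.*; do
    audit_ldap_conf "$f" || true   # the status is the verdict; keep going under set -e
done
```

Put the hardened file in place and test with ldapsearch -x -ZZ -b dc=fedora,dc=test '(uid=keith)': -ZZ forces StartTLS on the ldap:// URI and the command fails outright if the certificate does not verify, whereas under allow the same command succeeds silently against any certificate. Pointing TLS_CACERT straight at the PEM file also sidesteps the hash-named file layout that TLS_CACERTDIR expects.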

Today, I'm attempting to use the openldap-servers package for Fedora. The configuration appears to have changed significantly from what I've used in the past. The /etc/openldap/slapd.conf did not even exist after installation. Instead, there appear to be some auto-generated LDIF files in the /etc/openldap/slapd.d directory. There was a /etc/openldap/slapd.conf.bak file that contained the typical configuration items.

After copying /etc/openldap/slapd.conf.bak to /etc/openldap/slapd.conf, I searched and replaced the distinguished name for my domain in the suffix and rootdn entries. I used slappasswd to generate an encrypted password like this:

suffix "dc=fedora,dc=test"
rootdn "cn=Manager,dc=fedora,dc=test"
# {SSHA} is a salted SHA-1 hash (slappasswd's default scheme); only the hash is
# stored, but it is crackable offline, so keep slapd.conf readable only by root
# and the ldap user (mode 0640)
rootpw {SSHA}SqpHzAMFefEQIu4Saw5vZWwTqEZQMkiq

Likewise, I updated the database monitoring section:

# enable monitoring
database monitor

# allow only rootdn to read the monitor
# (access directives apply to the database whose "database" line they follow)
access to *
by dn.exact="cn=Manager,dc=fedora,dc=test" read
by * none
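In slapd.conf, access directives belong to the database whose database line they follow, so the ACL above restricts only the monitor backend. The bdb database holding the users gets OpenLDAP's built-in default when it has no ACL of its own, which lets anyone read anything (the userPassword hashes added later in the post included) and restricts only updates to the rootdn. The following is an added example rather than anything from the original post: a small lint that walks a slapd.conf and reports, per data database, whether a userPassword ACL exists and is actually reachable, run over three constructed configurations (the post's layout, a hardened one, and the same hardened rules in the wrong order).

```sh
#!/bin/sh
# Added example, not from the original post: a lint for slapd.conf that
# reports, per data database, whether a reachable ACL protects userPassword.
# The three sample configurations below are constructed for the demo.

# check_userpassword_acl FILE -> 0 if every data database (monitor and config
# excluded) has a userPassword ACL that can actually be reached, 1 otherwise.
# Simplified model of slapd.access(5): "access" directives belong to the most
# recent "database" directive (global if none precedes them), a database's own
# ACLs are tried in order before global ones, and the first "to" clause that
# matches wins, so "access to attrs=userPassword" placed after "access to *"
# is never consulted.
check_userpassword_acl() {
    awk '
    /^[[:space:]]*#/ { next }                          # comment line
    $1 == "database" { db = $2; dbs[db] = 1; next }    # ACLs that follow belong to db
    $1 == "access" && $2 == "to" {
        t = (db == "") ? "global" : db
        if ($3 ~ /^attrs=/ && $3 ~ /userPassword/) {
            if (!star[t]) prot[t] = 1                  # reachable only before "to *"
        } else if ($3 == "*") {
            star[t] = 1
        }
    }
    END {
        rc = 0
        for (d in dbs) {
            if (d == "monitor" || d == "config") continue
            if (prot[d] || (prot["global"] && !star[d])) {
                printf "%s: userPassword protected\n", d
            } else {
                printf "%s: userPassword readable (default policy, or shadowed by an earlier \"access to *\")\n", d
                rc = 1
            }
        }
        exit rc
    }' "$1"
}

# As in the post: the only ACL sits under "database monitor", so the bdb
# database falls back to the default policy (read everything, update by rootdn).
weak_slapd_conf() {
    cat <<'EOF'
database bdb
suffix "dc=fedora,dc=test"
rootdn "cn=Manager,dc=fedora,dc=test"

database monitor
access to *
    by dn.exact="cn=Manager,dc=fedora,dc=test" read
    by * none
EOF
}

# Hardened: password attributes can be used to bind and changed by their owner
# but never read.  Everything else stays world-readable so NSS lookups keep
# working; tighten to "by users read" if NSS binds with a service account.
hardened_slapd_conf() {
    cat <<'EOF'
database bdb
suffix "dc=fedora,dc=test"
rootdn "cn=Manager,dc=fedora,dc=test"
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none
access to *
    by * read

database monitor
access to *
    by dn.exact="cn=Manager,dc=fedora,dc=test" read
    by * none
EOF
}

# Same clauses, wrong order: the catch-all is first and matches every request,
# so the userPassword rule is dead and the hash is still world-readable.
misordered_slapd_conf() {
    cat <<'EOF'
database bdb
suffix "dc=fedora,dc=test"
rootdn "cn=Manager,dc=fedora,dc=test"
access to *
    by * read
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none
EOF
}

acl_dir=$(mktemp -d)
trap 'rm -rf "$acl_dir"' EXIT
weak_slapd_conf       > "$acl_dir/weak.conf"
hardened_slapd_conf   > "$acl_dir/hardened.conf"
misordered_slapd_conf > "$acl_dir/misordered.conf"
for c in "$acl_dir"/*.conf; do
    printf '%s:\n' "$c"
    check_userpassword_acl "$c" || true   # the status is the verdict; keep going under set -e
done
```

After loading the hardened ACL, an anonymous ldapsearch -x -LLL -b dc=fedora,dc=test '(uid=keith)' userPassword should return the entry DN without a userPassword line, while ldapwhoami -x -D uid=keith,ou=People,dc=fedora,dc=test -W still binds, which is exactly what by anonymous auth permits.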

Restarting slapd seemed to have no effect! I was unsuccessfully attempting to verify that I could authenticate as Manager using the following command:

[keith@earth fedora.test]$ ldapwhoami -x -D cn=Manager,dc=fedora,dc=test -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Reading the man page on slapd, it seems that if you invoke the daemon as follows, then it will convert your configuration file to LDIF in the /etc/openldap/slapd.d directory.

# Reads slapd.conf and writes the equivalent cn=config LDIF under slapd.d.
# When slapd starts with neither -f nor -F, an existing slapd.d is used and
# slapd.conf is ignored, which is why editing slapd.conf alone changed nothing.
# slaptest(8) takes the same -f/-F pair and converts without starting the daemon;
# if run as root, fix ownership afterwards, since Fedora runs slapd as user ldap.
slapd -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

Now, at last I could verify my ability to authenticate:

[keith@earth fedora.test]$ ldapwhoami -x -D cn=Manager,dc=fedora,dc=test -W
Enter LDAP Password:
dn:cn=Manager,dc=fedora,dc=test

While there are many GUI and WBI tools available for LDAP, I wanted to review and practice my CLI tools. Since it's been three years since I took the Red Hat Directory Services and Authentication course RH423 and exam EX423, I've been reviewing the Directory Services course that I wrote following that experience to refresh my memory. To begin with, a root entry for the domain was needed in the Directory Information Tree (DIT).

[keith@earth fedora.test]$ ldapadd -x -D cn=Manager,dc=fedora,dc=test -W
Enter LDAP Password:
# root entry for Directory Information Tree
dn: dc=fedora,dc=test
objectclass: domain
dc: fedora

adding new entry "dc=fedora,dc=test"

Before adding entries for users or computers, I prepared a file for the needed organizational units and created them like this:

[keith@earth fedora.test]$ cat ou.ldif
# add entries for organizational units
dn: ou=People,dc=fedora,dc=test
objectclass: organizationalUnit
ou: People

dn: ou=Hosts,dc=fedora,dc=test
objectclass: organizationalUnit
ou: Hosts
[keith@earth fedora.test]$ ldapadd -x -D \
cn=Manager,dc=fedora,dc=test -W -f ou.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=fedora,dc=test"

adding new entry "ou=Hosts,dc=fedora,dc=test"

Finally, we can begin to add leaf, or end node, entries to the tree:

[keith@earth fedora.test]$ cat keith.ldif
dn: uid=keith,ou=People,dc=fedora,dc=test
uid: keith
cn: Keith Wright
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
# {crypt} with a $1$ prefix is MD5-crypt, the /etc/shadow format of the time;
# readable hashes are crackable offline, so an ACL must hide this attribute
userPassword: {crypt}$1$2OTQS7Fs$EFizXUzsCFISt9BANTDje/
# days since 1970-01-01, as in /etc/shadow
shadowLastChange: 13363
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/keith

[keith@earth fedora.test]$ ldapadd -x -D cn=Manager,dc=fedora,dc=test -W -f keith.ldif
Enter LDAP Password:
adding new entry "uid=keith,ou=People,dc=fedora,dc=test"


About Me - WrightRocket


I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.