Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services

Matt Butcher

eBook - ePub
484 pages
English
About This Book

In Detail

This book is the ideal introduction to using OpenLDAP for Application Developers and will also benefit System Administrators running OpenLDAP. It prepares the reader to build a directory using OpenLDAP, and then employ this directory in the context of the network, taking a practical approach that emphasizes how to get things done. On occasion, it delves into theoretical aspects of LDAP, but only where understanding the theory helps to answer practical questions. The reader requires no knowledge of OpenLDAP, but even readers already familiar with the technology will find new things and techniques.

This book is organized into three major sections: the first section covers the basics of LDAP directory services and the OpenLDAP server; the second focuses on building directory services with OpenLDAP; in the third section of the book, we look at how OpenLDAP is integrated with other applications and services on the network. This book not only demystifies OpenLDAP, but gives System Administrators and Application Developers a solid understanding of how to make use of OpenLDAP's directory services.

The OpenLDAP directory server is a mature product that has been around (in one form or another) since 1995. It is an open-source server that provides network clients with directory services. All major Linux distributions include the OpenLDAP server, and many major applications, both open-source and proprietary, are directory aware and can make use of the services provided by OpenLDAP.

The OpenLDAP directory server can be used to store organizational information in a centralized location, and make this information available to authorized applications. Client applications connect to OpenLDAP using the Lightweight Directory Access Protocol (LDAP) and can then search the directory and (if they have appropriate access) modify and manipulate records.

LDAP servers are most frequently used to provide network-based authentication services for users; but there are many other uses for an LDAP server, including using the directory as an address book, a DNS database, an organizational tool, or even as a network object store for applications.

Approach

This book has been written from the application developer's perspective, tackling the topics that will be most important to helping the application developer understand OpenLDAP, and get it set up as securely and quickly as possible. It shows how OpenLDAP interoperates with other UNIX/Linux services (DNS, NIS, Samba, etc.).

Who this book is for

The target audience will require basic Linux system administration knowledge, but no prior knowledge of LDAP or OpenLDAP is assumed. If you are web savvy and are interested in using OpenLDAP for web applications and services such as client interaction, then this is the book for you.


Information

Year: 2007
ISBN: 9781847191021
Edition: 1

Mastering OpenLDAP

Matt Butcher


Table of Contents

Mastering OpenLDAP
Credits
About the Author
About the Reviewers
Preface
What This Book Covers
What You Need for This Book
Conventions
Reader Feedback
Customer Support
Downloading the Example Code for the Book
Errata
Questions
1. Directory Servers and LDAP
LDAP Basics
What is a Directory?
The Structure of a Directory Entry
A Unique Name: The DN
An Example LDAP Entry
The Object Class Attribute
Operational Attributes
The Directory Information Tree
What to Do with an LDAP Server
The History of LDAP and OpenLDAP
A Technical Overview of OpenLDAP
The Server
Clients
Utilities
Libraries
Summary
2. Installation and Configuration
Before Getting Started
OpenLDAP Binaries for Operating Systems
Commercial OpenLDAP Distribution
Source Code Compilation
A Quick Note on Versions
Installation
Dependencies
Installing OpenLDAP
Configuring the SLAPD Server
Basics
Schemas
More Directives
Module Directives
Database Configuration
ACLs
Verifying a Configuration File
Starting and Stopping the Server
Using the Init Script
Running SLAPD Directly
Configuring the LDAP Clients
A Basic ldap.conf File
Size and Time Limits
Testing the Server
Summary
3. Using OpenLDAP
A Brief Survey of the LDAP Suite
LDAP from the Server Side
SLAPD
The Binding Operation
The Search Operation
More Operations: Additions, Modifications, and Deletions
The Addition Operation
The Modification Operation
The Delete Operation
Infrequent Operations
The ModifyDN Operation
The Compare Operation
The Extended Operation
SLAPD Summary
SLURPD
Creating Directory Data
The LDIF File Format
Anatomy of an LDIF File
Representing Attribute Values in LDIF
Example.Com in LDIF
Defining the Base DN Record
Structuring the Directory with Organizational Units
Theory 1: Directory as Organizational Chart
Theory 2: Directory as IT Service
Expressing the OUs in LDIF
Adding User Records
Adding System Records
Adding Group Records
The Complete LDIF File
Using the Utilities to Prepare the Directory
slapadd
When Should slapadd be Used?
What Does slapadd Do?
Loading the LDIF File
Stopping the Server
Running ldapadd in Test Mode
Importing the Records Using slapadd
Restarting the Directory
If Something Went Wrong...
Destroying and Recreating the Directory Files
slapindex
slapcat
Operational Attributes
slapacl
slapauth
slapdn
slappasswd
Storing and Using Passwords in OpenLDAP
Generating a Password with slappasswd
slaptest
Performing Directory Operations Using the Clients
Common Command-Line Flags
Common Flags
Setting Defaults in ldap.conf
ldapsearch
A Simple Search
Restricting Returned Fields
Requesting Operational Attributes
Searching Using a File
ldapadd
Adding Records from a File
ldapmodify
Adding a Record with ldapmodify
Modifying Existing Records
Modifying the Relative DN
Moving a Record with modrdn
Deleting Entire Records
ldapdelete
ldapcompare
ldapmodrdn
Modifying the Superior DN with ldapmodrdn
ldappasswd
ldapwhoami
Summary
4. Securing OpenLDAP
LDAP Security: The Three Aspects
Securing Network-Based Directory Connections with SSL/TLS
The Basics of SSL and TLS
Authenticity
Encryption
StartTLS
Creating an SSL/TLS CA
Creating a Certificate
Creating a New Certificate Request
Signing the Certificate Request
Configuring and Installing the Certificates
Remove the Pass Phrase from the Key
Relocate the Certificates
Install the CA Certificate
Optional: Clean Up
Configuring StartTLS
Configuring Client TLS
Configuring LDAPS
Debugging with the OpenSSL Client
Using Security Strength Factors
The security Directive
A Fine-Grained security Directive
Authenticating Users to the Directory
Simple Binding
Using an Authentication User for Simple Binding
SASL Binding
Configuring Cyrus SASL
The SASL Configuration File
Setting a User Password
Configuring SLAPD for SASL Support
Using a Replacement String in authz-regexp
Using a Search Filter in authz-regexp
A Note on ACLs and Search Filters
Failure of Mapping
Removing the Need to Specify the Realm
Debugging the SASL Configuration
Using Client SSL/TLS Certificates to Authenticate
Creating a New Client Certificate
Configuring the Client
Configuring the Server
Testing with ldapwhoami
Going Further with SASL
Controlling Authorization with ACLs
The Basics of ACLs
Access to [resources]
Access using DN
Access using attrs
Access using Filters
Combining Access Specifiers
By [who] [type of access granted] [control]
The Access Field
The who Field
The * and anonymous Specifiers
The self Specifier
The users Specifier
The dn Specifier
Groups and Members
Member-Based Record Access
Network, Connections, and Security
Advanced Step: Using the set Specifier
The control Field
Getting More from Regular Expressions
Debugging ACLs
A Practical Example
Summary
5. Advanced Configuration
Multiple Database Backends
The slapd.conf File
Creating and Importing a Second Directory
Performance Tuning
Performance Directives
Global Directives
Time Limits
Idle Timeouts
Size Limits
Threads
Directives in the Database Section
Limits
Read-only and Restrict Directives
Index (BDB/HDB Backends Only)
Controlling the Cache (BDB/HDB Only)
Reducing Disk I/O Latency (BDB/HDB Only)
The DB_CONFIG File
Setting the Cache Size
Configuring the Data Directory
Optimizing BDB/HDB Transaction Logging
Tuning Lock Files
More about Berkeley DB
Directory Overlays
A Brief Tour of the Official Overlays
Configuring an Overlay: denyop
Loading the module
Adding the Overlay
Adding Overlay-Specific Directives
Referential Integrity Overlay
Configuring the Overlay
Modifying the Records
Drawbacks
A Useful Note
The Uniqueness Overlay
Summary
6. LDAP Schemas
Introduction to LDAP Schemas
Why Do They Look So Complicated?
Schema Definitions
Object Classes and Attributes
Object Class Definitions
Attribute Definitions
Object Identifier Definitions
DIT Content Rules
Retrieving the Schemas from SLAPD
The ObjectClass Hierarchy
Attribute Hierarchies
Subordinate Attributes and Searching
Object Class Types: Abstract, Structural, and Auxiliary
The Object Class Hierarchy: An Overview
Abstract Classes
Structural Object Classes
Auxiliary Object Classes
Moving Onward
Schemas: Accesslog and Password Policy Overlays
Logging with the Accesslog Overlay
Loading the accesslog Module
Configuring the Access Log Backend
Creating A Directory for the Access Log Files
Enabling Logging for the Main Backend
The Log Records
Implementing a Complex Overlay: Password Policy
Setting the Global Directives in slapd.conf: Schema and Module
Creating a Password Policy
Configure the Over...
