YoLinux Tutorial: Using Open LDAP (V1.2) - examples:


There have been two versions of OpenLDAP (1.x and 2.x), and the two are configured differently. This tutorial covers the configuration of OpenLDAP version 1.2. Red Hat 6.x distributions shipped with OpenLDAP 1.x, while Red Hat Linux 7.x and 8.0 ship with OpenLDAP 2.x. For a tutorial covering the newer OpenLDAP 2.x,
see:

The scenario in this tutorial uses two LDAP organizations or domains, each with its own database and administrator. The example also shows how to grant limited administrative rights to a group administrator within one database: that administrator's write access is restricted to the subset of entries selected by a search filter.

Related YoLinux Tutorials:

° OpenLDAP 2/1.2 configuration

° LDAP client authentication

° LDAP password protection

° LDAP web front-end






The /etc/openldap/slapd.conf file:

    ...
    ..
    .
    #######################################################################
    # Applies to all backends
    #######################################################################

    defaultaccess   read
    access to attr="userpassword"  by self write
           by * compare

    #######################################################################
    # ldbm database definitions
    #######################################################################

    database        ldbm
    # First database definition
    lastmod on
    suffix          "o=CompanyA.com"
    rootdn          "cn=AManager,o=CompanyA.com"
    rootpw          secretwordA
    directory       /var/lib/ldap/CompanyA
    index           sn

    database        ldbm
    # Second database definition
    lastmod on
    suffix          "o=CompanyB.com"
    rootdn          "cn=BManager,o=CompanyB.com"
    rootpw          secretwordB
    directory       /var/lib/ldap/CompanyB
    index           graduatingYear,sn
    # Grant write access to Admin100 for every entry in dept100
    access to dn=".*,o=CompanyB.com" filter="deptno=dept100"
           by self write
           by dn="cn=Admin100,o=CompanyB.com" write

    # OpenLDAP V1.2 style attribute and object class definitions
    attribute deptno        cis

    objectclass bemployee
       requires sn,
                cn,
                graduatingYear,
                objectclass
      allows    mail,
                o,
                l,
                st,
                postalcode,
                c,
                givenname,
                deptno,
                userPassword

    ...
    ..
    .
                
Note that each database is separate and resides in its own directory. Each has its own rootdn, so there are two separate administrators with two separate passwords. Both rootpw values are stored in clear text here, so slapd.conf must not be readable by anyone other than the account slapd runs as.

Also note that the database-specific access directive grants Admin100 write access to every entry under o=CompanyB.com whose deptno is dept100 (and lets each of those entries modify itself). Entries in other departments are not selected by the filter, so for them Admin100 gets only the default access (read).

One caveat on the schema: bemployee requires graduatingYear, which the sample entries below omit. They load because OpenLDAP 1.2 does not check schema unless "schemacheck on" is set; if you enable it, add graduatingYear to each bemployee entry.

Company B LDIF file (companyb.ldif):

dn: o=CompanyB.com
objectclass: top
objectclass: organization
o: CompanyB.com

dn: cn=BManager,o=CompanyB.com
cn: BManager
sn: BManager
objectclass: top
objectclass: person

dn: cn=Admin100,o=CompanyB.com
cn: Admin100
sn: Admin100
objectclass: top
objectclass: person
userPassword: admin100secret

dn: cn=Albert Abama,o=CompanyB.com
cn: Albert Abama
sn: Abama
objectclass: top
objectclass: person
objectclass: bemployee
mail: albert@CompanyB.com
l: Dallas
st: TX
postalCode: 76111
c: US
deptno: dept100

dn: cn=Mary Bama,o=CompanyB.com
cn: Mary Bama
sn: Bama
objectclass: top
objectclass: person
objectclass: bemployee
mail: Mary@CompanyB.com
l: Dallas
st: TX
postalCode: 76111
c: US
deptno: dept200


                


Start the LDAP server and load the data, binding to each database as its own rootdn:

ldapadd -cv -D "cn=AManager,o=CompanyA.com" -W < companya.ldif
ldapadd -cv -D "cn=BManager,o=CompanyB.com" -W < companyb.ldif

Test it with an anonymous search of the whole Company B database:
ldapsearch -v -L -b "o=CompanyB.com" "objectclass=*"

Bound as Admin100, the search returns Admin100's own userPassword, because the global rule grants "by self write" on that attribute:
ldapsearch -v -L -D "cn=Admin100,o=CompanyB.com" -b "o=CompanyB.com" "objectclass=*" -W

The same entry searched anonymously shows no password: an unauthenticated client gets only "by * compare" on userPassword, which is not enough to read it:
ldapsearch -v -L -b "o=CompanyB.com" "cn=Admin100"


Modify:

This fails: AManager is the rootdn of the Company A database only and has no write access to entries in the Company B database.
ldapmodify -v -D "cn=AManager,o=CompanyA.com" -h localhost -W -f entrymods100

This is successful: BManager is the rootdn of the Company B database, and the rootdn is not subject to access control.
ldapmodify -v -D "cn=BManager,o=CompanyB.com" -h localhost -W -f entrymods100

This is also successful: Albert Abama is in dept100, which Admin100 is allowed to write.
ldapmodify -v -D "cn=Admin100,o=CompanyB.com" -h localhost -W -f entrymods100

File entrymods100:

dn: cn=Albert Abama,o=CompanyB.com
changetype: modify
replace: mail
mail: albet@MegaMail.com

This fails: Mary Bama is in dept200, outside the filter that grants Admin100 write access.
ldapmodify -v -D "cn=Admin100,o=CompanyB.com" -h localhost -W -f entrymods200

File entrymods200:

dn: cn=Mary Bama,o=CompanyB.com
changetype: modify
replace: mail
mail: mary@MegaMail.com
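The outcomes of the searches and modifications above follow directly from the access rules in slapd.conf, and you can check them without a running slapd. The script below is an added example, not code from the tutorial or from the OpenLDAP project: it parses the Company B LDIF (abridged to the entries the checks use, with graduatingYear absent as in the tutorial), reports which bemployee entries would fail schema checking, and models the "access to ... by ..." evaluation: the rootdn bypasses access control, the first rule whose target matches is used, and within it the first matching "by" clause wins. It assumes that a matching rule with no matching "by" clause falls back to "defaultaccess read", which is what the anonymous searches above rely on; the LDIF parser is a simplified one (no continuation lines or base64 values).

```python
# Added example (not from the tutorial or OpenLDAP): an offline model of the
# slapd.conf access rules above; the defaultaccess fallback is an assumption.
import re

# Company B entries from the page, abridged to the ones the checks use
# (constructed sample data; graduatingYear is absent, as in the tutorial).
COMPANYB_LDIF = """\
dn: cn=Admin100,o=CompanyB.com
cn: Admin100
sn: Admin100
objectclass: top
objectclass: person
userPassword: admin100secret

dn: cn=Albert Abama,o=CompanyB.com
cn: Albert Abama
sn: Abama
objectclass: top
objectclass: person
objectclass: bemployee
mail: albert@CompanyB.com
deptno: dept100

dn: cn=Mary Bama,o=CompanyB.com
cn: Mary Bama
sn: Bama
objectclass: top
objectclass: person
objectclass: bemployee
mail: Mary@CompanyB.com
deptno: dept200
"""

ROOTDN = "cn=BManager,o=CompanyB.com"      # rootdn of the Company B database
DEFAULT_ACCESS = "read"                       # 'defaultaccess read'
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}
BEMPLOYEE_REQUIRES = {"sn", "cn", "graduatingyear", "objectclass"}

# slapd.conf rules as (attr or None, dn regex or None, (attr, value) filter or
# None, [(who, level), ...]); the Company B rule is listed before the global
# userpassword rule and the first rule whose target matches is the one used.
ACCESS_RULES = [
    (None, r".*,o=CompanyB.com", ("deptno", "dept100"),
     [("self", "write"), ("dn:cn=Admin100,o=CompanyB.com", "write")]),
    ("userpassword", None, None, [("self", "write"), ("*", "compare")]),
]

def parse_ldif(text):
    """Parse plain LDIF (no continuation lines or base64) to {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries[dn] = attrs
    return entries

def missing_required(entries):
    """bemployee entries lacking an attribute the object class requires."""
    problems = {}
    for dn, attrs in entries.items():
        if "bemployee" in {c.lower() for c in attrs.get("objectclass", [])}:
            missing = sorted(BEMPLOYEE_REQUIRES - set(attrs))
            if missing:
                problems[dn] = missing
    return problems

def access_for(bind_dn, target_dn, entries, attr=None):
    """Access level bind_dn gets to target_dn (or to one of its attributes)."""
    if bind_dn == ROOTDN:
        return "write"                        # rootdn bypasses access control
    target = entries[target_dn]
    for rule_attr, dn_re, flt, by in ACCESS_RULES:
        if rule_attr and rule_attr != (attr or "").lower():
            continue                          # attribute rule, other attribute
        if dn_re and not re.fullmatch(dn_re, target_dn):
            continue
        if flt and flt[1] not in target.get(flt[0], []):
            continue                          # entry not selected by the filter
        for who, level in by:
            if who == "*" or (who == "self" and bind_dn == target_dn) \
                    or who == "dn:" + bind_dn:
                return level                  # first matching 'by' clause wins
        break   # rule matched but no 'by' clause did: assumed to fall through
    return DEFAULT_ACCESS

def can(bind_dn, target_dn, entries, needed, attr=None):
    """True if bind_dn holds at least the 'needed' access level."""
    return LEVELS[access_for(bind_dn, target_dn, entries, attr)] >= LEVELS[needed]
```

Calling can() with the bind DNs used in the ldapmodify runs above reproduces each result: AManager and Admin100 both get only "read" on Mary Bama's entry, Admin100 gets "write" on Albert Abama's, and BManager gets "write" everywhere as rootdn. The same function with attr="userPassword" shows why Admin100 sees its own password while an anonymous bind (an empty bind DN) is limited to "compare". missing_required() flags both employee entries, which is the schemacheck caveat from the configuration section.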


LDAP Book List:

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good,
ISBN 0672323168, Addison-Wesley Pub Co

Second edition. It is general in nature but complete in that it covers all concepts in depth. It is a good book for those wanting to understand everything about LDAP, schema development and its capabilities.

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good,
ISBN 1-57870-070-1, MacMillan Technical Publishing

First edition, out of print (used copies only); see the second edition above. This is the largest LDAP book I own. It is general in nature but complete in that it covers all concepts in depth. It is NOT a good programmer's reference, but it is good for those wanting to understand everything about LDAP, schema development and its capabilities. Netscape centric.

"Programming Directory-Enabled Applications with Lightweight Directory Access Protocol",
by Timothy A. Howes, PhD and Mark C. Smith
ISBN 1-57870-000-0, MacMillan Technical Publishing

Excellent programmer's reference for those using the LDAP C language API. Also covers search filters and LDAP URLs. The OpenLDAP source code is so poorly commented that I found this book was often the only source for an explanation of what was happening in the code.

"Implementing LDAP",
Mark Wilcox
ISBN 1-861002-21-1, Wrox Press

This book covers all aspects of LDAP from LDIF to the LDAP SDK in C, Perl and Java. It has a strong Netscape Directory Server bias.

"LDAP System Administration",
Gerald Carter
ISBN 1565924916, O'Reilly & Associates

This book covers the use of OpenLDAP and the integration of services.

"LDAP Programming, Management and Integration",
Clayton Donley
ISBN 1930110405, Manning Publications; 1st edition

This book covers LDAP administration as well as introductory information. It covers the Directory Services Markup Language (DSML), the Perl LDAP module and Java JNDI.

"Understanding LDAP - Design and Implementation", IBM Redbooks
Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman
IBM Redbook #SG24-4986-00

A reference to LDAP, also available as a PDF. This book has a bias towards IBM's eNetwork LDAP Directory server. Tight, terse, but covers everything.

"LDAP Implementation and Practical Use"
IBM Redbook #SG24-6193-00

Copyright © 2000, 2001 by Greg Ippolito