Related YoLinux Tutorials:
° OpenLDAP 2/1.2 configuration
° LDAP client authentication
° LDAP password protection
° LDAP web front-end
The /etc/openldap/slapd.conf file:
...
#######################################################################
# Applies to all backends
#######################################################################
defaultaccess read
access to attr="userpassword"
        by self write
        by * compare

#######################################################################
# ldbm database definitions
#######################################################################

# First database definition.
database ldbm
lastmod on
suffix "o=CompanyA.com"
rootdn "cn=AManager,o=CompanyA.com"
rootpw secretwordA
directory /var/lib/ldap/CompanyA
index sn

# Second database definition.
database ldbm
lastmod on
suffix "o=CompanyB.com"
rootdn "cn=BManager,o=CompanyB.com"
rootpw secretwordB
directory /var/lib/ldap/CompanyB
index graduatingYear,sn

# Grant write authorization to Admin100 for all entries in dept100.
access to dn=".*,o=CompanyB.com" filter="deptno=dept100"
        by self write
        by dn="cn=Admin100,o=CompanyB.com" write

# OpenLDAP V1.2 style attribute and object class definition.
attribute deptno cis
objectclass bemployee
        requires
                sn,
                cn,
                graduatingYear,
                objectclass
        allows
                mail,
                o,
                l,
                st,
                postalcode,
                c,
                givenname,
                deptno,
                userPassword
...
Note that each database is separate and resides in its own directory.
Each has its own rootdn, so there are two separate admins with two separate passwords.
Also note that Admin100 has been granted access to modify (write) the entries
of those in dept100.
dn: o=CompanyB.com
objectclass: top
objectclass: organization
o: CompanyB.com

dn: cn=BManager,o=CompanyB.com
cn: BManager
sn: BManager
objectclass: top
objectclass: person

dn: cn=Admin100,o=CompanyB.com
cn: Admin100
sn: Admin100
objectclass: top
objectclass: person
userPassword: admin100secret

dn: cn=Albert Abama,o=CompanyB.com
cn: Albert Abama
sn: Abama
objectclass: top
objectclass: person
objectclass: bemployee
mail: albert@CompanyB.com
l: Dallas
st: TX
postalCode: 76111
c: US
deptno: dept100

dn: cn=Mary Bama,o=CompanyB.com
cn: Mary Bama
sn: Bama
objectclass: top
objectclass: person
objectclass: bemployee
mail: Mary@CompanyB.com
l: Dallas
st: TX
postalCode: 76111
c: US
deptno: dept200
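As an added example (not code from this tutorial or from OpenLDAP), here is a small Python checker that parses LDIF of the form shown above and validates each entry against a V1.2-style object class definition, i.e. a "requires" list and an "allows" list per class. The SCHEMA table is a constructed subset: the bemployee class from the slapd.conf above plus simplified top, person and organization classes, not the full core schema. The SAMPLE_LDIF is also constructed; it gives Albert a graduatingYear and gives Mary an extra title attribute so that one entry passes and one fails. The names parse_ldif, check_entry, check_ldif, SCHEMA and SAMPLE_LDIF are this example's own.

```python
# Simplified V1.2-style schema: objectclass -> (requires, allows).
# Attribute names are compared case-insensitively, so everything is lower-cased.
# Constructed subset: bemployee is taken from the slapd.conf above, the
# other three classes are abbreviated versions of the standard ones.
SCHEMA = {
    "top": (["objectclass"], []),
    "person": (["sn", "cn", "objectclass"],
               ["userpassword", "telephonenumber", "seealso", "description"]),
    "organization": (["o", "objectclass"],
                     ["l", "st", "postalcode", "description"]),
    "bemployee": (["sn", "cn", "graduatingyear", "objectclass"],
                  ["mail", "o", "l", "st", "postalcode", "c",
                   "givenname", "deptno", "userpassword"]),
}

# Constructed sample input: Albert is complete, Mary lacks the required
# graduatingYear and carries a title attribute that no class allows.
SAMPLE_LDIF = """\
dn: cn=Albert Abama,o=CompanyB.com
cn: Albert Abama
sn: Abama
objectclass: top
objectclass: person
objectclass: bemployee
graduatingYear: 1999
mail: albert@CompanyB.com
deptno: dept100

dn: cn=Mary Bama,o=CompanyB.com
cn: Mary Bama
sn: Bama
objectclass: top
objectclass: person
objectclass: bemployee
mail: Mary@CompanyB.com
deptno: dept200
title: Engineer
"""


def parse_ldif(text):
    """Parse simple LDIF (plain "attr: value" lines, leading-space continuation,
    no base64) into a list of (dn, {attr_lower: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def check_entry(dn, attrs, schema=SCHEMA):
    """Return a list of schema violations for one entry (empty list = OK)."""
    problems = []
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:
        return [f"{dn}: entry has no objectclass"]
    allowed = set()
    for oc in classes:
        if oc not in schema:
            problems.append(f"{dn}: unknown objectclass {oc}")
            continue
        requires, allows = schema[oc]
        allowed.update(requires, allows)
        for a in requires:
            if a not in attrs:
                problems.append(f"{dn}: objectclass {oc} requires missing attribute {a}")
    for a in attrs:
        if a not in allowed:
            problems.append(f"{dn}: attribute {a} not allowed by {classes}")
    return problems


def check_ldif(text):
    """Validate every entry in an LDIF string; returns all violations found."""
    return [p for dn, attrs in parse_ldif(text) for p in check_entry(dn, attrs)]


if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF) or ["no schema violations"]:
        print(problem)
```

Note that the entries loaded in this tutorial do not carry graduatingYear even though the bemployee definition lists it under "requires"; whether slapd rejects such entries depends on its schemacheck directive, and a check like this one catches the gap before the data is loaded.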
Start the ldap server and load:

ldapadd -cv -D "cn=AManager,o=CompanyA.com" -W < companya.ldif
ldapadd -cv -D "cn=BManager,o=CompanyB.com" -W < companyb.ldif

Test it:

ldapsearch -v -L -b "o=CompanyB.com" "objectclass=*"

Bound as Admin100, this search shows Admin100's own userpassword attribute, demonstrating the "by self write" rule:

ldapsearch -v -L -D "cn=Admin100,o=CompanyB.com" -b "o=CompanyB.com" "objectclass=*" -W

This anonymous search shows no password, because a client that has not authenticated as an authorized user only has compare access to userpassword and cannot view it:

ldapsearch -v -L -b "o=CompanyB.com" "cn=Admin100"

This fails: AManager does not have authority to modify an entry in the CompanyB.com database.

ldapmodify -v -D "cn=AManager,o=CompanyA.com" -h localhost -W -f entrymods100

This is successful (BManager is the rootdn of the CompanyB.com database):

ldapmodify -v -D "cn=BManager,o=CompanyB.com" -h localhost -W -f entrymods100

This is also successful (Admin100 has write access to the entries in dept100):

ldapmodify -v -D "cn=Admin100,o=CompanyB.com" -h localhost -W -f entrymods100

File entrymods100:

dn: cn=Albert Abama,o=CompanyB.com
changetype: modify
replace: mail
mail: albet@MegaMail.com

This fails (Mary Bama is in dept200, which Admin100 has not been granted write access to):

ldapmodify -v -D "cn=Admin100,o=CompanyB.com" -h localhost -W -f entrymods200

File entrymods200:

dn: cn=Mary Bama,o=CompanyB.com
changetype: modify
replace: mail
mail: mary@MegaMail.com
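To make the outcomes of the test commands above checkable without a running slapd, here is an added Python model of OpenLDAP 1.2 access-control evaluation (not code from this tutorial or from OpenLDAP). It transcribes the slapd.conf access rules from the configuration section and the relevant entries, then evaluates a request the way slapd does: the first "access to" clause whose target matches wins, within it the first matching "by" clause sets the privilege level, the rootdn bypasses the ACLs of its own database, and defaultaccess applies when no clause matches. Assumptions of this example: database-specific rules are checked before the global ones, a matched clause with no matching "by" grants none, and "by dn=" values are regular expressions as in 1.2; LEVELS, GLOBAL_RULES, DATABASES, ENTRIES and allowed() are names of this example.

```python
import re

# Privilege levels in increasing order; a request is allowed when the
# granted level is at least the level the operation needs.
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}

# The access rules from the slapd.conf above, transcribed by hand.
# "dn" targets and "by dn=" values are regular expressions (1.2 behaviour).
GLOBAL_RULES = [
    {"attrs": {"userpassword"},
     "by": [("self", "write"), ("*", "compare")]},
]
DATABASES = {
    "o=companya.com": {"rootdn": "cn=amanager,o=companya.com", "rules": []},
    "o=companyb.com": {"rootdn": "cn=bmanager,o=companyb.com", "rules": [
        {"dn": r".*,o=CompanyB.com", "filter": ("deptno", "dept100"),
         "by": [("self", "write"), (r"cn=Admin100,o=CompanyB.com", "write")]},
    ]},
}
DEFAULT_ACCESS = "read"   # the "defaultaccess read" directive

# Constructed copies of the entries this tutorial loads (attribute names lower-cased).
ENTRIES = {
    "cn=Admin100,o=CompanyB.com": {"cn": ["Admin100"], "userpassword": ["admin100secret"]},
    "cn=Albert Abama,o=CompanyB.com": {"cn": ["Albert Abama"], "mail": ["albert@CompanyB.com"], "deptno": ["dept100"]},
    "cn=Mary Bama,o=CompanyB.com": {"cn": ["Mary Bama"], "mail": ["Mary@CompanyB.com"], "deptno": ["dept200"]},
}


def norm_dn(dn):
    return dn.lower() if dn else ""


def database_for(dn):
    """Find the database whose suffix the target DN falls under."""
    for suffix, db in DATABASES.items():
        if norm_dn(dn).endswith(suffix):
            return suffix, db
    return None, None


def rule_matches_target(rule, dn, entry, attr):
    """Does an 'access to' clause apply to this entry/attribute?"""
    if "dn" in rule and not re.fullmatch(rule["dn"], dn, re.IGNORECASE):
        return False
    if "filter" in rule:                      # single equality filter, e.g. deptno=dept100
        name, value = rule["filter"]
        if value.lower() not in [v.lower() for v in entry.get(name.lower(), [])]:
            return False
    if "attrs" in rule and (attr is None or attr.lower() not in rule["attrs"]):
        return False
    return True


def who_matches(who, requester, target_dn):
    """Does a 'by' clause apply to the bound DN (None = anonymous)?"""
    if who == "*":
        return True
    if requester is None:
        return False
    if who == "self":
        return norm_dn(requester) == norm_dn(target_dn)
    return re.fullmatch(who, requester, re.IGNORECASE) is not None


def granted_level(requester, target_dn, attr=None):
    """Privilege level slapd would grant requester on target_dn (and attr)."""
    _, db = database_for(target_dn)
    if db is None:
        return "none"
    if requester and norm_dn(requester) == db["rootdn"]:
        return "write"                        # rootdn is not subject to its database's ACLs
    entry = ENTRIES.get(target_dn, {})
    for rule in db["rules"] + GLOBAL_RULES:   # assumption: database rules before global ones
        if not rule_matches_target(rule, target_dn, entry, attr):
            continue
        for who, level in rule["by"]:
            if who_matches(who, requester, target_dn):
                return level
        return "none"                         # clause matched but no 'by' did: implicit by * none
    return DEFAULT_ACCESS


def allowed(requester, target_dn, attr, needed):
    return LEVELS[granted_level(requester, target_dn, attr)] >= LEVELS[needed]


if __name__ == "__main__":
    albert, mary, admin = ("cn=Albert Abama,o=CompanyB.com",
                           "cn=Mary Bama,o=CompanyB.com", "cn=Admin100,o=CompanyB.com")
    for who, target, attr, op in [("cn=AManager,o=CompanyA.com", albert, "mail", "write"),
                                  ("cn=BManager,o=CompanyB.com", albert, "mail", "write"),
                                  (admin, albert, "mail", "write"),
                                  (admin, mary, "mail", "write"),
                                  (None, admin, "userpassword", "read"),
                                  (admin, admin, "userpassword", "read")]:
        print(f"{who or 'anonymous':32} {op:5} {attr:12} on {target:32} -> "
              f"{'allowed' if allowed(who, target, attr, op) else 'denied'}")
```

Run as a script, each printed line mirrors one of the ldapmodify/ldapsearch results above. The model also makes the reason for the rootpw lines in slapd.conf explicit: a rootdn bind skips the ACLs of its database entirely, so those passwords deserve the same care as the ACLs themselves.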
Books:

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good,
ISBN 0672323168, Addison-Wesley Pub Co
Second edition. It is general in nature but complete
in that it covers all concepts in depth.
It is a good book for those wanting to understand everything
about LDAP, schema development and its capabilities.

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good,
ISBN 1-57870-070-1, MacMillan Technical Publishing
First edition, out of print (used only). See second
edition above. This is the largest LDAP book I own. It is general in
nature but complete in that it covers all concepts in depth. It is NOT
a good programmer's reference, but it is good for those wanting to
understand everything about LDAP, schema development and its
capabilities. Netscape centric.

"Programming Directory-Enabled Applications with Lightweight Directory
Access Protocol",
by Timothy A. Howes, PhD and Mark C. Smith
ISBN 1-57870-000-0, MacMillan Technical Publishing
Excellent programmer's reference for those using the LDAP C language API.
Also covers search filters and LDAP URLs.
The OpenLDAP source code is so poorly commented that I found this book
often was the only source for an explanation of what was happening in the
code.

"Implementing LDAP",
Mark Wilcox
ISBN 1-861002-21-1, Wrox Press
This book covers all aspects of LDAP from LDIF to the LDAP SDK
in C, Perl and Java. It has a strong Netscape Directory Server bias.

"LDAP System Administration",
Gerald Carter
ISBN 1565924916, O'Reilly & Associates
This book covers the use of OpenLDAP and the integration of services.

"LDAP Programming, Management and Integration",
Clayton Donley
ISBN 1930110405, Manning Publications; 1st edition
This book covers LDAP administration as well as introductory information.
It covers the Directory Services Markup Language (DSML), the Perl LDAP module as
well as Java JNDI.

"Understanding LDAP" - IBM Redbooks
Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman
IBM Redbook #SG24-4986-00
A reference to LDAP, available as PDF as well. This book has a bias towards
IBM's eNetwork LDAP Directory server. Tight, terse, but covers everything.

"LDAP Implementation Cookbook"
IBM Redbook #SG24-5110-00