Chapter 36

Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP, pronounced “ell-dap”) is one of those technologies that, although hidden, forms part of the core infrastructure in much of enterprise computing. Its job is simple: It stores information about users. However, its power comes from the fact that it can be linked into dozens of other services. LDAP can power login authentication, public key distribution, email routing, and address verification. More recently, it has formed the core of the push toward single sign-on technology.

Tip

Most people find the concept of LDAP easier to grasp when they think of it as a highly specialized form of database server. Behind the scenes, Ubuntu uses a database for storing all its LDAP information; however, LDAP does not offer anything as straightforward as SQL for data manipulation.

The example in this chapter uses the hdb back end, which is built on Sleepycat Software’s Berkeley DB (BDB). Be aware that OpenLDAP 2.4 made mdb (built on the LMDB library) the recommended back end and OpenLDAP 2.5 removed bdb and hdb altogether, so on a current Ubuntu release you should expect to find an mdb database rather than an hdb one. The suffix, root DN, indexing, and access-control attributes shown here apply to either back end, but the olcDbConfig tuning lines are BDB-specific; check the slapd-config(5) man page for the back end you actually run. Other back ends exist that might be better for you if you have specific needs.

This chapter looks at a relatively basic installation of an LDAP server, including how to host a company-wide directory service that contains the names and email addresses of employees. LDAP is a client/server system, meaning that an LDAP server hosts the data, and an LDAP client queries it. Ubuntu comes with OpenLDAP as its LDAP server, along with several LDAP-enabled email clients, including Evolution and Mozilla Thunderbird. This chapter covers the server in detail and then shows how to point Thunderbird at it.

Because LDAP data is usually available over the Internet—or at least your local network—it is imperative that you make every effort to secure your server. This chapter gives specific instruction on password configuration for OpenLDAP, and we recommend that you follow the instructions closely. Keep in mind, too, that a simple bind over the standard port (389) sends the password in the clear unless the connection is protected with StartTLS or LDAPS; password handling on the server is only half of the job.

Configuring the Server

If you have been using LDAP for years, you will be aware of its immense power and flexibility. But if you are just trying LDAP for the first time, it will seem like the most broken component you could imagine. LDAP has specific configuration requirements, is vastly lacking in graphical tools, and has a large number of acronyms to remember. On the bright side, all the hard work you put in is worth it because when it works, LDAP improves your networking experience immensely. You should read this entire chapter and understand it before you go any further. Then read the README file in /etc/ldap/schema before you begin configuring your server.

The first step in configuring your LDAP server is to install the client and server applications. When you install the slapd and ldap-utils packages from the Ubuntu repositories, you also install the libodbc1 package.

By default, Ubuntu configures slapd with the minimum options necessary to run the daemon. This chapter shows how to configure everything from that bare-bones installation up to where it will be useful.

Now you need to know the fully qualified domain name (FQDN) of your server. In a moment, you will begin to write/modify some configuration files, and this will be a vital part of that process. The example uses matthewhelmke.com. Whenever you see that, change it to your FQDN.

From the FQDN you acquire your domain component, which is the name of your domain, as stored in DNS. This is abbreviated as dc. LDAP considers each part of a domain name (separated by dots) to be a domain component. In the example, there are two dc items in matthewhelmke.com: matthewhelmke and com.

OpenLDAP keeps its own runtime configuration in a directory information tree (DIT) rooted at cn=config and stored on disk under /etc/ldap/slapd.d. Because it is a DIT, you change it with the same LDAP tools you use for data, and slapd applies the changes dynamically: Schema definitions, indexes, and so on can be modified without stopping and restarting the service, as was required in earlier versions that used slapd.conf. You will write two LDIF files for this configuration: a back-end file that adds a minimal database definition to cn=config, and a front-end file that populates that database with the actual entries (organization, people, groups) in the traditional, standards-compliant form that external programs expect.

Creating Your Schema

Start creating your schema by loading some premade schema files. This makes configuration faster and easier by preloading some settings. If you are building an enterprise server, read the official OpenLDAP documentation and start from scratch so that you know precisely what everything on your server is doing and why. For the example in this chapter, load these three files into the directory using the following commands:

matthew@seymour:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
matthew@seymour:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
matthew@seymour:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

Next, create a file called backend.matthewhelmke.com.ldif with these contents:

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=matthewhelmke,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=matthewhelmke,dc=com
olcRootPW: changeMEtoSOMETHINGbetter
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=matthewhelmke,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=matthewhelmke,dc=com" write by * read

Make sure you change all instances of matthewhelmke and com to fit your FQDN and change the entry for olcRootPW. Do not leave a cleartext password there: Generate a salted hash with slappasswd (its default scheme is {SSHA}) and paste the resulting {SSHA}... value in its place. slapd verifies binds against the hash, and anyone who can read the configuration directory no longer learns the password itself. Note also that the final olcAccess rule grants read access to every other attribute "by * read", which includes anonymous clients; if the directory is reachable from untrusted networks, consider "by users read" instead so that only authenticated binds can enumerate it. Then add the new file to the directory, which you do as follows, assuming that you are entering this command from the directory where the file was created:

matthew@seymour:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.matthewhelmke.com.ldif
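
The hashed olcRootPW value recommended above, and the userPassword values the front-end file needs in the next section, can be produced without slappasswd. The following is an added example in Python, not code from the chapter or from OpenLDAP; it generates and verifies hashes in the same {SSHA} format that slapd understands (base64 of the SHA-1 digest of password plus salt, followed by the salt). The 8-byte random salt is this example’s choice; the format does not fix the salt length, because everything after the 20-byte digest is taken as salt.

```python
"""
Generate and verify OpenLDAP-style {SSHA} password hashes.

Added example, not from the chapter or from OpenLDAP. The output has the
same shape as `slappasswd` output and can be pasted into olcRootPW or
userPassword so that no cleartext password sits in an LDIF file or in
cn=config.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest size; everything after it is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return SCHEME + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # salt length is this example's choice
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    This is the same recomputation slapd performs on a simple bind: split
    the decoded blob into digest and salt, hash the candidate with that
    salt, and compare.
    """
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # constant-time comparison, the habit you want in any verifier
    return hmac.compare_digest(digest, expected)


def root_pw_line(password: str) -> str:
    """Render the olcRootPW line for the back-end LDIF with a hashed value."""
    return "olcRootPW: " + make_ssha(password)


def user_pw_line(password: str) -> str:
    """Render a userPassword line for an entry in the front-end LDIF."""
    return "userPassword: " + make_ssha(password)


if __name__ == "__main__":
    print(root_pw_line("changeMEtoSOMETHINGbetter"))
    print(user_pw_line("changeMEtoSOMETHINGbetter"))
```

Replace the olcRootPW line in backend.matthewhelmke.com.ldif with the printed line, and use the userPassword form for the admin and person entries in the front-end file. Note that SHA-1 with a salt is what the {SSHA} scheme provides; it defeats precomputed tables but is not a slow hash, so it does not replace strong passwords or TLS on the wire.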

Populating Your Directory

The back end is ready. Now you need to populate the front-end directory to make this useful. Create another file called frontend.matthewhelmke.com.ldif with the following contents:

# Create top-level object in domain
dn: dc=matthewhelmke,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: matthewhelmke
description: LDAP Example

# Admin user.
dn: cn=admin,dc=matthewhelmke,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: changeMEtoSOMETHINGbetter

dn: ou=people,dc=matthewhelmke,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=matthewhelmke,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=matthew,ou=people,dc=matthewhelmke,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: matthew
sn: Helmke
givenName: Matthew
cn: Matthew Helmke
displayName: Matthew Helmke
uidNumber: 1000
gidNumber: 10000
userPassword: changeMEtoSOMETHINGbetter
gecos: Matthew Helmke
loginShell: /bin/bash
homeDirectory: /home/matthew
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 85711
l: Tucson
o: Example
mobile: +1 (520) xxx-xxxx
homePhone: +1 (520) xxx-xxxx
title: System Administrator
postalAddress: I'm not putting it in the book.
initials: MH

dn: cn=example,ou=groups,dc=matthewhelmke,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

Remember to change the details to fit your information, and check that every entry is consistent with its own DN: slapd insists that the attribute and value named in an entry’s RDN (dc=matthewhelmke, uid=matthew, cn=example) also appear as an attribute of that entry, and that every DN ends in the suffix you configured in the back-end file. Then add this file to the LDAP directory, binding as the admin DN rather than as root:

matthew@seymour:~$ ldapadd -x -D cn=admin,dc=matthewhelmke,dc=com -W -f frontend.matthewhelmke.com.ldif
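
A front-end file that is edited by hand is easy to get wrong in exactly the ways slapd refuses (a dc value that does not match the RDN, an organizational unit left under a different suffix, a uid in the DN that differs from the uid attribute), and ldapadd stops at the first bad entry with a partially loaded directory behind it. The following is an added example in Python, not code from the chapter or from OpenLDAP, that checks an LDIF file for those mistakes offline. It derives the base DN from the FQDN the way the chapter describes, handles only the simple LDIF subset the chapter uses, and the sample LDIF embedded in it is constructed for the example.

```python
"""
Offline sanity check for an LDIF file before it reaches ldapadd.

Added example, not code from the chapter or from OpenLDAP. It handles the
LDIF subset the chapter uses (one "attr: value" per line, entries separated
by blank lines, no base64 "::" values, no continuation lines, no escaped
commas in DNs) and reports the two slips that slapd rejects with a
namingViolation: an RDN whose attribute and value are missing from the
entry, and an entry whose DN is not under the database suffix.
"""
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]


def fqdn_to_base_dn(fqdn: str) -> str:
    """Turn 'matthewhelmke.com' into 'dc=matthewhelmke,dc=com'."""
    return ",".join("dc=" + part for part in fqdn.strip(".").split("."))


def parse_ldif(text: str) -> List[Entry]:
    """Parse blank-line separated entries into (dn, {attr: [values]})."""
    entries: List[Entry] = []
    block: List[str] = []

    def flush() -> None:
        if not block:
            return
        dn: Optional[str] = None
        attrs: Dict[str, List[str]] = {}
        for line in block:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("entry without a dn: line")
        entries.append((dn, attrs))
        block.clear()

    for line in text.splitlines():
        if line.startswith("#"):
            continue          # LDIF comment
        if line.strip():
            block.append(line)
        else:
            flush()           # a blank line ends the entry
    flush()
    return entries


def check_ldif(text: str, base_dn: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks clean."""
    problems: List[str] = []
    norm_base = base_dn.replace(" ", "").lower()
    for dn, attrs in parse_ldif(text):
        norm_dn = dn.replace(" ", "").lower()
        if norm_dn != norm_base and not norm_dn.endswith("," + norm_base):
            problems.append(f"{dn}: not under suffix {base_dn}")
        # slapd requires the RDN's attribute/value pair to be present in the
        # entry itself; dc, uid, ou and cn all use case-insensitive matching.
        rdn = dn.split(",", 1)[0]
        rdn_attr, _, rdn_value = rdn.partition("=")
        values = [v.lower() for v in attrs.get(rdn_attr.strip().lower(), [])]
        if rdn_value.strip().lower() not in values:
            problems.append(f"{dn}: naming attribute {rdn} is not present in the entry")
    return problems


# Constructed sample: the kinds of slips that creep in when a template is
# edited by hand (a dc value that does not match the RDN, an OU left under a
# different suffix, and a uid that differs from the one in the DN).
SAMPLE_LDIF = """\
dn: dc=matthewhelmke,dc=com
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: Example

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=john,ou=people,dc=matthewhelmke,dc=com
objectClass: inetOrgPerson
uid: matthew
sn: Helmke
cn: Matthew Helmke
"""

if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF, fqdn_to_base_dn("matthewhelmke.com")):
        print(problem)
```

Run check_ldif over the contents of frontend.matthewhelmke.com.ldif with the base DN for your FQDN before calling ldapadd. slapd would reject the same entries with result code 64 (namingViolation), but catching them offline means you never have to clean up a half-loaded directory.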

To check that your content has been added to the LDAP directory correctly, you can use ldapsearch, as follows:

matthew@seymour:~$ ldapsearch -xLLL -b "dc=matthewhelmke,dc=com" uid=matthew sn givenName cn

dn: uid=matthew,ou=people,dc=matthewhelmke,dc=com
cn: Matthew Helmke
sn: Helmke
givenName: Matthew

In this example, dn stands for distinguished name, uid refers to user identification, ou is the organizational unit, dc represents domain component, cn is common name, sn is the family or surname, and many cultures know givenName as your first name.

When you use LDAP, you can organize your data in many ways. You can use a number of existing schemas, as in the previous example with the LDIF files you loaded at the start, or you can write your own. The /etc/ldap/schema directory has many fine examples in the files with a .schema suffix, along with a few that have already been converted to LDAP Data Interchange Format (LDIF). To load a schema into cn=config with ldapadd, as you did at the start of this chapter, it must be in LDIF form (the .ldif filename extension); you can convert one of the sample schemas or create your own.

Configuring Clients

Although Ubuntu comes with a selection of email clients, there is not enough room here to cover them all. The two most frequently used clients are Thunderbird, the default, and Evolution. Both are powerful messaging solutions, and both work well with LDAP. Of the two, Thunderbird seems to be the easier to configure and, as the default, is the one we choose to show here.

To enable Thunderbird to use LDAP, go to the menu, click Preferences, and then select Composition from the tabs along the top.

From the Addressing subtab, check the Directory Server box and click the Edit Directories button to its right. In the dialog box that appears, click Add to add a new directory. You can give it any name you want because this is merely for display purposes. As shown in Figure 36.1, set the Hostname field to be the IP address of your LDAP server (or 127.0.0.1 if you are working on the server). Set the Base DN field to the DN for your address book (for instance, ou=People,dc=matthewhelmke,dc=com) and leave Port Number set to 389 for a test on the local machine. Port 389 is the unencrypted LDAP port: For any server that other hosts will reach, enable TLS on slapd and choose the secure-connection option in this same dialog so that address book queries (and any bind password) do not cross the network in the clear. Click OK three times to get back to the main interface.


FIGURE 36-1 Thunderbird’s options allow you to download the LDAP directory for offline use.

LDAP Administration

After you have your LDAP server and clients set up, they require little maintenance until something changes externally. Specifically, if someone in your directory changes jobs, changes phone number, marries and takes a new surname, quits, or experiences some other change, you need to be able to update your directory to reflect the change.

You installed some useful utilities with the ldap-utils package earlier:

ldapsearch—Opens a connection to an LDAP server and searches its directory for requested information

ldapmodify—Opens a connection to an LDAP server and allows you to add or modify entries

ldapadd—Opens a connection to an LDAP server and allows you to add an entry

ldapdelete—Opens a connection to an LDAP server and allows you to delete one or more entries

Whether you may perform an operation is decided by the server’s access controls for the identity you bind as, not by your local UNIX user, so these utilities do not require sudo in general. Run them as yourself and authenticate with -D and -W (a simple bind as, for example, cn=admin,dc=matthewhelmke,dc=com); sudo is needed only when you use -Y EXTERNAL -H ldapi:/// to modify cn=config, because that binding maps the root process to the identity slapd trusts for its own configuration. None of these utilities are simple to use, but they all come with moderate amounts of documentation in their man pages.
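
The surname change described above, written as an ldapmodify change record. This is an added example, not from the chapter; it assumes the person entry created in the front-end file earlier in this chapter, and the new surname is a placeholder.

```ldif
# Constructed example: update the surname and the attributes that embed it.
# Each "-" separates one modification from the next within the same entry.
dn: uid=matthew,ou=people,dc=matthewhelmke,dc=com
changetype: modify
replace: sn
sn: Newname
-
replace: cn
cn: Matthew Newname
-
replace: displayName
displayName: Matthew Newname
-
replace: gecos
gecos: Matthew Newname
```

Save it as surname.ldif and apply it with ldapmodify -x -D cn=admin,dc=matthewhelmke,dc=com -W -f surname.ldif. Because uid is the entry’s naming attribute and is untouched, no rename (modrdn) is needed; replacing cn, displayName, and gecos in the same record keeps the entry consistent in one atomic operation rather than leaving a window where the fields disagree.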

A much smarter option is to use phpLDAPadmin, which is an LDAP administration tool that enables you to add and modify entries entirely through your web browser. The program is available in the Ubuntu software repositories as phpldapadmin. Because it puts directory administration behind a web application that handles the admin DN’s password, serve it only over HTTPS, restrict which hosts and users can reach it, and keep it off the public Internet.

Starting, stopping, or restarting the slapd daemon is done in the usual way:

sudo systemctl start/stop/restart slapd

References

www.openldap.org—The home page of the OpenLDAP project, where you can download the latest version of the software and meet other users

https://ldap.perl.org—The home of the Perl library for interacting with LDAP, which provides comprehensive documentation to get you started

https://help.ubuntu.com/lts/serverguide/openldap-server.html—Official Ubuntu Server documentation for OpenLDAP

https://phpldapadmin.sourceforge.net—The official documentation for phpLDAPadmin

LDAP System Administration by Gerald Carter—The definitive book on LDAP and an absolute must for the bookshelf of any Linux LDAP administrator

LDAP Directories Explained by Brian Arkills—More general reading, with a much stronger focus on the Microsoft Active Directory LDAP implementation
