Andrew Hudson - Fedora™ Unleashed, 2008 edition

Because LDAP data is usually available over the Internet — or at least your local network — it is imperative that you make every effort to secure your server. This chapter gives specific instruction on password configuration for OpenLDAP, and we recommend you follow our instructions closely.

If you have been using LDAP for years, you are aware of its immense power and flexibility. On the other hand, if you are just trying LDAP for the first time, it will seem like the most broken component you could imagine. LDAP has very specific configuration requirements, is vastly lacking in graphical tools, and has a large number of acronyms to remember. On the bright side, all the hard work you put in will be worth it because, when it works, LDAP will hugely improve your networking experience.

The first step in configuring your LDAP server is to install the client and server applications. Select Add/Remove Applications, click the Details button next to Network Servers, and check openldap-servers. Then click the Details button next to System Tools and select openldap-clients. After you have installed them, close the dialog box and bring up a terminal.

Now switch to the root user and edit /etc/openldap/slapd.confin the text editor of your choice. This is the primary configuration file for slapd, the OpenLDAP server daemon. Scroll down until you see the lines database, suffix, and rootdn.

This is the most basic configuration for your LDAP system. What is the name of your server? The dcstands for domain component, which is the name of your domain as stored in DNS — for example, example.com. For our examples, we used hudzilla.org. LDAP considers each part of a domain name (separated by a period) to be a domain component, so the domain hudzilla.orgis made up of a domain component hudzillaand a domain component org.

Change the suffix line to match your domain components, separated by commas. For example:

suffix "dc=hudzilla,dc=org"

The next line defines the root DN, which is another LDAP acronym meaning distinguished name . A DN is a complete descriptor of a person in your directory: her name and the domain in which she resides. For example:

rootdn "cn=root,dc=hudzilla,dc=org"

CN is yet another LDAP acronym, this time meaning common name. A common name is just that — the name a person is usually called. Some people have several common names. Andrew Hudson is a common name, but that same user might also have the common name Andy Hudson. In our rootdn line, we define a complete user: common name rootat domain hudzilla.org. These lines are essentially read backward. LDAP goes to orgfirst, searches orgfor hudzilla, and then searches hudzillafor root.

The rootdnis important because it is more than just another person in your directory. The root LDAP user is like the root user in Linux. It is the person who has complete control over the system and can make whatever changes he wants to.

Now comes a slightly more complex part: The LDAP root user needs to be given a pass word. The easiest way to do this is to open a new terminal window alongside your existing one. Switch to root in the new terminal also, and type slappasswd . This tool generates password hashes for OpenLDAP, using the SHA1 hash algorithm. Enter a password when it prompts you. When you have entered and confirmed your password, you should see output like this:

{SSHA}qMVxFT2K1UUmrA89Gd7z6EK3gRLDIo2W

That is the password hash generated from your password. Yours will be different from the one shown here, but what is important is that it has {SSHA}at the beginning to denote it uses SHA1. You now need to switch back to the other terminal (the one editing slapd.conf) and add this line below the rootdnline:

rootpw < your password hash >

You should replace < your password hash >with the full output from slappasswd, like this:

rootpw {SSHA}qMVxFT2K1UUmrA89Gd7z6EK3gRLDIo2W

That sets the LDAP root password to the one you just generated with slappasswd. That is the last change you need to make in the slapd.conffile, so save your changes and close your editor.

Back in the terminal, run the slaptestcommand. This checks your slapd.conffile for errors and ensures you edited it correctly. Presuming there are no errors, run these two commands:

chkconfig ldap on

service ldap start

These tell Fedora to start OpenLDAP each time you boot up, and to start it right now.

The final configuration step is to tell Fedora which DN it should use if none is specified. You do so by going to System Settings and selecting Authentication. In the dialog box that appears, check Enable LDAP Support in both the User Information tab and Authentication tab. Next, click the Configure LDAP button, enter your DCs (for example, dc=hudzilla,dc=org ) for the LDAP Search Base DN, and enter 127.0.0.1 for the LDAP Server. Click OK and then click OK again.

Checking Enable LDAP Support does not actually change the way in which your users log in. Behind the scenes, this forces Fedora to set up the ldap.conffile in /etc/openldapso that LDAP searches that do not specify a base search start point are directed to your DC.

With LDAP installed, configured, and running, you can now fill the directory with people. This involves yet more LDAP acronyms and is by no means an easy task, so do not worry if you have to reread this several times before it sinks in.

First, create the file base.ldif. You use this file to define the base components of your system: the domain and the address book. LDIF is an acronym standing for LDAP Data Interchange Format, and it is the standard way of recording user data for insertion into an LDAP directory. Here are the contents we used for our example:

dn: dc=hudzilla,dc=org

objectClass: top

objectClass: dcObject

objectClass: organization

dc: hudzilla

o: Hudzilla Dot Org

dn: ou=People,dc=hudzilla,dc=org

ou: People objectClass:

top objectClass: organizationalUnit

This file contains two individual entities, separated by an empty line. The first is the organization, hudzilla.org. The dnlines you know already; they define each object uniquely in the scope of the directory. The objectClassdirective specifies which attributes should be allowed for this entity and which attributes should be required. In this case, we use it to set the DC to hudzillaand to set o(the name of the organization) to Hudzilla Dot Org.

The next entity defines the address book, People, in which all our people will be stored. It is defined as an organizational unit, which is what the oustands for. An organizational unit really is just an arbitrary partition of your company. You might have OUs for marketing, accounting, and management, for example.

You need to customize the file to your own requirements. Specifically, change the DCs to those you specified in your slapd.conf.