Ldap

Intro

LDAP: Lightweight Directory Access Protocol. It is a slimmed-down version of the X.500 Directory Access Protocol (DAP) that runs directly over TCP/IP instead of the OSI stack.

Installation on CentOS

Client: edit /etc/openldap/ldap.conf (server URI and base DN), /etc/nsswitch.conf and /etc/pam.d/* to add ldap as a name-service and authentication source.

Organisational structure for GenFic, a fictional Gentoo company

dc:         com
             |
dc:        genfic         ## (Organisation)
          /      \
ou:   People   servers    ## (Organisational Units)
      /    \     ..
uid: ..   John            ## (OU-specific data)

A common LDIF file looks like this (each entry starts with its dn, and entries are separated by a blank line):

dn: o=TUDelft, c=NL
o: TUDelft
objectclass: organization

dn: cn=Luiz Malere, o=TUDelft, c=NL
cn: Luiz Malere
sn: Malere
mail: [email protected]
# person does not allow the mail attribute; inetOrgPerson (a subclass of person) does,
# so slapadd would reject this entry with objectclass: person and schema checking on.
objectclass: inetOrgPerson

Vocabularies

Each attribute has a corresponding syntax definition. The syntax definition describes the type of information the attribute holds (for instance a directory string, an integer, a boolean or a DN), and the attribute's matching rules define how values are compared.

Usually objectclass and attribute definitions reside in schema files, in the schema subdirectory under the OpenLDAP installation home.

LDIF

The LDAP Data Interchange Format (LDIF) is used to represent LDAP entries in a simple text format.

http://www.tldp.org/HOWTO/LDAP-HOWTO/moreonldif.html.

The DN is the entry's identity, and the RDN (its leftmost component, here cn=... versus uid=...) is part of that identity. Two entries with identical attribute values but a different RDN attribute are different entries:

dn: cn=sample user,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
cn: sample user
uid: sampleuser

is not the same entry as:

dn: uid=sampleuser,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
cn: sample user
uid: sampleuser
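The two points above (LDIF as the interchange format, and the DN rather than the attribute set as the entry's identity) as a small added example. This is not code from the notes or from OpenLDAP: it parses a multi-entry LDIF text constructed from the entries quoted on this page (plus one userPassword line in the base64 "::" form that slapcat and ldapsearch emit, with the value from the slappasswd section of these notes) and compares DNs after normalising them.

```python
"""Parse multi-entry LDIF and compare entry identity by DN.

Added example for these notes (not code from the page or from OpenLDAP).
SAMPLE_LDIF is constructed from entries quoted on this page plus one
base64-encoded ('::') userPassword line as slapcat/ldapsearch emit it.
"""
import base64
from typing import Dict, List

SAMPLE_LDIF = """\
dn: o=TUDelft, c=NL
o: TUDelft
objectclass: organization

# the two 'sample user' entries from the notes: same attributes, different RDN
dn: cn=sample user,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
cn: sample user
uid: sampleuser
userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2ZWhRT21ZUElmUzI4L0U9

dn: uid=sampleuser,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
cn: sample user
uid: sampleuser
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict per entry mapping lowercased attribute name -> values.

    Handles blank-line entry separators, '#' comments, folded continuation
    lines (leading space) and 'attr:: <base64>' values. 'attr:< url' is
    rejected rather than fetched: never let an LDIF file pull in local files.
    """
    # Unfold: a line beginning with one space continues the previous line.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:          # trailing sentinel flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):     # URL-valued attribute
            raise ValueError(f"refusing URL-valued attribute on line: {line!r}")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: split on unescaped commas, trim each
    RDN, lowercase type and value. Enough for the caseIgnore attributes on
    this page; a complete implementation applies each attribute's matching
    rule and full RFC 4514 escaping."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    parts = []
    for rdn in rdns:
        attr_type, _, attr_value = rdn.partition("=")
        parts.append(f"{attr_type.strip().lower()}={attr_value.strip().lower()}")
    return ",".join(parts)


def same_entry(dn_a: str, dn_b: str) -> bool:
    """True only if both DNs name the same entry (same RDN type and value at every level)."""
    return normalize_dn(dn_a) == normalize_dn(dn_b)


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"][0], "->", e.get("userpassword", ["(no password)"])[0])
```

Running it shows the decoded {SHA} value for the cn= entry and that same_entry() is false for the cn=/uid= pair even though every attribute matches; the refusal of "attr:< file://..." values is deliberate, since an LDIF fed to a tool that honours them can read arbitrary local files.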

LDAP server

CentOS notes on setting up an LDAP server (slapd.conf fragment):

# Must include the two lines below, or slapd complains:
# ln: cannot access "/var/run/openldap/slapd.pid": No such file or directory
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        bdb
suffix          "dc=me,dc=com"
checkpoint      1024 15
rootdn          "cn=root,dc=me,dc=com"
# Placeholder value: generate a real one with slappasswd; rootdn bypasses all ACLs,
# so this line must never hold a guessable or cleartext password.
rootpw          {SSHA}aaaaaaaa

phpLDAPadmin

Open the config for editing: sudo nano /etc/phpldapadmin/config.php.

$servers->setValue('server','host','domain_name_or_IP_address');
$servers->setValue('server','base',array('dc=test,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=test,dc=com');
$config->custom->appearance['hide_template_warning'] = true;

There are good references for configuring phpLDAPadmin:

Schema

http://www.openldap.org/doc/admin24/schema.html.

Distributed Schema Files

You can use the include directive to include these schema files.

Table 8.1: Provided Schema Specifications
File                  Description
core.schema           OpenLDAP core (required)
cosine.schema         Cosine and Internet X.500 (useful)
inetorgperson.schema  InetOrgPerson (useful)
misc.schema           Assorted (experimental)
nis.schema            Network Information Services (FYI)
openldap.schema       OpenLDAP Project (experimental)

Extended schema

You can add a customized schema in a local.schema file. There are five steps to defining a new schema:

1. obtain an Object Identifier (OID) arc
2. choose a name prefix
3. create the local schema file
4. define custom attribute types (if necessary)
5. define custom object classes

In addition to assigning a unique object identifier to each schema element, you should provide at least one textual name for each element.
Names should be registered with the IANA or prefixed with "x-" to place them in the "private use" name space. Only use OIDs under an arc you own (not the 1.1 arc the admin guide uses for its examples): an OID collision with another organisation's schema breaks interoperability when directories are merged or replicated.

Attribute Type Description is defined by the following ABNF (Augmented Backus-Naur Form):

AttributeTypeDescription = "(" whsp
	numericoid whsp                ; AttributeType identifier
	[ "NAME" qdescrs ]             ; name used in AttributeType
	[ "DESC" qdstring ]            ; description
	[ "OBSOLETE" whsp ]
	[ "SUP" woid ]                 ; derived from this other
	                               ; AttributeType
	[ "EQUALITY" woid ]            ; Matching Rule name
	[ "ORDERING" woid ]            ; Matching Rule name
	[ "SUBSTR" woid ]              ; Matching Rule name
	[ "SYNTAX" whsp noidlen whsp ] ; Syntax OID
	[ "SINGLE-VALUE" whsp ]        ; default multi-valued
	[ "COLLECTIVE" whsp ]          ; default not collective
	[ "NO-USER-MODIFICATION" whsp ]; default user modifiable
	[ "USAGE" whsp AttributeUsage ]; default userApplications
	whsp ")"

For example, the attribute types name and cn are defined in core.schema as follows. cn gives no EQUALITY, SUBSTR or SYNTAX of its own: it inherits all three from its supertype name via SUP.

attributeType ( 2.5.4.41 NAME 'name'
	DESC 'name(s) associated with the object'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributeType ( 2.5.4.3 NAME ( 'cn' 'commonName' )
	DESC 'common name(s) associated with the object'
	SUP name )
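As an added example covering both the five-step procedure for a local schema and the ABNF above: a parser for attributeType descriptions that resolves SUP inheritance, so you can see what matching rules and syntax a subtype such as cn actually ends up with. This is not OpenLDAP code and not a complete RFC 4512 parser (objectClass definitions, extensions and matching-rule validation are out of scope). The sample input is the two core.schema definitions quoted above plus a constructed private attribute placed under the 1.1 example arc with an x- prefixed name; both the OID and the name are placeholders, not something to ship.

```python
"""Parse AttributeTypeDescription definitions and resolve SUP inheritance.

Added example for these notes; not OpenLDAP code and not a full RFC 4512
parser. SAMPLE_SCHEMA holds the two core.schema definitions quoted on this
page plus a constructed private attribute under the 1.1 example arc (a
placeholder OID, not one to use in production).
"""
import re
from typing import Dict, List, Optional

SAMPLE_SCHEMA = """\
attributeType ( 2.5.4.41 NAME 'name'
        DESC 'name(s) associated with the object'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributeType ( 2.5.4.3 NAME ( 'cn' 'commonName' )
        DESC 'common name(s) associated with the object'
        SUP name )
attributeType ( 1.1.2.1.1 NAME 'x-genfic-badgeNumber'
        DESC 'constructed example: subtype of name, one value per entry'
        SUP name
        SINGLE-VALUE )
"""

VALUE_KEYWORDS = {"DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}
FLAG_KEYWORDS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
INHERITED = ("equality", "ordering", "substr", "syntax", "usage", "max_length")


def tokenize(text: str) -> List[str]:
    # Parentheses, quoted strings (which may themselves contain parentheses)
    # and bare words such as OIDs, names and SYNTAX oid{len}.
    return re.findall(r"\(|\)|'[^']*'|[^\s()']+", text)


def parse_attribute_types(text: str) -> Dict[str, dict]:
    """Map every lowercased NAME and the OID of each definition to its parsed form."""
    toks = tokenize(text)
    schema: Dict[str, dict] = {}
    i = 0
    while i < len(toks):
        if toks[i].lower() != "attributetype":
            i += 1
            continue
        if toks[i + 1] != "(":
            raise ValueError("expected '(' after attributeType")
        spec: dict = {"oid": toks[i + 2], "names": [], "flags": set()}
        i += 3
        while toks[i] != ")":
            key = toks[i].upper()
            if key == "NAME":                      # NAME 'x' or NAME ( 'x' 'y' )
                i += 1
                if toks[i] == "(":
                    i += 1
                    while toks[i] != ")":
                        spec["names"].append(toks[i].strip("'"))
                        i += 1
                    i += 1                         # closing ')' of the name list
                else:
                    spec["names"].append(toks[i].strip("'"))
                    i += 1
            elif key in VALUE_KEYWORDS:
                spec[key.lower()] = toks[i + 1].strip("'")
                i += 2
            elif key in FLAG_KEYWORDS:
                spec["flags"].add(key)
                i += 1
            else:
                raise ValueError(f"unknown keyword {toks[i]!r} in {spec['oid']}")
        i += 1                                     # closing ')' of the definition
        if "syntax" in spec:                       # split 'oid{maxlen}' into its parts
            m = re.fullmatch(r"([\d.]+)(?:\{(\d+)\})?", spec["syntax"])
            if not m:
                raise ValueError(f"bad SYNTAX {spec['syntax']!r}")
            spec["syntax"] = m.group(1)
            spec["max_length"] = int(m.group(2)) if m.group(2) else None
        schema[spec["oid"]] = spec
        for n in spec["names"]:
            schema[n.lower()] = spec
    return schema


def effective(schema: Dict[str, dict], name: str) -> dict:
    """Resolve what an attribute actually uses by walking its SUP chain:
    a subtype inherits matching rules and syntax it does not set itself."""
    spec = schema[name.lower()]
    chain, seen = [], set()
    cur: Optional[dict] = spec
    while cur is not None:
        if cur["oid"] in seen:
            raise ValueError(f"SUP loop at {cur['oid']}")
        seen.add(cur["oid"])
        chain.append(cur)
        sup = cur.get("sup")
        if sup is None:
            cur = None
        elif sup.lower() not in schema:
            raise ValueError(f"{cur['oid']} has unknown SUP {sup!r}")
        else:
            cur = schema[sup.lower()]
    result = {"oid": spec["oid"], "names": list(spec["names"]),
              "single_value": "SINGLE-VALUE" in spec["flags"]}
    for key in INHERITED:
        result[key] = next((c[key] for c in chain if key in c), None)
    return result


if __name__ == "__main__":
    s = parse_attribute_types(SAMPLE_SCHEMA)
    print(effective(s, "cn"))
    print(effective(s, "x-genfic-badgeNumber"))
```

The loop check matters in practice: a schema whose SUP chain cycles, or whose SUP names a type that is not loaded yet, is exactly the kind of error that makes slapd refuse to start, so resolving the chain before loading a local.schema is a cheap sanity check.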

slapd.conf

http://www.openldap.org/doc/admin24/slapdconfig.html. See also man slapd.conf. Global directives can be overridden by backend and/or database directives, and backend directives can be overridden by database directives. The format is:

# global configuration directives
<global config directives>

# backend definition
backend <typeA>
<backend-specific directives>

# first database definition & config directives
database <typeA>
<database-specific directives>

Directives

http://www.openldap.org/doc/admin24/slapdconfig.html.

access to <what> [ by <who> [<accesslevel>] [<control>] ]+
Example:
	access to * by * read
allows everyone, authenticated or anonymous, to read everything, including userPassword hashes. Only use that in a lab. A production config grants userPassword to the entry's owner (write) and to anonymous binds for authentication only (auth), and denies it to everyone else, before any catch-all read rule: slapd evaluates "access to" clauses in order and the first one whose <what> matches is the one that applies, so the specific userPassword rule must come first.

include <filename>
Careful (this is the manual's own warning): there is no meaningful limit on the number of nested include directives, and no loop detection is done.

referral <URI>
This directive specifies the referral to pass back when slapd cannot find a local database to handle a request.
Example:
referral ldap://root.openldap.org

backend <type>
This directive marks the beginning of a backend declaration.
Database backends include: bdb, hdb (hierarchical bdb), mdb (LMDB, the recommended local backend since 2.4 and the only one left in 2.5, where bdb and hdb were removed), ldap (proxy), meta (meta directory), passwd (read-only access to /etc/passwd), perl, shell, sql.
wcf note: there seems to be no difference between backend and database, except that backend is at a higher layer.

rootdn DN
The DN may refer to a SASL identity.
Entry-based Example:
	rootdn "cn=Manager,dc=example,dc=com"
SASL-based Example:
	rootdn "uid=root,cn=example.com,cn=digest-md5,cn=auth"

rootpw <passwd>
Example:
	rootpw {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN
The hash was generated with slappasswd -s secret. The directive also accepts a cleartext value; never use one, since rootdn bypasses every access control and anyone who can read slapd.conf would then own the directory. Prefer running slappasswd without -s so it prompts and the password stays out of shell history.

suffix <dn suffix>
This directive specifies the DN suffix of queries that will be passed to this backend database.
Example:
	suffix "dc=example,dc=com"
Queries with a DN ending in "dc=example,dc=com" will be passed to this backend.

directory <directory>
This directive specifies the directory where the BDB files containing the database and associated indices live.
Default:
	directory /usr/local/var/openldap-data

Database directives

database <type>
	Types: bdb, hdb (both deprecated), mdb

readonly {on | off}

replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
	[bindmethod={simple|kerberos|sasl}]
	["binddn=<DN>"]
	[saslmech=<mech>]
	[authcid=<identity>]
	[authzid=<identity>]
	[credentials=<password>]
	[srvtab=<filename>]
If port is not given, the standard LDAP port number (389 or 636) is used.
host is deprecated in favor of the uri parameter.
Note: replica configures the old slurpd push replication, which was removed in OpenLDAP 2.4; current releases replicate with syncrepl instead.

Usual commands

slappasswd

The command
	slappasswd -h {SHA} -s abcd123
will generate
	{SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=

So, in your entry, an attribute like this could be specified:
	userPassword: {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
Copy the whole value, including the {SHA} (or {SSHA}) scheme prefix, into the LDAP password attribute; without the prefix slapd treats the string as a cleartext password. Passing -s on the command line leaves the password in shell history and in ps output; omit it and let slappasswd prompt instead. The default scheme is {SSHA}, which is salted and should be preferred over the unsalted {SHA}.

But when you do a slapcat or ldapsearch and the output is in LDIF format, userPassword is base64-encoded (hence the double colon), and it will look like this:
	userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2ZWhRT21ZUElmUzI4L0U9
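What {SHA} and {SSHA} values actually contain, as an added example (not slappasswd's code): generation and constant-time verification of both schemes, including unwrapping of the "userPassword::" base64 form seen in slapcat output. The format facts used are that {SHA} is base64(sha1(password)) and {SSHA} is base64(sha1(password + salt) + salt) with the salt appended after the 20-byte digest; the 4-byte salt length matches slappasswd's default but any length verifies.

```python
"""Generate and verify OpenLDAP-style {SHA} and {SSHA} userPassword values.

Added example for these notes, not OpenLDAP's code. Formats implemented:
{SHA}  = base64( sha1(password) )
{SSHA} = base64( sha1(password + salt) + salt ), salt appended after the
20-byte digest (slappasswd uses a 4-byte random salt by default).
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_sha(password: str) -> str:
    """Unsalted {SHA}: identical passwords give identical hashes, so a
    leaked directory can be attacked with a single precomputed table."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: a fresh random salt per user defeats shared tables,
    but SHA-1 is still fast, so brute force per hash remains cheap."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def unwrap_ldif(line: str) -> str:
    """Accept 'userPassword: {..}', 'userPassword:: <base64>' or a bare value."""
    if line.startswith("userPassword::"):
        return base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8")
    if line.startswith("userPassword:"):
        return line.split(":", 1)[1].strip()
    return line.strip()


def verify(stored: str, password: str) -> bool:
    """Constant-time check of a candidate password against a stored value."""
    value = unwrap_ldif(stored)
    if not value.startswith("{") or "}" not in value:
        raise ValueError("stored value has no {SCHEME} prefix")
    scheme, b64 = value[1:].split("}", 1)
    blob = base64.b64decode(b64)
    pw = password.encode("utf-8")
    if scheme.upper() == "SHA":
        return hmac.compare_digest(blob, hashlib.sha1(pw).digest())
    if scheme.upper() == "SSHA":
        digest, salt = blob[:20], blob[20:]       # digest first, salt after it
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError(f"unsupported scheme {{{scheme}}}")


if __name__ == "__main__":
    h = make_ssha("abcd123")
    print(h, verify(h, "abcd123"), verify(h, "abcd124"))
```

Both schemes are single fast SHA-1 invocations, so a dumped directory cracks quickly whichever you pick; on a current OpenLDAP set password-hash to {CRYPT} with a modern crypt(3) algorithm or use the pbkdf2/argon2 password modules, and restrict read access to userPassword with ACLs so the hashes are not exposed to anonymous searches in the first place.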

ldappasswd

ldappasswd [options] [user]

user is the identity whose password is changed, typically a DN. If not specified, the DN given with -D (the bind identity) is used, i.e. you change your own password.

-A:	Prompt for the old password.
-a oldPasswd
-t oldPasswdFile
-S:	Prompt for the new password.
-s newPasswd
-T newPasswdFile
If none of -S, -s or -T is given, the server generates a new password and ldappasswd prints it.

-x:	Use simple authentication instead of SASL.

-D binddn:	Specifies the DN with which to authenticate to the server.
-W:	Prompt for the bind password.
-w passwd:	Give the bind password on the command line (it ends up in shell history and in ps output; prefer -W).

-H ldapURI
-h ldapHost (deprecated in OpenLDAP; use -H)
-p ldapPort

-Z:	Issue the StartTLS extended operation; if it fails, ldappasswd prints a warning and carries on without TLS.
-ZZ:	Issue StartTLS and abort if it cannot be established. Use -ZZ (or an ldaps:// URI) whenever a password crosses the network; with plain -Z a failed negotiation sends the old and new passwords in the clear.
-P certdb:	Path, including the filename, of the client's certificate database. This is an option of the Red Hat / 389 Directory Server ldappasswd, not the OpenLDAP one, and is used only with -Z.

-n:	Do not set the password. Dry run.
-d debugLevel

# A user changes his/her own password (OpenLDAP ldappasswd). Better: drop -a/-s and answer the -A/-S prompts
# so neither password lands in shell history, and add -ZZ so the exchange is protected by TLS.
ldappasswd -x -W -D "cn=test,ou=users,dc=yourComp,dc=com" -a oldpasswd -s newpasswd -h ldapServerIP

# The examples below use the Red Hat / 389 Directory Server ldappasswd: the -P, -N, -K and -o options and the
# cert8.db/key3.db NSS databases do not exist in OpenLDAP's ldappasswd (which takes -Y <mech> for SASL and reads
# TLS settings from ldap.conf).

# The Directory Manager changes the password of the user uid=tuser1,ou=People,dc=example,dc=com to new_password over SSL.
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager" -w dmpassword -s new_password "uid=tuser1,ou=People,dc=example,dc=com"

# The Directory Manager has the server generate a new password for the user uid=tuser2,ou=People,dc=example,dc=com over SSL.
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager" -w dmpassword "uid=tuser2,ou=People,dc=example,dc=com"

# A user, tuser3, changes the password from old_password to new_password over SSL.
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "uid=tuser3,ou=People,dc=example,dc=com" -w old_password -a old_password -s new_password

# A user, tuser4, authenticates with the user certificate and changes the password to new_password over SSL.
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -W dbpassword -N "uid=tuser4" -K /etc/dirsrv/slapd-instance_name/key3.db -s new_password

# A user, tuser5, authenticates with DIGEST-MD5 and changes the password to new_password.
ldappasswd -h myhost -o "mech=DIGEST-MD5" -o "authid=dn:uid=tuser5,ou=People,dc=example,dc=com" -w old_password -s new_password

# A user who has already authenticated with Kerberos is prompted for the new password. This is not performed over SSL.
ldappasswd -h myhost -o "mech=GSSAPI" -S

slapd

-h URLlist
	By default slapd serves ldap:/// (LDAP over TCP on all interfaces on the default LDAP port), i.e. it binds INADDR_ANY on port 389. The -h option specifies the LDAP (and other scheme) URLs to serve, as a space-separated list. For example, given
		-h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///"
	slapd listens on 127.0.0.1:9009 for LDAP, on 0.0.0.0:636 for LDAP over TLS, and on a Unix domain socket for LDAP over IPC. Host 0.0.0.0 represents INADDR_ANY (any interface). The URLs should use the ldap, ldaps or ldapi scheme, generally without a DN or other optional parameters. Support for the latter two schemes depends on the selected build options. Hosts may be given by name or as IPv4 or IPv6 addresses; ports, if given, must be numeric. The default ldap:// port is 389 and the default ldaps:// port is 636.
	Listening only on ldap://127.0.0.1 or ldapi:/// is the simplest way to keep a directory that serves local processes off the network.

ldapsearch

-x	Use simple authentication instead of SASL. Without -D/-w this is an anonymous bind; with -w the bind password crosses the wire in cleartext unless the URI is ldaps:// or -ZZ is given.
-b searchbase
	Use searchbase as the starting point for the search instead of the default.
-s {base|one|sub|children}
	Specify the scope of the search: base (the base object only), one (one level below it), sub (the whole subtree) or children (the subtree without the base object). The default is sub. Note: children scope requires the LDAPv3 subordinate feature extension.

ldapsearch -x -H ldap://serverIP -s base -b "dc=myCompany,dc=com"

#  "(objectclass=*)" is a search filter that matches any entry in the directory.
#+ Since every entry must have an object class, and the objectclass attribute is always indexed, this is a useful filter to return every entry.
#+ An anonymous dump like this is also the first thing an attacker tries against port 389, so check that it returns only what you intend to publish.
ldapsearch -x -H ldap://serverIP -b "dc=myCompany,dc=com" -s sub "(objectclass=*)"

phpldapadmin

phpLDAPadmin templates.

Template path: /usr/share/phpldapadmin/templates.
The template path can also be found in /etc/httpd/conf.d/phpldapadmin.conf.

# Restart phpldapadmin (it runs under Apache, so reload httpd)
sudo service httpd graceful

Login with uid instead of dn

From the phpLDAPadmin configuration reference: "When this value is not dn, PLA will perform an anonymous bind to the LDAP server to find the DN". So if your OpenLDAP does not allow anonymous binds (or anonymous search on uid), this will not work.