LDAP: Difference between revisions
No edit summary |
m (→FAQ) |
||
(73 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
'''L'''ightweight '''D'''irectory '''A'''ccess '''P'''rotocol | '''L'''ightweight '''D'''irectory '''A'''ccess '''P'''rotocol | ||
In [http://en.wikipedia.org/wiki/computer_networking computer networking], the '''Lightweight Directory Access Protocol''', or '''LDAP''' ("ell-dap"), is a [http://en.wikipedia.org/wiki/networking_protocol networking protocol] for querying and modifying [http://en.wikipedia.org/wiki/directory_service directory service]s running over [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP]. | In [http://en.wikipedia.org/wiki/computer_networking computer networking], the '''Lightweight Directory Access Protocol''', or '''LDAP''' ("ell-dap"), is a [http://en.wikipedia.org/wiki/networking_protocol networking protocol] for querying and modifying [http://en.wikipedia.org/wiki/directory_service directory service]s running over [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP]. An LDAP directory usually follows the [http://en.wikipedia.org/wiki/X.500 X.500] model: it is a tree of entries, each of which consists of a set of named attributes with values. While some services use a more complicated "forest" model, the vast majority use a simple starting point for their database organization. | ||
An LDAP directory often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use [http://en.wikipedia.org/wiki/Domain_Name_System Domain Name System] (DNS) names for structuring the most simple levels of the hierarchy. Further into the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else which represents a given tree entry, or multiple entries. | |||
Its current version is LDAPv3. LDAPv3 is specified in a series of [http://en.wikipedia.org/wiki/IETF IETF] Standard Track [http://en.wikipedia.org/wiki/Request_for_Comments RFC]s as detailed in RFC 4510. | |||
= Interfaces = | |||
*[http://directory.apache.org/studio/ Apache Directory Studio] | |||
*[http://lam.sourceforge.net/ LAM (LDAP Account Manager)] | |||
*[http://phpldapadmin.sourceforge.net phpldapadmin] | |||
*ldapvi | |||
= Tutorials and docs = | |||
*[https://ldapwiki.com/wiki/ LDAP wiki] | |||
*[[Pam-ldap|Pam-ldap]] | |||
*[http://www.zytrax.com/books/ldap/ http://www.zytrax.com/books/ldap/] | |||
*[http://tuxick.net/ldap.html http://tuxick.net/ldap.html] | |||
*[http://ldapadministrator.com http://ldapadministrator.com] | |||
*[https://www.calmblue.net/blog/server/linux/openldap-server-on-debian-using-olc OpenLDAP server on Debian using OLC] | |||
*[http://thomas-howard.com/Reference/Articles/Apache+AD/ Apache Authentication with Active Directory] | |||
*[http://www.gentoo.org/doc/en/ldap-howto.xml LDAP authentication on Gentoo (slightly outdated)] | |||
*[[LDAP_Replication|LDAP Replication]] | |||
*[http://www.linuxtopia.org/online_books//network_administration_guides/ldap_administration/appendix-common-errors_Common_causes_of_LDAP_errors.html Common causes of LDAP errors] | |||
*[http://www.oav.net/mirrors/LDAP-ObjectClasses.html Objectclasses] | |||
*[http://www.zytrax.com/books/ldap/ LDAP for Rocket Scientists] | |||
*[http://moduli.net/sysadmin/sarge-ldap-auth-howto.html http://moduli.net/sysadmin/sarge-ldap-auth-howto.html] | |||
*[http://www.zytrax.com/books/ldap/ch6/slapd-config.html#intro OpenLDAP using OLC (cn=config)] | |||
*[https://www.ibm.com/support/pages/how-test-ca-certificate-and-ldap-connection-over-ssltls LDAP and SSL certificates] | |||
== Access control == | |||
*[http://www.openldap.org/doc/admin24/access-control.html Access Control] | |||
*[http://www.zytrax.com/books/ldap/ch6/#access http://www.zytrax.com/books/ldap/ch6/#access] | |||
*[http://www.linuxtopia.org/online_books/network_administration_guides/ldap_administration/slapdconf2_Access_Control.html OLC access control] | |||
== ldapmodify == | |||
*[http://www.tldp.org/HOWTO/LDAP-HOWTO/utilities.html http://www.tldp.org/HOWTO/LDAP-HOWTO/utilities.html] | |||
*[http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahy/rzahydeleteobj.htm Delete an objectclass] | |||
| |||
= Links = | |||
*[http://www.openldap.org/ http://www.openldap.org/] | |||
*[http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/deployTOC.html Red Hat Directory Server documentation, worth reading] | |||
*[http://docs.sun.com/source/816-6064-10/ErrorMsg.doc7.html Error messages] | |||
= Client configuration = | |||
In /etc/openldap/ldap.conf | |||
== Ldapsearch == | |||
*[https://theitbros.com/ldapsearch/ https://theitbros.com/ldapsearch/] | |||
*[[ldapsearch]] | |||
| |||
= FAQ = | |||
== OLC == | |||
=== Change OLC config === | |||
ldapmodify -Y EXTERNAL -H ldapi:/// | |||
dn: cn=config | |||
replace: olcLogLevel | |||
olcLogLevel: None | |||
CTRL + D | |||
| |||
=== view configuration in OLC === | |||
slapcat -H "ldap:///cn=config??sub?(olcDatabase=*)" | |||
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | |||
=== LdapErr: DSID-0C090AE1, comment: In order to perform this operation a successful bind must be completed on the connection. === | |||
login? | |||
=== ldap_sasl_interactive_bind_s: Unknown authentication method (-6) === | |||
try adding "-x" to the ldapsearch, | |||
| |||
== ldapsearch == | |||
=== LdapErr: DSID-0C09127F, comment: TLS or SSL already in effect, data 0, v3839 === | |||
===TLS certificate verification: Error, unable to get local issuer certificate=== | |||
== add indexes == | |||
[http://forum.zentyal.org/index.php?topic=3006.0 http://forum.zentyal.org/index.php?topic=3006.0] [http://www.zytrax.com/books/ldap/apa/indeces.html http://www.zytrax.com/books/ldap/apa/indeces.html] | |||
NOTE: there is no more need to run slapindex!! | |||
== additional info: structuralObjectClass: no user modification allowed == | |||
use slapadd instead of ldapadd, while slapd is NOT running: | |||
slapadd -v < ldap.ldif | |||
== AttributeType inappropriate matching rule: "integerMatch" == | |||
duh | |||
== Replace LDAP database == | |||
service slapd stop | |||
rm /var/lib/ldap/* | |||
slapadd -l dump.ldif | |||
chown -R openldap.openldap /var/lib/ldap | |||
service slapd start | |||
| |||
== create a new database from ldif file == | |||
slapadd -f dump.ldif | |||
Remember to set rights to the db storage! | |||
== add a record == | |||
ldapadd | |||
== modify a record == | |||
*[http://docs.sun.com/source/816-6400-10/lmodify.html http://docs.sun.com/source/816-6400-10/lmodify.html] | |||
| |||
ldapmodify -x -D "cn=admin, dc=bar, dc=com" -W << EOF | |||
dn: cn=foo, dc=bar, dc=com | |||
changetype: modify | |||
replace: sn | |||
sn: new name | |||
EOF | |||
Or | |||
ldapmodify -D "cn=admin,dc=bar,dc=com" -Y EXTERNAL -H ldapi:/// << EOF | |||
.. | |||
EOF | |||
Or even, also for reconfiguration of OLC | |||
ldapmodify -Y EXTERNAL -H ldapi:/// < foo.ldif | |||
== change olcAccess, olcSuffix etc == | |||
I managed this changing things in following order: | |||
olcAccess{2} | |||
olcAccess{0} | |||
olcRootDN | |||
olcSuffix | |||
| |||
EOF | |||
== add an attribute == | |||
changetype: modify | |||
add: objectClass | |||
objectClass: qmailUser | |||
== search for a record == | |||
[http://docs.sun.com/source/816-6400-10/lsearch.html http://docs.sun.com/source/816-6400-10/lsearch.html] | |||
ldapsearch -x -b '' -s base '(objectclass="*)'" namingContexts'' | |||
ldapsearch -x -b "dc=foo, dc=com" "uid=harry" | |||
*scope? | |||
| |||
== ber_get_next on fd 12 failed errno=0 (Success) == | |||
You're probably trying to use ldapadd without -x | |||
== ber_get_next on fd 15 failed errno=11 (Resource temporarily Unavailable) == | |||
?? | |||
== rootdn is always granted unlimited privileges == | |||
== Error number: 0x50 (LDAP_OTHER) == | |||
=== Internal (implementation specific) error === | |||
You probably ran slapindex as wrong user. Set rights on the directory you find under 'directory' in slapd.conf for the user slapd runs as ( openldap on debian ) | |||
== search filters == | |||
*[http://www.faqs.org/rfcs/rfc2254.html http://www.faqs.org/rfcs/rfc2254.html] | |||
| |||
== main: TLS init def ctx failed: -1 == | |||
Probably no access to one of the certificate files | |||
| |||
== ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif" == | |||
You edited config file instead of using ldapmodify. This error will go away once you used ldapmodify on it. | |||
| |||
== php and ldap == | |||
===ignore certificates=== | |||
LDAPTLS_REQCERT=never | |||
related to TLS_REQCERT in ldap.conf, so see | |||
man ldap.conf | |||
== check TLS connection == | |||
You might need to set up certs in /etc/openssl/ldap.conf | |||
ldapsearch -x -ZZ -h hostname -p 389 | |||
or | |||
openssl s_client -connect hostname:636 -cert /etc/openldap/certs/clientcert.pem -CAfile /etc/openldap/certs/cacert.pem | |||
or | |||
openssl s_client -starttls ldap -connect hostname:636 | |||
=== ldap_start_tls: Connect error (-11) === | |||
probably some cert missing | |||
= Keywords = | |||
== rootdn == | |||
The user/account with full access | |||
| |||
== | = Tools = | ||
*phpldapadmin | |||
* | *ldapbrowser | ||
*lam | |||
*shelldap | |||
*ldapvi |
Latest revision as of 10:32, 14 June 2023
Lightweight Directory Access Protocol
In computer networking, the Lightweight Directory Access Protocol, or LDAP ("ell-dap"), is a networking protocol for querying and modifying directory services running over TCP/IP. An LDAP directory usually follows the X.500 model: it is a tree of entries, each of which consists of a set of named attributes with values. While some services use a more complicated "forest" model, the vast majority use a simple starting point for their database organization.
An LDAP directory often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain Name System (DNS) names for structuring the most simple levels of the hierarchy. Further into the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else which represents a given tree entry, or multiple entries.
Its current version is LDAPv3. LDAPv3 is specified in a series of IETF Standard Track RFCs as detailed in RFC 4510.
Interfaces
Tutorials and docs
- LDAP wiki
- Pam-ldap
- http://www.zytrax.com/books/ldap/
- http://tuxick.net/ldap.html
- http://ldapadministrator.com
- OpenLDAP server on Debian using OLC
- Apache Authentication with Active Directory
- LDAP authentication on Gentoo (slightly outdated)
- LDAP Replication
- Common causes of LDAP errors
- Objectclasses
- LDAP for Rocket Scientists
- http://moduli.net/sysadmin/sarge-ldap-auth-howto.html
- OpenLDAP using OLC (cn=config)
- LDAP and SSL certificates
Access control
ldapmodify
Links
Client configuration
In /etc/openldap/ldap.conf
Ldapsearch
FAQ
OLC
Change OLC config
ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=config replace: olcLogLevel olcLogLevel: None CTRL + D
view configuration in OLC
slapcat -H "ldap:///cn=config??sub?(olcDatabase=*)" ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
LdapErr: DSID-0C090AE1, comment: In order to perform this operation a successful bind must be completed on the connection.
login?
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
try adding "-x" to the ldapsearch,
ldapsearch
LdapErr: DSID-0C09127F, comment: TLS or SSL already in effect, data 0, v3839
TLS certificate verification: Error, unable to get local issuer certificate
add indexes
http://forum.zentyal.org/index.php?topic=3006.0 http://www.zytrax.com/books/ldap/apa/indeces.html
NOTE: there is no more need to run slapindex!!
additional info: structuralObjectClass: no user modification allowed
use slapadd instead of ldapadd, while slapd is NOT running:
slapadd -v < ldap.ldif
AttributeType inappropriate matching rule: "integerMatch"
duh
Replace LDAP database
service slapd stop rm /var/lib/ldap/* slapadd -l dump.ldif chown -R openldap.openldap /var/lib/ldap service slapd start
create a new database from ldif file
slapadd -f dump.ldif
Remember to set rights to the db storage!
add a record
ldapadd
modify a record
ldapmodify -x -D "cn=admin, dc=bar, dc=com" -W << EOF dn: cn=foo, dc=bar, dc=com changetype: modify replace: sn sn: new name EOF
Or
ldapmodify -D "cn=admin,dc=bar,dc=com" -Y EXTERNAL -H ldapi:/// << EOF .. EOF
Or even, also for reconfiguration of OLC
ldapmodify -Y EXTERNAL -H ldapi:/// < foo.ldif
change olcAccess, olcSuffix etc
I managed this changing things in following order:
olcAccess{2} olcAccess{0} olcRootDN olcSuffix
EOF
add an attribute
changetype: modify add: objectClass objectClass: qmailUser
search for a record
http://docs.sun.com/source/816-6400-10/lsearch.html
ldapsearch -x -b -s base '(objectclass="*)'" namingContexts ldapsearch -x -b "dc=foo, dc=com" "uid=harry"
- scope?
ber_get_next on fd 12 failed errno=0 (Success)
You're probably trying to use ldapadd without -x
??
rootdn is always granted unlimited privileges
Error number: 0x50 (LDAP_OTHER)
Internal (implementation specific) error
You probably ran slapindex as wrong user. Set rights on the directory you find under 'directory' in slapd.conf for the user slapd runs as ( openldap on debian )
search filters
main: TLS init def ctx failed: -1
Probably no access to one of the certificate files
ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif"
You edited config file instead of using ldapmodify. This error will go away once you used ldapmodify on it.
php and ldap
ignore certificates
LDAPTLS_REQCERT=never
related to TLS_REQCERT in ldap.conf, so see
man ldap.conf
check TLS connection
You might need to set up certs in /etc/openssl/ldap.conf
ldapsearch -x -ZZ -h hostname -p 389
or
openssl s_client -connect hostname:636 -cert /etc/openldap/certs/clientcert.pem -CAfile /etc/openldap/certs/cacert.pem
or
openssl s_client -starttls ldap -connect hostname:636
ldap_start_tls: Connect error (-11)
probably some cert missing
Keywords
rootdn
The user/account with full access
Tools
- phpldapadmin
- ldapbrowser
- lam
- shelldap
- ldapvi