vinay
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12 Commits
1 Branch
499 KiB
Tree: 6045e00579
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6045e00579'
${ noResults }
blog/content/docs/openldap.md

459 lines
16 KiB
Raw Normal View History

docs/openldap
1 year ago
add ldapvi
1 year ago
docs/openldap
1 year ago
add ldapvi
1 year ago
docs/openldap
1 year ago
add ldapvi
1 year ago
docs/openldap
1 year ago
add ldapvi
1 year ago
docs/openldap
1 year ago
add ldapvi
1 year ago
docs/openldap
1 year ago
 
  1. ---
  2. title: OpenLDAP 
  3. next: /docs/selfhosting/nextcloud
  4. prev: /docs/interception-vimproved
  5. ---
  6. 

  7. ### Directory Service

  8. 

  9. {{< callout type="info" >}}
  10. [Difference between a folder and a directory](https://stackoverflow.com/questions/5078676/what-is-the-difference-between-a-directory-and-a-folder)
  11. Folder is for grouping items.
  12. Directory has index. It is for finding specific item,Directory is a filesystem concept.
  13. In simple terms think ```directory``` like a telephone directory which is in a hierarchial structure.
  14. {{< /callout >}}
  15. 

  16. The term directory service refers to the collection of software, hardware, and processes that store information about an enterprise, subscribers, or both, and make that information available to users. A directory service consists of at least one instance of Directory Server and at least one directory client program. Client programs can access names, phone numbers, addresses, and other data stored in the directory service.
  17. 

  18. A directory is similar to database,which is attribute-based data;where data is read more often than write.
  19. 

  20. Directory Server provides Global Directory Services which means it provides information to wide variety of applications,rather than using databases with different applications,which is very hard to administrate.Directory server is a single solution to manage the same information
  21. {{<callout type="info">}}
  22. For example, an organization has three different applications running like nextcloud,email and matrix server and all the applications are accessed by same credentials,if separate database schema's are used for each application it would be hard to manage,if user requesting a password change in one application maybe not be replicated into another application;this problem is solved single,centralized repository of directory information.
  23. {{</callout>}}
  24. 

  25. LDAP provides a common language that client applications and servers use to communicate with one another. LDAP is a "lightweight" version of the Directory Access Protocol (DAP)
  26. 

  27. ### RDBMS vs Directory Service

  28. 

  29. {{% details title="1. How often does your data change?"%}}
  30. Directory servers are used for ```reads```,if your data changes often and have many write operations directory service is not a ideal choice,RDBMS would be the ideal choice.
  31. {{% /details %}}
  32. 

  33. 

  34. {{% details title="2. Type of Data? "%}}
  35. If data is defined in ```Key:Value``` pair or ```Attribute:Value``` pair, Directory service would be the best choice,like user profile.
  36. {{% /details %}}
  37. 

  38. {{% details title="3. Data in Hierarchial tree like structure" %}}
  39. If data can be modeled into a tree like structure,accessing the parent and child node in the tree,directory service 
  40. {{% /details %}}
  41. 

  42. ### OpenLDAP

  43. LDAP stands for Lightweight Directory Access Protocol, for accessing directory services.OpenLDAP is the implementation of the LDAP protocol,is a communications protocol that defines the methods in which a directory service can be accessed. 
  44. The LDAP information model is based on entries, which is a collection of attributes that has a globally unique Distinguished Name```(DN)```
  45. OpenLDAP is the implementation of the LDAP protocol which belong to User Management and Authentication in tech.
  46. 

  47. The LDAP protocol both authenticates and authorize's users to their resources.The protocol authenticates users with a bind operation that allows users to communicate with LDAP directory
  48. then authorizes the authenticated user to resources they need if they have access that are defined in rules.Once a user is successfully authenticated, they need to be authorized to access the resource(s) requested. 
  49. With OpenLDAP, for example, users belong to groups that can be assigned different permissions. If the authenticating user is assigned the correct permissions to access a certain resource, the LDAP protocol will authorize them to it; if not, the protocol will deny access.
  50. #### LDAP Data components

  51. 

  52. 1. Directory: an LDAP server
  53. 

  54. 2. DIT: the tree of entries stored within a directory server
  55. 

  56. 3. Attributes 
  57. 

  58. Data in LDAP system is stored in elements called attributes,like Key Value pair.Data in the attribute must match to the type defined in the attribute's initial declaration.
  59. 

  60. ```bash
  61. mail: user@example.com
  62. dc:example,dc:com
  63. ```
  64. 

  65. 4. Entries 
  66. 

  67. Attributes by themselves are not useful, a group or collection of ```attributes``` under a name represents an entry.
  68. ```bash
  69. dn: ou=people,dc=example,dc=com
  70. objectClass: person
  71. sn: Ramesh
  72. cn: Varma
  73. ```
  74. An example entry displayed in LDIF ( LDAP Data Interchange Format).
  75. ```bash
  76. $ cat ldif/user.ldif 
  77. dn: uid=vinay.m,ou=People,dc=vinay,dc=im
  78. objectClass: top
  79. objectClass: inetOrgPerson
  80. uid: vinay.m
  81. cn: vinay
  82. sn: m
  83. userPassword: test
  84. ou: People
  85. 

  86. dn: uid=akshay,ou=People,dc=vinay,dc=im
  87. objectClass: top
  88. objectClass: inetOrgPerson
  89. uid: akshay
  90. cn: akshay 
  91. sn: p
  92. userPassword: test
  93. ou: People
  94. ```
  95. 

  96. 5. ObjectClass
  97. 

  98. Object class: a collection of required (MUST) and optional (MAY) attributes. Object classes are further subdivided into STRUCTURAL and AUXILIARY classes, and they may inherit from each other.Every entry has a structural Object class which indicates what type of object an entry is and also can have more auxiliary object that have additional characteristics for that entry.
  99. 

  100.  The ObjectClass definitions are stored in the schema files.Object class must have an object identifier (OID)  Object classes may also list a set of required attribute types (so that any entry with that object class must also include those attributes) and/or a set of optional attribute types (so that any entry with that object class may optionally include those attributes).OID's are sequence of numbers separated by periods(.), “1.2.840.113556.1.4.473” 
  101. 

  102. 6. Schema 
  103. 

  104.   Schema's define the directory, specifying the configuration of the directories including syntax,object classes,attribute types and matching rules.
  105. 

  106. #### slapd - Standalone LDAP Daemon

  107. 

  108. ```slapd``` is a LDAP directory server,which stands for Standalone LDAP daemon.Providing simple auth and security layer.
  109. 

  110. ```bash
  111. $ sudo apt install slapd ldapvi ldap-utils
  112. ```
  113. 

  114. {{< callout type="warning" >}}
  115.  when asked for administration password prompt during installation just press ```Enter```,we reconfigure slapd using dpkg-reconfigure after the installation.
  116. {{< /callout >}}
  117. 

  118. ```bash
  119. $sudo dpkg-reconfigure slapd
  120. ```
  121. {{< callout type="info" >}}
  122. Reconfiguration: 
  123. 1. Omit initial LDAP server config : ```No``` we obviously want to create intial configuration.  
  124. 2. DNS Domain Name : domain name to build the base DN of LDAP directory in this case we are choosing ```vinay.im```.  
  125. 3. Organization Name: Type down the organization name( here XYZ Pvt Ltd)
  126. 5. Choose an Admin Password of your choice( for tutorial purpose i've choosed test) and choose MDB as backend database
  127. 6. If asked to purge database when slapd is removed we choose ```No```,will be helpful when we want to switch to a different LDAP server. 
  128. 7. Choose Yes if you want to backup the current existing database to ```/var/backups```.
  129. 

  130. {{< /callout >}}
  131. 

  132. To have a look at the LDAP database , simple execute ```slapcat``` with sudo privileges.
  133. ```bash{filename="$ sudo slapcat"}
  134. $ sudo slapcat
  135. dn: dc=vinay,dc=im
  136. objectClass: top
  137. objectClass: dcObject
  138. objectClass: organization
  139. o: XYZ Pvt Ltd
  140. dc: vinay
  141. structuralObjectClass: organization
  142. entryUUID: 8057316c-ed6e-103d-8b93-b9da23579469
  143. creatorsName: cn=admin,dc=vinay,dc=im
  144. createTimestamp: 20230922083350Z
  145. modifiersName: cn=admin,dc=vinay,dc=im
  146. modifyTimestamp: 20230922083350Z
  147. ```
  148. {{< callout type="info" >}}
  149. Config files are present in ```/etc/ldap``` directory.   
  150.  Schemas can be added within the ```slap.d``` directory for server customization.  
  151.  Database is stored in ```/var/lib/ldap``` having two files ```data.mdb``` and ```lock.mdb```.
  152. {{< /callout >}}
  153. 

  154. ```bash
  155. $ sudo cp /usr/share/doc/slapd/examples/slapd.conf /etc/ldap/
  156. ```
  157. Copy the example config file ```slapd.conf``` to ```/etc/ldap```, and replace DNS domain components ```dc=example``` to ```dc=vinay``` and ```dc=com``` to ```dc=im``` everywhere in the config, also
  158. update ```/etc/default/slapd``` from  ```SLAPD_CONF``` to ```SLAPD_CONF=/etc/ldap/slapd.conf``` and update slapd service by ```sudo systemctl restart slapd``` 
  159. 

  160. In ```/etc/ldap/slapd.conf``` under ```suffix       "dc=vinay,dc=com"``` add the following lines 
  161. ```bash
  162. rootdn          "cn=admin,dc=vinay,dc=com"
  163. rootpw          "test"
  164. ```
  165. Restart the slapd service again.
  166. ```bash
  167. $ sudo systemctl restart slapd
  168. ```
  169. #### ldapsearch

  170. 

  171. ```bash{filename="ldapsearch anonymous query"}
  172. $ldapsearch -x -b "dc=vinay,dc=im"
  173. # vinay.im

  174. dn: dc=vinay,dc=im
  175. objectClass: top
  176. objectClass: dcObject
  177. objectClass: organization
  178. o: XYZ Pvt Ltd
  179. dc: vinay
  180. 

  181. # search result

  182. search: 2
  183. result: 0 Success
  184. 

  185. # numResponses: 2

  186. ```
  187. ```bash{filename="ldapsearch authenticating with admin user"}
  188. $ ldapsearch -D cn=admin,dc=vinay,dc=im -w test -b dc=vinay,dc=im
  189. # extended LDIF

  190. #
  191. # LDAPv3

  192. # base <dc=vinay,dc=im> with scope subtree

  193. # filter: (objectclass=*)

  194. # requesting: ALL

  195. #
  196. 

  197. # vinay.im

  198. dn: dc=vinay,dc=im
  199. objectClass: top
  200. objectClass: dcObject
  201. objectClass: organization
  202. o: XYZ Pvt Ltd
  203. dc: vinay
  204. 

  205. # search result

  206. search: 2
  207. result: 0 Success
  208. 

  209. # numResponses: 2

  210. # numEntries: 1

  211. ```
  212. 1.  ```-D``` {dn} / ```--bindDN``` {dn} — The DN to use to bind to the directory server when performing simple authentication,to use the distinguished binddn name to bind the LDAP directory.
  213. 2. ```-w``` - this option is used to provide the password on the command line for auth, ```-W``` option is used to ask for prompt for typing invisible password without actualling having to type the pass on cli.
  214. 3. ```-b``` - search base as the starting point for the search instead of default.
  215. 4. ```-x``` option in ldapsearch is used for simple authentication instead of SASL.
  216. 

  217. The above command search's through the ldap directory server with ```admin``` distinguished name providing password with the ```-w``` option and setting the searchbase to start from the rootdn.
  218. 

  219. -- To list all users on ldap
  220. ```bash
  221. $ ldapsearch -D "cn=admin,dc=vinay,dc=com" -W -b "dc=vinay,dc=com"
  222. $ slapcat
  223. ```
  224. lists all users from the base dn
  225. 

  226. #### Adding OU (Organization Unit)

  227. 

  228. Organizational units (OUs) are used to organize entries within the directory tree and can be used to delegate administrative responsibilities within your organization. It’s important to keep your directory organized and well-structured from the beginning; otherwise it will quickly become unwieldy and difficult to manage.
  229. 

  230. Create a directory called ldif(LDAP Interchange Format) in ```/etc/ldap``` and create a file called people.ldif and paste the following contents.
  231. ```bash
  232. $ cat /etc/ldap/ldif/people.ldif
  233. dn: ou=People,dc=vinay,dc=com
  234. ou: People
  235. cn: people
  236. sn: people
  237. objectClass: top
  238. objectClass: inetOrgPerson
  239. 

  240. $ ldapadd  -D cn=admin,dc=vinay,dc=im -w test -f /etc/ldap/ldif/people.ldif 
  241. adding new entry "ou=People,dc=vinay,dc=im"
  242. ```
  243. now ```slapcat``` command shows the OU added within the command output. 
  244. 

  245. #### Add new User

  246. 

  247. Adding new user within the newly created OU(Organizational Unit)
  248.  
  249.  ```bash{filename="/etc/ldap/john.ldif"}
  250.  # cat john.ldif 
  251. dn: uid=john,ou=People,dc=vinay,dc=com
  252. objectClass: top
  253. objectClass: inetOrgPerson
  254. uid: john
  255. cn: john
  256. ou: People
  257. sn: abraham
  258. mail: john@vinay.com
  259. userPassword: john
  260. ```
  261. Adding the .ldif file using ldapadd command
  262. ```
  263. $ sudo ldapadd -D "cn=admin,dc=vinay,dc=com" -W -f john.ldif 
  264. Enter LDAP Password: 
  265. adding new entry "uid=john,ou=People,dc=vinay,dc=com"
  266. 

  267. ```
  268. 

  269. #### Read entries within OU as admin

  270. 

  271. Now we have added an ```OU``` and a user ```john``` to ```People``` OU,lets try to ```ldapsearch``` the users within the OU as admin
  272. ```bash{filename="display users of an OU as admin"}
  273. $ ldapsearch -D "cn=admin,dc=vinay,dc=com" -w vinay.com -b "ou=People,dc=vinay,dc=com"
  274. 

  275. # extended LDIF

  276. #
  277. # LDAPv3

  278. # base <ou=People,dc=vinay,dc=com> with scope subtree

  279. # filter: (objectclass=*)

  280. # requesting: ALL

  281. #
  282. 

  283. # People, vinay.com

  284. dn: ou=People,dc=vinay,dc=com
  285. ou: People
  286. cn: people
  287. sn: people
  288. objectClass: top
  289. objectClass: inetOrgPerson
  290. 

  291. # john, People, vinay.com

  292. dn: uid=john,ou=People,dc=vinay,dc=com
  293. objectClass: top
  294. objectClass: inetOrgPerson
  295. uid: john
  296. cn: john
  297. ou: People
  298. ou: Support
  299. sn: abraham
  300. mail: john@vinay.com
  301. userPassword:: am9obg==
  302. 

  303. ```
  304. #### Read entries within OU as normal user.

  305. 

  306. ```bash
  307. $ ldapsearch -D "uid=john,ou=People,dc=vinay,dc=com" -w john -b "ou=People,dc=vinay,dc=com"
  308. # extended LDIF

  309. #
  310. # LDAPv3

  311. # base <ou=People,dc=vinay,dc=com> with scope subtree

  312. # filter: (objectclass=*)

  313. # requesting: ALL

  314. #
  315. 

  316. # People, vinay.com

  317. dn: ou=People,dc=vinay,dc=com
  318. ou: People
  319. cn: people
  320. sn: people
  321. objectClass: top
  322. objectClass: inetOrgPerson
  323. 

  324. # john, People, vinay.com

  325. dn: uid=john,ou=People,dc=vinay,dc=com
  326. objectClass: top
  327. objectClass: inetOrgPerson
  328. uid: john
  329. cn: john
  330. ou: People
  331. ou: Support
  332. sn: abraham
  333. mail: john@vinay.com
  334. userPassword:: am9obg==
  335. 

  336. ```
  337. 

  338. #### Modifying existing entries

  339. 

  340. 1. Using ```ldapmodify``` to update entries. 
  341. 

  342. Now to modify an already added record we use ldapmodify and the attributes that are to be modified are put into a separate file,here ```john-modify.ldif``` and to demonstrate here an OU ```Support```
  343. is added to the existing entry,along with ```People``` OU.
  344. 

  345. ```bash{filename="john-modify.ldif"}
  346. $  cat /etc/ldap/ldif/john-modify.ldif 
  347. dn: uid=john,ou=People,dc=vinay,dc=com
  348. changetype: modify
  349. add: ou
  350. ou: Support
  351. ```
  352. 

  353. ```bash{filename="ldapmodify command for john-modify.ldif"}\
  354. $ ldapmodify -D "cn=admin,dc=vinay,dc=com" -W -f john-modify.ldif
  355. Enter LDAP Password: 
  356. modifying entry "uid=john,ou=People,dc=vinay,dc=com"
  357. ```
  358. 

  359. Now running a slapcat command shows the updated OU ```Support```
  360. 

  361. ```bash{linenos=table}
  362. dn: uid=john,ou=People,dc=vinay,dc=com
  363. objectClass: top
  364. objectClass: inetOrgPerson
  365. uid: john
  366. cn: john
  367. ou: People
  368. ou: Support
  369. sn: abraham
  370. mail: john@vinay.com
  371. userPassword:: am9obg==
  372. structuralObjectClass: inetOrgPerson
  373. entryUUID: 50ea0ea8-f23d-103d-816b-4d9c39504958
  374. creatorsName: cn=admin,dc=vinay,dc=com
  375. createTimestamp: 20230928112421Z
  376. entryCSN: 20230928120656.291224Z#000000#000#000000
  377. modifiersName: cn=admin,dc=vinay,dc=com
  378. modifyTimestamp: 20230928120656Z
  379. ```
  380. 

  381. 2.Using ```ldapvi``` to update LDAP entries with a text editor.
  382. 

  383. ```bash{filename="ldapvi example"}
  384. $  ldapvi -d --host vinay.im 
  385. ```
  386. ```ldapvi```  is a ldap client using which we can search,modify and delete entries which is easier than ```ldapmodify```  instead of adding the updated records in a separate ```ldif``` file.
  387. ldapvi prompts to open text editor to modify entries,just similar to text editor.
  388. 

  389. The above command will bind anonmously to hostname, here the hostname is ```vinay.im```.After making necessary changes in the entry save from the text editor.
  390. ```
  391. # ldapvi -d --host nextcloud.vinay.com

  392.       3 entries read                                                                                                                                                                        
  393. add: 0, rename: 0, modify: 1, delete: 0
  394. Action? [yYqQvVebB*rsf+?] b
  395. 

  396. 

  397. --- Login
  398. 

  399. --- Login
  400. 

  401. --- Login
  402. Type M-h for help on key bindings.
  403. 

  404. Filter or DN: cn=admin,dc=vinay,dc=im
  405. 

  406.     Password: *****
  407. 

  408. Bound as cn=admin,dc=vinay,dc=im.
  409. add: 0, rename: 0, modify: 1, delete: 0
  410. Action? [yYqQvVebB*rsf+?] y
  411. Done.
  412. ```
  413. after saving and exiting from text editor, an interactive bash prompt ``` [yYqQvVebB*rsf+?]``` 
  414. 

  415. ```y``` to commit changes.
  416. 

  417. ```e``` to edit changes.
  418. 

  419. ```v``` to view changes as LDIF change records.
  420. 

  421. ```b``` to show login and rebind - we are trying to auth from admin and save the changes to LDAP entries.
  422. 

  423. 

  424. ```
  425. [Reference serverfault] https://serverfault.com/questions/290296/ldapadd-ldapmodify-clarifications-needed-about-these-commands
  426. 

  427. #### Verifying the ```slapd.conf``` Configuration file

  428. 

  429. ```bash
  430. $sudo  slaptest -v -f /etc/ldap/slapd.conf 
  431. config file testing succeeded
  432. ```
  433. 

  434. ```-f``` : Specifying an alternative configuration file.
  435. 

  436. ```-v``` : enable verbose mode.
  437. 

  438. 

  439. 

  440. #### Conventions in OpenLDAP

  441. 

  442. dn - Distinguished Name  
  443. RDN - Relative Distinguished Name  
  444. cn - Common Name  
  445. dc - Domain Component  
  446. mail - Email Address  
  447. ou - Organization Unit  
  448. ldif - LDAP Data Interchange Format  
  449. ldap - Lightweight Directory Access Protocol  
  450. 

  451. ### References

  452. 

  453. 1. https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/deployment_guide/introduction_to_directory_services
  454. 

  455. 2. https://www.zytrax.com/books/ldap
  456. 

  457. 3. https://tylersguides.com/guides/openldap-how-to-add-a-user/
  458. 

  459. 4. https://www.zytrax.com/books/ldap/