1 I'm using [LDAP][] ([RFC 4510][rfc4510]) to maintain a centralized
2 address book at home. Here are my setup notes, mostly following
3 Gentoo's [LDAP howto][howto].
5 Install [OpenLDAP][] with the `ldap` USE flag enabled:
9 If you get complaints about a `cyrus-sasl` ↔ `openldap` dependency
10 cycle, you should temporarily (or permanently) disable the `ldap` USE
11 flag for `cyrus-sasl`:
13 # echo 'dev-libs/cyrus-sasl -ldap' > /etc/portage/package.use/ldap
14 # -ldap" emerge -av1 cyrus-sasl
17 Generate an administrative password:
21 Re-enter new password:
22 {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
24 Configure the `slapd` LDAP server. Here is a very minimal
25 configuration, read the [OpenLDAP Admin Guide][admin] for details:
27 # emacs /etc/openldap/slapd.conf
28 # cat /etc/openldap/slapd.conf
29 include /etc/openldap/schema/core.schema
30 include /etc/openldap/schema/cosine.schema
31 include /etc/openldap/schema/inetorgperson.schema
32 pidfile /var/run/openldap/slapd.pid
33 argsfile /var/run/openldap/slapd.args
35 suffix "dc=example,dc=com"
37 rootdn "cn=Manager,dc=example,dc=com"
38 rootpw {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
39 directory /var/lib/openldap-data
42 [inetOrgPerson][] is huge, but it's standardized. I think it's better
43 to pick a big standard right off, than to outgrow something smaller
46 Gentoo creates the default database directory for you, so you can
47 ignore warnings about needing to create it yourself.
49 Configure LDAP client access. Again, read the docs for details on
50 adapting this to your particular situation:
52 # emacs /etc/openldap/ldap.conf
53 $ cat /etc/openldap/ldap.conf
54 BASE dc=example,dc=com
55 URI ldap://ldapserver.example.com
57 You can edit '/etc/conf.d/slapd' if you want command line options
58 passed to `slapd` when the service starts, but the defaults looked
63 # /etc/init.d/slapd start
65 Add it to your default runlevel:
67 # eselect rc add /etc/init.d/slapd default
71 $ ldapsearch -x -b '' -s base '(objectclass=*)'
73 Build a hierarchy in your database (this will depend on your
74 organizational structure):
76 $ emacs /tmp/people.ldif
77 $ cat /tmp/people.ldif
80 dn: dc=example, dc=com
82 objectClass: organization
86 dn: ou=people, dc=example,dc=com
87 objectClass: organizationalUnit
89 description: All people in organisation
91 dn: cn=Manager, dc=example,dc=com
92 objectClass: organizationalRole
94 description: Directory Manager
95 $ ldapadd -D "cn=Manager,dc=example,dc=com" -xW -f /tmp/people.ldif
101 If you currently keep your addresses in [abook][], you can export them
104 $ abook --convert --infile ~/.abook/addressbook --outformat ldif \
105 | abook-ldif-cleanup.py --basedn 'ou=people,dc=example,dc=com' > dump.ldif
107 where [[abook-ldif-cleanup.py]] does some compatibility processing
108 using the [python-ldap][] module.
110 Add the people to your LDAP database:
112 $ ldapadd -D "cn=Manager,dc=example,dc=com" -xW -f dump.ldif
114 To check if that worked, you can list all the entries in your
117 $ ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
119 Then remove the temporary files:
126 Ok, we've put lots of people into the `people` OU, but what if we want
127 to assign them to another department? We can use aliases ([RFC
128 4512][rfc4512]), the symlinks of the LDAP world. To see how this
129 works, lets create a test OU to play with:
131 $ emacs /tmp/test.ldif
134 dn: ou=test, dc=example,dc=com
135 objectClass: organizationalUnit
137 $ ldapadd -D "cn=Manager,dc=example,dc=com" -xW -f /tmp/test.ldif
140 Now assign one of your people to that group:
142 $ emacs /tmp/alias.ldif
143 $ cat /tmp/alias.ldif
145 dn: cn=Jane Doe, ou=test,dc=example,dc=com
147 aliasedObjectName: cn=Jane Doe, ou=people,dc=example,dc=com
148 $ ldapadd -D "cn=Manager,dc=example,dc=com" -xW -f /tmp/alias.ldif
151 The `extensibleObject` class allows us to add the DN field, without it
154 $ ldapadd -D "cn=Manager,dc=example,dc=com" -xW -f /tmp/alias.ldif
156 adding new entry "cn=Jane Doe, ou=test,dc=example,dc=com"
157 ldap_add: Object class violation (65)
158 additional info: attribute 'cn' not allowed
160 You can search for all entries (including aliases) with
162 $ ldapsearch -x -b 'ou=test, dc=example,dc=com' '(objectclass=*)'
164 dn: cn=Jane Doe,ou=test,dc=example,dc=com
166 objectClass: extensibleObject
167 aliasedObjectName:: Y249TWljaGVsIFZhbGxpw6hyZXMsb3U9cGVvcGxlLGRjPXRyZW1pbHksZGM9dXM=
170 You can control dereferencing with the `-a` option:
172 $ ldapsearch -x -a always -b 'ou=test, dc=example,dc=com' '(objectclass=*)'
174 dn: cn=Jane Doe,ou=people,dc=example,dc=com
179 Once you've played around, you can remove the `test` OU and its
182 $ ldapdelete -D "cn=Manager,dc=example,dc=com" -xW -r ou=test,dc=example,dc=com
187 There are a number of tools to make it easier to manage LDAP
188 databases. Command line junkies will probably like [shelldap][]:
190 $ shelldap --server ldapserver.example.com
196 dn: cn=Manager,dc=example,dc=com
197 objectClass: organizationalRole
203 Shelldap's `edit` command spawns your `EDITOR` on a temporary file
204 populated by the entry you're editing. You can either alter the entry
205 as you see fit, or try something fancier in [LDIF][].
207 JPEG photos and binary data
208 ---------------------------
210 [inetOrgPerson][] has a [jpegPhoto][] attribute, which holds a base64
211 encoded JPEG. The easiest way to set this attribute is to use the
212 `:<` delimiter mentioned in `ldif(5)` and [RFC 2849][rfc2849]:
216 dn: cn=Jane Doe,ou=people,dc=example,dc=com
219 jpegPhoto:< file:///tmp/jdoe.jpeg
221 $ ldapmodify -f thumb.ldif
223 You can extract the thumbnail from the database using:
225 $ ldapsearch -tT /tmp "cn=Jane Doe"
227 jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-Vvg2Ot
230 Which dumps non-printable values (like our `jpegPhoto`) to temporary
233 If you just want to look up someone's picture, take a look at my
234 [[ldap-jpeg.py]] script. It searches for a query string in any of
235 [cn][], [uid][], or [mail][], and for matching entries with a
236 `jpegPhoto` attribute, it uses your [[mailcap]]-specified viewer to
242 If you use the [[Mutt]] email client (or just want a simple way to
243 query email addresses from the command line) there are a [number of
244 scripts][mutts] available. Pick whichever sounds most appealing to
245 you. I wrote up [[mutt-ldap.py|mutt-ldap]], which has since seen
246 contributions from others and been pulled out into its own repository.
251 You can configure Apple's [Address Book][aab] to search an LDAP
252 directory. See [[Humanizing_OS_X]] for details.
257 It took me a bit of work to get [SSL/TLS][] working with my
258 [[GnuTLS]]-linked OpenLDAP. First, you'll probably need to generate
259 new SSL/TLS keys (`/etc/openldap/ssl/*`) with [certtool][] (see
260 [[X.509_certificates]]). Then add the following lines to
261 `/etc/openldap/slapd.conf`:
263 TLSCipherSuite NORMAL
264 TLSCACertificateFile /etc/openldap/ssl/ca.crt
265 TLSCertificateFile /etc/openldap/ssl/ldap.crt
266 TLSCertificateKeyFile /etc/openldap/ssl/ldap.key
267 TLSVerifyClient never
269 Where `ca.crt`, `ldap.crt`, and `ldap.key` are your new CA,
270 certificate, and private key. If you want to disable unencrypted
271 connections completely, remove the `ldap://` entry from your `slapd`
272 command line by editing (on Gentoo) `/etc/conf.d/slapd` so it has
274 OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
276 Now you should be able to restart `slapd` so it will use the new
279 Have clients running on your server use the local socket by editing
280 `/etc/openldap/ldap.conf` to set:
282 URI ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock
284 Test your server setup by running (on the server)
286 $ ldapsearch -x -b '' -s base '(objectclass=*)'
288 Copy your CA over to any client machines (I put it in
289 `/etc/openldap/ssl/ldapserver.crt`), and set them up with the
290 following two lines in `/etc/openldap/ldap.conf`:
292 URI ldaps://ldapserver.example.com
293 TLS_CACERT /etc/openldap/ssl/ldapserver.crt
295 Test your client setup by running (on the client)
297 $ ldapsearch -x -b '' -s base '(objectclass=*)'
299 You can configure `shelldap` with the following lines in
302 server: ldaps://ldapserver.example.com
304 tls_cacert: /etc/openldap/ssl/ldapserver.crt
306 You can configure `mutt-ldap.py` with the following lines in
312 Access control and authentication
313 ---------------------------------
315 There are a number of possible approaches to authentication for LDAP,
316 so read the [admin manual][admin] for details. I've got [[Kerberos]]
317 setup on my home system, and I'll walk through this setup here.
321 I expose the LDAPS port to the external world through my router, and I
322 don't want anonymous users to be able to download all my contact
323 information. The solution to this is to implement [access
324 control][access]. For my situation, the following
325 `/etc/openldap/slapd.conf` directives seemed appropriate:
336 The first directive allows anonymous users to use the [uid][]
337 attribute when authenticating, and allows authenticated users to read
338 anyone's `uid` attribute. This keeps users from being able to change
341 The second directive allows authenticated users to update their own
342 entry and to read every entry. Anonymous are allowed to authenticate
343 themselves, but have no other privileges.
345 Alright, so how should user's go about [authenticating][security]?
346 We'll want to set `slapd` up as a Kerberos service, and have clients
347 authenticate using [GSSAPI][].
349 For the LDAP service, we'll need a `ldap/<fqdn>@REALM` principal.
350 Because we want that service to start automatically at boot, we need
351 to keep its key in a keytab file.
353 # kadmin.local -p jdoe/admin
354 Authenticating as principal jdoe/admin with password.
355 Password for jdoe/admin@R.EDU:
356 kadmin.local: add_principal -randkey ldap/ldapserver.example.com
357 WARNING: no policy specified for ldap/ldapserver.example.com@R.EDU; defaulting to no policy
358 Principal "ldap/ldapserver.example.com@R.EDU" created.
359 kadmin.local: ktadd -k /etc/openldap/krb5-ldap.keytab ldap/ldapserver.example.com
360 Entry for principal kdap/ldapserver.example.com...
363 # chown ldap:ldap /etc/openldap/krb5-ldap.keytab
365 You need use `kadmin.local` here (instead of `kadmin`) so the process
366 has premission to create and edit the keytab file.
368 You'll need to point your `slapd` server to the new keytab. On
369 [[Gentoo]], you do this by uncommenting
371 KRB5_KTNAME=/etc/openldap/krb5-ldap.keytab
373 in `/etc/conf.d/slapd`. On Red Hat, you add
375 export KRB5_KTNAME=/etc/openldap/ldap.keytab
377 to `/etc/sysconfig/ldap`.
379 You should also configure your realm and hostname in
380 `/etc/openldap/slapd.conf`:
383 sasl-host ldapserver.example.com
385 You'll also want to associate user's Kerberos principles to LDAP DNs.
386 The template `slapd` uses is:
388 uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
390 so `jdoe@R.EDU` is associated with
392 uid=jdoe,cn=r.edu,cn=gssapi,cn=auth
394 and `jdoe/admin@R.EDU` is associated with
396 uid=jdoe/admin,cn=r.edu,cn=gssapi,cn=auth
398 You'll probably want to [map these authentication DNs][map] to the
399 appropriate directory entry, for example:
401 cn=Jane Doe,ou=people,dc=r,dc=edu
403 There are a number of ways to this, but I chose
406 uid=([^,]*),cn=r.edu,cn=gssapi,cn=auth
407 ldap:///ou=people,dc=r,dc=edu??one?(uid=$1)
411 > This will initiate an internal search of the LDAP database inside
412 > the slapd server. If the search returns exactly one entry, it is
413 > accepted as being the DN of the user. If there are more than one
414 > entries returned, or if there are zero entries returned, the
415 > authentication fails and the user's connection is left bound as the
416 > authentication request DN.
418 [Indexing][index] sounds like a good idea, so we turn it on with
424 If you change your index configuration, you'll have to stop `slapd`
425 and run `slapindex` to regenerate the indexes.
429 Users will have to do the usual `kinit` to get their Ticket Granting
430 Ticket (TGT), and then instruct their client software to use GSSAPI
431 (`-Y GSSAPI` with the OpenLDAP client tools). If you don't want to
432 type `-Y GSSAPI`, you can add
436 to your `~/.ldaprc`. If you're on Gentoo, you'll want the `kerberos`
437 and `sasl` `USE` flags set when you emerge `openldap`.
439 #### Reverse DNS issues
441 Because my SLAPD server runs on a dynamic IP address, I ran into
442 trouble with reverse DNS. The client would resolve the server address
443 into an IP, then resolve that IP address to its canonical name, and
444 asks the ticket granting server (TGS) for authorization to use
445 `ldap/<canonical>@REALM`. Because the dynamic canonical name doesn't
446 match the hostname, the TGS denies the request, leading to output
449 $ ldapwhoami -Y GSSAPI
450 ldap_sasl_interactive_bind_s: Local error (-2)
451 additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/EDU@R.EDU not found in Kerberos database)
455 … krb5kdc[15239](info): TGS_REQ (4 etypes {18 17 16 23}) …: UNKNOWN_SERVER: authtime 0, jdoe@R.EDU for host/some.dynamic.canonical.host.net@R.EDU, Server not found in Kerberos database
457 in the server's KDC log.
459 I tried disabling the reverse DNS lookup with both the `-N` command
460 line option to `ldapwhoami` and the `SASL_NOCANON true` option in
461 `~/.ldaprc`. I also added:
466 to my client's `/etc/krb5.conf`. Even with all of these, I was still
467 getting reverse DNS attempts, so I gave up and just added an entry to
468 `/etc/hosts` to ensure I got the right hostname when the client tried
471 You can get more detailed messages from `ldapwhoami` by increasing the
472 debuglevel (for example, with the `-d 1` option), which helps when
473 you're troubleshooting these kinds of issues. For example:
475 $ ldapwhoami -d 1 -Y GSSAPI
477 ldap_int_sasl_open: host=some.dynamic.canonical.host.net
479 $ ldapwhoami -d 1 -Y GSSAPI -N
481 ldap_int_sasl_open: host=ldapserver.example.com
484 Currently, `ldapwhoami` and friends will ignore the `SASL_NOCANON`
485 configuration option and only respect the `-N` command line option.
486 I've submitted [an OpenLDAP bug][7271] fixing this (included in
487 version 2.4.32, 2012-07-31), but there is still a reverse DNS call
488 happening at some point.
493 I wanted to mirror my home LDAP info on my public Ubuntu server.
494 Here's a quick rundown of the Ubuntu setup. Install OpenLDAP:
496 $ sudo apt-get install slapd ldap-utils
498 Don't serve in the clear:
500 $ cat /etc/default/slapd
502 SLAPD_SERVICES="ldaps:/// ldapi:///"
505 Avoid `Unrecognized database type (hdb)` by loading the `hdb` backend
506 module before declaring `hdb` databases:
508 $ sudo cat /etc/ldap/slapd.conf
514 Convert the old school `slapd.conf` to the new [slapd.d][]:
516 $ sudo mv slapd.d{,.bak}
518 $ sudo slaptest -f slapd.conf -F slapd.d
520 hdb_db_open: database "dc=example,dc=com": db_open(/var/lib/slapd/id2entry.bdb) failed: No such file or directory (2).
522 slap_startup failed (test would succeed using the -u switch)
524 $ sudo chown -R openldap.openldap slapd.d
526 Don't worry about that `db_open` error, the conversion to `slapd.d`
527 will have completed successfully.
529 Set permissions on the database directory (note that the databases
530 should be under `/var/lib/ldap` to match Ubuntu's default apparmor
531 config. Otherwise you'll see `invalid path: Permission denied` errors
532 when `slapd` tries to initialize the databaes).
534 $ sudo chown openldap.openldap /var/lib/ldap/
535 $ sudo chmod 750 /var/lib/ldap/
537 Configure your clients
539 $ cat /etc/ldap/ldap.conf
540 BASE dc=example,dc=com
541 URI ldaps://example.com
542 TLS_CACERT /etc/ldap/ssl/ldapserver.crt
544 Start `slapd` and add it to your default runlevel:
546 $ sudo /etc/init.d/slapd start
547 $ sudo update-rc.d slapd defaults
549 Finally, import your directory data. Dump the data on your master
552 master$ sudo slapcat -b 'dc=example,dc=com' > database.ldif
554 Load the data on your slave:
556 $ sudo /etc/init.d/slapd stop
557 $ sudo slapadd -l database.ldif
558 $ sudo /etc/init.d/slapd start
563 There's a [good overview][schema] of schema and objectclasses by Brian
564 Jones on O'Reilly. If you want to use inetOrgPerson but also include
565 the countryName attribute, ...
567 [LDAP]: http://en.wikipedia.org/wiki/LDAP
568 [rfc4510]: http://tools.ietf.org/html/rfc4510
569 [howto]: http://www.gentoo.org/doc/en/ldap-howto.xml
570 [OpenLDAP]: http://www.openldap.org/
571 [admin]: http://www.openldap.org/doc/admin/
572 [inetOrgPerson]: http://tools.ietf.org/html/rfc2798
573 [abook]: http://abook.sourceforge.net/
574 [LDIF]: http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format
575 [python-ldap]: http://www.python-ldap.org/
576 [rfc4512]: http://tools.ietf.org/html/rfc4512
577 [shelldap]: http://projects.martini.nu/shelldap/
578 [jpegPhoto]: http://tools.ietf.org/html/rfc2798#section-2.6
579 [cn]: http://tools.ietf.org/html/rfc2798#section-9.1.2
580 [uid]: http://tools.ietf.org/html/rfc2798#page-16
581 [mail]: http://tools.ietf.org/html/rfc2798#section-9.1.3
582 [jpegPhoto]: http://tools.ietf.org/html/rfc2798#section-2.6
583 [rfc2849]: http://tools.ietf.org/html/rfc2849
584 [mutts]: http://wiki.mutt.org/?QueryCommand
585 [aab]: http://support.apple.com/kb/ht2486
586 [SSL/TLS]: http://en.wikipedia.org/wiki/Transport_Layer_Security
587 [certtool]:http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool
588 [access]: http://www.openldap.org/doc/admin24/access-control.html
589 [security]: http://www.openldap.org/doc/admin24/security.html
590 [GSSAPI]: http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
591 [map]: http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities
592 [index]: http://www.openldap.org/doc/admin24/tuning.html#Indexes
593 [7271]: http://www.openldap.org/its/index.cgi?findid=7271
594 [slapd.d]: http://www.openldap.org/doc/admin24/slapdconf2.html
595 [schema]: http://www.oreillynet.com/pub/a/sysadmin/2006/11/09/demystifying-ldap-data.html