Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org
1.0 Introduction 1
Topics Covered 2
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
7.0 Summary 27
8.0 References: 27
1.0 Introduction
LDAP is an acronym for Lightweight Directory Access Protocol. It is a lightweight alternative to the X.500
Directory Access Protocol: it runs directly over TCP/IP, drops most of the OSI overhead of X.500, and scales
to the query volumes that web-scale applications, electronic commerce and time-critical content generate.
The LDAP directory set up in this training manual will be used for authentication, as a shared directory for
mail clients, and for contacts and address books.
Today, LDAP directories and LDAP authentication are a cornerstone of enterprise user infrastructure. As the
enterprise has digitized and opened pieces of most of its applications to customers, business partners,
vendors and a widely distributed workforce, knowing who the user is has become far more important from a
security perspective. Who is the user trying to access an application? How strong is the authentication on
which the application relies when it trusts that user? What authorization privileges does the user hold?
An enterprise-wide LDAP implementation lets almost any application, running on almost any platform, read
identity information from a single directory. That directory can store a broad range of data: email addresses
and mail routing information, HR data, public keys, contact lists, and much more. By making the LDAP
directory the focal point of your systems integration, you provide one-stop shopping whenever people go
looking for information within your company, even when the primary source of the data lives elsewhere. It is
also the basis for Single-Sign-On (SSO) and identity management: users hold one set of credentials in the
directory, and every LDAP-linked service and resource they are permitted to use authenticates them against
that same identity record.
OpenLDAP Software is a free, open-source implementation of the Lightweight Directory Access Protocol
(LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license, the OpenLDAP
Public License. LDAP itself is a platform-independent protocol, so OpenLDAP servers and clients
interoperate with other LDAP implementations.
Historically the OpenLDAP server (slapd, the Standalone LDAP Daemon) has been split into a frontend,
which handles network access and protocol processing, and one or more backends, which deal strictly with
data storage. (The frontend is not the LDAP client; clients such as ldapsearch are separate programs that
talk to slapd over the network.) The architecture is modular and many different backends are available, for
interfacing to other technologies as well as to traditional databases.
Proper design, implementation and deployment of enterprise LDAP authentication right from the beginning is
crucial to the eventual success of centralized identity management and therefore of SSO, and failure here is
costly in security terms. Before LDAP authentication is implemented, the enterprise should first determine
which system or application will be authoritative for the identity data, which users fall into super-user
categories, and what privileges are allocated to them. Getting this wrong means cleaning up, after the fact,
the business processes around identity creation, role changes and terminations. An authoritative identity
source will often list many identities as active whose owners are no longer with the organization; every one
of those stale accounts is a valid login to every LDAP-linked service, an undetected and sometimes hidden
security hole in any large enterprise LDAP deployment.
In this hands-on training manual, we walk step by step through how to plan, design, implement and deploy
an OpenLDAP server and an OpenLDAP client on separate Linux CentOS 5 machines. The lab assumes that
you have a good understanding of Linux and know how to set up DNS servers and mail servers. If not, the
following four articles will give you a quick start.
Topics Covered
Fig. 1.2: A data tree with root, branch and leaf nodes. The root node is the organization (o) or domain
component (dc), here example.com; the Organizational Unit (ou) nodes IT and Sales branch from it; the
Person (cn) leaf nodes Joe Johns, Rick Doug, Sarah Smith, Kate Jude and Will Smith hang off the OUs.
Directory levels:
• Domain component (dc) or organization (o)
• Organizational unit (ou)
• Common name (cn)
Fig. 3: An organizational data tree with root, branch and leaf nodes, written as distinguished names (DNs).
Each DN reads from the leaf on the left to the root on the right, and an entry's parent is the DN with the
leftmost component removed:
dn: dc=example,dc=com
dn: ou=IT,dc=example,dc=com
dn: cn=Joe Johns,ou=IT,dc=example,dc=com
dn: cn=Rick Doug,ou=IT,dc=example,dc=com
Fig. 5: Clients can query and modify data in the Directory using commands: the client sends its query to
slapd on the LDAP server (TCP/389), and slapd answers from the Directory data it holds.
2. Red Hat RPMs.
• On a Linux server:
openldap
openldap-servers
openldap-clients
nss_ldap
• On a Linux Client:
openldap
openldap-clients
nss_ldap
]# rpm -qa | grep openldap
Note: this command is often written as grep openldap*, but the star does not do what the name suggests:
to grep, openldap* means "openlda followed by zero or more p", and the unquoted * may be expanded by
the shell against files in the current directory. Plain grep openldap lists every installed package whose
name contains that string.
[root@server04 ~]# rpm -qa | grep openldap
openldap-servers-2.3.43-3.el5
openldap-servers-sql-2.3.43-3.el5
openldap-2.3.27-8.el5_2.4
openldap-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
openldap-servers-overlays-2.3.43-3.el5
openldap-clients-2.3.43-3.el5
[root@server04 ~]#
2. If the result is blank, OpenLDAP is not installed. You can compile OpenLDAP from source, but the RPMs
that Yum provides on CentOS 5/RHEL 5 contain all the required files, and they also receive the vendor's
security updates, which a source build does not. To install all the OpenLDAP packages on CentOS 5, do the
following:
[root@server04 ~]# yum install openldap* -y
suffix "dc=beemtech,dc=edu"
rootdn "cn=Manager,dc=beemtech,dc=edu"
rootpw password
directory /var/lib/ldap
• Note: Do not leave rootpw in plain text. Generate a hash with slappasswd and paste the resulting {SSHA}
value into the file in place of the plain-text word. Run slappasswd with no arguments so that it prompts for
the password; the form slappasswd -s password also works, but it leaves the secret in your shell history and
visible to other users in the process list. Also keep slapd.conf readable only by root and the ldap service
account, since anyone who can read the file can attack the rootpw hash offline.
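To see what the slappasswd hash actually contains, and to check a slapd.conf fragment for a plain-text rootpw before starting slapd, here is an added Python example; it is not code from the original guide or from OpenLDAP. It reproduces the {SSHA} layout that slappasswd emits, verifies a password against such a value the way slapd does, and rewrites the plain-text rootpw line in a constructed copy of the fragment above. The function names and the WEAK_CONF text are the example's own.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed slapd.conf fragment modelled on the one in this guide (suffix,
# rootdn, rootpw and directory are real slapd.conf directives; the plain-text
# "password" is the weak setting the note above warns against).
WEAK_CONF = """\
suffix "dc=beemtech,dc=edu"
rootdn "cn=Manager,dc=beemtech,dc=edu"
rootpw password
directory /var/lib/ldap
"""

# Scheme prefixes slapd recognises in rootpw/userPassword values.  Anything
# else (including a bare word) is stored and compared as clear text.
HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{SASL}")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} encoding: base64( SHA1(password || salt) || salt ).

    slappasswd -h {SSHA} (its default scheme) emits the same layout with a
    random 4-byte salt; the salt travels inside the value, so nothing else
    needs to be stored."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value the way slapd
    does: split off the 20-byte SHA-1 digest and reuse the trailing salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)   # constant-time compare


_ROOTPW_RE = re.compile(r'^\s*rootpw\s+"?([^"\s]+)"?\s*$')


def rootpw_value(conf: str) -> Optional[str]:
    """The rootpw value from a slapd.conf fragment, or None if there is none."""
    for line in conf.splitlines():
        m = _ROOTPW_RE.match(line)
        if m:
            return m.group(1)
    return None


def rootpw_is_hashed(conf: str) -> bool:
    """True when rootpw is present and uses one of slapd's hash schemes."""
    value = rootpw_value(conf)
    return value is not None and value.startswith(HASHED_SCHEMES)


def harden_rootpw(conf: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return the fragment with a plain-text rootpw replaced by its {SSHA}
    hash; an already-hashed rootpw and all other lines are left untouched."""
    hashed = ssha_hash(password, salt)
    out = []
    for line in conf.splitlines():
        if _ROOTPW_RE.match(line) and not rootpw_is_hashed(line):
            line = "rootpw " + hashed
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("weak fragment uses a hash:", rootpw_is_hashed(WEAK_CONF))
    fixed = harden_rootpw(WEAK_CONF, "password")
    print(fixed, end="")
    print("fixed fragment uses a hash:", rootpw_is_hashed(fixed))
    print("hash verifies against 'password':", ssha_verify("password", rootpw_value(fixed)))
```

Because the salt is stored inside the value, hashing the same password twice yields two different strings, and verification recovers the salt from the stored value rather than recomputing it. {SSHA} is salted but built on SHA-1, which is cheap to brute-force on modern hardware; on OpenLDAP 2.4 the contrib pw-pbkdf2 module, and on 2.5 and later the argon2 module, give stronger schemes for userPassword values that matter.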
]# cd /etc/openldap/
]# cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG
5. Create a file named base.ldif containing the lines below and save it into your home directory.
# File: base.ldif
## Root node
dn: dc=beemtech,dc=edu
objectclass: organization
objectclass: dcObject
o: beemtech.edu
dc: beemtech
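The DN hierarchy of Fig. 3 and the base.ldif above share one rule: the suffix entry comes first, and every other entry's parent must already exist when the entry is added, or slapd rejects it. The following Python checker is an added example, not part of the original guide or of OpenLDAP. It parses a constructed LDIF (this guide's dc=beemtech,dc=edu suffix, extended with an ou and two people, one of them deliberately misplaced) and reports the entries that ldapadd would refuse; the function names and the sample file are the example's own.

```python
from typing import Dict, List, Tuple

# Constructed LDIF, modelled on base.ldif above and on the DN layout of Fig. 3,
# using this guide's dc=beemtech,dc=edu suffix.  The last entry is deliberately
# out of order: its parent ou=Sales is never added.
SAMPLE_LDIF = """\
# File: base.ldif (constructed example)
## Root node
dn: dc=beemtech,dc=edu
objectclass: organization
objectclass: dcObject
o: beemtech.edu
dc: beemtech

dn: ou=IT,dc=beemtech,dc=edu
objectclass: organizationalUnit
ou: IT

dn: cn=Joe Johns,ou=IT,dc=beemtech,dc=edu
objectclass: inetOrgPerson
cn: Joe Johns
sn: Johns

dn: cn=Sarah Smith,ou=Sales,dc=beemtech,dc=edu
objectclass: inetOrgPerson
cn: Sarah Smith
sn: Smith
"""

Entry = Tuple[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse the LDIF subset used in this guide into (dn, {attr: [values]}) pairs.

    Handles '#' comments, blank-line entry separators and RFC 2849 line folding
    (a continuation line starts with one space).  Base64 ('::') and URL (':<')
    values are not needed here and are rejected rather than silently mangled."""
    lines: List[str] = []                    # unfold continuation lines first
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Entry] = []
    dn, attrs = None, None
    for line in lines + [""]:                # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value[:1] in (":", "<"):
            raise ValueError(f"base64/URL value not supported here: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            if dn is not None:               # entries not separated by a blank line
                entries.append((dn, attrs))
            dn, attrs = value, {}
        elif dn is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas
    (cn=Smith\\, John).  Whitespace around separators is dropped, so
    'ou=IT, dc=example,dc=com' and 'ou=IT,dc=example,dc=com' split identically."""
    rdns: List[str] = []
    buf, escaped = "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            rdns.append(buf.strip())
            buf = ""
        else:
            buf += ch
    rdns.append(buf.strip())
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical spelling for comparisons: RDNs joined by ',' with no spaces."""
    return ",".join(split_dn(dn))


def parent_dn(dn: str) -> str:
    """The DN one level up the tree (the leftmost RDN removed)."""
    return ",".join(split_dn(dn)[1:])


def check_ldif_order(text: str, suffix: str) -> List[str]:
    """Return the problems that would make ldapadd of this file fail or leave
    the tree inconsistent, in file order: an entry outside the configured
    suffix; an entry whose parent has not been added earlier in the file
    (slapd refuses a child before its parent); a dcObject whose dc attribute
    does not match its leftmost RDN value.  Empty list: adds cleanly top-down."""
    problems: List[str] = []
    seen = set()
    root = normalize_dn(suffix).lower()
    for dn, attrs in parse_ldif(text):
        ndn = normalize_dn(dn).lower()
        if ndn != root and not ndn.endswith("," + root):
            problems.append(f"{dn}: outside suffix {suffix}")
        elif ndn != root and parent_dn(ndn) not in seen:
            problems.append(f"{dn}: parent {parent_dn(dn)} not added yet")
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "dcobject" in classes:
            rdn_attr, _, rdn_val = split_dn(dn)[0].partition("=")
            if rdn_attr.strip().lower() != "dc" or attrs.get("dc", [""])[0] != rdn_val.strip():
                problems.append(f"{dn}: dc attribute does not match the RDN")
        seen.add(ndn)
    return problems


if __name__ == "__main__":
    for problem in check_ldif_order(SAMPLE_LDIF, "dc=beemtech,dc=edu"):
        print("PROBLEM:", problem)
```

Run against the sample, the checker flags only the Sarah Smith entry, because ou=Sales was never created; adding an ou=Sales entry before it, as was done for ou=IT, makes the file load cleanly. Running such a check before ldapadd is cheaper than reading slapd's "no such object" errors one entry at a time.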
7. To verify that the service is working, query the root DSE (an empty search base with base scope) for its
namingContexts attribute. With the default configuration the root DSE is readable anonymously, so a simple
bind (-x) with no credentials is enough:
[root@server04 ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# filter: (objectClass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=beemtech,dc=edu
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@server04 ~]#
The single entry with an empty dn is the root DSE. Its namingContexts value must match the suffix you
configured in slapd.conf, and "result: 0 Success" confirms that slapd accepted the query.
The following graphical LDAP browsers and editors can also be used to inspect and edit the directory:
• Kldap
• KDirAdm
• Directory Administrator.
• GQ
• LDAP Browser/Editor
• JXplorer
The full document has moved to Docstoc.com. You may download it from here:
http://www.docstoc.com/docs/46024785/Install-Guide-OpenLDAP-for-Enterprise-Identity-Management-and-SSO
-----------------------------------------------
Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in
several fields of Science & Technology, IT Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to advance
your education and career goals using the latest innovations and technologies.