Warning Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

OpenLDAP

From Livedoc - The Documentation Repository
Revision as of 02:48, 13 January 2012 by Andrew Hamilton (talk | contribs) (new page detailing openldap installation/configuration)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

OpenLDAP is the LDAP server currently used to provide both NSS LDAP (on openldap1 and openldap2) as well as Iodine's student information database (on iodine-ldap). The actual OpenLDAP daemon is called slapd (Stand-alone LDAP daemon) and many of the OpenLDAP server management utilities begin with slap (eg, slapcat, slapadd) as a result.

Installation

We currently run OpenLDAP with Kerberos and SASL support to allow for GSSAPI passwordless authentication. To install this configuration on Gentoo, run:

echo "net-nds/openldap kerberos sasl overlays" >> /etc/portage/package.use
echo "dev-libs/cyrus-sasl kerberos ldap" >> /etc/portage/package.use
emerge -a openldap

Note that at the time of this writing, OpenLDAP will only compile with Kerberos support using the MIT implementation. Therefore, if the system you are using for an OpenLDAP server is running the Heimdal implementation of Kerberos, you will need to uninstall it and install the MIT implementation before installing Cyrus-SASL and OpenLDAP.

Configuration

slapd.conf

/etc/openldap/slapd.conf is the primary configuration file for the OpenLDAP server. The config file is well-commented, however, the following configuration options are notable. For security reasons, the exact values for some options are not listed here.

  • sasl-realm: This should be set to the kerberos realm that the server is in; in our case, almost certainly CSL.TJHSST.EDU.
  • sasl-host: This should be set to the hostname of the server.
  • sasl-secprops: we set this to "noanonymous,noplain,noactive" to disable non-GSSAPI SASL authentication methods.
  • sasl-regexp: These lines are used to map Kerberos principals to LDAP DNs as part of the SASL binding process. They are processed in order and the first matching regex is used.
  • index: These lines indicate which Indexes should be maintained by OpenLDAP to speed up searches. Note that if these options are changed, slapd must be stopped and slapindex must be used to regenerate the database indexes or searches that attempt to use the new Indexes may fail.

/etc/conf.d/slapd

/etc/conf.d/slapd is used by Gentoo to setup the environment for running the OpenLDAP server.

#This tells slapd to listen for both regular and SSL connections.
OPTS="-h 'ldap:// ldaps://'"
#This allows slapd to find the keytab that it will use to validate GSSAPI authentication requests
#The keytab should contain the principal ldap/<Server FQDN> and should readable only by the user slapd runs as (by default, ldap)
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

/var/lib/openldap-data/DB_CONFIG

#These options are used to tune the cache size and connection parameters
set_cachesize 0 2097152 0
set_lk_max_objects 1500
set_lk_max_locks 1500
set_lk_max_lockers 1500
#This flag means that slapd will automatically garbage-collect transaction logs
#Note that if this flag is set, it is critical to have regular backups or recovery of a corrupted database
#will be difficult or impossible
set_flags DB_LOG_AUTOREMOVE

Replication

Management/Administration