Warning Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.


Jump to: navigation, search


266 bytes added, 10:06, 6 June 2013
redo headings, add See Also section, remove stub template
'''OpenLDAP''' is the LDAP server currently used to provide both NSS LDAP (on openldap1 and openldap2) as well as Iodine's student information database (on iodine-ldap). The actual OpenLDAP daemon is called slapd (Stand-alone LDAP daemon) and many of the OpenLDAP server management utilities begin with slap (eg, slapcat, slapadd) as a result.
We currently run OpenLDAP with Kerberos and SASL support to allow for GSSAPI passwordless authentication. To install this configuration on Gentoo, run:
<nowiki>echo "net-nds/openldap kerberos sasl overlays" >> /etc/portage/package.use
Note that at the time of this writing, OpenLDAP will only compile with Kerberos support using the MIT implementation. Therefore, if the system you are using for an OpenLDAP server is running the Heimdal implementation of Kerberos, you will need to uninstall it and install the MIT implementation before installing Cyrus-SASL and OpenLDAP.
/etc/openldap/slapd.conf is the primary configuration file for the OpenLDAP server. The config file is well-commented, however, the following configuration options are notable. For security reasons, the exact values for some options are not listed here.
*sasl-realm: This should be set to the kerberos realm that the server is in; in our case, almost certainly CSL.TJHSST.EDU.
*sasl-regexp: These lines are used to map Kerberos principals to LDAP DNs as part of the SASL binding process. They are processed in order and the first matching regex is used.
*index: These lines indicate which Indexes should be maintained by OpenLDAP to speed up searches. Note that if these options are changed, slapd must be stopped and slapindex must be used to regenerate the database indexes or searches that attempt to use the new Indexes may fail.
/etc/conf.d/slapd is used by Gentoo to setup the environment for running the OpenLDAP server.
#The keytab should contain the principal ldap/<Server FQDN> and should readable only by the user slapd runs as (by default, ldap)
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"</nowiki>
#These options are used to tune the cache size and connection parameters
#will be difficult or impossible
set_flags DB_LOG_AUTOREMOVE</nowiki>
We currently use one-way replication to propagate a copy of the NSS LDAP information from openldap1 (the master server or provider) to openldap2 (the slave server or consumer). To configure replication, first add the following lines to slapd.conf on the master server in the appropriate sections:
#This line redirects any ldapadd/ldapmodify commands made against openldap2 to openldap1
updateref ldap://openldap1.tjhsst.edu</nowiki>
==See Also==
*[[NSS LDAP Templates]] - Template LDIFs and commands for various NSS LDAP changes
*[[NSS LDAP]] - Configuration and layout of NSS LDAP
*[[Integrated Authentication]] - Information on the Integration Authentication between the LOCAL and CSL systems.

Navigation menu