<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. LDAP&#8212;A Directory Service</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.auth.html" title="Part I. Authentication"><link rel="prev" href="cha.nis.html" title="Chapter 3. Using NIS"><link rel="next" href="cha.security.ad.html" title="Chapter 5. Active Directory Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 4. LDAP&#8212;A Directory Service"><div class="titlepage"><div><div><h2 class="title"><a name="cha.security.ldap"></a>Chapter 4. LDAP&#8212;A Directory Service<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.security.ldap">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.security.ldap.html#sec.security.ldap.vs_nis">4.1. LDAP versus NIS</a></span></dt><dt><span class="sect1"><a href="cha.security.ldap.html#sec.security.ldap.tree">4.2. Structure of an LDAP Directory Tree</a></span></dt><dt><span class="sect1"><a href="cha.security.ldap.html#sec.security.ldap.yast">4.3. 
Configuring an LDAP Server with YaST</a></span></dt><dt><span class="sect1"><a href="cha.security.ldap.html#sec.security.ldap.yast.client">4.4. Configuring an LDAP Client with YaST</a></span></dt><dt><span class="sect1"><a href="cha.security.ldap.html#sec.security.ldap.yast.usergr">4.5. Configuring LDAP Users and Groups in YaST</a></span></dt><dt><span class="sect1"><a href="cha.security.ldap.html#sec.security.ldap.browse">4.6. Browsing the LDAP Directory Tree</a></span></dt><dt><span class="sect1"><a href="cha.security.ldap.html#sec.security.ldap.slapd">4.7. Manually Configuring an LDAP Server</a></span></dt><dt><span class="sect1"><a href="cha.security.ldap.html#sec.security.ldap.data">4.8. Manually Administering LDAP Data</a></span></dt><dt><span class="sect1"><a href="cha.security.ldap.html#sec.security.ldap.info">4.9. For More Information</a></span></dt></dl></div><a class="indexterm" name="idx.LDAP"></a><a class="indexterm" name="id566674"></a><a class="indexterm" name="id432972"></a><a class="indexterm" name="id318507"></a><div class="abstract" title="Abstract"><p class="title"><b>Abstract</b></p><p>
   The Lightweight Directory Access Protocol (LDAP) is a set of protocols
   designed to access and maintain information directories. LDAP can be used
   for user and group management, system configuration management, address
   management, and more. This chapter provides a basic understanding of how
   OpenLDAP works and how to manage LDAP data with YaST.
  </p></div><p>
  It is crucial within a network environment to keep important information
   structured and to serve it quickly. A directory service, like the
   common yellow pages, keeps information available in a well-structured and
   readily searchable form.
 </p><p>
  Ideally, a central server stores the data in a directory and distributes
  it to all clients using a well-defined protocol. The structured data allow
  a wide range of applications to access them. A central repository reduces
  the necessary administrative effort. The use of an open and standardized
  protocol like LDAP ensures that as many different client applications as
  possible can access such information.
 </p><p>
  A directory in this context is a type of database optimized for quick and
  effective reading and searching:
 </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
     To make many concurrent read accesses possible, the number of
     updates is usually very low. The number of read and write accesses is
     often limited to a few users with administrative privileges.
     Conventional databases, by contrast, are optimized for accepting the
     largest possible data volume in a short time.
   </p></li><li class="listitem" style="list-style-type: disc"><p>
     When static data is administered, updates of the existing data sets are
     very rare. When working with dynamic data, especially when data sets
     like bank accounts or accounting are concerned, the consistency of the
     data is of primary importance. If an amount should be subtracted from
     one place to be added to another, both operations must happen
     concurrently, within one <span class="emphasis"><em>transaction</em></span>, to keep
     the data stock balanced. Traditional relational databases usually
     have a very strong focus on data consistency, for example through
     referential integrity and transaction support. Conversely, short-term
     inconsistencies are usually acceptable in LDAP directories, which
     often do not have such strong consistency requirements as
     relational databases.
   </p></li></ul></div><p>
   A directory service like LDAP is not designed to support complex update
   or query mechanisms. In return, all applications can access the service
   quickly and easily.
 </p><div class="sect1" title="4.1. LDAP versus NIS"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.ldap.vs_nis"></a>4.1. LDAP versus NIS<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.vs_nis">¶</a></span></h2></div></div></div><p>
    Unix system administrators traditionally use NIS (Network Information
    Service) for name resolution and data distribution in a network. The
   configuration data contained in the files <code class="filename">group</code>,
   <code class="filename">hosts</code>, <code class="filename">mail</code>,
   <code class="filename">netgroup</code>, <code class="filename">networks</code>,
   <code class="filename">passwd</code>, <code class="filename">printcap</code>,
   <code class="filename">protocols</code>, <code class="filename">rpc</code>, and
   <code class="filename">services</code> in the <code class="filename">/etc</code> directory
    are distributed by clients
    all over the network. These files can be maintained without major effort
   because they are simple text files. The handling of larger amounts of
   data, however, becomes increasingly difficult due to nonexistent
   structuring. NIS is only designed for Unix platforms, and is not suitable
   as a centralized data administration tool in heterogeneous networks.
  </p><p>
    Unlike NIS, the LDAP service is not restricted to pure Unix networks.
    Windows servers (from Windows 2000 on) support LDAP as a directory
    service, so the application tasks mentioned above are also supported on
    non-Unix systems.
  </p><p>
   The LDAP principle can be applied to any data structure that needs to be
   centrally administered. A few application examples are:
  </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
     Replacement for the NIS service
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     Mail routing (postfix, sendmail)
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     Address books for mail clients, like Mozilla, Evolution, and Outlook
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     Administration of zone descriptions for a BIND9 name server
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     User authentication with Samba in heterogeneous networks
    </p></li></ul></div><p>
   This list can be extended because LDAP is extensible, unlike NIS. The
   clearly-defined hierarchical structure of the data eases the
   administration of large amounts of data, as it can be searched more
   easily.
  </p></div><div class="sect1" title="4.2. Structure of an LDAP Directory Tree"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.ldap.tree"></a>4.2. Structure of an LDAP Directory Tree<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.tree">¶</a></span></h2></div></div></div><a class="indexterm" name="id572789"></a><p>
    To get background knowledge on how an LDAP server works and how the data
   is stored, it is vital to understand the way the data is organized on the
   server and how this structure enables LDAP to provide fast access to the
   data. To successfully operate an LDAP setup, you also need to be familiar
   with some basic LDAP terminology. This section introduces the basic
   layout of an LDAP directory tree and provides the basic terminology used
   with respect to LDAP. Skip this introductory section if you already have
   some LDAP background knowledge and just want to learn how to set up an
   LDAP environment in openSUSE.<span> Read on at
   <a class="xref" href="cha.security.ldap.html#sec.security.ldap.yast" title="4.3. Configuring an LDAP Server with YaST">Section 4.3, &#8220;Configuring an LDAP Server with YaST&#8221;</a> or
   <a class="xref" href="cha.security.ldap.html#sec.security.ldap.slapd" title="4.7. Manually Configuring an LDAP Server">Section 4.7, &#8220;Manually Configuring an LDAP Server&#8221;</a>.</span>
  </p><p>
   An LDAP directory has a tree structure. All entries (called objects) of
   the directory have a defined position within this hierarchy. This
   hierarchy is called the <span class="emphasis"><em>directory information tree</em></span>
   (DIT). The complete path to the desired entry, which unambiguously
   identifies it, is called the <span class="emphasis"><em>distinguished name</em></span> or
   DN. A single node along the path to this entry is called
   <span class="emphasis"><em>relative distinguished name</em></span> or RDN.
  </p><p>
   The relations within an LDAP directory tree become more evident in the
   following example, shown in <a class="xref" href="cha.security.ldap.html#fig.ldap.tree" title="Figure 4.1. Structure of an LDAP Directory">Figure 4.1, &#8220;Structure of an LDAP Directory&#8221;</a>.
  </p><div class="figure"><a name="fig.ldap.tree"></a><p class="title"><b>Figure 4.1. Structure of an LDAP Directory</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.tree">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="85%"><tr><td><img src="images/ldap_tree.png" width="100%" alt="Structure of an LDAP Directory"></td></tr></table></div></div></div><br class="figure-break"><p>
   The complete diagram is a fictional directory information tree. The
   entries on three levels are depicted. Each entry corresponds to one box
   in the image. The complete, valid <span class="emphasis"><em>distinguished name</em></span>
   for the fictional employee <code class="systemitem">Geeko
   Linux</code>, in this case, is <code class="literal">cn=Geeko
   Linux,ou=doc,dc=example,dc=com</code>. It is composed by adding the
   RDN <code class="literal">cn=Geeko Linux</code> to the DN of the preceding entry
   <code class="literal">ou=doc,dc=example,dc=com</code>.
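The DN composition just described, as an added Python example that is not part of this manual: it splits a DN into its RDNs while honouring RFC 4514 backslash escapes, builds an entry's DN from its RDN and the DN of the entry above it, escapes attribute values that come from user input so a name containing a comma cannot smuggle in an extra RDN, and checks whether a DN lies inside a base (the test an ACL scoped to a subtree depends on). The small tree in <code>ENTRIES</code> is constructed from the names the chapter uses; the other boxes in Figure 4.1 are not modelled.

```python
from typing import List, Optional, Tuple

# Constructed mini directory information tree: each RDN maps to the RDN of its
# parent entry (None marks the suffix). Only the entries named in the chapter.
ENTRIES = {
    "dc=com": None,
    "dc=example": "dc=com",
    "ou=doc": "dc=example",
    "cn=Geeko Linux": "ou=doc",
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, leaf first, keeping backslash escapes intact (RFC 4514)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: copy the pair
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends the RDN
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def compose_dn(rdn: str, parent: Optional[str]) -> str:
    """An entry's DN is its RDN followed by the DN of the entry above it."""
    return rdn if not parent else f"{rdn},{parent}"


def dn_of(rdn: str) -> str:
    """Walk up ENTRIES to build the complete DN of the entry with the given RDN."""
    parent = ENTRIES[rdn]
    return compose_dn(rdn, None if parent is None else dn_of(parent))


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN; an empty result means dn was already the suffix."""
    return ",".join(split_dn(dn)[1:])


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in ',+"\\<>;' or leading_hash or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(pairs: List[Tuple[str, str]]) -> str:
    """Build a DN from (attribute, raw value) pairs ordered leaf first."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in pairs)


def in_subtree(dn: str, base: str) -> bool:
    """True when dn equals base or lies below it (compared RDN by RDN, case-folded)."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(d) >= len(b) and d[-len(b):] == b


if __name__ == "__main__":
    print(dn_of("cn=Geeko Linux"))
    print(build_dn([("cn", "Linux, Geeko"), ("ou", "doc"), ("dc", "example"), ("dc", "com")]))
```

Comparing RDNs by case-folding the whole `attr=value` string is an approximation; a server applies the matching rule of each attribute type, which the schema (discussed next) determines.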
  </p><p>
   The types of objects that can be stored in the DIT are globally
   determined following a <span class="emphasis"><em>Schema</em></span>. The type of an object
   is determined by the <span class="emphasis"><em>object class</em></span>. The object class
   determines what attributes the relevant object must or can be assigned.
   The Schema, therefore, must contain definitions of all object classes and
    attributes used in the desired application scenario. There are a few
    common Schemas (see RFC 2252 and RFC 2256), and RFC 4519 defines further
    commonly used Schema elements. Additionally, Schemas are available for
    many other use cases (for example Samba or NIS replacement).
   It is, however, possible to create custom Schemas or to use multiple
   Schemas complementing each other (if this is required by the environment
   in which the LDAP server should operate).
  </p><p>
   <a class="xref" href="cha.security.ldap.html#tab.ldap.schema" title="Table 4.1. Commonly Used Object Classes and Attributes">Table 4.1, &#8220;Commonly Used Object Classes and Attributes&#8221;</a> offers a small overview of the object
   classes from <code class="filename">core.schema</code> and
   <code class="filename">inetorgperson.schema</code> used in the example, including
   required attributes and valid attribute values.
  </p><div class="table"><a name="tab.ldap.schema"></a><p class="title"><b>Table 4.1. Commonly Used Object Classes and Attributes</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#tab.ldap.schema">¶</a></span></p><div class="table-contents"><table summary="Commonly Used Object Classes and Attributes" border="1"><colgroup><col><col><col><col></colgroup><thead><tr><th>
       <p>
        Object Class
       </p>
      </th><th>
       <p>
        Meaning
       </p>
      </th><th>
       <p>
        Example Entry
       </p>
      </th><th>
       <p>
        Required Attributes
       </p>
      </th></tr></thead><tbody><tr><td>
       <p>
        dcObject
       </p>
      </td><td>
       <p>
        <span class="emphasis"><em>domainComponent</em></span> (name components of the domain)
       </p>
      </td><td>
       <p>
        example
       </p>
      </td><td>
       <p>
        dc
       </p>
      </td></tr><tr><td>
       <p>
        organizationalUnit
       </p>
      </td><td>
       <p>
        <span class="emphasis"><em>organizationalUnit</em></span> (organizational unit)
       </p>
      </td><td>
       <p>
        doc
       </p>
      </td><td>
       <p>
        ou
       </p>
      </td></tr><tr><td>
       <p>
        inetOrgPerson
       </p>
      </td><td>
       <p>
        <span class="emphasis"><em>inetOrgPerson</em></span> (person-related data for the
        intranet or Internet)
       </p>
      </td><td>
       <p>
        Geeko Linux
       </p>
      </td><td>
       <p>
        sn and cn
       </p>
      </td></tr></tbody></table></div></div><br class="table-break"><p>
   <a class="xref" href="cha.security.ldap.html#aus.ldap.schema.help" title="Example 4.1. Excerpt from schema.core">Example 4.1, &#8220;Excerpt from schema.core&#8221;</a> shows an excerpt from a Schema
   directive with explanations.
  </p><div class="example"><a name="aus.ldap.schema.help"></a><p class="title"><b>Example 4.1. Excerpt from schema.core</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#aus.ldap.schema.help">¶</a></span></p><div class="example-contents"><pre class="screen">attributetype (2.5.4.11 NAME ( 'ou' 'organizationalUnitName') <a name="co.ldap.schema.core.att_type"></a><img src="callouts/1.png" alt="1" border="0">
       DESC 'RFC2256: organizational unit this object belongs to' <a name="co.ldap.schema.core.desc"></a><img src="callouts/2.png" alt="2" border="0">
       SUP name ) <a name="co.ldap.schema.core.sup"></a><img src="callouts/3.png" alt="3" border="0">

...
objectclass ( 2.5.6.5 NAME 'organizationalUnit' <a name="co.ldap.schema.core.oc"></a><img src="callouts/4.png" alt="4" border="0">
       DESC 'RFC2256: an organizational unit' <a name="co.ldap.schema.core.desc.oc"></a><img src="callouts/5.png" alt="5" border="0">
       SUP top STRUCTURAL <a name="co.ldap.schema.core.sup.oc"></a><img src="callouts/6.png" alt="6" border="0">
       MUST ou <a name="co.ldap.schema.core.must.oc"></a><img src="callouts/7.png" alt="7" border="0">
MAY (userPassword $ searchGuide $ seeAlso $ businessCategory <a name="co.ldap.schema.core.may.oc"></a><img src="callouts/8.png" alt="8" border="0">
  $ x121Address $ registeredAddress $ destinationIndicator 
  $ preferredDeliveryMethod $ telexNumber 
  $ teletexTerminalIdentifier $ telephoneNumber 
  $ internationaliSDNNumber $ facsimileTelephoneNumber 
  $ street $ postOfficeBox $ postalCode $ postalAddress 
  $ physicalDeliveryOfficeName
  $ st $ l $ description) )
  ...</pre></div></div><br class="example-break"><p>
   The attribute type <code class="literal">organizationalUnitName</code> and the
   corresponding object class <code class="literal">organizationalUnit</code> serve as
   an example here.
  </p><div class="calloutlist"><table border="0" summary="Callout list"><tr><td width="5%" valign="top" align="left"><p><a href="#co.ldap.schema.core.att_type"><img src="callouts/1.png" alt="1" border="0"></a> </p></td><td valign="top" align="left"><p>
     The name of the attribute, its unique OID (<span class="emphasis"><em>object
     identifier</em></span>) (numerical), and the abbreviation of the
     attribute.
    </p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.ldap.schema.core.desc"><img src="callouts/2.png" alt="2" border="0"></a> </p></td><td valign="top" align="left"><p>
     A brief description of the attribute with <code class="literal">DESC</code>. The
     corresponding RFC on which the definition is based is also mentioned
     here.
    </p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.ldap.schema.core.sup"><img src="callouts/3.png" alt="3" border="0"></a> </p></td><td valign="top" align="left"><p>
      <code class="literal">SUP</code> names the superordinate attribute type
      from which this attribute type is derived.
    </p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.ldap.schema.core.oc"><img src="callouts/4.png" alt="4" border="0"></a> </p></td><td valign="top" align="left"><p>
     The definition of the object class
     <code class="literal">organizationalUnit</code> begins&#8212;the same as in the
     definition of the attribute&#8212;with an OID and the name of the
     object class.
    </p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.ldap.schema.core.desc.oc"><img src="callouts/5.png" alt="5" border="0"></a> </p></td><td valign="top" align="left"><p>
     A brief description of the object class.
    </p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.ldap.schema.core.sup.oc"><img src="callouts/6.png" alt="6" border="0"></a> </p></td><td valign="top" align="left"><p>
     The <code class="literal">SUP top</code> entry indicates that this object class
     is not subordinate to another object class.
    </p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.ldap.schema.core.must.oc"><img src="callouts/7.png" alt="7" border="0"></a> </p></td><td valign="top" align="left"><p>
      <code class="literal">MUST</code> lists all attribute types that must be
      present in an object of the type
      <code class="literal">organizationalUnit</code>.
    </p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.ldap.schema.core.may.oc"><img src="callouts/8.png" alt="8" border="0"></a> </p></td><td valign="top" align="left"><p>
      <code class="literal">MAY</code> lists all attribute types that are
      permitted in an object of this object class.
    </p></td></tr></table></div><p>
   A very good introduction to the use of Schemas can be found in the
   OpenLDAP documentation. When installed, find it in
   <code class="filename">/usr/share/doc/packages/openldap2/guide/admin/guide.html</code>.
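To make the MUST/MAY semantics of Example 4.1 and Table 4.1 concrete, here is an added Python example (not from this manual and not OpenLDAP code) that parses definitions in the format of Example 4.1 and checks an entry against its object classes the way the server's schema check does: every attribute in the MUST lists of the classes and their superclasses must be present, and nothing outside MUST or MAY is allowed. The schema text is constructed: it copies the organizationalUnit excerpt, adds abbreviated top, person and inetOrgPerson classes, and shortens inetOrgPerson's superclass chain, so the MAY lists are much shorter than in the real core.schema and inetorgperson.schema.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed schema excerpt modelled on Example 4.1 (trimmed, see lead-in).
SCHEMA_TEXT = r"""
attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
        DESC 'RFC2256: organizational unit this object belongs to'
        SUP name )
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.5 NAME 'organizationalUnit'
        DESC 'RFC2256: an organizational unit'
        SUP top STRUCTURAL
        MUST ou
        MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory
              $ telephoneNumber $ description ) )
objectclass ( 2.5.6.6 NAME 'person'
        DESC 'RFC2256: a person'
        SUP top STRUCTURAL
        MUST ( sn $ cn )
        MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
        SUP person STRUCTURAL
        MAY ( mail $ uid $ givenName $ displayName ) )
"""

_DEF_START = re.compile(r"\b(attributetype|objectclass)\s*\(", re.IGNORECASE)
_NAME = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")


def _definitions(text: str):
    """Yield (kind, body) for each 'attributetype ( ... )' / 'objectclass ( ... )'."""
    pos = 0
    while True:
        m = _DEF_START.search(text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while depth and i < len(text):               # find the matching ')'
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).lower(), " ".join(text[m.end():i - 1].split())
        pos = i


def _oid_list(body: str, keyword: str) -> List[str]:
    """Value of SUP/MUST/MAY: either a single name or a '$'-separated list in parentheses."""
    m = re.search(rf"\b{keyword}\b\s+(?:\(([^)]*)\)|(\S+))", body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip() for t in raw.split("$") if t.strip()]


def parse_schema(text: str) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Return (attribute types, object classes), each keyed by lower-cased name."""
    attrs, classes = {}, {}
    for kind, body in _definitions(text):
        m = _NAME.search(body)
        names = re.findall(r"'([^']*)'", m.group(0)) if m else []
        rec = {"oid": body.split()[0], "names": names,
               "sup": _oid_list(body, "SUP"),
               "must": _oid_list(body, "MUST"),
               "may": _oid_list(body, "MAY")}
        target = attrs if kind == "attributetype" else classes
        for name in names:
            target[name.lower()] = rec
    return attrs, classes


def effective_attributes(classes: Dict[str, dict], oc: str) -> Tuple[Set[str], Set[str]]:
    """MUST and MAY sets of an object class including everything inherited via SUP."""
    must, may, seen = set(), set(), set()

    def walk(name: str) -> None:
        key = name.lower()
        if key in seen:
            return
        seen.add(key)
        rec = classes.get(key)
        if rec is None:
            raise ValueError(f"unknown object class {name!r}")
        must.update(a.lower() for a in rec["must"])
        may.update(a.lower() for a in rec["may"])
        for sup in rec["sup"]:
            walk(sup)

    walk(oc)
    return must, may


def validate_entry(classes: Dict[str, dict], entry: Dict[str, List[str]]) -> List[str]:
    """Return the schema violations of an entry ({attribute: [values]}); [] if it is valid."""
    ocs = entry.get("objectClass", [])
    if not ocs:
        return ["entry has no objectClass"]
    must, may, problems = set(), set(), []
    for oc in ocs:
        try:
            m, y = effective_attributes(classes, oc)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        must |= m
        may |= y
    if problems:
        return problems
    present = {a.lower() for a in entry}
    problems += [f"missing required attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} not allowed by {', '.join(ocs)}" for a in sorted(present - must - may)]
    return problems


ATTRS, CLASSES = parse_schema(SCHEMA_TEXT)
```

Running `validate_entry(CLASSES, {"objectClass": ["inetOrgPerson"], "cn": ["Geeko Linux"]})` reports the missing `sn`, which is exactly the "sn and cn" requirement Table 4.1 lists for the Geeko Linux entry.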
  </p></div><div class="sect1" title="4.3. Configuring an LDAP Server with YaST"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.ldap.yast"></a>4.3. Configuring an LDAP Server with YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.yast">¶</a></span></h2></div></div></div><a class="indexterm" name="id573512"></a><a class="indexterm" name="id573524"></a><a class="indexterm" name="id573537"></a><p>
   Use YaST to set up an LDAP server. Typical use cases for LDAP servers
   include the management of user account data and the configuration of
   mail, DNS, and DHCP servers.
  </p><div class="figure"><a name="fig.ldap.y2.wizard.general.settings"></a><p class="title"><b>Figure 4.2. YaST LDAP Server Configuration</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.y2.wizard.general.settings">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/yast2_ldap_wizard_general_settings.png" width="100%" alt="YaST LDAP Server Configuration"></td></tr></table></div></div></div><br class="figure-break"><div class="figure"><a name="fig.ldap.y2.wizard.db.settings"></a><p class="title"><b>Figure 4.3. YaST LDAP Server&#8212;New Database</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.y2.wizard.db.settings">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/yast2_ldap_wizard_db_settings.png" width="100%" alt="YaST LDAP Server&#8212;New Database"></td></tr></table></div></div></div><br class="figure-break"><p>
   To set up an LDAP server for user account data, make sure the
   <code class="systemitem">yast2-ldap-server</code> and
   <code class="systemitem">openldap2</code> packages and packages they depend on
   are installed. Then proceed as follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Start YaST as <code class="systemitem">root</code> and select <span class="guimenu">Network
     Services</span>+<span class="guimenu">LDAP Server</span> to
     invoke the configuration wizard.
    </p></li><li><p>
     Configure the <span class="guimenu">Global Settings</span> of your LDAP server
     (you can change these settings later)&#8212;see
     <a class="xref" href="cha.security.ldap.html#fig.ldap.y2.wizard.general.settings" title="Figure 4.2. YaST LDAP Server Configuration">Figure 4.2, &#8220;YaST LDAP Server Configuration&#8221;</a>:
    </p><ol type="a" class="substeps"><li><p>
       Set LDAP to be started.
      </p></li><li><p>
       If the LDAP server should announce its services via SLP, check
       <span class="guimenu">Register at an SLP Daemon</span>.
      </p></li><li><p>
       Configure <span class="guimenu">Firewall Settings</span>.
      </p></li><li><p>
       Click <span class="guimenu">Next</span>.
      </p></li></ol></li><li><p>
     Select the server type: stand-alone server, master server in a
     replication setup, or replication (slave) server.
    </p></li><li><p>
     Select security options (<span class="guimenu">TLS Settings</span>).
    </p><p>
      Consider activating <span class="guimenu">Enable TLS</span>. TLS encrypts
      the communication between client and server. For more information, see
      <a class="xref" href="cha.security.ldap.html#step.ldap.server.config.tls" title="Step 4">Step 4</a>.
     </p><p>
      Also consider using LDAP over SSL with certificates.
    </p></li><li><p>
      Confirm <span class="guimenu">Basic Database Settings</span> by entering an
     <span class="guimenu">LDAP Administrator Password</span> and then clicking
     <span class="guimenu">Next</span>&#8212;see
     <a class="xref" href="cha.security.ldap.html#fig.ldap.y2.wizard.general.settings" title="Figure 4.2. YaST LDAP Server Configuration">Figure 4.2, &#8220;YaST LDAP Server Configuration&#8221;</a>.
    </p></li><li><p>
     Check the <span class="guimenu">LDAP Server Configuration Summary</span> and
     click <span class="guimenu">Finish</span> to exit the configuration wizard.
    </p></li></ol></div><div class="figure"><a name="fig.ldap.y2.server.cfg"></a><p class="title"><b>Figure 4.4. YaST LDAP Server Configuration</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.y2.server.cfg">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/yast2_ldap_server_cfg.png" width="100%" alt="YaST LDAP Server Configuration"></td></tr></table></div></div></div><br class="figure-break"><p>
   For changes or additional configuration start the LDAP server module
   again and in the left pane expand <span class="guimenu">Global Settings</span> to
   make subentries visible&#8212;see
   <a class="xref" href="cha.security.ldap.html#fig.ldap.y2.server.cfg" title="Figure 4.4. YaST LDAP Server Configuration">Figure 4.4, &#8220;YaST LDAP Server Configuration&#8221;</a>:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     With <span class="guimenu">Log Level Settings</span>, configure the degree of
     logging activity (verbosity) of the LDAP server. From the predefined
     list, select or deselect the logging options according to your needs.
     The more options are enabled, the larger your log files grow.
    </p></li><li><p>
     From <span class="guimenu">Allow/Disallow Features</span> determine the
     connection types the LDAP server should allow. Choose from:
    </p><div class="variablelist"><dl><dt><span class="term">LDAPv2 Bind Requests</span></dt><dd><p>
        This option enables connection requests (bind requests) from clients
        using the previous version of the protocol (LDAPv2).
       </p></dd><dt><span class="term">Anonymous Bind When Credentials Not Empty</span></dt><dd><p>
        Normally the LDAP server denies any authentication attempts with
        empty credentials (DN or password). Enabling this option, however,
        makes it possible to connect with a password and no DN to establish
        an anonymous connection.
       </p></dd><dt><span class="term">Unauthenticated Bind When DN Not Empty</span></dt><dd><p>
        Enabling this option makes it possible to connect without
        authentication (anonymously) using a DN but no password.
       </p></dd><dt><span class="term">Unauthenticated Update Options to Process</span></dt><dd><p>
         Enabling this option allows non-authenticated (anonymous) update
         operations. Access is still restricted according to ACLs and other
         rules.
       </p></dd></dl></div></li><li><p>
     Then from <span class="guimenu">Allow/Disallow Features</span> determine which
     flags the LDAP server should disallow. Choose from:
    </p><div class="variablelist"><dl><dt><span class="term">Disable Acceptance of Anonymous Bind Requests</span></dt><dd><p>
         The server will no longer accept anonymous bind requests. Note that
         this does not generally prohibit anonymous directory access.
       </p></dd><dt><span class="term">Disable Simple Bind Authentication</span></dt><dd><p>
        Completely disable Simple Bind authentication.
       </p></dd><dt><span class="term">Disable Forcing Session to Anonymous Status upon StartTLS Operation Receipt</span></dt><dd><p>
        The server will no longer force an authenticated connection back to
        the anonymous state when receiving the StartTLS operation.
       </p></dd><dt><span class="term">Disallow the StartTLS Operation if Authenticated</span></dt><dd><p>
        The server will disallow the StartTLS operation on already
        authenticated connections.
       </p></dd></dl></div></li><li id="step.ldap.server.config.tls"><p>
     To configure secure communication between client and server, proceed
     with <span class="guimenu">TLS Settings</span>:
    </p><ol type="a" class="substeps"><li><p>
       Activate <span class="guimenu">Enable TLS</span> to enable TLS and SSL
       encryption of the client/server communication.
      </p></li><li><p>
        Either <span class="guimenu">Import Certificate</span> by specifying the exact
        path to its location or enable <span class="guimenu">Use Common Server
        Certificate</span>. If <span class="guimenu">Use Common Server
        Certificate</span> is not available because no common certificate was
        created during installation, use <span class="guimenu">Launch CA Management
        Module</span> first; for more information, see
        <a class="xref" href="cha.security.yast_ca.html#sec.security.yast_ca.module" title="16.2. YaST Modules for CA Management">Section 16.2, &#8220;YaST Modules for CA Management&#8221;</a>.
      </p></li></ol></li></ol></div><p>
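The <span class="guimenu">Allow/Disallow Features</span> options above correspond to the <code class="literal">allow</code> and <code class="literal">disallow</code> directives of slapd.conf (<code class="literal">olcAllows</code>/<code class="literal">olcDisallows</code> in cn=config). The following Python script is an added example, not part of this manual or of OpenLDAP: it reads either syntax, maps each keyword back to the YaST option name used above, and reports the bind-handling posture of a configuration. The three configuration fragments are constructed for the example; the keyword-to-option mapping follows slapd.conf(5).

```python
import re
from typing import List, Set, Tuple

# slapd.conf(5) feature keywords paired with the YaST option names used in the text.
ALLOW_FEATURES = {
    "bind_v2": "LDAPv2 Bind Requests",
    "bind_anon_cred": "Anonymous Bind When Credentials Not Empty",
    "bind_anon_dn": "Unauthenticated Bind When DN Not Empty",
    "update_anon": "Unauthenticated Update Options to Process",
}
DISALLOW_FEATURES = {
    "bind_anon": "Disable Acceptance of Anonymous Bind Requests",
    "bind_simple": "Disable Simple Bind Authentication",
    "tls_2_anon": "Disable Forcing Session to Anonymous Status upon StartTLS Operation Receipt",
    "tls_authc": "Disallow the StartTLS Operation if Authenticated",
}

# Constructed configuration fragments (not taken from any real server).
WEAK_CONF = """\
# legacy clients and anonymous writes permitted
allow bind_v2 bind_anon_cred
allow update_anon
"""
HARDENED_CONF = """\
# only authenticated SASL binds are accepted; appropriate where every client uses SASL
disallow bind_anon bind_simple
"""
CN_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
olcAllows: bind_v2
olcDisallows: bind_anon
"""

# Matches "allow f1 f2", "disallow f1", "olcAllows: f1" and "olcDisallows: f1".
_DIRECTIVE = re.compile(r"(?i)^(?:(allow|disallow)\s+|olc(Allows|Disallows):\s*)(.+)$")


def parse_features(config_text: str) -> Tuple[Set[str], Set[str]]:
    """Collect the allowed and disallowed feature keywords from either syntax."""
    allowed, disallowed = set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword = (m.group(1) or m.group(2)).lower()
        target = allowed if keyword.startswith("allow") else disallowed
        target.update(f.lower() for f in m.group(3).split())
    return allowed, disallowed


def describe(config_text: str) -> List[str]:
    """Translate every recognised keyword back to the YaST option it corresponds to."""
    allowed, disallowed = parse_features(config_text)
    return ([f"allow {f} = {ALLOW_FEATURES[f]}" for f in sorted(allowed) if f in ALLOW_FEATURES]
            + [f"disallow {f} = {DISALLOW_FEATURES[f]}" for f in sorted(disallowed) if f in DISALLOW_FEATURES])


def audit(config_text: str) -> List[str]:
    """List relaxations and defaults worth a second look; [] means none were found."""
    allowed, disallowed = parse_features(config_text)
    findings = [f"allow {f}: relaxes bind handling ({ALLOW_FEATURES[f]})"
                for f in sorted(allowed & set(ALLOW_FEATURES))]
    if "bind_anon" not in disallowed:
        findings.append("anonymous bind requests are accepted; ACLs decide what anonymous clients may read")
    if "bind_simple" not in disallowed:
        findings.append("simple (password) binds are accepted; require TLS so passwords are not sent in clear")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("cn=config", CN_CONFIG_LDIF)):
        print(name, describe(conf), audit(conf), sep="\n  ")
```

The two default findings deliberately fire even for a configuration without any `allow` line: accepting anonymous and simple binds is the server's normal behaviour, and as the text notes, refusing anonymous binds does not by itself prevent anonymous directory access; the ACLs do that.
</p><p>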
   Add Schema files to be included in the server's configuration by
   selecting <span class="guimenu">Schema Files</span> in the left part of the dialog.
   The default selection of schema files applies to the server providing a
   source of YaST user account data.
  </p><p>
    YaST allows you to add traditional Schema files (usually with a name ending
   in <code class="literal">.schema</code>) or LDIF files containing Schema
   definitions in OpenLDAP's LDIF Schema format.
  </p><div class="figure"><a name="fig.ldap.y2.server.db.cfg"></a><p class="title"><b>Figure 4.5. YaST LDAP Server Database Configuration</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.y2.server.db.cfg">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/yast2_ldap_server_db_cfg.png" width="100%" alt="YaST LDAP Server Database Configuration"></td></tr></table></div></div></div><br class="figure-break"><p>
   To configure the databases managed by your LDAP server, proceed as
   follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Select the <span class="guimenu">Databases</span> item in the left part of the
     dialog.
    </p></li><li><p>
     Click <span class="guimenu">Add Database</span> to add the new database.
    </p></li><li><p>
     Enter the requested data:
    </p><div class="variablelist"><dl><dt><span class="term"><span class="guimenu">Base DN</span>
      </span></dt><dd><p>
        Enter the base DN of your LDAP server.
       </p></dd><dt><span class="term"><span class="guimenu">Administrator DN</span>
      </span></dt><dd><p>
        Enter the DN of the administrator in charge of the server. If you
        check <span class="guimenu">Append Base DN</span>, only provide the
        <code class="literal">cn</code> of the administrator and the system fills in
        the rest automatically.
       </p></dd><dt><span class="term">LDAP Administrator Password</span></dt><dd><p>
        Enter the password for the database administrator.
       </p></dd><dt><span class="term">Use This Database as the Default for OpenLDAP Clients</span></dt><dd><p>
         For convenience, check this option if this database should be the
         default for OpenLDAP clients.
       </p></dd></dl></div></li><li><p>
     In the next dialog configure replication settings.
    </p></li><li><p>
     In the next dialog, enable enforcement of password policies to provide
     extra security to your LDAP server:
    </p><ol type="a" class="substeps"><li><p>
       Check <span class="guimenu">Enable Password Policies</span> to be able to
       specify a password policy.
      </p></li><li><p>
       Activate <span class="guimenu">Hash Clear Text Passwords</span> to have clear
       text passwords be hashed before they are written to the database
       whenever they are added or modified.
      </p></li><li><p>
       <span class="guimenu">Disclose "Account Locked" Status</span> provides a
       relevant error message for bind requests to locked accounts.
      </p><div class="warning"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Warning: Locked Accounts in Security Sensitive Environments"><tr class="head"><td width="32"><img alt="[Warning]" src="admon/warning.png"></td><th align="left">Locked Accounts in Security Sensitive Environments</th></tr><tr><td colspan="2" align="left" valign="top"><p>
        Do not use the <span class="guimenu">Disclose "Account Locked" Status</span>
        option if your environment is sensitive to security issues, because
        the <span class="quote">&#8220;<span class="quote">Locked Account</span>&#8221;</span> error message provides
        security-sensitive information that can be exploited by a potential
        attacker.
       </p></td></tr></table></div></li><li><p>
       Enter the DN of the default policy object. To use a DN other than the
       one suggested by YaST, enter your choice. Otherwise, accept the
       default settings.
      </p></li></ol></li><li><p>
     Complete the database configuration by clicking
     <span class="guimenu">Finish</span>.
    </p></li></ol></div><p>
   If you have not opted for password policies, your server is ready to run
   at this point. If you chose to enable password policies, proceed with the
   configuration of the password policy in detail. If you chose a password
   policy object that does not yet exist, YaST creates one:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Enter the LDAP server password. In the navigation tree below
     <span class="guimenu">Databases</span> expand your database object and activate
     the <span class="guimenu">Password Policy Configuration</span> item.
    </p></li><li><p>
     Make sure <span class="guimenu">Enable Password Policies</span> is activated.
     Then click <span class="guimenu">Edit Policy</span>.
    </p></li><li><p>
     Configure the password change policies:
    </p><ol type="a" class="substeps"><li><p>
       Determine the number of passwords stored in the password history.
       Saved passwords may not be reused by the user.
      </p></li><li><p>
       Determine if users will be able to change their passwords and if they
       will need to change their passwords after a reset by the
       administrator. Require the old password for password changes
       (optional).
      </p></li><li><p>
       Determine whether and to what extent passwords should be subject to
       quality checking. Set the minimum password length that must be met
        before a password is valid. If you select <span class="guimenu">Accept Uncheckable
        Passwords</span>, users are allowed to set passwords that arrive already hashed,
        even though the quality checks cannot be performed on such passwords. If you opt for
        <span class="guimenu">Only Accept Checked Passwords</span>, only those passwords
        that pass the quality tests are accepted as valid.
      </p></li></ol></li><li><p>
     Configure the password time-limit policies:
    </p><ol type="a" class="substeps"><li><p>
       Determine the minimum password time-limit (the time that needs to
       pass between two valid password changes) and the maximum password
       time-limit.
      </p></li><li><p>
       Determine the time between a password expiration warning and the
       actual password expiration.
      </p></li><li><p>
        Set the number of times an expired password may still be used to log
        in before the password expires permanently.
      </p></li></ol></li><li><p>
     Configure the lockout policies:
    </p><ol type="a" class="substeps"><li><p>
       Enable password locking.
      </p></li><li><p>
       Determine the number of bind failures that trigger a password lock.
      </p></li><li><p>
       Determine the duration of the password lock.
      </p></li><li><p>
       Determine the length of time that password failures are kept in the
       cache before they are purged.
      </p></li></ol></li><li><p>
     Apply your password policy settings with <span class="guimenu">OK</span>.
    </p></li></ol></div><p>
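    The settings in the two procedures above map onto attributes of an OpenLDAP pwdPolicy object. The following Python script is an added example, not part of this manual, of YaST or of OpenLDAP: it renders such a policy as LDIF and evaluates a few constructed user entries against it, so you can see how the lockout, expiry, warning and grace-login rules interact. The DN, the policy values and the user entries are assumptions made up for the demonstration.
   </p>

```python
"""Added example (not from the openSUSE manual, YaST or OpenLDAP): models the
OpenLDAP ppolicy attributes behind the YaST password policy dialog and
evaluates constructed user entries against them. All values are made up."""
from datetime import datetime, timedelta, timezone

# pwdPolicy attributes in the order the YaST dialog asks for them. Time
# values are seconds, as in the ppolicy schema. Constructed sample policy.
POLICY = {
    "pwdInHistory": 5,                # old passwords kept; none may be reused
    "pwdMinAge": 86400,               # minimum time between two changes
    "pwdMaxAge": 90 * 86400,          # maximum password lifetime
    "pwdExpireWarning": 7 * 86400,    # warn this long before expiry
    "pwdGraceAuthNLimit": 2,          # logins still allowed after expiry
    "pwdLockout": True,               # enable password locking
    "pwdMaxFailure": 3,               # bind failures that trigger a lock
    "pwdLockoutDuration": 900,        # lock length; 0 = until admin reset
    "pwdFailureCountInterval": 300,   # failures older than this are purged
}

# Point in time at which the sample binds are evaluated (constructed).
NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed user entries showing the operational attributes ppolicy
# maintains on each account (GeneralizedTime values, UTC).
ENTRIES = {
    "alice": {"pwdChangedTime": "20240201120000Z"},
    "bob":   {"pwdChangedTime": "20231205120000Z"},
    "carol": {"pwdChangedTime": "20231201120000Z",
              "pwdGraceUseTime": ["20240301080000Z"]},
    "dave":  {"pwdChangedTime": "20240201120000Z",
              "pwdFailureTime": ["20240301115800Z", "20240301115900Z",
                                 "20240301115930Z"]},
    "erin":  {"pwdChangedTime": "20240201120000Z",
              "pwdAccountLockedTime": "20240301115000Z"},
    "frank": {"pwdChangedTime": "20240201120000Z",
              "pwdFailureTime": ["20240301110000Z", "20240301110100Z",
                                 "20240301110200Z"]},
}

def parse_gt(ts):
    """Parse an LDAP GeneralizedTime value such as 20240301120000Z."""
    return datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def live_failures(entry, policy, now):
    """pwdFailureTime values still within pwdFailureCountInterval."""
    window = timedelta(seconds=policy["pwdFailureCountInterval"])
    return [t for t in map(parse_gt, entry.get("pwdFailureTime", []))
            if now - t <= window]

def is_locked(entry, policy, now):
    """True if a bind would be refused because of the lockout policy."""
    if not policy["pwdLockout"]:
        return False
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at:
        if policy["pwdLockoutDuration"] == 0:   # locked until admin reset
            return True
        until = parse_gt(locked_at) + timedelta(seconds=policy["pwdLockoutDuration"])
        return now < until
    # slapd records pwdAccountLockedTime on the failure that reaches
    # pwdMaxFailure; here the threshold is checked directly on the counts.
    return len(live_failures(entry, policy, now)) >= policy["pwdMaxFailure"]

def password_state(entry, policy, now):
    """'ok', 'warning', 'grace' or 'expired', derived from the password's age."""
    changed = parse_gt(entry["pwdChangedTime"])
    expires = changed + timedelta(seconds=policy["pwdMaxAge"])
    if now < expires - timedelta(seconds=policy["pwdExpireWarning"]):
        return "ok"
    if now < expires:
        return "warning"
    grace_used = len(entry.get("pwdGraceUseTime", []))
    return "grace" if grace_used < policy["pwdGraceAuthNLimit"] else "expired"

def evaluate_bind(entry, policy, now):
    """Outcome of a bind with the correct password under this policy.
    Whether a client can tell 'locked' apart from a plain failure depends
    on the Disclose "Account Locked" Status option; the decision does not."""
    if is_locked(entry, policy, now):
        return "locked"
    return password_state(entry, policy, now)

def policy_ldif(policy, dn="cn=default,ou=Policies,dc=example,dc=com"):
    """Render the policy as a pwdPolicy entry in LDIF (placeholder DN)."""
    cn = dn.split(",", 1)[0].split("=", 1)[1]
    lines = [f"dn: {dn}", f"cn: {cn}", "objectClass: device",
             "objectClass: pwdPolicy", "pwdAttribute: userPassword"]
    for attr, val in policy.items():
        if isinstance(val, bool):
            val = "TRUE" if val else "FALSE"   # LDAP boolean syntax
        lines.append(f"{attr}: {val}")
    return "\n".join(lines) + "\n"
```

<p>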
   To edit a previously created database, select its base DN in the tree to
   the left. In the right part of the window, YaST displays a dialog
   similar to the one used for the creation of a new database (with the main
   difference that the base DN entry is grayed out and cannot be changed).
  </p><p>
   After leaving the LDAP server configuration by selecting
   <span class="guimenu">Finish</span>, you are ready to go with a basic working
   configuration for your LDAP server. To fine-tune this setup, make use of
   OpenLDAP's dynamic configuration backend.
  </p><p>
    OpenLDAP's dynamic configuration backend stores the configuration in
   an LDAP database. That database consists of a set of
   <code class="literal">.ldif</code> files in
   <code class="filename">/etc/openldap/slapd.d</code>. There is no need to access
   these files directly. To access the settings you can either use the
   YaST LDAP server module (the <code class="systemitem">yast2-ldap-server</code>
   package) or an LDAP client such as <span class="command"><strong>ldapmodify</strong></span> or
   <span class="command"><strong>ldapsearch</strong></span>. For more information on the dynamic
   configuration of OpenLDAP, see the OpenLDAP Administration Guide.
  </p></div><div class="sect1" title="4.4. Configuring an LDAP Client with YaST"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.ldap.yast.client"></a>4.4. Configuring an LDAP Client with YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.yast.client">¶</a></span></h2></div></div></div><a class="indexterm" name="id570366"></a><a class="indexterm" name="id570378"></a><a class="indexterm" name="id570390"></a><a class="indexterm" name="id570402"></a><p>
   YaST includes a module to set up LDAP-based user management. If you did
   not enable this feature during the installation, start the module by
   selecting <span class="guimenu">Network Services</span>+<span class="guimenu">LDAP
   Client</span>. YaST automatically enables any PAM and
   NSS-related changes as required by LDAP and installs the necessary files.
   Simply connect your client to the server and let YaST manage users over
   LDAP. This basic setup is described in
   <a class="xref" href="cha.security.ldap.html#sec.security.ldap.yast.client.conf.basic" title="4.4.1. Configuring Basic Settings">Section 4.4.1, &#8220;Configuring Basic Settings&#8221;</a>.
  </p><p>
   Use the YaST LDAP client to further configure the YaST group and user
   configuration modules. This includes manipulating the default settings
   for new users and groups and the number and nature of the attributes
   assigned to a user or group. LDAP user management allows you to assign
   far more and different attributes to users and groups than traditional
   user or group management solutions. This is described in
   <a class="xref" href="cha.security.ldap.html#sec.security.ldap.yast.client.conf.mod" title="4.4.2. Configuring the YaST Group and User Administration Modules">Section 4.4.2, &#8220;Configuring the YaST Group and User Administration Modules&#8221;</a>.
  </p><div class="sect2" title="4.4.1. Configuring Basic Settings"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.ldap.yast.client.conf.basic"></a>4.4.1. Configuring Basic Settings<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.yast.client.conf.basic">¶</a></span></h3></div></div></div><p>
    The basic LDAP client configuration dialog
    (<a class="xref" href="cha.security.ldap.html#fig.ldap.y2.clconf" title="Figure 4.6. YaST: LDAP Client Configuration">Figure 4.6, &#8220;YaST: LDAP Client Configuration&#8221;</a>) opens during installation if you
    choose LDAP user management or when you select <span class="guimenu">Network Services</span>+<span class="guimenu">LDAP Client</span> in the YaST Control Center in the installed system.
   </p><div class="figure"><a name="fig.ldap.y2.clconf"></a><p class="title"><b>Figure 4.6. YaST: LDAP Client Configuration</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.y2.clconf">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/ldap_y2_clconf.png" width="100%" alt="YaST: LDAP Client Configuration"></td></tr></table></div></div></div><br class="figure-break"><div class="procedure"><p>
     To authenticate users of your machine against an OpenLDAP server and to
     enable user management via OpenLDAP, proceed as follows:
    </p><ol class="procedure" type="1"><li><p>
      Click <span class="guimenu">Use LDAP</span> to enable the use of LDAP. Select
      <span class="guimenu">Use LDAP but Disable Logins</span> if instead you want to
      use LDAP for authentication, but do not want other users to log in to
      this client.
     </p></li><li><p>
      Enter the IP address of the LDAP server to use.
     </p></li><li><p>
      Enter the <span class="guimenu">LDAP Base DN</span> to select the search base on
      the LDAP server. To retrieve the base DN automatically, click
      <span class="guimenu">Fetch DN</span>. YaST then checks for any LDAP database
      on the server address specified above. Choose the appropriate base DN
      from the search results given by YaST.
     </p></li><li><p>
      If TLS or SSL-protected communication with the server is required,
      select <span class="guimenu">LDAP TLS/SSL</span>. Click <span class="guimenu">Download CA
      Certificate</span> to download a certificate in PEM format from a
      URL.
     </p></li><li><p>
      Select <span class="guimenu">Start Automounter</span> to mount remote
      directories on your client, such as a remotely managed
      <code class="filename">/home</code>.
     </p></li><li><p>
      Select <span class="guimenu">Create Home Directory on Login</span> to have a
      user's home automatically created on the first user login.
     </p></li><li><p>
      Click <span class="guimenu">Ok</span> to apply your settings.
     </p></li></ol></div><p>
    To modify data on the server as administrator, click <span class="guimenu">Advanced
    Configuration</span>. The following dialog is split into two tabs.
    See <a class="xref" href="cha.security.ldap.html#fig.ldap.y2.adconf" title="Figure 4.7. YaST: Advanced Configuration">Figure 4.7, &#8220;YaST: Advanced Configuration&#8221;</a>.
   </p><div class="figure"><a name="fig.ldap.y2.adconf"></a><p class="title"><b>Figure 4.7. YaST: Advanced Configuration</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.y2.adconf">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/ldap_y2_adconf.png" width="100%" alt="YaST: Advanced Configuration"></td></tr></table></div></div></div><br class="figure-break"><div class="procedure"><ol class="procedure" type="1"><li><p>
      In the <span class="guimenu">Client Settings</span> tab, adjust the following
      settings according to your needs:
     </p><ol type="a" class="substeps"><li><p>
        If the search base for users, passwords, and groups differs from the
        global search base specified in the <span class="guimenu">LDAP base DN</span>,
        enter these different naming contexts in <span class="guimenu">User
        Map</span>, <span class="guimenu">Password Map</span>, and <span class="guimenu">Group
        Map</span>.
       </p></li><li><p>
        Specify the password change protocol. The standard method to use
        whenever a password is changed is <code class="systemitem">crypt</code>,
        meaning that password hashes generated by <span class="command"><strong>crypt</strong></span>
        are used. For details on this and other options, refer to the
        <code class="systemitem">pam_ldap</code> man page.
       </p></li><li><p>
        Specify the LDAP group to use with <span class="guimenu">Group Member
        Attribute</span>. The default value for this is
        <code class="literal">member</code>.
       </p></li><li><p>
        If a secure connection requires certificate checking, specify where
        your <span class="guimenu">CA Certificate File</span> in PEM format is
        located. Or specify a directory with certificates.
       </p></li><li><p>
        If the LDAP server still uses LDAPv2, enable the use of this
        protocol version by selecting <span class="guimenu">LDAP Version 2</span>.
       </p></li></ol></li><li><p>
      In <span class="guimenu">Administration Settings</span>, adjust the following
      settings:
     </p><ol type="a" class="substeps"><li><p>
        Set the base for storing your user management data via
        <span class="guimenu">Configuration Base DN</span>.
       </p></li><li><p>
        Enter the appropriate value for <span class="guimenu">Administrator DN</span>.
         This DN must be identical to the <code class="literal">rootdn</code> value
        specified in <code class="filename">/etc/openldap/slapd.conf</code> to enable
        this particular user to manipulate data stored on the LDAP server.
        Enter the full DN (such as
        <code class="literal">cn=Administrator,dc=example,dc=com</code>) or activate
        <span class="guimenu">Append Base DN</span> to have the base DN added
        automatically when you enter <code class="literal">cn=Administrator</code>.
       </p></li><li><p>
        Check <span class="guimenu">Create Default Configuration Objects</span> to
        create the basic configuration objects on the server to enable user
        management via LDAP.
       </p></li><li><p>
        If your client machine needs to act as a file server for home
        directories across your network, check <span class="guimenu">Home Directories on
        This Machine</span>.
       </p></li><li><p>
        Use the <span class="guimenu">Password Policy</span> section to select, add,
        delete, or modify the password policy settings to use. The
        configuration of password policies with YaST is part of the LDAP
        server setup.
       </p></li><li><p>
        Click <span class="guimenu">OK</span> to leave the <span class="guimenu">Advanced
        Configuration</span>, then <span class="guimenu">Finish</span> to apply
        your settings.
       </p></li></ol></li></ol></div><p>
    Use <span class="guimenu">Configure User Management Settings</span> to edit
    entries on the LDAP server. Access to the configuration modules on the
    server is then granted according to the ACLs and ACIs stored on the
    server. Follow the procedures outlined in
    <a class="xref" href="cha.security.ldap.html#sec.security.ldap.yast.client.conf.mod" title="4.4.2. Configuring the YaST Group and User Administration Modules">Section 4.4.2, &#8220;Configuring the YaST Group and User Administration Modules&#8221;</a>.
   </p></div><div class="sect2" title="4.4.2. Configuring the YaST Group and User Administration Modules"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.ldap.yast.client.conf.mod"></a>4.4.2. Configuring the YaST Group and User Administration Modules<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.yast.client.conf.mod">¶</a></span></h3></div></div></div><p>
    Use the YaST LDAP client to adapt the YaST modules for user and
    group administration and to extend them as needed. Define templates with
    default values for the individual attributes to simplify the data
    registration. The presets created here are stored as LDAP objects in the
    LDAP directory. The registration of user data is still done with the
    regular YaST modules for user and group management. The registered
    data is stored as LDAP objects on the server.
   </p><div class="figure"><a name="fig.ldap.y2.modconf1"></a><p class="title"><b>Figure 4.8. YaST: Module Configuration</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.y2.modconf1">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/ldap_y2_modconf1.png" width="100%" alt="YaST: Module Configuration"></td></tr></table></div></div></div><br class="figure-break"><p>
    The dialog for module configuration
    (<a class="xref" href="cha.security.ldap.html#fig.ldap.y2.modconf1" title="Figure 4.8. YaST: Module Configuration">Figure 4.8, &#8220;YaST: Module Configuration&#8221;</a>) allows the creation of new
    modules, selection and modification of existing configuration modules,
    and design and modification of templates for such modules.
   </p><div class="procedure"><p>
     To create a new configuration module, proceed as follows:
    </p><ol class="procedure" type="1"><li><p>
      In the <span class="guimenu">LDAP Client Configuration</span> click
      <span class="guimenu">Advanced Configuration</span>, then open the
      <span class="guimenu">Administration Settings</span> tab. Click
      <span class="guimenu">Configure User Management Settings</span> and enter the
      LDAP server credentials.
     </p></li><li><p>
      Click <span class="guimenu">New</span> and select the type of module to create.
      For a user configuration module, select
      <code class="literal">suseUserConfiguration</code> and for a group configuration
      choose <code class="literal">suseGroupConfiguration</code>.
     </p></li><li><p>
      Choose a name for the new template (e.g.,
      <code class="literal">userConfig</code>). The content view then features a table
      listing all attributes allowed in this module with their assigned
      values. Apart from all set attributes, the list also contains all
      other attributes allowed by the current Schema, but currently not
      used.
     </p></li><li><p>
      Accept the preset values or adjust the defaults to use in group and
      user configurations by selecting the relevant attribute, pressing
      <span class="guimenu">Edit</span>, and entering the new value. Rename a module
      by changing the <code class="systemitem">cn</code> attribute of the module.
      Clicking <span class="guimenu">Delete</span> deletes the currently selected
      module.
     </p></li><li><p>
      After you click <span class="guimenu">OK</span>, the new module is added to the
      selection menu.
     </p></li></ol></div><div class="procedure"><p>
     The YaST modules for group and user administration embed templates
     with standard values. To edit a template associated with a
     configuration module, start the object template configuration
     (<a class="xref" href="cha.security.ldap.html#fig.ldap.y2.objtemp" title="Figure 4.9. YaST: Configuration of an Object Template">Figure 4.9, &#8220;YaST: Configuration of an Object Template&#8221;</a>):
    </p><ol class="procedure" type="1"><li><p>
      In the <span class="guimenu">Module Configuration</span> dialog, click
      <span class="guimenu">Configure Template</span>.
     </p></li><li><p>
      Determine the values of the general attributes assigned to this
      template according to your needs or leave them empty. Empty attributes
      are deleted on the LDAP server.
     </p></li><li><p>
      Modify, delete, or add new default values for new objects (user or
      group configuration objects in the LDAP tree).
     </p></li></ol></div><div class="figure"><a name="fig.ldap.y2.objtemp"></a><p class="title"><b>Figure 4.9. YaST: Configuration of an Object Template</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.y2.objtemp">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/ldap_y2_objtemp.png" width="100%" alt="YaST: Configuration of an Object Template"></td></tr></table></div></div></div><br class="figure-break"><p>
    Connect the template to its module by setting the
    <code class="literal">susedefaulttemplate</code> attribute value of the module to
    the DN of the adapted template.
   </p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left"></th></tr><tr><td colspan="2" align="left" valign="top"><p>
     The default values for an attribute can be created from other
     attributes by using a variable instead of an absolute value. For
     example, when creating a new user, <code class="literal">cn=%sn %givenName</code>
     is created automatically from the attribute values for
     <code class="literal">sn</code> and <code class="literal">givenName</code>.
    </p></td></tr></table></div><p>
    Once all modules and templates are configured correctly and ready to
    run, new groups and users can be registered in the usual way with
    YaST.
   </p></div></div><div class="sect1" title="4.5. Configuring LDAP Users and Groups in YaST"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.ldap.yast.usergr"></a>4.5. Configuring LDAP Users and Groups in YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.yast.usergr">¶</a></span></h2></div></div></div><a class="indexterm" name="id574856"></a><a class="indexterm" name="id574863"></a><p>
   The actual registration of user and group data differs only slightly from
   the procedure when not using LDAP. The following instructions relate to
   the administration of users. The procedure for administering groups is
   analogous.
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Access the YaST user administration with <span class="guimenu">Security and Users</span>+<span class="guimenu">User and Group
     Management</span>.
    </p></li><li><p>
      Use <span class="guimenu">Set Filter</span> to limit the view of users to the
      LDAP users and enter the password for the Root DN.
    </p></li><li><p>
     Click <span class="guimenu">Add</span> and enter the configuration of a new user.
     A dialog with four tabs opens:
    </p><ol type="a" class="substeps"><li><p>
       Specify username, login, and password in the <span class="guimenu">User
       Data</span> tab.
      </p></li><li><p>
       Check the <span class="guimenu">Details</span> tab for the group membership,
       login shell, and home directory of the new user. If necessary, change
       the default to values that better suit your needs. The default values
       (as well as those of the password settings) can be defined with the
       procedure described in
       <a class="xref" href="cha.security.ldap.html#sec.security.ldap.yast.client.conf.mod" title="4.4.2. Configuring the YaST Group and User Administration Modules">Section 4.4.2, &#8220;Configuring the YaST Group and User Administration Modules&#8221;</a>.
      </p></li><li><p>
       Modify or accept the default <span class="guimenu">Password Settings</span>.
      </p></li><li><p>
       Enter the <span class="guimenu">Plug-Ins</span> tab, select the LDAP plug-in,
       and click <span class="guimenu">Launch</span> to configure additional LDAP
       attributes assigned to the new user (see
       <a class="xref" href="cha.security.ldap.html#fig.ldap.y2.adset" title="Figure 4.10. YaST: Additional LDAP Settings">Figure 4.10, &#8220;YaST: Additional LDAP Settings&#8221;</a>).
      </p></li></ol></li><li><p>
     Click <span class="guimenu">OK</span> to apply your settings and leave the user
     configuration.
    </p></li></ol></div><div class="figure"><a name="fig.ldap.y2.adset"></a><p class="title"><b>Figure 4.10. YaST: Additional LDAP Settings</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.y2.adset">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/ldap_y2_adset.png" width="100%" alt="YaST: Additional LDAP Settings"></td></tr></table></div></div></div><br class="figure-break"><p>
   The initial input form of user administration offers <span class="guimenu">LDAP
   Options</span>. This allows you to apply LDAP search filters to the
   set of available users (or go to the module for the configuration of LDAP
   users and groups by selecting <span class="guimenu">LDAP User and Group
   Configuration</span>).
  </p></div><div class="sect1" title="4.6. Browsing the LDAP Directory Tree"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.ldap.browse"></a>4.6. Browsing the LDAP Directory Tree<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.browse">¶</a></span></h2></div></div></div><p>
   To conveniently browse the LDAP directory tree and all its entries, use
   the YaST LDAP Browser:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Log in as <code class="systemitem">root</code>.
    </p></li><li><p>
     Start <span class="guimenu">YaST</span>+<span class="guimenu">Network
     Services</span>+<span class="guimenu">LDAP Browser</span>.
    </p></li><li><p>
     Enter the address of the LDAP server, the Administrator DN, and the
      password for the Root DN of this server (if you need to both read and
      write the data stored on the server).
    </p><p>
     Alternatively, choose <span class="guimenu">Anonymous Access</span> and do not
     provide the password to gain read access to the directory.
    </p><p>
     The <span class="guimenu">LDAP Tree</span> tab displays the content of the LDAP
     directory to which your machine connected. Click to expand each item's
     submenu.
    </p><div class="figure"><a name="fig.ldap.browsetree"></a><p class="title"><b>Figure 4.11. Browsing the LDAP Directory Tree</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.browsetree">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="85%"><tr><td><img src="images/ldap_y2_browsetree.png" width="100%" alt="Browsing the LDAP Directory Tree"></td></tr></table></div></div></div><br class="figure-break"></li><li><p>
     To view any entry in detail, select it in the <span class="guimenu">LDAP
     Tree</span> view and open the <span class="guimenu">Entry Data</span> tab.
    </p><p>
     All attributes and values associated with this entry are displayed.
    </p><div class="figure"><a name="fig.ldap.browsedata"></a><p class="title"><b>Figure 4.12. Browsing the Entry Data</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.ldap.browsedata">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="85%"><tr><td><img src="images/ldap_y2_browsedata.png" width="100%" alt="Browsing the Entry Data"></td></tr></table></div></div></div><br class="figure-break"></li><li><p>
     To change the value of any of these attributes, select the attribute,
     click <span class="guimenu">Edit</span>, enter the new value, click
     <span class="guimenu">Save</span>, and provide the Root DN password when
     prompted.
    </p></li><li><p>
     Leave the LDAP browser with <span class="guimenu">Close</span>.
    </p></li></ol></div></div><div class="sect1" title="4.7. Manually Configuring an LDAP Server"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.ldap.slapd"></a>4.7. Manually Configuring an LDAP Server<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.slapd">¶</a></span></h2></div></div></div><a class="indexterm" name="id575254"></a><a class="indexterm" name="id575265"></a><p>
   YaST uses OpenLDAP's dynamic configuration database
   (<code class="systemitem">back-config</code>) to store the LDAP server's
   configuration. For details about the dynamic configuration backend please
   see the <code class="systemitem">slapd-config(5)</code> man page or the OpenLDAP
   Software 2.4 Administrator's Guide located at
   <code class="filename">/usr/share/doc/packages/openldap2/guide/admin/guide.html</code>
   on this system if the <code class="systemitem">openldap2</code> package is
   installed.
  </p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: Upgrading an Old OpenLDAP Installation"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">Upgrading an Old OpenLDAP Installation</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    YaST does not use <code class="filename">/etc/openldap/slapd.conf</code> to
    store the OpenLDAP configuration anymore. In case of a system upgrade, a
    copy of the original <code class="filename">/etc/openldap/slapd.conf</code> file
    will get created as
    <code class="filename">/etc/openldap/slapd.conf.YaSTsave</code>.
   </p></td></tr></table></div><p>
    To conveniently access the configuration backend, use SASL EXTERNAL
   authentication. For example, the following <span class="command"><strong>ldapsearch</strong></span>
   command executed as <code class="systemitem">root</code> can be used to show the
   complete <span class="command"><strong>slapd</strong></span> configuration:
  </p><pre class="screen">ldapsearch -Y external -H ldapi:/// -b cn=config</pre><div class="sect2" title="4.7.1. Starting and Stopping the Servers"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.ldap.slapd.start"></a>4.7.1. Starting and Stopping the Servers<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.slapd.start">¶</a></span></h3></div></div></div><p>
    Once the LDAP server is fully configured and all desired entries have
    been made according to the pattern described in
    <a class="xref" href="cha.security.ldap.html#sec.security.ldap.data" title="4.8. Manually Administering LDAP Data">Section 4.8, &#8220;Manually Administering LDAP Data&#8221;</a>, start the LDAP server as
    <code class="systemitem">root</code> by entering
    <span class="command"><strong>rcldap <code class="option">start</code></strong></span>. To stop the server
    manually, enter the command <span class="command"><strong>rcldap
    <code class="option">stop</code></strong></span>. Request the status of the running LDAP
    server with <span class="command"><strong>rcldap <code class="option">status</code></strong></span>.
   </p><p>
    Use the YaST runlevel editor, described in
    Section &#8220;Configuring System Services (Runlevel) with YaST&#8221; (Chapter 16, <i>Booting and Configuring a Linux System</i>, &#8593;Reference), to have the server started
    and stopped automatically on system bootup and shutdown. It is also
    possible to create the corresponding links to the start and stop scripts
    with the <span class="command"><strong>insserv</strong></span> command from a command prompt as
    described in Section &#8220;Init Scripts&#8221; (Chapter 16, <i>Booting and Configuring a Linux System</i>, &#8593;Reference).
   </p></div></div><div class="sect1" title="4.8. Manually Administering LDAP Data"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.ldap.data"></a>4.8. Manually Administering LDAP Data<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.data">¶</a></span></h2></div></div></div><p>
   OpenLDAP offers a series of tools for the administration of data in the
   LDAP directory. The four most important tools for adding to, deleting
   from, searching through and modifying the data stock are explained in
   this section.
  </p><div class="sect2" title="4.8.1. Inserting Data into an LDAP Directory"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.ldap.data.add"></a>4.8.1. Inserting Data into an LDAP Directory<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.data.add">¶</a></span></h3></div></div></div><a class="indexterm" name="id575404"></a><a class="indexterm" name="id575412"></a><p>
     Once your LDAP server is correctly configured (it features appropriate entries for
    <code class="literal">suffix</code>, <code class="literal">directory</code>,
    <code class="literal">rootdn</code>, <code class="literal">rootpw</code> and
    <code class="literal">index</code>), proceed to entering records. OpenLDAP offers
    the <span class="command"><strong>ldapadd</strong></span> command for this task. If possible, add
    the objects to the database in bundles (for practical reasons). LDAP is
    able to process the LDIF format (LDAP data interchange format) for this.
    An LDIF file is a simple text file that can contain an arbitrary number
     of attribute and value pairs. The LDIF file for creating a rough framework for the example in
    <a class="xref" href="cha.security.ldap.html#fig.ldap.tree" title="Figure 4.1. Structure of an LDAP Directory">Figure 4.1, &#8220;Structure of an LDAP Directory&#8221;</a> would look like the one in
    <a class="xref" href="cha.security.ldap.html#dat.ldap.ldif" title="Example 4.2. An LDIF File">Example 4.2, &#8220;An LDIF File&#8221;</a>.
   </p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Encoding of LDIF Files"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Encoding of LDIF Files</th></tr><tr><td colspan="2" align="left" valign="top"><p>

     LDAP works with UTF-8 (Unicode). Umlauts must be encoded correctly.
     Otherwise, avoid umlauts and other special characters or use
     <span class="command"><strong>iconv</strong></span> to convert the input to UTF-8.
    </p></td></tr></table></div><div class="example"><a name="dat.ldap.ldif"></a><p class="title"><b>Example 4.2. An LDIF File</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#dat.ldap.ldif">¶</a></span></p><div class="example-contents"><pre class="screen"># The Organization
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example
dc: example

# The organizational unit development (devel)
dn: ou=devel,dc=example,dc=com
objectClass: organizationalUnit
ou: devel

# The organizational unit documentation (doc)
dn: ou=doc,dc=example,dc=com
objectClass: organizationalUnit
ou: doc

# The organizational unit internal IT (it)
dn: ou=it,dc=example,dc=com
objectClass: organizationalUnit
ou: it</pre></div></div><br class="example-break"><p>
    Save the file with the <code class="filename">.ldif</code> suffix then pass it to
    the server with the following command:
   </p><pre class="screen">ldapadd -x -D <em class="replaceable"><code>dn_of_the_administrator</code></em> -W -f <em class="replaceable"><code>file</code></em>.ldif</pre><a class="indexterm" name="id575500"></a><p>
    <code class="literal">-x</code> switches off the authentication with SASL in this
    case. <code class="literal">-D</code> declares the user that calls the operation.
    The valid DN of the administrator is entered here just like it has been
    configured in <code class="filename">slapd.conf</code>. In the current example,
    this is <code class="literal">cn=Administrator,dc=example,dc=com</code>.
    <code class="literal">-W</code> circumvents entering the password on the command
     line (in clear text) and activates a separate password prompt. The
     <code class="literal">-f</code> option passes the filename. See the details of
    running <span class="command"><strong>ldapadd</strong></span> in
    <a class="xref" href="cha.security.ldap.html#aus.ldap.addentry" title="Example 4.3. ldapadd with example.ldif">Example 4.3, &#8220;ldapadd with example.ldif&#8221;</a>.
   </p><div class="example"><a name="aus.ldap.addentry"></a><p class="title"><b>Example 4.3. ldapadd with example.ldif</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#aus.ldap.addentry">¶</a></span></p><div class="example-contents"><pre class="screen">ldapadd -x -D cn=Administrator,dc=example,dc=com -W -f example.ldif 

Enter LDAP password: 
adding new entry "dc=example,dc=com" 
adding new entry "ou=devel,dc=example,dc=com" 
adding new entry "ou=doc,dc=example,dc=com" 
adding new entry "ou=it,dc=example,dc=com"</pre></div></div><br class="example-break"><p>
    The user data of individuals can be prepared in separate LDIF files.
    <a class="xref" href="cha.security.ldap.html#aus.ldap.addtux" title="Example 4.4. LDIF Data for Tux">Example 4.4, &#8220;LDIF Data for Tux&#8221;</a> adds
    <code class="systemitem">Tux</code> to the new LDAP directory.
   </p><div class="example"><a name="aus.ldap.addtux"></a><p class="title"><b>Example 4.4. LDIF Data for Tux</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#aus.ldap.addtux">¶</a></span></p><div class="example-contents"><pre class="screen"># coworker Tux
dn: cn=Tux Linux,ou=devel,dc=example,dc=com
objectClass: inetOrgPerson
cn: Tux Linux
givenName: Tux
sn: Linux
mail: tux@example.com
uid: tux
telephoneNumber: +49 1234 567-8</pre></div></div><br class="example-break"><p>
     An LDIF file can contain an arbitrary number of objects. Directory
     branches (entirely or in part) can be passed to the server in one go,
     just as shown in the examples for individual objects. If some data needs
     to be modified relatively often, a fine subdivision into single objects
     is recommended.
   </p></div><div class="sect2" title="4.8.2. Modifying Data in the LDAP Directory"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.ldap.data.change"></a>4.8.2. Modifying Data in the LDAP Directory<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.data.change">¶</a></span></h3></div></div></div><a class="indexterm" name="id575594"></a><a class="indexterm" name="id575601"></a><p>
    The tool <span class="command"><strong>ldapmodify</strong></span> is provided for modifying the
    data stock. The easiest way to do this is to modify the corresponding
    LDIF file then pass this modified file to the LDAP server. To change the
    telephone number of colleague Tux from <code class="literal">+49 1234 567-8</code>
    to <code class="literal">+49 1234 567-10</code>, edit the LDIF file like in
    <a class="xref" href="cha.security.ldap.html#aus.ldap.ldif.tux" title="Example 4.5. Modified LDIF File tux.ldif">Example 4.5, &#8220;Modified LDIF File tux.ldif&#8221;</a>.
   </p><div class="example"><a name="aus.ldap.ldif.tux"></a><p class="title"><b>Example 4.5. Modified LDIF File tux.ldif</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#aus.ldap.ldif.tux">¶</a></span></p><div class="example-contents"><pre class="screen"># coworker Tux
dn: cn=Tux Linux,ou=devel,dc=example,dc=com 
changetype: modify
replace: telephoneNumber 
telephoneNumber: +49 1234 567-10</pre></div></div><br class="example-break"><p>
    Import the modified file into the LDAP directory with the following
    command:
   </p><pre class="screen">ldapmodify -x -D cn=Administrator,dc=example,dc=com -W -f tux.ldif</pre><a class="indexterm" name="id575648"></a><p>
    Alternatively, pass the attributes to change directly to
    <span class="command"><strong>ldapmodify</strong></span> as follows:
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      Start <span class="command"><strong>ldapmodify</strong></span> and enter your password:
     </p><pre class="screen">ldapmodify -x -D cn=Administrator,dc=example,dc=com -W 
Enter LDAP password:</pre></li><li><p>
      Enter the changes while carefully complying with the syntax in the
      order presented below:
     </p><pre class="screen">dn: cn=Tux Linux,ou=devel,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +49 1234 567-10</pre></li></ol></div><p>
    For more information about <span class="command"><strong>ldapmodify</strong></span> and its syntax,
    see the <span class="command"><strong>ldapmodify</strong></span> man page.
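As an added example that is not part of this manual, the following Python script reads and writes the LDIF format that <span class="command"><strong>ldapadd</strong></span> and <span class="command"><strong>ldapmodify</strong></span> consume: it decodes the <code class="literal">::</code> base64 form that non-ASCII (UTF-8) values such as umlauts must use, rejects an add record without an objectClass before the file reaches the server, and generates a <code class="literal">changetype: modify</code> record like <code class="filename">tux.ldif</code>. The sample records and the entry for Jana Mueller are constructed.

```python
import base64

# Added example, not from the openSUSE manual: a minimal RFC 2849 LDIF
# reader/writer, including the "::" base64 form that non-ASCII values need.


def ldif_line(name, value):
    """Render 'name: value', switching to 'name:: base64' when RFC 2849 requires."""
    unsafe = (any(ord(c) > 127 or c in "\0\r\n" for c in value)
              or value[:1] in (" ", ":", "<") or value.endswith(" "))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles comments, folding and base64."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:                            # blank line ends the record
            attrs = {}
            for line in lines:
                name, _, rest = line.partition(":")
                value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                         if rest.startswith(":") else rest.strip())
                attrs.setdefault(name, []).append(value)
            dn = attrs.pop("dn", [None])[0]
            if dn is None or ("changetype" not in attrs
                              and "objectClass" not in attrs):
                raise ValueError(f"invalid record: {dn}")  # ldapadd would reject it
            records.append((dn, attrs))
            lines = []
    return records


def modify_record(dn, attr, value):
    """Build a 'changetype: modify' record like tux.ldif in Example 4.5."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      f"replace: {attr}", ldif_line(attr, value)]) + "\n"


# Constructed sample: Tux from Example 4.4 plus an entry with an umlaut (sn = Müller).
SAMPLE_LDIF = """\
dn: cn=Tux Linux,ou=devel,dc=example,dc=com
objectClass: inetOrgPerson
sn: Linux
telephoneNumber: +49 1234 567-8

dn: cn=Jana Mueller,ou=doc,dc=example,dc=com
objectClass: inetOrgPerson
sn:: TcO8bGxlcg==
"""
```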
   </p></div><div class="sect2" title="4.8.3. Searching or Reading Data from an LDAP Directory"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.ldap.data.search"></a>4.8.3. Searching or Reading Data from an LDAP Directory<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.data.search">¶</a></span></h3></div></div></div><a class="indexterm" name="id575712"></a><a class="indexterm" name="id575719"></a><p>
    OpenLDAP provides, with <span class="command"><strong>ldapsearch</strong></span>, a command line
    tool for searching data within an LDAP directory and reading data from
     it. Here is a simple query:
   </p><pre class="screen">ldapsearch -x -b dc=example,dc=com "(objectClass=*)"</pre><a class="indexterm" name="id575737"></a><p>
    The <code class="option">-b</code> option determines the search base (the section
    of the tree within which the search should be performed). In the current
    case, this is <code class="literal">dc=example,dc=com</code>. To perform a more
    finely-grained search in specific subsections of the LDAP directory (for
    example, only within the <code class="literal">devel</code> department), pass this
    section to <span class="command"><strong>ldapsearch</strong></span> with <code class="option">-b</code>.
    <code class="option">-x</code> requests activation of simple authentication.
    <code class="literal">(objectClass=*)</code> declares that all objects contained
    in the directory should be read. This command option can be used after
    the creation of a new directory tree to verify that all entries have
    been recorded correctly and the server responds as desired. For more
    information about the use of <span class="command"><strong>ldapsearch</strong></span>, see the
    <code class="systemitem">ldapsearch(1)</code> man page.
   </p></div><div class="sect2" title="4.8.4. Deleting Data from an LDAP Directory"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.ldap.data.del"></a>4.8.4. Deleting Data from an LDAP Directory<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.data.del">¶</a></span></h3></div></div></div><a class="indexterm" name="id575790"></a><a class="indexterm" name="id575798"></a><p>
    Delete unwanted entries with <span class="command"><strong>ldapdelete</strong></span>. The syntax
    is similar to that of the other commands. To delete, for example, the
    complete entry for <code class="literal">Tux Linux</code>, issue the following
    command:
   </p><pre class="screen">ldapdelete -x -D cn=Administrator,dc=example,dc=com -W cn=Tux \
Linux,ou=devel,dc=example,dc=com</pre><a class="indexterm" name="id575820"></a></div></div><div class="sect1" title="4.9. For More Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.ldap.info"></a>4.9. For More Information<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.ldap.info">¶</a></span></h2></div></div></div><p>
   More complex subjects (like SASL configuration or establishment of a
   replicating LDAP server that distributes the workload among multiple
   slaves) were omitted from this chapter. Find detailed information about
   both subjects in the <span class="emphasis"><em>OpenLDAP 2.4 Administrator's
   Guide</em></span>&#8212;see at
   <a class="xref" href="cha.security.ldap.html#list.ldap.info.adminguide">OpenLDAP 2.4 Administrator's Guide</a>.
  </p><p>
   The Web site of the OpenLDAP project offers exhaustive documentation for
   beginner and advanced LDAP users:
  </p><div class="variablelist"><dl><dt><span class="term">OpenLDAP Faq-O-Matic</span></dt><dd><p>
      A detailed question and answer collection applying to the
      installation, configuration, and use of OpenLDAP. Find it at
      <a class="ulink" href="http://www.openldap.org/faq/data/cache/1.html" target="_top">http://www.openldap.org/faq/data/cache/1.html</a>.
     </p></dd><dt><span class="term">Quick Start Guide</span></dt><dd><p>
      Brief step-by-step instructions for installing your first LDAP server.
      Find it at
      <a class="ulink" href="http://www.openldap.org/doc/admin24/quickstart.html" target="_top">http://www.openldap.org/doc/admin24/quickstart.html</a>
      or on an installed system in Section 2 of
      <code class="filename">/usr/share/doc/packages/openldap2/guide/admin/guide.html</code>.
     </p></dd><dt><a name="list.ldap.info.adminguide"></a><span class="term">OpenLDAP 2.4 Administrator's Guide</span></dt><dd><p>
      A detailed introduction to all important aspects of LDAP
      configuration, including access controls and encryption. See
      <a class="ulink" href="http://www.openldap.org/doc/admin24/" target="_top">http://www.openldap.org/doc/admin24/</a> or, on an
      installed system,
      <code class="filename">/usr/share/doc/packages/openldap2/guide/admin/guide.html</code>.
     </p></dd><dt><span class="term">Understanding LDAP</span></dt><dd><p>
      A detailed general introduction to the basic principles of LDAP:
      <a class="ulink" href="http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf" target="_top">http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf</a>.
     </p></dd></dl></div><p>
   Printed literature about LDAP:
  </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
     <em class="citetitle">LDAP System Administration</em> by Gerald Carter
     (ISBN 1-56592-491-6)
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <em class="citetitle">Understanding and Deploying LDAP Directory
     Services</em> by Howes, Smith, and Good (ISBN 0-672-32316-8)
    </p></li></ul></div><p>
   The ultimate reference material for the subject of LDAP are the
   corresponding RFCs (request for comments), 2251 to 2256.
   </p><a class="indexterm" name="id575971"></a></div></div></body></html>