<chapter annotations="slide" version="5.1" xml:id="sdiLdap"
xmlns="http://docbook.org/ns/docbook"
xmlns:xila="http://www.w3.org/2001/XInclude/local-attributes"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:ns="http://docbook.org/ns/transclusion"
xmlns:m="http://www.w3.org/1998/Math/MathML"
xmlns:html="http://www.w3.org/1999/xhtml"
xmlns:db="http://docbook.org/ns/docbook">
<figure xml:id="sdi_ldap_readings">
<title>Recommended readings</title>
<itemizedlist>
<listitem>
<para><uri xlink:href="http://www.zytrax.com/books/ldap">LDAP for
Rocket Scientists</uri></para>
</listitem>
<listitem>
<para><uri
xlink:href="https://www.novell.com/coolsolutions/feature/15359.html">An
Introduction to LDAP: Part 1</uri></para>
</listitem>
<listitem>
<para><uri
xlink:href="http://quark.humbug.org.au/publications/ldap/ldap_tut.html">Introduction
to LDAP</uri></para>
</listitem>
<listitem>
<para><uri
xlink:href="http://ldapman.org/articles/intro_to_ldap.html">ldapman.org,
An Introduction to LDAP</uri></para>
</listitem>
</itemizedlist>
</figure>
<figure xml:id="sdi_ldap_opendapDoc">
<title><productname>Openldap</productname> server documentation</title>
<para>Exercises are based on the <uri
xlink:href="http://www.openldap.org">OpenLDAP</uri> server
implementation.</para>
<para>Related material at <uri
xlink:href="http://www.openldap.org">http://www.openldap.org</uri>.</para>
</figure>
<figure xml:id="sdi_ldap_whatIsLdap">
<title>What is LDAP anyway?</title>
<itemizedlist>
<listitem>
<para><emphasis role="red">L</emphasis>ightweight <emphasis
role="red">D</emphasis>irectory <emphasis role="red">A</emphasis>ccess
<emphasis role="red">P</emphasis>rotocol</para>
</listitem>
<listitem>
<para>Vendor independent</para>
</listitem>
<listitem>
<para><link xlink:href="https://tools.ietf.org/html/rfc4511">IETF
standard</link>:</para>
<blockquote>
<para>Clients interact with servers using a directory access
protocol</para>
</blockquote>
</listitem>
</itemizedlist>
</figure>
<figure xml:id="sdi_ldap_bind">
<title>LDAP Server cli bind</title>
<informaltable border="1" width="100%">
<colgroup width="50%"/>
<colgroup width="50%"/>
<tr>
<th>Command</th>
<th>Result</th>
</tr>
<tr>
<td valign="top"><screen><command
xlink:href="https://linux.die.net/man/1/ldapsearch">ldapsearch</command> \
-h localhost <co linkends="sdi_ldap_bind-1.2" xml:id="sdi_ldap_bind-1.2-co"/> \
-D "cn=admin,dc=betrayer,dc=com" <co linkends="sdi_ldap_bind-2.2"
xml:id="sdi_ldap_bind-2.2-co"/>\
-w password -x <co linkends="sdi_ldap_bind-3.2"
xml:id="sdi_ldap_bind-3.2-co"/>\
-b "dc=betrayer,dc=com" <co linkends="sdi_ldap_bind-4.2"
xml:id="sdi_ldap_bind-4.2-co"/>\
-s sub <co linkends="sdi_ldap_bind-5.2" xml:id="sdi_ldap_bind-5.2-co"/> \
-LLL <co linkends="sdi_ldap_bind-6.2" xml:id="sdi_ldap_bind-6.2-co"/></screen></td>
<td valign="top"><screen>dn: dc=betrayer,dc=com <co
linkends="sdi_ldap_bind-7" xml:id="sdi_ldap_bind-7-co"/>
objectClass: top
objectClass: dcObject
objectClass: organization
o: Betrayers heaven <co linkends="sdi_ldap_bind-8" xml:id="sdi_ldap_bind-8-co"/>
dc: betrayer
dn: cn=admin,dc=betrayer,dc=com <co linkends="sdi_ldap_bind-9"
xml:id="sdi_ldap_bind-9-co"/>
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin <co linkends="sdi_ldap_bind-10" xml:id="sdi_ldap_bind-10-co"/>
description: LDAP administrator
userPassword:: e1NT...dE53N1E= <co linkends="sdi_ldap_bind-11"
xml:id="sdi_ldap_bind-11-co"/></screen></td>
</tr>
</informaltable>
<informaltable role="slideExclude" width="100%">
<colgroup width="50%"/>
<colgroup width="50%"/>
<tr>
<td valign="top"><calloutlist role="slideExclude">
<callout arearefs="sdi_ldap_bind-1.2-co"
xml:id="sdi_ldap_bind-1.2">
<para>An <xref linkend="glo_LDAP"/> server's <xref
linkend="glo_DNS"/> name or IP address (<emphasis
role="bold">h</emphasis>ost).</para>
</callout>
<callout arearefs="sdi_ldap_bind-2.2-co"
xml:id="sdi_ldap_bind-2.2">
<para>The bind <xref linkend="glo_DN"/>. This <xref linkend="glo_DN"/> must
uniquely identify an existing user entry on the server in question. It
corresponds to the login name when using <abbrev>e.g.</abbrev> web
<acronym>gui</acronym> authentication.</para>
</callout>
<callout arearefs="sdi_ldap_bind-3.2-co"
xml:id="sdi_ldap_bind-3.2">
<para>The password corresponding to the given bind <xref
linkend="glo_DN"/>. The user entry must contain a matching
userPassword hash value. The <option>-x</option> selects simple,
password-based authentication rather than <acronym
xlink:href="https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer">SASL</acronym>
authentication.</para>
</callout>
<callout arearefs="sdi_ldap_bind-4.2-co"
xml:id="sdi_ldap_bind-4.2">
<para>The search starts from this uniquely defined node within the
server's <xref linkend="glo_DIT"/>. In the current example we simply
choose the tree's top level node.</para>
</callout>
<callout arearefs="sdi_ldap_bind-5.2-co"
xml:id="sdi_ldap_bind-5.2">
<para>The search scope. See <link
xlink:href="https://ldap.com/the-ldap-search-operation">The LDAP
Search Operation</link> for details.</para>
</callout>
<callout arearefs="sdi_ldap_bind-6.2-co"
xml:id="sdi_ldap_bind-6.2">
<para>Suppress verbose search information.</para>
</callout>
</calloutlist></td>
<td valign="top"><calloutlist role="slideExclude">
<callout arearefs="sdi_ldap_bind-7-co" xml:id="sdi_ldap_bind-7">
<para>The <xref linkend="glo_DIT"/>'s top level node.</para>
</callout>
<callout arearefs="sdi_ldap_bind-8-co" xml:id="sdi_ldap_bind-8">
<para>Your organization's name</para>
</callout>
<callout arearefs="sdi_ldap_bind-9-co" xml:id="sdi_ldap_bind-9">
<para>The administrative user of the server. This entry will
typically be created at installation time.</para>
</callout>
<callout arearefs="sdi_ldap_bind-10-co" xml:id="sdi_ldap_bind-10">
<para>The administrative user's <quote>common name</quote>. Note
this entry corresponds to <coref
linkend="sdi_ldap_bind-4.2-co"/> on the <quote>Command</quote>
side of this table.</para>
</callout>
<callout arearefs="sdi_ldap_bind-11-co" xml:id="sdi_ldap_bind-11">
<para>The administrative user password's hash value. Note the
double colon <code>::</code> indicating a base64 encoded binary
value.</para>
</callout>
</calloutlist></td>
</tr>
</informaltable>
</figure>
<title>Document Information Tree (<abbrev>DIT</abbrev>)</title>
</imageobject>
</mediaobject>
</figure>
<figure xml:id="sdi_ldap_relAbsDn">
<title><productname>Relative and absolute DNs</productname></title>
<mediaobject>
<imageobject>
</imageobject>
</mediaobject>
</figure>
<figure xml:id="sdi_ldap_userExample">
<title>User example</title>
<programlisting language="none">dn: <emphasis role="red">uid=clark,ou=finance,dc=betrayer,dc=de</emphasis> <co
linkends="sdi_ldap_userExample-1" xml:id="sdi_ldap_userExample-1-co"/>
cn: Sandy Clark
homeDirectory: /home/clark
sn: Clark
<emphasis role="red">uid</emphasis>: <emphasis role="red">clark</emphasis> <co
linkends="sdi_ldap_userExample-2" xml:id="sdi_ldap_userExample-2-co"/>
uidNumber: 21101
givenName: Sandy
loginShell: /bin/bash
<emphasis role="red">mail: clark@betrayer.com</emphasis> <co
linkends="sdi_ldap_userExample-3" xml:id="sdi_ldap_userExample-3-co"/>
<emphasis role="red">mail: finance@betrayer.com</emphasis>
postOfficeBox: 10G
userPassword: {SSHA}noneOfYourBusiness</programlisting>
<calloutlist role="slideExclude">
<callout arearefs="sdi_ldap_userExample-1-co"
xml:id="sdi_ldap_userExample-1">
<para>The entry's absolute distinguished name (<xref
linkend="glo_DN"/>). This name/value list uniquely identifies an entry
(and its position) within a given <xref linkend="glo_DIT"/>.</para>
</callout>
<callout arearefs="sdi_ldap_userExample-2-co" role="slideExclude"
xml:id="sdi_ldap_userExample-2">
<para>This key/value combination is guaranteed to be unique with
respect to the given parent node, so it identifies each node relative to
its parent. In a relational model the
<quote><code>clark</code></quote> entry would thus become a weak entity
having an identifying ownership relation to its parent organisational
unit by virtue of its <code>uid</code> value.</para>
<para>In other words: there is only one entry below <emphasis
role="red">ou=finance,dc=betrayer,dc=de</emphasis> having a <emphasis
role="red">uid</emphasis> attribute of value <emphasis
role="red">clark</emphasis>.</para>
</callout>
<callout arearefs="sdi_ldap_userExample-3-co"
xml:id="sdi_ldap_userExample-3">
<para><xref linkend="glo_LDAP"/> allows for multi valued
attributes.</para>
</callout>
</calloutlist>
</figure>
<figure xml:id="sdi_ldap_objectClasses">
<title>objectClass</title>
<itemizedlist>
<listitem>
<para>Structuring <xref linkend="glo_LDAP"/> entry data.</para>
</listitem>
<listitem>
<para>Categories:</para>
<itemizedlist>
<listitem>
<para>Structural</para>
</listitem>
<listitem>
<para>Auxiliary</para>
</listitem>
<listitem>
<para>Abstract</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</figure>
<figure xml:id="sdi_ldap_objectClassesClarification">
<title>objectClass clarifications</title>
<informaltable border="0">
<tr>
<td valign="top"><glosslist>
<glossentry>
<glossterm>Abstract classes:</glossterm>
<glossdef>
<para>To be extended by other classes</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Structural classes:</glossterm>
<glossdef>
<itemizedlist>
<listitem>
<para>Each entry requires exactly one.</para>
</listitem>
<listitem>
<para>Specify the <quote>main</quote> type of
object.</para>
</listitem>
<listitem>
<para>Must not inherit from auxiliary classes.</para>
</listitem>
</itemizedlist>
</glossdef>
</glossentry>
</glosslist></td>
<td valign="top"><glosslist>
<glossentry>
<glossterm>Auxiliary classes:</glossterm>
<glossdef>
<itemizedlist>
<listitem>
<para>Provide non-conflicting supplementary
information.</para>
</listitem>
<listitem>
<para>Think of (<xref linkend="glo_Java"/>)
interfaces.</para>
</listitem>
<listitem>
<para>Must not inherit from structural classes.</para>
</listitem>
</itemizedlist>
</glossdef>
</glossentry>
</glosslist></td>
</tr>
</informaltable>
</figure>
<figure xml:id="sdi_ldap_auxiliaryExample">
<title>Augmenting <classname>inetOrgPerson</classname> by
<classname>posixAccount</classname></title>
<programlisting language="none">Class | Instance <emphasis
role="red">uid=clark,ou=finance,dc=betrayer,dc=de</emphasis>
----------------------------+---------------------------------------------------
inetOrgPerson (structural) |
sn | sn: Clark
cn | cn: Sandy Clark
... | <emphasis role="red">▲</emphasis>
| <emphasis role="red">┃</emphasis>
posixAccount (auxiliary) | <emphasis role="red">┃</emphasis>
cn | <emphasis role="red">see above</emphasis> <co
linkends="sdi_ldap_auxiliaryExample-1"
xml:id="sdi_ldap_auxiliaryExample-1-co"/>
gidNumber | gidNumber: 23113
homeDirectory | homeDirectory: /home/clark
uid | uid: clark
uidNumber | uidNumber: 21101
userPassword | userPassword: {SSHA}noneOfYourBusiness
.....</programlisting>
<calloutlist role="slideExclude">
<callout arearefs="sdi_ldap_auxiliaryExample-1-co"
xml:id="sdi_ldap_auxiliaryExample-1">
<para>The <property>cn</property> attribute is defined in both object
class <classname>inetOrgPerson</classname> and
<classname>posixAccount</classname>. This requires the two attribute
type definitions to be compatible.</para>
</callout>
</calloutlist>
</figure>
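<para>The rules stated in the two figures above (each entry has exactly one structural class, structural and auxiliary classes must not derive from each other, a required attribute is satisfied once even when several classes demand it, as <property>cn</property> above) can be checked mechanically before an entry is sent to the server. The following Python program is an added example, not part of the original chapter and not OpenLDAP code: it encodes a small, hand-abbreviated subset of the standard schema (class kinds plus a few MUST/MAY attributes of <classname>person</classname>, <classname>organizationalPerson</classname>, <classname>inetOrgPerson</classname>, <classname>posixAccount</classname> and <classname>organizationalUnit</classname>) and validates constructed entries modelled on the user above.</para>

```python
# Added example, not part of the original chapter or of OpenLDAP: a minimal
# objectClass model that checks an entry the way a schema-aware server does.
# Only a hand-copied subset of the real definitions is encoded here (person,
# organizationalPerson, inetOrgPerson per RFC 2256/2798; posixAccount per
# RFC 2307; organizationalUnit), each with a few of its MUST / MAY attributes.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                        # "abstract", "structural" or "auxiliary"
    sup: str | None = None           # superior (parent) class
    must: frozenset[str] = frozenset()
    may: frozenset[str] = frozenset()


SCHEMA: dict[str, ObjectClass] = {oc.name.lower(): oc for oc in [
    ObjectClass("top", "abstract", None, frozenset({"objectClass"})),
    ObjectClass("person", "structural", "top", frozenset({"sn", "cn"}),
                frozenset({"userPassword", "telephoneNumber", "seeAlso", "description"})),
    ObjectClass("organizationalPerson", "structural", "person",
                may=frozenset({"title", "ou", "postOfficeBox", "postalCode", "street", "l", "st"})),
    ObjectClass("inetOrgPerson", "structural", "organizationalPerson",
                may=frozenset({"uid", "mail", "givenName", "displayName", "employeeNumber"})),
    ObjectClass("posixAccount", "auxiliary", "top",
                frozenset({"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}),
                frozenset({"userPassword", "loginShell", "gecos", "description"})),
    ObjectClass("organizationalUnit", "structural", "top", frozenset({"ou"}),
                frozenset({"description", "postalAddress", "telephoneNumber"})),
]}


def chain(name: str, schema: dict[str, ObjectClass] = SCHEMA) -> list[ObjectClass]:
    """A class followed by all of its superiors, most specific first."""
    out, oc = [], schema[name.lower()]
    while oc is not None:
        out.append(oc)
        oc = schema[oc.sup.lower()] if oc.sup else None
    return out


def check_schema(schema: dict[str, ObjectClass] = SCHEMA) -> list[str]:
    """Structural classes must not derive from auxiliary ones and vice versa."""
    problems = []
    for oc in schema.values():
        for anc in chain(oc.name, schema)[1:]:
            if {oc.kind, anc.kind} == {"structural", "auxiliary"}:
                problems.append(f"{oc.name} ({oc.kind}) inherits from {anc.name} ({anc.kind})")
    return problems


def validate_entry(entry: dict[str, list[str]], schema: dict[str, ObjectClass] = SCHEMA) -> list[str]:
    """Problems a server would report for this entry; an empty list means it conforms."""
    problems: list[str] = []
    present = {a.lower(): a for a, vs in entry.items() if vs and a.lower() != "dn"}
    effective: dict[str, ObjectClass] = {}       # every class in force, superiors included
    for name in entry.get("objectClass", []):
        if name.lower() not in schema:
            return [f"unknown objectClass '{name}'"]
        for oc in chain(name, schema):
            effective.setdefault(oc.name.lower(), oc)
    # exactly one structural class may be in force; the others must be its superiors
    structural = [oc for oc in effective.values() if oc.kind == "structural"]
    superiors = {oc.name.lower(): {a.name.lower() for a in chain(oc.name, schema)[1:]}
                 for oc in structural}
    leaves = [oc for oc in structural
              if not any(oc.name.lower() in superiors[o.name.lower()] for o in structural)]
    if len(leaves) != 1:
        problems.append("entry needs exactly one structural objectClass, found "
                        f"{len(leaves)}: {', '.join(sorted(oc.name for oc in leaves))}")
    allowed: set[str] = set()
    for oc in effective.values():
        for attr in sorted(oc.must):
            if attr.lower() not in present:
                problems.append(f"objectClass '{oc.name}' requires attribute '{attr}'")
        allowed |= {a.lower() for a in oc.must | oc.may}
    for a in sorted(present):
        if a not in allowed:
            problems.append(f"attribute '{present[a]}' is not allowed by any objectClass of the entry")
    return problems


# constructed entries modelled on the chapter's example user
CLARK = {
    "objectClass": ["inetOrgPerson", "posixAccount"], "cn": ["Sandy Clark"], "sn": ["Clark"],
    "uid": ["clark"], "uidNumber": ["21101"], "gidNumber": ["23113"],
    "homeDirectory": ["/home/clark"], "loginShell": ["/bin/bash"],
    "mail": ["clark@betrayer.com", "finance@betrayer.com"], "postOfficeBox": ["10G"],
    "userPassword": ["{SSHA}noneOfYourBusiness"],
}
CLARK_NO_GID = {k: v for k, v in CLARK.items() if k != "gidNumber"}   # deliberately incomplete

if __name__ == "__main__":
    print("schema:", check_schema() or "ok")
    print("clark:", validate_entry(CLARK) or "ok")
    print("clark without gidNumber:", validate_entry(CLARK_NO_GID))
```

<para>Running it shows the failure mode worth remembering: an entry listing <classname>posixAccount</classname> without <property>gidNumber</property> is rejected with an objectClass violation, and an entry listing two unrelated structural classes is rejected before its attributes are even examined. The schema subset is abbreviated by hand; the server's own schema files hold the authoritative MUST/MAY lists.</para>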
<figure xml:id="sdi_ldap_structuralObjectClasses">
<title>Structural objectClass definitions</title>
<mediaobject>
<imageobject>
<imagedata fileref="Fig/structuralOcInherit.multi.svg"/>
</imageobject>
</mediaobject>
</figure>
<figure xml:id="sdi_ldap_filter">
<para><link xlink:href="https://tools.ietf.org/html/rfc4520">RFC
4520</link> defines <link
xlink:href="https://www.iana.org/assignments/ldap-parameters/ldap-parameters.xhtml#ldap-parameters-9">three
<acronym>LDAP</acronym> search scopes</link>:</para>
<itemizedlist>
<listitem>
<para><link
xlink:href="https://ldapwiki.com/wiki/BaseObject">baseObject</link>
(<code>base</code>)</para>
</listitem>
<listitem>
<para><link
xlink:href="https://ldapwiki.com/wiki/SingleLevel">singleLevel</link>
(<code>one</code>)</para>
</listitem>
<listitem>
<para><link
xlink:href="https://ldapwiki.com/wiki/WholeSubtree">wholeSubtree</link>
(<code>sub</code>)</para>
</listitem>
</itemizedlist>
</figure>
<figure xml:id="sdi_ldap_filterPredicates">
<title>Predicate based queries</title>
<para><link xlink:href="https://tools.ietf.org/html/rfc4520">RFC
4520</link> defines <link
xlink:href="https://ldapwiki.com/wiki/LDAP%20Filter%20Choices">predicate
based queries</link> using <link
xlink:href="https://en.wikipedia.org/wiki/Reverse_Polish_notation">RPN</link>
style:</para>
<itemizedlist>
<listitem>
<para><code>(|(cn=k*)(uidNumber&lt;=2000))</code></para>
</listitem>
</itemizedlist>
</figure>
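<para>The following Python program is an added example, not part of the original chapter and not OpenLDAP code. It puts the DN structure from the user example, the three search scopes and the prefix-notation filters together: a small constructed DIT is held in memory, DNs are split into their RDNs, each entry is tested against a <code>base</code>, <code>one</code> or <code>sub</code> scope, and filters built from <code>&amp;</code>, <code>|</code>, <code>!</code>, equality, <code>&lt;=</code>, <code>&gt;=</code> and trailing-<code>*</code> substrings are evaluated. All entries and values are constructed; ordering comparisons use a numeric-or-text heuristic where a real server applies the attribute's ordering matching rule, and RFC 4515 value escaping is left out.</para>

```python
# Added example, not part of the original chapter or of OpenLDAP: an in-memory
# model of a small DIT with the three RFC 4511 search scopes (base / one / sub)
# and RFC 4515-style filters in prefix notation. DNs, entries and values are
# constructed for this example.
from __future__ import annotations
import re
from typing import Callable

Entry = dict[str, list[str]]
Predicate = Callable[[Entry], bool]


def dn_parts(dn: str) -> list[str]:
    """Split an absolute DN into its RDNs, most specific first.
    A comma escaped as '\\,' (RFC 4514) stays inside its RDN."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def parent_dn(dn: str) -> str:
    """The DN one level up: every RDN but the leading one."""
    return ",".join(dn_parts(dn)[1:])


def in_scope(base: str, scope: str, dn: str) -> bool:
    """Is dn inside the search scope rooted at base? (RDNs compared case-insensitively)"""
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    b = [p.lower() for p in dn_parts(base)]
    d = [p.lower() for p in dn_parts(dn)]
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                          # not below base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def _item(attr: str, op: str, value: str) -> Predicate:
    """Predicate for one '(attr op value)' item."""
    def values(e: Entry) -> list[str]:
        return [v for k, vs in e.items() if k.lower() == attr.lower() for v in vs]
    if op == "=" and "*" in value:            # substring filter; '*' alone tests presence
        rx = re.compile("^" + ".*".join(map(re.escape, value.split("*"))) + "$", re.I)
        return lambda e: any(rx.match(v) for v in values(e))
    if op == "=":
        return lambda e: any(v.lower() == value.lower() for v in values(e))

    def key(v: str):
        # simplification: a real server applies the attribute's ordering matching
        # rule; here integer strings compare numerically, anything else as text
        try:
            return int(v), int(value)
        except ValueError:
            return v.lower(), value.lower()
    if op == "<=":
        return lambda e: any(a <= b for a, b in map(key, values(e)))
    return lambda e: any(a >= b for a, b in map(key, values(e)))


def parse_filter(text: str) -> Predicate:
    """Recursive-descent parser for (&...), (|...), (!...) and items with =, <=, >=.
    Values may not contain ')'; RFC 4515 escaping is not implemented."""
    pos = 0

    def skip_ws() -> None:
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def expect(ch: str) -> None:
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def parse() -> Predicate:
        nonlocal pos
        expect("(")
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|"):
            pos += 1
            subs: list[Predicate] = []
            skip_ws()
            while pos < len(text) and text[pos] == "(":
                subs.append(parse())
                skip_ws()
            expect(")")
            # RFC 4526: an empty (&) is always true, an empty (|) always false
            if op == "&":
                return lambda e: all(s(e) for s in subs)
            return lambda e: any(s(e) for s in subs)
        if op == "!":
            pos += 1
            sub = parse()
            expect(")")
            return lambda e: not sub(e)
        end = text.index(")", pos)
        m = re.fullmatch(r"\s*([A-Za-z][\w;.-]*)\s*(<=|>=|=)\s*(.*?)\s*", text[pos:end])
        if not m:
            raise ValueError(f"malformed filter item {text[pos:end]!r}")
        pos = end + 1
        return _item(*m.groups())

    pred = parse()
    skip_ws()
    if pos != len(text):
        raise ValueError(f"trailing characters in filter {text!r}")
    return pred


def search(dit: dict[str, Entry], base: str, scope: str, flt: str) -> list[str]:
    """Sorted DNs of the entries within scope of base that satisfy the filter."""
    pred = parse_filter(flt)
    return sorted(dn for dn, e in dit.items() if in_scope(base, scope, dn) and pred(e))


# constructed sample DIT modelled on the chapter's examples
DIT: dict[str, Entry] = {
    "dc=betrayer,dc=de": {"objectClass": ["dcObject", "organization"], "dc": ["betrayer"]},
    "ou=finance,dc=betrayer,dc=de": {"objectClass": ["organizationalUnit"], "ou": ["finance"]},
    "uid=clark,ou=finance,dc=betrayer,dc=de": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["clark"], "cn": ["Sandy Clark"],
        "sn": ["Clark"], "uidNumber": ["21101"], "mail": ["clark@betrayer.com", "finance@betrayer.com"]},
    "uid=kim,ou=finance,dc=betrayer,dc=de": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["kim"], "cn": ["Kim Lee"],
        "sn": ["Lee"], "uidNumber": ["1500"], "mail": ["kim@betrayer.com"]},
}

if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        print(scope, search(DIT, "dc=betrayer,dc=de", scope, "(objectClass=*)"))
    print(search(DIT, "dc=betrayer,dc=de", "sub", "(|(cn=k*)(uidNumber<=2000))"))
```

<para>The scope decision is purely a comparison of RDN lists: the base must be a suffix of the entry's DN, and the number of remaining RDNs is the depth that <code>base</code>, <code>one</code> and <code>sub</code> constrain. The filter for the slide example above matches only the constructed <code>kim</code> entry, since <code>clark</code> neither has a common name starting with <code>k</code> nor a <property>uidNumber</property> at or below 2000.</para>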
<figure xml:id="sdi_ldap_bindTypes">
<title>LDAP bind types</title>
<itemizedlist>
<listitem>
<para>Anonymous bind: No user credentials.</para>
<para>Note: This typically provides limited privileges.</para>
</listitem>
<listitem>
<para>Simple bind: User's <xref linkend="glo_DN"/> + password:</para>
<programlisting language="none">DN: <emphasis role="red">uid=clark,ou=finance,dc=betrayer,dc=de</emphasis>
password: <emphasis role="red">123456789</emphasis></programlisting>
</listitem>
</itemizedlist>
</figure>
<figure xml:id="sdi_ldap_ldif">
<title>LDIF exchange format</title>
<itemizedlist>
<listitem>
<para><emphasis role="red">L</emphasis>dap <emphasis
role="red">D</emphasis>ata <emphasis role="red">I</emphasis>nterchange
<emphasis role="red">F</emphasis>ormat.</para>
</listitem>
<listitem>
<para>Importing and exporting <xref linkend="glo_LDAP"/> Data.</para>
</listitem>
<listitem>
<para>Modifying existing entries (CRUD operations).</para>
</listitem>
<listitem>
<para>Pure <xref linkend="glo_ASCII"/>.</para>
</listitem>
</itemizedlist>
</figure>
<figure xml:id="sdi_ldap_ldifSample">
<title>LDIF sample</title>
<programlisting language="none">dn: uid=clark,ou=finance,dc=betrayer,dc=de
objectClass: posixAccount
objectClass: inetOrgPerson
cn: Sandy Clark
homeDirectory: /home/clark
sn: Clark
uid: clark
uidNumber: 21101
gidNumber: 23113
givenName: Sandy
loginShell: /bin/bash
mail: clark@betrayer.com
mail: finance@betrayer.com
postOfficeBox: 10G
userPassword: {SSHA}noneOfYourBusiness</programlisting>
</figure>
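<para>As an added example (not code from the chapter or from OpenLDAP), the Python module below reads and writes LDIF content records like the one above following RFC 2849: records separated by blank lines, continuation lines starting with a single space, multi-valued attributes, and the <code>::</code> form carrying base64 for values that are not safe ASCII (leading space, colon or <code>&lt;</code>, trailing space, non-ASCII or control characters). The sample records are constructed; the <property>userPassword</property> value is the one from the <code>cn=admin</code> entry of the export dump in this chapter's exercises. The <code>:&lt;</code> URL form of RFC 2849 is not handled.</para>

```python
# Added example, not part of the original chapter or of OpenLDAP: a reader and
# writer for LDIF content records (RFC 2849) handling blank-line separated
# records, continuation lines, multi-valued attributes and the '::' base64 form.
# The sample records are constructed; the userPassword value is taken from the
# cn=admin entry of the export dump in this chapter's exercises.
import base64
import re

Entry = dict[str, list[str]]
_ATTR_LINE = re.compile(r"([A-Za-z][\w;.-]*)(::?) ?(.*)")


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING rule: values starting with space, ':' or '<', ending
    with a space, or containing non-ASCII / NUL / CR / LF must be base64-encoded."""
    if value == "":
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(ord(c) > 0x7F or c in "\0\r\n" for c in value)


def parse_ldif(text: str) -> list[Entry]:
    """Parse LDIF content records into {attribute: [values]} dicts ('dn' included)."""
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # continuation: drop exactly one leading space
        else:
            logical.append(raw)
    logical = [line for line in logical if not line.startswith("#")]
    records: list[list[str]] = []
    block: list[str] = []
    for line in logical:
        if line.strip() == "":               # blank line ends a record
            if block:
                records.append(block)
                block = []
        else:
            block.append(line)
    if block:
        records.append(block)
    entries: list[Entry] = []
    for block in records:
        entry: Entry = {}
        for line in block:
            if line.startswith("version:"):
                continue
            m = _ATTR_LINE.fullmatch(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, sep, value = m.groups()
            if sep == "::":                   # base64-encoded value
                value = base64.b64decode(value, validate=True).decode("utf-8")
            entry.setdefault(name, []).append(value)
        if len(entry.get("dn", [])) != 1:
            raise ValueError("each record needs exactly one dn line")
        entries.append(entry)
    return entries


def fold(line: str, width: int = 76) -> str:
    """Wrap a long line the LDIF way: continuation lines start with one space."""
    if len(line) <= width:
        return line
    rest = [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join([line[:width]] + rest)


def to_ldif(entries: list[Entry]) -> str:
    """Serialize entries, dn first, base64-encoding values that are not safe ASCII."""
    out = []
    for entry in entries:
        lines = []
        for name in ["dn"] + [k for k in entry if k != "dn"]:
            for v in entry[name]:
                if needs_base64(v):
                    lines.append(f"{name}:: {base64.b64encode(v.encode('utf-8')).decode('ascii')}")
                else:
                    lines.append(f"{name}: {v}")
        out.append("\n".join(fold(line) for line in lines))
    return "\n\n".join(out) + "\n"


SAMPLE_LDIF = """\
# constructed sample, modelled on the chapter's LDIF sample
dn: uid=clark,ou=finance,dc=betrayer,dc=de
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sandy Clark
sn: Clark
uid: clark
uidNumber: 21101
gidNumber: 23113
homeDirectory: /home/clark
mail: clark@betrayer.com
mail: finance@betrayer.com
description: a long description that is folded across two physical lines
  because LDIF limits line length
userPassword:: e1NTSEF9cEhFK0VQT0cyZ3lSeU9nanZGcXNXT2I1ekdzR2w5Q0Q=

dn: ou=finance,dc=betrayer,dc=de
objectClass: organizationalUnit
ou: finance
"""

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0], "->", entry.get("userPassword", entry.get("ou")))
    print(to_ldif([{"dn": ["o=test"], "o": ["Zürich"]}]))
```

<para>Two details are easy to get wrong by hand: a continuation line contributes everything after its first space (so a preserved word boundary needs two leading spaces), and the <code>::</code> marker says nothing about the value's meaning; decoding the admin's <property>userPassword</property> merely reveals the <code>{SSHA}</code> hash string, which the server stores exactly that way.</para>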
<figure xml:id="sdi_ldap_ditConfigDb">
<title>OpenLdap server architecture</title>
<mediaobject>
<imageobject>
</imageobject>
</mediaobject>
<itemizedlist role="slideExclude">
<listitem>
<para>An OpenLdap server may host multiple <xref linkend="glo_DIT"/>s,
each represented by its own database backend.</para>
</listitem>
<listitem>
<para>The server's configuration is itself stored as a separate
tree.</para>
</listitem>
<listitem>
<para>Each tree refers to a separate database backend. Thus the above
example featuring two trees is implemented by two database
instances.</para>
</listitem>
</itemizedlist>
</figure>
<section xml:id="ldapPrepare">
<title>Recommended Preparations</title>
<para>The following questions might arise when starting practical
work:</para>
<itemizedlist>
<listitem>
<para>What is the <acronym>LDAP</acronym> protocol? What is the
difference between the two protocols <acronym>ldap</acronym> and
<acronym>ldaps</acronym>?</para>
</listitem>
<listitem>
<para>What does the acronym <acronym>dc</acronym> in
<acronym>dc=somedomain, dc=org</acronym> stand for?</para>
</listitem>
<listitem>
<para>What is the role of <acronym>LDAP</acronym>
<property>objectclass</property> definitions? How do they relate to
<acronym>LDAP</acronym> schema definitions?</para>
</listitem>
<listitem>
<para>Describe the relationship between <acronym>LDAP</acronym>
entries and <code>objectClass</code> values.</para>
</listitem>
<listitem>
<para>Is it possible to dynamically change an entry's
structure?</para>
</listitem>
<listitem>
<para>What does the term <quote>bind to an
<acronym>LDAP</acronym></quote> server mean? What is an
<quote>anonymous</quote> bind?</para>
</listitem>
<listitem>
<para>Do <acronym>LDAP</acronym> servers in general support database
features like transactions, ACID semantics, etc.?</para>
</listitem>
<listitem>
<para>Explain the term <quote>replication</quote> in an
<acronym>LDAP</acronym> server context.</para>
</listitem>
<listitem>
<para>Why do organizations sometimes prefer <acronym>LDAP</acronym>
data repositories rather than using relational database
systems?</para>
</listitem>
<listitem>
<para>How is the <acronym>LDIF</acronym> format organized? Explain
the practical use of <acronym>LDIF</acronym> data when running an
<acronym>LDAP</acronym> service.</para>
</listitem>
<listitem>
<para><acronym>LDAP</acronym> filters</para>
<itemizedlist>
<listitem>
<para>How do <acronym>LDAP</acronym> filters work?</para>
</listitem>
<listitem>
<para>What is the meaning of the term <emphasis>scope</emphasis>
?</para>
</listitem>
<listitem>
<para>What do predicate based filters connected by logical
<emphasis role="bold">and/or/not</emphasis> look like?</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><productname>OpenLDAP</productname> server software specific
questions</para>
<itemizedlist>
<listitem>
<para>What does the term <quote>database backend</quote> refer to
with respect to <productname>OpenLDAP</productname> server
implementation?</para>
<para>Why is <acronym>LDAP</acronym> replication important?</para>
</listitem>
<listitem>
<para>How do you restrict access to <acronym>LDAP</acronym>
directories?</para>
</listitem>
<listitem>
<para>How do you speed up predicate based queries?</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</section>
<section xml:id="ldapExercises">
<title>Exercises</title>
<section xml:id="sdiBrowseExistingLdap">
<title>Browse an existing <xref linkend="glo_LDAP"/> Server</title>
<para>Reading data from an existing server requires suitable client
software. We recommend using <productname
xlink:href="https://directory.apache.org/studio">Apache Directory
<itemizedlist>
<listitem>
<para>Setup Apache Directory Studio to anonymously connect to
<code>ldap1.hdm-stuttgart.de</code> using <xref linkend="glo_TLS"/>.
Depending on your location this may require <link
xlink:href="https://wiki.mi.hdm-stuttgart.de/doku.php?id=studium:infrastruktur:vpn">VPN</link>.</para>
<listitem>
<para>Browse the <xref linkend="glo_DIT"/>.</para>
</listitem>
<para>Use a filter like <code>(uid=xy234)</code> to find your
personal entry beneath
<code>ou=userlist,dc=hdm-stuttgart,dc=de</code>. Use the
corresponding <xref linkend="glo_DN"/> <abbrev>e.g.</abbrev>
<code>uid=xy234, ou=userlist,dc=hdm-stuttgart,dc=de</code> to
reconnect using password authentication.</para>
<itemizedlist>
<listitem>
<para>Then browse your own entry again. Can you spot any
difference? </para>
</listitem>
<listitem>
<para>Then browse your colleague's entry. Can you spot any
difference? </para>
</listitem>
</itemizedlist>
<para>Repeat the previous steps by using the command line
<command>ldapsearch</command> utility.</para>
<section xml:id="ldapServerSetup">
<title>Set up an <productname>OpenLdap</productname> server</title>
xlink:href="https://ubuntu.com/server/docs/service-ldap">OpenLDAP
Server</link> provides a good introduction how to install and
<listitem>
<para><link
xlink:href="http://krams915.blogspot.de/2011/01/ldap-apache-directory-studio-basic.html">http://krams915.blogspot.de/2011/01/ldap-apache-directory-studio-basic.html</link>
provides some more details on populating your server with
data.</para>
</listitem>
<listitem>
<para>See <link
xlink:href="http://chee-yang.blogspot.de/2012/03/ldap-introduction-to-openldap.html">http://chee-yang.blogspot.de/2012/03/ldap-introduction-to-openldap.html</link>
for enabling OpenLdap server configuration by e.g. Apache Directory
Studio.</para>
</listitem>
</itemizedlist>
<orderedlist>
<listitem>
<para>Depending on your system's installation state you may want to
add the <code>dialog</code> package, which allows additional parameters
(e.g. the admin's credentials and the base <xref linkend="glo_DN"/>) to
be supplied during package installation.</para>
</listitem>
<listitem>
<para>The <link
xlink:href="https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-server-installation">installation
section</link> hints at your host system's configured <xref
linkend="glo_DNS"/> domain being used to derive your server's
<xref linkend="glo_DIT"/> root. You may circumvent this obstacle
by calling <command>dpkg-reconfigure</command>
<option>slapd</option> after installation, which allows you to specify
these parameters manually.</para>
</listitem>
<listitem>
<para>In case you <emphasis role="bold">ever</emphasis> lose your master <code>admin</code>
password see <link
xlink:href="http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap">Change
Root DN Password on OpenLDAP</link> for troubleshooting.</para>
</listitem>
</orderedlist>
<para>You may have to install the dialog package as a prerequisite to
the <productname>openldap</productname> server package:</para>
<screen>aptitude install dialog
aptitude install slapd</screen>
<para>Based on the <xref linkend="glo_DNS"/> domain
<code>mi.hdm-stuttgart.de</code>, the default <command>slapd</command>
package installer configures a <xref linkend="glo_DIT"/> with
<code>dc=mi,dc=hdm-stuttgart,dc=de</code> as its root. Change this to
<code>dc=betrayer,dc=com</code> by executing
<command>dpkg-reconfigure</command> <option>slapd</option>.</para>
<title>Populating your <xref linkend="glo_DIT"/>.</title>
<para>Our aim is to populate our <acronym>LDAP</acronym> server with the
following company structure of organisational units and persons:</para>
<figure xml:id="sdiLdapBetrayerComTree">
<title>An example <acronym>LDAP</acronym> Tree</title>
</imageobject>
</mediaobject>
</figure>
<para>The <productname
xlink:href="https://directory.apache.org/studio">Apache Directory
Studio</productname> allows for conveniently accessing and modifying
your server's <xref linkend="glo_LDAP"/> trees.</para>
<tip>
<para>You may have to replace occurrences of
<code>dc=betrayer,dc=com</code> with your configured <xref
linkend="glo_DIT"/> root.</para>
<orderedlist>
<listitem>
<para>You need your initial configuration <code>admin</code>
password to perform a bind operation using the
<code>cn=admin,dc=betrayer,dc=com</code> <xref
linkend="glo_DN"/>.</para>
</listitem>
<listitem>
<para>If you choose <quote>Use existing entry as template</quote>,
don't forget to purge the <property>entryCsn</property> attribute copied
from your template record: its value must be unique within your <xref
linkend="glo_DIT"/>.</para>
</listitem>
attribute choices:</para>
<glosslist>
<glossentry>
<glossterm>Organisational units
<property>department</property>,
<property>software</property>, <property>financial</property>,
<property>devel</property>,
<property>testing</property></glossterm>
<glossdef>
<glosslist>
<glossentry>
<glossterm><property>objectClass</property>:</glossterm>
<glossdef>
<para><property>organizationalUnit</property></para>
</glossdef>
</glossentry>
<glossentry>
</glossdef>
</glossentry>
</glosslist>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Employees Jim Smith, Audrey Bean:</glossterm>
<glossdef>
<glosslist>
<glossentry>
<glossterm><property>objectClass</property>:</glossterm>
<glossdef>
<para><property>inetOrgPerson</property></para>
</glossdef>
</glossentry>
<glossentry>
attribute:</glossterm>
<glossdef>
<para><property>uid</property></para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Other attributes:</glossterm>
<glossdef>
<para><property>sn</property>,
<property>cn</property>,
<property>givenName</property>,
<property>mail</property></para>
</glossdef>
</glossentry>
</glosslist>
</glossdef>
</glossentry>
</glosslist>
</listitem>
</orderedlist>
</tip>
xlink:href="https://directory.apache.org/studio">Apache Directory
Studio</productname> export dump of your tree might look like:</para>
<programlisting language="ldif">dn: dc=betrayer,dc=com
objectClass: organization
objectClass: dcObject
objectClass: top
dc: betrayer
o: betrayer.com

dn: cn=admin,dc=betrayer,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword:: e1NTSEF9cEhFK0VQT0cyZ3lSeU9nanZGcXNXT2I1ekdzR2w5Q0Q=
description: LDAP administrator

dn: ou=departments,dc=betrayer,dc=com
objectClass: top
objectClass: organizationalUnit
ou: departments

dn: ou=software,ou=departments,dc=betrayer,dc=com
objectClass: top
objectClass: organizationalUnit
ou: software

dn: ou=financial,ou=departments,dc=betrayer,dc=com
objectClass: top
objectClass: organizationalUnit
ou: financial

dn: ou=devel,ou=software,ou=departments,dc=betrayer,dc=com
objectClass: top
objectClass: organizationalUnit
ou: devel

dn: ou=testing,ou=software,ou=departments,dc=betrayer,dc=com
objectClass: top
objectClass: organizationalUnit
ou: testing

dn: uid=bean,ou=devel,ou=software,ou=departments,dc=betrayer,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: bean
cn: Jim Bean
sn: Bean
givenName: Jim
mail: bean@betrayer.com
userPassword:: e3NtZDV9YVhKL2JlVkF2TDRENk9pMFRLcDhjM3ovYTZQZzBXeHA=

dn: uid=smith,ou=financial,ou=software,ou=departments,dc=betrayer,dc=com
...</programlisting>
<title>Testing a bind operation as a non-<code>admin</code> user</title>
xlink:href="https://directory.apache.org/studio">Apache Directory
Studio</productname> to supply a <property>userPassword</property> to
e.g.
<code>uid=bean,ou=devel,ou=software,ou=departments,dc=betrayer,dc=com</code>
(still binding as <code>cn=admin,dc=betrayer,dc=com</code>).</para>
<para>Then configure a second <productname
xlink:href="https://directory.apache.org/studio">Apache Directory
<code>uid=bean,ou=devel,ou=software,ou=departments,dc=betrayer,dc=com</code>.</para>
<para>Beware: Some password hash types may not be supported. SMD5 is
known to work.</para>
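<para>The simple bind introduced in the bind-types figure succeeds when the supplied password matches the <property>userPassword</property> hash stored in the entry, and the paragraph above notes that only some hash schemes work with Apache Directory Studio. The Python code below is an added example, not part of the chapter and not OpenLDAP code: it builds and verifies values in the <code>{SSHA}</code> and <code>{SMD5}</code> schemes using the widely documented layout <code>{SCHEME}</code> followed by base64(digest(password + salt) + salt), and inspects the two hashes that appear in the chapter's export dump (Apache Directory Studio wrote the second one with a lowercase scheme name, which is compared case-insensitively). The salt bytes and the test password <code>123456789</code> from the bind-types figure are constructed inputs.</para>

```python
# Added example, not part of the original chapter or of OpenLDAP: how a
# userPassword value in the {SSHA} / {SMD5} storage schemes is produced and
# verified. Layout (as widely documented for OpenLDAP):
#   "{SCHEME}" + base64(digest(password + salt) + salt)
# with a 20-byte SHA-1 digest for SSHA and a 16-byte MD5 digest for SMD5; the
# salt is whatever follows the digest (OpenLDAP itself uses 4 bytes by default).
import base64
import hashlib
import hmac
import os
import re

SCHEM­ES = None  # placeholder removed below
```

<para>Note: the block above is superseded by the complete listing that follows; it is kept out of the verifier run.</para>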
<section xml:id="ldapExtendPosixAccount">
<title>Extending an existing entry</title>
<para>This exercise sheds some light on schema support. <xref
linkend="glo_LDAP"/> supports building types similar to classes in
<acronym>OO</acronym> languages by means of <code>objectClass</code>
definitions. In contrast to classes, these types are not static but allow
for run-time modification during an <xref linkend="glo_LDAP"/> object's
life span.</para>
<para>The entry
<code>uid=bean,ou=devel,ou=software,ou=departments,dc=betrayer,dc=com</code>
may be extended by the <code>objectclass</code>
<code>posixAccount</code>. Construct an <acronym>LDIF</acronym> file to
add the attributes <code>uidNumber</code>, <code>gidNumber</code> and
<code>homeDirectory</code> by a modify/add operation.</para>
</section>