Commit 5649cd71 authored by Goik Martin
LDAP DIT populating

parent 033da5ff
......@@ -388,6 +388,16 @@
Data Interchange Format</link></para>
</glossdef>
</glossentry>
<glossentry xml:id="glo_RDN">
<glossterm><acronym>RDN</acronym></glossterm>
<glossdef>
<para><link
xlink:href="http://www.zytrax.com/books/ldap/apd/index.html#rdn">Relative
Distinguished Name</link></para>
</glossdef>
</glossentry>
</glosslist>
</glossdef>
</glossentry>
......@@ -170,7 +170,7 @@ Ldapmodify erlaubt icht-objectclass konforme Daten</programlisting>
populated with thew following company structure of organisational units
and persons:</para>
<figure xml:id="ldapBetrayerComTree">
<figure xml:id="sdiLdapBetrayerComTree">
<title>An example <acronym>LDAP</acronym> Tree</title>
<mediaobject>
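Review bot: renaming the figure's xml:id from ldapBetrayerComTree to sdiLdapBetrayerComTree breaks any existing `<xref linkend="ldapBetrayerComTree"/>` that is not updated in the same commit; the only reference visible here (`<xref linkend="sdiLdapBetrayerComTree"/>` in the populating section) already uses the new id, so a grep for the old id across the book would confirm nothing else still points at it. While touching this hunk, the unchanged context line "populated with thew following company structure" should read "the following".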
......@@ -183,15 +183,9 @@ Ldapmodify erlaubt icht-objectclass konforme Daten</programlisting>
<section xml:id="sdiBrowseExistingLdap">
<title>Browse an existing <xref linkend="glo_LDAP"/> Server</title>
<!--aptitude install dialog
dpkg-reconfigure slapd
-->
<para>Before setting up we take a tour on <link
xlink:href="https://directory.apache.org/studio/downloads.html">Apache
Directory Studio</link>:</para>
<para>Before setting up we take a tour on <productname
xlink:href="http://directory.apache.org/studio">Apache Directory
Studio</productname>:</para>
<itemizedlist>
<listitem>
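Review bot: the link target changes from https://directory.apache.org/studio/downloads.html to http://directory.apache.org/studio, which drops TLS and the downloads page; since readers are being sent to fetch and install software, keep the https URL (the same applies to the other `<productname xlink:href="http://directory.apache.org/studio">` occurrences added by this commit). Removing the `<!--aptitude install dialog / dpkg-reconfigure slapd -->` comment is fine, as the following hunk promotes those commands to a programlisting.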
......@@ -272,105 +266,146 @@ dpkg-reconfigure slapd
</listitem>
</orderedlist>
</tip>
<para>You may have to install the dialog package as a prerequisite to
the <productname>openldap</productname> server package:</para>
<programlisting language="none">aptitude install dialog
aptitude install slapd</programlisting>
<para>based on the <xref linkend="glo_DNS"/> domain
<code>mi.hdm-stuttgart.de</code> the default <command>slapd</command>
package installer configures a <xref linkend="glo_DIT"/> having
<code>dc=mi,dc=hdm-stuttgart,dc=de</code> as root by default. Change
this to <code>dc=betrayer,dc=com</code> by executing
<command>dpkg-reconfigure</command> <option>slapd</option>.</para>
</section>
<section xml:id="ldapCompanyLdif">
<title>Adding some content file</title>
<para>The following file defines a part of our <code>betrayer.com</code>
directory structure:</para>
<programlisting language="shell">dn:dc=betrayer,dc=com
changetype: add
objectclass: dcObject
objectclass: organizationalUnit
dc: betrayer
ou: config
ou: betrayer Dot com
dn: ou=departments,dc=betrayer;dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: departments
dn: ou=software,ou=departments,dc=betrayer;dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: software
dn: ou=devel,ou=software,ou=departments,dc=betrayer;dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: devel
dn: uid=beam,ou=devel,ou=software,ou=departments,dc=betrayer;dc=com
changetype: add
objectClass: inetOrgPerson
uid: beam
cn: Jim Beam
givenName: Jim
sn: Beam
mail: beam@betrayer.com</programlisting>
<para>For your convenience we have installed the <uri
<title>Populating your <xref linkend="glo_DIT"/>.</title>
<para>Add the content outlined in <xref
linkend="sdiLdapBetrayerComTree"/>.</para>
<para>For your convenience we have installed the <productname
xlink:href="http://directory.apache.org/studio">Apache Directory
Studio</uri> Eclipse plugin. It provides an <acronym>LDIF</acronym>
editor which may assist you to complete the <code>betrayer.com</code>
directory entries. You should also add some more persons to the
<quote>leaf</quote> organisational units.</para>
Studio</productname> Eclipse plugin which allows for convenient editing
of <xref linkend="glo_LDAP"/> trees.</para>
<tip>
<para>You may want to adjust occurrences of
<code>dc=betrayer;dc=com</code> by your configured <xref
linkend="glo_DIT"/> root.</para>
</tip>
</section>
<section xml:id="sdiLdapPopulateData">
<title>Populating the <acronym>LDAP</acronym> server</title>
<para>You may use <uri
xlink:href="http://directory.apache.org/studio">Apache Directory
Studio</uri> for testing a bind to your new <acronym>LDAP</acronym>
server by using <code>cn=admin,dc=...</code> using your server
installation password.</para>
<para>After successful connecting the previously established
<acronym>LDIF</acronym> file may be used to populate the server with
initial data. This may also be achieved on the server side by omitting
the <code>changetype</code> lines in the <acronym>LDIF</acronym> file
and:</para>
<itemizedlist>
<listitem>
<para>Shutdown the <acronym>LDAP</acronym> server</para>
</listitem>
<orderedlist>
<listitem>
<para>You need your initial configuration <code>admin</code>
password to perform a bind operation using the
<code>cn=admin,dc=betrayer,dc=com</code> <xref
linkend="glo_DN"/>.</para>
</listitem>
<listitem>
<para>using <command>slapadd</command> as user <code>ldap</code> to
read the <acronym>LDIF</acronym> data into the server.</para>
</listitem>
<listitem>
<para>If you choose <quote>Use existing entry as template</quote>
don't forget to purge your copy's <property>entryCsn</property>
attribute belonging to your template data record being unique
within your <xref linkend="glo_DIT"/>.</para>
</listitem>
<listitem>
<para>Startup the <acronym>LDAP</acronym> server.</para>
</listitem>
</itemizedlist>
<listitem>
<para>Suitable <property>objectClass</property> and other
attribute choices:</para>
<glosslist>
<glossentry>
<glossterm>Organisational units
<property>department</property>,
<property>software</property>, <property>financial</property>,
<property>devel</property>,
<property>testing</property></glossterm>
<glossdef>
<glosslist>
<glossentry>
<glossterm><property>objectClass</property>:</glossterm>
<glossdef>
<para><property>organizationalUnit</property></para>
</glossdef>
</glossentry>
<glossentry>
<glossterm><xref linkend="glo_RDN"/>
attribute:</glossterm>
<glossdef>
<para><property>uid</property></para>
</glossdef>
</glossentry>
</glosslist>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Employees Jim Smith, Audrey Bean:</glossterm>
<glossdef>
<glosslist>
<glossentry>
<glossterm><property>objectClass</property>:</glossterm>
<glossdef>
<para><property>inetOrgPerson</property></para>
</glossdef>
</glossentry>
<glossentry>
<glossterm><xref linkend="glo_RDN"/>
attribute:</glossterm>
<glossdef>
<para><property>uid</property></para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Other attributes:</glossterm>
<glossdef>
<para><property>sn</property>,
<property>cn</property>,
<property>givenName</property>,
m<property>ail</property></para>
</glossdef>
</glossentry>
</glosslist>
</glossdef>
</glossentry>
</glosslist>
</listitem>
</orderedlist>
</tip>
</section>
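Review bot: the LDIF uses `;` as the RDN separator in `ou=departments,dc=betrayer;dc=com` and the DNs below it, which is not a valid distinguished name (RFC 4514 requires `,`), and the tip "adjust occurrences of dc=betrayer;dc=com" propagates the same error; the later profile DN `uid=beam,ou=devel,ou=software,ou=departments,dc=betrayer,dc=com` already uses the comma, so the two sections disagree. Also in this hunk: the "Organisational units" glossentry names `uid` as the RDN attribute, but the example entries use `ou=...` and organizationalUnit carries no uid, so it should read `ou`; `m<property>ail</property>` should be `<property>mail</property>`; the root entry `dn:dc=betrayer,dc=com` is missing the space after the colon and carries a stray `ou: config` that does not belong to the betrayer.com root; and the title "non - <code>admin</code>" should be "non-<code>admin</code>". For the tip "SMD5 is known to work": since the same commit uses `{SSHA}` for olcRootPW, recommend SSHA for userPassword as well rather than an MD5-based scheme.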
<section xml:id="sdiLdapTestBind">
<title>Testing a bind operation</title>
<title>Testing a bind operation as non - <code>admin</code> user</title>
<para>Use <uri xlink:href="http://directory.apache.org/studio">Apache
Directory Studio</uri> to supply a password to e.g.
<code>uid=beam,ou=devel,ou=software,ou=departments,dc=betrayer;dc=com</code>.</para>
<para>Then try to bind as
<para>Use <productname
xlink:href="http://directory.apache.org/studio">Apache Directory
Studio</productname> to supply a <property>userPassword</property> to
e.g.
<code>uid=beam,ou=devel,ou=software,ou=departments,dc=betrayer;dc=com</code>
using <uri xlink:href="http://directory.apache.org/studio">Apache
Directory Studio</uri>.</para>
(still binding as <code>cn=admin,dc=betrayer,dc=com</code>).</para>
<para>Then configure a second <productname
xlink:href="http://directory.apache.org/studio">Apache Directory
Studio</productname> profile binding as
<code>uid=beam,ou=devel,ou=software,ou=departments,dc=betrayer,dc=com</code>.</para>
<tip>
<para>Beware: Some hash types may not be supported. SMD5 is known to
work.</para>
</tip>
</section>
<section xml:id="ldapTest">
......@@ -391,7 +426,7 @@ mail: beam@betrayer.com</programlisting>
<para>Actually OpenLdap still supports an alternate configuration file
based approach which may be activated. Its use however is discouraged
and according to the documentation:</para>
according to the documentation:</para>
<note xlink:href="http://www.openldap.org/doc/admin24/slapdconf2.html">
<para>The older style slapd.conf(5) file is still supported, but its
......@@ -425,26 +460,27 @@ olcRootPW: {SSHA}7M0gUyHOH7cfK1z9amqgK0uQcn84AuYw</emphasis>
...</programlisting>
<para>The above lines appear near in the tail section. We see two
databases representing two different <xref linkend="glo_DIT"/>s namely
<code>cn=config</code> (the configuration database) and
<code>dc=hdm-stuttgart,dc=de</code> (containing actual directory
data).</para>
databases <code>{0}</code> and <code>{1}</code> representing two
different <xref linkend="glo_DIT"/>s namely <code>cn=config</code> (the
configuration database) and <code>dc=hdm-stuttgart,dc=de</code>
(containing our <quote>actual</quote> directory data).</para>
<para>The configuration database does have an <code>admin</code> entry
<code>olcRootDN: cn=admin,cn=config</code> but a corresponding
<para>The configuration database does have a <code>olcRootDN:
cn=admin,cn=config</code> entry but a corresponding
<parameter>olcRootPW</parameter> attribute is yet missing. This limits
configuration access to <code>localhost</code>.</para>
<para>External access requires adding this credential attribute value.
This first-time configuration change must be done locally by means of an
<xref linkend="glo_LDIF"/> file:</para>
<para>External access e.g. by <productname
xlink:href="http://directory.apache.org/studio">Apache Directory
Studio</productname> requires adding this credential attribute. This
first-time (bootstrapping) configuration must be done locally by means
of an <xref linkend="glo_LDIF"/> file using a different user's hash
value:</para>
<programlisting language="none">root@sdi8a:~# cat ~/add_olcRootPW.ldif
dn: olcDatabase={0}config,cn=config
add: olcRootPW
olcRootPW: {SSHA}7M0gUyHOH7cfK1z9amqgK0uQcn84AuYw
</programlisting>
olcRootPW: {ssha}pHE+EPOG2gyRyOgjvFqsWOb5zGsGl9CD</programlisting>
<para>Activating this configuration my be effected by using <command
xlink:href="http://www.openldap.org/software/man.cgi?query=ldapmodify&amp;apropos=0&amp;sektion=0&amp;manpath=OpenLDAP+2.4-Release&amp;format=html">ldapmodify</command>:</para>
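Review bot: the replacement value `olcRootPW: {ssha}pHE+EPOG2gyRyOgjvFqsWOb5zGsGl9CD` uses a lowercase scheme tag while the existing listing uses `{SSHA}`; OpenLDAP matches scheme names case-insensitively, but keep the uppercase form for consistency with the rest of the chapter. More important is the wording "using a different user's hash value": copying another account's hash means `cn=admin,cn=config` now shares that account's password, coupling the configuration administrator to a directory user; generate a dedicated hash with `slappasswd` instead and say so in the text. The context line "Activating this configuration my be effected" should read "may be effected".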
......@@ -495,9 +531,13 @@ modifying entry "olcDatabase={0}config,cn=config"</programlisting>
level: Depending on your success during subsequent exercises you may
want to adjust <parameter
xlink:href="http://www.zytrax.com/books/ldap/ch6/#loglevel">olcLogLevel</parameter>
appropriately. Mind <link
in <code>cn=config</code> appropriately.</para>
<para>Consider <link
xlink:href="http://serverfault.com/questions/324608/how-do-i-get-openldap-on-centos-6-to-write-anything-to-its-log-files#answer-499902">using
olcLogFile</link>.</para>
olcLogFile</link>. Caveat: You <xref linkend="glo_LDAP"/> server daemon
does runs from a non - root <property>uid</property>. Thus you have to
assure sufficient writing permissions.</para>
</section>
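Review bot: the added caveat has grammar problems: "You <xref linkend="glo_LDAP"/> server daemon does runs from a non - root <property>uid</property>" should read "Your LDAP server daemon runs under a non-root uid", and "assure sufficient writing permissions" should read "ensure the log file is writable by that uid". It would also help to tie this to the earlier step that runs slapadd "as user ldap", so readers know which account needs write access to the olcLogFile target.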
<section xml:id="ldapFilter">
......@@ -548,6 +588,30 @@ modifying entry "olcDatabase={0}config,cn=config"</programlisting>
based installation</link>.</para>
</section>
<section xml:id="diSectLdapBackupRestore">
<title>Backup and recovery / restore</title>
<para>Take the hard way to test backup and restore:</para>
<orderedlist>
<listitem>
<para>Set up a <quote>replica</quote> <xref linkend="glo_LDAP"/>
Server on your second host system.</para>
</listitem>
<listitem>
<para>Export both databases (configuration and <quote>real</quote>
data) from your production server using <command
xlink:href="http://linux.die.net/man/8/slapcat">slapcat</command>.</para>
</listitem>
<listitem>
<para> Restore the exported data on your replica using <command
xlink:href="http://linux.die.net/man/8/slapadd">slapadd</command>.</para>
</listitem>
</orderedlist>
</section>
<section xml:id="ldapReplication">
<title>Replication</title>
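Review bot: steps 2 and 3 omit details the reader needs to succeed: slapcat exports one database per run, so the two exports need `-n 0` (cn=config) and `-n 1` (the data database), matching the `{0}`/`{1}` numbering shown earlier in this commit; slapd on the replica must be stopped before slapadd, and the files slapadd creates must be owned by the uid slapd runs as (the earlier hunk says "as user ldap"). Since the exports contain `olcRootPW` and `userPassword` hashes, the text should also tell readers to give the dump files restrictive permissions and delete them from the replica after the restore. Minor: `<para> Restore` has a leading space inside the element, and the linux.die.net command links are plain http.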