Paranoid Penguin - Authenticate with LDAP

The directory server is running, so now it's time to configure crypto and add some users.

Second, whenever I create a user record, I need to make sure that an objectclass: inetOrgPerson statement is present.

Creating and Adding User Records

So, how do you create user records? Ideally, with the GUI of your choice. Last month I mentioned gq, which is a standard package in many distros; another excellent tool is ldapbrowser, available at www.iit.edu/~gawojar/ldap. Initially, however, you'll probably want to add at least your organizational entry manually, by creating an ldif file and writing it to the database via the ldapadd command. An ldif file is a text file containing a list of attribute/object class declarations, one per line; a simple one follows:

dn: dc=wiremonkeys,dc=org
objectclass: top
objectclass: organization
objectclass: dcObject
o: Wiremonkeys of St. Paul
dc: wiremonkeys

Here, we're defining the organization wiremonkeys.org. We specify its distinguished name; associate it with the object classes top (mandatory for all records), organization and dcObject; and specify the organization's name (Wiremonkeys of St. Paul), the only mandatory attribute of organization. The last line repeats the entry's naming attribute, dc: wiremonkeys, which dcObject permits. slapd requires the attribute used in an entry's RDN to be present in the entry itself, so without dcObject and dc, ldapadd rejects the record with "naming attribute 'dc' is not present in entry" (and with dc but no dcObject, with "attribute 'dc' not allowed").

To write this record to the database, issue this command:


bash-$ ldapadd -x -H ldaps://localhost/ \
-D "cn=ldapguy,dc=wiremonkeys,dc=org" \
-W -f wiremonkeys_init.ldif

As with most OpenLDAP commands, -x selects simple (password) authentication rather than SASL, -H specifies the LDAP server's URL, -D specifies the DN of the administrator account and -W causes a prompt for the administrator's password. The -f option specifies the path to our ldif file. A simple bind sends the password as-is, which is why the URL here is ldaps://; if you must use a plain ldap:// URL, add -ZZ so the client refuses to bind unless StartTLS succeeds.
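Before handing a file to ldapadd it is worth checking it against the rules above: every entry carries objectclass top, user records carry inetOrgPerson, an organization has an o, and the attribute named in the entry's RDN (dc for dc=wiremonkeys,dc=org) appears in the entry and is allowed by one of its object classes. The following Python checker is an added example, not code from the column; its schema knowledge is a hand-coded subset of the standard schema, the sample records are constructed, and the user entry's uid, cn and sn values are assumptions. It goes beyond the base record in the text in that it checks any entry in a content-style LDIF file.

```python
"""Pre-flight checks for LDIF before ldapadd (added example, hand-coded schema subset)."""
from typing import Dict, List, Tuple

DC_CLASSES = {"dcobject", "domain"}   # standard object classes that allow 'dc'

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse content LDIF into entries (lowercase attribute -> values in order).
    Handles blank-line separation, '#' comments and leading-space continuation
    lines; base64 ('::') values and changetype records are out of scope."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]                  # continuation line
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in unfolded + [""]:                     # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError(f"unsupported or malformed LDIF line: {line!r}")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific first (no escaped commas, single-valued RDNs)."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"bad RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Problems slapd (or the column's own rules) would raise for one entry."""
    problems = []
    dn = entry.get("dn", [""])[0]
    if not dn:
        return ["entry has no dn"]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "top" not in classes:
        problems.append(f"{dn}: missing objectclass top")
    # slapd's naming rule: the RDN attribute and value must be present in the entry.
    rdn_attr, rdn_value = split_dn(dn)[0]
    if rdn_value.lower() not in {v.lower() for v in entry.get(rdn_attr, [])}:
        problems.append(f"{dn}: naming attribute '{rdn_attr}' is not present in entry")
    # 'dc' is only allowed by an object class that defines it (dcObject or domain).
    if "dc" in entry and not classes & DC_CLASSES:
        problems.append(f"{dn}: attribute 'dc' not allowed (add objectclass dcObject)")
    if "organization" in classes and "o" not in entry:
        problems.append(f"{dn}: organization requires attribute 'o'")
    # The column's rule: every user record must carry inetOrgPerson.
    if classes & {"person", "organizationalperson", "inetorgperson"} and "inetorgperson" not in classes:
        problems.append(f"{dn}: user record lacks objectclass inetOrgPerson")
    return problems

def check_ldif(text: str) -> List[str]:
    """Check every entry; an empty list means the file is ready for ldapadd."""
    problems: List[str] = []
    for entry in parse_ldif(text):
        problems.extend(check_entry(entry))
    return problems

# Constructed samples: the base record with only top/organization, and a
# corrected file that adds dcObject/dc plus an (assumed) user record.
ORIGINAL_LDIF = """\
dn: dc=wiremonkeys,dc=org
objectclass: top
objectclass: organization
o: Wiremonkeys of St. Paul
"""

FIXED_LDIF = """\
dn: dc=wiremonkeys,dc=org
objectclass: top
objectclass: organization
objectclass: dcObject
o: Wiremonkeys of St. Paul
dc: wiremonkeys

# user record (constructed; uid, cn and sn are assumptions)
dn: uid=mick,ou=people,dc=wiremonkeys,dc=org
objectclass: top
objectclass: inetOrgPerson
uid: mick
cn: Mick Bauer
sn: Bauer
"""
```

Running check_ldif(ORIGINAL_LDIF) reports exactly the "naming attribute 'dc' is not present in entry" complaint, and check_ldif(FIXED_LDIF) returns an empty list; the messages deliberately mirror slapd's own wording so you can match them against ldapadd's output.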

Confused yet? I've packed a lot of information into this month's column, but our LDAP server is very nearly done. To finish yours without waiting for next month, see the OpenLDAP Administrator's Guide at www.openldap.org/doc for more information about TLS, startup flags, schema and ldif files.

Mick Bauer, CISSP, is Linux Journal's security editor and an IS security consultant for Upstream Solutions LLC in Minneapolis, Minnesota. Mick spends his copious free time chasing little kids (strictly his own) and playing music, sometimes simultaneously. Mick is author of Building Secure Servers With Linux (O'Reilly & Associates, 2002).


Comments


Nice tutorial...

Mike

I wish you had published this a couple months ago before I started my expedition on making this work at my site. Most of the info is out there; Mick has done a great job filtering through and compiling it all in one place. I look forward to part 3!

One comment on the section titled "slapd Startup Options". I'm running OpenLDAP 2.2.13 on RHEL 4. When it came to locking down plaintext connections and enforcing TLS/LDAPS, I had to manually change the following line in /etc/init.d/ldap:

daemon ${slapd} -u ldap -h '"ldap:/// ldaps:///"' $OPTIONS $SLAPD_OPTIONS

to

daemon ${slapd} -u ldap -h '"ldap://127.0.0.1/ ldaps:///"' $OPTIONS $SLAPD_OPTIONS
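The loopback-only ldap:// listener in the comment above and the -x/-H caveat in the ldapadd section are two sides of one check: a simple bind must never cross the network in the clear. Here is an added Python example (not code from the column or from the commenter) that parses a slapd -h URL list or a single client -H URL and flags every ldap:// endpoint that is not bound to loopback; ldaps:// (TLS-wrapped) and ldapi:// (a local UNIX socket) pass. The sample strings are the two init-script URL lists quoted above and the article's ldaps://localhost/.

```python
"""Flag cleartext LDAP endpoints in slapd -h lists or client -H URLs (added example)."""
from typing import List
from urllib.parse import urlsplit

# Addresses on which a cleartext ldap:// listener never leaves the host.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def cleartext_exposures(urls: str) -> List[str]:
    """Given a space-separated slapd -h list (or one client -H URL), return the
    URLs over which a simple bind would travel unencrypted off-host."""
    findings = []
    for url in urls.split():
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme in ("ldaps", "ldapi"):
            continue                                  # TLS-wrapped or local socket
        if scheme != "ldap":
            findings.append(f"{url}: unrecognised scheme")
            continue
        host = parts.hostname                         # None for ldap:/// (every interface)
        if host is None or host in ("0.0.0.0", "::"):
            findings.append(f"{url}: cleartext ldap on all interfaces")
        elif host.lower() not in LOOPBACK:
            findings.append(f"{url}: cleartext ldap on non-loopback {host}")
    return findings

def simple_bind_is_safe(url: str, require_starttls: bool = False) -> bool:
    """Client side: may 'ldapadd -x -H url' be run? Yes for ldaps://, ldapi://,
    ldap:// to loopback, or any ldap:// URL when -ZZ (require StartTLS) is used."""
    return not cleartext_exposures(url) or require_starttls

# Constructed from the init-script lines quoted in the comment above,
# plus the bind URL from the article's ldapadd command.
BEFORE = "ldap:/// ldaps:///"
AFTER = "ldap://127.0.0.1/ ldaps:///"
ARTICLE_BIND_URL = "ldaps://localhost/"

if __name__ == "__main__":
    for label, urls in (("before", BEFORE), ("after", AFTER)):
        print(label, cleartext_exposures(urls) or "OK")
    print("ldapadd -x -H", ARTICLE_BIND_URL, "safe:", simple_bind_is_safe(ARTICLE_BIND_URL))
```

The server-side function is the one to run over whatever your init script or slapd.conf ends up passing as -h; the client-side wrapper encodes the same rule for the URL you give ldapadd, including the -ZZ escape hatch for a plain ldap:// URL.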

Great tutorial

R07h3m

Very good, clear and simple, thanks for this howto.

Re: Paranoid Penguin: Authenticate with LDAP

Anonymous

Thank you Mick for excellent tutorials.....

In this tutorial when adding ldap data e.g.

dn: dc=wiremonkeys,dc=org
objectclass: top
objectclass: organization
o: Wiremonkeys of St. Paul

I had to add the following to be able to get the data into ldap:

dn: dc=wiremonkeys,dc=org
objectclass: top
objectclass: organization
objectclass: dcObject
o: Wiremonkeys of St. Paul
dc: wiremonkeys

I've commented only in that others may get the same errors I did... namely "attribute 'dc' not allowed" or "naming attribute 'dc' is not present in entry".

Thanks for the tutorial....
