OpenLDAP Everywhere Revisited

Many readers have used our December 2002 article, “OpenLDAP Everywhere”, to achieve unified login company-wide. Since then, OpenLDAP and Linux have progressed. Here, we demonstrate the use of OpenLDAP as the core directory service for a mixed environment. The LDAP server provides a shared e-mail directory, login for Linux and Microsoft Windows clients, automount of home directories and file sharing for all clients. A simple mixed environment used in the examples in this article is shown in (Figure 1).

Figure 1. In the mixed environment, both Linux and Windows clients use a common LDAP infrastructure.

The LDAP server we discuss was installed using RPM binary packages and openldap-2.2.13-2 on Fedora Core 3. The nss_ldap package also is required. For the most recent source from openldap.org, see the on-line Resources. Edit the server configuration file, /etc/openldap/slapd.conf, as shown in Listing 1. Lines beginning with whitespace are interpreted as a continuation of the previous line, so it's not necessary to use a backslash at the end of a long line.

# slapd.conf
# schemas to use
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema
include     /etc/openldap/schema/redhat/autofs.schema

# database definition
database   ldbm
suffix     "dc=foo,dc=com"
rootdn     "cn=Manager,dc=foo,dc=com"
# Cleartext passwords, especially for the rootdn,
# should be avoided.   Use strong authentication.
#rootpw     secret
rootpw     {SSHA}xxxxxxxxxxxxxxxxxxxxx
directory  /var/lib/ldap

# Indices to maintain for this database
index     objectClass,uid,uidNumber,gidNumber,
          memberUid eq
index     cn,mail,surname,givenname eq,subinitial
index     sambaSID eq
index     sambaPrimaryGroupSID eq
index     sambaDomainName eq

# Users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,
      sambaLMPassword
      by dn="cn=Manager,dc=foo,dc=com" write
      by self write
      by anonymous auth
      by * none
# All other attributes are readable to everybody
access to *
      by self write
      by dn="cn=Manager,dc=foo,dc=com" write
      by * read

The LDAP schema defines object classes and attributes that make up the directory entries. Red Hat's autofs schema fits our needs and was packaged with the RPM installation. If you find that you need to add an objectClass or an attribute to your directory, see the OpenLDAP admin guide.

We use the default database type ldbm. Our example uses the LDAP domain component. So, foo.com becomes dc=foo,dc=com.

The Manager has full write access to LDAP entries. Create the manager's password using /usr/sbin/slappasswd. Paste the encrypted password into the rootpw entry in slapd.conf.

The index lines enhance performance for attributes queried often. Access control restricts access to the userPassword entry. The user and manager may modify the entry. For all other entries, the manager has write access, and everyone else is granted read access.

Each entry in the directory is identified uniquely with a distinguished name (dn). The dn for foo.com is dn: dc=foo, dc=com. The organizationalUnit (ou) provides a method for grouping entries. The directory structure is shown in Listing 2.

+ dc=foo,dc=com
|- ou=People                  Persons
|  |- ou=contacts,ou=people   Email contacts
|- ou=Groups                  System groups
|- ou=auto.master             Automount master map
|- ou=auto.home               Automount map
|- ou=auto.misc               Automount map
|- ou=Computers               Samba domain members
|- cn=NextFreeUnixId          Samba Next Free ID
|- SambaDomainName            Samba domain info object class

We create the top level entries in LDAP Interchange Format (LDIF) and save them to top.ldif, as shown in Listing 3.