OpenLDAP and Host Identity Protocol for Linux

This page describes OpenLDAP and its use with HIPL, i.e. how to secure the communication between the LDAP server and the client with HIP.

Using OpenLDAP with HIP is a pretty straightforward thing to do. This file is a modified version of the quick start guide found at http://www.openldap.org/doc/admin24/quickstart.html. It gathers only the most important steps of that guide; for further information on using OpenLDAP refer to the original guide. Tests were made with the stable version openldap-2.3.38. I was using Ubuntu 7.04 and Ubuntu 8.04 for these tests, so if you are using a different distro the locations of configuration files etc. can be different.

In the last section there is a small guide for the ACL part of slapd, but it requires release version 2.4.11 to be compiled and installed (2.4.7 might work, as the code was already there, but I tested this with the newer version).

1. Compiling

Get the sources from www.openldap.org. Unpack the package, go into the openldap-VERSION folder and start compiling. Compilation is done in the following way. See ./configure --help for extra options, but remember that IPv6 support must be on.

      ./configure
      make depend
      make 
      make test

Building and testing OpenLDAP can take a long time. If this succeeds, you can install OpenLDAP with 'sudo make install'.

2. Configuring

The main configuration file is usually located in '/usr/local/etc/openldap/slapd.conf'. This file contains a section like

      database bdb
      suffix "dc=<MY-DOMAIN>,dc=<COM>"
      rootdn "cn=Manager,dc=<MY-DOMAIN>,dc=<COM>"
      rootpw secret
      directory /usr/local/var/openldap-data

This has to be modified. If you have a domain like example.com, the configuration then looks like this (the rootdn must lie under the suffix, otherwise slapd will not accept the rootpw for it)

      database bdb
      suffix "dc=example,dc=com"
      rootdn "cn=Manager,dc=example,dc=com"
      rootpw secret
      directory /usr/local/var/openldap-data

For further information on configuring see 'man slapd'.

2.1. Defining a password

In the previous section we talked about configuring slapd and showed part of the configuration file. The file has a line 'rootpw secret'. This line has to be changed before the database actually accepts any inserts. The password hash can be generated for instance with 'slappasswd -s secretword' (if you leave out -s, slappasswd prompts for the password instead, which keeps it out of your shell history). This returns a string like '{SSHA}+Ca5v5wgXGKR//tycdcH7VKbFderQbr8'. Copy it into the configuration file, so that after the modification the 'rootpw secret' line looks similar to 'rootpw {SSHA}+Ca5v5wgXGKR//tycdcH7VKbFderQbr8'.

2.2. Starting slapd

Slapd is started with the command 'sudo /usr/local/libexec/slapd'.

2.3. Slapd and logging

Slapd can log its events, which is useful when playing around with the configuration and/or monitoring its behaviour. For this to happen you have to create a folder for the logs and the log file (both under /var/log, so root privileges are needed for both commands).

      sudo mkdir /var/log/openldap
      sudo touch /var/log/openldap/ldap.log

After this you have to tell the logging daemon to log openldap to the file we just created, so edit your '/etc/syslog.conf' to contain the following lines

      #logging for openldap
      local4.* /var/log/openldap/ldap.log

Remember that every time you change these values you have to restart slapd and syslogd ('sudo /etc/init.d/syslogd restart'). Then set the logging in the global part of 'slapd.conf' (before the database section) by adding the following line.

      loglevel 256

This is the most common option. If you want it to log all ACL related events you would put 128 instead of 256. The loglevel values are powers of 2 and can be added together, so if you want for example to log connections, LDAP operations and ACL events you add 256 and 128, and your line would be

      loglevel 384
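As an added example (not code from this page, from HIPL or from OpenLDAP), the following Python script computes loglevel values from level names and back, and shows what the stats level (256) gives you in practice: a scan over ldap.log lines that counts failed binds per peer address and bind DN. The level table follows slapd.conf(5); the log lines in SAMPLE_LOG are constructed for the demonstration.

```python
"""Encode slapd 'loglevel' masks and scan the stats log for failed binds.

Added example, not code from the HIPL page or from OpenLDAP. Level names and
values follow slapd.conf(5); the log lines in SAMPLE_LOG are constructed.
"""
import re
from collections import Counter

# Level name -> bit value as listed in slapd.conf(5). 256 (stats) logs
# connections, operations and results; 128 (acl) traces access control.
LOGLEVELS = {
    "trace": 1, "packets": 2, "args": 4, "conns": 8, "ber": 16,
    "filter": 32, "config": 64, "acl": 128, "stats": 256, "stats2": 512,
    "shell": 1024, "parse": 2048, "sync": 16384,
}


def loglevel_value(*names):
    """Numeric 'loglevel' for the named levels, e.g. ('stats', 'acl') -> 384."""
    value = 0
    for name in names:
        value |= LOGLEVELS[name]
    return value


def loglevel_names(value):
    """Split a numeric loglevel back into the level names it enables."""
    return [name for name, bit in LOGLEVELS.items() if value & bit]


# The three stats-level line types the scan needs. ACCEPT carries the peer
# address (IPv6 in brackets), BIND the DN being tried, and RESULT with tag=97
# (bindResponse) the outcome: err=0 is success, err=49 is invalid credentials.
ACCEPT_RE = re.compile(
    r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>\[[^\]]+\]|[0-9.]+):\d+")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")


def failed_binds(lines):
    """Count failed BIND attempts per (peer address, bind DN).

    Connection and operation numbers tie the line types together, so the log
    is walked in order: ACCEPT -> peer of conn, BIND -> DN of (conn, op),
    RESULT tag=97 with non-zero err -> one failure for that peer and DN.
    """
    peer_of_conn = {}
    dn_of_op = {}
    failures = Counter()
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            peer_of_conn[m.group("conn")] = m.group("ip").strip("[]")
            continue
        m = BIND_RE.search(line)
        if m:
            dn_of_op[(m.group("conn"), m.group("op"))] = m.group("dn")
            continue
        m = RESULT_RE.search(line)
        if m and m.group("tag") == "97" and m.group("err") != "0":
            key = (m.group("conn"), m.group("op"))
            peer = peer_of_conn.get(m.group("conn"), "<unknown>")
            failures[(peer, dn_of_op.pop(key, "<unknown>"))] += 1
    return failures


# Constructed sample of what syslog writes to ldap.log at loglevel 256: two
# failed manager binds from an IPv4 peer, then a successful bind and a search
# from a HIP peer (its HIT shows up as a bracketed IPv6 address).
SAMPLE_LOG = """\
Jan  1 12:00:00 host slapd[123]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jan  1 12:00:00 host slapd[123]: conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jan  1 12:00:00 host slapd[123]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jan  1 12:00:01 host slapd[123]: conn=1000 op=1 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jan  1 12:00:01 host slapd[123]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jan  1 12:00:02 host slapd[123]: conn=1001 fd=13 ACCEPT from IP=[2001:10::1]:40000 (IP=[::]:389)
Jan  1 12:00:02 host slapd[123]: conn=1001 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jan  1 12:00:02 host slapd[123]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jan  1 12:00:03 host slapd[123]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jan  1 12:00:03 host slapd[123]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
"""

if __name__ == "__main__":
    print("loglevel for stats+acl:", loglevel_value("stats", "acl"))
    print("loglevel 384 enables:", loglevel_names(384))
    for (peer, dn), count in failed_binds(SAMPLE_LOG.splitlines()).items():
        print(f"{count} failed bind(s) as {dn} from {peer}")
```

On a real installation feed it the lines of /var/log/openldap/ldap.log; a burst of err=49 bind results from one peer against the Manager DN is the pattern worth alerting on, and with HIP in use the peer column is a HIT rather than a routable address.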

2.4. Slapd and Berkeley Database

To get the most out of the OpenLDAP installation you have to configure your BDB settings. DB_CONFIG can be found in '/usr/local/var/openldap-data/'. If it is not created yet, there should be at least an example file, 'DB_CONFIG.example', that you can modify. Some changes also have to be made to the BDB part at the end of 'slapd.conf', but I am not going to go into this issue. For more information see for example 'man 5 slapd-bdb'.

3. Inserting data

Inserting data into LDAP can be done with LDIF files. The generic form is

      dn: dc=<MY-DOMAIN>,dc=<COM>
      objectclass: dcObject
      objectclass: organization
      o: <MY ORGANIZATION>
      dc: <MY-DOMAIN>

      dn: cn=Manager,dc=<MY-DOMAIN>,dc=<COM>
      objectclass: organizationalRole
      cn: Manager

For example, if we are inserting an organization (here 'PC Example') for example.com, the LDIF file should look like this

      dn: dc=example,dc=com
      objectclass: dcObject
      objectclass: organization
      o: PC Example
      dc: example

      dn: cn=Manager,dc=example,dc=com
      objectclass: organizationalRole
      cn: Manager

Save this as example.ldif and run the command 'ldapadd -x -D "cn=Manager,dc=<MY-DOMAIN>,dc=<COM>" -W -f example.ldif', replacing of course <MY-DOMAIN> and <COM> with the ones you are using. ldapadd then asks for the password set in the earlier section.
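As an added example (not code from this page, from HIPL or from OpenLDAP), the following Python script generalises the hand-written example.ldif above to any DNS-style domain name and adds the two consistency checks that sections 2 and 3 depend on: that the rootdn lies under the suffix (slapd.conf(5) only allows rootpw for such a rootdn) and that every dn in the LDIF lies under the suffix, which catches typos like 'dc=con' before ldapadd is run. The function names are the example's own.

```python
"""Build the base LDIF for a domain and check it against the slapd.conf suffix.

Added example, not code from the HIPL page or from OpenLDAP. It generalises
the hand-written example.ldif to any DNS-style domain name and adds the two
consistency checks that the config and LDIF in this guide depend on.
"""


def domain_to_dn(domain):
    """Map 'example.com' to 'dc=example,dc=com', one dc= RDN per DNS label."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def dn_rdns(dn):
    """Split a DN into normalised RDN strings for comparison.

    A plain split on ',' is enough for the dc=/cn= names used in this guide;
    RDN values containing an escaped comma would need a real DN parser.
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_under(dn, suffix):
    """True when 'dn' is 'suffix' itself or lies beneath it."""
    d, s = dn_rdns(dn), dn_rdns(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def rootdn_under_suffix(rootdn, suffix):
    """Check the slapd.conf pairing: slapd.conf(5) only allows 'rootpw' for a
    rootdn inside the database suffix, so cn=Manager,dc=example,dc=com with a
    suffix of dc=pc,dc=example,dc=com would leave the password unusable."""
    return dn_under(rootdn, suffix)


def base_ldif(domain, organization, manager_cn="Manager"):
    """LDIF creating the base entry and the manager role, as in section 3."""
    base_dn = domain_to_dn(domain)
    first_label = dn_rdns(base_dn)[0][len("dc="):]
    return (
        f"dn: {base_dn}\n"
        "objectclass: dcObject\n"
        "objectclass: organization\n"
        f"o: {organization}\n"
        f"dc: {first_label}\n"
        "\n"
        f"dn: cn={manager_cn},{base_dn}\n"
        "objectclass: organizationalRole\n"
        f"cn: {manager_cn}\n"
    )


def ldif_entry_dns(ldif_text):
    """Return the 'dn:' values of every entry in an LDIF text, in order."""
    return [line[len("dn:"):].strip()
            for line in ldif_text.splitlines() if line.startswith("dn:")]


def dns_outside_suffix(ldif_text, suffix):
    """DNs that fall outside the database suffix and so cannot be added to it;
    this catches typos such as 'dc=con' before the add is attempted."""
    return [dn for dn in ldif_entry_dns(ldif_text) if not dn_under(dn, suffix)]


if __name__ == "__main__":
    suffix = domain_to_dn("example.com")
    ldif = base_ldif("example.com", "PC Example")
    print(ldif)
    print("rootdn ok:", rootdn_under_suffix("cn=Manager," + suffix, suffix))
    print("entries outside suffix:", dns_outside_suffix(ldif, suffix))
    # Constructed typo, the same slip as writing dc=con for dc=com by hand.
    typo = ldif.replace("cn=Manager,dc=example,dc=com",
                        "cn=Manager,dc=example,dc=con")
    print("entries outside suffix with typo:", dns_outside_suffix(typo, suffix))
```

Run the checks against the suffix line of your slapd.conf before calling ldapadd; the generated text can be written straight to example.ldif.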

4. Searching data

Searching is simple as well. It can be done with the command "ldapsearch -x -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'", which for our example becomes "ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'".

5. Searching from remote servers

Searching from remote servers just adds an LDAP URI to the command: "ldapsearch -x -H <LDAPURI> -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'". This has to be changed as in the previous examples, and the LDAP URI has to be changed into "ldap://<IP>". For IPv6 the URI has to be in the format "ldap://[<IPv6>]".

6. Using OpenLDAP with HIP

The simplest way is to run hipd on both machines and just use a command like "hipconf run normal ldapsearch -x -H ldap://<fqdn> -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'". The name can be something found in /etc/hosts and /etc/hip/hosts, or you can use OpenDHT to resolve names to a HIT and address. The search can also be done directly with a HIT by the command "ldapsearch -x -H ldap://[<HIT>] -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'". You can also search using the opportunistic mode with the command "hipconf run opp ldapsearch -x -H ldap://<fqdn> -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'". ldapadd can be used similarly with an LDAP URI and HIP. Note that HIP secures the transport between the two hosts; the LDAP bind in these commands is still simple authentication (-x), so it is the peer's HIT (see section 7) that identifies the client, not an LDAP credential.

7. Using HITs in OpenLDAP ACL

This does not work in the stable version openldap-2.3.38, because there is no IPv6 support in the ACL part of the code. If you need the ACL part to work with HITs, compile and install release version 2.4.11 or later and it should work. You can define ACL rules that restrict access to information to certain HITs. This has to be done on a one-rule-per-HIT basis. For example the rule can look like this

      access to *
            by self write
            by peername.ipv6=<HIT_1> anonymous read
            by * none

In this example we allow write/read/search to self, anonymous read/search permissions to any process, without authentication, from the host with HIT_1, and others get no permissions whatsoever. These rules have to be added to '/usr/local/etc/openldap/slapd.conf' or to slapd.access (see 'man slapd.access' for further information).
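As an added example (not code from this page, from HIPL or from OpenLDAP), the following Python script generates the one-rule-per-HIT access block shown above from a list of HITs and validates each one first. It assumes HITs are ORCHIDs from the RFC 4843 prefix 2001:10::/28 (the HIT prefix of the HIPL generation this guide was written for) and rejects anything else, so a plain IPv6 address cannot end up in a rule that is meant to name a HIP identity; the HITs in SAMPLE_HITS are constructed.

```python
"""Generate the per-HIT slapd ACL block from section 7 and validate each HIT.

Added example, not code from the HIPL page, HIPL or OpenLDAP. It assumes HITs
are ORCHIDs from the RFC 4843 prefix 2001:10::/28 and rejects anything else,
so that a plain IPv6 address is not mistaken for a HIP identity in an ACL.
"""
import ipaddress

# RFC 4843 ORCHID prefix used for HITs (assumption, see the lead-in).
HIT_PREFIX = ipaddress.ip_network("2001:10::/28")


def is_hit(text):
    """True if 'text' parses as an IPv6 address inside the HIT prefix."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return addr.version == 6 and addr in HIT_PREFIX


def hit_read_acl(hits, what="*"):
    """Return an 'access to' block: self may write, each listed HIT gets
    anonymous read, everyone else gets nothing. One 'by' line is emitted per
    HIT, matching the one-rule-per-HIT form used in the guide."""
    lines = [f"access to {what}", "      by self write"]
    for hit in hits:
        if not is_hit(hit):
            raise ValueError(f"{hit!r} is not a HIT in {HIT_PREFIX}")
        lines.append(f"      by peername.ipv6={hit} anonymous read")
    lines.append("      by * none")
    return "\n".join(lines) + "\n"


def acl_hits(acl_text):
    """Extract the HITs granted access by an existing ACL block, for review
    of a slapd.conf or slapd.access you did not write yourself."""
    found = []
    for line in acl_text.splitlines():
        line = line.strip()
        if line.startswith("by peername.ipv6="):
            found.append(line[len("by peername.ipv6="):].split()[0])
    return found


# Constructed HITs for the demonstration; the real ones are the HITs of the
# client hosts, e.g. as listed in their /etc/hip/hosts.
SAMPLE_HITS = ["2001:10:7b1a:5b28:2e6b:4c8b:6fdc:1f9e",
               "2001:1c:30ab:4c2e:9f11:a0d3:5e70:88c4"]

if __name__ == "__main__":
    print(hit_read_acl(SAMPLE_HITS))
    for candidate in ["2001:10::1", "2001:db8::1", "192.0.2.1", "not-an-address"]:
        print(candidate, "->", "HIT" if is_hit(candidate) else "not a HIT")
```

Paste the printed block into the access section of slapd.conf; because every listed peer is checked against the HIT prefix, a rule that would have granted read access to an ordinary IPv6 host rather than to a HIP identity is refused at generation time instead of silently widening access.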

All of these manuals/tutorials are provided as is. They worked for me and that is all the help I give with them, so if I forgot something or there is a typo you can inform me, but do not expect me to solve your problems :) Oh, and I almost forgot: use them at your own risk.