ldapv3.pdf 7947KB Apr 17 2013 11:30:42 AM - mirror omadata

More documents

Recommendations

Info

OpenLDAP + SASL + GSSAPI (OpenLDAP SASL support for Kerberos V) OpenLDAP integrates seemlessly with the Kerberos V single-signon security mechanism via SASL's GSSAPI module. You must create a principle on the KDC for the LDAP service: ldap/fqhostname@KERBEROS.DOMAIN With MIT Kerberos this is done using the kadmin utility and a command like: addprinc -randkey ldap/ldap.example.com@WHITEMICE.ORG This principle must be written to a keytab file on the LDAP host that can be read by the security context under which LDAP operates. This principle should not be written to the system keytab file (usually /etc/krb5.keytab). With MIT Kerberos: kadmin -q "ktadd -k /etc/openldap/slapd.keytab ldap/estate1.whitemice.org" chown ldap.ldap /etc/openldap/ldap.keytab chmod 600 /etc/openldap/ldap.keytab
OpenLDAP + SASL + GSSAPI (OpenLDAP SASL support for Kerberos V) The OpenLDAP service must be able to locate the keytab it is intended to use, this is best accomplished by setting the KRB5_KTN<strong>AM</strong>E environment variable in the script that starts the LDAP service. export KRB5_KTN<strong>AM</strong>E="FILE:/etc/openldap/ldap.keytab" Instruct slapd to use the GSSAPI module by defining the following SASL directives in /etc/openldap/slapd.conf - Keytab file srvtab /etc/openldap/ldap.keytab sasl-realm WHITEMICE.ORG Kerberos Realm sasl-host estate1.whitemice.org KDC For more information see: http://www.bayour.com/LDAPv3-HOWTO.html
Page 1 and 2:
LDAP and OpenLDAP (on the Linux Pla
Page 3 and 4:
KLUG The master copy of this docume
Page 5:
Versions For the most part this doc
Page 8 and 9:
What is a directory? A directory is
Page 10 and 11:
¤¥ § ¨ © ¨ ¨ £¡ ¡
Page 12 and 13:
Requirements An LDAPv3 compliant di
Page 14 and 15:
Gotcha: “requested“ protocol ve
Page 16 and 17:
Multi-Valued RDNs While most object
Page 19 and 20:
Schema A directory has a schema sim
Page 21 and 22:
1.1.x It is true that the 1.1.x OID
Page 23 and 24:
WARNING (Object Class Type) Early O
Page 25 and 26:
Attribute Schema OID Name (alias fo
Page 27 and 28:
Attribute Syntaxes Data Type OID De
Page 29: The OID is the truth. The names of
Page 32 and 33: Illegal Partitions The law of parti
Page 34: Subordinate Information Subordinate
Page 37 and 38: Operational ACI Attributes If your
Page 39 and 40: subSchema One of the most useful bi
Page 41 and 42: The ManageDsaIT Control OID: 2.16.8
Page 43 and 44: The "alias" object The alias object
Page 45 and 46: Start TLS Extended Operation OID: 1
Page 47: 2.1.x hasSubordinates Only implemen
Page 50 and 51: Supported `Advanced' Features Featu
Page 52 and 53: The Config Files Configuration file
Page 54 and 55: slapd.conf (defaultsearchbase) The
Page 56 and 57: equire The require configuration di
Page 58 and 59: loglevel The loglevel directive con
Page 60 and 61: Checking the SSL Configuration Once
Page 62: Supported Bind Types Depending on h
Page 65 and 66: SASL RPMs Redhat 8.0 is the first t
Page 67 and 68: SASL Methods PLAIN (AUXPROP, SASLAU
Page 69 and 70: C? KP Q >C >GP X O X > NN>K?[ TM >P
Page 71 and 72: saslpasswd & saslpasswd2 saslpasswd
Page 73 and 74: PLAIN Authentication PLAIN SASL aut
Page 75 and 76: 2.1.x Authentication Request DN Map
Page 77 and 78: 2.1.x sasl-regexp rewrite pattern s
Page 79: OpenLDAP + SASL + PAM 1. Make sure
Page 83 and 84: OpenLDAP + SASL + GSSAPI (OpenLDAP
Page 86 and 87: slapd.conf (Database) # ldbm databa
Page 88 and 89: ack-ldbm back-ldbm is the standard
Page 90 and 91: ack-bdb back-bdb configuration dire
Page 92 and 93: ack-sql The SQL backend is not buil
Page 94 and 95: ack-shell The back-shell backend al
Page 96 and 97: LDAP Indexes pres - An index of wha
Page 99 and 100: Buffer Stuffing (Single Threaded In
Page 101 and 102: Filesystem Since the LDAP database
Page 103 and 104: Journalized Filesystems Journalized
Page 106 and 107: The purpose of back-sql The back-sq
Page 108 and 109: Mapping Concept back-sql uses a set
Page 110 and 111: Objectclass Mappings ldap_oc_mappin
Page 112 and 113: Attribute Mappings Stored procedure
Page 114 and 115: Objectclass Mapping ldap_entry_objc
Page 116 and 117: Stored Procedures
Page 118: Using Triggers & Events
Page 121 and 122: Replication Diagram Replication Dia
Page 123 and 124: Populating Slaves One of the most d
Page 125 and 126: The Replication Log On serveral dis
Page 127 and 128: The Rejection Log The rejection log
Page 129 and 130: Chasing Referrals If a client submi
Page 132 and 133:
The ACL Stack Access control for ob
Page 134 and 135:
Default Access defaultaccess { none
Page 136 and 137:
Examples The following are example
Page 138 and 139:
dnattr The dnattr matching construc
Page 140 and 141:
{}|~ € ‚ z x¢y w ttuv z ‡ ˆ
Page 142 and 143:
children & entry The ability to cre
Page 144:
A Limitation? One "limitation" of O
Page 147 and 148:
Advantages of ACI The single bigges
Page 149 and 150:
OpenLDAPacl & OpenLDAPaci Every obj
Page 151 and 152:
The ACI ACL (OpenLDAPaci) In order
Page 153 and 154:
OpenLDAPaci: Rights The rights fiel
Page 156 and 157:
RFC2798 (inetOrgPerson) The inetOrg
Page 158 and 159:
RFC2739 http://www.faqs.org/rfcs/rf
Page 160 and 161:
Hierarchy: cosine.schema dSA pilotD
Page 162 and 163:
Hierarchy: Kerberos V & Samba krb5-
Page 165 and 166:
syslog On most platforms OpenLDAP u
Page 167 and 168:
etc/openldap/ldap.conf The defaults
Page 169 and 170:
The LDAP PAM Module PAM is a system
Page 171 and 172:
A PAM LDAP login file #%PAM-1.0 aut
Page 173 and 174:
etc/ldap.conf timelimit 30 The maxi
Page 175 and 176:
passwd PAM file (/etc/pam.d/passwd)
Page 178 and 179:
Migration Scripts PADL.com (Luke Ho
Page 180 and 181:
Using the scripts... Once the prope
Page 182:
What can be migrated? The stock mig
Page 187 and 188:
An entry of posixAccount Object stu
Page 189 and 190:
ipHost Object An entry of 127.0.0.1
Page 191 and 192:
oncRpc Object An entry of fypxfrd60
Page 194 and 195:
What is an SRV record? Traditionall
Page 196 and 197:
1123 vs. 2181 SRV protocol and serv
Page 198 and 199:
SRV and nss_ldap To use SRV records
Page 201 and 202:
Root Referrals To configure with Op
Page 204 and 205:
Loading Tip: Objectclass When loadi
Page 206 and 207:
Misc. Data Loading Tips 1. If a lin
Page 208 and 209:
Non-English Data If your data conta
Page 211 and 212:
OpenLDAP Utilities ldapsearch Allow
Page 213 and 214:
LDAP Queries ldapsearch "(&(uid=awi
Page 215 and 216:
Requesting Attributes If you do not
Page 217 and 218:
ldapmodrdn While the dn of an objec
Page 219 and 220:
slapadd slapadd is used to initiall
Page 222 and 223:
gq gq is an LDAP v3 utility for Gna
Page 224 and 225:
gq (Schema browser)
Page 226 and 227:
HAD Hyperactive Directory Administr
Page 228 and 229:
Directory Administrator (http://www
Page 230 and 231:
LDAP Browser / Editor (http://www.i
Page 232 and 233:
LDIF To VCard http://www.pawebworld
Page 234 and 235:
From the cpu manual page CPU (http:
Page 236 and 237:
Wallal (http://www.mnot.net/wallal/
Page 238 and 239:
mod_auth_ldap (http://nona.net/soft
Page 240 and 241:
Gnarwl (http://www.oss.billiton.de/
Page 242 and 243:
š š š
Page 244 and 245:
MaxWare Directory Explorer Version
Page 246 and 247:
ActiveX LDAP Client http://www.polo
Page 249 and 250:
saslauthd saslauthd is a stand alon
Page 251 and 252:
saslauthd Options saslauthd a authm
Page 253 and 254:
RedHat's saslauthd The RedHat Cyrus
Page 255 and 256:
saslauthd -a ldap LDAP related sasl
Page 257 and 258:
saslauthd -a ldap saslauthd -a ldap
Page 260 and 261:
m4: LDAPDefaultSpec The first m4 va
Page 262 and 263:
m4: LDAPROUTE_DOMAIN The m4 sendmai
Page 264 and 265:
¨ Ÿ ¦ «° µ¬ ¨ Ÿ ¦ «° µ
Page 266 and 267:
RFC822 rfc822 defines a the concept
Page 268 and 269:
LDAP + sendmail You can also define
Page 270 and 271:
LDAP SMTP Access Control cn=Allow S
Page 272 and 273:
The Sendmail Schema
Page 274 and 275:
sendmailMTAHost attributetype ( 1.3
Page 276 and 277:
sendmailMTAKey attributetype ( 1.3.
Page 278 and 279:
sendmailMTAMapValue attributetype (
Page 280 and 281:
sendmailMTAMapObject objectclass (
Page 282 and 283:
sendmailMTAAlias objectclass ( 1.3.
Page 284 and 285:
sendmailMTAClassName & sendmailMTAC
Page 286 and 287:
Installing GNARWL GNARWL in an LDAP
Page 288 and 289:
GNARWL Integration
Page 290 and 291:
This information now exclusively ap
Page 292 and 293:
Building Samba 1. Grab the latest s
Page 294 and 295:
[globals] encrypt passwords = yes d
Page 296 and 297:
The Admin And His Secrets Since the
Page 298 and 299:
Samba Users Samba users must be UN*
Page 300 and 301:
Samba User Attributes profilePath -
Page 302 and 303:
Samba Times The sambaAccount object
Page 304 and 305:
Samba Security The ntpassword and l
Page 306 and 307:
Samba Attribute Indexes For good pe
Page 309 and 310:
What is Squid? http://www.squid-cac
Page 311 and 312:
Authentication Helpers Squid uses h
Page 313 and 314:
squid_ldap_auth The helper for dire
Page 315 and 316:
squid_ldap_match The squid_ldap_mat
Page 317 and 318:
squid_ldap_match squid_ldap_match -
Page 319:
Example Squid Configuration auth_pa
Page 322 and 323:
DNS & Cosine The Cosine schema (inc
Page 324 and 325:
objectclass: dNSZone (¼) DNS recor
Page 326 and 327:
objectclass: dNSZone (¾) dNSTTL (1
Page 328 and 329:
objectclass: dNSZone (5/6) dn: rela
Page 330 and 331:
Configuring sbd ldap zone "3.168.19
Page 332 and 333:
Ü Misc. Points Features LDAP URLS
Page 335 and 336:
The ISC DHCP Server http://www.isc.
Page 337 and 338:
LDAP DHCP Configuration In order to
Page 339 and 340:
Indexes /etc/openldap/slapd.conf in
Page 341 and 342:
dhcpServer & dhcpService dn:cn=esta
Page 343 and 344:
dhcpGroup Object dn: cn=group,cn=wh
Page 347 and 348:
What is pppd? The pppd daemon is an
Page 349 and 350:
Challenge Host Authentication Proto
Page 351 and 352:
LDAP chap-secrets entry If you are
Page 353 and 354:
Other LDAP enabled pppds ftp://ftp.
Page 356 and 357:
What is Turba? Turba is a web addre
Page 358 and 359:
Source Parameters The params array
Page 360 and 361:
Turba Source Search Keys The search
Page 362 and 363:
Turba LDAP Personal Address Books L
Page 364:
Turba LDAP Personal Address Book De
Page 367 and 368:
Setting Up To Use The DSA DSA Host
Page 369 and 370:
Viewing The Object From the address
Page 372 and 373:
What is evolution? http://www.ximia
Page 374 and 375:
evolutionPerson The evolution sourc
Page 376 and 377:
Calender Entries
Page 378 and 379:
Viewing An LDAP Addressbook LDAP ad
Page 380 and 381:
Contact Details (Dialog relations t
Page 383 and 384:
What is Mozilla?
Page 387 and 388:
What is GQ?
Page 389 and 390:
Drag-n-Drop
Page 391 and 392:
Handling Complex Attribtues Import
Page 394 and 395:
What Is Star Office? What is Open O
Page 396 and 397:
Creating an LDAP Data Source Bring
Page 398 and 399:
Browsing The Address Book Selecting
Page 400 and 401:
Using The Address Book Available da
Page 403 and 404:
ILS The Internet Locator Service is
Page 405 and 406:
ILS and LDAP The Netmeeting Directo
Page 407 and 408:
OpenLDAP as an ILS Agent (OBJECTCLA
Page 409 and 410:
OpenLDAP as an ILS Agent (The secon
Page 411 and 412:
GNOMEMeeting and ILS Before you can
Page 413 and 414:
GNOMEMeeting and ILS GNOME Meeting
Page 415 and 416:
Netmeeting Quibbles The Netmeeting
Page 417:
389 vs. 1002 Prior to Windows 2000
Page 420 and 421:
Why DSML What do directories and XM
Page 422 and 423:
DSML Misc For binary data DSML supp
Page 424 and 425:
DSML Tools A set of DSML utilities
Page 426:
Castor (http://castor.exolab.org/in
Page 429 and 430:
LDAP Authentication Module The LDAP
Page 431 and 432:
Active Directory is a registered tr
Page 433 and 434:
MKSADExtPlugin* (http://www.css-sol
Page 436 and 437:
Using LDAP via PHP Establish Connec
Page 438 and 439:
ldap_connect with URLs If you have
Page 440 and 441:
ldap_set_option / controls if (ldap
Page 442 and 443:
ldap_bind boolean ldap_bind (resour
Page 444 and 445:
ldap_error string ldap_error (resou
Page 446 and 447:
ldap_err2str Error Constant Value L
Page 448 and 449:
ldap_search & dereferencing The der
Page 450 and 451:
ldap_free_result boolean ldap_free_
Page 452 and 453:
ldap_add boolean ldap_add(resource
Page 454 and 455:
ldap_mod_add boolean ldap_mod_add(r
Page 456:
ldap_mod_replace boolean ldap_mod_d
Page 459 and 460:
ldap_init & ldap_open Before any ot
Page 461 and 462:
ldap_bind & ldap_bind_s Once a conn
Page 463 and 464:
ldap_search & ldap_search_s int lda
Page 465 and 466:
ldap_count_entries int ldap_count_e
Page 467 and 468:
ldap_next_entry LDAPMessage* ldap_n
Page 469 and 470:
ldap_first_attribute char* ldap_fir
Page 471 and 472:
ldap_get_values char **ldap_get_val
Page 473 and 474:
void ldap_value_free(char** vals) l
Page 475 and 476:
ldap_unbind & ldap_unbind_s int lda
Page 477 and 478:
#include "stdio.h" #include "stdlib
Page 479 and 480:
la[0] = "givenname"; la[1] = "sn";
Page 481 and 482:
Simple C LDAP Query Walk the Attrib
Page 483 and 484:
ldap_result
Page 485 and 486:
ldap_add & ldap_add_s
Page 487:
ldap_modrdn & ldap_modrdn_s
Page 490 and 491:
NSS LDAP & AIX Since version ~198 P
Page 492 and 493:
Authentication via NSS LDAP on AIX
Page 494 and 495:
The AIX Name Service The NSORDER en
Page 496 and 497:
etc/irs.conf Name spaces: services
Page 498 and 499:
More Information For more informati
Page 500:
More Information... Understanding a
show all

ldapv3.pdf 7947KB Apr 17 2013 11:30:42 AM - mirror omadata

Create successful ePaper yourself

Delete template?

Save as template?