Calendar
Tag Cloud
Active Directory AD ADAM Amanda Asterisk Benchmark Blog Catalyst DBIC DBIx-Class Digium Directory Services Disaster Recovery Dojo eDirectory Encrypted Backups Enterprise Backups Enterprise Directory Fedora Fedora Directory Server Fedora DS Flexi Time Flexitime Gnome IAM Identity Management IDM IP Telephony Isode JavaScript LDAP ldap LDAP Replication LDAP Schema Linux linux M-Vault Microsoft Microsoft FUD MirrorMode MySQL NBD OID OpenDS OpenLDAP openldap OpenLDAP Newsletter OpenLDAP Quick Tips Open Source Oracle Oracle Internet Directory PABX Perl PostgreSQL Quad-Core RDBMS Red Hat Replication Request Tracker RT Samba Sendmail SSO Sun Sun Microsystems SunOne Suretec Symas Ubuntu UC UM Unified Communications VoIP X.500
Quicksearch
Powered by
OpenLDAP Quick Tips: Get Your Own Private Enterprise Number for LDAP Schemas
Friday, November 21. 2008
Hi All,
Here's my 8th tip in the "OpenLDAP Quick Tips" series:
"You want to create your own LDAP[?] Schema for your directory server":
The golden rule:
Under no circumstances should you hijack name space belonging to others!
When you want to extend or create one yourself, get your own OID or PEN using the Private Enterprise Number (PEN) Request Template.
It takes around 2 weeks and you will then always be listed on the PRIVATE ENTERPRISE NUMBERS page if you forget the number and it means your namespace will never clash with others.
Anyone in the LDAP field that is worth their salt should be listed, we are (Suretec Systems Ltd.).
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Here's my 8th tip in the "OpenLDAP Quick Tips" series:
"You want to create your own LDAP[?] Schema for your directory server":
The golden rule:
Under no circumstances should you hijack name space belonging to others!
When you want to extend or create one yourself, get your own OID or PEN using the Private Enterprise Number (PEN) Request Template.
It takes around 2 weeks and you will then always be listed on the PRIVATE ENTERPRISE NUMBERS page if you forget the number and it means your namespace will never clash with others.
Anyone in the LDAP field that is worth their salt should be listed, we are (Suretec Systems Ltd.).
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Posted by Gavin Henry
in Open Source, OpenLDAP, Suretec
at
21:04
| Comments (0)
| Trackbacks (0)
Defined tags for this entry: Directory Services
, Enterprise Backups
, Enterprise Directory
, IAM
, IDM
, Identity Management
, LDAP
, LDAP Replication
, LDAP Schema
, Linux
, Open Source
, OpenLDAP
, OpenLDAP Newsletter
, OpenLDAP Quick Tips
, Replication
, Suretec
, Symas
, X.500
, ldap
, openldap
, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldapOpenLDAP Quick Tips: Testing your Access Control Lists (ACLs)
Thursday, November 20. 2008
Hi All,
Here's my 7th tip in the "OpenLDAP Quick Tips" series:
"You want to check your Access Control Lists configured in your directory server":
Previously we covered slaptest and slappasswd, so next is slapacl
Let's take a standard ACL example for protecting access to the userPassword attribute:
We can verify that this does what is expected by using the slapacl tool:
Here we point to our config file, stating that the entry we want to test against is the ghenry user entry and that the user we want to test that has access permissions is the ghenry user. Because we have self write access, we can obviously read that attribute too.
Now if we try to access someone elses password, we get:
I'm not allowed to see the laura users password.
Of course, the rootdn user by passes all ACLs, so as expected, they can read the userPassword attribute:
This should give you a taster of how to test your ACLs on the command line.
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Here's my 7th tip in the "OpenLDAP Quick Tips" series:
"You want to check your Access Control Lists configured in your directory server":
Previously we covered slaptest and slappasswd, so next is slapacl
Let's take a standard ACL example for protecting access to the userPassword attribute:
CODE:
access to * attrs=userPassword
by self write
by anonymous auth
by * none
We can verify that this does what is expected by using the slapacl tool:
CODE:
[root@suretec ~]# /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -b "uid=ghenry,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" -D "uid=ghenry,ou=users,ou=OxObjects,dc=suretecsystems,dc=com" "userPassword/read:"
authcDN: "uid=ghenry,ou=users,ou=oxobjects,dc=suretecsystems,dc=com"
read access to userPassword=: ALLOWED
Here we point to our config file, stating that the entry we want to test against is the ghenry user entry and that the user we want to test that has access permissions is the ghenry user. Because we have self write access, we can obviously read that attribute too.
Now if we try to access someone elses password, we get:
CODE:
[root@suretec ~]# /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -b "uid=laura,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" -D "uid=ghenry,ou=users,ou=OxObjects,dc=suretecsystems,dc=com" "userPassword/read:"
authcDN: "uid=ghenry,ou=users,ou=oxobjects,dc=suretecsystems,dc=com"
read access to userPassword=: DENIED
I'm not allowed to see the laura users password.
Of course, the rootdn user by passes all ACLs, so as expected, they can read the userPassword attribute:
CODE:
[root@suretec ~]# /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -b "uid=laura,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" -D "cn=admin,dc=suretecsystems,dc=com" "userPassword/read:"
authcDN: "cn=admin,dc=suretecsystems,dc=com"
read access to userPassword=: ALLOWED
This should give you a taster of how to test your ACLs on the command line.
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Posted by Gavin Henry
in Open Source, OpenLDAP, Suretec
at
11:47
| Comments (2)
| Trackbacks (0)
Defined tags for this entry: Directory Services, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldap
, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldapOpenLDAP Quick Tips: Creating encrypted passwords
Wednesday, November 19. 2008
Hi All,
Here's my 6th tip in the "OpenLDAP Quick Tips" series:
"You want to encrypt the passwords that are stored in your directory server":
Previously we covered slaptest, so the next one we will cover in the slap* set of command lines tools is slappasswd
To create an encrypted password for a password "testing", we do:
The default is SSHA encryption, which is the recommended. You can also generate a random password with the -g option:
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Here's my 6th tip in the "OpenLDAP Quick Tips" series:
"You want to encrypt the passwords that are stored in your directory server":
Previously we covered slaptest, so the next one we will cover in the slap* set of command lines tools is slappasswd
To create an encrypted password for a password "testing", we do:
CODE:
[root@suretec ~]# slappasswd
New password:
Re-enter new password:
{SSHA}4Q/jfwS2oPJtQDq7bmHozKOWkgDJNLEb
The default is SSHA encryption, which is the recommended. You can also generate a random password with the -g option:
CODE:
[ghenry@suretec ~]$ /usr/local/sbin/slappasswd -g
t5e7xEJE
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Posted by Gavin Henry
in Open Source, OpenLDAP, Suretec
at
11:47
| Comments (0)
| Trackbacks (0)
Defined tags for this entry: Directory Services, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldap
, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldapOpenLDAP Quick Tips: LDAP Schema Viewer
Tuesday, November 18. 2008
Hi All,
Here's my 5th tip in the "OpenLDAP Quick Tips" series:
"You are not sure what LDAP[?] attributes to chose and what LDAP ObjectClasses they belong to":
The online LDAP Schema Viewer resource is great for quickly browsing what belongs to what.
You can of course use the LDAP Schema browser of any decent LDAP GUI
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Here's my 5th tip in the "OpenLDAP Quick Tips" series:
"You are not sure what LDAP[?] attributes to chose and what LDAP ObjectClasses they belong to":
The online LDAP Schema Viewer resource is great for quickly browsing what belongs to what.
You can of course use the LDAP Schema browser of any decent LDAP GUI
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Posted by Gavin Henry
in Open Source, OpenLDAP, Suretec
at
12:16
| Comments (0)
| Trackbacks (0)
Defined tags for this entry: Directory Services, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldap
, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldapOpenLDAP Quick Tips: Always test your slapd configuration
Monday, November 17. 2008
Hi All,
Here's my forth tip in the "OpenLDAP Quick Tips" series:
"You want to test your configuration for your directory server":
The OpenLDAP Software Suite comes with many great command line tools which we will cover in the OpenLDAP Quick Tips series. The first one you should always use is slaptest:
The above means our configuration is all good. If we are using dynamic configuration, we would use -F. For more information, always use the -d flag which we will cover in another tip.
For some errors like below, it's obvious what's wrong:
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Here's my forth tip in the "OpenLDAP Quick Tips" series:
"You want to test your configuration for your directory server":
The OpenLDAP Software Suite comes with many great command line tools which we will cover in the OpenLDAP Quick Tips series. The first one you should always use is slaptest:
CODE:
[root@suretec src]# /usr/local/sbin/slaptest -f /usr/local/etc/openldap/slapd.conf
config file testing succeeded
The above means our configuration is all good. If we are using dynamic configuration, we would use -F. For more information, always use the -d flag which we will cover in another tip.
For some errors like below, it's obvious what's wrong:
CODE:
[root@suretec src]# /usr/local/sbin/slaptest -f /usr/local/etc/openldap/slapd.conf
could not stat config file "/usr/local/etc/openldap/schema/suretec.schema": No such file or directory (2)
slaptest: bad configuration file!
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Posted by Gavin Henry
in Open Source, OpenLDAP, Suretec
at
13:45
| Comments (0)
| Trackbacks (0)
Defined tags for this entry: Directory Services, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldap
, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldapOpenLDAP Quick Tips: Using syslog or syslog-ng with slapd for OpenLDAP logging
Friday, November 14. 2008
Hi All,
Here's my third tip in the "OpenLDAP Quick Tips" series:
"You want to enable logging via syslog or syslog-ng for your directory server":
For syslog, depending on your distro, you would edit /etc/syslog.conf or /etc/rsyslog.conf:
and then restart syslog/rsyslog:
For syslog-ng, the following will work:
You can also add:
and then restart as per your distro tools.
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
Here's my third tip in the "OpenLDAP Quick Tips" series:
"You want to enable logging via syslog or syslog-ng for your directory server":
For syslog, depending on your distro, you would edit /etc/syslog.conf or /etc/rsyslog.conf:
CODE:
# LDAP[?] logs
LOCAL4.* -/var/log/openldap.log
and then restart syslog/rsyslog:
CODE:
/etc/init.d/syslog restart
For syslog-ng, the following will work:
CODE:
source s_all { unix-stream("/dev/log"); internal(); };
destination d_ldap { file("/var/log/ldap[?].log"); };
filter f_syslog { not facility(auth, authpriv) and not
match(slapd); };
filter f_ldap { match("slapd"); };
log { source(s_all); filter(f_syslog); destination(d_syslog); };
log { source(s_all); filter(f_ldap); destination(d_ldap); };
You can also add:
CODE:
options { sync(n); };
and then restart as per your distro tools.
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
Posted by Gavin Henry
in Open Source, OpenLDAP, Suretec
at
10:40
| Comments (2)
| Trackback (1)
Defined tags for this entry: Directory Services, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldap
, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldapOpenLDAP Quick Tips: Changing your rootdn password without slapd.conf
Friday, November 7. 2008
Hi All,
Here's my second tip in the "OpenLDAP Quick Tips" series:
"You want to manage the rootdn users password using the same tools as you use for normal users in your OpenLDAP directory server":
You would normally set your rootpw in slapd.conf like so:
If you leave out the rootpw line and add the rootdn user as a normal user with a userPassword attribute:
This then means you can change the rootdn password with tools like ldappasswd etc.
Note: this example does not cover cn=config where you can change 99% of OpenLDAP settings and config on the fly. The equivalent rootdn entry in cn=config would look like:
you could use ldapmodify or similar to change above.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
Here's my second tip in the "OpenLDAP Quick Tips" series:
"You want to manage the rootdn users password using the same tools as you use for normal users in your OpenLDAP directory server":
You would normally set your rootpw in slapd.conf like so:
CODE:
database bdb
directory /usr/local/var/openldap-data
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw testing
If you leave out the rootpw line and add the rootdn user as a normal user with a userPassword attribute:
CODE:
dn: cn=admin,dc=suretecsystems,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: rootdn user
userPassword: {SSHA}my_encrypted_password_hash_using_slappasswd
This then means you can change the rootdn password with tools like ldappasswd etc.
Note: this example does not cover cn=config where you can change 99% of OpenLDAP settings and config on the fly. The equivalent rootdn entry in cn=config would look like:
CODE:
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: testing
you could use ldapmodify or similar to change above.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
Posted by Gavin Henry
in Linux, Open Source, OpenLDAP, Suretec
at
15:09
| Comments (0)
| Trackbacks (2)
Defined tags for this entry: Directory Services, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldap
, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Replication, Suretec, Symas, X.500, ldap, openldapOpenLDAP Quick Tips: Checking the state of replication
Thursday, November 6. 2008
Hi All,
I might as well start easing back into the OpenLDAP Weekly Newsletter by doing some "OpenLDAP Quick Tips". Here's the first one.
"Check that the synchronisation state indicators of any slaves or masters are the same":
If they are the same, then replication has finished, otherwise replication has not finished or has failed.
For more technical detail, please see http://www.openldap.org/doc/admin24/replication.html#LDAP[?]%20Sync%20Replication
I might as well start easing back into the OpenLDAP Weekly Newsletter by doing some "OpenLDAP Quick Tips". Here's the first one.
"Check that the synchronisation state indicators of any slaves or masters are the same":
CODE:
[ghenry@suretec ~]$ ldapsearch -x -LLL -H ldap[?]://master:389 -s base -b 'dc=suretecsystems,dc=com' contextCSN[?]
dn: dc=suretecsystems,dc=com
contextCSN: 20081025222436.822813Z&000000;000#000000
[ghenry@suretec ~]$ ldapsearch -x -LLL -H ldap://slave:389 -s base -b 'dc=suretecsystems,dc=com' contextCSN
dn: dc=suretecsystems,dc=com
contextCSN: 20081025222436.822813Z&000000;000#000000
If they are the same, then replication has finished, otherwise replication has not finished or has failed.
For more technical detail, please see http://www.openldap.org/doc/admin24/replication.html#LDAP[?]%20Sync%20Replication
Posted by Gavin Henry
in Linux, Open Source, OpenLDAP, Suretec
at
14:46
| Comments (0)
| Trackbacks (0)
Defined tags for this entry: Directory Services, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, <
, Enterprise Backups, Enterprise Directory, IAM, IDM, Identity Management, LDAP, LDAP Replication, LDAP Schema, Linux, Open Source, <