LDAP System Administration
RFC 3112
"LDAP Authentication Password Schema". K. Zeilenga. May 2001. Status: Experimental.
RFC 3296
"Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories". K. Zeilenga. July 2002. Status: Proposed Standard.
RFC 3377
"Lightweight Directory Access Protocol (v3): Technical Specification". J. Hodges and R. Morgan. September 2002. Status: Proposed Standard.
RFC 3383
"Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)". K. Zeilenga. September 2002. Status: Best Common Practices.
Internet-Drafts (I-Ds) are temporary by nature, although this often does not stop vendors from implementing parts or all of the functionality that a draft outlines. The I-Ds listed here are included for their relevance to topics covered in one or more chapters in this book. The absence of an I-D from this list should not be taken to mean that it is irrelevant to future LDAP deployments.
Nonexpired I-Ds can be found at http://rfc-editor.org/. Expired drafts can be found online at various archive sites, such as http://www.watersprings.org/. Search engines such as Google.com are normally able to locate several such archives.
draft-lachman-laser-ldap-mail-routing-xx.txt
"LDAP Schema for Intranet Mail Routing". H. Lachman and G. Shapiro. Expires: July 2001.
draft-ietf-ldapext-ldap-c-api-xx.txt
"The C LDAP Application Program Interface". M. Smith (ed.) et al. Expires: May 2001.
draft-weltman-ldapv3-proxy-xx.txt
"LDAP Proxied Authorization Control". R. Weltman. Expires: November 2002.
draft-fleming-ldap-printer-schema-xx.txt
"Lightweight Directory Access Protocol (LDAP): Schema for Printer Services". Pat Fleming and I. McDonald. Expires: December 2002.
draft-howard-rfc2307bis-xx.txt
"An Approach for Using LDAP as a Network Information Service". L. Howard and M. Ansari. Expires: April 2003.
draft-ietf-ldapext-ldapv3-vlv-xx.txt
"LDAP Extensions for Scrolling View Browsing of Search Results". D. Boreham, J. Sermersheim, and A. Kashi. Expires: November 2002.
draft-ietf-ldapext-acl-model-xx.txt
"Access Control Model for LDAPv3". E. Stokes et al. Expires: January 2001.
Mailing Lists
OpenLDAP.org hosts several public mailing lists, all of which are described at http://www.openldap.org/lists/. The two most frequented lists are openldap-software (discussions about software created as part of the OpenLDAP project) and openldap-devel (technical discussions relating to OpenLDAP development). You can subscribe to a list by sending an email to openldap-LIST-request@OpenLDAP.org, in which LIST is either software or devel, with the word "subscribe" in the body of the message.
The University of Michigan hosts a general LDAP mailing list. You can subscribe to its list by sending email to ldap-request@umich.edu with the word "subscribe" as the subject or by accessing the web interface found at http://listserver.itd.umich.edu/.
Appendix E. slapd.conf ACLs
This appendix is provided as a quick reference to the access control rule syntax used in slapd.conf. The general syntax of an access control rule is:
access to what {by who how-much [control]}+
Three syntax items are referred to frequently in the tables found in this appendix:
dnstyle
Can be one of [regex | base | one | subtree | children]
style
Can be one of [regex | base]
regex
Will be expanded as described by the regex(7) manpage
What?
Table E-1 presents a summary of access rule targets.
Table E-1. Summary of access rule targets
What?                      Description
*                          Everything
dn[.dnstyle]=regex         The entries specified by the style beginning at the suffix regex
filter=ldapfilter          The entries returned by applying the RFC 2254 LDAP filter to the directory
attrs=attribute_list       The list of attributes specified
Who?
Table E-2 presents a summary of access rule entities.
Table E-2. Summary of access rule entities
Who?                                Description
*                                   Everyone (including anonymous connections)
anonymous                           Non-authenticated connections
users                               Authenticated connections
self                                The user represented by the DN of the target entry
dn[.dnstyle]=regex                  The user represented by the specified DN
dnattr=attribute_name               The user represented by the DN stored in the specified attribute in the target entry
group[/obj[/attr]][.style]=pattern  The members of the group represented by pattern
peername[.style]=pattern
sockname[.style]=pattern
domain[.style[,modifier]]=pattern
sockurl[.style]=pattern             Host-/filesystem-based access mechanisms
ssf=n
transport_ssf=n
tls_ssf=n
sasl_ssf=n                          Defined minimum security levels for access to be granted
How Much?
OpenLDAP supports two modes of defining access. The general form of the access specifier clause is:
[self]{level|priv}
The special modifier self implies special access to self-owned attributes such as the member attribute in a group.
While the access level model implements incremental access (higher access includes lower access levels), the privilege model requires that an administrator explicitly define access for each permission using the =, +, and - operators to reset, add, and remove permissions, respectively (see Table E-3).
Table E-3. Summary of access and privilege levels from most (top) to least (bottom)
Access level   Privilege   Permission granted
write          w           Access to update attribute values (e.g., change this telephoneNumber to 555-2345).
read           r           Access to read search results (e.g., Show me all the entries with a telephoneNumber of 555*).
search         s           Access to apply search filters (e.g., Are there any entries with a telephoneNumber of 555*?).
compare        c           Access to compare attributes (e.g., Is your telephoneNumber 555-1234?).
auth           x           Access to bind (authenticate). This requires that the client send a username in the form of a DN and some type of credentials to prove his or her identity.
none                       No access.
Control flow from one access rule to the next can be managed by the keywords stop, continue, and break (see Table E-4).
Table E-4. Control flow keywords in access rules
Keyword    Meaning
break      Allows other access clauses to be processed
continue   Allows additional "who" clauses within the current access rule to be processed
stop       Stops access check upon a match (default)
Examples
Grant authenticated users the capability to read the cn attribute with the following:
access to attrs=cn
by users read
Grant a single, specified user the capability to write to all posixAccount entries below the ou=people container with the following. This does not include permission to add new entries directly below ou=people.
access to dn.children="ou=people,dc=plainjoe,dc=org"
    filter=(objectclass=posixAccount)
    by dn="uid=admin,ou=people,dc=plainjoe,dc=org" write
Grant everyone the capability to attempt to authenticate against an entry's password with the following. The owner of the entry should also be given read and write access.
access to attrs=userPassword
by * +x continue
by self +rw
Restrict access to the administration organizational unit to members of the admin groupOfNames object with the following:
access to dn.subtree="ou=administration,dc=plainjoe,dc=org"
    by group/groupOfNames/member="cn=admin,ou=group,dc=plainjoe,dc=org" write
    by * none
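To make the evaluation order behind the "How Much?" section and these four examples concrete, here is an added example in Python that is not from the book and not OpenLDAP code: a small model of how slapd walks an access list. It implements the incremental access levels of Table E-3, the =, + and - privilege operators, and the stop/continue/break keywords of Table E-4, and it applies the rule from the OpenLDAP Administrator's Guide that every access directive ends with an implicit by * none and every access list with an implicit access to * by * none. The function names, the rule encoding (dicts and tuples), the entry uid=jdoe and the cn=secrets entry are constructed for the example; regex styles, filter=, dnattr and the peername/ssf entities are not modelled.

```python
# Added example (not from the book or from OpenLDAP): a model of how slapd
# walks an access list, showing the level/privilege forms and the
# stop/continue/break keywords from Appendix E. Regex styles, filter=,
# dnattr and peername/ssf clauses are not modelled; DNs are compared
# case-insensitively with whitespace around commas removed.

LEVELS = {"write": "wrscx", "read": "rscx", "search": "scx",   # each level
          "compare": "cx", "auth": "x", "none": ""}            # includes lower ones

def norm(dn):
    """Normalise a DN (or attribute list) for comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def apply_grant(current, how_much):
    """A level replaces the set; =, + and - reset, add and remove bits."""
    if how_much in LEVELS:
        return set(LEVELS[how_much])
    op, bits = how_much[0], set(how_much[1:])
    if op == "=":
        return bits
    if op == "+":
        return current | bits
    if op == "-":
        return current - bits
    raise ValueError("bad access specifier: " + how_much)

def what_matches(what, target_dn, attr):
    """what is "*" or a dict with "attrs" and/or one "dn.<dnstyle>" key;
    attr None means the entry itself, which an attrs= target never covers."""
    if what == "*":
        return True
    target = norm(target_dn)
    for key, value in what.items():
        if key == "attrs":
            if attr is None or attr.lower() not in norm(value).split(","):
                return False
        else:                                   # assumed to be dn.<dnstyle>
            style, suffix = key[3:], norm(value)
            below = target.endswith("," + suffix)
            parent = target.partition(",")[2]   # "" when the DN has one RDN
            if not {"base": target == suffix, "one": parent == suffix,
                    "children": below, "subtree": below or target == suffix}[style]:
                return False
    return True

def who_matches(who, subject_dn, target_dn, groups):
    """who is "*", "anonymous", "users", "self", "dn=<dn>" or "group=<dn>";
    groups maps a group DN to its member DNs (constructed, no directory)."""
    subject = norm(subject_dn) if subject_dn else None   # None = anonymous
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "users":
        return subject is not None
    if who == "self":
        return subject is not None and subject == norm(target_dn)
    if who.startswith("dn="):
        return subject == norm(who[3:])
    if who.startswith("group="):
        return subject in {norm(m) for m in groups.get(norm(who[6:]), ())}
    raise ValueError("unsupported who clause: " + who)

def evaluate(rules, target_dn, attr, subject_dn=None, groups=None):
    """Privileges subject_dn (None = anonymous) holds on (target_dn, attr).
    The first matching 'access to' directive is used; within it the first
    matching 'by' clause decides unless it says continue or break. No matching
    'by' clause, or no matching directive, denies (the implicit 'by * none'
    and 'access to * by * none' of the OpenLDAP Administrator's Guide)."""
    granted = set()
    for what, by_clauses in rules:
        if not what_matches(what, target_dn, attr):
            continue
        for who, how_much, control in by_clauses:
            if not who_matches(who, subject_dn, target_dn, groups or {}):
                continue
            granted = apply_grant(granted, how_much)
            if control == "break":
                break           # leave this directive, try the next one
            if control != "continue":
                return granted  # stop (the default)
        else:
            return set()        # no by clause matched: implicit "by * none"
    return set()                # no directive matched

# Constructed rule list built from the appendix's four examples (filter=
# from the posixAccount example is omitted because the model holds no entries).
RULES = [
    ({"attrs": "cn"}, [("users", "read", "stop")]),
    ({"attrs": "userPassword"}, [("*", "+x", "continue"), ("self", "+rw", "stop")]),
    ({"dn.children": "ou=people,dc=plainjoe,dc=org"},
     [("dn=uid=admin,ou=people,dc=plainjoe,dc=org", "write", "stop")]),
    ({"dn.subtree": "ou=administration,dc=plainjoe,dc=org"},
     [("group=cn=admin,ou=group,dc=plainjoe,dc=org", "write", "stop"),
      ("*", "none", "stop")]),
]
GROUPS = {"cn=admin,ou=group,dc=plainjoe,dc=org":
          ["uid=admin,ou=people,dc=plainjoe,dc=org"]}

if __name__ == "__main__":
    jdoe = "uid=jdoe,ou=people,dc=plainjoe,dc=org"
    print(sorted(evaluate(RULES, jdoe, "userPassword", jdoe, GROUPS)))  # ['r', 'w', 'x']
```

Two things the model makes visible that are easy to miss when reading the rules one at a time. First, directive order decides which rule is consulted: with the userPassword rule listed before the dn.children rule, uid=admin gets write on every other attribute of entries below ou=people but is evaluated against the userPassword rule for passwords. Second, a by clause ending in continue only helps a subject that also matches a later clause in the same directive; a subject that matches nothing after the continue falls through to the implicit by * none, so here uid=admin ends up with no privileges on another user's userPassword even though the first clause added x. When auditing an ACL, trace each subject through to the clause that actually stops.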
Colophon
Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects.
The animal on the cover of LDAP System Administration is a mink (Mustela vison). Mink are found throughout the United States and Canada except in Arizona, the Arctic, and some offshore islands. A mink's fur is mostly brown with some white spots around the throat, chin, and chest. Its coat is thick, soft, and waterproof (thanks to guard hairs covered with an oily protective substance). Its body is streamlined and skinny with short legs and an elongated face. As part of its water-loving nature, a mink's toes are partially webbed. Body length varies but is usually around two feet. The tail comprises almost half of a mink's total length.
Females become fertile during the winter and give birth in April or May. A typical litter ranges between one and eight offspring. M. vison is a solitary species; males are particularly intolerant of each other. They mark their territories with a pungent, musky secretion from their oversized anal glands. They are especially active at night and are skilled swimmers and climbers. Mink dig burrows in banks of lakes and rivers, or they may occupy abandoned dens of other mammals, such as muskrats. Their tastes in food change from season to season, but they tend to dine on small mammals such as mice, rabbits, and shrews, along with fish and duck.
The main threat to the mink's existence continues to be the fur industry. Most U.S. states and all of Canada have limited trapping seasons with strict quotas on catch size. These provisions help keep mink population densities constant. Mink have few natural enemies other than humans. Occasionally, they will be hunted by coyotes, bobcats, and other meat-eaters.
Matt Hutchinson was the production editor and copyeditor for LDAP System Administration. Genevieve d'Entremont proofread the book. Genevieve d'Entremont, Emily Quill and Mary Anne Weeks Mayo provided quality control. Jamie Peppard provided production assistance. Julie Hawks wrote the index.
Emma Colby designed the cover of this book, based on a series design by Edie Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Emma Colby produced the cover layout with QuarkXPress 4.1 using Adobe's ITC Garamond font.
Bret Kerr designed the interior layout, based on a series design by David Futato. This book was converted by Joe Wizda to FrameMaker 5.5.6 with a format conversion tool created by Erik Ray, Jason McIntosh, Neil Walls, and Mike Sierra that uses Perl and XML technologies. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in this book were produced by Robert Romano and Jessamyn Read using Macromedia FreeHand 9 and Adobe Photoshop 6. The tip and warning icons were drawn by Christopher Bing. This colophon was written by Matt Hutchinson.
The online edition of this book was created by the Safari production group (John Chodacki, Becki Maisch, and Madeleine Newell) using a set of Frame-to-XML conversion and cleanup tools written and maintained by Erik Ray, Benn Salter, John Chodacki, and Jeff Liggett.
Table of Contents
A Note Regarding Supplemental Files
Preface
How This Book Is Organized
Part I : LDAP Basics
Part II : Application Integration
Part III: Appendixes
Conventions Used in This Book
Comments and Questions
Acknowledgments
I. LDAP Basics
1. "Now where did I put that...?", or "What is a directory?"
1.1. The Lightweight Directory Access Protocol
1.2. What Is LDAP?
1.2.1. Lightweight
1.2.2. Directory
1.2.3. Access Protocol
1.3. LDAP Models
2. LDAPv3 Overview
2.1. LDIF
2.1.1. Distinguished Names and Relative Distinguished Names
2.1.2. Back to Our Regularly Scheduled Program . . .
2.2. What Is an Attribute?
2.2.1. Attribute Syntax
2.2.2. What Does the Value of the objectClass Attribute Mean?
2.3. What Is the dc Attribute?
2.3.1. Where Is dc=org?
2.4. Schema References
2.5. Authentication
2.5.1. Anonymous Authentication
2.5.2. Simple Authentication
2.5.3. Simple Authentication Over SSL/TLS
2.5.4. Simple Authentication and Security Layer (SASL)
2.6. Distributed Directories
2.7. Continuing Standardization
3. OpenLDAP
3.1. Obtaining the OpenLDAP Distribution
3.2. Software Requirements
3.2.1. Threads
3.2.2. SSL/TLS Libraries
3.2.3. Database Backend Modules
3.2.4. SASL Libraries
3.3. Compiling OpenLDAP 2
3.4. OpenLDAP Clients and Servers
3.5. The slapd.conf Configuration File
3.5.1. Schema Files
3.5.2. Logging
3.5.3. SASL Options
3.5.4. SSL/TLS Options
3.5.5. More Security-Related Parameters
3.5.6. Serving Up Data
3.6. Access Control Lists (ACLs)
4. OpenLDAP: Building a Company White Pages
4.1. A Starting Point
4.2. Defining the Schema
4.3. Updating slapd.conf
4.4. Starting slapd
4.5. Adding the Initial Directory Entries
4.5.1. Verifying the Directory's Contents
4.5.2. Updating What Is Already There
4.6. Graphical Editors
5. Replication, Referrals, Searching, and SASL Explained
5.1. More Than One Copy Is "a Good Thing"
5.1.1. Building slurpd
5.1.2. Replication in a Nutshell
5.1.3. Configuring the Master Server
5.1.4. Configuring the Replica Server
5.1.5. slurpd's replogfile
5.2. Distributing the Directory
5.3. Advanced Searching Options
5.3.1. Following Referrals with ldapsearch
5.3.2. Limiting Your Searches
5.4. Determining a Server's Capabilities
5.5. Creating Custom Schema Files for slapd
5.6. SASL and OpenLDAP
II. Application Integration
6. Replacing NIS
6.1. More About NIS
6.2. Schemas for Information Services
6.3. Information Migration
6.4. The pam_ldap Module
6.4.1. Configuring /etc/ldap.conf
6.5. The nss_ldap Module
6.6. OpenSSH, PAM, and NSS
6.7. Authorization Through PAM
6.7.1. One Host and a Group of Users
6.7.2. One User and a Group of Hosts
6.8. Netgroups
6.9. Security
6.10. Automount Maps