Chapter 36. LDAP—A Directory Service

Chapter 36. LDAP—A Directory Service¶

Contents

36.1. LDAP versus NIS
36.2. Structure of an LDAP Directory Tree
36.3. Server Configuration with slapd.confsles;slprof
36.4. Data Handling in the LDAP Directorysles;slprof
36.5. Configuring an LDAP Server with YaSTslprof;sles
36.6. Configuring an LDAP Client with YaST
36.7. Configuring LDAP Users and Groups in YaST
36.8. Browsing the LDAP Directory Tree
36.9. For More Information

Abstract

The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for numerous purposes, such as user and group management, system configuration management, or address management. This chapter provides a basic understanding of how OpenLDAP works and how to manage LDAP data with YaST. While there are several implementations of the LDAP protocol, this chapter focuses entirely on the OpenLDAP implementation.

It is crucial within a networked environment to keep important information structured and quickly available. This can be done with a directory service that, like the common yellow pages, keeps information available in a well-structured, quickly searchable form.

In the ideal case, a central server keeps the data in a directory and distributes it to all clients using a certain protocol. The data is structured in a way that allows a wide range of applications to access it. That way, it is not necessary for every single calendar tool and e-mail client to keep its own database—a central repository can be accessed instead. This notably reduces the administration effort for the information. The use of an open and standardized protocol like LDAP ensures that as many different client applications as possible can access such information.

A directory in this context is a type of database optimized for quick and effective reading and searching:

To make numerous concurrent reading accesses possible, write access is limited to a small number of updates by the administrator. Conventional databases are optimized for accepting the largest possible data volume in a short time.
Because write accesses can only be executed in a restricted fashion, a directory service is used to administer mostly unchanging, static information. Data in a conventional database typically changes very often (dynamic data). Phone numbers in a company directory do not change nearly as often as, for example, the figures administered in accounting.
When static data is administered, updates of the existing data sets are very rare. When working with dynamic data, especially when data sets like bank accounts or accounting are concerned, the consistency of the data is of primary importance. If an amount should be subtracted from one place to be added to another, both operations must happen concurrently, within a transaction, to ensure balance over the data stock. Databases support such transactions. Directories do not. Short-term inconsistencies of the data are quite acceptable in directories.

The design of a directory service like LDAP is not laid out to support complex update or query mechanisms. All applications accessing this service should gain access quickly and easily.

36.1. LDAP versus NIS¶

The Unix system administrator traditionally uses the NIS service for name resolution and data distribution in a network. The configuration data contained in the files in /etc and the directories group, hosts, mail, netgroup, networks, passwd, printcap, protocols, rpc, and services are distributed by clients all over the network. These files can be maintained without major effort because they are simple text files. The handling of larger amounts of data, however, becomes increasingly difficult due to nonexistent structuring. NIS is only designed for Unix platforms. This means it is not suitable as a centralized data administration tool in heterogeneous networks.

Unlike NIS, the LDAP service is not restricted to pure Unix networks. Windows servers (from 2000) support LDAP as a directory service. Application tasks mentioned above are additionally supported in non-Unix systems.

The LDAP principle can be applied to any data structure that should be centrally administered. A few application examples are:

Employment as a replacement for the NIS service
Mail routing (postfix, sendmail)
Address books for mail clients, like Mozilla, Evolution, and Outlook
Administration of zone descriptions for a BIND9 name server
User authentication with Samba in heterogeneous networks

This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, because it can be searched more easily.

36.2. Structure of an LDAP Directory Tree¶

To get a deep background knowledge on how an LDAP server works and how the data are stored, it is vital to understand the way the data are organized on the server and how this structure enables LDAP to provide fast access to the data you need. To successfully operate an LDAP setup, you also need to be familiar with some basic LDAP terminology. This section introduces the basic layout of an LDAP directory tree and provides the basic terminology used in an LDAP context. Skip this introductory section, if you already have some LDAP background knowledge and just want to learn how to set up an LDAP environment in SUSE Linux Enterprise.Read on at Section 36.5, “Configuring an LDAP Server with YaST” or Section 36.3, “Server Configuration with slapd.conf”, respectively.

An LDAP directory has a tree structure. All entries (called objects) of the directory have a defined position within this hierarchy. This hierarchy is called the directory information tree (DIT). The complete path to the desired entry, which unambiguously identifies it, is called distinguished name or DN. A single node along the path to this entry is called relative distinguished name or RDN. Objects can generally be assigned to one of two possible types:

container: These objects can themselves contain other objects. Such object classes are root (the root element of the directory tree, which does not really exist), c (country), ou (organizational unit), and dc (domain component). This model is comparable to the directories (folders) in a file system.
leaf: These objects sit at the end of a branch and have no subordinate objects. Examples are person, InetOrgPerson, or groupofNames.

The top of the directory hierarchy has a root element root. This can contain c (country), dc (domain component), or o (organization) as subordinate elements. The relations within an LDAP directory tree become more evident in the following example, shown in Figure 36.1, “Structure of an LDAP Directory”.

Figure 36.1. Structure of an LDAP Directory¶

The complete diagram is a fictional directory information tree. The entries on three levels are depicted. Each entry corresponds to one box in the picture. The complete, valid distinguished name for the fictional employee Geeko Linux, in this case, is cn=Geeko Linux,ou=doc,dc=example,dc=com. It is composed by adding the RDN cn=Geeko Linux to the DN of the preceding entry ou=doc,dc=example,dc=com.

The types of objects that should be stored in the DIT are globally determined following a scheme. The type of an object is determined by the object class. The object class determines what attributes the concerned object must or can be assigned. A scheme, therefore, must contain definitions of all object classes and attributes used in the desired application scenario. There are a few common schemes (see RFC 2252 and 2256). It is, however, possible to create custom schemes or to use multiple schemes complementing each other if this is required by the environment in which the LDAP server should operate.

Table 36.1, “Commonly Used Object Classes and Attributes” offers a small overview of the object classes from core.schema and inetorgperson.schema used in the example, including required attributes and valid attribute values.

Table 36.1. Commonly Used Object Classes and Attributes¶

Object Class	Meaning	Example Entry	Required Attributes
dcObject	domainComponent (name components of the domain)	example	dc
organizationalUnit	organizationalUnit (organizational unit)	doc	ou
inetOrgPerson	inetOrgPerson (person-related data for the intranet or Internet)	Geeko Linux	sn and cn

Example 36.1, “Excerpt from schema.core ” shows an excerpt from a scheme directive with explanations (line numbering for explanatory reasons).

Example 36.1. Excerpt from schema.core ¶

#1 attributetype (2.5.4.11 NAME ( 'ou' 'organizationalUnitName')
#2        DESC 'RFC2256: organizational unit this object belongs to'
#3        SUP name )

...
#4 objectclass ( 2.5.6.5 NAME 'organizationalUnit'
#5        DESC 'RFC2256: an organizational unit'
#6        SUP top STRUCTURAL
#7        MUST ou
#8 MAY (userPassword $ searchGuide $ seeAlso $ businessCategory 
    $ x121Address $ registeredAddress $ destinationIndicator 
    $ preferredDeliveryMethod $ telexNumber 
    $ teletexTerminalIdentifier $ telephoneNumber 
    $ internationaliSDNNumber $ facsimileTelephoneNumber 
    $ street $ postOfficeBox $ postalCode $ postalAddress 
    $ physicalDeliveryOfficeName
    $ st $ l $ description) )
...

The attribute type organizationalUnitName and the corresponding object class organizationalUnit serve as an example here. Line 1 features the name of the attribute, its unique OID (object identifier) (numerical), and the abbreviation of the attribute.

Line 2 gives a brief description of the attribute with DESC. The corresponding RFC on which the definition is based is also mentioned here. SUP in line 3 indicates a superordinate attribute type to which this attribute belongs.

The definition of the object class organizationalUnit begins in line 4, like in the definition of the attribute, with an OID and the name of the object class. Line 5 features a brief description of the object class. Line 6, with its entry SUP top, indicates that this object class is not subordinate to another object class. Line 7, starting with MUST, lists all attribute types that must be used in conjunction with an object of the type organizationalUnit. Line 8, starting with MAY, lists all attribute types that are permitted in conjunction with this object class.

A very good introduction to the use of schemes can be found in the documentation of OpenLDAP. When installed, find it in /usr/share/doc/packages/openldap2/admin-guide/index.html.

36.3. Server Configuration with slapd.conf¶

Your installed system contains a complete configuration file for your LDAP server at /etc/openldap/slapd.conf. The single entries are briefly described here and necessary adjustments are explained. Entries prefixed with a hash (#) are inactive. This comment character must be removed to activate them.

36.3.1. Global Directives in slapd.conf¶

Example 36.2. slapd.conf: Include Directive for Schemes¶

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/yast.schema

This first directive in slapd.conf, shown in Example 36.2, “slapd.conf: Include Directive for Schemes”, specifies the scheme by which the LDAP directory is organized. The entry core.schema is required. Additionally required schemes are appended to this directive. Find information in the included OpenLDAP documentation.

Example 36.3. slapd.conf: pidfile and argsfile¶

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

These two files contain the PID (process ID) and some of the arguments with which the slapd process is started. There is no need for modifications here.

Example 36.4. slapd.conf: Access Control¶

# Sample Access Control
#       Allow read access of root DSE
# Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
# access to dn="" by * read
  access to * by self write
              by users read
              by anonymous auth
#
# if no access controls are present, the default is:
#       Allow read by all
#
# rootdn can always write!

Example 36.4, “slapd.conf: Access Control” is the excerpt from slapd.conf that regulates the access permissions for the LDAP directory on the server. The settings made here in the global section of slapd.conf are valid as long as no custom access rules are declared in the database-specific section. These would overwrite the global declarations. As presented here, all users have read access to the directory, but only the administrator (rootdn) can write to this directory. Access control regulation in LDAP is a highly complex process. The following tips can help:

Every access rule has the following structure:
```
access to <what> by <who> <access>
```
what is a placeholder for the object or attribute to which access is granted. Individual directory branches can be protected explicitly with separate rules. It is also possible to process regions of the directory tree with one rule by using regular expressions. slapd evaluates all rules in the order in which they are listed in the configuration file. More general rules should be listed after more specific ones—the first rule slapd regards as valid is evaluated and all following entries are ignored.

who determines who should be granted access to the areas determined with what. Regular expressions may be used. slapd again aborts the evaluation of who after the first match, so more specific rules should be listed before the more general ones. The entries shown in Table 36.2, “User Groups and Their Access Grants” are possible.

Table 36.2. User Groups and Their Access Grants¶

Tag	Scope
`*`	All users without exception
`anonymous`	Not authenticated (“anonymous”) users
`users`	Authenticated users
`self`	Users connected with the target object
`dn.regex=<regex>`	All users matching the regular expression

access specifies the type of access. Use the options listed in Table 36.3, “Types of Access”.
Table 36.3. Types of Access¶
Tag
Scope of Access
none
No access
auth
For contacting the server
compare
To objects for comparison access
search
For the employment of search filters
read
Read access
write
Write access

slapd compares the access right requested by the client with those granted in slapd.conf. The client is granted access if the rules allow a higher or equal right than the requested one. If the client requests higher rights than those declared in the rules, it is denied access.

Tag	Scope of Access
`none`	No access
`auth`	For contacting the server
`compare`	To objects for comparison access
`search`	For the employment of search filters
`read`	Read access
`write`	Write access

Example 36.5, “slapd.conf: Example for Access Control” shows an example of a simple access control that can be arbitrarily developed using regular expressions.

Example 36.5. slapd.conf: Example for Access Control¶

access to  dn.regex="ou=([^,]+),dc=example,dc=com" 
by dn.regex="cn=Administrator,ou=$1,dc=example,dc=com" write  
by user read 
by * none

This rule declares that only its respective administrator has write access to an individual ou entry. All other authenticated users have read access and the rest of the world has no access.

	Establishing Access Rules
If there is no `access to` rule or no matching `by` directive, access is denied. Only explicitly declared access rights are granted. If no rules are declared at all, the default principle is write access for the administrator and read access for the rest of the world.

Find detailed information and an example configuration for LDAP access rights in the online documentation of the installed openldap2 package.

Apart from the possibility to administer access permissions with the central server configuration file (slapd.conf), there is access control information (ACI). ACI allows storage of the access information for individual objects within the LDAP tree. This type of access control is not yet common and is still considered experimental by the developers. Refer to http://www.openldap.org/faq/data/cache/758.html for information.

36.3.2. Database-Specific Directives in slapd.conf¶

Example 36.6. slapd.conf: Database-Specific Directives¶

database bdb
suffix "dc=example,dc=com" 
checkpoint      1024    5
cachesize       10000
rootdn "cn=Administrator,dc=example,dc=com" 
# Cleartext passwords, especially for the rootdn, should 
# be avoided.  See slappasswd(8) and slapd.conf(5) for details. 
# Use of strong authentication encouraged.
rootpw secret 
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended. 
directory /var/lib/ldap 
# Indices to maintain 
index   objectClass     eq
overlay ppolicy
ppolicy_default "cn=Default Password Policy,dc=example,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout

	The type of database, a Berkeley database in this case, is set in the first line of this section (see Example 36.6, “slapd.conf: Database-Specific Directives”).
	`suffix` determines for which portion of the LDAP tree this server should be responsible.
	`checkpoint` determines the amount of data (in KB) that is kept in the transaction log before it is written to the actual database and the time (in minutes) between two write actions.
	`cachesize` sets the number of objects kept in the database's cache.
	`rootdn` determines who owns administrator rights to this server. The user declared here does not need to have an LDAP entry or exist as regular user.
	`rootpw` sets the administrator password. Instead of using `secret` here, it is possible to enter the hash of the administrator password created by slappasswd.
	The `directory` directive indicates the directory in the file system where the database directories are stored on the server.
	The last directive, `index objectClass eq`, results in the maintenance of an index of all object classes. Attributes for which users search most often can be added here according to experience.
	`overlay ppolicy` adds a layer of password control mechanisms. `ppolicy_default` specifies the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, no policies are enforced. `ppolicy_hash_cleartext` specifies that clear text passwords present in add and modify requests are hashed before being stored in the database. When this option is used, it is recommended to deny compare, search, and read access to the `userPassword` attribute for all directory users, because `ppolicy_hash_cleartext` violates the X.500/LDAP information model. `ppolicy_use_lockout` sends a specific error code when a client tries to connect to a locked account. When your site is sensitive to security issues, disable this option as the error code provides useful information to attackers.

Custom Access rules defined here for the database are used instead of the global Access rules.

36.3.3. Starting and Stopping the Servers¶

Once the LDAP server is fully configured and all desired entries have been made according to the pattern described in Section 36.4, “Data Handling in the LDAP Directory”, start the LDAP server as root by entering rcldap start. To stop the server manually, enter the command rcldap stop. Request the status of the running LDAP server with rcldap status.

The YaST runlevel editor, described in Section 20.2.3, “Configuring System Services (Runlevel) with YaST”, can be used to have the server started and stopped automatically on boot and halt of the system. It is also possible to create the corresponding links to the start and stop scripts with the insserv command from a command prompt as described in Section 20.2.2, “Init Scripts”.

36.4. Data Handling in the LDAP Directory¶

OpenLDAP offers a series of tools for the administration of data in the LDAP directory. The four most important tools for adding to, deleting from, searching through, and modifying the data stock are briefly explained below.

36.4.1. Inserting Data into an LDAP Directory¶

Once the configuration of your LDAP server in /etc/openldap/slapd.conf is correct and ready to go (it features appropriate entries for suffix, directory, rootdn, rootpw, and index), proceed to entering records. OpenLDAP offers the ldapadd command for this task. If possible, add the objects to the database in bundles for practical reasons. LDAP is able to process the LDIF format (LDAP data interchange format) for this. An LDIF file is a simple text file that can contain an arbitrary number of attribute and value pairs. Refer to the schema files declared in slapd.conf for the available object classes and attributes. The LDIF file for creating a rough framework for the example in Figure 36.1, “Structure of an LDAP Directory” would look like that in Example 36.7, “Example for an LDIF File”.

Example 36.7. Example for an LDIF File¶

# The Organization
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example dc: example

# The organizational unit development (devel)
dn: ou=devel,dc=example,dc=com
objectClass: organizationalUnit
ou: devel

# The organizational unit documentation (doc)
dn: ou=doc,dc=example,dc=com
objectClass: organizationalUnit
ou: doc

# The organizational unit internal IT (it)
dn: ou=it,dc=example,dc=com
objectClass: organizationalUnit
ou: it

	Encoding of LDIF Files
LDAP works with UTF-8 (Unicode). Umlauts must be encoded correctly. Use an editor that supports UTF-8, such as Kate or recent versions of Emacs. Otherwise, avoid umlauts and other special characters or use recode to recode the input to UTF-8.

Save the file with the .ldif suffix then pass it to the server with the following command:

ldapadd -x -D <dn of the administrator> -W -f <file>.ldif

-x switches off the authentication with SASL in this case. -D declares the user that calls the operation. The valid DN of the administrator is entered here just like it has been configured in slapd.conf. In the current example, this is cn=Administrator,dc=example,dc=com. -W circumvents entering the password on the command line (in clear text) and activates a separate password prompt. This password was previously determined in slapd.conf with rootpw. -f passes the filename. See the details of running ldapadd in Example 36.8, “ldapadd with example.ldif”.

Example 36.8. ldapadd with example.ldif¶

ldapadd -x -D cn=Administrator,dc=example,dc=com -W -f example.ldif 

Enter LDAP password: 
adding new entry "dc=example,dc=com" 
adding new entry "ou=devel,dc=example,dc=com" 
adding new entry "ou=doc,dc=example,dc=com" 
adding new entry "ou=it,dc=example,dc=com"

The user data of individuals can be prepared in separate LDIF files. Example 36.9, “LDIF Data for Tux” adds Tux to the new LDAP directory.

Example 36.9. LDIF Data for Tux¶

# coworker Tux
dn: cn=Tux Linux,ou=devel,dc=example,dc=com
objectClass: inetOrgPerson
cn: Tux Linux
givenName: Tux
sn: Linux
mail: tux@example.com
uid: tux
telephoneNumber: +49 1234 567-8

An LDIF file can contain an arbitrary number of objects. It is possible to pass entire directory branches to the server at once or only parts of it as shown in the example of individual objects. If it is necessary to modify some data relatively often, a fine subdivision of single objects is recommended.

36.4.2. Modifying Data in the LDAP Directory¶

The tool ldapmodify is provided for modifying the data stock. The easiest way to do this is to modify the corresponding LDIF file then pass this modified file to the LDAP server. To change the telephone number of colleague Tux from +49 1234 567-8 to +49 1234 567-10, edit the LDIF file like in Example 36.10, “Modified LDIF File tux.ldif”.

Example 36.10. Modified LDIF File tux.ldif¶

# coworker Tux
dn: cn=Tux Linux,ou=devel,dc=example,dc=com 
changetype: modify
replace: telephoneNumber 
telephoneNumber: +49 1234 567-10

Import the modified file into the LDAP directory with the following command:

ldapmodify -x -D cn=Administrator,dc=example,dc=com -W -f tux.ldif

Alternatively, pass the attributes to change directly to ldapmodify. The procedure for this is described below:

Start ldapmodify and enter your password:

ldapmodify -x -D cn=Administrator,dc=example,dc=com -W 
Enter LDAP password:

Enter the changes while carefully complying with the syntax in the order presented below:

dn: cn=Tux Linux,ou=devel,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +49 1234 567-10

Find detailed information about ldapmodify and its syntax in the ldapmodify man page.

36.4.3. Searching or Reading Data from an LDAP Directory¶

OpenLDAP provides, with ldapsearch, a command line tool for searching data within an LDAP directory and reading data from it. A simple query would have the following syntax:

ldapsearch -x -b dc=example,dc=com "(objectClass=*)"

The -b option determines the search base—the section of the tree within which the search should be performed. In the current case, this is dc=example,dc=com. To perform a more finely-grained search in specific subsections of the LDAP directory (for example, only within the devel department), pass this section to ldapsearch with -b. -x requests activation of simple authentication. (objectClass=*) declares that all objects contained in the directory should be read. This command option can be used after the creation of a new directory tree to verify that all entries have been recorded correctly and the server responds as desired. Find more information about the use of ldapsearch in the corresponding man page (ldapsearch(1)).

36.4.4. Deleting Data from an LDAP Directory¶

Delete unwanted entries with ldapdelete. The syntax is similar to that of the other commands. To delete, for example, the complete entry for Tux Linux, issue the following command:

ldapdelete -x -D cn=Administrator,dc=example,dc=com -W cn=Tux \
Linux,ou=devel,dc=example,dc=com

36.5. Configuring an LDAP Server with YaST¶

Use YaST to set up an LDAP server. Typical use cases for LDAP servers include the management of user account data and the configuration of mail, DNS, and DHCP servers.

Figure 36.2. YaST LDAP Server Configuration

To set up an LDAP server for user account data, proceed as follows:

Log in as root.
Start YaST and select Network Services+LDAP Server.
Set LDAP to be started at system boot.
If the LDAP server should announce its services via SLP, check Register at an SLP Daemon.
Select Configure to configure General Settings and Databases.

To configure the Global Settings of your LDAP server, proceed as follows:

Accept or modify the schema files included in the server's configuration by selecting Schema Files in the left part of the dialog. The default selection of schema files applies to the server providing a source of YaST user account data.
With Log Level Settings, configure the degree of logging activity (verbosity) of the LDAP server. From the predefined list, select or deselect the logging options according to your needs. The more options are enabled, the larger your log files grow.
Determine the connection types the LDAP server should allow. Choose from:
bind_v2
This option enables connection requests (bind requests) from clients using the previous version of the protocol (LDAPv2).
bind_anon_cred
Normally the LDAP server denies any authentication attempts with empty credentials (DN or password). Enabling this option, however, makes it possible to connect with a password and no DN to establish an anonymous connection.
bind_anon_dn
Enabling this option makes it possible to connect without authentication (anonymously) using a DN but no password.
update_anon
Enabling this option allows nonauthenticated (anonymous) update operations. Access is restricted according to ACLs and other rules (see Section 36.3.1, “Global Directives in slapd.conf”).
To configure secure communication between client and server, proceed with TLS Settings:
1. Set TLS Active to Yes to enable TLS and SSL encryption of the client/server communication.
2. Click Select Certificate and determine how to obtain a valid certificate. Choose Import Certificate (import certificate from external source) or Use Common Server Certificate (use the certificate created during installation).
  - If you opted for importing a certificate, YaST prompts you to specify the exact path to its location.
  - If you opted for using the common server certificate and it has not been created during installation, it is subsequently created.

To configure the databases managed by your LDAP server, proceed as follows:

Select the Databases item in the left part of the dialog.
Click Add Database to add the new database.
Enter the requested data:
Base DN
Enter the base DN of your LDAP server.
Root DN
Enter the DN of the administrator in charge of the server. If you check Append Base DN, only provide the cn of the administrator and the system fills in the rest automatically.
LDAP Password
Enter the password for the database administrator.
Encryption
Determine the encryption algorithm to use to secure the password of Root DN. Choose crypt, smd5, ssha, or sha. The dialog also includes a plain option to enable the use of plain text passwords, but enabling this is not recommended for security reasons. To confirm your settings and return to the previous dialog, select OK.

Enable enforcement of password policies to provide extra security to your LDAP server:

Select Password Policy Settings to be able specify a password policy.
Activate Hash Clear Text Passwords to have clear text passwords be hashed before they are written to the database whenever they are added or modified.

Disclose Account Locked Status provides a meaningful error message to bind requests to locked accounts.

	Locked Accounts in Security Sensitive Environments
Do not use the Disclose Account Locked Status option if your environment is sensitive to security issues, because the “Locked Account” error message provides security sensitive information that can be exploited by a potential attacker.

Enter the DN of the default policy object. To use a DN other than the one suggested by YaST, enter your choice. Otherwise accept the default setting.

Complete the database configuration by clicking Finish.

If you have not opted for password policies, your server is ready to run at this point. If you chose to enable password policies, proceed with the configuration of the password policy in detail. If you chose a password policy object that does not yet exist, YaST creates one:

Enter the LDAP server password.
Configure the password change policies:
1. Determine the number of passwords stored in the password history. Saved passwords may not be reused by the user.
2. Determine whether users can change their password and whether they need to change their password after a reset by the administrator. Optionally require the old password for password changes.
3. Determine whether and to what extent passwords should be subject to quality checking. Set a minimum password length that must be met before a password is valid. If you select Accept Uncheckable Passwords, users are allowed to use encrypted passwords although the quality checks cannot be performed. If you opt for Only Accept Checked Passwords only those passwords that pass the quality tests are accepted as valid.
Configure the password aging policies:
1. Determine the minimum password age (the time that needs to pass between two valid password changes) and the maximum password age.
2. Determine the time between a password expiration warning and the actual password expiration.
3. Set the number of grace uses of an expired password before the password expires entirely.
Configure the lockout policies:
1. Enable password locking.
2. Determine the number of bind failures that trigger a password lock.
3. Determine the duration of the password lock.
4. Determine for how long password failures are kept in the cache before they are purged.
Apply your password policy settings with Accept.

To edit a previously created database, select its base DN in the tree to the left. In the right part of the window, YaST displays a dialog similar to the one used for the creation of a new database—with the main difference that the base DN entry is grayed out and cannot be changed.

After leaving the LDAP server configuration by selecting Finish, you are ready to go with a basic working configuration for your LDAP server. To fine-tune this setup, edit the file /etc/openldap/slapd.conf accordingly then restart the server.

36.6. Configuring an LDAP Client with YaST¶

YaST includes a module to set up LDAP-based user management. If you did not enable this feature during the installation, start the module by selecting Network Services+LDAP Client. YaST automatically enables any PAM and NSS related changes as required by LDAP and installs the necessary files.

36.6.1. Standard Procedure¶

Background knowledge of the processes acting in the background of a client machine helps you understand how the YaST LDAP client module works. If LDAP is activated for network authentication or the YaST module is called, the packages pam_ldap and nss_ldap are installed and the two corresponding configuration files are adapted. pam_ldap is the PAM module responsible for negotiation between login processes and the LDAP directory as the source of authentication data. The dedicated module pam_ldap.so is installed and the PAM configuration is adapted (see Example 36.11, “pam_unix2.conf Adapted to LDAP”).

Example 36.11. pam_unix2.conf Adapted to LDAP¶

auth:       use_ldap 
account:    use_ldap
password:   use_ldap 
session:    none

When manually configuring additional services to use LDAP, include the PAM LDAP module in the PAM configuration file corresponding to the service in /etc/pam.d. Configuration files already adapted to individual services can be found in /usr/share/doc/packages/pam_ldap/pam.d/. Copy appropriate files to /etc/pam.d.

glibc name resolution through the nsswitch mechanism is adapted to the employment of LDAP with nss_ldap. A new, adapted file nsswitch.conf is created in /etc with the installation of this package. Find more about the workings of nsswitch.conf in Section 30.7.1, “Configuration Files”. The following lines must be present in nsswitch.conf for user administration and authentication with LDAP. See Example 36.12, “Adaptations in nsswitch.conf”.

Example 36.12. Adaptations in nsswitch.conf¶

passwd: compat
group: compat

passwd_compat: ldap
group_compat: ldap

These lines order the resolver library of glibc first to evaluate the corresponding files in /etc and additionally access the LDAP server as sources for authentication and user data. Test this mechanism, for example, by reading the content of the user database with the command getent passwd. The returned set should contain a survey of the local users of your system as well as all users stored on the LDAP server.

To prevent regular users managed through LDAP from logging in to the server with ssh or login, the files /etc/passwd and /etc/group each need to include an additional line. This is the line +::::::/sbin/nologin in /etc/passwd and +::: in /etc/group.

36.6.2. Configuring the LDAP Client¶

After the initial adjustments of nss_ldap, pam_ldap, /etc/passwd, and /etc/group have been taken care of by YaST, you can simply connect your client to the server and let YaST manage users over LDAP. This basic setup is described in Section 36.6.2.1, “Basic Configuration”.

Use the YaST LDAP client to further configure the YaST group and user configuration modules. This includes manipulating the default settings for new users and groups and the number and nature of the attributes assigned to a user or a group. LDAP user management allows you to assign far more and different attributes to users and groups than traditional user or group management solutions. This is described in Section 36.6.2.2, “Configuring the YaST Group and User Administration Modules”.

36.6.2.1. Basic Configuration¶

The basic LDAP client configuration dialog (Figure 36.3, “YaST: Configuration of the LDAP Client”) opens during installation if you choose LDAP user management or when you select Network Services+LDAP Client in the YaST Control Center in the installed system.

Figure 36.3. YaST: Configuration of the LDAP Client¶

To authenticate users of your machine against an OpenLDAP server and enable user management via OpenLDAP, proceed as follows:

Click Use LDAP to enable the use of LDAP. Select Use LDAP but Disable Logins instead if you want to use LDAP for authentication, but do not want other users to log in to this client.
Enter the IP address of the LDAP server to use.
Enter the LDAP base DN to select the search base on the LDAP server. To retrieve the base DN automatically, click Fetch DN. YaST then checks for any LDAP database on the server address specified above. Choose the appropriate base DN from the search results given by YaST.
If TLS or SSL protected communication with the server is required, select LDAP TLS/SSL.
If the LDAP server still uses LDAPv2, explicitly enable the use of this protocol version by selecting LDAP Version 2.
Select Start Automounter to mount remote directories on your client, such as a remotely managed /home.
Select Create Home Directory on Login to have a user's home automatically created on the first user login.
Click Finish to apply your settings.

Figure 36.4. YaST: Advanced Configuration¶

To modify data on the server as administrator, click Advanced Configuration. The following dialog is split in two tabs. See Figure 36.4, “YaST: Advanced Configuration”.

In the Client Settings tab, adjust the following settings to your needs:
1. If the search base for users, passwords, and groups differs from the global search base specified the LDAP base DN, enter these different naming contexts in User Map, Password Map, and Group Map.
2. Specify the password change protocol. The standard method to use whenever a password is changed is crypt, meaning that password hashes generated by crypt are used. For details on this and other options, refer to the pam_ldap man page.
3. Specify the LDAP group to use with Group Member Attribute. The default value for this is member.
In Administration Settings, adjust the following settings:
1. Set the base for storing your user management data via Configuration Base DN.
2. Enter the appropriate value for Administrator DN. This DN must be identical with the rootdn value specified in /etc/openldap/slapd.conf to enable this particular user to manipulate data stored on the LDAP server. Enter the full DN (such as cn=Administrator,dc=example,dc=com) or activate Append Base DN to have the base DN added automatically when you enter cn=Administrator.
3. Check Create Default Configuration Objects to create the basic configuration objects on the server to enable user management via LDAP.
4. If your client machine should act as a file server for home directories across your network, check Home Directories on This Machine.
5. Use the Password Policy section to select, add, delete, or modify the password policy settings to use. The configuration of password policies with YaST is part of the LDAP server setup.
6. Click Accept to leave the Advanced Configuration then Finish to apply your settings.

Use Configure User Management Settings to edit entries on the LDAP server. Access to the configuration modules on the server is then granted according to the ACLs and ACIs stored on the server. Follow the procedures outlined in Section 36.6.2.2, “Configuring the YaST Group and User Administration Modules”.

36.6.2.2. Configuring the YaST Group and User Administration Modules¶

Use the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. Define templates with default values for the individual attributes to simplify the data registration. The presets created here are stored as LDAP objects in the LDAP directory. The registration of user data is still done with the regular YaST modules for user and group management. The registered data is stored as LDAP objects on the server.

Figure 36.5. YaST: Module Configuration¶

The dialog for module configuration (Figure 36.5, “YaST: Module Configuration”) allows the creation of new modules, selection and modification of existing configuration modules, and design and modification of templates for such modules.

To create a new configuration module, proceed as follows:

Click New and select the type of module to create. For a user configuration module, select suseuserconfiguration and for a group configuration choose susegroupconfiguration.
Choose a name for the new template. The content view then features a table listing all attributes allowed in this module with their assigned values. Apart from all set attributes, the list also contains all other attributes allowed by the current schema but currently not used.
Accept the preset values or adjust the defaults to use in group and user configuration by selecting the respective attribute, pressing Edit, and entering the new value. Rename a module by simply changing the cn attribute of the module. Clicking Delete deletes the currently selected module.
After you click Accept, the new module is added to the selection menu.

The YaST modules for group and user administration embed templates with sensible standard values. To edit a template associated with a configuration module, proceed as follows:

In the Module Configuration dialog, click Configure Template.
Determine the values of the general attributes assigned to this template according to your needs or leave some of them empty. Empty attributes are deleted on the LDAP server.
Modify, delete, or add new default values for new objects (user or group configuration objects in the LDAP tree).

Figure 36.6. YaST: Configuration of an Object Template¶

Connect the template to its module by setting the susedefaulttemplate attribute value of the module to the DN of the adapted template.


The default values for an attribute can be created from other attributes by using a variable instead of an absolute value. For example, when creating a new user, `cn=%sn %givenName` is created automatically from the attribute values for `sn` and `givenName`.

Once all modules and templates are configured correctly and ready to run, new groups and users can be registered in the usual way with YaST.

36.7. Configuring LDAP Users and Groups in YaST¶

The actual registration of user and group data differs only slightly from the procedure when not using LDAP. The following brief instructions relate to the administration of users. The procedure for administering groups is analogous.

Access the YaST user administration with Security & Users+User Administration.
Use Set Filter to limit the view of users to the LDAP users and enter the password for Root DN.
Click Add and enter the configuration of a new user. A dialog with four tabs opens:
1. Specify username, login, and password in the User Data tab.
2. Check the Details tab for the group membership, login shell, and home directory of the new user. If necessary, change the default to values that better suit your needs. The default values as well as those of the password settings can be defined with the procedure described in Section 36.6.2.2, “Configuring the YaST Group and User Administration Modules”.
3. Modify or accept the default Password Settings.
4. Enter the Plug-Ins tab, select the LDAP plug-in, and click Launch to configure additional LDAP attributes assigned to the new user (see Figure 36.7, “YaST: Additional LDAP Settings”).
Click Accept to apply your settings and leave the user configuration.

Figure 36.7. YaST: Additional LDAP Settings¶

The initial input form of user administration offers LDAP Options. This gives the possibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups by selecting LDAP User and Group Configuration.

36.8. Browsing the LDAP Directory Tree¶

To browse the LDAP directory tree and all its entries conveniently, use the YaST LDAP Browser:

Log in as root.
Start YaST+Network Services+LDAP Browser.
Enter the address of the LDAP server, the AdministratorDN, and the password for the RootDN of this server if you need both to read and write the data stored on the server.
Alternatively, choose Anonymous Access and do not provide the password to gain read access to the directory.
The LDAP Tree tab displays the content of the LDAP directory to which your machine connected. Click items to unfold their subitems.
Figure 36.8. Browsing the LDAP Directory Tree¶
To view any of the entries in detail, select it in the LDAP Tree view and open the Entry Data tab.
All attributes and values associated with this entry are displayed.
Figure 36.9. Browsing the Entry Data¶
To change the value of any of these attributes, select the attribute, click Edit, enter the new value, click Save, and provide the RootDN password when prompted.
Leave the LDAP browser with Close.

36.9. For More Information¶

More complex subjects, like SASL configuration or establishment of a replicating LDAP server that distributes the workload among multiple slaves, were intentionally not included in this chapter. Detailed information about both subjects can be found in the OpenLDAP 2.2 Administrator's Guide.

The Web site of the OpenLDAP project offers exhaustive documentation for beginning and advanced LDAP users:

OpenLDAP Faq-O-Matic: A very rich question and answer collection concerning installation, configuration, and use of OpenLDAP. Find it at http://www.openldap.org/faq/data/cache/1.html.
Quick Start Guide: Brief step-by-step instructions for installing your first LDAP server. Find it at http://www.openldap.org/doc/admin22/quickstart.html or on an installed system in /usr/share/doc/packages/openldap2/admin-guide/quickstart.html.
OpenLDAP 2.2 Administrator's Guide: A detailed introduction to all important aspects of LDAP configuration, including access controls and encryption. See http://www.openldap.org/doc/admin22/ or, on an installed system, /usr/share/doc/packages/openldap2/admin-guide/index.html.
Understanding LDAP: A detailed general introduction to the basic principles of LDAP: http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf.

Printed literature about LDAP:

LDAP System Administration by Gerald Carter (ISBN 1-56592-491-6)
Understanding and Deploying LDAP Directory Services by Howes, Smith, and Good (ISBN 0-672-32316-8)

The ultimate reference material for the subject of LDAP is the corresponding RFCs (request for comments), 2251 to 2256.