The Lightweight Directory Access Protocol (LDAP) is an Internet standard distributed client/server directory service protocol that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the information available to LDAP clients across the network. An LDAP server can be used as a central repository of user information to identify and authenticate users.
An LDAP server is similar to Network Information Services (NIS), but has the following advantages:
An LDAP directory is highly scalable.
LDAP directories are dynamically updated, saving administrators time because it is not necessary to rebuild maps and push them onto the network. Also, changes are available virtually immediately.
An LDAP directory database can be used to centralize management of user related information.
The ability to modify an attribute can be controlled at the attribute level. Users can be allowed to modify noncritical information (such as their preferred login shell or mail forwarding address) on their own. Modifications to more sensitive information (such as UID, GID, or a user's home directory) can be restricted to authorized directory managers only.
You can set up multiple LDAP servers to make the data in the directory highly available. Through a process called replication, you can ensure that all LDAP servers have identical copies of the directory. The LDAP servers bind to one another and through standard LDAP commands, propagate changes to the directory.
The Tru64 UNIX system can be configured as an LDAP client and server. This section describes how to configure Tru64 UNIX as an LDAP client and requires that an LDAP server already be configured. See your LDAP server documentation for LDAP server configuration information.
When a user enters a user name and password to log in to a Tru64 UNIX system that is configured as an LDAP client, the LDAP client sends the user information to the LDAP server for authentication. The LDAP server checks the user information against the entries in the LDAP directory. If there is a matching entry and the password is correct, the authentication succeeds and the user can log in. If there is no matching entry or the password is incorrect, the authentication fails and the user cannot log in. The LDAP server returns the authentication result to the LDAP client.
D.2 Installing the Tru64 UNIX LDAP Client Software
To install the LDAP client software, you must install the optional LDAP Authentication (Network-Server/Communications) subset (OSFLDPAUTHnnn). This subset is located on the CD-ROM containing the Tru64 UNIX base operating system software. The nnn represents the Tru64 UNIX version number. See the Release Notes for the current version number. See the Installation Guide for information on installing subsets.
D.3 Configuring the Tru64 UNIX LDAP Client Software
You must configure the LDAP client software. Configuring the LDAP client software requires:
Updating the /etc/ldapcd.conf LDAP client configuration file to provide information about the LDAP server that it will use for authentication. A default /etc/ldapcd.conf file is provided when you install the LDAP client software.
Setting the LDAP client runtime configuration variable.
D.3.1 Updating the ldapcd.conf File
In the /etc/ldapcd.conf file there are several attributes for which you can use the default value or provide a value; however, you must provide a value for the following attributes:
directory: Host name of the LDAP directory server to be used for user authentication.
searchbase: The root of the branch in the directory server's database where user information is stored.
port: The directory server port; this must match the port on which the directory server is listening.
machine_dn and machine_password (written machine_pass in Example D-1): The machine_dn (distinguished name) and machine_password are what the ldapcd caching daemon uses to bind to the directory server to do searches and retrievals of information from the directory. These values are set when you initially configure the directory server during installation. Typically, you use the root distinguished name and password as specified in the directory server's configuration file (slapd.conf). Be aware of what that choice means: every client then binds with full administrative rights to the directory, and the directory root password is stored in clear text in a file on each client. A dedicated DN per machine with read and search access only gives the same authentication function with far less exposure (see the description of machine_dn under Example D-1). Whichever DN you use, keep /etc/ldapcd.conf readable by root only.
You update the /etc/ldapcd.conf file in one of the following ways:
Use the SysMan Menu options. Expand the menu and select General Tasks - Setup LDAP Configuration. When you select this option, a window titled LDAP Configuration is displayed, containing a list of the LDAP configuration attributes. When you select an attribute from the list, a dialog box is displayed showing the current attribute value and providing an area for you to enter a new attribute value. Select OK to update the attribute values, exit the LDAP Configuration window, and return to the SysMan Menu.
Use a text editor to modify the /etc/ldapcd.conf file. A sample ldapcd.conf configuration file is shown in Example D-1.
HP recommends that you use the SysMan Menu options to modify the /etc/ldapcd.conf file. If you modify the value of an attribute in the ldapcd.conf file, you must restart the LDAP client daemon. See Section D.4 for information on restarting the LDAP client daemon.
Example D-1: Sample ldapcd.conf File
    #
    # directory server and port, active ldap connections cached
    # by the daemon, max worker threads started
    #
    directory: host.xyz.com              [1]
    searchbase: "o=XYZCompany"           [2]
    port: 389                            [3]
    connections: 6                       [4]
    max_threads: 64                      [5]
    #
    # max entries in cache, and number of seconds before entries
    # expire in the cache
    #
    pw_cachesize: 2000                   [6]
    pw_expirecache: 120
    gr_cachesize: 100
    gr_expirecache: 600
        .
        .
        .
    machine_dn: "cn=Directory Manager"   [7]
    machine_pass: "password"
    #
        .
        .
        .
    # the objectClass name of a password entry
    pw_oclass: posixAccount              [8]
    # name mappings for password attribute fields
    pw_username: uid                     [9]
    pw_password: userPassword            [10]
    pw_uid: uidNumber
    pw_gid: gidNumber
    pw_quota:
    pw_comment: description
    pw_gecos: gecos
    pw_homedir: homedirectory
    pw_shell: loginshell
    # the objectClass name of a group entry
    gr_oclass: posixGroup                [11]
    # name mappings for group attribute fields
    gr_oclass: unixGroup                 [12]
    gr_name: cn
    gr_password: userPassword
    gr_gid: gidNumber
    gr_members: MemberUID
[1] Host name of the LDAP directory server to be used for user authentication.
[2] The root of the branch in the directory server's database where user information is stored.
[3] The directory server port; this must match the port on which the directory server is listening. Port 389 is the standard unencrypted LDAP port; on it, the bind password and everything the daemon retrieves (including userPassword values) cross the network in the clear unless the connection is otherwise protected.
[4] Maximum number of open connections to the directory server maintained by the ldapcd caching daemon.
[5] Maximum number of threads maintained by the ldapcd caching daemon. Each thread handles one connection to a local program. Allowing a higher number of threads may give better response from the LDAP caching daemon, but requires more memory. If you are running a service that requires a large number of connections (for example, a mail service), set the maximum number of threads to 64 or greater (if your system has sufficient memory).
[6] The value of pw_cachesize determines how many individual passwd entries may be cached. The value of pw_expirecache is the number of seconds for which the ldapcd caching daemon answers requests for an individual passwd entry from its cache; once a cached entry is older than pw_expirecache, the ldapcd daemon returns to the server to look for the requested passwd entry. Changes made in the directory are therefore not seen on the client until the cached entry expires. The values of gr_cachesize and gr_expirecache work similarly to pw_cachesize and pw_expirecache, but for group entries.
[7] The value of machine_dn is the distinguished name by which the ldapcd caching daemon binds to the directory to do searches and retrievals of information from the directory. By requiring each system to use a particular DN, you can determine which machines are accessing the directory and for what purpose. Further, you can also control read and search access to the directory on a machine-account basis. The password for this DN (machine_pass in the example) is stored in clear text in /etc/ldapcd.conf, so the file must not be readable by ordinary users.
[8] The name of the object class that defines the attributes for a UNIX account in the extended schema on your server.
[9] LDAP attribute names (on the right) are mapped to fields (on the left) in the passwd structure returned by a call to getpwent.
[10] Only the encrypted (hashed) password is stored in the userPassword attribute. Because the daemon reads this attribute with the machine_dn bind, any account that can bind as machine_dn can retrieve every user's password hash; restrict read access to userPassword to the machine accounts that need it.
[11] The name of the object class that defines the attributes for a UNIX group in the extended schema defined on your server.
[12] LDAP attribute names (on the right) are mapped to fields (on the left) in the group structure returned by a call to getgrent(3).
After you initially update the /etc/ldapcd.conf file and before you start the LDAP client daemon, you must enter the following command to set the LDAP runtime configuration variable:
# /usr/sbin/rcmgr set LDAPCD_CONF yes
You only need to enter this command once. Changes to the /etc/ldapcd.conf file do not require that you reenter this command.
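The following script is an added example, not part of Tru64 UNIX or the ldapcd daemon. It parses an ldapcd.conf-style file (the format is inferred from Example D-1; the real daemon's parser is not documented here), flags the settings a security review of Section D.3.1 would question (root DN as machine_dn, placeholder password, clear-text port, world-readable file), and applies the pw_*/gr_* name mappings to directory entries the way callouts [9] and [12] describe. The sample configuration and the two directory entries are constructed; the {crypt} value is a placeholder, not a real hash. Note that Example D-1 sets gr_oclass twice; this parser keeps the last value, which is an assumption about the file format.

```python
"""Added example, not Tru64 UNIX or ldapcd code: parse an ldapcd.conf-style
file, audit its security-relevant settings, and apply its pw_*/gr_* name
mappings to LDAP entries.  File format inferred from Example D-1."""
import stat

# Constructed from Example D-1 (elided ". . ." sections left out).
SAMPLE_CONF = """\
directory: host.xyz.com
searchbase: "o=XYZCompany"
port: 389
machine_dn: "cn=Directory Manager"
machine_pass: "password"
pw_oclass: posixAccount
pw_username: uid
pw_password: userPassword
pw_uid: uidNumber
pw_gid: gidNumber
pw_quota:
pw_comment: description
pw_gecos: gecos
pw_homedir: homedirectory
pw_shell: loginshell
gr_oclass: posixGroup
gr_oclass: unixGroup
gr_name: cn
gr_password: userPassword
gr_gid: gidNumber
gr_members: MemberUID
"""


def parse_ldapcd_conf(text):
    """Return {attribute: value}: 'key: value' per line, optional double quotes
    around the value, lines starting with '#' are comments.  A key given twice
    keeps its last value (assumption; the sample sets gr_oclass twice)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


# Assumption: DNs commonly used as the directory root; extend for your server.
ROOT_DNS = ("cn=directory manager", "cn=manager")


def audit(conf, file_mode=None):
    """Settings a reviewer would question.  file_mode is the st_mode of
    /etc/ldapcd.conf (os.stat(path).st_mode on a real client)."""
    findings = []
    if conf.get("machine_dn", "").lower() in ROOT_DNS:
        findings.append("machine_dn is the directory root DN; use a dedicated read-only DN")
    if conf.get("machine_pass", "") in ("", "password"):
        findings.append('machine_pass is empty or the placeholder "password"')
    if conf.get("port") == "389":
        findings.append("port 389 is clear-text LDAP: bind password and hashes cross the wire unencrypted")
    if file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("config file is readable by group/other but contains machine_pass")
    return findings


_NOT_A_FIELD = {"oclass", "cachesize", "expirecache"}  # <prefix>_ keys that are not mappings


def map_entry(conf, prefix, entry):
    """Build the record getpwent()/getgrent() would return from one LDAP entry
    using the <prefix>_* mappings (prefix 'pw' or 'gr').  entry is
    {attribute: [values]} as an LDAP search returns it; None if the entry
    lacks the configured object class."""
    lowered = {k.lower(): v for k, v in entry.items()}  # LDAP attribute names are case-insensitive
    classes = [c.lower() for c in lowered.get("objectclass", [])]
    if conf[prefix + "_oclass"].lower() not in classes:
        return None
    record = {}
    for key, attr in conf.items():
        if not key.startswith(prefix + "_") or key[3:] in _NOT_A_FIELD:
            continue
        record[key[3:]] = lowered.get(attr.lower(), []) if attr else []  # empty mapping -> empty field
    return record


# Constructed entries; the {crypt} value is a placeholder, not a real hash.
SAMPLE_USER = {
    "objectClass": ["top", "person", "posixAccount"],
    "uid": ["jdoe"], "userPassword": ["{crypt}placeholder"],
    "uidNumber": ["1001"], "gidNumber": ["100"], "gecos": ["Jane Doe"],
    "homeDirectory": ["/usr/users/jdoe"], "loginShell": ["/bin/ksh"],
}
SAMPLE_GROUP = {
    "objectClass": ["top", "unixGroup"], "cn": ["staff"],
    "gidNumber": ["100"], "memberUid": ["jdoe", "rsmith"],
}

if __name__ == "__main__":
    conf = parse_ldapcd_conf(SAMPLE_CONF)
    for finding in audit(conf, file_mode=0o644):
        print("WARNING:", finding)
    print(map_entry(conf, "pw", SAMPLE_USER))
    print(map_entry(conf, "gr", SAMPLE_GROUP))
```

Run against the sample as printed, audit() reports all four findings; a configuration with a per-machine DN, a real password, a protected port and mode 0600 reports none. The mapping shows why the lowercase homedirectory and loginshell names in the sample still work: attribute-name matching is case-insensitive.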
D.4 Managing the LDAP Client Daemon
Enter the following command to start the LDAP client daemon:
# /sbin/init.d/ldapcd start
The LDAP client daemon does the following when you start it for the first time:
Updates the /etc/sia/matrix.conf file to include the LDAP Security Integration Architecture (SIA) mechanism.
Adds the following entry to the /etc/inittab file to automatically start the LDAP client daemon when the system starts:
ldapcd:34:respawn:/usr/sbin/ldapcd -D > /dev/console 2>&1
Enter the following command to stop the LDAP client daemon:
# /sbin/init.d/ldapcd stop
Enter the following command to restart the LDAP client daemon:
# /sbin/init.d/ldapcd restart
By default, users defined in the LDAP database can log into every system that uses that database in conjunction with LDAP Authentication. If you want to limit user access to specific systems, use the access control files /etc/ldapusers.deny and /etc/ldapusers.allow.
D.5.1 The ldapusers.deny File
The /etc/ldapusers.deny file is a text file in which you enter the names of the Tru64 UNIX users who will not be authenticated by LDAP authentication. Users listed in the ldapusers.deny file are authenticated by the Tru64 UNIX security mechanisms configured on the system and are exempt from LDAP authentication. A default /etc/ldapusers.deny file is provided when you install the LDAP client software; it lists the system accounts (root, daemon, bin, and so on) whose authentication should not depend on the directory server. You must enter only one user name per line, and the user name must exactly match a user name in the /etc/passwd file. To create comments, use the number sign (#). Any characters after a number sign are ignored to the end of the line. Blank lines and any leading or trailing white space on a line are also ignored. Example D-2 shows the default /etc/ldapusers.deny file.
Example D-2: Default ldapusers.deny File
    # ldapusers.deny - list of users who are not allowed to
    # authenticate on this system via LDAP authentication
    # (libsialdap.so & ldapcd)
    #
    # Account names must match exactly the user account name in the
    # /etc/passwd file.
    #
    # Syntax: account_1
    #         .
    #         .
    #         .
    #         account_n
    #
    root
    nobody
    nobodyV
    daemon
    bin
    uucp
    uucpa
    auth
    cron
    lp
    tcb
    adm
    ris
    wnn
    pop
    imap
    ftp
    anonymous
D.5.2 The ldapusers.allow File
If you want to disallow access to all but a few users, you must create the /etc/ldapusers.allow file. The /etc/ldapusers.allow file is a text file in which you enter the names of the only Tru64 UNIX users who may be authenticated by LDAP authentication. If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is empty; its very existence invokes the stricter access control rules, so an empty file blocks LDAP logins for everyone. You must enter only one user name per line, and the user name must exactly match a user name in the /etc/passwd file. To create comments, use the number sign (#). Any characters after a number sign are ignored to the end of the line. Blank lines and any leading or trailing white space on a line are also ignored.
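The following script is an added example, not the Tru64 UNIX libsialdap/ldapcd code. It parses ldapusers.deny and ldapusers.allow with the syntax described in Sections D.5.1 and D.5.2 and decides whether a login name goes through LDAP authentication, including the case where an empty ldapusers.allow exists. It also lists names in either file that do not match a local /etc/passwd account, which the documentation requires. The deny list is constructed from Example D-2. One point the documentation does not state is precedence when a user appears in both files; the script treats ldapusers.deny as winning, and that is an assumption.

```python
"""Added example, not Tru64 UNIX code: evaluate /etc/ldapusers.deny and
/etc/ldapusers.allow as described in Sections D.5.1 and D.5.2."""

# Constructed from Example D-2.
DEFAULT_DENY = """\
# ldapusers.deny - list of users who are not allowed to
# authenticate on this system via LDAP authentication
#
# Syntax: account_1
#         account_n
#
root
nobody
nobodyV
daemon
bin
uucp
uucpa
auth
cron
lp
tcb
adm
ris
wnn
pop
imap
ftp
anonymous
"""


def parse_user_list(text):
    """One account name per line; '#' starts a comment that runs to the end
    of the line; blank lines and leading/trailing white space are ignored."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return names


def unmatched_names(text, passwd_names):
    """Names in a deny/allow file that do not exactly match a local account.
    passwd_names is the set of /etc/passwd login names, for example
    {e.pw_name for e in pwd.getpwall()} on the client itself."""
    return parse_user_list(text) - set(passwd_names)


def ldap_auth_applies(user, deny_text, allow_text=None):
    """deny_text: contents of /etc/ldapusers.deny.  allow_text: contents of
    /etc/ldapusers.allow, or None when that file does not exist.
    Assumption (precedence is not documented): a user named in
    ldapusers.deny stays exempt from LDAP even if also listed in
    ldapusers.allow.  Matching is exact, hence case-sensitive."""
    if user in parse_user_list(deny_text):
        return False                                 # local authentication only
    if allow_text is not None:                       # file exists, even if empty
        return user in parse_user_list(allow_text)   # empty file: nobody via LDAP
    return True                                      # default: every directory user


if __name__ == "__main__":
    for name in ("jdoe", "root"):
        print(name, "LDAP" if ldap_auth_applies(name, DEFAULT_DENY) else "local")
    print("jdoe with empty allow file:", ldap_auth_applies("jdoe", DEFAULT_DENY, allow_text=""))
    print("unmatched:", unmatched_names("jdoe\nbogus\n", {"jdoe", "root"}))
```

The empty-file case is the one to test before rolling an allow file out: creating /etc/ldapusers.allow with the intention of filling it in later locks every LDAP user out of that system until names are added.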