Amazon Cluster LDAP Installation

Reference #1: http://www.zytrax.com/books/ldap/ch1/
Reference #2: https://help.ubuntu.com/8.04/serverguide/C/openldap-server.html
Reference #3: http://www.openldap.org/doc/admin24/

Reference #1 is the most current and covers, in minimal detail, the use of ApacheDS over the older openLDAP server. Most organizations use a full directory server such as Lotus Domino or Microsoft Active Directory rather than an openLDAP server alone.

Getting a user to authenticate against a web form is a simplistic view of what occurs in a typical enterprise application environment. An authentication architecture consists of LDAP servers, SSO and JAAS services working together to form an environment which allows multiple applications to use a single sign-on service.

LDAP is the core of directory services. Organizations use an LDAP server to centralize user login and authentication and to keep it separate from applications. For example, if an employee leaves an organization, an administrator can make a change on one LDAP server which is propagated to the other LDAP servers, instead of contacting each application developer and having entries added to or removed from a SQL database. LDAP databases are organized as trees, versus tables for SQL databases. The root of the tree is called the BaseNode. LDAP databases are optimized for read operations. Services which require authentication pass their requests through PAM (pluggable authentication module) or NSS (name service switch).

1) Start an Ubuntu instance using ami-a7509dce. The login user name is ubuntu:

ssh -i keypairname.pem ubuntu@<public ip address>

2) sudo apt-get install slapd migrationtools ldap-utils

This installs the slapd OpenLDAP server and sets the administrator password.

3) Do an ldapsearch to make sure you can access the LDAP server before proceeding further. This verifies that the installation and AMI configuration are stable.
You should be able to replicate the results below verbatim since we haven't added any user-specific configuration yet. Note the space between the -b and the pair of single tick marks:

ubuntu@domU-12-31-39-03-29-97:~$ ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=compute-1,dc=internal

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

4) If you are reinstalling slapd or already have the directory /etc/ldap/slapd.d, make sure you delete it before running the next step:

sudo rm -rf /etc/ldap/slapd.d

5) sudo dpkg-reconfigure slapd

This command stops the LDAP server, sets the LDAP domain (root node) using the DNS name of the server, starts the server and allows us to run search queries against the server from our client. After this configuration our LDAP browser should also work. Hit return for all the screens except the 4 below. Do not accept the defaults for the first 2 of those screens; configure them as follows: [screenshots not reproduced]. The 2 remaining screens ask for the password and the password confirmation: enter your password. You should see the following after the command completes and the prompts stop: [screenshot not reproduced]. If you see an error message indicating that the directory slapd.d has not been deleted, start over and make sure the directory is deleted first, as shown in the previous step, step #4.

6) Run an ldapsearch query to make sure everything is still consistent:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

7) Copy and paste the LDIF entries from the URL at reference #2 into an LDIF file and add it. I copied this to test.ldif. Run ldapsearch to retrieve the user "John".

8) Open port 389 on the default security group so we can see the LDAP server from our dev machine.

9) Install an open source LDAP browser. We are going to use the browser to verify that we have entered/removed data correctly in the labs.
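As an added example (not code from the page or its references), a small Python parser for the LDIF that ldapsearch prints, used to check the namingContexts result from steps 3 and 6 programmatically instead of by eye. The sample output is constructed from the step 3 listing; the base DN dc=compute-1,dc=internal is the one shown there.

```python
import base64

# Constructed sample: trimmed from the ldapsearch output in step 3 of the page.
SAMPLE_OUTPUT = """\
# extended LDIF
# requesting: namingContexts
#
dn:
namingContexts: dc=compute-1,dc=internal

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts: skips '#'
    comments, unfolds lines that start with a space, base64-decodes
    'attr:: value', splits entries on blank lines, lowercases names."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def naming_contexts(ldapsearch_output):
    """Return the namingContexts the server's root DSE advertises."""
    for entry in parse_ldif(ldapsearch_output):
        if "namingcontexts" in entry:
            return entry["namingcontexts"]
    return []
```

Feed it the real output (for example `naming_contexts(subprocess.check_output([...]).decode())`) and compare the result with the domain you chose in dpkg-reconfigure; an empty list means slapd is not answering at all.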
10) sudo apt-get install slapd, then dpkg-reconfigure -plow slapd

slapd.conf is the configuration file for the LDAP server. Configure slapd.conf to include the following at a minimum: [listing not reproduced]

An LDAP database consists of a collection of trees or DITs (Directory Information Trees). A DIT is an object-oriented tree where each node can contain a set of user-specified fields enclosed in an objectClass. In our DIT we are going to create a root node, then an objectClass node under the root node which represents a person. This is close to our example of using our DIT for user login. Entries can be added through the command line or using an LDIF file.

The OpenLDAP implementation which we just installed, slapd, supports protocols for authentication which are not part of the LDAP specification itself. SASL is provided by Cyrus SASL, which supports DIGEST-MD5, EXTERNAL and GSSAPI. Another type of security layer is TLS (transport layer security); slapd supports OpenSSL, GnuTLS or MozNSS.

ApacheDS: https://cwiki.apache.org/DIRxSRVx11/13-installing-and-starting-the-server.html

OpenLDAP and SASL

OpenLDAP was originally designed for email accounts and holding contact information. When LDAP is used for user login and authentication, it is run in conjunction with a SASL mechanism such as GSSAPI (Kerberos).
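As an added example, not from the page, this Python code builds the step-7 user lookup filter and the person node of the DIT described above with RFC 4515 (filter) and RFC 4514 (DN) escaping, so a login name taken from a web form cannot change the structure of the filter or the DN that the application sends to slapd. The base DN is the one slapd advertised in step 3; the user values are constructed.

```python
# Constructed values; the base DN is the one slapd advertised in step 3.
BASE_DN = "dc=compute-1,dc=internal"


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515).
    The structural characters * ( ) \\ and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514):
    , + " \\ < > ; anywhere, '#' at the start, and leading/trailing space."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in ',+"\\<>;' or (c == "#" and i == 0) or (c == " " and i in (0, last)):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def user_search_filter(uid):
    """Filter that retrieves one person entry by uid, as in step 7."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)


def person_ldif(base_dn, uid, given_name, surname, mail):
    """LDIF for the person node directly under the root node of the DIT."""
    cn = "%s %s" % (given_name, surname)
    lines = [
        "dn: cn=%s,%s" % (escape_dn_value(cn), base_dn),
        "objectClass: inetOrgPerson",
        "cn: " + cn,
        "sn: " + surname,
        "givenName: " + given_name,
        "uid: " + uid,
        "mail: " + mail,
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed user; pipe the LDIF into ldapadd against the step-2 server.
    print(user_search_filter("john"))
    print(person_ldif(BASE_DN, "john", "John", "Doe", "john@example.com"))
```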