5991-7504


  • 8/9/2019 5991-7504


HP Open Source Middleware Stacks Blueprint:

Directory Services on HP ProLiant Servers with SUSE Linux Enterprise Server 10

HP Part Number: 5991-7504
Published: July 2007
Edition: 2.0


    Copyright 2007 Hewlett-Packard Development Company, L.P.

    Legal Notice

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgments

    Java is a U.S. trademark of Sun Microsystems, Inc.

    Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.


Table of Contents

Introduction 5
  Executive Summary 5
  Intended Audience 5
  Scope and Purpose 5
  HP Services 5
  Typographic Conventions 6
  HP Encourages Your Comments 6
Overview of HP Directory Services OSMS 6
  Stack Components 6
  Hardware Environment 7
Installing and Configuring Symas CDS and Apache Modules 8
  Pre-Installation 8
  Installing CDS 8
  Configuring the CDS Server 9
  Configuring the CDS Client 11
Managing the Symas CDS Server 11
  Using CDS Server Script Options 11
  Debugging the CDS Server 12
  Performing Common CDS Server Operations 12
Performing Backups and Recovery with Berkeley DB 15
  Performing a Hot Backup and Reloading the Berkeley DB 15
  Recovering the Berkeley DB 16
  Obtaining Statistics for the Berkeley DB 17
Configuring the Master-Slave Replication 17
  Setting Up the Replication 18
  Monitoring the Replication Status 18
    Using the slapd Debugging Level 18
    Using the contextCSN Method for Comparison 19
  Scaling CDS Using a Load Balancer 19
Integrating the Apache HTTP Server with the mod_authnz_ldap and mod_ldap Modules 19
  Verifying the Installations 19
  Testing LDAP Authentication with the Apache HTTP Server 20
  Testing the Secure SSL-Enabled LDAP Connections 21
Setting up Security for the CDS Server 22
  File System Security 22
  Network Security 22
    Using Simple Authentication and Security Layer 22
      Configuring SASL with DIGEST-MD5 23
      Mapping SASL Users to Distinguished Names 23
    Using TLS 25
      Configuring TLS for Network Encryption 25
      Using the EXTERNAL Authentication Mechanism with TLS 26
  Directory Security 28
Monitoring OpenLDAP with the HP OpenView Operations CDS Gallery SPIs 31
  Software Prerequisites and Reference Guides 32
  Using the SPIs 33


    Introduction

Executive Summary

The HP Open Source Integrated Portfolio (HP OSIP) comprises a range of products and services designed to ensure that customers can successfully realize the cost and feature benefits of adopting open source software in their IT environments. HP Open Source Foundation components include the base components of an open source-based ecosystem: HP servers and storage are validated to run the Linux operating system together with commercial Linux distributions from Novell.

The HP Open Source Middleware Stack (OSMS) for Directory Services is an enhanced OpenLDAP solution based on HP industry-standard hardware and software platforms, using Symas Connexitor Directory Services (CDS) for secure, flexible, and scalable enterprise directory services. This blueprint for HP Directory Services OSMS provides general instruction on using Symas Connexitor Directory Services (CDS) on HP ProLiant servers.

Intended Audience

The intended audience for this document is HP field personnel who support customers that are seriously evaluating or deploying open source Directory Services on HP ProLiant and Integrity servers running SUSE Linux Enterprise Server 10 (SLES10).

Scope and Purpose

This white paper provides a technical blueprint for the implementation of the HP Directory Services OSMS. It covers installation, configuration, replication, backup and recovery, security, monitoring and integration with an Apache HTTP Server. The software components described in this paper are tested and validated to run on HP ProLiant servers.

HP Services

HP Open Source Consulting Services can help you build and integrate open source and commercial software across multiple operating system (OS) environments. Additionally, HP Open Source Support Services provide industry-leading technical support for all the products HP sells, including hardware, operating systems, and open source middleware.

To learn more about HP Open Source Consulting and Support Services, contact your local HP sales representative or visit the HP Business and IT Services Web site at:

    http://www.hp.com/hps


Typographic Conventions

This document uses the following typographical conventions.

Command    A command name or qualified command phrase.

ComputerOut    Text displayed by the computer.

Ctrl-x    A key sequence. A sequence such as Ctrl-x indicates that you must hold down the key labeled Ctrl while you press another key or button.

ENVIRONVAR    The name of an environment variable, for example, PATH.

[ERRORNAME]    The name of an error, usually returned in the errno variable.

Key    The name of a keyboard key. Return and Enter both refer to the same key.

Term    The defined use of an important word or phrase.

UserInput    Commands and other text that you type.

VARIABLE    The name of a placeholder in a command, function, or other syntax display that you replace with an actual value.

\ (continuation character)    A backslash (\) at the end of a line of code (such as a command) indicates that the following line of code is contiguous, and you must not insert a line break. This convention facilitates the typesetting of long lines of code examples on a printed page. If you cut and paste sample code from this publication, ensure that you remove backslash characters at line endings.

...    The preceding element can be repeated an arbitrary number of times.

|    Separates items in a list of choices.

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs. Send any errors found, suggestions for improvement, or compliments to:

[email protected]

Include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.

    Overview of HP Directory Services OSMS

    Stack Components

The HP Directory Services OSMS stack consists of software packages from the following three sources:

    Commercial open source vendors, such as Symas

    Community open source packages, such as Apache modules

    Proprietary software, such as HP OpenView Operations (OVO) Gallery Smart Plug-Ins (SPI)

Symas Connexitor Directory Services (CDS) software is a complete directory and authentication services package that is powered by the open source Lightweight Directory Access Protocol (OpenLDAP) project and is packaged for easy installation, including all the additional packages necessary for installation. CDS is compiled with support for Secure Sockets Layer (SSL), Simple Authentication and Security Layer (SASL), and the Symas-developed high-performance back-bdb and back-hdb back ends, which are based on the Berkeley database (Berkeley DB) package. CDS also includes a comprehensive set of modules which implement enterprise features, such as password policy management, referential integrity, and attribute uniqueness.

The HP Directory Services OSMS stack includes the Symas CDS Gold Edition bundled components, a commercial open source software. Depending on the architecture used in the stack, Symas CDS uses different versions of the various packages, as displayed in Table 1.

Table 1 Commercial Open Source Packages

OpenSSL Version   SASL Version   Berkeley DB Version   OpenLDAP Version   CDS Version   Architecture
0.9.71            2.1.22         4.2.52                2.3.30             3.6.1         SLES10 on x86_64

NOTE: The OpenLDAP and Berkeley DB packages contain selected patches and enhancements.

The Apache mod_ldap and mod_authnz_ldap modules are community open source software from the SLES10 distribution. To integrate the Apache HTTP server and CDS, the mod_authnz_ldap and mod_ldap connectors are used in the stack as part of the Apache HTTP server.

HP OpenView Operations (OVO) Gallery Smart Plug-Ins (SPI) is proprietary software included in the HP Directory Services OSMS. The HP OVO Gallery SPI software can be found at:

http://h20229.www2.hp.com/products/spi

Hardware Environment

The software contained in the HP Directory Services OSMS stack is installed on HP ProLiant and BladeSystem servers with locally attached SCSI or SATA disks. The hardware environment is described in Figure 1.

    Figure 1 Hardware Environment

The diagram illustrates a basic configuration consisting of a master directory server and one or more replicas. The LDAP applications that are running on the Apache HTTP server, with the mod_ldap and mod_authnz_ldap modules enabled, are routed through a load balancer to a replica.

During a read operation, the replica returns the requested information. During a write operation, the replica returns a referral to the master server. Replicas are kept up to date with the master content using the LDAP Content Synchronization protocol through the syncrepl directive in the replica's configuration. An additional Windows-based server is required to host HP OVO for manageability through the OpenLDAP SPI.

Installing and Configuring Symas CDS and Apache Modules

Pre-Installation

Before you start to install the HP Directory Services OSMS components, make sure the SLES10 distribution, with full packages, is installed. Apache HTTP server version 2.2.0 is a bundled package in the SLES10 distribution. The mod_authnz_ldap and mod_ldap modules are included in the Apache HTTP server package. To verify the modules are installed, see Integrating the Apache HTTP Server with the mod_authnz_ldap and mod_ldap Modules (page 19). To obtain the Symas CDS Gold Edition products and additional instructions, see the website located at:

    http://www.symas.com/cds.shtml

Verify that you obtained the correct version of the installation packages according to your architecture, as shown in Table 1.

Installing CDS

The CDS LDAP server can co-exist with the OpenLDAP that is bundled with the SLES10 distribution. If the CDS LDAP service is used, verify that all LDAP-related commands and daemons are obtained from the CDS LDAP server installation and not from the SLES10 distribution.

Table 2 CDS Components

CDS Component      Description
cdsgserver*.rpm    CDS Gold LDAP and replication server daemons and utilities
cdsgclient*.rpm    CDS LDAP Gold client tools and libraries
cdsdevel*.rpm      CDS header and documentation files
cpkgca*.rpm        Connexitor public key services and certificate authority

NOTE: The * represents the version number and architecture type.

1. The cdsgserver package depends on the cdsgclient package. Therefore, install the cdsgclient package first by entering the following command:

# rpm -ivh cdsgclient*.rpm

    2. Install the following packages by entering the commands provided.

a. To install the cdsgserver package, enter:

# rpm -ivh cdsgserver*.rpm

b. To install the cdsdevel package, enter:

# rpm -ivh cdsdevel*.rpm

c. To install the cpkgca package, enter:

# rpm -ivh cpkgca*.rpm

    3. Add the CDS BIN path (the default is /opt/symas/bin) by entering the following:

    # export PATH=/opt/symas/bin:$PATH


Configuring the CDS Server

1. Change the working directory to /opt/symas/etc/openldap.

2. Copy the file slapd.conf.default to slapd.conf in the CDS configuration directory (the default directory is /opt/symas/etc/openldap).

3. Edit the slapd.conf file by replacing the section Sample bdb database definitions with the following lines:

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret

The values of rootdn and rootpw can be used in simple authentication. The database value, in this example Berkeley DB (bdb), specifies the type of storage back end LDAP uses, for example sql or bdb.

    4. Copy the file cds.conf.default to cds.conf.

5. Edit the cds.conf file by setting the parameters as follows:

SLAPD_USER=root
SLAPD_GROUP=root
SLURPD_USER=root
SLURPD_GROUP=root
HOST_LIST="ldap://Your Ip Address:389/"

The SLAPD_USER and SLAPD_GROUP parameters (used for the slapd daemon, which provides the LDAP service) and the SLURPD_USER and SLURPD_GROUP parameters (used for the slurpd daemon, which is in charge of replication) set the users and groups of the slapd and slurpd daemons. The HOST_LIST parameter sets the listeners that the LDAP daemon starts.

NOTE: If needed for security reasons, you can use a different user instead of root. If you choose to do this, grant write permission to all the directories and files to which slapd requires access.

6. Copy the file /opt/symas/etc/openldap/DB_CONFIG.default to the directory specified in the slapd.conf file (for example, /var/symas/openldap-data/example/) and then change the file name to DB_CONFIG.

    7. Start the LDAP server by entering the following command:

    # /etc/init.d/cdsserver start

    8. Enter the following command to ensure the SLAPD daemon is running:

# ps -ef | grep slapd


9. To verify the LDAP server is configured properly and to prepare test data for the upcoming examples, add initial entries to the directory by performing the following substeps.

    a. Stop the LDAP server by entering the following command:

    # /etc/init.d/cdsserver stop

b. Modify the /opt/symas/etc/openldap/slapd.conf file by uncommenting the following lines:

    include /opt/symas/etc/openldap/schema/ppolicy.schema

    include /opt/symas/etc/openldap/schema/cosine.schema

    include /opt/symas/etc/openldap/schema/inetorgperson.schema

c. Using a text editor, create an LDIF file, save it as /tmp/example.ldif, and add the following content:

NOTE: The following abbreviations are used in the file content: Distinguished Name (dn), Domain Component (dc), and Common Name (cn).

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example

dn: dc=osm,dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: osm
ou: osm

dn: ou=people,dc=osm,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=benw,ou=people,dc=osm,dc=example,dc=com
objectClass: inetOrgPerson
uid: benw
sn: ben
cn: ben won
mail: [email protected]: ben

dn: ou=groups,dc=osm,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=tomcat,ou=groups,dc=osm,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: tomcat
uniqueMember: uid=benw,ou=people,dc=osm,dc=example,dc=com

d. Add the entries in the example.ldif file to the LDAP server by entering the following command:

# /opt/symas/bin/slapadd -l /tmp/example.ldif

NOTE: Verify that the CDS server has been stopped before running the slapadd command.

e. Start the CDS server and verify the entries were added by entering the following:

# /etc/init.d/cdsserver start
# /opt/symas/bin/slapcat
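As an added example (not part of the HP blueprint or the CDS distribution), the following POSIX shell script checks the slapd.conf and cds.conf values produced by the steps above for the settings a reviewer would flag: a cleartext or sample rootpw, a database section with no access directives, daemons running as root, and a HOST_LIST with only a plaintext ldap:// listener. The sample configurations it writes are constructed from the values in the text; the {SSHA} value in the hardened sample is a placeholder, not a real slappasswd hash.

```shell
#!/bin/sh
# Audit CDS configuration files for weak settings (example code, not part of CDS).
# Each audit function prints one finding per line; finding_count prints how many
# lines a function produced, so a deployment script can branch on the result.

# audit_slapd_conf FILE : check the slapd.conf database section
audit_slapd_conf() {
    f=$1
    # rootpw is stored in cleartext unless it starts with a {SCHEME} prefix
    # produced by slappasswd (for example {SSHA})
    if grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]' "$f"; then
        echo "rootpw is cleartext; store a slappasswd hash instead"
    fi
    # the documented sample value must not survive into production
    if grep -Eq '^[[:space:]]*rootpw[[:space:]]+secret[[:space:]]*$' "$f"; then
        echo "rootpw is the sample value 'secret'"
    fi
    # with no 'access to' directives slapd applies its built-in default,
    # which grants read access to every attribute, userPassword included
    if ! grep -Eq '^[[:space:]]*access[[:space:]]+to' "$f"; then
        echo "no access directives: default ACL grants read to everyone"
    fi
}

# audit_cds_conf FILE : check the cds.conf daemon user and listener settings
audit_cds_conf() {
    f=$1
    for var in SLAPD_USER SLURPD_USER; do
        if grep -Eq "^[[:space:]]*$var=\"?root\"?[[:space:]]*$" "$f"; then
            echo "$var is root; run the daemon as a dedicated unprivileged user"
        fi
    done
    # HOST_LIST="ldap://...:389/" is a plaintext listener; the TLS section of the
    # blueprint adds ldaps://, and this check only reports its absence
    if grep -Eq '^[[:space:]]*HOST_LIST=' "$f" && ! grep -q 'ldaps://' "$f"; then
        echo "HOST_LIST has no ldaps:// listener; simple binds cross the network in cleartext"
    fi
}

# finding_count FUNC FILE : number of findings FUNC reports for FILE
finding_count() {
    "$1" "$2" | awk 'END { print NR }'
}

# write_samples DIR : constructed sample files mirroring the blueprint's values
write_samples() {
    d=$1
    mkdir -p "$d"
    cat > "$d/slapd.conf" <<'EOF'
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
EOF
    cat > "$d/slapd-hardened.conf" <<'EOF'
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}PLACEHOLDER-HASH-FROM-slappasswd
access to attrs=userPassword by self write by anonymous auth by * none
access to * by * read
EOF
    cat > "$d/cds.conf" <<'EOF'
SLAPD_USER=root
SLAPD_GROUP=root
SLURPD_USER=root
SLURPD_GROUP=root
HOST_LIST="ldap://192.0.2.10:389/"
EOF
}

# Run with --live to audit the files installed under /opt/symas/etc/openldap
if [ "${1:-}" = "--live" ]; then
    audit_slapd_conf /opt/symas/etc/openldap/slapd.conf
    audit_cds_conf /opt/symas/etc/openldap/cds.conf
fi
```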

Configuring the CDS Client

1. Copy the ldap.conf.default file to ldap.conf in the /opt/symas/etc/openldap directory.

2. Edit the ldap.conf file by changing the following parameters:

BASE dc=example,dc=com
URI ldap://Your_LDAP_Server_IP_Address

    3. Restart the CDS server by entering the following command:

    # /etc/init.d/cdsserver restart

4. From the client, verify that the CDS client can connect to the CDS server by entering the following command:

# /opt/symas/bin/ldapsearch -x -b "" -s base "(objectclass=*)" \
namingContexts

The command should return the following:

dn:
namingContexts: dc=example,dc=com

    Managing the Symas CDS Server

Using CDS Server Script Options

Log in as the root user to execute the script commands.

Starting the CDS Server

To start the CDS server and verify the daemon is running, enter the following commands:

# /etc/init.d/cdsserver start
# ps -ef | grep slapd

    Stopping the CDS Server

To stop the CDS server and verify the daemon has stopped running, enter the following commands:

# /etc/init.d/cdsserver stop
# ps -ef | grep slapd

Restarting the CDS Server

To restart the CDS server and verify the daemon is running, enter the following commands:

# /etc/init.d/cdsserver restart
# ps -ef | grep slapd

    Checking the Status of the CDS Server

    To check the CDS server status, enter the following command:

    # /etc/init.d/cdsserver status


Debugging the CDS Server

To print the log of the CDS server to a single file, use the following steps:

1. Edit the file /etc/syslog-ng/syslog-ng.conf by changing the following line:

filter f_local { facility(local0, local1, local2, local3, local4, local5, local6, local7); };

to:

filter f_local { facility(local0, local1, local2, local3, local5, local6, local7); };

Next, add the following new lines to the file:

filter f_ldap { facility(local4); };
destination ldap { file("/var/log/ldap.log" owner(root) group(root)); };
log { source(src); filter(f_ldap); destination(ldap); };

    2. Restart the syslog daemon by entering:

    # /etc/init.d/syslog restart

3. Edit the file /opt/symas/etc/openldap/slapd.conf and add the appropriate log level.

The OpenLDAP Web site provides the following log level descriptions, which can be used to determine which log level is appropriate, for example, log level 8.

Debugging Levels

Level   Description
-1      enable all debugging
0       no debugging
1       trace function calls
2       debug packet handling
4       heavy trace debugging
8       connection management
16      print out packets sent and received
32      search filter processing
64      configuration file processing
128     access control list processing
256     stats log connections/operations/results
512     stats log entries sent
1024    print communication with shell backends
2048    print entry parsing debugging
16384   syncrepl consumer processing

    4. Restart the CDS server by entering the following command:

    # /etc/init.d/cdsserver restart

5. Retrieve the basic information for function calls in the file /var/log/ldap.log.

NOTE: The resulting debug messages can create very large log files in a short period of time. Therefore, use the debug option carefully and take precautions to prevent your log files from unbounded growth. Additional information on the debug levels is located at:

    http://www.openldap.org/doc/admin23/slapdconf2.html

Performing Common CDS Server Operations

This section describes some common operations of CDS clients.

NOTE: For the steps that follow, when you are prompted for a password, enter the password specified in the slapd.conf file. The default password is secret. Assume that the value of the suffix directive in slapd.conf is "dc=example,dc=com".

Adding an Entry to the Directory

1. Use a text editor to create an LDIF file and save it as /tmp/add.ldif, with the following content:


dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example

dn: dc=osm,dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: osm
ou: osm

dn: uid=tomy,dc=osm,dc=example,dc=com
objectClass: inetOrgPerson
uid: tomy
sn: tom
cn: tom yan
mail: [email protected]
carLicense: sea4321
userPassword: tom

    NOTE: If there are any trailing spaces in the LDIF file, the ldapadd command fails.

    2. Enter the following command to add the entry to the directory:

# /opt/symas/bin/ldapadd -x -D "cn=Manager,dc=example,dc=com" \
-W -f /tmp/add.ldif

    Figure 2 Adding the Entries

NOTE: For the commands listed in this and the following sections, the following options are used:

-D specifies the Distinguished Name (DN) that binds to the LDAP directory.

-x specifies simple authentication.

-W specifies a prompt for the bind password (for simple authentication).

-f specifies that the operations are read from a file.

-b specifies the base DN as the starting point for the search.

-s specifies the scope of the search: base, one or sub, for a base object, one-level or subtree search respectively.

    For additional information, see the ldap man page.
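The note above says ldapadd rejects an LDIF file with trailing spaces, and the error it prints does not point at the offending line. As an added example (not part of the blueprint), this POSIX shell script lints an LDIF file before it is handed to ldapadd or ldapmodify: it reports trailing whitespace, entries that do not begin with dn:, and lines that are not attribute: value pairs, and can strip the trailing whitespace. The sample file is constructed from the add.ldif entry in the text, with a deliberate trailing space on the cn: line.

```shell
#!/bin/sh
# Lint an LDIF file before running ldapadd/ldapmodify (example code, not part of CDS).

# ldif_lint FILE : print "line N: problem" for each problem found
ldif_lint() {
    awk '
    function report(msg) { printf "line %d: %s\n", NR, msg }
    /[ \t]+$/      { report("trailing whitespace (ldapadd rejects this)") }
    /^$/           { in_entry = 0; next }        # blank line ends an entry
    /^#/           { next }                      # comment
    /^ /           { if (!in_entry) report("continuation line outside an entry"); next }
    /^-$/          { next }                      # change separator in modify LDIF
    !in_entry      { if ($0 !~ /^dn:/) report("entry does not start with dn:")
                     in_entry = 1; next }
    /^dn:/         { report("second dn: in one entry (missing blank line?)"); next }
    !/^[A-Za-z][A-Za-z0-9;.-]*:/ { report("not an attribute: value line") }
    ' "$1"
}

# ldif_problem_count FILE : number of problems ldif_lint reports
ldif_problem_count() {
    ldif_lint "$1" | awk 'END { print NR }'
}

# ldif_strip_trailing IN OUT : copy IN to OUT with trailing whitespace removed.
# A continuation line consisting of a single space is legal LDIF and would be
# emptied by this; re-run ldif_lint on OUT to catch that case.
ldif_strip_trailing() {
    sed 's/[[:space:]]*$//' "$1" > "$2"
}

# ldif_entry_count FILE : number of entries (dn: lines) in the file
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# write_sample FILE : constructed sample based on the blueprint's add.ldif;
# the "cn:" line carries a deliberate trailing space
write_sample() {
    printf '%s\n' \
        'dn: uid=tomy,dc=osm,dc=example,dc=com' \
        'objectClass: inetOrgPerson' \
        'uid: tomy' \
        'sn: tom' \
        'cn: tom yan ' \
        'mail: tomy@example.com' \
        'carLicense: sea4321' \
        'userPassword: tom' > "$1"
}

# Usage: ldif_lint /tmp/add.ldif, fix anything reported, then run
# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /tmp/add.ldif
```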

    Searching for an Entry in the Directory

To search for the new entry you added in the previous step, use the ldapsearch command as follows:

# /opt/symas/bin/ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W \
"cn=tom yan"


    Figure 3 Searching for an Entry

    Modifying an Entry in the Directory

1. Use a text editor to create an LDIF file, saved as /tmp/modify.ldif, with the following content:

dn: uid=tomy,dc=osm,dc=example,dc=com
changetype: modify
replace: mail
mail: [email protected]
-
add: title
title: added title
-
delete: carLicense

    2. Enter the following command:

    # /opt/symas/bin/ldapmodify -x -D "cn=Manager,dc=example,dc=com" \

    -W -f /tmp/modify.ldif

    Figure 4 Modifying an Entry

    3. To verify the modification, use the ldapsearch command by entering the following:

    # /opt/symas/bin/ldapsearch -x -D "cn=Manager,dc=example,dc=com" \

    -W "cn=tom yan"

    Deleting an Entry from the Directory

    1. To delete one or more entries in the directory, run the ldapdelete command as follows:

# /opt/symas/bin/ldapdelete -x -D "cn=Manager,dc=example,dc=com" \
-W "uid=tomy,dc=osm,dc=example,dc=com"

    2. To verify the deletion, enter the following command:

    # /opt/symas/bin/ldapsearch -x -D "cn=Manager,dc=example,dc=com" \

    -W "uid=tomy"

Modifying the Relative Distinguished Name for an Entry in the Directory

1. To modify the Relative Distinguished Name (RDN) for an entry, run the ldapmodrdn command as follows:

    # /opt/symas/bin/ldapmodrdn -x -D "cn=Manager,dc=example,dc=com" \

    -W "uid=tomy,dc=osm,dc=example,dc=com" "uid=tomy-modified"

    Figure 5 Modifying an RDN for Entry

    2. To verify the modification, use the ldapsearch command by entering the following:

    # /opt/symas/bin/ldapsearch -x -D "cn=Manager,dc=example,dc=com" \

    -W "cn=tom yan"

    Performing Backups and Recovery with Berkeley DB

Performing a Hot Backup and Reloading the Berkeley DB

Hot backups offer a convenient way to back up data while the CDS server is running. Performing a hot backup does not require downtime and does not impact the CDS server. Use the slapcat command, which is provided with the CDS distributions, to perform a hot backup. The following steps explain how to perform a hot backup and, when the Berkeley DB is damaged, reload the data.

CAUTION: If data is being altered or updated while you perform a hot backup, a mismatch can occur between the backup file and the CDS server's final data. There is a risk of inconsistent data when performing a hot backup.

    1. To view the data in the Berkeley Database, enter the following command:

    # /opt/symas/bin/slapcat

2. To perform a hot backup of the Berkeley Database to an LDIF file while the CDS server is running, enter the following command:

# /opt/symas/bin/slapcat -l backup.ldif

    3. To view the file, enter the following command:

    # vi backup.ldif

4. When the CDS server has a problem or the data file is damaged, the data can be reloaded from the LDIF file. To mimic a damaged data file for this example, manually delete the data using the following command:

    # /opt/symas/bin/ldapdelete -x -D 'cn=Manager,dc=example,dc=com' \

    -w secret -r dc=example,dc=com

5. Verify the data has been deleted using the slapcat command. The query result should be empty.

    # /opt/symas/bin/slapcat


6. Before you reload the data from the LDIF file, shut down the CDS server by entering the following command:

    # /etc/init.d/cdsserver stop

7. Reload the data from the LDIF file using the slapadd utility by entering the following command:

    # /opt/symas/bin/slapadd -l backup.ldif

    8. Restart the CDS server and check the restored data by entering the following commands:

# /etc/init.d/cdsserver start
# /opt/symas/bin/slapcat
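The CAUTION above says a hot backup taken while entries are being changed can disagree with the server's final data. As an added example (not part of the blueprint), the script below wraps slapcat -l in a consistency check: it takes two dumps back to back, accepts them only if they are identical, and refuses an empty dump or one that lacks the suffix entry, so that the empty result seen in step 5 can never overwrite a good backup. The comparison and sanity functions operate on LDIF text and are exercised here with constructed files; hot_backup itself calls /opt/symas/bin/slapcat and is assumed to run on the CDS server.

```shell
#!/bin/sh
# Hot backup of the CDS directory with a consistency check (example code, not part of CDS).
SLAPCAT=${SLAPCAT:-/opt/symas/bin/slapcat}
SUFFIX=${SUFFIX:-dc=example,dc=com}

# ldif_entry_count FILE : number of entries in an LDIF dump
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# dump_sane FILE SUFFIX : succeed only if the dump is non-empty and contains
# the suffix entry (an empty dump is what step 5 above produces after the data
# was deleted; saving it would replace a good backup with nothing)
dump_sane() {
    [ "$(ldif_entry_count "$1")" -gt 0 ] &&
        grep -q "^dn: $2\$" "$1"
}

# dumps_match A B : succeed if two dumps are byte-for-byte identical
dumps_match() {
    cmp -s "$1" "$2"
}

# hot_backup DEST [TRIES] : dump twice and keep the result only when both
# copies agree; retry up to TRIES times while the directory is being modified
hot_backup() {
    dest=$1; tries=${2:-3}; i=0
    tmp1=$(mktemp) || return 1
    tmp2=$(mktemp) || return 1
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        "$SLAPCAT" -l "$tmp1" || { rm -f "$tmp1" "$tmp2"; return 1; }
        "$SLAPCAT" -l "$tmp2" || { rm -f "$tmp1" "$tmp2"; return 1; }
        if dumps_match "$tmp1" "$tmp2"; then
            if dump_sane "$tmp1" "$SUFFIX"; then
                # the dump contains userPassword values, so keep it owner-only
                mv "$tmp1" "$dest" && chmod 600 "$dest"
                rm -f "$tmp2"
                echo "backup written: $dest ($(ldif_entry_count "$dest") entries)"
                return 0
            fi
            echo "dump is empty or lacks $SUFFIX; not saving" >&2
            rm -f "$tmp1" "$tmp2"
            return 1
        fi
        echo "dumps differ (directory is changing); retry $i of $tries" >&2
    done
    rm -f "$tmp1" "$tmp2"
    return 1
}

# write_samples DIR : constructed dumps; b.ldif is a.ldif with one changed mail value
write_samples() {
    d=$1; mkdir -p "$d"
    cat > "$d/a.ldif" <<'EOF'
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example

dn: uid=tomy,dc=osm,dc=example,dc=com
objectClass: inetOrgPerson
uid: tomy
sn: tom
cn: tom yan
mail: tomy@example.com
EOF
    sed 's/^mail: .*/mail: tom.yan@example.com/' "$d/a.ldif" > "$d/b.ldif"
    cp "$d/a.ldif" "$d/a-copy.ldif"
    : > "$d/empty.ldif"
}

# Run with --run DEST to take a checked backup on the CDS server
if [ "${1:-}" = "--run" ]; then
    hot_backup "${2:-backup.ldif}"
fi
```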

Recovering the Berkeley DB

The db_archive and db_recover utilities are used for normal recovery or disaster recovery of the Berkeley DB data, which is the back-end database of the CDS server. The following example procedure shows how to use the db_archive and db_recover utilities to back up and recover data.

1. Stop the CDS server and force a checkpoint of the log or archive using the db_checkpoint utility by entering the following commands:

# /etc/init.d/cdsserver stop
# /opt/symas/bin/db_checkpoint -1 -h /var/symas/openldap-data/example/

    2. Archive the data files by entering the following command:

    # /opt/symas/bin/db_archive -s -h /var/symas/openldap-data/example/

3. To back up the Berkeley DB data files, copy these files to another directory or server, for example /databackup, using the following commands:

# mkdir /databackup

    # cp /var/symas/openldap-data/example/*db.00* /databackup

    # cp /var/symas/openldap-data/example/*.bdb /databackup

    4. Archive and copy the log files by entering the following commands:

# mkdir /logbackup

    # /opt/symas/bin/db_archive -l -h /var/symas/openldap-data/example/

    # cp /var/symas/openldap-logs/example/log.0000000001 /logbackup

5. For the test in this example, delete all CDS data manually and verify the results by entering the following commands:

    # /etc/init.d/cdsserver start

    # /opt/symas/bin/ldapdelete -x -D 'cn=Manager,dc=example,dc=com' \

    -w secret -r dc=example,dc=com

    # /opt/symas/bin/slapcat

6. To recover the data from the backup using the db_recover utility, restore the data files from the backup media by entering the following commands:

    # /etc/init.d/cdsserver stop

    # cp /databackup/*db.00* /var/symas/openldap-data/example/

    # cp /databackup/*.bdb /var/symas/openldap-data/example/

    7. Restore the transaction log files from the backup media by entering the following command:

    # cp /logbackup/log.0000000001 /var/symas/openldap-logs/example/


    8. To bring the data files and log files into a consistent state, run catastrophic recovery with the following command:

    # /opt/symas/bin/db_recover -c -h /var/symas/openldap-data/example/

    9. Start the CDS server and verify the recovery result by entering the following commands:

    # /etc/init.d/cdsserver start

    # /opt/symas/bin/slapcat

    Obtaining Statistics for the Berkeley DB

    Use the db_stat utility, contained in the CDS distribution, to obtain statistics and state information for the Berkeley DB environment. The db_stat utility is located in the /opt/symas/bin directory.

    1. To get the Berkeley database version information, enter the following command:

    # /opt/symas/bin/db_stat -V

    2. Display the lock region parameters and information for the Berkeley database by entering the following command:

    # /opt/symas/bin/db_stat -C A -h /var/symas/openldap-data/example

    3. To display detailed statistical information for a specified database file, use the db_stat utility with the -d option as follows:

    # /opt/symas/bin/db_stat -d dn2id.bdb -h \

    /var/symas/openldap-data/example

    4. To display the current transaction information, use the db_stat utility with the -t option as follows:

    # /opt/symas/bin/db_stat -t -h /var/symas/openldap-data/example

    5. To check additional Berkeley DB environment information, such as the environment version, log region, lock region, and transaction region, enter the following command:

    # /opt/symas/bin/db_stat -e -h /var/symas/openldap-data/example

    Configuring the Master-Slave Replication

    Symas CDS replication is used to address high availability and performance requirements. Although the CDS server is optimized for query operations, replication lets it scale further: it improves throughput, reduces query latency by locating replicas close to clients, and lowers the risk of a single point of failure.

    In most cases, the optimal, scalable solution is the master-slave replication configuration, in which one master manages all directory update operations and the slave servers handle all directory query operations. This configuration is supported natively by OpenLDAP and therefore by CDS. Additional slave servers can be added with limited effort after the CDS server is configured and running.

    The CDS server supports two mechanisms for master-slave replication: the traditional implementation using the slurpd daemon, and a newer method introduced in OpenLDAP 2.2 called content synchronization, or syncrepl. This document focuses on the syncrepl method. For more information about the two replication methods, visit the Web site at:

    http://www.openldap.org/faq/data/cache/1170.html

    The syncrepl method uses the LDAP Content Synchronization protocol (RFC 4533) to maintain a copy of a Directory Information Tree (DIT) fragment of the master CDS server. The syncrepl engine is a consumer-side (slave-side) replication engine that supports both polling and listening modes of synchronization. In refreshOnly mode, the syncrepl engine is triggered periodically and checks whether synchronization operations are needed. In refreshAndPersist mode, the engine keeps a persistent search open on the master and is always ready to handle synchronization messages from it.

    Setting Up the Replication

    The syncrepl method uses a slave-side replication engine. To set up a syncrepl replication in refreshOnly mode, enable the syncrepl engine on the CDS slave server. Additionally, enable the syncprov overlay on the CDS master server.

    The following example provides the detailed steps required to set up a syncrepl replication for the contents under dc=example,dc=com in refreshOnly mode:

    1. To configure the slave server's slapd.conf file, add the following contents:

    database bdb
    ...
    index entryCSN,entryUUID eq
    syncrepl rid=1
        provider=ldap://master_side_IP
        binddn=dc=example,dc=com
        bindmethod=simple
        credentials=secret
        searchbase=dc=example,dc=com
        type=refreshOnly
        interval=00:00:02:00

    For more information, see the slapd.conf(5) manpage.

    2. To enable the syncprov overlay feature on the master server, use the following configuration in the master server's slapd.conf file:

    moduleload syncprov.la
    ...
    database bdb
    ...
    index entryCSN,entryUUID eq
    overlay syncprov
    syncprov-checkpoint 100 10
    syncprov-sessionlog 100

    For more information, see the slapo-syncprov(5) manpage.

    3. After setting the configurations, restart the master-side server and then restart the slave-side servers.

    At this point, the directory contents under dc=example,dc=com on the slave server should be the same as on the master server. Adding or removing entries on the master server leads to the same result on the slave server after the interval period.

    Monitoring the Replication Status

    There is no formal tool to monitor the syncrepl replication status. However, there are two methods you can use to verify that the replication is complete.

    Use the slapd debugging level to view slapd debug information.

    Use the ldapsearch command and compare the contextCSN of the master and slave servers. The syncrepl method stamps each write operation with a Change Sequence Number (CSN). Each CDS server maintains a contextCSN attribute on the suffix entry, which records the largest CSN stored. You can determine whether the replication is complete by comparing the contextCSN of the master and slave servers.

    Using the slapd Debugging Level

    Start the slave-side slapd process with debugging enabled. For this example, set the debug level to 'syncrepl consumer processing' (level 16384) by entering the following command:

    # /etc/init.d/cdsserver start -d 16384

    Once a replication cycle starts, messages prefixed with do_syncrep2: are displayed.

    If a replication finishes, the following messages are displayed:

    syncrepl_entry: 'dn_of_the_last_entry'
    syncrepl_entry: be_add(0)

    NOTE: For a list of the different levels of debugging messages, see Debugging the CDS Server (page 12).

    Using the contextCSN Method for Comparison

    List the contextCSN of each server by entering the following commands:

    # ldapsearch -x -D dc=example,dc=com -w secret -H \
    ldap://slave_side_IP -b dc=example,dc=com -s base contextCSN

    # ldapsearch -x -D dc=example,dc=com -w secret -H \
    ldap://master_side_IP -b dc=example,dc=com -s base contextCSN

    Compare the contextCSN values. If they are the same, the replication is finished; otherwise it is not.

    NOTE: The contextCSN on the slave server only follows the value on the master server. It does not change during the initial replication, which happens right after the CDS slave server is started, because the contextCSN on the master server is not changing at that time.
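The contextCSN comparison above can be scripted so that it runs from cron and alerts when the slave falls behind. The following is an added example, not part of the HP blueprint or of OpenLDAP: it parses the LDIF printed by the two ldapsearch commands, takes the highest contextCSN on each side and reports in-sync, behind or ahead. The tool path, bind DN, password and suffix are taken from the replication example above and can be overridden with environment variables; the usage line assumes the same master_side_IP and slave_side_IP placeholders.

```shell
#!/bin/sh
# Added example: compare the contextCSN of a syncrepl master and slave.
# Defaults follow the replication example in this document.
LDAPSEARCH=${LDAPSEARCH:-/opt/symas/bin/ldapsearch}
BINDDN=${BINDDN:-dc=example,dc=com}
BINDPW=${BINDPW:-secret}
SUFFIX=${SUFFIX:-dc=example,dc=com}

# Print the contextCSN values found in LDIF read from stdin, lowest first.
# A CSN starts with a UTC timestamp (YYYYMMDDhhmmss...), so plain string
# order is chronological order.
context_csn() {
    awk '/^contextCSN: /{ print $2 }' | sort
}

# Highest contextCSN in the LDIF text passed as $1 (empty if none).
max_csn() {
    printf '%s\n' "$1" | context_csn | tail -n 1
}

# Compare the master's LDIF ($1) with the slave's LDIF ($2).
# Prints in-sync, behind (slave older), ahead (slave newer) or unknown
# (no contextCSN on one side).  Returns 0 only for in-sync.
replication_status() {
    local master slave lower
    master=$(max_csn "$1")
    slave=$(max_csn "$2")
    if [ -z "$master" ] || [ -z "$slave" ]; then
        echo unknown
        return 2
    fi
    if [ "$master" = "$slave" ]; then
        echo in-sync
        return 0
    fi
    lower=$(printf '%s\n%s\n' "$master" "$slave" | sort | head -n 1)
    if [ "$lower" = "$slave" ]; then
        echo behind
    else
        echo ahead
    fi
    return 1
}

# Fetch the contextCSN of the suffix entry from the server at URI $1.
fetch_csn_ldif() {
    "$LDAPSEARCH" -x -D "$BINDDN" -w "$BINDPW" -H "$1" \
        -b "$SUFFIX" -s base -LLL contextCSN
}

# Usage: sh csn_check.sh ldap://master_side_IP ldap://slave_side_IP
if [ $# -eq 2 ]; then
    case "$1" in
        ldap://*|ldaps://*)
            replication_status "$(fetch_csn_ldif "$1")" "$(fetch_csn_ldif "$2")" ;;
    esac
fi
```

The exit status is 0 only when both servers report the same contextCSN, so a scheduler can alert on any non-zero result. A slave that stays behind for longer than the configured interval is the point at which to start the slave with the debug level shown above.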

    Scaling CDS Using a Load Balancer

    Replication can scale out CDS with the help of a load balancer, such as the Linux Virtual Server (LVS). LVS treats the network packet stream that goes through a certain network port as a service: it intercepts these packets and distributes them among several servers. For the installation and configuration of LVS, see the LVS documentation at:

    http://www.linuxvirtualserver.org/Documents.html

    Figure 1 (page 7) illustrates a typical CDS scale-out configuration. In this case, the LDAP clients send queries through the client network to the application server, and LVS receives the read requests and distributes them to the CDS slaves with the round-robin scheduling policy.

    Integrating the Apache HTTP Server with the mod_authnz_ldap and mod_ldap Modules

    The Apache HTTP server is distributed as a bundled package in the SLES10 distribution. The mod_authnz_ldap and mod_ldap modules are included in the Apache HTTP server package. The following procedure provides the steps to verify the installation and test the integration of the modules with the Apache HTTP server.

    Verifying the Installations

    1. Verify that the Apache HTTP server is installed correctly by entering the following command:

    # rpm -q apache2

    The version installed should display:

    apache2-2.2.0-21.2

    2. The mod_ldap.so and mod_authnz_ldap.so modules were installed as part of the distribution and should exist in the /usr/lib64/apache2 directory. Verify this by entering the following commands:

    # rpm -qil apache2 | grep mod_ldap

    The following value is returned:


    /usr/lib64/apache2/mod_ldap.so

    # rpm -qil apache2 | grep mod_authnz_ldap

    The following value is returned:

    /usr/lib64/apache2/mod_authnz_ldap.so

    3. Edit the file /etc/sysconfig/apache2 by adding mod_ldap and mod_authnz_ldap to the value of APACHE_MODULES. Once completed, it should look like the following:

    APACHE_MODULES="actions alias authnz_ldap ldap auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5"

    Testing LDAP Authentication with the Apache HTTP Server

    The Apache document root for SLES10 is /srv/www/htdocs. For this example, assume you need to restrict access to the directory /srv/www/htdocs/ldaptest and grant access to it only to the user tomy with the password tom. For information on adding a user to an LDAP server, see Performing Common CDS Server Operations (page 12).

    1. Create an HTML file named /srv/www/htdocs/ldaptest/index.html and add the following line to it:

    The LDAP support worked!

    2. Add the following contents to the file /etc/apache2/default-server.conf:

    <Directory /srv/www/htdocs/ldaptest>
        Options Indexes FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        AuthType Basic
        AuthName Internal
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPURL ldap:///dc=osm,dc=example,dc=com?uid??(objectclass=*)
        require valid-user
        AuthLDAPBindDN cn=Manager,dc=example,dc=com
        AuthLDAPBindPassword secret
    </Directory>

    AuthLDAPBindDN is the rootdn configured in the LDAP server. AuthLDAPBindPassword is the password for simple authentication in the LDAP server.

    The values of the two attributes are set in the /opt/symas/etc/openldap/slapd.conf file on the LDAP server. See Installing and Configuring Symas CDS and Apache Modules (page 8) for more details about CDS server configuration. Because the bind password is stored in clear text in the Apache configuration, a production deployment should bind with a dedicated, read-only service DN rather than the rootdn, and should keep the configuration file readable only by root.

    The mod_authnz_ldap manual about these directives is located at:

    http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

    3. Restart the Apache HTTP server by entering the following command:

    # /etc/init.d/apache2 restart

    4. Launch a browser window and navigate to http://Your_Web_Server_IP/ldaptest/.

    5. At the prompt, log in with the user name tomy and the password tom.


    Figure 6 Log In Prompt

    If the log in fails, the following message is displayed:

    Authorization Required

    If the log in succeeds, the following message is displayed: The LDAP support worked!

    Testing the Secure SSL-Enabled LDAP Connections

    For this example, assume you need to restrict access to the directory /srv/www/htdocs/ldapssltest and grant access to it only to the user tomy with the password tom.

    1. Create an HTML file named /srv/www/htdocs/ldapssltest/index.html with the following content:

    The LDAP SSL support worked!

    2. Copy the Certificate Authority file from the CDS server to the /etc/apache2 directory and name it cacert.pem. See Setting up Security for the CDS Server (page 22) for more details about the secure CDS server configuration and Certificate Authority file generation.

    3. Add the following contents to the file /etc/apache2/default-server.conf. LDAPTrustedGlobalCert is a server-wide directive and must stay outside the Directory block:

    LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/cacert.pem
    <Directory /srv/www/htdocs/ldapssltest>
        Options Indexes FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        AuthType Basic
        AuthName ldaptest
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPURL ldaps:///dc=osm,dc=example,dc=com?uid??(objectclass=*)
        require valid-user
        AuthLDAPBindDN cn=Manager,dc=example,dc=com
        AuthLDAPBindPassword secret
    </Directory>

    If the CDS server runs on a different host, name that host in the URL (ldaps://cds_server/...) so that the certificate check has a host name to match against the server certificate.

    4. Restart the Apache HTTP server by entering the following command:

    # /etc/init.d/apache2 restart


    5. Launch a browser window and navigate to:

    http://Your_Web_Server_IP/ldapssltest/

    6. At the prompt, log in with the user name tomy and password tom.

    If the log in fails, the following message is displayed:

    Authorization Required

    If the log in succeeds, the following message is displayed: The LDAP SSL support worked!

    Setting up Security for the CDS Server

    CDS runs in different computing environments, from tightly controlled local networks to the global Internet. It supports many security mechanisms to protect the data stored in the directory servers. Generally, there are three levels of security to configure: file system security, network security, and directory security. This section describes these three security levels in turn.

    File System Security

    Configuration of file system security depends on the security mechanisms of the specific operating system. For example, you can secure CDS configuration files, database files, and other miscellaneous files by setting the ownership and read/write permissions of these files. Generally, file system security is configured according to the following rules.

    All CDS-related files should be owned by the user that executes slapd. This user is usually root, although slapd can be started with the -u and -g options so that it runs as a dedicated unprivileged user after binding its ports, which limits the damage a compromised slapd can do.

    Other users should have read permission only on the ldap.conf file, certificate files, and UNIX sockets. Other users should never be granted write or execute permissions on any CDS-related files.

    The database directory, the slapd binary, the slapd.conf file, and private keys should be accessible only to the owner.

    The security configuration of these files is summarized in Table 3.

    Table 3 File Security Configurations

    File                 Owner                 Other user
    ldap.conf            Read/Write            Read
    Certificate files    Read/Write            Read
    UNIX sockets         Read/Write            Read
    Database directory   Read/Write            N/A
    slapd                Read/Write/Execute    N/A
    slapd.conf           Read/Write            N/A
    Private keys         Read/Write            N/A
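The rules in Table 3 are easy to check mechanically after installation and after every upgrade. The following is an added example, not part of the HP blueprint: a small audit script that verifies ownership and mode of the CDS files against the table. The paths are the ones used elsewhere in this document (slapd.conf, ldap.conf, the example database directory and the PEM files under /opt/symas/ssl); the slapd binary is left out because its location is not given here, and SLAPD_USER defaults to root as the text assumes. Note that a UNIX socket must be writable by a client for connect(2) to succeed, so sockets are deliberately not covered by the two rules below.

```shell
#!/bin/sh
# Added example: audit CDS file modes and ownership against Table 3.
# Paths are the ones used elsewhere in this document; SLAPD_USER is the
# account that runs slapd (root here, as the text assumes).
SLAPD_USER=${SLAPD_USER:-root}

# Octal mode and owner of a path; GNU stat first, BSD stat as a fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# Table 3 "N/A" for other users: group and other get no permission bits.
check_owner_only() {
    [ "$(( 0$(file_mode "$1") & 077 ))" -eq 0 ]
}

# Table 3 "Read" for other users: group and other may read, never write
# or execute.
check_world_read_only() {
    [ "$(( 0$(file_mode "$1") & 033 ))" -eq 0 ]
}

# Read "path rule" lines from stdin (rule: owner-only or world-read), print
# one line per violation and return the number of violations (0 = clean).
audit_cds_files() {
    local bad=0 path rule
    while read -r path rule; do
        if [ ! -e "$path" ]; then
            echo "MISSING   $path"
            bad=$((bad + 1))
            continue
        fi
        if [ "$(file_owner "$path")" != "$SLAPD_USER" ]; then
            echo "OWNER     $path is owned by $(file_owner "$path"), expected $SLAPD_USER"
            bad=$((bad + 1))
        fi
        case $rule in
            owner-only)
                check_owner_only "$path" || {
                    echo "TOO OPEN  $path mode $(file_mode "$path"), expected 0600 or 0700"
                    bad=$((bad + 1)); } ;;
            world-read)
                check_world_read_only "$path" || {
                    echo "WRITABLE  $path mode $(file_mode "$path"), others may write or execute"
                    bad=$((bad + 1)); } ;;
            *)
                echo "BAD RULE  $rule for $path"
                bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# The files Table 3 lists, with the paths used in this document.
cds_file_list() {
    cat <<'EOF'
/opt/symas/etc/openldap/slapd.conf owner-only
/opt/symas/etc/openldap/ldap.conf world-read
/var/symas/openldap-data/example owner-only
/opt/symas/ssl/serverkey.pem owner-only
/opt/symas/ssl/servercert.pem world-read
/opt/symas/ssl/cacert.pem world-read
EOF
}

# Usage: sh cds_file_audit.sh audit
if [ "${1:-}" = audit ]; then
    cds_file_list | audit_cds_files
fi
```

The return value is the number of violations, so the script can gate a deployment step. Run it as the slapd user or as root; the owner check reports any file that a different account created, for example a certificate copied in by an administrator's personal account.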

    Network Security

    Because CDS runs in many types of networks, network security is critical. CDS supports two mechanisms which can be used to configure network security: the Simple Authentication and Security Layer (SASL) framework and Transport Layer Security (TLS).

    Using Simple Authentication and Security Layer

    SASL supports several industry-standard authentication mechanisms, including GSSAPI for Kerberos V, DIGEST-MD5, PLAIN, and EXTERNAL for use with TLS. By default, the LDAP command-line tools use SASL for authentication. Use the -x option with the LDAP commands if you want to select Simple Authentication instead of SASL.


    This section provides the steps for configuring SASL with the DIGEST-MD5 and EXTERNAL mechanisms.

    Configuring SASL with DIGEST-MD5

    In the DIGEST-MD5 mechanism, the server sends a challenge (a nonce) when authentication begins and the client returns a response that proves it knows the password without sending the password itself over the wire. This makes the mechanism safer than Simple Authentication, which transmits the password in clear text unless TLS is in use. DIGEST-MD5 has since been deprecated (RFC 6331) because of cryptographic and interoperability weaknesses, so prefer TLS with EXTERNAL or GSSAPI where possible.

    1. Verify that the CDS test data is imported into the directory server and that slapd is running properly.

    2. Use the saslpasswd2 command on the CDS server to create a test user named osmsusr by entering the following:

    # /opt/symas/bin/saslpasswd2 -c osmsusr

    3. At the prompt, enter abc123 for the password.

    If no user domain (realm) is provided to saslpasswd2, the host name of the machine is used as the default domain. If the host name is master, the user osmsusr@master is created. If you need to use a different domain instead of the default, enter the following command:

    # /opt/symas/bin/saslpasswd2 -c osmsusr -u cds.test

    After the password is entered, the user osmsusr@cds.test is created.

    4. Run the sasldblistusers2 command to verify that the test user is successfully stored in the SASL sasldb database:

    # /opt/symas/bin/sasldblistusers2

    The following is displayed:

    osmsusr@master: userPassword

    5. On the CDS client machine, use the ldapsearch command with DIGEST-MD5 to query the directory server on host master by entering the following:

    # /opt/symas/bin/ldapsearch -Y digest-md5 -U osmsusr@master -h master \
    -b 'dc=example,dc=com' -s base -LLL

    6. For the user osmsusr@master, enter the test password abc123.

    The following is displayed:

    SASL/DIGEST-MD5 authentication started
    Please enter your password:
    SASL username: osmsusr@master
    SASL SSF: 128
    SASL installing layers
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: example
    o: example

    Mapping SASL Users to Distinguished Names

    When DIGEST-MD5 is used for authentication, the user names are stored in SASL's own database (sasldb). They live in the namespace of the authentication mechanism, not in the normal LDAP namespace. slapd reformats each user name into a request Distinguished Name (DN) of the following form:

    uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth

    If no realm is used, which means no sasl-realm property is configured in the slapd.conf file, the request DNs for SASL users have the following form:


    uid=<username>,cn=<mechanism>,cn=auth

    The ldapwhoami command can be used to check the identity for a user.

    The following steps describe how to map the SASL user osmsusr@master to a DN in the LDAP namespace of the form:

    uid=osmsusr,ou=people,dc=osm,dc=example,dc=com

    1. Use the ldapadd command to add the following entry to the CDS server, based on the test data:

    # /opt/symas/bin/ldapadd -x -D rootdn -w rootpw -h cds_server

    dn: uid=osmsusr,ou=people,dc=osm,dc=example,dc=com
    objectClass: inetOrgPerson
    uid: osmsusr
    sn: osms user
    cn: osms user
    mail: [email protected]

    2. Use the ldapwhoami command to check the current identity of osmsusr@master by entering the following:

    # /opt/symas/bin/ldapwhoami -Y digest-md5 -U osmsusr@master -h master

    3. At the prompt, enter the password. The following is displayed:

    SASL/DIGEST-MD5 authentication started
    Please enter your password:
    SASL username: osmsusr@master
    SASL SSF: 128
    SASL installing layers
    dn:uid=osmsusr@master,cn=digest-md5,cn=auth
    Result: Success (0)

    Currently the request DN associated with osmsusr@master is uid=osmsusr@master,cn=digest-md5,cn=auth because the user is not mapped to any DN in the LDAP namespace.

    4. Edit the slapd.conf file on the CDS server by adding the following content:

    authz-regexp "uid=([^,]*)@master,cn=digest-md5,cn=auth"
        "uid=$1,ou=people,dc=osm,dc=example,dc=com"

    This rule maps every user in the realm master to a DN of the form uid=$1,ou=people,dc=osm,dc=example,dc=com, where $1 is the user name captured by the parenthesized group. slapd evaluates authz-regexp rules in the order they appear and uses the first one that matches.

    5. Restart the CDS service and verify that no errors occurred by entering the following command:

    # /etc/init.d/cdsserver restart

    6. Use the ldapwhoami command to determine the identity of osmsusr@master by entering the following command:

    # /opt/symas/bin/ldapwhoami -Y digest-md5 -U osmsusr@master -h master

    The following is displayed:

    SASL/DIGEST-MD5 authentication started
    Please enter your password:
    SASL username: osmsusr@master
    SASL SSF: 128
    SASL installing layers
    dn:uid=osmsusr,ou=people,dc=osm,dc=example,dc=com
    Result: Success (0)

    Now the request DN of osmsusr@master is uid=osmsusr,ou=people,dc=osm,dc=example,dc=com. Any privileges and restrictions on this DN apply equally to osmsusr@master.


    Using TLS

    TLS is the standardized successor of SSL and is almost identical to it. It provides integrity and confidentiality protection for connections to the directory server at the transport layer. Combined with the EXTERNAL mechanism of SASL, TLS can also offer strong client authentication.

    TLS uses X.509 certificates to carry client and server identities. All servers must have valid certificates, but client certificates are optional unless SASL EXTERNAL is used for authentication, in which case clients must own valid certificates as well. All certificates can be created and managed with the cpksca package provided by CDS.

    Configuring TLS for Network Encryption

    1. To verify that the cpksca package has been installed on the Certificate Authority (CA) server, which might be the same machine as the CDS server, enter the following command:

    # rpm -qa|grep cpksca

    If the cpksca package is not found, download the appropriate version of the cpksca package from the OSMS distribution and install it with the rpm command.

    2. Edit the cds.conf file on the CDS server and make CDS listen on port 636 with the LDAPS protocol as well as on port 389, replacing CDS_SERVER with the host name or IP address of the CDS server:

    HOST_LIST="ldap://CDS_SERVER:389/ ldaps://CDS_SERVER:636/"

    3. Create a new CA file on the CA server by entering the following command:

    # /opt/symas/bin/CA.sh -newca

    NOTE: A CA is only valid for one year. All certificates signed by this CA become invalidon the date this CA expires.

    4. Enter the full CA server name as Common Name at the appropriate prompts.

    Record the PEM pass phrase in a safe place, because it is required whenever you sign a server or client certificate with this CA. By default, the CA certificate file, cacert.pem, is created in /opt/symas/ssl/.

    5. Copy the CA file created in step 3 to both the CDS client and the CDS server. On both machines, place the file in the /opt/symas/ssl/ directory.

    6. Edit the ldap.conf file on the CDS client by setting TLS_CACERT to the path of the CA file as follows:

    TLS_CACERT /opt/symas/ssl/cacert.pem

    7. Edit the slapd.conf file on the CDS server to set the value of TLSCACertificateFile as follows:

    TLSCACertificateFile /opt/symas/ssl/cacert.pem

    8. Generate a certificate for the CDS server by entering the following command:

    # /opt/symas/bin/CA.sh -newreq

    9. At the appropriate prompts, enter the fully qualified domain name of the CDS server as the Common Name. By default, the certificate request and the private key are stored in a new file named newreq.pem.

    10. Sign the certificate created in step 8 by entering the following command:

    # /opt/symas/bin/CA.sh -signreq

    When prompted for the PEM pass phrase, enter the phrase from step 4. After two confirmations, a signed certificate is created in the file newcert.pem.


    11. Copy the newreq.pem file created in step 9 and the newcert.pem file created in step 10 to the CDS server, and put them in the /opt/symas/ssl/ directory. On the CDS server, rename newreq.pem to serverkey.pem and newcert.pem to servercert.pem. If the private key in newreq.pem was written with a pass phrase, slapd cannot load it unattended; in that case write an unencrypted copy with openssl rsa -in newreq.pem -out serverkey.pem instead of renaming the file, and keep that copy readable only by the slapd user.

    12. Add the paths of the server certificate file and key file to the slapd.conf file by setting the values as follows:

    TLSCertificateFile /opt/symas/ssl/servercert.pem

    TLSCertificateKeyFile /opt/symas/ssl/serverkey.pem

    13. Restart the CDS server by entering the following command:

    # /etc/init.d/cdsserver restart

    14. On the CDS client, use the openssl command to verify that the CA file works by enteringthe following:

    # /opt/symas/bin/openssl verify -CAfile /opt/symas/ssl/cacert.pem \
    /opt/symas/ssl/cacert.pem

    The following displays:

    ../ssl/cacert.pem: OK

    The output might contain the following error message:

    error 9 at 0 depth lookup:certificate is not yet valid

    If this message is displayed, the clock of the client machine is earlier than the start of the validity period of the CA certificate. Synchronize the client clock with the CA server (for example with NTP) or set it to a time later than the creation time of the CA.

    15. To verify that TLS is operating correctly, enter the following command on the CDS client:

    # /opt/symas/bin/ldapsearch -x -D rootdn -w rootpw -h master \

    -b 'dc=example,dc=com' -s base -ZZ -LLL

    The option -ZZ instructs the command to issue a StartTLS request on the plain LDAP port and to fail if TLS cannot be established (a single -Z only attempts it and continues without TLS on failure).

    The following is displayed:

    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: example
    o: example

    Using the EXTERNAL Authentication Mechanism with TLS

    TLS provides strong authentication when used with the EXTERNAL mechanism. CDS clients must have a valid certificate to identify themselves. The client-side settings (certificate, key and mechanism) are written to a configuration file that is selected with the environment variable LDAPRC. The following steps describe how to configure the EXTERNAL mechanism with TLS.

    1. Verify that all the steps in Configuring TLS for Network Encryption (page 25) passed so that TLS is working correctly.

    2. Create and sign the CDS client certificate on the CA server by repeating steps 8 through 10 in Configuring TLS for Network Encryption.

    The difference is that the full domain name of the CDS client should be entered as CommonName. Verify that the Email Address is [email protected]. If it is empty,enter this e-mail address. Also, verify that the key and the signed certificate are stored inthe newreq.pem and newcert.pem files, respectively.


    3. Copy the files newreq.pem and newcert.pem, which were created in step 2, to the CDSclient and move them to the /opt/symas/ssl/ directory. Rename the file newreq.pemto clientkey.pem and the file newcert.pem to clientcert.pem.

    4. Tell the LDAP client library to read a per-user configuration file by setting the following environment variable:

    # export LDAPRC=ldap.rc

    LDAPRC names a file that the library looks for in the current working directory and in the user's home directory, so create ldap.rc in the home directory of the account that runs the client. If the current login name on the CDS client is root, and the home directory for root is /root, the file is /root/ldap.rc. Alternatively, LDAPCONF can be set to the full path of a configuration file (it must name a file, not a directory), for example:

    # export LDAPCONF=/root/ldap.rc

    5. Edit the ldap.rc file by adding the following contents:

    URI ldaps://CDS_SERVER:636/
    BASE dc=example,dc=com
    SASL_MECH EXTERNAL
    TLS_CERT /opt/symas/ssl/clientcert.pem
    TLS_KEY /opt/symas/ssl/clientkey.pem

    Where CDS_SERVER is the host name or IP address of the CDS server; it must match the Common Name of the server certificate. TLS_CACERT is already set in ldap.conf from the previous procedure.

    6. Add the following directive to the slapd.conf file:

    TLSVerifyClient demand

    This directive makes the CDS server require a valid certificate from every TLS client. If no certificate is provided or the certificate is invalid, the session is terminated immediately. It applies to every TLS connection to the server, so other TLS clients, such as the Apache module configured earlier, must then present a client certificate as well.

    7. Restart the CDS server.

    8. Use the ldapsearch command on the CDS client to verify that the EXTERNAL authentication mechanism is working by entering the following command:

    # /opt/symas/bin/ldapsearch -b 'dc=osm,dc=example,dc=com' \

    -s base -LLL

    The following displays:

    SASL/EXTERNAL authentication started
    SASL username: [email protected],CN=cdsclient.test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
    SASL SSF: 0
    dn: dc=osm,dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: osm

    9. Use the ldapwhoami command to check the DN for the user by entering the following:

    # /opt/symas/bin/ldapwhoami

    The following is displayed:

    SASL/EXTERNAL authentication started
    SASL username: [email protected],CN=cdsclient.test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
    SASL SSF: 0
    dn:[email protected],cn=cdsclient.test,o=internet widgits pty ltd,st=some-state,c=au
    Result: Success (0)

    The DN [email protected],cn=cdsclient.test,o=internet widgits pty ltd,st=some-state,c=au can be mapped to a DN in the LDAP namespace by following the steps in Mapping SASL Users to Distinguished Names (page 23). The only difference is that the pattern must match the normalized (lower-case) certificate subject shown above instead of the uid=...,cn=digest-md5,cn=auth form. The directive is authz-regexp in both cases; sasl-regexp is accepted as an older, deprecated name for the same directive.
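Both mappings above (the DIGEST-MD5 rule in Mapping SASL Users to Distinguished Names and the certificate-subject mapping for SASL EXTERNAL) can be tried offline before slapd is restarted. The following is an added example, not part of the HP blueprint or of OpenLDAP: a shell helper that applies authz-regexp rules to a request DN the way slapd does, with POSIX extended regular expressions, lower-cased input and first-match-wins ordering. The first rule is the one from this document; the second rule, which maps the local part of the e-mail address in a client certificate issued by the CA above to the same ou=people branch, is an assumption made for the example, as is the sample subject osmsusr@cds.test used in the test.

```shell
#!/bin/sh
# Added example: try authz-regexp rules offline.
# slapd compiles each pattern as a POSIX extended regular expression and
# matches it against the normalized (lower-case) request DN; $1..$9 in the
# replacement refer to the parenthesized groups.  Patterns are anchored to
# the whole DN here, which is also the safe way to write them in slapd.conf.

# Map one DN ($3) with one rule (pattern $1, replacement $2).
# Prints the mapped DN, or nothing when the pattern does not match.
sasl_map() {
    local repl
    # turn slapd's $N into sed's \N
    repl=$(printf '%s' "$2" | sed 's/[$]\([1-9]\)/\\\1/g')
    printf '%s\n' "$3" | sed -E -n "s|^$1\$|$repl|p"
}

# Apply rules read from stdin ("pattern|replacement", one per line) to the
# DN in $1 the way slapd does: first match wins; an unmatched DN keeps its
# cn=auth form, exactly as ldapwhoami showed before the rule was added.
sasl_map_first() {
    local dn out pat repl
    dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS='|' read -r pat repl; do
        [ -n "$pat" ] || continue
        out=$(sasl_map "$pat" "$repl" "$dn")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            return 0
        fi
    done
    printf '%s\n' "$dn"
    return 1
}

# Rules under test.  The first is the DIGEST-MD5 rule from this document.
# The second is an ASSUMED rule for the SASL EXTERNAL case: it maps the
# local part of the e-mail address in a client certificate issued by the
# example CA (subject ...,cn=<client host>,o=internet widgits pty ltd,
# st=some-state,c=au) to the same people branch.
cds_rules() {
    cat <<'EOF'
uid=([^,]*)@master,cn=digest-md5,cn=auth|uid=$1,ou=people,dc=osm,dc=example,dc=com
email=([^,]*)@cds\.test,cn=([^,]*),o=internet widgits pty ltd,st=some-state,c=au|uid=$1,ou=people,dc=osm,dc=example,dc=com
EOF
}

# Usage: sh sasl_map.sh 'uid=osmsusr@master,cn=digest-md5,cn=auth'
if [ -n "${1:-}" ]; then
    cds_rules | sasl_map_first "$1"
fi
```

Feed the helper the exact dn: value that ldapwhoami prints; if the output is still the cn=auth form, the rule will not match in slapd either. A literal dot in a realm or host name must be escaped as \. in the pattern, as in the second rule.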

    Directory Security

    Access to the entries and attributes stored in the CDS server is controlled by Access Control Lists (ACLs), which are configured with access directives in the file slapd.conf. The structure of an access control directive is as follows:

    access to <what> [ by <who> [ <access> ] [ <control> ] ]

    The <what> field specifies the entries or attributes the access directive applies to. It can have the following forms:

    dn[.<style>]=<pattern>
    filter=<ldapfilter>
    attrs=<attrlist>

    The <who> field specifies the users the access directive applies to. There may be multiple by clauses in an access directive, indicating that different users are granted different privileges on the same resource. It can have the following forms:

    *
    anonymous
    users
    self
    dn[.<style>]=<pattern>
    dnattr=<attrname>
    group[/<objectclass>[/<attrname>]]=<group>
    peername=<pattern>
    sockname=<pattern>
    domain=<pattern>
    sockurl=<pattern>

    The <access> field indicates the privilege that is granted. It can have one of the following values, each of which implies all of the values listed before it:

    none
    auth
    compare
    search
    read
    write

    The <control> field is optional. It controls the flow of access rule evaluation. It can have one of the following values:

    stop
    continue
    break

    For more information on access directives, visit the Web site located at:

    http://www.openldap.org/doc/admin23/slapdconf2.html#Access%20Control

    In the following example, five DNs are created as test users. They are granted different privileges on the ou attribute and the userPassword attribute of dc=osm,dc=example,dc=com.

    1. Verify that the CDS test data has been added to the CDS server by entering the following command on the CDS server:

    # /opt/symas/bin/ldapsearch -b 'dc=osm,dc=example,dc=com' -s base

    2. Add the following DNs as the test users using the ldapadd command as follows:

    # /opt/symas/bin/ldapadd -x -D rootdn -w rootpw -h CDS_SERVER

    dn: dc=dn1,dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: dn1
    ou: dn1

    dn: dc=dn2,dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: dn2
    ou: dn2

    dn: dc=dn3,dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: dn3
    ou: dn3

    dn: dc=dn4,dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: dn4
    ou: dn4

    dn: dc=dn5,dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: dn5
    ou: dn5

    3. For each DN created in step 2, set the test password to abc123 using the ldappasswd command. For example, enter the following command to set the password for dc=dn1,dc=example,dc=com:

    # /opt/symas/bin/ldappasswd -x -D rootdn -w rootpw \

    -h cds_server -s abc123 dc=dn1,dc=example,dc=com

    4. Add the following access directives to the slapd.conf file:

    access to dn="dc=osm,dc=example,dc=com" attrs=ou,userPassword
        by dn="dc=dn1,dc=example,dc=com" none
        by anonymous auth
        by dn="dc=dn2,dc=example,dc=com" compare
        by dn="dc=dn3,dc=example,dc=com" search
        by dn="dc=dn4,dc=example,dc=com" read
        by dn="dc=dn5,dc=example,dc=com" write

    NOTE: Each "by" line must start with leading whitespace (a tab or spaces), because slapd.conf treats an indented line as a continuation of the previous directive. Without it the ACL does not work.

    These directives must be placed before the default access directives, because slapd uses the first access directive whose <what> clause matches:

    access to *
        by self write
        by users read
        by anonymous auth

    5. Restart the CDS server and verify that no errors occurred by entering the following command:

    # /etc/init.d/cdsserver restart

    6. Use the ldapcompare command with 'dc=dn1,dc=example,dc=com' as the user to verify that the user has no privileges to perform compare operations on the DN:

    # /opt/symas/bin/ldapcompare -x -D 'dc=dn1,dc=example,dc=com' \

    -w abc123 -h cds_server dc=osm,dc=example,dc=com ou:osm

    Because the user 'dc=dn1,dc=example,dc=com' is assigned a privilege value of none, it cannot perform any operations on the specified resource.


    The following output displays:

    Compare Result: Insufficient access (50)

    UNDEFINED

    7. To test the compare privilege of the user 'dc=dn2,dc=example,dc=com', use ldapcompare by entering the following:

    # /opt/symas/bin/ldapcompare -x -D 'dc=dn2,dc=example,dc=com' \

    -w abc123 -h cds_server dc=osm,dc=example,dc=com ou:osm

    The return value TRUE indicates that the user 'dc=dn2,dc=example,dc=com' can perform the compare operation on the ou attribute of dc=osm,dc=example,dc=com and that the value of the ou attribute is equal to osm.

    8. Use the ldapsearch command to verify that the user 'dc=dn2,dc=example,dc=com' cannot perform the search operation on the specific resource by entering the following:

    # /opt/symas/bin/ldapsearch -x -D 'dc=dn2,dc=example,dc=com' \

    -w abc123 -h cds_server ou=osm

    The following is displayed:

    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: ou=osm
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1

    No DNs are displayed even though the DN 'dc=osm,dc=example,dc=com' with ou equal to osm does exist in the CDS database, indicating that the user dc=dn2,dc=example,dc=com is not granted the search privilege.

    9. Use the ldapsearch command with the user 'dc=dn3,dc=example,dc=com' to verify that the search privilege has been granted and takes effect:

    # /opt/symas/bin/ldapsearch -x -D 'dc=dn3,dc=example,dc=com' \

    -w abc123 -h cds_server ou=osm -LLL

    The following is displayed:

    dn: dc=osm,dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: osm

    The DN dc=osm,dc=example,dc=com is found by the search, but the ou and userPassword attributes are not listed because the user 'dc=dn3,dc=example,dc=com' does not have read privileges on these two attributes.

    10. Use the ldapsearch command with 'dc=dn4,dc=example,dc=com' to test the user's read privilege by entering the following command:

    # /opt/symas/bin/ldapsearch -x -D 'dc=dn4,dc=example,dc=com' \

    -w abc123 -h cds_server ou=osm -LLL

    The following is displayed:

    dn: dc=osm,dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: osm
    ou: osm
    userPassword:: e1NTSEF9ajJBQjhFUmNvZitTV0V5Rkp3ZGtjWE5va0J6ODFYa0g=

    Because the user dc=dn4,dc=example,dc=com is granted the read privilege, the ou and userPassword attributes are displayed in the results.

    11. Create a modify.ldif file with the following content, to verify that the user dc=dn4,dc=example,dc=com cannot modify the ou attribute of dc=osm,dc=example,dc=com:

    dn: dc=osm,dc=example,dc=com
    changetype: modify
    replace: ou
    ou: osm.test

    Notice that in the file, the value of ou is changed to osm.test.

    12. Using the ldapmodify command and the user dc=dn4,dc=example,dc=com, apply the entry modification in the modify.ldif created in step 11 by entering the following command:

    # /opt/symas/bin/ldapmodify -x -D 'dc=dn4,dc=example,dc=com' \

    -w abc123 -h cds_server -f /tmp/modify.ldif

    The following is displayed:

    modifying entry "dc=osm,dc=example,dc=com"
    ldap_modify: Insufficient access (50)

    This message means that the user dc=dn4,dc=example,dc=com has no privileges to write the ou attribute of dc=osm,dc=example,dc=com.

    13. Now, use the same ldapmodify command with the user dc=dn5,dc=example,dc=com to verify that the user has been given write privileges, by entering the following command:

    # /opt/symas/bin/ldapmodify -x -D 'dc=dn5,dc=example,dc=com' \

    -w abc123 -h cds_server -f /tmp/modify.ldif

    If write privileges are successfully granted, the following message displays:

    modifying entry "dc=osm,dc=example,dc=com"

    14. Use the ldapsearch command to verify that the attributes of dc=osm,dc=example,dc=com have been successfully changed, by entering the following command:

    # /opt/symas/bin/ldapsearch -x -D 'dc=dn5,dc=example,dc=com' \

    -w abc123 -h cds_server -b 'dc=osm,dc=example,dc=com' -s base -LLL

    The following message is displayed:

    dn: dc=osm,dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: osm
    userPassword:: e1NTSEF9ajJBQjhFUmNvZitTV0V5Rkp3ZGtjWE5va0J6ODFYa0g=
    ou: osm.test

    Notice that in the output the value of ou has changed to osm.test, because dc=dn5,dc=example,dc=com is granted the write privilege. That user can also search and read the values of ou and userPassword, as specified in the ACLs.
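    The following Python model, added here and not part of the HP blueprint or of OpenLDAP, replays the step 4 access directives against the operations in steps 6 to 14, so the expected outcome for each test user can be checked before touching the server. It assumes OpenLDAP 2.3 evaluation rules (first matching "access to" clause, then first matching "by" clause, each privilege level implying the lower ones, and search needing the search level on both the entry and the filter attribute); the entry contents and the password hash are constructed placeholders.

```python
# Privilege levels in OpenLDAP 2.3 order; each level implies every level to its left.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
OSM = "dc=osm,dc=example,dc=com"
def user(n):
    """Bind DN of test user n, as created in step 2."""
    return f"dc=dn{n},dc=example,dc=com"
# Transcription of the two slapd.conf access directives from step 4, in file order.
# The target is (dn, attrs): dn=None stands for "*", attrs=None for every attribute.
ACLS = [
    (OSM, {"ou", "userPassword"}, [
        ("dn", user(1), "none"), ("anonymous", None, "auth"),
        ("dn", user(2), "compare"), ("dn", user(3), "search"),
        ("dn", user(4), "read"), ("dn", user(5), "write")]),
    (None, None, [("self", None, "write"), ("users", None, "read"),
                  ("anonymous", None, "auth")]),
]
# Constructed copy of the dc=osm test entry; the hash is a placeholder, not the page's value.
OSM_ENTRY = {"objectClass": ["dcObject", "organizationalUnit"], "dc": "osm",
             "ou": "osm", "userPassword": "{SSHA}placeholder"}

def granted_level(requester, target_dn, attr):
    """Level the requester (bind DN, or None for anonymous) holds on one attribute."""
    for acl_dn, acl_attrs, by_clauses in ACLS:       # first matching <access to> wins
        if acl_dn is not None and acl_dn != target_dn:
            continue
        if acl_attrs is not None and attr not in acl_attrs:
            continue
        for who, value, level in by_clauses:        # first matching <by> clause decides
            if ((who == "dn" and requester == value)
                    or (who == "anonymous" and requester is None)
                    or (who == "users" and requester is not None)
                    or (who == "self" and requester == target_dn)):
                return level
        return "none"    # target matched but no <by> clause did: slapd denies
    return "read"        # slapd's built-in default when no directive matches

def allowed(requester, target_dn, attr, needed):
    """True when the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(requester, target_dn, attr)) >= LEVELS.index(needed)

def search_result(requester, entry_dn, entry, filter_attr):
    """Attributes returned by a search with filter (filter_attr=*), or None if slapd cannot
    evaluate the filter: that needs 'search' on the entry and on the filter attribute."""
    if not (allowed(requester, entry_dn, "entry", "search")
            and allowed(requester, entry_dn, filter_attr, "search")):
        return None
    return {a: v for a, v in entry.items() if allowed(requester, entry_dn, a, "read")}

if __name__ == "__main__":                          # replays steps 6 to 13 for each test user
    for n in range(1, 6):
        found = search_result(user(n), OSM, OSM_ENTRY, "ou")
        print(user(n), "compare", allowed(user(n), OSM, "ou", "compare"), "search",
              found and sorted(found), "write", allowed(user(n), OSM, "ou", "write"))
```

    The model reproduces the page's results: dn1 is denied compare (step 6), dn2 compares but gets no search hits (steps 7 and 8), dn3 sees the entry without ou and userPassword (step 9), dn4 reads both but cannot write (steps 10 and 12), and dn5 writes (step 13).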

    Monitoring OpenLDAP with the HP OpenView Operations CDS Gallery SPIs

    HP enhances the OSMS Directory Services by using HP OpenView Operations Gallery Smart Plug-Ins (OVO SPIs).


    HP OpenView Operations (OVO) is a distributed, client/server software solution designed to provide service-driven event and performance management of business-critical enterprise systems, applications, and services.

    The SPI for CDS is a value-add software component for HP OVO. This software is provided free to all customers of HP OVO for use under the terms and conditions documented on the download Web page. This SPI provides powerful, centralized tools to monitor and manage the operation of multiple installations of CDS servers on SLES10.

    The SPI components include the following:

    Policies that are designed to monitor key health parameters of the CDS server

    Policies that allow you to monitor the overall availability of the CDS server

    Tools that let you run commands on the managed CDS installation

    NOTE: The HP OVO Management Server runs on either HP-UX or Windows. For the examples in this blueprint, HP OpenView Operations for Windows (OVOW) was chosen.

    Figure 7 displays the SPI architecture and OVOW components.

    Figure 7 OVOW Architecture

    Software Prerequisites and Reference Guides

    Before attempting to install the CDS SPI, ensure that you have a functional HP OVOW 7.5 installation, including an HP OVOW Management Console and the Linux OVO SPI agents for the CDS server. In addition, the following OVOW patches are required:

    Table 4 OVOW Software Patches

    Patch Name                                       Version   Patch        Dependencies
    OVO Message Agent and Action Management patch    A.07.31   OVOW_00187   None
    Linux Service Discovery Support patch            A.07.31   OVOW_00198   OVOW_00187
    OVO Message Agent and Action Management patch    A.07.32   OVOW_00213   OVOW_00166; OVOW_00068
    OVO Message Agent and Action Management patch    A.07.33   OVOW_00234   None

    The patches listed in Table 4 can be found on the HP OpenView support website located at: http://support.openview.hp.com/patches/patch_index.jsp

    The SPI installation and configuration documents can be found on the HP OpenView Web site located at:

    http://managementsoftware.hp.com/products/spi/

    For information about installing the HP OVOW agent, see the HP OpenView Operations for Windows Installation Guide located at:

    http://ovweb.external.hp.com/ovnsmdps/pdf/ovow75_install.pdf

    Using the SPIs

    The OVOW SPIs support two methodologies to manage the CDS servers:

    User-driven methods

    Event-driven methods

    User-Driven Methods

    The user-driven functions are accessed from the Tools menu. You can start, stop, and monitor CDS from the OVOW console. The following table provides an overview of the tools in the group OpenLDAP SPI CDS:

    Table 5 Application Labels and Descriptions

    Application Label               Description
    Configure CDS Instrumentation   Extracts and deploys CDS Instrumentation.
    Restart CDS Server              Restarts the CDS server.
    Start CDS Server                Starts the CDS server on the managed node.
    Stop CDS Server                 Stops the CDS server on the managed node.

    In addition to using the tools listed in Table 5, you can also monitor the summary information of the following OpenLDAP operations:

    Add

    Bind

    Bytes Sent

    Compare

    Delete

    Entries Sent

    Initiated

    Modify

    Read Waits

    Referrals Sent

    Search

    Total Connections

    Unbind

    Write Waits

    For the OpenLDAP-SPI monitor tools to work properly, you must configure the monitor database of the respective LDAP server (OpenLDAP or CDS). For example, add the following lines to the slapd.conf file:

    # --- monitor backend
    database monitor
    access to dn.subtree="cn=Monitor"
    	by dn.exact="dc=example,dc=com" write
    	by users read
    	by * none

    Event-Driven Methods

    The event-driven methods are used to manage events that are triggered when certain conditions are met, for example, if the CDS server process utilizes a greater percentage of CPU bandwidth than the threshold defined in the policy. When a threshold is exceeded, warning messages appear in the management console. Table 6 lists the CDS SPI policy details:

    Table 6 CDS Policies in the OpenLDAP CDS Policy Group

    Policy Name: CDS CPU Usage Monitor
    Policy Type: Measurement Threshold
    Description: Monitors the CPU usage of the CDS server. By default, if the CPU utilization percentage of any CDS process exceeds 90%, a critical message is displayed in an active message browser of the OVOW console.
    Default Polling Interval: 30 seconds
    Default Threshold: 90%

    Policy Name: CDS Memory Usage Monitor
    Policy Type: Measurement Threshold
    Description: Monitors the operating system's memory usage of the CDS server. By default, if the memory utilization percentage of any CDS process exceeds 90%, a critical message is displayed in an active message browser of the OVOW console.
    Default Polling Interval: 30 seconds
    Default Threshold: 90%

    Policy Name: Process Monitor CDSSPI
    Policy Type: Scheduled Task
    Description: Monitors a CDS process. If a CDS process is killed, then a message is displayed in an active message browser of the OVOW console.
    Default Polling Interval: 1 minute
    Default Threshold: N/A

    Policy Name: Status Message CDSSPI
    Policy Type: Open Message Interface
    Description: Provides an interface for displaying CDS server error messages. The Open Message Interface policies are used by other policies and are not used directly for monitoring.
    Default Polling Interval: 5 minutes
    Default Threshold: N/A
