[deployment-guide/comm-rel: 698/727] Updated the Overview of LDAP Packages section.

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 13:24:28 UTC 2010


commit 720b9a8c552282558a3e0e5ea8f89739c338f499
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Thu Sep 30 16:09:44 2010 +0200

    Updated the Overview of LDAP Packages section.

 .../Lightweight_Directory_Access_Protocol_LDAP.xml |  485 +++++++++++++-------
 1 files changed, 323 insertions(+), 162 deletions(-)
---
diff --git a/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml b/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml
index 07a2010..e2f7166 100644
--- a/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml
+++ b/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml
@@ -108,190 +108,351 @@
     </section>
   </section>
   <section id="s1-ldap-daemonsutils">
-    <title>OpenLDAP Daemons and Utilities</title>
+    <title>Overview of LDAP Packages</title>
     <para>
-      The suite of OpenLDAP libraries and tools are included within the following packages:
+      The suite of OpenLDAP libraries and tools is provided by the following packages:
     </para>
-    <itemizedlist>
-      <listitem>
-        <para>
-          <filename>openldap</filename> — Contains the libraries necessary to run the OpenLDAP server and client applications.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <filename>openldap-clients</filename> — Contains command line tools for viewing and modifying directories on an LDAP server.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <filename>openldap-servers</filename> — Contains the servers and other utilities necessary to configure and run an LDAP server.
-        </para>
-      </listitem>
-    </itemizedlist>
+    <table id="table-ldap-packages-openldap">
+      <title>List of OpenLDAP packages</title>
+      <tgroup cols="2">
+        <colspec colname="package" colnum="1" colwidth="30*" />
+        <colspec colname="description" colnum="2" colwidth="60*" />
+        <thead>
+          <row>
+            <entry>
+              Package
+            </entry>
+            <entry>
+              Description
+            </entry>
+          </row>
+        </thead>
+        <tbody>
+          <row>
+            <entry>
+              <package>openldap</package>
+            </entry>
+            <entry>
+              A package containing the libraries necessary to run the OpenLDAP server and client applications.
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <package>openldap-clients</package>
+            </entry>
+            <entry>
+              A package containing the command line utilities for viewing and modifying directories on an LDAP server.
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <package>openldap-servers</package>
+            </entry>
+            <entry>
+              A package containing both the services and utilities to configure and run an LDAP server. This includes the <firstterm>Standalone LDAP Daemon</firstterm>, <systemitem class="service">slapd</systemitem>.
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <package>compat-openldap</package>
+            </entry>
+            <entry>
+              A package containing the OpenLDAP compatibility libraries.
+            </entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
     <para>
-      There are two servers contained in the <filename>openldap-servers</filename> package: the <firstterm>Standalone LDAP Daemon</firstterm> (<command>/usr/sbin/slapd</command>) and the <firstterm>Standalone LDAP Update Replication Daemon</firstterm> (<command>/usr/sbin/slurpd</command>).
+      Additionally, the following packages are commonly used along with the LDAP server, and extend its functionality:
     </para>
+    <table id="table-ldap-packages-additional">
+      <title>List of additional LDAP packages</title>
+      <tgroup cols="2">
+        <colspec colname="package" colnum="1" colwidth="30*" />
+        <colspec colname="description" colnum="2" colwidth="60*" />
+        <thead>
+          <row>
+            <entry>
+              Package
+            </entry>
+            <entry>
+              Description
+            </entry>
+          </row>
+        </thead>
+        <tbody>
+          <row>
+            <entry>
+              <package>nss-pam-ldapd</package>
+            </entry>
+            <entry>
+              A package containing <systemitem class="service">nslcd</systemitem>, a local LDAP name service that allows a user to perform local LDAP queries.
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <package>mod_authz_ldap</package>
+            </entry>
+            <entry>
+              <para>
+                A package containing <systemitem class="resource">mod_authz_ldap</systemitem>, the LDAP authorization module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. Note that the <systemitem class="resource">mod_ssl</systemitem> module is required when using the <systemitem class="resource">mod_authz_ldap</systemitem> module. 
+              </para>
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <package>php-ldap</package>
+            </entry>
+            <entry>
+              A package containing the <systemitem class="resource">ldap</systemitem> module, which allows PHP scripts to access information stored in an LDAP directory.
+            </entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
     <para>
-      The <command>slapd</command> daemon is the standalone LDAP server while the <command>slurpd</command> daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The <command>slurpd</command> daemon is only used when dealing with multiple LDAP servers.
+      To install the OpenLDAP packages, type the following at a shell prompt:
     </para>
+    <screen>~]# <command>yum instal openldap openldap-clients openldap-servers compat-openldap</command></screen>
     <para>
-      To perform administrative tasks, the <filename>openldap-servers</filename> package installs the following utilities into the <filename>/usr/sbin/</filename> directory:
+      Note that you must have superuser privileges (that is, you must be logged in as <systemitem class="username">root</systemitem>) to run this command. For more information on how to install new packages in &MAJOROS;, refer to <xref linkend="sec-Installing" />.
     </para>
-    <itemizedlist>
-      <listitem>
-        <para>
-          <command>slapadd</command> — Adds entries from an LDIF file to an LDAP directory. For example, the command <command>/usr/sbin/slapadd -l <replaceable>ldif-input</replaceable></command> reads in the LDIF file, <filename><replaceable>ldif-input</replaceable></filename>, containing the new entries.
-        </para>
-        <important>
-          <title>Important</title>
-          <para>
-            Only the root user may use <command>/usr/sbin/slapadd</command>. However, the directory server runs as the <filename>ldap</filename> user. Therefore the directory server is unable to modify any files created by <command>slapadd</command>. To correct this issue, after using <command>slapadd</command>, type the following command:
-          </para>
-          <screen>chown -R ldap /var/lib/ldap</screen>
-        </important>
-      </listitem>
-      <listitem>
-        <para>
-          <command>slapcat</command> — Pulls entries from an LDAP directory in the default format, <firstterm>Sleepycat Software's Berkeley DB</firstterm> system, and saves them in an LDIF file. For example, the command <command>/usr/sbin/slapcat -l <replaceable>ldif-output</replaceable></command> outputs an LDIF file called <filename><replaceable>ldif-output</replaceable></filename> containing the entries from the LDAP directory.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>slapindex</command> — Re-indexes the <command>slapd</command> directory based on the current content. This tool should be run whenever indexing options within <filename>/etc/openldap/slapd.conf</filename> are changed.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>slappasswd</command> — Generates an encrypted user password value for use with <command>ldapmodify</command> or the <command>rootpw</command> value in the <command>slapd</command> configuration file, <filename>/etc/openldap/slapd.conf</filename>. Execute the <command>/usr/sbin/slappasswd</command> command to create the password.
-        </para>
-      </listitem>
-    </itemizedlist>
-    <warning>
-      <title>Warning</title>
+    <section id="s2-ldap-packages-openldap-servers">
+      <title>Server Utilities</title>
       <para>
-        You must stop <command>slapd</command> by issuing the <command>/sbin/service ldap stop</command> command before using <command>slapadd</command>, <command>slapcat</command> or <command>slapindex</command>. Otherwise, the integrity of the LDAP directory is at risk.
+        To perform administrative tasks, the <package>openldap-servers</package> package installs the following utilities along with the <systemitem class="service">slapd</systemitem> service:
       </para>
-    </warning>
-    <para>
-      For more information on using these utilities, refer to their respective man pages.
-    </para>
-    <para>
-      The <filename>openldap-clients</filename> package installs tools into <filename>/usr/bin/</filename> which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:
-    </para>
-    <itemizedlist>
-      <listitem>
-        <para>
-          <command>ldapadd</command> — Adds entries to an LDAP directory by accepting input via a file or standard input; <command>ldapadd</command> is actually a hard link to <command>ldapmodify -a</command>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>ldapdelete</command> — Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>ldapmodify</command> — Modifies entries in an LDAP directory, accepting input via a file or standard input.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>ldappasswd</command> — Sets the password for an LDAP user.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>ldapsearch</command> — Searches for entries in an LDAP directory using a shell prompt.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>ldapcompare</command> — Opens a connection to an LDAP server, binds, and performs a comparison using specified parameters.
-        </para>
-      </listitem>
-      <listitem>
+      <table id="table-ldap-packages-openldap-servers">
+        <title>List of OpenLDAP server utilities</title>
+        <tgroup cols="2">
+          <colspec colname="command" colnum="1" colwidth="30*" />
+          <colspec colname="description" colnum="2" colwidth="60*" />
+          <thead>
+            <row>
+              <entry>
+                Command
+              </entry>
+              <entry>
+                Description
+              </entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>
+                <command>slapacl</command>
+              </entry>
+              <entry>
+                Allows you to check the access to a list of attributes.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>slapadd</command>
+              </entry>
+              <entry>
+                Allows you to add entries from an LDIF file to an LDAP directory.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>slapauth</command>
+              </entry>
+              <entry>
+                Allows you to check a list of IDs for authentication and authorization permissions.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>slapcat</command>
+              </entry>
+              <entry>
+                Allows you to pull entries from an LDAP directory in the default format and save them in an LDIF file.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>slapindex</command>
+              </entry>
+              <entry>
+                Allows you to re-index the <systemitem class="service">slapd</systemitem> directory based on the current content. Run this utility whenever you change indexing options in the configuration file.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>slappasswd</command>
+              </entry>
+              <entry>
+                Allows you to create an encrypted user password to be used with the <command>ldapmodify</command> utility, or in the <systemitem class="service">slapd</systemitem> configuration file.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>slapschema</command>
+              </entry>
+              <entry>
+                Allows you to check the compliance of a database with the corresponding schema.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>slaptest</command>
+              </entry>
+              <entry>
+                Allows you to check the LDAP server configuration.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>slapd_db_archive</command>,
+                <command>slapd_db_checkpoint</command>,
+                <command>slapd_db_deadlock</command>,
+                <command>slapd_db_dump</command>,
+                <command>slapd_db_hotbackup</command>,
+                <command>slapd_db_load</command>,
+                <command>slapd_db_printlog</command>,
+                <command>slapd_db_recover</command>,
+                <command>slapd_db_sql</command>,
+                <command>slapd_db_stat</command>,
+                <command>slapd_db_upgrade</command>,
+                <command>slapd_db_verify</command>
+              </entry>
+              <entry>
+                Provides a set of tools to work with <firstterm>Berkeley DB</firstterm> (BDB).
+              </entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
+      <important>
+        <title>Important: Make Sure the Files Have Correct Owner</title>
         <para>
-          <command>ldapwhoami</command> — Opens a connection to an LDAP server, binds, and performs a <command>whoami</command> operation.
+          Although only <systemitem class="username">root</systemitem> can run <command>slapadd</command>, the <systemitem class="service">slapd</systemitem> service runs as the <systemitem class="username">ldap</systemitem> user. Because of this, the directory server is unable to modify any files created by <command>slapadd</command>. To correct this issue, after running the <command>slapd</command> utility, type the following at a shell prompt:
         </para>
-      </listitem>
-      <listitem>
+        <screen>~]# <command>chown -R ldap:ldap /var/lib/ldap</command></screen>
+      </important>
+      <warning>
+        <title>Caution: Stop the <systemitem class="service">slapd</systemitem> Service Before Using these Utilities</title>
         <para>
-          <command>ldapmodrdn</command> — Opens a connection to an LDAP server, binds, and modifies the RDNs of entries.
+          To preserve the data integrity, stop the <systemitem class="service">slapd</systemitem> service before using <command>slapadd</command>, <command>slapcat</command>, or <command>slapindex</command>. You can do so by typing the following at a shell prompt:
         </para>
-      </listitem>
-    </itemizedlist>
-    <para>
-      With the exception of <command>ldapsearch</command>, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
-    </para>
-    <section id="s2-ldap-pam-nss">
-      <title>NSS, PAM, and LDAP</title>
-      <para>
-        In addition to the OpenLDAP packages, &MAJOROS; includes a package called <filename>nss_ldap</filename>, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.
-      </para>
-      <para>
-        The <filename>nss_ldap</filename> package provides the following modules (where <replaceable>&lt;version&gt;</replaceable> refers to the version of <filename>libnss_ldap</filename> in use):
-      </para>
-      <itemizedlist>
-        <listitem>
-          <para>
-            <filename>/lib/libnss_ldap-<replaceable>&lt;version&gt;</replaceable>.so</filename>
-          </para>
-        </listitem>
-        <listitem>
-          <para>
-            <filename>/lib/security/pam_ldap.so</filename>
-          </para>
-        </listitem>
-      </itemizedlist>
-      <para>The <filename>nss_ldap</filename> package provides the following modules for 64-bit architectures:</para>
-      <itemizedlist>
-        <listitem>
-          <para>
-            <filename>/lib64/libnss_ldap-<replaceable>&lt;version&gt;</replaceable>.so</filename>
-          </para>
-        </listitem>
-        <listitem>
-          <para>
-            <filename>/lib64/security/pam_ldap.so</filename>
-          </para>
-        </listitem>
-      </itemizedlist>
-      <para>
-        The <filename>libnss_ldap-<replaceable>&lt;version&gt;</replaceable>.so</filename> module allows applications to look up users, groups, hosts, and other information using an LDAP directory via the <firstterm>Nameservice Switch</firstterm> (NSS) interface of <command>glibc</command>. NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files.
-      </para>
-      <para>
-        The <filename>pam_ldap</filename> module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.
-      </para>
-      <para>
-        For more information about configuring PAM, refer to refer to the <citetitle pubwork="chapter">Pluggable Authentication Modules (PAM)</citetitle> chapter of the &MAJOROSVER; 6 <citetitle>Security Guide</citetitle> and the PAM man pages.
-      </para>
+        <screen>~]# <command>service slapd stop</command>
+Stopping slapd:                                            [  OK  ]</screen>
+      </warning>
     </section>
-    <section id="s2-ldap-other-apps">
-      <title>PHP4, LDAP, and the Apache HTTP Server</title>
-      <para>
-        &MAJOROS; includes a package containing an LDAP module for the PHP server-side scripting language.
-      </para>
+    <section id="s2-ldap-packages-ldap-clients">
+      <title>Client Utilities</title>
       <para>
-        The <filename>php-ldap</filename> package adds LDAP support to the PHP4 HTML-embedded scripting language via the <filename>/usr/lib/php4/ldap.so</filename> module. This module allows PHP4 scripts to access information stored in an LDAP directory.
+        The <package>openldap-clients</package> package installs the following utilities which can be used to add, modify, and delete entries in an LDAP directory:
       </para>
+      <table id="table-ldap-packages-openldap-clients">
+        <title>List of OpenLDAP client utilities</title>
+        <tgroup cols="2">
+          <colspec colname="command" colnum="1" colwidth="30*" />
+          <colspec colname="description" colnum="2" colwidth="60*" />
+          <thead>
+            <row>
+              <entry>
+                Command
+              </entry>
+              <entry>
+                Description
+              </entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>
+                <command>ldapadd</command>
+              </entry>
+              <entry>
+                Allows you to add entries to an LDAP directory, either from a file, or from standard input. It is a symbolic link to <command>ldapmodify -a</command>.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>ldapcompare</command>
+              </entry>
+              <entry>
+                Allows you to compare given attribute with an LDAP directory entry.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>ldapdelete</command>
+              </entry>
+              <entry>
+                Allows you to delete entries from an LDAP directory.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>ldapexop</command>
+              </entry>
+              <entry>
+                Allows you to perform extended LDAP operations.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>ldapmodify</command>
+              </entry>
+              <entry>
+                Allows you to modify entries in an LDAP directory, either from a file, or from standard input.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>ldapmodrdn</command>
+              </entry>
+              <entry>
+                Allows you to modify the RDN value of an LDAP directory entry.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>ldappasswd</command>
+              </entry>
+              <entry>
+                Allows you to set or change the password for an LDAP user.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>ldapsearch</command>
+              </entry>
+              <entry>
+                Allows you to search LDAP directory entries.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>ldapurl</command>
+              </entry>
+              <entry>
+                Allows you to compose or decompose LDAP URLs.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>ldapwhoami</command>
+              </entry>
+              <entry>
+                Allows you to perform a <option>whoami</option> operation on an LDAP server.
+              </entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
       <para>
-        &MAJOROS; ships with the <filename>mod_authz_ldap</filename> module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The <filename>mod_ssl</filename> module is required when using the <filename>mod_authz_ldap</filename> module.
+        With the exception of <command>ldapsearch</command>, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
       </para>
-      <important>
-        <title>Important</title>
-        <para>
-          The <filename>mod_authz_ldap</filename> module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental <filename>mod_auth_ldap</filename> module, which is not included with &MAJOROS;. Refer to the Apache Software Foundation website online at <ulink url="http://www.apache.org/" /> for details on the status of this module.
-        </para>
-      </important>
     </section>
     <section id="s2-ldap-applications">
-      <title>LDAP Client Applications</title>
-      <para>
-        There are graphical LDAP clients available which support creating and modifying directories, but they are <emphasis>not</emphasis> included with &MAJOROS;.
-      </para>
+      <title>Client Applications</title>
       <para>
-        Other LDAP clients access directories as read-only, using them to reference, but not alter, organization-wide information. Some examples of such applications are Sendmail, <application>Mozilla</application>, <application>Ekiga</application>, and <application>Evolution</application>.
+        Although there are various graphical LDAP clients capable of creating and modifying directories on the server, none of them is included in &MAJOROS;. Popular applications that can access directories in a read-only mode include <application>Mozilla Thunderbird</application>, <application>Evolution</application>, or <application>Ekiga</application>.
       </para>
     </section>
   </section>
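Review bot: the install command in the new `<screen>` element after "To install the OpenLDAP packages" is misspelled as `yum instal openldap openldap-clients openldap-servers compat-openldap`; `yum` will reject `instal`, so this should read `yum install ...` before the section ships. Further down, the "Make Sure the Files Have Correct Owner" admonition says to run `chown -R ldap:ldap /var/lib/ldap` "after running the <command>slapd</command> utility", but the paragraph is about files created by `slapadd` (the old text said so explicitly); `slapd` is the service, not the utility that creates the files, so this should be `slapadd`. Two smaller points: `slappasswd` is described as creating "an encrypted user password", but the value it produces is a password hash, and calling it hashed would match what the reader will see in the configuration file; and the `ldapcompare` description "compare given attribute with an LDAP directory entry" is missing an article ("a given attribute"). In the warning title, "Before Using these Utilities" should capitalize "These" for consistency with the other title words.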