Using OpenLDAP
OpenLDAP is a cross-platform, free, and open source implementation of a Lightweight Directory Access Protocol (LDAP) server, released under a BSD license. It was started in 1998 and since then has had active development and constant releases, being widely adopted by many commercial-grade systems and applications.
Although WebLogic server includes its own embedded LDAP server for default security management, it's neither used nor recommended for application-specific security management. That's when third-party LDAP servers and products are recommended and offer much more flexibility and features for a real-world scenario.
Tip
Note that you can use WebLogic embedded LDAP for the examples in this book, although we do recommend the experience of creating and configuring an Authentication Provider outside WebLogic.
In this section we're going to provide general guidelines for OpenLDAP configuration, but because different operating systems package the software differently, some configuration files may not be present at the same paths. Such differences should not affect the ideas expressed in this section.
Installing OpenLDAP
The OpenLDAP software is available to several operating systems: Microsoft Windows, Debian, SuSE Linux Enterprise Server, Red Hat, Solaris, Mac OS X, and so on.
It can easily be installed through package managers such as RPM, APT, or MacPorts on Linux and Mac using the following commands:
For Linux with APT:
sudo apt-get install slapd ldap-utils
For RPM-based systems:
sudo yum install openldap-servers openldap-clients nss_ldap
For Mac OSX:
sudo port install openldap
Windows users can download and install the executable package available at http://userbooster.de/en/download/openldap-for-windows.aspx.
Tip
The installation may ask for a password that will be used for the rootdn user, which is the main user for an OpenLDAP installation. Take note of this password as we're going to use it later.
We are currently using version 2.4.35 but any 2.4+ release of OpenLDAP will be sufficient for the features we're going to implement.
Configuring an OpenLDAP server
Under some distributions, OpenLDAP provides ldap.conf and slapd.conf files with standard values. There are cases where these files must be copied or renamed from default files that come as part of the distribution. For example, on a Mac OS X system, the following files must be copied or renamed:
/private/etc/openldap/ldap.conf.default to ldap.conf
/private/etc/openldap/slapd.conf.default to slapd.conf
/private/var/db/openldap/openldap-data/DB_CONFIG.example to DB_CONFIG
On Ubuntu Linux, these steps can be skipped as the configuration files are already in the /etc/ldap directory.
Tip
It's worth mentioning that there are even YouTube videos explaining how to do the basic setup of an LDAP server on Ubuntu and other popular Linux distributions. Refer to them if you have problems performing the basic operations, then come back to this section to make the specific configurations for our usage.
The files ldap.conf and slapd.conf are the most important ones in an OpenLDAP configuration, with DB_CONFIG configuring the file-based database that stores directory entries such as users and groups.
After copying or renaming the files, open ldap.conf (under /private/etc/openldap on Mac or /etc/ldap/ldap.conf on Ubuntu/Linux) so we can set or uncomment the BASE value used for the LDAP tree. Note that we're going to use example.com as our base domain value:
## Make sure you have the BASE uncommented
BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
Use the command slappasswd to generate an encoded password, or use the default password secret when asked for a password by the next command. Depending on your OS you may have already set this password during the installation.
Example:
$ slappasswd -s welcome1
{SSHA}Pcvcy4CpSL4BVLA0MWLtKM9XbV3Tw3q+
Tip
Note that this hash will change every time this command is executed.
Now we're going to use this hashed value in the rootpw variable in the configuration file. Also check or set the suffix and rootdn values in slapd.conf as follows:
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Use of strong authentication is encouraged
rootpw {SSHA}Pcvcy4CpSL4BVLA0MWLtKM9XbV3Tw3q+
Still in slapd.conf, there is a section that includes the schemas used by this instance of OpenLDAP. Enable additional schemas to store other commonly required information and structures under the directory service:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /private/etc/openldap/schema/core.schema
include /private/etc/openldap/schema/cosine.schema
include /private/etc/openldap/schema/nis.schema
include /private/etc/openldap/schema/inetorgperson.schema
Tip
On Ubuntu these steps can be done through the following commands:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
In order to test what we have configured so far, we need to restart the OpenLDAP server by issuing a command like the following:
sudo /etc/init.d/slapd restart
Or as follows:
sudo /usr/libexec/slapd -d3
Tip
A common error when setting these up under Linux environments is that the start script does not load your configuration files. To prevent such problems, take a quick look at the code present under /etc/init.d/slapd.
Loading sample entries and testing
Now you can load the default entries from the export file provided with the book bundle using the following command:
sudo ldapadd -c -D "cn=Manager,dc=example,dc=com" -W -f ldap_export.ldif
And after that you can list all the entries using a command like this:
ldapsearch -z 0 -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -W "(objectclass=*)"
If you followed all the steps and imported the file we're providing with the book, the output should look like this:
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: organizationalUnit
objectClass: dcObject
dc: example
ou: example

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

# robert@example.com, people, example.com
dn: cn=robert@example.com,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: robert@example.com
sn: Robert
mail: robert@example.com
userPassword: XXXX

# admin, groups, example.com
dn: cn=admin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: admin
member: cn=superuser@example.com,ou=people,dc=example,dc=com
ou: admin

# john@example.com, people, example.com
dn: cn=john@example.com,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: john@example.com
sn: john
userPassword:: XXXX
Tip
As with other commands in this section, the command to test may change depending on your operating system.
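Before handing an export like the one above to an authentication provider, it is worth checking that group memberships point at entries that actually exist (the admin group above lists a superuser that the listing does not show). The following added example (not from the book) parses a constructed LDIF fragment trimmed from that output and flags dangling member references and entries whose parent is missing; ou=groups is left out on purpose so the orphan check fires.

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample trimmed from the page's ldapsearch output; robert's
# surname is base64-encoded ("::") to exercise that LDIF form.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit

dn: cn=robert@example.com,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
sn:: Um9iZXJ0

dn: cn=admin,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=superuser@example.com,ou=people,dc=example,dc=com
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each DN to its attributes; 'attr:: v' carries a base64 value."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for line in text.splitlines() + [""]:       # trailing "" flushes last entry
        if not line.strip():
            if "dn" in current:
                entries[current.pop("dn")[0]] = current
            current = {}
        elif line.startswith("#"):
            continue                             # ldapsearch comment line
        elif ":: " in line:
            attr, value = line.split(":: ", 1)
            current.setdefault(attr, []).append(base64.b64decode(value).decode())
        else:
            attr, value = line.split(": ", 1)
            current.setdefault(attr, []).append(value)
    return entries


def dangling_members(entries: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """(group DN, member DN) pairs whose member entry is not in the export."""
    return [(dn, m) for dn, a in entries.items()
            if "groupOfNames" in a.get("objectClass", [])
            for m in a.get("member", []) if m not in entries]


def orphan_entries(entries: Dict[str, Dict[str, List[str]]], suffix: str) -> List[str]:
    """DNs whose parent is absent (plain string match, no DN normalisation)."""
    return [dn for dn in entries
            if dn != suffix and "," in dn and dn.split(",", 1)[1] not in entries]
```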
And that's it, we now have every required piece of software installed and configured.