LDAPd-Draft


SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!

I'm really not proud of this, I want to improve it, it's a dumpster fire.


Introduction

I had a multi-conversation discussion in #thunderirc and people wanted to know about LDAP. So, ehh, here's a basic guide on how to get LDAP set up on base OpenBSD and a little extra information that I found useful.

LDAP stands for Lightweight Directory Access Protocol and is basically a write-few, read-many kind of database. It's useful if you want to have a central place (directory) to store some information, like account credentials for instance, and have many other pieces of software hook into it for logging in (binds).

In this guide I'll only be focusing on how to get the LDAP daemon included with OpenBSD set up and running and how to test it manually. Future articles may include how to set up access control, how to make prosody use it for logins, and how to make SMTPd use it for logins. No promises on delivery though (spam me (Maddie) if you want it sooner).

Hows

Namespace

First we'll start with picking a namespace. There are basically 2 main types and the one you pick doesn't matter at all; it's all functionally the same.

DC type (recommended because that's what I use; and apparently also by some RFC):

The domain name you want to use (probably your team's homepage) with dc= in front of each part of the domain. Here's an example: example.com is my team's domain, so I'll use `dc=example,dc=com` as my namespace.

O type (good if you're lazy):

This one is much simpler but apparently not best practice. It's just o=any regular string, so if my team is called Example team X, I would use `o=Example team X` as my namespace.

This guide will use "ircnow.org" as our pseudo team and the DC type, so our namespace will be `dc=ircnow,dc=org`.

Abbreviations

In LDAP, abbreviations are used often, so it helps a lot to know what they stand for. Here's a table for reference:

dn  Distinguished Name
dc  Domain Component
o   Organization
ou  Organizational Unit
cn  Common Name

Hows

We'll start with editing `/etc/ldapd.conf`.

By default it contains 2 listen lines. In this guide I will be using `listen on ::1 secure`, which limits access to the local system over IPv6 and assumes all connections to be secure. Then you can just uncomment the example namespace and replace it with your own namespace as discussed earlier.

I recommend changing rootdn to `cn=admin,your namespace here`. Then change rootpw to a password that you will remember for the remainder of this guide. Merely entering a password will make LDAP assume it's in plaintext, but it could be a hash as well: writing {CRYPT} in front of it will make LDAP treat it as any string returned by `$ encrypt`.

/etc/ldapd.conf should look like this by now.

schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"
schema "/etc/ldap/bsd.schema"

listen on ::1 secure

namespace "dc=ircnow,dc=org" {
	rootdn		"cn=admin,dc=ircnow,dc=org"
	rootpw		"{CRYPT}$2b$09$zwo7EEy6Kov96eFzY7mj3OdwlD52qjOAMY.9F8KQV/.b3vqCOwkfa"
	index		sn
	index		givenName
	index		cn
	index		mail
}

Run `$ ldapd -n` to check for any configuration errors (possible typos). Then start LDAPd and enable it at boot by running `$ rcctl start ldapd` and `$ rcctl enable ldapd`.


Now the last thing required for LDAP to fully work is to add an entry to the root of the namespace.

Simply run `$ ldapadd -x -H ldap://[::1] -D <your ldap root dn> -w <your ldap root password>`, write an entry, then press enter.

MVP:

dn: <your namespace here>
objectclass: dcObject
objectclass: organization
o: <the name of your team>
<last component set>

Filled in example:

dn: dc=ircnow,dc=org
objectclass: dcObject
objectclass: organization
o: ircnow
dc: ircnow

THIS IS A DRAFT, but now you should technically have a working LDAPd. Add a user or something and search for records.

To add a random guy, run the ldapadd command from above and paste something like this:

dn: cn=dude,<your namespace here>
<last component set>
sn: <a surname>
objectclass: person

To search the LDAP manually, run `$ ldapsearch -x -H ldap://[::1] -D <your ldap root dn> -w <your ldap root password> -b "<distinguished name>"`.

Regular notes below

LDAP

Resources

https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format#LDIF_fields

https://ldap.com/ldap-oid-reference-guide/

https://openldap.org/doc/admin20/schema.html

https://www.rfc-editor.org/rfc/rfc2252

https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.501-201910-I!!PDF-E&type=items

https://www.openldap.org/doc/admin26/appendix-common-errors.html

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names

Exclamation point (!) denotes that the resource is really good IMO.

Notes themselves

Objects:

```LDIF
this: is
an: entry

heres: another
ldap: entry
```

These key-value pairs are called attributes.

Using ": " means set this key's value. Using "=" refers to a key with that value.

TODO: Find out if attributes are case sensitive (I think not).

There is some weird magic data thing called "objectclass". objectclasses in LDIF specify which objectclasses you want to subscribe to; you must subscribe to at least one STRUCTURAL objectclass.

Supplementing the above statement: the LDAP daemon / system itself interprets some of the attributes, so they are special/magical. Those attributes include, but are probably not limited to, dc and objectclass.

LDAP classes

Abstract

No entry can use only 1 abstract class.

Abstract class is abstract?

Ignore this type, really only the 'top' object uses it.

See also: ITU X.501 8.3.1 for additional information.

Structural

Each entry must have exactly 1 structural class.

Tells you what you may and must use in the entry.

See also: ITU X.501 8.3.2 for additional information.

Auxiliary

0 or more per entry.

Basically structural but is not the main structure.

See also: ITU X.501 8.3.3 for additional information.

Copy paste

```
maddie# cat /root/teacup
dn: dc=maddie,dc=host,dc=bsdforall,dc=org
objectclass: dcObject
objectclass: organization
dc: maddie
o: maddie.host.bsdforall.org LDAP Server
description: Root entry for maddie.host.bsdforall.org

dn: cn=Very annoyied tea cup,dc=maddie,dc=host,dc=bsdforall,dc=org
cn: Very annoyied tea cup
objectclass: thuser
accountName: teacup8biscuit
userPassword: teaCupsAlwaysUseInsecurePasswordsAparently

dn: cn=Very annoyied tea cup 2,dc=maddie,dc=host,dc=bsdforall,dc=org
cn: Very annoyied tea cup 2
objectclass: thuser
accountName: teacup8biscuit2
userPassword: teaCupsAlwaysUseInsecurePasswordsAparently

maddie# cat /etc/ldap/test
dn: dc=maddie,dc=host,dc=bsdforall,dc=org
objectclass: dcObject
objectclass: organization
o: maddie.host.bsdforall.org
dc: maddie

dn: cn=Very annoyied tea cup,dc=maddie,dc=host,dc=bsdforall,dc=org
cn: Very annoyied tea cup
objectclass: thuser
accountName: teacup8biscuit
userPassword: teaCupsAlwaysUseInsecurePasswordsAparently

dn: cn=Very annoyied tea cup 2,dc=maddie,dc=host,dc=bsdforall,dc=org
cn: Very annoyied tea cup 2
objectclass: thuser
accountName: teacup8biscuit2
userPassword: teaCupsAlwaysUseInsecurePasswordsAparently
```

Troubleshooting

Object class violation (65)

Problem: Incorrect class usage.

Possible solution: Make sure you're subscribed to the correct classes as defined above.

Possible solution: Make sure you're complying with the objectclass's rules.

Naming violation (64)

This error has annoyed me for a long time.

From what I gather the entry isn't unique enough and can be remedied by adding a unique dc (for root), ou (for groups / organizational units) or cn (for leafs, i.e. users/people/things being identified).

Non-PG answer I got from a professional: when 2 *redacted* have the same cn.

Problem: Either 2 DNs are identical or you forgot to add the leftmost component to the entry.

Possible solution: Make sure the leftmost component of the DN is present in the entry and that it is identical.

Possible solution: You have 2 identical DNs.
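An added example (not part of this draft, and not ldapd's own code) tying the "add an entry" steps from the guide to the two troubleshooting notes above: it renders an entry with the leftmost DN component set automatically, and lints an LDIF file for duplicate DNs, a missing RDN attribute (the naming-violation cases) and entries with no objectclass at all. The sample LDIF at the bottom is constructed; the user entry deliberately omits its cn so the lint has something to report.

```python
"""Build and sanity-check LDIF entries before handing them to ldapadd."""
import re

def namespace_from_domain(domain: str) -> str:
    """'ircnow.org' -> 'dc=ircnow,dc=org' (the DC-type namespace)."""
    return ",".join("dc=" + part for part in domain.lower().split("."))

def rdn(dn: str) -> tuple[str, str]:
    """Leftmost DN component as (attribute, value), e.g. ('cn', 'dude')."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()

def entry_ldif(dn: str, attrs: list[tuple[str, str]]) -> str:
    """Render one entry, adding the RDN attribute if the caller forgot it."""
    attr, value = rdn(dn)
    lines = [f"dn: {dn}"] + [f"{k}: {v}" for k, v in attrs]
    if not any(k.lower() == attr and v == value for k, v in attrs):
        lines.append(f"{attr}: {value}")
    return "\n".join(lines) + "\n"

def parse_ldif(text: str) -> list[dict]:
    """Minimal parser: blank-line separated entries of 'key: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def lint_ldif(text: str) -> list[str]:
    """Flag what ldapadd would reject as error 64 or 65 (strict, exact-match check)."""
    problems, seen = [], set()
    for e in parse_ldif(text):
        dn = e.get("dn", [""])[0]
        if dn in seen:
            problems.append(f"duplicate dn (naming violation 64): {dn}")
        seen.add(dn)
        attr, value = rdn(dn)
        if value not in e.get(attr, []):
            problems.append(f"rdn attribute '{attr}: {value}' missing (naming violation 64): {dn}")
        if "objectclass" not in e:
            problems.append(f"no objectclass (object class violation 65): {dn}")
    return problems

# Constructed sample: the guide's root entry, then a user entry missing its cn.
SAMPLE = entry_ldif(namespace_from_domain("ircnow.org"),
                    [("objectclass", "dcObject"), ("objectclass", "organization"), ("o", "ircnow")])
SAMPLE += "\ndn: cn=dude,dc=ircnow,dc=org\nsn: Dude\nobjectclass: person\n"

if __name__ == "__main__":
    print(SAMPLE)
    for problem in lint_ldif(SAMPLE):
        print("problem:", problem)
```

Feed the rendered text to the `ldapadd` command from the guide only once `lint_ldif` returns an empty list.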