LDAPd-Draft
SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!
I'm really not proud of this, I want to improve it, it's a dumpster fire.
Introduction
I had a conversation that spilled over several sessions in #thunderirc and people wanted to know about LDAP. So, ehh, here's a basic guide on how to get LDAP set up on base OpenBSD and a little extra information that I found useful.
LDAP stands for Lightweight Directory Access Protocol and is basically a write-few, read-many kind of database. It's useful if you want a central place (directory) to store some information, like account credentials for instance, and have many other pieces of software hook into it for logging in (binds).
In this guide I'll only be focusing on how to get the LDAP daemon included with OpenBSD set up and running, and how to test it manually. Future articles may include how to set up access control, how to make prosody use it for logins, and how to make SMTPd use it for logins. No promises on delivery though (spam me (Maddie) if you want it sooner).
Hows
Namespace
First we'll start by picking a namespace. There are basically 2 main types, and the one you pick doesn't matter at all; they are functionally the same.
DC type (recommended because that's what I use; and apparently also by some RFC):
O type (good if you're lazy):
This guide will use "ircnow.org" as our pseudo team and the DC type, so our namespace will be `dc=ircnow,dc=org`.
Abbreviations
In LDAP, abbreviations are used often, so it helps a lot to know what they stand for. Here's a table for reference:
| Abbreviation | Stands for |
| --- | --- |
| dn | Distinguished Name |
| dc | Domain Component |
| o | Organization |
| ou | Organizational Unit |
| cn | Common Name |
We'll start with editing `/etc/ldapd.conf`.
By default it contains 2 `listen` lines; in this guide I will be using `listen on ::1 secure`, which limits access to the local system over IPv6 and assumes all connections on that socket are secure (which is what allows a plaintext simple bind on it). Then you can just uncomment the example namespace and replace it with your own namespace as discussed earlier.
I recommend changing rootdn to `cn=admin,<your namespace here>`. Then change rootpw to a password that you will remember for the remainder of this guide. Merely entering a password makes ldapd assume it is plaintext, but it can be a hash as well: writing `{CRYPT}` in front of it makes ldapd treat it as a hash in the format returned by `$ encrypt` (see encrypt(1)), so only the hash, not the password itself, sits in the config file.
By now `/etc/ldapd.conf` should look something like this:
```
schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"
schema "/etc/ldap/bsd.schema"

listen on ::1 secure

namespace "dc=ircnow,dc=org" {
	rootdn "cn=admin,dc=ircnow,dc=org"
	rootpw "{CRYPT}$2b$09$zwo7EEy6Kov96eFzY7mj3OdwlD52qjOAMY.9F8KQV/.b3vqCOwkfa"
	index sn
	index givenName
	index cn
	index mail
}
```
Run `$ ldapd -n` to check for configuration errors (possible typos). Then start ldapd and enable it at boot by running `$ rcctl start ldapd` and `$ rcctl enable ldapd`.
Now the last thing required for LDAP to fully work is to add an entry at the root of the namespace.
Simply run `$ ldapadd -x -H ldap://[::1] -D <your ldap root dn> -w <your ldap root password>`, write an entry, then press enter. (Using `-W` instead of `-w <password>` makes ldapadd prompt for the password, so it doesn't end up in your shell history.)
MVP:
```
dn: <your namespace here>
objectclass: dcObject
objectclass: organization
o: <the name of your team>
<last component set>
```
Filled in example:
```
dn: dc=ircnow,dc=org
objectclass: dcObject
objectclass: organization
o: ircnow
dc: ircnow
```
THIS IS A DRAFT, but now you should technically have a working ldapd; add a user or something and search for records.
To add a random guy, run the ldapadd command from above and paste something like this (`<last component set>` means the left-most component of the DN repeated as an attribute, here `cn: dude`):
```
dn: cn=dude,<your namespace here>
<last component set>
sn: <a surname>
objectclass: person
```
To search LDAP manually: `$ ldapsearch -x -H ldap://[::1] -D <your ldap root dn> -w <your ldap root password> -b "<distinguished name>"`
- Regular notes below
- LDAP
- Resources
https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format#LDIF_fields
https://ldap.com/ldap-oid-reference-guide/
https://openldap.org/doc/admin20/schema.html
https://www.rfc-editor.org/rfc/rfc2252
https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.501-201910-I!!PDF-E&type=items
https://www.openldap.org/doc/admin26/appendix-common-errors.html
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names
An exclamation point (!) denotes that the resource is really good IMO.
- Notes themself
Objects:
```LDIF
this: is
an: entry

heres: another
ldap: entry
```
These key-value pairs are called attributes.
Using ": " (as in `cn: dude`) means "set this key's value". Using "=" (as in `cn=dude` inside a DN) refers to the entry whose key has that value.
TODO: Find out if attributes are case sensitive (I think not).
There is some weird magic data thing called "objectclass". The objectclass attributes in LDIF specify which objectclasses you want to subscribe to, and you must subscribe to at least one STRUCTURAL objectclass.
Supplementing the above statement: the LDAP daemon / system itself interprets some of the attributes, so they are special/magical. Those attributes include, but are probably not limited to, dc and objectclass.
- LDAP classes
- Abstract
No entry can use only an abstract class.
Abstract class is abstract?
Ignore this type, really only the 'top' object uses it.
See also: ITU X.501 8.3.1 for additional information.
- Structural
Each entry must have exactly 1 structural class.
Tells you what you may and must use in the entry.
See also: ITU X.501 8.3.2 for additional information.
- Auxiliary
0 or more per entry.
Basically structural, but not the main structure of the entry.
See also: ITU X.501 8.3.3 for additional information.
- Copy paste
```
maddie# cat /root/teacup
dn: dc=maddie,dc=host,dc=bsdforall,dc=org
objectclass: dcObject
objectclass: organization
dc: maddie
o: maddie.host.bsdforall.org LDAP Server
description: Root entry for maddie.host.bsdforall.org

dn: cn=Very annoyied tea cup,dc=maddie,dc=host,dc=bsdforall,dc=org
cn: Very annoyied tea cup
objectclass: thuser
accountName: teacup8biscuit
userPassword: teaCupsAlwaysUseInsecurePasswordsAparently

dn: cn=Very annoyied tea cup 2,dc=maddie,dc=host,dc=bsdforall,dc=org
cn: Very annoyied tea cup 2
objectclass: thuser
accountName: teacup8biscuit2
userPassword: teaCupsAlwaysUseInsecurePasswordsAparently

maddie# cat /etc/ldap/test
dn: dc=maddie,dc=host,dc=bsdforall,dc=org
objectclass: dcObject
objectclass: organization
o: maddie.host.bsdforall.org
dc: maddie

dn: cn=Very annoyied tea cup,dc=maddie,dc=host,dc=bsdforall,dc=org
cn: Very annoyied tea cup
objectclass: thuser
accountName: teacup8biscuit
userPassword: teaCupsAlwaysUseInsecurePasswordsAparently

dn: cn=Very annoyied tea cup 2,dc=maddie,dc=host,dc=bsdforall,dc=org
cn: Very annoyied tea cup 2
objectclass: thuser
accountName: teacup8biscuit2
userPassword: teaCupsAlwaysUseInsecurePasswordsAparently
```
- Troubleshooting
- Object class violation (65)
Problem: Incorrect class usage.
Possible solution: Make sure you're subscribed to the correct classes as defined above.
Possible solution: Make sure you're complying with the objectclass's rules (its MUST and MAY attributes).
- Naming violation (64)
Note: this error annoyed me for a long time.
From what I gather, the entry isn't unique enough, and it can be remedied by adding a unique dc (for the root), ou (for groups / organizational units) or cn (for leaves, i.e. users/people/things being identified).
Non-PG answer I got from a professional: when 2 *redacted* have the same cn.
Problem: Either 2 DNs are identical, or you forgot to add the left-most component of the DN to the entry as an attribute.
Possible solution: Make sure the left-most component of the DN (e.g. `cn=dude`) is also present in the entry as an attribute (`cn: dude`) with an identical value.
Possible solution: Check that no other entry already has the same DN.
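As an added example (not part of this draft), here is a small Python pre-flight checker that applies the rules from the notes and the troubleshooting sections to an LDIF file before you feed it to ldapadd: every `key: value` line is an attribute, the `attr=value` in the left-most DN component must be present in the entry as an attribute and DNs must be unique (naming violation 64), and every entry must subscribe to exactly one STRUCTURAL class (object class violation 65). The class-kind table (from the standard core schema) and the sample LDIF are constructed here; the parser deliberately ignores LDIF line continuations and escaped commas in DNs.

```python
# Added LDIF pre-flight checker for the two ldapd errors in the troubleshooting
# section (naming violation 64, object class violation 65); not from the guide.
import re

CLASS_KIND = {"top": "ABSTRACT", "dcObject": "AUXILIARY", "person": "STRUCTURAL",
              "organization": "STRUCTURAL", "organizationalUnit": "STRUCTURAL"}

def parse_ldif(text):
    """Entries as {attr (lowercased): [values]}; a blank line ends an entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # "key: value" sets an attribute
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_entry(entry):
    """Problems with one entry; 'attr=value' in the DN refers to an attribute."""
    problems, dn = [], entry["dn"][0]
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")  # left-most RDN
    if rdn_val.lower() not in [v.lower() for v in entry.get(rdn_attr.lower(), [])]:
        problems.append(f"naming violation (64): {dn} lacks '{rdn_attr}: {rdn_val}'")
    structural = [c for c in entry.get("objectclass", []) if CLASS_KIND.get(c) == "STRUCTURAL"]
    if len(structural) != 1:
        problems.append(f"object class violation (65): {dn} has {len(structural)} structural classes")
    return problems

def check_ldif(text):
    entries = parse_ldif(text)
    problems = [p for e in entries for p in check_entry(e)]
    dns = [e["dn"][0].lower() for e in entries]  # cross-entry rule: DNs are unique
    problems += [f"naming violation (64): duplicate dn {d}" for d in set(dns) if dns.count(d) > 1]
    return problems

# Constructed sample: the root entry is fine; 'dude' forgot 'cn: dude' and
# subscribes to two structural classes (person and organization).
SAMPLE = """\
dn: dc=ircnow,dc=org
objectclass: dcObject
objectclass: organization
o: ircnow
dc: ircnow

dn: cn=dude,dc=ircnow,dc=org
sn: Dudeson
objectclass: person
objectclass: organization
"""
```

Running `check_ldif(SAMPLE)` reports both problems for the `dude` entry and nothing for the root entry; a clean LDIF returns an empty list.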