Formulating and managing online identity and access control
OpenLDAP configuration is difficult for some, but your implementation may not be the source of the problem.
"It's a very broadly applicable protocol and that tends to leave people lost, wondering where to begin," Chu said. He advised IT pros installing LDAP to read, research and experiment.
We asked OpenLDAP users to answer some frequently asked questions on configuring and deploying the protocol.
Are there any easily avoided configuration problems that you would warn other IT pros about regarding encryption, certificates, etc.?
Beware the arduous Secure Sockets Layer (SSL) tasks. Configure applications without SSL certificates first to ensure that everything works, advised Ian Kaufman, research systems administrator in the Jacobs School of Engineering (JSOE) at the University of California, San Diego. Certificate management can cause distress for certain operating systems, especially Solaris, he said.
"We wanted something fairly easily implemented and managed, but also something very extensible and customizable," said Kaufman. UCSD's engineering school runs OpenLDAP on their four Ubuntu 12.04 servers, and had previously run OpenLDAP on Oracle Solaris 10 systems.
Kaufman cautioned that Pluggable Authentication Modules (PAM) are difficult to deal with, even more challenging than setting up OpenLDAP, but you have to use them. JSOE had an integrated OpenLDAP and Kerberos setup, so instead of embedding Kerberos in LDAP itself, Kaufman made life easier by "making sure the local UNIX/Linux passwd command actually updated the Kerberos password, and discovering pam_listfile," which enumerates who can access which machines, Kaufman said. While he notes there are many ways to manage and restrict access to machines with LDAP, pam_listfile offered the flexibility they needed.
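As an added example (not from the article and not JSOE's configuration), the following Python audit reads a PAM service file and flags pam_listfile entries that would not actually restrict access. The sample lines and file paths are constructed; `item`, `sense`, `file` and `onerr` are pam_listfile's own option names, and backslash-continued lines are assumed not to occur.

```python
import re

# Constructed sample of an /etc/pam.d/sshd-style file (not from the article).
SAMPLE_PAM = """\
# restrict SSH logins to users named in a per-host list
auth     required    pam_listfile.so item=user sense=allow file=/etc/ssh/allowed_users onerr=fail
auth     sufficient  pam_listfile.so item=user sense=allow file=/etc/ssh/ops_users onerr=fail
account  required    pam_listfile.so item=group sense=deny file=/etc/ssh/denied_groups onerr=succeed
auth     required    pam_listfile.so item=user sense=allow
auth     required    pam_unix.so
"""

# type, control (simple word or [bracketed] form), module path, remaining arguments
LINE_RE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_listfile(text):
    """Return (line_number, message) findings for pam_listfile entries."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = LINE_RE.match(line)
        if not m or not m.group(3).endswith("pam_listfile.so"):
            continue
        _type, control, _module, rest = m.groups()
        args = dict(a.split("=", 1) for a in rest.split() if "=" in a)
        # item, sense and file must all be present for the module to work
        missing = [k for k in ("item", "sense", "file") if k not in args]
        if missing:
            findings.append((n, "missing required option(s): " + ", ".join(missing)))
        # fail-open: an unreadable or malformed list file lets the check pass
        if args.get("onerr") == "succeed":
            findings.append((n, "onerr=succeed: list file errors let the check pass"))
        # an allow-list only restricts access when failure stops the stack
        if args.get("sense") == "allow" and control in ("sufficient", "optional"):
            findings.append((n, f"sense=allow with control '{control}' does not enforce the list"))
    return findings

if __name__ == "__main__":
    for lineno, message in audit_listfile(SAMPLE_PAM):
        print(f"line {lineno}: {message}")
```
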
As long as the system administrator builds OpenLDAP linked against OpenSSL, the open source SSL/TLS library, they won't have problems when configuring encryption or setting up certificates, said Quanah Gibson-Mount, server architect for Zimbra Inc.
"Both Red Hat and Debian [Linux distributions] link their OpenLDAP builds to fundamentally flawed alternate SSL implementations, which is one of the many reasons to avoid those builds," he said. "We've seen this cause significant problems for OpenLDAP users."
For optimal compatibility, only use OpenLDAP commands. The open source LDAP is a key component of the Zimbra Collaboration Suite software, Gibson-Mount noted. They support Ubuntu, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server environments.
Is it possible to cause problems down the road with configuration choices, even if those choices are acceptable at the time?
The Jacobs School of Engineering determined that using the Kerberos network authentication protocol overcomplicated things. When the school moved from older generations of Ubuntu to Ubuntu 12.04 LTS, they dropped MIT Kerberos, although they could have migrated Kerberos along as well if needed, Kaufman noted. The original system prevented the UCSD Jacobs School from using certain Apache plugins to permit their Web apps to use LDAP authentication. They recreated the LDAP infrastructure minus Kerberos, which Kaufman said was fairly straightforward, but not perfect.
"One thing we miss by not having Kerberos is the integrated use of NFSv4 [network file system version 4]." The switch was not without some problems and required creativity. "But really, I would say that is a push -- the complication of Kerberos vs. the gains of NFSv4."
Admins coming from Microsoft Active Directory often fear "irreversible administrative actions, requiring a full reload of the OS to recover," Chu said, and it holds them back with OpenLDAP. If you experiment in a dedicated development environment before rolling LDAP deployments out to production systems, mistakes have no consequences: "just delete the data in the development OpenLDAP installation and reload." Once the changes made in the dev environment are exactly what you want, move those to production.
Are there any supporting tools or utilities that make it easier to work with OpenLDAP?
When it comes to actual directory administration, command-line proficiency will prove handy. A shell script, or a script in another scripting language, lets systems administrators accomplish complex tasks, Chu said. Write tools in Perl to automate tasks with the Net::LDAP and Net::LDAPapi modules, Gibson-Mount suggested.
Apache Directory Studio is beneficial when managing and modifying data in OpenLDAP, Kaufman said. Apache Directory Studio handled the Jacobs School of Engineering's custom setup with multiple organizational units and integrated Kerberos well. Many OpenLDAP administrators have a graphical user interface -- Apache Directory Studio in particular -- that they favor for simpler tasks, Chu said.