Next Previous Contents

6. Aditional Informations and Features

On this section you will find information about the Netscape Address Book, a LDAP client that can be used to query your Directory. Also is presented details on how to implement Roaming Access using the Netscape Navigator, version 4.5 or above and your LDAP server. There have been a lot of talk on the OpenLDAP mailing lists about the Roaming Access, since this is a feature that is not totally implemented. Most part of the people don't like the way Netscape Navigator operates with the LDAP server while making downloads and uploads to it. So, if after reading this you find that the Roaming Access is not working the way you would like, nevermind, a lot of people passed through this situation already. The purpose of introducing this feature here is more for giving people an idea about the capabilities of the LDAP protocol. To finish you will see some information about killing safely the slapd process and about slapd logs.

6.1 Roaming Access

The goal of Roaming Access is that wherever you are on the Net, you can retrieve your bookmarks, preferences, mail filters, etc. using a Netscape Navigator and a LDAP server. This is a very nice feature, imagine that wherever you access the Web, you can have your own settings on the browser. If you will travell and you need to access that currency site that is stored on your local bookmarks, don't worry, upload the bookmarks and other configuration files to a LDAP server and you can retrieve them all later independent of the place you will be.

To implement the Roaming Access you have to follow these steps :

- Changing the attributes file : You need to add new attributes on the attribute list present on the file slapd.at.conf (this is a file you include on your slapd.conf and it's normally located at /usr/local/etc/openldap) :

attribute       nsLIPtrURL              ces 
attribute       nsLIPrefs               ces 
attribute       nsLIProfileName         cis 
attribute       nsLIData                bin 
attribute       nsLIElementType         cis 
attribute       nsLIServerType          cis 
attribute       nsLIVersion             cis 

- Changing the objectclass file : You also have to add some new classes to your slapd.oc.conf (this is another file you include on your slapd.conf and it's normally located at /usr/local/etc/openldap) in order to enable the roaming access :

objectclass nsLIPtr 
requires 
        objectclass 
allows 
        nsliptrurl, 
        owner 

objectclass nsLIProfile 
requires 
        objectclass, 
        nsliprofilename 
allows 
        nsliprefs, 
        uid, 
        owner 

objectclass nsLIProfileElement 
requires 
        objectclass, 
        nslielementtype 
allows 
        owner, 
        nslidata, 
        nsliversion 

objectclass nsLIServer 
requires 
        objectclass, 
        serverhostname 
allows 
        description, 
        cn, 
        nsserverport, 
        nsliservertype, 
        serverroot 

- Changing the LDIF file : Now you have to modify your LDIF file, adding profiles entries to each user that wish to try the Roaming Access feature of Netscape. Look an example of a simple LDIF file with profiles entries :

dn: o=myOrg,c=NL 
o: myOrg 
objectclass: organization 

dn: cn=seallers,ou=People,o=myOrg,c=NL 
cn: seallers 
userpassword: myPassword 
objectclass: top 
objectclass: person 

dn: nsLIProfileName=seallers,ou=Roaming,o=myOrg,c=NL 
changetype: add 
objectclass: top 
owner: cn=seallers,ou=People,o=myOrg,c=NL 
objectclass: top 
objectclass: nsLIProfile 
The next step is to configure Netscape to enable the Roaming Access against your LDAP server. Just follow the sequence :

- Go to Menu Edit -> Preferences -> Roaming User

Now you have to first Enable the Roaming Access for this profile, clicking on the checkbox correspondent to this option.

- Fill the username box with an appropiate value, for instance john

Pull down the arrow of the Roaming User option on the left side of the Preferences Window, so see the suboptions of Roaming Access.

- Click on Server Information and enable the option LDAP Server and fill the boxes with the following information :

Address: ldap://myHost/nsLIProfileName=$USERID,ou=Roaming,o=myOrg,c=NL

User DN: cn=$USERID,ou=People,o=myOrg,c=NL

IMPORTANT : Netscape automatically substitutes the $USERID variable for the name of the profile you selected before running the browser. So if you selected the profile seallers, it will substitute $USERID for seallers, if you selected profile gonzales, if will substitute $USERID for gonzales. If you are not familiar with profiles, run the Profile Manager aplication that comes on the Netscape Comunicator package. It's an application designed to satisfy the multiple users of a browser on the same machine, so each one can have their on settings on the browser.

The final step is to restart the server, take a look on the section 6.6 to see how you do that safely and on section 4 to see how to start it again.

6.2 Netscape Address Book

Once you have your LDAP server up and running, you can access it with many diferent clients (e.g. ldapsearch command line utility). A very interesting one is the Netscape Address Book. It's avaiable from version 4.x of Netscape but you have to use the 4.5 or above version for a stable interoperation with your LDAP server.

Just follow the sequence :

Open Netscape Navigator -> Go to Communicator Menu -> Address Book

The Netscape Address Book will be launched with some default LDAP directories. You have to add your own LDAP directory too !

Go to File Menu -> New Directory

Fill the boxes with your server information. For example :

- Description : TUDelft

- LDAP Server : dutedin.et.tudelft.nl

- Server Root : o=TUDelft, c=NL

The default LDAP port is 389, don't change it, at least if you changed this option while building your server.

Now, make simple queries to your server, using the box Show Names Containing, or advanced queries, using the Search for button.

6.3 LDAP Migration Tools

The LDAP Migration Tools are a collection of Perl scripts used to convert configuration files to the LDIF format. The scripts are provided by PADL Software Ltd and I recommend you to take a look on the license terms before using them, even being free. If you plan to use your LDAP server to authenticate users, this tools may be very usefull. Use the Migration Tools to convert your NIS or password archives to the LDIF format, making these files compatible with your LDAP Server. Apply also these Perl Scripts to migrate users, groups, aliases, hosts, netgroups, networks, protocols, RPCs and services from existing nameservices (NIS, flat files and NetInfo) to the LDIF format. To download the LDAP Migration Tools and get more information, go to the following address:

http://www.padl.com/tools.html

The package comes with a README file and the name of the script files are intuitive. Take a first look on the README file and then start aplying the scripts.

6.4 Authentication using LDAP

Your LDAP server can authenticate users using a mechanism called PAM (Pluggable Authentication Modules). Since the beginnings of UNIX, authenticating a user has been accomplished via the user entering a password and the system checking if the entered password corresponds to the encrypted official password that is stored in /etc/passwd.

That was in the beginning. Since then, a number of new ways for authenticating users became popular, including more complicated replacements for the /etc/passwd file and hardware devices called Smart cards. The problem is that each time a new authentication schema is developed, it requires all the necessary programs (login, ftpd etc...) to be rewritten to support it. PAM provides a way to develop programs that are independent of authentication scheme. These programs need "authentication modules" to be attatched to them at run-time in order to work.

The authentication module for LDAP is available as a tar ball on the following address :

http://www.padl.com/pam_ldap.html

Here I assume that your Linux distribution is already PAM prepared. If not take a look on this url : http://www.kernel.org/pub/linux/libs/pam. Actually, the various Linux distributions use different standard settings related to PAM. Usually, the configuration PAM files reside on the /etc/pam.d/ directory. There you can find a file for each service running on your box. As an example, if you want to use the LDAP server for logging users in after your Linux boot up, you should make your Linux PAM compatible (as described on the begin of this paragraph), install the LDAP PAM module and edit a file called login on the PAM configuration directory (/etc/pam.d/) with the following content :

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so

6.5 Graphical LDAP tools

Kldap is a graphical LDAP client wrote for the KDE desktop environment. Kldap has a nice interface and is able to show all the information tree stored on your Directory. You can check some screenshots from the application and download it at:

http://www.mountpoint.ch/oliver/kldap

GQ is another graphical LDAP client with a simpler interface and that was wrote for the Gnome environment. It also runs under KDE, the same way Kldap runs under Gnome. The address for downloading and getting more information is :

http://biot.com/gq/

6.6 Killing the LDAP server

To kill off slapd safely, you should give a command like this

kill -TERM `cat $(ETCDIR)/slapd.pid`

Killing slapd by a more drastic method may cause its LDBM databases to be corrupted, as it may need to flush various buffers before it exits. Note that slapd writes its pid to a file called slapd.pid in the directory you configured in slapd.conf file, for example : /usr/local/var/slapd.pid

You can change the location of this pid file by changing the SLAPD_PIDFILE variable in include/ldapconfig.h.edit

Slapd will also write its arguments to a file called slapd.args in the directory you configured in slapd.conf file, for example /usr/local/var/slapd.args

You can change the location of the args file by changing the SLAPD_ARGSFILE variable in include/ldapconfig.h.edit.

6.7 Logs

Slapd uses the syslog(8) facility to generate logs. The default user of the syslog(8) facility is LOCAL4, but values from LOCAL0, LOCAL1, up to LOCAL7 are allowed.

In order to enable the generation of logs you have to edit your syslog.conf file, usually located at /etc directory.

Create a line like this :

local4.*     /usr/adm/ldalog

This will use the default user LOCAL4 for the syslog facility. If you are not familiar with the sintax of this line, take a look at the man pages of syslog, syslog.conf and syslogd. If you want to change the default user or to specify the level of the logs generated, you have the following options while starting slapd :

-s syslog-level This option tells slapd at what level debugging statements should be logged to the syslog(8) facility. The level describes the severity of the message, and is a keyword from the following ordered list (higher to lower): emerg, alert, crit, err, warning, notice, info, and debug. Ex : slapd -f myslapd.conf -s debug

-l syslog-local-user Selects the local user of the syslog(8) facility. Values can be LOCAL0, LOCAL1, and so on, up to LOCAL7. The default is LOCAL4. However, this option is only permitted on systems that support local users with the syslog(8) facility.

Now take a look at the logs generated, they can help you a lot to solve problems with queries, updates, binding, etc.


Next Previous Contents