#LyX 1.6.1 created this file. For more info see http://www.lyx.org/
\lyxformat 345
\begin_document
\begin_header
\textclass article
\use_default_options true
\language english
\inputencoding auto
\font_roman default
\font_sans default
\font_typewriter default
\font_default_family default
\font_sc false
\font_osf false
\font_sf_scale 100
\font_tt_scale 100
\graphics default
\paperfontsize default
\use_hyperref false
\papersize default
\use_geometry false
\use_amsmath 1
\use_esint 1
\cite_engine basic
\use_bibtopic false
\paperorientation portrait
\secnumdepth 3
\tocdepth 3
\paragraph_separation indent
\defskip medskip
\quotes_language english
\papercolumns 1
\papersides 1
\paperpagestyle default
\tracking_changes false
\output_changes false
\author ""
\author ""
\end_header
\begin_body
\begin_layout Title
opensync-plugin-ldap-0.39
\end_layout
\begin_layout Author
by Juergen Leising (c) 2009
\end_layout
\begin_layout Standard
\begin_inset CommandInset toc
LatexCommand tableofcontents
\end_inset
\end_layout
\begin_layout Standard
\begin_inset Newpage newpage
\end_inset
\end_layout
\begin_layout Part
Installation
\end_layout
\begin_layout Section
Compiling the source code with cmake
\end_layout
\begin_layout Subsection
Regular build
\end_layout
\begin_layout LyX-Code
tar -xvjf libopensync-plugin-ldap-0.39.tar.bz2
\end_layout
\begin_layout LyX-Code
cd libopensync-plugin-ldap-0.39
\end_layout
\begin_layout LyX-Code
mkdir build
\end_layout
\begin_layout LyX-Code
cd build
\end_layout
\begin_layout LyX-Code
PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/" cmake -DCMAKE_INSTALL_PREFIX=/usr/lo
cal -DUPDATE_TYPE=svn /home/user1/libopensync-plugin-ldap-0.39
\end_layout
\begin_layout LyX-Code
make -s
\end_layout
\begin_layout LyX-Code
sudo make -s install
\end_layout
\begin_layout LyX-Code
sudo ldconfig
\end_layout
\begin_layout LyX-Code
cd ../..
\end_layout
\begin_layout Subsection
Debug build
\end_layout
\begin_layout LyX-Code
tar -xvjf libopensync-plugin-ldap-0.39.tar.bz2
\end_layout
\begin_layout LyX-Code
cd libopensync-plugin-ldap-0.39
\end_layout
\begin_layout LyX-Code
mkdir build_debug
\end_layout
\begin_layout LyX-Code
cd build_debug
\end_layout
\begin_layout LyX-Code
PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/" cmake -DCMAKE_INSTALL_PREFIX=/usr/lo
cal -DUPDATE_TYPE=svn -DCMAKE_BUILD_TYPE=Debug -DCMAKE_VERBOSE_MAKEFILE=ON
/home/user1/libopensync-plugin-ldap-0.39
\end_layout
\begin_layout LyX-Code
make -s
\end_layout
\begin_layout LyX-Code
sudo make -s install
\end_layout
\begin_layout LyX-Code
sudo ldconfig
\end_layout
\begin_layout LyX-Code
cd ../..
\end_layout
\begin_layout Subsection
Build doxygen based documentation of the source code
\end_layout
\begin_layout LyX-Code
cd build
\end_layout
\begin_layout LyX-Code
make doxygen
\end_layout
\begin_layout LyX-Code
firefox doc/html/index.html &
\end_layout
\begin_layout Section
Tests
\end_layout
\begin_layout Standard
There is a "test" target.
It is primarily intended for developers.
Tests which I expect to fail are commented out in the CMakeLists.txt.
\end_layout
\begin_layout Subsection
Required software
\end_layout
\begin_layout Standard
The tests make use of external tools, most notably:
\end_layout
\begin_layout Itemize
xmllint
\end_layout
\begin_layout Itemize
xsltproc
\end_layout
\begin_layout Itemize
ldapsearch
\end_layout
\begin_layout Itemize
ldapadd
\end_layout
\begin_layout Itemize
ldapmodify
\end_layout
\begin_layout Itemize
ldapdelete
\end_layout
\begin_layout Itemize
valgrind
\end_layout
\begin_layout Standard
Also required is a running and adequately configured LDAP server.
This server must be configured in a way that allows sufficient access to
the user that is set in the $AUTH variable in tests/test.conf.
Moreover, the
\begin_inset Quotes eld
\end_inset
dc=example,dc=com
\begin_inset Quotes erd
\end_inset
DN must exist in the DIT.
This requires in /etc/openldap/slapd.conf at least
\end_layout
\begin_layout LyX-Code
database bdb
\end_layout
\begin_layout LyX-Code
suffix "dc=example,dc=com"
\end_layout
\begin_layout Standard
If you prefer a different DN, you must change
\end_layout
\begin_layout Itemize
tests/test.conf and
\end_layout
\begin_layout Itemize
tests/*.ldif
\end_layout
\begin_layout Standard
accordingly.
More about how to configure the LDAP server: see below under
\begin_inset CommandInset ref
LatexCommand ref
reference "configure_ldap_server"
\end_inset
\end_layout
\begin_layout Standard
Moreover the configuration as laid out in src/ldap-sync must correspond
with the settings of the LDAP server.
If necessary change src/ldap-sync as needed (username, password, authentication
method, base names etc.).
\end_layout
\begin_layout Subsection
Running the tests
\end_layout
\begin_layout LyX-Code
mkdir build_debug
\end_layout
\begin_layout LyX-Code
cd build_debug
\end_layout
\begin_layout LyX-Code
PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/" cmake -DCMAKE_INSTALL_PREFIX=/usr/lo
cal -DUPDATE_TYPE=svn -DCMAKE_BUILD_TYPE=Debug -DCMAKE_VERBOSE_MAKEFILE=ON
-DRUN_LONG_TESTS=off /home/user1/libopensync-0.39/libopensync-plugin-ldap-0.39
\end_layout
\begin_layout Standard
or:
\end_layout
\begin_layout LyX-Code
PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/" cmake -DCMAKE_INSTALL_PREFIX=/usr/lo
cal -DUPDATE_TYPE=svn -DCMAKE_BUILD_TYPE=Debug -DCMAKE_VERBOSE_MAKEFILE=ON
-DRUN_LONG_TESTS=on /home/user1/libopensync-0.39/libopensync-plugin-ldap-0.39
\end_layout
\begin_layout Standard
and then:
\end_layout
\begin_layout LyX-Code
make
\end_layout
\begin_layout LyX-Code
make test
\end_layout
\begin_layout Standard
Tests with valgrind take quite some time: They are run only when cmake is
run with "-DRUN_LONG_TESTS=on".
\end_layout
\begin_layout LyX-Code
reset; time make test
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
100% tests passed, 0 tests failed out of 162
\end_layout
\begin_layout LyX-Code
real 277m22.568s
\end_layout
\begin_layout LyX-Code
user 217m33.966s
\end_layout
\begin_layout LyX-Code
sys 24m59.372s
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Subsection
Display a list of tests
\end_layout
\begin_layout LyX-Code
cd build
\end_layout
\begin_layout LyX-Code
ctest -N
\end_layout
\begin_layout Subsection
Run only one particular test
\end_layout
\begin_layout LyX-Code
cd build
\end_layout
\begin_layout LyX-Code
ctest -I 51,51
\end_layout
\begin_layout LyX-Code
ctest -R remove_test_ldifs
\end_layout
\begin_layout LyX-Code
reset; time ctest -R "^add_mod_del_contact1_and_fastsync"
\end_layout
\begin_layout Standard
And in case of problems:
\end_layout
\begin_layout LyX-Code
ctest -I 51,51 -V
\end_layout
\begin_layout LyX-Code
ctest -R remove_test_ldifs -V
\end_layout
\begin_layout LyX-Code
reset; time ctest -R "^add_mod_del_contact1_and_fastsync" -V
\end_layout
\begin_layout Part
Configuration
\end_layout
\begin_layout Section
Prepare the LDAP server
\begin_inset Quotes eld
\end_inset
slapd
\begin_inset Quotes erd
\end_inset
\end_layout
\begin_layout Subsection
Configure the LDAP server
\begin_inset CommandInset label
LatexCommand label
name "configure_ldap_server"
\end_inset
\end_layout
\begin_layout Standard
vim /etc/openldap/slapd.conf
\end_layout
\begin_layout Standard
A few remarks on the example below before you copy it: "rootpw password"
is shown in cleartext for brevity only; generate a hash with "slappasswd"
and use the resulting "{SSHA}..." value instead, and keep slapd.conf readable
by root and the user slapd runs as only.
The rules of the form "by users write" grant write access to every
authenticated bind-DN, not just to one account; the alternatives further
below show how to restrict this to a single user.
Finally, "access to dn.one=ou=people,... by * read" makes all attributes of
the user entries readable by anybody, including userPassword, unless a rule
such as "access to attrs=userPassword by self write by anonymous auth by *
none" precedes it (none is shown in this excerpt); a simple bind only needs
"auth" access to that attribute, not "read".
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
include /etc/openldap/schema/core.schema
\end_layout
\begin_layout LyX-Code
include /etc/openldap/schema/inetorgperson.schema
\end_layout
\begin_layout LyX-Code
include /etc/openldap/schema/evolutionperson.schema
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
database bdb
\end_layout
\begin_layout LyX-Code
suffix "dc=example,dc=com"
\end_layout
\begin_layout LyX-Code
checkpoint 1024 15
\end_layout
\begin_layout LyX-Code
####### Root
\begin_inset CommandInset label
LatexCommand label
name "rootdn"
\end_inset
account,
\begin_inset Quotes eld
\end_inset
simple
\begin_inset Quotes erd
\end_inset
authentication
\end_layout
\begin_layout LyX-Code
rootdn "cn=root,dc=example,dc=com"
\end_layout
\begin_layout LyX-Code
rootpw password
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
### Mappings to gain the bind-DN's in order
\end_layout
\begin_layout LyX-Code
### to answer the question about access rights
\end_layout
\begin_layout LyX-Code
### for SASL based authentication:
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=digest-md5,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=cram-md5,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=plain,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=login,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=gssapi,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
email=([^@]+)@host
\backslash
.([^.]+)
\backslash
.([^,]+),cn=host
\backslash
.example
\backslash
.com,ou=[^#]+[^
\backslash
]+
\backslash
ldap
\backslash
client
\backslash
[^,]+,o=a
\backslash
private
\backslash
site
\backslash
.,st=city,c=us
\end_layout
\begin_layout LyX-Code
cn=$1,dc=$2,dc=$3
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
sasl-host host.example.com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
### Access rights (note: "by users" matches EVERY authenticated bind-DN):
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=addressbook,dc=example,dc=com" by users write
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=calendar,dc=example,dc=com" by users write
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=todo,dc=example,dc=com" by users write
\end_layout
\begin_layout LyX-Code
access to dn.subtree="o=notes,dc=example,dc=com" by users write
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
access to dn.base="cn=Subschema" by * read
\end_layout
\begin_layout LyX-Code
access to dn.one="ou=people,dc=example,dc=com" by * read
\end_layout
\begin_layout LyX-Code
directory /var/lib/ldap
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
An alternative access rights section in case you want to provide only
"ldap_user" with access, but no other users, even though they may have
authenticated themselves.
Note: The following rules grant access to "ldap_user" for BOTH authentication
methods, because they list both DNs under which this user can show up:
"cn=ldap_user,dc=example,dc=com" is the bind-DN produced by the authz-regexp
mappings after an SASL based authentication, whereas
"cn=ldap_user,ou=people,dc=example,dc=com" is the DN of the entry used by
the simple authentication mechanism.
Leave one of the two out and the corresponding authentication method is
no longer sufficient to gain access:
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=addressbook,dc=example,dc=com" by dn="cn=ldap_user,dc=ex
ample,dc=com" write by dn="cn=ldap_user,ou=people,dc=example,dc=com" write
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=calendar,dc=example,dc=com" by dn="cn=ldap_user,dc=examp
le,dc=com" write by dn="cn=ldap_user,ou=people,dc=example,dc=com" write
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=todo,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d
c=com" write by dn="cn=ldap_user,ou=people,dc=example,dc=com" write
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
access to dn.subtree="o=notes,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d
c=com" write by dn="cn=ldap_user,ou=people,dc=example,dc=com" write
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
access to dn.base="cn=Subschema" by * read
\end_layout
\begin_layout LyX-Code
access to dn.one="ou=people,dc=example,dc=com" by * read
\end_layout
\begin_layout Standard
A second alternative of the access rights section: Only "ldap_user" is
granted access to the addressbook etc., and only when he has authenticated
himself using an SASL based mechanism, because the rules name the mapped
bind-DN "cn=ldap_user,dc=example,dc=com" only.
If he used the simple authentication mechanism, his bind-DN would be
"cn=ldap_user,ou=people,dc=example,dc=com", which these rules do not match,
so they would NOT be sufficient for that case:
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=addressbook,dc=example,dc=com" by dn="cn=ldap_user,dc=ex
ample,dc=com" write
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=calendar,dc=example,dc=com" by dn="cn=ldap_user,dc=examp
le,dc=com" write
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=todo,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d
c=com" write
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
access to dn.subtree="o=notes,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d
c=com" write
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
access to dn.base="cn=Subschema" by * read
\end_layout
\begin_layout LyX-Code
access to dn.one="ou=people,dc=example,dc=com" by * read
\end_layout
\begin_layout Subsection
Syntax test of the configuration file
\end_layout
\begin_layout LyX-Code
slapd -Ttest
\end_layout
\begin_layout Subsection
Build the directory information tree (= DIT)
\end_layout
\begin_layout Standard
We are going to create a hierarchical tree like this one:
\end_layout
\begin_layout Standard
\begin_inset Graphics
filename /tmp/dit1.tiff
\end_inset
\end_layout
\begin_layout Standard
ou=people will contain the user accounts for the so-called
\begin_inset Quotes eld
\end_inset
simple
\begin_inset Quotes erd
\end_inset
authentication method.
\end_layout
\begin_layout Standard
ou=addressbook is intended to store entries for object type
\begin_inset Quotes eld
\end_inset
contact
\begin_inset Quotes erd
\end_inset
(object type here is a libopensync specific term; not to be confused with
\begin_inset Quotes eld
\end_inset
object class
\begin_inset Quotes erd
\end_inset
, which is an LDAP specific term).
\end_layout
\begin_layout Standard
ou=calendar is for object type
\begin_inset Quotes eld
\end_inset
event
\begin_inset Quotes erd
\end_inset
.
\end_layout
\begin_layout Standard
ou=todo is for object type
\begin_inset Quotes eld
\end_inset
todo
\begin_inset Quotes erd
\end_inset
.
Applications often refer to this as
\begin_inset Quotes eld
\end_inset
tasks
\begin_inset Quotes erd
\end_inset
.
\end_layout
\begin_layout Standard
o=notes is for object type
\begin_inset Quotes eld
\end_inset
note
\begin_inset Quotes erd
\end_inset
.
The object class
\begin_inset Quotes eld
\end_inset
organization
\begin_inset Quotes erd
\end_inset
has been chosen here just to demonstrate that this decision has been made
in an arbitrary way.
A dedicated LDAP schema is currently used for object
\begin_inset Quotes eld
\end_inset
contact
\begin_inset Quotes erd
\end_inset
, only.
All the other object types currently use general object classes, which
will hopefully be changed eventually.
\end_layout
\begin_layout Standard
Establish the root subtree
\begin_inset Quotes eld
\end_inset
dc=example,dc=com
\begin_inset Quotes erd
\end_inset
, which is to hold the people subtree, the addressbook subtree, the todo
subtree and the notes subtree.
\end_layout
\begin_layout LyX-Code
vim root1.ldif
\end_layout
\begin_layout LyX-Code
dn: dc=example,dc=com
\end_layout
\begin_layout LyX-Code
objectClass: top
\end_layout
\begin_layout LyX-Code
objectClass: dcObject
\end_layout
\begin_layout LyX-Code
objectClass: organizationalUnit
\end_layout
\begin_layout LyX-Code
dc: example
\end_layout
\begin_layout LyX-Code
ou: top node of LDAP Server
\end_layout
\begin_layout Standard
Now add this to the DIT.
The examples pass the root password on the command line via -w for brevity
only; outside of a throw-away test setup prefer -W, which prompts for the
password, so that it does not end up in your shell history or in the process
list:
\end_layout
\begin_layout LyX-Code
ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f root1.ldif
\end_layout
\begin_layout Subsubsection
Establish an addressbook
\end_layout
\begin_layout Standard
We use the LDAP root DN and the LDAP root password to establish an addressbook:
\end_layout
\begin_layout LyX-Code
vim addressbook.ldif
\end_layout
\begin_layout LyX-Code
dn: ou=addressbook,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
objectClass: top
\end_layout
\begin_layout LyX-Code
objectClass: organizationalUnit
\end_layout
\begin_layout LyX-Code
ou: addressbook
\end_layout
\begin_layout LyX-Code
description: Personal Addressbook
\end_layout
\begin_layout Standard
Now add this LDIF file:
\end_layout
\begin_layout LyX-Code
ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f addressbook.ldif
\end_layout
\begin_layout Subsubsection
Establish a calendar
\end_layout
\begin_layout LyX-Code
vim calendar1.ldif
\end_layout
\begin_layout LyX-Code
dn: ou=calendar,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
objectClass: top
\end_layout
\begin_layout LyX-Code
objectClass: organizationalUnit
\end_layout
\begin_layout LyX-Code
ou: calendar
\end_layout
\begin_layout LyX-Code
description: Calendar
\end_layout
\begin_layout Standard
Now add this LDIF file:
\end_layout
\begin_layout LyX-Code
ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f calendar1.ldif
\end_layout
\begin_layout Subsubsection
Establish the todos
\end_layout
\begin_layout LyX-Code
vim todo1.ldif
\end_layout
\begin_layout LyX-Code
dn: ou=todo,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
objectClass: top
\end_layout
\begin_layout LyX-Code
objectClass: organizationalUnit
\end_layout
\begin_layout LyX-Code
ou: todo
\end_layout
\begin_layout LyX-Code
description: Calendar
\end_layout
\begin_layout Standard
Now add this LDIF file to the DIT:
\end_layout
\begin_layout LyX-Code
ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f todo1.ldif
\end_layout
\begin_layout Subsubsection
Establish notes
\end_layout
\begin_layout LyX-Code
vim notes.ldif
\end_layout
\begin_layout LyX-Code
dn: o=notes,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
objectClass: top
\end_layout
\begin_layout LyX-Code
objectClass: dcObject
\end_layout
\begin_layout LyX-Code
objectClass: organization
\end_layout
\begin_layout LyX-Code
dc: notes
\end_layout
\begin_layout LyX-Code
o: notes
\end_layout
\begin_layout LyX-Code
description: Notes
\end_layout
\begin_layout Standard
Now add this LDIF file:
\end_layout
\begin_layout LyX-Code
ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f notes.ldif
\end_layout
\begin_layout Section
The different authentication methods with the LDAP server
\end_layout
\begin_layout Subsection
The
\begin_inset Quotes eld
\end_inset
simple
\begin_inset Quotes erd
\end_inset
authentication
\end_layout
\begin_layout Standard
\begin_inset CommandInset label
LatexCommand label
name "simple_authentication"
\end_inset
The credentials for the
\begin_inset Quotes eld
\end_inset
simple
\begin_inset Quotes erd
\end_inset
authentication can be configured either in slapd.conf itself or in the LDAP
DIT, i.e.
in a particular database.
We have already used the first method for the LDAP root DN (see above
\begin_inset CommandInset ref
LatexCommand ref
reference "rootdn"
\end_inset
).
Now we are going to use the second method for an ordinary user
\begin_inset Quotes eld
\end_inset
ldap_user
\begin_inset Quotes erd
\end_inset
:
\end_layout
\begin_layout LyX-Code
vim ldap_user.ldif
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
dn: ou=people,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
objectClass: organizationalUnit
\end_layout
\begin_layout LyX-Code
description: LDAP user accounts.
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
dn: cn=ldap_user,ou=people,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
objectClass: inetOrgPerson
\end_layout
\begin_layout LyX-Code
cn: ldap_user
\end_layout
\begin_layout LyX-Code
sn: ldap_user
\end_layout
\begin_layout LyX-Code
givenname: ldap_user
\end_layout
\begin_layout LyX-Code
mail: ldap_user@example.com
\end_layout
\begin_layout LyX-Code
telephonenumber: 000-000-0001
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
We use the LDAP root DN and the LDAP root password to add this entry to
the DIT:
\end_layout
\begin_layout LyX-Code
ldapadd -x -D "cn=root,dc=example,dc=com" -w "password" -f ldap_user.ldif
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Provide
\begin_inset Quotes eld
\end_inset
ldap_user
\begin_inset Quotes erd
\end_inset
with the password
\begin_inset Quotes eld
\end_inset
secret
\begin_inset Quotes erd
\end_inset
.
Note the difference between -w and -s: We authenticate ourselves as root
(in terms of LDAP: root-DN with the corresponding password as configured
in slapd.conf)
\end_layout
\begin_layout LyX-Code
ldappasswd -x -D "cn=root,dc=example,dc=com" -w "password" -s "secret" "cn=ldap_
user,ou=people,dc=example,dc=com"
\end_layout
\begin_layout Subsection
Configure the SASL library
\end_layout
\begin_layout Standard
\begin_inset CommandInset label
LatexCommand label
name "sasl_in_general"
\end_inset
Which SASL mechanisms does the SASL library offer?
\end_layout
\begin_layout LyX-Code
sasl2-shared-mechlist
\end_layout
\begin_layout LyX-Code
Available mechanisms: DIGEST-MD5,GSSAPI,CRAM-MD5,LOGIN,PLAIN,ANONYMOUS
\end_layout
\begin_layout LyX-Code
Library supports: EXTERNAL,ANONYMOUS,PLAIN,LOGIN,CRAM-MD5,GSSAPI,DIGEST-MD5
\end_layout
\begin_layout Standard
\begin_inset CommandInset label
LatexCommand label
name "sasl_mechanisms_offered_by_slapd"
\end_inset
Which SASL mechanisms are supported by the LDAP server slapd with unencrypted
sessions?
\end_layout
\begin_layout LyX-Code
ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
\end_layout
\begin_layout LyX-Code
dn:
\end_layout
\begin_layout LyX-Code
supportedSASLMechanisms: DIGEST-MD5
\end_layout
\begin_layout LyX-Code
supportedSASLMechanisms: GSSAPI
\end_layout
\begin_layout LyX-Code
supportedSASLMechanisms: CRAM-MD5
\end_layout
\begin_layout Standard
Which SASL mechanisms are supported by the LDAP server slapd with encrypted
sessions:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -b "" -s base -LLL -Z supportedSASLMechanisms
\end_layout
\begin_layout LyX-Code
dn:
\end_layout
\begin_layout LyX-Code
supportedSASLMechanisms: DIGEST-MD5
\end_layout
\begin_layout LyX-Code
supportedSASLMechanisms: GSSAPI
\end_layout
\begin_layout LyX-Code
supportedSASLMechanisms: CRAM-MD5
\end_layout
\begin_layout LyX-Code
supportedSASLMechanisms: LOGIN
\end_layout
\begin_layout LyX-Code
supportedSASLMechanisms: PLAIN
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Configure SASL:
\end_layout
\begin_layout Standard
The SASL library is configured with respect to slapd in a file called
"slapd.conf".
This file is located in /usr/lib/sasl2/ (some distributions use /etc/sasl2/
instead) and it MUST NOT be confused with /etc/openldap/slapd.conf.
\end_layout
\begin_layout Standard
The mech_list in the following file determines which authentication mechanisms
are to be supported by libsasl:
\end_layout
\begin_layout Standard
Cf.
cyrus-sasl-lib-2.1.22/options.html in the source code of the sasl library.
\end_layout
\begin_layout LyX-Code
vim /usr/lib/sasl2/slapd.conf
\end_layout
\begin_layout LyX-Code
pwcheck_method: saslauthd auxprop
\end_layout
\begin_layout LyX-Code
mech_list: plain login cram-md5 digest-md5 gssapi external anonymous
\end_layout
\begin_layout LyX-Code
keytab: /etc/krb5.keytab
\end_layout
\begin_layout LyX-Code
log_level: 7
\end_layout
\begin_layout Standard
\begin_inset CommandInset label
LatexCommand label
name "sasldb_account"
\end_inset
Keep in mind that CRAM-MD5 and DIGEST-MD5 require the server side to have the
cleartext password (or an equivalent secret) available, so the sasldb file
(typically /etc/sasldb2) effectively holds recoverable credentials; make sure
it is readable only by root and the user slapd runs as.
Create the account for "ldap_user" in the SASL database as root:
\end_layout
\begin_layout LyX-Code
saslpasswd2 -c ldap_user
\end_layout
\begin_layout Standard
Check the result as root:
\end_layout
\begin_layout LyX-Code
sasldblistusers2
\end_layout
\begin_layout LyX-Code
ldap_user@host.example.com: userPassword
\end_layout
\begin_layout Standard
Do the various mechanisms work as expected?
\end_layout
\begin_layout Standard
As root in an xterm:
\end_layout
\begin_layout LyX-Code
sasl2-sample-server -s ldap
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
DIGEST-MD5 GSSAPI CRAM-MD5 LOGIN PLAIN ANONYMOUS
\end_layout
\begin_layout Standard
As a simple user in another xterm:
\end_layout
\begin_layout LyX-Code
sasl2-sample-client -m PLAIN localhost
\end_layout
\begin_layout LyX-Code
sasl2-sample-client -m DIGEST-MD5 localhost
\end_layout
\begin_layout LyX-Code
sasl2-sample-client -m CRAM-MD5 localhost
\end_layout
\begin_layout LyX-Code
sasl2-sample-client -m LOGIN localhost
\end_layout
\begin_layout LyX-Code
sasl2-sample-client -m ANONYMOUS localhost
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Assuming the Kerberos V5 system is already configured.
See below
\begin_inset CommandInset ref
LatexCommand ref
reference "kerberosv5"
\end_inset
.
\end_layout
\begin_layout LyX-Code
kinit -V ldap_user
\end_layout
\begin_layout LyX-Code
sasl2-sample-client -s ldap -m GSSAPI host.example.com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
\end_layout
\begin_layout Subsection
SASL/DIGEST-MD5
\end_layout
\begin_layout Standard
\begin_inset CommandInset label
LatexCommand label
name "digest_md5"
\end_inset
SASL using DIGEST-MD5 with the password being stored in the sasldb as shown
above under
\begin_inset CommandInset ref
LatexCommand ref
reference "sasldb_account"
\end_inset
.
For the authentication itself nothing else has to be configured.
Keep in mind, however, that DIGEST-MD5 (like CRAM-MD5) is based on MD5 and
is regarded as obsolete today (RFC 6331); it protects the password exchange,
but not necessarily the data that follows, so combine it with TLS or prefer
GSSAPI where available.
\end_layout
\begin_layout Standard
For the access rules to work the authentication identifier (bind-DN) can
be rewritten by these lines in /etc/openldap/slapd.conf:
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=digest-md5,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout Standard
Configure the opensync-plugin-ldap (the password is stored in cleartext in
the plugin's configuration, so keep the opensync configuration directory
readable by your own user only):
\end_layout
\begin_layout LyX-Code
osynctool --configure "sync_ldap_with_evolution" 2
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authcid
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
ldap_user
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
password
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
secret
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
anonymous
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
0
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authmech
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
DIGEST-MD5
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Any configuration setting performed by
\begin_inset Quotes eld
\end_inset
osynctool --configure ...
\begin_inset Quotes erd
\end_inset
must additionally be put into effect by running:
\end_layout
\begin_layout LyX-Code
osynctool --discover "sync_ldap_with_evolution"
\end_layout
\begin_layout Subsection
SASL/CRAM-MD5
\end_layout
\begin_layout Standard
SASL using CRAM-MD5 with the password being stored in the sasldb as shown
above under
\begin_inset CommandInset ref
LatexCommand ref
reference "sasldb_account"
\end_inset
.
For the authentication itself nothing else has to be configured.
\end_layout
\begin_layout Standard
For the access rules to work the authentication identifier (bind-DN) can
be rewritten by these lines in /etc/openldap/slapd.conf:
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=cram-md5,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout Standard
Configure the opensync-plugin-ldap:
\end_layout
\begin_layout LyX-Code
osynctool --configure "sync_ldap_with_evolution" 2
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authcid
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
ldap_user
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
password
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
secret
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
anonymous
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
0
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authmech
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
CRAM-MD5
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Any configuration setting performed by
\begin_inset Quotes eld
\end_inset
osynctool --configure ...
\begin_inset Quotes erd
\end_inset
must additionally be put into effect by running:
\end_layout
\begin_layout LyX-Code
osynctool --discover "sync_ldap_with_evolution"
\end_layout
\begin_layout Subsection
SASL/PLAIN over an encrypted connection
\end_layout
\begin_layout Standard
SASL using the PLAIN mechanism with the password being stored in the sasldb.
The default configuration of newer slapd versions does not accept such
an insecure authentication method without encryption.
See above under
\begin_inset CommandInset ref
LatexCommand ref
reference "sasl_mechanisms_offered_by_slapd"
\end_inset
.
As a consequence the ldap plugin must establish an encrypted connection.
This can be configured EITHER by setting the option "encryption" to 1 OR by
setting a network connection that leads to a port used for encrypted
sessions only (ldaps, port 636).
In both cases the protection is only as good as the certificate check: since
PLAIN sends the password as-is inside the TLS session, make sure the client
verifies the server certificate (for libldap based clients presumably via
TLS_CACERT and TLS_REQCERT in ldap.conf), otherwise an impersonated server
can simply collect the password:
\end_layout
\begin_layout LyX-Code
osynctool --configure "sync_ldap_with_evolution" 2
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authcid
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
ldap_user
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
password
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
secret
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
anonymous
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
0
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authmech
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
PLAIN
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
encryption
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset label
LatexCommand label
name "encrypted_connection1"
\end_inset
Network
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
host.example.com
\end_layout
\begin_layout LyX-Code
636
\end_layout
\begin_layout LyX-Code
ldaps
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Any configuration setting performed by
\begin_inset Quotes eld
\end_inset
osynctool --configure ...
\begin_inset Quotes erd
\end_inset
must additionally be set into effect by:
\end_layout
\begin_layout LyX-Code
osynctool --discover "sync_ldap_with_evolution"
\end_layout
\begin_layout Standard
For the access rules to work, the authentication identifier (bind-DN) can
be rewritten by these lines in /etc/openldap/slapd.conf:
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=plain,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout Subsection
SASL/LOGIN over an encrypted connection
\end_layout
\begin_layout Standard
SASL using LOGIN with the password being stored in the sasldb.
The default configuration of newer slapd versions does not accept such
an insecure authentication method without encryption.
See above under
\begin_inset CommandInset ref
LatexCommand ref
reference "sasl_mechanisms_offered_by_slapd"
\end_inset
.
As a consequence the ldap plugin must establish an encrypted connection.
This can be configured EITHER by setting the option
\begin_inset Quotes eld
\end_inset
encryption
\begin_inset Quotes erd
\end_inset
to 1 OR by configuring a network connection to a port that is used for encrypted
sessions only:
\end_layout
\begin_layout LyX-Code
osynctool --configure "sync_ldap_with_evolution" 2
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authcid
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
ldap_user
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
password
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
secret
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
anonymous
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
0
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authmech
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
LOGIN
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
encryption
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
Network
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
host.example.com
\end_layout
\begin_layout LyX-Code
636
\end_layout
\begin_layout LyX-Code
ldaps
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Any configuration setting performed by
\begin_inset Quotes eld
\end_inset
osynctool --configure ...
\begin_inset Quotes erd
\end_inset
must additionally be set into effect by:
\end_layout
\begin_layout LyX-Code
osynctool --discover "sync_ldap_with_evolution"
\end_layout
\begin_layout Standard
For the access rules to work, the authentication identifier (bind-DN) can
be rewritten by these lines in /etc/openldap/slapd.conf:
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=login,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout Subsection
SASL/GSSAPI (KERBEROS V5)
\end_layout
\begin_layout Standard
\begin_inset CommandInset label
LatexCommand label
name "kerberosv5"
\end_inset
SASL using GSSAPI with the password being stored in the kerberos subsystem.
This has the advantage that the password is not sent over the connection
to the LDAP server.
\end_layout
\begin_layout Subsubsection
Preparing KERBEROS V5
\end_layout
\begin_layout Paragraph
DNS configuration
\end_layout
\begin_layout Standard
Check resolver settings:
\end_layout
\begin_layout LyX-Code
vim /etc/nsswitch.conf
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
hosts: files dns
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
Add the "kerberos" host name to DNS:
\end_layout
\begin_layout LyX-Code
vim /etc/hosts
\end_layout
\begin_layout LyX-Code
192.168.1.2 host.example.com host www kerberos
\end_layout
\begin_layout Standard
Publish the KDCs via SRV records as defined in RFC 2782:
\end_layout
\begin_layout LyX-Code
vim /etc/dnsmasq.conf
\end_layout
\begin_layout LyX-Code
srv-host=_kerberos._udp,host.example.com,88
\end_layout
\begin_layout LyX-Code
srv-host=_kerberos-master._udp,host.example.com,88
\end_layout
\begin_layout LyX-Code
srv-host=_kerberos-adm._tcp,host.example.com,749
\end_layout
\begin_layout LyX-Code
srv-host=_kpasswd._udp,host.example.com,464
\end_layout
\begin_layout Standard
Make changes effective:
\end_layout
\begin_layout LyX-Code
service dnsmasq restart
\end_layout
\begin_layout Standard
Test it:
\end_layout
\begin_layout LyX-Code
host kerberos
\end_layout
\begin_layout Paragraph
Determine realm on a fedora 10 system
\end_layout
\begin_layout LyX-Code
vim /etc/sysconfig/krb5kdc
\end_layout
\begin_layout LyX-Code
KRB5KDC_ARGS=
\end_layout
\begin_layout LyX-Code
KRB5REALM=EXAMPLE.COM
\end_layout
\begin_layout Paragraph
Configure main configuration file for kerberos
\end_layout
\begin_layout LyX-Code
vim /etc/krb5.conf
\end_layout
\begin_layout LyX-Code
[libdefaults]
\end_layout
\begin_layout LyX-Code
default_realm = EXAMPLE.COM
\end_layout
\begin_layout LyX-Code
dns_lookup_realm = false
\end_layout
\begin_layout LyX-Code
dns_lookup_kdc = false
\end_layout
\begin_layout LyX-Code
ticket_lifetime = 24h
\end_layout
\begin_layout LyX-Code
forwardable = yes
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
[realms]
\end_layout
\begin_layout LyX-Code
EXAMPLE.COM = {
\end_layout
\begin_layout LyX-Code
kdc = host.example.com:88
\end_layout
\begin_layout LyX-Code
kdc = kerberos.example.com:88
\end_layout
\begin_layout LyX-Code
kdc = localhost.localdomain:88
\end_layout
\begin_layout LyX-Code
kdc = localhost
\end_layout
\begin_layout LyX-Code
admin_server = kerberos.example.com:749
\end_layout
\begin_layout LyX-Code
default_domain = example.com
\end_layout
\begin_layout LyX-Code
}
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
[domain_realm]
\end_layout
\begin_layout LyX-Code
.example.com = EXAMPLE.COM
\end_layout
\begin_layout LyX-Code
example.com = EXAMPLE.COM
\end_layout
\begin_layout LyX-Code
localdomain = EXAMPLE.COM
\end_layout
\begin_layout LyX-Code
.localdomain = EXAMPLE.COM
\end_layout
\begin_layout Paragraph
Configure the configuration file of the KDC, i.e.
the per-realm settings for issuing tickets
\end_layout
\begin_layout LyX-Code
vim /var/kerberos/krb5kdc/kdc.conf
\end_layout
\begin_layout LyX-Code
[kdcdefaults]
\end_layout
\begin_layout LyX-Code
v4_mode = nopreauth
\end_layout
\begin_layout LyX-Code
kdc_ports = 88,750
\end_layout
\begin_layout LyX-Code
kdc_tcp_ports = 88
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
[realms]
\end_layout
\begin_layout LyX-Code
EXAMPLE.COM = {
\end_layout
\begin_layout LyX-Code
acl_file = /var/kerberos/krb5kdc/kadm5.acl
\end_layout
\begin_layout LyX-Code
dict_file = /usr/share/dict/words
\end_layout
\begin_layout LyX-Code
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
\end_layout
\begin_layout LyX-Code
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:norm
al arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:norma
l des-cbc-crc:v4 des-cbc-crc:afs3
\end_layout
\begin_layout LyX-Code
}
\end_layout
\begin_layout Paragraph
Create the database for this particular realm EXAMPLE.COM and a stash file
for the server to authenticate itself using the password
\begin_inset Quotes eld
\end_inset
master
\begin_inset Quotes erd
\end_inset
\end_layout
\begin_layout Standard
If you choose not to install a stash file, the KDC will prompt you for the
master key each time it starts up.
This means that the KDC will not be able to start automatically, such as
after a system reboot.
\end_layout
\begin_layout LyX-Code
kdb5_util create -r EXAMPLE.COM -s
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
Enter KDC database master key: master
\end_layout
\begin_layout LyX-Code
Re-enter KDC database master key to verify: master
\end_layout
\begin_layout Paragraph
Grant administrative access
\end_layout
\begin_layout LyX-Code
vim /var/kerberos/krb5kdc/kadm5.acl
\end_layout
\begin_layout LyX-Code
*/admin@EXAMPLE.COM *
\end_layout
\begin_layout Paragraph
Add administrative principals to the Kerberos database
\end_layout
\begin_layout LyX-Code
kadmin.local -q "addprinc root/admin"
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Paragraph
Create service principal "ldap/host.example.com"
\end_layout
\begin_layout LyX-Code
kadmin.local -q "addprinc ldap/host.example.com"
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Paragraph
Create keytab file for service principal "ldap"
\end_layout
\begin_layout LyX-Code
kadmin.local -q "ktadd ldap/host.example.com"
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Paragraph
Adjust permissions: The keytab file must be readable by the LDAP server
\end_layout
\begin_layout Standard
For a dissenting opinion on this (which suggests building a second keytab file),
cf.
\begin_inset CommandInset href
LatexCommand href
name "http://www.openldap.org/faq/index.cgi?_highlightWords=keytab&file=630"
target "http://www.openldap.org/faq/index.cgi?_highlightWords=keytab&file=630"
\end_inset
\end_layout
\begin_layout LyX-Code
chown root:ldap /etc/krb5.keytab
\end_layout
\begin_layout LyX-Code
chmod g+r /etc/krb5.keytab
\end_layout
\begin_layout Paragraph
Create the user principal "ldap_user" with password "secret"
\end_layout
\begin_layout LyX-Code
useradd ldap_user
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
passwd ldap_user
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
kadmin.local -q "addprinc ldap_user"
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Paragraph
Useful commands
\end_layout
\begin_layout LyX-Code
kadmin.local -q "list_principals"
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
ktutil
\end_layout
\begin_layout LyX-Code
ktutil: read_kt /etc/krb5.keytab
\end_layout
\begin_layout LyX-Code
ktutil: list
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
ktutil: quit
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
kadmin.local -q "get_principal ldap"
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
kadmin.local -q "get_principal ldap_user"
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Paragraph
Adjust SELinux
\end_layout
\begin_layout LyX-Code
setsebool -P allow_kerberos 1
\end_layout
\begin_layout Paragraph
Start up the kdc on a fedora system
\end_layout
\begin_layout LyX-Code
chkconfig --level 345 kadmin on
\end_layout
\begin_layout LyX-Code
chkconfig --level 345 krb5kdc on
\end_layout
\begin_layout LyX-Code
service krb5kdc start
\end_layout
\begin_layout LyX-Code
service kadmin start
\end_layout
\begin_layout Paragraph
Kerberos related log files
\end_layout
\begin_layout LyX-Code
tail -f /var/log/krb5kdc.log
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
tail -f /var/log/kadmind.log
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Subsubsection
Configure the opensync-plugin-ldap:
\end_layout
\begin_layout LyX-Code
osynctool --configure "sync_ldap_with_evolution" 2
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authcid
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
ldap_user
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
anonymous
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
0
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authmech
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
GSSAPI
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Any configuration setting performed by
\begin_inset Quotes eld
\end_inset
osynctool --configure ...
\begin_inset Quotes erd
\end_inset
must additionally be set into effect by:
\end_layout
\begin_layout LyX-Code
osynctool --discover "sync_ldap_with_evolution"
\end_layout
\begin_layout Standard
For the access rules to work, the authentication identifier (bind-DN) can
be rewritten by these lines in /etc/openldap/slapd.conf:
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
uid=([^,]*),cn=gssapi,cn=auth
\end_layout
\begin_layout LyX-Code
cn=$1,dc=example,dc=com
\end_layout
\begin_layout Subsubsection
Using KERBEROS with SASL
\end_layout
\begin_layout Standard
Retrieve a ticket-granting ticket:
\end_layout
\begin_layout LyX-Code
kinit -V ldap_user
\end_layout
\begin_layout LyX-Code
Password for ldap_user@EXAMPLE.COM: secret
\end_layout
\begin_layout LyX-Code
Authenticated to Kerberos v5
\end_layout
\begin_layout Standard
Check the expiration date of the ticket:
\end_layout
\begin_layout LyX-Code
klist
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
Run osynctool:
\end_layout
\begin_layout LyX-Code
osynctool --configure ...
\end_layout
\begin_layout LyX-Code
osynctool --discover ...
\end_layout
\begin_layout LyX-Code
osynctool --sync ...
\end_layout
\begin_layout Subsection
SASL/EXTERNAL using the TLS cert used in a TLS encrypted connection
\end_layout
\begin_layout Standard
SASL using the EXTERNAL mechanism with both the identifier and the password
being stored in the SSL/TLS subsystem.
\end_layout
\begin_layout Subsubsection
Generate server and client certificates
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset label
LatexCommand label
name "tls_certs"
\end_inset
cd /etc/openldap/cacerts/
\end_layout
\begin_layout Standard
Create server certificate signing request and server key
\end_layout
\begin_layout LyX-Code
openssl req -new -nodes -out server.csr -keyout server.key
\end_layout
\begin_layout Standard
Sign the server certificate
\end_layout
\begin_layout LyX-Code
openssl ca -policy policy_anything -out server.crt -infiles ./server.csr
\end_layout
\begin_layout Standard
Display contents of the LDAP server certificate
\end_layout
\begin_layout LyX-Code
openssl x509 -text -in server.crt
\end_layout
\begin_layout Standard
Create client certificate signing request and client key
\end_layout
\begin_layout LyX-Code
openssl req -new -nodes -out client.csr -keyout client.key
\end_layout
\begin_layout Standard
Sign the client certificate
\end_layout
\begin_layout LyX-Code
openssl ca -out client.crt -infiles ./client.csr
\end_layout
\begin_layout Standard
Display contents of the LDAP client certificate
\end_layout
\begin_layout LyX-Code
openssl x509 -text -in client.crt
\end_layout
\begin_layout Subsubsection
Configuration of the LDAP server
\end_layout
\begin_layout Standard
Tell slapd about the TLS key and the TLS certificate:
\end_layout
\begin_layout LyX-Code
vim /etc/openldap/slapd.conf
\end_layout
\begin_layout LyX-Code
TLSCACertificatePath /etc/openldap/cacerts
\end_layout
\begin_layout LyX-Code
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
\end_layout
\begin_layout LyX-Code
TLSCertificateFile /etc/openldap/cacerts/server.crt
\end_layout
\begin_layout LyX-Code
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
\end_layout
\begin_layout Standard
Change slapd start up options on a fedora 10 system
\end_layout
\begin_layout LyX-Code
vim /etc/sysconfig/ldap
\end_layout
\begin_layout LyX-Code
SLAPD_LDAP=no
\end_layout
\begin_layout LyX-Code
SLAPD_LDAPS=yes
\end_layout
\begin_layout Standard
For the access rules to work, the authentication identifier (bind-DN) can
be rewritten by these lines in /etc/openldap/slapd.conf:
\end_layout
\begin_layout LyX-Code
authz-regexp
\end_layout
\begin_layout LyX-Code
email=([^@]+)@host
\backslash
.([^.]+)
\backslash
.([^,]+),cn=host
\backslash
.example
\backslash
.com,ou=[^#]+[^
\backslash
]+
\backslash
ldap
\backslash
client
\backslash
[^,]+,o=a
\backslash
private
\backslash
site
\backslash
.,st=city,c=us
\end_layout
\begin_layout LyX-Code
cn=$1,dc=$2,dc=$3
\end_layout
\begin_layout Standard
Check syntax of slapd.conf
\end_layout
\begin_layout LyX-Code
slapd -Ttest
\end_layout
\begin_layout Subsubsection
Configuration of the LDAP client side
\end_layout
\begin_layout LyX-Code
vim /etc/openldap/ldap.conf
\end_layout
\begin_layout LyX-Code
URI ldaps://host.example.com/
\end_layout
\begin_layout LyX-Code
BASE dc=example,dc=com
\end_layout
\begin_layout Standard
The TLS_* variables MUST NOT be configured in /etc/openldap/ldap.conf.
\end_layout
\begin_layout Standard
They MUST be configured in ~/ldaprc or ~/.ldaprc (note that TLS_REQCERT never, as used below, disables verification of the server certificate, so the client does not authenticate the server it connects to):
\end_layout
\begin_layout LyX-Code
vim /home/user1/.ldaprc
\end_layout
\begin_layout LyX-Code
TLS_CACERTDIR /etc/openldap/cacerts
\end_layout
\begin_layout LyX-Code
TLS_CACERT /etc/openldap/cacerts/server.crt
\end_layout
\begin_layout LyX-Code
TLS_CERT /etc/openldap/cacerts/client.crt
\end_layout
\begin_layout LyX-Code
TLS_KEY /etc/openldap/cacerts/client.key
\end_layout
\begin_layout LyX-Code
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
\end_layout
\begin_layout LyX-Code
TLS_REQCERT never
\end_layout
\begin_layout Subsubsection
Configure the opensync-plugin-ldap
\end_layout
\begin_layout LyX-Code
osynctool --configure "sync_ldap_with_evolution" 2
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
anonymous
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
0
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authmech
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
EXTERNAL
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
encryption
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
Network
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
host.example.com
\end_layout
\begin_layout LyX-Code
636
\end_layout
\begin_layout LyX-Code
ldaps
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Any configuration setting performed by
\begin_inset Quotes eld
\end_inset
osynctool --configure ...
\begin_inset Quotes erd
\end_inset
must additionally be set into effect by:
\end_layout
\begin_layout LyX-Code
osynctool --discover "sync_ldap_with_evolution"
\end_layout
\begin_layout Section
Proxy authorization (authzid)
\end_layout
\begin_layout Standard
\begin_inset Quotes eld
\end_inset
Proxy
\begin_inset Quotes erd
\end_inset
in this context does not have anything to do with a proxy server for http
et al., like squid.
Proxy authorization means that the user authenticates as one particular person
but acts as a different person, i.e. on behalf of that other person.
\end_layout
\begin_layout Standard
In short:
\end_layout
\begin_layout Itemize
Authentication: answers the question of who is allowed to do something at all
\end_layout
\begin_layout Itemize
Authorization: answers the question of what precisely a particular person
is entitled to do.
This is about the extent of someone's rights: how far their permissions reach.
\end_layout
\begin_layout Standard
Authorization is the second step.
The question of authorization does not arise until someone has
authenticated himself.
\end_layout
\begin_layout Standard
Say, an LDAP server has the following set of access rules:
\end_layout
\begin_layout LyX-Code
vim /etc/openldap/slapd.conf
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=addressbook,dc=example,dc=com" by dn="cn=ldap_user,dc=ex
ample,dc=com" write
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=calendar,dc=example,dc=com" by dn="cn=ldap_user,dc=examp
le,dc=com" write
\end_layout
\begin_layout LyX-Code
access to dn.subtree="ou=todo,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d
c=com" write
\end_layout
\begin_layout LyX-Code
access to dn.subtree="o=notes,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d
c=com" write
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
With this set of access rules, the user
\begin_inset Quotes eld
\end_inset
fowly
\begin_inset Quotes erd
\end_inset
would not be entitled to write to the addressbook.
However, the admin could establish proxy authorization:
\end_layout
\begin_layout LyX-Code
vim /etc/openldap/slapd.conf
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
authz-policy From
\end_layout
\begin_layout Standard
This allows the
\begin_inset Quotes eld
\end_inset
ldap_user
\begin_inset Quotes erd
\end_inset
to grant permission to
\begin_inset Quotes eld
\end_inset
fowly
\begin_inset Quotes erd
\end_inset
to act on behalf of him, the
\begin_inset Quotes eld
\end_inset
ldap_user
\begin_inset Quotes erd
\end_inset
:
\end_layout
\begin_layout LyX-Code
vim authz_from.entrymods
\end_layout
\begin_layout LyX-Code
dn: cn=ldap_user,ou=people,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
Replace: authzFrom
\end_layout
\begin_layout LyX-Code
authzFrom: cn=fowly,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
ldapmodify -x -D "cn=root,dc=example,dc=com" -w password -f authz_from.entrymods
\end_layout
\begin_layout Standard
Quick check (mind the plus sign at the end of the command):
\end_layout
\begin_layout LyX-Code
ldapsearch -x -D "cn=ldap_user,ou=people,dc=example,dc=com" -w secret -LLL
-b "cn=ldap_user,ou=people,dc=example,dc=com" +
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
authzFrom: {0}dn:cn=fowly,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
What are the consequences?
\end_layout
\begin_layout Standard
The following does not grant write access:
\end_layout
\begin_layout LyX-Code
ldapadd -U "fowly" -w "hidden" -f contact1.ldif
\end_layout
\begin_layout Standard
whereas this one does:
\end_layout
\begin_layout LyX-Code
ldapadd -U "fowly" -w "hidden" -X "dn: cn=ldap_user,ou=people,dc=example,dc=com"
-f contact1.ldif
\end_layout
\begin_layout Standard
With an LDAP server configured as just shown, the user
\begin_inset Quotes eld
\end_inset
fowly
\begin_inset Quotes erd
\end_inset
could run a typical
\begin_inset Quotes eld
\end_inset
osynctool --configure ...
\begin_inset Quotes erd
\end_inset
and set the
\begin_inset Quotes eld
\end_inset
authzid
\begin_inset Quotes erd
\end_inset
variable to
\begin_inset Quotes eld
\end_inset
dn=ldap_user,ou=people,dc=example,dc=com
\begin_inset Quotes erd
\end_inset
.
\end_layout
\begin_layout Part
Usage
\end_layout
\begin_layout Section
Synchronizing between evolution and LDAP
\end_layout
\begin_layout Standard
If you want to start from scratch:
\end_layout
\begin_layout LyX-Code
osynctool --delgroup "sync_ldap_with_evolution"
\end_layout
\begin_layout Standard
The very first configuration step: Choose a name for a particular synchronizatio
n group:
\end_layout
\begin_layout LyX-Code
osynctool --addgroup "sync_ldap_with_evolution"
\end_layout
\begin_layout Standard
Which plugins could we use for this synchronization group?
\end_layout
\begin_layout LyX-Code
osynctool --listplugins
\end_layout
\begin_layout LyX-Code
Available plugins:
\end_layout
\begin_layout LyX-Code
ldap-sync
\end_layout
\begin_layout LyX-Code
syncml-http-server
\end_layout
\begin_layout LyX-Code
syncml-http-client
\end_layout
\begin_layout LyX-Code
syncml-obex-client
\end_layout
\begin_layout LyX-Code
file-sync
\end_layout
\begin_layout LyX-Code
evo2-sync
\end_layout
\begin_layout Standard
Here we choose the
\begin_inset Quotes eld
\end_inset
evo2-sync
\begin_inset Quotes erd
\end_inset
and the
\begin_inset Quotes eld
\end_inset
ldap-sync
\begin_inset Quotes erd
\end_inset
plugin:
\end_layout
\begin_layout LyX-Code
osynctool --addmember "sync_ldap_with_evolution" evo2-sync
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
osynctool --addmember "sync_ldap_with_evolution" ldap-sync
\end_layout
\begin_layout Standard
Which formats are available for configuring each plugin?
\end_layout
\begin_layout LyX-Code
osynctool --listformats
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
Format: ldap-evolutionperson
\end_layout
\begin_layout LyX-Code
Object Type: contact
\end_layout
\begin_layout LyX-Code
Format: ldap-inetorgperson
\end_layout
\begin_layout LyX-Code
Object Type: contact
\end_layout
\begin_layout LyX-Code
Format: ldap-event
\end_layout
\begin_layout LyX-Code
Object Type: event
\end_layout
\begin_layout LyX-Code
Format: ldap-todo
\end_layout
\begin_layout LyX-Code
Object Type: todo
\end_layout
\begin_layout LyX-Code
Format: ldap-note
\end_layout
\begin_layout LyX-Code
Object Type: note
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
Configure the evo2-sync plugin:
\end_layout
\begin_layout LyX-Code
osynctool --configure "sync_ldap_with_evolution" 1
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
Configure the
\begin_inset Quotes eld
\end_inset
ldap-sync
\begin_inset Quotes erd
\end_inset
plugin: The following configuration enables only the objtype
\begin_inset Quotes eld
\end_inset
contact
\begin_inset Quotes erd
\end_inset
.
It chooses SASL/DIGEST-MD5 as authentication mechanism with the authcid
being
\begin_inset Quotes eld
\end_inset
ldap_user
\begin_inset Quotes erd
\end_inset
and the password
\begin_inset Quotes eld
\end_inset
secret
\begin_inset Quotes erd
\end_inset
.
It connects to a host
\begin_inset Quotes eld
\end_inset
host.example.com
\begin_inset Quotes erd
\end_inset
on port 389 with the protocol
\begin_inset Quotes eld
\end_inset
ldap
\begin_inset Quotes erd
\end_inset
.
\end_layout
\begin_layout Standard
For how to set up an encrypted connection see above
\begin_inset CommandInset ref
LatexCommand ref
reference "encrypted_connection1"
\end_inset
and
\begin_inset CommandInset ref
LatexCommand ref
reference "tls_certs"
\end_inset
.
\end_layout
\begin_layout Standard
For the
\begin_inset Quotes eld
\end_inset
simple
\begin_inset Quotes erd
\end_inset
authentication see above
\begin_inset CommandInset ref
LatexCommand ref
reference "simple_authentication"
\end_inset
.
\end_layout
\begin_layout Standard
For SASL/DIGEST-MD5 see also above
\begin_inset CommandInset ref
LatexCommand ref
reference "digest_md5"
\end_inset
and for how to configure the SASL library see above
\begin_inset CommandInset ref
LatexCommand ref
reference "sasl_in_general"
\end_inset
.
\end_layout
\begin_layout LyX-Code
osynctool --configure "sync_ldap_with_evolution" 2
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
binddn
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
cn=ldap_user,ou=people,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authcid
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
ldap_user
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
password
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
secret
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
anonymous
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
0
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
authmech
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
DIGEST-MD5
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
encryption
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
0
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
ldap_read
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
ldap_write
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
searchbase_contact
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
ou=addressbook,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
searchfilter_contact
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
storebase_contact
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
searchbase_event
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
ou=calendar,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
searchfilter_event
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
storebase_event
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
searchbase_todo
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
ou=todo,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
searchfilter_todo
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
storebase_todo
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
searchbase_note
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
o=notes,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
searchfilter_note
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
2147483647
\end_layout
\begin_layout LyX-Code
storebase_note
\end_layout
\begin_layout LyX-Code
string
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
Network
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
host.example.com
\end_layout
\begin_layout LyX-Code
389
\end_layout
\begin_layout LyX-Code
ldap
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
ldap-inetorgperson
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
contact
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
ldap-event
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
event
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
ldap-todo
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
todo
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
ldap-note
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
note
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Make the configuration become effective:
\end_layout
\begin_layout LyX-Code
osynctool --discover "sync_ldap_with_evolution" 1
\end_layout
\begin_layout LyX-Code
osynctool --discover "sync_ldap_with_evolution" 2
\end_layout
\begin_layout LyX-Code
osynctool --discover "sync_ldap_with_evolution"
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
Quickly check the
\begin_inset Quotes eld
\end_inset
members
\begin_inset Quotes erd
\end_inset
:
\end_layout
\begin_layout LyX-Code
osynctool --showgroup "sync_ldap_with_evolution"
\end_layout
\begin_layout LyX-Code
Group: sync_ldap_with_evolution
\end_layout
\begin_layout LyX-Code
Member 2: ldap-sync
\end_layout
\begin_layout LyX-Code
Member 1: evo2-sync
\end_layout
\begin_layout Standard
And the object types available:
\end_layout
\begin_layout LyX-Code
osynctool --showobjtypes "sync_ldap_with_evolution"
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
Ok.
Now we can try to synchronize the LDAP server with evolution2:
\end_layout
\begin_layout LyX-Code
osynctool --sync "sync_ldap_with_evolution"
\end_layout
\begin_layout Standard
If we want to avoid any modification and deletion, we can choose
\begin_inset Quotes eld
\end_inset
--slow-sync
\begin_inset Quotes erd
\end_inset
.
This has little to do with a slower synchronization speed.
It rather enforces the change type
\begin_inset Quotes eld
\end_inset
ADDED
\begin_inset Quotes erd
\end_inset
for each entry of each peer.
This is the best way to avoid any data loss even in cases when problems
arise:
\end_layout
\begin_layout LyX-Code
osynctool --sync "sync_ldap_with_evolution" --slow-sync "contact"
\end_layout
\begin_layout LyX-Code
osynctool --sync "sync_ldap_with_evolution" --slow-sync "event"
\end_layout
\begin_layout Section
Useful LDAP commands
\end_layout
\begin_layout Standard
Display addressbook with anonymous access to the LDAP server:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s sub -b 'ou=addressbook,dc=example,dc=com'
\end_layout
\begin_layout Standard
-x Use simple authentication instead of SASL.
\end_layout
\begin_layout Standard
-s base|one|sub|children
\end_layout
\begin_layout Standard
Specify the scope of the search to be one of base, one, sub, or
\end_layout
\begin_layout Standard
children to specify a base object, one-level, subtree, or chil-
\end_layout
\begin_layout Standard
dren search.
The default is sub.
Note: children scope requires
\end_layout
\begin_layout Standard
LDAPv3 subordinate feature extension.
\end_layout
\begin_layout Standard
-b searchbase
\end_layout
\begin_layout Standard
Use searchbase as the starting point for the search instead of
\end_layout
\begin_layout Standard
the default.
\end_layout
\begin_layout Standard
Note: Anonymous access is NOT possible if you have configured slapd only
with the access rules proposed above.
\begin_inset Newline newline
\end_inset
\end_layout
\begin_layout Standard
Display the addressbook, authenticating as ldap_user with the simple
authentication method (note that a password passed with -w is visible in
the process list and the shell history; -W prompts for it instead):
\end_layout
\begin_layout LyX-Code
ldapsearch -x -D "cn=ldap_user,ou=people,dc=example,dc=com" -w "secret"
-LLL -s sub -b 'ou=calendar,dc=example,dc=com'
\end_layout
\begin_layout Standard
Display the addressbook, authenticating via SASL without specifying any
particular mechanism:
\end_layout
\begin_layout LyX-Code
ldapsearch -U "ldap_user" -w "secret" -LLL -s sub -b 'ou=addressbook,dc=example,
dc=com'
\end_layout
\begin_layout Standard
Display the addressbook and choose explicitly CRAM-MD5 as SASL mechanism:
\end_layout
\begin_layout LyX-Code
ldapsearch -Y CRAM-MD5 -U "ldap_user" -w "secret" -LLL -s sub -b 'ou=addressbook
,dc=example,dc=com'
\end_layout
\begin_layout Standard
Display the addressbook via GSSAPI after having retrieved a ticket-granting
ticket by kinit -V ldap_user:
\end_layout
\begin_layout LyX-Code
ldapsearch -Y GSSAPI -LLL -s sub -b 'ou=addressbook,dc=example,dc=com'
\end_layout
\begin_layout Standard
Display one particular entry in the addressbook:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s sub -b 'ou=addressbook,dc=example,dc=com' 'uid=pas-id-496C
B33100000065' +
\end_layout
\begin_layout Standard
+ To get the
\begin_inset Quotes eld
\end_inset
operational attributes
\begin_inset Quotes erd
\end_inset
, as well.
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s sub -b 'uid=pas-id-496CB33100000065,ou=addressbook,dc=exam
ple,dc=com' 'ou=Revision' +
\end_layout
\begin_layout Standard
Add an entry to the addressbook:
\end_layout
\begin_layout LyX-Code
vim contact1.ldif
\end_layout
\begin_layout LyX-Code
dn: uid=pas-id-4971256100000127,ou=addressbook,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
cn: user4
\end_layout
\begin_layout LyX-Code
givenName: user4
\end_layout
\begin_layout LyX-Code
mail: user4@localhost
\end_layout
\begin_layout LyX-Code
sn: user4
\end_layout
\begin_layout LyX-Code
uid: pas-id-4971256100000127
\end_layout
\begin_layout LyX-Code
homePhone: 0000000000000
\end_layout
\begin_layout LyX-Code
objectClass: evolutionPerson
\begin_inset Newline newline
\end_inset
\end_layout
\begin_layout LyX-Code
ldapadd -a -w password -x -D "cn=root,dc=example,dc=com" -f contact1.ldif
\end_layout
\begin_layout Standard
Modify this entry:
\end_layout
\begin_layout LyX-Code
vim /tmp/entrymods
\end_layout
\begin_layout LyX-Code
dn: uid=pas-id-4971256100000127,ou=addressbook,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
replace: homePhone
\end_layout
\begin_layout LyX-Code
homePhone: 0000000000001
\begin_inset Newline newline
\end_inset
\end_layout
\begin_layout LyX-Code
ldapmodify -x -D "cn=root,dc=example,dc=com" -w password -f /tmp/entrymods
\end_layout
\begin_layout Standard
Delete exactly this entry from the addressbook:
\end_layout
\begin_layout LyX-Code
ldapdelete -x -w password -D "cn=root,dc=example,dc=com" -r "uid=pas-id-49712561
00000127,ou=addressbook,dc=example,dc=com"
\end_layout
\begin_layout Standard
Display calendar accessing the LDAP server anonymously:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s sub -b 'ou=calendar,dc=example,dc=com'
\end_layout
\begin_layout Standard
Display todo's:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s sub -b 'ou=todo,dc=example,dc=com'
\end_layout
\begin_layout Standard
Display notes (everything, including the base):
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s sub -b 'o=notes,dc=example,dc=com'
\end_layout
\begin_layout Standard
Display notes, only the base:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s base -b 'o=notes,dc=example,dc=com'
\end_layout
\begin_layout Standard
Display all the entries directly under o=notes (i.e.
all of the "notes", without any subentries and without the base):
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s one -b 'o=notes,dc=example,dc=com'
\end_layout
\begin_layout Standard
Display the subentries of one particular entry under o=notes:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s children -b 'documentIdentifier=20090103T144254Z-31888-500
-1-0@host.example.com,o=notes,dc=example,dc=com'
\begin_inset Newline newline
\end_inset
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s sub -b 'o=notes,dc=example,dc=com' '(documentidentifier=20
090103T144254Z-31888-500-1-0@host.example.com)'
\end_layout
\begin_layout Standard
Delete everything under o=notes:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s one -A -b "o=notes,dc=example,dc=com" 'dn' | awk 'BEGIN
{RS = "
\backslash
n
\backslash
n"} {gsub("dn: ", ""); gsub(/
\backslash
n /, ""); print}' > /tmp/file
\begin_inset Newline newline
\end_inset
\end_layout
\begin_layout LyX-Code
ldapdelete -x -w password -D "cn=root,dc=example,dc=com" -r -f /tmp/file
\end_layout
\begin_layout Standard
Check the result:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s sub -b "o=notes,dc=example,dc=com"
\end_layout
\begin_layout Standard
Or in one step with a pipe:
\end_layout
\begin_layout LyX-Code
ldapsearch -x -LLL -s one -A -b "o=notes,dc=example,dc=com" 'dn' | awk 'BEGIN
{RS = "
\backslash
n
\backslash
n"} {gsub("dn: ", ""); gsub(/
\backslash
n /, ""); print}' | ldapdelete -x -w password -D "cn=root,dc=example,dc=com"
-r
\end_layout
\begin_layout Section
Extra section: How to integrate mutt with the LDAP server
\end_layout
\begin_layout Standard
This section shows how mutt must be extended and configured to be able to
access the email addresses stored in the addressbook of the LDAP server.
Dozens of scripts are out there to achieve this aim.
All of them provide mutt with read-only access.
This means that adding new address entries to the LDAP server from inside
mutt requires a different or additional tool (not solved, yet).
\end_layout
\begin_layout Standard
Here is one way to enable this kind of read access.
\end_layout
\begin_layout Standard
We make use of the
\begin_inset Quotes eld
\end_inset
Little brother database
\begin_inset Quotes erd
\end_inset
.
LBDB accesses the LDAP server.
\end_layout
\begin_layout Subsection
Installation of LBDB on fedora 10
\end_layout
\begin_layout LyX-Code
rpm -Uvh /dvd/Packages/perl-Convert-ASN1-0.21-3.fc9.noarch.rpm
\end_layout
\begin_layout LyX-Code
rpm -Uvh /usbstick/perl-LDAP-0.34-4.fc9.noarch.rpm
\end_layout
\begin_layout Standard
Download LBDB source code:
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://www.spinnaker.de/debian/lbdb_0.36.tar.gz"
target "http://www.spinnaker.de/debian/lbdb_0.36.tar.gz"
\end_inset
\end_layout
\begin_layout LyX-Code
tar -xvzf lbdb_0.36.tar.gz
\end_layout
\begin_layout LyX-Code
cd lbdb-0.36/
\end_layout
\begin_layout LyX-Code
./configure --prefix=/usr/local --with-gpg --with-ypcat
\end_layout
\begin_layout LyX-Code
make -s
\end_layout
\begin_layout LyX-Code
make -w install
\end_layout
\begin_layout LyX-Code
ldconfig
\end_layout
\begin_layout Subsection
Configure lbdb
\end_layout
\begin_layout LyX-Code
vim /usr/local/etc/lbdb.rc
\end_layout
\begin_layout LyX-Code
METHODS="m_inmail m_ldap m_muttalias m_gpg"
\end_layout
\begin_layout Standard
lbdb makes use of mutt_ldap_query.
An older, but working, version:
\end_layout
\begin_layout LyX-Code
cp /usr/share/doc/mutt-1.5.18/mutt_ldap_query /usr/local/lib/
\end_layout
\begin_layout Standard
Other examples:
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://www.courville.org/code/mutt_ldap_query/mutt_ldap_query.pl.in"
target "http://www.courville.org/code/mutt_ldap_query/mutt_ldap_query.pl.in"
\end_inset
\end_layout
\begin_layout LyX-Code
cp mutt_ldap_query.pl.in /usr/local/lib/mutt_ldap_query
\end_layout
\begin_layout LyX-Code
vim /usr/local/lib/mutt_ldap_query
\end_layout
\begin_layout LyX-Code
# hostname of your ldap server
\end_layout
\begin_layout LyX-Code
our $ldap_server = 'host.example.com';
\end_layout
\begin_layout LyX-Code
# ldap base search
\end_layout
\begin_layout LyX-Code
our $search_base = 'ou=addressbook,dc=example,dc=com';
\end_layout
\begin_layout LyX-Code
# list of the fields that will be used for the query
\end_layout
\begin_layout LyX-Code
our $ldap_search_fields = 'uid givenname sn cn mail';
\end_layout
\begin_layout LyX-Code
# list of the fields that will be used for composing the answer
\end_layout
\begin_layout LyX-Code
our $ldap_expected_answers = 'givenname sn mail o';
\end_layout
\begin_layout LyX-Code
# format of the email result based on the expected answers of the ldap query
\end_layout
\begin_layout LyX-Code
our $ldap_result_email = '${mail}';
\end_layout
\begin_layout LyX-Code
# format of the real name result based on the expected answers of the ldap
query
\end_layout
\begin_layout LyX-Code
our $ldap_result_realname = '${givenname} ${sn}';
\end_layout
\begin_layout LyX-Code
# format of the comment result based on the expected answers of the ldap
query
\end_layout
\begin_layout LyX-Code
our $ldap_result_comment = '(${o})';
\end_layout
\begin_layout LyX-Code
# use ignorant (wildcard searching):
\end_layout
\begin_layout LyX-Code
our $ignorant = 0;
\end_layout
\begin_layout LyX-Code
# LDAP bind DN:
\end_layout
\begin_layout LyX-Code
our $ldap_bind_dn = 'cn=ldap_user,ou=people,dc=example,dc=com';
\end_layout
\begin_layout LyX-Code
# LDAP bind password:
\end_layout
\begin_layout LyX-Code
our $ldap_bind_password = 'secret';
\end_layout
\begin_layout Subsection
Configure mutt
\end_layout
\begin_layout LyX-Code
vim ~/.muttrc
\end_layout
\begin_layout LyX-Code
# Little brother database:
\end_layout
\begin_layout LyX-Code
set query_command="/usr/local/bin/lbdbq %s"
\end_layout
\begin_layout Subsection
Using mutt
\end_layout
\begin_layout Standard
SHIFT-Q prompts for a name.
Enter it and press Return.
The mail address should be displayed, if it is found at all.
\end_layout
\begin_layout Standard
In case of any problems:
\end_layout
\begin_layout Standard
Check it from outside of mutt:
\end_layout
\begin_layout LyX-Code
lbdbq user1
\end_layout
\begin_layout Subsection
Links
\end_layout
\begin_layout Standard
Homepage of the
\begin_inset Quotes eld
\end_inset
Little brother database
\begin_inset Quotes erd
\end_inset
:
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://www.spinnaker.de/lbdb/"
target "http://www.spinnaker.de/lbdb/"
\end_inset
\end_layout
\begin_layout Standard
About LBDB:
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://mark.stosberg.com/Tech/mutt.html"
target "http://mark.stosberg.com/Tech/mutt.html"
\end_inset
\end_layout
\begin_layout Part
Development
\end_layout
\begin_layout Section
Function names
\end_layout
\begin_layout Standard
The function name prefixes (uniformly ldap_plugin_...
and ldap_format_...) have been chosen deliberately:
\end_layout
\begin_layout Itemize
in order to make a clear distinction between libldap calls and plugin calls,
\end_layout
\begin_layout Itemize
in order to make a clear distinction between libopensync calls and plugin
calls,
\end_layout
\begin_layout Itemize
and in order to make it easier to detect the plugin functions while reading
any backtraces.
\end_layout
\begin_layout Section
Error messages
\end_layout
\begin_layout Standard
The error messages all contain the file name and line number, to accelerate debugging.
Null pointers should be recognizable instantaneously without having to
launch a debugger or to grep through the trace files.
The number of error messages, trace messages and debugging messages has
been greatly increased in order to speed up debugging.
\end_layout
\begin_layout Section
Format/mapping problems
\end_layout
\begin_layout Standard
The LDAP format plugin is the place where most of the future development
might have to be done.
\end_layout
\begin_layout Standard
Basically the mapping is done in two steps:
\end_layout
\begin_layout Enumerate
From xmlformat-contact, for example, to an XML format used internally by
the LDAP plugin, only.
This is done by means of an XML style sheet.
This internal XML format is to a certain degree oriented towards LDIF (=
LDAP Data Interchange Format).
\end_layout
\begin_layout Enumerate
From this plugin-internal XML format to C structs by means of functions
in ldap_format.c.
\end_layout
\begin_layout Standard
And, of course, the other way round.
\end_layout
\begin_layout Standard
The alternative would have been a style sheet that maps directly to LDIF.
But this turned out to be too difficult.
XSLT is a rather dumb programming language, actually, not even a programming
language.
And it is, at least in my personal opinion, not really suitable for all
those quirks that will have to be applied when paying attention to all
kinds of LDAP-specific requirements.
\end_layout
\begin_layout Standard
The mapping especially with the objtype
\begin_inset Quotes eld
\end_inset
contact
\begin_inset Quotes erd
\end_inset
is still neither loss-free nor bug-free.
The whole concept how to store the data on the LDAP server is not really
compatible with the requirements as laid out in the various *.xsd files.
It is not just a simple mapping, as, for example, from vcard10 to xmlformat-con
tact.
\end_layout
\begin_layout Standard
One and the same element must not appear more than once in an LDAP entry,
which obviously conflicts with the
\begin_inset Quotes eld
\end_inset
unbounded
\begin_inset Quotes erd
\end_inset
specification in the XML schema files.
Certain elements are obligatory on the LDAP side, regardless of whether
they have actually appeared on the side of the peer.
The current implementation has no solution for the problem that certain
elements may appear more than once.
And the format plugin is not really able to enter deeper levels than the
first one under the ou=addressbook entry, for instance.
It does so only in exceptional cases, and this has not been coded in a more
general way, yet.
\end_layout
\begin_layout Standard
Several XML elements are not mapped directly to any of the elements offered
by the LDAP schemata.
They are stored in subentries in an unusual way.
For example:
\end_layout
\begin_layout Itemize
This is an example for what I would call a direct or a regular mapping:
....
This can be mapped directly to the LDAP attribute
\begin_inset Quotes eld
\end_inset
birthDate:
\begin_inset Quotes erd
\end_inset
.
But any potential XML attributes can not be stored with this LDAP attribute.
\end_layout
\begin_layout Itemize
And this is an example where an adequate LDAP attribute is simply missing:
Foo.
The style sheet will sort out this one and reformat the XML file:
\begin_inset Newline newline
\end_inset
\begin_inset Newline newline
\end_inset
\begin_inset Newline newline
\end_inset
Foo
\begin_inset Newline newline
\end_inset
\begin_inset Newline newline
\end_inset
\begin_inset Newline newline
\end_inset
And this reformatted XML file is mapped to an LDAP entry located one level
below the entry of objectclass
\begin_inset Quotes eld
\end_inset
evolutionPerson
\begin_inset Quotes erd
\end_inset
(i.e.
mapped to a subentry, which could be called an indirect or irregular mapping):
\end_layout
\begin_layout LyX-Code
dn: ou=Nickname,uid=pas-id-49AD628000000004,ou=addressbook,dc=example,dc=com
\end_layout
\begin_layout LyX-Code
objectClass: organizationalUnit
\end_layout
\begin_layout LyX-Code
description: Foo
\end_layout
\begin_layout LyX-Code
ou: Nickname
\end_layout
\begin_layout Standard
It is quite clear that this is not optimal.
It is a workaround to overcome the incompatibility problem.
\end_layout
\begin_layout Standard
For the time being there is also no solution for the problem that the
LDAP schemata
\begin_inset Quotes eld
\end_inset
evolutionperson
\begin_inset Quotes erd
\end_inset
and
\begin_inset Quotes eld
\end_inset
inetorgperson
\begin_inset Quotes erd
\end_inset
have various elements that are not mapped, at all, to any element of the
xmlformat-contact format.
\end_layout
\begin_layout Section
Documentation
\end_layout
\begin_layout Standard
This README has been written in lyx-1.6.0.
Thus the conversion to HTML, PS and PDF is quite easy.
And the authoring is quicker than writing in plain LaTeX.
\end_layout
\begin_layout Standard
The source code has been annotated with doxygen based comments.
\begin_inset Quotes eld
\end_inset
make doxygen
\begin_inset Quotes erd
\end_inset
should lead to a
\begin_inset Quotes eld
\end_inset
doc
\begin_inset Quotes erd
\end_inset
sub directory in the build directory with HTML, man and other subsubdirectories.
\begin_inset Quotes eld
\end_inset
firefox doc/html/index.html
\begin_inset Quotes erd
\end_inset
displays the entry page.
\end_layout
\begin_layout Standard
All of this should save us time.
\end_layout
\begin_layout Part
Troubleshooting
\end_layout
\begin_layout Section
Enable debug output
\end_layout
\begin_layout Subsection
Enable trace files with libopensync and libopensync-plugin-ldap
\end_layout
\begin_layout LyX-Code
mkdir /tmp/trace
\end_layout
\begin_layout LyX-Code
export OSYNC_TRACE=/tmp/trace
\end_layout
\begin_layout LyX-Code
osynctool --listplugins
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Subsection
Enable trace files with libsyncml
\end_layout
\begin_layout LyX-Code
mkdir /tmp/trace
\end_layout
\begin_layout LyX-Code
export SYNCML_TRACE=/tmp/trace
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Subsection
Enable debug output with the LDAP server slapd on fedora 10
\end_layout
\begin_layout LyX-Code
vim /etc/rsyslog.conf
\end_layout
\begin_layout LyX-Code
*.* /var/log/debug
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
service syslog restart
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
vim /etc/sysconfig/ldap
\end_layout
\begin_layout LyX-Code
OPTIONS="-d 32767"
\begin_inset Newline newline
\end_inset
\end_layout
\begin_layout LyX-Code
vim /etc/openldap/slapd.conf
\end_layout
\begin_layout LyX-Code
logfile /tmp/slapd.log
\end_layout
\begin_layout LyX-Code
loglevel any
\begin_inset Newline newline
\end_inset
\end_layout
\begin_layout LyX-Code
service ldap configtest
\end_layout
\begin_layout LyX-Code
service ldap restart
\end_layout
\begin_layout LyX-Code
tail -f /tmp/slapd.log
\end_layout
\begin_layout Subsection
How to debug the format conversions with the ldap-sync plugin
\end_layout
\begin_layout Standard
The transformation from the format understood by the libldap API to any
format understood by libopensync is performed in several steps and can
be observed by defining certain DEBUG_* constants:
\end_layout
\begin_layout LyX-Code
LDAP <---> ldap plugin <---> libopensync <---> syncml plugin <---> phone
\end_layout
\begin_layout Standard
The conversation with the LDAP server API for getting data
\end_layout
\begin_layout Standard
out of the directory information tree (DIT) can be watched
\end_layout
\begin_layout Standard
by defining in ldap_plugin.h
\end_layout
\begin_layout LyX-Code
DEBUG_ldapdata_from_server
\end_layout
\begin_layout Standard
The step from the LDAP server API to the xml format internally used
\end_layout
\begin_layout Standard
by the ldap-sync plugin can be observed by this constant:
\end_layout
\begin_layout LyX-Code
DEBUG_convert_ldap2xmldoc
\end_layout
\begin_layout Standard
The step from this plugin-internal xml format to xmlformat-contact,
\end_layout
\begin_layout Standard
for instance, or the other way round:
\end_layout
\begin_layout LyX-Code
DEBUG_do_apply_stylesheet
\end_layout
\begin_layout Standard
The step from xmlformat-contact to the xml format used by the ldap
\end_layout
\begin_layout Standard
plugin internally:
\end_layout
\begin_layout LyX-Code
DEBUG_convert_xmldoc2ldap
\end_layout
\begin_layout Standard
And the way how the ldap plugin talks to the LDAP server API,
\end_layout
\begin_layout Standard
in order to write data into the directory information tree:
\end_layout
\begin_layout LyX-Code
DEBUG_ldapdata_to_server
\begin_inset Newline linebreak
\end_inset
\end_layout
\begin_layout Section
CMakeError: MACRO_ENSURE_OUT_OF_SOURCE_BUILD
\end_layout
\begin_layout Standard
Problem:
\end_layout
\begin_layout LyX-Code
CMake Error at cmake/modules/MacroEnsureOutOfSourceBuild.cmake:13 (MESSAGE):
libopensync-plugin-ldap doesn't allow to build within the source directory.
Please, create a seperate build directory and run 'cmake /home/user1/dev/pl
ugins/ldap-sync [options]'! Call Stack (most recent call first): /usr/local/sh
are/libopensync1/cmake/modules/OpenSyncInternal.cmake:9 (MACRO_ENSURE_OUT_OF_SOUR
CE_BUILD) CMakeLists.txt:50 (INCLUDE)
\end_layout
\begin_layout Standard
Solution:
\end_layout
\begin_layout LyX-Code
tar -xvjf libopensync-plugin-ldap-0.39
\end_layout
\begin_layout LyX-Code
cd libopensync-plugin-ldap-0.39
\end_layout
\begin_layout LyX-Code
mkdir build
\end_layout
\begin_layout LyX-Code
cd build
\end_layout
\begin_layout LyX-Code
cmake ...
\end_layout
\begin_layout LyX-Code
make ...
\end_layout
\begin_layout Standard
Problem: But I did make a separate build directory! Why does cmake not realize
this?
\end_layout
\begin_layout Standard
Solution: Delete all the cache files
\begin_inset Quotes eld
\end_inset
CMakeCache.txt
\begin_inset Quotes erd
\end_inset
that you can find inside the libopensync-plugin-ldap-0.xx source directory.
\end_layout
\begin_layout Section
Debugging hints for SASL
\end_layout
\begin_layout Subsection
Which SASL mechanisms are supported by the LDAP library
\end_layout
\begin_layout Subsubsection
With unencrypted sessions
\end_layout
\begin_layout LyX-Code
ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
\end_layout
\begin_layout Subsubsection
With encrypted sessions
\end_layout
\begin_layout LyX-Code
ldapsearch -x -b "" -s base -LLL -Z supportedSASLMechanisms
\end_layout
\begin_layout Standard
Test SASL authentication with regard to read access only:
\end_layout
\begin_layout LyX-Code
ldapwhoami -U "ldap_user" -w "secret" -Y DIGEST-MD5
\end_layout
\begin_layout LyX-Code
ldapwhoami -U "ldap_user" -w "secret" -Y CRAM-MD5
\end_layout
\begin_layout LyX-Code
ldapwhoami -U "ldap_user" -w "secret" -Z -Y LOGIN
\end_layout
\begin_layout LyX-Code
ldapwhoami -U "ldap_user" -w "secret" -Z -Y PLAIN
\end_layout
\begin_layout LyX-Code
ldapwhoami -Z -Y EXTERNAL
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
kinit -V ldap_user
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
ldapwhoami -Y GSSAPI
\end_layout
\begin_layout Standard
In case of any problems, one could add
\begin_inset Quotes eld
\end_inset
-V -d1
\begin_inset Quotes erd
\end_inset
to the ldapwhoami command line.
\end_layout
\begin_layout Subsection
Display the TLS certificates
\end_layout
\begin_layout Standard
of the LDAP server only
\end_layout
\begin_layout LyX-Code
openssl s_client -connect localhost:636 -showcerts
\end_layout
\begin_layout Standard
both of the server and the client
\end_layout
\begin_layout LyX-Code
openssl s_client -connect localhost:636 -cert /etc/openldap/cacerts/client.crt
-key /etc/openldap/cacerts/client.key -showcerts
\end_layout
\begin_layout Subsection
Make the debug output of slapd visible
\end_layout
\begin_layout LyX-Code
vim /etc/rsyslog.conf
\end_layout
\begin_layout LyX-Code
*.* /var/log/debug
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
service syslog restart
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
vim /etc/sysconfig/ldap
\end_layout
\begin_layout LyX-Code
OPTIONS="-d 32767"
\end_layout
\begin_layout Standard
Example of a debug session:
\end_layout
\begin_layout LyX-Code
ldapwhoami -V -d 1 -Z -Y EXTERNAL
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
ldap_sasl_interactive_bind_s: user selected: EXTERNAL
\end_layout
\begin_layout LyX-Code
ldap_int_sasl_bind: EXTERNAL
\end_layout
\begin_layout LyX-Code
ldap_int_sasl_open: host=host.example.com
\end_layout
\begin_layout LyX-Code
SASL/EXTERNAL authentication started
\end_layout
\begin_layout LyX-Code
ldap_err2string
\end_layout
\begin_layout LyX-Code
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
tail -f /var/log/debug
\end_layout
\begin_layout LyX-Code
Feb 20 13:30:49 host slapd[6298]: connection_get(21): got connid=1
\end_layout
\begin_layout LyX-Code
Feb 20 13:30:49 host slapd[6298]: connection_read(21): checking for input
on id=1
\end_layout
\begin_layout LyX-Code
Feb 20 13:30:50 host slapd[6298]:
\end_layout
\begin_layout LyX-Code
connection_read(21): unable to get TLS client DN, error=49 id=1
\end_layout
\begin_layout LyX-Code
Feb 20 13:30:50 host slapd[6298]: conn=1 fd=21 TLS established tls_ssf=256
ssf=256
\end_layout
\begin_layout Standard
Solution:
\end_layout
\begin_layout Standard
The variables TLS_CACERTDIR, TLS_CERT, TLS_KEY, TLSCipherSuite and TLS_REQCERT
MUST NOT be configured in /etc/openldap/ldap.conf.
They MUST be configured in ~/.ldaprc, instead.
\end_layout
\begin_layout Section
Debugging the style sheets
\end_layout
\begin_layout Subsection
How to observe the mapping step from xmlformat_contact to ldap_inetorgperson
\end_layout
\begin_layout Standard
Comment out #undef DEBUG_do_apply_stylesheet so that DEBUG_do_apply_stylesheet
becomes defined:
\end_layout
\begin_layout LyX-Code
vim ldap_plugin.h
\end_layout
\begin_layout LyX-Code
// #undef DEBUG_do_apply_stylesheet
\end_layout
\begin_layout Subsection
Example file contact4.xml
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
12345
\end_layout
\begin_layout LyX-Code
userstreet5
\end_layout
\begin_layout LyX-Code
10000 Any City
\end_layout
\begin_layout LyX-Code
user1
\end_layout
\begin_layout LyX-Code
Berlin
\end_layout
\begin_layout LyX-Code
Berlin
\end_layout
\begin_layout LyX-Code
10000
\end_layout
\begin_layout LyX-Code
Germany
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
Mr.
user1
\end_layout
\begin_layout LyX-Code
Any City
\end_layout
\begin_layout LyX-Code
Any State
\end_layout
\begin_layout LyX-Code
10000
\end_layout
\begin_layout LyX-Code
Any Country
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
Mr.
user1
\end_layout
\begin_layout LyX-Code
userstreet5
\end_layout
\begin_layout LyX-Code
10000 Any City
\end_layout
\begin_layout LyX-Code
user1
\end_layout
\begin_layout LyX-Code
Berlin
\end_layout
\begin_layout LyX-Code
Berlin
\end_layout
\begin_layout LyX-Code
10000
\end_layout
\begin_layout LyX-Code
Germany
\end_layout
\begin_layout LyX-Code
Any City, Any State
\end_layout
\begin_layout LyX-Code
10000
\end_layout
\begin_layout LyX-Code
12345
\end_layout
\begin_layout LyX-Code
Any Country
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
user1
\end_layout
\begin_layout LyX-Code
userstreet 5
\end_layout
\begin_layout LyX-Code
Berlin, Berlin
\end_layout
\begin_layout LyX-Code
10000
\end_layout
\begin_layout LyX-Code
10000 Berlin
\end_layout
\begin_layout LyX-Code
Germany
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
20090302
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
workaholic
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
20090301
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
http://blog.example.com/
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
http://calendar.example.com/
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
Hot Contacts
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
user1@home
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
user1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
user1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
http://busy.example.com/
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
aim_account
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
icq_account
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
msn_account
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
yahoo_account
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
dude1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
user1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
one
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
Here we could put any notes.
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
creative.com
\end_layout
\begin_layout LyX-Code
supervisory
\end_layout
\begin_layout LyX-Code
Second floor
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
creator
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
20090315T124347Z
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
Betty
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
0000000000004
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
Emperor
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
pas-id-49BCF74000000000
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
http://www.example.com/
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
http://video.example.com/
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
TRUE
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Subsection
Check the mapping step from xmlformat_contact to ldap_inetorgperson
\end_layout
\begin_layout LyX-Code
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | xmllint --noout
-
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | xsltproc
ldap_inetorgperson2xmlformat_contact.xsl -
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | xsltproc
ldap_inetorgperson2xmlformat_contact.xsl - | xmllint --noout -
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | xsltproc
ldap_inetorgperson2xmlformat_contact.xsl - | xmllint --noout --schema /usr/local/share/libopensync1/schemas/xmlformat-contact.xsd -
\end_layout
\begin_layout Subsection
Alternative parsers
\end_layout
\begin_layout LyX-Code
java -jar /usr/share/java/xalan-j2.jar -IN contact4.xml -XSL xmlformat_contact2ldap_inetorgperson.xsl
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
java -jar /usr/share/java/saxon.jar contact4.xml xmlformat_contact2ldap_inetorgperson.xsl
\end_layout
\begin_layout Section
ERROR: (mod->mod_vals.modv_strvals) is NULL
\end_layout
\begin_layout Standard
This error message:
\end_layout
\begin_layout LyX-Code
ERROR: (mod->mod_vals.modv_strvals) is NULL.
\end_layout
\begin_layout Standard
means that a particular libldap call has not been told to use binary values
rather than strings.
The ldap plugin does NOT use
\begin_inset Quotes eld
\end_inset
modv_strvals
\begin_inset Quotes erd
\end_inset
.
Throughout the whole plugin
\begin_inset Quotes eld
\end_inset
mod->mod_vals.modv_bvals
\begin_inset Quotes erd
\end_inset
, or shorter,
\begin_inset Quotes eld
\end_inset
mod->mod_bvalues
\begin_inset Quotes erd
\end_inset
are used.
So there must always be a prior line
\begin_inset Quotes eld
\end_inset
mod->mod_op = LDAP_MOD_BVALUES
\begin_inset Quotes erd
\end_inset
or
\begin_inset Quotes eld
\end_inset
mod->mod_op = LDAP_MOD_BVALUES | ANY_OTHER_OPTION | ...
\begin_inset Quotes erd
\end_inset
.
Apparently, such a line is missing in this case.
\end_layout
\begin_layout Section
LDAP ERROR: No such object (32)
\end_layout
\begin_layout Standard
This error message may have several different causes, the most common one being that you simply have a typo in your search (here: in the base DN):
\end_layout
\begin_layout LyX-Code
ldapsearch -Y GSSAPI -LLL -b "ou=addresssbook,dc=example,dc=com" -s sub dn
\end_layout
\begin_layout LyX-Code
SASL/GSSAPI authentication started
\end_layout
\begin_layout LyX-Code
SASL username: ldap_user@EXAMPLE.COM
\end_layout
\begin_layout LyX-Code
SASL SSF: 56 SASL data security layer installed.
\end_layout
\begin_layout LyX-Code
No such object (32)
\end_layout
\begin_layout LyX-Code
Matched DN: dc=example,dc=com
\end_layout
\begin_layout Standard
In this example, addressbook has been written with three s's rather than with only two of them, so this particular object does indeed not exist.
\end_layout
\begin_layout Standard
But the very same error message may also be triggered in cases where the particular object in question does actually exist, but the
\begin_inset Quotes eld
\end_inset
ldap_user
\begin_inset Quotes erd
\end_inset
does not have enough access rights to view this object.
Pretty misleading, I must say.
This is by design, though: slapd does not reveal whether an entry exists to an identity that is not allowed to read it.
In such a case slapd most probably has to be reconfigured.
Even if ldap_user could authenticate with the LDAP server, this does not say anything about the degree of rights he has for reading, writing and so on on the server.
He also needs to be granted sufficient access rights.
\end_layout
\begin_layout Standard
Finally a third reason for
\begin_inset Quotes eld
\end_inset
No such object
\begin_inset Quotes erd
\end_inset
has absolutely nothing to do with the DIT or with any object at all: if the filesystem on which the LDAP server stores its database is running out of space, the LDAP server is no longer able to perform regular database operations.
In this case it seems that the LDAP server reports
\begin_inset Quotes eld
\end_inset
No such object
\begin_inset Quotes erd
\end_inset
.
This is not just a misleading message.
It is simply wrong.
\begin_inset Quotes eld
\end_inset
No space available
\begin_inset Quotes erd
\end_inset
or something similar would have been the correct error message.
\end_layout
\begin_layout Section
LDAP ERROR: Invalid credentials (49)
\end_layout
\begin_layout Standard
The error messages by slapd and libldap are often misleading.
So are they in this case.
You MAY have used a wrong user name and/or password.
But it is ALSO possible that the LDAP server is simply misconfigured:
All clients, not just the authenticated ones, need access to the entries below
"ou=people,dc=example,dc=com", if they are to be allowed to make use of
the simple authentication method (which could very well be forbidden by
the administrator).
Otherwise slapd cannot check user name and password.
Note that the access level required for this is "auth" on the userPassword attribute (see slapd.access(5)), not full "read" access: giving anonymous clients read access would expose the stored password hashes.
\end_layout
\begin_layout Standard
Problems like this one can be debugged by setting OPTIONS="-d ACL" in /etc/sysconfig/ldap on a Fedora system.
\end_layout
\begin_layout Section
LDAP ERROR: "Cannot modify object class".
structural object class modification from 'inetOrgPerson' to 'evolutionPerson'
not allowed.
\end_layout
\begin_layout Standard
What has happened?
\end_layout
\begin_layout Standard
The database contains an entry for object type "contact" that has originally been stored as LDAP object class "inetOrgPerson".
This very entry is now to be modified according to one of the peers, say the file-sync plugin.
However, the LDAP plugin is currently configured to use the format "ldap-evolutionperson" for object type "contact".
So it tries to perform the modification by the peer with the "ldap-evolutionperson" format in mind, and slapd rejects this because LDAP does not allow the structural object class of an existing entry to be changed (RFC 4512).
\end_layout
\begin_layout Standard
Solution:
\end_layout
\begin_layout Standard
Simply change the configuration of the LDAP plugin.
Change the format from "ldap-evolutionperson" to "ldap-inetorgperson":
\end_layout
\begin_layout Standard
From:
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
ldap-evolutionperson
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
contact
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout Standard
To:
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
1
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
ldap-inetorgperson
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
contact
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout LyX-Code
(...)
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Part
References
\end_layout
\begin_layout Standard
Introduction to LDAP (1):
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://www.grennan.com/ldap-HOWTO.html"
target "http://www.grennan.com/ldap-HOWTO.html"
\end_inset
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Introduction to LDAP (2):
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html"
target "http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html"
\end_inset
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
Quickstart: How to set up an LDAP server with openldap-2.4:
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://www.openldap.org/doc/admin24/quickstart.html"
target "http://www.openldap.org/doc/admin24/quickstart.html"
\end_inset
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
openldap FAQ:
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://www.openldap.org/faq/"
target "http://www.openldap.org/faq/"
\end_inset
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
The LDAP scheme
\begin_inset Quotes eld
\end_inset
evolutionPerson
\begin_inset Quotes erd
\end_inset
:
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://svn.gnome.org/viewvc/evolution-data-server/trunk/addressbook/backends/ldap/evolutionperson.schema?view=markup"
target "http://svn.gnome.org/viewvc/evolution-data-server/trunk/addressbook/backends/ldap/evolutionperson.schema?view=markup"
\end_inset
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
The LDAP scheme
\begin_inset Quotes eld
\end_inset
mozillaAbPersonAlpha
\begin_inset Quotes erd
\end_inset
:
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "https://wiki.mozilla.org/MailNews:Mozilla_LDAP_Address_Book_Schema"
target "https://wiki.mozilla.org/MailNews:Mozilla_LDAP_Address_Book_Schema"
\end_inset
\end_layout
\begin_layout LyX-Code
\end_layout
\begin_layout Standard
The CYRUS SASL library:
\end_layout
\begin_layout LyX-Code
\begin_inset CommandInset href
LatexCommand href
name "http://asg.web.cmu.edu/sasl/sasl-library.html"
target "http://asg.web.cmu.edu/sasl/sasl-library.html"
\end_inset
\end_layout
\begin_layout LyX-Code
\end_layout
\end_body
\end_document