Hello, Would appreciate being pointed to good documentation for adding users to LDAP directory and testing user authentication? Thank you!
--On Friday, February 12, 2016 7:17 PM +0000 Mary Kao wmcic@yahoo.com wrote:
Hello,
Would appreciate being pointed to good documentation for adding users to LDAP directory and testing user authentication?
"ldapadd" is a good utility for adding users. "ldapwhoami" is a good way to test.
Your question unfortunately lacks the detail to help you much beyond that. For example, we do not know what type of "user" you are asking about? A "person" object? An "account" object? etc.
You might find the following in the Admin guide of use:
http://www.openldap.org/doc/admin24/guide.html#The%20LDIF%20text%20entry%20format
The critical thing to keep in mind is that you have to determine what requirements /you/ have for your "user" entries. We can't determine those for you. It could be something very simple (an account entry with very few attributes) or complex (a person using inetOrgPerson, with numerous attributes from inetOrgPerson plus other attributes that inetOrgPerson inherits from) to something entirely custom (an account or person entry that's been extended by a custom schema, etc).
The OpenLDAP source tarball includes a "tests" directory that has LDIF entries used in testing, including various types of account and/or user type entries. They may be of help to you as /examples/ as well, like:
If you can provide more information on your goals, we may be able to help you further with your request. Hope this helps!
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
Hello, I have very simple requirements for "users", e.g. representative of user accounts with userid and password. I have a web application for which we are currently using Apache's htpasswd flat file database for userids and passwords. We'd like to be able to have Apache point to LDAP for user authentication from the web app. Any pointers how to get going in this direction would be greatly appreciated. Regards, Mary
Mary,
Am 16.02.2016 um 14:56 Uhr schrieb Mary Kao:
I have very simple requirements for "users" e.g. representative of user accounts with userid and password.
a "user" for "authentication" in LDAP is mostly an object you can bind to. The easiest way to bind to an LDAP server is "simple" bind, by which you send the DN of the object and the password. In this case the object has a password field - userpassword.
So choose an objectclass with userpassword - i.e. inetorgperson - and create an object with this.
If you need a GUI try Apache Directory Studio.
Start from there.
I have a web application which we are currently using Apache's htpasswd flat file database for userid's and password. We'd like to be able to have Apache point to LDAP for user authentication from the web app.
Go for it! :)
Any pointers how to get going in this direction would be greatly appreciated.
Apache HTTPd is very flexible in the use of LDAP. https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
To understand what AuthLDAPURL does, read about LDAP filters.
What Apache does is:
- do a search in your DIT to find the user object in AuthLDAPURL and get the DN
- bind with the DN and given password
For information about how to set up OpenLDAP in general, read the OpenLDAP Admin Guide. For how to set it up on your favorite Linux distribution, check the documentation there.
Marc
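Marc's search-then-bind description above, worked as an added Python example (not from the thread or from Apache's own code): it parses an AuthLDAPURL, builds the escaped search filter Apache would send, and runs that search over a small constructed in-memory stand-in for a DIT to obtain the DN the bind step would use. The host, base DN and entries are assumptions; the server-side compare uses the raw login because the escaped value reaches slapd as a literal.

```python
import re
from urllib.parse import urlsplit, unquote

def parse_auth_ldap_url(url):
    """Split an RFC 4516 LDAP URL into the parts mod_authnz_ldap uses:
    host, base DN, attribute matched against the login, scope, extra filter."""
    p = urlsplit(url)
    fields = (p.query.split("?") + ["", "", ""])[:3]
    return {"host": p.netloc, "base": unquote(p.path.lstrip("/")).lower(),
            "attr": fields[0] or "uid", "scope": fields[1] or "sub",
            "filter": fields[2] or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping: a login like 'mary)(uid=*' must not rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_search_filter(cfg, login):
    """Apache ANDs the URL's own filter with <attr>=<escaped login>."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attr"], escape_filter_value(login))

# Constructed stand-in for a DIT (DN -> attributes). Note two 'mary' entries:
# only the one under ou=accounts is an account object, the other is a person.
SAMPLE_DIT = {
    "uid=mary,ou=accounts,dc=example,dc=com":
        {"objectClass": ["account", "simpleSecurityObject"], "uid": ["mary"]},
    "uid=mary,ou=people,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson", "person"], "uid": ["mary"]},
}

_SIMPLE_EQ = re.compile(r"^\((\w+)=([^()*]+)\)$")  # only (attr=value) supported
def _matches(entry, attr, value):
    """Case-insensitive equality, like LDAP's caseIgnoreMatch rule for uid."""
    return value.lower() in [v.lower() for v in entry.get(attr, [])]

def find_user_dn(cfg, login, dit=SAMPLE_DIT):
    """Step 1 of Apache's flow: search below the base DN for the login and
    return the single DN it would bind with; None when 0 or >1 entries match
    (an ambiguous result must not authenticate anyone)."""
    extra = _SIMPLE_EQ.match(cfg["filter"])
    hits = []
    for dn, entry in dit.items():
        if dn.lower() != cfg["base"] and not dn.lower().endswith("," + cfg["base"]):
            continue  # outside the search base (scope 'sub' assumed)
        if not _matches(entry, cfg["attr"], login):
            continue
        if extra and not _matches(entry, extra.group(1), extra.group(2)):
            continue
        hits.append(dn)
    return hits[0] if len(hits) == 1 else None
```

The second step, binding as the returned DN with the submitted password, is what the server then verifies against userPassword.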
--On Tuesday, February 16, 2016 4:00 PM +0100 Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
Am 16.02.2016 um 14:56 Uhr schrieb Mary Kao:
I have very simple requirements for "users" e.g. representative of user accounts with userid and password.
a "user" for "authentication" in LDAP is mostly an object you can bind to. The easiest way to bind to an LDAP server is "simple" bind, by which you send the DN of the object and the password. In this case the object has a password field - userpassword.
So choose an objectclass with userpassword - i.e. inetorgperson - and create an object with this.
I generally dislike the fact people just tend to default to inetOrgPerson. That objectClass is to be used for a person, not accounts, which is what it appears Mary is talking about. A person may have multiple accounts (i.e., there is NOT a 1:1 mapping between a person and an account). For example, at a previous job, where we deployed with an understanding of the difference, I had a single person account, and multiple account objects (my general account, my test account, my root principal account (we used kerberos)), etc. There may be a number of reasons why a given individual may have more than one account. We used the seeAlso attribute to provide a pointer between account(s) and the person.
--Quanah
Hi,
Am 16.02.2016 um 17:42 Uhr schrieb Quanah Gibson-Mount:
--On Tuesday, February 16, 2016 4:00 PM +0100 Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
Am 16.02.2016 um 14:56 Uhr schrieb Mary Kao:
I have very simple requirements for "users" e.g. representative of user accounts with userid and password.
a "user" for "authentication" in LDAP is mostly an object you can bind to. The easiest way to bind to an LDAP server is "simple" bind, by which you send the DN of the object and the password. In this case the object has a password field - userpassword.
So choose an objectclass with userpassword - i.e. inetorgperson - and create an object with this.
I generally dislike the fact people just tend to default to inetOrgPerson.
that's why I wrote "i.e.". :) And tried to explain it a little bit more in general by "an object you can bind to".
That objectClass is to be used for a person, not accounts, which is what it appears Mary is talking about. A person may have multiple accounts (i.e., there is NOT a 1:1 mapping between a person and an account). For example, at a previous job, where we deployed with an understanding of the difference, I had a single person account, and multiple account objects (my general account, my test account, my root principal account (we used kerberos)), etc. There may be a number of reasons why a given individual may have more than one account. We used the seeAlso attribute to provide a pointer between account(s) and the person.
Of course, you are obsoletely right.
Marc
2016-02-17 13:56 GMT+04:00 Marc Patermann hans.moser@ofd-z.niedersachsen.de:
Of course, you are obsoletely right.
LOL. Are you sure you wanted to write that? Usually, only dinosaurs are :-)
Hello, How does LDAP know where to search for the user password provided by Apache?
Thanks!
Mary Kao wrote:
How does LDAP know where to search for the user password provided by Apache?
If Apache validates the user's password by sending a simple bind request with clear-text password (most usual case) then slapd internally reads the password (hash) from attribute 'userPassword' and checks that against the clear-text password in the simple bind request.
Ciao, Michael.
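Michael's description of the bind check, together with Quanah's ldapadd/ldapwhoami pointer and the account-versus-person distinction, as an added Python example (not from the thread or from OpenLDAP's code): it builds the {SSHA} userPassword value slapd stores (base64 of SHA-1 over password plus a 4-byte salt, followed by the salt), verifies a clear-text bind password against it the way slapd does on simple bind, and renders the LDIF for a minimal account object. The base DN, uid and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Build an RFC 2307-style userPassword value: '{SSHA}' + base64 of
    sha1(password + salt) followed by the salt (4 random bytes by default)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_simple_bind(stored, candidate):
    """What slapd does on simple bind for an {SSHA} userPassword: recover the
    salt from the stored value, re-hash the clear-text candidate with it and
    compare digests in constant time. Other schemes are rejected here."""
    if not stored.startswith("{SSHA}"):
        return False  # {CRYPT}, {SHA}, clear text etc. are out of scope here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)

def account_ldif(uid, password, base="ou=accounts,dc=example,dc=com"):
    """LDIF for a minimal bindable entry: the structural 'account' class plus
    the auxiliary 'simpleSecurityObject', which carries userPassword. This is
    an account object, not a person, so no inetOrgPerson is needed."""
    return "\n".join([
        "dn: uid=%s,%s" % (uid, base),
        "objectClass: account",
        "objectClass: simpleSecurityObject",
        "uid: %s" % uid,
        "userPassword: %s" % ssha_hash(password),
        "",
    ])

if __name__ == "__main__":
    entry = account_ldif("mary", "s3cret")
    print(entry)  # load with: ldapadd -x -D <admin DN> -W -f account.ldif
    # then test the bind: ldapwhoami -x -D "uid=mary,<base>" -W
    stored = entry.split("userPassword: ")[1].strip()
    print("bind ok:", check_simple_bind(stored, "s3cret"))  # True
    print("bind ok:", check_simple_bind(stored, "wrong"))   # False
```

{SSHA} is the traditional OpenLDAP scheme; slapd's password-hash directive also supports stronger schemes, and the same verify-by-rehash logic applies to them.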