From: <svn...@op...> - 2009-03-26 00:13:24
Author: scriptor
Date: Thu Mar 26 01:13:12 2009
New Revision: 5333
URL: http://www.opensync.org/changeset/5333
Log:
Initial version of the LDAP plugin having been ported to libopensync-0.3x.
Added: plugins/ldap-sync/README.txt (contents, props changed)

Added: plugins/ldap-sync/README.txt
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ plugins/ldap-sync/README.txt Thu Mar 26 01:13:12 2009 (r5333)
@@ -0,0 +1,3167 @@ +opensync-plugin-ldap-0.39 + +by Juergen Leising (c) 2009 + +Table of Contents + +Part I Installation + 1 Compiling the source code with cmake + 1.1 The following cmake modules are required for the LDAP plugin + 1.2 Regular build + 1.3 Debug build + 1.4 Build doxygen based documentation of the source code + 2 Tests + 2.1 Required software + 2.2 Running the tests + 2.3 Display a list of tests + 2.4 Run only one particular test +Part II Configuration + 3 Prepare the LDAP server “slapd” + 3.1 Configure the LDAP server + 3.2 Syntax test of the configuration file + 3.3 Build the directory information tree (= DIT) + 3.3.1 Establish an addressbook + 3.3.2 Estalish a calendar + 3.3.3 Establish the todo's + 3.3.4 Establish notes + 4 The different authentication methods with the LDAP server + 4.1 The “simple” authentication + 4.2 Configure the SASL library + 4.3 SASL/DIGEST-MD5 + 4.4 SASL/CRAM-MD5 + 4.5 SASL/PLAIN over an encrypted connection + 4.6 SASL/LOGIN over an encrypted connection + 4.7 SASL/GSSAPI (KERBEROS V5) + 4.7.1 Preparing KERBEROS V5 + DNS configuration + Determine realm on a fedora 10 system + Configure main configuration file for kerberos + Configure configuration file of the KDC, i.e. 
for issuing tickets per realm + Create the database for this particular realm EXAMPLE.COM and a stash file for the server to authenticate itself using the password “master” + Grant administrative access + Add administrative principals to the Kerberos database + Create service principal "ldap/host.example.com" + Create keytab file for service principal "ldap" + Adjust permissions: The keytab file must be readable by the LDAP server + Create the user principal "ldap_user" with password "secret" + Useful commands + Adjust SELinux + Start up the kdc on a fedora system + Kerberos related log files + 4.7.2 Configure the opensync-plugin-ldap: + 4.7.3 Using KERBEROS with SASL + 4.8 SASL/EXTERNAL using the TLS cert used in a TLS encrypted connection + 4.8.1 Generate server and client certificates + 4.8.2 Configuration of the LDAP server + 4.8.3 Configuration of the LDAP client side + 4.8.4 Configure the opensync-plugin-ldap +Part III Usage + 5 Synchronizing between evolution and LDAP + 6 Useful LDAP commands + 7 Extra section: How to integrate mutt with the LDAP server + 7.1 Installation of LBDB on fedora 10 + 7.2 Configure lbdb + 7.3 Configure mutt + 7.4 Using mutt + 7.5 Links +Part IV Development + 8 Function names + 9 Error messages + 10 Format/mapping problems + 11 Documentation +Part V Troubleshooting + 12 Enable debug output + 12.1 Enable trace files with libopensync and libopensync-plugin-ldap + 12.2 Enable trace files with libsyncml + 12.3 Enable debug output with the LDAP server slapd on fedora 10 + 12.4 How to debug the format conversions with the ldap-sync plugin + 13 CMakeError: MACRO_ENSURE_OUT_OF_SOURCE_BUILD + 14 Debugging hints for SASL + 14.1 Which SASL mechanisms are supported by the LDAP library + 14.1.1 With unencrypted sessions + 14.1.2 With encrypted sessions + 14.2 Display the TLS certificates + 14.3 Make the debug output of slapd visible + 15 Debugging the style sheets + 15.1 How to observe the mapping step from xmlformat_contact to 
ldap_inetorgperson + 15.2 Example file contact4.xml + 15.3 Check the mapping step from xmlformat_contact to ldap_inetorgperson + 15.4 Alternative parsers + 16 ERROR: (mod->mod_vals.modv_strvals) is NULL + 17 LDAP ERROR: No such object (32) + 18 LDAP ERROR: Invalid credentials (49) +Part VI References + + + + + +Installation + +1 Compiling the source code with cmake + +1.1 The following cmake modules are required for the LDAP plugin + +• FindLibLdap.cmake + +• FindLibGCrypt.cmake + +• FindLibSASL2.cmake + +• FindLibGSSAPIV2.cmake + +See the directory cmake/modules. + +1.2 Regular build + +tar -xvjf libopensync-plugin-ldap-0.39.tar.bz2 + +cd libopensync-plugin-ldap-0.39 + +mkdir build + +cd build + +PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/" cmake +-DCMAKE_INSTALL_PREFIX=/usr/local -DUPDATE_TYPE=svn +/home/user1/libopensync-plugin-ldap-0.39 + +make -s + +sudo make -s install + +sudo ldconfig + +cd ../.. + +1.3 Debug build + +tar -xvjf libopensync-plugin-ldap-0.39.tar.bz2 + +cd libopensync-plugin-ldap-0.39 + +mkdir build_debug + +cd build_debug + +PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/" cmake +-DCMAKE_INSTALL_PREFIX=/usr/local -DUPDATE_TYPE=svn +-DCMAKE_BUILD_TYPE=Debug -DCMAKE_VERBOSE_MAKEFILE=ON +/home/user1/libopensync-plugin-ldap-0.39 + +make -s + +sudo make -s install + +sudo ldconfig + +cd ../.. + +1.4 Build doxygen based documentation of the source code + +cd build + +make doxygen + +firefox doc/html/index.html & + +2 Tests + +There is a "test" target. It is primarily intended for +developers. Tests which I expect to fail are commented out in the +CMakeLists.txt. 
+ +2.1 Required software + +The tests make use of external tools, most notably: + +• xmllint + +• xsltproc + +• ldapsearch + +• ldapadd + +• ldapmodify + +• ldapdelete + +• valgrind + +2.2 Running the tests + +cd build + +make test + +2.3 Display a list of tests + +cd build + +ctest -N + +2.4 Run only one particular test + +cd build + +ctest -I 51,51 + +ctest -R remove_test_ldifs + +Configuration + +3 Prepare the LDAP server “slapd” + +3.1 Configure the LDAP server + +vim /etc/openldap/slapd.conf + +(...) + +include /etc/openldap/schema/core.schema + +include /etc/openldap/schema/inetorgperson.schema + +include /etc/openldap/schema/evolutionperson.schema + +(...) + +database bdb + +suffix "dc=example,dc=com" + +checkpoint 1024 15 + +####### Root<rootdn> account, “simple” authentication + +rootdn "cn=root,dc=example,dc=com" + +rootpw password + + + +### Mappings to gain the bind-DN's in order + +### to answer the question about access rights + +### for SASL based authentication: + +authz-regexp + + uid=([^,]*),cn=digest-md5,cn=auth + + cn=$1,dc=example,dc=com + + + +authz-regexp + + uid=([^,]*),cn=cram-md5,cn=auth + + cn=$1,dc=example,dc=com + + + +authz-regexp + + uid=([^,]*),cn=plain,cn=auth + + cn=$1,dc=example,dc=com + + + +authz-regexp + + uid=([^,]*),cn=login,cn=auth + + cn=$1,dc=example,dc=com + + + +authz-regexp + + uid=([^,]*),cn=gssapi,cn=auth + + cn=$1,dc=example,dc=com + + + +authz-regexp + + +email=([^@]+)@host\.([^.]+)\.([^,]+),cn=host\.example\.com,ou=[^#]+[^\ +]+\ ldap\ client\ [^,]+,o=a\ private\ site\.,st=city,c=us + + cn=$1,dc=$2,dc=$3 + + + +sasl-host host.example.com + + + +### Minimal access rights for a given bind-DN: + +access to dn.subtree="ou=addressbook,dc=example,dc=com" by users +write + +access to dn.subtree="ou=calendar,dc=example,dc=com" by users +write + +access to dn.subtree="ou=todo,dc=example,dc=com" by users write + +access to dn.subtree="o=notes,dc=example,dc=com" by users write + + + +access to dn.base="cn=Subschema" by * read 
+ +access to dn.one="ou=people,dc=example,dc=com" by * read + +directory /var/lib/ldap + +(...) + +3.2 Syntax test of the configuration file + +slapd -Ttest + +3.3 Build the directory information tree (= DIT) + +We are going to create a hierarchical tree like this one: + +<Graphics file: /tmp/dit1.tiff> + +ou=people will contain the user accounts for the so-called “ +simple” authentication method. + +ou=addressbook is intended to store entries for object type “ +contact” (object type here is a libopensync specific term; not to +be confused with “object class”, which is an LDAP specific term). + +ou=calendar is for object type “event”. + +ou=todo is for object type “todo”. Applications often refer to +this as “tasks”. + +o=notes is for object type “note”. The object class “organization” + has been chosen here just to demonstrate that this decision has +been made in an arbitrary way. A dedicated LDAP schema is +currently used for object “contact”, only. All the other object +types currently use general object classes, which will hopefully +be changed eventually. + +Establish the root subtree “dc=example,dc=com”, which is to hold +the people subtree, the addressbook subtree, the todo subtree and +the notes subtree. 
+ +vim root1.ldif + +dn: dc=example,dc=com + +objectClass: top + +objectClass: dcObject + +objectClass: organizationalUnit + +dc: example + +ou: top node of LDAP Server + +Now add this to the DIT: + +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f +root1.ldif + +3.3.1 Establish an addressbook + +We use the LDAP root DN and the LDAP root password to establish +an addressbook: + +vim addressbook.ldif + +dn: ou=addressbook,dc=example,dc=com + +objectClass: top + +objectClass: organizationalUnit + +ou: addressbook + +description: Personal Addressbook + +Now add this LDIF file: + +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f +addressbook.ldif + +3.3.2 Estalish a calendar + +vim calendar1.ldif + +dn: ou=calendar,dc=example,dc=com + +objectClass: top + +objectClass: organizationalUnit + +ou: calendar + +description: Calendar + +Now add this LDIF file: + +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f +calendar1.ldif + +3.3.3 Establish the todo's + +vim todo1.ldif + +dn: ou=todo,dc=example,dc=com + +objectClass: top + +objectClass: organizationalUnit + +ou: todo + +description: Calendar + +Now add this LDIF file to the DIT: + +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f +todo1.ldif + +3.3.4 Establish notes + +vim notes.ldif + +dn: o=notes,dc=example,dc=com + +objectClass: top + +objectClass: dcObject + +objectClass: organization + +dc: notes + +o: notes + +description: Notes + +Now add this LDIF file: + +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f +notes.ldif + +4 The different authentication methods with the LDAP server + +4.1 The “simple” authentication + +<simple_authentication>The credentials for the “simple” +authentication can be configured either in slapd.conf itself or +in the LDAP DIT, i.e. in a particular database. We have already +used the first method for the LDAP root DN (see above [rootdn]). 
+Now we are going to use the second method for an ordinary user “ +ldap_user”: + +vim ldap_user.ldif + + + +dn: ou=people,dc=example,dc=com + +objectClass: organizationalUnit + +description: LDAP user accounts. + + + +dn: cn=ldap_user,ou=people,dc=example,dc=com + +objectClass: inetOrgPerson + +cn: ldap_user + +sn: ldap_user + +givenname: ldap_user + +mail: lda...@ex... + +telephonenumber: 000-000-0001 + + + +We use the LDAP root DN and the LDAP root password to add this +entry to the DIT: + +ldapadd -x -D "cn=root,dc=example,dc=com" -w "password" -f +ldap_user.ldif + + + +Provide “ldap_user” with the password “secret”. Note the +difference between -w and -s: We authenticate ourselves as root +(in terms of LDAP: root-DN with the corresponding password as +configured in slapd.conf) + +ldappasswd -x -D "cn=root,dc=example,dc=com" -w "password" -s +"secret" "cn=ldap_user,ou=people,dc=example,dc=com" + +4.2 Configure the SASL library + +<sasl_in_general>Which SASL mechanisms does the SASL library +offer? + +sasl2-shared-mechlist + +Available mechanisms: +DIGEST-MD5,GSSAPI,CRAM-MD5,LOGIN,PLAIN,ANONYMOUS + +Library supports: +EXTERNAL,ANONYMOUS,PLAIN,LOGIN,CRAM-MD5,GSSAPI,DIGEST-MD5 + +<sasl_mechanisms_offered_by_slapd>Which SASL mechanisms are +supported by the LDAP server slapd with unencrypted sessions? + +ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms + +dn: + +supportedSASLMechanisms: DIGEST-MD5 + +supportedSASLMechanisms: GSSAPI + +supportedSASLMechanisms: CRAM-MD5 + +Which SASL mechanisms are supported by the LDAP server slapd with +encrypted sessions: + +ldapsearch -x -b "" -s base -LLL -Z supportedSASLMechanisms + +dn: + +supportedSASLMechanisms: DIGEST-MD5 + +supportedSASLMechanisms: GSSAPI + +supportedSASLMechanisms: CRAM-MD5 + +supportedSASLMechanisms: LOGIN + +supportedSASLMechanisms: PLAIN + + + +Configure SASL: + +The SASL library is configured with respect to slapd in a file +called “slapd.conf”. 
This file is located in /usr/lib/sasl2/ and +it MUST NOT be confused with /etc/openldap/slapd.conf. + +The mech_list in the following file determines which +authentication mechanisms are to be supported by libsasl: + +Cf. cyrus-sasl-lib-2.1.22/options.html in the source code of the +sasl library. + +vim /usr/lib/sasl2/slapd.conf + +pwcheck_method: saslauthd auxprop + +mech_list: plain login cram-md5 digest-md5 gssapi external +anonymous + +keytab: /etc/krb5.keytab + +log_level: 7 + +<sasldb_account>Create the account for “ldap_user” in the SASL +database as root: + +saslpasswd2 -c ldap_user + +Check the result as root: + +sasldblistusers2 + +ld...@ho...: userPassword + +Do the various mechanisms work as expected? + +As root in an xterm: + +sasl2-sample-server -s ldap + +(...) + +DIGEST-MD5 GSSAPI CRAM-MD5 LOGIN PLAIN ANONYMOUS + +As a simple user in another xterm: + +sasl2-sample-client -m PLAIN localhost + +sasl2-sample-client -m DIGEST-MD5 localhost + +sasl2-sample-client -m CRAM-MD5 localhost + +sasl2-sample-client -m LOGIN localhost + +sasl2-sample-client -m ANONYMOUS localhost + + + +Assuming the Kerberos V5 system is already configured. See below [kerberosv5] +. + +kinit -V ldap_user + +sasl2-sample-client -s ldap -m GSSAPI host.example.com + + + + + +4.3 SASL/DIGEST-MD5 + +<digest_md5>SASL using DIGEST-MD5 with the password being stored +in the sasldb as shown above under [sasldb_account]. For the +authentication itself nothing else has to be configured. 
+ +For the access rules to work the authentication identifier +(bind-DN) can be rewritten by these lines in +/etc/openldap/slapd.conf: + +authz-regexp + + uid=([^,]*),cn=digest-md5,cn=auth + + cn=$1,dc=example,dc=com + +Configure the opensync-plugin-ldap: + + osynctool --configure "sync_ldap_with_evolution" 2 + + + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authcid</Name> + + <Type>string</Type> + + <Value>ldap_user</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>password</Name> + + <Type>string</Type> + + <Value>secret</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>anonymous</Name> + + <Type>string</Type> + + <Value>0</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authmech</Name> + + <Type>string</Type> + + <Value>DIGEST-MD5</Value> + +</AdvancedOption> + +Any configuration setting performed by “osynctool --configure ...” + must additionally be set into effect by: + +osynctool --discover "sync_ldap_with_evolution" + +4.4 SASL/CRAM-MD5 + +SASL using CRAM-MD5 with the password being stored in the sasldb +as shown above under [sasldb_account]. For the authentication +itself nothing else has to be configured. 
+ +For the access rules to work the authentication identifier +(bind-DN) can be rewritten by these lines in +/etc/openldap/slapd.conf: + +authz-regexp + + uid=([^,]*),cn=cram-md5,cn=auth + + cn=$1,dc=example,dc=com + +Configure the opensync-plugin-ldap: + +osynctool --configure "sync_ldap_with_evolution" 2 + + + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authcid</Name> + + <Type>string</Type> + + <Value>ldap_user</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>password</Name> + + <Type>string</Type> + + <Value>secret</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>anonymous</Name> + + <Type>string</Type> + + <Value>0</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authmech</Name> + + <Type>string</Type> + + <Value>CRAM-MD5</Value> + +</AdvancedOption> + +Any configuration setting performed by “osynctool --configure ...” + must additionally be set into effect by: + +osynctool --discover "sync_ldap_with_evolution" + +4.5 SASL/PLAIN over an encrypted connection + +SASL using the PLAIN mechanism with the password being stored in +the sasldb. The default configuration of newer slapd versions +does not accept such an insecure authentication method without +encryption. See above under [sasl_mechanisms_offered_by_slapd]. +As a consequence the ldap plugin must establish an encrypted +connection. 
This can be configured EITHER by setting the option “ +encryption” to 1 OR by setting a network connection that leads to +a port used for encrypted sessions only: + +osynctool --configure "sync_ldap_with_evolution" 2 + + + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authcid</Name> + + <Type>string</Type> + + <Value>ldap_user</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>password</Name> + + <Type>string</Type> + + <Value>secret</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>anonymous</Name> + + <Type>string</Type> + + <Value>0</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authmech</Name> + + <Type>string</Type> + + <Value>PLAIN</Value> + +</AdvancedOption> + + + +(...) + + + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>encryption</Name> + + <Type>string</Type> + + <Value>1</Value> + +</AdvancedOption> + + + +(...) + + + +<Connection> + + <encrypted_connection1> +<ActiveConnection>Network</ActiveConnection> + + <Network> + + <Address>host.example.com</Address> + + <Port>636</Port> + + <Protocol>ldaps</Protocol> + + </Network> + +</Connection> + +Any configuration setting performed by “osynctool --configure ...” + must additionally be set into effect by: + +osynctool --discover "sync_ldap_with_evolution" + +For the access rules to work the authentication identifier +(bind-DN) can be rewritten by these lines in +/etc/openldap/slapd.conf: + +authz-regexp + + uid=([^,]*),cn=plain,cn=auth + + cn=$1,dc=example,dc=com + +4.6 SASL/LOGIN over an encrypted connection + +SASL using LOGIN with the password being stored in the sasldb. +The default configuration of newer slapd versions does not accept +such an insecure authentication method without encryption. 
See +above under [sasl_mechanisms_offered_by_slapd]. As a consequence +the ldap plugin must establish an encrypted connection. This can +be configured EITHER by setting the option “encryption” to 1 OR +by setting a network connection that leads to a port used for +encrypted sessions only: + +osynctool --configure "sync_ldap_with_evolution" 2 + + + +(...) + + + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authcid</Name> + + <Type>string</Type> + + <Value>ldap_user</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>password</Name> + + <Type>string</Type> + + <Value>secret</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>anonymous</Name> + + <Type>string</Type> + + <Value>0</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authmech</Name> + + <Type>string</Type> + + <Value>PLAIN</Value> + +</AdvancedOption> + + + +(...) + + + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>encryption</Name> + + <Type>string</Type> + + <Value>1</Value> + +</AdvancedOption> + + + +(...) + + + +<Connection> + + <ActiveConnection>Network</ActiveConnection> + + <Network> + + <Address>host.example.com</Address> + + <Port>636</Port> + + <Protocol>ldaps</Protocol> + + </Network> + +</Connection> + +Any configuration setting performed by “osynctool --configure ...” + must additionally be set into effect by: + +osynctool --discover "sync_ldap_with_evolution" + +For the access rules to work the authentication identifier +(bind-DN) can be rewritten by these lines in +/etc/openldap/slapd.conf: + +authz-regexp + + uid=([^,]*),cn=login,cn=auth + + cn=$1,dc=example,dc=com + +4.7 SASL/GSSAPI (KERBEROS V5) + +<kerberosv5>SASL using GSSAPI with the password being stored in +the kerberos subsystem. 
This has the advantage that the password +is not sent over the connection to the LDAP server. + +4.7.1 Preparing KERBEROS V5 + + DNS configuration + +Check resolver settings: + +vim /etc/nsswitch.conf + +(...) + +hosts: files dns + +(...) + +Add "kerberos" host name to DNS: + +vim /etc/hosts + +192.168.1.2 host.example.com host www kerberos + +Propagate KDCs via SRV record types in terms of RFC 2782: + +vim /etc/dnsmasq.conf + +srv-host=_kerberos._udp,host.example.com,88 + +srv-host=_kerberos-master._udp,host.example.com,88 + +srv-host=_kerberos-adm._tcp,host.example.com,749 + +srv-host=_kpasswd._udp,host.example.com,464 + +Make changes effective: + +service dnsmasq restart + +Test it: + +host kerberos + + Determine realm on a fedora 10 system + +vim /etc/sysconfig/krb5kdc + +KRB5KDC_ARGS= + +KRB5REALM=EXAMPLE.COM + + Configure main configuration file for kerberos + +vim /etc/krb5.conf + +[libdefaults] + + default_realm = EXAMPLE.COM + + dns_lookup_realm = false + + dns_lookup_kdc = false + + ticket_lifetime = 24h + + forwardable = yes + + + +[realms] + + EXAMPLE.COM = { + + kdc = host.example.com:88 + + kdc = kerberos.example.com:88 + + kdc = localhost.localdomain:88 + + kdc = localhost + + admin_server = kerberos.example.com:749 + + default_domain = example.com + + } + + + +[domain_realm] + + .example.com = EXAMPLE.COM + + example.com = EXAMPLE.COM + + localdomain = EXAMPLE.COM + + .localdomain = EXAMPLE.COM + + Configure configuration file of the KDC, i.e. 
for issuing + tickets per realm + +vim /var/kerberos/krb5kdc/kdc.conf + +[kdcdefaults] + + v4_mode = nopreauth + + kdc_ports = 88,750 + + kdc_tcp_ports = 88 + + + +[realms] + + EXAMPLE.COM = { + + acl_file = /var/kerberos/krb5kdc/kadm5.acl + + dict_file = /usr/share/dict/words + + admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab + + supported_enctypes = aes256-cts:normal aes128-cts:normal +des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal +des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 +des-cbc-crc:afs3 + + } + + Create the database for this particular realm EXAMPLE.COM and a + stash file for the server to authenticate itself using the + password “master” + +If you choose not to install a stash file, the KDC will prompt +you for the master key each time it starts up. This means that +the KDC will not be able to start automatically, such as after a +system reboot. + +kdb5_util create -r EXAMPLE.COM -s + +(...) + +Enter KDC database master key: master + +Re-enter KDC database master key to verify: master + + Grant administrative access + +vim /var/kerberos/krb5kdc/kadm5.acl + +*/ad...@EX... * + + Add administrative principals to the Kerberos database + +kadmin.local -q "addprinc root/admin" + +(...) + + Create service principal "ldap/host.example.com" + +kadmin.local -q "addprinc ldap/host.example.com" + +(...) + + Create keytab file for service principal "ldap" + +kadmin.local -q "ktadd ldap/host.example.com" + +(...) + + Adjust permissions: The keytab file must be readable by the + LDAP server + +For a dissenting opinion on this (suggests building a second +keytab file): Cf. [http://www.openldap.org/faq/index.cgi?_highlightWords=keytab&file=630||http://www.openldap.org/faq/index.cgi?_highlightWords=keytab&file=630] + +chown root:ldap /etc/krb5.keytab + +chmod g+r /etc/krb5.keytab + + Create the user principal "ldap_user" with password "secret" + +useradd ldap_user + +(...) + + + +passwd ldap_user + +(...) 
+ + + +kadmin.local -q "addprinc ldap_user" + +(...) + + Useful commands + +kadmin.local -q "list_principals" + +(...) + + + +ktutil + +ktutil: read_kt /etc/krb5.keytab + +ktutil: list + +(...) + +ktutil: quit + + + +kadmin.local -q "get_principal ldap" + +(...) + + + +kadmin.local -q "get_principal ldap_user" + +(...) + + Adjust SELinux + +setsebool -P allow_kerberos 1 + + Start up the kdc on a fedora system + +chkconfig --level 345 kadmin on + +chkconfig --level 345 krb5kdc on + +service krb5kdc start + +service kadmin start + + Kerberos related log files + +tail -f /var/log/krb5kdc.log + +(...) + + + +tail -f /var/log/kadmind.log + +(...) + +4.7.2 Configure the opensync-plugin-ldap: + +osynctool --configure "sync_ldap_with_evolution" 2 + + + +(...) + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authcid</Name> + + <Type>string</Type> + + <Value>ldap_user</Value> + +</AdvancedOption> + + + +(...) + + + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>anonymous</Name> + + <Type>string</Type> + + <Value>0</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authmech</Name> + + <Type>string</Type> + + <Value>GSSAPI</Value> + +</AdvancedOption> + +Any configuration setting performed by “osynctool --configure ...” + must additionally be set into effect by: + +osynctool --discover "sync_ldap_with_evolution" + +For the access rules to work the authentication identifier +(bind-DN) can be rewritten by these lines in +/etc/openldap/slapd.conf: + +authz-regexp + + uid=([^,]*),cn=gssapi,cn=auth + + cn=$1,dc=example,dc=com + +4.7.3 Using KERBEROS with SASL + +Retrieve a ticket-granting ticket: + +kinit -V ldap_user + +Password for lda...@EX...: secret + +Authenticated to Kerberos v5 + +Get to know the expiration date: + +klist + +(...) + +Run osynctool: + +osynctool --configure ... + +osynctool --discover ... 
+ +osynctool --sync ... + +4.8 SASL/EXTERNAL using the TLS cert used in a TLS encrypted + connection + +SASL using the EXTERNAL mechanism with both the identifier and +the password being stored in the SSL/TLS subsystem. + +4.8.1 Generate server and client certificates + +<tls_certs>cd /etc/openldap/cacerts/ + +Create server certificate signing request and server key + +openssl req -new -nodes -out server.csr -keyout server.key + +Sign the server certificate + +openssl ca -policy policy_anything -out server.crt -infiles +./server.csr + +Display contents of the LDAP server certificate + +openssl x509 -text -in server.crt + +Create client certificate signing request and client key + +openssl req -new -nodes -out client.csr -keyout client.key + +Sign the client certificate + +openssl ca -out client.crt -infiles ./client.csr + +Display contents of the LDAP client certificate + +openssl x509 -text -in client.crt + +4.8.2 Configuration of the LDAP server + +Tell slapd about the TLS key and the TLS certificate: + +vim /etc/openldap/slapd.conf + +TLSCACertificatePath /etc/openldap/cacerts + +TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA + +TLSCertificateFile /etc/openldap/cacerts/server.crt + +TLSCertificateKeyFile /etc/openldap/cacerts/server.key + +Change slapd start up options on a fedora 10 system + +vim /etc/sysconfig/ldap + +SLAPD_LDAP=no + +SLAPD_LDAPS=yes + +For the access rules to work the authentication identifier +(bind-DN) can be rewritten by these lines in +/etc/openldap/slapd.conf: + +authz-regexp + + +email=([^@]+)@host\.([^.]+)\.([^,]+),cn=host\.example\.com,ou=[^#]+[^\ +]+\ ldap\ client\ [^,]+,o=a\ private\ site\.,st=city,c=us + + cn=$1,dc=$2,dc=$3 + +Check syntax of slapd.conf + +slapd -Ttest + +4.8.3 Configuration of the LDAP client side + +vim /etc/openldap/ldap.conf + +URI ldaps://host.example.com/ + +BASE dc=example,dc=com + +The TLS_* variables MUST NOT be configured in +/etc/openldap/ldap.conf. 
+ +They MUST be configured in ~/ldaprc or ~/.ldaprc: + +vim /home/user1/.ldaprc + +TLS_CACERTDIR /etc/openldap/cacerts + +TLS_CACERT /etc/openldap/cacerts/server.crt + +TLS_CERT /etc/openldap/cacerts/client.crt + +TLS_KEY /etc/openldap/cacerts/client.key + +TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP + +TLS_REQCERT never + +4.8.4 Configure the opensync-plugin-ldap + +osynctool --configure "sync_ldap_with_evolution" 2 + + + +(...) + + + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>anonymous</Name> + + <Type>string</Type> + + <Value>0</Value> + +</AdvancedOption> + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authmech</Name> + + <Type>string</Type> + + <Value>EXTERNAL</Value> + +</AdvancedOption> + + + +(...) + + + +<AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>encryption</Name> + + <Type>string</Type> + + <Value>1</Value> + +</AdvancedOption> + + + +(...) + + + +<Connection> + + <ActiveConnection>Network</ActiveConnection> + + <Network> + + <Address>host.example.com</Address> + + <Port>636</Port> + + <Protocol>ldaps</Protocol> + + </Network> + +</Connection> + +Any configuration setting performed by “osynctool --configure ...” + must additionally be set into effect by: + +osynctool --discover "sync_ldap_with_evolution" + +Usage + +5 Synchronizing between evolution and LDAP + +If you want to start from scratch: + +osynctool --delgroup "sync_ldap_with_evolution" + +The very first configuration step: Choose a name for a particular +synchronization group: + +osynctool --addgroup "sync_ldap_with_evolution" + +Which plugins could we use for this synchronization group? 
+ +osynctool --listplugins + +Available plugins: + +ldap-sync + +syncml-http-server + +syncml-http-client + +syncml-obex-client + +file-sync + +evo2-sync + +Here we choose the “evo2-sync” and the “ldap-sync” plugin: + +osynctool --addmember "sync_ldap_with_evolution" evo2-sync + + + +osynctool --addmember "sync_ldap_with_evolution" ldap-sync + +Which formats are available for configuring each plugin? + +osynctool --listformats + +(...) + +Format: ldap-evolutionperson + + Object Type: contact + +Format: ldap-inetorgperson + + Object Type: contact + +Format: ldap-event + + Object Type: event + +Format: ldap-todo + + Object Type: todo + +Format: ldap-note + + Object Type: note + +(...) + +Configure the evo2-sync plugin: + +osynctool --configure "sync_ldap_with_evolution" 1 + +(...) + +Configure the “ldap-sync” plugin: The following configuration +lets only the objtype “contact” be enabled. It chooses +SASL/DIGEST-MD5 as authentication mechanism with the authcid +being “ldap_user” and the password “secret”. It connects to a +host “host.example.com” on port 389 with the protocol “ldap”. + +For how to set up an encrypted connection see above [encrypted_connection1] + and [tls_certs]. + +For the “simple” authentication see above [simple_authentication] +. + +For SASL/DIGEST-MD5 see also above [digest_md5] and for how to +configure the SASL library see above [sasl_in_general]. 
+ +osynctool --configure "sync_ldap_with_evolution" 2 + +<?xml version="1.0"?> + +<config version="1.0"> + + <AdvancedOptions> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>binddn</Name> + + <Type>string</Type> + + <Value>cn=ldap_user,ou=people,dc=example,dc=com</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authcid</Name> + + <Type>string</Type> + + <Value>ldap_user</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>password</Name> + + <Type>string</Type> + + <Value>secret</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>anonymous</Name> + + <Type>string</Type> + + <Value>0</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>authmech</Name> + + <Type>string</Type> + + <Value>DIGEST-MD5</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>encryption</Name> + + <Type>string</Type> + + <Value>0</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>ldap_read</Name> + + <Type>string</Type> + + <Value>1</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>ldap_write</Name> + + <Type>string</Type> + + <Value>1</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>searchbase_contact</Name> + + <Type>string</Type> + + <Value>ou=addressbook,dc=example,dc=com</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>searchfilter_contact</Name> + + <Type>string</Type> + + 
<Value></Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>storebase_contact</Name> + + <Type>string</Type> + + <Value></Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>searchbase_event</Name> + + <Type>string</Type> + + <Value>ou=calendar,dc=example,dc=com</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>searchfilter_event</Name> + + <Type>string</Type> + + <Value></Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>storebase_event</Name> + + <Type>string</Type> + + <Value></Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>searchbase_todo</Name> + + <Type>string</Type> + + <Value>ou=todo,dc=example,dc=com</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>searchfilter_todo</Name> + + <Type>string</Type> + + <Value></Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>storebase_todo</Name> + + <Type>string</Type> + + <Value></Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>searchbase_note</Name> + + <Type>string</Type> + + <Value>o=notes,dc=example,dc=com</Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>searchfilter_note</Name> + + <Type>string</Type> + + <Value></Value> + + </AdvancedOption> + + <AdvancedOption> + + <MaxOccurs>2147483647</MaxOccurs> + + <Max>2147483647</Max> + + <Name>storebase_note</Name> + + <Type>string</Type> + + <Value></Value> + + </AdvancedOption> + + </AdvancedOptions> + + 
<Connection> + + <ActiveConnection>Network</ActiveConnection> + + <Network> + + <Address>host.example.com</Address> + + <Port>389</Port> + + <Protocol>ldap</Protocol> + + </Network> + + </Connection> + + <Resources> + + <Resource> + + <Enabled>1</Enabled> + + <Formats> + + <Format> + + <Name>ldap-inetorgperson</Name> + + </Format> + + </Formats> + + <ObjType>contact</ObjType> + + </Resource> + + <Resource> + + <Enabled>1</Enabled> + + <Formats> + + <Format> + + <Name>ldap-event</Name> + + </Format> + + </Formats> + + <ObjType>event</ObjType> + + </Resource> + + <Resource> + + <Enabled>1</Enabled> + + <Formats> + + <Format> + + <Name>ldap-todo</Name> + + </Format> + + </Formats> + + <ObjType>todo</ObjType> + + </Resource> + + <Resource> + + <Enabled>1</Enabled> + + <Formats> + + <Format> + + <Name>ldap-note</Name> + + </Format> + + </Formats> + + <ObjType>note</ObjType> + + </Resource> + + </Resources> + +</config> + + + + + + + +Make the configuration become effective: + +osynctool --discover "sync_ldap_with_evolution" 1 + +osynctool --discover "sync_ldap_with_evolution" 2 + +osynctool --discover "sync_ldap_with_evolution" + +(...) + +Quickly check the “members”: + +osynctool --showgroup "sync_ldap_with_evolution" + +Group: sync_ldap_with_evolution + +Member 2: ldap-sync + +Member 1: evo2-sync + +And the object types available: + +osynctool --showobjtypes "sync_ldap_with_evolution" + +(...) + +Ok. Now we can try and synchronize the LDAP server with +evolution2: + +osynctool --sync "sync_ldap_with_evolution" + +If we want to avoid any modification and deletion, we can choose “ +--slow-sync”. This has not so much to do with just a slower +synchronization speed. It rather enforces the change type “ADDED” +for each entry of each peer. 
This is the best way to avoid any +data loss even in cases when problems arise: + +osynctool --sync "sync_ldap_with_evolution" --slow-sync "contact" + +osynctool --sync "sync_ldap_with_evolution" --slow-sync "event" + +6 Useful LDAP commands + +Display addressbook with anonymous access to the LDAP server: + +ldapsearch -x -LLL -s sub -b 'ou=addressbook,dc=example,dc=com' + +-x Use simple authentication instead of SASL. + +-s base|one|sub|children + +Specify the scope of the search to be one of base, one, sub, or + +children to specify a base object, one-level, subtree, or chil- + +dren search. The default is sub. Note: children scope requires + +LDAPv3 subordinate feature extension. + +-b searchbase + +Use searchbase as the starting point for the search instead of + +the default. + +Note: Anonymous access is NOT possible, if you have configured +slapd only with the access rules as proposed above. + + +Display the addressbook authenticating as ldap_user with the +simple authentication method: + +ldapsearch -x -D "cn=ldap_user,ou=people,dc=example,dc=com" -w +"secret" -LLL -s sub -b 'ou=calendar,dc=example,dc=com' + +Display the addressbook using SASL for authenticating without +specifying any particular mechanism: + +ldapsearch -U "ldap_user" -w "secret" -LLL -s sub -b +'ou=addressbook,dc=example,dc=com' + +Display the addressbook and choose explicitly CRAM-MD5 as SASL +mechanism: + +ldapsearch -Y CRAM-MD5 -U "ldap_user" -w "secret" -LLL -s sub -b +'ou=addressbook,dc=example,dc=com' + +Display the addressbook via GSSAPI after having retrieved a +ticket-granting ticket by kinit -V ldap_user: + +ldapsearch -Y GSSAPI -LLL -s sub -b +'ou=addressbook,dc=example,dc=com' + +Display one particular entry in the addressbook: + +ldapsearch -x -LLL -s sub -b 'ou=addressbook,dc=example,dc=com' +'uid=pas-id-496CB33100000065' + + ++ To get the “operational attributes”, as well. 
+ +ldapsearch -x -LLL -s sub -b +'uid=pas-id-496CB33100000065,ou=addressbook,dc=example,dc=com' +'ou=Revision' + + +Add an entry to the addressbook: + +vim contact1.ldif + +dn: uid=pas-id-4971256100000127,ou=addressbook,dc=example,dc=com + +cn: user4 + +givenName: user4 + +mail: user4@localhost + +sn: user4 + +uid: pas-id-4971256100000127 + +homePhone: 0000000000000 + +objectClass: evolutionPerson + + +ldapadd -a -w password -x -D "cn=root,dc=example,dc=com" -f +contact1.ldif + +Modify this entry: + +vim /tmp/entrymods + +dn: uid=pas-id-4971256100000127,ou=addressbook,dc=example,dc=com + +replace: homePhone + +homePhone: 0000000000001 + + +ldapmodify -x -D "cn=root,dc=example,dc=com" -w password -f +/tmp/entrymods + +Delete right this entry from the addressbook: + +ldapdelete -x -w password -D "cn=root,dc=example,dc=com" -r +"uid=pas-id-4971256100000127,ou=addressbook,dc=example,dc=com" + +Display calendar accessing the LDAP server anonymously: + +ldapsearch -x -LLL -s sub -b 'ou=calendar,dc=example,dc=com' + +Display todo's: + +ldapsearch -x -LLL -s sub -b 'ou=todo,dc=example,dc=com' + +Display notes (everything, including the base): + +ldapsearch -x -LLL -s sub -b 'o=notes,dc=example,dc=com' + +Display notes, only the base: + +ldapsearch -x -LLL -s base -b 'o=notes,dc=example,dc=com' + +Display all the entries under o=notes (i.e. 
all of the "notes", +without any subentries and withou the base): + +ldapsearch -x -LLL -s one -b 'o=notes,dc=example,dc=com' + +Display the subentries of one particular entry under o=notes: + +ldapsearch -x -LLL -s children -b +'documentIdentifier=200...@ho...,o=notes,dc=example,dc=com' + + +ldapsearch -x -LLL -s sub -b 'o=notes,dc=example,dc=com' +'(documentidentifier=200...@ho...)' + +Delete everything under o=notes: + +ldapsearch -x -LLL -s one -A -b "o=notes,dc=example,dc=com" 'dn' +| awk 'BEGIN {RS = "\n\n"} {gsub("dn: ", ""); gsub(/\n /, ""); +print}' > /tmp/file + + +ldapdelete -x -w password -D "cn=root,dc=example,dc=com" -r -f +/tmp/file + +Check the result: + +ldapsearch -x -LLL -s sub -b "o=notes,dc=example,dc=com" + +Or in one step with a pipe: + +ldapsearch -x -LLL -s one -A -b "o=notes,dc=example,dc=com" 'dn' +| awk 'BEGIN {RS = "\n\n"} {gsub("dn: ", ""); gsub(/\n /, ""); +print}' | ldapdelete -x -w password -D +"cn=root,dc=example,dc=com" -r + +7 Extra section: How to integrate mutt with the LDAP server + +This section shows how mutt must be extended and configured to be +able to access the email addresses stored in the addressbook of +the LDAP server. Dozens of scripts are out there to achieve this +aim. All of them provide mutt with a read-only access. This +means, that adding new address entries to the LDAP server from +inside mutt requires a different or additional tool (not solved, +yet). + +Here is one way how to enable this kind of read-access. + +We make use of the “Little brother database”. LBDB accesses the +LDAP server. 
+ +7.1 Installation of LBDB on fedora 10 + +rpm -Uvh /dvd/Packages/perl-Convert-ASN1-0.21-3.fc9.noarch.rpm + +rpm -Uvh /usbstick/perl-LDAP-0.34-4.fc9.noarch.rpm + +Download LBDB source code: + +[http://www.spinnaker.de/debian/lbdb_0.36.tar.gz||http://www.spinnaker.de/debian/lbdb_0.36.tar.gz] + +tar -xvzf lbdb_0.36.tar.gz + +cd lbdb-0.36/ + +./configure --prefix=/usr/local --with-gpg --with-ypcat + +make -s + +make -w install + +ldconfig + +7.2 Configure lbdb + +vim /usr/local/etc/lbdb.rc + +METHODS="m_inmail m_ldap m_muttalias m_gpg" + +lbdb makes use of mutt_ldap_query. Older, but working version: + +cp /usr/share/doc/mutt-1.5.18/mutt_ldap_query /usr/local/lib/ + +Other examples: + +[http://www.courville.org/code/mutt_ldap_query/mutt_ldap_query.pl.in||http://www.courville.org/code/mutt_ldap_query/mutt_ldap_query.pl.in] + +cp mutt_ldap_query.pl.in /usr/local/lib/mutt_ldap_query + +vim /usr/local/lib/mutt_ldap_query + +# hostname of your ldap server + +our $ldap_server = 'host.example.com'; + +# ldap base search + +our $search_base = 'ou=addressbook,dc=example,dc=com'; + +# list of the fields that will be used for the query + +our $ldap_search_fields = 'uid givenname sn cn mail'; + +# list of the fields that will be used for composing the answer + +our $ldap_expected_answers = 'givenname sn mail o'; + +# format of the email result based on the expected answers of the +ldap query + +our $ldap_result_email = '${mail}'; + +# format of the real name result based on the expected answers of +the ldap query + +our $ldap_result_realname = '${givenname} ${sn}'; + +# format of the comment result based on the expected answers of +the ldap query + +our $ldap_result_comment = '(${o})'; + +# use ignorant (wildcard searching): + +our $ignorant = 0; + +# LDAP bind DN: + +our $ldap_bind_dn = 'cn=ldap_user,ou=people,dc=example,dc=com'; + +# LDAP bind password: + +our $ldap_bind_password = 'secret'; + +7.3 Configure mutt + +vim ~/.muttrc + +# Little brother database: + +set 
query_command="/usr/local/bin/lbdbq %s" + +7.4 Using mutt + +SHIFT-Q prompts for a name. Enter it. Return. And the mail +address should be displayed, if found, at all. + +In case of any problems: + +Check it from outside of mutt: + +lbdbq user1 + +7.5 Links + +Homepage of the “Little brother database”: + +[http://www.spinnaker.de/lbdb/||http://www.spinnaker.de/lbdb/] + +About LBDB: + +[http://mark.stosberg.com/Tech/mutt.html||http://mark.stosberg.com/Tech/mutt.html] + +Development + +8 Function names + +The function name prefixes (uniformly ldap_plugin_... and +ldap_format_...) have been chosen deliberately: + +• in order to make a clear distinction between libldap calls and + plugin calls, + +• in order to make a clear distinction between libopensync calls + and plugin calls, + +• and in order to make it easier to detect the plugin functions + while reading any backtraces. + +9 Error messages + +The error messages contain all file name and line number to +accelerate debugging. Null pointers should be recognizable +instantaneously without having to launch a debugger or to grep +through the trace files. The number of error messages, trace +messages and debugging messages has greatly been increased in +order to speed up debugging. + +10 Format/mapping problems + +The LDAP format plugin is the place where most of the future +development might have to be done. + +Basically the mapping is done in two steps: + +1. From xmlformat-contact, for example, to an XML format used + internally by the LDAP plugin, only. This is done by means of + an XML style sheet. This internal XML format is to a certain + degree oriented towards LDIF (= LDAP Data Interchange Format). + +2. From this plugin-internal XML format to C structs by means of + functions in ldap_format.c. + +And, of course, the other way round. + +The alternative would have been a style sheet that maps directly +to LDIF. But this turned out to be too difficult. 
XSLT is a +rather dumb programming language, actually, not even a +programming language. And it is, at least in my personal opinion, +not really suitable for all those quirks that will have to be +applied when paying attention to all kinds of LDAP specific +requirements. + +The mapping especially with the objtype “contact” is still +neither loss-free nor bug-free. The whole concept how to store +the data on the LDAP server is not really compatible with the +requirements as laid out in the various *.xsd files. It is not +just a simple mapping, as, for example, from vcard10 to +xmlformat-contact. + +One and the same element must not appear more than one time in an +LDAP entry. Which conflicts with the “unbounded” specification in +the XML schema files, obviously. Certain elements are obligatory +on the LDAP side, regardless of whether they have actually +appeared on the side of the peer. The current implementation has +no solution for the problem that certain elements may appear more +than one time. And the format plugin is not really able to enter +deeper levels than the first one under the ou=addressbook entry, +for instance. Only in exceptional cases, and this has not been +coded in a more general way, yet. + +Several XML elements are not mapped directly to any of the +elements offered by the LDAP schemata. They are stored in +subentries in an unusual way. For example: + +• This is an example for what I would call a direct or a regular + mapping: <Birthday><Content>...</Content></Birthday>. This can + be mapped directly to the LDAP attribute “birthDate:”. But any + potential XML attributes can not be stored with this LDAP + attribute. + +• And this is an example where an adequate LDAP attribute is + simply missing: <Nickname><Content>Foo</Content></Nickname>. 
+ The style sheet will sort out this one and reformat the XML + file: +<subentry> +<Nickname> +Foo +</Nickname> +</subentry> +And this reformatted XML file is mapped to an LDAP entry located + one level below the entry of objectclass “evolutionPerson” + (i.e. mapped to a subentry, which could be called an indirect + or irregular mapping): + +dn: +ou=Nickname,uid=pas-id-49AD628000000004,ou=addressbook,dc=example,dc=com + +objectClass: organizationalUnit + +description: Foo + +ou: Nickname + +Quite clear, that this is not optimal. It is a workaround to +overcome the incompatibility problem. + +For the time being there is no solution for the problem, either, +that the LDAP schemata “evolutionperson” and “inetorgperson” have +various elements that are not mapped, at all, to any element of +the xmlformat-contact format. + +11 Documentation + +This README has been written in lyx-1.6.0. Thus the conversion to +HTML, PS and PDF is quite easy. And the authoring is quicker than +writing in plain LaTeX. + +The source code has been annotated with doxygen based comments. “ +make doxygen” should lead to a “doc” sub directory in the build +directory with HTML, man and other subsubdirectories. “firefox +doc/html/index.html” displays the entry page. + +All of this should save us time. + +Troubleshooting + +12 Enable debug output + +12.1 Enable trace files with libopensync and + libopensync-plugin-ldap + +mkdir /tmp/trace + +export OSYNC_TRACE=/tmp/trace + +osynctool --listplugins + +(...) + +12.2 Enable trace files with libsyncml + +mkdir /tmp/trace + +export SYNCML_TRACE=/tmp/trace + +(...) 
+ +12.3 Enable debug output with the LDAP server slapd on fedora 10 + +vim /etc/rsyslog.conf + +*.* /var/log/debug + + + +service syslog restart + + + +vim /etc/sysconfig/ldap + +OPTIONS="-d 32767" + + +vim /etc/openldap/slapd.conf + +logfile /tmp/slapd.log + +loglevel any + + +service ldap configtest + +service ldap restart + +tail -f /tmp/slapd.log + +12.4 How to debug the format conversions with the ldap-sync + plugin + +The transformation from the format understood by the libldap API +to any format understood by libopensync is performed in several +steps and can be observed by defining certain DEBUG_* constants: + +LDAP <---> ldap plugin <---> libopensync <---> syncml plugin +<---> phone + +The conversation with the LDAP server API for getting data + +out of the directory information tree (DIT) can be watched + +by defining in ldap_plugin.h + +DEBUG_ldapdata_from_server + +The step from the LDAP server API to the xml format internally +used + +by the ldap-sync plugin can be observed by this constant: + +DEBUG_convert_ldap2xmldoc + +The step from this plugin-internal xml format to +xmlformat-contact, + +for instance, or the other way round: + +DEBUG_do_apply_stylesheet + +The step from xmlformt-contact to the xml format used by the ldap + +plugin internally: + +DEBUG_convert_xmldoc2ldap + +And the way how the ldap plugin talks to the LDAP server API, + +in order to write data into the directory information tree: + +DEBUG_ldapdata_to_server + + +13 CMakeError: MACRO_ENSURE_OUT_OF_SOURCE_BUILD + +Problem: + +CMake Error at cmake/modules/MacroEnsureOutOfSourceBuild.cmake:13 +(MESSAGE): libopensync-plugin-ldap doesn't allow to build +within the source directory. Please, create a seperate build +directory and run 'cmake /home/user1/dev/plugins/ldap-sync +[options]'! 
Call Stack (most recent call first): +/usr/local/share/libopensync1/cmake/modules/OpenSyncInternal.cmake:9 +(MACRO_ENSURE_OUT_OF_SOURCE_BUILD) CMakeLists.txt:50 (INCLUDE) + +Solution: + +tar -xvjf libopensync-plugin-ldap-0.39 + +cd libopensync-plugin-ldap-0.39 + +mkdir build + +cd build + +cmake ... + +make ... + +Problem: But I did make a separate build directory! Why does +cmake not realize this? + +Solution: Delete all the cache files “CMakeCache.txt” that you +can find inside the libopensync-plugin-ldap-0.xx source +directory. + +14 Debugging hints for SASL + +14.1 Which SASL mechanisms are supported by the LDAP library + +14.1.1 With unencrypted sessions + +ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms + +14.1.2 With encrypted sessions + +ldapsearch -x -b "" -s base -LLL -Z supportedSASLMechanisms + +Test SASL authentication with regard to read access, only + +ldapwhoami -U "ldap_user" -w "secret" -Y DIGEST-MD5 + +ldapwhoami -U "ldap_user" -w "secret" -Y CRAM-MD5 + +ldapwhoami -U "ldap_user" -w "secret" -Z -Y LOGIN + +ldapwhoami -U "ldap_user" -w "secret" -Z -Y PLAIN + +ldapwhoami -Z -Y EXTERNAL + + + +kinit -V ldap_user + +(...) + +ldapwhoami -Y GSSAPI + +In case of any problems, one could add “-V -d1” to the ldapwhoami +command line. + +14.2 Display the TLS certificates + +of the LDAP server only + +openssl s_client -connect localhost:636 -showcerts + +both of the server and the client + +openssl s_client -connect localhost:636 -cert +/etc/openldap/cacerts/client.crt -key +/etc/openldap/cacerts/client.key -showcerts + +14.3 Make the debug output of slapd visible + +vim /etc/rsyslog.conf + +*.* /var/log/debug + + + +service syslog restart + + + +vim /etc/sysconfig/ldap + +OPTIONS="-d 32767" + +Example of a debug session: + +ldapwhoami -V -d 1 -Z -Y EXTERNAL + +(...) 
+ +ldap_sasl_interactive_bind_s: user selected: EXTERNAL + +ldap_int_sasl_bind: EXTERNAL + +ldap_int_sasl_open: host=host.example.com + +SASL/EXTERNAL authentication started + +ldap_err2string + +ldap_sasl_interactive_bind_s: Unknown authentication method (-6) + + + +tail -f /var/log/debug + +Feb 20 13:30:49 host slapd[6298]: connection_get(21): got +connid=1 + +Feb 20 13:30:49 host slapd[6298]: connection_read(21): checking +for input on id=1 + +Feb 20 13:30:50 host slapd[6298]: + +connection_read(21): unable to get TLS client DN, error=49 id=1 + +Feb 20 13:30:50 host slapd[6298]: conn=1 fd=21 TLS established +tls_ssf=256 ssf=25 6 + +Solution: + +The variables TLS_CACERTDIR, TLS_CERT, TLS_KEY, TLSCipherSuite +and TLS_REQCERT MUST NOT be configured in +/etc/openldap/ldap.conf. They MUST be configured in ~/.ldaprc, +instead. + +15 Debugging the style sheets + +15.1 How to observe the mapping step from xmlformat_contact to + ldap_inetorgperson + +Comment out #undef DEBUG_do_apply_stylesheet so that +DEBUG_do_apply_stylesheet becomes defined: + +vim ldap_plugin.h + +// undef DEBUG_do_apply_stylesheet + +15.2 Example file contact4.xml + +<?xml version="1.0"?> + +<contact> + +<Address Location="Home"> + +<PostOfficeBox>12345</PostOfficeBox> + +<ExtendedAddress>userstreet5 + +10000 Any City + +user1 + +Berlin + +Berlin + +10000 + +Germany + +</ExtendedAddress> + +<Street>Mr. user1</Street> + +<Locality>Any City</Locality> + +<Region>Any State</Region> + +<PostalCode>10000</PostalCode> + +<Country>Any Country</Country> + +</Address> + +<AddressLabel Location="Home"> + +<Content>Mr. 
user1 + +userstreet5 + +10000 Any City + +user1 + +Berlin + +Berlin + +10000 + +Germany + +Any City, Any State + +10000 + +12345 + +Any Country</Content> + +</AddressLabel> + +<AddressLabel> + +<Content>user1 + +userstreet 5 + +Berlin, Berlin + +10000 + +10000 Berlin + +Germany</Content> + +</AddressLabel> + +<Anniversary> + +<Content>20090302</Content> + +</Anniversary> + +<Assistant> + +<Content>workaholic</Content> + +</Assistant> + +<Birthday> + +<Content>20090301</Content> + +</Birthday> + +<BlogUrl> + +<Content>http://blog.example.com/</Content> + +</BlogUrl> + +<CalendarUrl> + +<Content>http://calendar.example.com/</Content> + +</CalendarUrl> + +<Categories> + +<Category>Hot Contacts</Category> + +</Categories> + +<EMail Location="Other" UI-Slot="1"> + +<Content>user1@home</Content> + +</EMail> + +<FileAs> + +<Content>user1</Content> + +</FileAs> + +<FormattedName> + +<Content>user1</Content> + +</FormattedName> + +<FreeBusyUrl> + +<Content>http://busy.example.com/</Content> + +</FreeBusyUrl> + +<IM-AIM Location="Home" UI-Slot="1"> + +<Content>aim_account</Content> + +</IM-AIM> + +<IM-ICQ Location="Home" UI-Slot="4"> + +<Content>icq_account</Content> + +</IM-ICQ> + +<IM-MSN Location="Home" UI-Slot="3"> + +<Content>msn_account</Content> + +</IM-MSN> + +<IM-Yahoo Location="Home" UI-Slot="2"> + +<Content>yahoo_account</Content> + +</IM-Yahoo> + +<Manager> + +<Content>dude1</Content> + +</Manager> + +<Name> + +<FirstName>user1</FirstName> + +</Name> + +<Nickname> + +<Content>one</Content> + +</Nickname> + +<Note> + +<Content>Here we could any notes.</Content> + +</Note> + +<Organization> + +<Name>creative.com</Name> + +<Unit>supervisory</Unit> + +<Unit>Second floor</Unit> + +</Organization> + +<Profession> + +<Content>creator</Content> + +</Profession> + +<Revision> + +<Content>20090315T124347Z</Content> + +</Revision> + +<Spouse> + +<Content>Betty</Content> + +</Spouse> + +<Telephone Location="Work" UI-Slot="1"> + +<Content>0000000000004</Content> + 
+</Telephone> + +<Title> + +<Content>Emperor</Content> + +</Title> + +<Uid> + +<Content>pas-id-49BCF74000000000</Content> + +</Uid> + +<Url> + +<Content>http://www.example.com/</Content> + +</Url> + +<VideoUrl> + +<Content>http://video.example.com/</Content> + +</VideoUrl> + +<WantsHtml> + +<Content>TRUE</Content> + +</WantsHtml> + +</contact> + +15.3 Check the mapping step from xmlformat_contact to + ldap_inetorgperson + +xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml + + + +xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | +xmllint --noout - + + + +xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | +xsltproc ldap_inetorgperson2xmlformat_contact.xsl - + + + +xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | +xsltproc ldap_inetorgperson2xmlformat_contact.xsl - | xmllint +--noout - + + + +xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | +xsltproc ldap_inetorgperson2xmlformat_contact.xsl - | xmllint +--noout --schema +/usr/local/share/libopensync1/schemas/xmlformat-contact.xsd - + +15.4 Alternative parsers + +java -jar /usr/share/java/xalan-j2.jar -IN contact4.xml -XSL +xmlformat_contact2ldap_inetorgperson.xsl + + + +java -jar /usr/share/java/saxon.jar contact4.xml +xmlformat_contact2ldap_inetorgperson.xsl + +16 ERROR: (mod->mod_vals.modv_strvals) is NULL + +This error message: + +ERROR: (mod->mod_vals.modv_strvals) is NULL. + +means that a particular libldap call has not been told to use +binary values rather than strings. The ldap plugin does NOT use “ +modv_strvals”. Throughout the whole plugin “ +mod->mod_vals.modv_bvals”, or shorter, “mod->mod_bvalues” are +used. So there must always be a prior line “mod->mod_op = +LDAP_MOD_BVALUES” or “mod->mod_op = LDAP_MOD_BVALUES | +ANY_OTHER_OPTION | ...”. Apparently, such a line is missing in +this case. 
+ +17 LDAP ERROR: No such object (32) + +This error message may have different reasons, the most common +one being that you simply have a type in your search: ... [truncated message content] |
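Review bot: the sample ldap-sync configuration in section 5 stores the bind password in clear text (<Name>password</Name> ... <Value>secret</Value>), and nearly every command in sections 6 and 14.1 passes the password on the command line (ldapsearch ... -w "secret", ldapadd -a -w password -x -D "cn=root,dc=example,dc=com"), where it shows up in ps output and in the shell history. The README should say where osynctool writes that XML and that the file needs restrictive permissions, and the interactive examples should use -W (prompt) or -y <passwdfile> instead of -w. The same applies to section 7.2, which places our $ldap_bind_password = 'secret'; into /usr/local/lib/mutt_ldap_query, a system-wide path; either a per-user copy of the script or an explicit chmod should be documented there.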
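Review bot: the section 5 example combines <Value>DIGEST-MD5</Value> with the "encryption" option set to 0 and <Protocol>ldap</Protocol> on port 389, and the surrounding text only says that this "chooses SASL/DIGEST-MD5 as authentication mechanism"; it should state that the challenge-response bind keeps the password off the wire but that every contact, event, todo and note synchronized afterwards travels in clear unless one of the encrypted setups referenced as [encrypted_connection1] and [tls_certs] is used. Two related points in sections 6 and 14.1: ldapsearch -U "ldap_user" -w "secret" without -Y lets the client library pick a mechanism from whatever the server advertises, so the text should say which mechanism the reader should expect and point at the ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms check already given in 14.1.1; and the LOGIN and PLAIN tests (ldapwhoami -U "ldap_user" -w "secret" -Z -Y LOGIN, and the PLAIN line below it) use a single -Z, which only attempts StartTLS and continues on the plain connection if it fails. Those two lines should use -ZZ, which makes the tool abort when StartTLS does not succeed, since with PLAIN and LOGIN a silent fallback sends the password in clear.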
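Review bot: sections 12.3 and 14.3 enable OPTIONS="-d 32767", loglevel any and a catch-all *.* /var/log/debug rule, with slapd additionally writing to logfile /tmp/slapd.log, but say nothing about reverting the settings afterwards or about who can read the output; at these levels the logs contain bind DNs, search filters and directory contents, and /tmp is a world-accessible directory with a predictable file name. A sentence on switching the debug settings off after the session and keeping the log files readable by root only belongs in both places. Separately, the "Solution" paragraph in section 14.3 states that TLS_CACERTDIR, TLS_CERT, TLS_KEY, TLSCipherSuite and TLS_REQCERT "MUST NOT be configured in /etc/openldap/ldap.conf"; per ldap.conf(5) only TLS_CERT and TLS_KEY are user-only options, TLS_CACERTDIR and TLS_REQCERT are accepted in the system-wide file, and the client-side cipher directive is TLS_CIPHER_SUITE (TLSCipherSuite is the slapd.conf spelling), so that paragraph should be narrowed to the two user-only options.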
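Review bot: a few spelling slips in the prose of this region should be fixed before the README ships: "withou the base" in the o=notes examples of section 6, and "you simply have a type in your search" (typo) in section 17. In the same section 6 the line "+ To get the "operational attributes", as well." reads as a stray fragment; if it is meant to tell the reader to append the "+" attribute selector to the preceding ldapsearch command, the command line should show it and the sentence should say so.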