OpenLDAP

Un article de WindowsLinux.Net - Astuces pour Windows et Linux.

Sommaire

Définition

OpenLDAP est la version open source du protocole LDAP.

Site web officiel : http://www.openldap.org/

OpenLDAP contient deux services :

  • slapd - Serveur LDAP
  • slurpd - Serveur de réplication et de mise à jour.

Installation

Note : installation sur une Debian Etch.

Pour une nouvelle installation (avec les utilitaires ldap) : 

aptitude install slapd ldap-utils

Pour reconfigurer une installation existante : 

dpkg-reconfigure slapd

Le système nous pose alors plusieurs questions, voici ce qu'il faut répondre :

Q: Faut-il ignorer la configuration de slapd ?

R: Non.

Q: Quel est le nom de domaine ?

R: windowslinux.net

Q: Quel est le nom de l'organisation ?

R: Chez moi

Saisissez un mot de passe administrateur pour la base de données.

Q: Module de la base de données à utiliser ?

R: BDB

Q: La base doit être supprimée si le paquet slapd est supprimé ?

R: Non. Si nous désinstallons slapd par erreur ou suite à une mauvaise manipulation, il est préférable de conserver nos données.

Q: Faut-il déplacer l'ancienne base de données ?

R: Cette question est posée uniquement lorsqu'on reconfigure slapd, ou quand une ancienne base de données existe deja.

Répondre "oui" si vous désirez démarrer sur une base propre (ou suite à l'exécution de "dpkg-reconfigure slapd", après l'installation du package slapd.

Q: Faut-il autoriser LDAPv2 ?

R: Non, ce n'est pas (forcément) nécessaire.

Vérification du bon fonctionnement

Exécutez la commande suivante : 

ldapsearch -x -b dc=windowslinux,dc=net

Voici un exemple de retour : 

# extended LDIF
#
# LDAPv3
# base <dc=windowslinux,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# windowslinux.net
dn: dc=windowslinux,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: Chez moi
dc: windowslinux

# admin, windowslinux.net
dn: cn=admin,dc=windowslinux,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Utilitaires

PhpLdapAdmin

Informations complémentaires

RFC

Quelques RFC à lire :

[RFC4520]


[RFC4511]

Codes d'erreurs

Hex Decimal Name Owner Reference Description
0x00 0 LDAP_SUCCESS IESG RFC-4511 This is used to indicate that the associated operation completed successfully.
0x01 1 LDAP_OPERATIONS_ERROR IESG RFC-4511 This is used to indicate that the associated request was out of sequence with another operation in progress (e.g., a non-bind request in the middle of a multi-stage SASL bind).It does not indicate that the client has sent an erroneous message.

eDirectory: In NDS 8.3x through NDS 7.xx, this was the default error for NDS errors that did not map to an LDAP error code. To conform to the new LDAP drafts, NDS 8.5 uses 80 (0x50) for such errors.

0x02 2 LDAP_PROTOCOL_ERROR IESG RFC-4511 This is used to indicate that the client sent data to the server that did not comprise a valid LDAP request.
0x03 3 LDAP_TIMELIMIT_EXCEEDED IESG RFC-4511 This is used to indicate that processing on the associated request time limit specified by either the client request or the server administration limits has been exceeded and has been terminated because it took too long to complete. For a search operation, it is possible that some of the matching entries had been returned when the time limit was reached.
0x04 4 LDAP_SIZELIMIT_EXCEEDED IESG RFC-4511 This is used to indicate that there were more entries matching the criteria contained in a search operation than were allowed to be returned by the size limit configuration. Incomplete results maybe returned.
0x05 5 LDAP_COMPARE_FALSE IESG RFC-4511 Does not indicate an error condition. This is used to indicate that a compare operation completed successfully, but the provided attribute value assertion did not match the target entry.
0x06 6 LDAP_COMPARE_TRUE IESG RFC-4511 Does not indicate an error condition. This is used to indicate that a compare operation completed successfully, and the provided attribute value assertion matched the target entry.
0x07 7 LDAP_AUTH_METHOD_NOT_SUPPORTED IESG RFC-4511 This is used to indicate that the Directory Server does not support the requested authentication method.
0x08 8 LDAP_STRONG_AUTH_REQUIRED IESG RFC-4511 Indicates one of the following:
  • In bind requests, the LDAP server accepts only strong authentication.
  • In a client request, the client requested an operation such as delete that requires strong authentication.
  • In an unsolicited notice of disconnection, the LDAP server discovers the security protecting the communication between the client and server has unexpectedly failed or been compromised.
0x09 9 reserved(partialResults) IESG RFC-4511
0x0A 10 LDAP_REFERRAL IESG RFC-4511 Does not indicate an error condition. In LDAPv3, indicates that the server does not hold the target entry of the request, but that the servers in the referral field may.
0x0B 11 LDAP_ADMINLIMIT_EXCEEDED IESG RFC-4511
0x0C 12 LDAP_UNAVAILABLE_CRITICAL_EXTENSION IESG RFC-4511 Indicates that the LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type.
0x0D 13 LDAP_CONFIDENTIALITY_REQUIRED IESG RFC-4511 Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality and the request will not be handeled without confidentiality enabled.
0x0E 14 LDAP_SASL_BIND_IN_PROGRESS IESG RFC-4511 Does not indicate an error condition, but indicates that the server is ready for the next step in the process. The client must send the server the same SASL mechanism to continue the process.
0x0F 15 Not used.
0x10 16 LDAP_NO_SUCH_ATTRIBUTE IESG RFC-4511 Indicates that the attribute specified in the modify or compare operation does not exist in the entry.
0x11 17 LDAP_UNDEFINED_TYPE IESG RFC-4511 Indicates that the attribute specified in the modify or add operation does not exist in the LDAP server's schema.
0x12 18 LDAP_INAPPROPRIATE_MATCHING IESG RFC-4511 Indicates that the matching rule specified in the search filter does not match a rule defined for the attribute's syntax.
0x13 19 LDAP_CONSTRAINT_VIOLATION IESG RFC-4511 Indicates that the attribute value specified in a modify, add, or modify DN operation violates constraints placed on the attribute. The constraint can be one of size or content (string only, no binary).
0x14 20 LDAP_TYPE_OR_VALUE_EXISTS IESG RFC-4511 Indicates that the attribute value specified in a modify or add operation already exists as a value for that attribute.
0x15 21 LDAP_INVALID_SYNTAX IESG RFC-4511 Indicates that the attribute value specified in an add, compare, or modify operation is an unrecognized or invalid syntax for the attribute.
N/A 22-31 Not used.
0x20 32 LDAP_NO_SUCH_OBJECT IESG RFC-4511 Indicates the target object cannot be found. This code is not returned on following operations:
  • Search operations that find the search base but cannot find any entries that match the search filter.
  • Bind operations.
0x21 33 LDAP_ALIAS_PROBLEM IESG RFC-4511 Indicates that an error occurred when an alias was dereferenced.
0x22 34 LDAP_INVALID_DN_SYNTAX IESG RFC-4511 Indicates that the syntax of the DN is incorrect. (If the DN syntax is correct, but the LDAP server's structure rules do not permit the operation, the server returns LDAP_UNWILLING_TO_PERFORM.)
0x23 35 LDAP_IS_LEAF(Some Server RESERVED) IESG RFC-4511 Indicates that the specified operation cannot be performed on a leaf entry. (This code is not currently in the LDAP specifications, but is reserved for this constant.)
0x24 36 LDAP_ALIAS_DEREF_PROBLEM IESG RFC-4511 Indicates that during a search operation, either the client does not have access rights to read the aliased object's name or dereferencing is not allowed.
N/A 37-47 Reserved
0x30 48 LDAP_INAPPROPRIATE_AUTH IESG RFC-4511 Indicates that during a bind operation, the client is attempting to use an authentication method that the client cannot use correctly. For example, either of the following cause this error:
  • The client returns simple credentials when strong credentials are required.
  • The client returns a DN and a password for a simple bind when the entry does not have a password defined.
0x31 49 LDAP_INVALID_CREDENTIALS IESG RFC-4511 Indicates that during a bind operation one of the following occurred:
  • The client passed either an incorrect DN or password.
  • The password is incorrect because it has expired, intruder detection has locked the account, or some other similar reason.
0x32 50 LDAP_INSUFFICIENT_ACCESS IESG RFC-4511 Indicates that the caller does not have sufficient rights to perform the requested operation.
0x33 51 LDAP_BUSY IESG RFC-4511 Indicates that the LDAP server is too busy to process the client request at this time but if the client waits and resubmits the request, the server may be able to process it then.
0x34 52 LDAP_UNAVAILABLE IESG RFC-4511 Indicates that the LDAP server cannot process the client's bind request, usually because it is shutting down.
0x35 53 LDAP_UNWILLING_TO_PERFORM IESG RFC-4511 Indicates that the LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons:
  • The add entry request violates the server's structure rules.
  • The modify attribute request specifies attributes that users cannot modify.
  • Password restrictions prevent the action.
  • Connection restrictions prevent the action.
0x36 54 LDAP_LOOP_DETECT IESG RFC-4511 Indicates that the client discovered an alias or referral loop, and is thus unable to complete this request.
N/A 55-63 Reserved IESG
0x40 64 LDAP_NAMING_VIOLATION IESG RFC-4511 Indicates that the add or modify DN operation violates the schema's structure rules. For example:
  • The request places the entry subordinate to an alias.
  • The request places the entry subordinate to a container that is forbidden by the containment rules.
  • The RDN for the entry uses a forbidden attribute type.
0x41 65 LDAP_OBJECT_CLASS_VIOLATION IESG RFC-4511 Indicates that the add, modify, or modify DN operation violates the object class rules for the entry. For example, the following types of request return this error:
  • The add or modify operation tries to add an entry without a value for a required attribute.
  • The add or modify operation tries to add an entry with a value for an attribute which the class definition does not contain.
  • The modify operation tries to remove a required attribute without removing the auxiliary class that defines the attribute as required.
0x42 66 LDAP_NOT_ALLOWED_ON_NONLEAF IESG RFC-4511 Indicates that the requested operation is permitted only on leaf entries. For example, the following types of requests return this error:
  • The client requests a delete operation on a parent entry.
  • The client request a modify DN operation on a parent entry.
0x43 67 LDAP_NOT_ALLOWED_ON_RDN IESG RFC-4511 Indicates that the modify operation attempted to remove an attribute value that forms the entry's relative distinguished name.
0x44 68 LDAP_ALREADY_EXISTS IESG RFC-4511 Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
0x45 69 LDAP_NO_OBJECT_CLASS_MODS IESG RFC-4511 Indicates that the modify operation attempted to modify the structure rules of an object class.
0x46 70 LDAP_RESULTS_TOO_LARGE IESG RFC-4511 Reserved for CLDAP.
0x47 71 LDAP_AFFECTS_MULTIPLE_DSAS Indicates that the modify DN operation moves the entry from one LDAP server to another and thus requires more than one LDAP server.
N/A 72-79 Reserved IESG
0x50 80 LDAP_OTHER IESG RFC-4511 Indicates an unknown error condition. This is the default value for NDS error codes which do not map to other LDAP error codes.
N/A 81-90 Reserved (APIs) IESG RFC-4511
N/A 91-112 Reserved (LDAP APIs)
0x71 113 lcupResourcesExhausted IESG RFC-3298 The server is running out of resources. LDAP Client Update Protocol
0x72 114 lcupSecurityViolation IESG RFC-3298 The client is suspected of malicious actions. LDAP Client Update Protocol
0x73 115 lcupInvalidData IESG RFC-3298 Invalid cookie was supplied by the client - both/either the scheme and/or the value part was invalid . LDAP Client Update Protocol
0x74 116 lcupUnsupportedScheme IESG RFC-3298 The scheme part of the cookie is a valid OID but is not supported by this server. LDAP Client Update Protocol
0x75 117 lcupReloadRequired IESG RFC-3298 Indicates that client data needs to be reinitialized. This reason is returned if the server does not synchronize the client or if the server's data was reloaded since the last synchronization session. LDAP Client Update Protocol
0x78 118 Canceled IESG RFC-3909 The Cancel request is an ExtendedRequest with the requestName field containing 1.3.6.1.1.8 and a requestValue field which contains a BER-encoded cancelRequestValue value.
0x79 119 noSuchOperation IESG RFC-3909 Returned if the server has no knowledge of the operation requested for cancelation.
0x7A 120 tooLate IESG RFC-3909 Returned to indicate that it is too late to cancel the outstanding operation.
0x7B 121 cannotCancel IESG RFC-3909 Returned if the identified operation does not support cancellation or the cancel operation could not be performed.
0x7C 122 assertionFailed IESG RFC-4528 When the control is attached to an LDAP request, the processing of the request is conditional on the evaluation of the Filter as applied against the target of the operation. If the Filter evaluates to TRUE, then the request is processed normally. If the Filter evaluates to FALSE or Undefined, then assertionFailed (122) resultCode is returned, and no further processing is performed.
0x7D 123 authorizationDenied WELTMAN RFC-4532 Used to indicate that the server does not allow the client to assume the asserted identity.
Récupérée de « http://www.windowslinux.net/index.php/OpenLDAP »