Chapter 1. Preface

1.1. About the Author 12

1.2. Acknowledgments 12

1.3. Foreword 12

1.4. Pre-required software 13

1.5. Note about building software 13

1.6. Note about text notation 15

1.7. Software updates and newer versions 15

1.8. Disclaimer 15

1.1. About the Author

Turbo Fredriksson started out with computers at the age of nine, in 1978. He has been using, administering and developing for Linux (mostly Debian GNU/Linux) since 1993.

1.2. Acknowledgments

I'd like to thank the kind people on the openldap-software list for helping me when I first set my system up.

1.3. Foreword

The point of this book is to show how the combination of OpenLDAP and MIT Kerberos V (with the necessary 'glue' software) can give you a network-distributed information system that resembles NIS/NIS+, but with added security, functionality and 'distributability'. It will also give you a base for a 'single sign-on' system (the password is entered once), supplied by the Kerberos system.

Combined with Samba, which is a free SMB[1]/CIFS[2] server for UNIX operating systems, one could use Linux as a file server platform in a Windows environment. A UNIX/Samba/LDAPv3 combination would give you a Windows 2000 server replacement, for free.

Why should we use so much encryption and such a complicated setup, when user information (including the password) works so well in flat files (see the next chapter about this)? Well, basically the keywords here are growth and security. To illustrate what I mean by growth, I will show you the system I use, and the (small) differences to a system I did for the company I worked for, in the next chapter.

This book is about LDAPv3, and will not go into much depth on how the different protocols work. There are other, more specialized books out there for that. These are some of the recommended ones:

  1. "Understanding and Deploying LDAP Directory Services" by Tim Howes

  2. "Understanding LDAP" by IBM

The "Understanding and Deploying..." book is geared more towards the philosophies and inner workings of LDAP, and not much towards creating/administering your LDAP database. "Understanding LDAP" by IBM[3] can be found on IBM's web page (Chapter 9, Reference material).

1.4. Pre-required software

You will need the following software to be able to configure, make and install the software described in this book. See Chapter 9, Reference material, for the links to the software.

  1. GNU make is required; other make programs will not work. GNU make is often installed under the name gmake. (On GNU/Linux systems GNU make is the default tool with the name make).

  2. You need an ISO/ANSI C compiler. Recent versions of GCC are recommended, but most software in this book is known to build with a wide variety of compilers from different vendors.

  3. gzip is a popular data compression program, needed to unpack the source archives whose names end in .gz.

  4. The tar program provides the ability to create tar archives, as well as various other kinds of manipulation.

  5. The program patch takes a special patch file containing a difference listing produced by diff and applies those differences to one or more original files, producing a modified version of the software.

Most of these will come with your distribution of choice, especially if it is a Linux distribution. However, Solaris and AIX are among the operating systems that don't come with a working compiler. If this is the case, you will have to download the correct Solaris/AIX compiler packages from the appropriate site. I do know that you can get Solaris binaries at the Sun freeware project[4].

1.5. Note about building software

Building and installing the software described here is quite straightforward if one has done so a few times before. However, errors can occur if there are missing dependencies. For example, if you build/install Cyrus SASL before OpenSSL, you will not get SSL/TLS-enabled communication. Also, if you have installed a 'standard' workstation, you might not have the other development software needed. I have done my best to list ALL of the needed software, but as you can understand, it would be impossible to rule out ALL problems that can occur.

1.5.a. Running configure

The directory where the software gets installed, where configuration files will be located etc. can also be specified by using the correct switches to the configure script. To specify the base directory for the installation, the switch

--prefix

is used. So if /usr is specified here, the binaries (the actual programs) will be installed into /usr/bin, shared libraries (collections of functions that can be shared among programs) into /usr/lib etc. Note that configuration files then default to /usr/etc; to put them under /etc instead, add --sysconfdir=/etc as well. By executing

./configure --help

one gets a full listing of the available switches, with a short explanation of what each one is for.

Before starting the compilation of the software (transforming the source code into instructions the computer can execute), one first has to configure the source code (tell the build system how to do the compilation). This is done by executing the command ./configure with the appropriate switches. Notice the ./ (dot slash) in all the configure command lines. It specifies that we should use the command configure in the current directory, not any configure command installed on the system. After configure has been run, the source code has been configured with the correct information (i.e. 'do we have this, and do we have that' etc.).

1.5.b. Running make

Now it is time to build the software. This is done by executing the command make. Sometimes it is necessary to override some options in the system, and that is done with switches to make, like this (taken from the 'Building OpenSSL' section):

make -f Makefile.ssl all

Here we have specified that we should use another rules file (the 'developer slang' term for a make file) than the default. In this example we use the file Makefile.ssl and the make target all, instead of the default. The -f option simply means that the specified file should be used as the make file instead of the default (which with GNU make is either Makefile or makefile).

After the software has been compiled (successfully, I hope :), it is time to install it in its correct location on the system (so it can be used system-wide). This is also done by executing the command make. This time, however, we call the make target install instead of the target all, like this:

make -f Makefile.ssl install

A target is the actual rule that you want to use. The default target is the first one in the make file, which by convention is usually all. The reason we specified all in the previous example is that we want to be absolutely sure that we compile the software in the correct order. Only the install step needs write access to the system directories, so build as an ordinary user and run only make install as root.

Also, given how fast-moving the Internet and the Open Source movement are, the versions I have described here are most likely already out of date. Two weeks after I started with this book, Cyrus SASL[5] had released version 1.5.26 (not officially, only through their CVS[6] service), which fixed the problem described on page 48, chapter 4.4.a ('bugs in Cyrus SASL, v1.5.24').

1.5.c. Using and applying patches

Many of the software packages used here have bugs. Most have been fixed in later versions, but either those later versions have not been officially released, or I haven't had the opportunity to test them properly.

This forces us to apply patches. This is done using a patch file, a file that describes the differences between two files. It is created using the program diff, by the software developer or by someone who has found and fixed a bug.

A patch file would look something like this. Say the first file contains the line

this is line number one

and the second file contains the lines

this is line number one
this is line number two

The difference between these two files is the second line (reading 'this is line number two'). If this were a very large file with a lot of changes, and an update contained many changed files, distributing all of the changed files might be a very large affair. But if we only distribute the changes to all these files, we get away with something much smaller. A patch file between the two files would look like this:

--- file1       Wed Jun 20 21:04:54 2001
+++ file2       Wed Jun 20 21:05:01 2001
@@ -1 +1,2 @@
 this is line number one
+this is line number two

The first two lines name the original file (the --- line, file1) and the changed file (the +++ line, file2), each followed by its modification time. The third line, the hunk header, tells us where in each file the change is: -1 means the hunk starts at line 1 of the original and covers one line, and +1,2 means it starts at line 1 of the new file and covers two lines.

The rest of the patch (in this example, only the last two lines) is the changes. A line starting with a space is unchanged context, used to locate the change; a plus sign says that a line is added, and a minus sign would mean a removal. Now, say that I modify file2, replace the last line with 'this is line number three', and save it as file3. What would the patch look like? This is how:

--- file2       Wed Jun 20 21:05:01 2001
+++ file3       Wed Jun 20 21:08:38 2001
@@ -1,2 +1,2 @@
 this is line number one
-this is line number two
+this is line number three

This means that we should remove the line reading 'this is line number two' and replace it with a line that reads 'this is line number three'.

Applying a patch file created with diff is done with the command patch, like this. Say we've lost file two and file three but still have file1, and we only have the two patches above; this is how you get to file3:

patch file1 < patch1.patch 
patch file1 < patch2.patch

We must tell patch which file to apply the patch to (file1); the name given on the command line takes precedence over the file names recorded in the patch headers. We must do this twice, once for each patch that we want to apply. The first command line will make file1 look like file2 above, and the second will make it look like file3 above.
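The procedure above, as an added example that is not part of the book: the three files and the two patches from this section are recreated with diff -u in a scratch directory, and file3 is then rebuilt from file1 alone by applying the patches in order with patch. The file contents are constructed from the text of the section; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the book): recreate file1/file2/file3 from section 1.5.c,
# generate the two unified-diff patches with diff -u, then rebuild file3 from file1
# alone by applying them in order with patch. Needs diff (diffutils) and patch.
# All file contents are constructed from the text of the section.

# Create the three versions of the file in a fresh scratch directory and write
# patch1.patch (file1 -> file2) and patch2.patch (file2 -> file3). Prints the
# directory name so callers can inspect the patches.
make_patches() {
    work=$(mktemp -d) || return 1
    printf 'this is line number one\n' > "$work/file1"
    printf 'this is line number one\nthis is line number two\n' > "$work/file2"
    printf 'this is line number one\nthis is line number three\n' > "$work/file3"
    # diff exits 1 when the files differ (expected here) and 2 on real trouble.
    ( cd "$work" && { diff -u file1 file2 > patch1.patch || [ $? -eq 1 ]; } \
                 && { diff -u file2 file3 > patch2.patch || [ $? -eq 1 ]; } ) || return 1
    echo "$work"
}

# Apply the patches in order to file1 and print the result. The headers in the
# patches name file2/file3, but the file given on the command line overrides
# them, which is why the text patches file1 twice. --dry-run first makes patch
# check that every hunk applies cleanly without touching the file.
rebuild_file3() {
    work=$1
    target=$work/file1
    for p in "$work/patch1.patch" "$work/patch2.patch"; do
        patch -s --dry-run "$target" < "$p" || return 1
        patch -s "$target" < "$p" || return 1
    done
    cat "$target"
}

# End-to-end check: file1 with both patches applied must be identical to file3.
# Returns 0 on success, 1 otherwise, and cleans up the scratch directory.
verify_rebuild() {
    work=$(make_patches) || return 1
    if rebuild_file3 "$work" > "$work/rebuilt" && cmp -s "$work/rebuilt" "$work/file3"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

# Stand-alone run (sh patch_demo.sh demo): show both patches, then the rebuilt file.
if [ "${1:-}" = "demo" ]; then
    dir=$(make_patches) && cat "$dir/patch1.patch" "$dir/patch2.patch" && rebuild_file3 "$dir"
    rm -rf "$dir"
fi
```

Running patch with --dry-run first is worth making a habit: it reports any hunk that would fail to apply without modifying the target. And since the patched source is what you go on to compile and install system-wide, read a patch you received from a third party before applying it.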

1.6. Note about text notation

Wherever you see text between < and > (in bold), it means that that is where you input your own information. So for example, when you see

<YOUR KERBEROS REALM>

it means that you should put your realm (we will discuss realms and what they are in the next chapter) in there, like this:

BAYOUR.COM

Note that you should NOT include the characters < and >!

Paths are shown with italic text, and commands in lowercase+bold. To emphasize options for commands, underline is used.

Also, I assume in this document that the configuration for OpenLDAP2 is installed into /etc/ldap/. If you haven't installed it there, please remember to substitute your own path.

1.7. Software updates and newer versions

Since I initially started to write this book, I have upgraded some of the packages described here. The information about this can be found in chapter 8.3, the updates section. At the time of this writing (Sunday, August 19, 2001) I have not successfully compiled and installed OpenLDAP v2.0.11!

I'm still working heavily on this; it is at the top of my to-do list, since I really (!!) need to upgrade because of a recent security alert.

1.8. Disclaimer

This subject (LDAPv3) is not for the beginner, and I will usually not answer any questions of the form 'I get this when I try to configure/make/install this-or-that software'! In short, you will be required to 'read between the lines' of this book and draw your own (correct! :) conclusions. That being said, it's not as difficult as it might seem. If you belong to the group of people that I here call 'beginners', I recommend installing the software while reading the OpenLDAP web page on OpenLDAP administration.

Please don't send any 'please help me' mails directly to me. Direct them to the appropriate mailing lists (page 90) instead; you stand a much better chance of getting a reply if you do. I just don't have the time (or knowledge) to help anyone/everyone in private.

[1] Server Message Block

[2] Common Internet File System

[3] International Business Machines

[4] See references in chapter 11, page 102

[5] Simple Authentication and Security Layer

[6] Concurrent Versions System