ClearOS Documentation

Directory Server

The Directory Server app is where you view and manage your LDAP server settings. If you plan to connect external applications to the ClearOS directory, this is also where you control access to it and find the LDAP connection information.

Installation

If your system does not have this app available, you can install it via the Marketplace.

You can find this feature in the menu system at the following location:

Server|Directory|Directory Server

Configuration

Settings

In the settings widget, the following parameters can be configured:

  • The Base Domain should be set to your primary Internet domain, for example example.com.

The mode is shown for convenience only – the setting is part of the Master Slave Synchronization app.

Policies

There are two security policies that can be configured:

  • The Publish Policy controls which networks the directory listens on. Open it only if external applications need to reach the directory, for example network-attached storage servers.
    • Not Published - Accessible only from within ClearOS
    • Local Network - Accessible from LAN interfaces only, over LDAPS on TCP port 636.
    • All Networks - Accessible from all interfaces, over LDAPS on TCP port 636.
  • Accounts Access should be enabled if external applications need account information, for example when using the Global Address Book feature in the Thunderbird mail client.

ldap:// access from the LAN

Plaintext LDAP sends simple-bind passwords unencrypted unless the client negotiates StartTLS, so prefer ldaps:// whenever the client supports it and use the narrowest publish policy that works. If you nevertheless need LDAP on TCP port 389 (ldap:// rather than ldaps://) from your LAN, edit /usr/libexec/openldap/prestart.sh and change line 35 to read:

urls="$urls ldaps://$ip/ ldap://$ip/"

then in Webconfig > Server > Directory > Directory Server, change the Publish Policy to Local Network.

An update to the LDAP package could overwrite this file and silently drop the ldap:// listener again. Overwriting can be blocked with the command:

chattr +i /usr/libexec/openldap/prestart.sh

but a package update that legitimately needs to change this file will then fail, so clear the immutable flag before updating and re-apply the edit afterwards.

ldap:// access from all networks

If you need LDAP on TCP port 389 (ldap:// rather than ldaps://) from all networks, edit /usr/libexec/openldap/prestart.sh and change line 38 from:

urls="ldap://127.0.0.1/ ldaps:///"

to

urls="ldaps:/// ldap:///"

then in Webconfig > Server > Directory > Directory Server, change the Publish Policy to All Networks. This restarts slapd, which now listens for ldap:// as well as ldaps:// on every interface. Because "all interfaces" includes the external ones, this exposes unencrypted binds to every network the server is attached to; make sure the firewall limits who can reach port 389.

As in the LAN case, an LDAP package update could overwrite this file; the same chattr +i protection, and the same caveat about later updates, apply.

You can check which IP addresses and ports slapd is listening on with:

netstat -npl | grep slapd
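The listening check above is the verification step for both edits. As an added example, not part of the ClearOS documentation, the following POSIX shell functions classify what that output means for a given port, so you can confirm whether ldap:// on 389 ended up on loopback only, on a specific LAN address or on every address. The netstat lines parsed here are constructed sample input (the PID 1234 is made up); on a live host, feed it `netstat -tlnp` or `ss -tlnp` output instead, both of which put the local address in the fourth field.

```shell
#!/bin/sh
# Added example (not ClearOS code): classify slapd listener exposure per port
# from netstat/ss output, so the Publish Policy and prestart.sh edits can be
# verified offline against captured output.

# Constructed sample in `netstat -tlnp` layout (not captured from a real
# system): plaintext LDAP bound to loopback only, LDAPS on every interface.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      1234/slapd
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1234/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      1234/slapd'

# Print the local address of every slapd listener. Field 4 is the local
# address in both `netstat -tlnp` and `ss -tlnp` output.
slapd_listeners() {
  awk '/slapd/ { print $4 }'
}

# Read listener addresses on stdin and print the widest exposure of
# port $1: none, loopback, lan (a specific interface address) or all.
slapd_exposure() {
  port="$1"
  level=none
  while IFS= read -r addr; do
    case "$addr" in
      *:"$port") ;;          # a listener on the port we care about
      *) continue ;;         # some other port, ignore
    esac
    host="${addr%:*}"        # strip ":port"; leaves 0.0.0.0, ::, [::], 127.0.0.1, ...
    case "$host" in
      0.0.0.0|'*'|::|'[::]')
        level=all ;;         # wildcard bind beats everything else
      127.*|::1|'[::1]')
        if [ "$level" = none ]; then level=loopback; fi ;;
      *)
        if [ "$level" != all ]; then level=lan; fi ;;
    esac
  done
  echo "$level"
}

# Report for the constructed sample; replace SAMPLE_NETSTAT with live output.
for p in 389 636; do
  printf 'port %s: %s\n' "$p" \
    "$(printf '%s\n' "$SAMPLE_NETSTAT" | slapd_listeners | slapd_exposure "$p")"
done
```

With the sample above the report reads "port 389: loopback" and "port 636: all", which is the default state before either prestart.sh edit; after the LAN edit you should see "lan" for 389, and "all" only if you deliberately chose All Networks.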

Directory Information

General directory information is shown to help you connect external applications to the ClearOS directory.

The bind information and password listed here are sensitive and must be protected.

If you access LDAP from the LAN or externally over LDAPS on TCP port 636, you may need to import the LDAP CA certificate from /etc/openldap/certs/clearos-ca-cert.pem into your client so that it can verify the server certificate, rather than disabling certificate verification on the client side.

Accessing the Directory

Webconfig uses the LDAP Directory transparently for many functions. For the most part, adding users, creating groups, setting passwords or changing information about the server will modify the directory in all the ways you need it to without needing to manually enter records.

Modifying data in your LDAP directory directly can break ClearOS functionality and leave the system unsupportable. Be very careful.

Desktop Graphical Tools

You can use tools like the Apache Directory Studio or phpLDAPadmin to browse or change directory information. Use the information shown in the app to connect the client to the ClearOS directory.

Command Line

You can also use command line tools to manage the directory. These examples use the following data; substitute the values shown in your own Directory Information widget:

  • Hostname: localhost
  • Base DN: dc=clearos,dc=lan
  • Bind DN: cn=manager,ou=internal,dc=clearos,dc=lan
  • Bind Password: gbGKD86gEWXLYNRm

A simple search returns the entire directory. Note that -w places the password on the command line, where other local users can read it from the process list and where it ends up in shell history; on a shared system use -W to be prompted for it, or -y with a password file readable only by root.

ldapsearch -x -h localhost -b "dc=clearos,dc=lan" \
-D "cn=manager,ou=internal,dc=clearos,dc=lan" \
-s sub "(objectClass=*)" -w gbGKD86gEWXLYNRm

You can also limit the results to specific information. For example, the following shows all the groups on the system:

ldapsearch -x -h localhost -b "dc=clearos,dc=lan" \
-D "cn=manager,ou=internal,dc=clearos,dc=lan" \
-s sub "(objectClass=groupOfNames)" -w gbGKD86gEWXLYNRm
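As an added example, not code from the ClearOS documentation, the following shell functions turn the LDIF returned by the group search above into a per-group member count. They unfold LDIF continuation lines first, because ldapsearch wraps long values onto a following line that begins with a single space, which makes a naive `grep member:` undercount. The LDIF below is a constructed sample, not captured from a real system; the `ou=Groups,ou=Accounts` layout, the group and user names and the `/root/.ldappw` password-file path are assumptions.

```shell
#!/bin/sh
# Added example (not ClearOS code): report group membership counts from the
# LDIF that an ldapsearch for groupOfNames entries returns.

# Constructed sample in the shape of
#   ldapsearch -x -LLL -h localhost -b "dc=clearos,dc=lan" \
#     -D "cn=manager,ou=internal,dc=clearos,dc=lan" -y /root/.ldappw \
#     "(objectClass=groupOfNames)" cn member
# Not captured from a real system; DN layout, names and the password-file
# path are assumptions. The second member of allusers is folded over two
# lines, as LDIF does for values past the line-length limit.
SAMPLE_LDIF='dn: cn=allusers,ou=Groups,ou=Accounts,dc=clearos,dc=lan
cn: allusers
member: cn=Alice Example,ou=Users,ou=Accounts,dc=clearos,dc=lan
member: cn=Bob Example,ou=Users,ou=Accounts,dc=clearos,dc=la
 n

dn: cn=domain_admins,ou=Groups,ou=Accounts,dc=clearos,dc=lan
cn: domain_admins
member: cn=Alice Example,ou=Users,ou=Accounts,dc=clearos,dc=lan
'

# Join LDIF continuation lines (leading single space) onto the line above.
ldif_unfold() {
  awk '
    /^ /  { buf = buf substr($0, 2); next }
          { if (started) print buf; buf = $0; started = 1 }
    END   { if (started) print buf }
  '
}

# One line per group: "<cn> <number of member values>". Entries are
# separated by blank lines, so the running count is flushed on each one.
group_members() {
  ldif_unfold | awk '
    /^cn: /     { cn = substr($0, 5) }
    /^member: / { n++ }
    /^$/        { if (cn != "") printf "%s %d\n", cn, n; cn = ""; n = 0 }
    END         { if (cn != "") printf "%s %d\n", cn, n }
  '
}

# Usage with the constructed sample; on a live host pipe the ldapsearch
# output into group_members instead.
printf '%s' "$SAMPLE_LDIF" | group_members
```

Because the DN of each member is reassembled before counting, the same approach works for any multi-valued attribute whose values exceed the LDIF fold width, not just member.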

content/en_us/7_ug_openldap_directory.txt · Last modified: 2018/10/04 04:11 by nickh
