LDAP Directory Guide - The Telecom Spot
ICW-1000 Global
LDAP Directory Guide
Rev. 1.0.0
INCOM Co., Ltd.
www.incominc.com
Contents
Preface  3
  Copyright Notice  3
  ICW-1000G at a Glance  4
  Scope of this document  4
Introduction  5
  What is a directory service?  5
  What is LDAP?  5
Installing and Configuring the LDAP server  6
  Installing the OpenLDAP server  6
  Post-install Inspection  6
  Initial Concepts  7
  Configuring OpenLDAP server  7
    Basic Configuration  7
    Modifying/Populating your Database  7
    TLS  9
Configuring INCOM phone  11
  LDAP Parameters on the Phone  11
  Configuring via Web Interface  12
  Configuring via Provisioning  12
Using the LDAP Directory on the INCOM phone  14
  To search a contact from the LDAP  14
  To save a phone number from LDAP to local  15
Resources  16
  User Feedback  16
Preface
Copyright Notice
INCOM is a registered trademark of INCOM Co., Ltd. Other referenced trademarks are trademarks (registered or
otherwise) of their respective owners.
This document is confidential and proprietary to INCOM Co., Ltd. No part of this document may be reproduced,
stored, or transmitted in any form by any means without the prior written permission of INCOM Co., Ltd.
Information furnished herein by INCOM Co., Ltd., is believed to be accurate and reliable. The authors have used
their best efforts in preparing this material. These efforts include the development, research, and testing of the
theories and programs to determine their effectiveness.
However, INCOM assumes no liability for errors that may appear in this document, or for liability otherwise arising
from the application or use of any such information or for any infringement of patents or other intellectual
property rights owned by third parties which may result from such application or use. The products, their
specifications, and the information appearing in this document are subject to change without notice.
INCOM Co., Ltd.
© 2013 by INCOM Co., Ltd. All rights reserved.
ICW-1000G at a Glance
Scope of this document
This document provides a guide for installing OpenLDAP Software (http://www.openldap.org/software/) on
Linux (Ubuntu) systems. It also covers the configuration of the LDAP server and of the IP phones, and applies to
the following INCOM IP phones:
ICW-1000G running firmware version v1.1.6 or later.
Introduction
What is a directory service?
A directory is a specialized database specifically designed for searching and browsing, in addition to supporting
basic lookup and update functions. Directories tend to contain descriptive, attribute-based information and support
sophisticated filtering capabilities. Directories generally do not support the complicated transaction or roll-back schemes
found in database management systems designed for handling high-volume complex updates. Directory updates are
typically simple all-or-nothing changes, if they are allowed at all.
What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight protocol for
accessing directory services, specifically X.500-based directory services. It is a client-server protocol for accessing a
directory service. LDAP is a directory service protocol that runs over TCP/IP.
What kind of information can be stored in the directory? The LDAP information model is based on entries. An entry
is a collection of attributes that has a globally unique Distinguished Name (DN). The DN is used to refer to the entry
unambiguously. Each of the entry's attributes has a type and one or more values. The types are typically mnemonic
strings, like "cn" for common name, or "mail" for email address. The syntax of the values depends on the attribute type.
For example, a cn attribute might contain the value Babs Jensen. A mail attribute might contain the value
"[email protected]". A jpegPhoto attribute would contain a photograph in the JPEG (binary) format.
How is the information arranged? In LDAP, directory entries are arranged in a hierarchical tree-like structure.
Traditionally, this structure reflected the geographic and/or organizational boundaries. Entries representing countries
appear at the top of the tree. Below them are entries representing states and national organizations. Below them
might be entries representing organizational units, people, printers, documents, or just about anything else you can
think of. Figure 1 shows an example LDAP directory tree using traditional naming.
Figure 1 LDAP directory tree (traditional naming)
Installing and Configuring the LDAP server
Installing the OpenLDAP server
Install the OpenLDAP server daemon and the traditional LDAP management utilities. These are found in the
packages slapd and ldap-utils respectively.
The installation of slapd will create a working configuration. In particular, it will create a database instance that you
can use to store your data. However, the suffix (or base DN) of this instance will be determined from the domain
name of the host. If you want something different, you can change it right after the installation, while you still don't
have any useful data.
Proceed with the install:
sudo apt install slapd ldap-utils
If you want to change your DIT suffix, now would be a good time, because changing it discards your existing one.
To change the suffix, run the following command:
sudo dpkg-reconfigure slapd
This guide will use a database suffix of dc=example,dc=com.
Since Ubuntu 8.10, slapd is designed to be configured within slapd itself by dedicating a separate DIT for that
purpose. This allows one to dynamically configure slapd without the need to restart the service. This configuration
database consists of a collection of text-based LDIF files located under /etc/ldap/slapd.d.
During the install you were prompted to define administrative credentials. These are LDAP-based credentials for
the rootDN of your database instance. By default, this user's DN is cn=admin,dc=example,dc=com. Also by default,
there is no administrative account created for the slapd-config database and you will therefore need to authenticate
externally to LDAP in order to access it.
Post-install Inspection
This is what the slapd-config database/DIT looks like. Recall that this database is LDIF-based and lives under
/etc/ldap/slapd.d:
/etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config.ldif
/etc/ldap/slapd.d/cn=config
/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
/etc/ldap/slapd.d/cn=config/cn=schema.ldif
/etc/ldap/slapd.d/cn=config/cn=schema
/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
/etc/ldap/slapd.d/cn=config/olcBackend={0}hdb.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
Initial Concepts
The naming conventions used to traverse this system can be extremely complex for new users to grasp, so the
following table is provided as an example of what these objects are and the names we are going to use when
referencing them.

Description                                            String Value (DN)
Base Domain                                            dc=example,dc=com
Admin User                                             cn=admin,dc=example,dc=com
Authorized users located here                          ou=users,dc=example,dc=com
Authorized user account (example)                      uid=alice,dc=example,dc=com
Address book entries located here (also used as Base)  ou=addressbook,dc=example,dc=com
Address book entry (example)                           cn=Tom Index,ou=addressbook,dc=example,dc=com

Everything inside the directory has a distinguished name (DN); this is what makes each entry unique from the others
and also provides a means to easily reference the object. Looking at the table, the DN for the manager (admin) account is
"cn=admin,dc=example,dc=com", while all of the address book entries are contained under the DN
"ou=addressbook,dc=example,dc=com".
Configuring OpenLDAP server
Basic Configuration
The server can be configured with a built-in administrator account that has global root privileges; to use it, the
password for this root account must be stored inside the server configuration. Create a suitable password for the root
account so it can be placed into the configuration.
Details regarding configuring slapd can be found in the slapd-config manual page and in the Configuring slapd chapter of
the OpenLDAP Quick-Start Guide.
Modifying/Populating your Database
Information can be imported into and exported from an LDAP directory service using the LDAP Data Interchange
Format (LDIF) as defined in RFC 2849. An LDIF file specifies the contents of a directory entry in a human-readable text
format.
The following LDIF file (addressbook.ldif) will create the hierarchical directory structure that we will be using
for our address book. The first entry is that of the base directory and the second entry is for the administrator
account. The last two entries are the two organizational units that we will use to store the authorized users and the
address book entries. Each entry is separated from the next by a blank line.
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Home LDAP Server
dc: example

dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin

dn: ou=users,dc=example,dc=com
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=addressbook,dc=example,dc=com
ou: addressbook
objectClass: top
objectClass: organizationalUnit
Using the ldapadd command you can enter the LDIF contents into the server, creating your initial directory scheme.
The standard access controls for the server define that everyone can read the directory entries, but only the
manager (administrator) can write to the directory, so bind as the admin DN (-D) and supply its password when prompted (-W):
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /etc/openldap/addressbook.ldif
Now that we have defined and imported our directory scheme, we are able to create user entries to populate the
address book. The following is a simple example LDIF entry (newcontact.ldif) for a contact. The first line (dn:)
designates where in the directory the entry will belong when it is imported; this should be changed to suit
your needs.
dn: cn=Tom Index,ou=addressbook,dc=example,dc=com
cn: Tom Index
gn: Tom
sn: Index
o: Home
pager: 5555
mobile: 0402012312
telephoneNumber: 1235
mail: [email protected]
objectClass: top
objectClass: inetOrgPerson
The contents of the LDIF file (newcontact.ldif) can be added to the directory service using the same ldapadd
command, as below.
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /etc/openldap/newcontact.ldif
Now that the first entry has been added to the directory server, the file can be copied so more entries can be
added. Alternatively, extra entries can be added to the same file, ensuring that a blank line is used to separate each
entry.
TLS
The following details are typical of the security settings that you may consider implementing.
When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be
accomplished using Transport Layer Security (TLS). Here, we will be our own Certificate Authority and then create
and sign our LDAP server certificate as that CA. We will use the certtool utility to complete these tasks.
① Install the gnutls-bin and ssl-cert packages:
sudo apt install gnutls-bin ssl-cert
② Create a private key for the Certificate Authority:
sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
③ Create the template file /etc/ssl/ca.info to define the CA:
cn = Example Company
ca
cert_signing_key
④ Create the self-signed CA certificate:
sudo certtool --generate-self-signed \
--load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ca.info \
--outfile /etc/ssl/certs/cacert.pem
⑤ Make a private key for the server (this guide uses 1024 bits; a 2048-bit or longer key is the current minimum recommended):
sudo certtool --generate-privkey \
--bits 1024 \
--outfile /etc/ssl/private/ldap01_slapd_key.pem
⑥ Create the /etc/ssl/ldap01.info file containing:
organization = Example Company
cn = ldap01.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3600
⑦ Create the server's certificate:
sudo certtool --generate-certificate \
--load-privkey /etc/ssl/private/ldap01_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ldap01.info \
--outfile /etc/ssl/certs/ldap01_slapd_cert.pem
⑧ Adjust permissions and ownership so that slapd (the openldap user) can read the server key and nobody else can:
sudo chgrp openldap /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod 0640 /etc/ssl/private/ldap01_slapd_key.pem
sudo gpasswd -a openldap ssl-cert
⑨ Now, restart slapd, since we added the openldap user to the ssl-cert group:
sudo systemctl restart slapd.service
Create the file certinfo.ldif with the following contents:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
Use the ldapmodify command to tell slapd about our TLS work via the slapd-config database:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
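Both the address-book files above (entry records) and certinfo.ldif (a modify record whose change units are separated by "-") are LDIF. The following is an added example, not code from this guide or from INCOM: a small Python reader for those two record shapes that enforces the blank-line separation rule and flags contacts carrying none of the number attributes the phone requests (its default LDAP_Number_Attr). The sample LDIF strings are constructed from the guide's own entries.

```python
# Added example, not code from the INCOM guide: reads the two LDIF record shapes the guide
# uses (entry records and the certinfo.ldif modify record) and checks each contact is dialable.
SAMPLE_ENTRIES = """\
dn: cn=Tom Index,ou=addressbook,dc=example,dc=com
cn: Tom Index
sn: Index
mobile: 0402012312
telephoneNumber: 1235
objectClass: inetOrgPerson

dn: cn=No Number,ou=addressbook,dc=example,dc=com
cn: No Number
sn: Number
objectclass: inetOrgPerson
"""

SAMPLE_MODIFY = """\
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
"""

NUMBER_ATTRS = ("mobile", "telephonenumber", "ipphone")  # the guide's default LDAP_Number_Attr, lower-cased

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])] with attrs lower-cased (LDAP names are case-insensitive)."""
    records, dn, attrs = [], None, []
    for line in text.splitlines() + [""]:       # the extra "" flushes the final record
        line = line.rstrip()
        if not line:                             # RFC 2849: a blank line ends the record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
        elif line == "-":                        # separates change units inside a modify record
            continue
        else:
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                if dn is not None:
                    raise ValueError("missing blank line before %r" % line)
                dn = value
            else:
                attrs.append((attr, value))
    return records

def contacts_without_number(records):
    """DNs of inetOrgPerson entries the phone would list but has no number attribute to dial."""
    missing = []
    for dn, attrs in records:
        classes = {v.lower() for a, v in attrs if a == "objectclass"}
        if "inetorgperson" in classes and not any(a in NUMBER_ATTRS for a, _ in attrs):
            missing.append(dn)
    return missing

def modify_ops(record):
    """(operation, attribute) change units of a changetype: modify record, in order."""
    return [(a, v) for a, v in record[1] if a in ("add", "replace", "delete")]
```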
Configuring INCOM phone
LDAP is disabled on the INCOM phone by default. You can configure LDAP via the web interface or using a provisioning
configuration file.
LDAP Parameters on the Phone
Parameter              Description
Enable_LDAP            Enables or disables the LDAP feature on the phone.
                       0: Disabled (default)
                       1: Enabled
TLS_Mode               Specifies the connection mode between the LDAP server and the phone.
                       0: LDAP (default): unencrypted connection between the LDAP server and the phone; the
                          bind credentials (LDAP_Username/LDAP_Password) are sent in clear text.
                       1: LDAP TLS Start: TLS/SSL connection between the LDAP server and the phone.
LDAP_Filter            Specifies the search criteria for name and number lookups. The format of the
                       search criteria complies with the standard string representation of LDAP search
                       filters (RFC 4515). The '%' symbol in the filter stands for the name prefix entered by the user.
                       Default: (|(cn=%)(sn=%)(mobile=%)(telephoneNumber=%)(ipPhone=%))
Server_Address         Specifies the domain name or IP address of the LDAP server.
                       Default: blank
Server_Port            Specifies the LDAP server port.
                       Default: 389
Base                   Specifies the LDAP search base, which corresponds to a location in the LDAP directory.
                       The search base narrows the search scope and decreases directory search time.
                       Default: dc=incominc,dc=com
LDAP_Username          Specifies the user name (bind DN) used to log in to the LDAP server. If the LDAP server allows
                       anonymous login, this parameter can be left blank. Otherwise you must provide the
                       user name to access the LDAP server. A read-only account (such as the authorized user
                       account in Initial Concepts) is preferable to the directory administrator here, since the
                       phone stores these credentials.
                       Default: cn=admin,dc=incominc,dc=com
LDAP_Password          Specifies the password used to log in to the LDAP server. If the LDAP server allows
                       anonymous login, this parameter can be left blank. Otherwise you must provide the
                       password to access the LDAP server.
                       Default: blank
Max_Hits               Specifies the maximum number of search results to be returned by the LDAP server.
                       Default: 50
LDAP_Name_Attr         Specifies the name attributes of each record to be returned by the LDAP server.
                       Requesting only these attributes keeps the search results compact.
                       Default: cn,sn
LDAP_Number_Attr       Specifies the number attributes of each record to be returned by the LDAP server.
                       Requesting only these attributes keeps the search results compact.
                       Default: mobile,telephoneNumber,ipPhone
LDAP_Display_Name      Specifies the display name of the contact record shown on the LCD screen.
                       Default: %cn
LDAP_Protocol_Version  Specifies the LDAP protocol version supported on the phone.
                       Default: 3
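The phone builds its search filter by substituting the keypad input for '%' in LDAP_Filter. The following added example (not INCOM firmware code) shows that substitution done with RFC 4515 escaping, then evaluates the resulting filter against constructed address-book entries with a small filter evaluator, so the effect of escaped versus unescaped input on the filter's structure is visible. The entries, the search helper and the escaping routine are assumptions of this example, not features of the phone.

```python
import re

# The guide's default LDAP_Filter; '%' is where the phone inserts the keypad input.
DEFAULT_FILTER = "(|(cn=%)(sn=%)(mobile=%)(telephoneNumber=%)(ipPhone=%))"

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed address-book entries modelled on the guide's LDIF (attribute names lower-cased).
ENTRIES = [
    {"cn": "Tom Index", "sn": "Index", "mobile": "0402012312", "telephonenumber": "1235"},
    {"cn": "Ann Bell", "sn": "Bell", "mobile": "0402999000", "telephonenumber": "1236"},
]

def escape_filter_value(value):
    """Escape user input so it can only ever be an assertion value, never filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template, prefix):
    """The phone's '%' substitution done safely: escape the input, then add '*' for a prefix search."""
    return template.replace("%", escape_filter_value(prefix) + "*")

def _parse(expr, i=0):
    """Recursive-descent parser for the filter subset the guide uses: '&', '|' and attr=value."""
    if expr[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if expr[i] in "&|":
        op, subs = expr[i], []
        i += 1
        while expr[i] == "(":
            node, i = _parse(expr, i)
            subs.append(node)
        node = (op, subs)
    else:
        end = expr.index(")", i)   # the first raw ')' ends the item, exactly as a server would read it
        attr, value = expr[i:end].split("=", 1)
        node, i = ("=", attr.lower(), value), end
    if expr[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1

def _unescape(s):
    """Decode \\XX hex escapes back to the literal characters the value stands for."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _match(node, entry):
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(_match(n, entry) for n in node[1])
    _, attr, pattern = node
    actual = entry.get(attr)
    if actual is None:
        return False
    # a raw '*' is a wildcard; each literal piece is hex-decoded, then compared case-insensitively
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None

def search(filter_string, entries=ENTRIES):
    """Evaluate an LDAP filter string against the in-memory entries; returns the matching cn values."""
    node, _ = _parse(filter_string)
    return [e["cn"] for e in entries if _match(node, e)]
```

With escaping, keypad input such as ")(cn=*" matches nothing, whereas substituting it raw turns every assertion into a match-all wildcard.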
Configuring via Web Interface
① Check the IP address of the phone.
② Enter the IP address and port (e.g., http://IP address:8080) in the address bar of the web browser.
③ Enter the password (default: 000000) on the login page.
④ Click 'setup' and enter the user name and password (default: admin/000000) in the login popup.
⑤ Click 'LDAP' in the section list.
⑥ Enter the desired values in the corresponding fields.
Figure 2 Configure LDAP via Web Interface
Configuring via Provisioning
If you want to set LDAP on the phone via provisioning, you can use the following template. Insert this
template into your e1_common.ini.
Please refer to the Admin manual for the detailed provisioning procedure.
[LDAP]
Enable_LDAP=1
TLS_Mode=0
LDAP_Filter=(|(cn=%)(sn=%)(mobile=%)(telephoneNumber=%)(ipPhone=%))
Server_Address=192.168.0.50
Server_Port=389
Base=dc=incominc,dc=com
LDAP_Username=
LDAP_Password=
Max_Hits=50
LDAP_Name_Attr=cn,sn
LDAP_Number_Attr=mobile,telephoneNumber,ipPhone
LDAP_Display_Name=%cn
LDAP_Protocol_Version=3
Using the LDAP Directory on the INCOM phone
To search a contact from the LDAP
You can access the LDAP directory from the Phone book search menu.
① On the Phone book search menu, there is a soft menu for switching between local phone book search
mode and LDAP search mode.
② Press the LDAP soft menu to access the LDAP search screen.
③ Enter a few consecutive characters of the contact name or consecutive digits of the contact phone number
using the keypad. The contacts which match the search criteria will appear on screen.
④ Press the navigation keys to select the desired contact.
⑤ Press the navigation keys to select the desired number.
⑥ Press the call key to dial out.
To save a phone number from LDAP to local
Select the 'Add to Pbook' soft menu to add the contact to the local phone book.
Resources
User Feedback
We are attempting to improve the documentation quality and we appreciate your feedback. Email your opinions