Installing and configuring the OpenLDAP Server

You can use a supported version of the OpenLDAP Server as the user registry for Verify Identity Access.

Before you begin

Review the User registry considerations before you configure the OpenLDAP Server in your environment.

About this task

Complete the basic server installation and configuration as described in the OpenLDAP server product documentation.
Note: The following instructions are for the OpenLDAP 'cn=config' configuration format rather than the legacy 'slapd.conf' configuration style.

Procedure

  1. Apply the Verify Identity Access schema to the OpenLDAP server:
    The schema for the Verify Identity Access data must be applied to the OpenLDAP server. In order to achieve this:
    1. Obtain the verify-access-openldap-schema.ldif file from the isva directory of the file downloads section of a running Verify Identity Access appliance. This file should be copied to the OpenLDAP server.
    2. On the OpenLDAP server apply the schema ldif file to the running server. This can be achieved by using a command similar to the following:
      ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f verify-access-openldap-schema.ldif
  2. Create the suffix for the Verify Identity Access data:
    A suffix must be available to house the Verify Identity Access data (otherwise known as the secAuthority data). This suffix can be added to an existing database by adding a new olcSuffix entry to an existing database definition, or an existing suffix can be specified during configuration.

    A preferable alternative is to house the suffix in a new 'olcDatabase'. In order to achieve this:

    1. Create a new olcDatabase LDIF definition, similar to the following but customised to match your OpenLDAP server environment:
      dn: olcDatabase={2}mdb,cn=config
      changetype: add
      objectClass: olcDatabaseConfig
      objectClass: olcMdbConfig
      olcDatabase: {2}mdb
      olcDbDirectory: /var/lib/ldap.secAuthority
      olcSuffix: secAuthority=Default
      olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by group=cn=SecurityGroup,secAuthority=Default write by dn=cn=root,secAuthority=Default write by group=cn=remote-acl-users,cn=SecurityGroups,secAuthority=Default read by group=cn=ivacld-servers,cn=SecurityGroups,secAuthority=Default read by anonymous auth by * none
      olcAccess: {1}to * by group=cn=SecurityGroup,secAuthority=Default write by dn=cn=root,secAuthority=Default write by group=cn=remote-acl-users,cn=SecurityGroups,secAuthority=Default read by group=cn=ivacld-servers,cn=SecurityGroups,secAuthority=Default read by self read by users auth by anonymous auth
      olcLastMod: TRUE
      olcRootDN: cn=root,secAuthority=Default
      olcRootPW: admin
      olcDbCheckpoint: 512 30
      olcDbIndex: objectClass                       eq,pres
      olcDbIndex: ou,cn,mail,surname,givenname      eq,pres,sub
      olcDbIndex: uidNumber,gidNumber,loginShell    eq,pres
      olcDbIndex: uid,memberUid                     eq,pres,sub
      olcDbIndex: nisMapName,nisMapEntry            eq,pres,sub
      olcDbIndex: uniqueMember,secUUID,secAuthority,secDN,secDomainID,member,principalName eq
      
    2. Ensure that the directory referenced by the 'olcDbDirectory' entry has been created and has the appropriate permissions.
    3. Apply the LDIF file to the running LDAP server by running a command similar to the following on the LDAP server:
      ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f verify-access-suffix.ldif
  3. Update permissions in existing suffixes for the Verify Identity Access Groups:
    In order for Verify Identity Access to be able to manage standard LDAP users, the permissions for each 'olcDatabase' must be adjusted in the LDAP configuration. In particular, the following 'olcAccess' permissions are required:

    Entry/Attributes                Permission  Entities
    userPassword, shadowLastChange  Read        group=cn=remote-acl-users,cn=SecurityGroups,<secAuthority-suffix>
                                                group=cn=ivacld-servers,cn=SecurityGroups,<secAuthority-suffix>
                                    Write       dn=<admin-dn>
                                                group=cn=SecurityGroup,<secAuthority-suffix>
    *                               Read        group=cn=remote-acl-users,cn=SecurityGroups,<secAuthority-suffix>
                                                group=cn=ivacld-servers,cn=SecurityGroups,<secAuthority-suffix>
                                    Write       dn=<admin-dn>
                                                group=cn=SecurityGroup,<secAuthority-suffix>

    The '<admin-dn>' should match the 'olcRootDN' entry in the 'olcDatabase' which is housing the Verify Identity Access data. This is the DN which should be specified when configuring the Verify Identity Access runtime component.

    The '<secAuthority-suffix>' will be of the format 'secAuthority=<verify-access-domain>{,<verify-access-suffix>}', where:
    • <verify-access-domain> is the domain name used when configuring the runtime component (default: ‘Default’);
    • <verify-access-suffix> is the suffix in which the secAuthority data will reside (if no suffix is specified the data will reside in the 'secAuthority=<verify-access-domain>' suffix).
    In order to update the permissions:
    1. Create a new LDIF definition, similar to the following but customised to match your OpenLDAP server environment:
      dn: olcDatabase={1}mdb,cn=config
      changetype: modify
      delete: olcAccess
      -
      add: olcAccess
      olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=ibm,dc=com" write by dn=cn=root,secAuthority=Default write by group=cn=SecurityGroup,secAuthority=Default write by group=cn=remote-acl-users,cn=SecurityGroups,secAuthority=Default read by group=cn=ivacld-servers,cn=SecurityGroups,secAuthority=Default read by anonymous auth by * none
      olcAccess: to * by self write by dn="cn=admin,dc=ibm,dc=com" write by dn=cn=root,secAuthority=Default write by group=cn=SecurityGroup,secAuthority=Default write by group=cn=remote-acl-users,cn=SecurityGroups,secAuthority=Default read by group=cn=ivacld-servers,cn=SecurityGroups,secAuthority=Default read by * none
      
    2. Apply the LDIF file to the running LDAP server by running a command similar to the following on the LDAP server:
      ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f verify-access-permissions.ldif
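    As an added example (not part of the product documentation), the following Python check reads an LDIF dump of 'cn=config' (for example the output of ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess) and reports, for each 'olcDatabase', any entity from the permissions table above that the 'to *' or password-attribute rule grants less than the required level. The sample input is constructed and assumes the default domain and 'cn=root,secAuthority=Default' as the administrator DN.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd.access(5)

def level(access):
    return LEVELS.index(access) if access in LEVELS else 0   # unknown tokens (e.g. +r forms) rank as none

def parse_ldif(text):
    """{dn: {attr: [values]}}; joins the continuation lines ldapsearch emits with a leading space."""
    entries, cur = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        attr, sep, val = line.partition(": ")
        if attr == "dn":
            cur = entries.setdefault(val, {})
        elif sep and cur is not None:
            cur.setdefault(attr, []).append(val)
    return entries

def parse_access(rule):
    """'{n}to <what> by <who> <level> ...' -> (what, {who: level}); first clause per subject wins."""
    parts, who = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", rule).strip()), {}
    for clause in parts[1:]:
        subj, _, access = clause.rpartition(" ")
        who.setdefault(subj.replace('"', ""), access)        # dn="..." and dn=... compare equal
    return parts[0].split(None, 1)[1], who

def rule_findings(rule, need):
    """Entities in `need` that a 'to *' or password-attribute rule grants less than required."""
    what, who = parse_access(rule)
    if what != "*" and "userPassword" not in what:
        return []                                            # rule not covered by the table
    return [f"to {what}: {s} has {who.get(s, 'none')}, needs {w}"
            for s, w in need.items() if level(who.get(s, "none")) < level(w)]

def audit(ldif_text, admin_dn="cn=root,secAuthority=Default", suffix="secAuthority=Default"):
    """{database dn: [findings]} for every olcDatabase entry; an empty list means compliant."""
    need = {"group=cn=remote-acl-users,cn=SecurityGroups," + suffix: "read",
            "group=cn=ivacld-servers,cn=SecurityGroups," + suffix: "read",
            "group=cn=SecurityGroup," + suffix: "write", "dn=" + admin_dn: "write"}
    return {dn: [f for rule in attrs.get("olcAccess", []) for f in rule_findings(rule, need)]
            for dn, attrs in parse_ldif(ldif_text).items() if dn.startswith("olcDatabase=")}

# Constructed sample of ldapsearch output (wrapped as ldapsearch does); the 'to *' rule deliberately lacks ivacld-servers.
SAMPLE = """\
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=ibm,dc=com" write by dn=cn=root,secAuthority=Default write by group=cn=SecurityGroup,secAuthority=Default write by group=cn=remote-acl-users,cn=SecurityGroups,secAuthority=Default read by group=cn=ivacld-servers,cn=Secu
 rityGroups,secAuthority=Default read by anonymous auth by * none
olcAccess: {1}to * by self write by dn="cn=admin,dc=ibm,dc=com" write by dn=cn=root,secAuthority=Default write by group=cn=SecurityGroup,secAuthority=Default write by group=cn=remote-acl-users,cn=SecurityGroups,secAuthority=Defau
 lt read by * none
"""
```

    Note that 'olcRootDN' bypasses access control only within its own database, so 'cn=root,secAuthority=Default' still needs an explicit write clause in every other 'olcDatabase', which is what the check verifies.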

What to do next

After you set up the Directory Server for use with Verify Identity Access, you can configure the runtime component. Use the following values in your configuration:
  • The LDAP administrator ID for the OpenLDAP Server is the 'olcRootDN' entry for the 'olcDatabase' which is housing the Verify Identity Access data, for example: 'cn=root,secAuthority=Default'.
Note: If you experience issues when connecting to the OpenLDAP Server over TLS you might need to modify the OpenLDAP server configuration, removing the 'olcTLSCipherSuite' entry.