S 3.86 OpenLDAP training for administrators
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, Head of IT
To install and operate OpenLDAP securely, detailed knowledge of OpenLDAP and its basic concepts is required. Therefore, it is absolutely necessary to train the administrators in OpenLDAP and the associated security topics.
Contents of the training programme
How deeply a given administrator needs to study the individual points depends on the type of work they will be performing. The general contents regarding directory services are listed in S 3.62 Training on the administration of directory services. In any case, the training should cover and explain the following main points.
Basic information
- Overview of the OpenLDAP architecture (slapd, backends, overlays); understanding of what backends and overlays do and how they interact
- Planning, installation and configuration in both configuration modes (the static "slapd.conf" file and the dynamic "slapd-config" database, cn=config)
- Basic knowledge required to build and install the software from source code
- Knowing where to find and how to use the information sources for the open source software (manual pages, the Administrator's Guide, mailing lists and the issue tracker)
- Knowledge of the LDAP Data Interchange Format (LDIF)
- Object classes and operational attributes
- Knowledge of the OpenLDAP tools and the fundamental difference between the ldap* tools (LDAP clients that talk to a running slapd over the network and are subject to its ACLs) and the slap* tools (which work directly on the database files, bypass the server and its ACLs, and must only write to a database while slapd is stopped)
Schema administration
- Problems and impacts associated with schema changes
- Restricting attribute values beyond what the schema enforces by means of overlays (for example the constraint overlay)
- Differences between user attributes and operational attributes
Replication
- Replication mechanisms in OpenLDAP (syncrepl in "refreshOnly" and "refreshAndPersist" mode)
- Search filters and the operational attributes syncrepl depends on (entryUUID, entryCSN, contextCSN)
- Outlook on delta replication (delta-syncrepl based on the accesslog overlay)
- Outlook on multi-master and MirrorMode operation and on the replication conflicts that can arise with them
Data backups
- Problems associated with backing up OpenLDAP (copying the backend database files of a running server does not guarantee a consistent copy; "slapcat" exports the database to LDIF independently of the backend)
- Saving the configuration in both configuration modes (the "slapd.conf" file, or an export of the cn=config database with "slapcat -n 0")
- Restoring data backups with "slapadd" (only while slapd is stopped; the configuration backup must be restored as well when a server is rebuilt)
Granting of (application/data) access rights
- Granting access rights to directory service objects with "access to <what> by <who> <access>" directives
- Interaction between global and database-specific ACLs (the ACLs of the database holding the entry are evaluated first and the global ACLs are appended after them; the first "access to" clause whose <what> matches decides, and if none of its "by" clauses matches, the request is denied)
- The available access levels (none, disclose, auth, compare, search, read, write, manage), each of which includes all lower levels
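To make the ACL semantics listed above concrete, the following Python block is an added example (not code from OpenLDAP or from this safeguard) that models slapd's evaluation order for a small subset of the slapd.access(5) syntax: the per-database list is checked before the global list, the first "access to" clause whose <what> matches decides, and within it the first matching "by" clause grants its level, which implies every lower level. The sample ACLs, DNs and requests are constructed for the demonstration; the supported selectors are an assumption of the model, and rootdn bypass, regular-expression selectors, the add/delete sub-privileges and the stop/continue/break controls are deliberately not modelled.

```python
"""Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
Modelled subset (an assumption): <what> is '*', dn.exact="<dn>", dn.subtree="<dn>",
optionally attrs=<a>,<b>; <who> is '*', anonymous, users, self or dn.exact="<dn>"."""
import shlex

# Privilege levels in ascending order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def dn_norm(dn):
    """Normalise a DN for comparison: lower case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_acls(text):
    """Parse 'access to <what> by <who> <access> ...' directives into rules."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    tokens = shlex.split("\n".join(lines))  # shlex also strips the quotes around DNs
    rules, i = [], 0
    while i < len(tokens):
        if tokens[i:i + 2] != ["access", "to"]:
            raise ValueError(f"unexpected token {tokens[i]!r}")
        i += 2
        what = {"dn": ("any", None), "attrs": None}
        while i < len(tokens) and tokens[i] != "by":
            tok = tokens[i]
            if tok.startswith(("dn.exact=", "dn.subtree=")):
                kind, _, value = tok.partition("=")
                what["dn"] = (kind[3:], dn_norm(value))  # "exact" or "subtree"
            elif tok.startswith("attrs="):
                what["attrs"] = {a.strip().lower() for a in tok[6:].split(",")}
            elif tok != "*":
                raise ValueError(f"unsupported <what> selector {tok!r}")
            i += 1
        bys = []
        while i < len(tokens) and tokens[i] == "by":
            who, granted = tokens[i + 1], tokens[i + 2]
            if granted not in LEVELS:
                raise ValueError(f"unknown access level {granted!r}")
            if who.startswith("dn.exact="):
                who = ("dn.exact", dn_norm(who[9:]))
            elif who in ("*", "anonymous", "users", "self"):
                who = (who, None)
            else:
                raise ValueError(f"unsupported <who> selector {who!r}")
            bys.append((who, granted))
            i += 3
        rules.append((what, bys))
    return rules

def what_matches(what, target_dn, attr):
    scope, base = what["dn"]
    dn = dn_norm(target_dn)
    if scope == "exact" and dn != base:
        return False
    if scope == "subtree" and not (dn == base or dn.endswith("," + base)):
        return False
    return what["attrs"] is None or attr.lower() in what["attrs"]

def who_matches(who, requester, target_dn):
    kind, value = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return requester is None
    if requester is None:  # users, self and dn.exact all need a bound identity
        return False
    return (kind == "users" or (kind == "self" and dn_norm(requester) == dn_norm(target_dn))
            or (kind == "dn.exact" and dn_norm(requester) == value))

def check_access(db_acls, global_acls, requester, target_dn, attr, required):
    """True if `requester` (None = anonymous) gets `required` access to `attr` of
    `target_dn`. The database's own ACLs come first, the global ones are appended."""
    rules = db_acls + global_acls
    if not rules:  # no ACLs anywhere: slapd's default policy is read for everyone
        return LEVELS.index(required) <= LEVELS.index("read")
    for what, bys in rules:
        if not what_matches(what, target_dn, attr):
            continue
        for who, granted in bys:
            if who_matches(who, requester, target_dn):
                return LEVELS.index(granted) >= LEVELS.index(required)
        return False  # <what> matched but no <who> did: implicit "by * none"
    return False  # no clause matched: implicit trailing "access to * by * none"

# Constructed sample ACLs and DNs for the demonstration (not real configuration).
DB_ACLS = """
access to attrs=userPassword by self write by anonymous auth by * none
access to dn.subtree="ou=people,dc=example,dc=com" by self write by users read
"""
GLOBAL_ACLS = 'access to * by dn.exact="cn=monitor,dc=example,dc=com" read by * none'
ALICE, BOB = "uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"
MONITOR = "cn=monitor,dc=example,dc=com"
SAMPLE_DB, SAMPLE_GLOBAL = parse_acls(DB_ACLS), parse_acls(GLOBAL_ACLS)

def decide(requester, target_dn, attr, required):
    """Evaluate one request against the constructed sample ACLs."""
    return check_access(SAMPLE_DB, SAMPLE_GLOBAL, requester, target_dn, attr, required)

if __name__ == "__main__":
    for req, dn, attr, lvl in [(None, ALICE, "userPassword", "auth"), (None, ALICE, "mail", "read"),
                               (BOB, ALICE, "mail", "read"), (BOB, "dc=example,dc=com", "o", "read")]:
        print(req or "anonymous", lvl, attr, "of", dn, "->", decide(req, dn, attr, lvl))
```

Run as a script it prints a decision for a few requests. The instructive cases are the anonymous read of "mail", which is denied because the matching clause's "by" list is exhausted (slapd does not fall through to the next clause), and the reads of the suffix entry, which are decided by the global ACL only because no database ACL matched it.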
Authentication
- Password hash algorithms for userPassword (the "password-hash" directive, which defaults to {SSHA}, and the ppolicy overlay's ppolicy_hash_cleartext option)
- Kerberos
- SASL (mechanisms and the mapping of SASL identities to directory DNs with "authz-regexp")
- SSL/TLS certificates (server certificate and key, the trusted CA set, and client certificate verification with "TLSVerifyClient")
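As an added example for the hash-algorithm item (not code from OpenLDAP), the following Python block builds and verifies userPassword values in the layout slapd stores them in, "{SCHEME}" followed by base64(digest(password || salt) || salt), and audits a slapcat-style LDIF export for weak schemes. It assumes 4-byte salts by default and treats {SSHA256} and {SSHA512} as having the same layout as {SSHA} (the layout used by the pw-sha2 module); the WEAK set, which encodes a local policy rejecting cleartext and all MD5- and SHA-1-based schemes, is an assumption of the example rather than a requirement of OpenLDAP. The sample LDIF is constructed inline. Note that "password-hash" only governs the Password Modify extended operation: a client that writes userPassword with an ordinary Modify stores whatever value it sends unless ppolicy_hash_cleartext is enabled, which is why an audit of this kind belongs in the training.

```python
"""userPassword hashing, verification and audit in slapd's storage format
(added example, not OpenLDAP code)."""
import base64
import hashlib
import hmac
import os

# Salted schemes: base64(digest(password || salt) || salt); {SSHA256}/{SSHA512} as in pw-sha2.
SALTED = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256, "SSHA512": hashlib.sha512}
UNSALTED = {"SHA": hashlib.sha1, "MD5": hashlib.md5}  # legacy, unsalted schemes
# Assumed local policy for the audit: cleartext and MD5/SHA-1 based schemes are flagged.
WEAK = {"CLEARTEXT", "CRYPT", "MD5", "SMD5", "SHA", "SSHA"}

def make_hash(password, scheme="SSHA", salt=None):
    """Return a userPassword value; the salt defaults to 4 random bytes as in slapd."""
    scheme, pw = scheme.upper(), password.encode("utf-8")
    if scheme in SALTED:
        salt = os.urandom(4) if salt is None else salt
        raw = SALTED[scheme](pw + salt).digest() + salt
    elif scheme in UNSALTED:
        raw = UNSALTED[scheme](pw).digest()
    else:
        raise ValueError(f"unsupported scheme {scheme}")
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))

def split_scheme(stored):
    """Return (SCHEME, payload); a value without a {prefix} is a cleartext password."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return "CLEARTEXT", stored

def parse_salted(stored):
    """Split a salted value into (scheme, digest, salt): the salt is whatever
    follows the digest, so the salt length does not have to be fixed."""
    scheme, payload = split_scheme(stored)
    if scheme not in SALTED:
        raise ValueError(f"{scheme} is not a salted scheme")
    raw = base64.b64decode(payload)
    size = SALTED[scheme]().digest_size
    return scheme, raw[:size], raw[size:]

def verify(stored, password):
    """Check a candidate password against a stored userPassword value."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme in SALTED:
        _, digest, salt = parse_salted(stored)
        return hmac.compare_digest(SALTED[scheme](pw + salt).digest(), digest)
    if scheme in UNSALTED:
        return hmac.compare_digest(UNSALTED[scheme](pw).digest(), base64.b64decode(payload))
    raise ValueError(f"cannot verify scheme {scheme}")

def audit_ldif(ldif_text):
    """Report (dn, scheme) for every entry in an LDIF export whose userPassword
    uses a scheme in WEAK. Handles the plain and the '::' base64 attribute form."""
    findings, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            scheme, _ = split_scheme(base64.b64decode(line[15:]).decode("utf-8"))
            if scheme in WEAK:
                findings.append((dn, scheme))
        elif line.startswith("userPassword: "):
            scheme, _ = split_scheme(line[14:])
            if scheme in WEAK:
                findings.append((dn, scheme))
    return findings

def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

# Constructed sample export in the style of slapcat output (not real data; fixed salts).
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64(make_hash("correct horse", "SSHA512", b"\x01\x02\x03\x04")),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64(make_hash("hunter2", "SSHA", b"\x01\x02\x03\x04")),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword: {CLEARTEXT}letmein",
    "",
    "dn: uid=dave,ou=people,dc=example,dc=com",
    "userPassword: " + make_hash("swordfish", "MD5"),
])

if __name__ == "__main__":
    for dn, scheme in audit_ldif(SAMPLE_LDIF):
        print(f"weak scheme {scheme} on {dn}")
```

Only the entry hashed with {SSHA512} passes the audit; the {SSHA} value is flagged because it is salted SHA-1, which the assumed policy treats as legacy.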
Review questions:
- Were all administrators trained in OpenLDAP and the associated security topics?