- What is Directory Services
- The need for LDAP
- LDAP Overview and Basics
- Setting up and tuning OpenLDAP
- Other LDAP tools and applications

What is Directory Services
- Similar to a database, but designed more for reading than for writing
- Defines a network protocol for accessing the contents of the directory
- Defines a scheme for replicating the data
- Directory service examples: DNS, finger, the password database
- LDAP is a "Lightweight Directory Access Protocol"

The need for LDAP
- Multiple disparate sources of the same information
- Users need separate logins and passwords to log in to different systems
- Complex to keep the information in sync
- Similar data spread around many flat files, or in databases with different formats
- Inadequacies of NIS, i.e. not very extensible
- X.500 is too complicated
- Summarizing the above: Centralization, Integration and Delegating Responsibility
LDAP Overview
- LDAP is a "Lightweight Directory Access Protocol"
- LDAP marries a lightweight DAP with the X.500 information model
- Uses an extensible hierarchical object data model
- An LDAP server may implement multiple "back-ends": RDBMS, simple indexes (Berkeley DB), X.500 gateway
- Designed for frequent reads and infrequent writes
LDAP Benefits
- Standardized schemas exist for many purposes (well beyond that of NIS)
- Allows consolidation of many information sources
- Well-defined API, supported by many applications
- Easily replicated and distributed
- Multiple backends allow integration with existing data sources (RDBMS, etc.)
- Much faster than an RDBMS (using a lightweight backend like Berkeley DB)
LDAP Basics
- Data is organised into a hierarchical tree
- Each "entry" (tree node) is identified by a DN (distinguished name), e.g. uid=aokhotnikov,ou=People,ou=Users,dc=ldap,dc=sjua
- Each component of a DN is called an RDN (relative DN) and represents a branch in the tree
- The RDN must be unique among the nodes at the same level of the tree (it is generally one of the entry's own attributes, i.e. "uid" or "cn" in the case of a person)
- Each node has 1 or many attribute values associated with it
- Each attribute can have 1 or many values
- "objectClass" is a mandatory attribute which specifies the schema (attribute constraints) for the given node
- Multiple "objectClass" values can be combined to achieve inheritance
- Example "objectClass" (common schema) values:
dcObject, organizationalUnit, person, organizationalPerson, inetOrgPerson, inetLocalMailRecipient
CN (Common Name) is another common attribute used to provide a unique name for a directory object
LDAP Schemas
- People schemas: person, organizationalPerson, inetOrgPerson, posixAccount, mailLocalRecipient, strongAuthenticationUser
- Group schemas: groupOfUniqueNames, posixGroup, organizationalRole, roleMember
- Host & Network schemas: domain, ipHost, ipNetwork, ipProtocol, ipService, ieee802Device, bootableDevice

An invaluable schema repository from Alan Knowles at the Hong Kong Linux Centre:
http://ldap.akbkhome.com/
LDIF (LDAP Data Interchange Format) is used to import into / export from an LDAP directory server and to run updates, e.g.:

    dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    givenName: GForge Admin
    sn: User
    cn: GForge Admin User
    uid: gforgeadmin
    userPassword: {MD5}+z,%-u.p/reO%g01Frec2.==
    uidNumber: -333
    gidNumber: )44
    homeDirectory: /opt/gforge5
    mail: acidumirae@gmail.com

Note that {MD5} is an unsalted scheme: two users with the same password get the same userPassword value, and a leaked directory dump can be cracked with a plain dictionary attack. OpenLDAP's own default when it hashes a password is the salted {SSHA} scheme.
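The following is an added example, not code from the original slides: a parser for the LDIF constructs ldapadd accepts in practice (attr: value, attr:: base64, continuation lines, comments, blank-line record separators), followed by a check that reports entries stored with an unsalted password scheme, as the {MD5} entry above is, and the salted {SSHA} form OpenLDAP generates itself. SAMPLE_LDIF is constructed from the slide's entry with the hash replaced by a known one; the second record is an assumption.

```python
"""LDIF parsing and a userPassword storage check (added example, not from
the slides).  SAMPLE_LDIF is constructed; the second record is assumed."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

Record = Dict[str, List[str]]


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """Parse LDIF content records into {attribute: [values]} dicts.
    Attribute names are lower-cased (LDAP attribute types are case-insensitive)."""
    records: List[Record] = []
    current: Record = {}
    for line in _unfold(text) + [""]:          # trailing "" flushes the last record
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or not attr.strip():
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return records


# Schemes whose stored value is a bare digest (or no digest at all): equal
# passwords give equal values and a leaked directory is trivially cracked.
UNSALTED_SCHEMES = {"", "{CLEARTEXT}", "{MD5}", "{SHA}"}


def password_scheme(value: str) -> str:
    """Return the "{SCHEME}" prefix of a userPassword value, "" if cleartext."""
    end = value.find("}")
    return value[: end + 1].upper() if value.startswith("{") and end > 0 else ""


def weak_passwords(records: List[Record]) -> List[str]:
    """DNs of entries whose userPassword is cleartext or an unsalted hash."""
    return [rec["dn"][0] for rec in records
            if any(password_scheme(pw) in UNSALTED_SCHEMES
                   for pw in rec.get("userpassword", []))]


def md5_hash(password: str) -> str:
    """The slide's scheme: base64(MD5(password)), no salt."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP's {SSHA}: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value the way slapd does on bind."""
    if password_scheme(stored) != "{SSHA}":
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


SAMPLE_LDIF = f"""\
# Constructed from the slide's LDIF; the password behind both hashes is "secret".
dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: GForge Admin
sn: User
cn: GForge Admin User
uid: gforgeadmin
userPassword: {md5_hash('secret')}
homeDirectory: /opt/gforge5
mail: acidumirae@gmail.com

# Assumed second record: a base64 value, a folded line, and an {{SSHA}} password.
dn: uid=aokhotnikov,ou=People,ou=Users,dc=ldap,dc=sjua
objectClass: inetOrgPerson
cn:: YW9raG90bmlrb3Y=
sn: Okhotnikov
description: migrated from OrangeHRM by the
  custom PHP script
userPassword: {ssha_hash('secret', b'salt')}
"""
```

Running `weak_passwords(parse_ldif(SAMPLE_LDIF))` names only the GForge entry; the same function run over an `ldapsearch -LLL` dump of a real directory is a quick audit before the password-hash setting described under tuning is changed.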
Custom Schemas
- LDAP schemas use SNMP-style OIDs (Object IDs) to uniquely identify schema elements. Apply for an IANA enterprise number here:
http://www.iana.org/cgi-bin/enterprise.pl
- The private enterprise number OID prefix is 1.3.6.1.4.1, e.g. Metaparadigm uses 1.3.6.1.4.1.11139. Information on custom schemas can be found here:
http://www.openldap.org/doc/admin/schema.html
- OpenLDAP is the primary open-source LDAP implementation, based on the University of Michigan LDAP: http://www.openldap.org/
- Sun provides the iPlanet Directory Server / Sun One Java DS
- Oracle provides an LDAP server using an Oracle database backend
- Many others are available (Novell DS, Fedora DS, Apache DS, OpenDS, Innosoft, etc.)
- Linux can also integrate with LDAP servers running on other platforms, such as Microsoft Active Directory or Novell eDirectory

Other LDAP servers:
- Novell eDirectory
- Sun One Identity Server
- Microsoft Active Directory
- Apple Open Directory
- Siemens DirX
- Oracle Internet Directory
- IBM Tivoli Directory
- CA Directory
- Lotus Domino
- Nexor Directory
- View500
- Isode's M-Vault
- aeSLAPD
- ...
http://www.paldap.org/ldap-server-software
- OpenLDAP supports real-time directory replication, to provide load balancing and high availability
- OpenLDAP supports a single master with multiple slaves
- Most LDAP-aware applications can be configured to use multiple LDAP servers (providing fallback servers)
- Multiple-master support is in the works (currently alpha; since OpenLDAP 2.4 multi-master replication is supported through syncrepl)
- OpenLDAP can be integrated with "heartbeat" and "mon" to provide fault tolerance: http://www.linux-ha.org/
Setting up OpenLDAP
- The configuration is located in /etc/openldap/slapd.conf (Debian-derived systems use /etc/ldap/ instead, which is why the schema paths below differ)
- We need to include the schemas we are using:

    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/collective.schema
    include /etc/ldap/schema/corba.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/duaconf.schema
    include /etc/ldap/schema/dyngroup.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/java.schema
    include /etc/ldap/schema/misc.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/openldap.schema
    include /etc/ldap/schema/ppolicy.schema
    include /etc/ldap/schema/samba.schema

- The next step is to add data to the directory using the LDIF example presented earlier (ldapadd defaults to a SASL bind; add -x to force the simple bind that -D/-W imply):

    # ldapadd -D cn=admin,dc=ldap,dc=sjua -W < init.ldif
    Enter LDAP Password: xxxxx
    adding new entry "dc=ldap,dc=sjua"
    adding new entry "ou=WebAdmin,ou=Users,dc=ldap,dc=sjua"
    adding new entry "uid=gforgeadmin,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua"
Tuning OpenLDAP
- Make sure "slapd" runs as a non-privileged user
- Make "slapd" bind to the SSL port for security:
  - you need certificates signed with OpenSSL, and must modify slapd.conf
  - modify the init script to bind to the SSL port
- Without TLS every simple bind sends the password in the clear, and without ACLs slapd's default policy lets anyone read every attribute, userPassword included
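An added example (not from the slides) of the slapd.conf changes that implement the two tuning points above, plus the access controls that go with them. The certificate paths and the "ldap" user and group are assumptions; adjust them to your distribution.

```conf
# Added example, not the slides' configuration.  Paths under
# /etc/openldap/certs/ and the "ldap" user/group are assumptions.

# TLS: CA chain, server certificate and its private key.  The key file must
# be owned by the user slapd runs as and be mode 0600; slapd never needs
# root to read it.
TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile   /etc/openldap/certs/slapd.key

# Refuse binds and updates on sessions with less than 128-bit protection,
# so a password can only be sent over ldaps:// or after StartTLS.
security ssf=128 simple_bind=128 update_ssf=128

# Passwords changed through the protocol (ldappasswd) are stored salted.
password-hash {SSHA}

# Inside the database section.  With no access directives slapd's default
# policy is "access to * by * read", which exposes userPassword to anyone.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth
```

Start the daemon as the unprivileged user with `slapd -u ldap -g ldap -h "ldap:/// ldaps:///"` (the privileged ports are bound before the privileges are dropped, so no init-script tricks are needed), then verify from a client: `ldapsearch -x -ZZ -H ldap://ldap.sjua -b dc=ldap,dc=sjua -s base` must succeed (-ZZ fails if StartTLS cannot be negotiated), and the same search without -ZZ must now be refused with "confidentiality required".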
- LDAP uses a simple "search filter" syntax (RFC 2254, now superseded by RFC 4515)
- LDAP queries return all attributes (or specifically selected attributes) of the entries which match the search filter
- LDAP query particles are enclosed within parentheses, in the form (attribute <matching rule> value), e.g. (cn=GForge Admin User)
- Matching rules include =, ~= (approximate), >= and <=; * can be used as a wildcard within the value
- These can be combined using the boolean operators and, or and not (&, |, !), e.g.:

The following ldapsearch example retrieves the names and email addresses of all users with a givenName of "GForge Admin" or "Orange Admin":

    ldapsearch -xLLL -h ldap.sjua -b ou=Users,dc=ldap,dc=sjua \
      '(&(|(givenname=GForge Admin)(givenname=Orange Admin))(objectClass=inetOrgPerson))' cn mail
    dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua
    cn: GForge Admin User
    mail: acidumirae@gmail.com

    dn: cn=Orange Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua
    cn: Orange Admin User
    mail: aokhotnikov@softjourn.com

Very easy to incorporate this into shell scripts with awk or sed (-LLL strips the comments and the version line from the LDIF output). When the value in a filter comes from user input, it must be escaped as RFC 4515 describes (\2a for *, \28 and \29 for the parentheses, \5c for the backslash), otherwise the input can add its own particles to the filter.
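The following is an added example, not code from the original slides. It builds the "find a user by givenName" query from the section above in two ways, by pasting the value into the filter and with RFC 4515 escaping, and contains a small evaluator for the filter subset the slides use (&, |, !, equality, the * wildcard) so the effect of each filter can be seen offline against in-memory entries. SAMPLE_ENTRIES is constructed from the ldapsearch output above; the third entry, the uid values and INJECTION_PAYLOAD are assumptions.

```python
"""LDAP search filters: RFC 4515 escaping and what injection does without it
(added example, not from the slides; sample entries are constructed)."""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, list]   # "dn" -> [dn], lower-cased attribute -> [values]

# RFC 4515 section 3: characters that must be hex-escaped inside a value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted text so it can only ever be a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(givenname: str) -> str:
    """Naive construction: the caller's input lands in the filter unchanged."""
    return f"(&(givenName={givenname})(objectClass=inetOrgPerson))"


def safe_user_filter(givenname: str) -> str:
    """Same query with the value escaped."""
    return f"(&(givenName={escape_filter_value(givenname)})(objectClass=inetOrgPerson))"


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _value_matches(raw: str, actual: str) -> bool:
    # Split on '*' before unescaping, so an escaped "\2a" stays a literal '*'.
    pieces = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.IGNORECASE) is not None


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1:i + 2]
    if op in ("&", "|"):
        kids, i = [], i + 2
        while s[i:i + 1] == "(":
            node, i = _parse(s, i)
            kids.append(node)
    elif op == "!":
        node, i = _parse(s, i + 2)
        kids = [node]
    else:                                  # simple item: (attr=value)
        end = s.find(")", i)               # a raw ')' is illegal inside a value
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, _, raw = s[i + 1:end].partition("=")
        return ("=", attr.lower(), raw), end + 1
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return (op, kids), i + 1


def _eval(node: tuple, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_eval(k, entry) for k in node[1])
    if op == "|":
        return any(_eval(k, entry) for k in node[1])
    if op == "!":
        return not _eval(node[1][0], entry)
    _, attr, raw = node
    return any(_value_matches(raw, v) for v in entry.get(attr, []))


def search(entries: List[Entry], filt: str) -> List[str]:
    """DNs of the entries matching filt, like `ldapsearch ... '<filt>' dn`."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing characters after the filter")
    return [e["dn"][0] for e in entries if _eval(node, e)]


SAMPLE_ENTRIES: List[Entry] = [   # constructed from the slide's ldapsearch output
    {"dn": ["cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua"],
     "objectclass": ["inetOrgPerson", "posixAccount", "top"],
     "givenname": ["GForge Admin"], "uid": ["gforgeadmin"],
     "mail": ["acidumirae@gmail.com"]},
    {"dn": ["cn=Orange Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua"],
     "objectclass": ["inetOrgPerson"], "givenname": ["Orange Admin"],
     "uid": ["orangeadmin"], "mail": ["aokhotnikov@softjourn.com"]},
    {"dn": ["uid=aokhotnikov,ou=People,ou=Users,dc=ldap,dc=sjua"],   # assumed; no givenName
     "objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["aokhotnikov"]},
]

# Assumed attacker input: closes the givenName item and injects an always-true
# term, leaving the filter well-formed but no longer constrained by the name.
INJECTION_PAYLOAD = "*)(|(uid=*)"
```

With the payload, `unsafe_user_filter` yields `(&(givenName=*)(|(uid=*))(objectClass=inetOrgPerson))`, which returns every person that has a givenName, while `safe_user_filter` turns the same input into the literal `\2a\29\28|\28uid=\2a\29` and matches nothing. The evaluator rejects trailing text after the filter; real servers differ on that, which is one more reason to escape rather than to rely on the parser.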
LDAP Applications
- Authenticate users in web applications (OrangeHRM, gForge, DokuWiki, etc.)
- Authenticate users in Samba, Apache, ProFTPd, etc.
- Possible NSS (Name Service Switch) integration
- Possible PAM (Pluggable Authentication Module) integration
- Possible mail routing: Sendmail, Postfix, etc.
- Shared address book (Evolution, Mozilla, Outlook, Eudora, web clients, etc.)
- Programming libraries (Perl, Java, PHP, etc.)

Directory Administrator
http://diradmin.open-it.org
GQ
http://biot.com/gq/
Java LDAP Browser
http://www.iit.edu/~gawojar/ldap/
phpLDAPadmin
http://phpldapadmin.sf.net/
Migration to LDAP
We have migrated users from OrangeHRM using a custom PHP script that generated LDIF files
- some issues with Samba: NTPassword is MD4
- minor issues with gForge: multiple installations (dirty database)
Resources
http://tapor.ualberta.ca/Resources/Techdocs/completed/ldappresentation.pdf
http://ldap.mtu.edu/docs/public/mtu_dsinfo/techiefest/techiefest_files/v3_document.htm