
LDAP

- What is Directory Services
- The need for LDAP
- LDAP Overview and Basics
- Setting up and tuning OpenLDAP
- Other LDAP tools and applications

What is Directory Services

- Similar to a database, but designed more for reading than for writing
- Defines a network protocol for accessing the contents of the directory
- Scheme for replication of data
- Directory Service examples: DNS, finger, password DB
- LDAP is a "Lightweight Directory Access Protocol"

The need for LDAP


- Multiple disparate sources of the same information
- Users need separate logins and passwords to log in to different systems
- Complex to keep information in sync
- Similar data spread around many flat files or in databases with different formats
- Inadequacies of NIS, i.e. not very extensible
- X.500 is too complicated
- Summarizing the above: Centralization, Integration and Delegating Responsibility

LDAP Overview

- LDAP is a "Lightweight Directory Access Protocol"
- LDAP marries a lightweight DAP with the X.500 information model
- Uses an extensible hierarchical object data model
- An LDAP server may implement multiple "back-ends": RDBMS, simple indexes (Berkeley DB), X.500 gateway
- Designed for frequent reads and infrequent writes

LDAP Benefits

- Standardized schemas exist for many purposes (well beyond that of NIS)
- Allows consolidation of many information sources
- Well defined API, support from many applications
- Easily replicated and distributed
- Multiple backends allow integration with existing data sources (RDBMS, etc.)
- Much faster than an RDBMS (using a lightweight backend like Berkeley DB)

LDAP Basics

- Data is organised into a hierarchical tree
- Each "entry" (tree node) is identified by a DN (distinguished name), e.g. uid=aokhotnikov,ou=People,ou=Users,dc=ldap,dc=sjua
- Each component of a DN is called an RDN (relative DN) and represents a branch in the tree
- The RDN must be unique among the nodes at the same level of the tree (it is generally equivalent to one of the attributes, i.e. "uid" or "cn" in the case of a person)
- Each node has 1 or many attribute values associated with it. Each attribute can have 1 or many values

LDAP Basics (cont.)

- "objectClass" is a mandatory attribute which specifies the schema (attribute constraints) for the given node
- Multiple "objectClass" attributes can be combined together to achieve inheritance
- Example "objectClass" (common schema) attributes: dcObject, organizationalUnit, person, organizationalPerson, inetOrgPerson, inetLocalMailRecipient

- CN (Canonical Name) is another common attribute used to provide a unique name for a directory object

LDAP Schemas

Many standard schemas exist, including:

- People schemas - person, organizationalPerson, inetOrgPerson, posixAccount, mailLocalRecipient, strongAuthenticationUser
- Group schemas - groupOfUniqueNames, posixGroup, organizationalRole, roleMember
- Host / Network schemas - domain, ipHost, ipNetwork, ipProtocol, ipService, ieee802Device, bootableDevice

An invaluable schema repository from Alan Knowles at the Hong Kong Linux Centre:

http://ldap.akbkhome.com/

LDIF File Format

LDIF (LDAP Data Interchange Format) is used to import/export from an LDAP directory server and to run updates:

dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: GForge Admin
sn: User
cn: GForge Admin User
uid: gforgeadmin
# the password hash and the uidNumber digits are not legible in the source slide;
# the two values below are placeholders
userPassword: {MD5}PLACEHOLDER-HASH
uidNumber: PLACEHOLDER
gidNumber: 544
homeDirectory: /opt/gforge5
mail: acidumirae@gmail.com
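The LDIF rules that matter when you feed records like the one above into ldapadd, or pull them out of a dump, are the ones a hand-written parser usually gets wrong: records are separated by blank lines, lines starting with "#" are comments, a line that starts with a single space continues the previous line, "attr:: value" means the value is base64, and an attribute may repeat to carry several values. The following is an added example, not code from the slides or from OpenLDAP: a stdlib-only Python reader for LDIF content records, a DN splitter that respects backslash-escaped commas, and a check that flags the two defects a reviewer would look for in an import file (a posixAccount missing one of its MUST attributes, and a userPassword stored without a {SCHEME} prefix, i.e. in clear text). The two records in SAMPLE_LDIF are constructed for the example; the second one is deliberately defective.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample: the first record is modelled on the slide's entry, the
# second is deliberately incomplete and stores its password in the clear.
SAMPLE_LDIF = """\
# first record: the admin user from the slide (password value is base64 here)
dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: GForge Admin
sn: User
cn: GForge Admin User
uid: gforgeadmin
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
uidNumber: 1000
gidNumber: 544
homeDirectory: /opt/gforge5
description: a long value folded
  over two lines

dn: uid=tester,ou=Users,dc=ldap,dc=sjua
objectClass: posixAccount
cn: tester
uid: tester
uidNumber: 1001
gidNumber: 544
userPassword: secret
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into a list of {attribute: [values]} dicts."""
    # Step 1: unfold.  A line starting with one space continues the previous line.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    # Step 2: split into records on blank lines and parse "name: value" lines.
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:            # the extra "" flushes the last record
        if line.startswith("#"):
            continue                       # comment line
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):          # "name:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, keeping a backslash-escaped comma inside a value."""
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])        # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


# MUST attributes of posixAccount (nis.schema)
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def check_entry(entry: Entry) -> List[str]:
    """Return the problems found: missing MUST attributes, clear-text passwords."""
    problems: List[str] = []
    if "dn" not in entry:
        problems.append("missing dn")
    if "posixAccount" in entry.get("objectClass", []):
        for must in POSIX_ACCOUNT_MUST:
            if must not in entry:
                problems.append(f"posixAccount requires {must}")
    for pw in entry.get("userPassword", []):
        if not pw.startswith("{"):         # no {SCHEME} prefix: stored in the clear
            problems.append("userPassword is stored in clear text")
    return problems


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(split_dn(e["dn"][0]), check_entry(e) or "ok")
```

Run it before an ldapadd of a generated file: a record that fails check_entry would either be rejected by slapd's schema checking or, worse, be accepted with a clear-text password that every reader of the attribute can see.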

Custom Schemas

LDAP schemas use SNMP style OIDs (Object IDs) for uniquely defining schema elements. Apply for an IANA enterprise number here:

http://www.iana.org/cgi-bin/enterprise.pl

The private enterprise number OID prefix is 1.3.6.1.4.1, e.g. Metaparadigm uses 1.3.6.1.4.1.[enterprise number not legible in the source]. Information on custom schemas can be found here:

http://www.openldap.org/doc/admin/schema.html

Linux LDAP Servers

- OpenLDAP is the primary open-source LDAP implementation, based on the Univ. of Michigan LDAP: http://www.openldap.org/
- Sun provides the iPlanet Directory Server / Sun One Java DS
- Oracle provides an LDAP server using an Oracle database backend
- Many others available (Novell DS, Fedora DS, Apache DS, OpenDS, Innosoft, etc.)
- Linux can also integrate with LDAP servers running on other platforms such as Microsoft Active Directory or Novell eDirectory

Commercial LDAP Servers


- Novell eDirectory
- Sun One Identity Server
- Microsoft Active Directory
- Apple Open Directory
- Siemens DirX
- Oracle Internet Directory
- IBM Tivoli Directory
- CA Directory
- Lotus Domino
- Nexor Directory
- View500
- Isode's M-Vault
- aeSLAPD
- ...

http://www.paldap.org/ldap-server-software

Scalability and Fault Tolerance

- OpenLDAP supports real-time directory replication to provide load-balancing and high availability
- OpenLDAP supports single master, multiple slaves
- Most LDAP aware applications can be configured to use multiple LDAP servers (providing fallback servers)
- Multiple master support is in the works (currently alpha)
- OpenLDAP can be integrated with "heartbeat" and "mon" to provide fault tolerance: http://www.linux-ha.org/

Setting up OpenLDAP


Configuration is located in /etc/openldap/slapd.conf. We need to include the schemas we are using:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

Next we specify a database:

database  hdb
suffix    "dc=ldap,dc=sjua"
rootdn    "cn=admin,dc=ldap,dc=sjua"
# the rootpw hash is not legible in the source slide; generate one with slappasswd
rootpw    {SSHA}PLACEHOLDER-HASH
directory /var/lib/ldap
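The rootpw value above is a {SSHA} hash, and the LDIF entry earlier used a {MD5} one. What those strings contain decides how much an attacker learns from a leaked slapd.conf or directory dump, so it is worth seeing how they are built and checked. The following is an added example, not code from the slides or from OpenLDAP: it reproduces the RFC 2307 layout that slappasswd emits for {SSHA} (base64 of the SHA-1 digest followed by a random 4-byte salt), the unsalted {MD5} form, a constant-time verifier for both, and a small classifier that separates clear-text, unsalted and salted values. Passwords and salts used here are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt).

    This is the layout slappasswd produces; a fresh 4-byte salt is drawn per call,
    so two users with the same password get different stored values.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password: str) -> str:
    """Unsalted {MD5} value as seen in the LDIF: base64(md5(password)).

    Equal passwords give equal strings, so one precomputed table cracks them all.
    """
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} or {MD5} value."""
    if not stored.startswith("{"):
        raise ValueError("value has no {SCHEME} prefix")
    scheme, _, payload = stored[1:].partition("}")
    raw = base64.b64decode(payload)
    pw = candidate.encode("utf-8")
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]        # SHA-1 digest is 20 bytes, the rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if scheme.upper() == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    raise ValueError(f"unsupported scheme {scheme!r}")


def scheme_strength(stored: str) -> str:
    """Classify a stored value: 'cleartext', 'unsalted' ({MD5}, {SHA}), 'salted' or 'other'."""
    if not stored.startswith("{"):
        return "cleartext"
    scheme = stored[1:].partition("}")[0].upper()
    if scheme in ("SSHA", "SMD5"):
        return "salted"
    if scheme in ("MD5", "SHA"):
        return "unsalted"
    return "other"


if __name__ == "__main__":
    h = ssha_hash("s3cret")
    print(h, verify(h, "s3cret"), verify(h, "wrong"))
    for value in (h, md5_hash("s3cret"), "s3cret"):
        print(scheme_strength(value), value)
```

Generating the value yourself is useful for bulk LDIF imports, where you cannot call slappasswd per user; the verifier is what a client does when it reads userPassword with enough privilege, which is exactly why the ACL section below restricts that attribute.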

Setting up OpenLDAP (cont.)

We can now start slapd (Standalone LDAP daemon):

# /etc/init.d/ldap start

The next step is to add data to the directory using the LDIF example presented earlier:

# ldapadd -D cn=admin,dc=ldap,dc=sjua -W < init.ldif
Enter LDAP Password: xxxxx
adding new entry "dc=ldap,dc=sjua"
adding new entry "ou=WebAdmin,ou=Users,dc=ldap,dc=sjua"
adding new entry "uid=gfrogeadmin,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua"

Tuning OpenLDAP

We need to add additional indexes for performance:

index objectclass eq
index cn pres,sub,eq
## required to support pdb_getsampwnam
index sn pres,sub,eq
## required to support pdb_getsambapwrid()
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index loginShell eq
index memberUid eq
index uniqueMember eq,pres

We need to add ACLs for security:

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn=""
    by * read
access to *
    by self write
    by users read
    by anonymous auth
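Reading an ACL set like the one above is easy; predicting what it grants to a given client is not, because slapd evaluates directives in order: the first "access to" whose target matches the request is the only one consulted, and within it the first "by" clause whose subject matches decides the privilege (no match at all means no access). The following is an added example, not code from the slides or from OpenLDAP: a toy evaluator that encodes the three directives above and the slapd privilege ordering, so you can tabulate who can do what before restarting slapd. It assumes dn="" is an exact match on the root DSE, and it models only the self, anonymous, users and * subjects used on the slide; the DNs in the demo are constructed.

```python
from typing import List, Optional, Tuple

# slapd privilege levels, weakest to strongest; a granted level implies all weaker ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

Target = Tuple[str, Optional[str]]     # ("attrs", name) | ("dn", value) | ("*", None)
ByClause = Tuple[str, str]             # (who, level)

# The three "access to" directives from the slide, in slapd.conf order.
ACLS: List[Tuple[Target, List[ByClause]]] = [
    (("attrs", "userpassword"), [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (("dn", ""),                [("*", "read")]),
    (("*", None),               [("self", "write"), ("users", "read"), ("anonymous", "auth")]),
]


def target_matches(target: Target, entry_dn: str, attr: Optional[str]) -> bool:
    """Does an 'access to' target cover this entry/attribute?"""
    kind, value = target
    if kind == "*":
        return True
    if kind == "attrs":                # covers that attribute on any entry
        return attr is not None and attr.lower() == value
    if kind == "dn":                   # modelled as an exact DN match (assumption)
        return entry_dn.lower() == (value or "").lower()
    return False


def who_matches(who: str, bound_dn: Optional[str], entry_dn: str) -> bool:
    """Does a 'by' subject describe this bind identity?  bound_dn None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    return False


def granted_level(bound_dn: Optional[str], entry_dn: str, attr: Optional[str]) -> str:
    """First matching 'access to' wins; inside it the first matching 'by' wins; else none."""
    for target, by_clauses in ACLS:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, bound_dn, entry_dn):
                return level
        return "none"                  # target matched but no subject did: implicit "by * none"
    return "none"


def allowed(bound_dn: Optional[str], entry_dn: str, attr: Optional[str], op: str) -> bool:
    """Is operation `op` (a name from LEVELS) permitted for this bind identity on this target?"""
    return LEVELS.index(granted_level(bound_dn, entry_dn, attr)) >= LEVELS.index(op)


if __name__ == "__main__":
    user = "uid=gforgeadmin,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua"
    other = "uid=tester,ou=Users,dc=ldap,dc=sjua"
    for bound, label in ((None, "anonymous"), (user, "self"), (other, "other user")):
        print(f"{label:10} read userPassword: {allowed(bound, user, 'userPassword', 'read')!s:5}"
              f" write own entry: {allowed(bound, user, 'cn', 'write')!s:5}"
              f" read cn: {allowed(bound, user, 'cn', 'read')}")
```

The table the demo prints is the property to keep when the rules are edited later: anonymous clients can bind against userPassword but never read it, a user can change only their own password, and everyone else is stopped by the trailing "by * none" rather than falling through to the "access to *" directive.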

Tuning OpenLDAP (cont.)

Set up logging in syslog.conf (the default facility is LOCAL4):

local4.*    /var/log/sldap.log

- Make sure "slapd" runs as a non-privileged user
- Make "slapd" bind to the SSL port for security: you need certificates signed with openSSL, and you must modify slapd.conf and modify the init script to bind to the SSL port

TLSCertificateFile    /etc/openldap/ldap.sjua.cer
TLSCertificateKeyFile /etc/openldap/ldap.sjua.key

/usr/libexec/slapd -h "ldap://ldap.metaparadigm.com/ ldaps://ldap.metaparadigm.com/" \
    -l LOCAL4 -u ldap -g ldap

LDAP Search Filters


- LDAP uses a simple "search filters" syntax (RFC 2254)
- LDAP queries return all attributes of matching entries (or specifically selected attributes) which match the search filter
- LDAP query particles are enclosed within parentheses in the form ( attribute <matching rule> value ), i.e. (cn=GForge Admin User)
- Matching rules include (=, ~=, >=, <=); * can be used as a wildcard within the value
- These can be combined together using the boolean operators and, or and not (&, |, !), e.g.:

(&(cn=GForge Admin User)(objectClass=posixAccount))
(&(objectClass=inetOrgPerson)(!(ou=People)))
(|(cn=GForge Admin*)(cn=GForge*))
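The filter grammar above is small enough to implement end to end, and doing so makes two things concrete: how the &, | and ! operators nest, and why a value taken from user input must be escaped before it is spliced into a filter (an unescaped * turns an equality test into a wildcard, and unescaped parentheses change the filter's structure). The following is an added example, not code from the slides or from OpenLDAP: a recursive-descent parser for RFC 2254 filters, an evaluator that runs them over a few in-memory entries, and the RFC 4515 escape function that neutralises the special characters. Equality and substring matching are case-insensitive, and ~= is modelled as a case-insensitive equality (a simplification; real servers use a schema-defined approximate rule). The three ENTRIES are constructed for the example.

```python
import re
from typing import Any, Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed entries to run the slide's filters against.
ENTRIES: List[Entry] = [
    {"cn": ["GForge Admin User"], "objectClass": ["inetOrgPerson", "posixAccount"],
     "ou": ["WebAdmin"], "uidNumber": ["1000"]},
    {"cn": ["Orange Admin User"], "objectClass": ["inetOrgPerson"],
     "ou": ["People"], "uidNumber": ["1001"]},
    {"cn": ["GForge"], "objectClass": ["posixGroup"], "gidNumber": ["544"]},
]

ITEM_RE = re.compile(r"^([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)$")


def escape_filter_value(value: str) -> str:
    """Escape a value before splicing it into a filter (RFC 4515): *, (, ), \\ and NUL."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape(piece: str) -> str:
    """Turn \\xx hex escapes back into characters (used when matching)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def parse_filter(text: str) -> Tuple[Any, ...]:
    """Recursive-descent parser: '(&(a=1)(b=2))' -> ('&', [('item','a','=','1'), ...])."""
    pos = 0

    def node() -> Tuple[Any, ...]:
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one filter")
            result: Tuple[Any, ...] = (op, kids)
        else:
            end = text.find(")", pos)        # a literal ')' inside a value must be escaped
            if end < 0:
                raise ValueError("unterminated filter item")
            m = ITEM_RE.match(text[pos:end])
            if not m:
                raise ValueError(f"bad filter item {text[pos:end]!r}")
            result = ("item", m.group(1), m.group(2), m.group(3))
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def _values(entry: Entry, attr: str) -> List[str]:
    """Attribute lookup, case-insensitive on the attribute name."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(tree: Tuple[Any, ...], entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, op, value = tree
    values = _values(entry, attr)
    if op == "=":
        if value == "*":                      # presence filter
            return bool(values)
        # an unescaped '*' splits the value into substrings; escaped bytes stay literal
        pattern = ".*".join(re.escape(unescape(p)) for p in value.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    if op == "~=":                            # toy approximate match (assumption)
        return any(v.lower() == unescape(value).lower() for v in values)

    def ordered(v: str) -> bool:              # >= / <=: numeric when both sides are integers
        try:
            a, b = int(v), int(unescape(value))
        except ValueError:
            a, b = v.lower(), unescape(value).lower()
        return a >= b if op == ">=" else a <= b
    return any(ordered(v) for v in values)


def search(filter_str: str, entries: List[Entry] = ENTRIES) -> List[int]:
    """Return the indexes of the entries matching the filter."""
    tree = parse_filter(filter_str)
    return [i for i, e in enumerate(entries) if matches(tree, e)]


if __name__ == "__main__":
    for f in ("(&(cn=GForge Admin User)(objectClass=posixAccount))",
              "(&(objectClass=inetOrgPerson)(!(ou=People)))",
              "(|(cn=GForge Admin*)(cn=GForge*))"):
        print(f, "->", search(f))
    name = "*"                                # value as it might arrive from a form field
    print("unescaped:", search(f"(cn={name})"), "escaped:", search(f"(cn={escape_filter_value(name)})"))
```

The last two lines are the check worth remembering: with the raw value the lookup for a user named "*" returns every entry, with the escaped value it returns none, which is the correct answer for a name nobody has.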

LDAP Search Filters (cont.)

The following example ldapsearch retrieves the names and email addresses of all users with a givenname of "GForge Admin" or "Orange Admin":

ldapsearch -xLLL -h ldap.sjua -b ou=Users,dc=ldap,dc=sjua \
    "(&(|(givenname=GForge Admin)(givenname=Orange Admin))(objectClass=inetOrgPerson))" cn mail
dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua
cn: GForge Admin User
mail: acidumirae@gmail.com

dn: cn=Orange Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua
cn: Orange Admin User
mail: aokhotnikov@softjourn.com

Very easy to incorporate this into shell scripts with awk or sed.

LDAP Applications

- Authenticate users in web applications (OrangeHRM, gForge, DokuWiki, etc.)
- Authenticate users in Samba, Apache, ProFTPd, etc.
- Possible NSS (Name Service Switch) integration
- Possible PAM (Pluggable Authentication Module)
- Possible mail routing: Sendmail, Postfix, etc.
- Shared Address Book (Evolution, Mozilla, Outlook, Eudora, web clients, etc.)
- Programming Libraries (Perl, Java, PHP, etc.)

LDAP Browsers and Editors

Directory Administrator
http://diradmin.open-it.org

GQ
http://biot.com/gq/

Java LDAP Browser
http://www.iit.edu/~gawojar/ldap/

phpLDAPadmin
http://phpldapadmin.sf.net/

Migration to LDAP

PADL migration tools:

http://www.padl.com/OSS/MigrationTools.html (passwd, group, hosts, networks, services, etc.)

We have migrated users from OrangeHRM using a custom PHP script that was generating LDIF files:

- some issues with Samba - NTPassword is MD4
- minor issues with gForge - multiple installations (dirty database)

Resources

OpenLDAP: http://openldap.org

Practical LDAP from Metaparadigm Pte Ltd.:

http://gort.metaparadigm.com/ldap/

Ubuntu Documentation: OpenLDAP Server

https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html

Ubuntu Documentation: Samba and LDAP

https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html

Introduction to LDAP and Single Sign-On; LDAP and Directory Services:

http://tapor.ualberta.ca/Resources/Techdocs/completed/ldappresentation.pdf

http://ldap.mtu.edu/docs/public/mtu_dsinfo/techiefest/techiefest_files/v3_document.htm
