tutor:LDAP
Introduction
- http://ldots.org/ldap/
- http://tldp.org/HOWTO/LDAP-HOWTO/introduction.html
- http://quark.humbug.org.au/publications/ldap/ldap_tut.html
A directory is similar to a database, but tends to contain more descriptive, attribute-based information. The information in a directory is generally read much more often than it is written. Directories are tuned to give quick responses to high-volume lookup or search operations. They may have the ability to replicate information widely in order to increase availability and reliability, while reducing response time. When directory information is replicated, temporary inconsistencies between the replicas may be acceptable, as long as they get in sync eventually.
There are many different ways to provide a directory service. Different methods allow different kinds of information to be stored in the directory, place different requirements on how that information can be referenced, queried and updated, how it is protected from unauthorized access, etc. Some directory services are local, providing service to a restricted context (e.g., the finger service on a single machine). Other services are global, providing service to a much broader context.
LDAP directory service is based on a client-server model. One or more LDAP servers contain the data making up the LDAP directory tree or LDAP backend database. An LDAP client connects to an LDAP server and asks it a question. The server responds with the answer, or with a pointer to where the client can get more information (typically, another LDAP server). No matter what LDAP server a client connects to, it sees the same view of the directory; a name presented to one LDAP server references the same entry it would at another LDAP server. This is an important feature of a global directory service, like LDAP.
LDAP
- Lightweight Directory Access Protocol
- Based on X.500
- Directory service (RFC1777)
- Stores attribute based data
- Data generally read more than written to
- No transactions
- No rollback
- Hierarchical data structure
- Entries are in a tree-like structure called Directory Information Tree (DIT)
Hierarchy
- Main domain (dc=de)
- Organization (dc=fzk)
- Organizational Unit (ou=People, ou=Servers, ou=Group)
- Person (uid=first, cn=dev, ...)
- Organizational Unit (ou=People, ou=Servers, ou=Group)
- Organization (dc=fzk)
Acronyms
- LDAP
- Lightweight Directory Access Protocol
- DN
- Distinguished Name
- RDN
- Relative Distinguished Name
- DIT
- Directory Information Tree
- LDIF
- LDAP Data Interchange Format
- OID
- Object Identifier
LDAP URL
Definition taken from RFC1959
<ldapurl> ::= "ldap://" [ <hostport> ] "/" <dn> [ "?" <attributes>
[ "?" <scope> "?" <filter> ] ]
<hostport> ::= <hostname> [ ":" <portnumber> ]
<dn> ::= a string as defined in RFC 1485
<attributes> ::= NULL | <attributelist>
<attributelist> ::= <attributetype>
| <attributetype> [ "," <attributelist> ]
<attributetype> ::= a string as defined in RFC 1777
<scope> ::= "base" | "one" | "sub"
<filter> ::= a string as defined in RFC 1558
Explanations:
- DN
- Distinguished name
- Attribute list
- List of attributes you want returned
- Scope
- base = base object search
- one = one level search
- sub = subtree search
- Filter
- Standard LDAP search filter
Examples
- ldap://foo.bar.com/dc=bar,dc=com
- ldap://argle.bargle.com/dc=bar,dc=com??sub?uid=barney
- ldap://ldap.bedrock.com/dc=bar,dc=com?cn?sub?uid=barney
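A small parser for the grammar above, written for this page as an added example (it is not code from the original tutorial or from any LDAP project). It uses only the Python standard library, takes the page's three example URLs as input, applies the RFC 1959 defaults for omitted fields (all attributes, scope base, filter (objectClass=*)), and shows the ldapsearch invocation each URL corresponds to. The helper names parse_ldap_url and as_ldapsearch are this example's own.

```python
"""Parse LDAP URLs using the RFC 1959 grammar quoted above.

Added example, not code from the original page.  It uses only the
standard library; the page's three example URLs are the sample input,
and as_ldapsearch() shows the ldapsearch invocation each one maps to.
"""
from urllib.parse import unquote

DEFAULT_PORT = 389
SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Split an LDAP URL into host, port, dn, attributes, scope and filter.

    RFC 1959 defaults apply when a field is absent: an empty attribute
    list means "return all attributes", the scope defaults to "base" and
    the filter to "(objectClass=*)".
    """
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %r" % url)
    rest = url[len("ldap://"):]
    # <hostport> runs up to the first "/" and may be empty (ldap:///dn)
    hostport, _, rest = rest.partition("/")
    host, port = hostport, DEFAULT_PORT
    if ":" in hostport:
        host, _, port_text = hostport.rpartition(":")
        port = int(port_text)
    # the fields after the DN are "?"-separated and each may be empty
    fields = rest.split("?")
    if len(fields) > 4:
        raise ValueError("too many '?' fields in %r" % url)
    dn = unquote(fields[0])
    attributes = [a for a in fields[1].split(",") if a] if len(fields) > 1 else []
    scope = fields[2] if len(fields) > 2 and fields[2] else "base"
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s, got %r" % (SCOPES, scope))
    filt = unquote(fields[3]) if len(fields) > 3 and fields[3] else "(objectClass=*)"
    return {"host": host or None, "port": port, "dn": dn,
            "attributes": attributes, "scope": scope, "filter": filt}


def as_ldapsearch(parsed):
    """argv for the ldapsearch call that performs the URL's search
    (bind options such as -x or -D are added by the caller)."""
    port_part = ":%d" % parsed["port"] if parsed["port"] != DEFAULT_PORT else ""
    uri = "ldap://%s%s/" % (parsed["host"] or "", port_part)
    return (["ldapsearch", "-H", uri, "-b", parsed["dn"], "-s", parsed["scope"],
             parsed["filter"]] + parsed["attributes"])


if __name__ == "__main__":
    for url in ("ldap://foo.bar.com/dc=bar,dc=com",
                "ldap://argle.bargle.com/dc=bar,dc=com??sub?uid=barney",
                "ldap://ldap.bedrock.com/dc=bar,dc=com?cn?sub?uid=barney"):
        print(url, "->", " ".join(as_ldapsearch(parse_ldap_url(url))))
```

The second example URL shows why each field is checked for emptiness separately: two consecutive "?" mean "no attribute list", not "no scope", so the scope is sub and only the attribute list falls back to its default.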
LDAP command line tools
- ldapadd, ldapmodify
- Used to add or modify ldap entries
$ ldapmodify -r -D 'cn=foo,dc=bar,dc=com' -W < /tmp/user.ldif
- ldapdelete
- Used to delete entries
$ ldapdelete -D 'cn=foo,dc=bar,dc=com' -W 'cn=user,dc=bar,dc=com'
- ldapsearch
- Used to search ldap servers
$ ldapsearch -L -D 'cn=foo,dc=bar,dc=com' 'objectclass=posixAccount'
Firewall
All standard and TLS LDAP traffic occurs over port 389/tcp. LDAPS traffic occurs over port 636/tcp. Connections are always initiated by the client.
LDIF
- LDAP Data Interchange Format
- Represents LDAP entries in text
- Human readable format
- Allows easy modification of data
- ldbmcat converts ldbm database to ldif
- ldif2ldbm converts ldif back to ldbm database
- Example extract
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}KDnOoUYN7Neac
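The extract above can be read back with a few lines of code. The following is an added example, not code from the original page or from OpenLDAP: it parses LDIF (comments, folded continuation lines, base64 "::" values, multi-valued attributes such as objectclass) and then audits how each userpassword is stored, which is the attribute a reviewer of an LDIF dump looks at first. SAMPLE_LDIF is the page's extract embedded as a constructed input; the audit rules and the names parse_ldif, password_scheme and audit_passwords are this example's own.

```python
"""Parse LDIF text and audit how userPassword values are stored.

Added example, not code from the original page.  SAMPLE_LDIF embeds the
page's example extract as a constructed input string; the audit rules
below are this example's own, not anything the page prescribes.
"""
import base64

SAMPLE_LDIF = """\
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}KDnOoUYN7Neac
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercase attribute name
    -> list of values (LDIF attributes may repeat, as objectclass does).
    Handles '#' comments, folded lines (leading space) and base64
    values written with '::'; entries are separated by blank lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # unfold a continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep or not name:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):             # attr:: <base64 value>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value):
    """Scheme prefix of a userPassword value ('CRYPT', 'SSHA', ...),
    or 'CLEARTEXT' when the value carries no {SCHEME} prefix."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"


def audit_passwords(entries):
    """Return (dn, finding) pairs for weakly stored passwords."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for value in entry.get("userpassword", []):
            scheme = password_scheme(value)
            hash_part = value if scheme == "CLEARTEXT" else value[len(scheme) + 2:]
            if scheme == "CLEARTEXT":
                findings.append((dn, "password stored in clear text"))
            elif scheme == "CRYPT" and len(hash_part) == 13:
                # 13 characters = traditional DES crypt(3): a 12-bit salt and
                # only the first 8 characters of the password are used
                findings.append((dn, "traditional DES crypt hash"))
            elif scheme in ("MD5", "SHA"):
                findings.append((dn, "unsalted %s digest" % scheme))
    return findings


if __name__ == "__main__":
    for dn, finding in audit_passwords(parse_ldif(SAMPLE_LDIF)):
        print(dn, "->", finding)
```

Run against the page's extract, the audit reports the one entry as carrying a traditional DES crypt hash; the same parser can be pointed at a full ldbmcat or slapcat dump to review every account at once.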
Schema
- Set of rules that describes what kind of data is stored
- Helps maintain consistency and quality of data
- Reduces duplication of data
- Object class attribute determines schema rules the entry must follow
- Schema contains the following:
- Required attributes
- Allowed attributes
- How to compare attributes
- Limit what the attributes can store, i.e. restrict a value to an integer, etc.
- Restrict what information is stored, i.e. prevent duplication, etc.
Attribute abbreviations
See RFC2256
- uid
- User id
- cn
- Common Name
- sn
- Surname
- l
- Location
- ou
- Organisational Unit
- o
- Organisation
- dc
- Domain Component
- st
- State
- c
- Country
Search Filters
- Criteria for attributes that must be fulfilled for entry to be returned
- Base dn = base object entry search is relative to
- Prefix notation
- Standards
- Operators
- & = and
- | = or
- ! = not
- ~= = approx equal
- >= = greater than or equal
- <= = less than or equal
- * = any
- Eg
- (objectclass=posixAccount)
- (cn=Mickey M*)
- (|(uid=fred)(uid=bill))
- (&(|(uid=jack)(uid=jill))(objectclass=posixAccount))
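To make the prefix notation concrete, here is an added example (not code from the original page) that parses filters like the four above into a tree and evaluates them against in-memory entries. It also shows the one check an application building filters from user input needs: escaping the special characters "*", "(", ")", "\" and NUL as \XX hex sequences, as specified in RFC 4515 (the current revision of the RFC 1558 filter grammar), so that untrusted text is matched literally. SAMPLE_ENTRIES are constructed for the demonstration, approximate matching (~=) is simplified to case-insensitive equality since real servers define it per attribute, and the names parse_filter, matches, search and escape_filter_value are this example's own.

```python
"""Parse and evaluate LDAP search filters in prefix notation.

Added example, not code from the original page.  Entries are dicts of
lowercase attribute name -> list of values; SAMPLE_ENTRIES is constructed
for the demonstration.  Value escaping follows RFC 4515.
"""
import re

ITEM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)(.*)$", re.S)


def parse_filter(text):
    """Return ('&'|'|'|'!', [children]) or (op, attr, value) tuples."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos, text))
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if not children or (op == "!" and len(children) != 1):
                raise ValueError("bad operand count for %r" % op)
            node = (op, children)
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("unterminated item in %r" % text)
            m = ITEM_RE.match(text[pos:end])
            if not m:
                raise ValueError("bad filter item %r" % text[pos:end])
            node = (m.group(2), m.group(1).lower(), m.group(3))
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at %d in %r" % (pos, text))
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return node


def unescape(value):
    """Turn \\XX hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def escape_filter_value(value):
    """Escape untrusted text before placing it in a filter so that
    '*', '(', ')', '\\' and NUL cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if op == "=" and pattern == "*":                 # presence test
        return bool(values)
    if op in ("=", "~="):
        # unescaped '*' becomes '.*'; every other character is literal.
        # '~=' is simplified here to case-insensitive equality.
        regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
        return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)
    wanted = unescape(pattern)                       # '>=' or '<='
    for v in values:
        if v.lstrip("-").isdigit() and wanted.lstrip("-").isdigit():
            ok = int(v) >= int(wanted) if op == ">=" else int(v) <= int(wanted)
        else:
            ok = v >= wanted if op == ">=" else v <= wanted
        if ok:
            return True
    return False


def search(entries, filter_text):
    """Return the DNs of the entries that satisfy filter_text."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]


SAMPLE_ENTRIES = [  # constructed test data
    {"dn": ["uid=jack,ou=People,dc=bar,dc=com"], "uid": ["jack"], "cn": ["Jack Hill"],
     "objectclass": ["account", "posixAccount", "top"], "uidnumber": ["1001"]},
    {"dn": ["uid=jill,ou=People,dc=bar,dc=com"], "uid": ["jill"], "cn": ["Jill Hill"],
     "objectclass": ["account", "posixAccount", "top"], "uidnumber": ["1002"]},
    {"dn": ["uid=fred,ou=People,dc=bar,dc=com"], "uid": ["fred"],
     "cn": ["Fred Flintstone"], "objectclass": ["inetOrgPerson", "top"],
     "uidnumber": ["1003"]},
    {"dn": ["cn=Mickey Mouse,ou=People,dc=bar,dc=com"], "cn": ["Mickey Mouse"],
     "objectclass": ["person", "top"]},
]

if __name__ == "__main__":
    for f in ("(objectclass=posixAccount)", "(cn=Mickey M*)",
              "(|(uid=fred)(uid=bill))",
              "(&(|(uid=jack)(uid=jill))(objectclass=posixAccount))"):
        print(f, "->", search(SAMPLE_ENTRIES, f))
    # a user-supplied "j*" is escaped to "j\2a" and matched literally
    print(search(SAMPLE_ENTRIES, "(uid=%s)" % escape_filter_value("j*")))
```

The last line is the point of escape_filter_value: the unescaped filter (uid=j*) returns jack and jill, while the escaped one returns nothing, because the asterisk is now part of the value rather than a wildcard.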
auth
- Simple auth, no encryption
- ldapsearch -H ldap://hostname/ -b dc=example,dc=com -x
- Simple auth, SSL via LDAPS
- ldapsearch -H ldaps://hostname/ -b dc=example,dc=com -x
- Simple auth, SSL via StartTLS
- ldapsearch -H ldap://hostname/ -ZZ -b dc=example,dc=com -x
- SASL auth, no encryption
- ldapsearch -H ldap://hostname/ -b dc=example,dc=com
- SASL auth, SSL via LDAPS
- ldapsearch -H ldaps://hostname/ -b dc=example,dc=com
- SASL auth, SSL via StartTLS
- ldapsearch -H ldap://hostname/ -ZZ -b dc=example,dc=com
Install Server
Note: do not store the password in plain text; convert it to a hash with the command slappasswd -s password and paste the resulting hash into the file.
# install openldap server
yum install openldap-servers openldap-clients
# configure the /etc/openldap/slapd.conf
vi /etc/openldap/slapd.conf
# check:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
# insert:
defaultaccess read
access to attr=userpassword
    by self write
    by * read
access to *
    by self write
    by dn=".+" read
    by * read
database bdb
suffix "dc=dgireffs1,dc=fzk,dc=de"
rootdn "cn=Manager,dc=dgireffs1,dc=fzk,dc=de"
rootpw password
# vi /etc/openldap/ldap.conf
URI ldap://127.0.0.1/
BASE dc=fzk,dc=de
HOST dgireffs1.fzk.de
TLS_CACERTDIR /etc/openldap/cacerts
# create the DB_CONFIG configuration
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# start the ldap service
service ldap start
# create the *.ldif
vi /localhome/base.ldif
dn: dc=fzk,dc=de
dc: fzk
objectClass: domain
# Import *.ldif into your directory
ldapadd -x -D "cn=manager,dc=fzk,dc=de" -w password -f /localhome/base.ldif
# test
ldapsearch -x objectclass=\*
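The note at the top of this section asks for a slappasswd hash instead of a plain-text rootpw. The following added example (not code from the page or from OpenLDAP) produces and verifies values in the {SSHA} format that slappasswd emits by default, so the output of make_ssha can be pasted into the rootpw line. The format is base64 of SHA-1(password + salt) followed by the salt; the verifier reads the salt back from the stored value, so it accepts any salt length, as slapd does. The function names make_ssha and check_ssha and the 4-byte salt size are this example's choices.

```python
"""Produce and verify OpenLDAP-style {SSHA} password values.

Added example, not part of the original page.  {SSHA} is
base64( SHA-1(password || salt) || salt ); the salt is recovered from
the stored value on verification, so any salt length is accepted.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20


def make_ssha(password, salt=None):
    """Return a '{SSHA}...' value suitable for rootpw or userPassword."""
    if salt is None:
        salt = os.urandom(4)          # fresh random salt per hash
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, password):
    """True if password matches the stored '{SSHA}...' value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = make_ssha("password")     # the page's sample rootpw, hashed
    print("rootpw", value)
    print(check_ssha(value, "password"), check_ssha(value, "wrong"))
```

Two hashes of the same password differ because each carries its own salt, which is what stops a leaked slapd.conf or LDIF dump from being compared against precomputed tables. SHA-1 is a legacy choice; where the server supports them, newer schemes such as crypt(3)-based SHA-512 under {CRYPT} are preferable, but the salt-and-verify structure is the same.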