LDAP - scs.senecac.on.caraymond.chan/ops535/1303/notes/LDAP...

LDAP: Lightweight Directory Access Protocol, Raymond Chan, 2013 (21 pages)

Posted on 31-Mar-2019


Page 1:

LDAP

Lightweight Directory Access Protocol

Raymond Chan

2013

Page 2:

LDAP

● A complex subject
● Promises a common source for information
● Unlimited scalability using a replication model
● Provides fast read performance
● Fine-grained security control over who can do what to what data
● ...

Page 3:

LDAP Overview

● LDAP is a protocol that defines how directory data should be accessed

● Defines and describes how data is represented in the directory service

● Defines how data is loaded into and saved from a directory service using LDIF

● LDAP defines four models related to the directory service: Information, Naming, Functional and Security Models.

Page 4:

Information Model

Defines how the information or data is represented in an LDAP system.

Page 5:

Naming Model

● Uses the “attribute=value” syntax, as in 'dc=nad810,dc=com'

Page 6:

Functional Model

Defines how to read, search, write and modify data stored in a directory service

Page 7:

Security Model

Defines how to control who can do what to what data

Page 8:

LDAP ≠ Database

● LDAP is a protocol to access directory information which may be stored in a database

● The data (which may be stored in a database) should be optimized for read access

● LDAP does not need to have knowledge of the physical organization of the directory data

Page 9:

DIT

● Directory Information Tree
– Used to represent an LDAP-enabled directory as a hierarchy of objects
– Each object is called an entry
– The top of the tree is commonly called the root
– Each entry in the tree has one parent entry
– Each entry in the tree has one or more child entries
– Each child entry is a sibling of its parent's other child entries
– Each entry is composed of one or more objectClass

Page 10:

objectClass

● Each objectClass contains zero or more attributes
● Each objectClass has a name
● The objectClass defines whether an attribute member is MANDATORY or OPTIONAL
● An objectClass may be a child of another objectClass and inherits all its parent's attributes

Page 11:

Attribute

● Each attribute has a name
● All attributes are members of one or more objectClass
● Each attribute defines its data type
● Attributes can have single or multiple values

Page 12:

LDAP Implementation

● OpenLDAP
● Microsoft Active Directory

Page 13:

OpenLDAP

● Installation – rpm, source
● Configuration – /etc/openldap/slapd.d
● Testing
– ldapsearch
– slaptest
– ldapadd
– ldapmodify

Page 14:

search

● RootDSE – DSE – DSA Specific Entry
– DSA – Directory System Agent
ldapsearch -x -s base -b "" +

● Subschema
ldapsearch -x -s base -b "cn=subschema" objectclass

Page 15:

rootDSE

ldapsearch -x -s base -b "" +

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=my-domain,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
...
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
...
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Page 17:

Server Configuration files

● /etc/openldap/slapd.d directory:
– cn=config.ldif
– cn=config/
  ● cn=schema.ldif
  ● olcDatabase={0}config.ldif
  ● olcDatabase={-1}frontend.ldif
  ● olcDatabase={1}monitor.ldif
  ● olcDatabase={2}bdb.ldif
  ● cn=schema/

Page 18:

Server Configuration

● olcDatabase={2}bdb.ldif
– olcRootDN: cn=Manager,dc=ops535,dc=com
– olcSuffix: dc=ops535,dc=com
– olcRootPW: {SSHA}3NVLOWwqIMka30yIYLyGrrkirD0pU0Qx
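As an added example (not from the original slides): generating and verifying an {SSHA} value of the form shown for olcRootPW above, which is the format slappasswd produces, plus a check that lists the password scheme used by every olcRootPW in a config fragment. The fragment is constructed; its first database uses the slide's values and the second is made up to show a cleartext value.

```python
import base64
import hashlib
import hmac
import os
import re

def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value (what `slappasswd -h {SSHA}` prints):
    "{SSHA}" + base64( SHA-1(password || salt) || salt ), with a 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value. The salt is whatever follows
    the 20-byte SHA-1 digest in the decoded blob; compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Constructed olcDatabase fragments: {2}bdb carries the slide's values, the {SSHA}
# string included; {3}bdb is made up to show what a cleartext olcRootPW looks like.
SAMPLE_CONFIG = """\
dn: olcDatabase={2}bdb
olcSuffix: dc=ops535,dc=com
olcRootDN: cn=Manager,dc=ops535,dc=com
olcRootPW: {SSHA}3NVLOWwqIMka30yIYLyGrrkirD0pU0Qx

dn: olcDatabase={3}bdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: secret
"""

def audit_rootpw(config_text):
    """Return [(database dn, scheme)] for every olcRootPW in the text, where scheme
    is the {SCHEME} prefix or 'cleartext' when there is none (slapd accepts both)."""
    findings, current_dn = [], None
    for line in config_text.splitlines():
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current_dn = value
        elif name == "olcrootpw":
            m = re.match(r"\{[A-Za-z0-9-]+\}", value)
            findings.append((current_dn, m.group(0) if m else "cleartext"))
    return findings
```

{SSHA} is a single SHA-1 pass over password and salt, so the salt only prevents precomputed tables; the check above is what to run over slapd.d to confirm no database keeps its rootpw unhashed.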

Page 19:

LDAP client configuration files

● /etc/openldap/ldap.conf
● /etc/ldap.conf

Many options – the most important two are:
● host – IP address of the LDAP server
● base – the naming context

Page 20:

Sample LDIF file

# root dn entry
dn: dc=my-domain,dc=com
dc: my-domain
description: Root LDAP entry
ou: rootobject
objectclass: dcObject
objectclass: organizationalUnit

dn: ou=People,dc=my-domain,dc=com
ou: People
description: People information
objectclass: organizationalUnit
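A worked example, added here and not part of the original slides: a small LDIF parser that loads entries like the sample above and applies the DIT rules from the earlier slide (every entry needs an objectClass, its RDN value must appear among its attributes, and its parent must already exist below the suffix). The sample is constructed; its third entry is not on the slide and is there so the check has something to report.

```python
from collections import defaultdict
# Constructed sample: the two entries from the slide plus a third entry (not on
# the slide) whose parent ou=Staff is missing, so the check has something to catch.
SAMPLE_LDIF = """\
# root dn entry
dn: dc=my-domain,dc=com
dc: my-domain
objectclass: dcObject
objectclass: organizationalUnit

dn: ou=People,dc=my-domain,dc=com
ou: People
objectclass: organizationalUnit

dn: uid=alice,ou=Staff,dc=my-domain,dc=com
uid: alice
objectclass: account
"""
def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]; names lowercased, '#' lines skipped."""
    entries, dn, attrs = [], None, defaultdict(list)
    for raw in text.splitlines() + [""]:
        if raw == "":                       # blank line terminates an entry
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif not raw.startswith("#"):
            name, _, value = raw.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
    return entries
def check_dit(entries):
    """Problems slapadd/ldapadd would reject: no objectClass, RDN value absent, parent missing."""
    known = {dn.lower() for dn, _ in entries}
    suffix = entries[0][0].lower() if entries else ""   # first entry is the suffix
    problems = []
    for dn, attrs in entries:
        rdn, _, parent = dn.partition(",")      # 'ou=People' , 'dc=my-domain,dc=com'
        rdn_attr, _, rdn_val = rdn.partition("=")
        if "objectclass" not in attrs:
            problems.append(f"{dn}: no objectClass")
        if rdn_val not in attrs.get(rdn_attr.lower(), []):
            problems.append(f"{dn}: RDN value not among entry attributes")
        if dn.lower() != suffix and parent.lower() not in known:
            problems.append(f"{dn}: parent {parent} does not exist")
    return problems
```

Running check_dit(parse_ldif(SAMPLE_LDIF)) reports only the constructed uid=alice entry, whose parent ou=Staff is absent; the two slide entries pass.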

Page 21:

Useful commands

● ldapsearch
● ldapadd
● ldapmodify

Off-line commands
● slapcat
● slapadd