LDAPLightweight Directory Access

Protocol

Morteza Ansari

Naming and Di rec tor ies Group

Overview

• LDAP?

• LDAP in Solar is

• Q &A

What Is LDAP?

• LDAP– History– X.500 vs . LDAP– Data model– Advantages /d isadvantages

• Lates t from IETF

• Issues

LDAP

Provides a lightweight indust ry standard protocol to retrieve and manage informat ion s tored in a directory

Client

LDAP DirectoryServer

LDAP

• Access Protocol

• Extensible Add, Dele te, Modify, and Search operat ions

• Key features :– Lightweight– Open s tandard– Runs over TCP/IP– Hierarchical d i rec tory s tructure

LDAP History

• Universi ty of Michigan

• X.500 roots

• LDAPv1

• LDAPv2

• LDAPv3

Physical

Datal ink

Network

Transpor t

Session

Presenta tion

Appl ica tion

X.500 vs . LDAP

DynamicFixedFixedFixedSchema

Referra lsDumb refer rals

Servers chain

reques ts

Servers chain

reques ts

Not found act ion

Password

Strong*PasswordPasswordPassword

StrongSecur ity

TCP/IP (repl ica tion

only)*NoneX.500 OSIOSI

Server to Server

TCP/IPTCP/IPTCP/IPOSIClient to Server

LDAPv3LDAPv2LDAPv1X.500

Hierarchical Directory Structure

• Similar di rec tory informat ion structure as X.500

• Entr ies are dis tinguished by an unique name (DN), that ident i fies the entry wi thin DIT

cn=Morteza Ansar i, ou=people ,o=Sun Microsystems Inc,st=CA, c=US

uid=mortezauidNumber=84760loginShel l=/bin/kshemail=morteza@eng.sun.com…

country

state state

org org org

Hierarchical Directory Structure

• Similar di rec tory informat ion structure as X.500

• Entr ies are dis tinguished by an unique name (DN), that ident i fies the entry wi thin DIT

cn=Morteza Ansar i, ou=people ,dc=eng,dc=sun,dc=com

uid=mortezauidNumber=84760loginShel l=/bin/kshemail=morteza@eng.sun.com…

domain

Sub-domain Sub-domain

Category Category Category

Advantages of LDAP

• Open s tandard

• Avai lable on vi rtua l ly al l opera ting systems

• Database and vendor independent

• Relat ively s imple to LDAP-enable appl ica tions

Disadvantages of LDAP

• Slowly becoming a “Heavyweight” protocol!

• No off icia l ent ity for regis ter ing Schemas

• Access control & repl icat ion is vendor speci fic

• Clients tend to get more and more complex

Lates t from IETF

• LDAP Authentica tion is approveddraf t-ie tf-ldapext-authmeth-04. tx tdraf t-ie tf-ldapext- ldapv3- tl s-06. tx tdraf t-leach-diges t-sas l -05. tx t

• C-API is c lose to RFC sta tus• Access control is expected to reach

RFC status la ter this year• Repl ica tion work is coming along,

but i s still long ways off

Other Indus try Ef for ts

• Directory Interoperabi lity Forum– Sun/AOL al l iance , IB M, ISOCOR, Lotus,

Novel l, and Oracle– Promote a common set of APIs and SDKs– Accelera te acceptance of s tandards– Provide inte roperabi l ity , conformance, and

cer ti fica tion of d i rec tories (through Open Group)

– Sti ll miss ing Microsof t

Other Indus try Ef for ts

• Directory Services Markup Language (DSM L) Al l iance

– Bowstreet , IBM, Lotus , Microsof t, Novel l , Oracle , and Sun/Netscape

– Use XML to descr ibe d i rec tory content and structure

Overview

• What is LDAP

• LDAP in Solar is

• Q &A

LDAP in Solar is

• LDAP library (C-API)

• LDAP Naming Service

• PA M LDAP module

• Others

LDAP C-API

• Based on Univers ity of Michigan source

• draf t-ie tf-ldapext -ldap-c-api -04.tx t

• Minimal secur ity– SIMPLE– CRA M-MD5

LDAP Naming Service

• Use LDAP as the di rect ory for stor ing Network Information Services

• Reduce redundant data

• Simpl i fy admini stration

• Data shar ing among apps & OS’s

• Common authent ica tion

LDAP Naming Service

NSSbackends

Applications using getXbyY()

Name Service Switch

frontend getXbyY()

Files NIS NIS+ DNS

Unchanged components

New/modified components

LDAP

ApplicationsUsing

NamingSpecificAPI’s

login/passwd

Simplified LDAP APIs

LDAP C-APIs

PAM

pam_ldap

pam_unix

ldap_cachemgrdaemon

ldap configfiles

LDAP Naming Service

Applications using getXbyY()

Name Service Switch

frontend getXbyY()

Files NIS NIS+ DNS LDAP

ApplicationsUsing

NamingSpecificAPI’s

login/passwd

Simplified LDAP APIs

LDAP C-APIs

PAM

pam_ldap

pam_unix

ldap_cachemgrdaemon

nsswitch.conf

ldap configfiles

PA M LDAP

Applications using getXbyY()

Name Service Switch

frontend getXbyY()

Files NIS NIS+ DNS LDAP

ApplicationsUsing

NamingSpecificAPI’s

login/passwd

Simplified LDAP APIs

LDAP C-APIs

PAM

pam_ldap

pam_unix

ldap_cachemgrdaemon

nsswitch.conf

ldap configfiles

PA M LDAP

• Schema– rfc2307 ( rfc 2307bis draf t)– Automount tables in nisMap/nisObject OC– Solar isNamingProf i le

• Client conf igurat ions (prof i les) are stored in LDAP and are cached local ly

DIT Layout

nisMapName=*,…nisObjectgener ic

gete tgr*()ou=netgroup,…nisNetworknetgroup

gete tgr*()ou=networks ,…ipNetworknetworks

netmasks

ou=ethers ,…bootableDevicebootparams

ether_*()ou=ethers ,…ieee802Deviceethers

gethost*()

get ipnode*()ou=hosts ,…ipHost

hosts

ipnodes

getrpc*()ou=rpc,…oncRpcrpc

getproto*()ou=protocols ,…ipProtocolprotocols

getserv*()ou=services ,…ipServiceservices

getgr*()ou=group,…posixGroupgroup

getpw*()

getsp*()ou=people ,…

posixAccount

shadowAccountpasswd

getXbyY()naming contextobject c lassNIS map

New Commands

• ldap_gen_prof i le

• ldapcl ient

• ldapl is t

• ldap_cachemgr

References

• ht tp ://www.directoryforum.org

• ht tp ://www.dsml .org

• ht tp ://www.umich.edu/~dirsvcs/ ldap

• IETF:– LDAP Extension working group

http ://www.ie tf.org /html .char ters /ldapext-char ter .html

– LDAP Duplica tion/Replica tion/Update WGhttp ://www.ie tf.org /html .char ters /ldup-char ter .html

References

• Program ming Directory-Enabled Appl icat ions with LDAP

By: Tim Howes, Mark Smith

• Unders tanding and Deploying LDAP Directory Services

By: Time Howes, Mark Smith , & Gordon Good