Directory Server

Campus Booster ID: 351

www.supinfo.com

Copyright © SUPINFO. All rights reserved

OpenLDAP

Course objectives

By completing this course, you will:

Know what directory servers are.

Know what OpenLDAP is.

Know how to install and configure OpenLDAP.

Course topics

Course plan:

Directories: what they are for.

LDAP: theory and protocol.

OpenLDAP: practice.

Directories

From X.500 to nowadays

Preview

What is it?

What is it intended for?

Evolution.

The yellow pages

Mapping "name" to "telephone number"

Sorted by category

Sorted by city

Find the information as fast as possible

A database?

A database? Not exactly.

Tree structure, like a filesystem

No limit on attributes

No columns, no tables

Optimized for read and search operations

History

X.500

OSI Directory Access Protocol

Created by telecom operators, in 1988

Impossible to port to microcomputers

Not compatible with TCP/IP (built on the OSI stack)

Problems

Need for classified (categorized) data

Need for security

Need for speed

LDAP v3

Lightweight Directory Access Protocol

Preview

Advantages

Components

Models

LDAPv3 advantages

SASL authentication (single sign-on)

SSL/TLS encryption

Schema discovery

Data model

Defines the type of stored data

An entry is an LDAP object

It contains attributes

Each attribute has a data type

An attribute can have multiple values

Attributes

Two kinds of attributes:

User attributes

System attributes

Easy-to-remember names:

cn: Common Name

userPassword: Password

objectClass: Class of the object

Inheritance

Entries inherit from their parent

Naming convention

Directory Information Tree (DIT) creation

Organizes the entries

Defines inheritance

The DIT is important: it must reflect reality

DIT example (diagram)

Stop-and-think

Do we have to create the data model?

Is the DIT important?

OpenLDAP

A free implementation of the LDAP protocol

Preview

Installation

Configuration

First step inside the system

Let’s practice

Server side

The daemon is slapd (Standalone LDAP Daemon)

Replication daemon: slurpd (Standalone LDAP Update Replication Daemon)

The configuration file is slapd.conf, located in /etc/openldap

slapd.conf

Important statements:

include <file>: include a schema

database <type>: may be bdb, ldbm, ...

suffix <dn>: our tree suffix

rootdn <dn>: who is root?

rootpw <secret>: the root password!

pidfile <file>: file holding the server PID

argsfile <file>: file holding default server arguments

Example

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema

database bdb
suffix "c=FR, o=Labo-linux"
rootdn "cn=admin,c=FR,o=Labo-linux"
rootpw {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN
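The rootpw in the example is stored with the {SSHA} scheme that slappasswd produces, not in clear text. As an added example (not OpenLDAP's own code), here is how such a value is built and checked, plus a check over a slapd.conf fragment that rootpw carries a {SCHEME} prefix; the function names and the two config fragments are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import os

# {SSHA} = base64( SHA-1(password + salt) || salt ), the scheme used for the
# slide's rootpw. Added example, not OpenLDAP's own code.

def ssha_hash(password, salt=None):
    """Return an {SSHA} value for password (random 4-byte salt by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check password against a {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare

def rootpw_is_hashed(conf_text):
    """True if every rootpw line in a slapd.conf fragment carries a {SCHEME} prefix."""
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "rootpw" and not parts[1].startswith("{"):
            return False
    return True

# Constructed slapd.conf fragments: the slide's hashed rootpw vs a clear-text one.
GOOD_CONF = "database bdb\nrootpw {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN\n"
BAD_CONF = "database bdb\nrootpw secret\n"
```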

ACL

Restrict access to attributes

Syntax:

access to <what>
    by <who> <access type>

Example:

access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Admin,dc=example,dc=com" write
    by * none

ACL

<what>: object name; * means all objects.

<who>:

*                  Everybody
anonymous          Anonymous users
self               The user whose own entry holds the concerned attribute
dn.style=<regex>   User matching the regex

ACL

dn.style=<regex>, where style is:

base      Exact match
one       One child below the matching expression
subtree   Subtree beginning with the matching expression
children  Like subtree but excluding the matching head

ACL

Example:

0: o=suffix
1: cn=Manager,o=suffix
2: ou=people,o=suffix
3: uid=kdz,ou=people,o=suffix
4: cn=addresses,uid=kdz,ou=people,o=suffix
5: uid=hyc,ou=people,o=suffix

dn.base="ou=people,o=suffix"      matches 2
dn.one="ou=people,o=suffix"       matches 3, 5
dn.subtree="ou=people,o=suffix"   matches 2, 3, 4, 5
dn.children="ou=people,o=suffix"  matches 3, 4, 5
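As an added example (not OpenLDAP's own code), the following evaluates the dn.style scopes from the table above against the six numbered entries, and then applies the userPassword ACL from the earlier slide with slapd's rule that the first matching "by" clause decides. Regex styles are left out, DNs are normalised for case and whitespace only, and the entry list and function names are constructed for this illustration.

```python
# Added example, not OpenLDAP's own code: dn.<style> scope matching and
# first-match "by" clause evaluation, using the slide's entries and ACL.

def norm(dn):
    """Lower-case a DN and strip spaces around RDN separators."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parent(dn):
    return norm(dn).split(",", 1)[1] if "," in dn else None

def dn_matches(style, pattern, target):
    """Is target within pattern for dn.<style> (base, one, subtree, children)?"""
    pattern, target = norm(pattern), norm(target)
    return {"base": target == pattern,
            "one": parent(target) == pattern,
            "subtree": target == pattern or target.endswith("," + pattern),
            "children": target.endswith("," + pattern)}[style]

# Constructed from the slide's numbered example (list index = slide number).
ENTRIES = ["o=suffix", "cn=Manager,o=suffix", "ou=people,o=suffix",
           "uid=kdz,ou=people,o=suffix",
           "cn=addresses,uid=kdz,ou=people,o=suffix", "uid=hyc,ou=people,o=suffix"]
def matching_entries(style, pattern, entries=ENTRIES):
    return [i for i, e in enumerate(entries) if dn_matches(style, pattern, e)]

LEVELS = ["none", "auth", "search", "read", "write"]   # the slide's access types

def who_matches(who, requester, entry):
    """<who> as written in slapd.conf: '*', 'anonymous', 'self' or 'dn.<style>="<dn>"'."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:            # the remaining forms need a bound DN
        return False
    if who == "self":
        return norm(requester) == norm(entry)
    style, pattern = who[3:].split("=", 1)    # 'dn.base="cn=Admin,..."'
    return dn_matches(style, pattern.strip('"'), requester)

def access_granted(acl, requester, entry, needed):
    """acl = [(who, level), ...]; the first clause whose <who> matches decides."""
    for who, level in acl:
        if who_matches(who, requester, entry):
            return LEVELS.index(level) >= LEVELS.index(needed)
    return False                     # nothing matched: slapd denies by default

# The slide's ACL for attr=userPassword, as (who, level) pairs.
USERPASSWORD_ACL = [("self", "write"), ("anonymous", "auth"),
                    ('dn.base="cn=Admin,dc=example,dc=com"', "write"), ("*", "none")]
```

Note the order dependence: an anonymous bind gets "auth" on userPassword (enough to authenticate, not to read it), while any other bound user falls through to "by * none".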

ACL

Permissions, <access type>:

none    No rights at all
auth    Required to authenticate
search  Apply search filters
read    Reading data
write   Writing data

Data adding

LDIF files contain structured data

Added with the ldapadd command:

# ldapadd -D 'cn=Manager,o=Labo-linux' -W -f file.ldif

LDIF files

dn: o=Labo-linux
objectclass: organization
o: Labo-linux

dn: ou=Ressources, o=Labo-linux
objectclass: organizationalUnit
ou: Ressources
description: Ressources de l'organisation
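As an added example (not OpenLDAP's own code), here is a minimal reader for the LDIF above together with the ordering check that ldapadd runs into server-side: an entry's parent (here o=Labo-linux) must already exist, or come earlier in the file, before the child ou=Ressources can be added. The sample LDIF is copied from the slide; the function names are constructed for this illustration.

```python
# Added example, not OpenLDAP's own code: minimal LDIF reader for the slide's
# file (constructed below) plus the ordering check ldapadd hits server-side:
# a parent entry must exist, or come earlier in the file, before its child.
SAMPLE_LDIF = """\
dn: o=Labo-linux
objectclass: organization
o: Labo-linux

dn: ou=Ressources, o=Labo-linux
objectclass: organizationalUnit
ou: Ressources
description: Ressources de l'organisation
"""

def norm_dn(dn):
    """Lower-case and strip spaces around RDN separators ("ou=x, o=y" == "ou=x,o=y")."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order; joins folded lines, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # sentinel flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            key, _, value = line.partition(":")   # base64 ("::") values not handled
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                current = (value, {})
            elif current is not None:
                current[1].setdefault(key, []).append(value)
    return entries

def out_of_order(entries, suffix):
    """DNs that appear before their parent, assuming an empty database with this suffix."""
    seen, bad = set(), []
    for dn, _ in entries:
        n = norm_dn(dn)
        if n != norm_dn(suffix) and n.split(",", 1)[-1] not in seen:
            bad.append(dn)
        seen.add(n)
    return bad
```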

Starting server

Add a dedicated user for LDAP, for security purposes, and then look at the logs...

# slapd -u ldapuser -g ldapgroup \
> -h 'ldap://localhost/'

# tail /var/log/ldap/ldap.log

Stop-and-think

The only way to learn is to practice!

Course summary

What is a directory

LDAP

OpenLDAP

Administration

For more

Courses: Kerberos

Publications: http://www.oreilly.com/catalog/ldapsa/

Web sites: www.openldap.org, www.labo-linux.org

Conferences

Congratulations

You have successfully completed the SUPINFO course

OpenLDAP

The end