Systems Integration with Free Software - openldap -
Xavier Castaño García
This session
We are going to talk about:
Introduction to LDAP
Installing and configuring LDAP
LDAP utilities
LDAP schemas
Working with LDAP
Introduction to LDAP (I)
Lightweight Directory Access Protocol (LDAP).
Internet protocol for accessing X.500 directory services.
LDAP is a lightweight alternative to the X.500 Directory Access Protocol (DAP) for use on the Internet.
References:
http://www.openldap.org/faq/data/cache/29.html
http://www.itu.int/
Introduction to LDAP (II)
LDAP maintains and offers information about objects. Objects are identifiable, that is, every object has a name.
Every object belongs to at least one object class.
An object class is a family of similar objects that share the same properties. An object class can be a subclass of another.
A directory entry is the basic unit of information in the directory.
Introduction to LDAP (III)
Stored information is known as DIB (Directory Information Base).
Entries are stored in the DIB using a tree structure (Directory Information Tree).
Introduction to LDAP (IV)
An entry is a set of attributes which maintain information about the object it represents.
objectClass: top
objectClass: person
objectClass: posixAccount
description: Testing LDAP
userPassword:: e1NIQX1VK3FvWjUzdDBPaTdVcTNFMjlyY013VUphM2M9
sn: Surname
cn: Name
Each attribute is defined by a description and a value or list of values.
Attributes are defined by types, which determine whether an attribute can have one or more values and which syntax the values follow.
Introduction to LDAP (V)
Each entry is named relative to the entry immediately above it.
For example, the previous image shows that B will have in its name a reference to A.
Entry names can be:
RDN: Relative distinguished name. Identifies the entry within its branch.
DN: Distinguished name. Identifies the entry within the whole LDAP directory.
Introduction to LDAP (VI)
RDNs are composed of an attribute name and the attribute value used as RDN.
The RDN is defined by the main class used to define the entry, for example:
UID=userid (user)
O=organizationname (organization)
CN=systemgroup (groupOfNames)
DN is composed of the RDN + the DN of the parent entry.
Introduction to LDAP (VII)
An LDAP directory can have a base at its top. The rest of the names in the directory are relative to that base.
For example:
LDAP base (baseDN): dc=project,dc=organizationname,dc=org
RDNs:
Organization: o=organizationname
Organizational units: ou=groupname
Groups or roles: cn=rolname
Users: uid=userid
Introduction to LDAP (VIII)
Object classes are used to categorize entries, control operations, regulate positions in the DIT, and regulate which attributes an entry must or may have, possibly subject to some policy.
An object class is composed of a set of attributes that objects may or must satisfy.
Object classes can be abstract, structural or auxiliary.
An object class inherits from another class.
All structural classes inherit from the top class.
Introduction to LDAP (IX)
Abstract classes define features that other classes should satisfy.
Structural classes define the form of the entry. DIT structure rules refer only to structural classes.
Auxiliary classes add non-basic (optional) features to an entry.
LDAP schemas (I)
Class definitions and type definitions make up the LDAP schema.
When schema elements are defined, they use unique identifiers (OIDs, assigned by IANA):
1.3.6.1.4.1.4203 (OpenLDAP OID)
OpenLDAP defines a tree for defining object and attributes syntax:
.1 (published)
.3 (attribute)
.4 (object)
LDAP schemas (II)
You have to ask for an identifier if you want to define a custom schema. When you receive the OID, you'll be able to use this prefix:
1.3.6.1.4.1.OID
For example, you can use this identifier for new attributes and classes, setting your own rules:
.0 for experimental attributes.
.1 for confirmed attributes.
LDAP schemas (III)
.1 for confirmed attributes (cont.)
.3 for types.
.1,.2,.N each type.
.4 for object classes
.1,.2,.N each class.
OpenLDAP registry: http://www.openldap.org/faq/data/cache/200.html
Example:
Class: objectclass ( 1.3.6.1.4.1.OID.1.4.1 NAME 'location'
Attribute: attributetype ( 1.3.6.1.4.1.OID.1.3.2 NAME 'VATNumber' ...
Working with LDAP (I)
Example for users:
dn: uid=xavi,ou=People,dc=mswl,dc=org
uid: xavi
cn: Xavier
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 11296
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/xavi
gecos: Xavier
userPassword:: ...
Working with LDAP (II)
Example for groups:
dn: cn=ldapgroup,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: top
cn: ldapgroup
userPassword: {crypt}x
gidNumber: 389
memberUid: xavi
Installing and configuring LDAP (I)
Exercise: Install OpenLDAP on your computer and choose the base DN and a user and password with full privileges. Steps:
apt-get install slapd ldap-utils
Dependencies: libiodbc2, libldap-2.3.0
Admin password and confirmation.
For example: 1dM1M9W
Go to /etc/ldap:
The main configuration file is: slapd.conf
By default it stores database in /var/lib/ldap
There is a template for slapd.conf in /usr/share/slapd/slapd.conf. This exercise works from that template.
Installing and configuring LDAP (II)
Steps:
The configuration file template has the following placeholders that you should replace:
@BACKEND@ with bdb (the Berkeley DB transactional backend is the type of database used; it is the recommended one for normal usage). There are other possibilities: hdb (hierarchical variant of the bdb backend), perl (Perl programmable backend), ldif (uses LDIF files to store the information, only for very small systems), etc.
@CHECKPOINT@ with checkpoint 512 30: how often to checkpoint the DB transaction log. These are the default values, where 512 is kilobytes and 30 is seconds.
@SUFFIX@ with the suffix of your database (for example dc=mswl,dc=com or something like that).
@ADMIN@ with the admin DN (typically cn=admin,dc=mswl,dc=com).
@BACKENDOPTIONS@ (only some versions of Debian) with this:
dbconfig set_cachesize 0 2097152 0 # Cache size 2 MB
dbconfig set_lk_max_objects 1500 # Number of objects that can be locked at the same time
dbconfig set_lk_max_locks 1500 # Number of locks
dbconfig set_lk_max_lockers 1500 # Number of lockers
References:
http://www.openldap.org/doc/admin24/slapdconfig.html#Configuration%20File%20Directives
Installing and configuring LDAP (III)
Steps:
Other general configuration parameters:
loglevel: 0, 1, 2, 4, 8 ... the more levels you enable, the more information is logged.
See the previous reference or man 5 slapd.conf.
sizelimit: 500. The maximum number of entries returned for a search operation.
You need to configure the options for your database; each database needs all the configuration parameters below. For example, configuring one example database:
database bdb
suffix dc=mswl,dc=com
rootdn cn=admin,dc=mswl,dc=com # If you want to grant root privileges...
directory /var/lib/ldap # The directory where the database files are stored. Is that OK for you?
If you want several trees you'll have to create a new directory for each one.
lastmod on: Activate the lastmod overlay.
index objectClass eq: Index options for the first database. You'll need to think about it when you set up real-life systems, because you could need more indexes. eq is the index type that OpenLDAP creates (equality); the other options are pres (presence), sub (substring) and approx (approximate match).
Installing and configuring LDAP (IV)
Steps:
Continuing with configuration parameters...
Access control:
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=mswl,dc=com" write
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to *
    by dn="cn=admin,dc=mswl,dc=com" write
    by * read
Installing and configuring LDAP (V)
Steps:
Before starting, we need to add some data by creating a file with these lines:
# Each dn is a different object. First object
dn: dc=mswl,dc=com
dc: mswl
objectClass: domain
# Each dn is a different object. Second object
dn: cn=admin,dc=mswl,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator
userPassword: 1dM1M9W
Then, you should call:
slapadd -b dc=mswl,dc=com -l file.txt
Now, we can restart ldap:
/etc/init.d/slapd restart
Installing and configuring LDAP (VI)
Comments:
Overlays: There are some wrappers over OpenLDAP that can add and control information about the directory. For example:
accesslog: Can record accesses to a given backend database.
lastmod: Maintains a service entry with type, modifiersName and modifyTimestamp of the last write operation performed on a given database.
pcache: Allows caching of LDAP search requests in a local database.
ppolicy: Provides a variety of password control mechanisms: password aging, password reuse and duplication control, ...
unique: Enforces the uniqueness of some or all attributes within a subtree.
LDAP utilities (I)
There are several commands:
ldapsearch
ldapsearch -x -D "cn=admin,dc=mswl,dc=org" -W -b "dc=mswl,dc=org" -h localhost
ldapadd
ldapadd -x -D "cn=admin,dc=mswl,dc=org" -W -h localhost -f file.txt
ldapmodify
ldapmodify -x -D "cn=admin,dc=mswl,dc=org" -W -h localhost -f file.txt
ldapdelete
ldapdelete -x -D "cn=admin,dc=mswl,dc=org" -W -h localhost dn
LDAP utilities (II)
Exercise:
Add two organizationalUnits: People and Group.
Add a group with objectClass posixGroup.
Search for the posixGroups that belong to a specific organizationalUnit.
Add a user with objectClass: top, person, shadowAccount, posixAccount.
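The following script is an added example, not part of the original slides: it generates the LDIF for this exercise (the two organizationalUnits, a posixGroup and a user like the examples in "Working with LDAP"), applying the LDIF rule behind the userPassword:: lines seen earlier (values that are not safe as plain text are written base64-encoded after a double colon) and storing the user's password as an {SSHA} hash instead of clear text as in the bootstrap file above. The base DN, names and numbers are constructed sample values; feed the output to ldapadd -f.

```python
import base64
import hashlib
import hmac
import os

# RFC 2849: a value is written base64-encoded, after "::", when it starts
# with space, ':' or '<', or contains NUL, CR, LF or a non-ASCII byte.
def ldif_attr(name, value, force_b64=False):
    raw = value.encode("utf-8")
    unsafe = (raw[:1] in (b" ", b":", b"<") or any(b in raw for b in (0, 10, 13))
              or any(b > 127 for b in raw))
    if unsafe or force_b64:
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {value}"

def ssha(password, salt=None):
    """OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """Check a password against a stored {SSHA} value (what slapd does on bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[6:])
    expect = hashlib.sha1(password.encode("utf-8") + blob[20:]).digest()
    return hmac.compare_digest(expect, blob[:20])

def exercise_ldif(base, uid, cn, sn, uid_number, group, gid_number, password):
    """LDIF for the exercise: People/Group OUs, a posixGroup and an {SSHA}-hashed user."""
    entries = [
        [("dn", f"ou=People,{base}"), ("objectClass", "organizationalUnit"), ("ou", "People")],
        [("dn", f"ou=Group,{base}"), ("objectClass", "organizationalUnit"), ("ou", "Group")],
        [("dn", f"cn={group},ou=Group,{base}"), ("objectClass", "posixGroup"),
         ("objectClass", "top"), ("cn", group), ("gidNumber", str(gid_number)),
         ("memberUid", uid)],
        [("dn", f"uid={uid},ou=People,{base}"), ("objectClass", "top"),
         ("objectClass", "person"), ("objectClass", "shadowAccount"),
         ("objectClass", "posixAccount"), ("uid", uid), ("cn", cn), ("sn", sn),
         ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
         ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/bash"),
         ("userPassword", ssha(password))],
    ]
    return "\n\n".join("\n".join(ldif_attr(n, v) for n, v in e) for e in entries) + "\n"

if __name__ == "__main__":
    # Constructed sample values; pipe the output into ldapadd -x -D ... -W -f file.txt
    print(exercise_ldif("dc=mswl,dc=org", "xavi", "Xavier", "Surname", 500,
                        "ldapgroup", 500, "1dM1M9W"))
```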
Master on Free Software