Ldapsession 1217528612650451-9


Ldap description

  1. Systems Integration with Free Software - openldap - Xavier Castaño García
  2. This session
     • We are going to talk about:
       • Introduction to LDAP
       • Installing and configuring LDAP
       • LDAP utilities
       • LDAP schemas
       • Working with LDAP
  3. Introduction to LDAP (I)
     • Lightweight Directory Access Protocol (LDAP).
     • Internet protocol for accessing X.500 directory services.
     • LDAP is a lightweight alternative to the X.500 Directory Access Protocol (DAP) for use on the Internet.
     • References:
  4. Introduction to LDAP (II)
     • LDAP maintains and offers information about objects. Objects are identifiable, that is, objects have a name.
     • Every object belongs to at least one object class.
     • An object class is a family of similar objects that share similar characteristics. An object class can be a subclass of another.
     • A directory entry is the basic unit of information in the directory.
  5. Introduction to LDAP (III)
     • Stored information is known as the DIB (Directory Information Base).
     • Entries are stored in the DIB using a tree structure (Directory Information Tree, DIT).
  6. Introduction to LDAP (IV)
     • An entry is a set of attributes which maintain information about the object it represents:
           objectClass: top
           objectClass: person
           objectClass: posixAccount
           description: Testing LDAP
           userPassword:: e1NIQX1VK3FvWjUzdDBPaTdVcTNFMjlyY013VUphM2M9
           sn: Surname
           cn: Name
     • Each attribute is defined by a description and a value or list of values.
     • Attributes are defined by types, which define whether the attribute can have one or more values and which define its syntax.
  7. Introduction to LDAP (V)
     • Each entry is relative to the one immediately above it.
       • For example, the previous image shows that "B" will have in its name a reference to "A".
     • Entry names can be:
       • RDN: Relative distinguished name. Identifies the entry inside its branch.
       • DN: Distinguished name. Identifies the entry in the whole LDAP directory.
  8. Introduction to LDAP (VI)
     • RDNs are composed of an attribute name and the attribute value used as RDN.
     • The RDN is defined by the main classes used to define the entry, for example:
       • UID=userid (user)
       • O=organizationname (organization)
       • CN=systemgroup (groupOfNames)
     • The DN is composed of RDN + "DN of the upper entry".
  9. Introduction to LDAP (VII)
     • An LDAP directory can have a "base" as the top of the tree. The rest of the LDAP names are relative to the base.
     • For example:
       • LDAP base (baseDN): dc=project,dc=organizationname,dc=org
       • RDNs:
         • Organization: o=organizationname
         • Organizational units: ou=groupname
         • Groups or roles: cn=rolename
         • Users: uid=userid
  10. Introduction to LDAP (VIII)
     • Object classes are used to categorize entries, control operations, regulate positions in the DIT, and regulate which attributes an entry subject to some kind of policy should have.
       • An object class is composed of a set of attributes that objects can or must satisfy.
       • Object classes can be abstract, structural or auxiliary.
       • An object class inherits from another class.
         • All structural classes inherit from the "top" class.
  11. Introduction to LDAP (IX)
     • Abstract classes define features that other classes should satisfy.
     • Structural classes define the conformation of the entry. DIT rules only refer to structural classes.
     • Auxiliary classes serve to determine non-basic features.
  12. LDAP schemas (I)
     • Class definitions and type definitions determine the LDAP schema.
     • When elements are defined, the LDAP schema uses unique identifiers (OIDs, assigned by IANA):
     • (OpenLDAP OID)
     • OpenLDAP defines a tree for defining object and attribute syntax:
       • .1 (published)
         • .3 (attribute)
         • .4 (object)
  13. LDAP schemas (II)
     • You have to ask for an identifier if you want to define a custom syntax. When you receive the OID, you'll be able to use it as a prefix.
     • For example, you can use this identifier for new attributes and classes, setting your own rules:
       • .0 for experimental attributes.
       • .1 for confirmed attributes.
  14. LDAP schemas (III)
     • .1 for confirmed attributes (cont.)
       • .3 for types.
         • .1, .2, ... .N for each type.
       • .4 for object classes.
         • .1, .2, ... .N for each class.
     • OpenLDAP registry:
     • Example:
       • Class: objectclass ( NAME 'location'
       • Attribute: attributetype ( NAME 'VATNumber' ...
  15. Working with LDAP (I)
     • Example for users:
           dn: uid=xavi,ou=People,dc=mswl,dc=org
           uid: xavi
           cn: Xavier
           objectClass: account
           objectClass: posixAccount
           objectClass: top
           objectClass: shadowAccount
           shadowLastChange: 11296
           shadowMax: 99999
           shadowWarning: 7
           loginShell: /bin/bash
           uidNumber: 500
           gidNumber: 500
           homeDirectory: /home/xavi
           gecos: Xavier
           userPassword:: ...
  16. Working with LDAP (II)
     • Example for groups:
           dn: cn=ldapgroup,ou=Group,dc=example,dc=org
           objectClass: posixGroup
           objectClass: top
           cn: ldapgroup
           userPassword: {crypt}x
           gidNumber: 389
           memberUid: xavi
  17. Installing and configuring LDAP (I)
     • Exercise: install OpenLDAP on your computer; choose the base DN and a user and password with all privileges. Steps:
       • apt-get install slapd ldap-utils
         • Dependencies: libiodbc2, libldap-2.3.0
       • Admin password and confirmation.
         • For example: 1dM1M9W
       • Go to /etc/ldap:
         • The main configuration file is slapd.conf.
         • By default it stores the database in /var/lib/ldap.
       • There is a template for slapd.conf in /usr/share/slapd/slapd.conf. This exercise will work with the template.
  18. Installing and configuring LDAP (II)
     • Steps:
       • The configuration file template has the following placeholders that you should replace:
         • @BACKEND@ with bdb (the Berkeley DB transactional backend is the type of database used; this is the recommended one for normal usage). There are other possibilities: hdb (hierarchical variant of the bdb backend), perl (Perl-programmable backend), ldif (uses LDIF files to store information, only for very small systems), etc.
         • @CHECKPOINT@ with checkpoint 512 30: how often to checkpoint the DB transaction log. These are the default values, where 512 is kilobytes and 30 is seconds.
         • @SUFFIX@ with the suffix of your database (for example dc=mswl,dc=com or something like that).
         • @ADMIN@ with the admin DN (typically cn=admin,dc=mswl,dc=com).
         • @BACKENDOPTIONS@ (only some versions of Debian) with this:
               dbconfig set_cachesize 0 2097152 0   # Cache size 2 MB
               dbconfig set_lk_max_objects 1500     # Number of objects that can be locked at the same time
               dbconfig set_lk_max_locks 1500       # Number of locks
               dbconfig set_lk_max_lockers 1500     # Number of lockers
       • References:
  19. Installing and configuring LDAP (III)
     • Steps:
       • Other general configuration parameters:
         • loglevel: 0, 1, 2, 4, 8 ... the higher the level, the more information is logged.
           • See the previous reference or "man 5 slapd.conf".
         • sizelimit: 500. The maximum number of entries returned for a search operation.
       • You need to configure the options for your database; each database needs all of the configuration parameters below. For example, configuring one example database:
         • database bdb
         • suffix "dc=mswl,dc=com"
         • rootdn "cn=admin,dc=mswl,dc=com"   # If you want to grant root privileges...
         • directory /var/lib/ldap. Is that OK for you?
           • If you want several trees you'll have to create a new directory for each one.
         • lastmod on: activates the lastmod overlay.
         • index objectClass eq. Index options for the first database. You'll need to think about this when you set up real-life systems, because you may need more indexes. "eq" is the mode in which OpenLDAP creates the index; other options are: pres (present), sub (substring), approx (approximation).
  20. Installing and configuring LDAP (IV)
     • Steps:
       • Continuing with configuration parameters...
         • Access control:
               access to attrs=userPassword,shadowLastChange
                   by dn="cn=admin,dc=mswl,dc=com" write
                   by anonymous auth
                   by self write
                   by * none
               access to dn.base="" by * read
               access to *
                   by dn="cn=admin,dc=mswl,dc=com" write
                   by * read
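Added example (Python, written for this page; it is not part of the slides or of OpenLDAP): a simplified model of how slapd evaluates the ACL above, so you can check who ends up able to read or change userPassword before deploying it. It assumes the first matching "access to" clause wins, the first matching "by" clause inside it decides, and dn="..." is an exact match; regex styles and break/continue controls are left out.

```python
# Simplified slapd ACL evaluation (added example, not OpenLDAP code): the first
# "access to" clause whose target matches the request is used, and within it the
# first "by" clause whose subject matches decides the privilege granted.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd privilege order

# The three clauses from the slide, as (target, [(who, level), ...]).
ACL = [
    ({"attrs": {"userPassword", "shadowLastChange"}},
     [("dn:cn=admin,dc=mswl,dc=com", "write"), ("anonymous", "auth"),
      ("self", "write"), ("*", "none")]),
    ({"dn.base": ""}, [("*", "read")]),            # root DSE readable by everyone
    ({}, [("dn:cn=admin,dc=mswl,dc=com", "write"), ("*", "read")]),   # access to *
]

def target_matches(target, entry_dn, attr):
    """Does this 'access to' target cover attribute attr of entry entry_dn?"""
    if "attrs" in target:
        return attr in target["attrs"]
    if "dn.base" in target:
        return entry_dn == target["dn.base"]
    return True  # "access to *"

def who_matches(who, bind_dn, entry_dn):
    """Does a 'by' subject match the bound identity? Empty bind_dn means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn == entry_dn
    return who.startswith("dn:") and bind_dn == who[3:]  # dn="..." treated as exact

def granted(bind_dn, entry_dn, attr):
    """Privilege the ACL grants bind_dn on attr of entry_dn; 'none' if nothing matches."""
    for target, clauses in ACL:
        if target_matches(target, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"  # a matching clause with no matching 'by' denies
    return "none"

def allowed(bind_dn, entry_dn, attr, wanted):
    """True if the granted privilege is at least the one requested."""
    return LEVELS.index(granted(bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)

if __name__ == "__main__":
    xavi = "uid=xavi,ou=People,dc=mswl,dc=com"
    print(granted("", xavi, "userPassword"))    # anonymous: auth (bind only, no read)
    print(granted(xavi, xavi, "userPassword"))  # self: write
```

The point to check is the first clause: anonymous clients may bind against userPassword but cannot read the hashes, and any other authenticated user falls through to "by * none".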
  21. Installing and configuring LDAP (V)
     • Steps:
       • Before starting, we need to add some data by creating a file with these lines:
               # Each dn is a different object. First object
               dn: dc=mswl,dc=com
               dc: mswl
               objectClass: domain

               # Each dn is a different object. Second object
               dn: cn=admin,dc=mswl,dc=com
               objectClass: organizationalRole
               objectClass: simpleSecurityObject
               cn: admin
               description: LDAP administrator
               userPassword: 1dM1M9W
       • Then, you should call:
         • slapadd -b dc=mswl,dc=com -l file.txt
       • Now we can restart LDAP:
         • /etc/init.d/slapd restart
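Added example (Python, written for this page rather than taken from the slides or OpenLDAP): a small LDIF reader for entries like those on slides 6, 15, 16 and 21 that decodes "::" base64 values and reports which password scheme each userPassword uses, plus {SSHA} generation and verification so the cleartext admin password in the file above can be replaced with a salted hash before running slapadd. The sample LDIF is constructed; only the {SHA} value from slide 6 is taken from the page.

```python
import base64, hashlib, os, re

# Constructed sample LDIF (not from a real directory): the slide-6 entry, whose userPassword
# is base64-wrapped with "::", and the slide-21 admin entry with a cleartext userPassword.
SAMPLE_LDIF = """dn: cn=Name,dc=mswl,dc=com
objectClass: person
cn: Name
userPassword:: e1NIQX1VK3FvWjUzdDBPaTdVcTNFMjlyY013VUphM2M9

dn: cn=admin,dc=mswl,dc=com
objectClass: simpleSecurityObject
cn: admin
userPassword: 1dM1M9W
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; '::' marks base64, blank lines separate entries."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):  # '#' lines are LDIF comments; no line folding handled
            attr, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
            if sep == "::":
                value = base64.b64decode(value).decode()
            current.setdefault(attr, []).append(value)
    return [(e["dn"][0], e) for e in entries]

def password_scheme(value):
    """Scheme prefix such as 'SHA' or 'SSHA'; 'CLEARTEXT' if slapd would store it as-is."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else "CLEARTEXT"

def ssha(password, salt=None):
    """Build an {SSHA} value (SHA-1 over password+salt, salt appended) for userPassword."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored, password):
    """Verify a candidate password against an {SSHA} value (20-byte digest, then salt)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def audit(text):
    """Map each DN with a userPassword to its storage scheme so cleartext stands out."""
    return {dn: password_scheme(e["userPassword"][0]) for dn, e in parse_ldif(text) if "userPassword" in e}
```

Running audit() over the file you feed to slapadd flags entries whose password would be stored as typed; slappasswd from ldap-utils produces the same {SSHA} format as ssha() here.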
  22. Installing and configuring LDAP (VI)
     • Comments:
       • Overlays: there are some wrappers over OpenLDAP that can add and control information about the directory. For example:
         • accesslog: can record accesses to a given backend database.
         • lastmod: maintains a service entry with the type, modifiersName and modifyTimestamp of the last write operation performed on a given database.
         • pcache: allows caching of LDAP search requests in a local database.
         • ppolicy: provides a variety of password control mechanisms: password aging, password reuse and duplication control, ...
         • unique: enforces the uniqueness of some or all attributes within a subtree.
  23. LDAP utilities (I)
     • There are several commands:
       • ldapsearch
         • ldapsearch -x -D "cn=admin,dc=mswl,dc=org" -W -b "dc=mswl,dc=org" -h localhost
       • ldapadd
         • ldapadd -x -D "cn=admin,dc=mswl,dc=org" -W -h localhost -f file.txt
       • ldapmodify
         • ldapmodify -x -D "cn=admin,dc=mswl,dc=org" -W -h localhost -f file.txt
       • ldapdelete
         • ldapdelete -x -D "cn=admin,dc=mswl,dc=org" -W -h localhost "dn"
  24. LDAP utilities (II)
     • Exercise:
       • Add organizationalUnits: People and Group.
       • Add a group with objectClass posixGroup.
       • Search for the posixGroups that belong to a specific organizationalUnit.
       • Add a user with objectClass: top, person, shadowAccount, posixAccount.