LDAP : Theory and OpenLDAP implementation

LDAP
Theory and OpenLDAP implementation

1
La 1ère école 100 % dédiée à l'open source
Open Source School est fondée à l'initiative de Smile, leader de
l'intégration et de l'infogérance open source, et de l'EPSI,établissement
privé pionnier de l’enseignement supérieur en informatique.
Dans le cadre du Programme d’Investissements d’Avenir (PIA), le
gouvernement français a décidé de soutenir la création de cette école en
lui attribuant une première aide de 1,4M€ et confirme sa volonté de
soutenir la filière du Logiciel Libre actuellement en plein développement.
Avec une croissance annuelle de plus de 10%, et 4 000
postes vacants chaque année dans le secteur du Logiciel
Libre, OSS entend répondre à la pénurie de compétences du
secteur en mobilisant l’ensemble de l’écosystème et en
proposant la plus vaste offre en matière de formation aux
technologies open source tant en formation initiale qu'en
formation continue.

2
Les formations du plein emploi !
 Formation Continue
Open Source School "Executive Education" est un organisme
de formation qui propose un catalogue de plus de 200
formations professionnelles et différents dispositifs de
reconversion permettant le retour à l’emploi (POE) ou une
meilleure employabilité pour de nombreux professionnels de
l’informatique.
 Pour vos demandes : formations@opensourceschool.fr
 Formation Initiale
100% logiciels libres et 100% alternance, le cursus Open
Source School s’appuie sur le référentiel des blocs de
compétences de l’EPSI.
Il est sanctionné par un titre de niveau I RNCP, Bac+5.
Le programme est proposé dans 6 campus à Bordeaux, Lille,
Lyon, Montpellier, Nantes, Paris.

Introduction Anatomy of a LDAP directory OpenLDAP: A LDAP implementation Lab : Install an OpenLDAP server Working wit
Plan
1 Introduction
2 Anatomy of a LDAP directory
3 OpenLDAP: A LDAP implementation
4 Lab : Install an OpenLDAP server
5 Working with LDAP servers
6 Extending LDAP
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/62

Introduction

Directories
Directories

Directories
What is a Directory ?
The simple answer
Large information base, mostly for read access

Directories
Directory Examples
A few examples
People: white pages
Organizations: yellow pages
Computers: DNS

Directories
A Directory: what for ?
Authentication and authorization on systems or applications
Group maintainance
Privileges maintainance
Address books
Organization chart
. . .

History of LDAP
History of LDAP

History of LDAP
History of LDAP: The Genesis
The X500 standards
Created in the 80s, based on 70 years of electronic directories
from telephone companies
X500 directories are supposed to be accessed utins the
Directory Access Protocol
Problem : DAP was based on the OSI stack, which never
really took oﬀ
Lightweight DAP (LDAP) was created to access directories over
the TCP/IP stack

History of LDAP
History of LDAP: Standardization
LDAP became an IETF (Internet Engineering Task Force)
standard in 1997
Now, most servers only do LDAP
OpenLDAP (the reference)
Netscape Directory Server (the dinosaur)
SunONE
389 Directory Server
Apache Directory Server , OpenDS (the youngsters)
Microsoft Active Directory (the ugly)
Current protocol version : LDAP v3
LDAP v2 deprecated since 2003

Anatomy of a LDAP directory

Directory Information Tree

LDAP = access protocol, but what do we access?
X500 standard: The Directory: Overview of concepts, models
and services
X500 is based around a single Directory Information Tree
Hierarchical structure
Has a root
Every entity can be a node or a leaf
Each entity has only one path

DIT Structure
In a branch, an entity is known by its
Relative Distinguished Name (RDN)
In the whole directory, its known by its
Distinguished Name (DN)
Simply a comma-separated list of the
RDNs of all nodes on its (unique) path

LDAP Entities
LDAP Entities

LDAP Entities
LDAP Entities: Commons properties
Object orientation (classes, attributes, objetcts, inheritance,
etc. . . )
Attributes are deﬁned by a schema
The schema itself is hierarchical through inheritance, but the
schema hierarchy has nothing to do with the object hierarchy
(DIT)
Values are strongly typed
Standard classes and attributes are directory-oriented

LDAP Entities
LDAP Entities: Classes
Simple inheritance
Class types
Abstract
Structural: deﬁnes the meaning of the object
Auxiliary: allows to add attributes to an object (composition)
Classes are lists of attributes
Mandatory attributes
Optional attributes

LDAP Entities
LDAP Entities: Attribute
Simple Inheritance
Example: surname attribute type inherits from name attribute
Defined outside the class
Can be used by different classes
May have multiple names
Usually a short and a long name
Example: commonName and cn
Can be multi-valued
Single valued: first name, UID
Multivalued: group membership, email aliases

LDAP Entities
LDAP Entities: Attribute syntax
Syntax: deﬁnes the attribute type
Integer
String (UTF-8 only)
Telephone Number
Date
Binary data
Standardized on a speciﬁc tree
Example OID (Object ID): 1.3.6.1.4.1.1466.115.121.1.15
http://www.rfc-editor.org/rfc/rfc2252.txt

LDAP Entities
LDAP Entities: Matching rule
Matching rule on attribute value
Deﬁnes how values are compared
For equality or substrings
Sorting
Examples :
caseExactMatch (toto == toto)
caseIgnoreMatch (toto == ToTO)
telephoneNumberMatch ( 04 99 77 20 19 = 04-99-77-20-19)

LDAP Entities
LDAP Entities: Object structure
Object
Instances of one or more classes (object composition)
Can only have one structural class
And as many auxiliary classes as wanted
Example: person, posixAccount, sambaAccount

LDAP Entities
LDAP Entities: Object definition
Object Definition
Have a special “objectClass” attribute
Defines which classes the object belongs to
All objects must have at least one objectClass
“objectClass” does not belong to any class
The RDN of the object is one of its attributes
Format: attr name=value
Examples
User :
uid=bejac
Computer :
hostname=myserver
Example DN
dn: uid=bejac,department=DT,locality=levallois,organization=smile

LDAP vs RDBMS
LDAP vs RDBMS

LDAP vs RDBMS
LDAP vs RDBMS
Why choose LDAP over a RDBMS
Standard protocol
All databases have different access protocols
SQL is NOT an access protocol
Many LDAP implementations
Very rich on data validation and structure
Native structure is close to most organization’s structure
Hierarchical
Very fast reads
Efficient lookup of different objects with common attributes
Usually does not require adaptation of the directory to an
application
Standard schemas and classes offer a wide range of common
use cases.

LDAP vs RDBMS
LDAP vs RDBMS
However, LDAP is not recommended if
Its only used for one application
Many relations between objects
Lots of edits/inserts/deletes

Standard object classes

Standard object classes: inetOrgPerson
inetOrgPerson : user accounts in a company

Standard object classes: groupOfNames
groupOfNames : groups

Standard object classes: organizationalUnit
organizationUnit : branches

OpenLDAP: A LDAP implemen

OpenLDAP
OpenLDAP is a software project that provides
A LDAP server : slapd
A LDAP client library : libldap
Command line LDAP tools : ldap-utils

Setting up slapd
Setting up slapd

Setting up slapd
Setting up slapd
On Debian
aptitude install slapd
/etc/init.d/slapd stop
rm -rf /etc/ldap/slapd.d
cp /usr/share/doc/slapd/examples/slapd.conf /etc/ldap
In /etc/ldap/slapd.conf
Replace @BACKEND@ with hdb
Replace @SUFFIX@ with dc=lxc
Replace @ADMIN@ with cn=admin, dc=lxc
Comment out rootdn
Add the following line below rootdn
rootpw "admin"
/etc/init.d/slapd start

Setting up slapd
Setting up slapd
Config directory (/etc/ldap/slapd.d)
All config edits must be done through LDAP operations
Harder to maintain
Powerful
Don’t use it if you’re not extremely familiar with OpenLDAP
Config file (/etc/ldap/slapd.conf)
Easier to maintain (in only one place)
Edits via any text editor

Setting up slapd
Setting up slapd
Config file useful parameters
suffix : base of your DIT
rootdn/rootpw : admin credentials
ACLs
access to *
by dn="cn=admin,dc=mondomain" write
by * read
admin can write everything
everybody else can only read

LDAP Clients
LDAP Clients

LDAP Clients
LDAP Clients
Desktop clients :
JXPlorer:
Use java libs to connect, allowing to check if your java apps
will have working LDAP
http://www.jxplorer.org/
Apache Directory Studio:
RCP (based on Eclipse)
Intended to be used with ApacheDS
Great for any other server too
http://directory.apache.org/studio/
Or as an eclipse plugin :
http://directory.apache.org/studio/update/1.x

LDAP Clients
LDAP Clients
phpLDAPAdmin:
Web client
Uses a templating system to easy entry administration
Very customizable, great for integration as an easy admin tool
for a client
Nice schema browser
Installation
PHP 5 LDAP + Debian :
# aptitude install php5-ldap phpldapadmin

Lab : Install an OpenLDAP serv

Practice
Install OpenLDAP
Create two branches
Create two users in one of the branches
In the other branch, create a group for the two users

Working with LDAP servers

Data modiﬁcation with LDIF

The LDIF format 1/5
LDIF = LDAP Directory Interchange Format
Serialized data format for exchange of information between
directories
Standard, does not depend on a particular directory (but its
content can)
Similar in purpose to SQL
Knowledge of this format is mandatory when working with
LDAP
man ldif
Two types of records
Entry record
Contains an image of the data
Change record
Contains a set of operations to perform

The LDIF format 2/5
Entry LDIF
Describes data from a directory (import/export)
Format
Simple and understandable by both computers and humans
(take that, XML!)
ASCII (no funny characters)
Syntax:
Entities are separated by a blank line
One attribute per line
attribute name: value
if the value can be encoded as an ASCII string (numbers, ascii
strings, etc.)
attribute name:: base 64 value
If the value cannot be encoded as ASCII (UTF-8 string, binary
data)

The LDIF format 3/5
Entry LDIF example
dn: uid=mapal,ou=people,dc=smile,dc=fr
objectClass: inetOrgPerson
uid: mapal
cn: Marc Palazon
sn: Palazon
dn: uid=cychi,ou=people,dc=smile,dc=fr
objectClass: inetOrgPerson
uid: cychi
cn: Cyrille Chignardet
sn: Chignardet

The LDIF format 4/5
Change LDIF
Only modiﬁcations
Modiﬁcations are separated by a ligne containing only a -
(dash)
New attributes can be used to describe operations
Syntax
changetype: modify
add, replace, delete attribute
add:
replace:
delete:
changetype: delete
Delete object
changetype: modrdn
Rename object
newrdn:
newsuperior:

The LDIF format 5/5
Change LDIF example
dn : cn=Babs Jensen , dc=example , dc=com
changetype : modify
add : givenName
givenName : Barbara
givenName : babs
−
r e p l a c e : d e s c r i p t i o n
d e s c r i p t i o n : the f a b u l o u s babs
−
d e l e t e : sn
sn : j e n s e n
−
dn : cn=Babs Jensen , dc=example , dc=com
changetype : modrdn
newrdn : cn=Barbara J Jensen
newsuperior : ou=People , dc=example , dc=com
dn : cn=Barbara J Jensen , ou=People , dc=example , dc=com
changetype : d e l e t e

Data retrieval with searches

LDAP searches 1/2
4 elements are needed (base, scope, ﬁlter and attributes)
base
Node of the DIT under which search will occur
scope
sub: all objects under the base
base: only the base itself
one: only its immediate childs (but not the node itself)

LDAP searches 2/2
Filter
Basic expression: attribute=value
used for “any value” or substringing
Examples:
cn=admin
cn=admi*
cn=*
Can use logic operators
AND (&), OR (|) , NOT (!)
Polish notation + parenthesis = “I Can’t Believe It’s Not
Lisp!” :
(&(attr1 = val1)(attr2 = val2))
(& (attr3 = val3) (|(attr1 = val1)(attr2 = val2)))
Attributes
Attributes to return from results (all by default)

OpenLDAP client tools

Client OpenLDAP tools
ldapsearch
-H <url> (ldap:// or ldaps://)
-x : skip SASL and use simple authentication
-D <user DN>
-w <password> (-W to prompt)
-b <base>
-s <base|one|sub> (scope)
<ﬁlter>
<attributes>
ldapmodify
Same parameters to specify the connection
-a (add new entries) = ldapadd
-f <ldif ﬁle>

OpenLDAP server tools

Careful: they alter the database directly
Stop the server ﬁrst!
Directory export (incl. metadata)
slapcat > export.ldif
Directory import
slapadd -l import.ldif
If you want to re-import everything:
First delete /var/lib/ldap/*
Always run slapadd as openldap user

Extending LDAP

Schemas
Schemas

Schemas
LDAP schemas 1/4
Every element (syntax, attribute, class, rule) has an Object
IDentiﬁer (OID)
The OID is a worldwide hierarchical database using the ASN.1
format
Example: 1.3.6 = iso.org.dod
It has nothing to do with the DIT or the objectClass hierarchy
Regulated by Internet Assigned Numbers Authority (IANA)
Anybody can get a Private Enterprise Number from IANA
Register at http://pen.iana.org/pen/PenApplication.page
See: http://www.iana.org/assignments/enterprise-numbers
Preﬁx for PEN: 1.3.6.1.4.1
Smile: 1.3.6.1.4.1.37413
Browse the OID tree at http://www.oid-info.com/
You can also use 2.999, intented for documentation

Schemas
LDAP schemas 2/4
Deﬁning a class
RFC4512 Object Class Description
O b j e c t C l a s s D e s c r i p t i o n = ”(” whsp
numericoid whsp ; O b j e c t C la s s i d e n t i f i e r
[ ”NAME” q d e s c r s ]
[ ”DESC” q d s t r i n g ]
[ ”OBSOLETE” whsp ]
[ ”SUP” o i d s ] ; S u p e r i o r O b j e c t C l a s s e s
[ ( ”ABSTRACT” / ”STRUCTURAL” / ”AUXILIARY” ) whsp ] ; d e f a u l t s t r u c t u r a l
[ ”MUST” o i d s ] ; AttributeTypes
[ ”MAY” o i d s ] ; AttributeTypes
whsp ”)”
Example:
o b j e c t c l a s s ( 2 . 5 . 6 . 6 NAME ’ person ’
DESC ’ RFC2256 : a person ’
SUP top STRUCTURAL
MUST ( sn $ cn )
MAY ( userPassword $ telephoneNumber $ s e e A l s o $ d e s c r i p t i o n
) )

Schemas
LDAP schemas 3/4
Deﬁning an attribute
RFC4512 Attribute Type Description
A t t r i b u t e T y p e D e s c r i p t i o n = ”(” whsp
numericoid whsp ; AttributeType i d e n t i f i e r
[ ”NAME” q d e s c r s ] ; name used i n AttributeType
[ ”DESC” q d s t r i n g ] ; d e s c r i p t i o n
[ ”EQUALITY” woid ; Matching Rule name
[ ”ORDERING” woid ; Matching Rule name
[ ”SUBSTR” woid ] ; Matching Rule name
[ ”SUP” woid ] ; d e r i v e d from t h i s other AttributeType
[ ”SYNTAX” whsp n o i d l e n whsp ] ; Syntax OID
[ ”SINGLE−VALUE” whsp ] ; d e f a u l t multi−valued
whsp ”)”
Exemple:
a t t r i b u t e t y p e ( 2 . 5 . 4 . 1 7 NAME ’ postalCode ’
DESC ’ RFC2256 : p o s t a l code ’
EQUALITY caseIgnoreMatch
SUBSTR c ase Ig nor eS ubs tri ng sMa tc h
SYNTAX 1 . 3 . 6 . 1 . 4 . 1 . 1 4 6 6 . 1 1 5 . 1 2 1 . 1 . 1 5 { 4 0 } )

Schemas
LDAP schemas 4/4
OpenLDAP schemas
Flat ﬁles in /etc/ldap/schema
include in slapd.conf
Examples:
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

How to design your DIT

You need a deep understanding of how the directory will be
used
Many possibilities
You can use attributes, groups or structure to make sense of
the data
Simple model: one branch for people, one branch for groups
OU model:
Example: by business unit
Example: by activity (sales, production. . . )
Example: by hierarchy
Geographical model (by location. . . )

LDAP : Theory and OpenLDAP implementation

More Related Content

What's hot

Similar to LDAP : Theory and OpenLDAP implementation

More from Open Source School

Recently uploaded

LDAP : Theory and OpenLDAP implementation