LDAP: Theory and OpenLDAP implementation
The first school 100% dedicated to open source
Open Source School was founded at the initiative of Smile, the leader in open source integration and managed services, and of EPSI, a private institution that pioneered higher education in computer science.
As part of the Programme d'Investissements d'Avenir (PIA), the French government decided to support the creation of this school by granting it initial funding of €1.4M, confirming its commitment to the free software sector, which is currently growing rapidly.
With annual growth of more than 10% and 4,000 unfilled positions each year in the free software sector, OSS intends to address the sector's skills shortage by mobilising the whole ecosystem and offering the broadest range of training in open source technologies, in both initial and continuing education.
Training that leads to full employment!
Continuing Education
Open Source School "Executive Education" is an accredited training organisation offering a catalogue of more than 200 professional courses and various retraining schemes that enable a return to employment (POE) or better employability for many IT professionals.
For enquiries: [email protected]
Initial Education
100% free software and 100% work-study, the Open Source School curriculum is based on EPSI's framework of competency blocks. It leads to a level I RNCP qualification (Bac+5). The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes, Paris.
Our training areas
Introduction Anatomy of a LDAP directory OpenLDAP: A LDAP implementation Lab : Install an OpenLDAP server Working with LDAP servers Extending LDAP
Plan
1 Introduction
2 Anatomy of a LDAP directory
3 OpenLDAP: A LDAP implementation
4 Lab : Install an OpenLDAP server
5 Working with LDAP servers
6 Extending LDAP
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/62
Introduction
Directories
What is a Directory?
The simple answer
Large information base, mostly for read access
Directory Examples
A few examples
People: white pages
Organizations: yellow pages
Computers: DNS
A Directory: what for?
Authentication and authorization on systems or applications
Group maintenance
Privileges maintenance
Address books
Organization chart
...
History of LDAP
History of LDAP: The Genesis
The X500 standards
Created in the 80s, based on 70 years of electronic directories from telephone companies
X500 directories are supposed to be accessed using the Directory Access Protocol (DAP)
Problem: DAP was based on the OSI stack, which never really took off
Lightweight DAP (LDAP) was created to access directories over the TCP/IP stack
History of LDAP: Standardization
LDAP became an IETF (Internet Engineering Task Force) standard in 1997
Now, most servers only do LDAP
OpenLDAP (the reference)
Netscape Directory Server (the dinosaur)
SunONE
389 Directory Server
Apache Directory Server, OpenDS (the youngsters)
Microsoft Active Directory (the ugly)
Current protocol version : LDAP v3
LDAP v2 deprecated since 2003
Anatomy of a LDAP directory
Directory Information Tree
LDAP = access protocol, but what do we access?
X500 standard: The Directory: Overview of concepts, models and services
X500 is based around a single Directory Information Tree
Hierarchical structure
Has a root
Every entity can be a node or a leaf
Each entity has only one path
DIT Structure
In a branch, an entity is known by its Relative Distinguished Name (RDN)
In the whole directory, it is known by its Distinguished Name (DN)
Simply a comma-separated list of the RDNs of all nodes on its (unique) path
LDAP Entities
LDAP Entities: Common properties
Object orientation (classes, attributes, objects, inheritance, etc.)
Attributes are defined by a schema
The schema itself is hierarchical through inheritance, but the schema hierarchy has nothing to do with the object hierarchy (DIT)
Values are strongly typed
Standard classes and attributes are directory-oriented
LDAP Entities: Classes
Simple inheritance
Class types
Abstract
Structural: defines the meaning of the object
Auxiliary: allows to add attributes to an object (composition)
Classes are lists of attributes
Mandatory attributes
Optional attributes
LDAP Entities: Attribute
Simple Inheritance
Example: surname attribute type inherits from name attribute
Defined outside the class
Can be used by different classes
May have multiple names
Usually a short and a long name
Example: commonName and cn
Can be multi-valued
Single valued: first name, UID
Multivalued: group membership, email aliases
LDAP Entities: Attribute syntax
Syntax: defines the attribute type
Integer
String (UTF-8 only)
Telephone Number
Date
Binary data
Standardized on a specific tree
Example OID (Object ID): 1.3.6.1.4.1.1466.115.121.1.15
http://www.rfc-editor.org/rfc/rfc2252.txt
LDAP Entities: Matching rule
Matching rule on attribute value
Defines how values are compared
For equality or substrings
Sorting
Examples:
caseExactMatch (toto == toto)
caseIgnoreMatch (toto == ToTO)
telephoneNumberMatch (04 99 77 20 19 == 04-99-77-20-19)
LDAP Entities: Object structure
Object
Instances of one or more classes (object composition)
Can only have one structural class
And as many auxiliary classes as wanted
Example: person, posixAccount, sambaAccount
LDAP Entities: Object definition
Have a special “objectClass” attribute
Defines which classes the object belongs to
All objects must have at least one objectClass
“objectClass” does not belong to any class
The RDN of the object is one of its attributes
Format: attr name=value
Examples
User:
uid=bejac
Computer:
hostname=myserver
Example DN
dn: uid=bejac,department=DT,locality=levallois,organization=smile
LDAP vs RDBMS
Why choose LDAP over a RDBMS
Standard protocol
All databases have different access protocols
SQL is NOT an access protocol
Many LDAP implementations
Very rich on data validation and structure
Native structure is close to most organization’s structure
Hierarchical
Very fast reads
Efficient lookup of different objects with common attributes
Usually does not require adaptation of the directory to an application
Standard schemas and classes offer a wide range of common use cases.
However, LDAP is not recommended if
It's only used for one application
Many relations between objects
Lots of edits/inserts/deletes
Standard object classes
Standard object classes: inetOrgPerson
inetOrgPerson : user accounts in a company
Standard object classes: groupOfNames
groupOfNames : groups
Standard object classes: organizationalUnit
organizationalUnit: branches
OpenLDAP: A LDAP implementation
OpenLDAP
OpenLDAP is a software project that provides
A LDAP server : slapd
A LDAP client library : libldap
Command line LDAP tools : ldap-utils
Setting up slapd
On Debian
aptitude install slapd
/etc/init.d/slapd stop
rm -rf /etc/ldap/slapd.d
cp /usr/share/doc/slapd/examples/slapd.conf /etc/ldap
In /etc/ldap/slapd.conf
Replace @BACKEND@ with hdb
Replace @SUFFIX@ with dc=lxc
Replace @ADMIN@ with cn=admin, dc=lxc
Comment out rootdn
Add the following line below rootdn
rootpw "admin"
/etc/init.d/slapd start
Config directory (/etc/ldap/slapd.d)
All config edits must be done through LDAP operations
Harder to maintain
Powerful
Don’t use it if you’re not extremely familiar with OpenLDAP
Config file (/etc/ldap/slapd.conf)
Easier to maintain (in only one place)
Edits via any text editor
Config file useful parameters
suffix: base of your DIT
rootdn/rootpw: admin credentials
ACLs
access to *
by dn="cn=admin,dc=mondomain" write
by * read
admin can write everything
everybody else can only read
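A slapd.conf fragment assembled from the lab steps and the ACL above, as an added example rather than the course's own file: the suffix dc=lxc and rootdn cn=admin,dc=lxc come from the lab, the rootpw value is a placeholder to be replaced by the hash that slappasswd prints, and the userPassword rule is assumed hardening so that "by * read" does not hand password hashes to anonymous clients.

```conf
# Schemas the course references (Debian paths); cosine is a prerequisite of inetorgperson
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema

# Backend and DIT base as set up in the lab
database        hdb
suffix          "dc=lxc"
rootdn          "cn=admin,dc=lxc"
# Placeholder: paste the {SSHA} hash printed by slappasswd, not a cleartext password
rootpw          {SSHA}PLACEHOLDER-FROM-SLAPPASSWD
directory       /var/lib/ldap

# ACLs are tried in order and the first "access to" clause whose target matches wins,
# so the password rule must come before the catch-all: users may change their own
# hash, anonymous clients may only use it to bind, nobody else can read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else: the course's rule (admin writes, everybody else reads)
access to *
        by dn="cn=admin,dc=lxc" write
        by * read
```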
LDAP Clients
Desktop clients:
JXPlorer:
Uses Java libs to connect, allowing you to check whether your Java apps will have working LDAP
http://www.jxplorer.org/
Apache Directory Studio:
RCP (based on Eclipse)
Intended to be used with ApacheDS
Great for any other server too
http://directory.apache.org/studio/
Or as an Eclipse plugin: http://directory.apache.org/studio/update/1.x
phpLDAPAdmin:
Web client
Uses a templating system to ease entry administration
Very customizable, great for integration as an easy admin tool for a client
Nice schema browser
Installation
PHP 5 LDAP + Debian:
# aptitude install php5-ldap phpldapadmin
Lab : Install an OpenLDAP server
Practice
Install OpenLDAP
Create two branches
Create two users in one of the branches
In the other branch, create a group for the two users
Working with LDAP servers
Data modification with LDIF
The LDIF format 1/5
LDIF = LDAP Directory Interchange Format
Serialized data format for exchange of information between directories
Standard, does not depend on a particular directory (but its content can)
Similar in purpose to SQL
Knowledge of this format is mandatory when working with LDAP
man ldif
Two types of records
Entry record
Contains an image of the data
Change record
Contains a set of operations to perform
The LDIF format 2/5
Entry LDIF
Describes data from a directory (import/export)
Format
Simple and understandable by both computers and humans (take that, XML!)
ASCII (no funny characters)
Syntax:
Entities are separated by a blank line
One attribute per line
attribute name: value
if the value can be encoded as an ASCII string (numbers, ASCII strings, etc.)
attribute name:: base64 value
if the value cannot be encoded as ASCII (UTF-8 string, binary data)
The LDIF format 3/5
Entry LDIF example
dn: uid=mapal,ou=people,dc=smile,dc=fr
objectClass: inetOrgPerson
uid: mapal
cn: Marc Palazon
sn: Palazon
dn: uid=cychi,ou=people,dc=smile,dc=fr
objectClass: inetOrgPerson
uid: cychi
cn: Cyrille Chignardet
sn: Chignardet
The LDIF format 4/5
Change LDIF
Only modifications
Modifications are separated by a line containing only a - (dash)
New attributes can be used to describe operations
Syntax
changetype: modify
add, replace, delete attribute
add:
replace:
delete:
changetype: delete
Delete object
changetype: modrdn
Rename object
newrdn:
newsuperior:
The LDIF format 5/5
Change LDIF example
dn: cn=Babs Jensen,dc=example,dc=com
changetype: modify
add: givenName
givenName: Barbara
givenName: babs
-
replace: description
description: the fabulous babs
-
delete: sn
sn: jensen
-

dn: cn=Babs Jensen,dc=example,dc=com
changetype: modrdn
newrdn: cn=Barbara J Jensen
deleteoldrdn: 1
newsuperior: ou=People,dc=example,dc=com

dn: cn=Barbara J Jensen,ou=People,dc=example,dc=com
changetype: delete
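The entry records (format 3/5) and change records (formats 4/5 and 5/5) above, read by a small Python parser added here (not code from the course): it unfolds continuation lines, decodes the attr:: base64 form, splits records on blank lines and turns a changetype: modify body into (operation, attribute, values) tuples using the - separators. The sample LDIF is constructed from the course examples, with a base64 surname, a folded line and a deleteoldrdn line (which modrdn requires) added.

```python
import base64
# Constructed sample: an entry record (folded line, base64 value) then the
# course's three change records, with deleteoldrdn added to the modrdn one.
SAMPLE_LDIF = """\
dn: uid=mapal,ou=people,dc=smile,dc=fr
objectClass: inetOrgPerson
uid: mapal
cn: Marc Palazon
sn:: UGFsYXrDs24=
description: a folded line continues
  on the next line

dn: cn=Babs Jensen,dc=example,dc=com
changetype: modify
add: givenName
givenName: Barbara
givenName: babs
-
replace: description
description: the fabulous babs
-
delete: sn
sn: jensen
-

dn: cn=Babs Jensen,dc=example,dc=com
changetype: modrdn
newrdn: cn=Barbara J Jensen
deleteoldrdn: 1
newsuperior: ou=People,dc=example,dc=com

dn: cn=Barbara J Jensen,ou=People,dc=example,dc=com
changetype: delete
"""

def unfold(text):
    """Join continuation lines (one leading space) and drop '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_line(line):
    """'attr: value' is taken as-is; 'attr:: value' is base64 (UTF-8 assumed)."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"malformed LDIF line: {line!r}")
    if rest.startswith(":"):
        return name.strip(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip(), rest.strip()

def parse_changes(changetype, lines):
    if changetype == "delete":
        return []
    if changetype == "modrdn":                      # newrdn / deleteoldrdn / newsuperior
        return [dict(parse_line(line) for line in lines)]
    if changetype != "modify":
        raise ValueError(f"unsupported changetype: {changetype}")
    ops, group = [], []                             # each group: 'op: attr' then values
    for line in lines + ["-"]:                      # sentinel flushes the last group
        if line.strip() != "-":
            group.append(line)
        elif group:
            op, attr = parse_line(group[0])
            ops.append((op, attr, [parse_line(v)[1] for v in group[1:]]))
            group = []
    return ops

def parse_record(lines):
    dn = parse_line(lines[0])[1]                    # every record starts with its dn
    body, changetype = lines[1:], None
    if body and body[0].lower().startswith("changetype:"):
        changetype, body = parse_line(body[0])[1], body[1:]
    if changetype not in (None, "add"):             # entry and 'add' records carry attributes
        return {"dn": dn, "changetype": changetype, "changes": parse_changes(changetype, body)}
    attrs = {}
    for name, value in map(parse_line, body):
        attrs.setdefault(name, []).append(value)    # attributes may be multi-valued
    return {"dn": dn, "changetype": changetype, "attrs": attrs}

def parse_ldif(text):
    records, current = [], []
    for line in unfold(text) + [""]:                # blank line (or end) closes a record
        if line.strip():
            current.append(line)
        elif current:
            records.append(parse_record(current))
            current = []
    return records
```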
Data retrieval with searches
LDAP searches 1/2
4 elements are needed (base, scope, filter and attributes)
base
Node of the DIT under which search will occur
scope
sub: all objects under the base
base: only the base itself
one: only its immediate children (but not the node itself)
LDAP searches 2/2
Filter
Basic expression: attribute=value
* is used for “any value” or substring matching
Examples:
cn=admin
cn=admi*
cn=*
Can use logic operators
AND (&), OR (|), NOT (!)
Polish notation + parentheses = “I Can’t Believe It’s Not Lisp!”:
(&(attr1=val1)(attr2=val2))
(&(attr3=val3)(|(attr1=val1)(attr2=val2)))
Attributes
Attributes to return from results (all by default)
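An added Python example (not code from the course) that parses the filter subset shown above, evaluates it against constructed entries with caseIgnoreMatch-style comparison (see the matching rule slide), and shows why a value taken from user input must be escaped per RFC 4515 before it goes into a filter: escaped, ma* is a literal string that matches nobody; unescaped, it is a substring search. The entries and the lookup_by_uid helper are constructed for the example.

```python
import re

# RFC 4515 escaping: characters with structural meaning in a filter are written
# as \XX so that an untrusted value can only ever match as a literal.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value):                    # \XX escapes assumed to be single ASCII bytes
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the subset from the course: (&...) (|...) (!...) and attr=value."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":   # Polish notation: operator first
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")" or not children:
            raise ValueError(f"malformed '{op}' filter at offset {pos}")
        if op == "!" and len(children) != 1:
            raise ValueError("NOT takes exactly one filter")
        return (op, children), pos + 1
    end = text.find(")", pos)                    # a literal ')' in a value is escaped as \29
    attr, eq, pattern = text[pos:end].partition("=")
    if end < 0 or not eq or not attr:
        raise ValueError(f"bad filter item at offset {pos}")
    return ("=", attr, pattern), end + 1

def _match_value(pattern, actual):
    """caseIgnoreMatch: an unescaped * splits the pattern into prefix/middles/suffix."""
    parts = [_unescape(p).lower() for p in pattern.split("*")]
    actual = actual.lower()
    if len(parts) == 1:                          # no wildcard: plain equality
        return actual == parts[0]
    if not actual.startswith(parts[0]) or not actual.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        found = actual.find(middle, pos)
        if found < 0:
            return False
        pos = found + len(middle)
    return pos <= len(actual) - len(parts[-1])

def evaluate(node, attrs):
    """attrs maps attribute name -> list of values; names compare case-insensitively."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, attrs) for c in node[1])
    if kind == "|":
        return any(evaluate(c, attrs) for c in node[1])
    if kind == "!":
        return not evaluate(node[1][0], attrs)
    _, attr, pattern = node
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    return any(_match_value(pattern, v) for v in values)

def search(entries, filter_text):
    """The 'filter' element of a search: dn of every matching entry, in order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if evaluate(node, e["attrs"])]

def lookup_by_uid(entries, uid):
    """Escape a user-supplied uid, so 'ma*' looks for that literal string."""
    return search(entries, f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))")

# Constructed sample directory: the two course users plus an admin entry
ENTRIES = [
    {"dn": "uid=mapal,ou=people,dc=smile,dc=fr", "attrs": {"objectClass": ["inetOrgPerson"],
     "uid": ["mapal"], "cn": ["Marc Palazon"], "sn": ["Palazon"]}},
    {"dn": "uid=cychi,ou=people,dc=smile,dc=fr", "attrs": {"objectClass": ["inetOrgPerson"],
     "uid": ["cychi"], "cn": ["Cyrille Chignardet"], "sn": ["Chignardet"]}},
    {"dn": "cn=admin,dc=smile,dc=fr", "attrs": {"objectClass": ["organizationalRole"], "cn": ["admin"]}},
]
```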
OpenLDAP client tools
ldapsearch
-H <url> (ldap:// or ldaps://)
-x: skip SASL and use simple authentication
-D <user DN>
-w <password> (-W to prompt)
-b <base>
-s <base|one|sub> (scope)
<filter>
<attributes>
ldapmodify
Same parameters to specify the connection
-a (add new entries) = ldapadd
-f <ldif file>
OpenLDAP server tools
Careful: they alter the database directly
Stop the server first!
Directory export (incl. metadata)
slapcat > export.ldif
Directory import
slapadd -l import.ldif
If you want to re-import everything:
First delete /var/lib/ldap/*
Always run slapadd as openldap user
Extending LDAP
Schemas
LDAP schemas 1/4
Every element (syntax, attribute, class, rule) has an Object IDentifier (OID)
The OID is a worldwide hierarchical database using the ASN.1 format
Example: 1.3.6 = iso.org.dod
It has nothing to do with the DIT or the objectClass hierarchy
Regulated by the Internet Assigned Numbers Authority (IANA)
Anybody can get a Private Enterprise Number from IANA
Register at http://pen.iana.org/pen/PenApplication.page
See: http://www.iana.org/assignments/enterprise-numbers
Prefix for PEN: 1.3.6.1.4.1
Smile: 1.3.6.1.4.1.37413
Browse the OID tree at http://www.oid-info.com/
You can also use 2.999, intended for documentation
LDAP schemas 2/4
Defining a class
RFC4512 Object Class Description
ObjectClassDescription = "(" whsp
    numericoid whsp                                       ; ObjectClass identifier
    [ "NAME" qdescrs ]
    [ "DESC" qdstring ]
    [ "OBSOLETE" whsp ]
    [ "SUP" oids ]                                        ; Superior ObjectClasses
    [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]  ; default structural
    [ "MUST" oids ]                                       ; AttributeTypes
    [ "MAY" oids ]                                        ; AttributeTypes
    whsp ")"
Example:
objectclass ( 2.5.6.6 NAME 'person'
    DESC 'RFC2256: a person'
    SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
LDAP schemas 3/4
Defining an attribute
RFC4512 Attribute Type Description
AttributeTypeDescription = "(" whsp
    numericoid whsp                  ; AttributeType identifier
    [ "NAME" qdescrs ]               ; name used in AttributeType
    [ "DESC" qdstring ]              ; description
    [ "EQUALITY" woid ]              ; Matching Rule name
    [ "ORDERING" woid ]              ; Matching Rule name
    [ "SUBSTR" woid ]                ; Matching Rule name
    [ "SUP" woid ]                   ; derived from this other AttributeType
    [ "SYNTAX" whsp noidlen whsp ]   ; Syntax OID
    [ "SINGLE-VALUE" whsp ]          ; default multi-valued
    whsp ")"
Example:
attributetype ( 2.5.4.17 NAME 'postalCode'
    DESC 'RFC2256: postal code'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
LDAP schemas 4/4
OpenLDAP schemas
Flat files in /etc/ldap/schema
include in slapd.conf
Examples:
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
How to design your DIT
You need a deep understanding of how the directory will be used
Many possibilities
You can use attributes, groups or structure to make sense of the data
Simple model: one branch for people, one branch for groups
OU model:
Example: by business unit
Example: by activity (sales, production...)
Example: by hierarchy
Geographical model (by location...)