Directory Servers and LDAP

#1 OpenLDAP BootCamp: Directory Servers and LDAP. Doc. v. 0.1, 05/03/09. Wildan Maulana, [email protected], http://workshop.openthinklabs.com/


DESCRIPTION

Introduction to LDAP 1st presentation

TRANSCRIPT

Page 2: Directory Servers and LDAP

Main Topics

● The basics of LDAP directories

● The history of LDAP and the OpenLDAP server

Page 3: Directory Servers and LDAP

LDAP Basics

● The term LDAP stands for Lightweight Directory Access Protocol

● LDAP was originally designed as a network protocol that provided an alternative, lighter-weight way to access existing (X.500) directory servers

● LDAP is standardized. The body of LDAP standards, including the network protocol, the directory structure, and the services provided by an LDAP server, is available in the form of RFCs (Requests For Comments)

● LDAP v3 → RFC 2251 (1997)

● Updated in 2006 → RFCs 4510 - 4519

Page 4: Directory Servers and LDAP

What is a Directory ?

● A directory server maintains information about some set of entities (such as people or organizations) and provides a way to access that information

● How is information in an LDAP directory structured?

Page 5: Directory Servers and LDAP

The Structure of a Directory Entry

Example: a phone book entry

Acme Services
123 W. First St.
Chicago, IL 60616-1234
(773) 555-8943 or (800) 555 9834

The same entry broken into named fields:

Organization Name: Acme Services
Street Address: 123 West First Street
City: Chicago
State: Illinois
Postal Code: 60616-1234
Country: USA
Phone Number: +1 773 555 8943
Phone Number: +1 800 555 9834

Identity

But how can we distinguish between two very similar records?

For example, say we have a telephone directory for the entire state of Illinois. In Illinois, we have a company called Acme Services located in the city of Chicago, and another company named Acme Services located in the city of Springfield.

Page 6: Directory Servers and LDAP

A Unique Name : The DN

● One way of distinguishing between two very similar records is to create a unique name for each record in the directory

● This is the strategy adopted by LDAP: each record in the directory has a distinguished name (DN)

Page 7: Directory Servers and LDAP

More About DN

● A DN is composed of a sequence of relative distinguished names (RDNs), each an attribute=value pair, written from the most specific component on the left to the base of the tree on the right. For the two Acme entries it looks like this:

dn: o=Acme Services, l=Chicago, st=Illinois, c=US

dn: o=Acme Services, l=Springfield, st=Illinois, c=US

DN comparison is usually not case sensitive

Some parts of LDAP records are case sensitive, and others are not. Whether two DNs match depends on the matching rule of each attribute type in them. Attribute type names are always compared case-insensitively, and for the attributes used above (o, l, st, c) the equality rule is caseIgnoreMatch, so the server treats "O=ACME SERVICES,L=Chicago,ST=illinois,C=us" as the same DN. Attribute types defined with caseExactMatch are compared case-sensitively, so never rely on letter case alone to tell two entries apart.

Page 8: Directory Servers and LDAP

LDAP Entry

● An LDAP entry, or record, is the directory unit that stores information about an individual item in the directory

● An entry is composed of a DN and one or more attributes

● The DN serves as a unique identifier within an LDAP directory information tree

● Attributes provide information about that entry

Page 9: Directory Servers and LDAP

An Example LDAP Entry

dn: o=Acme Services, l=Chicago, st=Illinois, c=US
o: Acme Services
postalAddress: 123 West First Street
l: Chicago
st: Illinois
postalCode: 60616-1234
c: US
telephoneNumber: +1 773 555 8943
telephoneNumber: +1 800 555 9834
objectclass: organization

● Attribute names, like o and postalAddress, refer to well-defined attribute definitions contained in an LDAP schema. They cannot be "invented" on the fly, or made up as you go.

Creating new attributes requires writing a schema. The schema also restricts which attributes an entry of a given object class may carry: in the standard core schema (RFC 4519) the organization object class does not list c among its allowed attributes, so slapd with schema checking enabled would reject the entry above unless c were removed or permitted by another object class on the entry.

(Slide callouts: the first line of the entry is the DN; the remaining lines are its attributes.)
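The following is an added example, not code from the slides or from OpenLDAP. It parses the slide's entry from LDIF into a DN plus multi-valued attributes, and then splits and normalizes DNs the way a server does for comparison (RFC 4514 syntax; caseIgnoreMatch for the attribute types in the example). The parser is deliberately minimal: it handles folded lines and backslash escapes, but not base64 values or multi-valued RDNs, which is stated in the comments.

```python
# Added example (not from the original slides): parse the LDIF entry from the
# slide and compare DNs the way an LDAP server does (RFC 4514 syntax,
# caseIgnoreMatch semantics for the attribute types in the example).

# Constructed input: the example entry from the slide, in LDIF.
LDIF_ENTRY = """\
dn: o=Acme Services, l=Chicago, st=Illinois, c=US
o: Acme Services
postalAddress: 123 West First Street
l: Chicago
st: Illinois
postalCode: 60616-1234
c: US
telephoneNumber: +1 773 555 8943
telephoneNumber: +1 800 555 9834
objectclass: organization
"""

def parse_ldif_entry(text: str):
    """Return (dn, attrs). attrs maps lower-cased attribute type -> list of
    values, because attribute type names are case-insensitive and an attribute
    may carry several values. Folded lines (leading space) are joined; base64
    ('::') and URL (':<') values are not handled by this minimal parser."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry has no dn: line")
    return dn, attrs

def split_dn(dn: str):
    """Split a DN into [(type, value), ...] from left (most specific) to right
    (base). Honours backslash escapes, so 'o=Acme\\, Inc,c=US' has two RDNs.
    Multi-valued RDNs joined with '+' are not handled."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1]); i += 2; continue
        if ch == ",":
            rdns.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        typ, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        out.append((typ.strip().lower(), val.strip()))
    return out

def normalize_dn(dn: str, case_exact_types=frozenset()) -> str:
    """Canonical form used for comparison: lower-cased types, no spaces around
    commas, runs of spaces collapsed, and values case-folded unless their type
    is listed in case_exact_types (i.e. uses caseExactMatch)."""
    parts = []
    for typ, val in split_dn(dn):
        val = " ".join(val.split())
        if typ not in case_exact_types:
            val = val.lower()
        parts.append(f"{typ}={val}")
    return ",".join(parts)

def dn_equal(a: str, b: str, case_exact_types=frozenset()) -> bool:
    return normalize_dn(a, case_exact_types) == normalize_dn(b, case_exact_types)

if __name__ == "__main__":
    dn, attrs = parse_ldif_entry(LDIF_ENTRY)
    print(normalize_dn(dn))
    print(attrs["telephonenumber"])
    print(dn_equal(dn, "O=ACME SERVICES,L=Chicago,ST=illinois,C=us"))
```

The point of normalize_dn is that equality of DNs is decided on a canonical form, not on the literal string: the Chicago and Springfield entries stay distinct because their l values differ, while spelling the Chicago DN in capitals does not create a second entry. When an application uses DNs as keys (for example to map an authenticated user to a role), it should compare normalized DNs or it will be fooled by case and whitespace variations.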

Page 10: Directory Servers and LDAP

An Example LDAP Entry - Cont

● In the previous example there are eight attribute types (nine values, since telephoneNumber appears twice), representing the following:

● Organization Name (o)
● Mailing address (postalAddress)
● Locality (l), which may be the name of a city, town, village, and so forth
● State or Province (st)
● Postal Code or ZIP Code (postalCode)
● Country (c)
● Telephone Number (telephoneNumber)
● Object Class (objectclass), which specifies what type (or types) of record this entry is

Page 11: Directory Servers and LDAP

The Object Class Attributes

● The last attribute in the record above is the objectclass attribute. This is a special attribute that says what type (or types) of entry this is; every entry must carry it, and an entry may list several object classes

● An object class determines which attributes a record must have (MUST) and which it may have (MAY); the server rejects an entry that lacks a required attribute or carries one that none of its object classes allows
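As an added example (not the slides' or OpenLDAP's code), the check below applies MUST/MAY lists to an entry the way slapd's schema check does, with the lists for top, organization, country and locality taken from RFC 4519 (organization's MAY list is abridged to the attributes relevant here). Run against the slide's entry it reports c as not allowed, which is exactly the objectClassViolation (result code 65) a server with schema checking would return.

```python
# Added example (not from the original slides): check an entry's attributes
# against its object classes the way slapd's schema check does. MUST/MAY lists
# follow RFC 4519 (organization's MAY list abridged); a real server loads them
# from its schema files instead of a dict like this.

# Minimal schema: object class -> (superior, MUST, MAY); names lower-cased.
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "organization": ("top", {"o"},
                     {"userpassword", "seealso", "businesscategory", "telephonenumber",
                      "facsimiletelephonenumber", "street", "postofficebox", "postalcode",
                      "postaladdress", "st", "l", "description"}),
    "country": ("top", {"c"}, {"searchguide", "description"}),
    "locality": ("top", set(), {"street", "seealso", "searchguide", "st", "l", "description"}),
}

def allowed_attributes(object_classes):
    """Collect MUST and MAY over each listed class and all of its superiors."""
    must, may = set(), set()
    for oc in object_classes:
        name = oc.lower()
        while name is not None:
            if name not in SCHEMA:
                raise ValueError(f"unknown object class: {oc}")
            sup, m, o = SCHEMA[name]
            must |= m
            may |= o
            name = sup
    return must, may

def check_entry(attrs):
    """attrs: lower-cased attribute type -> list of values.
    Returns {'missing': MUST attributes absent, 'not_allowed': attributes no
    class permits}. Both empty is what slapd requires; otherwise it refuses the
    add/modify with objectClassViolation (result code 65)."""
    classes = attrs.get("objectclass", [])
    if not classes:
        return {"missing": {"objectclass"}, "not_allowed": set()}
    must, may = allowed_attributes(classes)
    present = set(attrs)
    return {"missing": must - present, "not_allowed": present - must - may}

# Constructed input: the slide's example entry, as a parser would return it.
ACME = {
    "o": ["Acme Services"],
    "postaladdress": ["123 West First Street"],
    "l": ["Chicago"],
    "st": ["Illinois"],
    "postalcode": ["60616-1234"],
    "c": ["US"],
    "telephonenumber": ["+1 773 555 8943", "+1 800 555 9834"],
    "objectclass": ["organization"],
}

if __name__ == "__main__":
    print(check_entry(ACME))             # c is not allowed by organization
    fixed = {k: v for k, v in ACME.items() if k != "c"}
    print(check_entry(fixed))            # clean
```

Schema checking is a security control as much as a data-quality one: it is what stops a client with write access from smuggling, say, a userPassword or a group-membership attribute onto an entry whose object classes were never meant to carry one, so it should not be switched off to make an awkward import load.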

Page 12: Directory Servers and LDAP

Operational Attributes

● In addition to regular attributes, the directory server may also attach special operational attributes to an entry

● Operational attributes are used by the directory itself to store information about entries (for example createTimestamp, modifiersName or entryUUID in OpenLDAP)

● These attributes are not designed for use by end users; a search does not return them unless the client asks for them by name or with the special "+" attribute selector

Page 13: Directory Servers and LDAP

The Directory Information Tree

● Information in an LDAP directory is organized into one or more hierarchies where, at the top of the hierarchy, there is a base entry, and other entries are organized in tree-like structures beneath the base entry

● Each node in the hierarchy is an entry, with a DN and one or more attributes; an entry's DN is its own RDN followed by the DN of its parent, so the tree structure is encoded in the names themselves

Page 14: Directory Servers and LDAP

The Directory Information Tree - Cont

Page 15: Directory Servers and LDAP

The Directory Information Tree - Cont

Page 16: Directory Servers and LDAP

What to Do with an LDAP Server

● LDAP is designed to represent organizations, including their structure, their physical assets, and their personnel.

● LDAP can also be used as the central authority for network users, groups, and accounts

Page 17: Directory Servers and LDAP

The History of LDAP and OpenLDAP

● Originally, LDAP was just a network protocol used to get data out of an X.500 directory (a directory server architecture designed in the 1980s and standardized in 1988). This was the intent of Yeong, Howes, and Kille when they initially drafted the LDAP specification as RFC 1487 in 1993.

● The first LDAP servers were gateways to X.500 directories, but these servers quickly evolved into full-fledged directory servers. Tim Howes and his colleagues at the University of Michigan created the open source University of Michigan LDAP implementation, which became the reference implementation for other LDAP servers.

http://www.umich.edu/~dirsvcs/ldap/ldap.html

Page 18: Directory Servers and LDAP

The History of LDAP and OpenLDAP

● In 1998 the OpenLDAP project was started by Kurt Zeilenga using University of Michigan's code base

● Since the late 1990s, OpenLDAP has continued to mature, overseen by the OpenLDAP Foundation and supported by contributions from industry sponsors.

● http://openldap.org

Page 19: Directory Servers and LDAP

A Technical Overview of OpenLDAP

● The OpenLDAP suite can be broken up into four components:

● Servers: provide LDAP services
● Clients: manipulate LDAP data
● Utilities: support LDAP servers
● Libraries: provide programming interfaces to LDAP

Page 20: Directory Servers and LDAP

LDAP Component Relation

Page 21: Directory Servers and LDAP

The Server

● The main server in the OpenLDAP suite is slapd (the Stand-Alone LDAP Daemon)

● A server can store directory data locally, or simply access (or proxy access to) external sources

● slapd provides authentication and searching services, and may also support adding, removing, and modifying directory data

● slapd provides fine-grained access control to the directory through access directives that state who may read, search, compare or write which entries and attributes; a typical rule lets a user change only its own userPassword while allowing anonymous clients to use that attribute for authentication only, never to read it

Page 22: Directory Servers and LDAP

Clients

● Clients connect to the server over the LDAP protocol, either over a TCP connection (ldap://, or ldaps:// when wrapped in TLS) or over a local UNIX domain socket (ldapi://)

● Typically, a client will first connect to the directory server, then bind (authenticate), and then perform zero or more other operations (searches, modifications, additions, deletions, etc.) before finally unbinding and disconnecting. A connection that never binds is treated as anonymous, so what an anonymous client may see is decided entirely by the server's access controls
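The bind/operate/unbind flow above, shown on the wire as an added example (not code from the slides or from OpenLDAP): a minimal encoder and decoder for the LDAPMessage, BindRequest, BindResponse and UnbindRequest structures of RFC 4511, built directly from their ASN.1/BER layout. No server is contacted; the server's replies are constructed here, and the DN cn=admin,dc=example,dc=com and the password are hypothetical.

```python
# Added example (not from the original slides): a minimal encoder/decoder for
# the LDAP messages exchanged in the connect -> bind -> (operations) -> unbind
# flow, built from the ASN.1/BER layout in RFC 4511. No real server is
# contacted; the "server" messages are constructed here for illustration.

# --- BER primitives -------------------------------------------------------

def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload

def ber_int(n: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (or ENUMERATED with tag 0x0a), two's-complement."""
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def octet_string(s: str) -> bytes:
    return tlv(0x04, s.encode("utf-8"))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

# --- LDAP messages (RFC 4511) ---------------------------------------------

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    op = tlv(0x60, ber_int(3) + octet_string(dn) + tlv(0x80, password.encode("utf-8")))
    return tlv(0x30, ber_int(msg_id) + op)

def bind_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }"""
    op = tlv(0x61, ber_int(result_code, 0x0A) + octet_string("") + octet_string(diagnostic))
    return tlv(0x30, ber_int(msg_id) + op)

def unbind_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, UnbindRequest [APPLICATION 2] NULL }"""
    return tlv(0x30, ber_int(msg_id) + tlv(0x42, b""))

def parse_bind_response(msg: bytes) -> dict:
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, rc, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {"messageID": int.from_bytes(mid, "big"),
            "resultCode": int.from_bytes(rc, "big"),
            "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}

# --- A session as a list of (direction, bytes) ----------------------------

def bind_session(dn: str, password: str, accept: bool):
    """Client binds, the (constructed) server answers, the client unbinds.
    49 is the resultCode invalidCredentials."""
    req = bind_request(1, dn, password)
    resp = bind_response(1, 0 if accept else 49, "" if accept else "invalid credentials")
    return [("C->S", req), ("S->C", resp), ("C->S", unbind_request(2))]

def password_on_the_wire(dn: str, password: str) -> bool:
    """A simple bind carries the password verbatim: true unless TLS wraps it."""
    return password.encode() in bind_request(1, dn, password)

if __name__ == "__main__":
    # Hypothetical DN and password, not from the slides.
    for direction, raw in bind_session("cn=admin,dc=example,dc=com", "secret", accept=True):
        print(direction, raw.hex(" "))
    print("anonymous bind:", bind_request(1, "", "").hex(" "))
```

Two things worth noticing in the output. An anonymous bind (empty name, empty password) is the fixed 14-byte message 30 0c 02 01 01 60 07 02 01 03 04 00 80 00, which is handy to recognise in captures. And a simple bind places the password in the [0] OCTET STRING untouched, so over plain ldap:// on port 389 anyone on the path can read it; simple binds belong only on ldaps://, on a connection upgraded with StartTLS, or on a local ldapi:// socket.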

Page 23: Directory Servers and LDAP

Utilities

● Unlike clients, utilities (slapadd, slapcat, slapindex and friends) do not perform operations using the LDAP protocol. Instead, they read and write the backend database directly, without mediation by the server, and therefore without its access controls

● Utilities are used primarily to help maintain the server, and should be run only by the administrator on the server host

Page 24: Directory Servers and LDAP

Libraries

● Application Programming Interfaces (APIs) are provided to allow software developers to write LDAP-aware applications without having to re-implement fundamental LDAP code

Page 25: Directory Servers and LDAP

Application Integration

Page 26: Directory Servers and LDAP

Moodle

http://docs.moodle.org/en/LDAP_authentication

Page 27: Directory Servers and LDAP

symfony

http://www.symfony-project.org/plugins/bhLDAPAuthPlugin

Page 28: Directory Servers and LDAP

Joomla

http://docs.joomla.org/LDAP

Page 29: Directory Servers and LDAP

Q&A

Page 30: Directory Servers and LDAP

Reference

● Matt Butcher, Mastering OpenLDAP, Packt Publishing