OpenLDAP Directory Administration: LDAP Interoperability (32 slides)

Upload: naomi

Post on 13-Jan-2016


DESCRIPTION

OpenLDAP Directory Administration, chapter "LDAP Interoperability" (PowerPoint presentation). Table of contents: Introduction; Interoperability or Integration; Directory Gateways; Cross-Platform Authentication Services; Distributed, Multivendor Directories; Metadirectories; Push/Pull Agents for Directory Synchronization.

TRANSCRIPT

Page 1: OpenLDAP Directory Administration LDAP Interoperability

OpenLDAP Directory Administration

LDAP Interoperability

Page 2: OpenLDAP Directory Administration LDAP Interoperability

Table of Contents

● Introduction

● Interoperability or Integration

● Directory Gateways

● Cross-Platform Authentication Services

● Distributed, Multivendor Directories

● Metadirectories

● Push/Pull Agents for Directory Synchronization

Page 4: OpenLDAP Directory Administration LDAP Interoperability

Introduction

● Why this chapter on interoperability, when LDAP is supposed to be a standard protocol?

● The selling point of LDAP is its potential for consolidating vendor-specific, application-specific directories

● LDAP “minimizes” interoperability problems

● Core features of LDAP are standardized, but things such as schemas are not: many common objects can be extended by vendors

● Protocol can be extended as well

● For each service that can be consolidated into an LDAP directory, there must be a corresponding client-side application to access the old information in the new directory

● This chapter: discuss technologies used to solve these problems

Page 6: OpenLDAP Directory Administration LDAP Interoperability

Interoperability or Integration?

● Directory integration means enabling client applications to access data in an LDAP directory

● Interoperability addresses communication between LDAP servers themselves

● The distinction blurs when one LDAP server becomes the client of another LDAP server

● The first question should always be: what level of integration or interoperability does your application require?

● Some common approaches are listed on the next page

Page 7: OpenLDAP Directory Administration LDAP Interoperability

Interoperability or Integration? (cont.)

Problem: “What can I do if my application doesn't speak LDAP?”
Possible solution: Gateways that translate one directory access protocol into another
Example: The NIS/LDAP gateway presented in Chapter 6

Problem: “How can users in a non-Unix administrative domain access services on Unix hosts?”
Possible solution: Cross-platform authentication services
Example: Authenticating non-Microsoft clients against an Active Directory

Problem: “How can I join information contained in different directories?”
Possible solution: Distributed, multi-vendor directories glued together by referrals and references
Example: Connecting directories from different vendors into a single DIT

Problem: “How can I unify access to the databases and directories held by multiple departments in my organization?”
Possible solution: Meta-directories that provide an integrated view of several disjoint directories and databases
Example: Using an LDAP proxy server to translate entries from a second directory into the format needed by client applications

Problem: “How can I implement replication or synchronization between directories from different vendors?”
Possible solution: Push/pull agents that synchronize information from one directory to another
Example: Custom scripts or in-house tools that pull data from one server and upload it to another directory after translating it into a format the second server understands

Page 9: OpenLDAP Directory Administration LDAP Interoperability

Directory Gateways

● Gateways have existed for a very long time, e.g. between different email formats, network filesystems, etc.

● Examples:

– PADL's ypldapd daemon: from the LDAP server's point of view, the gateway is simply another LDAP client

– NIS/LDAP gateway shipped with Microsoft “Windows Services for Unix (SFU)”

● Provides tools for importing data from a NIS domain into Active Directory

● Main advantage of using a gateway:

– You usually don't have to modify any clients

– This results in a lower cost of administration

● Disadvantages:

– Additional overhead, and clients don't take advantage of LDAP's features

Page 11: OpenLDAP Directory Administration LDAP Interoperability

Cross-Platform Authentication Services

● Not: interoperability between directory services

● But: interoperability between a specific directory service and non-native clients

● E.g.:

– NIS/Active Directory Gateway included in Microsoft's “Services for UNIX”

– PADL's PAM and NSS LDAP modules

– Active Directory + Kerberos 5

Page 13: OpenLDAP Directory Administration LDAP Interoperability

Distributed, Multi-vendor Directories

● LDAP servers from various vendors can be linked into a single, logical, distributed directory

● Why a multi-vendor directory?

– A single-vendor directory may force you to take decisions that you are uncomfortable with

– E.g. say a product (a calendar server) has only been tested with a particular LDAP server; possible solutions:

● Abandon the calendar server

● Replace the existing directory

● Install the LDAP server that supports the calendar application and include it as a subtree of your existing directory framework

– The last option is the only one that makes sense

● How is this any different from the myriad of application-specific directories of the past?

– Here: a single access protocol for clients and admin tools

Page 14: OpenLDAP Directory Administration LDAP Interoperability

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory

– A working OpenLDAP server with naming context dc=plainjoe,dc=org

– Active Directory with DNS domain ad.plainjoe.org; its naming context is dc=ad,dc=plainjoe,dc=org

[Diagram: OpenLDAP (dc=plainjoe,dc=org) and Windows Active Directory (dc=ad,dc=plainjoe,dc=org), linked by a referral to ldap://ldap.plainjoe.org/dc=ad,dc=plainjoe,dc=org and a reference to ldap://ldap.plainjoe.org/dc=plainjoe,dc=org]

Page 15: OpenLDAP Directory Administration LDAP Interoperability

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

– We need to add two knowledge references to this system:

● Point from the Active Directory service to the OpenLDAP server

● Refer client searches from the OpenLDAP server to the Active Directory domain

– The ADSI Edit MMC snap-in is required

● Found in \support\tools on the Windows CD

Page 16: OpenLDAP Directory Administration LDAP Interoperability

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Create the referral from AD to OpenLDAP:

● Must be created inside the cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org container

● Create a new crossRef object

● Add a node named OpenLDAP with an nCName attribute with value dc=plainjoe,dc=org, and a dnsRoot attribute with the value ldap.plainjoe.org

● The corresponding LDIF:

dn: cn=OpenLDAP,cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org
# objectClass line added here; the slide's LDIF omitted it, but an add needs it
objectClass: crossRef
cn: OpenLDAP
nCName: dc=plainjoe,dc=org
dnsRoot: ldap.plainjoe.org

● This instructs the Active Directory server to return a referral of the form ldap://ldap.plainjoe.org/dc=plainjoe,dc=org to clients in response to an LDAP search

Page 17: OpenLDAP Directory Administration LDAP Interoperability

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Add the corresponding knowledge reference to OpenLDAP:

● LDIF of the object to add to OpenLDAP:

dn: dc=ad,dc=plainjoe,dc=org
objectclass: referral
objectclass: dcObject
ref: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org
dc: ad

● ldapadd syntax:

$ ldapadd -D "cn=Manager,dc=plainjoe,dc=org" -w secret -x \
> -H ldap://ldap.plainjoe.org/ -f ad-referral.ldif

Page 18: OpenLDAP Directory Administration LDAP Interoperability

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Testing lookups:

● This search did not follow the referral, so no results are displayed:

$ ldapsearch -H ldap://ad.plainjoe.org/ -x \
> -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
Referral (10)
Additional information: 00002028: RefErr: DSID-031005EE, data 0, 1 access points
	ref 1: 'ldap.plainjoe.org'
Referral: ldap://ldap.plainjoe.org/ou=people,dc=plainjoe,dc=org

Page 19: OpenLDAP Directory Administration LDAP Interoperability

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Testing lookups (cont.):

● This search follows the referral (-C switch):

$ ldapsearch -H ldap://ad.plainjoe.org/ -x -C \
> -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
dn: cn=Gerald Carter,ou=people,dc=plainjoe,dc=org
objectClass: posixAccount
objectClass: account
objectClass: sambaAccount
cn: Gerald Carter
uidNumber: 780
uid: jerry
gidNumber: 100
homeDirectory: /home/queso/jerry
loginShell: /bin/bash
rid: 2560
acctFlags: [UX ]
pwdLastSet: 1018451245

Page 20: OpenLDAP Directory Administration LDAP Interoperability

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Testing lookups (cont.):

● The other way round: search OpenLDAP for data stored in Active Directory

● By default, Active Directory does not support anonymous searches (apart from its rootDSE), hence we only get a referral (test with and without the -C option):

● See more info: single sign-on, Kerberos: cross-platform authentication services

$ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
> -b "dc=ad,dc=plainjoe,dc=org" -LLL -C "(sAMAccountName=kristi)"
# refldap://ad.plainjoe.org/CN=Configuration,DC=ad,DC=plainjoe,DC=org

$ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
> -b "dc=ad,dc=plainjoe,dc=org" -LLL "(sAMAccountName=kristi)"
Referral (10)
Matched DN: dc=ad,dc=plainjoe,dc=org
Referral: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org??sub
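The referral URLs in the searches above, and the two knowledge references on slides 16 and 17 that produce them, follow the LDAP URL format of RFC 4516. The Python below is an added example, not code from the slides, from OpenLDAP or from Active Directory: it parses such URLs, shows how a server's knowledge references turn a search base into the referral it hands back (reproducing the two URLs seen above), and adds the check a client should make before chasing a referral the way ldapsearch -C does. The two-server model, the host allow-list and the hop limit are constructed for this example.

```python
"""LDAP URLs as they appear in referrals (RFC 4516), the referral a server
derives from its knowledge references, and a client-side chase policy.

Added example, not from the slides, OpenLDAP or Active Directory.  The two
servers, the allow-list and the hop limit below are constructed to match the
slides' setup."""
from urllib.parse import unquote, urlsplit

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


def parse_ldap_url(url):
    """Split ldap[s]://host[:port]/dn?attrs?scope?filter into its fields.

    Empty fields take the RFC 4516 defaults: all user attributes, base
    scope and the filter (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # '?' is the field separator in LDAP URLs, so the part after the host is
    # split by hand rather than trusting urlsplit's query handling.
    rest = url.split("/", 3)[3] if url.count("/") >= 3 else ""
    fields = (rest.split("?") + [""] * 4)[:4]
    dn, attrs, scope, flt = (unquote(f) for f in fields)
    if scope not in SCOPES:
        raise ValueError("bad scope %r in %r" % (scope, url))
    return {
        "scheme": parts.scheme,
        "host": (parts.hostname or "").lower(),
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": SCOPES[scope],
        "filter": flt or "(objectClass=*)",
    }


def _rdns(dn):
    # Naive split: fine for the DNs on the slides, not for escaped commas.
    return [p.strip().lower() for p in dn.split(",")]


def referral_for(base_dn, scope, knowledge_refs, append_scope):
    """Referral URL a server returns for a search under base_dn, or None
    when the base lies in a naming context the server holds itself.

    knowledge_refs maps each naming context the server knows to the URL of
    the server holding it (None = held locally); the longest match wins.
    OpenLDAP appends the scope ("??sub") to the rewritten URL, the slides
    show Active Directory returning the bare URL, hence append_scope."""
    base = _rdns(base_dn)
    best_ctx, best_url = None, None
    for ctx, url in knowledge_refs.items():
        rdns = _rdns(ctx)
        if len(rdns) <= len(base) and base[-len(rdns):] == rdns:
            if best_ctx is None or len(rdns) > len(best_ctx):
                best_ctx, best_url = rdns, url
    if best_url is None:
        return None
    target = urlsplit(best_url)
    ref = "%s://%s/%s" % (target.scheme, target.netloc, base_dn)
    if append_scope and scope != "base":
        ref += "??" + scope
    return ref


def should_chase(referral_url, allowed_hosts, hops, max_hops=3):
    """Decide whether a client should follow a referral.

    Chasing blindly lets any server that can answer a query send the client,
    and whatever credentials it rebinds with, to a host of that server's
    choosing, and a cycle of referrals never terminates.  So: trusted hosts
    only, and a hop limit."""
    if hops >= max_hops:
        return False, "referral hop limit (%d) reached" % max_hops
    target = parse_ldap_url(referral_url)
    if target["host"] not in {h.lower() for h in allowed_hosts}:
        return False, "host %r is not in the referral allow-list" % target["host"]
    return True, "chase %s (scope %s)" % (target["host"], target["scope"])


# Constructed model of the two servers on the slides.
OPENLDAP_REFS = {
    "dc=plainjoe,dc=org": None,                                   # held locally
    "dc=ad,dc=plainjoe,dc=org": "ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org",
}
AD_REFS = {
    "dc=ad,dc=plainjoe,dc=org": None,                             # held locally
    "dc=plainjoe,dc=org": "ldap://ldap.plainjoe.org/dc=plainjoe,dc=org",  # the crossRef
}
TRUSTED = ["ldap.plainjoe.org", "ad.plainjoe.org"]

if __name__ == "__main__":
    # Slide 18: the search hits AD and is referred back to OpenLDAP.
    ref = referral_for("ou=people,dc=plainjoe,dc=org", "sub", AD_REFS, False)
    print(ref, should_chase(ref, TRUSTED, 0))
    # Slide 20: the search hits OpenLDAP and is referred to AD.
    ref = referral_for("dc=ad,dc=plainjoe,dc=org", "sub", OPENLDAP_REFS, True)
    print(ref, should_chase(ref, TRUSTED, 0))
```

The allow-list is the part worth keeping from this: a referral is an instruction from the remote server, and a client that rebinds with a password on every hop should only take that instruction from servers it already trusts.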

Page 22: OpenLDAP Directory Administration LDAP Interoperability

Metadirectories

● The term describes any solution that joins distinct, isolated data sources into a single logical volume

● Popular products on the market:

– MaXware MetaCenter (http://www.maxware.com/)

– Siemens DirXmetahub (http://www.siemens.ie/fixedoperators/CarrierNetworks/Meta/dirxmetahub.htm)

– Sun Microsystems SunONE MetaDirectory (http://wwws.sun.com/software/products/meta_directory/home_meta_dir.html)

– Novell's eDirectory and DirXML combination (http://www.novell.com/products/edirectory/)

– Microsoft Metadirectory Services (http://www.microsoft.com/windows2000/technologies/directory/MMS)

● A metadirectory is any directory service that presents an alternative view of a data source

Page 23: OpenLDAP Directory Administration LDAP Interoperability

Metadirectories (cont.)

OpenLDAP's Proxy Backend

– Translates the server's schema into a different view, suitable for a particular application

– No replication or synchronization of data

– E.g. a client expects a directory to provide an email address in the mail attribute; assume an Active Directory where the Kerberos principal name is username@domain (userPrincipalName). It makes no sense to duplicate this information

– Requirements:

● The Active Directory domain must be configured for the DNS domain ad.plainjoe.org

● The DNS name ad.plainjoe.org must resolve to the IP address of an Active Directory domain controller for that domain

● An account named ldap-proxy must be created in AD for use by the proxy server when binding to a Windows DC

Page 24: OpenLDAP Directory Administration LDAP Interoperability

Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

– Supports updating the target via the proxy, and supports ACLs

– This backend is not enabled by default

– Recompile with the ldap backend and rewrite support enabled, then define a new database in slapd.conf:

$ ./configure --enable-ldap --enable-rewrite

database      ldap
suffix        ou=windows,dc=plainjoe,dc=org
uri           ldap://ad.plainjoe.org
suffixmassage ou=windows,dc=plainjoe,dc=org cn=users,dc=ad,dc=plainjoe,dc=org
binddn        cn=ldap-proxy,cn=users,dc=ad,dc=plainjoe,dc=org
bindpw        proxy-secret
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectclass account user
map attribute *

Page 25: OpenLDAP Directory Administration LDAP Interoperability

Metadirectories (cont.)OpenLDAP's Proxy Backend (cont.)

– See the result: query Active Directory directly (the attributes the proxy maps were shown in italics on the original slide)

$ ldapsearch -H ldap://ad.plainjoe.org -x \
> -D ldap-proxy@ad.plainjoe.org -w proxy-secret \
> -b "cn=users,dc=ad,dc=plainjoe,dc=org" -LLL \
> "(sAMAccountName=kristi)"
dn: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: Kristi Carter
countryCode: 0
displayName: Kristi Carter
givenName: Joe
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=plainjoe,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

Page 26: OpenLDAP Directory Administration LDAP Interoperability

Metadirectories (cont.)OpenLDAP's Proxy Backend (cont.)

– (cont.)

objectGUID:: NDHKI8oYFkqN8da3Gl9a5Q==
objectSid:: AQUAAAAAAAUVAAAAEcNfczJiHypDFwoyUwQAAA==
primaryGroupID: 513
pwdLastSet: 126784120014273696
name: Kristi Carter
sAMAccountName: kristi
sAMAccountType: 805306368
sn: Carter
userAccountControl: 66048
userPrincipalName: kristi@ad.plainjoe.org
uSNChanged: 2963
uSNCreated: 2957
whenChanged: 20021006210839.0Z
whenChanged: 20021006210637.0Z

Page 27: OpenLDAP Directory Administration LDAP Interoperability

Metadirectories (cont.)OpenLDAP's Proxy Backend (cont.)

– Now, we issue a similar query to the proxy server, except we look up a uid rather than an Active Directory sAMAccountName:

$ ldapsearch -H ldap://ldap.plainjoe.org -x \
> -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: account
cn: Kristi Carter
uid: kristi
mail: kristi@ad.plainjoe.org

– From the two results, we see that:

objectClass: user
name: Kristi Carter
sAMAccountName: kristi
userPrincipalName: kristi@ad.plainjoe.org

mapped to

objectClass: account
cn: Kristi Carter
uid: kristi
mail: kristi@ad.plainjoe.org

Page 28: OpenLDAP Directory Administration LDAP Interoperability

Metadirectories (cont.)OpenLDAP's Proxy Backend (cont.)

– If you remove the directive that filters out all the attributes that aren't explicitly mapped (map attribute *), the response is slightly different:

– slapd still filters out some attributes because queries are still controlled by the local schema in slapd.conf: unknown attributes are filtered out

$ ldapsearch -H ldap://ldap.plainjoe.org -x \
> -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
cn: Kristi Carter
DisplayName: Kristi Carter
mail: kristi@ad.plainjoe.org
givenName: Kristi
distinguishedName: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: account
cn: Kristi Carter
uid: kristi
sn: Carter
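Slides 24 through 28 show the proxy's configuration and its effect on one entry, with and without the map attribute * directive. The Python below is an added example, not OpenLDAP's back-ldap code: it reads the Active Directory entry from LDIF (including the base64 objectGUID and objectSid values) and applies the suffixmassage and map directives from the slapd.conf above as data, so the two proxied views can be reproduced offline. AD_LDIF is a constructed copy of the entry shown on the slides, and LOCAL_SCHEMA is a constructed approximation of the attribute types the proxy's own schema would define.

```python
"""What the back-ldap 'suffixmassage' and 'map' directives on the slides do
to one Active Directory entry: rewrite the DN suffix, rename attributes and
object classes, drop what the local schema does not know and, with
'map attribute *', everything not explicitly mapped.

Added example, not OpenLDAP's code.  AD_LDIF is a constructed copy of the
entry on the slides; LOCAL_SCHEMA is a constructed approximation."""
import base64

AD_LDIF = """\
dn: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
cn: Kristi Carter
displayName: Kristi Carter
givenName: Joe
distinguishedName: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: NDHKI8oYFkqN8da3Gl9a5Q==
objectSid:: AQUAAAAAAAUVAAAAEcNfczJiHypDFwoyUwQAAA==
name: Kristi Carter
sAMAccountName: kristi
sn: Carter
userAccountControl: 66048
userPrincipalName: kristi@ad.plainjoe.org
"""

# The slapd.conf directives from the slides, as data.
SUFFIX_LOCAL = "ou=windows,dc=plainjoe,dc=org"
SUFFIX_REMOTE = "cn=users,dc=ad,dc=plainjoe,dc=org"
ATTR_MAP = {"uid": "sAMAccountName", "cn": "name", "mail": "userPrincipalName"}
OBJECTCLASS_MAP = {"account": "user"}
# Attribute types known to the proxy's own schema (constructed list).
LOCAL_SCHEMA = {"objectclass", "cn", "sn", "uid", "mail", "givenname",
                "displayname", "distinguishedname", "description"}
DN_SYNTAX = {"distinguishedname"}      # DN-valued attributes get massaged too


def parse_ldif(text):
    """Return (dn, {attr: [values]}) for one LDIF entry; '::' marks base64."""
    dn, attrs, lines = None, {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def massage(dn):
    """suffixmassage: replace the remote naming context with the local one."""
    if dn.lower().endswith(SUFFIX_REMOTE):
        return dn[:len(dn) - len(SUFFIX_REMOTE)] + SUFFIX_LOCAL
    return dn


def _merge(out, name, values):
    # Keep order, drop duplicate values (cn arrives both as cn and as name).
    out[name] = list(dict.fromkeys(out.get(name, []) + list(values)))


def proxy_view(dn, attrs, drop_unmapped):
    """Apply suffixmassage and the map directives to one remote entry.
    drop_unmapped=True models the 'map attribute *' directive being present."""
    attr_reverse = {v.lower(): k for k, v in ATTR_MAP.items()}
    oc_reverse = {v.lower(): k for k, v in OBJECTCLASS_MAP.items()}
    out = {}
    for name, values in attrs.items():
        lname = name.lower()
        if lname == "objectclass":
            _merge(out, "objectClass", [oc_reverse.get(v.lower(), v) for v in values])
        elif lname in attr_reverse:
            _merge(out, attr_reverse[lname], values)
        elif drop_unmapped or lname not in LOCAL_SCHEMA:
            continue            # 'map attribute *', or unknown to the local schema
        else:
            _merge(out, name, [massage(v) if lname in DN_SYNTAX else v for v in values])
    return massage(dn), out


def to_ldif(dn, attrs):
    """Render an entry as LDIF, base64-encoding binary values."""
    lines = ["dn: " + dn]
    for name, values in attrs.items():
        for v in values:
            lines.append("%s:: %s" % (name, base64.b64encode(v).decode())
                         if isinstance(v, bytes) else "%s: %s" % (name, v))
    return "\n".join(lines) + "\n"


def mapped_entry(drop_unmapped):
    """The entry a client of the proxy sees, with or without 'map attribute *'."""
    return proxy_view(*parse_ldif(AD_LDIF), drop_unmapped)


if __name__ == "__main__":
    print(to_ldif(*mapped_entry(True)))       # the slide 27 result
    print(to_ldif(*mapped_entry(False)))      # the slide 28 result
```

Running it prints the two views: with the filter directive only objectClass, cn, uid and mail survive; without it the entry also carries displayName, givenName, sn and a suffix-massaged distinguishedName, while objectGUID, objectSid and userAccountControl are still dropped because the local schema does not define them.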

Page 30: OpenLDAP Directory Administration LDAP Interoperability

Push/pull Agents for Directory Synchronization

● Common tools for synchronizing information between directories

● Single agent pulls information from one directory service and massages the data to make it acceptable for upload to another directory server

● Several directory vendors provide synchronization agents (drivers, connectors, ...)

● Data is often transferred in an XML-based format

[Diagram: Directory A and Directory B, each holding data in its own directory-specific format, joined by a driver/connector that transmits the data in a common format]

Page 31: OpenLDAP Directory Administration LDAP Interoperability

Push/pull Agents for Directory Synchronization (cont.)

● A partial list of commercial connector/driver offerings:

– SunOne's XMLDAP (http://wwws.sun.com/software/products/directory_srvr/)

– Novell's DirXML (http://www.novell.com/products/edirectory/dirxml/)

● Commercial vs. in-house:

– Commercial connectors have inherent knowledge of when data changes in the directory

– Homegrown tools can nevertheless be very useful
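The two slides above describe a push/pull agent as something that pulls from one directory, massages the data, and uploads it to another, and note that a homegrown tool lacks the vendor connector's knowledge of when data changed. The Python below is an added example of such a homegrown agent, not code from the slides or from any vendor's connector: it translates source entries into the target's attribute names, diffs them against the target's current state (the full diff is what replaces change notification), and emits LDIF change records for ldapmodify. SOURCE and TARGET are constructed stand-ins for the results of two LDAP searches.

```python
"""A minimal push/pull agent of the 'homegrown' kind the slides mention:
pull entries from a source directory, translate them into the target's
schema, diff against what the target holds, and emit the LDIF change
records (add / modify / delete) that bring the target in line.

Added example, not from the slides or any vendor's connector.  Both
directories are constructed stand-ins (dicts keyed by login name)."""

# Source side, Active Directory-style attribute names (constructed data).
SOURCE = {
    "kristi": {"name": "Kristi Carter", "sn": "Carter",
               "userPrincipalName": "kristi@ad.plainjoe.org"},
    "jerry": {"name": "Gerald Carter", "sn": "Carter",
              "userPrincipalName": "jerry@ad.plainjoe.org"},
}
# Target side: what OpenLDAP currently holds under TARGET_BASE (constructed).
TARGET = {
    "jerry": {"cn": "Jerry Carter", "sn": "Carter",
              "mail": "jerry@ad.plainjoe.org"},
    "gone": {"cn": "Left Company", "sn": "Company",
             "mail": "gone@ad.plainjoe.org"},
}
TARGET_BASE = "ou=people,dc=plainjoe,dc=org"
RENAME = {"name": "cn", "sn": "sn", "userPrincipalName": "mail"}
TARGET_OBJECTCLASSES = ["top", "person", "organizationalPerson", "account"]


def translate(login, src):
    """Massage one source entry into the target's attribute names."""
    entry = {RENAME[k]: v for k, v in src.items() if k in RENAME}
    entry["uid"] = login
    return entry


def plan_sync(source, target, base, delete_missing=False):
    """Return the change operations that make target match source.

    A homegrown agent gets no change notification from the source, so each
    run is a full diff.  Deletions are opt-in: an entry missing from one
    pull may be a transient read failure rather than a removal, and deleting
    on that basis is how a sync job locks a whole site out."""
    ops = []
    for login, src in sorted(source.items()):
        dn = "uid=%s,%s" % (login, base)
        want = translate(login, src)
        have = target.get(login)
        if have is None:
            want["objectClass"] = list(TARGET_OBJECTCLASSES)
            ops.append({"dn": dn, "changetype": "add", "attrs": want})
            continue
        changed = {k: v for k, v in want.items() if k != "uid" and have.get(k) != v}
        if changed:
            ops.append({"dn": dn, "changetype": "modify", "replace": changed})
    if delete_missing:
        for login in sorted(set(target) - set(source)):
            ops.append({"dn": "uid=%s,%s" % (login, base), "changetype": "delete"})
    return ops


def to_ldif(ops):
    """Render the plan as LDIF change records for ldapmodify."""
    records = []
    for op in ops:
        lines = ["dn: " + op["dn"], "changetype: " + op["changetype"]]
        if op["changetype"] == "add":
            for k, v in op["attrs"].items():
                lines += ["%s: %s" % (k, x) for x in (v if isinstance(v, list) else [v])]
        elif op["changetype"] == "modify":
            for k, v in op["replace"].items():
                lines += ["replace: " + k, "%s: %s" % (k, v), "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(plan_sync(SOURCE, TARGET, TARGET_BASE)))
```

With the sample data the plan is one modify (jerry's cn) and one add (kristi); the stale "gone" entry is left alone unless delete_missing is set, and a second run against an up-to-date target yields an empty plan.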

Page 32: OpenLDAP Directory Administration LDAP Interoperability

Push/pull Agents for Directory Synchronization (cont.)

The Directory Services Markup Language

– XML (Extensible Markup Language) fever has infected LDAP

– DSML (Directory Services Markup Language) = an XML schema for representing LDAP information using document fragments

– DSML v1.0 is really just an attempt at replacing LDIF

– DSML v2.0 (May 2002): new and interesting functionality

● DSML v2.0 is designed to provide methods for representing LDAP queries, updates, and responses in XML

● This allows e.g. embedded devices to access LDAP data without an LDAP client library, using only XML parsing and SOAP

– No concrete examples yet

– More info: http://www.oasis-open.org/committees/dsml/
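The slide gives no DSMLv2 example, so the following is an added one, not from the slides or from any DSML implementation: it wraps the proxy lookup of uid=kristi from the earlier slides in a DSMLv2 searchRequest and turns a DSMLv2 searchResponse back into entries, which is the whole job of a client that has only an XML parser and no LDAP library. The element and attribute names used (batchRequest, searchRequest with dn/scope/derefAliases, filter with equalityMatch, attributes/attribute, batchResponse, searchResponse, searchResultEntry, attr, value, searchResultDone, resultCode) are the DSMLv2 core names as I know them; check them against the OASIS specification before relying on them. SAMPLE_RESPONSE is a constructed response.

```python
"""DSMLv2 in practice: the slides' lookup of uid=kristi as a DSMLv2
searchRequest, and a DSMLv2 searchResponse parsed back into entries.

Added example, not from the slides or any DSML implementation.  Element and
attribute names follow the DSMLv2 core schema as I know it (an assumption
to verify against the OASIS spec); SAMPLE_RESPONSE is constructed."""
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("dsml", DSML_NS)


def _q(tag):
    return "{%s}%s" % (DSML_NS, tag)


def build_search_request(base_dn, attr, value, attributes=(), request_id="1"):
    """Return the XML text of a batchRequest with one equality-match search."""
    batch = ET.Element(_q("batchRequest"))
    req = ET.SubElement(batch, _q("searchRequest"), dn=base_dn,
                        scope="wholeSubtree", derefAliases="neverDerefAliases",
                        requestID=request_id)
    # The filter is structured XML, so the client never assembles an LDAP
    # filter string from the value (no "(uid=" + value + ")" concatenation).
    match = ET.SubElement(ET.SubElement(req, _q("filter")), _q("equalityMatch"), name=attr)
    ET.SubElement(match, _q("value")).text = value
    if attributes:
        wanted = ET.SubElement(req, _q("attributes"))
        for a in attributes:
            ET.SubElement(wanted, _q("attribute"), name=a)
    return ET.tostring(batch, encoding="unicode")


def request_summary(xml_text):
    """Parse a request back, as a DSML gateway does before it talks LDAP."""
    req = ET.fromstring(xml_text).find(_q("searchRequest"))
    match = req.find("%s/%s" % (_q("filter"), _q("equalityMatch")))
    return {
        "dn": req.get("dn"),
        "scope": req.get("scope"),
        "filter": (match.get("name"), match.find(_q("value")).text),
        "attributes": [a.get("name") for a in req.iter(_q("attribute"))],
    }


# Constructed response for the request above, modelled on the proxied entry
# shown on the earlier slides.
SAMPLE_RESPONSE = """\
<batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core">
  <searchResponse requestID="1">
    <searchResultEntry dn="CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org">
      <attr name="objectClass"><value>top</value><value>person</value>
        <value>organizationalPerson</value><value>account</value></attr>
      <attr name="cn"><value>Kristi Carter</value></attr>
      <attr name="uid"><value>kristi</value></attr>
      <attr name="mail"><value>kristi@ad.plainjoe.org</value></attr>
    </searchResultEntry>
    <searchResultDone><resultCode code="0" descr="success"/></searchResultDone>
  </searchResponse>
</batchResponse>
"""


def parse_search_response(xml_text):
    """Return ({dn: {attr: [values]}}, result code) from a searchResponse."""
    # Responses arrive over the network: in production feed them to
    # defusedxml (the Python docs' recommendation for untrusted XML) rather
    # than the stdlib parser, to blunt entity-expansion attacks.
    root = ET.fromstring(xml_text)
    entries = {}
    for entry in root.iter(_q("searchResultEntry")):
        entries[entry.get("dn")] = {
            a.get("name"): [v.text or "" for v in a.findall(_q("value"))]
            for a in entry.findall(_q("attr"))
        }
    done = root.find(".//%s/%s" % (_q("searchResultDone"), _q("resultCode")))
    return entries, (int(done.get("code")) if done is not None else None)


if __name__ == "__main__":
    print(build_search_request("ou=windows,dc=plainjoe,dc=org", "uid", "kristi", ("cn", "mail")))
    print(parse_search_response(SAMPLE_RESPONSE))
```

The structured filter is the security-relevant detail: a client that builds DSML never concatenates user input into an LDAP filter string, so the filter-injection problem of string-built searches does not arise on its side of the gateway.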