LDAP : Theory and OpenLDAP implementation

LDAP

Theory and OpenLDAP implementation

1

La 1ère école 100 % dédiée à l'open source

Open Source School est fondée à l'initiative de Smile, leader de l'intégration et de l'infogérance open source, et de l'EPSI,établissement privé pionnier de l’enseignement supérieur en informatique.

Dans le cadre du Programme d’Investissements d’Avenir (PIA), le gouvernement français a décidé de soutenir la création de cette école en lui attribuant une première aide de 1,4M€ et confirme sa volonté de soutenir la filière du Logiciel Libre actuellement en plein développement.

Avec une croissance annuelle de plus de 10%, et 4 000 postes vacants chaque année dans le secteur du Logiciel Libre, OSS entend répondre à la pénurie de compétences du secteur en mobilisant l’ensemble de l’écosystème et en proposant la plus vaste offre en matière de formation aux technologies open source tant en formation initiale qu'en formation continue.

2

Les formations du plein emploi !

Formation Continue

Open Source School "Executive Education" est un organisme de formation agréé qui propose un catalogue de plus de 200 formations professionnelles et différents dispositifs de reconversion permettant le retour à l’emploi (POE) ou une meilleure employabilité pour de nombreux professionnels de l’informatique.

Pour vos demandes : [email protected]

Formation Initiale

100% logiciels libres et 100% alternance, le cursus Open Source School s’appuie sur le référentiel des blocs de compétences de l’EPSI.Il est sanctionné par un titre de niveau I RNCP, Bac+5. Le programme est proposé dans 6 campus à Bordeaux, Lille, Lyon, Montpellier, Nantes, Paris.

mailto:[email protected]

3

Nos domaines de formations

Introduction Anatomy of a LDAP directory OpenLDAP: A LDAP implementation Lab : Install an OpenLDAP server Working with LDAP servers Extending LDAP

Plan

1 Introduction

2 Anatomy of a LDAP directory

3 OpenLDAP: A LDAP implementation

4 Lab : Install an OpenLDAP server

5 Working with LDAP servers

6 Extending LDAP

www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/62


Introduction



Directories

Directories



Directories

What is a Directory ?

The simple answer

Large information base, mostly for read access



Directories

Directory Examples

A few examples

People: white pagesOrganizations: yellow pagesComputers: DNS



Directories

A Directory: what for ?

Authentication and authorization on systems or applications

Group maintainance

Privileges maintainance

Address books

Organization chart

. . .



History of LDAP

History of LDAP



History of LDAP

History of LDAP: The Genesis

The X500 standards

Created in the 80s, based on 70 years of electronic directoriesfrom telephone companiesX500 directories are supposed to be accessed utins theDirectory Access ProtocolProblem : DAP was based on the OSI stack, which neverreally took off

Lightweight DAP (LDAP) was created to access directories overthe TCP/IP stack



History of LDAP

History of LDAP: Standardization

LDAP became an IETF (Internet Engineering Task Force)standard in 1997

Now, most servers only do LDAP

OpenLDAP (the reference)Netscape Directory Server (the dinosaur)

SunONE389 Directory Server

Apache Directory Server , OpenDS (the youngsters)Microsoft Active Directory (the ugly)

Current protocol version : LDAP v3

LDAP v2 deprecated since 2003



Anatomy of a LDAP directory



Directory Information Tree






LDAP = access protocol, but what do we access?

X500 standard: The Directory: Overview of concepts, modelsand services

X500 is based around a single Directory Information Tree

Hierarchical structureHas a rootEvery entity can be a node or a leafEach entity has only one path




DIT Structure

In a branch, an entity is known by itsRelative Distinguished Name (RDN)In the whole directory, its known by itsDistinguished Name (DN)

Simply a comma-separated list of theRDNs of all nodes on its (unique) path



LDAP Entities

LDAP Entities



LDAP Entities

LDAP Entities: Commons properties

Object orientation (classes, attributes, objetcts, inheritance,etc. . . )

Attributes are defined by a schema

The schema itself is hierarchical through inheritance, but theschema hierarchy has nothing to do with the object hierarchy(DIT)

Values are strongly typed

Standard classes and attributes are directory-oriented



LDAP Entities

LDAP Entities: Classes

Simple inheritance

Class types

AbstractStructural: defines the meaning of the objectAuxiliary: allows to add attributes to an object (composition)

Classes are lists of attributes

Mandatory attributesOptional attributes



LDAP Entities

LDAP Entities: Attribute

Simple Inheritance

Example: surname attribute type inherits from name attribute

Defined outside the class

Can be used by different classes

May have multiple names

Usually a short and a long nameExample: commonName and cn

Can be multi-valued

Single valued: first name, UIDMultivalued: group membership, email aliases



LDAP Entities

LDAP Entities: Attribute syntax

Syntax: defines the attribute type

IntegerString (UTF-8 only)Telephone NumberDateBinary data

Standardized on a specific tree

Example OID (Object ID): 1.3.6.1.4.1.1466.115.121.1.15http://www.rfc-editor.org/rfc/rfc2252.txt



LDAP Entities

LDAP Entities: Matching rule

Matching rule on attribute value

Defines how values are comparedFor equality or substringsSortingExamples :

caseExactMatch (toto == toto)caseIgnoreMatch (toto == ToTO)telephoneNumberMatch ( 04 99 77 20 19 = 04-99-77-20-19)



LDAP Entities

LDAP Entities: Object structure

Object

Instances of one or more classes (object composition)

Can only have one structural classAnd as many auxiliary classes as wantedExample: person, posixAccount, sambaAccount



LDAP Entities

LDAP Entities: Object definitionObject Definition

Have a special “objectClass” attribute

Defines which classes the object belongs toAll objects must have at least one objectClass“objectClass” does not belong to any class

The RDN of the object is one of its attributes

Format: attr name=value

ExamplesUser :

uid=bejac

Computer :

hostname=myserver

Example DN

dn: uid=bejac,department=DT,locality=levallois,organization=smile



LDAP vs RDBMS

LDAP vs RDBMS



LDAP vs RDBMS

LDAP vs RDBMSWhy choose LDAP over a RDBMS

Standard protocolAll databases have different access protocolsSQL is NOT an access protocol

Many LDAP implementations

Very rich on data validation and structure

Native structure is close to most organization’s structure

Hierarchical

Very fast reads

Efficient lookup of different objects with common attributes

Usually does not require adaptation of the directory to anapplication

Standard schemas and classes offer a wide range of commonuse cases.



LDAP vs RDBMS

LDAP vs RDBMS

However, LDAP is not recommended if

Its only used for one applicationMany relations between objectsLots of edits/inserts/deletes



Standard object classes





Standard object classes: inetOrgPerson

inetOrgPerson : user accounts in a company




Standard object classes: groupOfNames

groupOfNames : groups




Standard object classes: organizationalUnitorganizationUnit : branches



OpenLDAP: A LDAP implementation



OpenLDAP

OpenLDAP is a software project that provides

A LDAP server : slapd

A LDAP client library : libldap

Command line LDAP tools : ldap-utils



Setting up slapd

Setting up slapd



Setting up slapd

Setting up slapd

On Debian

aptitude install slapd

/etc/init.d/slapd stop

rm -rf /etc/ldap/slapd.d

cp /usr/share/doc/slapd/examples/slapd.conf /etc/ldap

In /etc/ldap/slapd.conf

Replace @BACKEND@ with hdb

Replace @SUFFIX@ with dc=lxc

Replace @ADMIN@ with cn=admin, dc=lxc

Comment out rootdnAdd the following line below rootdn

rootpw "admin"

/etc/init.d/slapd start



Setting up slapd

Setting up slapd

Config directory (/etc/ldap/slapd.d)

All config edits must be done through LDAP operations

Harder to maintainPowerful

Don’t use it if you’re not extremely familiar with OpenLDAP

Config file (/etc/ldap/slapd.conf)

Easier to maintain (in only one place)Edits via any text editor



Setting up slapd

Setting up slapd

Config file useful parameters

suffix : base of your DITrootdn/rootpw : admin credentialsACLs

access to *

by dn="cn=admin,dc=mondomain" write

by * read

admin can write everythingeverybody else can only read



LDAP Clients

LDAP Clients



LDAP Clients

LDAP Clients

Desktop clients :JXPlorer:

Use java libs to connect, allowing to check if your java appswill have working LDAPhttp://www.jxplorer.org/

Apache Directory Studio:

RCP (based on Eclipse)Intended to be used with ApacheDSGreat for any other server toohttp://directory.apache.org/studio/Or as an eclipse plugin :http://directory.apache.org/studio/update/1.x



LDAP Clients

LDAP Clients

phpLDAPAdmin:

Web clientUses a templating system to easy entry administration

Very customizable, great for integration as an easy admin toolfor a client

Nice schema browserInstallation

PHP 5 LDAP + Debian :

# aptitude install php5-ldap phpldapadmin



Lab : Install an OpenLDAP server



Practice

Install OpenLDAP

Create two branches

Create two users in one of the branches

In the other branch, create a group for the two users



Working with LDAP servers



Data modification with LDIF





The LDIF format 1/5

LDIF = LDAP Directory Interchange Format

Serialized data format for exchange of information betweendirectoriesStandard, does not depend on a particular directory (but itscontent can)Similar in purpose to SQL

Knowledge of this format is mandatory when working withLDAP

man ldif

Two types of recordsEntry record

Contains an image of the data

Change record

Contains a set of operations to perform




The LDIF format 2/5Entry LDIF

Describes data from a directory (import/export)

Format

Simple and understandable by both computers and humans(take that, XML!)ASCII (no funny characters)

Syntax:

Entities are separated by a blank line

One attribute per line

attribute name: valueif the value can be encoded as an ASCII string (numbers, asciistrings, etc.)attribute name:: base 64 value

If the value cannot be encoded as ASCII (UTF-8 string, binarydata)




The LDIF format 3/5

Entry LDIF example

dn: uid=mapal,ou=people,dc=smile,dc=fr

objectClass: inetOrgPerson

uid: mapal

cn: Marc Palazon

sn: Palazon

dn: uid=cychi,ou=people,dc=smile,dc=fr

objectClass: inetOrgPerson

uid: cychi

cn: Cyrille Chignardet

sn: Chignardet




The LDIF format 4/5Change LDIF

Only modificationsModifications are separated by a ligne containing only a -(dash)New attributes can be used to describe operations

Syntaxchangetype: modify

add, replace, delete attributeadd:replace:delete:

changetype: deleteDelete object

changetype: modrdnRename object

newrdn:newsuperior:




The LDIF format 5/5

Change LDIF example

dn : cn=Babs Jensen , dc=example , dc=comc h a n g e t y p e : modi fyadd : givenNamegivenName : BarbaragivenName : babs−r e p l a c e : d e s c r i p t i o nd e s c r i p t i o n : t h e f a b u l o u s babs−d e l e t e : snsn : j e n s e n−

dn : cn=Babs Jensen , dc=example , dc=comc h a n g e t y p e : modrdnnewrdn : cn=Barbara J Jensenn e w s u p e r i o r : ou=People , dc=example , dc=com

dn : cn=Barbara J Jensen , ou=People , dc=example , dc=comc h a n g e t y p e : d e l e t e



Data retrieval with searches





LDAP searches 1/2

4 elements are needed (base, scope, filter and attributes)

base

Node of the DIT under which search will occur

scope

sub: all objects under the basebase: only the base itselfone: only its immediate childs (but not the node itself)




LDAP searches 2/2Filter

Basic expression: attribute=value

used for “any value” or substringing

Examples:

cn=admin

cn=admi*

cn=*

Can use logic operators

AND (&), OR (|) , NOT (!)Polish notation + parenthesis = “I Can’t Believe It’s NotLisp!” :

(&(attr1 = val1)(attr2 = val2))

(& (attr3 = val3) (|(attr1 = val1)(attr2 = val2)))

Attributes

Attributes to return from results (all by default)



OpenLDAP client tools





Client OpenLDAP tools

ldapsearch

-H <url> (ldap:// or ldaps://)-x : skip SASL and use simple authentication-D <user DN>-w <password> (-W to prompt)-b <base>-s <base|one|sub> (scope)<filter><attributes>

ldapmodify

Same parameters to specify the connection-a (add new entries) = ldapadd-f <ldif file>



OpenLDAP server tools






Careful: they alter the database directly

Stop the server first!

Directory export (incl. metadata)

slapcat > export.ldif

Directory import

slapadd -l import.ldifIf you want to re-import everything:

First delete /var/lib/ldap/*

Always run slapadd as openldap user



Extending LDAP



Schemas

Schemas



Schemas

LDAP schemas 1/4

Every element (syntax, attribute, class, rule) has an ObjectIDentifier (OID)

The OID is a worldwide hierarchical database using the ASN.1format

Example: 1.3.6 = iso.org.dod

It has nothing to do with the DIT or the objectClass hierarchyRegulated by Internet Assigned Numbers Authority (IANA)Anybody can get a Private Enterprise Number from IANA

Register at http://pen.iana.org/pen/PenApplication.pageSee: http://www.iana.org/assignments/enterprise-numbersPrefix for PEN: 1.3.6.1.4.1Smile: 1.3.6.1.4.1.37413Browse the OID tree at http://www.oid-info.com/

You can also use 2.999, intented for documentation



Schemas

LDAP schemas 2/4

Defining a class

RFC4512 Object Class Description

O b j e c t C l a s s D e s c r i p t i o n = ”(” whspn u m e r i c o i d whsp ; O b j e c t C l a s s i d e n t i f i e r[ ”NAME” q d e s c r s ][ ”DESC” q d s t r i n g ][ ”OBSOLETE” whsp ][ ”SUP” o i d s ] ; S u p e r i o r O b j e c t C l a s s e s[ ( ”ABSTRACT” / ”STRUCTURAL” / ”AUXILIARY” ) whsp ] ; d e f a u l t s t r u c t u r a l[ ”MUST” o i d s ] ; A t t r i b u t e T y p e s[ ”MAY” o i d s ] ; A t t r i b u t e T y p e swhsp ”)”

Example:

o b j e c t c l a s s ( 2 . 5 . 6 . 6 NAME ’ person ’DESC ’ RFC2256 : a person ’SUP top STRUCTURALMUST ( sn $ cn )MAY ( u s e r P a s s w o r d $ te lephoneNumber $ s e e A l s o $ d e s c r i p t i o n

) )



Schemas

LDAP schemas 3/4

Defining an attribute

RFC4512 Attribute Type Description

A t t r i b u t e T y p e D e s c r i p t i o n = ”(” whspn u m e r i c o i d whsp ; A t t r i b u t e T y p e i d e n t i f i e r[ ”NAME” q d e s c r s ] ; name used i n A t t r i b u t e T y p e[ ”DESC” q d s t r i n g ] ; d e s c r i p t i o n[ ”EQUALITY” woid ; Matching Rule name[ ”ORDERING” woid ; Matching Rule name[ ”SUBSTR” woid ] ; Matching Rule name[ ”SUP” woid ] ; d e r i v e d from t h i s o t h e r A t t r i b u t e T y p e[ ”SYNTAX” whsp n o i d l e n whsp ] ; Syntax OID[ ”SINGLE−VALUE” whsp ] ; d e f a u l t m u l t i−v a l u e dwhsp ”)”

Exemple:

a t t r i b u t e t y p e ( 2 . 5 . 4 . 1 7 NAME ’ posta lCode ’DESC ’ RFC2256 : p o s t a l code ’EQUALITY c a s e I g n o r e M a t c hSUBSTR c a s e I g n o r e S u b s t r i n g s M a t c hSYNTAX 1 . 3 . 6 . 1 . 4 . 1 . 1 4 6 6 . 1 1 5 . 1 2 1 . 1 . 1 5{ 4 0} )



Schemas

LDAP schemas 4/4

OpenLDAP schemas

Flat files in /etc/ldap/schema

include in slapd.confExamples:

include /etc/ldap/schema/nis.schema

include /etc/ldap/schema/inetorgperson.schema



How to design your DIT






You need a deep understanding of how the directory will beused

Many possibilities

You can use attributes, groups or structure to make sense ofthe data

Simple model: one branch for people, one branch for groups

OU model:

Example: by business unitExample: by activity (sales, production. . . )Example: by hierarchy

Geographical model (by location. . . )


LDAP : Theory and OpenLDAP implementation

Technology

Transcript of LDAP : Theory and OpenLDAP implementation