LDAP
Lightweight Directory Access Protocol
Raymond Chan
2013
LDAP
● A complex subject
● Promises a common source for information
● Unlimited scalability using a replication model
● Provides fast read performance
● Fine-grained security control over who can do what to what data
● ...
LDAP Overview
● LDAP is a protocol that defines how directory data should be accessed
● Defines and describes how data is represented in the directory service
● Defines how data is loaded into and saved from a directory service using LDIF
● LDAP defines four models related to the directory service: the Information, Naming, Functional and Security Models
Information Model
● Defines how the information or data is represented in an LDAP system
Naming Model
● Uses the “Attribute – Value” syntax, as in 'dc=nad810,dc=com'
Functional Model
● Defines how to read, search, write and modify data stored in a directory service
Security Model
● Defines how to control who can do what to what data
LDAP ≠ Database
● LDAP is a protocol to access directory information, which may be stored in a database
● The data (which may be stored in a database) should be optimized for read access
● LDAP does not need to have knowledge of the physical organization of the directory data
DIT
● Directory Information Tree
– Used to represent an LDAP-enabled directory as a hierarchy of objects
– Each object is called an entry
– The top of the tree is commonly called the root
– Each entry in the tree has one parent entry
– Each entry in the tree can have one or more child entries
– Each child entry is a sibling of its parent's other child entries
– Each entry is composed of one or more objectClasses
objectClass
● Each objectClass contains zero or more attributes
● Each objectClass has a name
● The objectClass defines whether an attribute member is MANDATORY or OPTIONAL
● An objectClass may be a child of another objectClass and inherits all its parent's attributes
Attribute
● Each attribute has a name
● All attributes are members of one or more objectClasses
● Each attribute defines its data type
● Attributes can have single or multiple values
LDAP Implementations
● OpenLDAP
● Microsoft Active Directory
OpenLDAP
● Installation – rpm, source
● Configuration – /etc/openldap/slapd.d
● Testing
– ldapsearch
– slaptest
– ldapadd
– ldapmodify
search
● RootDSE
– DSE – DSA Specific Entry
– DSA – Directory System Agent
ldapsearch -x -s base -b "" +
● Subschema
ldapsearch -x -s base -b "cn=subschema" objectclass

rootDSE
ldapsearch -x -s base -b "" +

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=my-domain,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
...
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
...
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Server Configuration files
● /etc/openldap/slapd.d directory:
– cn=config.ldif
– cn=config/
  ● cn=schema.ldif
  ● olcDatabase={0}config.ldif
  ● olcDatabase={-1}frontend.ldif
  ● olcDatabase={1}monitor.ldif
  ● olcDatabase={2}bdb.ldif
  ● cn=schema/
Server Configuration
● olcDatabase={2}bdb.ldif
– olcRootDN: cn=Manager,dc=ops535,dc=com
– olcSuffix: dc=ops535,dc=com
– olcRootPW: {SSHA}3NVLOWwqIMka30yIYLyGrrkirD0pU0Qx
LDAP client configuration files
● /etc/openldap/ldap.conf
● /etc/ldap.conf
Many options – the two most important are:
● host – IP address of the LDAP server
● base – the naming context
Sample LDIF file

# root dn entry
dn: dc=my-domain,dc=com
dc: my-domain
description: Root LDAP entry
ou: rootobject
objectclass: dcObject
objectclass: organizationalUnit

dn: ou=People,dc=my-domain,dc=com
ou: People
description: People information
objectclass: organizationalUnit
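As an added example (not part of the slides), a small Python parser for the LDIF format shown above, followed by a check of two rules from the DIT slide: every entry carries at least one objectClass, and every entry below the suffix has its parent entry present. The sample input is a constructed copy of the slides' two entries with one folded continuation line added; base64 (`::`) values and change records are not handled.

```python
import re
from collections import defaultdict
# Constructed sample: the slides' two entries, plus a folded line ("  information").
SAMPLE_LDIF = """\
# root dn entry
dn: dc=my-domain,dc=com
dc: my-domain
description: Root LDAP entry
ou: rootobject
objectclass: dcObject
objectclass: organizationalUnit

dn: ou=People,dc=my-domain,dc=com
ou: People
description: People
  information
objectclass: organizationalUnit
"""

def parse_ldif(text):
    """Return [(dn, attrs)]; attrs maps lower-cased attribute names to value lists."""
    text = re.sub(r"\n ", "", text)                    # unfold: newline + space
    entries = []
    for record in re.split(r"\n\s*\n", text.strip()):  # blank lines separate entries
        dn, attrs = None, defaultdict(list)
        for line in record.splitlines():
            if line.startswith("#"):                   # comment line
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)              # attributes are multi-valued
        if dn is not None:                             # comment-only records are skipped
            entries.append((dn, dict(attrs)))
    return entries

def dit_problems(entries, suffix):
    """DIT rules from the slides: an objectClass per entry, and a parent in the file."""
    dns = {dn.lower() for dn, _ in entries}
    problems = [f"{dn}: no objectClass" for dn, a in entries if not a.get("objectclass")]
    for dn, _ in entries:
        parent = dn.partition(",")[2].lower()
        if dn.lower() != suffix.lower() and parent not in dns:
            problems.append(f"{dn}: parent {parent!r} not in file")
    return problems
```

Running `dit_problems(parse_ldif(SAMPLE_LDIF), "dc=my-domain,dc=com")` returns an empty list; dropping the root entry from the input reports the People entry as lacking its parent.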
Useful commands
● ldapsearch
● ldapadd
● ldapmodify
Off-line commands
● slapcat
● slapadd