LDAP Applied Fran Fabrizio Sr. Systems Administrator Dept. of Computer & Information Sciences U of Alabama at Birmingham EuroOSCON Amsterdam, The Netherlands October 17-20, 2005

LDAP Applied (EuroOSCON 2005)


This talk....

WILL
● Briefly review LDAP concepts
● Cover common uses of LDAP
● Present examples of advanced usage
● Hopefully inspire you to use LDAP!

WILL NOT
● Show you how to install LDAP
● Teach you how to configure LDAP in specific OSes
● Give all the details needed to use LDAP
● Leave you disappointed (hopefully!)

Link to Slides
● These slides are available now online at http://www.cis.uab.edu/fran/ if you wish to follow along
● They will also be available after the conference on the conference web site

Getting to Know the Audience
● How many of you know what LDAP is?
● How many of you are using LDAP right now?
● How many of you are using it for something other than user authentication or email address books?

Brief Review of LDAP

What is it? What does it look like?

Common Usage

What is LDAP?
● Lightweight Directory Access Protocol
● A standard protocol for accessing directory services
● Also used to refer to the directories being accessed
● Based on the X.500 specification
● Represents hierarchical information in entries consisting of a collection of attributes with a unique, or distinguished, name

No really, what is LDAP?
● It's a good way to store data that is:
– Mostly read access
– Needed by many machines/services on the network
– Generally represents collections of entities common in large organizations
● User and Group Accounts
● Computers
● Email Addresses and Contact Information
● Departments and Business Units

LDAP Structure

● An object class defines the valid attributes and properties for an entry

● A set of related object classes forms a schema. For example, you may have a schema to represent the users in a university department.

● Distinguished names similar to DNS. Ex: ou=People,dc=eurooscon,dc=example,dc=com

● LDIF (Lightweight Directory Interchange Format)

LDIF Example

dn: uid=test,ou=People,dc=eurooscon,dc=example,dc=com
cn: Test User
uid: testuser
uidNumber: 501
loginShell: /bin/sh
homeDirectory: /home/testuser
gidNumber: 100
userPassword:: e2NyeXB0fVRYaHRIa05GOUdBSWc=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowLastChange: 13072
givenName: Test
sn: User
gecos: Test User

More on LDAP structure
● One entry can have multiple classes
– only one can be structural (inetOrgPerson)
– the rest are auxiliary
● For each class, there is a set of required attributes and a set of optional attributes.
– If you are a posixAccount, you must have a uid and may have a description
● Each entry will have a unique distinguished name to reference it

Common Uses of LDAP
● User Directories: email addresses, students
● User Accounts: Centralizing accounts, access control, groups
● Inventory Catalogs: machines, offices
● Network Service Backend: DNS, Email
● Usually NOT a replacement for relational data

LDAP Applied

Various Ways To Apply LDAP to Solve IT Problems

Migrating User Accounts to LDAP
● Why do you want to do this?
● To centralize user accounts
● To modernize from some other network account store (e.g. NIS)
● Eliminate duplication of data (already using LDAP for corporate address book?)
● To better scale to the needs of a growing organization

Migrating User Accounts to LDAP
● NIS/NIS+ to LDAP, or /etc/passwd to LDAP
● PADL.com MigrationTools scripts
– May need to be modified
● General solution:
– produce LDIF
– Import into LDAP with ldapadd and ldapmodify

Migrating User Accounts to LDAP
● posixAccount – a standard LDAP schema to represent user accounts
● Demo: migrate_passwd.pl

nisSchema.2.0 NAME 'posixAccount'
  SUP top AUXILIARY
  DESC 'Abstraction of an account with POSIX attributes'
  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
  MAY ( userPassword $ loginShell $ gecos $ description )
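As an added example (not the migrate_passwd.pl from the talk), this script does the "produce LDIF, then ldapadd" step for /etc/passwd: it emits posixAccount entries, refuses an entry that lacks any of the schema's MUST attributes, omits MAY attributes that are empty, and base64-encodes (the `::` form) any value that is not an RFC 2849 safe string. The sample passwd lines and the ou=People base are constructed for the example.

```python
import base64

# posixAccount MUST attributes, from the nisSchema definition on the slide
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample /etc/passwd lines (not real accounts); the third has a
# non-ASCII GECOS field and no shell, which exercises the edge cases below.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
testuser:x:501:100:Test User:/home/testuser:/bin/sh
noshell:x:502:100:Nö Shell:/home/noshell:
"""

def ldif_attr(name, value):
    """One LDIF line; use 'name::' plus base64 when the value is not an RFC 2849
    SAFE-STRING (non-ASCII, NUL/CR/LF, leading space/':'/'<', trailing space)."""
    safe = (value.isascii() and not any(c in value for c in "\0\r\n")
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")

def passwd_to_ldif(passwd_text, base_dn, min_uid=500):
    """Turn /etc/passwd lines into posixAccount+shadowAccount LDIF for ldapadd.
    Accounts below min_uid (system accounts) are skipped; userPassword is not
    emitted because the hash lives in /etc/shadow, not /etc/passwd."""
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        attrs = [("dn", f"uid={name},ou=People,{base_dn}"),
                 ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
                 ("cn", gecos.split(",")[0] or name), ("uid", name),
                 ("uidNumber", uid), ("gidNumber", gid), ("homeDirectory", home)]
        # MAY attributes: only emit them when /etc/passwd actually has a value
        if shell:
            attrs.append(("loginShell", shell))
        if gecos:
            attrs.append(("gecos", gecos))
        present = {n for n, v in attrs if v}
        missing = [a for a in POSIX_MUST if a not in present]
        if missing:
            raise ValueError(f"{name}: posixAccount MUST attributes missing: {missing}")
        entries.append("\n".join(ldif_attr(n, v) for n, v in attrs))
    return "\n\n".join(entries) + "\n"
```

Feed the output to `ldapadd -x -D <admin dn> -W -f accounts.ldif`, after adding the userPassword values from /etc/shadow.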

Activating LDAP-Based Logins
● pam_ldap (from PADL.com) inserts into the PAM authentication stack and partners with nss_ldap (also PADL.com) to provide authentication against LDAP
● Seamlessly authenticates both local and LDAP-based users
● Many distros automate configuration (e.g. Fedora)
● Demo: pam_ldap configuration

Integrating LDAP and Email
● Client Side - why?
– Address Book lookups in LDAP
– Autocompletion of partial email addresses
● Server Side - why?
– Store white/blacklists
– virtual mailboxes
– Aliases
– User preferences
● Add the inetOrgPerson schema to LDAP entries

LDAP and Email - Client
● Demo: Thunderbird and LDAP
● Many other email clients support LDAP lookups
– Outlook, Outlook Express, Netscape, Pine, Eudora, Evolution, SquirrelMail, Mac Mail, etc...
● Clients can use LDAP for other things besides just address lookups
– ex. SquirrelMail (web mail) has a plugin to store user preferences in LDAP.

LDAP and Email - Server
● Many email servers can integrate with LDAP
● Alias lookups (Postfix), in main.cf (all on one line):

alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf

ldap-aliases.cf contains:

server_host = 192.168.139.128
search_base = dc=eurooscon,dc=example,dc=com

● Now, Postfix can deliver to both local and LDAP user mail aliases

LDAP and Email - Server
● Postfix expects a certain LDAP schema to support this (these names are configurable)

dn: cn=Accounting Staff List, dc=my, dc=com
cn: Accounting Staff List
o: my.com
objectclass: maillist
mailacceptinggeneralid: accountingstaff
mailacceptinggeneralid: accounting-staff
maildrop: mylist-owner
maildrop: an-accountant
maildrop: some-other-accountant
maildrop: this, that, theother

LDAP and Email - Server
● Common usage is virtual mailboxes (e.g. ISP)
● Another common usage is to rewrite addresses

[email protected]@eurooscon.example.com

● Sendmail, Exim, Courier, Courier-IMAP, Cyrus, uw-imap, and Qmail (and many others) all support integration with LDAP to various degrees

LDAP and Web-Based Resources
● Authenticate users to gain access to restricted parts of web site
● mod_auth_ldap – Apache module
● User-based and group-based authentication

Using LDAP with Apache
● Apache 2.0 ships with mod_auth_ldap
● Restrict access to a directory with Location

<Location /protected>
  AuthName "Protected Directory"
  AuthType basic
  AuthLDAPURL ldap://ldap.cis.uab.edu:389/ou=People,dc=cis,dc=uab,dc=edu
  require valid-user
  # OR require group membership instead
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  require group cn=admin,ou=group,dc=eurooscon,dc=example,dc=com
</Location>

Using LDAP with Apache
● Demo: valid-user access
● Demo: group access

Advanced Apache/LDAP Integration
● Fancy filters (the URL is host/base?attribute?scope?filter, so a filter needs three ? before it)

AuthLDAPURL ldap://eurooscon.example.com:389/ou=people,dc=eurooscon,dc=example,dc=com???(|(pagerID=*)(uid=fran))

● Demo: Fancy Filters Example – "LDAP Applied Attendees Only"

Fancy Filter Example
● Configuration for the demo...

<Location /ldapapplied>
  AuthType basic
  AuthName "LDAP Applied Attendees Only"
  AuthLDAPURL ldap://192.168.139.128/ou=people,dc=eurooscon,dc=example,dc=com?uid??(comExampleEuroosconSession=LDAPApplied)
  require valid-user
</Location>
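As an added example (not part of the talk or of mod_auth_ldap itself), this Python splits an AuthLDAPURL into its host/base/attribute/scope/filter parts with the module's documented defaults, builds the user lookup filter the way the module combines them, `(&(filter)(attribute=user))`, and shows the two checks a defender cares about: the user name taken from the HTTP Basic credentials is escaped per RFC 4515 before it goes into the filter, and `require group` compares the group's member attribute against either the user's DN or the bare uid depending on AuthLDAPGroupAttributeIsDN. The group entry and DNs in the test are constructed.

```python
from urllib.parse import urlsplit, unquote

def parse_auth_ldap_url(url):
    """Split ldap://host[:port]/basedn?attribute?scope?filter; missing parts take
    mod_auth_ldap's documented defaults (uid, sub, (objectClass=*))."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {u.scheme!r}")
    extra = u.query.split("?") if u.query else []   # attribute, scope, filter
    extra += [""] * (3 - len(extra))
    attr, scope, flt = (unquote(x) for x in extra[:3])
    if scope not in ("", "base", "one", "sub"):
        # the common mistake: a filter written after only two '?' lands here
        raise ValueError(f"bad scope {scope!r}: a filter needs three '?' before it")
    return {"host": u.hostname, "port": u.port or (636 if u.scheme == "ldaps" else 389),
            "base": unquote(u.path[1:]), "attribute": attr or "uid",
            "scope": scope or "sub", "filter": flt or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: '*', '(', ')', '\\' and NUL
    become \\xx so a user-supplied name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)

def user_search_filter(url, username):
    """The effective lookup filter: (&(<url filter>)(<attribute>=<escaped user>))."""
    cfg = parse_auth_ldap_url(url)
    return f"(&{cfg['filter']}({cfg['attribute']}={escape_filter_value(username)}))"

def group_allows(group_entry, username, user_dn, member_attr="memberUid", is_dn=False):
    """'require group' check: with AuthLDAPGroupAttributeIsDN off the group's
    member values are compared with the uid, with it on they are compared with
    the user's DN. Comparison is case-insensitive, as uid is caseIgnore in LDAP."""
    wanted = (user_dn if is_dn else username).lower()
    return any(v.lower() == wanted for v in group_entry.get(member_attr, []))
```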

Extending LDAP Schemas
● Last slide implies attribute comExampleEuroosconSession with a value of "LDAPApplied" exists for some users
● How'd that work? We extend the LDAP Schema...
– Store information custom to your environment

local.schema
● We define a local schema for this attribute in a file called local.schema:

attributetype ( 1.3.6.1.4.1.7341.999.2.1
  NAME 'comExampleEuroosconSession'
  DESC 'a session at EuroOSCON'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.7341.999.1.1
  NAME 'comExampleEuroosconAttendee'
  DESC 'optional class to represent EuroOSCON sessions'
  AUXILIARY
  MAY comExampleEuroosconSession )

The "1.3.6.1.4.1.7341.999.2.1" is an OID, a unique LDAP object identifier. More information is available at http://www.iana.org/. This one was taken from my workplace. You probably don't need to use them, but I do just to be complete.

local.schema continued
● We tell the LDAP server to include this in its known schemas

include /etc/openldap/schema/local.schema

● Now LDAP user entries can have:
– comExampleEuroosconAttendee – optional auxiliary class
– comExampleEuroosconSession – optional attribute within that class

LDAP and DNS
● Storing DNS tables in LDAP instead of flat files
● Bind, tinydns, PowerDNS and others support this
● dnsZone structural object class
● zone2ldap tool with bind will convert flat files to LDAP

Scripting LDAP

Getting at LDAP from various languages

LDAP and Perl
● From Perl, use Net::LDAP

use Net::LDAP;
my $ldap = Net::LDAP->new('ldap.eurooscon.com') or die "$@";
my $msg = $ldap->bind;    # anonymous bind
$msg = $ldap->search( base => "dc=example,dc=com", filter => "(objectClass=*)" );
$msg->code && die $msg->error;

my $result = $ldap->add( "cn=fran,ou=People,dc=uab,dc=edu",
    attr => [ cn   => ['Fran Fabrizio'],
              mail => ['[email protected]'],
              # etc..... (objectClass and the remaining attributes follow)
            ] );
$result->code && die $result->error;

LDAP and Perl● Demo: Adding a User from Perl

LDAP and PHP
● PHP has an LDAP API

<?php
$ldap = ldap_connect('ldap.cis.uab.edu');
$result = ldap_bind($ldap);    // anonymous bind
$search = ldap_search($ldap, 'dc=cis,dc=uab,dc=edu', 'sn=Fabr*');
$data = ldap_get_entries($ldap, $search);
$result = ldap_add($ldap, $dn, $entry);    // ..... $dn string and $entry attribute array as needed

Programmatic LDAP - Others
● Java
– Support through the JNDI or JLDAP (openldap.org)
● C
– OpenLDAP's C API
● Ruby
– Ruby-ldap
● Python
– Python-ldap

LDAP and Relational Data
● Would be neat to do queries that link LDAP and relational data
– Example: CIS Web Site
● dblink-ldap – http://pgfoundry.org/projects/dblink-ldap/
– beta project to provide LDAP data as a table/view within PostgreSQL
● Microsoft has OLE DB Provider for Directory Services – access AD with SQL queries

LDAP and Windows

Strategies for LDAP in a multiplatform environment

Strategy 1: AD -is- LDAP
● Active Directory -is- an LDAP version 3 server
● AD can import LDIF
– Ldifde.exe included with Windows Server 2003 and supports batch LDIF operations
● Can also script from VBScript
● AD4Unix is a plugin (sf.net/projects/ad4unix) that adds Unix attributes to AD and manages them through AD Users and Computers MMC.
● pam_ldap can auth against AD

Strategy 1: AD -is- LDAP
● This model can be expanded to allow pam_ldap to update user passwords in AD
● Additionally, nss_ldap can also talk to AD, but is expecting Unix-like attributes for home dirs, uid/gid, shells, etc...
– Installing MS's Services for Unix installs the NIS server, which has the side effect of doing this for you
– Or, extend the schema yourself – install MKSADExtPlugin, and register the Active Directory Schema MMC to set the option to allow schema edits

Strategy 2: Migrate AD to LDAP
● ldifde.exe can export AD forest
● Unless you plan to use Kerberos authentication with your LDAP server, you'll need to reset users' passwords
● This will also require alteration of the LDIF that Microsoft produces to be more Unix friendly
● pGina can authenticate Windows clients against Unix LDAP server

Strategy 2: pGina
● pGina is an open source replacement for Microsoft's Gina (Graphical Identification and Authentication)
● Allows Windows clients to authenticate against various sources via a plugin architecture
– including LDAP, of course
● Highly customizable
● Demo: pGina

Monitoring LDAP
● Reading LDAP logs
– Debug levels allow output of useful information
– /usr/sbin/slapd -d xxx
● 8 – connection management
● 32 – search filter processing
● 64 – config file processing
● 128 – access control list processing
● 256 – connections/operations/results
● additive – 288 is conn/ops/results and search filters

Managing LDAP
● Command line
– ldap* and slap* tools for OpenLDAP
● Scripting
● GQ – Simple GTK+/GTK2 GUI
– sf.net/projects/gqclient
● Webmin
– webmin.com
– LDAP Users and Groups plugin
● Demo: webmin

Other Uses of LDAP
● Samba authentication
– advantages over smbpasswd file
● Serving certificates
● Machine configurations
● Radius authentication
● Managing network printers

Conclusions
● LDAP can consolidate many administrative tasks
● LDAP is optimized for reads and will be faster than SQL for simple reads
● LDAP can improve scalability – all mail servers in organization can use same data store, for instance
● Once in place, LDAP can often be reapplied to solve new problems

For More Information
● www.openldap.org
● PADL.com
– pam_ldap
– nss_ldap
– MigrationTools
● Book: LDAP System Administration by Gerald Carter, published by O'Reilly
– More detail about a lot of these ideas is found there

Thank You
● Thanks for coming!
● My contact information is:

Fran Fabrizio
[email protected]
http://www.cis.uab.edu/fran/

● Feel free to email any questions you may have, or catch me at the conference for the rest of the week!