About Me

My photo
Kalyan Kumar Pasupuleti B-Tech(Information Technology). • AWS Certified Solutions Architect - Associate • RedHat Certified Engineer(RHCE) • Directory Services and Authentication Certificate of Expertise(LDAP) • Red Hat SELinux Policy Administration Certificate of Expertise(SELinux) • Network Services Security Certificate of Expertise (Network Services) • RedHat Certified Virtualization Administrator(RHCVA) • Red Hat Certified Security Specialist (RHCSS) Working as Cloud DevOps engineer

Tuesday, April 19, 2011

LDAP Basics


Nowdays LDAP is used everywhere for Authentication or crucial information management purpose. In this Article I have tried to explain basics of LDAP and also OpenLDAP basic configuration. Please let me know your queries and comments on it. Thanks.

LDAP & OpenLDAP

LDAP - Lightweight Directory Access Protocol.
OpenLDAP - Server which operates on LDAP for eg. Microsoft AD

  1. Stores & organize information in directory i.e. in hierarchical manner and provides access to it
  2. Eg. Domain Name System. DNS is a most successful implementation of Directory service over Internet

Directory Structure -
  1. Directory service stores information in Directory Structure. The diagram of Directory structure is called Directory Information Tree.
  2. A Directory is a tree of Entries
  3. An entry is set of attributes
  4. An attribute is has a Name and one or more value
  5. Attributes are Defined in Schema
  6. Each entry has an Unique Identifier i.e. DN

Five Major Characteristics of Directory Service -
  1. Higly optimized for reads
  2. Information can be stored in Distributed model
  3. Can extend types of information to be stored
  4. Replication
  5. Advance search capabilities

Difference between Databases and Directory Services
 Many people ask that can we use Database instead of Directory Service

SN                       Databases                                                 Directory Services

1.    Information has more writes and reads            More reads only, very less writes
2.   Transactions, rollbacks,                                    Transactions, rollbacks, write locks      write locks are more important                          are less important
3.   More Overheads                                               Less Overheads

What is LDAP ?
  1. Originally created by Tim Howes, Steve Kille and Wingyik Yeong in 1993. Later Tim & Steve improved it and started LDAPv3
  2. Application Protocol for reading & editing directories over an IP network
  3. LDAP is itself a Binary Protocol. Binary Protocol means, a protocol which is expected to read by machine than a human being.
  4. Lightweight Directory Access Protocol
  5. Lightweight in comparison with x.500 Directory Services

LDAP vs X.500:
Main difference in LDAP and X.500 is LDAP uses TCP stack and X.500 uses OSI stack. Thats the reason LDAP is lightweight.

Uses of LDAP:
  • Machine Authentication
  • User/System Groups
  • User Resource Management
  • Address Book
  • Organization Representation
  • Assets Tracking
  • Telephony Information Store
  • Application Configuration Store

Directory Information Tree:
LDAP stores information in Directory Structure. Pictorial view of Directory Structure is called Directory Information Tree. See Below Figure:

                                                        dn: dc=example,dc=com

                                                                      |
                                                                      |
                                -------------------------------------------------------- 
                                |                                                                         |
                                |                                                                         |
dn: ou=groups,dc=example,dc=com                    dn:ou=people,dc=example,dc=com
                                                                                                          |
                                                                                                          |                                         
                                                                  dn: cn=neelesh,ou=people,dc=example,dc=com

Directory Structure: 
    • A Directory is a tree of Directory Entries
    • An Entry consists of a set of Attributes
    • An Attribute has a Name and one or more values.
    • The attributes are defined in Schemas
    • Each entry has unique Identifier i.e. DN, consists of RDN

OpenLDAP:
Please note that in our example we have used OpenLDAP as a LDAP server.
Please visit www.openldap.org for more details.


Features of OpenLDAP:
  1. It is open source
  2. Free to use
  3. Simple Authentication and Security Layer (SASL) support
  4. Access Control
  5. Implements LDAPv3

Components of OpenLDAP:
  1. slapd - OpenLDAP server daemon
  2. slapd.conf  OpenLDAP configuration file
  3. Schemas - To define Attributes
  4. Libraries  Required to slapd. Normally they are under /usr/lib/ldap
  5. Backend - Banckend Database. We use BDB here. Located at /var/lib/ldap
  6. LDIF  LDAP Interchange Format. It is used for Importing and exporting information stored in Directory
  7. LDAPcleint  Used to connect LDAP server and operate it. Eg. ldapsearch, ldapadd, ldapdelete etc.

    slapd
     1. LDAP server daemonBinary
    2. Normally located under /usr/sbin
    3. To invoke you can directly call slapd on bash prompt



     slapd.conf
     I have divided slapd.conf into 4 Parts
     1. Schema Inclusion
     2. Backend DB & Directory Specific
     3. Access Control
     4. Other

     Schemas
      1. Schemas are used to define Attributes
     2. It adds extendibility of LDAP
     3. We can customize or add schemas
     4. Generally Schema files are stored under /etc/ldap/schema

         Schema Files                                                   Description
       core.schema                          OpenLDAP core (required)
       cosine.schema                       Cosine and Internet X.500 (useful)
       inetorgperson.schema           InetOrgPerson (useful)
       misc.schema                          Assorted (experimental)
       nis.schema                             Network Information Services (FYI)
       openldap.schema                   OpenLDAP Project (experimental)


     Libraries or modules
     
     - Generally libraries are stored under /usr/lib/ldap
     - It adds functionality and makes OpenLDAP modular

     Backend DB

     - OpenLDAP uses mainly following 2 embedded databases to store information
            - BDB Berkely DB Transactional Backend
            - HDB Hierarchical variant of BDB
     - DB is stored under /var/lib/ldap

     LDIF
      - LDAP interchange format
     - Collection of entries separated by new line
     - Mapping attribute names to values
     - It is used to import or export information from LDAP directory

     LDAPclient
      - LDAP client is used to connect to LDAP server
     - You can add, edit, delete Directory entries

     Important Terminologies
     - Distinguished Name (DN) & Relative Distinguished Name (RDN)
       DN is like the absolute path between root of File System and file
       RDN is like Filename
       Eg.
       Entry ---- > dn: cn=admin,dc=example,dc=com
       In above entry
       DN is cn=admin,dc=example,dc=com
       RDN is cn=admin

      1. Attributes
         - Attributes are used to store the values
         - Attributes can be one or more values
         - Attributes are defined in Schema Files
         - In LDIF files, Declare Attribute by following way:
               objectClass: organizationalUnit
         In above example objectClass is Attribute and organizationalUnit is value.

       2. objectClass Attributes
          - Compulsory attribute with atleast one value
          - It acts as a template for the data to be stored
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)