LDAP Seminar
Mahesh Kumar Shabeeruddin
Computer Centre Indian Institute of Technology
Bombay
February 25, 2005
What is LDAP?
Lightweight Directory Access Protocol
LDAP is a protocol for accessing a directory service: a hierarchical database of entries plus a small set of operations (bind, search, add, modify, delete), exposed through commands such as ldapsearch and ldapadd.
The directory is optimized for many reads and few writes, and the data is organized hierarchically.
Uses of Ldap
LDAP is used mainly for:
User authentication.
Maintaining user information.
Hierarchical, distributed management of information.
Maintaining personal information, e.g. an address book.
Advantages of ldap
Lightweight database.
Easy maintenance of user information.
Highly portable.
Easily configurable.
Easily extendable (by defining our own ACLs, schemas, etc.).
Replication is also supported.
Where it is used in IITB?
Authentication at various places, e.g.:
netmon authentication, asc (for student registration).
Mail access on bighome.iitb.ac.in.
Authentication on the CC user hall machines.
Ldap data organization
The LDAP name-space is organized as a hierarchical data structure:
entries form a tree (the Directory Information Tree, DIT).
This is what makes hierarchical distribution of information management possible.
What is a dn?
dn (Distinguished Name)
A dn is the unique name of an entry: it is formed from the entry's own RDN (e.g. uid=shabeer) followed by the RDNs of its parents up to the root, so no two entries in the tree share a dn.
eg: uid=shabeer,ou=cse,ou=People,dc=iitb,dc=ac,dc=in
Common dn components:
uid (User ID)
cn (Common Name), sn (Surname)
ou (Organizational Unit)
dc (Domain Component)
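Added example (not part of the seminar): a small RFC 4514 dn parser and builder in Python that shows what the components above look like once a dn is split into RDNs, and why a value containing a comma has to be escaped. The dn values it handles are the one from this slide plus constructed ones; attribute types are lowercased for comparison, values are left alone because their case sensitivity depends on the attribute's matching rule.

```python
# RFC 4514 distinguished-name handling, added here as an illustration;
# this is not code from the seminar. Attribute types are lowercased for
# comparison; values are left as-is because their case sensitivity depends
# on the attribute's matching rule (see the schema section).

# Characters that must be backslash-escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;=')


def _join(buf):
    """Join (char, escaped) pairs, dropping unescaped leading/trailing spaces."""
    start, end = 0, len(buf)
    while start < end and buf[start] == (' ', False):
        start += 1
    while end > start and buf[end - 1] == (' ', False):
        end -= 1
    return ''.join(c for c, _ in buf[start:end])


def split_dn(dn):
    """Split a dn into [(attrtype, value), ...], leftmost (most specific) RDN first.

    A backslash escapes the next character (\\,) or introduces a two-digit
    hex escape (\\2C), so an escaped comma does not start a new RDN.
    Multi-valued RDNs (a=1+b=2) are not handled.
    """
    rdns, attr, buf, i = [], None, [], 0
    hexdigits = '0123456789abcdefABCDEF'
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in hexdigits for c in nxt):
                buf.append((chr(int(nxt, 16)), True))
                i += 3
            elif i + 1 < len(dn):
                buf.append((dn[i + 1], True))
                i += 2
            else:
                raise ValueError('dangling backslash at end of dn')
            continue
        if ch == '=' and attr is None:
            attr = _join(buf).lower()
            buf = []
        elif ch == ',':
            if attr is None:
                raise ValueError('RDN without "=": %r' % _join(buf))
            rdns.append((attr, _join(buf)))
            attr, buf = None, []
        else:
            buf.append((ch, False))
        i += 1
    if attr is None:
        raise ValueError('trailing RDN without "="')
    rdns.append((attr, _join(buf)))
    return rdns


def escape_value(value):
    """Escape an attribute value so it can be embedded in a dn string."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and idx == 0) or (ch == ' ' and idx in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns):
    """Inverse of split_dn: produce a correctly escaped dn string."""
    return ','.join('%s=%s' % (attr, escape_value(value)) for attr, value in rdns)


def normalize_dn(dn):
    """Canonical spelling used to compare two dn strings naming the same entry."""
    return build_dn(split_dn(dn))
```

normalize_dn is the piece to use before comparing a dn from a client with one from the directory: "UID=shabeer, OU=cse, DC=iitb" and "uid=shabeer,ou=cse,dc=iitb" name the same entry, and a naive string comparison would say they differ.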
Openldap Installation
Before installation, resolve all the dependency requirements (e.g. Berkeley DB for the bdb backend).
OpenLDAP can be downloaded from
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.2.17.tgz
tar -xzvf openldap-VERSION.tgz
cd openldap-VERSION
./configure
make depend
make
make test
make install
OpenLDAP is installed by default in a Fedora Core 2 full installation.
Openldap configuration.
Checking the integrity of the slapd.conf file before starting the server (both commands parse the configuration and exit without serving requests):
slapd -t -f <slapd.conf>
slaptest -f <slapd.conf>
Starting and stopping ldap server
Starting the OpenLDAP server:
/usr/local/libexec/slapd
(or just slapd if it is on the PATH)
Stopping the OpenLDAP server: send SIGINT to the slapd process so that it closes its databases cleanly (never kill -9 a running slapd):
kill -INT `cat /usr/local/var/run/slapd.pid`
Schemas
Schemas are packaging units:
A schema is a convenient unit for packaging broadly similar objectClasses and attributes.
All objectClasses and all attributes are defined inside schemas.
Every attribute or objectClass used must be defined in a schema, and that schema must be known to the LDAP server.
In OpenLDAP, schemas are made known with include statements in slapd.conf, e.g. include /usr/local/etc/openldap/schema/core.schema
Objectclasses
objectClasses group sets of attributes; objectClasses are defined inside schemas.
objectClasses may be organized in a hierarchy, in which case they inherit all the properties of their parents.
objectClasses are the means for including attributes in an entry.
An objectClass has a globally unique name and a globally unique identifier (OID).
objectClasses define whether an attribute is mandatory (MUST be present) or optional (MAY be present).
Attributes
Every attribute is included in one or more objectClasses.
An attribute's characteristics are defined using ASN.1 notation.
An attribute definition may be part of a hierarchy, in which case it inherits all the properties of its parents,
e.g. commonName (cn), givenName (gn) and surname (sn) are all children of the name attribute.
An attribute definition includes its form (e.g. string, number), how it behaves in certain conditions (e.g. whether compares are case-sensitive or case-insensitive) and other properties.
Defining an objectClass
ObjectClassDescription = "(" whsp numericoid whsp [ "NAME" qdescrs ] [ "DESC" qdstring ] [ "SUP" oids ] ["MUST" oids ] [ "MAY" oids ] whsp ")"
Example
objectclass ( 2.5.6.2 NAME 'country'
    SUP top
    MUST c
    MAY ( searchGuide $ description ) )
NAME 'country' defines a globally unique name for this objectClass.
2.5.6.2 is called an OID (Object Identifier).
SUP top indicates that this objectClass has a PARENT (or SUPerior) objectClass, i.e. it is part of a hierarchy. In this case the parent is top.
MUST c indicates that the attributes in the following list are mandatory; an entry of this objectClass that lacks one of them will fail to load.
MAY ( searchGuide $ description ) indicates that the attributes in the following list are optional.
Attribute Defnition
AttributeTypeDescription = "(" whsp numericoid whsp
"NAME" qdescrs
[ "DESC" qdstring ] [ "SUP" woid ] [ "EQUALITY" woid ]
[ "SYNTAX" whsp noidlen whsp ] [ "SINGLE-VALUE" whsp ]
[ "NO-USER-MODIFICATION" whsp ] whsp ")"
Example
attributetype ( 2.5.4.3 NAME 'cn'
    SUP name
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
2.5.4.3 is the OID (Object Identifier) of cn; the OID 2.5.4.41 belongs to its parent attribute, name.
NAME 'cn' defines a globally unique name for this attribute.
SUP name indicates that this attribute has a PARENT (or SUPerior) attribute, from which it inherits its syntax and matching rules unless they are restated.
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 is an OID which defines the data type (here Directory String) and what rules (data validation) are applied to the data.
EQUALITY caseIgnoreMatch indicates how this (and any child attribute) behaves when used in a search filter: comparisons ignore case.
Example 2
attributetype ( 0.9.2342.19200300.100.1.25
    NAME ( 'dc' 'domainComponent' )
    DESC 'RFC1274/2247: domain component'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )
Here NAME gives two names for the same attribute (dc and domainComponent are interchangeable), SYNTAX ...121.1.26 is IA5 String, and SINGLE-VALUE means an entry may carry only one dc value.
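Added example (not part of the seminar or of OpenLDAP): a Python parser for the description syntax shown in the two definitions above, together with the MUST/SUP resolution that decides whether an entry will load. The schema lines it carries are abridged copies of OpenLDAP's core.schema definitions for top, country, domain, person and their attributes (with the dc OID as corrected above); the entries it checks are constructed for the example.

```python
import re

# Parser for the schema description syntax (RFC 2252 style) plus a MUST check.
# Added as an illustration; not seminar or OpenLDAP code. SCHEMA below is
# abridged from OpenLDAP's core.schema (DESC strings and long MAY lists cut).

_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()'$]+")
_FLAGS = {'SINGLE-VALUE', 'NO-USER-MODIFICATION', 'STRUCTURAL', 'AUXILIARY',
          'ABSTRACT', 'OBSOLETE', 'COLLECTIVE'}


def parse_description(text):
    """Parse one objectclass/attributetype description into a dict.

    Result: {'oid': ..., 'flags': set(), 'NAME': [...], 'SUP': [...],
    'MUST': [...], 'MAY': [...], 'DESC': [...], 'SYNTAX': [...], ...};
    every keyword maps to a list of values with the quotes stripped.
    """
    toks = _TOKEN.findall(text)
    if toks and toks[0].lower() in ('objectclass', 'attributetype'):
        toks = toks[1:]                      # the slapd.conf directive word
    if len(toks) < 3 or toks[0] != '(' or toks[-1] != ')':
        raise ValueError('description must be enclosed in parentheses')
    toks = toks[1:-1]
    desc = {'oid': toks[0], 'flags': set()}
    i = 1
    while i < len(toks):
        key = toks[i]
        i += 1
        if key in _FLAGS:
            desc['flags'].add(key)
            continue
        if i < len(toks) and toks[i] == '(':
            # "( a $ b )" for oid lists, "( 'dc' 'domainComponent' )" for names
            j = toks.index(')', i)
            vals = [t for t in toks[i + 1:j] if t != '$']
            i = j + 1
        elif i < len(toks):
            vals = [toks[i]]
            i += 1
        else:
            raise ValueError('keyword %s has no value' % key)
        desc[key] = [v.strip("'") for v in vals]
    return desc


SCHEMA = [
    "attributetype ( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
    "attributetype ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )",
    "attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )",
    "attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) SUP name SINGLE-VALUE )",
    "attributetype ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' ) "
    "EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )",
    "objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "objectclass ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c "
    "MAY ( searchGuide $ description ) )",
    "objectclass ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL "
    "MUST domainComponent MAY ( associatedName $ description ) )",
    "objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
]


def load_schema(definitions):
    """Index classes and attributes by every NAME and by OID (lowercased)."""
    classes, attrs = {}, {}
    for line in definitions:
        desc = parse_description(line)
        table = classes if line.lstrip().lower().startswith('objectclass') else attrs
        for name in desc.get('NAME', []) + [desc['oid']]:
            table[name.lower()] = desc
    return classes, attrs


def required_attributes(classes, classname):
    """MUST attributes of an objectClass, including those inherited via SUP."""
    must, seen, todo = set(), set(), [classname.lower()]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        desc = classes.get(cur)
        if desc is None:
            raise KeyError('objectClass %s is not known to the server' % cur)
        must.update(a.lower() for a in desc.get('MUST', []))
        todo.extend(s.lower() for s in desc.get('SUP', []))
    return must


def _canonical(attrs, name):
    """Map an attribute name or alias (domainComponent -> dc) to its first NAME."""
    desc = attrs.get(name.lower())
    return desc['NAME'][0].lower() if desc else name.lower()


def missing_attributes(classes, attrs, entry):
    """MUST attributes an entry ({attr: [values]}) lacks; [] means it would load."""
    present = {_canonical(attrs, a) for a in entry}
    needed = set()
    for key, values in entry.items():
        if key.lower() == 'objectclass':
            for oc in values:
                needed |= {_canonical(attrs, a) for a in required_attributes(classes, oc)}
    return sorted(needed - present)


CLASSES, ATTRS = load_schema(SCHEMA)
```

missing_attributes reproduces the "entry will fail to load" rule: a country entry without c, or a person without sn, is rejected, while a domain entry satisfies MUST domainComponent with the alias dc.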
What is LDIF?
LDAP Data Interchange Format: represents LDAP entries in text.
Human-readable format.
Good for backups and for transferring data to another system.
Allows easy modification of data.
Useful for doing bulk changes (using scripts).
Format of an ldif entry
# comment
dn: <distinguished name>
<attrdesc>: <attrvalue>
<attrdesc>: <attrvalue>
Entries are separated by a blank line. A line that begins with a single space continues the previous line (OpenLDAP's ldif(5) also accepts a tab), and <attrdesc>:: <base64> carries a value that is binary or that starts or ends with white space.
For Example
dn: dc=iitb,dc=ac,dc=in
dc: iitb
objectclass: top
objectclass: domain
Another example
dn: ou=CHE,ou=People,dc=iitb,dc=ac,dc=in
ou: CHE
objectclass: top
objectclass: organizationalUnit
(The attribute used in the RDN, dc or ou here, must also be present as an attribute of the entry.)
Continuation lines: the leading space is removed when the lines are joined, so a word boundary needs two spaces.
dn: cn=Barbara J Jensen,dc=example,dc=
 com
cn: Barbara J
  Jensen
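Added example (not part of the seminar or of OpenLDAP): a Python LDIF reader and writer implementing the rules just described (comments, blank-line record separators, continuation lines, base64 values, and line folding on output), run over a constructed file that contains the Barbara Jensen entry from this slide. It is the kind of parser one writes before scripting bulk changes, because a home-grown split(':') breaks on exactly these cases.

```python
import base64

# LDIF reader and writer for the rules in the text (RFC 2849 plus OpenLDAP's
# tab continuation). Added as an illustration; not seminar or OpenLDAP code.
# Entries are returned as {'dn': str, 'attrs': {name: [values]}}.


def unfold(text):
    """Join continuation lines: a line starting with one space (or a tab,
    which OpenLDAP's ldif(5) also accepts) is appended to the previous line
    with that first character removed."""
    logical = []
    for raw in text.splitlines():
        if raw[:1] in (' ', '\t') and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Parse LDIF content (records separated by blank lines) into entries."""
    entries, current = [], None
    for line in unfold(text):
        if line.startswith('#') or line.startswith('version:'):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(':')
        if not sep or not name:
            raise ValueError('malformed LDIF line: %r' % line)
        if value.startswith(':'):
            # "attr:: <base64>": binary data or a value with leading/trailing space
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        elif value.startswith('<'):
            raise ValueError('URL values ("attr:< file://...") are not supported here')
        else:
            value = value.strip()      # a plain value may not start or end with a space
        if name.lower() == 'dn':
            if current is not None:
                raise ValueError('dn without a blank line before it: %r' % value)
            current = {'dn': value, 'attrs': {}}
        elif current is None:
            raise ValueError('attribute before any dn: %r' % line)
        else:
            current['attrs'].setdefault(name.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def _needs_base64(value):
    """Values that cannot be written in plain "attr: value" form."""
    return (value == '' or value[0] in ' :<' or value[-1] == ' '
            or any(ord(c) > 126 or ord(c) < 32 for c in value))


def to_ldif(entry, width=76):
    """Serialise one entry, folding long lines the way slapcat does."""
    lines = ['dn: ' + entry['dn']]
    for name, values in entry['attrs'].items():
        for value in values:
            if _needs_base64(value):
                encoded = base64.b64encode(value.encode('utf-8')).decode('ascii')
                lines.append('%s:: %s' % (name, encoded))
            else:
                lines.append('%s: %s' % (name, value))
    folded = []
    for line in lines:
        folded.append(line[:width])
        for pos in range(width, len(line), width - 1):
            folded.append(' ' + line[pos:pos + width - 1])
    return '\n'.join(folded) + '\n'


# Constructed sample in the shape of the slide's examples; the base64 value
# decodes to " leading space", which cannot be written in plain form.
SAMPLE_LDIF = """\
# constructed sample
dn: cn=Barbara J Jensen,dc=example,dc=
 com
cn: Barbara J
  Jensen
sn: Jensen
objectclass: person
description:: IGxlYWRpbmcgc3BhY2U=

dn: dc=iitb,dc=ac,dc=in
dc: iitb
objectclass: top
objectclass: domain
"""
```

parse_ldif(SAMPLE_LDIF) yields two entries, with the folded dn and cn joined back into single values; to_ldif on the first entry produces text that parses back to the same entry.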
Database Modification commands
ldapadd opens a connection, binds and adds entries. eg:
ldapadd -x -D "cn=Manager,dc=iitb,dc=ac,dc=in" -W -f example-add.ldif
-x use simple authentication
-D binddn: the dn to bind as
-W prompt for the simple-authentication password (safer than -w password, which shows up in the process list and shell history)
-f the ldif file to load
Format of example-add.ldif (person requires both cn and sn, so an entry with only cn is rejected):
dn: cn=Barbara Jensen,dc=example,dc=com
objectClass: person
cn: Barbara Jensen
sn: Jensen
ldapmodify
ldapmodify opens a connection, binds and modifies entries (-c continues on errors instead of stopping at the first one).
eg:
ldapmodify -c -x -D "cn=Manager,dc=iitb,dc=ac,dc=in" -W -f example-modify.ldif
example-modify.ldif (each change in a modify record is terminated by a line containing only "-"):
dn: uid=sarawagi,ou=UG,ou=ME,ou=People,dc=iitb,dc=ac,dc=in
changetype: modify
delete: objectclass
objectClass: person
-
delete: telephoneNumber
-
The attribute is telephoneNumber (there is no standard attribute called telephone). Note also that slapd refuses to remove an objectClass value that the entry's structural class inherits from, so deleting person from an inetOrgPerson entry fails.
ldapsearch
ldapsearch opens a connection, binds and performs a search using the specified parameters.
eg:
ldapsearch -x -L -b "dc=example,dc=com" "(sn=smith)" cn sn telephoneNumber
(-L prints LDIFv1 output; -b sets the search base, which is needed unless ldap.conf defines BASE)
Result
dn: uid=jts,dc=example,dc=com
cn: John Smith
cn: John T. Smith
sn: Smith
sn;lang-en: Smith
sn;lang-de: Schmidt
telephoneNumber: 1 555 123-4567

dn: uid=sss,dc=example,dc=com
cn: Steve Smith
Taking Backups
slapcat: dump the database to an LDIF file (it reads the database files directly, so run it on the server as the user slapd runs as).
eg: slapcat -l filename.ldif
Daily backup script (the dump contains every userPassword hash, so it is created with restrictive permissions):
#!/bin/sh
# Dump the directory to a dated LDIF file and compress it.
umask 077
today=`date +"%Y_%m_%d_%H_%M"`
filename=$today.ldif
/usr/local/openldap/sbin/slapcat -l $filename
/bin/gzip $filename
Restoring backup ldif to ldap
slapadd: load an ldif file into the database (run it with slapd stopped).
eg: slapadd -l filename.ldif
gq installation (gq is a GTK LDAP browser)
ftp://ftp.pbone.net/mirror/atrpms.physik.fu-berlin.de/dist/fc2/gq/gq-1.0-9_beta1.rhfc2.at.i386.rpm
rpm -i gq-1.0-9_beta1.rhfc2.at.i386.rpm
ACLs (Access Control Lists)
access to <what>
    [ by <who> <access> [<control>] ]+
Example:
access to *
    by self write break
    by users read continue
    by * none break
<what> ::= [dn=<dnspec>] [filter=<ldapfilter>] [attrs=<attrlist>]
The first part specifies a condition based on the position of the entry in the Directory Information Tree. In OpenLDAP 2.2 a plain dn=<pattern> is matched as a regular expression (dn.regex), so a shell-style * does not work:
eg: access to dn.regex="^uid=[^,]+,ou=pg,ou=cse,ou=people,dc=iitb,dc=ac,dc=in$"
The second part is a condition that the entry's attributes must fulfil, written as an LDAP filter:
eg: access to filter=(age>=25)
The third part defines whether the access clause affects the whole entry (if absent) or only some of its attributes:
eg: access to attrs=userPassword
ACLs continued
<who> ::= * | anonymous | users | self | dn=<pattern> | peername.ip=<pattern>
peername refers to the remote side of the connection to the directory.
eg: access to * by peername.ip="10.100.5.1" ....
self refers to a user who is bound as the target entry.
eg: access to * by self ....
users refers to users who have bound as some entry.
eg: access to * by users ....
anonymous refers to users who have not bound at all or did a
Access
<access> ::= write | read | search | compare | auth | none
The levels are cumulative: each one includes all the levels to its right, so write implies read, read implies search, and so on.
read :: access is granted to read this entry and its prescribed list of attributes.
write :: access is granted to modify this entry and its prescribed list of attributes.
search :: the attribute may be used in a search filter, but its value is not returned.
compare :: the attribute may only be used in a compare operation.
auth :: access is granted to this entry's attribute(s) for authentication/authorization; this is what the bind operation needs on userPassword.
none :: no access.
control
The <control> qualifier is optional.
<control> ::= [ stop | continue | break ]
stop
This is the default; it causes access checking to stop on a match.
continue
Continue evaluating the current access control clause after a match, i.e. go on to the next <who> directive.
break
On a match, break out of the current access control clause and evaluate the next clause that follows.
eg: access to *
    by self write break
Order Matters
# ACL One
#
access to *
    by self write
    by users read
    by * none
#
# ACL Two
#
access to attrs=userPassword
    by self write
slapd uses the first access directive whose <what> matches the entry and attribute being checked. Here ACL One's "access to *" matches everything, including userPassword, so ACL Two is never consulted and every authenticated user can read everyone's password hashes.
Continued..
access to *
    by self write
    by users read
    by * none break
#
# ACL Two
#
access to attrs=userPassword
    by self write
    by users read
    by * none
With break on the last <who> clause, a request that reaches "by * none" (an anonymous one) falls through to ACL Two instead of being denied there. Self and authenticated users still stop in ACL One with write and read, so this ordering also leaves userPassword readable by any bound user. The usual fix is to list the more specific directive (access to attrs=userPassword) before the general "access to *".
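Added example (not part of the seminar or of OpenLDAP): a Python simulation of the directive selection described above, run over the two orderings from these slides and a third, specific-first ordering constructed here, to show which one actually keeps password hashes away from other users. The bind dns are made up; "by anonymous auth" in the third ordering is an addition, because the bind operation needs auth access to userPassword. Only stop and break are modelled; continue and the +/- incremental privileges are not.

```python
# Simulation of how slapd picks an access directive and a <who> clause.
# Added as an illustration; not OpenLDAP code. Modelled: <what> = * or
# attrs=<list>, <who> = *, anonymous, users or self, the access levels
# below, and the controls stop (default) and break. Not modelled: continue,
# dn=/peername.ip= patterns, and +/- incremental privileges.

LEVELS = ['none', 'auth', 'compare', 'search', 'read', 'write']   # cumulative


def parse_acl(text):
    """Turn slapd.conf 'access to ... by ...' lines into a list of directives."""
    acls, current = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('access to '):
            current = {'what': line[len('access to '):].strip(), 'by': []}
            acls.append(current)
        elif line.startswith('by ') and current is not None:
            parts = line.split()
            if len(parts) not in (3, 4) or parts[2] not in LEVELS:
                raise ValueError('bad by clause: %r' % line)
            control = parts[3] if len(parts) == 4 else 'stop'
            current['by'].append((parts[1], parts[2], control))
        else:
            raise ValueError('unexpected line: %r' % line)
    return acls


def _what_matches(what, attr):
    if what == '*':
        return True
    if what.startswith(('attrs=', 'attr=')):
        names = what.split('=', 1)[1].split(',')
        return attr.lower() in [n.strip().lower() for n in names]
    raise ValueError('unsupported <what>: %s' % what)


def _who_matches(who, binddn, target_dn):
    if who == '*':
        return True
    if who == 'anonymous':
        return binddn is None
    if who == 'users':
        return binddn is not None
    if who == 'self':
        return binddn is not None and binddn.lower() == target_dn.lower()
    raise ValueError('unsupported <who>: %s' % who)


def evaluate(acls, binddn, target_dn, attr):
    """Access level binddn (None = anonymous) gets on attr of target_dn."""
    granted = 'none'
    for acl in acls:
        if not _what_matches(acl['what'], attr):
            continue                 # only the first matching <what> is used...
        for who, access, control in acl['by']:
            if _who_matches(who, binddn, target_dn):
                granted = access
                if control == 'break':
                    break            # ...unless the matching <who> says break
                return granted       # stop: the first matching <who> decides
        else:
            return 'none'            # no <who> matched: implicit "by * none"
    return granted


def allows(level, wanted):
    """True if an access level includes the wanted privilege."""
    return LEVELS.index(level) >= LEVELS.index(wanted)


# The two orderings from the slides and a specific-first one (constructed).
ACL_GENERAL_FIRST = """
access to *
    by self write
    by users read
    by * none
access to attrs=userPassword
    by self write
"""
ACL_WITH_BREAK = """
access to *
    by self write
    by users read
    by * none break
access to attrs=userPassword
    by self write
    by users read
    by * none
"""
ACL_SPECIFIC_FIRST = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * none
"""
ME = 'uid=shabeer,ou=cse,ou=People,dc=iitb,dc=ac,dc=in'      # made-up bind dns
OTHER = 'uid=mahesh31,ou=cse,ou=People,dc=iitb,dc=ac,dc=in'

if __name__ == '__main__':
    for label, text in (('general first', ACL_GENERAL_FIRST),
                        ('with break', ACL_WITH_BREAK),
                        ('specific first', ACL_SPECIFIC_FIRST)):
        level = evaluate(parse_acl(text), OTHER, ME, 'userPassword')
        print('%-15s other user on my userPassword: %s' % (label, level))
```

Run stand-alone it prints read for both orderings from the slides and none for the specific-first one; the same simulator shows that the specific-first ordering still gives self write, anonymous auth (so binds work), and users read on ordinary attributes.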
Perl- Ldap support
use strict;
use warnings;
use Net::LDAP;

my $ldap = Net::LDAP->new('ldapweb.iitb.ac.in') or die "$@";
my $mesg = $ldap->bind;                      # an anonymous bind
$mesg->code && die $mesg->error;
$mesg = $ldap->search(                       # perform a search
    base   => "dc=iitb,dc=ac,dc=in",
    filter => "(uid=mahesh31)",
);
$mesg->code && die $mesg->error;
foreach my $entry ($mesg->entries) { $entry->dump; }
$ldap->unbind;
Perl ..
Establishing a connection (use start_tls or an ldaps:// URL before binding with a password, otherwise the password crosses the network in clear text; the CA file path below is a placeholder):
my $ldap = Net::LDAP->new('ldapweb.iitb.ac.in') or die "$@";
my $mesg = $ldap->start_tls(verify => 'require', cafile => '/etc/ssl/certs/ca.pem');
$mesg->code && die $mesg->error;
User binding:
$mesg = $ldap->bind("cn=me,o=example", password => "mypasswd");
$mesg->code && die $mesg->error;
Adding an entry (attrs lists the attributes; a repeated name or an array reference gives a multi-valued attribute):
$mesg = $ldap->add($dn,
    attrs => [
        name  => 'Graham Barr',
        attr  => 'value1',
        attr  => 'value2',
        multi => [qw(value1 value2)],
    ]
);
$mesg->code && die $mesg->error;
Perl ..
Deleting entries
$mesg = $ldap->delete($dn);
$mesg->code && die $mesg->error;
Modifying entries
$mesg = $ldap->modify($dn, replace => { 'mail' => 'gbarr@pobox.com' });
$mesg->code && die $mesg->error;