
(1)

LDAP Seminar

Mahesh Kumar Shabeeruddin

Computer Centre, Indian Institute of Technology Bombay

February 25, 2005

(2)

What is LDAP?

Lightweight Directory Access Protocol

LDAP provides a database and a few building features, such as the ldap command-line tools.

The LDAP database is optimized for many more reads than writes.

The database is hierarchical.

(3)

Uses of LDAP

LDAP can be used for:

Mainly user authentication.

Maintaining user information.

Hierarchical distribution of information management.

Maintaining personal information, e.g. an address book.

etc...

(4)

Advantages of LDAP

Very lightweight database.

Easy maintenance of User information.

Highly portable.

Easily configurable.

Easily extendable (by defining our own ACIs, schemas, etc.).

Replication can also be done.

etc...

(5)

Where it is used in IITB?

Authentication at various places.

netmon authentication asc (for student registration).

Mail access on bighome.iitb.ac.in.

Authentication at CC user hall machines.

etc...

(6)

LDAP data organization

The LDAP namespace is organized as a hierarchical data structure.

Entries are arranged in a tree-like structure.

This helps in hierarchical distribution of information management.

(7)

What is a dn?

dn (Distinguished Name)

A DN is a unique name that distinguishes one LDAP entry from another.

eg: uid=shabeer,ou=cse,ou=People,dc=iitb,dc=ac,dc=in

DN components:

uid (User ID)

cn (Common Name)

sn (Surname)

ou (Organizational Unit)

dc (Domain Component)

(8)

OpenLDAP Installation

Before installation, resolve all the dependency requirements.

OpenLDAP can be downloaded from

ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.2.17.tgz

tar -xzvf openldap-VERSION.tgz
./configure
make depend
make
make test
make install

OpenLDAP is included by default in a Fedora Core 2 full installation.

(9)

OpenLDAP configuration

Checking the integrity of the slapd.conf file:

slapd -t -f <slapd.conf>

slaptest -f <slapd.conf>

(10)

Starting and stopping the LDAP server

Starting the OpenLDAP server:

/usr/local/libexec/slapd or

slapd

Stopping the OpenLDAP server (send SIGINT to the slapd process; its PID is written to the pidfile named in slapd.conf):

kill -INT <slapd-pid>

(11)

Picture

(12)

Schemas

Schemas are packaging units:

Convenient packaging unit for containing broadly similar objectClasses and attributes.

All objectclasses and all attributes are defined inside schemas.

Every attribute or objectclass used must be defined in a schema and that schema must be known to the LDAP server.

In OpenLDAP the schemas are made known using the include statement in the slapd.conf configuration file.

(13)

Objectclasses

objectClasses group sets of attributes. objectClasses are defined inside schemas.

objectClasses may be organized in a hierarchy, in which case they inherit all the properties of their parents.

objectClasses are the means for including attributes. An objectClass has a globally unique name or identifier.

objectClasses define whether an attribute is mandatory (MUST be present) or optional (MAY be present).

(14)

Attributes

Every attribute is included in one or more objectClasses.

An attribute's characteristics are defined using ASN.1 notation.

An attribute definition may be part of a hierarchy, in which case it inherits all the properties of its parents,

e.g. commonName (cn), givenName (gn) and surname (sn) are all children of the name attribute.

An attribute definition includes its form (e.g. string, number), how it behaves in certain conditions (e.g. whether compares are case-sensitive or case-insensitive) and other characteristics (properties).

(15)

Defining an objectClass

ObjectClassDescription = "(" whsp numericoid whsp [ "NAME" qdescrs ] [ "DESC" qdstring ] [ "SUP" oids ] ["MUST" oids ] [ "MAY" oids ] whsp ")"

Example

objectclass ( 2.5.6.2 NAME 'country'
    SUP top
    MUST c
    MAY ( searchGuide $ description ) )

(16)

NAME 'country' defines a globally unique name for this objectclass.

2.5.6.2 is called an OID (Object Identifier).

SUP top indicates that this objectclass has a PARENT (or SUPerior) objectclass; it is part of a hierarchy. In this case the parent is top.

MUST c indicates that the attributes in the following list are mandatory; if one of them is missing, the entry will fail to load.

MAY ( searchGuide $ description ) indicates that the attributes in the following list are optional.

(17)

Attribute Definition

AttributeTypeDescription = "(" whsp numericoid whsp
    "NAME" qdescrs
    [ "DESC" qdstring ] [ "SUP" woid ] [ "EQUALITY" woid ]
    [ "SYNTAX" whsp noidlen whsp ] [ "SINGLE-VALUE" whsp ]
    [ "NO-USER-MODIFICATION" whsp ] whsp ")"

Example

(18)

2.5.4.41 is called an OID (Object Identifier).

NAME 'cn' defines a globally unique name for this attribute.

SUP 'name' indicates that this attribute has a PARENT (or SUPerior) attribute.

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 is an OID which defines the data type and what rules (data validation) are applied to the data.

EQUALITY caseIgnoreMatch indicates how this attribute (and any child attributes) will behave when used in a search filter.

(19)

Example 2

attributetype ( 0.9.2342.19200300.100.1.25
    NAME ( 'dc' 'domainComponent' )
    DESC 'RFC1274/2247: domain component'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )
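The definition syntax on the schema slides is regular enough to parse mechanically, which is a useful check before a schema file is handed to slapd. The following Python is an added example written for this page, not code from the seminar or from OpenLDAP: it tokenizes an objectclass or attributetype definition, collects the NAME, SUP, MUST and MAY lists and the single-valued keywords, and checks an entry for missing MUST attributes. The two definitions are the country and dc definitions from the slides re-typed as strings; the entry data is constructed, and attributes inherited through SUP are not resolved (assumption: the caller merges them first).

```python
import re

# Tokens of the definition syntax: parentheses, '$' list separators,
# quoted descriptors/strings, and bare words such as OIDs or 'top'.
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")

# Keywords that take a value (or a parenthesised list); any other keyword
# (SINGLE-VALUE, NO-USER-MODIFICATION, STRUCTURAL, ...) is recorded as a flag.
_VALUE_KEYWORDS = {"NAME", "DESC", "SUP", "EQUALITY", "SUBSTR", "ORDERING",
                   "SYNTAX", "MUST", "MAY"}
_LIST_KEYWORDS = {"NAME", "SUP", "MUST", "MAY"}

# The definitions shown on the slides, re-typed here (not read from a schema file).
COUNTRY_DEF = """objectclass ( 2.5.6.2 NAME 'country'
    SUP top
    MUST c
    MAY ( searchGuide $ description ) )"""

DC_DEF = """attributetype ( 0.9.2342.19200300.100.1.25
    NAME ( 'dc' 'domainComponent' )
    DESC 'RFC1274/2247: domain component'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )"""


def _read_value(tokens, i):
    """Read one value, or a '( a $ b )' / '( 'a' 'b' )' list, starting at tokens[i].
    Returns (values, index_after_value) with quotes stripped from descriptors."""
    if tokens[i] != "(":
        return [tokens[i].strip("'")], i + 1
    values, i = [], i + 1
    while tokens[i] != ")":
        if tokens[i] != "$":
            values.append(tokens[i].strip("'"))
        i += 1
    return values, i + 1


def parse_schema_definition(text):
    """Parse one 'objectclass ( ... )' or 'attributetype ( ... )' definition into a
    dict holding kind, oid, every value keyword found, and a 'flags' list."""
    kind, _, body = text.strip().partition("(")
    kind = kind.strip().lower()
    if kind not in ("objectclass", "attributetype"):
        raise ValueError(f"unknown definition kind: {kind!r}")
    tokens = _TOKEN.findall("(" + body)
    if tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("definition must be enclosed in parentheses")
    tokens = tokens[1:-1]                      # drop the outer parentheses
    result = {"kind": kind, "oid": tokens[0], "flags": []}
    i = 1
    while i < len(tokens):
        keyword, i = tokens[i], i + 1
        if keyword in _VALUE_KEYWORDS:
            values, i = _read_value(tokens, i)
            result[keyword] = values if keyword in _LIST_KEYWORDS else values[0]
        else:
            result["flags"].append(keyword)
    return result


def missing_must(entry, objectclass):
    """Return the MUST attributes of a parsed objectclass that the entry (a dict of
    attribute -> values) lacks. Names compare case-insensitively; attributes the
    class inherits through SUP are not resolved here."""
    present = {name.lower() for name in entry}
    return [a for a in objectclass.get("MUST", []) if a.lower() not in present]


if __name__ == "__main__":
    country = parse_schema_definition(COUNTRY_DEF)
    print(country)
    # Constructed entry that claims to be a country but carries no 'c' attribute.
    print("missing:", missing_must({"objectClass": ["top", "country"],
                                   "description": ["example"]}, country))
```

The same loader check slapd performs at startup (every attribute in MUST or MAY of some objectclass of the entry) can be built on top of missing_must once SUP chains are merged; here the point is only that the grammar from the slides maps directly onto a small tokenizer.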

(20)

What is LDIF?

LDAP Data Interchange Format: represents LDAP entries in text.

Good for backups and for transferring data to another system.

Human-readable format.

Allows easy modification of data.

Useful for doing bulk changes (using scripts).

(21)

Format of an ldif entry

# comment
dn: <distinguished name>
<attrdesc>: <attrvalue>
<attrdesc>: <attrvalue>

For example:

dn: dc=iitb,dc=ac,dc=in
objectclass: top
objectclass: domain

(22)

Another example

dn: ou=CHE,ou=People,dc=iitb,dc=ac,dc=in
ou: CHE
objectclass: top
objectclass: organizationalunit

dn: cn=Barbara J Jensen,dc=example,dc=
 com            % a line beginning with a single space continues the previous line
cn: Barbara J
  Jensen        % the leading space is removed when the lines are joined, so a second space keeps the words apart
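Two LDIF details matter when files are generated by scripts, as the slides recommend: folded lines and base64 values (written with a double colon). Splitting the dn from slide 7 into its components has its own trap, an escaped comma inside a value. The following Python is an added example for this page, not code from the seminar or from OpenLDAP: it parses the slides' entries from a constructed LDIF string, following RFC 2849 where a continuation line begins with exactly one space, and splits each dn into its RDN components. The sample text and its base64 value are constructed.

```python
import base64

# Constructed LDIF sample built from the entries shown on the slides; the third
# entry folds its dn and cn over two lines and carries a base64 value.
SAMPLE_LDIF = """# constructed sample, not a dump of a real directory
dn: dc=iitb,dc=ac,dc=in
objectclass: top
objectclass: domain

dn: ou=CHE,ou=People,dc=iitb,dc=ac,dc=in
ou: CHE
objectclass: top
objectclass: organizationalunit

dn: cn=Barbara J Jensen,dc=example,dc=
 com
cn: Barbara J
  Jensen
description:: QmFyYmFyYSdzIGVudHJ5
"""


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, one per RDN component.
    A backslash escapes the next character, so 'cn=Smith\\, John,dc=example,dc=com'
    keeps 'Smith, John' as one value; '+' inside a multi-valued RDN also separates pairs."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict attribute -> list of values.
    Handles '#' comment lines, blank-line separators, folded lines (a line that
    begins with one space continues the previous line, RFC 2849) and 'attr:: base64'."""
    logical, skipping = [], False          # first pass: unfold continuation lines
    for line in text.splitlines():
        if line.startswith(" "):
            if not skipping and logical:
                logical[-1] += line[1:]
            continue
        skipping = line.startswith("#")
        if not skipping:
            logical.append(line)

    entries, current = [], {}              # second pass: group lines into entries
    for line in logical:
        if not line.strip():               # a blank line ends the entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if attr == "version" and not entries and not current:
            continue                       # optional 'version: 1' header
        if attr == "dn" and current:
            raise ValueError("dn must be the first line of an entry")
        if value.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    for entry in entries:
        if "dn" not in entry:
            raise ValueError("entry without dn")
    return entries


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0], "->", split_dn(entry["dn"][0]))
```

Note that the continuation rule removes exactly one space, which is why the folded cn in the sample starts with two spaces: one is consumed by unfolding and the other separates "Barbara J" from "Jensen".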

(23)

Database Modification commands

ldapadd opens a connection, binds and adds entries. eg:

ldapadd -x -D "cn=Manager,dc=iitb,dc=ac,dc=in" -W -f example-add.ldif

-D binddn: bind as this DN

-W: prompt for the simple-authentication password

-f: read the entries from this LDIF file

-x: use simple authentication

Format of example-add.ldif:

dn: cn=Barbara Jensen,dc=example,dc=com
objectClass: person
cn: Barbara Jensen
sn: Jensen

(24)

ldapmodify

ldapmodify opens a connection, binds and modifies entries.

eg:

ldapmodify -c -D "cn=Manager,dc=iitb,dc=ac,dc=in" -x -f example-modify.ldif -W

example-modify.ldif:

dn: uid=sarawagi,ou=UG,ou=ME,ou=People,dc=iitb,dc=ac,dc=in
changetype: modify
delete: objectclass
objectClass: Person
-
delete: telephone

(25)


ldapsearch

ldapsearch opens a connection, binds and performs a search using the specified parameters.

eg:

ldapsearch -L "(sn=smith)" cn sn telephoneNumber

Result:

dn: uid=jts,dc=example,dc=com
cn: John Smith
cn: John T. Smith
sn: Smith
sn;lang-en: Smith
sn;lang-de: Schmidt
telephoneNumber: 1 555 123-4567

dn: uid=sss,dc=example,dc=com
cn: Steve Smith

(26)

Taking Backups

slapcat: dump the database to an LDIF file.

eg: slapcat -l filename.ldif

Daily backups:

today=`date +"%G_%m_%d_%H_%M"`
filename=$today.ldif
# Taking backups
/usr/local/openldap/sbin/slapcat -l $filename
/bin/gzip $filename

(27)

Restoring backup ldif to ldap

slapadd: load an LDIF file into the database. eg: slapadd -l filename.ldif

gq installation:

ftp://ftp.pbone.net/mirror/atrpms.physik.fu-berlin.de/dist/fc2/gq/gq-1.0-9_beta1.rhfc2.at.i386.rpm

rpm -i gq-1.0-9_beta1.rhfc2.at.i386.rpm

(28)

ACLs (Access Control Lists)

access to <what>
    [ by <who> <access> [<control>] ]+

Example:

access to *
    by self write break
    by users read continue
    by * none break

(29)

<what> ::= [dn=<dnspec>] [filter=<ldapfilter>] [attrs=<attrlist>]

The first part specifies a condition based on the position of the entry in the Directory Information Tree.

eg: access to dn="uid=*,ou=pg,ou=cse,ou=people,dc=iitb,dc=ac,dc=in"

The second part defines a condition that the attributes in the entry must fulfil and is specified as an LDAP filter.

eg: access to filter=(age>=25)

The third part defines whether the access clause affects access to the whole entry (if absent) or only some of its attributes.

(30)

ACLs continued

<who> ::= [*] [anonymous] [users] [self] [dn=<pattern>] [peername.ip=<pattern>]

The term peername refers to the remote side of the connection to the directory.

eg: access to * by peername.ip="10.100.5.1" ....

self refers to a user who is bound as the target entry.

eg: access to * by self ....

users refers to users who have bound as some entry, eg: access to * by users ....

anonymous refers to users who have not bound at all or did a

(31)

Access

<access> ::= write | read | compare | search | auth | none

read :: Access is granted to read this entry and its prescribed list of attributes.

write :: Access is granted to modify this entry and its prescribed list of attributes.

auth :: Access is granted to this entry's attribute(s) to perform authentication/authorization. This is used for the bind operation.

access to *

(32)

control

The <control> qualifier is optional.

<control> ::= [ stop | continue | break ]

stop

This is the default; it causes access checking to stop on a match.

continue

Continue evaluating the current access control clause after a match. That is, continue on to the next <who> directive.

break

On a match, break out of the current access control clause and evaluate the next clause that follows.

access to *
    by self write break

(33)

Order Matters

# ACL One

#

access to *

by self write

by users read

by * none

#

# ACL Two

#

access to attr=userPassword

by self write

(34)

Continued..

access to *

by self write

by users read

by * none break

#

# ACL Two

#

access to attr=userPassword

by self write

by users read

by * none
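The "Order Matters" rule sets can be checked mechanically instead of by reading. The following Python is an added example for this page, not code from the seminar or from slapd: it parses access directives written in the slapd.conf style and evaluates them with the stop/continue/break flow described on the control slide (a simplified model of the slapd.access(5) flow, and an assumption about its semantics rather than slapd's own code; filter= and peername.ip= are not modelled). It runs the two rule sets from the slides above and goes beyond them with a third that lists the userPassword directive first, as the example in the OpenLDAP admin guide does. The alice and bob DNs are constructed.

```python
import fnmatch

LEVELS = ("none", "auth", "compare", "search", "read", "write")
CONTROLS = ("stop", "continue", "break")

ALICE = "uid=alice,ou=People,dc=iitb,dc=ac,dc=in"   # constructed, not a real account
BOB = "uid=bob,ou=People,dc=iitb,dc=ac,dc=in"       # constructed, not a real account

# The two rule sets from the "Order Matters" slides, plus one that lists the
# userPassword directive first (the ordering the OpenLDAP admin guide uses).
ACL_ONE = """access to *
    by self write
    by users read
    by * none
access to attr=userPassword
    by self write"""
ACL_WITH_BREAK = """access to *
    by self write
    by users read
    by * none break
access to attr=userPassword
    by self write
    by users read
    by * none"""
ACL_PASSWORD_FIRST = """access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * none"""

def parse_acls(text):
    """Parse 'access to <what>' directives and their 'by <who> <access> [<control>]'
    lines into [(what, [(who, level, control), ...])]; <control> defaults to stop."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and acls:
            fields = line.split()
            control = fields[3] if len(fields) > 3 else "stop"
            if fields[2] not in LEVELS or control not in CONTROLS:
                raise ValueError(f"bad by clause: {raw!r}")
            acls[-1][1].append((fields[1], fields[2], control))
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return acls

def _what_matches(what, target_dn, attr):
    """<what> is '*' or a mix of dn=<glob> and attr(s)=<list>; filter= is not modelled."""
    for token in what.split():
        key, _, value = token.partition("=")
        value = value.strip('"')
        if token == "*":
            continue
        if key == "dn":
            if not fnmatch.fnmatchcase(target_dn.lower(), value.lower()):
                return False
        elif key in ("attr", "attrs"):
            if attr is None or attr.lower() not in value.lower().split(","):
                return False
        else:
            raise ValueError(f"unsupported <what>: {token!r}")
    return True

def _who_matches(who, binder_dn, target_dn):
    """binder_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (binder_dn is None) == (who == "anonymous")
    if who == "self":
        return binder_dn is not None and binder_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        pattern = who[3:].strip('"').lower()
        return binder_dn is not None and fnmatch.fnmatchcase(binder_dn.lower(), pattern)
    raise ValueError(f"unsupported <who>: {who!r}")

def evaluate(acls, binder_dn, target_dn, attr=None):
    """The first directive whose <what> matches is evaluated and its by clauses are
    tried in order: stop returns the matched level, continue keeps scanning the same
    directive (a later match replaces the level), break carries the level into the
    next matching directive. With no matching by clause the result is whatever was
    granted so far (none by default)."""
    granted = "none"
    for what, by_clauses in acls:
        if not _what_matches(what, target_dn, attr):
            continue
        control = "stop"
        for who, level, ctl in by_clauses:
            if _who_matches(who, binder_dn, target_dn):
                granted, control = level, ctl
                if ctl != "continue":
                    break
        if control != "break":
            return granted
    return granted

def password_access(acl_text, attr="userPassword"):
    """Access that alice, another bound user (bob) and an anonymous client get to alice's attr."""
    acls = parse_acls(acl_text)
    return {"self": evaluate(acls, ALICE, ALICE, attr),
            "other user": evaluate(acls, BOB, ALICE, attr),
            "anonymous": evaluate(acls, None, ALICE, attr)}
```

Under the first rule set the directive for * is matched first and its `by users read` stops evaluation, so a bound user other than the owner still reads userPassword and the userPassword directive is never consulted; adding `break` to `by * none` only changes the anonymous path. Listing the userPassword directive first is what removes the read for other users, which is the ordering check worth running on a slapd.conf before it goes live.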

(35)

Perl LDAP support

use Net::LDAP;

$ldap = Net::LDAP->new('ldapweb.iitb.ac.in') or die "$@";

$mesg = $ldap->bind;    # an anonymous bind

$mesg = $ldap->search(  # perform a search
    base   => "dc=iitb,dc=ac,dc=in",
    filter => "(uid=mahesh31)"
);

$mesg->code && die $mesg->error;

(36)

Perl ..

Establishing a connection:

$ldap = Net::LDAP->new('ldapweb.iitb.ac.in');

User binding:

$mesg = $ldap->bind("cn=me,o=example", password => "mypasswd");

Adding an entry with its attributes:

$mesg = $ldap->add( $dn,
    attrs => [
        name  => 'Graham Barr',
        attr  => 'value1',
        attr  => 'value2',
        multi => [qw(value1 value2)]
    ]
);

(37)

Perl ..

Deleting entries:

$mesg = $ldap->delete($dn);

Modifying entries:

$mesg = $ldap->modify( $dn, replace => { 'mail' => 'gbarr@pobox.com' } );
