Introduction to LDAP under Linux

ArticleCategory:

System Administration


TranslationInfo:

original in en

AboutTheAuthor:

Atif is a chameleon. He changes his roles, from system administrator, to programmer, to teacher, to project manager, to whatever is required to get the job done.
Occasionally he likes to program on his laptop while watching a movie in the cinema.
Atif thinks that he owes a lot to Linux and the open source community and projects for being his teachers.
More about him can be found at his homepage.

Abstract:

In this article we will explore LDAP and its implementation using our favourite OS, Linux.

There is a lot of literature about LDAP out there, so I won't repeat it here, nor will I talk about advanced LDAP terms, schemas, the differences between v2 and v3, etc. In fact I do not know much about them. Instead I will try to explain in very simple words what LDAP is, what its benefits are and how we can use it.

I am not an LDAP expert. In fact I am an LDAP beginner. I will basically just write here what I do with LDAP and how. I will try not to confuse you the way I was confused for a very long time.

Question: If you are a beginner, why write an article about it?
Recently I needed help on a project from a colleague. The base of the project was LDAP. He could help me with Perl, mail servers etc. but did not know anything about LDAP; in fact each time he tried to get into LDAP, it got more and more confusing.
Since being comfortable with LDAP was the minimum requirement for the project, I gave him a crash course on LDAP in half an hour and suddenly it all became clear. The concepts were so easy, it was all right there in front of him, but it just needed a bit of focus or some funny examples.

I will try to do the same in this article.

You can find many URLs in the reference section to learn more about LDAP.


What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is a directory service, very similar to the directories on the file system that we are used to, to the telephone book we use to look up phone numbers, to network directory services such as Sun's NIS (Network Information Service) and DNS (Domain Name Service), and also to the tree that you see in your (or your neighbor's) garden.

LDAP is a specialized database. It is very important to remember that LDAP is not just another database: LDAP is optimized for lookups (reading data). Reads in LDAP are performed much more often than writes.

What do all these services have in common?
They all return some information when queried with a criterion.

Examples:

File system directory
ls /etc
This will return all files and subdirectories in the directory /etc

ls /etc/p*
This will return all files and subdirectories in /etc whose names begin with p

find /usr/local/apache -name index.html
This will search the file system for a file/directory called index.html, starting from the base /usr/local/apache

NIS directory
ypcat passwd
This will return the username, password, user id etc. of every entry in the passwd map from the NIS database

ypmatch atif passwd
This will return only the passwd entry for the user atif

DNS directory
nslookup www.linuxfocus.org
This will return the IP address for the entry www.linuxfocus.org from the DNS database

nslookup -type=MX linuxfocus.org
This will return only the MX records from the DNS database where the hostname matches linuxfocus.org

LDAP directory
(we will look into these in detail below)

ldapsearch uid=aghaffar
This will return all public information about the user aghaffar
Similar to the unix command find / -user aghaffar

ldapsearch uid=aghaffar mail
This will return only the mail attribute of the user aghaffar

Directory Base or Root

In each directory service we mentioned above there is always a starting point from which one can start browsing or searching. This starting point is often called the "root". This is similar to the root of a tree.
Each tree has a root, then some branches and more branches and leaves and flowers etc.

Each root can further have more branches (as in the tree in your neighbor's garden); for the file system, for example, these branches could be another subdirectory or a file.
Each of these branches can have attributes.
For example, the branches of the file system tree (subdirectories and files) have the following attributes. Below is a diagram that shows a file system directory.
The attributes represent the output of the unix command ls -ld /usr
drwxr-xr-x 29 root root 749 Jun 17 23:45 /usr
(diagram: fileSystemDirectory)

Now a diagram for an LDAP directory.
(diagram: ldapDirectory)
We will talk about this diagram later.

Distinguished Name

Unlike the natural tree, each branch of the file system/LDAP/phone book directory has at least one unique attribute, which helps us tell one entry from another.

On file systems this unique attribute is the filename along with its path. For example, in
/etc/passwd the filename passwd has to be unique within this path. Of course we can have /usr/passwd or /opt/passwd, which are all unique by their fully qualified filename.
Similarly the DNS system has the FQDN (Fully Qualified Domain Name), which is a unique entry (of course you can assign a lot of IP addresses to the same FQDN, smart boy!).

In LDAP the fully qualified name of an entry is called the "dn" or Distinguished Name. This name is always unique in a directory. For example my dn is "uid=aghaffar, ou=People, o=developer.ch".
It is not possible to have another entry with the same dn, but we can surely have a dn such as "uid=aghaffar, ou=Administrators, o=developer.ch".
This corresponds to the file system entries /etc/passwd and /usr/passwd:
we have a unique attribute called uid in the tree "ou=Administrators, o=developer.ch" and we have a unique attribute called uid in the tree "ou=People, o=developer.ch".
They do not clash.

LDAP Servers

There are many LDAP servers available on the market today and most will work on Linux.
For this article we will use openLDAP.

Why did I choose openLDAP? Why should you choose openLDAP?

openLDAP is available from http://www.openldap.org. You can either download the source package and build it yourself, or see if your Linux distribution already has this package. If it does, then simply spare yourself the effort and install the pre-compiled version.
I have tested openLDAP on SuSE 6.x and RedHat 6.x.

Building the LDAP directory

In this section we will setup an LDAP server step by step.
Steps to take:

Download and install openLDAP

As mentioned before, either download the sources from www.openldap.org and install them according to the documentation, or install a pre-compiled package (installing packages, or a howto on compiling applications, is out of the scope of this article).

Configure the LDAP server

For this example, I will build an LDAP directory for linuxfocus.org.
You can change names etc. to reflect your site. To set up the main server you have to edit the files slapd.conf and ldap.conf in your favorite editor.
On my servers these files are in /etc/openldap. Yours could be in /usr/local/etc/openldap or elsewhere, depending on your Linux distribution, or on the compile-time configuration if you built openLDAP yourself.

######### /etc/openldap/slapd.conf ###################################
# the following are defined by default in my SuSE 6.4 Linux distribution
# We will talk more about them in part II or part III of this article
# Perhaps by then I will know what they mean :)

include         /etc/openldap/slapd.at.conf
include         /etc/openldap/slapd.oc.conf
schemacheck     off

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

#######################################################################
# ldbm database definitions
#######################################################################

# this defines the kind of database to use. keep the default ldbm
database        ldbm

# suffix or directory root. This is the top node in your LDAP directory
suffix          "o=linuxfocus.org"

# this is where the ldap databases will be kept
directory       /var/lib/ldap

# the distinguished name of the directory manager
rootdn          "cn=Manager, o=linuxfocus.org"

# it's a bad idea to keep the ldap manager password in clear text, but we
# will use it in the beginning to get used to LDAP
rootpw          secret

# That's all, for now.

Edit your /etc/openldap/ldap.conf
This file is on the ldap client (we will use the same machine as client and server; they could be the same or separate).
This file is read by ldap utilities such as ldapdelete, ldapadd, etc.

##########/etc/openldap/ldap.conf#########
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable.

# this defines the ldap server. you can use a hostname or an ip address
host 127.0.0.1

# this is the directory root we want to use to start searching from.
# we will use the top node in our configuration.
# it need not be the top level node in the directory, for example
# we can use base = ou=users, o=linuxfocus.ch
# if we do that then all our searches will start from that branch of the tree
base  o=linuxfocus.org
# that's all
Now start the ldap server.
If you are using the pre-installed openLDAP server from SuSE, then you can start it with
/etc/rc.d/ldap start
On RedHat, I believe it is
/etc/rc.d/init.d/ldap start
If you have compiled and installed it yourself and used the defaults, then you may start it with
/usr/local/libexec/slapd &
or wherever you installed it. Just find slapd and run it.

Adding data to the newly installed LDAP server

At this point you have an ldap server running, ready to be filled up with information.
The standard way to fill information into the ldap server is to create an LDIF (LDAP Directory Interchange Format)* file. You can read man ldif to find more information about ldif.
Very simply, ldif is the textual representation of ldap entries. These entries are human readable and interchangeable between two different LDAP servers from different vendors, using different database back-ends or running on different operating systems.
* Yes, yet another format. I wonder why XML is not used instead of LDIF.
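As an added example (not part of the article), here is a small Python parser for the LDIF text just described, run on a constructed sample modelled on the article's entries. It assumes the standard LDIF rules: records separated by a blank line, each starting with dn:, base64 values after ::, continuation lines starting with a space, and comment lines starting with #; it also rejects a duplicate dn, since a dn must be unique in the directory.

```python
import base64
# Added example (not from the article): minimal parser for LDIF records.
# Records are separated by a blank line and start with "dn:"; "attr:: value"
# carries base64; a line starting with a space continues the previous line;
# "#" lines are comments; a duplicate dn is rejected (dn is unique per directory).
SAMPLE_LDIF = """\
# constructed sample, modelled on the article's example entries
dn: uid=aghaffar, ou=People, o=linuxfocus.org
uid: aghaffar
cn: Atif
  Ghaffar
description:: QXRpZiB0aGUgY2hhbWVsZW9u

dn: uid=aghaffar, ou=Administrators, o=linuxfocus.org
uid: aghaffar
"""

def _build_record(lines, seen):
    """Turn one record's lines into (dn, {attr: [values]})."""
    attrs = {}
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        if rest.startswith(":"):              # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    dn = attrs.pop("dn", [None])[0]
    if dn is None or dn in seen:
        raise ValueError("missing or duplicate dn in record: %r" % lines[0])
    seen.add(dn)
    return dn, attrs

def parse_ldif(text):
    """Parse LDIF text into a list of (dn, attrs); raise ValueError on bad input."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded: # continuation of the previous line
            unfolded[-1] += line[1:]
        elif not line.startswith("#"):        # drop comment lines
            unfolded.append(line)
    records, current, seen = [], [], set()
    for line in unfolded + [""]:              # the final "" flushes the last record
        if line.strip():
            current.append(line)
        elif current:
            records.append(_build_record(current, seen))
            current = []
    return records
```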

So without further ado let's create this ldif file. Some things to remember:

  • Every record/entry in the ldif file is separated with a blank line.