LDAP Lightweight Directory Access Protocol - PowerPoint PPT Presentation

1
LDAP (Lightweight Directory Access Protocol)
  • Speaker: Chang-Yu Wu
  • Adviser: Quincy Wu
  • Date: 2007/08/22

2
Outline
  • Motivation
  • Related Work
  • Directory Service
  • X.500
  • LDAP
  • Depiction
  • Architecture
  • LDIF
  • Implementation
  • Conclusion
  • Reference

3
Motivation
(Diagram: User, Account, and the FTP server, mail server, application server, Samba server and web server)
4
Motivation (cont)
  • Each service has its own configuration file or
    resource record
  • A server doesn't have many services
  • Administration (e.g. accounts)
  • Data is repeated across services

5
Related Work
  • Directory services (DS)
    • A set of applications
    • Stores and organizes information about a computer
      network's users and network resources
  • X.500
    • X.500 is a series of computer networking
      standards covering electronic directory services

6
Directory services
7
X.500
  • A hierarchical organization of entries which is
    distributed across one or more servers

8
LDAP
  • Lightweight Directory Access Protocol (LDAP) is
    an application protocol for querying and
    modifying directory services running over TCP/IP.
  • Optimized for lookups
  • Much higher read ratio
  • More easily extended
  • Implementation Software
    • OpenLDAP

9
Application
10
Application (cont)
(Network diagram: clients, a switch and NAT, with the FTP server, Samba server, mail server and LDAP server)
11
History
  • RFC 1777
    • Lightweight Directory Access Protocol (v1)
  • RFC 2251-2256
    • Lightweight Directory Access Protocol (v3)
  • RFC 2829
    • Authentication Methods for LDAP
  • RFC 2830
    • Lightweight Directory Access Protocol (v3)
      Extension for Transport Layer Security
  • RFC 3377
    • Lightweight Directory Access Protocol (v3)
      Technical Specification

12
Background
  • Relatively simple protocol (X.500 was heavyweight).
  • Universal design for directory services.

13
Depiction
  • An LDAP directory is organized in a simple tree
    hierarchy consisting .
  • An LDAP directory can be distributed among many
    servers.

14
DIT
  • Directory Information Tree (DIT)
  • Entity
    • Describes an object (Class)
    • e.g. people, devices
  • Class
  • Attribute
    • A type/syntax and a value
  • Value

15
DIT
LDAP DIT
  dc=john, dc=ipv6, dc=club, dc=tw
    ou=people
      cn=Alice  (the attributes and values of the entry: objectClass: person, sn: carter, telephoneNumber: 555-1234)
    ou=devices
dn: cn=Alice, ou=people, dc=john, dc=ipv6, dc=club, dc=tw
RDN: cn=Alice
16
LDAP Interchange Format
  • LDIF (LDAP Interchange Format)
    • RFC 2849
    • A set of entries
    • Attributes and values
    • Stores configuration information of LDAP and is
      the standard text format of a directory
  • More instructions
    • Schema

17
Schema
  • Defines which object classes are allowed
  • Where they are stored
  • What attributes they have (objectClass)
  • Which attributes are optional (objectClass)
  • Type/syntax of each attribute (objectClass)

18
Schema (cont)
core.schema
objectclass ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person'
    SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
19
LDAP Interchange Format (cont)
  • DN (Distinguished Name)
    • A record
  • RDN (Relative Distinguished Name)
    • cn and the value of cn
  • CN (Common Name)
    • Name
  • OU (Organizational Unit)
  • DC (Domain Component)

20
DIT
LDIF:
  dn: cn=alice, dc=john, dc=ipv6, dc=club, dc=tw
  objectClass: person
  sn: carter
  telephoneNumber: 555-1234
LDAP DIT
  dc=john, dc=ipv6, dc=club, dc=tw
    ou=people
      cn=Alice  (the attributes and values of the entry: objectClass: person, sn: carter, telephoneNumber: 555-1234)
    ou=devices
dn: cn=Alice, ou=people, dc=john, dc=ipv6, dc=club, dc=tw
RDN: cn=Alice
21
Model
  • Information model
    • Basic unit: Entry
    • DIT (Directory Information Tree)
  • Naming model
    • Defines an entry or data of the DIT by RDN (Relative
      Distinguished Name)
    • DN (Distinguished Name)
  • Functional model
    • Defines the data operating procedures
  • Security model
    • Authentication mechanism
    • ACL (Access Control List)

22
Implementation
  • OpenLDAP
    • OpenLDAP Software is an open source
      implementation of the Lightweight Directory
      Access Protocol.
    • http://www.openldap.org/
  • Experimental Version
    • OpenLDAP-server-2.3.37
  • Download
    • http://www.openldap.org/software/download/

23
Configuration file
  • slapd.conf (/usr/local/etc/openldap/)
  • Schema
  • Log record
  • SSL/TLS
  • Database area
  • ACL

24
Configuration file - schema
Path: /usr/local/etc/openldap/schema/
25
Configuration file - database area
26
Configuration file - database area
  • Define database
    • database bdb
  • Define root suffix
    • suffix "dc=john,dc=ipv6,dc=club,dc=tw"
  • Define root DN
    • rootdn "cn=admin,dc=john,dc=ipv6,dc=club,dc=tw"
  • Define root password
    • rootpw XXX
  • Define directory path
    • directory /var/db/xxx/
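
rootpw XXX is a placeholder on the slide, but whatever replaces it should be a hash produced by slappasswd (listed under the offline tools later in the deck), not a cleartext password. The Python below is an added example, not code from the deck or from OpenLDAP: it builds and verifies an {SSHA} value in the form slappasswd emits (base64 of SHA-1(password || salt) followed by the salt), audits a constructed slapd.conf fragment modelled on this slide for a cleartext rootpw and for a missing access rule on userPassword, and rewrites the fragment with a hash and an ACL. The access rule uses OpenLDAP's access-directive syntax; the audit rules, the fragment text and the password are assumptions made for the example.

```python
"""Audit a slapd.conf fragment and produce the {SSHA} rootpw that slappasswd would.
Added example; the fragment is constructed, not taken from a real server."""
import base64
import hashlib
import hmac
import os
import re

# Constructed slapd.conf fragment modelled on the deck's "database area" slide.
SLAPD_CONF = """\
database bdb
suffix "dc=john,dc=ipv6,dc=club,dc=tw"
rootdn "cn=admin,dc=john,dc=ipv6,dc=club,dc=tw"
rootpw XXX
directory /var/db/xxx/
"""

# ACL in OpenLDAP syntax: users may change their own password, anyone may bind
# with it, nobody may read it.  Assumed here as the rule the audit looks for.
USERPASSWORD_ACL = "access to attrs=userPassword by self write by anonymous auth by * none"

SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")   # {SSHA}, {SHA}, {CRYPT}, ...


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)            # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_slapd_conf(text):
    """Return a list of findings (empty when the fragment passes both checks)."""
    findings = []
    has_password_acl = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if directive == "rootpw":
            if not SCHEME_RE.match(rest.strip('"')):
                findings.append("rootpw is stored in cleartext; use a slappasswd hash")
        elif directive == "access" and "userpassword" in rest.lower():
            has_password_acl = True
    if not has_password_acl:
        findings.append("no access directive restricts userPassword")
    return findings


def harden(text, new_password):
    """Replace the rootpw value with a fresh {SSHA} hash and append the userPassword ACL."""
    out = []
    for line in text.splitlines():
        if line.strip().lower().startswith("rootpw"):
            line = "rootpw " + ssha_hash(new_password)
        out.append(line)
    out.append(USERPASSWORD_ACL)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_slapd_conf(SLAPD_CONF):
        print("finding:", finding)
    fixed = harden(SLAPD_CONF, "example-admin-password")   # constructed password
    print(fixed)
    print("after hardening:", audit_slapd_conf(fixed) or "no findings")
```

Running the script reports the cleartext rootpw and the missing userPassword rule for the slide's fragment, then prints the hardened fragment, which passes both checks. The salt length is not fixed by the format, so ssha_verify treats everything after the 20-byte SHA-1 digest as salt, which is also why values from different slappasswd builds interoperate.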

27
White page
LDIF:
  dn: cn=alice, dc=john, dc=ipv6, dc=club, dc=tw
  objectClass: person
  sn: carter
  telephoneNumber: 555-1234
LDAP DIT
  dc=john, dc=ipv6, dc=club, dc=tw
    ou=people
      cn=Alice  (the attributes and values of the entry: objectClass: person, sn: carter, telephoneNumber: 555-1234)
    ou=devices
dn: cn=Alice, ou=people, dc=john, dc=ipv6, dc=club, dc=tw
RDN: cn=Alice
28
White page (cont)
  • people.ldif
  • create root
    • dn: dc=john,dc=ipv6,dc=club,dc=tw
    • dc: john
    • objectClass: dcObject
    • objectClass: organizationalUnit
  • create ou
    • dn: ou=people,dc=john,dc=ipv6,dc=club,dc=tw
    • ou: people
    • objectClass: organizationalUnit
  • create person
    • dn: cn=alice,ou=people,dc=john,dc=ipv6,dc=club,dc=tw
    • cn: alice
    • objectClass: person
    • sn: carter
    • telephoneNumber: 555-1234
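
The people.ldif records above, parsed and checked in Python. This is an added example, not code from the deck or from OpenLDAP: it unfolds LDIF continuation lines, splits each DN into its RDNs on unescaped commas, confirms that each entry's parent has already been loaded (the order slapadd needs, with the suffix from the slapd.conf slide as the root), and checks the MUST attributes of the 'person' class from the core.schema slide. The MUST lists for organizationalUnit (ou) and dcObject (dc) are taken from core.schema and do not appear on the slides; with them the checker reports that the root entry as written carries objectClass organizationalUnit without an ou attribute, which slapd's schema checking would reject as well. The LDIF text is constructed from the slide.

```python
"""Parse LDIF, rebuild the DIT and check object-class MUST attributes.
Added example; the LDIF text is constructed from the deck's people.ldif slide."""
import base64

# Constructed input: the three entries of the deck's people.ldif, in load order.
PEOPLE_LDIF = """\
dn: dc=john,dc=ipv6,dc=club,dc=tw
dc: john
objectClass: dcObject
objectClass: organizationalUnit

dn: ou=people,dc=john,dc=ipv6,dc=club,dc=tw
ou: people
objectClass: organizationalUnit

dn: cn=alice,ou=people,dc=john,dc=ipv6,dc=club,dc=tw
cn: alice
objectClass: person
sn: carter
telephoneNumber: 555-1234
"""

SUFFIX = "dc=john,dc=ipv6,dc=club,dc=tw"     # the suffix from the slapd.conf slide

# MUST attributes per object class, keyed in lowercase because LDAP names are
# case-insensitive.  'person' is the core.schema excerpt on the schema slide;
# the other two are also from core.schema but are not shown in the deck.
MUST_ATTRS = {
    "person": {"sn", "cn"},
    "organizationalunit": {"ou"},
    "dcobject": {"dc"},
}


def parse_ldif(text):
    """Return [(dn, attrs)] where attrs maps a lowercase attribute name to its values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line (RFC 2849)
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                 # the trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):              # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (backslash escapes as in RFC 4514)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def rdn(dn):
    return split_dn(dn)[0]


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def check_dit(entries, suffix):
    """Return problems: entries whose parent is not loaded yet, and missing MUST attributes."""
    problems, loaded = [], set()
    for dn, attrs in entries:
        norm = ",".join(split_dn(dn)).lower()
        parent = parent_dn(dn).lower()
        if norm != suffix.lower() and parent not in loaded:
            problems.append("%s: parent %s is not loaded yet" % (dn, parent))
        loaded.add(norm)
        for oc in attrs.get("objectclass", []):
            for attr in sorted(MUST_ATTRS.get(oc.lower(), set()) - set(attrs)):
                problems.append("%s: objectClass %s requires %s" % (dn, oc, attr))
    return problems


if __name__ == "__main__":
    for problem in check_dit(parse_ldif(PEOPLE_LDIF), SUFFIX):
        print(problem)
```

The DN handling splits on unescaped commas only, so a value such as cn=Carter\, Alice stays one RDN; the parent check models why people.ldif lists the root, then the ou, then the person.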

29
Instruction
  • Start
    • /usr/local/libexec/slapd
  • Input data
    • slapadd -v -l /xxx/people.ldif
  • Show data
    • ldapsearch -x -b "dc=john,dc=ipv6,dc=club,dc=tw"

30
Instruction (cont)
  • Offline tools
    • slapadd, slapcat, slapindex, slappasswd
  • Online tools
    • ldapsearch, ldapadd, ldapdelete, ldapmodify,
      ldapmodrdn

31
Conclusion
  • Used to access and update information in a
    directory built on the X.500 model
  • Specification defines the content of messages
    between the client and the server
  • Includes operations to establish and disconnect a
    session from the server

32
Reference
  • Lightweight Directory Access Protocol
    • RFC 2251
  • OpenLDAP
    • http://www.openldap.org/
  • LDAP System Administration
    • Gerald Carter, O'Reilly, 2003