Basics of LDAP

Lightweight Directory Access Protocol (LDAP)

This course will help you understand the benefits of LDAP as well as implementation of LDAP.    The OpenLDAP Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and open source LDAP suite of applications and development tools. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenLDAP Suite and its related documentation.

Lesson 2

Course Difficulty

The course level is for an Experienced Linux Administrator.  LDAP is not easy and in fact can be very frustrating. Our plan is to provide several LDAP courses with increasing difficulty and options.  The first course is Basic LDAP use with the project being the creation of a User Whitepages.  Teh second LDAP course will be how to use the Open Source graphical tools that are available for LDAP and the third course will be the use of LDAP with Samba.  The course is designed for a CentOS system but here are links to: Ubuntu Client and Ubuntu Server.

LDAP File Locations

LDAP Commands

LDAP Logging

LDAP Server Install

tcp_wrappers with LDAP

Add System User

Set Up LDAP Client

Project: LDAP White Pages

Course Support
The course author, among others, will be available for questions in the Forum.

Quizzes
The quizzes are there to help you focus on the key points made about each distro. Caution: You will only be able to take a quiz one time and that score will be recorded.  So before you take the quiz be sure you understand all of the features that you will be tested on.  Click Here to take a Demo Test so that you can see how the questions will be formatted.

Community
Be sure to check out the Community Page with information on other courses and Community Discounts on ALL Training.

LDAP is a directory not a database. One major difference is that directories are designed for reads while a database is really designed to read and write.  This  makes directories much faster for finding information.

LDAP is a protocol that is designed to access information.  The protocol is server-client related, where the client makes requests of the server and the server provides those requests.  The protocol does not define where a directory should be located.  The significance of this is that when a service accesses LDAP it does not need to know where the directory is, which provides freedom in design.

There are several reasons that make LDAP an excellent choice.

1. Consolidation – The main advantage of LDAP is the ability to use one directory of information containing users and user data and access that one directory from many different services. For example one directory could be used for email, samba, squid, web browsers, etc. The time savings for providing one directory for all services is a great advantage.

2. Directory Information - LDAP makes it possible to add additional information into the directory that the organization may want to provide. Information like, phone numbers, addresses, office location, etc.

3. Speed - A directory system is designed for fast reads. This means that all processes that require user data will operate faster.

4. Security – LDAP supports Secure Socket Layers(SSL) and Tansport Layer Security (TLS) so your information access can be secured.

5. Lightweight - LDAP is considered lightweight as compared to the X.500 system which was built on the OSI layers.  LDAP has less overhead than the X.500 standard. Less overhead was accomplished by mapping LDAP into the network layer on port 389. The X.500 was mapped to the application layer so as a result carried a lot more information.  LDAP carries less operations than X.500. These means that LDAP is easier for programmers to implement and connect to more services.

LDAP Terms
schema
A set of rules which determines if information is a directory is valid.  This provides you a way to define objects as well as maintain the validity of the directory.  Each schema has specific rules which is uses to determine the directory status.  So the rules for the nix schema differ from the rules for the samba schema.  

The schema contains attribute names, types and syntax  which is defined by object classes.   

So, in summary, the schema ties together the definitions, object classes, attributes and all the rest of the data necessary for defining what you are working with.

You will incorporate specific schemas by using an include line in the /etc/openldap/slapd.conf file.

include /ec/openldap/schema/samba.schema

OIDs

A globally unique OID helps define each element of the schema you are using.  The OIDs are based upon a hierarchical structure.

Attributes
Attribute information is described by attributeType.  The attribute name is what is specified from one piece of data.  Fore example, homePhone could be an attribute name representing a person's phone number.

Object Classes
When you group attribute data you will  e suing a objectclass.  This means that all in the data is the object class is similar.

DIT (DIrectory Information Tree)
The top of the tree is called the Base DN, this is what names the database.  The importance of the Base DN is that everything must come under this object. So when you name the object make sure this is the top most object you want.  There are several ways that you can organize after you establish the base.  You could organize based on regional areas.  So for example the next containers that you would create are based on areas that your company is involved in like, Japan, Europe, China, US, etc.  You could also create a situation where built containers based on function.  In that situation you may end up creating users multiple times as they cross over functions.  No matter how you describe your functions there will be the cross over that will require a lot more overhead.  Many companies may design containers  based on business function.  Here you may have a sales, research, shipping, etc.

LDIF (LDAP Data Intercahnge Format)
LDIF is the format for storing data in the directory system.  This format creates entries for your directory that are human readable.   LDAP Interchange Format is a plain text file that describes the organization.  LDIF is a file format for entries in the LDAP tree, it provides a method of mapping attributes to values and it may contain directives for the parser.

Indexing
Indexes will improve the search performance of the directory.  You have a number of indexes available to use.   
Presence - list entries that contain a specific attribute (homePhone)
Equality - entries that contain specifc attribute and value (homePhone=442-345-7656)
Approximate - close to search filter  
Substrings - wilcard searches (homePhone=*-345-*)

In this example, the top entry is the distinguished name (DN) which looks like this in the LDIF:

dc=linux,dc=local;

# LDIF listing for the entry dn: dc=beginlinux,dc=net dn: dc=linux,dc=local objectClass: domain dc: linux 

When you view this entry the standard is to have the attribute, a colon and then the value.

attribute: value

dc: linux

Understanding the distinctions between distinguished name (DN) and relative distinguished name (RDN) is important to clarify. In this example for fred smith his entry will look like this:

dn: cn=Fred Smith,dc=linux,dc=local

cn: Fred Smith

ou: People

The DN is dn: cn=Fred Smith,dc=linux,dc=local

This takes into account the entire directory tree structure. The RDN only takes in a part of the directory tree structure.

RDN is cn=Fred Smith

Attributes are designed to hold values.

This data type specifies what type of information can be stored in the variable, along with certain other rules, such as how to compare the variable's value to the data stored in another variable of the same type.