Basics of LDAP
Lightweight Directory Access Protocol (LDAP)

This course is aimed at the experienced Linux administrator. LDAP is not easy and can be genuinely frustrating, so the plan is to offer several LDAP courses of increasing difficulty. This first course covers basic LDAP use, with a project of building a user whitepages directory. The second course will cover the open source graphical tools available for LDAP, and the third will cover using LDAP with Samba. The course is written for a CentOS system; companion pages for an Ubuntu client and an Ubuntu server are also available.

Project: LDAP White Pages
There are several reasons that make LDAP an excellent choice.

1. Consolidation - The main advantage of LDAP is a single directory of users and user data that many different services can read. One directory can serve email, Samba, Squid, web browsers and so on. Maintaining one directory for all services instead of one account database per service is a large time saving.

2. Directory Information - LDAP lets you add whatever extra information the organization wants to publish: phone numbers, addresses, office locations and the like.

3. Speed - A directory is designed for fast reads (many lookups, comparatively few writes), so every process that needs user data gets its answer quickly.

4. Security - LDAP can be protected with TLS (the successor of SSL) in two ways: LDAPS, where the TLS handshake happens as soon as the connection opens (conventionally on port 636), or StartTLS, which upgrades a plain connection on port 389. Without one of them a simple bind sends the bind DN and password in cleartext, so a server should be configured to refuse binds that are not protected.

5. Lightweight - LDAP is "lightweight" in comparison with the X.500 Directory Access Protocol (DAP). DAP required the full OSI protocol stack; LDAP runs directly over TCP/IP (port 389 by default), defines a smaller set of operations and uses simpler encodings, so it carries far less overhead. That makes LDAP easier for programmers to implement and to connect to other services.

LDAP Terms

schema - A set of rules that determines whether the information in a directory is valid. The schema is how you define objects and keep the directory consistent. Each schema carries its own rules, so the rules of the NIS (unix account) schema differ from the rules of the Samba schema. A schema defines attribute names, their types and syntax, and the object classes that group them. In summary, the schema ties together the definitions, object classes, attributes and everything else needed to describe what you are working with.
You incorporate a schema with an include line in /etc/openldap/slapd.conf, for example:

include /etc/openldap/schema/samba.schema

(Newer OpenLDAP releases default to the cn=config layout under /etc/openldap/slapd.d, where schemas are loaded as LDIF entries instead; the concepts are the same.)

OIDs - Every element of a schema is identified by a globally unique object identifier (OID). OIDs are allocated hierarchically, so each organization extends the tree under an arc it owns.

Attributes - An attribute is described by an attributeType definition. The attribute name identifies one piece of data; for example, homePhone could be the attribute holding a person's home phone number.

Object Classes - Attributes are grouped into object classes. An object class defines which attributes an entry of that class must have and which it may have, so all entries of one object class hold similar data.

DIT (Directory Information Tree) - The top of the tree is the Base DN, which names the database. Everything in the directory must sit under this object, so choose the Base DN as the topmost object you will ever need. Below the base you have several ways to organize. You could organize by region, creating containers for the areas your company operates in, such as Japan, Europe, China or the US. You could instead organize by business function, with containers for sales, research, shipping and so on. Organizing by function has a cost: people who work across functions end up created more than once, and however you define the functions there will be crossover that adds overhead.

LDIF (LDAP Data Interchange Format) - LDIF is the plain text format used to represent directory entries and the changes made to them. It is human readable, maps attributes to values one line at a time, and may contain directives for the parser (for example, a changetype line on an update).
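The fragment below is an added example of the slapd.conf directives the text describes, not configuration from the original course: schema includes, index definitions for the search types discussed in the indexing section that follows, and the TLS directives that make the transport security of reason 4 actually enforced. The certificate paths and the ssf value are assumptions; adjust them to your host.

```conf
# Schema includes: order matters, cosine must precede inetorgperson and nis
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Indexes: eq = equality, pres = presence, sub = substring, approx = approximate
index   objectClass     eq
index   cn,sn           eq,sub,approx
index   homePhone       eq,pres,sub

# Weak setting: with none of the lines below, port 389 accepts simple binds
# in cleartext. Hardened: serve TLS and refuse unprotected binds.
# (assumed paths)
TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile   /etc/openldap/certs/slapd.key
security                ssf=128 simple_bind=128
disallow                bind_anon
```

After adding index lines to an existing database, stop slapd and run slapindex so the new indexes are built. In the cn=config layout the same settings appear as olcDbIndex, olcSecurity, olcTLSCertificateFile and olcDisallows attributes.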
Indexing - Indexes improve the search performance of the directory. Several index types are available, matching the kinds of search filter clients send:

Presence - entries that contain a specific attribute (homePhone=*)
Equality - entries that contain a specific attribute and value (homePhone=442-345-7656)
Approximate - entries whose value is close to the search value (cn~=fred smith)
Substrings - wildcard searches (homePhone=*-345-*)

Here is the LDIF listing for the base entry dc=linux,dc=local:

dn: dc=linux,dc=local
objectClass: domain
dc: linux

The standard form of each line is the attribute, a colon and then the value:

attribute: value
dc: linux

It is important to understand the distinction between a distinguished name (DN) and a relative distinguished name (RDN). For Fred Smith, an entry under the base would look like this (the objectClass and sn lines are required for the entry to be valid, since a person must have a cn and an sn):

dn: cn=Fred Smith,dc=linux,dc=local
objectClass: organizationalPerson
cn: Fred Smith
sn: Smith
ou: People

The DN is cn=Fred Smith,dc=linux,dc=local. It names the entry by its full path through the directory tree, from the entry up to the Base DN, and must be unique in the directory. The RDN is only the leftmost component, cn=Fred Smith, which need only be unique among the entries that share the same parent. Note that the RDN's attribute value (cn: Fred Smith) must also be present as an attribute of the entry.

Attributes are designed to hold values. Every attribute type has a syntax, which is the data type of its values and specifies what may be stored in the attribute, together with matching rules that say how one value is compared with another of the same type (for example, whether case is ignored in an equality search).
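To make the pieces above concrete, here is an added example (written for this page, not code from the original course) that parses LDIF text, splits a DN into its RDNs, validates entries against a toy schema of MUST and MAY attributes, and evaluates the four filter types from the indexing section over the parsed entries. The sample LDIF, the schema subset and the approximate-match rule are assumptions constructed for the example; a real server uses its loaded schema and per-attribute matching rules instead of these simplified checks.

```python
import re

# Constructed sample LDIF: the base entry and two people under dc=linux,dc=local.
SAMPLE_LDIF = """\
dn: dc=linux,dc=local
objectClass: domain
dc: linux

dn: cn=Fred Smith,dc=linux,dc=local
objectClass: organizationalPerson
cn: Fred Smith
sn: Smith
ou: People
homePhone: 442-345-7656

dn: cn=Jane Doe,dc=linux,dc=local
objectClass: organizationalPerson
cn: Jane Doe
sn: Doe
ou: Sales
"""

# Toy schema, an assumed subset of the core schema: objectClass -> (MUST, MAY).
SCHEMA = {
    "domain": ({"dc"}, {"description"}),
    "organizationalPerson": ({"cn", "sn"}, {"ou", "homePhone"}),
}

def parse_ldif(text):
    """Parse 'attribute: value' lines into a list of entries (attr -> [values])."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def split_dn(dn):
    """Split a DN into RDNs, leftmost first; element 0 is the entry's own RDN.
    Simplification: escaped or quoted commas (RFC 4514) are not handled."""
    return [part.strip() for part in dn.split(",")]

def validate(entry):
    """Check one entry against SCHEMA and the RDN rule; return a list of problems."""
    problems = []
    dn = entry["dn"][0]
    rdn_attr, _, rdn_value = split_dn(dn)[0].partition("=")
    if rdn_value not in entry.get(rdn_attr, []):
        problems.append(f"{dn}: RDN value not present in attribute {rdn_attr}")
    allowed = {"dn", "objectClass"}
    for oc in entry.get("objectClass", []):
        if oc not in SCHEMA:
            problems.append(f"{dn}: unknown objectClass {oc}")
            continue
        must, may = SCHEMA[oc]
        for attr in sorted(must):
            if attr not in entry:
                problems.append(f"{dn}: missing MUST attribute {attr} for {oc}")
        allowed |= must | may
    for attr in entry:
        if attr not in allowed:
            problems.append(f"{dn}: attribute {attr} not allowed by its objectClasses")
    return problems

def _approx(value, pattern):
    """Toy approximate match: equal after lowercasing and dropping punctuation.
    Real servers use a phonetic rule (e.g. soundex) for '~=' instead."""
    norm = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    return norm(value) == norm(pattern)

def search(entries, flt):
    """Evaluate one simple filter and return matching DNs in directory order.
    Handles presence (attr=*), equality (attr=value), substring (attr=*x*)
    and approximate (attr~=value); AND/OR/NOT combinations are not supported."""
    m = re.fullmatch(r"\(?([A-Za-z]+)(~?=)(.*?)\)?", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, op, pattern = m.groups()
    hits = []
    for e in entries:
        values = e.get(attr, [])
        if op == "~=":
            hit = any(_approx(v, pattern) for v in values)
        elif pattern == "*":                      # presence
            hit = bool(values)
        elif "*" in pattern:                      # substring, '*' is the wildcard
            rx = ".*".join(re.escape(p) for p in pattern.split("*"))
            hit = any(re.fullmatch(rx, v) for v in values)
        else:                                     # equality, exact compare here
            hit = pattern in values
        if hit:
            hits.append(e["dn"][0])
    return hits
```

Run parse_ldif(SAMPLE_LDIF) and feed the result to validate() and search(): a filter such as (homePhone=*-345-*) returns only Fred's DN, and an entry missing its sn, or carrying an attribute no object class allows, is reported by validate(). The filter parser is deliberately minimal; production clients should build filters with a library that escapes user input per RFC 4515 rather than by string concatenation.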
Copyright CyberMontana Inc. and BeginLinux.com All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874