LDAP & OpenLDAP

In this article we introduce LDAP and OpenLDAP, show how to set up an OpenLDAP server, and walk through some small examples.

 

LDAP -> Lightweight Directory Access Protocol: the protocol clients use to talk to a directory.

OpenLDAP -> an open-source directory server that implements LDAP. Other directory servers also speak LDAP, e.g. Microsoft Active Directory, but they are separate products, not OpenLDAP.

 

Directory Service –

1.    Stores and organizes information hierarchically, i.e. in a directory tree, and provides access to it

2.    E.g. the Domain Name System: DNS is the most successful directory service deployed on the Internet.

 

Directory Structure –

1.    A directory service stores information in a directory structure; the diagram of that structure is called the Directory Information Tree (DIT).

2.    A directory is a tree of entries

3.    An entry is a set of attributes

4.    An attribute has a name and one or more values

5.    Attributes are defined in the schema

6.    Each entry has a unique identifier, its Distinguished Name (DN)

 

Five Major Characteristics of Directory Service –

1.    Highly optimized for reads

2.    Information can be distributed across several servers

3.    The types of information stored can be extended (through the schema)

4.    Replication

5.    Advanced search capabilities

 

Difference between Databases and Directory Services

SN   Databases                                              Directory Services
1.   Reads and writes are both frequent                     Mostly reads, very few writes
2.   Transactions, rollbacks and write locks are essential  Transactions, rollbacks and write locks matter much less
3.   More overhead                                          Less overhead

 

 

 What is LDAP ?

1.    Originally created by Tim Howes, Steve Kille and Wengyik Yeong in 1993 (RFC 1487). Tim Howes, Steve Kille and Mark Wahl later revised it as LDAPv3 (RFC 2251, 1997; the current specification is the RFC 4510 series).

2.    Application protocol for reading and editing directories over an IP network

3.    LDAP is itself a binary protocol: messages are ASN.1 structures encoded with BER, meant to be read by machines rather than humans. LDIF (see below) is the human-readable text form of the same data.

4.    Lightweight Directory Access Protocol

5.    Lightweight in comparison with the X.500 Directory Access Protocol (DAP)

 

 

LDAP vs X.500:

The main difference is that LDAP runs over TCP/IP whereas X.500 DAP runs over the full OSI protocol stack. Dropping the OSI layers, and a good part of DAP's complexity, is what makes LDAP "lightweight".

 

Uses of LDAP:

       Machine authentication

       User/system groups

       User resource management

       Address book

       Organization representation

       Asset tracking

       Telephony information store

       Application configuration store

 

 

Directory Information Tree:

LDAP stores information in a directory structure; the pictorial view of that structure is called the Directory Information Tree. The original article illustrates this with a figure (not reproduced here).

 

 

  


Directory Structure:

       A directory is a tree of directory entries

       An entry consists of a set of attributes

       An attribute has a name and one or more values

       The attributes are defined in schemas

       Each entry has a unique identifier, its DN, which is built from RDNs (one per level of the tree)

 

OpenLDAP:

Please note that in our example we have used OpenLDAP as the LDAP server.

Please visit www.openldap.org for more details.

 

 

Features of OpenLDAP:

1.    It is open source

2.    Free to use

3.    Simple Authentication and Security Layer (SASL) support

4.    Access control (ACLs on entries and attributes)

5.    Implements LDAPv3

6.    TLS support (StartTLS on port 389 and ldaps:// on port 636)

 

 

 

Components of OpenLDAP:

1.    slapd – the OpenLDAP server daemon

2.    slapd.conf – the OpenLDAP configuration file (the classic text format used in this article; OpenLDAP 2.3 and later can also keep the configuration inside the directory as cn=config, which is what the Ubuntu package sets up by default under /etc/ldap/slapd.d)

3.    Schemas – define the attribute types and object classes

4.    Libraries – required by slapd; normally under /usr/lib/ldap

5.    Backend – the backend database. We use BDB here (deprecated in OpenLDAP 2.4 in favour of MDB and removed in 2.5). The data lives under /var/lib/ldap

6.    LDIF – LDAP Data Interchange Format. It is used for importing and exporting the information stored in the directory

7.    LDAP client – used to connect to the LDAP server and operate on it, e.g. ldapsearch, ldapadd, ldapmodify, ldapdelete

 

 

1.    slapd –

a.    LDAP server daemon

b.    A binary

c.     Normally located under /usr/sbin

d.    It can be started directly from a shell prompt as "slapd" (normally the init script or systemd unit does this for you)

 

 

2.    slapd.conf

 

I have divided slapd.conf into 4 Parts

a.    Schema Inclusion

b.    Backend DB & Directory Specific

c.     Access Control

d.    Other

 

 

3.    Schemas

       Schemas define attribute types and object classes

       They make LDAP extensible

       We can customize or add schemas

       Schema files are generally stored under /etc/ldap/schema (Debian/Ubuntu) or /etc/openldap/schema (Red Hat/CentOS)

 

File                   Description
core.schema            OpenLDAP core (required)
cosine.schema          COSINE and Internet X.500 (useful)
inetorgperson.schema   InetOrgPerson (useful)
misc.schema            Assorted (experimental)
nis.schema             Network Information Services (FYI)
openldap.schema        OpenLDAP Project (experimental)

The user entries created later in this article need nis.schema (posixAccount, shadowAccount) and cosine.schema (account) to be included.

 

 

4.    Libraries or modules

       Generally the libraries are stored under /usr/lib/ldap

       They add functionality (backends and overlays) and make OpenLDAP modular

 

5.    Backend DB

       When this article was written OpenLDAP mainly used the following two embedded databases to store information (current releases use back-mdb, built on LMDB; BDB and HDB were deprecated in 2.4 and removed in 2.5)

o    BDB – Berkeley DB transactional backend

o    HDB – hierarchical variant of BDB

       The database files are stored under /var/lib/ldap. They contain the whole directory, password hashes included, so they must be readable only by the openldap user.

 

6.    LDIF

       LDAP Data Interchange Format (RFC 2849)

       A collection of entries separated by blank lines

       Each line maps an attribute name to a value ("name: value"; "name:: base64value" for values that are binary, non-ASCII, or start with a space or colon)

       It is used to import information into, or export it from, the LDAP directory
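To make the format concrete, here is an added example (not code from the article) of a small LDIF parser in Python. The sample text is a constructed copy of the article's first.ldif with a base64 value and a folded line added to exercise those rules; the function names are this example's own.

```python
# Added example (not from the article): a small parser for the LDIF files
# that ldapadd consumes and ldapsearch produces.  It handles what a real
# export contains and the article's hand-written files do not show:
# comments, folded continuation lines and base64 values ("attr:: ...",
# RFC 2849).  Standard library only.
import base64
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]      # (dn, {attribute: [values]})

# Constructed sample modelled on the article's first.ldif, with one folded
# line and one base64 value added.
SAMPLE_LDIF = """\
# constructed sample, not a real export
dn: dc=persi,dc=com
objectclass: dcObject
objectclass: organization
o: Persi's company
dc: persi

dn: cn=admin,dc=persi,dc=com
objectclass: simpleSecurityObject
objectclass: organizationalRole
cn: admin
userPassword:: Ymlnc2VjcmV0d29yZA==
description: LDAP
  Administrator
"""


def _unfold(text: str) -> List[str]:
    """Join continuation lines (a line starting with one space continues the
    previous line) and drop comment lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into (dn, attributes) tuples.
    Attribute names keep their case as written; LDAP compares them
    case-insensitively, so 'objectclass' and 'objectClass' are the same."""
    entries: List[Entry] = []
    dn = None
    attrs: Dict[str, List[str]] = {}
    for line in _unfold(text) + ['']:          # sentinel blank line flushes the last entry
        if line.strip() == '':
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith('version:'):
            continue
        name, sep, value = line.partition(':')
        if not sep:
            raise ValueError(f'malformed LDIF line: {line!r}')
        if value.startswith(':'):               # "attr:: base64" form for binary/non-ASCII data
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        elif value.startswith('<'):
            raise ValueError('file URL values ("attr:< file://...") are not supported here')
        else:
            value = value.strip()
        if name.lower() == 'dn':
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


if __name__ == '__main__':
    for entry_dn, entry_attrs in parse_ldif(SAMPLE_LDIF):
        print(entry_dn, entry_attrs)
```

Because the base64 form hides the value from a casual reader, an exported LDIF with `userPassword::` lines is still sensitive data; treat such files like the database itself.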

 

7.    LDAP client

       An LDAP client is used to connect to the LDAP server

       With it you can add, edit and delete directory entries

 

 

Important Terminologies

 

1.    Distinguished Name (DN) & Relative Distinguished Name (RDN)

A DN is like the absolute path from the root of a file system to a file

An RDN is like the file name

One difference: a DN is written leaf-first. The entry's own RDN comes first and the root of the tree (the suffix) comes last, the reverse of a file-system path.

Eg.

Entry -> dn: cn=admin,dc=persi,dc=com

In the above entry

DN is "cn=admin,dc=persi,dc=com"

RDN is "cn=admin"
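As an added example (not part of the article), the following Python code splits a DN into its RDNs the way an LDAP server does and escapes values before they are placed in a DN. The DNs are the article's; the function names are this example's own.

```python
# Added example (not from the article): DN handling as an LDAP server does
# it.  A DN is read leaf-first; each RDN is "attr=value" and special
# characters inside a value must be backslash-escaped (RFC 4514).  The
# escaping is a security matter: an unescaped user-supplied value such as
# "neelesh,ou=admins" would place the entry elsewhere in the tree.
from typing import List, Tuple

# Characters that need a backslash inside an RDN value (RFC 4514, section 2.4).
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                       # leading '#' would mean a hex-encoded value
            out.append('\\#')
        elif ch == ' ' and i in (0, len(value) - 1):     # leading/trailing space
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, leaf first, ignoring escaped commas."""
    if not dn:
        return []
    rdns: List[str] = []
    cur: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == ',':                  # an unescaped comma ends the current RDN
            rdns.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append(''.join(cur).strip())
    return rdns


def rdn_and_parent(dn: str) -> Tuple[str, str]:
    """Like (basename, dirname) for a file path, but leaf-first."""
    parts = split_dn(dn)
    if not parts:
        return '', ''
    return parts[0], ','.join(parts[1:])


def build_dn(attr: str, value: str, parent_dn: str) -> str:
    """Build 'attr=value,parent' from an untrusted value without letting the
    value inject extra RDNs."""
    return f'{attr}={escape_dn_value(value)},{parent_dn}'


if __name__ == '__main__':
    print(split_dn('cn=admin,dc=persi,dc=com'))
    print(rdn_and_parent('cn=admin,dc=persi,dc=com'))
    print(build_dn('uid', 'neelesh,ou=admins', 'ou=people,dc=persi,dc=com'))
```

Whenever a DN is assembled from form input or an API parameter, pass the value through an escaper like `escape_dn_value` (or let the LDAP library do it); the same applies, with a different character set, to values placed inside search filters.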

 

2.    Attributes

o    Attributes store the values

o    An attribute can have one or more values

o    Attributes are defined in the schema files

o    In LDIF files an attribute is declared like this:

 

objectClass: organizationalUnit

 

            In the above example objectClass is the attribute and organizationalUnit is its value.

 

3.    objectClass Attribute

o    Compulsory attribute with at least one value

o    It acts as a template for the data to be stored

o    Defines the set of attributes that must or may be present

 

Eg. the "organizationalUnit" objectClass

 

It is an object class defined in core.schema.

 

In core.schema (shown here in the olcObjectClasses form that core.ldif uses for cn=config; the slapd.conf-style schema file writes "objectclass ( ... )" with the same body) ->

 

olcObjectClasses: ( 2.5.6.5 NAME 'organizationalUnit'

      DESC 'RFC2256: an organizational unit'

      SUP top STRUCTURAL

      MUST ou

      MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $

      x121Address $ registeredAddress $ destinationIndicator $

      . . . . . . . . . . .

 

      In the above example, if we use the organizationalUnit object class we MUST supply the ou attribute and MAY supply userPassword, searchGuide etc. slapd enforces this: an entry missing a MUST attribute, or carrying an attribute that none of its object classes allows, is rejected with an "object class violation".

 

 

 

Installing & Configuring LDAP:

 

Server side configuration:

 

Please note that we have used Ubuntu as the server OS.

 

Step 1 – Install OpenLDAP on server

 

$ sudo apt-get install slapd ldap-utils gq db4.8-util db4.8-doc

(gq is a graphical LDAP browser and db4.8-util provides the Berkeley DB tools; neither is needed by slapd itself. The Ubuntu package configures slapd with cn=config under /etc/ldap/slapd.d; the next step bypasses that with a hand-written slapd.conf.)

 

Step 2 – Copy the slapd.conf which I have provided and paste it into /usr/share/slapd or /etc/ldap or wherever you want.

Then change the domain name as per your requirement.

suffix          "dc=persi,dc=com"   -> Put your domain name here.

rootdn          "cn=admin,dc=persi,dc=com"  -> Put your domain name here.

rootpw          secret   -> Change the password.

Two checks before going further: rootpw grants unrestricted access to the whole directory, so do not leave it in cleartext; run "slappasswd -h {SSHA}" and paste the resulting {SSHA}... value as rootpw. And make sure slapd.conf itself is readable only by root and the openldap group (e.g. chmod 0640 and chown root:openldap), since anyone who can read the file can read rootpw.

 

Step 3 – Ubuntu confines slapd with an AppArmor profile (/etc/apparmor.d/usr.sbin.slapd). If the configuration or database is placed somewhere the profile does not allow, slapd is denied access to it (look for DENIED lines in syslog or dmesg). The quick way out is to stop AppArmor:

 

$ sudo /etc/init.d/apparmor teardown

 

This removes confinement from every profiled service on the host, not just slapd. The better fix is to add the new config and database paths to the slapd profile and reload it with "sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd".

 

 

Step 4 – Check that the /var/run/slapd and /var/lib/ldap directories exist and that both are owned by openldap:openldap.

 

 

Step 5 – Start OpenLDAP using below command

 

$ sudo slapd -u openldap -g openldap -f /usr/share/slapd/slapd.conf

(-u and -g make slapd drop to the unprivileged openldap user and group once it has bound its ports; never leave it running as root.)

 

 

Step 6 – Create "first.ldif" and put the content below in it:

 

Note: please do not copy and paste; type it in.

 

dn: dc=persi,dc=com

objectclass: dcObject

objectclass: organization

o: Persi's company

dc: persi

 

 

dn: cn=admin,dc=persi,dc=com

objectclass: simpleSecurityObject

objectclass: organizationalRole

cn: admin

userPassword: bigsecretword

description: LDAP Administrator

Note: this stores the administrator's password in the directory (and in this file on disk) in cleartext. Use "slappasswd -h {SSHA}" and paste the hash as the userPassword value instead. Also be aware that for a simple bind as cn=admin slapd checks rootpw from slapd.conf first and, if that does not match, the userPassword of this entry, so both secrets open the directory: hash both and keep them in step.

 

 

Step 7 – Import first.ldif

 

$ ldapadd -x -D "cn=admin,dc=persi,dc=com" -W -f <path_to_first.ldif>

 

-W prompts for the password. The cn=admin entry does not exist yet at this point, so the rootpw from slapd.conf ("secret" above) is what is checked. -x is a simple bind, which sends the password in cleartext; run this on the server itself (ldapadd connects to localhost by default) or over TLS, never across the network in the clear.

 

 

 

 

 

Now you can try connecting to the OpenLDAP server with an LDAP client such as JXplorer, from another machine on the network or from the same machine.

 

 

 

 

Step 8 – Create people.ldif and put the content below in it. Please do not copy and paste.

 

dn: ou=people,dc=persi,dc=com   -> Change the domain as per your requirement

ou: people

description: All users

objectClass: organizationalUnit

 

 

Import it using below command:

 

$ ldapadd -x -D "cn=admin,dc=persi,dc=com" -W -f <path_to_people.ldif>

 

Step 9 – Create user.ldif with the content below and import it using the same ldapadd command as above; for each further user change the uid (in the dn as well), cn, uidNumber, gidNumber, homeDirectory and gecos.

 

dn: uid=neelesh,ou=people,dc=persi,dc=com

uid: neelesh

cn: Neelesh

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword: {crypt}$6$VcBA8aTh$CG9wOo.Ypy2LVd39wj7SnoA5aVa/OP7MdWi1L7UjAgrKcAj6B50uYXoSSlErFRyjXDa6bKQEMjnvj8GDpcJXl.

shadowLastChange: 15029

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 5000

gidNumber: 5000

homeDirectory: /home/neelesh

gecos: neelesh,,,

The uid value must match the RDN value in the dn (the comparison is case-insensitive, so "Neelesh" would also be accepted, but keep them identical). account comes from cosine.schema and posixAccount/shadowAccount from nis.schema, so both must be included in slapd.conf. The userPassword is a {crypt} SHA-512 hash (the $6$ prefix); slapd can verify {CRYPT} values only when built with crypt support, so {SSHA} from slappasswd is the portable choice. Choose uidNumber/gidNumber values that cannot collide with local accounts on the clients.
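Rather than hand-typing one LDIF per user, here is an added example (not the article's code) that builds these entries and hashes the password in the {SSHA} format that slappasswd produces. The same ssha_hash() gives a value usable for rootpw in Step 2 and for the admin userPassword in Step 6. The base DN and user details are the article's; the helper names and the fixed salt used for illustration are this example's own.

```python
# Added example (not from the article): generate posixAccount/shadowAccount
# entries as LDIF with a hashed userPassword.  ssha_hash() emits the same
# {SSHA} format as "slappasswd -h {SSHA}": base64(SHA-1(password + salt)
# followed by the salt).  Standard library only.
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} userPassword value (RFC 2307 style, as slappasswd emits)."""
    if salt is None:
        salt = os.urandom(4)                       # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value the way slapd does."""
    if not stored.startswith('{SSHA}'):
        return False
    raw = base64.b64decode(stored[len('{SSHA}'):])
    digest, salt = raw[:20], raw[20:]              # SHA-1 digest is 20 bytes, the rest is salt
    calc = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return hmac.compare_digest(calc, digest)


def posix_user(uid: str, full_name: str, uid_number: int, gid_number: int,
               password: str, base: str = 'ou=people,dc=persi,dc=com'
               ) -> Tuple[str, Dict[str, List[str]]]:
    """Build the (dn, attributes) for a user entry like the article's user.ldif."""
    attrs = {
        'objectClass': ['top', 'account', 'posixAccount', 'shadowAccount'],
        'uid': [uid],                              # must match the RDN value in the dn
        'cn': [full_name],
        'userPassword': [ssha_hash(password)],
        'loginShell': ['/bin/bash'],
        'uidNumber': [str(uid_number)],
        'gidNumber': [str(gid_number)],
        'homeDirectory': [f'/home/{uid}'],
        'gecos': [f'{full_name},,,'],
        'shadowLastChange': [str(int(time.time() // 86400))],   # days since the epoch
        'shadowMax': ['99999'],
        'shadowWarning': ['7'],
    }
    return f'uid={uid},{base}', attrs


def to_ldif(dn: str, attrs: Dict[str, List[str]]) -> str:
    """Serialise one entry; values that are not RFC 2849 SAFE-STRINGs go out base64 ("::")."""
    lines = [f'dn: {dn}']
    for name, values in attrs.items():
        for v in values:
            if v == '' or v[0] in ' :<' or not v.isascii() or '\n' in v or '\r' in v:
                lines.append(f'{name}:: ' + base64.b64encode(v.encode('utf-8')).decode('ascii'))
            else:
                lines.append(f'{name}: {v}')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Constructed user; feed the output to: ldapadd -x -D "cn=admin,dc=persi,dc=com" -W -f users.ldif
    user_dn, user_attrs = posix_user('neelesh', 'Neelesh', 5000, 5000, 'neel123')
    print(to_ldif(user_dn, user_attrs))
    print('rootpw value for slapd.conf:', ssha_hash('secret'))
```

Note that {SSHA} is salted SHA-1 without key stretching: it stops rainbow tables but not a fast offline attack on a leaked database, so the protection of /var/lib/ldap and of exported LDIF files matters as much as the hash format.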

 

 

Client side configuration

Note: for the client side we have used CentOS Linux. The steps below use the authconfig GUI and the nss_ldap/pam_ldap file /etc/ldap.conf; newer releases use sssd (or nslcd) with different files.

 

Easy Steps:

Step 1 – Log in to the GUI and click System -> Administration -> Authentication

Step 2 – Under the "User Information" tab

       Enable LDAP support and click "Configure LDAP"

       Leave the TLS checkbox disabled for this lab (the server has no certificate yet). In production enable it: without TLS every lookup and every login password crosses the network in cleartext.

       In "LDAP Search Base DN" enter -> dc=persi,dc=com

       In the "LDAP Server" text box enter -> ldap://<IP of server>:389

Step 3 – Under the "Authentication" tab

       Enable LDAP support and click "Configure LDAP"

       Use the same settings as on the "User Information" tab (TLS disabled for the lab only, Base DN dc=persi,dc=com, server ldap://<IP of server>:389)

 

 

 

Manual Steps:

 

Step 1. –  Add the following lines to /etc/ldap.conf

 

binddn cn=admin,dc=persi,dc=com

bindpw secret

 

uri ldap://10.77.25.160:389

ssl no

tls_cacertdir /etc/openldap/cacerts

pam_password exop

 

Two things to change before this leaves the lab. /etc/ldap.conf is world-readable, so bindpw puts the directory administrator's password in the hands of every local user on every client; use a read-only account for lookups (or anonymous binds), and for root's password changes use rootbinddn with the password kept in /etc/ldap.secret (mode 0600). And "ssl no" with a plain ldap:// URI means bind passwords cross the network in cleartext; once the server has a certificate, set "ssl start_tls" with tls_cacertdir pointing at the CA. pam_password must appear only once: exop (the LDAP password-modify extended operation) is the right choice for OpenLDAP, so the md5 variant is left out here.

 

If you run into problems, uncomment the lines below and set the proper DNs.

 

nss_base_passwd ou=people,dc=persi,dc=com?one    -> User mapping

nss_base_shadow ou=people,dc=persi,dc=com?one

nss_base_group  ou=groups,dc=persi,dc=com?one     -> Group mapping, if required

 

Step 2. –  Edit /etc/nsswitch.conf

 

Just make sure the passwd, shadow and group lines in /etc/nsswitch.conf look like the ones below.

 

 

passwd:     files ldap

shadow:     files ldap

group:      files ldap

 

The above means that for lookups and authentication the local databases (/etc/passwd, /etc/shadow, /etc/group) are consulted first and the LDAP directory only if the user is not found there. Keep files first: if ldap came first, a directory entry could shadow a local account such as root.

 

Step 3. – Edit /etc/pam.d/system-auth

 

Add the lines below under the respective sections.

 

auth        sufficient    pam_ldap.so use_first_pass

 

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

 

password    sufficient    pam_ldap.so use_authtok

 

session     optional      pam_ldap.so

 

 

Now try to log in on the client system as an LDAP user, in our example Neelesh with the password neel123.
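To close the client section, here is an added example (not from the article) that audits the three client files edited above, with the article's /etc/ldap.conf beside a hardened variant. The file contents are constructed copies of the article's settings; the finding texts, the hardened file and the helper names are this example's own.

```python
# Added example (not from the article): audit the client files from this
# section.  The "article" file reproduces the settings above; the "fixed"
# file shows the hardened shape.  Standard library only.
import re
from typing import Dict, List

LDAP_CONF_ARTICLE = """\
binddn cn=admin,dc=persi,dc=com
bindpw secret
uri ldap://10.77.25.160:389
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
pam_password exop
"""

# Hardened variant: anonymous lookups, root's bind password kept in
# /etc/ldap.secret (0600) via rootbinddn, StartTLS with peer checking.
# A dedicated account with an ACL limited to userPassword would be better
# still than reusing the rootdn here.
LDAP_CONF_FIXED = """\
rootbinddn cn=admin,dc=persi,dc=com
uri ldap://10.77.25.160:389
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
pam_password exop
"""

NSSWITCH = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
"""

SYSTEM_AUTH = """\
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so
"""


def parse_kv(text: str) -> Dict[str, List[str]]:
    """'key value' lines -> {key: [values]}; duplicates are kept so they can be flagged."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition(' ')
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_ldap_conf(text: str, rootdn: str) -> List[str]:
    conf = parse_kv(text)
    findings: List[str] = []
    plain_uri = any(u.startswith('ldap://') for u in conf.get('uri', []))
    if plain_uri and conf.get('ssl', ['no'])[-1].lower() != 'start_tls':
        findings.append('ldap:// without "ssl start_tls": bind passwords cross the network in cleartext')
    if 'bindpw' in conf:
        findings.append('bindpw in world-readable /etc/ldap.conf: use rootbinddn with /etc/ldap.secret (0600) instead')
    if conf.get('binddn', [''])[-1].lower() == rootdn.lower():
        findings.append('binddn is the directory rootdn: clients should bind with a read-only account')
    if len(conf.get('pam_password', [])) > 1:
        findings.append('pam_password given more than once: keep a single method (exop for OpenLDAP)')
    return findings


def audit_nsswitch(text: str) -> List[str]:
    findings: List[str] = []
    for db in ('passwd', 'shadow', 'group'):
        m = re.search(rf'^{db}:\s*(.+)$', text, re.MULTILINE)
        sources = m.group(1).split() if m else []
        if 'ldap' not in sources:
            findings.append(f'{db}: ldap is not a configured source')
        elif 'files' not in sources or sources.index('files') > sources.index('ldap'):
            findings.append(f'{db}: put files before ldap so directory entries cannot shadow local accounts')
    return findings


def audit_pam(text: str) -> List[str]:
    findings: List[str] = []
    stacks: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ('auth', 'account', 'password', 'session'):
            stacks.setdefault(parts[0], []).append(line)
    for stack in ('auth', 'account', 'password'):
        if not any('pam_ldap.so' in l for l in stacks.get(stack, [])):
            findings.append(f'{stack}: no pam_ldap.so line, directory-side rules are not applied')
    for l in stacks.get('auth', []):
        if 'pam_ldap.so' in l and 'use_first_pass' not in l and 'try_first_pass' not in l:
            findings.append('auth: pam_ldap.so without use_first_pass/try_first_pass prompts for the password twice')
    return findings


if __name__ == '__main__':
    for finding in audit_ldap_conf(LDAP_CONF_ARTICLE, 'cn=admin,dc=persi,dc=com'):
        print('ldap.conf:', finding)
    print('fixed ldap.conf:', audit_ldap_conf(LDAP_CONF_FIXED, 'cn=admin,dc=persi,dc=com'))
    print('nsswitch.conf:', audit_nsswitch(NSSWITCH))
    print('system-auth:', audit_pam(SYSTEM_AUTH))
```

Run against the article's settings the audit reports four findings; the hardened file, the nsswitch.conf ordering and the PAM stack above pass clean.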

Written by Neelesh Gurjar
