Main Ldap Training Day2


LDAP

OpenLDAP
By: Ashish Khurana
Extn. 2173
Short id - akhurana2@csc.com
LDAP Schedule
1. Introduction to LDAP - Day 1
2. LDAP concepts - Day 1
3. OpenLDAP - Day 2
4. LDAP Replication - Day 2
5. LDAP Authentication - Day 3
6. LDAP with sendmail - Day 3
Query - Day 3
Ldap
Schemas
A schema is a set of rules that determines what data can be stored in a database or directory service. It:
Helps maintain consistency and quality of data
Reduces duplication of data
The objectclass attribute of an entry determines the schema rules the entry must follow.
A schema contains the following:
Required attributes
Allowed attributes
How to compare attributes
Limits on what the attributes can store (i.e., restricting a value to an integer, etc.)
Restrictions on what information is stored (i.e., preventing duplication, etc.)
Ldap
Schemas
Schemas can also be used to impose constraints on the size, range, and format of data values stored in the directory, for example an Internet email address such as abc@xyz.com.

Directory entries contain a collection of attribute types and values. Attribute types (or simply attributes) hold specific data elements such as a name, business phone number, or printer's rated speed in pages per minute.
Ldap
Schemas - attribute types include the following:
A name that uniquely identifies the attribute type
An object identifier (OID) that also uniquely identifies the attribute
A textual description
An associated attribute syntax
A set of matching rules that govern comparisons and searches
A usage indicator (whether for applications or for operation of the directory service itself)
An indication of whether the attribute is multivalued or single-valued
An indication of whether the attribute can be modified by regular applications
Restrictions on the range or size of the values that may be stored in the attribute
Ldap
Schemas
Attribute names are usually fairly short and somewhat
cryptic. Attribute names have the following properties:
They are not case sensitive; for example, cn and CN both
refer to the same attribute.
Characters used within them are limited to ASCII letters,
digits, and the hyphen character; and they must begin
with a letter.
They must be unique across the entire directory service
because LDAP applications generally refer to attributes
using their names.
way, faxPhone2, and pagesPerMinute. Some examples of
invalid attribute names are last#, 2for2, my.boss, and
favorite_drink.
Ldap
Schemas
An attribute's OID is a unique numerical identifier, usually written as a sequence of integers separated by dots. For example, the OID for the postalAddress attribute is 2.5.4.16.
Operational attributes are used by the directory service itself for administrative or system-related purposes and are usually maintained by the directory servers themselves.

Examples of operational attributes:
modifyTimestamp - Date/time an entry was last modified.
modifiersName - Distinguished name (DN) of the entry that made the last modification.
Ldap
Objectclass
Object classes are used to group related information. Typically, an object class models a real-world object such as a person, printer, or network device.
Each directory entry belongs to one or more object classes. The
names of the object classes to which an entry belongs are always
listed as values for a special multivalued attribute called
objectclass.
The set of object classes associated with an entry serves the
following needs:
It determines which attribute types must be included in the entry.
It determines which attribute types may be included in the entry.
It provides a convenient way for directory clients to retrieve a
subset of entries during search operations.
Ldap
Objectclass
The definition of an LDAP object class includes all the
following pieces of information:
A name that uniquely identifies the class.
A textual description.
An OID that also uniquely identifies the class.
A set of mandatory attribute types.
A set of allowed attribute types.
A kind (structural, auxiliary, or abstract):
Structural - restricts where an entry may be stored in the DIT.
Auxiliary - adds a set of related attributes to an entry that already belongs to a structural class, e.g. mailRecipient.
Abstract - used only for classes needed to support the basic LDAP information model, e.g. top and alias.
Ldap
Object Class Inheritance
One object class can be derived from another, in which case it inherits some characteristics of the other class. This is sometimes called subclassing, or object class inheritance. The figure on this slide (not reproduced here) shows an example.
Ldap
ObjectClass
Therefore, inetOrgPerson entries require all the attributes required of organizationalPerson entries (and therefore of person entries as well). Similarly, inetOrgPerson entries are allowed to include any of the optional attributes from the superior classes.

In general, the class from which another class inherits some
of its characteristics is called the superior class, or
superclass (that is, organizationalPerson is the
superior class of inetOrgPerson). When one class is
derived from another, it inherits the set of required attribute
types, the set of optional attribute types, and the kind of
object class from its superior.


Ldap
Object class inheritance
All structural object classes are ultimately derived
from one special abstract object class called top.
The definition of the top class consists of a single
mandatory attribute called objectclass, which
ensures that all LDAP entries contain at least one
value for objectclass.
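To tie the schema rules above (attribute names, required and allowed attributes) to object class inheritance, here is an added example in Python that is not part of the slides: it walks the superior chain from inetOrgPerson up to top and checks an entry against the collected required and allowed sets. The object class table is a constructed, trimmed stand-in for OpenLDAP's real schema files, not a copy of them.

```python
import re

# Constructed, heavily trimmed schema (not OpenLDAP's core.schema or
# inetorgperson.schema). Each class records its superior, its kind and its
# MUST/MAY attribute names, all lower-case because LDAP names are case-insensitive.
OBJECT_CLASSES = {
    "top": {"sup": None, "kind": "abstract", "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "kind": "structural", "must": {"cn", "sn"},
               "may": {"userpassword", "telephonenumber", "description"}},
    "organizationalperson": {"sup": "person", "kind": "structural",
                             "must": set(), "may": {"title", "ou", "postaladdress"}},
    "inetorgperson": {"sup": "organizationalperson", "kind": "structural",
                      "must": set(), "may": {"mail", "uid", "displayname"}},
}

# Attribute names: ASCII letters, digits and hyphen, and they must begin with a letter.
ATTR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

def valid_attribute_name(name):
    return ATTR_NAME_RE.match(name) is not None

def effective_schema(oc):
    """Walk the superior chain up to top, collecting inherited MUST and MAY sets."""
    must, may = set(), set()
    while oc is not None:
        cls = OBJECT_CLASSES[oc.lower()]
        must |= cls["must"]
        may |= cls["may"]
        oc = cls["sup"]
    return must, may

def check_entry(entry):
    """Return a list of schema problems; an empty list means the entry is valid."""
    attrs = {name.lower(): values for name, values in entry.items()}
    classes = attrs.get("objectclass", [])
    if not classes:
        return ["missing objectclass (required by top)"]
    must, may = set(), set()
    for oc in classes:
        if oc.lower() not in OBJECT_CLASSES:
            return ["unknown object class: " + oc]
        m, a = effective_schema(oc)
        must |= m
        may |= a
    problems = ["missing required attribute: " + a for a in sorted(must - attrs.keys())]
    problems += ["attribute not allowed by object classes: " + a
                 for a in sorted(attrs.keys() - must - may)]
    return problems
```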
Ldap
Attribute
Attributes are used to hold values. Like variables in programs, they store information.
OpenLDAP
Obtaining openldap
Many Linux vendors include precompiled versions
of OpenLDAP with their distributions.
The latest version of OpenLDAP can be obtained
from
http://www.OpenLDAP.org/software/download/.
The OpenLDAP 2 branch is an LDAPv3-
compliant implementation.
Day-1
OpenLdap
Software required before installing OpenLDAP
Our OpenLDAP server requires several external software packages:
Support for POSIX threads, either by the operating system or an
external library.
SSL/TLS libraries (such as the OpenSSL package, which is
available from http://www.openssl.org/).
A database manager library that supports DBM type storage
facilities. The current library of choice is the Berkeley DB 4.1
package from Sleepycat Software (http://www.sleepycat.com/).
Release 2.1 of the SASL libraries from Carnegie Mellon
University (http://asg.web.cmu.edu/sasl/sasl-library.html).
Openldap
Installed components included with OpenLDAP
libexec/slapd
The LDAP server.
libexec/slurpd
The LDAP replication helper.
bin/ldapadd, bin/ldapmodify, bin/ldapdelete,
bin/ldapmodrdn
Command-line tools for adding, modifying, and deleting entries on an LDAP server. These commands support both LDAPv2 and LDAPv3.
bin/ldapsearch, bin/ldapcompare
Command-line utilities for searching an LDAP directory or testing a compare operation on a specific attribute held by an entry.

Openldap
Installed components included with OpenLDAP (cont.)
bin/ldappasswd
A tool for changing the password attribute in LDAP entries. This tool is the LDAP equivalent of /bin/passwd.
sbin/slapadd, sbin/slapcat, sbin/slapindex
Tools for manipulating the local backend data store used by the
slapd daemon.
sbin/slappasswd
A simple utility to generate password hashes suitable for use in
slapd.conf.
lib/libldap*, lib/liblber*, include/ldap*.h, include/lber*.h
The OpenLDAP client SDK.
OpenLdap
Installation
rpm -ivh packagename.rpm
[root@thor root]# rpm -qa | grep openldap
openldap-devel-2.0.23-4
openldap-2.0.23-4
openldap-servers-2.0.23-4
openldap-clients-2.0.23-4
[root@thor root]#

OpenLdap
Configuration - slapd.conf
The slapd.conf file is the central source of configuration
information for the OpenLDAP standalone server (slapd), the
replication helper daemon (slurpd), and related tools, such as
slapcat and slapadd.
In the tradition of Unix configuration files, slapd.conf is an
ASCII file with the following rules:
Blank lines and lines beginning with a pound sign (#) are ignored.
Parameters and associated values are separated by whitespace characters
(space or tab).
A line with a blank space in the first column is considered to be a
continuation of the previous one. There is no need for a line continuation
character such as a backslash (\).
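An added example, not OpenLDAP's own configuration parser: a small Python reader that applies the three slapd.conf rules above (comment and blank lines ignored, parameter and value separated by whitespace, a leading-whitespace line continues the previous directive) to a constructed fragment.

```python
# Constructed slapd.conf fragment for illustration (not a real server's file).
SAMPLE_SLAPD_CONF = """\
# comment lines and blank lines are ignored
include         /etc/openldap/schema/core.schema

database        bdb
suffix          "dc=plainjoe,dc=org"
rootdn          "cn=Manager,dc=plainjoe,dc=org"
access to attr=userpassword
        by self write
        by anonymous auth
access to *
        by self write
        by users read
"""

def parse_slapd_conf(text):
    """Return a list of (parameter, value) pairs in file order.

    Rules applied: blank lines and lines beginning with '#' are skipped;
    a line whose first column is whitespace continues the previous directive
    (no backslash needed); parameter and value are split on whitespace.
    """
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":                       # continuation line
            if not directives:
                raise ValueError("continuation line with nothing to continue")
            param, value = directives[-1]
            directives[-1] = (param, value + " " + raw.strip())
            continue
        parts = raw.split(None, 1)                # parameter, rest of line
        directives.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return directives
```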
Introduction to LDAP
Migration tools
Perl scripts designed to convert the various /etc system files
(e.g., /etc/passwd and /etc/hosts) into LDIF format.
Once you've converted the system files to LDIF, you can
import them into your LDAP store either online using the
ldapadd(1) command or by using an offline database
creation utility such as the OpenLDAP slapadd(8c) tool.
These LDAP migration scripts can be found at
http://www.padl.com/OSS/MigrationTools.html.
After unpacking the migration scripts, you must customize
the migrate_common.ph script to fit your network settings.
Within this Perl script is a variable named
$DEFAULT_BASE, which is used to define the base suffix
under which the organizational units that will serve as
containers for migrated information will be created.
Introduction to LDAP
Migration Tools
The scripts accept input and output filenames as command-line parameters. If no output filename is present, the scripts write the converted entries to standard output. For example, the following command converts /etc/passwd into an LDIF file:
root# migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
The various migration scripts support translating the following files:
Introduction to LDAP
Migration Tools
/etc/fstab (stored in ou=Mounts)
/etc/hosts (stored in ou=Hosts)
/etc/passwd and /etc/shadow (stored in
ou=People)
/etc/group (stored in ou=Group)
/etc/protocols (stored in ou=Protocols)
/etc/rpc (stored in ou=Rpc)
/etc/services (stored in ou=Services)
/etc/networks (stored in ou=Networks)
netgroups (stored in ou=Netgroups)
Introduction to LDAP
Migration Tools
Since we are primarily dealing with users and
groups in this chapter, the following entries
have already been added to the directory:
dn: ou=people,dc=plainjoe,dc=org
objectclass: organizationalUnit
ou: people
dn: ou=group,dc=plainjoe,dc=org
objectclass: organizationalUnit
ou: group
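As an added example (not PADL's migrate_passwd.pl), this Python function performs the same kind of conversion for /etc/passwd lines, placing posixAccount entries under ou=People beneath the base that $DEFAULT_BASE would hold; the sample passwd lines are constructed.

```python
DEFAULT_BASE = "dc=plainjoe,dc=org"   # stands in for $DEFAULT_BASE in migrate_common.ph

# Constructed sample lines. The password field is "x" when the hash lives in
# /etc/shadow, and "*" for a locked service account.
SAMPLE_PASSWD = """\
alice:x:1001:1001:Alice Example,Room 12:/home/alice:/bin/bash
svc-backup:*:2001:2001::/var/lib/backup:/sbin/nologin
"""

def passwd_line_to_ldif(line, base=DEFAULT_BASE):
    """Return one LDIF entry (as a string) for a single /etc/passwd line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: " + line)
    name, pw, uid, gid, gecos, home, shell = fields
    full_name = gecos.split(",")[0].strip() or name   # GECOS: name before first comma
    attrs = [
        ("dn", f"uid={name},ou=People,{base}"),
        ("uid", name),
        ("cn", full_name),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "top"),
        ("loginShell", shell),
        ("uidNumber", uid),
        ("gidNumber", gid),
        ("homeDirectory", home),
    ]
    if gecos:
        attrs.append(("gecos", gecos))
    # Only a hash stored in passwd itself becomes userPassword; placeholders are skipped.
    if pw not in ("", "x", "*", "!", "!!"):
        attrs.append(("userPassword", "{crypt}" + pw))
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"

def migrate_passwd(text):
    """Convert a whole passwd file; entries are separated by a blank line as LDIF requires."""
    entries = [passwd_line_to_ldif(l) for l in text.splitlines() if l.strip()]
    return "\n".join(entries)
```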
Introduction to LDAP
Migration Tools
The Name Service Switch (NSS) is similar to PAM
except that it only provides a mechanism for
information retrieval. PADL Software's nss_ldap
module can be obtained from
http://www.padl.com/OSS/nss_ldap.html. The current
implementation can be used on AIX, HP-UX, Linux,
and Solaris.
The nss_ldap module uses the same /etc/ldap.conf
configuration file as PADL's pam_ldap module. The
configuration parameters for this module are
summarized in Table 6-3. While both pam_ldap and
nss_ldap read /etc/ldap.conf for configuration settings,
the parameters prefixed by pam_ do not affect the
behavior of nss_ldap.
Introduction to LDAP
Migration Tools
To configure a service to use the nss_ldap module, add
the keyword ldap to the appropriate lines in your
/etc/nsswitch.conf file. PADL's NSS module currently
supports the following databases:
passwd
group
hosts
services
networks
protocols
rpc
ethers
netgroups
Introduction to LDAP
Migration Tools
Here's an excerpt from an nsswitch.conf file. It
specifies that the system should consult the
local password, shadow password, and group
files before querying the directory server.
## Define the order of lookups for users and groups.
passwd: files ldap
shadow: files ldap
group: files ldap
ldap & sendmail
Access
LDAP SMTP Access Control
One example of the use of "arbitrary" LDAP connectivity to enhance the functionality of sendmail is to replace the access file traditionally used to reject, deny, or allow various domain names from using an SMTP server.
By replacing ...

Ldap and Sendmail
Access
Kaccess hash /etc/mail/access
in /etc/sendmail.cf with ...
Kaccess ldap -1 -v morrisonmailaccesslevel -k (&(objectClass=morrisonmailaccess)(morrisonmailaccesscriteria=%0))
sendmail can be configured to look into the DIT for domains and hosts that are to be granted the various levels of access.
NOTE: The above configuration file entry resides entirely on one line in the actual /etc/sendmail.cf file.
Ldap and Sendmail
Access Relay
Example LDAP objects used to replace the traditional sendmail access file.
cn=Allow SMTP Relay,ou=Access Control,ou=Electronic Mail,o=Morrison Industries,c=US
objectClass=morrisonmailaccess
morrisonmailaccesslevel=RELAY
cn=Allow SMTP Relay
morrisonmailaccesscriteria=mie
morrisonmailaccesscriteria=barracuda
morrisonmailaccesscriteria=littleboy
morrisonmailaccesscriteria=firewall
morrisonmailaccesscriteria=mail.morrison.iserv.net
morrisonmailaccesscriteria=localhost
morrisonmailaccesscriteria=localhost.localdomain
morrisonmailaccesscriteria=127.0.0.1
Ldap and Sendmail
Access - Reject
cn=Reject SMTP,ou=Access Control,ou=Electronic Mail,o=Morrison Industries,c=US
objectClass=morrisonmailaccess
morrisonmailaccesslevel=REJECT
cn=Reject SMTP
morrisonmailaccesscriteria=smartbrief.rsvp0.net
Ldap and Sendmail
Access Discard
cn=Discard SMTP,ou=Access Control,ou=Electronic Mail,o=Morrison Industries,c=US
objectClass=morrisonmailaccess
morrisonmailaccesslevel=DISCARD
cn=Discard SMTP
morrisonmailaccesscriteria=pink4free.com
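An added example (not sendmail code) that mirrors what the Kaccess ldap map above does, using the three objects from these slides as an in-memory directory: build_filter shows the filter that would be sent for a lookup key, with RFC 4515 escaping applied to the key before it replaces %0, and access_level returns the morrisonmailaccesslevel of the matching object. The escaping function and the in-memory matching are this example's own, not a description of sendmail's internals.

```python
# The three objects from the slides, reduced to the attributes the map uses.
ACCESS_ENTRIES = [
    {"cn": "Allow SMTP Relay", "morrisonmailaccesslevel": "RELAY",
     "morrisonmailaccesscriteria": {"mie", "barracuda", "littleboy", "firewall",
                                    "mail.morrison.iserv.net", "localhost",
                                    "localhost.localdomain", "127.0.0.1"}},
    {"cn": "Reject SMTP", "morrisonmailaccesslevel": "REJECT",
     "morrisonmailaccesscriteria": {"smartbrief.rsvp0.net"}},
    {"cn": "Discard SMTP", "morrisonmailaccesslevel": "DISCARD",
     "morrisonmailaccesscriteria": {"pink4free.com"}},
]

# The -k filter from the Kaccess line; %0 is where the lookup key is substituted.
FILTER_TEMPLATE = "(&(objectClass=morrisonmailaccess)(morrisonmailaccesscriteria=%0))"

def escape_filter_value(value):
    """RFC 4515 escaping: a key from an SMTP session must not change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_filter(key):
    """The filter the map would send for this key, with the key escaped first."""
    return FILTER_TEMPLATE.replace("%0", escape_filter_value(key))

def access_level(key, entries=ACCESS_ENTRIES):
    """Equivalent of the map lookup: the -v attribute of the matching object, or None."""
    wanted = key.lower()        # assumption: criteria are compared case-insensitively
    for entry in entries:
        if wanted in {c.lower() for c in entry["morrisonmailaccesscriteria"]}:
            return entry["morrisonmailaccesslevel"]
    return None                 # no object matched: the map returns nothing for this key
```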
OpenLdap
ACL
The Directory ACLs provided by OpenLDAP are simple in their syntax, yet very
flexible and powerful in their implementation. The basic idea is to define Who
has Access to What? The most frequent forms of "Who" include:
*
Matches any connected user, including anonymous connections

self
The DN of the currently connected user, assuming he has been successfully
authenticated by a previous bind request

anonymous
Nonauthenticated user connections

users
Authenticated user connections

Regular expression
Matches a DN or an SASL identity
Day-1
OpenLdap
ACL - Syntax
Access Control List syntax:
access to <dn="dn matching pattern">
<attrs=attribute, attribute, . . . >
by <pattern> < compare | search | read | write >
OpenLDAP supports four access levels. Granting a greater access level implies granting all lower levels. For example, granting read access implies search and compare.
write
Access to update attribute values (e.g., Change this
telephoneNumber to 555-2345).
read
Access to read search results (e.g., Show me all the entries with a
telephoneNumber of 555*).
OpenLdap
ACL
search
Access to apply search filters (e.g., Are there any entries with a
telephoneNumber of 555*).

compare
Access to compare attributes (e.g., Is your telephoneNumber 555-
1234?).

auth
Access to bind (authenticate). This requires that the client send a
username in the form of a DN and some type of credentials to prove
his or her identity.

none
No access.

OpenLdap
ACL Matching Patterns
There are several special clauses that can be used in specifying the by <pattern> of an access control rule.

self - Matches the DN of the object itself; useful for granting users the ability to modify the attributes of their own objects.

users - Grants privileges to any authenticated connection.

anonymous - Grants privileges to anonymous connections.

auth - Grants privileges to the procedures used to authenticate connections to the DSA.

OpenLdap
ACL - Examples
access to attr=userpassword
by self write
by anonymous auth

The above gives users write access to their own userpassword attribute and authentication privileges to anonymous connections.

access to *
by self write
by users read

The above gives users write access to their own object and read access to all objects to those connections that have been authenticated.
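An added example (not OpenLDAP code) that evaluates the two ACLs above with OpenLDAP's evaluation order: the first access directive whose target matches is selected, its first matching by clause decides, and a granted level implies every lower level. Denying when no directive or no by clause matches is an assumption of this example.

```python
# Access levels from lowest to highest; granting one grants all below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two rules from the slides, in the order they appear in slapd.conf.
# attrs=None stands for "access to *" (every entry and attribute).
ACL = [
    {"attrs": {"userpassword"}, "by": [("self", "write"), ("anonymous", "auth")]},
    {"attrs": None,             "by": [("self", "write"), ("users", "read")]},
]

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous connection; DNs compare case-insensitively."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError("unsupported who clause: " + who)

def is_allowed(bind_dn, target_dn, attr, wanted, acl=ACL):
    """True if the connection bound as bind_dn may perform `wanted` on attr of target_dn."""
    for rule in acl:
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue                    # this directive does not cover the attribute
        for who, granted in rule["by"]:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(granted) >= LEVELS.index(wanted)
        return False                    # directive selected, but no by clause matched
    return False                        # assumption: no directive matched, deny
```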
Ldap
ObjectClass
authPasswordObject
subschema
top
alias
applicationEntity
dSA
applicationProcess
bootableDevice
certificationAuthority
certificationAuthority-V2
country
cRLDistributionPoint
dcObject
device
dmd
domain
domainNameForm
extensibleObject
groupOfNames
groupOfUniqueNames
ieee802Device
ipHost
ipNetwork
ipProtocol
ipService
locality
dcLocalityNameForm
nisMap
nisNetgroup
nisObject
Ldap
Objectclass
oncRpc
organization
dcOrganizationNameForm
organizationalRole
organizationalUnit
dcOrganizationalUnitNameForm
person
organizationalPerson
inetOrgPerson
uidOrganizationalPersonNameForm
residentialPerson
posixAccount
posixGroup
shadowAccount
strongAuthenticationUser
END OF THE DAY
Thank you
Queries / Suggestions