HomeForumsArticlesMarketplaceDownloadsHostingFreebiesJobs
Applications|Desktop|Installation|Misc|Multimedia|Network|Programming|Reviews|Security|Servers
Welcome to Linux Forums! With a comprehensive Linux Forum, information on various types of Linux software and many Linux Reviews articles, we have all the knowledge you need a click away, or accessible via our knowledgeable members.
Find the answer to your Linux question:
Site Navigation
Linux Forums
Linux Articles
Product Showcase
Linux Downloads
Linux Hosting
Free Magazines
Job Board
IRC Chat
RSS Feeds
Free Publications


LDAP Basics

User Score User Score
Editor Score Editor Score
Contributed by: Neelesh Gurjar
Category: Servers
Distribution: Ubuntu
Views: 5451
License: Linux Forums Article License
Posted: 05 March, 2011
ToolsTools »
 BookmarkShare
 
Nowdays LDAP is used everywhere for Authentication or crucial information management purpose. In this Article I have tried to explain basics of LDAP and also OpenLDAP basic configuration. Please let me know your queries and comments on it. Thanks.

LDAP & OpenLDAP

 

LDAP - Lightweight Directory Access Protocol.

OpenLDAP - Server which operates on LDAP for eg. Microsoft AD

 

Directory Service -

  1. Stores & organize information in directory i.e. in hierarchical manner and provides access to it

  2. Eg. Domain Name System. DNS is a most successful implementation of Directory service over Internet

 

Directory Structure -

  1. Directory service stores information in Directory Structure. The diagram of Directory structure is called Directory Information Tree.

  2. A Directory is a tree of Entries

  3. An entry is set of attributes

  4. An attribute is has a Name and one or more value

  5. Attributes are Defined in Schema

  6. Each entry has an Unique Identifier i.e. DN

 

Five Major Characteristics of Directory Service -

  1. Higly optimized for reads

  2. Information can be stored in Distributed model

  3. Can extend types of information to be stored

  4. Replication

  5. Advance search capabilities

 

Difference between Databases and Directory Services

 Many people ask that can we use Database instead of Directory Service

 

SN                       Databases                                                 Directory Services

 

1.    Information has more writes and reads            More reads only, very less writes

2.   Transactions, rollbacks,                                    Transactions, rollbacks, write locks      write locks are more important                          are less important

3.   More Overheads                                               Less Overheads

 

What is LDAP ?

  1. Originally created by Tim Howes, Steve Kille and Wingyik Yeong in 1993. Later Tim & Steve improved it and started LDAPv3

  2. Application Protocol for reading & editing directories over an IP network

  3. LDAP is itself a Binary Protocol. Binary Protocol means, a protocol which is expected to read by machine than a human being.

  4. Lightweight Directory Access Protocol

  5. Lightweight in comparison with x.500 Directory Services

 

LDAP vs X.500:

Main difference in LDAP and X.500 is LDAP uses TCP stack and X.500 uses OSI stack. Thats the reason LDAP is lightweight.

 

Uses of LDAP:

  • Machine Authentication

  • User/System Groups

  • User Resource Management

  • Address Book

  • Organization Representation

  • Assets Tracking

  • Telephony Information Store

  • Application Configuration Store

 

Directory Information Tree:

LDAP stores information in Directory Structure. Pictorial view of Directory Structure is called Directory Information Tree. See Below Figure:

 

                                                        dn: dc=example,dc=com

 

                                                                      |

                                                                      |

                                -------------------------------------------------------- 

                                |                                                                         |

                                |                                                                         |

dn: ou=groups,dc=example,dc=com                    dn:ou=people,dc=example,dc=com

                                                                                                          |

                                                                                                          |                                         

                                                                  dn: cn=neelesh,ou=people,dc=example,dc=com

 

Directory Structure: 

    • A Directory is a tree of Directory Entries

    • An Entry consists of a set of Attributes

    • An Attribute has a Name and one or more values.

    • The attributes are defined in Schemas

    • Each entry has unique Identifier i.e. DN, consists of RDN

 

OpenLDAP:

Please note that in our example we have used OpenLDAP as a LDAP server.

Please visit www.openldap.org for more details.

 

 

Features of OpenLDAP:

  1. It is open source

  2. Free to use

  3. Simple Authentication and Security Layer (SASL) support

  4. Access Control

  5. Implements LDAPv3

 

Components of OpenLDAP:

  1. slapd - OpenLDAP server daemon

  2. slapd.conf  OpenLDAP configuration file

  3. Schemas - To define Attributes

  4. Libraries  Required to slapd. Normally they are under /usr/lib/ldap

  5. Backend - Banckend Database. We use BDB here. Located at /var/lib/ldap

  6. LDIF  LDAP Interchange Format. It is used for Importing and exporting information stored in Directory

  7. LDAPcleint  Used to connect LDAP server and operate it. Eg. ldapsearch, ldapadd, ldapdelete etc.

     

    slapd

     1. LDAP server daemonBinary

    2. Normally located under /usr/sbin

    3. To invoke you can directly call slapd on bash prompt




     slapd.conf

     I have divided slapd.conf into 4 Parts

     1. Schema Inclusion

     2. Backend DB & Directory Specific

     3. Access Control

     4. Other

 

     Schemas

      1. Schemas are used to define Attributes

     2. It adds extendibility of LDAP

     3. We can customize or add schemas

     4. Generally Schema files are stored under /etc/ldap/schema

 

         Schema Files                                                   Description

       core.schema                          OpenLDAP core (required)

       cosine.schema                       Cosine and Internet X.500 (useful)

       inetorgperson.schema           InetOrgPerson (useful)

       misc.schema                          Assorted (experimental)

       nis.schema                             Network Information Services (FYI)

       openldap.schema                   OpenLDAP Project (experimental)

 

 

     Libraries or modules

     

     - Generally libraries are stored under /usr/lib/ldap

     - It adds functionality and makes OpenLDAP modular

 

     Backend DB

 

     - OpenLDAP uses mainly following 2 embedded databases to store information

            - BDB Berkely DB Transactional Backend

            - HDB Hierarchical variant of BDB

     - DB is stored under /var/lib/ldap

 

     LDIF

      - LDAP interchange format

     - Collection of entries separated by new line

     - Mapping attribute names to values

     - It is used to import or export information from LDAP directory

 

     LDAPclient

      - LDAP client is used to connect to LDAP server

     - You can add, edit, delete Directory entries

 

     Important Terminologies

     - Distinguished Name (DN) & Relative Distinguished Name (RDN)

       DN is like the absolute path between root of File System and file

       RDN is like Filename

       Eg.

       Entry ---- > dn: cn=admin,dc=example,dc=com

       In above entry

       DN is cn=admin,dc=example,dc=com

       RDN is cn=admin

 

      1. Attributes

         - Attributes are used to store the values

         - Attributes can be one or more values

         - Attributes are defined in Schema Files

         - In LDIF files, Declare Attribute by following way:

               objectClass: organizationalUnit

         In above example objectClass is Attribute and organizationalUnit is value.

 

       2. objectClass Attributes

          - Compulsory attribute with atleast one value

          - It acts as a template for the data to be stored

Rate This Article: poorexcellent
 
Comments about this article
Thank you!
writen by: Nagarjuna on 2011-03-27 12:27:53
LDAP is a tough subject to learn. Well, for me at least. I've been needing a good conceptual understanding of it, and this article helped a lot. Thank you for this :)
RE: Thank you! written by Nagarjuna:
Good Summary, needs to be cleaner.
writen by: ramin.honary on 2011-04-04 06:55:32
This isn't so much an "article" as it is an outline. However, I found it to be informative. It is like, you missed just one class, but after reading the notes your friend took I understand it.
If you could clean it up, make it look more presentable, I think this would be a nice entry to the forums.
RE: Good Summary, needs to be cleaner. written by ramin.honary:
RE: Good Summary, needs to be cleaner.
writen by: neel.gurjar on 2011-05-24 23:29:53
Thanks Ramin.

I will work on it.
Sorry for delay.
Reply to neel.gurjar:

Comment title: * please do not put your response text here