LDAP configuration (2.210.3)

The candidate should be able to configure an LDAP server. This objective includes configuring a directory hierarchy and adding group, hosts, services and other data to the hierarchy. Also included are: importing items from LDIF files and adding items with a management tool, as well as adding users to the directory and changing their passwords.

Key files, terms and utilities include:

slapd
slapd.conf

What is it?

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lighter version of DAP, the Directory Access Protocol defined by the X.500 standard. For more information on X.500, please read RFC 2116.

The reason for a lightweight version is that DAP placed a rather heavy load on the processor, demanding more than the processors of the time could provide. LDAP is described in RFC 2251.

The LDAP project was started at the University of Michigan, but, as can be read on their site, is no longer maintained there. For current information, the University of Michigan site points visitors to the OpenLDAP site instead.

The type of information best suited for storage in a directory is information that changes rarely. The reason for this is that directories are optimized for read access only, so they cannot compete with RDBM systems on frequently updated data. So then, what do we store in a directory? Typically, LDAP directories contain employee data such as surname, Christian name, address, phone number, department, social security number and e-mail address. Alternatively, directories might store newsletters for everyone to read, descriptions of company policies and procedures, or templates supporting the house style of documents.

Configuring a directory hierarchy

Let's take the company MegaFix in The Netherlands as an example.

This figure shows MegaFix's organisational structure.

The company consists of three departments: Sales, Engineering and Administration.

In order to provide local support to their customers, the Engineering department has offices in London, Paris, Rome and Amsterdam with, for the moment, one or two engineers.

So, how do we build a directory for this organization?

First, we must decide what kind of information to store in the directory. Let's put ourselves in the shoes of the customer:

  1. The organizational structure of the company

  2. Information about people working at the company

The second thing to do is select or create object class and schema definitions. The directory /etc/ldap/schema contains a number of predefined ones, and core.schema fits our needs (trust me, or have a look at it if you don't).

The third thing to do is choose the object class we are going to use. This depends on the data we wish to store. An object class describes an object by defining its possible attributes.

For the organizational structure of the company, we are going to use the object classes organization, organizationalUnit (note the z) and country. This gives us the following attributes:

  • country or c in short notation

  • organization or o in short notation

  • organizationalUnit or ou in short notation

  • userPassword

  • searchGuide

  • seeAlso

  • businessCategory

  • x121Address

  • registeredAddress

  • destinationIndicator

  • preferredDeliveryMethod

  • telexNumber

  • teletexTerminalIdentifier

  • telephoneNumber

  • internationaliSDNNumber

  • facsimileTelephoneNumber

  • street

  • postOfficeBox

  • postalCode

  • postalAddress

  • physicalDeliveryOfficeName

  • stateOrProvinceName or st

  • localityName or l

  • description

For people working for the company, we are going to use the object class person, which supports the following attributes:

  • commonName or cn in short notation

  • surname or sn in short notation

  • userPassword

  • telephoneNumber

  • seeAlso

  • description

SASL stands for Simple Authentication and Security Layer. This is the layer between OpenLDAP and Kerberos.

Finally, we define the MegaFix organization in LDAP Data Interchange Format (LDIF). See the ldif man page (man ldif) for further details.

#------------------------------------------------------------
# The organisational structure
#
# dn = distinguishedName
# ou = organizationalUnit
# o  = organizationName
# c  = country
#------------------------------------------------------------
# The organisation MegaFix in the Netherlands
# (every entry carries its naming attribute, o or ou, as its object class requires)
dn: o=MegaFix, c=NL
objectClass: organization
o: MegaFix
description: The MegaFix Company Ltd.

# The Sales department
dn: ou=Sales, o=MegaFix, c=NL
objectClass: organizationalUnit
ou: Sales
description: Sales dept.

# The engineering department
dn: ou=Engineering, o=MegaFix, c=NL
objectClass: organizationalUnit
ou: Engineering
description: Engineering dept.

# Engineering - London division
dn: ou=London, ou=Engineering, o=MegaFix, c=NL
objectClass: organizationalUnit
ou: London
description: Division London

# Engineering - Paris division
dn: ou=Paris, ou=Engineering, o=MegaFix, c=NL
objectClass: organizationalUnit
ou: Paris
description: Division Paris

# Engineering - Rome division
dn: ou=Rome, ou=Engineering, o=MegaFix, c=NL
objectClass: organizationalUnit
ou: Rome
description: Division Rome

# Engineering - Amsterdam division
dn: ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
objectClass: organizationalUnit
ou: Amsterdam
description: Division Amsterdam

# The Administration department
dn: ou=Administration, o=MegaFix, c=NL
objectClass: organizationalUnit
ou: Administration
description: Administration dept.

#------------------------------------------------------------
# The persons in the organisation
#
# dn = distinguishedName
# ou = organizationalUnit
# o  = organizationName
# c  = country
# cn = commonName
# sn = surname
#------------------------------------------------------------

# The Company's Manager
dn: cn=Manager, o=MegaFix, c=NL
objectClass: person
cn: Manager
cn: Gordon Gekko
sn: Gekko
description: General Manager - The Big Boss
telephoneNumber: 555-1255

# The engineers in London
dn: cn=John Hughes, ou=London, ou=Engineering, o=MegaFix, c=NL
objectClass: person
cn: Engineer
cn: John Hughes
sn: Hughes
description: Engineer

dn: cn=Peter Baines, ou=London, ou=Engineering, o=MegaFix, c=NL
objectClass: person
cn: Engineer
cn: Peter Baines
sn: Baines
description: Engineer

# The engineers in Paris
dn: cn=Linda Charteris, ou=Paris, ou=Engineering, o=MegaFix, c=NL
objectClass: person
cn: Engineer
cn: Linda Charteris
sn: Charteris
description: Engineer

# The engineers in Rome
dn: cn=Marcello Conti, ou=Rome, ou=Engineering, o=MegaFix, c=NL
objectClass: person
cn: Engineer
cn: Marcello Conti
sn: Conti
description: Engineer

# The engineers in Amsterdam
dn: cn=Pieter Jansen, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
objectClass: person
cn: Engineer
cn: Pieter Jansen
sn: Jansen
description: Engineer

dn: cn=Johan Klaassens, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
objectClass: person
cn: Engineer
cn: Johan Klaassens
sn: Klaassens
description: Engineer
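
The mistakes an LDIF file like this one is prone to (an ou entry declared with objectClass organization, an entry that lacks its own naming attribute, a child listed before its parent) are only reported one at a time when ldapadd rejects them. The following checker is an added example, not part of the original page; it handles plain LDIF (no base64 "::" values, no folded lines) and assumes the database suffix is o=MegaFix, c=NL and the core.schema MUST attributes of the four object classes used above.

```python
import re

# Assumption: only the classes this page uses occur; sets are their core.schema MUST attributes
MUST = {"country": {"c"}, "organization": {"o"},
        "organizationalunit": {"ou"}, "person": {"cn", "sn"}}

def split_dn(dn):
    # RDNs leaf-first in canonical lower case; an escaped comma (\,) is not a separator
    return tuple(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def parse_ldif(text):
    # Parse plain LDIF (no base64 '::' values, no folded lines) into (dn, {attr: [values]})
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.strip() and not raw.startswith("#"):
            lines.append(raw)                        # attribute line; comments are skipped
        elif not raw.strip() and lines:              # a blank line ends the record
            attrs = {}
            for line in lines:
                name, value = re.match(r"([^:]+):\s*(.*)", line).groups()
                attrs.setdefault(name.strip().lower(), []).append(value)
            entries.append((attrs.pop("dn")[0], attrs))
            lines = []
    return entries

def check_ldif(text, suffix):
    # Return the problems slapd would reject the file for; [] means the file is clean
    problems, seen = [], {split_dn(suffix)}
    for dn, attrs in parse_ldif(text):
        rdns = split_dn(dn)
        if rdns not in seen and rdns[1:] not in seen:   # ldapadd needs parents first
            problems.append(f"{dn}: parent entry is not added before this one")
        seen.add(rdns)
        name, _, value = rdns[0].partition("=")          # the naming attribute of the RDN
        if value not in [v.lower() for v in attrs.get(name, [])]:
            problems.append(f"{dn}: naming attribute {name}={value} missing from entry")
        for cls in [c.lower() for c in attrs.get("objectclass", [])]:
            for must in sorted(MUST.get(cls, set()) - set(attrs)):
                problems.append(f"{dn}: objectClass {cls} requires attribute {must}")
    return problems

# Constructed sample: an ou entry declared as organization, then a person whose
# division was never created and who lacks the required sn attribute
SAMPLE = """\
dn: ou=Engineering, o=MegaFix, c=NL
objectClass: organization

dn: cn=Wim Poorten, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
objectClass: person
cn: Wim Poorten
"""
```

Running check_ldif(SAMPLE, "o=MegaFix, c=NL") reports four problems: the missing ou and o on the Engineering entry, the missing parent division for Wim Poorten, and his missing sn.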

To update our directory with the data from the above file MegaFix.ldif, we use the command:

# ldapadd -f /etc/ldap/MegaFix.ldif -D 'cn=Manager,o=Megafix,c=NL' -W -x
Enter LDAP Password: (which is 'blabla')
adding new entry "o=MegaFix, c=NL"
adding new entry "ou=Sales, o=MegaFix, c=NL"
adding new entry "ou=Engineering, o=MegaFix, c=NL"
adding new entry "ou=London, ou=Engineering, o=MegaFix, c=NL"
adding new entry "ou=Paris, ou=Engineering, o=MegaFix, c=NL"
adding new entry "ou=Rome, ou=Engineering, o=MegaFix, c=NL"
adding new entry "ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL"
adding new entry "ou=Administration, o=MegaFix, c=NL"
adding new entry "cn=Manager, o=MegaFix, c=NL"
adding new entry "cn=John Hughes, ou=London, ou=Engineering, o=MegaFix, c=NL"
adding new entry "cn=Peter Baines, ou=London, ou=Engineering, o=MegaFix, c=NL"
adding new entry "cn=Linda Charteris, ou=Paris, ou=Engineering, o=MegaFix, c=NL"
adding new entry "cn=Marcello Conti, ou=Rome, ou=Engineering, o=MegaFix, c=NL"
adding new entry "cn=Pieter Jansen, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL"
adding new entry "cn=Johan Klaassens, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL"

The data has been added.

To check if everything works the way we want it to, let's ask our directory for a list of all entries concerning the engineering organizationalUnit, ou for short:

# ldapsearch -LLL -b 'ou=engineering,o=MegaFix,c=nl' -x cn description
dn: ou=Engineering, o=MegaFix, c=NL
description: Engineering dept.

dn: ou=London, ou=Engineering, o=MegaFix, c=NL
description: Division London

dn: ou=Paris, ou=Engineering, o=MegaFix, c=NL
description: Division Paris

dn: ou=Rome, ou=Engineering, o=MegaFix, c=NL
description: Division Rome

dn: ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
description: Division Amsterdam

dn: cn=John Hughes, ou=London, ou=Engineering, o=MegaFix, c=NL
cn: Engineer
cn: John Hughes
description: Engineer

dn: cn=Peter Baines, ou=London, ou=Engineering, o=MegaFix, c=NL
cn: Engineer
cn: Peter Baines
description: Engineer

dn: cn=Linda Charteris, ou=Paris, ou=Engineering, o=MegaFix, c=NL
cn: Engineer
cn: Linda Charteris
description: Engineer

dn: cn=Marcello Conti, ou=Rome, ou=Engineering, o=MegaFix, c=NL
cn: Engineer
cn: Marcello Conti
description: Engineer

dn: cn=Pieter Jansen, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
cn: Engineer
cn: Pieter Jansen
description: Engineer

dn: cn=Johan Klaassens, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
cn: Engineer
cn: Johan Klaassens
description: Engineer

And it works!

The distinguishedName, or dn, consists of the set of attributes that uniquely identify an entry. This set of attributes corresponds to the path that has to be travelled to reach that entry, read from right to left. The last result shown above, Johan Klaassens, is found by starting the search at o=MegaFix and c=NL, going to the department of Engineering and finally going to the division Amsterdam.

Adding data to the hierarchy

MegaFix's sales in Amsterdam have increased and thus the need for a third engineer arose. Luckily, Mr. Wim Poorten applied for the job and got it.

To add Mr. Poorten to our directory, we create the file /etc/ldap/MegaFix.Amsterdam.Add.ldif (I like descriptive names) and issue the command:

# ldapadd -f /etc/ldap/MegaFix.Amsterdam.Add.ldif -D 'cn=Manager,o=MegaFix,c=NL' -W -x
Enter LDAP Password: (which is 'blabla')

There should now be three engineers working in the Amsterdam division:

# ldapsearch -LLL -b 'ou=amsterdam,ou=engineering,o=MegaFix,c=nl' -x cn
dn: ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL

dn: cn=Pieter Jansen, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
cn: Engineer
cn: Pieter Jansen

dn: cn=Johan Klaassens, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
cn: Engineer
cn: Johan Klaassens

dn: cn=Wim Poorten, ou=Amsterdam, ou=Engineering, o=MegaFix, c=NL
cn: Engineer
cn: Wim Poorten

And, as you can see, there are!

Remove data from the hierarchy

Unfortunately, sales are down in London. John Hughes has to leave the company.

Naturally, the directory should reflect this new situation.

# ldapdelete -r -x -D 'cn=Manager,o=MegaFix,c=NL' -W 'cn=John Hughes, ou=London, ou=Engineering, o=MegaFix, c=NL'

Change a password stored in LDAP

ldappasswd is used to change or set a password in LDAP. Please note that the ldappasswd utility requires a confidential connection: if the messages are not encrypted with SSL, TLS, or an appropriate SASL mechanism, the server will not perform the request.

Example

The Directory Manager changes the password of the user uid=tuser1,ou=People,dc=example,dc=com to new_password over SSL.

ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db \
  -D "cn=Directory Manager" -w dmpassword -s new_password \
  "uid=tuser1,ou=People,dc=example,dc=com"

A user, tuser5, authenticates with DIGEST-MD5 and changes the password to new_password.

ldappasswd -h myhost -o "mech=DIGEST-MD5" \
  -o "authid=dn:uid=tuser5,ou=People,dc=example,dc=com" \
  -w old_password -s new_password

More on LDAP

If you would like to read more about LDAP, this section points you to a few sources of information:

Copyright Snow B.V. The Netherlands