
Chapter 26

Lightweight Directory Access Protocol (LDAP)
LDAP is a client-server system. The LDAP server stores a database which can contain a wide variety of information about an organization, such as usernames, addresses, hostnames, e-mail addresses and phone numbers. LDAP clients retrieve this information from the LDAP server whenever necessary.
The LDAP server database is generally considered a directory service. A directory is a specialized database that is optimized for reading, browsing and searching rather than for frequent updates. The directory entries are arranged in a hierarchical, tree-like structure.
Each directory entry has a set of attributes that describe it. LDAP lets you determine which attributes are required and which are allowed for an entry through a special attribute called objectClass. The values of the objectClass attribute determine the schema rules the entry must obey.

LDAP Directory Tree

(figure: the tree used in this chapter, shown as text)
dc=aita,dc=com
  ou=people,dc=aita,dc=com
    uid=manoj,ou=people,dc=aita,dc=com
An entry is referenced by its distinguished name (DN), which is constructed by taking the name of the entry itself (called the relative distinguished name, RDN) and appending the RDNs of its ancestor entries, from the entry up to the root of the tree. For example, the entry for Manoj in the tree above has an RDN of uid=manoj and a DN of uid=manoj,ou=people,dc=aita,dc=com. A DN must be unique in a directory tree; an RDN only has to be unique among the entries under the same parent.
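The following is an added example, not part of the original chapter: a small Python DN parser that splits a DN into its RDNs the way the text describes, returns the entry's own RDN and its parent DN, and tests whether one DN lies under another. It scans character by character instead of using split(",") because a comma inside an attribute value is escaped as "\," (RFC 4514) and must not be treated as a separator. The DN uid=manoj,ou=people,dc=aita,dc=com is the chapter's; the entry with an escaped comma in its cn is constructed to show the difference.

```python
"""Split LDAP distinguished names into RDNs, honouring RFC 4514 escaping.

Added example, not from the chapter. The DN of manoj is the chapter's own;
the escaped-comma entry is constructed to show why naive str.split(",")
would produce a wrong RDN list.
"""


def split_dn(dn):
    """Return the RDN strings of a DN, the entry's own RDN first.

    A comma escaped as "\\," is part of an attribute value, not a
    separator, so the string is scanned one character at a time.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn(dn):
    """The entry's own name: the leftmost RDN."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The DN of the entry's parent ('' for a root suffix)."""
    return ",".join(split_dn(dn)[1:])


def normalize_dn(dn):
    """Canonical form for comparison: attribute types lower-cased and
    spaces around separators dropped. Values are kept verbatim, since
    whether a value is case-insensitive depends on its attribute syntax."""
    parts = []
    for r in split_dn(dn):
        attr, _, value = r.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip())
    return ",".join(parts)


def is_under(dn, base):
    """True if dn is base itself or an entry somewhere below base."""
    d = split_dn(normalize_dn(dn))
    b = split_dn(normalize_dn(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    manoj = "uid=manoj,ou=people,dc=aita,dc=com"
    print(rdn(manoj))         # uid=manoj
    print(parent_dn(manoj))   # ou=people,dc=aita,dc=com
    # constructed: a comma inside a cn value has to be escaped in the DN
    tricky = r"cn=Manoj\, M,ou=people,dc=aita,dc=com"
    print(split_dn(tricky))   # ['cn=Manoj\\, M', 'ou=people', 'dc=aita', 'dc=com']
```

is_under() is the check an application should make before trusting a DN returned by a search or supplied by a user: a DN that merely contains the string "dc=aita,dc=com" is not necessarily inside that subtree, but one whose trailing RDNs equal the base's is.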
LDAP provides a set of operations for searching, adding, deleting and modifying directory entries. The LDAP search operation lets some portion of the directory (a base entry and a scope below it) be searched for entries that match criteria specified by a search filter, and specific attributes can be requested from each entry that matches the criteria.
Working of LDAP
LDAP directory service is based on a client-server model. One or more LDAP servers hold the data making up the directory information tree (DIT). A client connects to a server and sends it a request. The server responds with an answer and/or with a referral, that is, a pointer to where the client can get additional information (typically another LDAP server).
slapd – LDAP Directory Server

slapd is the stand-alone LDAP directory server of the OpenLDAP project. It runs on many different platforms and you can use it to provide a directory service of your own. Your directory can contain pretty much anything you want to put in it.
Configuring the LDAP Directory Server
Red Hat Linux ships with the OpenLDAP directory server package. If you have performed a full installation, all the files required for configuring the LDAP server are already installed.

The slapd.conf file

slapd.conf is the main server configuration file used by the OpenLDAP server. Given below is a sample slapd.conf file:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile /var/run/slapd.pid
#argsfile /var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!
The sample stops before the database section of the file. The commands in the rest of this chapter assume that section defines the suffix dc=aita,dc=com and the rootdn cn=root,dc=aita,dc=com together with its rootpw. Store the rootpw as a hash generated by slappasswd rather than in clear text, and keep the file readable only by root and the ldap user, as the comment at the top says. Note also that TLS is commented out in the sample, so the simple binds used below (-x -W) send the bind password over the network in clear text until TLS is enabled.
Adding initial entries to the LDAP database
After setting up /etc/openldap/slapd.conf you have to start the LDAP server as follows:
# service ldap start
After starting the LDAP server, the first thing you need to do is create the initial entries of the LDAP back-end database. You can use the ldapadd command to add entries to your LDAP directory. ldapadd expects its input in LDAP Data Interchange Format (LDIF). The basic form of an LDIF entry is as follows, with a blank line separating one entry from the next:
# comment
dn: <distinguished name>
<attrdesc>: <attrvalue>
<attrdesc>: <attrvalue>

To add the initial entries to your LDAP database, create an LDIF file as follows:
# vi start.ldif
dn: dc=aita,dc=com
objectClass: dcObject
dc: aita

dn: cn=root,dc=aita,dc=com
objectClass: organizationalRole
cn: root
(dcObject is an auxiliary class; newer OpenLDAP releases refuse the first entry unless it also carries a structural class, for example objectClass: organization together with o: aita.)
Now run ldapadd to insert these entries into your directory, using simple authentication (-x), binding as the rootdn (-D) and prompting for its password (-W):
# ldapadd -x -D "cn=root,dc=aita,dc=com" -W -f start.ldif
Enter LDAP Password:
To verify that the new entries were added to your directory, use the following command:
# ldapsearch -x -b "dc=aita,dc=com" '(objectclass=*)'
The above command searches for and retrieves every entry under the base dc=aita,dc=com.
# ldapsearch -x -b "dc=aita,dc=com" '(cn=root)'
The above command searches for and retrieves every entry whose cn attribute has the value root.
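The filter strings above are typed by hand, but programs usually build them from user-supplied values (a login name, a search box). The following added example, which is not part of the original chapter, shows a filter builder that escapes the value as RFC 4515 requires, so that the characters * ( ) \ and NUL in the value cannot change the meaning of the filter. The hostile input is constructed; the attribute names and DN are the chapter's.

```python
"""Build LDAP search filters with RFC 4515 value escaping.

Added example, not from the chapter. The filters it returns are the same
strings you would pass to ldapsearch; the "attacker" input below is
constructed to show how an unescaped value rewrites the filter.
"""

# Characters with special meaning inside a filter value (RFC 4515, s. 3).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string so that it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attr, value):
    """(attr=value) with the value escaped.

    The attribute description is checked separately because it is not a
    value and escaping would not apply to it: only letters, digits, '-'
    and ';' (for attribute options) are accepted.
    """
    if not attr.replace("-", "").replace(";", "").isalnum():
        raise ValueError("invalid attribute description: %r" % attr)
    return "(%s=%s)" % (attr, escape_filter_value(value))


def and_filter(*filters):
    return "(&" + "".join(filters) + ")"


def user_lookup_filter(uid):
    """Filter for 'the person entry whose uid is <uid>', built the way an
    application would build it from a login form field."""
    return and_filter(equality_filter("objectClass", "person"),
                      equality_filter("uid", uid))


if __name__ == "__main__":
    print(user_lookup_filter("manoj"))
    # (&(objectClass=person)(uid=manoj))
    # Constructed hostile input. Plain string formatting would give
    # (&(objectClass=person)(uid=*)(uid=*)), which matches every person;
    # with escaping the value can only match an entry literally named so:
    print(user_lookup_filter("*)(uid=*"))
    # (&(objectClass=person)(uid=\2a\29\28uid=\2a))
```

Run the same check against whatever builds filters in your own code: any place that concatenates a request parameter into a filter without escape_filter_value() (or its equivalent in the LDAP library you use) lets a client widen the search to other users' entries.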
Implementing access control
By default, when slapd.conf contains no access directives, the slapd database grants read access to everybody, including anonymous clients; only the superuser (the DN given by the rootdn directive) can write, and the rootdn is never restricted by access controls at all. To change this, remove the "#" symbols from the following entries of the /etc/openldap/slapd.conf file:
access to *
  by self write
  by users read
  by anonymous auth
The above lines implement the following access control: authenticated users have read access, anonymous users may only authenticate (bind), and a user can change the attributes of his own entry. Access lines are evaluated in order and the first line whose target matches decides, so more specific lines must be placed before this catch-all. One such line is worth adding in front of it: as written, by users read lets every authenticated user read every other entry's userPassword attribute. Restrict that attribute with a separate access to attrs=userPassword line that grants self write, anonymous auth and nothing to everyone else.
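To see exactly what the lines above grant to whom, the following added example (not part of the chapter and not OpenLDAP code) models slapd's evaluation for the subset of the access directive used here: the first access line whose target matches is chosen, and within it the first by clause whose requester matches gives the level. It compares the chapter's three by lines, preceded by a userPassword rule the chapter does not have, against the open default that applies when no access lines exist. The DNs are the chapter's; the second user is constructed.

```python
"""Model of how slapd picks an access level from slapd.conf access lines.

Added example; it is neither part of the chapter nor OpenLDAP code. It
covers only the subset of the access directive the chapter uses: a "to"
selector that is "*" or "attrs=<attribute>", and "by self|users|anonymous|*
<level>" clauses. As slapd does, it takes the first "to" line whose
target matches and, inside it, the first "by" clause whose requester
matches. The DNs are the chapter's; the second user is constructed.
"""

# Access levels in increasing order; a level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ROOTDN = "cn=root,dc=aita,dc=com"

# The chapter's three "by" lines, preceded by a userPassword rule the
# chapter does not have: without it "by users read" lets any authenticated
# user read every other user's userPassword value.
HARDENED = [
    {"attrs": "userPassword", "by": [("self", "write"),
                                     ("anonymous", "auth"),
                                     ("*", "none")]},
    {"attrs": None, "by": [("self", "write"),
                           ("users", "read"),
                           ("anonymous", "auth")]},
]

# What slapd applies when slapd.conf contains no access lines at all.
DEFAULT_OPEN = [{"attrs": None, "by": [("*", "read")]}]


def _who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError("unsupported 'by' clause: %r" % who)


def access_level(acls, bind_dn, target_dn, attr=None):
    """Level granted to bind_dn on target_dn, or on one attribute of it.

    attr=None asks about the entry as a whole, so attrs= lines are skipped.
    The rootdn bypasses access control entirely.
    """
    if bind_dn is not None and bind_dn.lower() == ROOTDN.lower():
        return "write"
    for rule in acls:
        if rule["attrs"] is not None and (
                attr is None or rule["attrs"].lower() != attr.lower()):
            continue
        for who, level in rule["by"]:
            if _who_matches(who, bind_dn, target_dn):
                return level
        return "none"   # "to" matched but no "by" did: slapd denies
    # No "to" line matched. This model denies; keep a final "access to *"
    # line in real configurations so this case never arises.
    return "none"


def allowed(acls, bind_dn, target_dn, needed, attr=None):
    """True when the granted level is at least `needed`."""
    granted = access_level(acls, bind_dn, target_dn, attr)
    return LEVELS.index(granted) >= LEVELS.index(needed)


if __name__ == "__main__":
    manoj = "uid=manoj,ou=people,dc=aita,dc=com"
    other = "uid=other,ou=people,dc=aita,dc=com"   # constructed second user
    print(allowed(DEFAULT_OPEN, None, manoj, "read", "userPassword"))  # True
    print(allowed(HARDENED, None, manoj, "read"))                       # False
    print(allowed(HARDENED, None, manoj, "auth", "userPassword"))       # True
    print(allowed(HARDENED, other, manoj, "read", "userPassword"))      # False
    print(allowed(HARDENED, other, manoj, "read", "mail"))              # True
    print(allowed(HARDENED, manoj, manoj, "write", "userPassword"))     # True
```

The first line of output is the point of the exercise: with no access lines, an anonymous client can read every userPassword value in the directory. The anonymous auth entry in the userPassword rule is still required, because slapd needs auth access to that attribute to process the user's own bind.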
After modifying slapd.conf you need to restart the LDAP server as follows:

# service ldap restart

Before using any of the LDAP client commands (ldapadd, ldapsearch, ldapdelete and so on) you may need to edit the LDAP client configuration files. These files are /etc/ldap.conf (used by the nss_ldap and pam_ldap libraries) and /etc/openldap/ldap.conf (used by the OpenLDAP command-line tools and libraries).
/etc/openldap/ldap.conf file
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 100.0.0.71
BASE dc=aita,dc=com
In this file you need to specify the base DN and the IP address (or hostname) of the LDAP server. Newer OpenLDAP releases deprecate HOST in favour of URI (for example URI ldap://100.0.0.71), which also lets you select ldaps://.
In /etc/ldap.conf you also need to specify the HOST IP address and the BASE DN.
Now try to retrieve the information from the LDAP database as follows:

# ldapsearch -x -b 'dc=aita,dc=com' '(objectclass=*)'

With the access controls above in place, this command returns no entries: it binds anonymously, and anonymous users are only allowed to authenticate, not to read. So modify the command to bind as the rootdn:

# ldapsearch -x -D "cn=root,dc=aita,dc=com" -W '(objectclass=*)'
# ldapsearch -LLL -x -D "cn=root,dc=aita,dc=com" -W '(objectclass=*)'
Both commands take the search base from the BASE setting in ldap.conf; -LLL prints the result as plain LDIF without comments and version lines.
Adding additional entries to the LDAP database
Create an LDIF file as follows:
# vi people.ldif
dn: ou=people,dc=aita,dc=com
objectclass: organizationalunit
ou: people

dn: uid=manoj,ou=people,dc=aita,dc=com
objectclass: person
objectclass: inetorgperson
sn: manu
cn: manoj
uid: manoj
userpassword: flower
After creating the file, run the ldapadd command to add the entries to the LDAP database:
# ldapadd -x -D "cn=root,dc=aita,dc=com" -W -f people.ldif
Enter LDAP Password:

The command adds an organizational unit people (DN: ou=people,dc=aita,dc=com) and one user manoj (DN: uid=manoj,ou=people,dc=aita,dc=com). Note that a userpassword value given this way is stored exactly as written, in clear text. Generate a hashed value with slappasswd -s flower instead and use its {SSHA}... output as the userpassword value.
ldapmodify command

The ldapmodify command is used to modify LDAP database entries. This command also expects its input in LDIF format. For example, to modify some entries in our existing LDAP database, create an LDIF file as follows (a line containing only "-" separates the individual changes of one record):

# vi mod.ldif
dn: uid=manoj,ou=people,dc=aita,dc=com
changetype: modify
add: mail
mail: m.mano@accelstl.com
-
add: title
title: courseware
-
replace: sn
sn: mrg
After creating the LDIF file as above, run the ldapmodify command as follows:
# ldapmodify -x -D "cn=root,dc=aita,dc=com" -W -f mod.ldif

Enter LDAP Password:

This adds the e-mail address m.mano@accelstl.com, adds the title courseware and replaces the sn (surname) with mrg in the entry for manoj. Apart from add and replace you can also specify the delete operation to delete an attribute, as follows:
# vi mod.ldif
dn: uid=manoj,ou=people,dc=aita,dc=com
changetype: modify
delete: title
Then run the ldapmodify command as follows:
# ldapmodify -x -D "cn=root,dc=aita,dc=com" -W -f mod.ldif
Enter LDAP Password:
The above command deletes the title attribute from the entry for manoj.
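The following is an added example, not part of the original chapter: a Python parser for LDIF change records of the kind shown above, together with a function that applies the parsed changes to an in-memory copy of the manoj entry. It makes the difference between add, replace and delete visible, including the two cases that make ldapmodify fail on a real server (adding a value that already exists, deleting an attribute that is not there). Only the subset of LDIF used in the chapter is handled: one record per file, one value per line, no base64 ("::") values and no continuation lines; those restrictions are an assumption of this example.

```python
"""Parse LDIF change records (changetype: modify) and apply them to an
in-memory entry, to show what add/replace/delete actually do.

Added example, not from the chapter. The two records below are the
chapter's mod.ldif files; the entry is the one people.ldif created
(password omitted). Handled: one record, one value per line, no base64
("::") values and no continuation lines.
"""


def parse_modify_ldif(text):
    """Return (dn, [(op, attr, [values]), ...]) for one modify record."""
    lines = [l.rstrip("\n") for l in text.strip().splitlines()
             if l.strip() and not l.startswith("#")]
    if not lines[0].startswith("dn: "):
        raise ValueError("record must start with dn:")
    dn = lines[0][4:]
    if lines[1].strip().lower() != "changetype: modify":
        raise ValueError("only changetype: modify is supported")
    changes, current = [], None
    for line in lines[2:]:
        if line == "-":                # ends one change of the record
            current = None
            continue
        key, _, value = line.partition(": ")
        if current is None:
            if key not in ("add", "replace", "delete"):
                raise ValueError("expected add/replace/delete, got %r" % line)
            current = (key, value, [])
            changes.append(current)
        else:
            if key.lower() != current[1].lower():
                raise ValueError("value for %r inside change of %r"
                                 % (key, current[1]))
            current[2].append(value)
    return dn, changes


def apply_changes(entry, changes):
    """Apply parsed changes to entry (dict attr -> list of values).

    add appends values and fails if one already exists; replace sets the
    attribute to exactly the listed values, or removes it when none are
    listed; delete removes the listed values, or the whole attribute when
    none are listed, and fails if the attribute or value is absent. These
    are the cases in which slapd returns attributeOrValueExists and
    noSuchAttribute. The input entry is left unchanged.
    """
    entry = {k: list(v) for k, v in entry.items()}
    for op, attr, values in changes:
        if op == "add":
            existing = entry.setdefault(attr, [])
            for v in values:
                if v in existing:
                    raise ValueError("attributeOrValueExists: %s=%s" % (attr, v))
                existing.append(v)
        elif op == "replace":
            if values:
                entry[attr] = list(values)
            else:
                entry.pop(attr, None)
        elif op == "delete":
            if attr not in entry:
                raise ValueError("noSuchAttribute: %s" % attr)
            if not values:
                del entry[attr]
            else:
                for v in values:
                    if v not in entry[attr]:
                        raise ValueError("noSuchAttribute: %s=%s" % (attr, v))
                    entry[attr].remove(v)
                if not entry[attr]:
                    del entry[attr]
    return entry


MOD_LDIF = """dn: uid=manoj,ou=people,dc=aita,dc=com
changetype: modify
add: mail
mail: m.mano@accelstl.com
-
add: title
title: courseware
-
replace: sn
sn: mrg
"""

DELETE_LDIF = """dn: uid=manoj,ou=people,dc=aita,dc=com
changetype: modify
delete: title
"""

# The entry as created by people.ldif in the chapter (password omitted).
MANOJ = {"objectClass": ["person", "inetOrgPerson"],
         "sn": ["manu"], "cn": ["manoj"], "uid": ["manoj"]}


def run_chapter_example():
    """Apply mod.ldif and then the delete record; return both results."""
    dn, changes = parse_modify_ldif(MOD_LDIF)
    after_mod = apply_changes(MANOJ, changes)
    after_del = apply_changes(after_mod, parse_modify_ldif(DELETE_LDIF)[1])
    return dn, after_mod, after_del


if __name__ == "__main__":
    dn, after_mod, after_del = run_chapter_example()
    print(dn)
    print(after_mod)   # mail and title added, sn now ['mrg']
    print(after_del)   # title gone again
```

Running the delete record a second time raises noSuchAttribute, which is the same error ldapmodify reports when a script is replayed against a server that already has the change; scripts that must be safe to re-run should use replace rather than add/delete.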
ldapdelete command
The ldapdelete command is used to delete entries from an LDAP database.
# ldapdelete -x -D "cn=root,dc=aita,dc=com" -W "uid=manoj,ou=people,dc=aita,dc=com"
Enter LDAP Password:
The above command deletes the LDAP entry manoj from the LDAP database. ldapdelete removes only leaf entries; an entry that still has children (such as ou=people) is refused until they have been deleted.
Configuring LDAP to authenticate user logons
An LDAP server can be configured to authenticate user logons on a network, like NIS. For this you need to migrate the /etc/passwd file into the LDAP database. You can use the Perl scripts stored under /usr/share/openldap/migration to do this.

1. Copy the /etc/passwd file under some other name:
# cp /etc/passwd /etc/passwd.ldap
2. Edit the passwd.ldap file and remove the entries of the users (root and the system accounts in particular) which you do not want to convert into LDAP users.
3. Enter the /usr/share/openldap/migration directory, edit the migrate_common.ph file and add/change the following lines as below:
$DEFAULT_MAIL_DOMAIN = "aita.com";
$DEFAULT_BASE = "dc=aita,dc=com";

4. Run the following command:

# ./migrate_passwd.pl /etc/passwd.ldap passwd.ldif
The above command creates the passwd.ldif file. By default the passwd.ldif file adds all the users under an organizational unit named People. The script reads the password hashes from /etc/shadow, so run it as root; since passwd.ldif then contains every user's password hash, keep it readable by root only and delete it once the import is done.
5. Next, use the passwd.ldif file created in the previous step to add the users to the LDAP database as follows:
# ldapadd -x -D "cn=root,dc=aita,dc=com" -W -f passwd.ldif
Enter LDAP Password:
The above command adds all the users to the LDAP database along with all their parameters such as UID, GID, password, home directory, default shell and password expiry details. The ou=People entry must exist before this import; the ou=people entry created earlier satisfies this, as ou values compare case-insensitively, and migrate_base.pl from the same directory can create it otherwise.
6. On the client side you have to edit the ldap.conf file and /etc/nsswitch.conf so that lookups go to the LDAP server. In nsswitch.conf set the search order for the passwd, group and shadow databases as follows:
passwd: files ldap
shadow: files ldap
group: files ldap

This makes the system look up user names and passwords first in the local /etc/passwd file and then in the LDAP server database. For the logon check itself the PAM stack must use pam_ldap as well; on Red Hat, authconfig sets up both. Note that with the access control configured earlier anonymous clients cannot read anything, so the client's lookups fail unless /etc/ldap.conf is given a binddn and bindpw to search with, or the ACL allows anonymous read of the user entries (everything except userPassword).
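The following is an added example, not the Red Hat migration script itself: a Python routine that does what migrate_passwd.pl does in step 4 for the fields the chapter lists, with the two checks steps 2 and 4 leave to the administrator made explicit. It skips system accounts below a chosen UID instead of relying on hand-editing passwd.ldap, and it copies the hash from the shadow file as a {crypt} value while emitting no userPassword at all for locked or empty hashes, so that a locked local account cannot become an LDAP account with a usable password. The entry layout is modelled on the script's output (objectClasses account, posixAccount, top, shadowAccount); the shadow aging fields are not copied, and the passwd/shadow lines and hashes are constructed.

```python
"""Turn /etc/passwd and /etc/shadow lines into posixAccount LDIF entries.

Added example, not the migrate_passwd.pl script itself. Output layout is
modelled on that script (objectClasses account, posixAccount, top,
shadowAccount; userPassword as {crypt}<hash>); shadow aging fields are
not copied. The sample passwd/shadow lines and hashes are constructed.
"""


def parse_colon_file(text):
    """Split a passwd- or shadow-style file into lists of fields."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def passwd_to_ldif(passwd_text, shadow_text, base, min_uid=500):
    """Return LDIF entries under ou=People,<base>, one per passwd line
    whose numeric UID is at least min_uid; '' if none qualifies."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    entries = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % ":".join(fields))
        name, _, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue                     # root, daemon, ... stay local only
        lines = [
            "dn: uid=%s,ou=People,%s" % (name, base),
            "uid: " + name,
            "cn: " + (gecos.split(",")[0] or name),
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
            "objectClass: shadowAccount",
            "loginShell: " + shell,
            "uidNumber: " + uid,
            "gidNumber: " + gid,
            "homeDirectory: " + home,
        ]
        # A locked ("!", "!!") or disabled ("*") or empty hash must not
        # become a usable password: emit no userPassword, which leaves the
        # LDAP account unable to bind until an administrator sets one.
        pw_hash = shadow.get(name, "")
        if pw_hash and pw_hash[0] not in "!*":
            lines.append("userPassword: {crypt}" + pw_hash)
        entries.append("\n".join(lines) + "\n")
    return "\n".join(entries)


# Constructed sample input; the hashes are placeholders, not real ones.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
manoj:x:500:500:Manoj,,,:/home/manoj:/bin/bash
guest:x:501:501:Guest account:/home/guest:/bin/bash
"""

SHADOW = """root:$1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyyy:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
manoj:$1$abcdefgh$ijklmnopqrstuvwxyz0123:15000:0:99999:7:::
guest:!!:15000:0:99999:7:::
"""

if __name__ == "__main__":
    print(passwd_to_ldif(PASSWD, SHADOW, "dc=aita,dc=com"))
```

The resulting text is what you would pass to ldapadd in step 5. Because it carries password hashes, treat the file like /etc/shadow: create it with a restrictive umask and remove it after the import.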
Implementing address books
A very useful feature of an LDAP database on a Linux server is that, when you have an internal network in your organization, you can have a single place to store all your external contacts. You can even divide it into groups or departments. It is no longer necessary to give each employee a separate address book. Apart from LDAP, this could also be done with Microsoft Exchange Server, Lotus Domino or Netscape Directory Server.
To use the Microsoft Address Book and programs that rely on it, such as Microsoft Outlook, Microsoft Outlook Express and Microsoft Outlook 2000, there is no need to change the basic LDAP configuration. Two things need to be done though.

First, you have to create a directory tree to store your addresses and relevant data. Second, you have to make sure that all hosts on your local network have read access to this tree. By default these clients bind anonymously, so with the access control configured earlier an extra access line granting by * read on the address-book subtree is needed, placed before the catch-all access to * line (slapd uses the first matching line). Grant it on that subtree only, not on the whole directory, and do not expose the server outside the local network.
All Microsoft e-mail programs can use LDAP directory services. If you want to search for people, you have to use the Address Book. When composing a new e-mail message, a name can be automatically matched to an e-mail address. To do this, the cn, sn, givenname and mail fields are searched.

When you want to configure your Microsoft e-mail program to use an LDAP server as your address book, or to look up e-mail addresses, you need to do the following:

Start your favorite e-mail program and open the address book. This can be done by selecting Tools, Address Book from within the program, or via the start menu by selecting Start, Programs, Accessories, Address Book.
1. Click on Tools, Accounts to open the Internet Accounts window.
2. Click Add; you now get an Internet Connection Wizard window. Type the IP address or hostname of your LDAP server and click OK.
3. On the next window, answer Yes to confirm that you want to check your addresses using this directory, or No if you do not want that. Now click Next and then Finish.
4. You are now back at the Internet Accounts window. Select your newly added account and click Properties.
5. On the properties window, click the Advanced tab.
6. In the Search Base field, enter the base of the tree where your addresses will be stored. An example could be ou=Addressbook,dc=aita,dc=com.
7. Press OK to close the window and click Close to close the Internet Accounts window. You should now have returned to the main Address Book window.
8. Now, when you enter a name in the To: field, the e-mail address is looked up in the LDAP directory and automatically filled in for you.
If an entry is not found, a window is presented, and any typos can be corrected, or a new search