LDAP stands for Lightweight Directory Access Protocol, and in the following text we will try to answer the questions that someone can ask based on the name LDAP. First we can get questions like: Why is LDAP lightweight? Why not a heavy one? What were the criteria for measuring? LDAP was designed as a light protocol used for gateway requests to X.500 servers. More about the X.500 Directory Access Protocol standards can be found at the following link: X500. X.500 is considered heavyweight because it required the OSI/ISO protocol stack for communication with clients. On the other side we have the LDAP protocol, which compared to the Directory Access Protocol is considered lightweight because it uses low-overhead messages mapped directly onto the TCP layer of the TCP/IP protocol stack. LDAP is also considered lightweight because it omits many X.500 operations and in that way provides simpler operations.
The term directory in the LDAP name explains that in LDAP we deal with directories as the building blocks of LDAP. Directories themselves are built from entries, and entries are the basic units of directories. These entries (usually) contain similar information. Every entry consists of attributes, for example the name as one attribute, the surname as a second one and so on (if we talk about a person entry), and when we find the right entry (in some directory) we get all the information (attributes) stored in that entry about the particular person (or other information on how to find them in some other place). Further, every attribute is composed of an attribute type and an attribute value. The attribute type is a label for the kind of information stored there and the attribute value is the actual data being stored. For example cn=PV090 is an attribute where cn is the attribute type and PV090 is the attribute value. Directory services are very often confused with databases because they share a number of important characteristics such as fast searches. Directories differ from databases because they are designed to be read from more than written to (they usually contain entries that are static and change infrequently) and because they are designed to provide very fast responses to searches and lookups.
With databases we assume that read and write operations are almost equal in percentage, and they are designed to provide storage for data that can be easily designed and manipulated. Databases excel at storing objects that can be sorted in different ways; a database usually implements some mechanism for preventing two parties from writing data to the same position, while directories do not have that possibility. Complex queries are easier to manage in databases than in directories, and databases have better characteristics when we have to work with large data objects. The main advantage of directories is that they are better suited for objects that need a hierarchy. Directories can be replicated across servers to allow access from multiple locations. Text-based information is well suited for a directory because a directory can be searched easily. Directories support a very good level of access control, and it is possible to allow or restrict access to information as desired.
As we said in the previous section, LDAP is a client-server communication protocol and the LDAP standard mediates communication between server and client. LDAP is a protocol and we cannot buy it; we can only install and use some implementation of LDAP. An interesting feature of the LDAP protocol is that it is a message-oriented protocol. This means that the client constructs an LDAP message which contains the request and sends it to the server. The server processes the request and sends the result back to the client as a series of LDAP messages.
LDAP has nine basic protocol operations that can be divided into three groups:
|'''''''''|                                              |'''''''''|
|         |---1. open connection and bind -------------->|         |
|         |<--2. result of bind operation ---------------|         |
| client  |---3. search operation ---------------------->| server  |
|         |<--4. entry returned -------------------------|         |
|         |----------------------------------------------|         |
|         |<--6. result of search operation -------------|         |
|         |---7. unbind operation ---------------------->|         |
|         |<--8. close connection -----------------------|         |
'''''''''''                                              '''''''''''

Picture 1. The steps above are summarised in the text below.
The LDAP protocol can be presented as an implementation of four models, which are described as follows
The information model describes the basic units that LDAP uses to store information. At the beginning we mentioned "entries", which map real-world objects to data structures in the directory. The information model defines what "entries" look like. Further, every entry consists of entities called attributes, and every attribute is built from two pieces of information: the attribute name and one or more attribute values, as shown in the picture below
|''''''''''''''''''''''|
|                      |
|    |attribute 1|     |
|    |attribute 2|     |
|    |attribute 3|     |
|                      |
|        ENTRY         |
''''''''''''''''''''''''

|''''''''''''''|
|  |type |     |
|  |value|     |
|              |
|  attribute   |
''''''''''''''''

Picture 2.
The naming model describes the structure of the directory. The entries in the directory are accessed by a unique parameter called the "distinguished name, DN". The distinguished name consists of the name that uniquely identifies the entry at that hierarchical level. The most important part of this model is the "directory information tree, DIT", which helps us to organize data into a model that can later be searched more easily. The following picture represents an example of a directory information tree.
                     |o=fi.muni.cz|
                    /      |       \
                   /       |        \
                  /        |         \
         |ou=lectures|  |ou=labs|  |ou=timetable|
              |            |            |
         |uid=PV090|   |uid=B102|   |uid=10:00|

LDAP provides great possibilities in tree design, but that does not mean we can do everything. The directory has to be a tree-like structure: we cannot insert an entry that has no parent entry, and it is not possible to construct an entry that has two ancestors.
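The two naming-model rules above (every entry needs an existing parent; an entry has exactly one parent) can be checked by software rather than trusted. The following is an added example for this page, not OpenLDAP code: it splits a DN into its RDNs, keys entries by the reversed RDN list so that the parent of an entry is always its key with the last RDN removed, and rebuilds the DIT from the picture. The escaped-comma DN in the docstring is a constructed sample; attribute types and values are lowercased for matching, which is a simplification of the matching rules real servers apply per attribute.

```python
# Added example (not part of OpenLDAP): DN parsing and a DIT that enforces
# "one parent, and the parent must already exist" for every non-root entry.

def parse_dn(dn):
    """Split a DN into a list of (type, value) RDNs, leftmost (leaf) first.

    Backslash-escaped separators are honoured, e.g. the constructed sample
    'cn=Doe\\, John,ou=people,dc=lab' yields ('cn', 'Doe, John') first.
    Multi-valued RDNs joined with '+' are not handled; the page does not
    use them."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):     # escaped character: keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        t, v = rdn.split("=", 1)
        out.append((t.strip().lower(), v.strip()))
    return out


class DIT:
    """Directory information tree keyed by (root ... leaf) RDN tuples."""

    def __init__(self, root_dn):
        self.root = self._key(root_dn)
        self.entries = {self.root: {}}

    @staticmethod
    def _key(dn):
        # root RDN first; values lowercased so 'DC=Lab' and 'dc=lab' coincide
        return tuple((t, v.lower()) for t, v in reversed(parse_dn(dn)))

    def add(self, dn, **attrs):
        key = self._key(dn)
        if key in self.entries:
            raise ValueError("entry already exists: " + dn)
        if key[:-1] not in self.entries:     # the single parent must exist
            raise LookupError("no parent entry for " + dn)
        self.entries[key] = dict(attrs)
        return key

    def parent(self, dn):
        """Every entry has exactly one parent: its key minus the last RDN."""
        key = self._key(dn)
        return key[:-1] if key != self.root else None

    def children(self, dn):
        key = self._key(dn)
        return sorted(k for k in self.entries if k[:-1] == key)


def build_example_tree():
    """Rebuild the DIT from the picture (o=fi.muni.cz with three OUs)."""
    dit = DIT("o=fi.muni.cz")
    for ou in ("lectures", "labs", "timetable"):
        dit.add("ou=%s,o=fi.muni.cz" % ou, objectClass="organizationalUnit")
    dit.add("uid=PV090,ou=lectures,o=fi.muni.cz", cn="PV090")
    dit.add("uid=B102,ou=labs,o=fi.muni.cz")
    dit.add("uid=10:00,ou=timetable,o=fi.muni.cz")
    return dit


if __name__ == "__main__":
    dit = build_example_tree()
    for key in sorted(dit.entries):
        print("  " * (len(key) - 1) + "%s=%s" % key[-1])
    try:
        dit.add("uid=orphan,ou=missing,o=fi.muni.cz")
    except LookupError as err:
        print("rejected:", err)
```

Running the block prints the tree indented by depth and then the rejection of an entry whose parent does not exist, which is the first of the two rules; the second rule holds by construction, because a key has only one prefix of length one less.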
The information model describes the elements of the directory, and the naming model describes the structure of the directory. The functional model describes the operations that we can perform on the directory using the LDAP protocol. The LDAP functional model consists of a set of operations divided into three groups. The interrogation operations allow us to search the directory and retrieve directory data. The update operations allow us to add, delete, rename, and change directory entries. The authentication and control operations allow clients to identify themselves to the directory and control certain aspects of a session.
The security model is very important because LDAP is a connection-oriented protocol: in a typical environment the client opens a connection to the server and the server performs an action after receiving the request to open the connection. After that the client must provide user credentials. If everything is all right, the server accepts the credentials and associates some rights with the user who provided those credentials. Before the client can access the server, two actions must be performed: authentication and authorization. Authentication takes place when the client identifies itself to the server as it tries to connect. The process depends very much on the authentication mechanism used. The easiest way is to connect to the server without the need to provide an identity. To such an anonymous connection, if allowed at all, the server grants the lowest access rights. There are authentication schemes ranging from simple authentication with user name and password to authentication using certificates. These certificates give the server the assurance that the client really is who it says it is. Authorization is the process by which the server grants the correct access rights to the previously authenticated client. This points out a very important feature of directories, characterised by access rights; using this it is possible to grant fine-grained access to directories on the LDAP server. For this purpose the server must maintain the access control information (ACI) data, which is held in the ACL (access control list) file. The process of authentication is very extensively described in RFC 2829. The most important features related to authentication of an LDAP client to an LDAP server can be listed as below
In the following text we will explain in short all of the above access methods to the LDAP server. Anonymous access is easier to implement, but this method has minimal security. In this case the server has no idea who is asking for access. Anonymous access is used mainly for publicly accessible data such as a public phone book. Basic authentication is the type of authentication where the client sends credentials to the server in plain text without any encryption. Unsafe. LDAP and SASL (Simple Authentication and Security Layer): SASL is a method of providing authentication services to a connection-oriented protocol such as LDAP. This standard makes it possible for a client and server to agree upon a security layer for encryption. Once the server and client are connected, they agree upon a security mechanism for the ongoing conversation. One of these mechanisms is for example Kerberos. SASL specifies a challenge-response protocol in which data is exchanged between the client and the server for the purposes of authentication and establishment of a security layer on which to carry out later communication between client and server.
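Two statements above, that the client "constructs an LDAP message" (the message-oriented protocol) and that basic authentication sends credentials "in plain text without any encryption", can both be seen in the bytes of a bind request. The following is an added example for this page, not OpenLDAP code: a minimal BER encoder and decoder for steps 1 and 7 of Picture 1, the simple BindRequest and the UnbindRequest, with tag values as in RFC 4511. The DN and password are constructed sample values; the final function shows that the simple-bind password is present verbatim in the frame, which is the reason a simple bind is only acceptable over TLS or replaced by a SASL mechanism.

```python
# Added example for this page (not OpenLDAP code): a minimal BER encoder and
# decoder for two LDAP messages, a simple BindRequest and an UnbindRequest.
# Tag values follow RFC 4511; the DN and password used are constructed.

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """INTEGER (tag 0x02), minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3,
    name, authentication simple [0] OCTET STRING } }."""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))

def encode_unbind_request(message_id):
    """LDAPMessage { messageID, unbindRequest [APPLICATION 2] NULL }."""
    return tlv(0x30, ber_int(message_id) + tlv(0x42, b""))

def read_tlv(buf, pos=0):
    """Return (tag, contents, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_message(frame):
    """Parse one LDAPMessage frame into a dict (bind and unbind only)."""
    tag, seq, end = read_tlv(frame)
    if tag != 0x30 or end != len(frame):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(seq)
    msg = {"messageID": int.from_bytes(mid, "big", signed=True)}
    tag, op, _ = read_tlv(seq, pos)
    if tag == 0x60:                     # [APPLICATION 0] BindRequest
        _, ver, p = read_tlv(op)
        _, name, p = read_tlv(op, p)
        atag, cred, _ = read_tlv(op, p)
        msg.update(op="bindRequest",
                   version=int.from_bytes(ver, "big", signed=True),
                   name=name.decode(),
                   auth="simple" if atag == 0x80 else "sasl",
                   credentials=cred)
    elif tag == 0x42:                   # [APPLICATION 2] UnbindRequest
        msg["op"] = "unbindRequest"
    else:
        msg["op"] = "unsupported(0x%02x)" % tag
    return msg

def password_visible_on_wire(frame, password):
    """True when the simple-bind password appears verbatim in the frame:
    without TLS (or a SASL mechanism) anyone on the path can read it."""
    return password.encode() in frame

if __name__ == "__main__":
    frame = encode_bind_request(1, "cn=admin,dc=lab", "secret")   # constructed
    print(frame.hex())
    print(decode_message(frame))
    print("password readable on the wire:", password_visible_on_wire(frame, "secret"))
    print(decode_message(encode_unbind_request(2)))
```

The decoder is deliberately limited to the two operations the example encodes; a real client library also handles the BindResponse, SearchRequest and the other message types of the functional model.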
OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project, released under its own license called the OpenLDAP Public License. Under Linux the term most in use is slapd, which is the LDAP directory server; it runs on many platforms. It is important to say that slapd supports the following features
For installation on a Debian system we will need to install the following packages
apt-get install slapd ldap-utils migrationtools

During installation we will be asked for the administrator password for LDAP. debconf will do the rest, and after that in /etc/ldap/slapd.conf we will find, among other things, the following content
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=lab"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=lab"

and further we created a simple file test.ldif, just for testing
speo:/etc/ldap# cat test.ldif
dn: dc=lab
dc: lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: subnet

dn: cn=admin,dc=lab
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP Administrator user
userPassword: {MD5}ttttttttttttXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----This is my password :) :)

#dn: cn=nss,dc=example
#objectClass: organizationalRole
#objectClass: simpleSecurityObject
#cn: nss
#description: LDAP NSS user for user-lookups
#userPassword: {MD5}XXXXXXXXXXXXXXXXXXXXXX==

and add it to LDAP using

slapadd -l test.ldif

I set the password for accessing LDAP using slappasswd -h {MD5}, where we are asked to enter the password twice. The output of the slappasswd command must be copied into test.ldif. If we do not do that, we will get an error when we send a query to LDAP.
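The LDIF file above and the slappasswd output pasted into it are both simple text formats, and it is worth being able to read both without a running server. The following is an added example for this page, not OpenLDAP code: a small LDIF reader (comments, folded continuation lines and base64 values) and a checker for userPassword values in the {MD5} form used above and in the salted {SSHA} form that slappasswd produces by default. The LDIF text is a constructed stand-in for test.ldif; the page's own hash is not reproduced, the sample hash is computed here for the constructed password "secret". The example also shows why {MD5} is the weaker choice: it is unsalted, so two accounts with the same password store the identical value, while {SSHA} values differ on every run.

```python
# Added example for this page (not OpenLDAP code): an LDIF reader plus
# creation and verification of {MD5}/{SSHA} userPassword values.
import base64
import hashlib
import hmac
import os

def parse_ldif(text):
    """Return a list of entries, each {attribute: [values]}.

    Handles '#' comments, folded lines (a continuation line starts with one
    space) and base64 values written as 'attr:: ...'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(attr.strip(), []).append(value)
    return entries

def make_hash(password, scheme="SSHA", salt=None):
    """Produce a userPassword value in {MD5} or {SSHA} form."""
    pw = password.encode()
    if scheme == "MD5":                   # unsalted: same password, same hash
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "SSHA":                  # salted SHA-1, slappasswd's default
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme " + scheme)

def verify_password(stored, candidate):
    """Check a candidate password against a stored {MD5}/{SSHA} value."""
    scheme, _, data = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(data)
    pw = candidate.encode()
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported scheme " + scheme)

# Constructed sample standing in for test.ldif; the hash is computed for the
# constructed password "secret", not copied from the page.
SAMPLE_LDIF = """\
dn: dc=lab
dc: lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: subnet

dn: cn=admin,dc=lab
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP Administrator
  user
userPassword: """ + make_hash("secret", "MD5") + "\n"

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"][0], "->", {k: v for k, v in e.items() if k != "dn"})
    admin = parse_ldif(SAMPLE_LDIF)[1]
    print("secret accepted:", verify_password(admin["userPassword"][0], "secret"))
    print("two {MD5} of the same password:", make_hash("secret", "MD5") == make_hash("secret", "MD5"))
    print("two {SSHA} of the same password:", make_hash("secret") == make_hash("secret"))
```

The folded "description" line in the sample carries two leading spaces: the first is the LDIF folding marker that the reader strips, the second is the real space inside "LDAP Administrator user".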
For client configuration it is necessary to get the packages
apt-get install ldap-utils libpam-ldap libnss-ldap nscd slapd ldap-utils

The ldap-utils package allows us to query and alter the LDAP database remotely. The content of /etc/ldap/ldap.conf on our client is
BASE dc=lab # dc=com
URI ldap://ldap.speo.lab:389
#ldap://speo.lab:666
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_crypt local
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
The LDAP system allows replication of the master directory tree to a slave. The slave server can share the load for read requests and act as a backup server. To bring up a replica slapd instance, we must configure the master and slave slapd instances for replication, then shut down the master slapd so we can copy the database. Finally, we bring up the master slapd instance, the slave slapd instance, and the slurpd instance. These steps are as follows (we can set up as many slave slapd instances as we wish)
replica uri=ldap://speo-beta:389
        binddn="cn=admin,dc=lab"
        bindmethod=simple
        credentials=secret
replogfile /var/lib/ldap/replog

On our slave, in slapd.conf, we have to add the following
updatedn cn=admin,dc=lab
updateref ldap://speo.lab