OpenLDAP Directory Administration
LDAPv3 Overview
Table of Contents
● LDIF
● What Is an Attribute ?
● What Is the dc Attribute
● Schema References
● Authentication
● Distributed Directories
● Continuing Standardization
LDIF
● Unix/Linux administrators generally prefer plain-text configuration files over some binary store of bits
● The LDAP Data Interchange Format (LDIF), defined in RFC 2849, is a standard text format for storing LDAP configuration information and directory contents
● In its most basic form, an LDIF file is:
– A collection of entries separated from each other by blank lines
– A mapping of attribute names to values
– A collection of directives that instruct the parser how to process the information
● LDIF files are often used to import new data into your directory or to make changes to existing data
● An LDIF file must obey the schema rules of the LDAP directory; an entry that does not is rejected by the server with a "schema violation" error
LDIF (cont.)
LDAP Directory Information Tree (DIT):

dc=plainjoe,dc=org
    ou=devices
    ou=people
        cn=gerald carter

The entry cn=gerald carter as an LDIF record (the first component of the dn, cn=gerald carter, is the RDN; the remaining lines are attribute types and values):

dn: cn=gerald carter,ou=people,dc=plainjoe,dc=org
cn: gerald carter
objectClass: person
sn: carter
telephoneNumber: 555-1234
LDIF (cont.)
● LDIF entry:

# LDIF listing for the entry dn: dc=plainjoe,dc=org
dn: dc=plainjoe,dc=org
objectClass: domain
dc: plainjoe

● Observations about LDIF syntax:
– Comments in an LDIF file begin with the pound character (#)
– Attribute names are listed on the left-hand side of the colon (:) and values on the right-hand side; the colon is separated from the value by a space
– The dn attribute uniquely identifies the entry (its DN) and is the first line of every entry
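The parser below is an added example for the two LDIF slides above; it is not code from the slides or from OpenLDAP. It implements the rules just listed (entries separated by blank lines, `#` comments, `attr: value` pairs, `dn` first) plus three RFC 2849 details a practitioner trips over: a line beginning with one space continues the previous line, `attr::` carries a base64 value, and `attr:<` is a URL that LDIF tools such as ldapadd resolve on the client side. The sample input is constructed here and mirrors the dc=plainjoe,dc=org and ou=devices entries; the `file:///etc/passwd` reference is deliberate, to show why a parser must not dereference URLs from untrusted LDIF.

```python
import base64

# Constructed sample input (not from the slides' own files).
SAMPLE_LDIF = """\
# constructed sample, mirrors the dc=plainjoe,dc=org and ou=devices entries
dn: dc=plainjoe,dc=org
objectClass: domain
dc: plainjoe

dn: ou=devices,dc=plainjoe,dc=org
objectClass: organizationalUnit
ou: devices
telephoneNumber: +1 256 555-5446
telephoneNumber: +1 256 555-5447
description: Container for all network enabled devices existing
  within the plainjoe.org domain
# '::' marks a base64 value (needed for leading spaces, non-ASCII, newlines)
postalAddress:: MTIzIE1haW4gU3Q=
# ':<' is a URL reference that LDIF tools resolve on the client side
seeAlso:< file:///etc/passwd
"""


def unfold(text):
    """Join folded lines and drop comments. A line beginning with one space
    continues the previous logical line (RFC 2849), so exactly one space is
    removed; continuation lines of a comment are dropped with the comment."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(' '):
            if not in_comment and lines:
                lines[-1] += raw[1:]
            continue
        in_comment = raw.startswith('#')
        if not in_comment:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries. Each entry is a dict: 'dn' -> str, every
    other attribute name (lower-cased) -> list of values. A URL value is
    returned as ('url', url) and never fetched: whoever controls the LDIF
    file could otherwise point it at any local file the tool can read."""
    entries, current = [], None
    for line in unfold(text):
        if line.strip() == '':
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.lower().startswith('version:'):
            continue
        name, sep, rest = line.partition(':')
        if not sep or not name.strip():
            raise ValueError('malformed LDIF line: %r' % line)
        name = name.strip().lower()
        if rest.startswith(':'):                      # attr:: <base64>
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        elif rest.startswith('<'):                    # attr:< <url>
            value = ('url', rest[1:].strip())
        else:                                         # attr: <value>
            value = rest[1:] if rest.startswith(' ') else rest
        if name == 'dn':
            if current is not None:
                raise ValueError('dn inside an entry (missing blank line?)')
            current = {'dn': value}
        elif current is None:
            raise ValueError('attribute line before dn: %r' % line)
        else:
            current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def needs_base64(value):
    """RFC 2849 SAFE-STRING rule: values that start with a space, ':' or '<',
    end with a space, or contain NUL, CR, LF or non-ASCII must be base64."""
    return (value == '' or value[0] in ' :<' or value[-1] == ' '
            or any(ord(c) > 127 or c in '\0\r\n' for c in value))


def to_ldif(entry):
    """Serialise one entry back to LDIF, choosing '::' where required."""
    dn = entry['dn']
    out = ['dn:: ' + base64.b64encode(dn.encode('utf-8')).decode('ascii')
           if needs_base64(dn) else 'dn: ' + dn]
    for name, values in entry.items():
        if name == 'dn':
            continue
        for v in values:
            if isinstance(v, tuple):
                out.append('%s:< %s' % (name, v[1]))
            elif needs_base64(v):
                out.append('%s:: %s' % (name, base64.b64encode(v.encode('utf-8')).decode('ascii')))
            else:
                out.append('%s: %s' % (name, v))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for entry in parse_ldif(SAMPLE_LDIF):
        print(to_ldif(entry))
```

Attribute names are lower-cased because LDAP attribute types are case-insensitive; a consumer that compares `telephoneNumber` and `telephonenumber` as different keys will miss values.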
LDIF (cont.)
Distinguished Names and Relative Distinguished Names
– The full DN of an entry does not need to be stored as an attribute within that entry: it can be generated on the fly
– Comparing LDAP to a filesystem:
● DN ~ absolute path to a file
● RDN ~ a filename
● Unlike a filename, an RDN can be made up of multiple attributes (~ a compound index in a relational database)
– The DN of an entry is formed by stringing together the RDNs of every entry from that entry up to the root of the directory tree
LDIF (cont.)
Distinguished Names and Relative Distinguished Names (cont.)
Multivalued RDNs

# example of two entries with a multivalued RDN
dn: cn=Jane Smith+ou=Sales,dc=plainjoe,dc=org
cn: Jane Smith
ou: Sales
...

dn: cn=Jane Smith+ou=Engineering,dc=plainjoe,dc=org
cn: Jane Smith
ou: Engineering
...

● For both entries, the first component of the DN is an RDN composed of two values: cn=Jane Smith+ou=Sales and cn=Jane Smith+ou=Engineering
● In a multivalued RDN, the + sign separates the attribute values used to form the RDN
● Characters that must be escaped with a \ inside a value: pound (#) or space at the start of the value, space at the end of the value, comma (,), plus (+), double quote ("), backslash (\), angle brackets (< and >), semicolon (;)
LDIF (cont.)
Distinguished Names and Relative Distinguished Names (cont.)
Multivalued RDNs (cont.)
● Use them as little as possible: create separate organizationalUnits (ou) for Sales and Engineering instead, so that each cn=Jane Smith has a single-valued RDN under its own ou

dc=plainjoe,dc=org
    ou=Engineering
        cn=Jane Smith
    ou=Sales
        cn=Jane Smith
LDIF (cont.)
Distinguished Names and Relative Distinguished Names (cont.)
– RFC 2253 defines a method of unambiguously representing a DN as a UTF-8 string:
● Remove all non-escaped whitespace surrounding the equal sign in each RDN
● Make sure the appropriate characters are escaped
● Remove all non-escaped spaces surrounding the multivalued RDN join character (+)
● Remove all non-escaped trailing spaces on RDNs
– e.g.
cn=gerald carter + ou=sales, dc=plainjoe ,dc=org
– becomes:
cn=gerald carter+ou=sales,dc=plainjoe,dc=org
– The string representation of a DN is case-preserving
– However, DN comparison is usually case-insensitive: whether two values match is decided by the equality matching rule of each attribute type in the RDN (cn and ou use caseIgnoreMatch, dc uses caseIgnoreIA5Match), so two DNs that differ only in case normally name the same entry
What Is an Attribute ?
● Attribute types and their associated syntax rules ~ the variable and data type declarations found in programming languages
● Attributes are used to hold values ~ variables can hold certain types of information, and there are rules for handling them (e.g. how to compare the attribute's value)
● Unlike store-and-replace variables, LDAP attributes can be multivalued!
● Whether an attribute is single-valued or multivalued depends on the attribute's definition (below, telephoneNumber carries two values)

# LDIF listing for the dn: ou=devices,dc=plainjoe,dc=org
dn: ou=devices,dc=plainjoe,dc=org
objectClass: organizationalUnit
ou: devices
telephoneNumber: +1 256 555-5446
telephoneNumber: +1 256 555-5447
description: Container for all network enabled devices existing
  within the plainjoe.org domain

(The description value is folded over two lines: a line beginning with a space continues the previous value.)
What Is an Attribute ? (cont.)
Attribute Syntax
– Attribute type definitions include matching rules that tell the LDAP server how to make comparisons
– LDAP uses OIDs just like SNMP MIBs
● Site-defined schema falls under the private (4), enterprise (1) branch of the tree (1.3.6.1.4.1.<enterprise number>); the standard X.500 attributes live under joint-ISO-ccitt (2)
● An OID uniquely identifies items such as attributes, syntaxes, object classes and extended controls

# attributetype definition for telephoneNumber
# From RFC 2256
attributetype ( 2.5.4.20 NAME 'telephoneNumber'
    EQUALITY telephoneNumberMatch
    SUBSTR telephoneNumberSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

– 2.5.4.20: the OID (object identifier) of the attribute type
– EQUALITY, SUBSTR: matching rules
– SYNTAX 1.3.6.1.4.1.1466.115.121.1.50: encoding rules (the OID of the Telephone Number syntax)
– {32}: recommended minimum for the largest length of data
What Is an Attribute ? (cont.)
OIDs

Root
    ccitt(0)
    ISO(1)
        org(3)
            dod(6)
                internet(1)
                    directory(1)
                    mgmt(2)
                    experimental(3)
                    private(4)
                        enterprise(1)      = 1.3.6.1.4.1
    joint-ISO-ccitt(2)
What Is an Attribute ? (cont.)
What Does the Name of the objectClass Attribute Mean ?
– All entries in an LDAP directory must have an objectClass attribute
– This attribute must have at least one value (multiple values are possible and common)
– Each objectClass value acts as a template for the data stored in an entry: it defines the set of attributes that must or may be present
– In the ou=devices listing on the previous slide, the single value organizationalUnit is what requires ou and permits telephoneNumber and description
What Is an Attribute ? (cont.)
What Does the Name of the objectClass Attribute Mean ? (cont.)
– objectClass definition:
● An objectClass possesses an OID, just like attribute types, encoding syntaxes and matching rules
● The keyword MUST denotes the set of attributes that must be present in any instance of this object (i.e. possess at least one value)
● The keyword MAY defines the set of attributes whose presence is optional
● The keyword SUP specifies the parent object class from which this object class is derived (RFC 2252 syntactically allows a list of superiors, but in practice each class derives from a single parent)
● It is possible for two object classes to have attribute members in common (e.g. both the organizationalUnit and the person object class have a telephoneNumber attribute)
What Is an Attribute ? (cont.)
What Does the Name of the objectClass Attribute Mean ? (cont.)

# organizationalUnit objectClass definition from
# RFC 2256
( 2.5.6.5 NAME 'organizationalUnit'
    SUP top STRUCTURAL
    MUST ou
    MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
          x121Address $ registeredAddress $ destinationIndicator $
          preferredDeliveryMethod $ telexNumber $ telexTerminalIdentifier $
          telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
          street $ postOfficeBox $ postalCode $ postalAddress $
          physicalDeliveryOfficeName $ st $ l $ description ) )

– required attributes: ou (the MUST list)
– optional attributes: everything in the MAY list
What Is an Attribute ? (cont.)
Object Class Types
Structural object classes
Represent a real-world object, such as a person or an organizationalUnit.
Each entry within an LDAP directory must have exactly one structural object class chain listed in its objectClass attribute (the class itself, optionally with its structural ancestors).
Once an entry's structural object class has been instantiated, it cannot be changed without deleting and re-adding the entire entry.
Auxiliary object classes
Add certain characteristics to a structural class; they cannot be used on their own, but only to supplement an existing structural object.
A special auxiliary object class, extensibleObject, implicitly includes all attributes defined in the server's schema as optional members; it switches off the "attribute not allowed" check for that entry, so use it sparingly.
Abstract object classes
Act the same as their counterpart in object-oriented programming: they cannot be used directly, but only as ancestors of derived classes.
The most common abstract class related to LDAP (and X.500) that you will use is the top object class, the parent or ancestor of all LDAP object classes.
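The following is an added example, not from the slides or from OpenLDAP, of the checks a server performs when an entry is added: it applies the MUST/MAY/SUP rules from the objectClass slides and the structural/auxiliary/abstract rules just described. The schema table is hand-transcribed from the RFC 2256 and RFC 2247 definitions shown on these slides; `top` and `extensibleObject` come from RFC 2252 and the `organizationalPerson` MAY list is abbreviated, so it is a model of the real schema, not a copy of it. The entries it checks are constructed here.

```python
# name (lower-cased) -> (kind, superclass, MUST, MAY); attribute names lower-cased.
# Hand-transcribed subset of RFC 2256 / RFC 2247 / RFC 2252 (abbreviated).
SCHEMA = {
    'top':                  ('ABSTRACT',   None,     {'objectclass'}, set()),
    'person':               ('STRUCTURAL', 'top',    {'sn', 'cn'},
                             {'userpassword', 'telephonenumber', 'seealso', 'description'}),
    'organizationalperson': ('STRUCTURAL', 'person', set(),
                             {'title', 'ou', 'postaladdress', 'street'}),
    'organizationalunit':   ('STRUCTURAL', 'top',    {'ou'},
                             {'userpassword', 'seealso', 'telephonenumber', 'street',
                              'postaladdress', 'postalcode', 'st', 'l', 'description'}),
    'domain':               ('STRUCTURAL', 'top',    {'dc'},
                             {'description', 'o', 'associatedname', 'telephonenumber'}),
    'dcobject':             ('AUXILIARY',  'top',    {'dc'}, set()),
    'extensibleobject':     ('AUXILIARY',  'top',    set(),  set()),
}


def ancestors(name):
    """The SUP chain of an object class, starting with the class itself."""
    chain = []
    while name is not None:
        chain.append(name)
        name = SCHEMA[name][1]
    return chain


def validate_entry(entry):
    """entry: dict attribute name -> list of values (a 'dn' key is ignored).
    Returns a list of violation messages; an empty list means the entry
    satisfies the schema rules modelled here."""
    attrs = {k.lower(): v for k, v in entry.items() if k.lower() != 'dn'}
    classes = [c.lower() for c in attrs.get('objectclass', [])]
    if not classes:
        return ['objectClass attribute missing or empty']
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return ['unknown objectClass: ' + ', '.join(unknown)]
    problems = []
    # Rule 1: exactly one structural chain. The structural classes listed
    # must all be ancestors of one most-derived structural class.
    structural = [c for c in classes if SCHEMA[c][0] == 'STRUCTURAL']
    leaves = [c for c in structural
              if not any(c in ancestors(o) for o in structural if o != c)]
    if len(leaves) != 1:
        problems.append('entry must have exactly one structural objectClass chain, '
                        'found %s' % (structural or 'none'))
    # Rule 2: an abstract class may only appear as the ancestor of a listed class.
    for c in classes:
        if SCHEMA[c][0] == 'ABSTRACT' and not any(c in ancestors(o) for o in classes if o != c):
            problems.append('abstract class %s used directly' % c)
    # Rule 3: MUST attributes of every listed class and its ancestors are present.
    closure = {a for c in classes for a in ancestors(c)}
    must = {a for c in closure for a in SCHEMA[c][2]}
    may = {a for c in closure for a in SCHEMA[c][3]}
    for a in sorted(must):
        if not attrs.get(a):
            problems.append('required attribute missing: ' + a)
    # Rule 4: every other attribute must be allowed by some listed class,
    # unless extensibleObject opens the entry to the whole schema.
    if 'extensibleobject' not in closure:
        for a in sorted(set(attrs) - must - may):
            problems.append('attribute not allowed by any objectClass: ' + a)
    return problems


# Constructed entries for the demonstration.
DEVICES_OU = {'dn': 'ou=devices,dc=plainjoe,dc=org',
              'objectClass': ['top', 'organizationalUnit'], 'ou': ['devices'],
              'telephoneNumber': ['+1 256 555-5446', '+1 256 555-5447'],
              'description': ['Container for all network enabled devices']}
TWO_STRUCTURAL = {'objectClass': ['person', 'organizationalUnit'],
                  'cn': ['x'], 'sn': ['y'], 'ou': ['z']}

if __name__ == '__main__':
    print(validate_entry(DEVICES_OU))      # []
    print(validate_entry(TWO_STRUCTURAL))  # one structural-chain violation
```

Note that `person` plus `organizationalPerson` passes rule 1 because the two structural classes form one chain, while `person` plus `organizationalUnit` fails it; that is the check behind the "Object class violation" a server returns when an LDIF import mixes unrelated structural classes.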
What Is the dc Attribute ?
● Topmost entry:

# LDIF listing for the entry dn: dc=plainjoe,dc=org
dn: dc=plainjoe,dc=org
objectClass: domain
dc: plainjoe

● Originally, the X.500 namespace was based on geographic and national regions, e.g.:

dn: o=plainjoe,l=AL,c=US

● Where:
o = organizationName
l = localityName
c = countryName
● RFC 2247 introduces a system where the LDAP directory naming context can be piggybacked on an existing DNS infrastructure
Note: a directory's naming context = the DN of its topmost entry
What Is the dc Attribute ? (cont.)
● Allows a mapping between DNS and the LDAP directory namespace: two object classes for storing domain components, domain (a standalone structural container) and dcObject (an auxiliary class)

# domain objectClass definition from
# RFC 2247
( 0.9.2342.19200300.100.4.13 NAME 'domain'
    SUP top STRUCTURAL
    MUST dc
    MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
          x121Address $ registeredAddress $ destinationIndicator $
          preferredDeliveryMethod $ telexNumber $ telexTerminalIdentifier $
          telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
          street $ postOfficeBox $ postalCode $ postalAddress $
          physicalDeliveryOfficeName $ st $ l $ description $ o $ associatedName ) )

– required attributes: dc (the MUST list)
– optional attributes: everything in the MAY list
What Is the dc Attribute ? (cont.)
● If the directory's root entry were dc=org, with a child entry of dc=plainjoe,dc=org:
– The naming context would be dc=org
– Our server would unnecessarily respond to queries for any entry whose DN ends with dc=org
– ~ DNS: the plainjoe.org name server does not service requests for the whole .org domain

# dcObject objectClass definition from
# RFC 2247
( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
    SUP top AUXILIARY
    MUST dc )

– required attributes: dc; as an auxiliary class, dcObject adds a dc attribute to an entry whose structural class is something else (e.g. an organization)
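The code below is an added example, not from the slides or from OpenLDAP, serving two passages: the RFC 2253 normalization rules (strip unescaped whitespace around `=`, `+` and `,`, escape the listed characters, compare case-insensitively) and the RFC 2247 dc naming just discussed. `parse_dn` handles `\c` and `\XX` escapes and multivalued RDNs; `normalize_dn` folds case on the assumption that every RDN attribute uses a case-ignoring matching rule (true for cn, ou and dc, but a real server consults each attribute's rule); `domain_to_dn` maps a DNS name to its dc= DN; and `in_naming_context` answers the question the slide raises, whether a server with a given naming context is responsible for a DN. All inputs are constructed.

```python
import string

NEEDS_ESCAPE = ',+"\\<>;'   # must be backslash-escaped anywhere inside an RDN value


def _finish(buf):
    """Turn a list of (char, was_escaped) into a string, dropping only the
    unescaped leading/trailing spaces; an escaped trailing space survives."""
    while buf and buf[0] == (' ', False):
        buf.pop(0)
    while buf and buf[-1] == (' ', False):
        buf.pop()
    return ''.join(ch for ch, _ in buf)


def parse_dn(dn):
    """Parse an RFC 2253 string into a list of RDNs, each a list of
    (attributeType, value) pairs; more than one pair is a multivalued RDN.
    Handles '\\c' and '\\XX' escapes (hex escapes decoded as single bytes,
    so ASCII only here) and optional whitespace around '=', '+' and ','."""
    rdns, rdn, key, buf = [], [], None, []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == '\\':
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in string.hexdigits for h in hexpair):
                buf.append((chr(int(hexpair, 16)), True))
                i += 3
            elif i + 1 < len(dn):
                buf.append((dn[i + 1], True))
                i += 2
            else:
                raise ValueError('dangling backslash in %r' % dn)
            continue
        if c == '=' and key is None:
            key, buf = _finish(buf), []
        elif c in '+,;':                       # ';' is an old synonym for ','
            if key is None:
                raise ValueError('RDN without "=" in %r' % dn)
            rdn.append((key, _finish(buf)))
            key, buf = None, []
            if c != '+':
                rdns.append(rdn)
                rdn = []
        else:
            buf.append((c, False))
        i += 1
    if key is not None:
        rdn.append((key, _finish(buf)))
        rdns.append(rdn)
    elif buf or rdn:
        raise ValueError('unterminated RDN in %r' % dn)
    return rdns


def escape_value(value):
    """Escape a value for the string form: the special characters anywhere,
    plus '#' or space at the start and a space at the end."""
    out = ''.join('\\' + ch if ch in NEEDS_ESCAPE else ch for ch in value)
    if value.startswith((' ', '#')):
        out = '\\' + out
    if value.endswith(' ') and len(value) > 1:
        out = out[:-1] + '\\ '
    return out


def _canonical(dn, case_fold=True):
    """List of RDNs with lower-cased types (and values, when folding);
    the order of the pairs inside one RDN is not significant, so sort them."""
    return [sorted((t.lower(), v.lower() if case_fold else v) for t, v in rdn)
            for rdn in parse_dn(dn)]


def normalize_dn(dn, case_fold=True):
    """Rebuild the DN with the RFC 2253 whitespace and escaping rules applied."""
    return ','.join('+'.join('%s=%s' % (t, escape_value(v)) for t, v in rdn)
                    for rdn in _canonical(dn, case_fold))


def domain_to_dn(domain):
    """RFC 2247: plainjoe.org -> dc=plainjoe,dc=org."""
    labels = [l for l in domain.strip('.').split('.') if l]
    if not labels:
        raise ValueError('empty domain name')
    return ','.join('dc=' + escape_value(l) for l in labels)


def dn_to_domain(dn):
    """Inverse of domain_to_dn; rejects DNs with non-dc components."""
    rdns = parse_dn(dn)
    if not rdns or not all(len(r) == 1 and r[0][0].lower() == 'dc' for r in rdns):
        raise ValueError('not a pure dc= DN: %r' % dn)
    return '.'.join(r[0][1] for r in rdns)


def in_naming_context(dn, suffix):
    """True when dn is the suffix entry or lies below it, i.e. the server
    whose naming context is `suffix` is responsible for it. With a suffix of
    dc=org the server would claim every .org entry, the mistake the slide
    warns about."""
    d, s = _canonical(dn), _canonical(suffix)
    return len(s) <= len(d) and d[len(d) - len(s):] == s
```

The naming-context check is also what a client needs before trusting a referral or a proxy: only DNs ending in the server's own suffix should be sent to it.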
Schema References
● What do all the abbreviations mean ? "c", "cn", "sn", ...
● Sources of information:
– RFC 3377 and the related LDAPv3 standards
● http://www.rfc-editor.org/
● Provides a list of references for researching related LDAPv3 and X.500 topics
– LDAP Schema Viewer
● http://ldap.akbkhome.com/
● Browse descriptions of, and dependencies among, common LDAP attributes, object classes and OIDs
– Object Identifiers Registry
● http://www.alvestrand.no/objectid/
● To track down the owner of specific OID arcs
– Sun Microsystems Product Documentation
● http://docs.sun.com/
● Search the site for "LDAP schema reference"
Authentication
● Why needed ?
– To establish the client's privileges for each session
– All searches, updates, ... are controlled by the access level granted to the authenticated identity
● LDIF representation:

dn: cn=gerald carter,ou=people,dc=org
objectClass: person
cn: gerald carter
sn: carter
telephoneNumber: 555-1234
userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

# person objectClass definition from
# RFC 2256
( 2.5.6.6 NAME 'person'
    SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

– required attributes: sn, cn
– optional attributes: userPassword, telephoneNumber, seeAlso, description
Authentication (cont.)
● The userPassword attribute stores a representation of the credentials necessary to authenticate a user
● The prefix (in this case {MD5}) describes how the credentials are encoded (here a base64-encoded MD5 digest); the set of supported schemes is vendor-dependent:
{CRYPT}: output of the crypt() system call
{MD5}: base64-encoded MD5 digest of the password
{SHA}: (secure hash algorithm) base64-encoded 160-bit SHA-1 hash
{SSHA}: (salted secure hash algorithm) salted version of the previous hash
● Caveat: {MD5} and {SHA} are unsalted, so two users with the same password get identical userPassword values and precomputed tables apply; prefer {SSHA} (or a stronger scheme the server offers) and make sure userPassword is not readable by ordinary binds
● The act of being authenticated is called binding
● Mechanisms for authentication: anonymous; simple authentication; simple authentication over SSL/TLS; Simple Authentication and Security Layer (SASL)
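As an added example (not code from the slides or from OpenLDAP), the functions below generate and verify the {MD5}, {SHA} and {SSHA} encodings listed above, using the layout OpenLDAP uses for {SSHA}: base64 of sha1(password + salt) followed by the salt. {CRYPT} depends on the platform crypt(3) and is left out. The {MD5} value on the slide is the digest of the string `secret`, which is how the code is checked; a value without a `{scheme}` prefix is treated as cleartext, as OpenLDAP does.

```python
import base64
import hashlib
import hmac
import os


def hash_userpassword(password, scheme='SSHA', salt=None):
    """Produce a userPassword value in the given scheme. For SSHA a random
    4-byte salt is used unless one is supplied (supply one only for tests)."""
    pw = password.encode('utf-8')
    scheme = scheme.upper()
    if scheme == 'MD5':
        digest = hashlib.md5(pw).digest()          # unsalted: same password, same value
    elif scheme == 'SHA':
        digest = hashlib.sha1(pw).digest()         # unsalted SHA-1
    elif scheme == 'SSHA':
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest() + salt   # sha1(pw||salt) || salt
    else:
        raise ValueError('unsupported scheme ' + scheme)
    return '{%s}%s' % (scheme, base64.b64encode(digest).decode('ascii'))


def check_userpassword(stored, password):
    """Verify a cleartext password against a stored userPassword value.
    Comparisons use hmac.compare_digest so timing does not leak how many
    bytes matched."""
    if not stored.startswith('{') or '}' not in stored:
        # No scheme prefix: the attribute holds the password in cleartext.
        return hmac.compare_digest(stored.encode('utf-8'), password.encode('utf-8'))
    scheme, encoded = stored[1:].split('}', 1)
    scheme = scheme.upper()
    raw = base64.b64decode(encoded)
    pw = password.encode('utf-8')
    if scheme == 'MD5':
        expected = hashlib.md5(pw).digest()
    elif scheme == 'SHA':
        expected = hashlib.sha1(pw).digest()
    elif scheme == 'SSHA':
        raw, salt = raw[:20], raw[20:]             # 20-byte SHA-1 digest, then the salt
        expected = hashlib.sha1(pw + salt).digest()
    else:
        raise ValueError('unsupported scheme {%s}' % scheme)
    return hmac.compare_digest(raw, expected)


if __name__ == '__main__':
    slide_value = '{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=='    # the value shown on the slide
    print(check_userpassword(slide_value, 'secret'))
    # Two SSHA encodings of the same password differ because of the salt;
    # two MD5 encodings are identical, which is why MD5 is a poor choice.
    print(hash_userpassword('secret', 'SSHA'), hash_userpassword('secret', 'SSHA'))
    print(hash_userpassword('secret', 'MD5'), hash_userpassword('secret', 'MD5'))
```

If the server hashes for you (OpenLDAP's `password-hash` directive selects the scheme applied to passwords set through the Password Modify extended operation), clients should change passwords through that operation rather than writing userPassword values themselves, so that the scheme is a server-side policy rather than a per-client choice.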
Authentication (cont.)
Anonymous Authentication
– Binding to the directory using an empty DN and an empty password
– Very common: frequently used by client applications
Simple Authentication
– A login name in the form of a DN is sent with the password in clear text to the LDAP server
– The server attempts to match this password with the entry's userPassword value
– Caveat: a bind with a DN and an empty password is an "unauthenticated" bind, which servers may accept as an anonymous session (OpenLDAP rejects it unless allow bind_anon_dn is set); an application that passes an empty user-supplied password straight to the server can therefore "log in" without any check, so reject empty passwords before binding
Simple Authentication over SSL/TLS
– Wraps the exchange in an encrypted transport layer, making clear-text simple binds acceptable
– Two means of using SSL/TLS with LDAPv3:
● LDAP over SSL (LDAPS, TCP/636): never formally standardized and regarded as deprecated at the time, though still widely deployed
● RFC 2830 introduced an LDAPv3 extended operation for negotiating TLS on the standard TCP/389 port: StartTLS
Authentication (cont.)
Simple Authentication and Security Layer (SASL)
– Extensible security scheme defined in RFC 2222
– Can add additional authentication mechanisms to connection-oriented protocols such as IMAP and LDAP
– SASL supports pluggable authentication schemes
– Additionally, the hosts may negotiate a security layer (integrity and/or confidentiality protection of the session, comparable to what SSL/TLS provides) after authentication
– RFC 2222 defines several authentication mechanisms for SASL, including:
● Kerberos v4 (KERBEROS_V4)
● The Generic Security Service Application Program Interface, version 2 (GSSAPI) (RFC 2078)
● The S/Key mechanism (SKEY) (a one-time password scheme based on MD5)
● The External (EXTERNAL) mechanism (the identity is taken from the underlying transport, e.g. a TLS client certificate)
● RFC 2831 adds SASL/DIGEST-MD5 (compatible with HTTP/1.1 digest authentication)
Distributed Directories
● e.g. see the diagram on the next slide
● Different hosts hold different portions of the directory tree
● Reasons:
– Performance
– Geographical location
– Administrative boundaries
● You must configure two links between the main directory server and the server that holds the people ou:
– A subordinate knowledge reference link (often simply called a reference)
– A superior knowledge reference link (often simply called a referral)
Distributed Directories (cont.)
● Most often, the naming context of the second server is a continuation of the main directory
● The people ou in the main directory tree has no children; all queries below it should be served by the second server

server1.plainjoe.org holds:          server2.plainjoe.org holds:
dc=plainjoe,dc=org
    ou=devices
    ou=people  --(referral)-->       ou=people,dc=plainjoe,dc=org
                                         cn=gerald carter
Distributed Directories (cont.)
● The entry ou=people,dc=plainjoe,dc=org on the main directory server is now a placeholder that contains a referral to the directory server that actually holds this entry
● A referral object contains only one attribute, ref; its value is an LDAP URL (RFC 2255) of the form:
ldap://[host[:port]][/dn[?attributes][?scope][?filter][?extensions]]

( 2.16.840.1.113730.3.2.6 NAME 'referral'
    DESC 'named subordinate reference object'
    STRUCTURAL MUST ref )

– required attributes: ref
– In practice the entry must also carry its naming attribute (ou: people), which the referral class does not allow; the RFC 3296 examples therefore add extensibleObject as a second objectClass:

dn: ou=people,dc=plainjoe,dc=org
objectClass: referral
objectClass: extensibleObject
ou: people
ref: ldap://server2.plainjoe.org/ou=people,dc=plainjoe,dc=org
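The code below is an added example, not from the slides or from OpenLDAP: it parses the LDAP URL carried in a ref value (the RFC 2255 syntax above), rewrites a client's search against the server the referral names (each part present in the URL replaces the original, each absent part is kept, the rule RFC 4511 section 4.1.10 gives clients), and applies a chasing policy. The policy matters because a referral is data the server sends: a client that automatically re-binds at whatever host the URL names would hand its simple-bind password to anyone who can plant a referral object, which is why OpenLDAP's libldap chases referrals anonymously unless the application installs a rebind procedure. Host names, the trusted-host set and the search parameters are constructed for the example.

```python
from urllib.parse import unquote

DEFAULT_PORT = {'ldap': 389, 'ldaps': 636}


def parse_ldap_url(url):
    """Split an LDAP URL (RFC 2255 / RFC 4516) into its parts. Parts that
    are absent come back as None so the caller can keep the values of the
    original operation."""
    scheme, sep, rest = url.partition('://')
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError('not an LDAP URL: %r' % url)
    hostport, _, rest = rest.partition('/')
    host, port = hostport, DEFAULT_PORT[scheme]
    if hostport.startswith('['):                       # IPv6 literal, e.g. [::1]:389
        host, _, tail = hostport[1:].partition(']')
        if tail.startswith(':'):
            port = int(tail[1:])
    elif ':' in hostport:
        host, p = hostport.rsplit(':', 1)
        port = int(p)
    parts = rest.split('?') if rest else []            # dn?attributes?scope?filter?extensions
    parts += [None] * (5 - len(parts))
    dn, attrs, scope, filt, exts = (unquote(p) if p else None for p in parts[:5])
    if scope is not None and scope.lower() not in ('base', 'one', 'sub'):
        raise ValueError('bad scope %r in %r' % (scope, url))
    return {'scheme': scheme, 'host': host or None, 'port': port,
            'dn': dn or None,
            'attributes': attrs.split(',') if attrs else None,
            'scope': scope.lower() if scope else None,
            'filter': filt or None,
            'extensions': exts.split(',') if exts else None}


def continue_operation(original, ref_url):
    """Rewrite a search described by the dict `original` (host, port, dn,
    scope, filter, attributes) for the server named in the referral."""
    u = parse_ldap_url(ref_url)
    new = dict(original)
    if u['host']:
        new['host'], new['port'] = u['host'], u['port']
    for key in ('dn', 'scope', 'filter', 'attributes'):
        if u[key] is not None:
            new[key] = u[key]
    return new


def referral_policy(url, trusted_hosts, require_tls=False):
    """Decide how a client should chase a referral: 'bind' (re-use the
    session's credentials), 'anonymous' (chase without credentials) or
    'ignore'. Credentials go only to hosts on the trusted list."""
    u = parse_ldap_url(url)
    if u['host'] is None:                      # no host part: nothing to connect to
        return 'ignore'
    if require_tls and u['scheme'] != 'ldaps':
        return 'ignore'
    if u['host'].lower() in {h.lower() for h in trusted_hosts}:
        return 'bind'
    return 'anonymous'


# Constructed search and referral for the demonstration.
ORIGINAL_SEARCH = {'host': 'server1.plainjoe.org', 'port': 389,
                   'dn': 'cn=gerald carter,ou=people,dc=plainjoe,dc=org',
                   'scope': 'base', 'filter': '(objectClass=*)', 'attributes': ['cn']}
REF = 'ldap://server2.plainjoe.org/ou=people,dc=plainjoe,dc=org'

if __name__ == '__main__':
    print(parse_ldap_url(REF))
    print(continue_operation(ORIGINAL_SEARCH, REF))
    print(referral_policy(REF, {'server2.plainjoe.org'}))
    print(referral_policy('ldap://attacker.example/dc=plainjoe,dc=org', {'server2.plainjoe.org'}))
```

The `require_tls` switch expresses a second practitioner rule: a session that was protected by TLS should not be continued in the clear just because a referral says `ldap://`.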
Distributed Directories (cont.)
● Configuring the superior knowledge reference link (from the second server back to the main directory):
– Vendor-dependent operation (in OpenLDAP, the referral directive in slapd.conf)
– Its purpose is to define an LDAP URI, in this case:
ldap://server1.plainjoe.org/dc=plainjoe,dc=org
– Who should follow the referral link ? Two possible answers:
● The server follows and resolves any referrals it runs into during an LDAP operation; the client receives only the result and never knows that a referral happened ("chaining")
● The client follows the link itself; supported by all LDAPv3-compliant clients and servers
Continuing Standardization
● Currently two working groups within the IETF help LDAP evolve:
– LDAP Duplication/Replication/Update Protocols (LDUP) working group
http://ietf.org/html.charters/ldup-charter.html
– LDAPv3 Revision (LDAPbis) working group
http://ietf.org/html.charters/ldapbis-charter.html
Note: See also http://www.ldapzone.com/