Lightweight Directory Access Protocol (LDAP) is increasingly becoming the mechanism by which disparate directories are bound together. At the enterprise level, LDAP offers an opportunity to use a single, existing directory and to provide a single point of administration across a heterogeneous environment.
In this Daily Drill Down, I will explain the benefits of LDAP and show you how to install OpenLDAP on a Red Hat Linux 7.2 server to create seamless cross-platform communication.
Exactly what is LDAP? It’s a protocol based on X.500, a directory service standard set by the International Telecommunication Union and by the ISO/IEC. LDAP defines how a server and a client communicate with each other. It provides a common, standard way for devices to use any service that understands the protocol. These services can include Novell’s Directory Service and Microsoft Active Directory.
Why the name Lightweight Directory Access Protocol? The original X.500 Directory Access Protocol (DAP) specification was an application layer protocol and required an entire protocol stack in order to operate. LDAP was developed as a “lightweight” protocol that runs over TCP/IP and defines only the transport mechanism and the format of the messages used to access the data in a directory, rather than the entire directory and protocol stack.
Why use LDAP?
There are a number of reasons to use LDAP, including:
- LDAP is based on standards, which means that its future is not likely to be controlled by one corporation.
- LDAP is interoperable with most, if not all, of the major vendor directories, such as NDS, MSAD, and iPlanet.
- LDAP creates the potential for a single point of administration even across platforms.
Many organizations currently have a system to synchronize user accounts and passwords based on NIS, custom scripts, or other means. Imagine being able to simply add an account to a Novell Directory Services server and have that user be able to log on to any server in the enterprise immediately thereafter, no matter what operating system is running on the server. When rolled out and properly integrated, LDAP can make that happen.
Like most directory services, LDAP has its own terminology. For people who have used NDS or Active Directory, these terms will be fairly familiar. For others who are new to the world of directories, learning the terminology is important, especially when there are problems that need to be resolved.
- Distinguished name: A distinguished name uniquely identifies an item in a directory’s database. The name starts at the individual entry, such as the user name, and moves up the directory hierarchy toward the most global element, such as the country. For example, if I wanted to show my home address as a distinguished name, it would look like scottlowe.Germantown.Maryland.us. Scott Lowe is my name, Germantown is the city where I live, Maryland is the state, and the United States is the country. While this is a simplistic example, it shows how a properly designed directory can be used to easily categorize users.
- Entry: This is the smallest unit in a directory. In the example above, scottlowe would be considered the entry.
- Attributes: Each entry has certain attributes that define its behavior. In the example above, some attributes about scottlowe could be age, height, weight, eye color, and so on.
- Referral: A referral is not directly implemented in LDAP2, but some servers, such as iPlanet, support it. A referral allows an LDAP server to send a client request on to another server.
LDAP on Linux
Most organizations have a directory that is based on either Novell’s or Microsoft’s directory service. This is primarily due to the widespread use of Windows desktops in these organizations. Therefore, it makes sense for Linux servers that are added to the network to use these existing central directories as their point of authentication. In some cases, Linux machines are not completely replacing Windows machines and need to be made to work in the infrastructure.
While LDAP can be implemented on almost any platform, I am going to concentrate on the Linux platform, since that is the platform seeing such a great rise in popularity.
Setting up LDAP
Setting up the OpenLDAP server requires a number of prerequisites. I will be saving all the downloaded files into the /usr/src directory on my server. Here is a listing of the necessary files:
- openssl-0.9.6d.tar.gz and openssl-engine-0.9.6d.tar.gz: The OpenSSL TLS libraries.
- krb5-1.2.5.tar: OpenLDAP supports Kerberos authentication and needs one of two services installed: either the MIT Kerberos server or Heimdal Kerberos. For this article, I will be using the MIT server.
- cyrus-sasl-2.1.2.tar.gz: Cyrus's Simple Authentication and Security Layer libraries. These libraries will make use of OpenSSL and Kerberos if they are present.
- db-4.0.14.tar.gz: OpenLDAP needs a database. The Sleepycat Berkeley database will be used for this example, but another database, called GDBM, is a viable alternative.
- openldap-stable-20020215.tgz: The OpenLDAP source code.
Once OpenSSL is downloaded, it needs to be installed. To install OpenSSL, use the set of commands shown in Figure A.
The next step is to install the Kerberos software that OpenLDAP will use. To run this installation, issue the commands shown in Figure B.
Installing Cyrus SASL
To install Cyrus SASL, issue the commands shown in Figure C.
Berkeley DB installation
The LDAP server needs a database. The instructions to install the database are shown in Figure D.
The final component in the OpenLDAP installation is OpenLDAP itself. OpenLDAP is installed with the commands shown in Figure E.
If you run into trouble with any of the prerequisites, look for helpful installation information on their individual Web sites.
OpenLDAP is primarily configured through the use of directives in the /usr/src/openldap-2.0.23/servers/slapd/slapd.conf file. For this article, I am going to use the default configuration file, which is shown in Listing A. Note: I inserted comments explaining the parameters within this listing.
Once you have a configuration file set up, you can start the slapd process with the command /usr/local/openldap/libexec/slapd start.
To make sure OpenLDAP is running, you can use the ps -ef | grep slap command, which would yield the results shown in Listing B.
The next step is to add the first organization and organizational role to the database. The easiest way to do this initially is to create an LDAP Data Interchange Format (LDIF) file. For my example, I will use the file called newentries.ldif, as shown in Listing C.
This file contains two entries. The first entry will create an organization named my-domain.com, and the second entry will create an organizational role named Manager inside the new organization. The newentries.ldif file is imported with the command shown in Listing D. (Note: The -w parameter supplies the password for simple authentication directly on the command line.)
What does this file actually say? The lines that begin with a pound sign (#) are just comments. The abbreviations dn, dc, and so on, have different meanings. For example:
- dn: Distinguished name. This is the primary, unique key for the entry.
- dc: Domain component. The example above would correspond to my-domain.com, where "my-domain" and "com" would be the individual components. Using this syntax, LDAP makes it easy to work with subdomains, e.g., dc=marketing, dc=my-domain, dc=com.
- o: Organization. This is the larger organization to which the object belongs.
- cn: Common Name. Identifies the name of an object in the directory. For a user object, this would normally be the person’s name.
- ObjectClass: Specifies the class of the object. For example, organization, organizationalrole, and user are all object classes.
- Description: This is a description of the object that will appear in the directory.
For more information on the available options in an LDIF file, Netscape is an excellent reference, and it also has information on the format of the LDIF file.
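As an added example (not code from the original article or from the OpenLDAP project), the following Python sketch parses an LDIF file of the kind described above, including comments, folded lines and base64 values, and checks each entry before it is imported. The sample entries and their attribute values are constructed, and the names parse_ldif and check_entries are hypothetical.

```python
import base64

# Constructed sample matching the two entries described above (not the article's Listing C).
SAMPLE_LDIF = """\
# organization, then an organizational role inside it
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: my-domain.com
description: Top-level
  organization

dn: cn=Manager,dc=my-domain,dc=com
objectClass: organizationalRole
cn: Manager
description:: RGlyZWN0b3J5IE1hbmFnZXI=
"""

def parse_ldif(text):
    """Parse LDIF content records (no version: line) into [(dn, {attr: [values]})]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # leading space folds onto previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in [ln for ln in lines if not ln.startswith("#")] + [""]:
        if not line:                           # blank line ends the current entry
            if attrs:
                entries.append((attrs["dn"][0], attrs))
            attrs = {}
            continue
        name, _, rest = line.partition(":")
        if not attrs and name.lower() != "dn":
            raise ValueError("entry does not start with dn: " + line)
        value = (base64.b64decode(rest[1:]).decode("utf-8")   # "attr:: v" is base64
                 if rest.startswith(":") else rest.strip())
        attrs.setdefault(name.lower(), []).append(value)
    return entries

def check_entries(entries, suffix):
    """Return problems to fix before import; naive comma split, no escaped commas."""
    def rdns(dn):
        return [p.strip().lower() for p in dn.split(",")]
    problems = [dn + ": outside suffix" for dn, _ in entries
                if rdns(dn)[-len(rdns(suffix)):] != rdns(suffix)]
    return problems + [dn + ": no objectClass" for dn, a in entries if "objectclass" not in a]
```

Calling check_entries with the suffix the server is configured to serve returns an empty list for the sample and one line per problem otherwise.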
Testing the installation
To test the LDAP installation, issue the command shown in Listing E. If the LDAP installation is working properly, the results will return the two objects you just created.
The ldapsearch command is a utility included in OpenLDAP for searching for objects in the LDAP directory. The example above uses the -b parameter to set the search base to my-domain.com and the filter objectclass=* to match objects of any class. The -x parameter tells ldapsearch to use simple authentication. The results of this search will be a list of all the objects in your directory. In the example above, there are two objects: my-domain.com and manager.my-domain.com.
OpenLDAP can provide you with a powerful way to perform central authentication or a way to keep track of users in a registration system. You can even configure a Linux server to use LDAP rather than the local user database for authentication with the use of PAM modules.