Enterprise Software

The LDAP mystery unveiled

Just what is LDAP and what does it do? Vincent Danen, one of TPG's finest Linux writers, answers the question in this Guild Meeting!

Just what is LDAP and what does it do? Vincent Danen, one of TPG's finest Linux writers, answers the question in this Guild Meeting! If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting.

Note: TechProGuild edits Guild Meeting transcripts for clarity.

Welcome to the Guild Meeting!
MODERATOR: Ladies and gents, I'd like to welcome all of you to tonight's Guild Meeting! Tonight's speaker is our favorite Cannuke—Vincent Danen! Tonight, Vincent is going to shed some light on a much-needed topic ... LDAP!

VINCENT DANEN: Thank you, thank you. I think it's "cannuck" actually, but we'll just ignore that. Okay, so tonight we're talking about LDAP ... anyone here already familiar with it?

MIKKILUSA: Not me, so a brief explanation first, please.

What is the meaning of LDAP?
VINCENT DANEN: Okay, LDAP stands for Lightweight Directory Access Protocol. It's basically a "second generation" of the original DAP protocol used with X.500, which runs over the OSI stack (as opposed to LDAP, which uses the TCP/IP stack and is much more efficient).

Basically, LDAP is a directory access protocol (or directory database) that allows you to store information like company directories, Netscape bookmarks, and so forth into a remote database for access anywhere across the Internet, provided you have an LDAP client and the appropriate permissions to the server.

Have you noticed the Roaming User section in your Netscape preferences? If you take a close look at it, under the server tag it asks for an LDAP server. Netscape is an LDAP client, which lets you access bookmarks and your address book regardless of where you are on the Internet (i.e., overseas on your laptop). The only thing you need to do is upload your bookmarks/address book to the LDAP server and voila ... you can access it anywhere!

That is, in a very small nutshell, LDAP.

Permissions issues
JLWALLEN: So, how does LDAP deal with user permissions? Is this a server concept or client-side concept? I'm just curious about the security of LDAP.

VINCENT DANEN: Obviously, it depends on the server, but I'll speak from an OpenLDAP standpoint. Passwords and whatnot are stored on the server. Authentication is done using different methods (again, methods differ according to the server), but you can use SSL authentication with OpenLDAP. I also believe they are trying to incorporate Kerberos into the LDAP specs as well.

You can also structure different databases in different ways, with some requiring passwords, and others not. It depends on how you set each database up. You can have as much (or as little) security as you like.

JLWALLEN: So, you have an LDAP server, which offers up a group of files (to LDAP clients only) and services in the form of databases.

Protocol versus server implementation
GJANI: Does it integrate with NT or Novell or is it a stand-alone device?

VINCENT DANEN: Gjani, it's a protocol, not a server implementation. Under Linux, there is OpenLDAP, which is an open source LDAP client/server package. Under NT, there are also LDAP client/server implementations (the associated cost I'm not sure of). LDAP is a protocol, just like POP3, SMTP, or FTP. If there are LDAP clients for Novell or NT, then yes, they can interface with an LDAP server on any platform.

JLWALLEN: I'm assuming you can use Linux for your LDAP server and it will "dole" out to pretty much any client—regardless of OS?

VINCENT DANEN: Yes, the LDAP server under Linux (OpenLDAP) would only require an LDAP client of some sort to access it. For example, Netscape is an LDAP client in that it can use an LDAP server to store bookmarks and address books. If an LDAP client exists and conforms to the LDAPv2 standard, it will work with OpenLDAP under Linux.

JLWALLEN: So the big benefit, say for a company, would be that it would be able to share things (company wide) like bookmarks and address books. Can you give "global" permissions?

VINCENT DANEN: Yes. One of the big ideas behind LDAP is for things like a company directory. Ask for an employee name and it pulls up their e-mail address, office number, and so forth. I believe LDAP is more of a public directory access service than a private one, although you can certainly secure it.

The roots of LDAP
JLWALLEN: If I may ask, who created LDAP? What protocol is it based on?

VINCENT DANEN: Jack, I'm not sure who created LDAP itself, but it was based on the X.500 Directory Access Protocol.
GJANI: I am guessing you would still load an NT server as an OS, then utilize LDAP for remote access, is that correct?

VINCENT DANEN: Gjani, I'm not sure I follow you. What exactly are you asking (in regards to loading an NT server and then using LDAP for remote access)?

GJANI: Vdanen, I was referring to using LDAP instead of RAS on a system running NT as an OS.

TRENTCOOK: LDAP and RAS are apples and oranges.

GJANI: After hearing more about LDAP, however, it seems as if it'll be more useful with Linux than NT.

VINCENT DANEN: Gjani, not really. LDAP as a protocol functions the same way regardless of what OS it's being run on. Think of LDAP as a directory "database," because that's what it is.

Gjani, you'll have to forgive me here ... like I just mentioned to Trent, I'm not a Windows person. What's RAS?

MIKKILUSA: Remote access server.

GJANI: RAS is Remote Access Services for Win NT, used to remotely access resources from NT server.

VINCENT DANEN: Okay, so you use RAS to dial into your NT workstation somehow and tinker with it? If that's the case, LDAP is completely different. RAS would be like telnet or SSH. Think of LDAP more in terms of a database system like MySQL or Oracle, except that it's not a database, but a directory service (like finger ... ask it a question, it gives you an answer).

TRENTCOOK: RAS doesn't even give you remote control. It allows you to log in to a domain from a remote location, for example, at your house, then you can browse the network.

JLWALLEN: So RAS is like a VPN?

TRENTCOOK: Exactly. RAS is like VPN ... and Active Directory communication ... I believe can be carried out over LDAP v2 or 3 or HTTP as well.

GJANI: Can you control things remotely using LDAP?

VINCENT DANEN: Gjani, no, there's nothing to control. All it does is store information that you can access remotely, like a company directory. Think of it more as a browsable Web site or directory than a remote access system.

GJANI: Got it, thanks.

Active Directory
TRENTCOOK: Are we discussing any LDAP with regards to Active Directory?

VINCENT DANEN: Trent, what is Active Directory? That sounds like a Windows term, and I'm a Linux guy. (I don't know much about how Windows implements and renames things.)

TRENTCOOK: I play with the penguin, but wish I could deem myself "a Linux guy." Active Directory is MS's version of Novell's NDS. It essentially builds a networking structure on LDAP by organizing clients in OUs—different locations or divisions such as marketing and development, etc.

VINCENT DANEN: So Active Directory is probably the Windows equivalent to OpenLDAP for Linux. Does it use Novell NDS alone or does it follow the LDAPv2 protocol also? Or is it interchangeable? (Curious about this Windows stuff.)

Getting started
JLWALLEN: So what is the setup process like?

VINCENT DANEN: Jack, the setup process is interesting, to say the least. I can only speak for OpenLDAP here, so maybe someone's made it easier for another implementation on another OS. OpenLDAP uses, like almost everything in Linux, text files, and they can be rather cryptic. You'll definitely want to spend a lot of time at the OpenLDAP Web site before and while setting it up (http://www.openldap.org).

JLWALLEN: Why don't you give us a quick outline of the setup process?

VINCENT DANEN: I can give you a very basic one. I haven't gotten that far with it myself. The first step is to download and compile/install it. Some distributions include it (i.e., Mandrake 7.0 comes with it).

JLWALLEN: Do the distributions install it by default when doing, say, a server install (Red Hat 6.2)?

VINCENT DANEN: Can't speak for Red Hat, but the beta version of Mandrake 7.0 installs it during a server and development install.

JLWALLEN: I see. Are the configuration files similar to that of an smb.conf or is it more like an .rc file?

VINCENT DANEN: Jack, they're similar to smb.conf and other .conf style config files (the slapd daemon uses, of all things, slapd.conf, while the LDAP client uses ldap.conf). What you put in them can be an exercise, however.

The Benefits of LDAP
TRENTCOOK: I'm no LDAP expert, that is for sure. I have decided not to implement it at our offices as of yet. I currently have set up NT 4.0, 2000, and RH 6.1. What could LDAP benefit us the most in? Just sharing, say bookmarks and user info, etc?

VINCENT DANEN: Trent, it would be good for company directories, publishing contact info (i.e., e-mail addresses, phone numbers, etc.). It would be good for sharing bookmarks and address books as well. (Now, I know this works with Netscape and probably Mozilla. I don't think IE supports it at all.) Basically, it's good for distributing directory-based information (i.e., locations of files, pictures, etc.).

OpenLDAP versus LDAP
GJANI: Is OpenLDAP the same as LDAP?

VINCENT DANEN: Gjani, OpenLDAP is the Linux client/server package that uses the LDAP protocol.

JLWALLEN: IE doesn't even support LDAP? I can understand them not supporting OpenLDAP, but LDAP?

VINCENT DANEN: Jack, it *might* support LDAP. I can't honestly say for sure. I use IE on my Win98 machine and I don't see anything for roaming users or profiles, not like in Netscape's preferences, so if it supports LDAP at all, then it's buried somewhere (mind you I also use IE4, it might be supported in IE5).

JLWALLEN: Like the gnutella of bookmarks! That would be pretty cool! A massive public bookmark/address book!

GJANI: I can see why address book would be useful, but having public bookmark? I guess it would be an individual company's preference.

JLWALLEN: I can imagine the implications would be pretty steep of running a public-wide address book with LDAP.

TRENTCOOK: I know that MS Outlook Express supports LDAP. Would there happen to be some sort of public MASSIVE LDAP server that I could connect my Outlook Express to and take a peek, or Netscape, etc.?

VINCENT DANEN: Trentcook, there are public LDAP servers out there. I don't have a list handy, but if you did a search on google or something, you'd probably find one, or I can search for one and see if it works.

TRENTCOOK: I think I'll try a search and see. Does LDAP slow down the server? I know that when Active Directory on Win2000 is enabled, it takes about 15 minutes to do a simple reboot.

VINCENT DANEN: No, it's extremely efficient and very fast.

JLWALLEN: I know that running ftp, http, nfs, and samba servers on Linux doesn't slow it down much ... at least not the boot process. Not sure about LDAP, of course. What do you think, Vincent? If you're running, say, a file server and an ftp server on one machine (let's say it's for a small company), would you want to run LDAP on its own hardware or does it have a small enough footprint that it can run with others?

TRENTCOOK: Active dir does far more than just LDAP, though, total e-mail, user, password, location, integration, etc.

VINCENT DANEN: I can only speak for OpenLDAP. It has a pretty small footprint. You could easily run an OpenLDAP server on the same machine as your web/ftp/file-sharing server without noticing a remarkable slowdown. There is very little overhead.

Hardware considerations
JLWALLEN: That is really good to hear. What kind of hardware would you recommend for an OpenLDAP server?

VINCENT DANEN: The test machine I'm running it on is, you Windows users will be horrified to hear, a 486 Mandrake 7.0 computer with 32 MB of RAM. Runs pretty fast on it, too.

JLWALLEN: So we're talking minimal hardware. Now, how much traffic could this machine of yours take?

VINCENT DANEN: Obviously, if you're going to be serving more people than me and my six-computer network, you might want it on something a little more hefty, but there's no reason why a Pentium-class machine wouldn't handle it fine.

JLWALLEN: So with OpenLDAP, you're looking at a dirt-cheap solution to a pretty complex problem. Not only that, but a dirt-cheap solution that will, simply put, WORK.

VINCENT DANEN: As in how much traffic to OpenLDAP? I couldn't honestly tell you. I've got a very small "tester" directory in there now. I would imagine that for a midsized company with, say, 300 employees, you might want it on a higher-class computer, especially if it's going to be accessed a lot. I would recommend using the same hardware considerations you would for a company intranet Web site using Linux. A Pentium machine with a decent amount of RAM and swap would be fine.

TRENTCOOK: I think the only way I will TRULY get my head around LDAP is to set one up and just see what it can do.

VINCENT DANEN: Yeah, it's a cheap (free) solution on a cheap (free) OS that, although it takes a bit of time and understanding to properly set up, is something that will sit there and happily work for you for as long as you need it to.

JLWALLEN: So a Pentium III 550 with 128 MB of RAM (120-MB swap) and a large hard drive would serve this purpose well ... or is that even overkill?

VINCENT DANEN: I'd say unless you were going to serve the entire Internet, that's probably overkill. Let's look at it like this: On the Apache Web server for my Web site (Freezer Burn), which is 80% SQL-stored dynamic content using PHP, a full-page SQL query (i.e., my CD catalog, which has 410+ entries) takes about 1.5 seconds to retrieve and sort the data and generate the Web page (on a Pentium III 350 with 192 MB of RAM).

TRENTCOOK: Essentially, you would give a central location for users to store e-mail addresses, for example, which would be the same as using an address book locally, but they could access it from anywhere they had the Internet, correct?

VINCENT DANEN: Yeah, that pretty much sums up probably the most commonly used aspect of LDAP, yes.

TRENTCOOK: Thanks, Vincent. I'm just trying to think if I could actually get my users to use it ... so many can't find the local address book, let alone an online one. Some think it's rocket science to log in each morning.

Inside the LDAP.CONF file
JLWALLEN: What is a typical entry in an ldap.conf file?

VINCENT DANEN: A typical entry for ldap.conf ... are you sure you want ldap.conf? It's pretty boring. Simply put, it looks like this:

# default search base for the client (the directory's root DN)
BASE dc=myserver,dc=com
# OpenLDAP server the client connects to
HOST ldap.myserver.com

There, that's your ldap.conf file. Basically, you just provide the domain name (in this case, using the dc= statements, which create a domain of myserver.com), and the HOST statement, which is the OpenLDAP server.

JLWALLEN: One thing I'm curious about: Does this lend itself to an easily (read: user) corrupted file? I can imagine having a huge database of addresses and such, and one simpleton bringing it down.

VINCENT DANEN: Because of the nature of LDAP (it's a primarily "read" medium as opposed to a "read/write" medium like a database), you can restrict updates to the directory to specific users and/or locations (i.e., local updates only). Since it's like a Web site in the "readability" aspect, you shouldn't have to really worry about some simpleton deleting the directory by accident (same as you wouldn't worry about them deleting your Web site simply by viewing it).

To be quite honest with you guys, LDAP is something still very new to me, and I'm struggling with it a little bit, too. I won't say it's easy because it isn't, especially if you have no experience with it at all. I thought learning how to use an SQL database was complex, but it's a piece of cake compared to LDAP (or, at any rate, to OpenLDAP). It can be challenging and extremely interesting.

TRENTCOOK: Are you saying that setting up an LDAP server was harder than setting up SQL?

VINCENT DANEN: Yes. I found OpenLDAP to be more difficult to configure than setting up a database in MySQL (but not as difficult as getting PostgreSQL to work!).

RPM
MODERATOR: Anyway, what I was saying—come up with your last questions so I can give out a pretty swell prize tonight!

GJANI: I learned something new tonight ... I learned about OpenLDAP.

MIKKILUSA: I downloaded from Linux machine. (Jack did not pay me to say that.)

VINCENT DANEN: Mikkilusa, what distro are you using? Installing with RPM will be much easier.

MIKKILUSA: Red Hat.

TRENTCOOK: Sounds like many hours of monitor radiation fun. It would be extremely rewarding once it was setup, though. I use RH, so I think I would grab the RPM version.

VINCENT DANEN: You should check an rpm2html mirror to see if there is an OpenLDAP RPM available for Red Hat (my guess is there is) and use that instead of compiling it. It's a little easier that way.

I agree with you completely. OpenLDAP is a very nice package, and the LDAP protocol looks very useful. Once I get a little more into it, I'm sure I'll be quite pleased with what it all does.

MIKKILUSA: It is tgz.

VINCENT DANEN: Yeah, that's the source code. Find an RPM ... trust me.

MIKKILUSA: I do not see RPM on that site. I will look again.

VINCENT DANEN: Check out http://www.freezer-burn.org/rpm2html/ and look for the RPM. It should list where you can get it from.

And the winner is…
MODERATOR: Well, gang, I got a winner for tonight! The winner of the new Mandrake 7.0 is ... gjani!

VINCENT DANEN: Way to go, Gjani! You'll love Mandrake ... it's my favorite distro out there!

GJANI: That's good to know, Vincent.

VINCENT DANEN: Gjani, will this be your first exposure to Linux?

GJANI: Yes, Vincent. I've heard of Red Hat 6.0, but that's all.

VINCENT DANEN: Gjani: you're gonna love it. Check out http://www.linux-mandrake.com/en/ for more info on that distro. It's (IMNSHO) the best distro out there.

MODERATOR: Gjani, I'd like you to e-mail me (jwallen@techrepublic.com) your contact info, including your screen name, e-mail, and snail mail address.

MODERATOR: Don't forget, everyone, this Thursday night Trent Cook will be speaking about Windows Troubleshooting.

TRENTCOOK: See you Thursday night, everyone.

MODERATOR: Be sure to return for this exciting time! Same time and same channel! Thank you all and have a wonderful, wonderful night!

Don't forget to give Linux a try! If you have any requests for Linux topics or questions, send them to me (jwallen@techrepublic.com).
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.