Lightweight Directory Access Protocol (LDAP) is increasingly becoming the mechanism by which disparate directories are bound together. At the enterprise level, making use of LDAP can provide an opportunity to make use of a single, existing directory and provide a single point of administration across a heterogeneous environment.

In this Daily Drill Down, I will explain the benefits of LDAP and show you how to install OpenLDAP on a Red Hat Linux 7.2 server to create seamless cross-platform communication.

About LDAP
Exactly what is LDAP? It’s a protocol based on X.500, the directory service standard set by the International Telecommunication Union and by ISO/IEC. LDAP defines how a server and a client communicate with each other, and it provides a common, standard way for devices to use any service that understands the protocol. Such services include Novell’s Directory Service and Microsoft Active Directory.

Why the name Lightweight Directory Access Protocol? The original X.500 Directory Access Protocol (DAP) specification was an application layer protocol and required an entire protocol stack in order to operate. LDAP was developed as a “lightweight” protocol based on TCP/IP, which defines the transport mechanism and format of messages used to access the data in a directory rather than the entire directory and protocol stack.

Why use LDAP?
There are a number of reasons to use LDAP, including:

  • LDAP is based on standards, which means that its future is not likely to be controlled by one corporation.
  • LDAP is interoperable with most, if not all, of the major vendor directories, such as NDS, MSAD, and iPlanet.
  • LDAP creates the potential for a single point of administration even across platforms.

Many organizations currently have a system to synchronize user accounts and passwords based on NIS, custom scripts, or other means. Imagine being able to simply add an account to a Novell Directory Services server and have that user be able to log on to any server in the enterprise immediately thereafter, no matter what operating system is running on the server. When rolled out and properly integrated, LDAP can make that happen.

LDAP terminology
LDAP has its own terminology, as with most directory services. For people who have used NDS or Active Directory, these terms will be fairly familiar. For others who are new to the world of directories, learning the terminology is important, especially when there are problems that need to be resolved.

  • Distinguished name
    A distinguished name uniquely identifies an item in a directory’s database. The name starts at the individual entry, such as the user name, and moves up the directory hierarchy toward the most global element, such as the country. For example, if I wanted to show my home address as a distinguished name, it would look like scottlowe.Germantown.Maryland.us. Scott Lowe is my name, Germantown is the city where I live, Maryland is the state, and the United States is the country. While this is a simplistic example, it shows how a properly designed directory can be used to easily categorize users.
  • Entry
    This is the smallest unit in a directory. In the example above, scottlowe would be considered the entry.
  • Attributes
    Each entry has certain attributes that define its behavior. In the example above, some attributes of scottlowe could be age, height, weight, eye color, and so on.
  • Referral
    A referral is not directly implemented in LDAPv2, but some servers, such as iPlanet, support it. A referral allows an LDAP server to send a client request on to another server.

LDAP on Linux
Most organizations have a directory that is based on either Novell’s or Microsoft’s directory service. This is primarily due to the widespread use of Windows desktops in these organizations. Therefore, it makes sense for Linux servers that are added to the network to use these existing central directories as their point of authentication. In some cases, Linux machines are not completely replacing Windows machines and need to be made to work in the infrastructure.

While LDAP can be implemented on almost any platform, I am going to concentrate on the Linux platform, since that is the platform seeing such a great rise in popularity.

Setting up LDAP
Setting up the OpenLDAP server requires a number of prerequisites. I will be saving all the downloaded files into the /usr/src directory on my server. Here is a listing of the necessary files:

  • openssl-0.9.6d.tar.gz and openssl-engine-0.9.6d.tar.gz
    The OpenSSL TLS libraries.
  • krb5-1.2.5.tar
    OpenLDAP supports Kerberos authentication and needs one of two implementations installed: either MIT Kerberos or Heimdal Kerberos. For this article, I will be using the MIT server.
  • cyrus-sasl-2.1.2.tar.gz
    Cyrus’s Simple Authentication and Security Layer libraries. These libraries will make use of OpenSSL and Kerberos if they are present.
  • db-4.0.14.tar.gz
    OpenLDAP needs a database. Sleepycat’s Berkeley DB will be used for this example, but another database, called GDBM, is a viable alternative.
  • openldap-stable-20020215.tgz
    The OpenLDAP source code.

Installing OpenSSL
Once OpenSSL is downloaded, it needs to be installed. To install OpenSSL, use the set of commands shown in Figure A.
Figure A

  • cd /usr/src
    Changes to the /usr/src directory.
  • gunzip -dc openssl-0.9.6d.tar.gz | tar xvf -
    Unpacks the OpenSSL archive.
  • cd openssl-0.9.6d
    Switches to the OpenSSL source directory.
  • ./config
    Runs the configuration script.
  • make
    Builds OpenSSL.
  • make test
    Tests the build. (If you receive error messages during this step, refer to the OpenSSL documentation.)
  • make install
    Installs OpenSSL into /usr/local/ssl, which is the default location.

OpenSSL is now installed.

Installing Kerberos
The next step is to install the Kerberos software that OpenLDAP will use. To run this installation, issue the commands shown in Figure B.
Figure B

  • cd /usr/src
    Changes to the src directory.
  • tar -xvf krb5-1.2.5.tar
    Untars the distribution.
  • gunzip -dc krb5-1.2.5.tar.gz | tar xvf -
    Unzips and untars the file again. (For some reason, the distribution was tarballed twice.)
  • cd krb5-1.2.5/src
    Switches to the Kerberos source directory.
  • ./configure
    Runs the configuration script, which generates the makefiles.
  • make
    Compiles the distribution.
  • make check
    Runs the built-in checks to make sure Kerberos works.
  • make install
    Installs the software.

Kerberos is now installed.

Installing Cyrus SASL
To install Cyrus SASL, issue the commands shown in Figure C.
Figure C

  • cd /usr/src
    Changes to the src directory.
  • gunzip -dc cyrus-sasl-2.1.2.tar.gz | tar xvf -
    Unpacks the Cyrus SASL distribution.
  • cd cyrus-sasl-2.1.2
    Switches to the Cyrus SASL directory.
  • ./configure
    Runs the configuration script, which generates the makefiles.
  • make
    Compiles the libraries.
  • make install
    Installs the binaries and libraries.

Cyrus SASL is now installed.

Berkeley DB installation
The LDAP server needs a database. The instructions to install the database are shown in Figure D.
Figure D

  • cd /usr/src
    Changes to the src directory.
  • gunzip -dc db-4.0.14.tar.gz | tar xvf -
    Unpacks the distribution.
  • cd db-4.0.14/build_unix
    Changes to the Berkeley DB build directory.
  • ../dist/configure
    Runs the configuration script.
  • make
    Compiles the library.
  • make install
    Installs the binaries and libraries.

The database component is now installed.

OpenLDAP
The final component in the OpenLDAP installation is OpenLDAP itself. OpenLDAP is installed with the commands shown in Figure E.
Figure E

  • cd /usr/src
    Changes to the src directory.
  • gunzip -dc openldap-stable-20020215.tgz | tar xvf -
    Expands the distribution.
  • cd openldap-2.0.23
    Changes to the OpenLDAP distribution directory.
  • ./configure --prefix=/usr/local/openldap
    Builds the makefiles for OpenLDAP, instructing it to place the installation in /usr/local/openldap.
  • make depend
    Builds the dependencies needed by OpenLDAP.
  • make
    Builds OpenLDAP.
  • make test
    Tests the compiled software.
  • make install
    Installs the OpenLDAP binaries to /usr/local/openldap.

OpenLDAP is now installed.

More help
If you run into trouble with any of the prerequisites, look for helpful installation information on their individual Web sites.

OpenLDAP configuration
OpenLDAP is primarily configured through the use of directives in the /usr/src/openldap-2.0.23/servers/slapd/slapd.conf file. For this article, I am going to use the default configuration file, which is shown in Listing A. Note: I inserted comments explaining the parameters within this listing.

Starting OpenLDAP
Once you have a configuration file set up, you can start the slapd process with the command /usr/local/openldap/libexec/slapd start.

To make sure OpenLDAP is running, you can use the ps -ef | grep slap command, which would yield the results shown in Listing B.

Adding organizations
The next step is to add the first organization and organizational role to the database. The easiest way to do this initially is to create an LDAP Data Interchange Format (LDIF) file. For my example, I will use the file called newentries.ldif, as shown in Listing C.

This file contains two entries. The first entry will create an organization named my-domain.com, and the second entry will create an organizational role named Manager inside the new organization. The newentries.ldif file is imported with the command shown in Listing D. (Note: The -w parameter provides a simple password.)

What does this file actually say? The lines that begin with a pound sign (#) are just comments. The abbreviations dn, dc, and so on, have different meanings. For example:

  • dn
    Distinguished name. This is the primary, unique key for the entry.
  • dc
    Domain component. The example above would correspond to my-domain.com, where “my-domain” and “com” would be the individual components. Using this syntax, LDAP makes it easy to work with subdomains, i.e., dc=marketing, dc=my-domain, dc=com.
  • o
    Organization. This is the larger organization to which the object belongs.
  • cn
    Common Name. Identifies the name of an object in the directory. For a user object, this would normally be the person’s name.
  • ObjectClass
    Specifies the class of the object. For example, organization, organizationalrole, and user are all object classes.
  • Description
    This is a description of the object that will appear in the directory.

For more information on the available options in an LDIF file, Netscape is an excellent reference, and it also has information on the format of the LDIF file.
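As an added example (not the article’s own newentries.ldif from Listing C, and not OpenLDAP project code), this POSIX shell script assembles a base DN from the domain components explained above and emits the two entries the article describes, the organization for my-domain.com and the Manager organizationalRole beneath it. The function names, the description values and the bind DN in the usage comment are this example’s assumptions.

```shell
#!/bin/sh
# Added example, not from the article: build the dc=... base DN from a DNS-style
# name and emit the organization and Manager entries described in the text.
# Function names, description text and the bind DN below are assumptions.

# Turn a DNS name into its domain-component DN, e.g.
# marketing.my-domain.com -> dc=marketing,dc=my-domain,dc=com
domain_to_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Emit LDIF for the organization entry and a Manager organizationalRole under
# it. $1 is the domain; its leftmost label becomes the dc attribute value,
# matching the way the article's dc=my-domain,dc=com suffix is formed.
org_ldif() {
    base=$(domain_to_dn "$1")
    label=${1%%.*}
    cat <<EOF
# constructed LDIF (same shape as the article's newentries.ldif)
dn: $base
dc: $label
o: $1
objectClass: dcObject
objectClass: organization
description: Organization entry for $1

dn: cn=Manager,$base
cn: Manager
objectClass: organizationalRole
description: Directory manager role
EOF
}

# Usage (not run here): write the file, then load it with ldapadd. Use -W so
# the bind password is prompted for; with -w it is visible in ps output and in
# shell history, and over plain ldap:// a simple bind also crosses the wire
# unencrypted. The bind DN assumes the rootdn shipped in OpenLDAP's default
# slapd.conf.
#   org_ldif my-domain.com > newentries.ldif
#   ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -W -f newentries.ldif
```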

Testing the installation
To test the LDAP installation, issue the command shown in Listing E. If the LDAP installation is working properly, the results will return the two objects you just created.

The ldapsearch command is included in OpenLDAP as a utility for searching for objects in the LDAP directory. The example above uses the -b parameter to define the search base of my-domain.com and searches for objects of any class (objectclass=*). The -x parameter tells ldapsearch to use simple authentication. The result of this search is a list of all the objects in your directory. In the example above, there are two objects: my-domain.com and manager.my-domain.com.

LDAP uses
OpenLDAP can provide you with a powerful way to perform central authentication or a way to keep track of users in a registration system. You can even configure a Linux server to use LDAP rather than the local user database for authentication with the use of PAM modules.