2. • Lightweight Directory Access Protocol (LDAP)
• The Lightweight Directory Access Protocol (LDAP) is actually a set of open protocols used to access and modify centrally stored information over a network.
• LDAP Directory
• Just as in the popular Domain Name System (DNS), the directory entries in LDAP are arranged in a hierarchical tree structure. The hierarchical tree structure of LDAP is known formally as the directory information tree (DIT). The top of the directory hierarchy has a root element. The complete path to any node in the tree structure, which uniquely identifies it, is known as the distinguished name (DN) of the node or object.
• For example, suppose a company named Example, Inc., decides to structure its directory tree using a domain-based naming structure. This company has different subdivisions, represented as organizational units (OUs), such as the Engineering department, the Sales department, and the R&D department.
3. • Client/Server Model
• A typical interaction between the client and the server goes like this:
• 1. An LDAP client application connects to an LDAP server. This process is also referred to as “binding to a server.”
• 2. Based on the access restrictions configured on the server, the LDAP server either accepts or refuses the bind/connection request.
• 3. Assuming the server accepts, the client has the choice of querying the directory server, browsing the information stored on the server, or attempting to modify/update the information on the LDAP server.
• 4. Again, based on access restrictions, the server can allow or deny any of the operations attempted by the client. In the event that the server cannot answer a request, it may forward or refer the client to another upstream LDAP server that may have a more authoritative response to the request.
• Uses of LDAP
• LDAP can serve as a complete identity management solution for an organization.
• The information stored in DNS records can be stored in LDAP.
• LDAP can be used to provide “yellow pages” services for an organization.
• Mail routing information can be stored in LDAP.
4. • LDAP Terminology
• Entry (or object)
• Attributes
• objectClass
• Schema
• LDIF: This stands for LDAP Data Interchange Format.
• OpenLDAP
• OpenLDAP is the open source implementation of LDAP that runs on Linux/UNIX systems. OpenLDAP is a suite of programs, made up of slapd, slurpd, various utilities, and libraries, that implements the LDAP protocol along with various client- and server-side utilities.
• slapd: This is a stand-alone LDAP daemon that listens for LDAP connections from clients and responds to the LDAP operations it receives over those connections.
• slurpd: This is a stand-alone LDAP replication daemon that is used to propagate changes from one slapd database to another. This daemon is used for synchronizing changes from one LDAP server to another. It is needed only when more than one LDAP server is in use.
5. • Installing OpenLDAP
• To get the OpenLDAP server and client components up and running, these packages are required on Fedora, RHEL, and CentOS systems:
• openldap-2*.rpm: Provides the configuration files and libraries for OpenLDAP.
• openldap-clients*.rpm: Provides the client programs needed for accessing and modifying OpenLDAP directories.
• openldap-servers*.rpm: Provides the servers (slapd, slurpd) and other utilities necessary to configure and run LDAP.
• The steps are:
• 1. While logged in as root, first confirm which of the packages you already have installed by querying the RPM database:
• [root@fedora-server ~]# rpm -qa | grep -i openldap
• 2. Our sample system already has the basic openldap libraries in place, so we will go ahead and install the OpenLDAP client and server packages using dnf:
• [root@fedora-server ~]# dnf -y install openldap-servers openldap-clients
• 3. Once the installation completes successfully, you can go on to the configuration section.
6. • Configuring OpenLDAP
• Configuring slapd
• The slapd.conf file is the configuration file for the slapd daemon. On Fedora and other Red Hat–like distros, the full path to the file is /etc/openldap/slapd.conf.
• 1. While logged into the system as root, change to OpenLDAP’s working directory:
• [root@fedora-server ~]# cd /etc/openldap/
• 2. Make a backup of any existing slapd.conf file by renaming it (so that you can always revert to it in case of mistakes):
• [root@fedora-server openldap]# mv slapd.conf slapd.conf.original
• 3. Empty out any existing files and directories under the /etc/openldap/slapd.d/ directory:
• [root@fedora-server openldap]# rm -rf slapd.d/*
• 4. Use any text editor to create a new /etc/openldap/slapd.conf file.
• 5. Save your changes to the file and exit the editor.
• 6. Use the slaptest command to convert the slapd.conf file that you created earlier into the new OpenLDAP configuration format (the slapd.d directory):
• [root@fedora-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
• 7. The resulting slapd daemon’s configuration should be owned by the system user named ldap. Use the chown and chmod commands to ensure that the configuration files have the correct ownership and permissions.
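Steps 4 and 7 leave the contents of slapd.conf and the ownership commands unstated; the script below, added here and not part of the original slides, fills them in for the dc=example,dc=org suffix that the client slide uses, with a hashed rootpw and an access rule that keeps userPassword unreadable. The rootdn cn=Manager, the schema, pidfile and data paths, and the ldap:ldap owner are assumptions following Fedora's package layout.

```shell
# Added example, not from the original slides: fills in steps 4 to 7 above for
# the dc=example,dc=org suffix used on the client slide. Paths, the rootdn and
# the ldap:ldap owner are assumptions following Fedora's package layout.
set -e
# Step 4: write a minimal slapd.conf. $1 = output path, $2 = hashed rootpw as
# printed by slappasswd (never put the plaintext password here).
write_slapd_conf() {
  conf=$1 rootpw_hash=$2
  cat > "$conf" <<EOF
# Schema includes must come before the first database section.
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
pidfile   /var/run/openldap/slapd.pid
argsfile  /var/run/openldap/slapd.args
# Assumes back_mdb is built into slapd; if slaptest complains, add
# modulepath/moduleload lines for back_mdb.la.
database  mdb
suffix    "dc=example,dc=org"
rootdn    "cn=Manager,dc=example,dc=org"
rootpw    $rootpw_hash
directory /var/lib/ldap
index     objectClass eq
# Password hashes are never readable: owners may change them, anyone may
# bind with them; everything else in the tree is readable by all.
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to *
  by self write
  by * read
EOF
  chmod 600 "$conf"   # holds the rootpw hash; slapd reads slapd.d, not this file
}

# Steps 6 and 7: clear slapd.d, convert, then hand the result to the ldap user.
convert_and_own() {
  confdir=$1
  rm -rf "$confdir/slapd.d"/*
  slaptest -f "$confdir/slapd.conf" -F "$confdir/slapd.d"
  chown -R ldap:ldap "$confdir/slapd.d"
  chmod -R o-rwx "$confdir/slapd.d"
}
# Touch the live system only when asked; slappasswd prompts and prints the hash.
if [ "${1:-}" = "--apply" ]; then
  write_slapd_conf /etc/openldap/slapd.conf "$(slappasswd)"
  convert_and_own /etc/openldap
fi
```

Run it as root with --apply once the packages from the previous slide are installed; without the flag it only defines the two functions.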
7. • Starting and Stopping slapd
• After setting up slapd’s configuration file, our next step will be to start the daemon.
• Starting it on a Fedora system is easy. But first, we’ll use the systemctl command to check the status of the daemon:
• [root@fedora-server ~]# systemctl status slapd
• If the output of the previous command shows that the daemon is not currently running, start it with this command:
• [root@fedora-server ~]# systemctl start slapd
• And if you find that the LDAP service is already running, you can instead issue the systemctl command with the restart option, like so:
• [root@fedora-server ~]# systemctl restart slapd
8. • Configuring OpenLDAP Clients
• The notion of clients takes some getting used to in the LDAP world. Almost any system resource or process can be an LDAP client. And, fortunately or unfortunately, each group of clients has its own specific configuration files.
• The configuration files for OpenLDAP clients are generally named ldap.conf, but they are stored in different directories, depending on the particular client in question.
• Two common locations for the OpenLDAP client configuration files are the /etc/openldap/ directory and the /etc/ directory.
• The client applications that use the OpenLDAP libraries (provided by the openldap*.rpm package), such as ldapadd, ldapsearch, Sendmail, and Evolution, consult the /etc/openldap/ldap.conf file, if it exists.
• The nss_ldap libraries instead use the /etc/ldap.conf file as the configuration file.
• Open the /etc/openldap/ldap.conf file in any text editor (or create it if it doesn’t exist), and change this line in the listing,
• # BASE dc=example,dc=com
• to look like this:
• BASE dc=example,dc=org
9. • Creating Directory Entries
• The LDAP Data Interchange Format (LDIF) is used to represent entries in an LDAP directory in textual form. As stated earlier, data in LDAP is presented and exchanged in this format. The data in an LDIF file can be used to manipulate, add, remove, and change the information stored in the LDAP directory.
• The LDIF file is fairly strict in its format. You should keep these points in mind:
• Multiple entries within the same LDIF file are separated by blank lines.
• Lines that begin with the pound sign (#) are regarded as comments and are ignored.
• A value that spans more than one line can be continued on the next line by starting that line with a single space or tab character.
• The space following the colon (:) after each attribute name is important.
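As an added example, not from the original slides: the Example, Inc. tree from the LDAP Directory slide written as LDIF that follows the four rules above, plus a small awk checker that enforces those rules before ldapadd is run. The suffix dc=example,dc=org matches the client slide; the OU entries, the description value, the /tmp path and the cn=Manager rootdn are constructed for this example.

```shell
# Added example, not from the original slides: an LDIF file for the Example,
# Inc. tree (dc=example,dc=org with OUs Engineering, Sales and R&D) plus a
# checker for the four format rules listed above. DNs and rootdn are constructed.
set -e
# Writes the sample LDIF to $1.
write_sample_ldif() {
  cat > "$1" <<'EOF'
# The base entry; lines starting with # are comments and are ignored.
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example, Inc.
description: A long value is continued by starting the next line with a
  space; only the first space is stripped, so two keep the word gap.

dn: ou=Engineering,dc=example,dc=org
objectClass: organizationalUnit
ou: Engineering

dn: ou=Sales,dc=example,dc=org
objectClass: organizationalUnit
ou: Sales

dn: ou=R&D,dc=example,dc=org
objectClass: organizationalUnit
ou: R&D
EOF
}
# Checks $1 against the rules: comments skipped, a blank line ends an entry, a
# line starting with space/tab continues the previous attribute, every other
# line is "attribute: value" with a space after the colon, and each entry
# begins with dn:. Prints the first offending line and returns 1.
check_ldif() {
  awk '
    /^#/     { next }
    /^$/     { in_entry = 0; next }
    /^[ \t]/ { if (in_entry) next; print "fold outside an entry at line " NR; exit 1 }
    !in_entry && $0 !~ /^dn::? / { print "entry without dn at line " NR; exit 1 }
    /^[A-Za-z][A-Za-z0-9.;-]*(: |:: |:< |:$)/ { in_entry = 1; next }
             { print "malformed attribute line " NR ": " $0; exit 1 }
  ' "$1"
}
if [ "${1:-}" = "--apply" ]; then
  write_sample_ldif /tmp/example.ldif && check_ldif /tmp/example.ldif
  # Bind as the rootdn from slapd.conf; -W prompts for its password.
  ldapadd -x -H ldap://localhost -D "cn=Manager,dc=example,dc=org" -W -f /tmp/example.ldif
fi
```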