SlideShare une entreprise Scribd logo

Ldap introduction (eng)

Anatoliy Okhotnikov
Anatoliy Okhotnikov

This document provides an overview of LDAP (Lightweight Directory Access Protocol). It discusses what directory services are, the need for LDAP to centralize user information, and some key LDAP concepts like its data model, schemas, and LDIF format. It also covers setting up an OpenLDAP server, including configuration, indexing, access control, and integration with other LDAP tools and applications.

Technologie
1  sur  23
Télécharger pour lire hors ligne
LDAP ● What is Directory Services ● The need for LDAP ● LDAP Overview and Basics ● Setting up and tunning OpenLDAP ● Other LDAP tools and applications
What is Directory Services ● Similar to database but designed more for reading than for writing ● Defines a network protocol for accessing contents of the directory ● Scheme for replication of data ● Directory Service examples: DNS, finger, password DB ● LDAP is a 'Lightweight Directory Access Protocol'
The need for LDAP ● Multiple disparate sources of the same information ● Users need separate logins and passwords to login to different systems ● Complex to keep information in sync ● Similar data spread around many flat files or in database with different formats ● Inadequacies of NIS ie. Not very extensible ● X.500 is too complicated Summarizing the above: Centralization, Integration and Delegating Responsibility
LDAP Overview ● LDAP is a ‘Lightweight Directory Access Protocol’ ● LDAP marries a lightweight DAP with the X.500 information model ● Uses an extensible hierarchical object data model ● An LDAP server may implement multiple ‘back-ends’: RDBMS, simple indexes (Berkeley DB), X.500 gateway ● Designed for frequent reads and infrequent writes
LDAP Benefits ● Standardized schemas exist for many purposes (well beyond that of NIS) ● Allows consolidation of many information sources ● Well defined API, support from many applications ● Easily replicated and distributed ● Multiple backends allow integration with existing data sources (RDBMS, etc) ● Much faster than RDBMS (using lightweight backend like Berkeley DB)
LDAP Basics ● Data is organised into an hierarchical tree ● Each ‘entry’ (tree node) is identified by a DN (distinguished name) e.g. uid=aokhotnikov,ou=People,ou=Users,dc=ldap,dc=sjua ● Each component of a DN is called an RDN (relative DN) and represents a branch in the tree ● The RDN must be unique within the nodes at the same level of the tree (is generally equivalent to one of the attributes ie. ‘uid’ or ‘cn’ in the case of a person) ● Each node has 1 or many attribute values associated with it. Each attribute can have 1 or many values
LDAP Basics (cont.) ● ‘objectClass’ is a mandatory attribute which specifies the schema (attribute constraints) for the given node ● Multiple ‘objectClass’ attributes can be combined together to achieve inheritance ● Example ‘objectClass’ (common schema) attributes: dcObject, organizationalUnit, person, organizationalPerson, inetOrgPerson, inetLocalMailRecipient ● CN (Canonical Name) is another common attribute used to provide a unique name for a directory object
LDAP Schemas ● Many standard schemas exist including: – People schemas - person, organisationalPerson, inetOrgPerson, posixAccount, mailLocalRecpient, strongAuthenticationUser – Group schemas – groupOfUniqueNames, posixGroup, organisationalRole, roleMember – Host / Network schemas – domain, ipHost, ipNetwork, ipProtocol, ipService, ieee802Device, bootableDevice ● An invaluable schema repository from Alan Knowles at the Hong Kong Linux Centre: – http://ldap.akbkhome.com/
LDIF File Format ● LDIF (LDAP Data Interchange Format) is used to import/export from a LDAP directory server and run updates dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua objectClass: inetOrgPerson objectClass: posixAccount objectClass: top givenName: GForge Admin sn: User cn: GForge Admin User uid: gforgeadmin userPassword: {MD5}6z8f1uQp3reOfghTFrecJQ== uidNumber: 1000 gidNumber: 544 homeDirectory: /opt/gforge5 mail: acidumirae@gmail.com
Custom Schemas ● LDAP schemas uses SNMP style OIDs (Object Ids) for uniquely defining schema elements ● Apply for IANA enterprise number here: – http://www.iana.org/cgi-bin/enterprise.pl ● Private enterprise number OID prefix is 1.3.6.1.4.1 eg. Metaparadigm uses 1.3.6.1.4.1.11137 ● Information on custom schemas can be found here: – http://www.openldap.org/doc/admin/schema.html
Linux LDAP Servers ● OpenLDAP is the primary open-source LDAP implementation based on Univ. Michigan LDAP http://www.openldap.org/ ● Sun provides the iPlanet Directory Server/Sun One Java DS ● Oracle provides an LDAP server using an Oracle database backend ● Many others available (Novell DS, Fedora DS, Apache DS, OpenDS, Innosoft, etc.) ● Linux can also integrate with LDAP servers running on other platforms such as Microsoft Active Directory or Novell eDirectory
Commercial LDAP Servers ● Novell eDirectory ● CA Directory ● Sun One Identity Server ● Lotus Domino ● Microsoft Active Directory ● Nexor Directory ● Apple Open Directory ● View 500 ● Siemens DirX ● Isode's M-Vault ● Oracle Internet Directory ● aeSLAPD ● IBM Tivoli Directory ● ... http://www.paldap.org/ldap-server-software
Scalability and Fault Tolerance ● OpenLDAP supports real-time directory replication to provide load-balancing and high availability ● OpenLDAP supports single master, multiple slaves ● Most LDAP aware applications can be configured to use multiple LDAP servers (providing fallback servers) ● Multiple master support is in the works (currently alpha) ● OpenLDAP can be integrated with ‘heartbeat’ and ‘mon’ to provide fault tolerance http://www.linux-ha.org/
Setting up OpenLDAP ● Configuration is located in: /etc/openldap/slapd.conf ● We need to include the schemas we are using include /etc/ldap/schema/core.schema include /etc/ldap/schema/collective.schema include /etc/ldap/schema/corba.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/duaconf.schema include /etc/ldap/schema/dyngroup.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/java.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/ppolicy.schema include /etc/ldap/schema/samba.schema ● Next we specify a database database hdb suffix "dc=ldap,dc=sjua" rootdn "cn=admin,dc=ldap,dc=sjua" rootpw {SSHA}IrKtxIFV+2UbdD8JiL5ZuTsAx/cPuN2h directory /var/lib/ldap
Setting up OpenLDAP (cont.) ● We can now start slapd (Standalone LDAP daemon) # /etc/init.d/ldap start ● Next step is to add data to the directory using the LDIF example presented earlier # ldapadd -D cn=admin,dc=ldap,dc=sjua -W < init.ldif Enter LDAP Password: xxxxx adding new entry "dc=ldap,dc=sjua" adding new entry "ou=WebAdmin,ou=Users,dc=ldap,dc=sjua" adding new entry "uid=gfrogeadmin,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua"
Tunning OpenLDAP ● We need to add additional indexes for performance index objectclass eq index cn pres,sub,eq index sn pres,sub,eq ## required to support pdb_getsampwnam index uid pres,sub,eq ## required to support pdb_getsambapwrid() index displayName pres,sub,eq index uidNumber eq index gidNumber eq index loginShell eq index memberUid eq index uniqueMember eq,pres ● We need to add ACLs for security access to attr=userPassword by self write by anonymous auth by * none access to dn="" by * read access to * by self write by users read by anonymous auth
Tunning OpenLDAP (cont.) ● Setup logging in syslog.conf (default is LOCAL4) local4.* /var/log/sldap.log ● Make sure ‘slapd’ runs as non privileged user ● Make ‘slapd’ bind to SSL port for security – need signed certificates with openSSL and modify slapd.conf TLSCertificateFile /etc/openldap/ldap.sjua.cer TLSCertificateKeyFile /etc/openldap/ldap.sjua.key – modify init script to bind to SSL port /usr/libexec/slapd -h 'ldap://ldap.metaparadigm.com/ ldaps://ldap.metaparadigm.com/' -l LOCAL4 -u ldap -g ldap
LDAP Search Filters ● LDAP uses a simple ‘search filters’ syntax (RFC2254) ● LDAP queries return all attributes of matching entries (or specifically selected attributes) which match the search filter LDAP query particles are enclosed within parenthesis in the form of ( attribute <matching rule> value ) ie. (cn=GForge Admin User) ● Matching rules include (=, =~, >=, <=) ● * can be used as a wildcard within the value ● These can be combined together using the boolean operators: and, or and not (&, |, !) eg: – (&(cn=GForge Admin User)(objectClass=posixAccount)) – (&(objectClass=inetOrgPerson)(!(ou=People))) – (|(cn=GForge Admin*)(cn=GForge*))
LDAP Search Filters (cont.) ● The following example ldap search retrieves the names and email address of all users with a givenname of ‘Gforge Admin’ or ‘Orange Admin’ ldapsearch -xLLL -h ldap.sjua -b ou=Users,dc=ldap,dc=sjua '(&(|(givenname=GForge Admin)(givenname=Orange Admin))(ob- jectClass=inetOrgPerson))' cn mail dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua cn: GForge Admin User mail: acidumirae@gmail.com dn: cn=Orange Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua cn: Orange Admin User mail: aokhotnikov@softjourn.com ● Very easy to incorporate this into shell scripts with awk or sed
LDAP Applications ● Authenticate users in web applications (OrangeHRM, gForge, DokuWiki, etc.) ● Authenticate users in Samba, Apache, ProFTPd, etc. ● Possible NSS (Name Service Switch) integration ● Possible PAM (Pluggable Authentication Module) ● Possible mail routing: Sendmail, Postfix, etc. ● Shared Address Book (Evolution, Mozilla, Outlook, Eudora, web clients, etc.) ● Programming Libraries (Perl, Java, PHP, etc.)
LDAP Browsers and Editors ● Directory Administrator http://diradmin.open-it.org ● GQ http://biot.com/gq/ ● Java LDAP Browser http://www.iit.edu/~gawojar/ldap/ ● phpLDAPadmin http://phpldapadmin.sf.net/
Migration to LDAP ● Padl migration tools – http://www.padl.com/OSS/MigrationTools.html – passwd, group, hosts, networks, services, etc… ● We have migrated users from OrangeHRM using custom PHP scrip that was generating LDIF files – some issues with Samba – NTPassword is MD4 – minor issues with gForge – multiple installations(dirty database)
Resources ● OpenLDAP: http://openldap.org ● Practical LDAP from Metaparadigm Pte Ltd. http://gort.metaparadigm.com/ldap/ ● Ubuntu Documentation: OpenLDAP Server https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html ● Ubuntu Documentation: Samba and LDAP https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html ● Introduction to LDAP and Single Sign-On http://tapor.ualberta.ca/Resources/Techdocs/completed/ldappresentation.pdf ● LDAP and Directory Services http://ldap.mtu.edu/docs/public/mtu_dsinfo/techiefest/techiefest_files/v3_document.htm

Recommandé

LDAP
LDAPLDAP
LDAPChandanapriya Sathavalli
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAPCynoteck Technology Solutions Private Limited
 
Ldap intro
Ldap introLdap intro
Ldap introyousry ibrahim
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
LDAP
LDAPLDAP
LDAPKhemnath Chauhan
 
Using OpenLDAP
Using OpenLDAPUsing OpenLDAP
Using OpenLDAPWildan Maulana
 
LDAP Presentation
LDAP PresentationLDAP Presentation
LDAP Presentationcyberleon95
 

Recommandé

LDAP
LDAPLDAP
LDAPChandanapriya Sathavalli
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAPCynoteck Technology Solutions Private Limited
 
Ldap intro
Ldap introLdap intro
Ldap introyousry ibrahim
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
LDAP
LDAPLDAP
LDAPKhemnath Chauhan
 
Using OpenLDAP
Using OpenLDAPUsing OpenLDAP
Using OpenLDAPWildan Maulana
 
LDAP Presentation
LDAP PresentationLDAP Presentation
LDAP Presentationcyberleon95
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesRadovan Semancik
 
Introduction to GraphQL using Nautobot and Arista cEOS
Introduction to GraphQL using Nautobot and Arista cEOSIntroduction to GraphQL using Nautobot and Arista cEOS
Introduction to GraphQL using Nautobot and Arista cEOSJoel W. King
 
Active Directory Services
Active Directory ServicesActive Directory Services
Active Directory ServicesVarun Arora
 
Microsoft Active Directory.pptx
Microsoft Active Directory.pptxMicrosoft Active Directory.pptx
Microsoft Active Directory.pptxmasbulosoke
 
IdM and AC
IdM and ACIdM and AC
IdM and ACFernando Lopez Aguilar
 
LDAP Theory
LDAP TheoryLDAP Theory
LDAP Theorycyberleon95
 
Directory services
Directory servicesDirectory services
Directory servicesChristalin Nelson
 
Autenticación remota y servicios de directorio. LDAP y Kerberos
Autenticación remota y servicios de directorio. LDAP y KerberosAutenticación remota y servicios de directorio. LDAP y Kerberos
Autenticación remota y servicios de directorio. LDAP y Kerberosseguridadelinux
 
Ldap
LdapLdap
LdapHigher Private School of Engineering and Technology
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directorythoms1i
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02gameaxt
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectUbisecure
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
Wintel ppt for dhcp
Wintel ppt for dhcpWintel ppt for dhcp
Wintel ppt for dhcpduraimurugan89
 
What is active directory
What is active directoryWhat is active directory
What is active directoryAdeel Khurram
 
Network and System Administration chapter 2
Network and System Administration chapter 2Network and System Administration chapter 2
Network and System Administration chapter 2IgguuMuude
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE
 
Open mic activity logging
Open mic activity loggingOpen mic activity logging
Open mic activity loggingRanjit Rai
 
WebSSO, synchronisation et contrôle des accès via LDAP
WebSSO, synchronisation et contrôle des accès via LDAPWebSSO, synchronisation et contrôle des accès via LDAP
WebSSO, synchronisation et contrôle des accès via LDAPLINAGORA
 
OpenDS - Open Source Java LDAP server
OpenDS - Open Source Java LDAP serverOpenDS - Open Source Java LDAP server
OpenDS - Open Source Java LDAP serverAlexis Moussine-Pouchkine
 

Contenu connexe

Tendances

AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesRadovan Semancik
 
Introduction to GraphQL using Nautobot and Arista cEOS
Introduction to GraphQL using Nautobot and Arista cEOSIntroduction to GraphQL using Nautobot and Arista cEOS
Introduction to GraphQL using Nautobot and Arista cEOSJoel W. King
 
Active Directory Services
Active Directory ServicesActive Directory Services
Active Directory ServicesVarun Arora
 
Microsoft Active Directory.pptx
Microsoft Active Directory.pptxMicrosoft Active Directory.pptx
Microsoft Active Directory.pptxmasbulosoke
 
Autenticación remota y servicios de directorio. LDAP y Kerberos
Autenticación remota y servicios de directorio. LDAP y KerberosAutenticación remota y servicios de directorio. LDAP y Kerberos
Autenticación remota y servicios de directorio. LDAP y Kerberosseguridadelinux
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directorythoms1i
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02gameaxt
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectUbisecure
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
What is active directory
What is active directoryWhat is active directory
What is active directoryAdeel Khurram
 
Network and System Administration chapter 2
Network and System Administration chapter 2Network and System Administration chapter 2
Network and System Administration chapter 2IgguuMuude
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE
 
Open mic activity logging
Open mic activity loggingOpen mic activity logging
Open mic activity loggingRanjit Rai
 

Tendances (20)

AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory Services
 
Introduction to GraphQL using Nautobot and Arista cEOS
Introduction to GraphQL using Nautobot and Arista cEOSIntroduction to GraphQL using Nautobot and Arista cEOS
Introduction to GraphQL using Nautobot and Arista cEOS
 
Active Directory Services
Active Directory ServicesActive Directory Services
Active Directory Services
 
Microsoft Active Directory.pptx
Microsoft Active Directory.pptxMicrosoft Active Directory.pptx
Microsoft Active Directory.pptx
 
IdM and AC
IdM and ACIdM and AC
IdM and AC
 
LDAP Theory
LDAP TheoryLDAP Theory
LDAP Theory
 
Directory services
Directory servicesDirectory services
Directory services
 
Autenticación remota y servicios de directorio. LDAP y Kerberos
Autenticación remota y servicios de directorio. LDAP y KerberosAutenticación remota y servicios de directorio. LDAP y Kerberos
Autenticación remota y servicios de directorio. LDAP y Kerberos
 
Ldap
LdapLdap
Ldap
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directory
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
Wintel ppt for dhcp
Wintel ppt for dhcpWintel ppt for dhcp
Wintel ppt for dhcp
 
What is active directory
What is active directoryWhat is active directory
What is active directory
 
Network and System Administration chapter 2
Network and System Administration chapter 2Network and System Administration chapter 2
Network and System Administration chapter 2
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access Control
 
Open mic activity logging
Open mic activity loggingOpen mic activity logging
Open mic activity logging
 

En vedette

WebSSO, synchronisation et contrôle des accès via LDAP
WebSSO, synchronisation et contrôle des accès via LDAPWebSSO, synchronisation et contrôle des accès via LDAP
WebSSO, synchronisation et contrôle des accès via LDAPLINAGORA
 
Plone - Déployer un intranet collaboratif avec intégration d'un annuaire LDAP
Plone - Déployer un intranet collaboratif avec intégration d'un annuaire LDAPPlone - Déployer un intranet collaboratif avec intégration d'un annuaire LDAP
Plone - Déployer un intranet collaboratif avec intégration d'un annuaire LDAPParis, France
 
Distributed computing time
Distributed computing timeDistributed computing time
Distributed computing timeDeepak John
 
iPhone Objective-C Development (ukr) (2009)
iPhone Objective-C Development (ukr) (2009)iPhone Objective-C Development (ukr) (2009)
iPhone Objective-C Development (ukr) (2009)Anatoliy Okhotnikov
 
ITEvent: Continuous Integration (ukr)
ITEvent: Continuous Integration (ukr)ITEvent: Continuous Integration (ukr)
ITEvent: Continuous Integration (ukr)Anatoliy Okhotnikov
 
Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)Anatoliy Okhotnikov
 
Flexible Symmetric Global Snapshot
Flexible Symmetric Global Snapshot Flexible Symmetric Global Snapshot
Flexible Symmetric Global Snapshot Ashutosh Jaiswal
 
Distributed Snapshots
Distributed SnapshotsDistributed Snapshots
Distributed Snapshotsawesomesos
 

En vedette (20)

WebSSO, synchronisation et contrôle des accès via LDAP
WebSSO, synchronisation et contrôle des accès via LDAPWebSSO, synchronisation et contrôle des accès via LDAP
WebSSO, synchronisation et contrôle des accès via LDAP
 
OpenDS - Open Source Java LDAP server
OpenDS - Open Source Java LDAP serverOpenDS - Open Source Java LDAP server
OpenDS - Open Source Java LDAP server
 
Plone - Déployer un intranet collaboratif avec intégration d'un annuaire LDAP
Plone - Déployer un intranet collaboratif avec intégration d'un annuaire LDAPPlone - Déployer un intranet collaboratif avec intégration d'un annuaire LDAP
Plone - Déployer un intranet collaboratif avec intégration d'un annuaire LDAP
 
Ldap
LdapLdap
Ldap
 
Distributed computing time
Distributed computing timeDistributed computing time
Distributed computing time
 
Jenkins CI (ukr)
Jenkins CI (ukr)Jenkins CI (ukr)
Jenkins CI (ukr)
 
Php web app security (eng)
Php web app security (eng)Php web app security (eng)
Php web app security (eng)
 
iPhone Objective-C Development (ukr) (2009)
iPhone Objective-C Development (ukr) (2009)iPhone Objective-C Development (ukr) (2009)
iPhone Objective-C Development (ukr) (2009)
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
ITEvent: Continuous Integration (ukr)
ITEvent: Continuous Integration (ukr)ITEvent: Continuous Integration (ukr)
ITEvent: Continuous Integration (ukr)
 
Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)
 
ITIL (ukr)
ITIL (ukr)ITIL (ukr)
ITIL (ukr)
 
Debug (ukr)
Debug (ukr)Debug (ukr)
Debug (ukr)
 
Php unit (eng)
Php unit (eng)Php unit (eng)
Php unit (eng)
 
Flexible Symmetric Global Snapshot
Flexible Symmetric Global Snapshot Flexible Symmetric Global Snapshot
Flexible Symmetric Global Snapshot
 
Xdebug (ukr)
Xdebug (ukr)Xdebug (ukr)
Xdebug (ukr)
 
Continuous integration (eng)
Continuous integration (eng)Continuous integration (eng)
Continuous integration (eng)
 
Distributed Snapshots
Distributed SnapshotsDistributed Snapshots
Distributed Snapshots
 
ITEvent: Kanban Intro (ukr)
ITEvent: Kanban Intro (ukr)ITEvent: Kanban Intro (ukr)
ITEvent: Kanban Intro (ukr)
 
Db design (ukr)
Db design (ukr)Db design (ukr)
Db design (ukr)
 

Similaire à Ldap introduction (eng)

LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)Fran Fabrizio
 
OpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationOpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationWildan Maulana
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-LinuxBalaji Ravi
 
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...Clément OUDOT
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAPCon
 
Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9rezgui
 
Slaps - a Smalltalk LDAP server
Slaps - a Smalltalk LDAP serverSlaps - a Smalltalk LDAP server
Slaps - a Smalltalk LDAP serverESUG
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity ManagementInSync Conference
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersPerforce
 
User administration without you - integrating LDAP
User administration without you - integrating LDAPUser administration without you - integrating LDAP
User administration without you - integrating LDAPMongoDB
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Vinaykumar Hebballi
 
Introduction to Apache Spark
Introduction to Apache SparkIntroduction to Apache Spark
Introduction to Apache SparkRahul Jain
 
PostgreSQL - Object Relational Database
PostgreSQL - Object Relational DatabasePostgreSQL - Object Relational Database
PostgreSQL - Object Relational DatabaseMubashar Iqbal
 
RESTful with Drupal - in-s and out-s
RESTful with Drupal - in-s and out-sRESTful with Drupal - in-s and out-s
RESTful with Drupal - in-s and out-sKalin Chernev
 
Real time Analytics with Apache Kafka and Apache Spark
Real time Analytics with Apache Kafka and Apache SparkReal time Analytics with Apache Kafka and Apache Spark
Real time Analytics with Apache Kafka and Apache SparkRahul Jain
 

Similaire à Ldap introduction (eng) (20)

LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)
 
OpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationOpenLDAP - Installation and Configuration
OpenLDAP - Installation and Configuration
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-Linux
 
ivanova-samba_backend.pdf
ivanova-samba_backend.pdfivanova-samba_backend.pdf
ivanova-samba_backend.pdf
 
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
 
LDAP(In_Linux).pptx
LDAP(In_Linux).pptxLDAP(In_Linux).pptx
LDAP(In_Linux).pptx
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAP
 
Ldapsession
LdapsessionLdapsession
Ldapsession
 
Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9
 
Slaps - a Smalltalk LDAP server
Slaps - a Smalltalk LDAP serverSlaps - a Smalltalk LDAP server
Slaps - a Smalltalk LDAP server
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity Management
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without Triggers
 
LDAP
LDAPLDAP
LDAP
 
User administration without you - integrating LDAP
User administration without you - integrating LDAPUser administration without you - integrating LDAP
User administration without you - integrating LDAP
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2
 
Introduction to Apache Spark
Introduction to Apache SparkIntroduction to Apache Spark
Introduction to Apache Spark
 
PostgreSQL - Object Relational Database
PostgreSQL - Object Relational DatabasePostgreSQL - Object Relational Database
PostgreSQL - Object Relational Database
 
Apache Spark on HDinsight Training
Apache Spark on HDinsight TrainingApache Spark on HDinsight Training
Apache Spark on HDinsight Training
 
RESTful with Drupal - in-s and out-s
RESTful with Drupal - in-s and out-sRESTful with Drupal - in-s and out-s
RESTful with Drupal - in-s and out-s
 
Real time Analytics with Apache Kafka and Apache Spark
Real time Analytics with Apache Kafka and Apache SparkReal time Analytics with Apache Kafka and Apache Spark
Real time Analytics with Apache Kafka and Apache Spark
 

Plus de Anatoliy Okhotnikov

Project Management: Burn-Down Chart / OrangeHRM Project MOD (eng)
Project Management: Burn-Down Chart / OrangeHRM Project MOD (eng)Project Management: Burn-Down Chart / OrangeHRM Project MOD (eng)
Project Management: Burn-Down Chart / OrangeHRM Project MOD (eng)Anatoliy Okhotnikov
 

Plus de Anatoliy Okhotnikov (6)

Agile (IF PM Group) v2
Agile (IF PM Group) v2Agile (IF PM Group) v2
Agile (IF PM Group) v2
 
User story workflow (eng)
User story workflow (eng)User story workflow (eng)
User story workflow (eng)
 
Unit testing (eng)
Unit testing (eng)Unit testing (eng)
Unit testing (eng)
 
Project Management: Burn-Down Chart / OrangeHRM Project MOD (eng)
Project Management: Burn-Down Chart / OrangeHRM Project MOD (eng)Project Management: Burn-Down Chart / OrangeHRM Project MOD (eng)
Project Management: Burn-Down Chart / OrangeHRM Project MOD (eng)
 
Linux introduction (eng)
Linux introduction (eng)Linux introduction (eng)
Linux introduction (eng)
 
Agile Feedback Loops (ukr)
Agile Feedback Loops (ukr)Agile Feedback Loops (ukr)
Agile Feedback Loops (ukr)
 

Dernier

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Dernier (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Ldap introduction (eng)

  • 1. LDAP ● What is Directory Services ● The need for LDAP ● LDAP Overview and Basics ● Setting up and tunning OpenLDAP ● Other LDAP tools and applications
  • 2. What is Directory Services ● Similar to database but designed more for reading than for writing ● Defines a network protocol for accessing contents of the directory ● Scheme for replication of data ● Directory Service examples: DNS, finger, password DB ● LDAP is a 'Lightweight Directory Access Protocol'
  • 3. The need for LDAP ● Multiple disparate sources of the same information ● Users need separate logins and passwords to login to different systems ● Complex to keep information in sync ● Similar data spread around many flat files or in database with different formats ● Inadequacies of NIS ie. Not very extensible ● X.500 is too complicated Summarizing the above: Centralization, Integration and Delegating Responsibility
  • 4. LDAP Overview ● LDAP is a ‘Lightweight Directory Access Protocol’ ● LDAP marries a lightweight DAP with the X.500 information model ● Uses an extensible hierarchical object data model ● An LDAP server may implement multiple ‘back-ends’: RDBMS, simple indexes (Berkeley DB), X.500 gateway ● Designed for frequent reads and infrequent writes
  • 5. LDAP Benefits ● Standardized schemas exist for many purposes (well beyond that of NIS) ● Allows consolidation of many information sources ● Well defined API, support from many applications ● Easily replicated and distributed ● Multiple backends allow integration with existing data sources (RDBMS, etc) ● Much faster than RDBMS (using lightweight backend like Berkeley DB)
  • 6. LDAP Basics ● Data is organised into an hierarchical tree ● Each ‘entry’ (tree node) is identified by a DN (distinguished name) e.g. uid=aokhotnikov,ou=People,ou=Users,dc=ldap,dc=sjua ● Each component of a DN is called an RDN (relative DN) and represents a branch in the tree ● The RDN must be unique within the nodes at the same level of the tree (is generally equivalent to one of the attributes ie. ‘uid’ or ‘cn’ in the case of a person) ● Each node has 1 or many attribute values associated with it. Each attribute can have 1 or many values
  • 7. LDAP Basics (cont.) ● ‘objectClass’ is a mandatory attribute which specifies the schema (attribute constraints) for the given node ● Multiple ‘objectClass’ attributes can be combined together to achieve inheritance ● Example ‘objectClass’ (common schema) attributes: dcObject, organizationalUnit, person, organizationalPerson, inetOrgPerson, inetLocalMailRecipient ● CN (Canonical Name) is another common attribute used to provide a unique name for a directory object
  • 8. LDAP Schemas ● Many standard schemas exist including: – People schemas - person, organisationalPerson, inetOrgPerson, posixAccount, mailLocalRecpient, strongAuthenticationUser – Group schemas – groupOfUniqueNames, posixGroup, organisationalRole, roleMember – Host / Network schemas – domain, ipHost, ipNetwork, ipProtocol, ipService, ieee802Device, bootableDevice ● An invaluable schema repository from Alan Knowles at the Hong Kong Linux Centre: – http://ldap.akbkhome.com/
  • 9. LDIF File Format ● LDIF (LDAP Data Interchange Format) is used to import/export from a LDAP directory server and run updates dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua objectClass: inetOrgPerson objectClass: posixAccount objectClass: top givenName: GForge Admin sn: User cn: GForge Admin User uid: gforgeadmin userPassword: {MD5}6z8f1uQp3reOfghTFrecJQ== uidNumber: 1000 gidNumber: 544 homeDirectory: /opt/gforge5 mail: acidumirae@gmail.com
  • 10. Custom Schemas ● LDAP schemas uses SNMP style OIDs (Object Ids) for uniquely defining schema elements ● Apply for IANA enterprise number here: – http://www.iana.org/cgi-bin/enterprise.pl ● Private enterprise number OID prefix is 1.3.6.1.4.1 eg. Metaparadigm uses 1.3.6.1.4.1.11137 ● Information on custom schemas can be found here: – http://www.openldap.org/doc/admin/schema.html
  • 11. Linux LDAP Servers ● OpenLDAP is the primary open-source LDAP implementation based on Univ. Michigan LDAP http://www.openldap.org/ ● Sun provides the iPlanet Directory Server/Sun One Java DS ● Oracle provides an LDAP server using an Oracle database backend ● Many others available (Novell DS, Fedora DS, Apache DS, OpenDS, Innosoft, etc.) ● Linux can also integrate with LDAP servers running on other platforms such as Microsoft Active Directory or Novell eDirectory
  • 12. Commercial LDAP Servers ● Novell eDirectory ● CA Directory ● Sun One Identity Server ● Lotus Domino ● Microsoft Active Directory ● Nexor Directory ● Apple Open Directory ● View 500 ● Siemens DirX ● Isode's M-Vault ● Oracle Internet Directory ● aeSLAPD ● IBM Tivoli Directory ● ... http://www.paldap.org/ldap-server-software
  • 13. Scalability and Fault Tolerance ● OpenLDAP supports real-time directory replication to provide load-balancing and high availability ● OpenLDAP supports single master, multiple slaves ● Most LDAP aware applications can be configured to use multiple LDAP servers (providing fallback servers) ● Multiple master support is in the works (currently alpha) ● OpenLDAP can be integrated with ‘heartbeat’ and ‘mon’ to provide fault tolerance http://www.linux-ha.org/
  • 14. Setting up OpenLDAP ● Configuration is located in: /etc/openldap/slapd.conf ● We need to include the schemas we are using include /etc/ldap/schema/core.schema include /etc/ldap/schema/collective.schema include /etc/ldap/schema/corba.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/duaconf.schema include /etc/ldap/schema/dyngroup.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/java.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/ppolicy.schema include /etc/ldap/schema/samba.schema ● Next we specify a database database hdb suffix "dc=ldap,dc=sjua" rootdn "cn=admin,dc=ldap,dc=sjua" rootpw {SSHA}IrKtxIFV+2UbdD8JiL5ZuTsAx/cPuN2h directory /var/lib/ldap
  • 15. Setting up OpenLDAP (cont.) ● We can now start slapd (Standalone LDAP daemon) # /etc/init.d/ldap start ● Next step is to add data to the directory using the LDIF example presented earlier # ldapadd -D cn=admin,dc=ldap,dc=sjua -W < init.ldif Enter LDAP Password: xxxxx adding new entry "dc=ldap,dc=sjua" adding new entry "ou=WebAdmin,ou=Users,dc=ldap,dc=sjua" adding new entry "uid=gfrogeadmin,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua"
  • 16. Tunning OpenLDAP ● We need to add additional indexes for performance index objectclass eq index cn pres,sub,eq index sn pres,sub,eq ## required to support pdb_getsampwnam index uid pres,sub,eq ## required to support pdb_getsambapwrid() index displayName pres,sub,eq index uidNumber eq index gidNumber eq index loginShell eq index memberUid eq index uniqueMember eq,pres ● We need to add ACLs for security access to attr=userPassword by self write by anonymous auth by * none access to dn="" by * read access to * by self write by users read by anonymous auth
  • 17. Tunning OpenLDAP (cont.) ● Setup logging in syslog.conf (default is LOCAL4) local4.* /var/log/sldap.log ● Make sure ‘slapd’ runs as non privileged user ● Make ‘slapd’ bind to SSL port for security – need signed certificates with openSSL and modify slapd.conf TLSCertificateFile /etc/openldap/ldap.sjua.cer TLSCertificateKeyFile /etc/openldap/ldap.sjua.key – modify init script to bind to SSL port /usr/libexec/slapd -h 'ldap://ldap.metaparadigm.com/ ldaps://ldap.metaparadigm.com/' -l LOCAL4 -u ldap -g ldap
  • 18. LDAP Search Filters ● LDAP uses a simple ‘search filters’ syntax (RFC2254) ● LDAP queries return all attributes of matching entries (or specifically selected attributes) which match the search filter LDAP query particles are enclosed within parenthesis in the form of ( attribute <matching rule> value ) ie. (cn=GForge Admin User) ● Matching rules include (=, =~, >=, <=) ● * can be used as a wildcard within the value ● These can be combined together using the boolean operators: and, or and not (&, |, !) eg: – (&(cn=GForge Admin User)(objectClass=posixAccount)) – (&(objectClass=inetOrgPerson)(!(ou=People))) – (|(cn=GForge Admin*)(cn=GForge*))
  • 19. LDAP Search Filters (cont.) ● The following example ldap search retrieves the names and email address of all users with a givenname of ‘Gforge Admin’ or ‘Orange Admin’ ldapsearch -xLLL -h ldap.sjua -b ou=Users,dc=ldap,dc=sjua '(&(|(givenname=GForge Admin)(givenname=Orange Admin))(ob- jectClass=inetOrgPerson))' cn mail dn: cn=GForge Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua cn: GForge Admin User mail: acidumirae@gmail.com dn: cn=Orange Admin User,ou=WebAdmin,ou=Users,dc=ldap,dc=sjua cn: Orange Admin User mail: aokhotnikov@softjourn.com ● Very easy to incorporate this into shell scripts with awk or sed
  • 20. LDAP Applications ● Authenticate users in web applications (OrangeHRM, gForge, DokuWiki, etc.) ● Authenticate users in Samba, Apache, ProFTPd, etc. ● Possible NSS (Name Service Switch) integration ● Possible PAM (Pluggable Authentication Module) ● Possible mail routing: Sendmail, Postfix, etc. ● Shared Address Book (Evolution, Mozilla, Outlook, Eudora, web clients, etc.) ● Programming Libraries (Perl, Java, PHP, etc.)
  • 21. LDAP Browsers and Editors ● Directory Administrator http://diradmin.open-it.org ● GQ http://biot.com/gq/ ● Java LDAP Browser http://www.iit.edu/~gawojar/ldap/ ● phpLDAPadmin http://phpldapadmin.sf.net/
  • 22. Migration to LDAP ● Padl migration tools – http://www.padl.com/OSS/MigrationTools.html – passwd, group, hosts, networks, services, etc… ● We have migrated users from OrangeHRM using custom PHP scrip that was generating LDIF files – some issues with Samba – NTPassword is MD4 – minor issues with gForge – multiple installations(dirty database)
  • 23. Resources ● OpenLDAP: http://openldap.org ● Practical LDAP from Metaparadigm Pte Ltd. http://gort.metaparadigm.com/ldap/ ● Ubuntu Documentation: OpenLDAP Server https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html ● Ubuntu Documentation: Samba and LDAP https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html ● Introduction to LDAP and Single Sign-On http://tapor.ualberta.ca/Resources/Techdocs/completed/ldappresentation.pdf ● LDAP and Directory Services http://ldap.mtu.edu/docs/public/mtu_dsinfo/techiefest/techiefest_files/v3_document.htm