OpenLDAP Directory Administration: LDAPv3 Overview



Table of Contents

  • LDIF

  • What Is an Attribute ?

  • What Is the dc Attribute

  • Schema References

  • Authentication

  • Distributed Directories

  • Continuing Standardization




LDIF

  • Unix/Linux administrators generally prefer plain-text configuration files over some binary store of bits

  • The LDAP Data Interchange Format (LDIF), defined in RFC 2849, is a standard text format for storing LDAP configuration information and directory contents

  • In its most basic form, an LDIF file is:

    • A collection of entries separated from each other by blank lines

    • A mapping of attribute names to values

    • A collection of directives that instruct the parser how to process the information

  • LDIF files are often used to import new data into your directory or to make changes to existing data

  • An LDIF file must obey the schema rules of the LDAP directory; an entry that does not is rejected as a “schema violation”


LDIF (cont.)

LDAP Directory Information Tree (DIT):

    dc=plainjoe,dc=org
    ├── ou=people
    │   └── cn=gerald carter        <- RDN of the entry
    └── ou=devices

Entry DN (the RDNs joined from the entry up to the root):

    dn: cn=gerald carter,ou=people,dc=plainjoe,dc=org

Attribute types and values of that entry:

    cn: gerald carter
    objectClass: person
    sn: carter
    telephoneNumber: 555-1234


LDIF (cont.)

  • LDIF entry:

    # LDIF listing for the entry dn: dc=plainjoe,dc=org
    dn: dc=plainjoe,dc=org
    objectClass: domain
    dc: plainjoe

  • Observations about LDIF syntax:

    • Comments in an LDIF file begin with the pound character (#)

    • Attributes are listed on the left-hand side of the colon (:), and values are presented on the right-hand side; the colon character is separated from the value by a space

    • The dn attribute uniquely identifies the DN of the entry



LDIF (cont.)

Distinguished Names and Relative Distinguished Names

  • The full DN of an entry does not need to be stored as an attribute within that entry: can be generated on-the-fly

  • Comparing LDAP to a filesystem:

    • DN ~ absolute path to a file

    • RDN ~ a filename

    • Unlike a filename, a RDN can be made up of multiple attributes (~ compound index in relational database)

  • DN of an element = formed by stringing together the RDNs of every entity from the element to the root of the directory tree


LDIF (cont.)

Distinguished Names and Relative Distinguished Names (cont.)

Multivalued RDNs

  • For both entries, the first component of the DN is an RDN composed of two values: cn=Jane Smith+ou=Sales and cn=Jane Smith+ou=Engineering

  • In a multivalued RDN, the + sign separates the two attribute values used to form the RDN

  • Characters that must be escaped with a \ are: pound (#), space at the end of a string, comma (,), plus (+), double quote ("), backslash (\), angle brackets (< and >), semicolon (;)

# example of two entries with a multivalued RDN

dn: cn=Jane Smith+ou=Sales,dc=plainjoe,dc=org

cn: Jane Smith

ou: Sales

...

dn: cn=Jane Smith+ou=Engineering,dc=plainjoe,dc=org

cn: Jane Smith

ou: Engineering

...


LDIF (cont.)

Distinguished Names and Relative Distinguished Names (cont.)

Multivalued RDNs (cont.)

  • Use them as little as possible; create different organizationalUnits (ou) for Sales and Marketing instead:

    dc=plainjoe,dc=org
    ├── ou=Engineering
    │   └── cn=Jane Smith
    └── ou=Sales
        └── cn=Jane Smith


LDIF (cont.)

Distinguished Names and Relative Distinguished Names (cont.)

  • RFC 2253 defines a method of unambiguously representing a DN using a UTF-8 string representation:

    • Remove all non-escaped whitespace surrounding the equal sign in each RDN

    • Make sure appropriate characters are escaped

    • Remove all non-escaped spaces surrounding the multi-value RDN join character (+)

    • Remove all non-escaped trailing spaces on RDNs

  • e.g.

    cn=gerald carter + ou=sales, dc=plainjoe ,dc=org

  • becomes:

    cn=gerald carter+ou=sales,dc=plainjoe,dc=org

  • The string representation of a DN is case-preserving

  • However, comparison is often case-insensitive
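As an added example (not from the slides), the normalisation steps above implemented in Python; it keeps backslash-escaped characters intact, so an escaped comma, plus sign or trailing space never changes the split or gets stripped. The function names are my own.

```python
def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, skipping separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _strip_value(value: str) -> str:
    """Drop leading spaces and any trailing spaces that are not escaped."""
    value = value.lstrip()
    while value.endswith(" "):
        # count the backslashes immediately before the trailing space
        n = len(value) - 1
        while n > 0 and value[n - 1] == "\\":
            n -= 1
        if (len(value) - 1 - n) % 2 == 1:
            break                    # odd number: the space is escaped, keep it
        value = value[:-1]
    return value


def normalize_dn(dn: str) -> str:
    """Apply the RFC 2253 steps: trim around '=', around '+', and at RDN ends."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")
            avas.append(f"{attr.strip()}={_strip_value(value)}")
        rdns.append("+".join(avas))
    return ",".join(rdns)


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs the way most servers do: normalised, then case-insensitive."""
    return normalize_dn(a).lower() == normalize_dn(b).lower()
```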




What Is an Attribute ?

  • Attribute types and their associated syntax rules ~ variable and data type declarations found in programming languages

  • Attributes are used to hold values ~ variables can hold certain types of information, and there are certain rules (e.g. how to compare the variable's value)

  • LDAP attributes can be multivalued, unlike store-and-replace variables:

  • Whether an attribute is single-valued or multi-valued depends on the attribute's definition

    # LDIF listing for the dn: ou=devices,dc=plainjoe,dc=org
    dn: ou=devices,dc=plainjoe,dc=org
    objectClass: organizationalUnit
    ou: devices
    telephoneNumber: +1 256 555-5446
    telephoneNumber: +1 256 555-5447
    # a line that begins with a single space continues the previous value
    description: Container for all network enabled devices existing
      within the plainjoe.org domain


What Is an Attribute ? (cont.)

Attribute Syntax

  • Attribute type definitions include matching rules that tell the LDAP server how to make comparisons

  • LDAP uses OIDs just like SNMP MIBs

    • They fall under the private (4), enterprise (1) branch of the tree; joint-ISO-ccitt (2) is also possible

    • An OID uniquely identifies items such as attributes, syntaxes, object classes and extended controls

    # attributetype definition for telephoneNumber
    # From RFC 2256
    attributetype ( 2.5.4.20 NAME 'telephoneNumber'
        EQUALITY telephoneNumberMatch
        SUBSTR telephoneNumberSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

  • Reading the definition:

    • 2.5.4.20: the OID (object identifier) of the attribute type

    • EQUALITY and SUBSTR: matching rules

    • SYNTAX 1.3.6.1.4.1.1466.115.121.1.50: encoding rules

    • {32}: recommended minimum for the largest length of data


What Is an Attribute ? (cont.)

OIDs

    Root
    ├── ccitt(0)
    ├── ISO(1)
    │   └── org(3)
    │       └── dod(6)
    │           └── internet(1)
    │               ├── directory(1)
    │               ├── mgmt(2)
    │               ├── experimental(3)
    │               └── private(4)
    │                   └── enterprise(1)
    └── joint-ISO-ccitt(2)


What Is an Attribute ? (cont.)

What Does the Name of the objectClass Attribute Mean ?

  • All entries in an LDAP directory must have an objectClass attribute

  • This attribute must have at least one value (multiple values are possible and common)

  • Each objectClass value acts as a template for the data stored in an entry; it defines a set of attributes that must/may be present

    # LDIF listing for the dn: ou=devices,dc=plainjoe,dc=org
    dn: ou=devices,dc=plainjoe,dc=org
    objectClass: organizationalUnit
    ou: devices
    telephoneNumber: +1 256 555-5446
    telephoneNumber: +1 256 555-5447
    description: Container for all network enabled devices existing
      within the plainjoe.org domain


What Is an Attribute ? (cont.)

What Does the Name of the objectClass Attribute Mean ? (cont.)

  • objectClass definition:

    • An objectClass possesses an OID, just like attribute types, encoding syntaxes, and matching rules

    • The keyword MUST denotes the set of attributes that must be present in any instance of this object (i.e. each possesses at least one value)

    • The keyword MAY defines the set of attributes whose presence is optional

    • The keyword SUP specifies the parent object from which this object was derived (there is no multiple inheritance)

    • It's possible for two object classes to have common attribute members (e.g. the organizationalUnit object class and the person object class both have a telephoneNumber attribute)


What Is an Attribute ? (cont.)

What Does the Name of the objectClass Attribute Mean ? (cont.)

    # organizationalUnit objectClass definition from
    # RFC 2256
    ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL
        MUST ou
        MAY ( userPassword $ searchGuide $ seeAlso $
            businessCategory $ x121Address $
            registeredAddress $ destinationIndicator $
            preferredDeliveryMethod $ telexNumber $
            telexTerminalIdentifier $ telephoneNumber $
            internationalISDNNumber $
            facsimileTelephoneNumber $ street $
            postOfficeBox $ postalCode $ postalAddress $
            physicalDeliveryOfficeName $ st $ l $
            description ) )

  • Required attribute (MUST): ou

  • Optional attributes (MAY): everything listed after MAY, from userPassword through description
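As an added example, not from the slides: a minimal reader for the LDIF format described in the LDIF section (comments, blank-line-separated entries, multivalued attributes, continuation lines) followed by the MUST/MAY check a server performs before accepting an entry. The schema table is a constructed subset of the RFC 2256 definitions quoted above; the sample LDIF is constructed and modelled on the slides' entries, with the second entry deliberately missing sn.

```python
SCHEMA = {  # constructed subset of the RFC 2256 definitions quoted above
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userPassword", "telephoneNumber", "seeAlso", "description"}},
    "organizationalUnit": {"sup": "top", "must": {"ou"},
                           "may": {"userPassword", "telephoneNumber", "description", "seeAlso"}},
}

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse LDIF into a list of entries, each an {attribute: [values]} dict."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation: one leading space is dropped
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):            # comment line
            continue
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        current.setdefault(name.strip(), []).append(value.strip())
    return entries

def _inherited(oc: str, key: str) -> set[str]:
    """Gather MUST or MAY attributes up the SUP chain (LDAP has single inheritance)."""
    out: set[str] = set()
    while oc is not None:
        out |= SCHEMA[oc][key]              # KeyError here means an unknown object class
        oc = SCHEMA[oc]["sup"]
    return out

def schema_violations(entry: dict[str, list[str]]) -> list[str]:
    """Return the reasons a server would reject the entry as a schema violation."""
    classes = entry.get("objectClass", [])
    if not classes:
        return ["missing objectClass"]
    must = set().union(*(_inherited(oc, "must") for oc in classes))
    may = set().union(*(_inherited(oc, "may") for oc in classes))
    present = set(entry) - {"dn"}           # dn names the entry; it is not an attribute
    return ([f"missing required attribute {a}" for a in sorted(must - present)]
            + [f"attribute {a} not allowed" for a in sorted(present - must - may)])

SAMPLE_LDIF = """\
# constructed sample modelled on the slides' entries; the second entry lacks sn
dn: ou=devices,dc=plainjoe,dc=org
objectClass: organizationalUnit
ou: devices
telephoneNumber: +1 256 555-5446
telephoneNumber: +1 256 555-5447
description: Container for all network enabled devices existing
  within the plainjoe.org domain

dn: cn=gerald carter,ou=people,dc=plainjoe,dc=org
objectClass: person
cn: gerald carter
telephoneNumber: 555-1234
"""
```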


What Is an Attribute ? (cont.)

Object Class Types

Structural object classes

Represent a real-world object, such as a person or an organizationalUnit.

Each entry within an LDAP directory must have exactly one structural object class listed in the objectClass attribute.

Once an entry's structural object class has been instantiated, it cannot be changed without deleting and re-adding the entire entry.

Auxiliary object classes

Add certain characteristics to a structural class; cannot be used on their own, but only to supplement an existing structural object.

A special auxiliary object class, extensibleObject, implicitly includes all attributes defined in the server's schema as optional members.

Abstract object classes

Act the same as their counterpart in object-oriented programming: cannot be used directly, but only as ancestors of derived classes.

The most common abstract class related to LDAP (and X.500) that you will use is the top object class, which is the parent or ancestor of all LDAP object classes.




What Is the dc Attribute ?

  • Topmost entry:

    # LDIF listing for the entry dn: dc=plainjoe,dc=org
    dn: dc=plainjoe,dc=org
    objectClass: domain
    dc: plainjoe

  • Originally, the X.500 namespace was based on geographic and national regions, e.g.:

    dn: o=plainjoe,l=AL,c=US

  • Where:

    o = organizationName
    l = locality
    c = country

  • RFC 2247 introduces a system in which the LDAP directory naming context can be piggybacked on an existing DNS infrastructure

    Note: a directory's naming context = the DN of its topmost entry


What Is the dc Attribute ? (cont.)

  • To allow mapping between the DNS and LDAP directory namespaces, two object classes store domain components: domain (a standalone structural container) and dcObject (an auxiliary class)

    # domain objectClass definition from
    # RFC 2247
    ( 0.9.2342.19200300.100.4.13 NAME 'domain'
        SUP top STRUCTURAL
        MUST dc
        MAY ( userPassword $ searchGuide $ seeAlso $
            businessCategory $ x121Address $
            registeredAddress $ destinationIndicator $
            preferredDeliveryMethod $ telexNumber $
            telexTerminalIdentifier $ telephoneNumber $
            internationalISDNNumber $
            facsimileTelephoneNumber $ street $
            postOfficeBox $ postalCode $ postalAddress $
            physicalDeliveryOfficeName $ st $ l $
            description $ o $ associatedName ) )

  • Required attribute (MUST): dc

  • Optional attributes (MAY): everything listed after MAY, from userPassword through associatedName


What Is the dc Attribute ? (cont.)

  • If the directory's root entry were dc=org, with a child entry of dc=plainjoe,dc=org:

    • The naming context would be dc=org

    • Our server would unnecessarily respond to queries for any entry whose DN ended with dc=org

    • ~ DNS: don't service requests for the whole .org domain

    # dcObject objectClass definition from
    # RFC 2247
    ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
        SUP top AUXILIARY
        MUST dc )

  • Required attribute (MUST): dc; there are no optional attributes




Schema References

  • What do all the abbreviations mean? “c”, “cn”, “sn”, ...

  • Sources of information:

    • RFC 3377 and related LDAPv3 standards

      • http://www.rfc-editor.org/

      • Provides a list of references for researching related LDAPv3 and X.500 topics

    • LDAP Schema Viewer

      • http://ldap.akbkhome.com/

      • Browse descriptions of and dependencies among common LDAP attributes, object classes, and OIDs

    • Object Identifiers Registry

      • http://www.alvestrand.no/objectid/

      • To track down the owner of specific OID arcs

    • Sun Microsystems Product Documentation

      • http://docs.sun.com/

      • Search the site for “LDAP schema reference”




Authentication

  • Why is it needed?

    • To establish the client's privileges for each session

    • All searches, queries, ... are controlled by the authentication level of the authenticated user

  • LDIF representation:

    # person objectClass definition from
    # RFC 2256
    ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
        MUST ( sn $ cn )
        MAY ( userPassword $ telephoneNumber $
            seeAlso $ description ) )

    Required attributes (MUST): sn, cn
    Optional attributes (MAY): userPassword, telephoneNumber, seeAlso, description

    dn: cn=gerald carter,ou=people,dc=org
    objectClass: person
    cn: gerald carter
    sn: carter
    telephoneNumber: 555-1234
    userPassword: {MD5}Xr4il0zQ4PCOq3aQOqbuaQ==


Authentication (cont.)

  • The userPassword attribute stores a representation of the credentials necessary to authenticate a user

  • The prefix (in this case {MD5}) describes how the credentials are encoded (here a base64-encoded MD5 hash); the set of prefixes is vendor-dependent:

    {CRYPT}: crypt() system call

    {MD5}: base64-encoded MD5 digest of the password

    {SHA}: (secure hash algorithm) base64-encoded 160-bit SHA-1 hash

    {SSHA}: (salted secure hash algorithm) salted version of the previous hash

  • The act of being authenticated is called binding

  • Mechanisms for authentication:

    • anonymous

    • simple authentication

    • simple authentication over SSL/TLS

    • simple authentication and security layer (SASL)
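Added example, not from the slides: building and verifying userPassword values in the {MD5}, {SHA} and {SSHA} encodings listed above (for {SSHA} the digest-then-salt layout that OpenLDAP uses), plus an audit that flags entries still stored in clear text or with an unsalted digest. The {MD5} value is the one from the slide; the other entries, the passwords and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os


def encode_password(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a userPassword value in the {MD5}, {SHA} or {SSHA} form listed above."""
    pw = password.encode()
    if scheme == "MD5":
        blob = hashlib.md5(pw).digest()
    elif scheme == "SHA":
        blob = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        salt = salt or os.urandom(4)                      # fresh random salt per password
        blob = hashlib.sha1(pw + salt).digest() + salt    # 20-byte digest, salt appended
    else:
        raise ValueError(f"unsupported scheme {scheme!r}")
    return "{" + scheme + "}" + base64.b64encode(blob).decode()


def check_password(stored: str, candidate: str) -> bool:
    """Verify a clear-text candidate against a stored userPassword value."""
    pw = candidate.encode()
    if not stored.startswith("{"):                        # no prefix: clear-text password
        return hmac.compare_digest(stored.encode(), pw)
    scheme, _, b64 = stored[1:].partition("}")
    blob = base64.b64decode(b64)
    if scheme.upper() == "SSHA":
        digest, salt = blob[:20], blob[20:]               # split off the stored salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), blob)
    if scheme.upper() == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), blob)
    raise ValueError(f"unsupported scheme {scheme!r}")


def audit_passwords(entries: list[dict[str, list[str]]]) -> list[tuple[str, str]]:
    """List (dn, scheme) for entries whose userPassword is clear text or an unsalted digest."""
    findings = []
    for entry in entries:
        for value in entry.get("userPassword", []):
            scheme = value[1:].partition("}")[0].upper() if value.startswith("{") else "CLEARTEXT"
            if scheme in ("CLEARTEXT", "MD5", "SHA"):
                findings.append((entry["dn"][0], scheme))
    return findings


# Constructed entries in the shape an LDIF parser would produce; the first value is the slide's.
SAMPLE_ENTRIES = [
    {"dn": ["cn=gerald carter,ou=people,dc=org"],
     "userPassword": ["{MD5}Xr4il0zQ4PCOq3aQOqbuaQ=="]},
    {"dn": ["cn=jane smith,ou=sales,dc=plainjoe,dc=org"],
     "userPassword": [encode_password("SSHA", "example-only")]},
    {"dn": ["cn=legacy app,ou=devices,dc=plainjoe,dc=org"],
     "userPassword": ["example-only"]},
]
```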


Authentication (cont.)

Anonymous Authentication

  • Binding to a directory using an empty DN and password

  • Very common; frequently used by client applications

Simple Authentication

  • A login name in the form of a DN is sent with the password in clear text to the LDAP server

  • The server attempts to match this password with the userPassword value

Simple Authentication over SSL/TLS

  • Wraps the information in an encrypted transport layer, making it more palatable

  • Two means of using SSL/TLS with LDAPv3:

    • LDAP over SSL (LDAPS – TCP/636): deprecated

    • RFC 2830 introduced an LDAPv3 extended operation for negotiating TLS over the standard TCP/389 port: StartTLS


Authentication (cont.)

Simple Authentication and Security Layer (SASL)

  • Extensible security scheme defined in RFC 2222

  • Can add additional authentication mechanisms to connection-oriented protocols such as IMAP and LDAP

  • SASL supports pluggable authentication schemes

  • Additionally, hosts may also negotiate a security layer (such as SSL/TLS)

  • RFC 2222 defines several authentication schemes for SASL, including:

    • Kerberos v4 (KERBEROS_V4)

    • The Generic Security Service Application Program Interface, version 2 (GSSAPI) (RFC 2078)

    • The S/Key mechanism (SKEY) (one-time password scheme based on MD5)

    • The External (EXTERNAL) mechanism

    • RFC 2831 adds SASL/DIGEST-MD5 (compatible with HTTP/1.1 digest authentication)




Distributed Directories

  • e.g. see the diagram on the next slide

  • Different hosts possess different portions of the directory tree

  • Reasons:

    • Performance

    • Geographical location

    • Administrative boundaries

  • You must configure two links between the main directory server and the server that holds the people ou:

    • Subordinate knowledge reference link (often simply called a reference)

    • Superior knowledge reference link (often simply called a referral)


Distributed Directories (cont.)

  • Most often, the naming context of the second server is a continuation of the directory

  • The people ou in the main directory tree has no children; all queries for it should be served by the second server

    server1.plainjoe.org                   server2.plainjoe.org
    dc=plainjoe,dc=org                     ou=people,dc=plainjoe,dc=org
    ├── ou=people  ---- referral ---->     └── cn=gerald carter
    └── ou=devices


Distributed Directories (cont.)

  • The entry ou=people,dc=plainjoe,dc=org on the main directory server is now a placeholder that contains a referral to the actual directory server for this entry

  • The referral object class contains only one attribute, ref, whose value is an LDAP URL with the format:

    ldap://[host:port]/[/dn[?attribute][?scope][?filter][?extensions]]

    ( 2.16.840.1.113730.3.2.6
        NAME 'referral'
        DESC 'named subordinate reference object'
        STRUCTURAL
        MUST ref )

  • Required attribute (MUST): ref

  • The placeholder entry on the main server:

    dn: ou=people,dc=plainjoe,dc=org
    objectClass: referral
    ref: ldap://server2.plainjoe.org/ou=people,dc=plainjoe,dc=org


Distributed Directories (cont.)

  • Configuring the superior knowledge reference link (from the second server back to the main directory)

    • Vendor-dependent operation

    • Its purpose is to define an LDAP URI, in this case:

      ldap://server1.plainjoe.org/dc=plainjoe,dc=org

    • Who should follow the referral link? Two possible answers:

      • “Chaining”: the server follows and resolves any referrals that it runs into during an LDAP operation. The client receives only the result and never knows that the referral happened

      • The client follows the link for itself. Supported by all LDAPv3-compliant clients and servers
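An added example (not from the slides) that parses the LDAP URL format given two slides back, filling in the RFC 2255 defaults (port 389 or 636, scope base, filter (objectClass=*)), and lints a referral entry before it is loaded: the ref URL must name the same DN as the placeholder entry it replaces. Function names and the sample entries are my own; the DN comparison is deliberately simplified (case-insensitive, surrounding whitespace ignored).

```python
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url: str) -> dict:
    """Split ldap://host:port/dn?attributes?scope?filter?extensions into its fields."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    # Everything after the third slash is the dn?attrs?scope?filter?exts tail.
    tail = url.split("/", 3)[3] if url.count("/") >= 3 else ""
    fields = tail.split("?", 4) + [""] * 5
    dn, attrs, scope, filt, exts = fields[:5]
    return {
        "host": parts.hostname or "",
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "dn": unquote(dn),
        "attributes": [a for a in unquote(attrs).split(",") if a],
        "scope": scope or "base",                  # RFC 2255 defaults
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": [e for e in unquote(exts).split(",") if e],
    }


def referral_points_at_placeholder(entry_dn: str, ref_url: str) -> bool:
    """A subordinate reference should name the same DN as the placeholder it replaces."""
    return parse_ldap_url(ref_url)["dn"].strip().lower() == entry_dn.strip().lower()


def check_referral_entry(entry: dict[str, list[str]]) -> list[str]:
    """Lint one referral object in the {attribute: [values]} shape an LDIF parser yields."""
    problems = []
    if "referral" not in entry.get("objectClass", []):
        problems.append("missing objectClass referral")
    refs = entry.get("ref", [])
    if not refs:
        problems.append("missing required attribute ref")
    for ref in refs:
        try:
            if not referral_points_at_placeholder(entry["dn"][0], ref):
                problems.append(f"ref {ref} does not name this entry's DN")
        except ValueError as exc:                  # malformed or non-LDAP URL
            problems.append(str(exc))
    return problems
```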





Continuing Standardization

  • Currently two working groups within the IETF to help LDAP evolve:

    • LDAP Duplication/Replication/Update Protocols (LDUP) working group

      http://ietf.org/html.charters/ldup-charter.html

    • LDAPv3 Revision (LDAPbis) working group

      http://ietf.org/html.charters/ldapbis-charter.html

      Note: See also http://www.ldapzone.com/

