Openldap enterprise features
1 / 28

OpenLDAP Enterprise Features - PowerPoint PPT Presentation

  • Updated On :

OpenLDAP Enterprise Features. Bruce Huang ( Tommy Yan ( HP Open Source and Linux Organization. Agenda. 2 Non-Native English speakers Directory services in large enterprises-- challenges and progress Technical implementation of some enterprise features.

Related searches for OpenLDAP Enterprise Features

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'OpenLDAP Enterprise Features' - sereno

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Openldap enterprise features l.jpg

OpenLDAP Enterprise Features

Bruce Huang (

Tommy Yan (

HP Open Source and Linux Organization

Agenda l.jpg

  • 2 Non-Native English speakers

  • Directory services in large enterprises-- challenges and progress

  • Technical implementation of some enterprise features

Directories in a large enterprise an hp example back to 2003 l.jpg
Directories in a large enterprise- an HP example back to 2003








  • - Mission-critical repository used by 1500+ applications in HP

  • Approximately 50 million+ operations/day

  • Resolve every mail address

  • Authorize every HP inline login

  • Hardware: Approximately 30 servers Worldwide

  • Software: Sun ONE Directory Server 5.x

Directories in a large enterprise an hp example back to 2003 cont l.jpg
Directories in a large enterprise- an HP example back to 2003(cont.)

Directory Root

People (Employees/Contingents HR data, email, NT, certs, etc)


Groups (News/Mail/Security group owners, members, description, etc)


Servers (used to store server certificates)


Locations (HP real estate, address, lat/long, time zone, etc)


Organizations (HP organizations, name, address, contact, etc)


Business Partners


What are the challenges in this model l.jpg
What are the challenges in this model?

  • Cost: Per entry pricing mode. (An entry is defined as a single Distinguished Name (DN) and its contained attributes. 1 employee takes 1 entry, 1 server takes 1 entry, for example.)

  • Lock: Vendors don’t want to modify the existing product to meet our technical requirement, but want us to buy more products.

Why was considered the solution l.jpg
Why was considered the solution

  • Cost: Symas per server/enterprise license model

  • Freedom: Having the source code

  • Support: IT has the resource and capability to support it (OSMS, Symas)

  • Standard, not proprietary: Why not enhance the applications?

Openldap s challenges and progress l.jpg
OpenLDAP’s challenges and progress

  • General enterprise grade robustness:

    • Solid Berkeley DB support

    • Audit capability

    • Reconfiguring must be available on-the-fly as much as possible

    • Reliable replication strategy

  • Password Policy: A security policy for passwords (e.g., must not be a dictionary word, must be over 6 characters, and so on). Overlay by Neil Dunbar (HP) and Howard Chu(Symas)

Openldap s challenges and progress cont l.jpg
OpenLDAP’s challenges and progress (cont.)

  • Data constraint: For instance, a telephone number could be forced to follow ITU standard representation rules. Overlay by Neil Dunbar (HP).

  • Translucency: store department-specific attributes for its employees in a local directory, for extension and speed.Overlay by Symas, sponsored by HP.

  • Group Policy: Much of HP's authorization data resides in the notion of groups; groups of employees; groups of assets; groups of business partners, and so forth. However, the LDAP/X.500 model does not really impose any notion of what groups mean. Overlay by Symas.

What is the current status l.jpg
What is the current status

  • HP completed migrating the Enterprise Directory to OpenLDAP on Linux in 2006.

  • HP is completely unchained from the per-entry licensing model

  • Above directory enterprise requirements are met.

  • Source code upstream to the OpenLDAP community.

Openldap working model l.jpg
OpenLDAP working model

  • slapd frontend receives an LDAP request

  • slapd frontend passes the request to the backend

  • The backend calls some functions of frontend to send the results to the client

Openldap overlays l.jpg
OpenLDAP Overlays

  • Overlays: modules working between frontend and backend

    • introduced since OpenLDAP 2.2

    • change the behavior of backends without changing backend code

    • process incoming requests before backends

    • process outgoing results before frontend

  • Processing Steps

    • The frontend passes requests to the first overlay

  • The first overlay forwards requests to the next overlay until requests reach the real backend.

  • The backend directs results from the first overlay to the last one until they are sent to the client.

Create your own overlay l.jpg
Create your own overlay


static slap_overinst hello_ovl;

int init_module(int argc, char *argv[])


hello_ovl.on_bi.bi_type = “hello";

hello_ovl.on_bi.bi_op_add = hello_add;

hello_ovl.on_bi.bi_op_modify = hello_modify;

hello_ovl.on_bi.bi_db_close = hello_close;

return overlay_register(&hello_ovl);


static int hello_add(Operation *op, SlapReply *rs)


static int hello_modify(Operation *op, SlapReply *rs)


Two examples of using overlays password policy constraint l.jpg
Two Examples of Using Overlays- Password Policy- Constraint

Password policy l.jpg
Password Policy

  • provide password control mechanisms, like password aging, password reuse, mandatory password resets and so on.

  • define multiple password policies by using ‘pwdPolicy’ object class.

  • apply specific password polices to entries

  • Configuration directives:

    • moduleload

    • overlay ppolicy

    • ppolicy_default <defaultDN>

    • more explanations in Linux man page (slapo-ppolicy)

Password policy con t l.jpg
Password Policy (con’t)

Example: Create two different password policies and apply them to entries.

  • Load and configure the overlay in slapd.conf:


overlay ppolicy

ppolicy_default cn=default,ou=policy,dc=hp,dc=com

Password policy con t16 l.jpg
Password Policy (con’t)

  • Add two policy entries

    • policy.ldif:

dn: cn=default,ou=policy,dc=hp,dc=com

objectClass: pwdPolicy

objectClass: device

cn: default

pwdAttribute: userPassword

pwdCheckQuality: 2

pwdMinLength: 5

pwdMaxAge: 2592000

dn: cn=strong,ou=policy,dc=hp,dc=com

objectClass: pwdPolicy

objectClass: device

cn: strong

pwdAttribute: userPassword

pwdCheckQuality: 2

pwdMinLength: 8

pwdMaxAge: 1296000

Password policy con t17 l.jpg
Password Policy (con’t)

  • Set the pwdPolicySubentry attribute in a DN

    • bruce.ldif:

dn: uid=bruce,dc=osms,dc=hp,dc=com

objectClass: inetOrgPerson

uid: bruce


sn: huang

employeeNumber: 111111

cn: Bruce Huang

pwdPolicySubentry: cn=strong,ou=policy,dc=hp,dc=com

Password policy con t18 l.jpg
Password Policy (con’t)

  • Verify whether the overlay works by running ‘ldappassword’ to change the password of ‘uid=bruce,dc=osms,dc=hp,dc=com’ to a word less than 8 characters :

Result: Constraint violation (19)

Additional info: Password fails quality checking policy

  • Note: the bind DN used to change the password must not be the rootdn.

Constraint l.jpg

  • Contributed by HP

  • Constrain the values of attributes by character set or regular expression

  • Triggered by LDAP add and modify operations

  • Configuration directives:

    • constraint_attribute <attribute> <constraint> <constraint_value>

      • Possible values of <constraint>: charset regex

Constraint con t l.jpg
Constraint (con’t)

  • Example: Constrain empolyeeNumber as 6 digits and cn as valid letters

    • Load and configure the overlay in slapd.conf:


overlay constraint

constraint_attribute employeeNumber regex ^[0-9]{6}$

constraint_attribute cn regex ^[a-zA-Z]*$

Constraint con t21 l.jpg
Constraint (con’t)

  • Verify it by running ‘ldapmodify’ to change the employeeNumber attribute of ‘uid=bruce,ou=people,dc=hp,dc=com’ to a number with 5 digits:

    • modify.ldif:

dn: uid=bruce,ou=people,dc=hp,dc=com

changetype: modify

replace: employeeNumber

employeeNumber: 12345

ldap_modify: Constraint violation (19)

additional info: modify breaks regular expression constraint on employeeNumber

More information on overlay l.jpg
More information on overlay

  • OpenLDAP admin guide:


  • Linux man page

  • OpenLDAP Source Code

Resource thanks and questions l.jpg
Resource, Thanks and Questions

  • (Special thanks to Neil Dunbar and Kartik Subbarao from HP directories team)



Attribute uniqueness l.jpg


Attribute Uniqueness

  • Enforce the uniqueness of one or some attributes in a subtree

  • triggered by the operations of add, modify and modrdn

  • Configuration options:

    • unique_base <basedn>

    • unique_ignore <attribute…>

    • unique_attributes <attribute…>

Attribute uniqueness con t l.jpg
Attribute Uniqueness (con’t)

  • Example: Enforce the uniqueness of uid and mail for all DNs


overlay unique

unique_base dc=hp,dc=com

unique_ignore objectClass dc ou o cn

unique_attributes uid mail

dn: uid=bruce,ou=people,dc=hp,dc=com

objectClass: inetOrgPerson

uid: bruce

sn: Huang

cn: Bruce


Error Message:

Constraint violation (19)

additional info: some attributes not unique

Translucency l.jpg

  • Enable a translucent proxy

  • A remote LDAP server and a local database are required

  • Entries from the remote server may be overridden (attribute level) by entries in the local database

  • Configuration options:

    • translucent_strict

    • translucent_no_glue

Referential integrity l.jpg
Referential Integrity

  • maintain the cohesiveness of a schema with reference attributes

  • triggered by the operations of modrdn and delete

  • Configuration options:

    • refint_attributes <attribute…>

    • refint_nothing <string>

    • refer to Linux man page (slapo-refint)

Referential integrity con t l.jpg
Referential Integrity (con’t)

  • Example: Remove Jason and have Tommy as his replacement

    • Delete “uid=zjason,ou=people,dc=hp,dc=com”

    • The attribute of manager in “uid=hbruce,ou=people,dc=hp,dc=com” and “uid=ytommy,ou=people,dc=hp,dc=com” is set to “uid=ytommy,ou=people,dc=hp,dc=com” automatically.


overlay refint

refint_attributes manager

refint_nothing uid=ytommy, ou=people,dc=hp,dc=com