Download presentation
Presentation is loading. Please wait.
1
Implementation and configuration of LDAP
Kevin Moseley KSM Technology Introduction: My name is Kevin Moseley and my presentation tonight is about LDAP. At my day job at Walgreens' we are looking to implement a LDAP solution for a possible migration to Linux. To help motivate me to learn more about LDAP I figured that I would do a presentation about it.
2
What is LDAP? LDAP (Lightweight Directory Access Protocol) is just that; a protocol. There are many implementations of LDAP including Sun iPlanet, RedHat Directory Server, and of course OpenLdap. LDAP is just a protocol that is left to vendors to implement. LDAP is useful when a “heavier” directory service is unnecessary. Not to take away from LDAP; it is an extremely useful and functional database in its own right. As a matter of fact other directory vendors such as Novell and Microsoft have LDAP compatibility built in to their servers.
3
LDAP Overview Based on x.500 directory but has removed some of the more obscure features. Allows for full distinguished names. Allows for users to have same username since they are differentiated by context. Creates a central repository for user credentials and information. LDAP is optimized for reads. The x.500 was a standard for directories that was created many years ago. Really no directory implements the full specification. Usually they implement just enough to be called compliant LDAP can be used to create a highly efficient directory for all types of information. Many products have LDAP compatibility build in or as modules, (Apache, Samba, and Radius) LDAP is optimized for reads; writes will take considerably longer.
4
LDAP Tree example Here is an example of a LDAP tree. As you can it allows for users to have the same name. They are identified by their relation to the root of the tree. The use of logical units makes it easier to partition these sections to other servers for replication. Could also be a completely flat structure with out containers.
5
Implementation of LDAP
Hardware requirements Depends on number of users. Fault tolerance requirements. Software requirements This presentation is based on OpenLdap. Any un*x based OS should be able to run OpenLdap. Most likely you will get a precompiled binary from your distribution vendor. Really any un*x system should be able to run a LDAP server. POSIX threads capability would help the performance of your server. Hardware will depend on LDAP structure, number of objects, and number of requests per second. Software in this example is utilizing OpenLDAP utilizing Berkeley DB for the backend database.
6
LDAP Terminology Schema: Is what defines the characteristics of an object. (i.e. A user schema is name, password, ) Some options are required where others are optional. Relative distinguished name: dn:cn=Joe user Fully distinguished name: dn:cn=Joe user,ou=users,dc=company,dc=com. Schema is what makes a user a user, a radius object a radius object. It is what defines an object. RDN is the name of the object assuming a certain position in the tree. FDN is the absolute position of an object in the tree.
7
LDAP utilities Ldapsearch: Used to query the LDAP database.
Ldapadd: Used to add entries to the LDAP database. Linked to ldapmodify. Ldapmodify: Used to modify existing entries in an LDAP database. Ldapdelete: Used to remove entries from a ldap database. Ldapmodrdn: Used to modify the RDN of an object. LDAP command line utilities for managing your LDAP tree. Pretty much self explanatory. Give quick review of each item.
8
LDAP Utilities cont. Slapcat: used to concatenate an ldap database into a LDIF file. Useful in creating slave LDAP servers and backup. Nssswitch used to allow a machine query an ldap server for credentials. pam_ldap allows for pam authentication against an ldap server. Nsswitch is provided by PADL and allows for a machine to query a ldap directory for user and group information. pam_ldap is also provided by PADL and uses pam for authentication against an ldap directory. Both software products are released under the GPL license.
9
Configuring LDAP Most configuration will be made to the slapd.conf file. This is the configuration file for the slapd daemon. Also configuration for the replication daemon is performed here. The replication daemon is called slurpd. Things you want to configure are context, replication partners, database options. When configuring and OpenLdap server most of the configuration is set in the slapd.conf. Also the slurpd configuration is usually configured in this file. You can separate the config but since they are so interdependent they are configured in the same file. The slapd.conf configures the context, replication, and database options.
10
Configuration cont. Slapd.conf is where you configure acl's for permissions on the directory. Also you configure the indexes for the database backend. Configure the number of cached objects in memory. slapd.conf allows for configuration of the database backend. You can control the number of objects cached in memory, what attributes of an object are indexes and what type of index to use.
11
Adding users and objects
Most additions can be made via a LDIF file. This file will allow for multiple additions to be made at one time. Nice because you can then script the addition of users or objects. There are graphical utilities for adding users, ou, dc's etc... LDIF files allow for efficient addition, modification, and removal of objects. Entries in an LDIF file are separated by a blank line. If you separate modifications with a -, then all of the changes are done at once in an atomic fashion.
12
Replication overview This is the procedure for how OpenLdap implements replication. There is no standard replications so replication with another vendor is next to impossible.
13
Verify ldap is working Query the ldap server to verify it is responding to queries. Use ldapsearch -x -b “dc=company,dc=com” “(objectclass=*)” This should show you all of the objects in your LDAP tree. If you see other information you will need to begin troubleshooting procedures.
14
Possible uses of LDAP Samba authentication. Machine authentication.
VPN and Radius authentication. Phone and directory. Store sendmail configuration. Automount config. Store BIND zone files (with a patch) Interoperate with Active Directory. As you can see and ldap directory can be immensely useful to an organization. With patches to BIND you can store your zone files in ldap. You can also store automount information for when users log in. In addition, sendmail configurations, radius users can be stored in ldap. Web authentication can also be configured to use ldap. Any ldap server should be able to inter operate with active directory. Ldap is also a convenient method for creating a mail and user database that can be queried.
15
More information... LDAP System Administration by O'Reilly
OpenLdap website:
16
Questions and Answers
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.