Source: LDAP - scs.senecac.on.caraymond.chan/ops535/1303/notes/LDAP...
LDAP
Lightweight Directory Access Protocol
Raymond Chan
2013
LDAP
● A complex subject
● Promises a common source for information
● Unlimited scalability using a replication model
● Provides fast read performance
● Fine-grained security control over who can do what to what data
● ...
LDAP Overview
● LDAP is a protocol that defines how directory data should be accessed
● Defines and describes how data is represented in the directory service
● Defines how data is loaded into and dumped from a directory service using LDIF (the LDAP Data Interchange Format)
● LDAP defines four models related to the directory service: the Information, Naming, Functional and Security Models.
Information Model
Defines how the information or data is represented in an LDAP system.
Naming Model
Entries are named with distinguished names built from "attribute=value" pairs, e.g.
'dc=nad810,dc=com'
Functional Model
Defines how to
● read
● search
● write
● modify
data stored in a directory service
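The search operation of the Functional model takes a filter, and a program that builds that filter (or a DN) from user input has to escape the value, otherwise the input rewrites the query. The following Python is an added example for this page, not code from the slides: it implements the RFC 4515 filter-escaping and RFC 4514 DN-escaping rules, adds a toy evaluator for a single (attr=value) assertion, and runs a constructed three-entry directory through an unescaped and an escaped uid lookup. Only the suffix dc=ops535,dc=com comes from the slides; the entries alice, bob and star are assumed.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)              # special anywhere in the value
        elif ch == "\x00":
            out.append("\\00")                 # NUL is only representable as hex
        elif ch == " " and i in (0, last):
            out.append("\\ ")                  # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                  # a leading '#' would start a hex string
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample directory (assumed entries; only the suffix is from the slides).
PEOPLE = [
    {"dn": "uid=alice,ou=People,dc=ops535,dc=com", "attrs": {"uid": ["alice"], "cn": ["Alice Example"]}},
    {"dn": "uid=bob,ou=People,dc=ops535,dc=com", "attrs": {"uid": ["bob"], "cn": ["Bob Example"]}},
    {"dn": "uid=star,ou=People,dc=ops535,dc=com", "attrs": {"uid": ["*"], "cn": ["Literal asterisk"]}},
]


def _unescape(value):
    """Turn RFC 4515 hex escapes such as \\2a back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(filt, entry):
    """Evaluate one (attr=value) equality/substring assertion against an entry.

    Toy evaluator: case-sensitive matching only, and unescaped parentheses inside
    the value are rejected, as a real filter parser rejects the malformed filter.
    """
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    if not m:
        raise ValueError(f"malformed or unsupported filter: {filt!r}")
    attr, pattern = m.group(1), m.group(2)
    # A bare '*' is a substring wildcard; an escaped \2a is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    regex = re.compile(".*".join(parts), re.DOTALL)
    return any(regex.fullmatch(v) for v in entry["attrs"].get(attr, []))


def search(filt, entries=PEOPLE):
    """Return the DNs of the entries matching the filter."""
    return [e["dn"] for e in entries if matches(filt, e)]


def uid_filter_unsafe(uid):
    """The classic bug: user input pasted straight into the filter string."""
    return f"(uid={uid})"


def uid_filter(uid):
    """Same lookup with the value escaped; the input can no longer change the query."""
    return f"(uid={escape_filter_value(uid)})"


if __name__ == "__main__":
    for uid in ("alice", "*", "al*"):
        print(f"{uid!r:8} unsafe -> {search(uid_filter_unsafe(uid))}")
        print(f"{uid!r:8} safe   -> {search(uid_filter(uid))}")
    print(escape_dn_value("Chan, Raymond"))
```

With the raw input "*", the unescaped filter becomes (uid=*) and returns every entry; the escaped filter (uid=\2a) returns only the entry whose uid really is an asterisk, which is the behaviour a lookup should have.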
Security Model
Defines how to control
who
can do what
to what data
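In OpenLDAP the Security model is expressed as olcAccess directives ("to <what> by <who> <level>"), evaluated in order: the first "to" clause that covers the target entry or attribute is selected, the first matching "by" clause inside it fixes the access level, and a selected clause with no matching "by" denies. The script below is an added example for this page, not OpenLDAP's code: a small evaluator for that subset of the syntax, used to compare the no-ACL default (everyone, anonymous binds included, can read everything, userPassword hashes included) with a hardened rule set. The rootdn cn=Manager,dc=ops535,dc=com and the suffix are from the slides; the uid=alice and uid=bob entries are assumed.

```python
import re

# OpenLDAP access levels, weakest to strongest; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def norm_dn(dn):
    """Cheap DN normalisation (case and spacing around commas) for comparisons."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def in_subtree(dn, base):
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


def parse_access(line):
    """Parse '{n}to <what> by <who> <level> [by ...]' into (what, [(who, level), ...])."""
    line = re.sub(r"^\{-?\d+\}", "", line.strip())   # drop the cn=config ordering prefix
    head, *by_clauses = re.split(r"\s+by\s+", line)
    if not head.startswith("to "):
        raise ValueError(f"expected 'to <what>', got {head!r}")
    clauses = []
    for clause in by_clauses:
        who, level = clause.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        clauses.append((who, level))
    return head[3:].strip(), clauses


def what_matches(what, target_dn, attr):
    """Does a <what> selector cover this (entry, attribute)? attr=None means the entry itself."""
    if what == "*":
        return True
    for part in what.split():
        key, _, val = part.partition("=")
        val = val.strip('"')
        if key == "attrs":
            if attr is None or attr.lower() not in val.lower().split(","):
                return False
        elif key == "dn.subtree":
            if not in_subtree(target_dn, val):
                return False
        elif key == "dn.exact":
            if norm_dn(target_dn) != norm_dn(val):
                return False
        else:
            raise ValueError(f"unsupported <what> selector {part!r}")
    return True


def who_matches(who, requester_dn, target_dn):
    """Does a <who> selector match the requester? requester_dn=None is an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(target_dn)
    key, _, val = who.partition("=")
    val = val.strip('"')
    if key == "dn.exact":
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(val)
    if key == "dn.subtree":
        return requester_dn is not None and in_subtree(requester_dn, val)
    raise ValueError(f"unsupported <who> selector {who!r}")


def check(rules, requester_dn, target_dn, attr, needed, rootdn=None):
    """True if the requester is granted at least `needed` on (target_dn, attr)."""
    if rootdn and requester_dn and norm_dn(requester_dn) == norm_dn(rootdn):
        return True                      # the rootdn is never subject to access control
    for rule in rules:
        what, clauses = parse_access(rule)
        if not what_matches(what, target_dn, attr):
            continue                     # this 'to' clause does not apply, try the next
        for who, level in clauses:
            if who_matches(who, requester_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False                     # 'to' matched but no 'by' did: implicit 'by * none'
    # No directive applies at all: slapd's built-in default is 'access to * by * read'
    return LEVELS.index("read") >= LEVELS.index(needed)


# Weak: a database entry with no olcAccess values at all.
DEFAULT_RULES = []

# Hardened: password hashes usable only for binding and writable only by their owner;
# everything else readable by authenticated users only.
HARDENED_RULES = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to * by self write by users read by anonymous auth",
]

MANAGER = "cn=Manager,dc=ops535,dc=com"           # olcRootDN from the slides
ALICE = "uid=alice,ou=People,dc=ops535,dc=com"    # assumed entries
BOB = "uid=bob,ou=People,dc=ops535,dc=com"

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(name, "anonymous read of alice's userPassword:",
              check(rules, None, ALICE, "userPassword", "read"))
```

The order of the two hardened rules matters: if "to *" came first it would be selected for userPassword as well, and the password rule would never be consulted.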
LDAP ≠ Database
● LDAP is a protocol to access directory information, which may be stored in a database
● The data store (which may be a database) should be optimized for read access
● The LDAP protocol carries no knowledge of how the directory data is physically organized
DIT
● Directory Information Tree
  – Used to represent an LDAP-enabled directory as a hierarchy of objects
  – Each object is called an entry
  – The top of the tree is commonly called the root
  – Each entry in the tree, except the root, has exactly one parent entry
  – Each entry in the tree may have zero or more child entries
  – Entries that share the same parent are siblings
  – Each entry is composed of one or more objectClass values
objectClass
● Each objectClass contains zero or more attributes
● Each objectClass has a name
● The objectClass defines whether an attribute member is MANDATORY (MUST) or OPTIONAL (MAY)
● An objectClass may be a child of another objectClass and inherits all its parent's attributes.
Attribute
● Each attribute has a name
● All attributes are members of one or more objectClasses
● Each attribute has a defined syntax (data type)
● Attributes can be single-valued or multi-valued
LDAP Implementation
● OpenLDAP
● Microsoft Active Directory
OpenLDAP
● Installation – rpm, source
● Configuration – /etc/openldap/slapd.d
● Testing
  – ldapsearch
  – slaptest
  – ldapadd
  – ldapmodify
search
● RootDSE
  – DSE – DSA Specific Entry
  – DSA – Directory System Agent
  ldapsearch -x -s base -b "" +
● Subschema (the objectClasses and attributeTypes operational attributes hold the schema definitions)
  ldapsearch -x -s base -b "cn=subschema" objectClasses
rootDSE
ldapsearch -x -s base -b "" +

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=my-domain,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
...
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
...
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
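The rootDSE is readable before any bind (the -x query above sends no credentials), so it is the first thing both an administrator and an attacker look at: it gives away the naming contexts, the config context, the protocol versions and the SASL mechanisms the server will accept. The following Python is an added example for this page, not part of the slides: it parses the LDIF that ldapsearch printed (the sample is the slide's output transcribed, with the elided "..." lines dropped) and reduces it to a short triage report. The OIDs it checks are the standard ones: 1.3.6.1.4.1.1466.20037 is the StartTLS extended operation and 1.3.6.1.4.1.4203.1.11.1 is Password Modify (RFC 3062). Because the slide elides part of the output, an "absent" finding describes this transcription, not necessarily the server it came from.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"          # StartTLS extended operation (RFC 4511)
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # Password Modify (RFC 3062)
MD5_SASL = {"CRAM-MD5", "DIGEST-MD5"}  # deprecated (RFC 6331) and need cleartext passwords server-side
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}    # password crosses the wire unless wrapped in TLS

# The slide's `ldapsearch -x -s base -b "" +` output, transcribed without the "..." lines.
ROOTDSE_SAMPLE = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=my-domain,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif_attrs(text):
    """Collect the 'name: value' lines of one LDIF entry into {name: [values]}.
    Comment lines and ldapsearch's trailer ('search:', 'result:') are skipped."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or name in ("search", "result"):
            continue
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def triage(dse):
    """Reduce a parsed rootDSE to the facts worth acting on."""
    exts = set(dse.get("supportedExtension", []))
    sasl = set(dse.get("supportedSASLMechanisms", []))
    return {
        "naming_contexts": dse.get("namingContexts", []),
        "config_context": dse.get("configContext", [None])[0],
        "ldapv2_enabled": "2" in dse.get("supportedLDAPVersion", []),
        "starttls_advertised": STARTTLS_OID in exts,
        "password_modify": PASSWORD_MODIFY_OID in exts,
        "md5_sasl": sorted(sasl & MD5_SASL),
        "cleartext_sasl": sorted(sasl & CLEARTEXT_SASL),
    }


def findings(report):
    """Human-readable lines from a triage() report."""
    out = [f"naming context(s) disclosed anonymously: {', '.join(report['naming_contexts'])}"]
    if report["config_context"]:
        out.append(f"config database visible at {report['config_context']}")
    if report["ldapv2_enabled"]:
        out.append("LDAPv2 still enabled")
    if not report["starttls_advertised"]:
        out.append("StartTLS not advertised in this output")
    if report["md5_sasl"]:
        out.append("deprecated MD5 SASL mechanisms offered: " + ", ".join(report["md5_sasl"]))
    if report["cleartext_sasl"]:
        out.append("cleartext SASL mechanisms offered: " + ", ".join(report["cleartext_sasl"]))
    if report["password_modify"]:
        out.append("Password Modify extended operation available (ldappasswd works)")
    return out


if __name__ == "__main__":
    for line in findings(triage(parse_ldif_attrs(ROOTDSE_SAMPLE))):
        print("-", line)
```

Run it against a live server by piping the real output in: `ldapsearch -x -s base -b "" + | python3 triage.py` after swapping ROOTDSE_SAMPLE for sys.stdin.read().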
Server Configuration files
● /etc/openldap/slapd.d directory:
  – cn=config.ldif
  – cn=config/
    ● cn=schema.ldif
    ● olcDatabase={0}config.ldif
    ● olcDatabase={-1}frontend.ldif
    ● olcDatabase={1}monitor.ldif
    ● olcDatabase={2}bdb.ldif
    ● cn=schema/
Server Configuration
● olcDatabase={2}bdb.ldif
  – olcRootDN: cn=Manager,dc=ops535,dc=com
  – olcSuffix: dc=ops535,dc=com
  – olcRootPW: {SSHA}3NVLOWwqIMka30yIYLyGrrkirD0pU0Qx
  – {SSHA} is a salted SHA-1 hash (generate it with slappasswd); anyone who can read this file can attack the hash offline, so slapd.d must stay readable only by the account slapd runs as
ldap client configuration file
● /etc/openldap/ldap.conf
● /etc/ldap.conf
Many options – the two most important are:
● host – IP address (or hostname) of the LDAP server
● base – the naming context (default search base)
Sample LDIF file
# root dn entry
dn: dc=my-domain,dc=com
dc: my-domain
description: Root LDAP entry
ou: rootobject
objectclass: dcObject
objectclass: organizationalUnit

dn: ou=People,dc=my-domain,dc=com
ou: People
description: People information
objectclass: organizationalUnit
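The LDIF above, the objectClass rules (MUST/MAY, inheritance) from the Information model and the DIT parent rule can all be checked offline before a file is handed to ldapadd or slapadd. The following Python is an added example for this page, not the slides' code: it parses LDIF (RFC 2849, including folded lines and base64 values), validates each record against a hand-copied slice of OpenLDAP's core schema (top, dcObject, organizationalUnit and person only; every other class is treated as unknown), and checks that every entry except the suffix has a parent defined earlier in the file. The first two records are the sample above; the two records after them are constructed to show the failure modes.

```python
import base64
import re

# Hand-copied slice of OpenLDAP's core schema: superior class, kind, MUST and MAY
# attributes (lower-cased, since LDAP attribute and class names are case-insensitive).
SCHEMA = {
    "top":                {"sup": None,  "kind": "abstract",   "must": {"objectclass"}, "may": set()},
    "dcobject":           {"sup": "top", "kind": "auxiliary",  "must": {"dc"},          "may": set()},
    "organizationalunit": {"sup": "top", "kind": "structural", "must": {"ou"},
                           "may": {"description", "l", "st", "street", "postalcode", "telephonenumber"}},
    "person":             {"sup": "top", "kind": "structural", "must": {"sn", "cn"},
                           "may": {"userpassword", "telephonenumber", "seealso", "description"}},
}

# The slides' sample records, followed by two constructed broken ones.
SAMPLE_LDIF = """\
# root dn entry
dn: dc=my-domain,dc=com
dc: my-domain
description: Root LDAP entry
ou: rootobject
objectclass: dcObject
objectclass: organizationalUnit

dn: ou=People,dc=my-domain,dc=com
ou: People
description: People information
objectclass: organizationalUnit

# constructed: missing the mandatory sn, and uid is not allowed by 'person'
dn: uid=alice,ou=People,dc=my-domain,dc=com
objectclass: person
cn: Alice Example
uid: alice

# constructed: its parent is not in the tree
dn: ou=Groups,dc=other,dc=com
ou: Groups
objectclass: organizationalUnit
"""


def norm_dn(dn):
    """Cheap DN normalisation for comparisons (escaped commas are not handled)."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parent_dn(dn):
    return norm_dn(dn).partition(",")[2]


def parse_ldif(text):
    """Parse LDIF content records into [(dn, {attr: [values]}), ...]."""
    text = re.sub(r"\n ", "", text)            # unfold continuation lines (RFC 2849)
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn", [None])[0]
        if dn is None:
            raise ValueError("LDIF record without a dn")
        entries.append((dn, attrs))
    return entries


def class_chain(name):
    """The class and all its superiors; KeyError if it is not in the schema."""
    chain, key = [], name.lower()
    while key:
        chain.append(SCHEMA[key])
        key = chain[-1]["sup"]
    return chain


def validate_entry(attrs):
    """Schema errors for one record: unknown classes, no structural class, MUST/MAY."""
    errors, must, may, structural = [], set(), set(), 0
    for oc in attrs.get("objectclass", []):
        try:
            chain = class_chain(oc)
        except KeyError:
            errors.append(f"unknown objectClass '{oc}'")
            continue
        structural += chain[0]["kind"] == "structural"
        for cls in chain:
            must |= cls["must"]
            may |= cls["may"]
    if not structural:
        errors.append("no structural objectClass")
    errors += [f"missing MUST attribute '{a}'" for a in sorted(must - set(attrs))]
    errors += [f"attribute '{a}' not allowed by the entry's objectClasses"
               for a in sorted(set(attrs) - must - may)]
    return errors


def validate_ldif(text, suffix):
    """Map each dn to its error list, adding the DIT check that every entry except
    the suffix has a parent defined earlier in the file."""
    seen, report = set(), {}
    for dn, attrs in parse_ldif(text):
        errors = validate_entry(attrs)
        if norm_dn(dn) != norm_dn(suffix) and parent_dn(dn) not in seen:
            errors.append(f"parent '{parent_dn(dn)}' does not exist")
        seen.add(norm_dn(dn))
        report[dn] = errors
    return report


if __name__ == "__main__":
    for dn, errors in validate_ldif(SAMPLE_LDIF, "dc=my-domain,dc=com").items():
        print(dn, "->", errors or "OK")
```

slapd performs the same checks when the file is loaded, but it stops at the first bad record; checking the whole file first gives one report instead of an add-fix-retry loop.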
Useful commands
● ldapsearch
● ldapadd
● ldapmodify
off-line commands (operate directly on the backend database, bypassing the protocol)
● slapcat
● slapadd