A 5.000-word introduction to LDAP
This document explains LDAP in less than 5.000 words. It assumes the reader has a general knowledge of computing and of UNIX. I decided to write it when I noticed that many of my friends, seasoned UNIX administrators and programmers, were interested in learning LDAP. I describe the basic concepts and some specific programs.
I started learning LDAP just a few months ago during my work at Novell; I am far from being an expert. However, I found the subject easy to grasp. I write this hoping that others in a similar situation may learn it even faster than I did.
LDAP stands for Lightweight Directory Access Protocol. It is a protocol to access hierarchical databases (just like SQL accesses relational databases).
The objects in the database are stored in a tree, which is why it is called "hierarchical". The root of the tree is usually called the "suffix" (or simply the "root"), and all objects are stored beneath it.
There is a unique way of referring to each object, called its distinguished name (or DN, for short). The DN is a comma-separated list of the IDs of the object and of all its parents up to the root. For example, a DN could be "UID=aforero, OU=Users, O=Novell, CN=bachue, CN=com", where "CN=bachue, CN=com" is the suffix; if we start at the root, go down the branch "O=Novell", then "OU=Users" and finally "UID=aforero", we arrive at our object.
Each object is a list of attributes. The attributes are (name, value) pairs. An object can have multiple attributes with the same name (or, a less popular way of viewing it, an attribute can have multiple values).
All objects in the tree must have a type (sometimes more than one). The types of an object are usually called its classes. The classes themselves are called schemas. Examples are person, PosixAccount or organizationalUnit. The following is a definition of a schema:
objectclass ( 2.5.6.6 NAME 'person'
    DESC 'RFC2256: a person'
    SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

This specifies that objects must have the attributes sn (surname) and cn (common name) in order to be of class person. Objects of class person may also have any of the attributes in the MAY list.
The names of the classes of the objects (schemas) are specified as the values of their objectClass attributes. There are structural and auxiliary schemas (person above is structural); all the objects in an LDAP database must have at least one structural class.
Examples of LDAP servers are Microsoft's Active Directory, Novell eDirectory and the free OpenLDAP. In my experience, OpenLDAP works very well. An example client is a suite of command-line tools distributed as part of OpenLDAP: ldapsearch, ldapadd, ldapdelete and ldapmodify.
LDAP operates on TCP port 389. Usually you'll want to use LDAPS, the encrypted (over SSL/TLS) version, instead. LDAPS operates on port 636.
LDAP has become very popular for storing information about users. On UNIX machines the schemas posixAccount, posixGroup and shadowAccount contain attributes corresponding to the fields of /etc/passwd, /etc/group and /etc/shadow respectively. Using them together with nss_ldap and pam_ldap, one can very easily set up multiple systems to authenticate users against a centralized backend. This is similar to what can be achieved with NIS, but more secure. Samba is another application that can store its information in an LDAP database, using its own schemas.
There is a file format for interchanging the information held in LDAP databases. It is called LDAP Data Interchange Format, or LDIF for short. LDIF files are made up of entries, each being a list of attributes (names and values) for a particular object in the database. Binary values are Base64-encoded and the file as a whole is UTF-8. You can, for example, dump a database into an LDIF file and use that file to import the same data into a different database. The format is simple and intuitive.
OpenLDAP is a good server implementation and easy to set up. It stores the information in Berkeley DB (BDB) files and keeps indexes on the attributes you specify. You can use access control lists to specify which users are granted access to which information.
To administer your OpenLDAP database, the best option is probably to create LDIF files with the changes or additions you want to make and to apply them with ldapmodify or ldapadd. There are other options but, in my experience, they tend to be immature and to have specific problems.
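The following Python program is an added example, not code from the article or from OpenLDAP. It ties together four things described above: it parses a small LDIF file (including a Base64 value and a folded continuation line), walks the DN from the suffix down to the entry, checks entries against the MUST/MAY rules of the person class quoted earlier and the posixAccount class from RFC 2307 (that second definition is supplied here, not taken from the article), and renders a posixAccount entry as the /etc/passwd line it corresponds to. The LDIF data and the second, deliberately invalid, entry are constructed for the example.

```python
import base64
import re

# Constructed sample LDIF (not data from the article). The first entry uses the
# DN from the text and exercises two LDIF features: a Base64 value ('::') and a
# folded line (a continuation line that starts with one space). The second entry
# deliberately violates the person class: sn is missing and mail is not allowed.
SAMPLE_LDIF = """\
dn: UID=aforero, OU=Users, O=Novell, CN=bachue, CN=com
objectClass: person
objectClass: posixAccount
cn: Andres Forero
sn: Forero
uid: aforero
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/afo
 rero
loginShell: /bin/bash
description:: QW5kcsOpcyBGb3Jlcm8=
telephoneNumber: +57 1 555 0100

dn: UID=bwayne, OU=Users, O=Novell, CN=bachue, CN=com
objectClass: person
cn: Bruce Wayne
mail: bwayne@example.com
"""

# Object classes keyed by lower-cased name: (MUST, MAY, is STRUCTURAL).
# 'person' is the definition quoted in the article; 'posixAccount' is the
# AUXILIARY class defined in RFC 2307 (not from the article).
SCHEMA = {
    "person": ({"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}, True),
    "posixaccount": ({"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}, False),
}


def parse_ldif(text):
    """Parse LDIF content records into a list of {attribute: [values]} dicts.
    Folded lines are joined first; names are lower-cased (LDAP compares them
    case-insensitively); a '::' value is Base64 and is decoded as UTF-8 text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # fold: drop the single leading space
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # sentinel flushes the final entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):            # comment line
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def dn_path(dn, suffix):
    """Return the RDNs walked from the suffix down to the entry, in that order.
    A comma escaped as '\\,' (RFC 4514) does not split an RDN."""
    split = lambda s: [p.strip() for p in re.split(r"(?<!\\),", s)]
    rdns, base = split(dn), split(suffix)
    if [r.lower() for r in rdns[-len(base):]] != [r.lower() for r in base]:
        raise ValueError(f"{dn} is not under suffix {suffix}")
    return list(reversed(rdns[:-len(base)]))


def validate(entry, schema=SCHEMA):
    """Apply the MUST/MAY rules of every declared objectClass and require at
    least one STRUCTURAL class. Returns a list of problems (empty = valid)."""
    classes = [c.lower() for c in entry.get("objectclass", [])]
    problems, allowed = [], {"objectclass"}
    for cls in classes:
        if cls not in schema:
            problems.append(f"unknown objectClass {cls}")
            continue
        must, may, _ = schema[cls]
        problems += [f"{cls} requires {a}" for a in sorted(must) if a not in entry]
        allowed |= must | may
    problems += [f"{a} not allowed by {', '.join(classes)}"
                 for a in entry if a not in allowed and a != "dn"]
    if not any(schema.get(c, (0, 0, False))[2] for c in classes):
        problems.append("no structural objectClass")
    return problems


def passwd_line(entry):
    """Render a posixAccount entry as an /etc/passwd line (RFC 2307 field
    mapping); the GECOS field falls back to cn when gecos is absent."""
    first = lambda attr, default="": entry.get(attr, [default])[0]
    return ":".join([first("uid"), "x", first("uidnumber"), first("gidnumber"),
                     first("gecos", first("cn")), first("homedirectory"),
                     first("loginshell")])


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        dn = entry["dn"][0]
        print(dn, "->", dn_path(dn, "CN=bachue, CN=com"))
        print("  problems:", validate(entry) or "none")
        if "posixaccount" in (c.lower() for c in entry["objectclass"]):
            print("  passwd:", passwd_line(entry))
```

Running it reports no problems for the first entry and prints its /etc/passwd form, while the second entry is rejected for the missing sn and the mail attribute that neither of its classes allows. This is the same kind of check an LDAP server performs before accepting an ldapadd, so an LDIF file that passes it is far more likely to import cleanly.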
There. I hope you found this useful.
Last update: 2006-07-25 (Rev 7626)