Introduction to LDAP 1st presentation

1. OpenLDAP BootCamp
Directory Servers and LDAP
Doc. v. 0.1 – 05/03/09
Wildan Maulana
wildan.m@openthinklabs.com
http://workshop.openthinklabs.com/
#1

2. Main Topics
● The Basics of LDAP directories
● The history of LDAP and the OpenLDAP server

3. LDAP Basics
● The terms LDAP stands for Lightweight Directory Access
Protocol
● LDAP was originally designed to be a network protocol
that provided an alternative form of access to existing
directory servers
● LDAP is standardized. The body of LDAP standards,
including the network protocols, the directory structure,
and the services provided by an LDAP server, are all
available in the form of RFCs (Requests For Comments)
● LDAP v3 → RFC 2251 (1997)
● Updated on 2006 → RFCs 4510 - 4519

4. What is a Directory ?
● Directory server is used to maintain information
about some set of entities (entities like people
or organizations), and it provides for accessing
that information
● How information in an LDAP directory is
structured ?

5. The Structure of a Directory Entry
example : phone book entry
Acme Services
123 W. First St.
Chicago, IL 60616-1234
(773) 555-8943 or (800) 555 9834
Identify Organization Name: Acme Services
Street Address: 123 West First Street
City: Chicago
State: Illinois
Postal Code: 60616-1234
But How can we distinguish between Country: USA
Phone Number: +1 773 555 8943
two very similar records?
Phone Number: +1 800 555 9834
For example, say we have a telephone directory for the entire state of Illinois. And in
Illinois, we have a company called Acme Services located in the city of Chicago, and
another company named Acme Services located in the city of Springfield.

6. A Unique Name : The DN
● One way of distinguishing between two very
similar records is to create a unique name for
each record in the directory
● Strategy adopted by LDAP ; each record in the
directory has a distinguished name (DN)

7. More About DN
● A DN is composed of a combination of directory
information, and looks something like this :
dn: o=Acme Services, l=Chicago, st=Illinois, c=US
dn: o=Acme Services, l=Springfield, st=Illinois, c=US
DNs are not case sensitive
Some parts of LDAP records are case sensitive,
and others are not. DNs, for example, are not case sensitive.

8. LDAP Entry
● An LDAP entry, or record, is the directory unit
that stores information about an individual item in
the directory
● An entry is composed of a DN and one or more
attributes
● The DN serves as a unique identifier within an
LDAP directory information tree
● Attributes provide information about that entry

9. An Example LDAP Entry
dn: o=Acme Services, l=Chicago, st=Illinois, c=US DN
o: Acme Services
postalAddress: 123 West First Street
l: Chicago
st: Illinois
postalCode: 60616-1234 attributes
c: US
telephoneNumber: +1 773 555 8943
telephoneNumber: +1 800 555 9834
objectclass: organization
●
Attribute names, like o and postalAddress, refer to well-
defined attribute definitions contained in an LDAP schema.
They cannot be "invented" on the fly, or made up as you go.
Creating new attributes requires writing a schema.

10. An Example LDAP Entry - Cont
● On previous example there are eight attributes, representing the
following :
● Organization Name (o)
● Mailing address (postalAddress)
● Locality (l), which may be the name of a city, town, village, and
so forth
● State or Province (st)
● Postal Code or ZIP Code (postalCode)
● Country (c)
● Telephone Number (telephoneNumber)
● Object Class (objectclass), which specifies what type (or types)
of record this entry is

11. The Object Class Attributes
● The last attribute in the given record is
objectclass attribute. This is a special attribute
that provides information about what type of
record (of entry) is
● An object class determines what attributes my
be given to a record

12. Operational Attributes
● In addition to regular attributes, the directory
server may also attach spesial operational
attributes to an entry
● Operational attributes are used by the directory
it self to store information about entries
● This attributes are not designed for use by end
user

13. The Directory Information Tree
● Information in an LDAP directory is organized
into one or more hierarchies where, at the top
of the hierarchy, the is a base entry, and other
entries are organized in tree-like structures
beneath the base entry
● Each node on the hierarchy is an entry, with a
DN and more than one attributes

14. The Directory Information Tree - Cont

15. The Directory Information Tree - Cont

16. What to Do with an LDAP Server
● LDAP is designed to represent organizations,
including their structure, their physical assets,
and their personnel.
● LDAP can also be used as central authority on
network users, groups, and accounts

17. The History of LDAP and OpenLDAP
● Originally, LDAP was just a network protocol used to get data out of
an X.500 directory (a directory server architecture, designed in the
1980s and standardized in 1988). This was the intent of Yeong,
Howes, and Killie when they initially drafted the LDAP specification
as RFC 1487 in 1993.
● The first LDAP servers were gateways to X.500 directories, but these
servers quickly evolved into full-fledged directory servers. Tim Howes
and his colleagues at the University of Michigan created the Open
Source University of Michigan LDAP Implementation, which became
the reference implementation for other LDAP servers.
http://www.umich.edu/~dirsvcs/ldap/ldap.html
●

18. The History of LDAP and OpenLDAP
● In 1998 the OpenLDAP project was started by
Kurt Zeilenga using University of Michigan's
code base
● Since the late 90', OpenLDAP has continued to
mature , overseen by the OpenLDAP
Foundation, and supported by contributions
from industry sponsors.
● http://openldap.org

19. A Technical Overview of OpenLDAP
● The OpenLDAP suite can be broken up into
four components:
● Servers : Provide LDAP services
● Clients : Manipulate LDAP data
● Utilities : Support LDAP servers
● Libraries : provide programming interfaces to
LDAP

20. LDAP Component Relation

21. The Server
● The main server in LDAP suite is SLAPD (the
Stand-Alone LDAP Daemon)
● A server can store directory, data locally or simply
access (or proxy access) to external sources
● SLAPD provides authentication and searching
services, and may also support adding, removing,
and modifying directory data
● SLAPD provides fine-grained access control to the
directory

22. Clients
● Client connect to the server over the LDAP
protocol, using network-based connection or
socket (for UNIX based)
● Typically, a client will first connect to the directory
server, then bind (authenticate), and then
perform zero or more other operations (searches,
modification, additions, deletions, etc) before
finally unbinding and disconnecting

23. Utilities
● Unlike clients, utilities do not perform
operations using the LDAP protocol. Instead,
they manipulate data at a lower level, and
without mediation by the server
● Utilities are used primarily to help maintain
server

24. Libraries
● Application Programming Interfaces (APIs) are
provided to allow software developer to write
LDAP-aware applications without having to re-
write fundamental LDAP code

25. Application Integration

26. Moodle
http://docs.moodle.org/en/LDAP_authentication

27. symfony
http://www.symfony-project.org/plugins/bhLDAPAuthPlugin

28. Joomla
http://docs.joomla.org/LDAP

29. Q&A

30. Reference
● Matt Butcher, Mastering OpenLDAP, PACKT
Publishing