Chapter 4. LDAP—A Directory Service

Contents

4.1. LDAP versus NIS
4.2. Structure of an LDAP Directory Tree
4.3. Configuring an LDAP Client with YaST
4.4. Configuring LDAP Users and Groups in YaST
4.5. Browsing the LDAP Directory Tree
4.6. For More Information

Abstract

The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing and maintaining information held in a directory service. LDAP can be used for user and group management, system configuration management, address management, and more. This chapter provides a basic understanding of how OpenLDAP works and how to manage LDAP data with YaST.

In a network environment it is crucial to keep important information structured and to serve it quickly. A directory service, like the familiar yellow pages, keeps information available in a well-structured and readily searchable form.

Ideally, a central server stores the data in a directory and distributes it to all clients using a well-defined protocol. The structured data allow a wide range of applications to access them. A central repository reduces the necessary administrative effort. The use of an open and standardized protocol like LDAP ensures that as many different client applications as possible can access such information.

A directory in this context is a type of database optimized for quick and effective reading and searching. It is designed for data that is read far more often than it is written and is not laid out to support complex update or query mechanisms; in return, every application can read from it quickly and with little effort.

4.1. LDAP versus NIS

Unix system administrators traditionally use NIS (Network Information Service) for name resolution and data distribution in a network. The configuration data contained in the files group, hosts, mail, netgroup, networks, passwd, printcap, protocols, rpc, and services in the /etc directory is distributed to clients all over the network. These files can be maintained without major effort because they are simple text files, but the same lack of structure makes larger amounts of data increasingly hard to handle. NIS is designed only for Unix platforms and is not suitable as a centralized data administration tool in heterogeneous networks. It also offers no transport protection and, beyond the optional securenets restriction, no client authentication: any host that knows the NIS domain name can request the maps, password hashes included.

Unlike NIS, LDAP is not restricted to pure Unix networks. Windows Server (since Windows 2000) exposes Active Directory over LDAP, so the application tasks mentioned above can be served to non-Unix systems as well.

The LDAP principle can be applied to any data structure that needs to be centrally administered. A few application examples are:

  • Replacement for the NIS service

  • Mail routing (postfix, sendmail)

  • Address books for mail clients, like Mozilla, Evolution, and Outlook

  • Administration of zone descriptions for a BIND9 name server

  • User authentication with Samba in heterogeneous networks

This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, as it can be searched more easily.

4.2. Structure of an LDAP Directory Tree

To understand how an LDAP server works and how the data is stored, it is vital to understand the way the data is organized on the server and how this structure enables LDAP to provide fast access to the data. To successfully operate an LDAP setup, you also need to be familiar with some basic LDAP terminology. This section introduces the basic layout of an LDAP directory tree and the terminology used with respect to LDAP. Skip this introductory section if you already have some LDAP background knowledge and just want to learn how to set up an LDAP environment in SUSE Linux Enterprise Desktop.

An LDAP directory has a tree structure. All entries (called objects) of the directory have a defined position within this hierarchy. This hierarchy is called the directory information tree (DIT). The complete path to the desired entry, which unambiguously identifies it, is called the distinguished name or DN. Each component of that path, for example cn=Geeko Linux, is a relative distinguished name or RDN.

The relations within an LDAP directory tree become more evident in the following example, shown in Figure 4.1, “Structure of an LDAP Directory”.

Figure 4.1. Structure of an LDAP Directory

The diagram is a fictional directory information tree with entries on three levels; each entry corresponds to one box in the image. Reduced to the entries the text refers to, the tree looks like this:

  dc=example,dc=com
    ou=doc,dc=example,dc=com
      cn=Geeko Linux,ou=doc,dc=example,dc=com

The complete, valid distinguished name of the fictional employee Geeko Linux is therefore cn=Geeko Linux,ou=doc,dc=example,dc=com. It is formed by prepending the RDN cn=Geeko Linux to the DN of the parent entry, ou=doc,dc=example,dc=com. Because a DN is built from attribute values, a value that itself contains DN syntax (a comma, a plus sign, or a leading '#', for example) must be escaped as described in RFC 4514 before it is used as an RDN; otherwise the entry ends up at a different place in the tree than intended.
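The following is an added example, not code from the chapter or from OpenLDAP, showing how DNs are composed from RDNs and split again with the RFC 4514 escaping rules. It uses only the Python standard library; the DNs are taken from the fictional dc=example,dc=com tree above, and the hostile user name in the demonstration at the bottom is constructed for the example.

```python
"""Compose and split LDAP distinguished names with RFC 4514 escaping.

Added example for this chapter, not code from the original text or from
OpenLDAP. Standard library only; the DNs come from the fictional
dc=example,dc=com tree of Figure 4.1.
"""

# Characters that must be escaped inside an RDN value (RFC 4514, section 2.4).
# '=' is not mandatory to escape, but the RFC permits it and it closes one more
# way of smuggling DN syntax through a value.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in an RDN.

    Besides the special characters, a leading '#' or space and a trailing
    space are escaped, because they are significant at the edges of a value.
    """
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                  # NUL only has a hex form
        elif ch in _SPECIAL or (ch == "#" and i == 0) \
                or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*rdns: tuple) -> str:
    """Join (attribute, value) pairs, leaf first, into a DN string."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in rdns)


def _unescape(raw: str) -> str:
    """Undo RFC 4514 escaping; hex pairs are UTF-8 bytes, so collect bytes."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            buf += raw[i].encode()
            i += 1
        elif i + 1 < len(raw) and (raw[i + 1] in _SPECIAL or raw[i + 1] in " #"):
            buf += raw[i + 1].encode()
            i += 2
        elif i + 2 < len(raw):
            buf.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            raise ValueError(f"dangling escape in {raw!r}")
    return buf.decode()


def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, honouring escapes.

    Multi-valued RDNs (joined with '+') are rejected; the chapter does not
    use them and accepting them silently would hide an injection attempt.
    """
    rdns, start, i = [], 0, 0
    while True:
        if i >= len(dn) or dn[i] == ",":
            attr, eq, raw = dn[start:i].partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN in {dn!r}")
            rdns.append((attr.strip(), _unescape(raw)))
            if i >= len(dn):
                return rdns
            start = i + 1
        elif dn[i] == "\\":
            i += 1                              # skip the escaped character
        elif dn[i] == "+":
            raise ValueError("multi-valued RDNs are not supported here")
        i += 1


def parent_dn(dn: str) -> str:
    """The DN of the entry one level up (empty string for a root entry)."""
    return build_dn(*split_dn(dn)[1:])


if __name__ == "__main__":
    geeko = build_dn(("cn", "Geeko Linux"), ("ou", "doc"), ("dc", "example"), ("dc", "com"))
    print(geeko)                                # cn=Geeko Linux,ou=doc,dc=example,dc=com
    print(parent_dn(geeko))                     # ou=doc,dc=example,dc=com
    # A user-supplied name containing DN syntax (constructed): escaped it stays
    # one RDN; pasted in naively it becomes two and the entry lands under ou=admins.
    hostile = "Geeko,ou=admins"
    print(len(split_dn(build_dn(("cn", hostile), ("ou", "doc")))))   # 2
    print(len(split_dn(f"cn={hostile},ou=doc")))                     # 3
```

The point of the last two lines is the one that matters in practice: when a DN is assembled from user-controlled values (a self-service account form, a provisioning script), build it from escaped RDNs rather than by string formatting, or validate the value against a strict pattern before it reaches the DN.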

The types of objects that can be stored in the DIT are determined by a schema. The object class of an entry determines which attributes that entry must and may carry, so the schema must contain definitions of all object classes and attributes used in the intended application scenario. The LDAP standards define a set of commonly used schema elements (RFC 4519, which obsoletes RFC 2256; the definition syntax itself is specified in RFC 4512). Additional schemas exist for many other use cases (Samba, NIS replacement, and so on). It is also possible to create custom schemas or to combine several complementary schemas, if the environment in which the LDAP server operates requires it.

Table 4.1, “Commonly Used Object Classes and Attributes” offers a small overview of the object classes from core.schema and inetorgperson.schema used in the example, including required attributes and valid attribute values.

Table 4.1. Commonly Used Object Classes and Attributes

  Object Class         Meaning                                                         Example Entry   Required Attributes
  -------------------  --------------------------------------------------------------  --------------  -------------------
  dcObject             domainComponent (name components of the domain)                 example         dc
  organizationalUnit   organizationalUnit (organizational unit)                        doc             ou
  inetOrgPerson        inetOrgPerson (person-related data for the intranet/Internet)   Geeko Linux     sn and cn

Note that dcObject is an auxiliary class: it only adds the dc attribute to an entry and cannot be the entry's only class. The root entry of the example tree therefore also needs a structural class, typically organization, which in turn requires the attribute o.


Example 4.1, “Excerpt from core.schema” shows an excerpt from OpenLDAP's core.schema file with explanations.

Example 4.1. Excerpt from core.schema

attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )         [1]
       DESC 'RFC2256: organizational unit this object belongs to'        [2]
       SUP name )                                                         [3]

objectclass ( 2.5.6.5 NAME 'organizationalUnit'                           [4]
       DESC 'RFC2256: an organizational unit'                             [5]
       SUP top STRUCTURAL                                                 [6]
       MUST ou                                                            [7]
       MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory      [8]
         $ x121Address $ registeredAddress $ destinationIndicator
         $ preferredDeliveryMethod $ telexNumber
         $ teletexTerminalIdentifier $ telephoneNumber
         $ internationaliSDNNumber $ facsimileTelephoneNumber
         $ street $ postOfficeBox $ postalCode $ postalAddress
         $ physicalDeliveryOfficeName
         $ st $ l $ description ) )
  ...

The attribute type organizationalUnitName and the corresponding object class organizationalUnit serve as an example here. The bracketed numbers are callouts, not part of the schema file.

[1] The definition starts with the attribute's unique numerical OID (object identifier), followed by its names: the short form ou and the long form organizationalUnitName. Both names refer to the same attribute type.

[2] A brief description of the attribute with DESC. The RFC on which the definition is based is also mentioned here.

[3] SUP names the attribute type from which this one is derived. organizationalUnitName inherits the syntax and matching rules of name.

[4] The definition of the object class organizationalUnit begins, like the attribute definition, with an OID and the name of the object class.

[5] A brief description of the object class.

[6] SUP top means that the class is derived directly from top, the root of the object class hierarchy, so it has no other superior class. STRUCTURAL means that an entry can be of this class (as opposed to AUXILIARY classes, which only add attributes to an entry, and ABSTRACT classes like top, which cannot be used on their own).

[7] MUST lists all attribute types that an entry of the class organizationalUnit must have. Attributes required by a superior class (top requires objectClass) apply as well.

[8] MAY lists all attribute types that an entry of this class may additionally have. The server rejects an entry that carries any other attribute, unless another of the entry's object classes allows it.

A very good introduction to the use of schemas can be found in the OpenLDAP Administrator's Guide. When installed, find it in /usr/share/doc/packages/openldap2/guide/admin/guide.html.
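To make the schema rules concrete, here is an added example (not code from the chapter or from OpenLDAP) that parses slapd-style attributetype and objectclass definitions and checks whether an entry satisfies the MUST and MAY rules of its object classes, including those inherited through SUP. The embedded SCHEMA_TEXT is the excerpt from Example 4.1 plus the top class as core.schema defines it; the entries checked at the bottom are constructed for the demonstration.

```python
"""Parse slapd-style schema definitions and validate an entry against them.

Added example for this chapter, not code from the original text or from
OpenLDAP. SCHEMA_TEXT is the Example 4.1 excerpt plus the 'top' class as
core.schema defines it; the entries checked at the bottom are constructed.
"""
import re

SCHEMA_TEXT = """
attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
       DESC 'RFC2256: organizational unit this object belongs to'
       SUP name )

objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

objectclass ( 2.5.6.5 NAME 'organizationalUnit'
       DESC 'RFC2256: an organizational unit'
       SUP top STRUCTURAL
       MUST ou
       MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address
         $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod
         $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber
         $ internationaliSDNNumber $ facsimileTelephoneNumber $ street
         $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName
         $ st $ l $ description ) )
"""

# Tokens: a quoted string, one of ( ) $, or a bare word (OID, keyword, name).
_TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")
_WITH_ARG = {"NAME", "DESC", "SUP", "MUST", "MAY", "EQUALITY", "SUBSTR", "ORDERING", "SYNTAX", "USAGE"}
_FLAGS = {"STRUCTURAL", "AUXILIARY", "ABSTRACT", "OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}


def _parse_definition(toks: list) -> dict:
    """Tokens between the outer parentheses -> {'oid', 'flags', KEYWORD: [...]}."""
    toks = [t[1:-1] if t.startswith("'") else t for t in toks]
    spec, i = {"oid": toks[0], "flags": set()}, 1
    while i < len(toks):
        key = toks[i].upper()
        i += 1
        if key in _FLAGS:
            spec["flags"].add(key)
        elif key in _WITH_ARG and i < len(toks):
            if toks[i] == "(":                        # ( a $ b $ c ) list form
                end = toks.index(")", i)
                spec[key] = [t for t in toks[i + 1:end] if t != "$"]
                i = end + 1
            else:
                spec[key] = [toks[i]]
                i += 1
        else:
            raise ValueError(f"unexpected token {key!r} in {spec['oid']}")
    return spec


def load_schema(text: str) -> tuple:
    """Return (attribute types, object classes), each keyed by lower-cased name."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    toks, attrs, classes, i = _TOKEN.findall(text), {}, {}, 0
    while i < len(toks):
        kind = toks[i].lower()
        if kind not in ("attributetype", "objectclass") or i + 1 >= len(toks) or toks[i + 1] != "(":
            i += 1
            continue
        depth, j = 0, i + 1
        while True:                                   # find the matching ')'
            depth += {"(": 1, ")": -1}.get(toks[j], 0)
            if depth == 0:
                break
            j += 1
        spec = _parse_definition(toks[i + 2:j])
        target = attrs if kind == "attributetype" else classes
        for name in spec["NAME"]:                     # every alias maps to the spec
            target[name.lower()] = spec
        i = j + 1
    return attrs, classes


def validate_entry(entry: dict, attrs: dict, classes: dict) -> dict:
    """Return {'missing': set, 'unknown': set}; both empty means the entry fits."""
    def canon(name):                                  # resolve aliases like organizationalUnitName -> ou
        spec = attrs.get(name.lower())
        return spec["NAME"][0].lower() if spec else name.lower()
    must, may, todo = set(), set(), [oc.lower() for oc in entry.get("objectClass", [])]
    while todo:                                       # walk each class and its SUP chain
        name = todo.pop()
        if name not in classes:
            raise ValueError(f"unknown object class {name!r}")
        cls = classes[name]
        must |= {canon(a) for a in cls.get("MUST", [])}
        may |= {canon(a) for a in cls.get("MAY", [])}
        todo.extend(s.lower() for s in cls.get("SUP", []))
    present = {canon(a) for a in entry}
    return {"missing": must - present, "unknown": present - must - may}


ATTRS, CLASSES = load_schema(SCHEMA_TEXT)
DOC_OU = {"objectClass": ["top", "organizationalUnit"], "ou": ["doc"],
          "description": ["Documentation team"]}     # constructed sample entry
```

validate_entry(DOC_OU, ATTRS, CLASSES) reports nothing missing and nothing unknown; an entry of class organizationalUnit without ou is reported as missing it, and one carrying mail is rejected because mail is in neither MUST nor MAY. This is exactly the check slapd performs on every add and modify, which is why an attribute that "should just work" fails until the schema that defines it is loaded.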

4.3. Configuring an LDAP Client with YaST

YaST includes a module to set up LDAP-based user management. If you did not enable this feature during the installation, start the module by selecting Network Services+LDAP Client. YaST automatically enables any PAM and NSS-related changes as required by LDAP and installs the necessary files. Simply connect your client to the server and let YaST manage users over LDAP. This basic setup is described in Section 4.3.1, “Configuring Basic Settings”.

Use the YaST LDAP client to further configure the YaST group and user configuration modules. This includes manipulating the default settings for new users and groups and the number and nature of the attributes assigned to a user or group. LDAP user management allows you to assign far more and different attributes to users and groups than traditional user or group management solutions. This is described in Section 4.3.2, “Configuring the YaST Group and User Administration Modules”.

4.3.1. Configuring Basic Settings

The basic LDAP client configuration dialog (Figure 4.2, “YaST: LDAP Client Configuration”) opens during installation if you choose LDAP user management or when you select Network Services+LDAP Client in the YaST Control Center in the installed system.

Figure 4.2. YaST: LDAP Client Configuration

To authenticate users of your machine against an OpenLDAP server and to enable user management via OpenLDAP, proceed as follows:

  1. Click Use LDAP to enable the use of LDAP. Select Use LDAP but Disable Logins instead if you want the client to use the user and group data from LDAP, but do not want LDAP users to log in to this client.

  2. Enter the address of the LDAP server to use. If you intend to enable TLS in the following steps, enter the server's host name rather than its IP address: the client compares the name it connected to with the name in the server certificate, and an IP address will normally not match.

  3. Enter the LDAP Base DN to select the search base on the LDAP server. To retrieve the base DN automatically, click Fetch DN. YaST then checks for any LDAP database on the server address specified above. Choose the appropriate base DN from the search results given by YaST.

  4. If TLS or SSL-protected communication with the server is required, select LDAP TLS/SSL. Click Download CA Certificate to download the CA certificate in PEM format from a URL. This certificate is what the client will trust the server by, so fetch it over a trusted channel or compare its fingerprint with a value obtained out of band. Without TLS, a simple bind sends the user's password to the server in clear text.

  5. Select Start Automounter to mount remote directories on your client, such as a remotely managed /home.

  6. Select Create Home Directory on Login to have a user's home automatically created on the first user login.

  7. Click OK to apply your settings.

To modify data on the server as administrator, click Advanced Configuration. The following dialog is split into two tabs. See Figure 4.3, “YaST: Advanced Configuration”.

Figure 4.3. YaST: Advanced Configuration

  1. In the Client Settings tab, adjust the following settings according to your needs:

    1. If the search base for users, passwords, and groups differs from the global search base specified in the LDAP base DN, enter these different naming contexts in User Map, Password Map, and Group Map.

    2. Specify the password change protocol. The default, crypt, means that the client hashes the new password itself with crypt and writes the hash into the userPassword attribute. With an OpenLDAP server, exop (the Password Modify extended operation of RFC 3062) is usually preferable: the server then hashes the password according to its own password-hash setting and can enforce its password policy. For details on these and other options, refer to the pam_ldap man page.

    3. Specify the LDAP group to use with Group Member Attribute. The default value for this is member.

    4. If a secure connection requires certificate checking, specify where your CA Certificate File in PEM format is located, or specify a directory with certificates. A certificate directory must contain the files under their OpenSSL hash names (created with c_rehash) for the client library to find them.

    5. If the LDAP server still uses LDAPv2, enable this protocol version by selecting LDAP Version 2. Do so only if unavoidable: LDAPv2 lacks StartTLS and SASL binds, which makes it considerably harder to protect credentials on the wire.

  2. In Administration Settings, adjust the following settings:

    1. Set the base for storing your user management data via Configuration Base DN.

    2. Enter the appropriate value for Administrator DN. This DN must be identical with the rootdn value specified in /etc/openldap/slapd.conf (olcRootDN in a cn=config setup) to enable this particular user to manipulate data stored on the LDAP server. Enter the full DN (such as cn=Administrator,dc=example,dc=com) or activate Append Base DN to have the base DN added automatically when you enter cn=Administrator. Note that the rootdn bypasses all ACLs on the server, so protect its password accordingly.

    3. Check Create Default Configuration Objects to create the basic configuration objects on the server to enable user management via LDAP.

    4. If your client machine needs to act as a file server for home directories across your network, check Home Directories on This Machine.

    5. Use the Password Policy section to select, add, delete, or modify the password policy settings to use. The configuration of password policies with YaST is part of the LDAP server setup.

    6. Click OK to leave the Advanced Configuration, then Finish to apply your settings.

Use Configure User Management Settings to edit entries on the LDAP server. Access to the configuration modules on the server is then granted according to the ACLs and ACIs stored on the server. Follow the procedures outlined in Section 4.3.2, “Configuring the YaST Group and User Administration Modules”.

4.3.2. Configuring the YaST Group and User Administration Modules

Use the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. Define templates with default values for the individual attributes to simplify the data registration. The presets created here are stored as LDAP objects in the LDAP directory. The registration of user data is still done with the regular YaST modules for user and group management. The registered data is stored as LDAP objects on the server.

Figure 4.4. YaST: Module Configuration

The dialog for module configuration (Figure 4.4, “YaST: Module Configuration”) allows the creation of new modules, selection and modification of existing configuration modules, and design and modification of templates for such modules.

To create a new configuration module, proceed as follows:

  1. In the LDAP Client Configuration click Advanced Configuration, then open the Administration Settings tab. Click Configure User Management Settings and enter the LDAP server credentials.

  2. Click New and select the type of module to create. For a user configuration module, select suseUserConfiguration and for a group configuration choose suseGroupConfiguration.

  3. Choose a name for the new template (e.g., userConfig). The content view shows a table listing all attributes allowed in this module and their assigned values.

  4. Accept the preset values or adjust the defaults to use in group and user configurations by selecting the relevant attribute, pressing Edit, and entering the new value. Rename a module by changing the cn attribute of the module. Clicking Delete deletes the currently selected module.

  5. After you click OK, the new module is added to the selection menu.

The YaST modules for group and user administration embed templates with standard values. To edit a template associated with a configuration module, start the object template configuration (Figure 4.5, “YaST: Configuration of an Object Template”).

  1. In the Module Configuration dialog, click Configure Template.

  2. Determine the values of the general attributes assigned to this template according to your needs or leave them empty. Empty attributes are deleted on the LDAP server.

  3. Modify, delete, or add new default values for new objects (user or group configuration objects in the LDAP tree).

Figure 4.5. YaST: Configuration of an Object Template

Connect the template to its module by setting the susedefaulttemplate attribute value of the module to the DN of the adapted template.

[Tip]

The default values for an attribute can be created from other attributes by using a variable instead of an absolute value. For example, when creating a new user, cn=%sn %givenName is created automatically from the attribute values for sn and givenName.

Once all modules and templates are configured correctly and ready to run, new groups and users can be registered in the usual way with YaST.

4.4. Configuring LDAP Users and Groups in YaST

The actual registration of user and group data differs only slightly from the procedure when not using LDAP. The following instructions relate to the administration of users. The procedure for administering groups is analogous.

  1. Access the YaST user administration with Security and Users+User and Group Management.

  2. Use Set Filter to limit the view of users to the LDAP users and enter the password for Root DN.

  3. Click Add to enter the user configuration. A dialog with four tabs opens:

    1. Specify username, login, and password in the User Data tab.

    2. Check the Details tab for the group membership, login shell, and home directory of the new user. If necessary, change the default to values that better suit your needs. The default values (as well as those of the password settings) can be defined with the procedure described in Section 4.3.2, “Configuring the YaST Group and User Administration Modules”.

    3. Modify or accept the default Password Settings.

    4. Enter the Plug-Ins tab, select the LDAP plug-in, and click Launch to configure additional LDAP attributes assigned to the new user (see Figure 4.6, “YaST: Additional LDAP Settings”).

  4. Click OK to apply your settings and leave the user configuration.

Figure 4.6. YaST: Additional LDAP Settings

The initial input form of user administration offers LDAP Options. This allows you to apply LDAP search filters to the set of available users. Alternatively open the module for configuring LDAP users and groups by selecting LDAP User and Group Configuration.
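The following added example (not YaST or OpenLDAP code) ties together the template mechanism from Section 4.3.2 and the user registration described in this section: it expands a template whose cn default is the chapter's cn=%sn %givenName, hashes the password in the {SSHA} form that OpenLDAP stores in userPassword, and emits the resulting inetOrgPerson/posixAccount entry as LDIF. USER_TEMPLATE, the sample user GEEKO and the fixed salt are constructed for the demonstration; the LDIF quoting follows RFC 2849.

```python
"""Expand a YaST-style object template into a user entry and emit it as LDIF.

Added example for this chapter, not YaST or OpenLDAP code. The %attr
placeholder syntax is the one the chapter's tip describes; USER_TEMPLATE,
the sample user and the fixed salt used for the printout are constructed.
{SSHA} hashing and the LDIF quoting rules follow OpenLDAP and RFC 2849.
"""
import base64
import hashlib
import hmac
import os
import re

USER_TEMPLATE = {                 # defaults such a template object might carry
    "cn": "%sn %givenName",
    "homeDirectory": "/home/%uid",
    "loginShell": "/bin/bash",
    "gidNumber": "100",
}
_VAR = re.compile(r"%([A-Za-z]+)")
_POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# RFC 2849 SAFE-STRING: no NUL/CR/LF anywhere; no leading space, ':' or '<'.
_SAFE = re.compile(r"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*$")


def expand_template(template: dict, data: dict) -> dict:
    """Fill %attr placeholders from data; explicit data overrides defaults."""
    def lookup(m):
        name = m.group(1)
        if name not in data:
            raise KeyError(f"template needs attribute {name!r}")
        return data[name]
    entry = {k: _VAR.sub(lookup, v) for k, v in template.items()}
    entry.update(data)
    return entry


def ssha_hash(password: str, salt=None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line; base64 ('::') when the value is not LDIF-safe."""
    if _SAFE.match(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def user_ldif(data: dict, password: str,
              base_dn: str = "ou=doc,dc=example,dc=com", salt=None) -> str:
    """LDIF for an inetOrgPerson/posixAccount entry under base_dn."""
    entry = expand_template(USER_TEMPLATE, data)
    # The uid becomes the RDN. Restricting it to a plain POSIX name means it
    # can never contain DN syntax, so the DN needs no further escaping.
    if not _POSIX_NAME.match(entry["uid"]):
        raise ValueError(f"refusing uid {entry['uid']!r}: not a plain POSIX name")
    lines = [f"dn: uid={entry['uid']},{base_dn}"]
    lines += [f"objectClass: {oc}" for oc in ("top", "inetOrgPerson", "posixAccount")]
    lines += [ldif_line(attr, entry[attr]) for attr in sorted(entry)]
    lines.append(ldif_line("userPassword", ssha_hash(password, salt)))
    return "\n".join(lines) + "\n"


GEEKO = {"uid": "geeko", "givenName": "Geeko", "sn": "Linux", "uidNumber": "1001"}

if __name__ == "__main__":
    print(user_ldif(GEEKO, "secret", salt=b"saltsalt"))
```

Two design points are worth noting. {SSHA} is the historical OpenLDAP default and is shown here because it is what most existing directories contain; a new deployment should let the server hash passwords (the exop option from Section 4.3.1) with a stronger scheme such as {CRYPT} using SHA-512 crypt or {SSHA512}. And the uid check is deliberately strict: a single validated RDN value is simpler and safer than escaping arbitrary input.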

4.5. Browsing the LDAP Directory Tree

To conveniently browse the LDAP directory tree and all its entries, use the YaST LDAP Browser:

  1. Log in as root.

  2. Start YaST+Network Services+LDAP Browser.

  3. Enter the address of the LDAP server, the Administrator DN, and the password for the Root DN of this server (if you need both to read and write the data stored on the server).

    Alternatively, choose Anonymous Access and do not provide a password. This gives read access only to what the server's ACLs expose to anonymous clients, which may be nothing beyond the root DSE.

    The LDAP Tree tab displays the content of the LDAP directory to which your machine connected. Click to expand each item's submenu.

    Figure 4.7. Browsing the LDAP Directory Tree

  4. To view any entry in detail, select it in the LDAP Tree view and open the Entry Data tab.

    All attributes and values associated with this entry are displayed.

    Figure 4.8. Browsing the Entry Data

  5. To change the value of any of these attributes, select the attribute, click Edit, enter the new value, click Save, and provide the Root DN password when prompted.

  6. Leave the LDAP browser with Close.

4.6. For More Information

More complex subjects, like SASL configuration or setting up replication so that several servers share the load, were omitted from this chapter. Find detailed information about both subjects in the OpenLDAP 2.4 Administrator's Guide at http://www.openldap.org/doc/admin24/.

The Web site of the OpenLDAP project offers exhaustive documentation for beginner and advanced LDAP users:

OpenLDAP Faq-O-Matic

A detailed question and answer collection applying to the installation, configuration, and use of OpenLDAP. Find it at http://www.openldap.org/faq/data/cache/1.html.

Quick Start Guide

Brief step-by-step instructions for installing your first LDAP server. Find it at http://www.openldap.org/doc/admin24/quickstart.html or on an installed system in Section 2 of /usr/share/doc/packages/openldap2/guide/admin/guide.html.

OpenLDAP 2.4 Administrator's Guide

A detailed introduction to all important aspects of LDAP configuration, including access controls and encryption. See http://www.openldap.org/doc/admin24/ or, on an installed system, /usr/share/doc/packages/openldap2/guide/admin/guide.html.

Understanding LDAP

A detailed general introduction to the basic principles of LDAP: http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf.

Printed literature about LDAP:

  • LDAP System Administration by Gerald Carter (ISBN 1-56592-491-6)

  • Understanding and Deploying LDAP Directory Services by Howes, Smith, and Good (ISBN 0-672-32316-8)

The ultimate reference material for the subject of LDAP are the corresponding RFCs (request for comments): RFC 4510 to 4519 for LDAPv3, which obsolete the earlier RFC 2251 to 2256.