Contents
Abstract
The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for user and group management, system configuration management, address management, and more. This chapter provides a basic understanding of how OpenLDAP works and how to manage LDAP data with YaST.
In a network environment it is crucial to keep important information structured and to serve it quickly. A directory service—like the common yellow pages, keeps information available in a well-structured and readily-searchable form.
Ideally, a central server stores the data in a directory and distributes it to all clients using a well-defined protocol. The structured data allow a wide range of applications to access them. A central repository reduces the necessary administrative effort. The use of an open and standardized protocol like LDAP ensures that as many different client applications as possible can access such information.
A directory in this context is a type of database optimized for quick and effective reading and searching:
To make multiple concurrent reading accesses possible, the number of updates is usually very low. The number of read and write accesses is often limited to a few users with administrative privileges. In contrast, conventional databases are optimized for accepting the largest possible data volume in a short time.
When static data is administered, updates of the existing data sets are very rare. When working with dynamic data, especially when data sets like bank accounts or accounting are concerned, the consistency of the data is of primary importance. If an amount should be subtracted from one place to be added to another, both operations must happen concurrently, within one transaction, to ensure balance over the data stock. Traditional relational databases usually have a very strong focus on data consistency, such as the referential integrity support of transactions. Conversely, short-term inconsistencies are usually acceptable in LDAP directories. LDAP directories often do not have such strong consistency requirements as relational databases.
The design of a directory service like LDAP is not laid out to support complex update or query mechanisms. All applications are guaranteed to access this service quickly and easily.
Unix system administrators traditionally use NIS (Network Information
Service) for name resolution and data distribution in a network. The
configuration data contained in the files group,
hosts, mail,
netgroup, networks,
passwd, printcap,
protocols, rpc, and
services in the /etc directory
is distributed to clients all over the network. These files can be
maintained without major effort because they are simple text files. The
handling of larger amounts of data, however, becomes increasingly
difficult due to nonexistent structuring. NIS is only designed for Unix
platforms, and is not suitable as a centralized data administration tool
in heterogeneous networks.
Unlike NIS, the LDAP service is not restricted to pure Unix networks. Windows servers (from 2000) support LDAP as a directory service. The application tasks mentioned above are additionally supported in non-Unix systems.
The LDAP principle can be applied to any data structure that needs to be centrally administered. A few application examples are:
Replacement for the NIS service
Mail routing (postfix, sendmail)
Address books for mail clients, like Mozilla, Evolution, and Outlook
Administration of zone descriptions for a BIND9 name server
User authentication with Samba in heterogeneous networks
This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, as it can be searched more easily.
To get background knowledge on how a LDAP server works and how the data is stored, it is vital to understand the way the data is organized on the server and how this structure enables LDAP to provide fast access to the data. To successfully operate an LDAP setup, you also need to be familiar with some basic LDAP terminology. This section introduces the basic layout of an LDAP directory tree and provides the basic terminology used with respect to LDAP. Skip this introductory section if you already have some LDAP background knowledge and just want to learn how to set up an LDAP environment in SUSE Linux Enterprise Desktop.
An LDAP directory has a tree structure. All entries (called objects) of the directory have a defined position within this hierarchy. This hierarchy is called the directory information tree (DIT). The complete path to the desired entry, which unambiguously identifies it, is called the distinguished name or DN. A single node along the path to this entry is called relative distinguished name or RDN.
The relations within an LDAP directory tree become more evident in the following example, shown in Figure 4.1, “Structure of an LDAP Directory”.
The complete diagram is a fictional directory information tree. The
entries on three levels are depicted. Each entry corresponds to one box
in the image. The complete, valid distinguished name
for the fictional employee Geeko
Linux, in this case, is cn=Geeko
Linux,ou=doc,dc=example,dc=com. It is composed by adding the
RDN cn=Geeko Linux to the DN of the preceding entry
ou=doc,dc=example,dc=com.
The types of objects that can be stored in the DIT are globally determined following a Schema. The type of an object is determined by the object class. The object class determines what attributes the relevant object must or can be assigned. The Schema, therefore, must contain definitions of all object classes and attributes used in the desired application scenario. There are a few common Schemas (see RFC 2252 and 2256). The LDAP RFC defines a few commonly used Schemas (see e.g., RFC4519). Additionally there are Schemas available for many other use cases (e.g., Samba, NIS replacement, etc.). It is, however, possible to create custom Schemas or to use multiple Schemas complementing each other (if this is required by the environment in which the LDAP server should operate).
Table 4.1, “Commonly Used Object Classes and Attributes” offers a small overview of the object
classes from core.schema and
inetorgperson.schema used in the example, including
required attributes and valid attribute values.
Table 4.1. Commonly Used Object Classes and Attributes¶
|
Object Class |
Meaning |
Example Entry |
Required Attributes |
|---|---|---|---|
|
dcObject |
domainComponent (name components of the domain) |
example |
dc |
|
organizationalUnit |
organizationalUnit (organizational unit) |
doc |
ou |
|
inetOrgPerson |
inetOrgPerson (person-related data for the intranet or Internet) |
Geeko Linux |
sn and cn |
Example 4.1, “Excerpt from schema.core” shows an excerpt from a Schema directive with explanations.
Example 4.1. Excerpt from schema.core¶
attributetype (2.5.4.11 NAME ( 'ou' 'organizationalUnitName')DESC 'RFC2256: organizational unit this object belongs to'
SUP name )
objectclass ( 2.5.6.5 NAME 'organizationalUnit'
DESC 'RFC2256: an organizational unit'
SUP top STRUCTURAL
MUST ou
MAY (userPassword $ searchGuide $ seeAlso $ businessCategory
$ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description) ) ...
The attribute type organizationalUnitName and the
corresponding object class organizationalUnit serve as
an example here.
The name of the attribute, its unique OID (object identifier) (numerical), and the abbreviation of the attribute. | |
A brief description of the attribute with | |
| |
The definition of the object class
| |
A brief description of the object class. | |
The | |
With | |
With |
A very good introduction to the use of Schemas can be found in the
OpenLDAP documentation. When installed, find it in
/usr/share/doc/packages/openldap2/guide/admin/guide.html.
YaST includes a module to set up LDAP-based user management. If you did not enable this feature during the installation, start the module by selecting +. YaST automatically enables any PAM and NSS-related changes as required by LDAP and installs the necessary files. Simply connect your client to the server and let YaST manage users over LDAP. This basic setup is described in Section 4.3.1, “Configuring Basic Settings”.
Use the YaST LDAP client to further configure the YaST group and user configuration modules. This includes manipulating the default settings for new users and groups and the number and nature of the attributes assigned to a user or group. LDAP user management allows you to assign far more and different attributes to users and groups than traditional user or group management solutions. This is described in Section 4.3.2, “Configuring the YaST Group and User Administration Modules”.
The basic LDAP client configuration dialog (Figure 4.2, “YaST: LDAP Client Configuration”) opens during installation if you choose LDAP user management or when you select + in the YaST Control Center in the installed system.
To authenticate users of your machine against an OpenLDAP server and to enable user management via OpenLDAP, proceed as follows:
Click to enable the use of LDAP. Select instead if you want to use LDAP for authentication, but do not want other users to log in to this client.
Enter the IP address of the LDAP server to use.
Enter the to select the search base on the LDAP server. To retrieve the base DN automatically, click . YaST then checks for any LDAP database on the server address specified above. Choose the appropriate base DN from the search results given by YaST.
If TLS or SSL-protected communication with the server is required, select . Click to download a certificate in PEM format from a URL.
Select to mount remote
directories on your client, such as a remotely managed
/home.
Select to have a user's home automatically created on the first user login.
Click to apply your settings.
To modify data on the server as administrator, click . The following dialog is split into two tabs. See Figure 4.3, “YaST: Advanced Configuration”.
In the tab, adjust the following settings according to your needs:
If the search base for users, passwords, and groups differs from the global search base specified in the , enter these different naming contexts in , , and .
Specify the password change protocol. The standard method to use
whenever a password is changed is crypt,
meaning that password hashes generated by crypt
are used. For details on this and other options, refer to the
pam_ldap man page.
Specify the LDAP group to use with . The default value for this is
member.
If a secure connection requires certificate checking, specify where your in PEM format is located. Or specify a directory with certificates.
If the LDAP server still uses LDAPv2, enable the use of this protocol version by selecting .
In , adjust the following settings:
Set the base for storing your user management data via .
Enter the appropriate value for .
This DN must be identical with the rootdn value
specified in /etc/openldap/slapd.conf to enable
this particular user to manipulate data stored on the LDAP server.
Enter the full DN (such as
cn=Administrator,dc=example,dc=com) or activate
to have the base DN added
automatically when you enter cn=Administrator.
Check to create the basic configuration objects on the server to enable user management via LDAP.
If your client machine needs to act as a file server for home directories across your network, check .
Use the section to select, add, delete, or modify the password policy settings to use. The configuration of password policies with YaST is part of the LDAP server setup.
Click to leave the , then to apply your settings.
Use to edit entries on the LDAP server. Access to the configuration modules on the server is then granted according to the ACLs and ACIs stored on the server. Follow the procedures outlined in Section 4.3.2, “Configuring the YaST Group and User Administration Modules”.
Use the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. Define templates with default values for the individual attributes to simplify the data registration. The presets created here are stored as LDAP objects in the LDAP directory. The registration of user data is still done with the regular YaST modules for user and group management. The registered data is stored as LDAP objects on the server.
The dialog for module configuration (Figure 4.4, “YaST: Module Configuration”) allows the creation of new modules, selection and modification of existing configuration modules, and design and modification of templates for such modules.
To create a new configuration module, proceed as follows:
In the click , then open the tab. Click and enter the LDAP server credentials.
Click and select the type of module to create.
For a user configuration module, select
suseUserConfiguration and for a group configuration
choose suseGroupConfiguration.
Choose a name for the new template (e.g.,
userConfig). The content view shows a table listing
all attributes allowed in this module and their assigned values.
Accept the preset values or adjust the defaults to use in group and
user configurations by selecting the relevant attribute, pressing
, and entering the new value. Rename a module
by changing the cn attribute of the module.
Clicking deletes the currently selected
module.
After you click , the new module is added to the selection menu.
The YaST modules for group and user administration embed templates with standard values. To edit a template associated with a configuration module, start the object template configuration (Figure 4.5, “YaST: Configuration of an Object Template”).
In the dialog, click .
Determine the values of the general attributes assigned to this template according to your needs or leave them empty. Empty attributes are deleted on the LDAP server.
Modify, delete, or add new default values for new objects (user or group configuration objects in the LDAP tree).
Connect the template to its module by setting the
susedefaulttemplate attribute value of the module to
the DN of the adapted template.
![]() | |
The default values for an attribute can be created from other
attributes by using a variable instead of an absolute value. For
example, when creating a new user, | |
Once all modules and templates are configured correctly and ready to run, new groups and users can be registered in the usual way with YaST.
The actual registration of user and group data differs only slightly from the procedure when not using LDAP. The following instructions relate to the administration of users. The procedure for administering groups is analogous.
Access the YaST user administration with +.
Use to limit the view of users to the LDAP users and enter the password for Root DN.
Click to enter the user configuration. A dialog with four tabs opens:
Specify username, login, and password in the tab.
Check the tab for the group membership, login shell, and home directory of the new user. If necessary, change the default to values that better suit your needs. The default values (as well as those of the password settings) can be defined with the procedure described in Section 4.3.2, “Configuring the YaST Group and User Administration Modules”.
Modify or accept the default .
Enter the tab, select the LDAP plug-in, and click to configure additional LDAP attributes assigned to the new user (see Figure 4.6, “YaST: Additional LDAP Settings”).
Click to apply your settings and leave the user configuration.
The initial input form of user administration offers . This allows you to apply LDAP search filters to the set of available users. Alternatively open the module for configuring LDAP users and groups by selecting .
To conveniently browse the LDAP directory tree and all its entries, use the YaST LDAP Browser:
Log in as root.
Start ++.
Enter the address of the LDAP server, the Administrator DN, and the password for the Root DN of this server (if you need both to read and write the data stored on the server).
Alternatively, choose and do not provide the password to gain read access to the directory.
The tab displays the content of the LDAP directory to which your machine connected. Click to expand each item's submenu.
To view any entry in detail, select it in the view and open the tab.
All attributes and values associated with this entry are displayed.
To change the value of any of these attributes, select the attribute, click , enter the new value, click , and provide the Root DN password when prompted.
Leave the LDAP browser with .
More complex subjects (like SASL configuration or establishment of a replicating LDAP server that distributes the workload among multiple slaves) were omitted from this chapter. Find detailed information about both subjects in the OpenLDAP 2.4 Administrator's Guide—see at OpenLDAP 2.4 Administrator's Guide.
The Web site of the OpenLDAP project offers exhaustive documentation for beginner and advanced LDAP users:
A detailed question and answer collection applying to the installation, configuration, and use of OpenLDAP. Find it at http://www.openldap.org/faq/data/cache/1.html.
Brief step-by-step instructions for installing your first LDAP server.
Find it at
http://www.openldap.org/doc/admin24/quickstart.html
or on an installed system in Section 2 of
/usr/share/doc/packages/openldap2/guide/admin/guide.html.
A detailed introduction to all important aspects of LDAP
configuration, including access controls and encryption. See
http://www.openldap.org/doc/admin24/ or, on an
installed system,
/usr/share/doc/packages/openldap2/guide/admin/guide.html.
A detailed general introduction to the basic principles of LDAP: http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf.
Printed literature about LDAP:
LDAP System Administration by Gerald Carter (ISBN 1-56592-491-6)
Understanding and Deploying LDAP Directory Services by Howes, Smith, and Good (ISBN 0-672-32316-8)
The ultimate reference material for the subject of LDAP are the corresponding RFCs (request for comments), 2251 to 2256.