LDAP Basic


LDAP

Basic Concepts

What is LDAP

  • LDAP stands for Lightweight Directory Access Protocol.

  • LDAP is a message-oriented protocol.

LDAP Protocol Operations

LDAP has nine protocol operations, which can be divided into 3 categories:

  1. Interrogation operations: search, compare.

  2. Update operations: add, delete, modify, modify DN (rename).

  3. Authentication and control operations: bind, unbind, abandon.

  • The bind operation allows a client to identify itself to the directory by providing an identity and authentication credentials;

  • the unbind operation allows the client to terminate a session;

  • the abandon operation allows a client to indicate that it is no longer interested in the results of an operation it had previously submitted.

A typical LDAP client/server exchange:

Step 1. The client opens a TCP connection to an LDAP server and submits a bind operation. This bind operation includes the name of the directory entry the client wants to authenticate as, along with the credentials to be used for authenticating. Credentials are often simple passwords, but they might also be digital certificates used to authenticate the client.

Step 2. After the directory has verified the bind credentials by checking that the password or digital certificate is correct, it returns a success result to the client.

Step 3. The client issues a search request.

Steps 4 and 5. The server processes this request, which results in two matching entries being returned to the client.

Step 6. The server sends a result message.

Step 7. The client then issues an unbind request, which indicates to the server that the client wants to disconnect.

Step 8. The server obliges by closing the connection.

Suffixes, subsuffixes and chained suffixes

  • A suffix is a subtree or branch whose entire contents are treated as a unit for administrative tasks. It is located at the root of the directory tree.

For example, dc=example,dc=com.

Entries, Attributes and Values

  • An entry is the basic unit of information in the directory. An entry is composed of a set of attributes.

  • Each attribute has a type and one or more values, for example cn=abc, uid=swang, mail=swang@sun.com.

  • Attribute types have a syntax and a set of rules.

  • An attribute can hold multiple values or only a single value; the administrator specifies which.

  • Required Attributes and Allowed Attributes

For example, an entry that describes a person has required attributes (cn and sn); other attributes are allowed but not required.

  • User Attributes and Operational Attributes

For operational attributes:

  • a typical operational attribute is modifyTimeStamp;

  • they are maintained by the directory server;

  • they are not included in an entry sent to the client unless the client requests them by name.

LDAP Schema

  • The schema decides what types of entries the directory tree contains and which attributes are available to each entry.

  • Unlike a relational database schema, an LDAP schema has no bearing on the arrangement of entries in the directory or the relationships between them.

  • The standard schema is located in /var/opt/mps/serverroot/slapd-cod/config/schema; see the file 00core.ldif.

DN (Distinguished Name )

  • A DN is a name that refers to an entry, for example:

uid=bjensen, ou=people, dc=example, dc=com

uid=bjensen,ou=people,dc=example,dc=com

  • The space after each comma is optional, so the two forms above are equivalent.

RDN (Relative Distinguished Name)

  • The leftmost component of a DN.

  • Among a set of peer entries, RDN must be unique.
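As an added example (not code from the original post), the following Python splits a DN into its RDNs, normalises the optional whitespace after commas so the two spellings above compare equal, and checks the rule that RDNs are unique among sibling entries. It assumes DNs contain no escaped commas.

```python
# Added example (not from the original post): split a DN into its RDNs,
# normalise the optional whitespace after commas, and check the RDN
# uniqueness rule among sibling entries. Escaped commas (RFC 4514 "\,")
# are assumed not to occur in the input.

def parse_dn(dn):
    """Return the RDNs of dn as (attribute, value) pairs, leftmost first."""
    rdns = []
    for component in dn.split(","):
        attr, sep, value = component.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {component!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def normalize_dn(dn):
    """Canonical spelling: no space after commas, lowercase attribute types."""
    return ",".join(f"{attr}={value}" for attr, value in parse_dn(dn))

def dn_equal(a, b):
    """The two spellings shown above compare equal after normalisation."""
    return normalize_dn(a) == normalize_dn(b)

def rdn(dn):
    """The leftmost component, which names the entry relative to its parent."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"

def parent_dn(dn):
    """Everything to the right of the RDN."""
    return ",".join(f"{attr}={value}" for attr, value in parse_dn(dn)[1:])

def siblings_have_unique_rdns(dns):
    """RDNs must be unique among peers, i.e. entries that share a parent.
    Values are compared case-insensitively, as caseIgnoreMatch would."""
    seen = set()
    for dn in dns:
        key = (parent_dn(dn), rdn(dn).lower())
        if key in seen:
            return False
        seen.add(key)
    return True
```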

Groups and Roles

  • A group is an entry that identifies the other entries that are its members.

  • Roles are a grouping mechanism that lets you determine role membership as soon as an entry is retrieved from the directory.

Static Groups and Dynamic Groups

  • Static groups explicitly name their member entries. For example:

dn: cn=PD Managers,ou=groups,dc=example,dc=com
ou: groups
description: People who can manage engineer entries
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=kwinters, ou=People, dc=example,dc=com
uniqueMember: uid=trigden, ou=People, dc=example,dc=com
cn: PD Managers

  • Static groups are suitable for groups with few members. For better performance, a group should not have more than 20000 members.

  • Dynamic groups specify a filter, and all entries that match the filter belong to the group.

Managed, Filtered, and Nested Roles


LDIF

LDAP Data Interchange Format (LDIF) is a standard text-based format for describing directory entries, defined in RFC 2849.

LDIF allows you to export your directory data and import it into another directory server.

There are two types of LDIF file. The first type describes a set of directory entries; the other type is a series of LDIF update statements that describe changes to be applied to directory entries.
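An added example, not part of the original post: a small parser for the entry form of LDIF, fed the PD Managers group entry shown earlier, with a membership check on uniqueMember. The change-record form (changetype:) is not handled, and attribute names are lowercased because LDAP treats them case-insensitively.

```python
# Added example (not from the original post): a minimal parser for the entry form
# of LDIF (RFC 2849), applied to the "PD Managers" static group shown earlier.
import base64
def parse_ldif(text):
    """Return entries as {"dn": str, "attrs": {name: [values]}}; names lowercased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):          # comment lines are dropped
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if value.startswith(":"):              # name:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if current is None:
            if name == "version":              # optional "version: 1" header
                continue
            if name != "dn":
                raise ValueError(f"entry must begin with dn:, got {name!r}")
            current = {"dn": value, "attrs": {}}
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries

def is_member(group, dn):
    members = {m.replace(", ", ",") for m in group["attrs"].get("uniquemember", [])}
    return dn.replace(", ", ",") in members

# Constructed sample: the static group entry from this post, as LDIF text.
GROUP_LDIF = """\
dn: cn=PD Managers,ou=groups,dc=example,dc=com
ou: groups
description: People who can manage engineer entries
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=kwinters, ou=People, dc=example,dc=com
uniqueMember: uid=trigden, ou=People, dc=example,dc=com
cn: PD Managers
"""
```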


Start and Stop Directory Server

/usr/sbin/directoryserver start

/usr/sbin/directoryserver start-admin

/usr/sbin/directoryserver startconsole

/usr/sbin/directoryserver stop-admin

/usr/sbin/directoryserver stop

Search Entries

A search takes 8 parameters:

  1. Base object: the DN of the entry at which the search starts.

  2. Search scope: one of base, one, or sub; the default is sub.

  3. Alias dereferencing options.

  4. Size limit.

  5. Time limit.

  6. Attributes-only parameter.

  7. Search filter.

  8. List of attributes to return.

Examples:

  • Simple retrieval

ldapsearch -b "dc=example,dc=com" "uid=swang"

  • Retrieving only certain attributes

ldapsearch -b "dc=example,dc=com" "uid=swang" cn mail

  • Binding as a DN with a password

ldapsearch -h localhost -D "uid=bjensen,ou=people,dc=example,dc=com" -w hifalutin -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)"

  • Retrieving person entries located in either cupertino or sunnyvale

ldapsearch -h localhost -s sub -b "dc=example,dc=com" "(&(|(L=cupertino)(L=sunnyvale))(objectclass=person))"

  • Retrieving a single entry

ldapsearch -b "uid=swang, ou=people, dc=example, dc=com" -s base "objectclass=*"

  • Listing all entries directly below an entry

ldapsearch -b "uid=swang, ou=people, dc=example, dc=com" -s one "objectclass=*"

  • Searching for matching entries within a subtree

ldapsearch -b "uid=swang, ou=people, dc=example, dc=com" -s sub "objectclass=*"
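An added example, not part of the original post: an evaluator for the filter and scope forms used in the ldapsearch commands above (&, |, equality and presence, with base/one/sub scope), run over a constructed in-memory directory; a dynamic group's filter is matched the same way. Attribute names in the sample directory are lowercased, and the filter syntax covered is limited to what this page shows.

```python
# Added example (not from the original post): evaluate the filter subset used on
# this page (&, |, equality, presence) with the base/one/sub scope rule.

def parse_filter(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|":                        # (&(...)(...)) or (|(...)(...))
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)                   # simple item: (attr=value)
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("=", attr.strip().lower(), value.strip()), end + 1

def matches(node, entry):
    """entry maps lowercase attribute names to lists of values."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(kid, entry) for kid in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                        # presence test, as in (objectclass=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # caseIgnoreMatch

def in_scope(base, dn, scope):              # same meaning as ldapsearch -s
    b = [p.strip().lower() for p in base.split(",")]
    d = [p.strip().lower() for p in dn.split(",")]
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(directory, base, scope, filter_text):
    if not filter_text.startswith("("):     # ldapsearch accepts a bare objectclass=*
        filter_text = f"({filter_text})"
    node, _ = parse_filter(filter_text)
    return [dn for dn, e in directory.items() if in_scope(base, dn, scope) and matches(node, e)]

DIRECTORY = {   # constructed sample directory (not from the post): dn -> attributes
    "uid=swang,ou=people,dc=example,dc=com": {"objectclass": ["top", "person"], "l": ["Cupertino"]},
    "uid=bjensen,ou=people,dc=example,dc=com": {"objectclass": ["top", "person"], "l": ["Santa Clara"]},
    "ou=people,dc=example,dc=com": {"objectclass": ["top", "organizationalUnit"]},
}
```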

Managing Access Control

ACI

  • ACI stands for Access Control Instruction.

  • An ACI is stored in an entry as the aci attribute. For example:

aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

  • The aci attribute is multi-valued.

ACI Structures

  • Target - Determines the entry or attributes to which the permissions will apply.

  • Permission - Defines what operations are allowed or denied.

  • Bind Rule - Determines who is subject to the ACI based on their bind DN.

ACI Syntax

aci: (target)(version 3.0; acl "name"; permission bindRules;)

  • target specifies the entry, attributes, or set of entries and attributes for which you want to control access. The target can be a distinguished name, one or more attributes, or a single LDAP filter. The target is optional. When the target is not specified, the ACI applies to the entire entry where it is defined and all of its children.

  • version 3.0 is a required string that identifies the ACI version.

  • name is a name for the ACI. The name can be any string that identifies the ACI. The ACI name is required and should describe the effect of the ACI.

  • permission specifically states what rights you are either allowing or denying, for example read or search rights.

  • bindRules specify the credentials and bind parameters that a user has to provide to be granted access. Bind rules can also be based on user or group membership or connection properties of the client.

Target and Target Attributes

Table 6-1 LDIF Target Keywords

Keyword          Valid Expressions             Wildcard Allowed?
target           ldap:///distinguished_name    yes
targetattr       attribute                     yes
targetfilter     LDAP_filter                   yes
targattrfilters  LDAP_operation:LDAP_filter    yes


Permission

  • Syntax

allow|deny (rights)

  • rights

    read, write, add, delete, search, compare, selfwrite, proxy, import and all.

    aci: (target="ldap:///dc=example,dc=com") (version 3.0; acl "example"; allow (read, search, compare) bindRule;)

Bind Rule

Table 6-2 LDIF Bind Rule Keywords

Keyword     Valid Expressions                                  Wildcard Allowed?
userdn      ldap:///distinguished_name                         yes, in DN only
            ldap:///all
            ldap:///anyone
            ldap:///self
            ldap:///parent
            ldap:///suffix??sub?(filter)
groupdn     [ldap:///DN]                                       no
roledn      [ldap:///DN]                                       no
userattr    attribute#bindType or attribute#value              no
ip          IP_address                                         yes
dns         DNS_host_name                                      yes
dayofweek   sun, mon, tue, wed, thu, fri, sat                  no
timeofday   0 - 2359                                           no
authmethod  none, simple, ssl, sasl authentication_method      no


ACI Examples

  • Anonymous access

aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
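An added example, not part of the original post or of Directory Server: a parser that splits an aci value into the target, name, permission and bind-rule parts of the syntax described above, applied to the anonymous-access ACI, plus a check that an ACI open to ldap:///anyone keeps userPassword out of its target. The regular expressions and function names are mine and cover only the forms shown on this page.

```python
# Added example (not from the original post): split an aci value into target,
# name, permission and bind-rule parts following the syntax above, then run one
# defensive check over the result. The regular expressions cover the single-
# clause forms shown on this page, not every construct Directory Server accepts.
import re

TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.S)

def parse_aci(aci):
    """Return {"targets": [(keyword, op, value)], "name": str, "rules": [...]}."""
    value = (aci.split(":", 1)[1] if aci.lower().startswith("aci:") else aci).strip()
    body = BODY_RE.search(value)
    if body is None:
        raise ValueError('missing (version 3.0; acl "name"; ...) part')
    targets = TARGET_RE.findall(value[:body.start()])   # everything before (version
    rules = [{"effect": effect,
              "rights": [r.strip() for r in rights.split(",") if r.strip()],
              "bindrule": bindrule}
             for effect, rights, bindrule in RULE_RE.findall(body.group(2))]
    if not rules:
        raise ValueError("no permission/bindRule clause")
    return {"targets": targets, "name": body.group(1), "rules": rules}

def password_in_target(parsed):
    """Whether userPassword falls inside the targetattr (all attributes if absent)."""
    for keyword, op, val in parsed["targets"]:
        if keyword == "targetattr":
            listed = "userpassword" in val.lower() or "*" in val
            return listed if op == "=" else not listed
    return True

def anonymous_password_warnings(parsed):
    """Flag allow rules open to ldap:///anyone whose target still covers userPassword."""
    warnings = []
    for rule in parsed["rules"]:
        open_to_anyone = "ldap:///anyone" in rule["bindrule"].lower()
        grants_read = bool({"read", "all"} & set(rule["rights"]))
        if (rule["effect"] == "allow" and open_to_anyone and grants_read
                and password_in_target(parsed)):
            warnings.append(f'ACI "{parsed["name"]}" lets anyone read userPassword')
    return warnings
```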

