LDAP Applied
Fran Fabrizio
Sr. Systems Administrator
Dept. of Computer & Information Sciences
U of Alabama at Birmingham
EuroOSCON
Amsterdam, The Netherlands
October 17-20, 2005
This talk....
WILL
● Briefly review LDAP concepts
● Cover common uses of LDAP
● Present examples of advanced usage
● Hopefully inspire you to use LDAP!
WILL NOT
● Show you how to install LDAP
● Teach you how to configure LDAP in specific OSes
● Give all the details needed to use LDAP
● Leave you disappointed (hopefully!)
Link to Slides
● These slides are available now online at http://www.cis.uab.edu/fran/ if you wish to follow along
● They will also be available after the conference
on the conference web site
Getting to Know the Audience
● How many of you know what LDAP is?
● How many of you are using LDAP right now?
● How many of you are using it for something
other than user authentication or email address
books?
Brief Review of LDAP
What is it?
What does it look like?
Common Usage
What is LDAP?
● Lightweight Directory Access Protocol
● A standard protocol for accessing directory
services
● Also used to refer to the directories being
accessed
● Based on the X.500 specification
● Represents hierarchical information in entries
consisting of a collection of attributes with a
unique, or distinguished name
No really, what is LDAP?
● It's a good way to store data that is:
– Mostly read access
– Needed by many machines/services on the network
– Generally represents collections of entities common
in large organizations
● User and Group Accounts
● Computers
● Email Addresses and Contact Information
● Departments and Business Units
LDAP Structure
● An object class defines the valid attributes and
properties for an entry
● A set of related object classes forms a schema.
For example, you may have a schema to
represent the users in a university department.
● Distinguished names (DNs) are hierarchical, much like DNS names. Ex:
ou=People,dc=eurooscon,dc=example,dc=com
● LDIF (LDAP Data Interchange Format) is the text format for reading and writing entries
LDIF Example
dn: uid=testuser,ou=People,dc=eurooscon,dc=example,dc=com
cn: Test User
uid: testuser
uidNumber: 501
loginShell: /bin/sh
homeDirectory: /home/testuser
gidNumber: 100
userPassword:: e2NyeXB0fVRYaHRIa05GOUdBSWc=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowLastChange: 13072
givenName: Test
sn: User
gecos: Test User
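Reading the LDIF above the way a server does, as an added example in Python (not code from the slides): it parses LDIF, decodes the `::` base64 value of userPassword, and applies the check slapd applies on add, namely that the RDN value (`uid=testuser`) also appears as an attribute value of the entry. The embedded LDIF is the slide's entry re-entered as constructed input; the only library used is the standard library.

```python
"""Parse LDIF (RFC 2849) and sanity-check an entry before handing it to ldapadd.

Added example; not code from the slides. Standard library only. SAMPLE_LDIF is the
entry from the slide, embedded here as constructed input.
"""
import base64

SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=eurooscon,dc=example,dc=com
cn: Test User
uid: testuser
uidNumber: 501
loginShell: /bin/sh
homeDirectory: /home/testuser
gidNumber: 100
userPassword:: e2NyeXB0fVRYaHRIa05GOUdBSWc=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowLastChange: 13072
givenName: Test
sn: User
gecos: Test User
"""


def parse_ldif(text):
    """Return a list of entries, each a dict mapping lower-cased attribute
    name -> list of values.  Handles comments, blank-line separators,
    'attr:: <base64>' values and line folding (continuation lines start
    with one space).  'attr:< url' values are rejected rather than fetched."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                # trailing "" flushes the last entry
        if line == "":
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        name = name.lower()
        if name == "version" and not entry:
            continue                         # optional 'version: 1' header
        if value.startswith(":"):            # attr:: base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):
            raise ValueError("attr:< URL values not supported: %r" % line)
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entries


def check_naming_attribute(entry):
    """slapd refuses an add whose RDN value is not also an attribute value of
    the entry ('naming attribute ... is not present in entry').  This is the
    trap with 'dn: uid=test,...' over 'uid: testuser'.  Simple RDNs only;
    multi-valued RDNs (a=x+b=y) and escaped commas are not handled here."""
    rdn = entry["dn"][0].split(",", 1)[0]
    attr, _, value = rdn.partition("=")
    return value.strip() in entry.get(attr.strip().lower(), [])


def password_scheme(entry):
    """Return the {scheme} prefix of userPassword (e.g. 'crypt'), or None.
    A {crypt} value with a 13-character hash is traditional DES crypt, which
    is cheap to brute-force; prefer {SSHA} or a modern crypt variant."""
    for pw in entry.get("userpassword", []):
        if pw.startswith("{") and "}" in pw:
            return pw[1:pw.index("}")]
    return None
```

Run `parse_ldif` over the output of a migration script before `ldapadd`: a False from `check_naming_attribute` is exactly the rejection slapd would produce, and `password_scheme` tells you which hash formats you are about to import.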
More on LDAP structure
● One entry can have multiple object classes
– exactly one structural class (here inetOrgPerson; its superclasses such as person are implied)
– the rest are auxiliary (here posixAccount and shadowAccount)
● For each class, there is a set of required (MUST) attributes and a set of optional (MAY) attributes.
– If you are a posixAccount, you must have a uid and may have a description
● Each entry has a unique distinguished name (DN) to reference it
Common Uses of LDAP
● User Directories: email addresses, students
● User Accounts: Centralizing accounts, access
control, groups
● Inventory Catalogs: machines, offices
● Network Service Backend: DNS, Email
● Usually NOT a replacement for relational data
LDAP Applied
Various Ways To Apply LDAP
to Solve IT Problems
Migrating User Accounts to LDAP
● Why do you want to do this?
● To centralize user accounts
● To modernize from some other network account
store (e.g. NIS)
● Eliminate duplication of data (already using
LDAP for corporate address book?)
● To better scale to the needs of a growing
organization
Migrating User Accounts to LDAP
● NIS/NIS+ → LDAP, or /etc/passwd → LDAP
● PADL.com MigrationTools scripts
– May need to be modified
● General solution:
– produce LDIF
– Import into LDAP with ldapadd and ldapmodify
Migrating User Accounts to LDAP
● posixAccount – a standard LDAP object class (RFC 2307, nis.schema) to represent user accounts
● Demo: migrate_passwd.pl
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
  DESC 'Abstraction of an account with POSIX attributes'
  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
  MAY ( userPassword $ loginShell $ gecos $ description ) )
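The migration step above (passwd/shadow in, posixAccount LDIF out, then ldapadd) as an added example in Python. It is not PADL's migrate_passwd.pl; it stands in for it and shows the parts that usually go wrong: which values LDIF must base64-encode, which shadow fields map to which shadowAccount attributes, and a check against the posixAccount MUST list shown above. The base DN, the uid cut-off of 500 and the choice of inetOrgPerson as the structural class are assumptions; the passwd and shadow records are constructed sample data and the hashes are placeholders, not real credentials.

```python
"""Convert /etc/passwd and /etc/shadow records to posixAccount/shadowAccount LDIF.

Added example standing in for a migration script; not PADL code.  The resulting
LDIF contains password hashes: write it mode 0600, import it over TLS
(ldapadd -ZZ) or a local ldapi:// socket, and delete it afterwards.
"""
import base64

BASE_DN = "ou=People,dc=eurooscon,dc=example,dc=com"      # assumed base DN
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")  # from the slide
# /etc/shadow field index -> shadowAccount attribute (0 = name, 1 = hash)
SHADOW_FIELDS = (None, None, "shadowLastChange", "shadowMin", "shadowMax",
                 "shadowWarning", "shadowInactive", "shadowExpire")

# Constructed sample records; hashes are placeholders, not real credentials
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
testuser:x:501:100:Test User:/home/testuser:/bin/sh
jose:x:502:100:Jos\u00e9 Pe\u00f1a,Room 42:/home/jose:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!!:13072:0:99999:7:::
testuser:$6$constructedsalt$constructedhashvalue:13072:0:99999:7:::
jose:$6$constructedsalt$anotherconstructedhash:13072::::::
"""


def needs_base64(value):
    """RFC 2849: base64 a value that starts with space, ':' or '<', ends with
    a space, or contains NUL, CR, LF or any non-ASCII character."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 126 or c in "\x00\r\n" for c in value)


def ldif_line(attr, value):
    if needs_base64(value):
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def passwd_to_entries(passwd_text, shadow_text, min_uid=500):
    """One attribute dict per account with uid >= min_uid; system accounts
    below the cut-off are skipped, as migration scripts usually do."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow[fields[0]] = fields
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")[:7]
        if int(uid) < min_uid:
            continue
        full_name = gecos.split(",")[0].strip() or name   # drop GECOS room/phone fields
        entry = {
            "dn": ["uid=%s,%s" % (name, BASE_DN)],
            "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
            "uid": [name],
            "cn": [full_name],
            "sn": [full_name.split()[-1]],        # inetOrgPerson requires sn
            "uidNumber": [uid],
            "gidNumber": [gid],
            "homeDirectory": [home],
            "loginShell": [shell],
        }
        # gecos is IA5String (ASCII only) in nis.schema; cn/sn are Directory
        # Strings and may carry UTF-8, which ldif_line base64-encodes.
        if gecos and gecos.isascii():
            entry["gecos"] = [gecos]
        s = shadow.get(name)
        if s:
            if s[1] not in ("", "*", "!", "!!", "x"):   # locked/empty: carry no password
                entry["userPassword"] = ["{crypt}" + s[1]]
            for i, attr in enumerate(SHADOW_FIELDS):
                if attr and i < len(s) and s[i]:
                    entry[attr] = [s[i]]
        entries.append(entry)
    return entries


def missing_required(entry):
    """Attributes from the posixAccount MUST list that the entry lacks."""
    return [a for a in POSIX_MUST if a not in entry]


def to_ldif(entries):
    out = []
    for entry in entries:
        out.append(ldif_line("dn", entry["dn"][0]))
        for attr, values in entry.items():
            if attr != "dn":
                out.extend(ldif_line(attr, v) for v in values)
        out.append("")                          # blank line separates entries
    return "\n".join(out)
```

Feed the output of `to_ldif` to `ldapadd -x -ZZ -D <admin DN> -W -f accounts.ldif`; run `missing_required` on every entry first, because slapd rejects an entry that violates the MUST list and a long import then stops half way.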
Activating LDAP-Based Logins
● pam_ldap (from PADL.com) inserts into the PAM authentication stack and authenticates users against LDAP; its partner nss_ldap (also PADL.com) serves the passwd, group and shadow lookups, so the same accounts resolve for ls, id, cron and friends
● Seamlessly authenticates both local and LDAP-based users
● Set ssl start_tls (or an ldaps:// URI) in ldap.conf: a simple bind otherwise sends each user's password over the network in the clear
● Many distros automate configuration (e.g. Fedora's authconfig)
● Demo: pam_ldap configuration
Integrating LDAP and Email
● Client Side - why?
– Address Book lookups in LDAP
– Autocompletion of partial email addresses
● Server Side - why?
– Store white/blacklists
– virtual mailboxes
– Aliases
– User preferences
● Add the inetOrgPerson object class to user entries; it carries mail and the other contact attributes the mail software looks for
LDAP and Email - Client
● Demo: Thunderbird and LDAP
● Many other email clients support LDAP lookups
– Outlook, Outlook Express, Netscape, Pine, Eudora,
Evolution, SquirrelMail, Mac Mail, etc...
● Clients can use LDAP for other things besides
just address lookups
– ex. SquirrelMail (web mail) has a plugin to store
user preferences in LDAP.
LDAP and Email - Server
● Many email servers can integrate with LDAP
● Alias lookups (Postfix), in main.cf (all on one line):
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
ldap-aliases.cf contains:
server_host = 192.168.139.128
search_base = dc=eurooscon,dc=example,dc=com
(the defaults query_filter = (mailacceptinggeneralid=%s) and result_attribute = maildrop match the schema on the next slide)
● Now, Postfix can deliver to both local and LDAP user mail aliases
LDAP and Email - Server
● Postfix expects a certain LDAP schema to
support this (these names are configurable)
dn: cn=Accounting Staff List, dc=my, dc=com
cn: Accounting Staff List
o: my.com
objectclass: maillist
mailacceptinggeneralid: accountingstaff
mailacceptinggeneralid: accounting-staff
maildrop: mylist-owner
maildrop: an-accountant
maildrop: some-other-accountant
maildrop: this, that, theother
LDAP and Email - Server
● Common usage is virtual mailboxes (e.g. ISP)
● Another common usage is to rewrite addresses
fran@eurooscon.example.com
to
Fran.Fabrizio@eurooscon.example.com
● Sendmail, Exim, Courier, Courier-IMAP, Cyrus,
uw-imap, and Qmail (and many others) all
support integration with LDAP to various
degrees
LDAP and Web-Based Resources
● Authenticate users to gain access to restricted
parts of web site
● mod_auth_ldap – Apache module
● User-based and group-based authentication
Using LDAP with Apache
● Apache 2.0 ships with mod_auth_ldap (renamed mod_authnz_ldap in Apache 2.2 and later)
● Restrict access to a directory with Location
<Location /protected>
AuthName "Protected Directory"
AuthType Basic
AuthLDAPURL ldap://ldap.cis.uab.edu:389/ou=People,dc=cis,dc=uab,dc=edu
require valid-user
# OR require group membership instead
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
require group cn=admin,ou=group,dc=cis,dc=uab,dc=edu
</Location>
# Basic auth sends the password in the clear to Apache, and Apache then
# binds to the directory with it: serve /protected over HTTPS only, and
# use ldaps:// (or TLS) between Apache and the LDAP server.
Using LDAP with Apache
● Demo: valid-user access
● Demo: group access
Advanced Apache/LDAP Integration
● Fancy filters: the fourth field of AuthLDAPURL (basedn?attribute?scope?filter) restricts which entries are allowed to log in at all
AuthLDAPURL ldap://eurooscon.example.com:389/ou=people,dc=eurooscon,dc=example,dc=com?uid??(|(pagerID=*)(uid=fran))
● Demo: Fancy Filters Example – "LDAP Applied Attendees Only"
Fancy Filter Example
● Configuration for the demo...
<Location /ldapapplied>
AuthType Basic
AuthName "LDAP Applied Attendees Only"
AuthLDAPURL ldap://192.168.139.128/ou=people,dc=eurooscon,dc=example,dc=com?uid??(comExampleEuroosconSession=LDAPApplied)
require valid-user
</Location>
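What the AuthLDAPURL fields mean and what the directory actually receives, as an added example in Python (not Apache code). It assumes the documented URL layout `ldap://host[:port]/basedn?attribute?scope?filter` with the defaults attribute=uid, scope=sub and filter=(objectClass=*), and that the module looks the login name up with `(&(filter)(attribute=name))`. The login name has to be escaped as RFC 4515 describes before it goes into the filter; Apache's module does that for you, but any Perl or PHP you write that builds a filter from user input (see the scripting slides later in the deck) must do the same, otherwise a name like `*)(uid=*` turns the attendee check into "anyone". The two URLs are the ones from the slides; the parser also catches the easy mistake of dropping one `?`, which silently moves the filter into the scope slot.

```python
"""Decode an Apache AuthLDAPURL and show the filter the server actually receives.

Added example; not Apache code.  Assumes the documented URL layout
ldap://host[:port]/basedn?attribute?scope?filter with the defaults
attribute=uid, scope=sub, filter=(objectClass=*), and that mod_auth_ldap
searches for the login name with (&(filter)(attribute=name)).
"""
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")


def parse_auth_ldap_url(url):
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    hostport, _, rest = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = rest.split("?", 3)             # base ? attribute ? scope ? filter
    fields += [""] * (4 - len(fields))
    base, attribute, scope, filt = (unquote(f) for f in fields)
    scope = scope or "sub"
    if scope not in SCOPES:
        # A filter sitting in this slot is the classic symptom of a missing '?'
        raise ValueError("bad scope %r (did you forget a '?')" % scope)
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base": base,
        "attribute": attribute or "uid",
        "scope": scope,
        "filter": filt or "(objectClass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter:
    backslash, '*', '(' , ')' and NUL become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def effective_filter(parsed, login_name):
    """The search filter sent to the directory for one login attempt."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"],
                             escape_filter_value(login_name))
```

Compare `effective_filter(u, "fran")` with `effective_filter(u, "*)(uid=*")`: with escaping the second is a search for a literal user name containing parentheses and matches nobody; without it the filter would read `(&(...)(uid=*)(uid=*))` and match every attendee.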
Extending LDAP Schemas
● Last slide implies attribute
comExampleEuroosconSession with a value of
“LDAPApplied” exists for some users
● How'd that work? We extend the LDAP
Schema...
– Store information custom to your environment
local.schema
● We define a local schema for this attribute in a
file called local.schema:
attributetype (1.3.6.1.4.1.7341.999.2.1 NAME 'comExampleEuroosconSession'
DESC 'a session at EuroOSCON'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass (1.3.6.1.4.1.7341.999.1.1 NAME 'comExampleEuroosconAttendee'
DESC 'optional class to represent EuroOSCON sessions'
AUXILIARY
MAY comExampleEuroosconSession )
The "1.3.6.1.4.1.7341.999.2.1" is an OID, a globally unique object identifier; every attribute type and object class must have one. Arcs under 1.3.6.1.4.1 are Private Enterprise Numbers, assigned free of charge by IANA (http://www.iana.org/). This one sits under my workplace's enterprise number. Get your own arc rather than inventing one or borrowing someone else's, so your schema can never collide with another vendor's.
local.schema continued
● We tell the LDAP server to include this in its known schemas, in slapd.conf (then restart slapd):
include /etc/openldap/schema/local.schema
● Now LDAP user entries can have:
– comExampleEuroosconAttendee - optional auxiliary
class
– comExampleEuroosconSession – optional attribute
within that class
LDAP and DNS
● Storing DNS tables in LDAP instead of flat files
● BIND (via its SDB/LDAP back end), tinydns, PowerDNS and others support this
● dnsZone structural object class
● The zone2ldap tool shipped with BIND's LDAP back end converts flat zone files to LDIF
Scripting LDAP
Getting at LDAP from various languages
LDAP and Perl
● From Perl, use Net::LDAP (the perl-ldap distribution)
use strict;
use warnings;
use Net::LDAP;

my $ldap = Net::LDAP->new('ldap.eurooscon.example.com') or die "$@";
# Anonymous bind: enough for a read-only search if the ACLs allow it
my $msg = $ldap->bind;
$msg->code && die $msg->error;
$msg = $ldap->search(
    base   => 'dc=eurooscon,dc=example,dc=com',
    filter => '(objectClass=*)');
$msg->code && die $msg->error;
# Adding an entry needs an authenticated bind (dn => ..., password => ...)
# with write access; do that after $ldap->start_tls, never in the clear.
my $result = $ldap->add(
    'cn=fran,ou=People,dc=eurooscon,dc=example,dc=com',
    attrs => [ objectClass => ['inetOrgPerson'],   # sn and cn are required
               cn          => ['Fran Fabrizio'],
               sn          => ['Fabrizio'],
               mail        => ['fran@cis.uab.edu'] ]);
$result->code && die $result->error;
LDAP and Perl
● Demo: Adding a User from Perl
LDAP and PHP
● PHP has an LDAP API (the ldap extension)
<?php
$ldap = ldap_connect('ldap.cis.uab.edu');
// Most servers require LDAPv3; the extension defaults to v2
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// Anonymous bind for read-only lookups
if (!ldap_bind($ldap)) {
    die(ldap_error($ldap));
}
$search = ldap_search($ldap, 'dc=cis,dc=uab,dc=edu', '(sn=Fabr*)');
$data = ldap_get_entries($ldap, $search);
// Writes need an authenticated bind with write access, over TLS:
$result = ldap_add(.....);
Programmatic LDAP - Others
● Java
– Support through the JNDI or JLDAP (openldap.org)
● C
– OpenLDAP's C API
● Ruby
– Ruby-ldap
● Python
– Python-ldap
LDAP and Relational Data
● Would be neat to do queries that link LDAP and
relational data
– Example: CIS Web Site
● dblink-ldap
– http://pgfoundry.org/projects/dblink-ldap/
– beta project to provide LDAP data as a table/view
within PostgreSQL
● Microsoft has OLE DB Provider for Directory
Services – access AD with SQL queries
LDAP and Windows
Strategies for LDAP in
a multiplatform environment
Strategy 1: AD -is- LDAP
● Active Directory -is- an LDAP version 3 server
● AD can import LDIF
– Ldifde.exe included with Windows Server 2003 and
supports batch LDIF operations
● Can also script from VBScript
● AD4Unix is a plugin (sf.net/projects/ad4unix)
that adds Unix attributes to AD and manages
them through AD Users and Computers MMC.
● pam_ldap can auth against AD
Strategy 1: AD -is- LDAP
● This model can be expanded to allow pam_ldap
to update user passwords in AD
● Additionally, nss_ldap can also talk to AD, but is
expecting Unix-like attributes for home dirs,
uid/gid, shells, etc...
– Installing MS's Services for Unix installs the NIS
server, which has the side effect of doing this for
you
– Or, extend the schema yourself – install
MKSADExtPlugin, and register the Active Directory
Schema MMC to set the option to allow schema
edits
Strategy 2: Migrate AD to LDAP
● ldifde.exe can export AD forest
● Unless you plan to use Kerberos authentication
with your LDAP server, you'll need to reset
users' passwords
● This will also require alteration of the LDIF that
Microsoft produces to be more Unix friendly
● pGina can authenticate Windows clients against
Unix LDAP server
Strategy 2: pGina
● pGina is an open source replacement for
Microsoft's Gina (Graphical Identification and
Authentication)
● Allows Windows clients to authenticate against
various sources via a plugin architecture
– including LDAP, of course
● Highly customizable
● Demo: pGina
Monitoring LDAP
● Reading LDAP logs
– Debug levels select what slapd reports: run it in the foreground with /usr/sbin/slapd -d xxx, or put loglevel xxx in slapd.conf to send the same output to syslog
● 8 – connection management
● 32 – search filter processing
● 64 – config file processing
● 128 – access control list processing
● 256 – connections/operations/results
● additive – 288 (256 + 32) is conn/ops/results plus search filters
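Putting the level table to work, as an added example in Python (not OpenLDAP code): it decodes an additive -d value into the components above, then walks the conn=/op= lines that level 256 produces and correlates ACCEPT, BIND and RESULT records per connection to report failed binds per client address and simple binds that carried a password over a connection with no TLS. The log lines are constructed samples in the shape of slapd's stats output with the syslog prefix stripped; the `TLS established` line is what slapd logs after a successful STARTTLS, method=128 is an LDAP simple bind, and err=49 is invalidCredentials.

```python
"""Decode slapd -d levels and pull failed and cleartext binds out of stats logging.

Added example; not OpenLDAP code.  DEBUG_LEVELS is the table from the slide.
SAMPLE_LOG is constructed in the shape of slapd's stats-level (256) output.
"""
import re
from collections import Counter

DEBUG_LEVELS = {
    8: "connection management",
    32: "search filter processing",
    64: "config file processing",
    128: "access control list processing",
    256: "connections/operations/results",
}

SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=203.0.113.7:51234 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="uid=fran,ou=People,dc=eurooscon,dc=example,dc=com" method=128
conn=1000 op=0 RESULT tag=97 err=49 text=
conn=1000 op=1 BIND dn="uid=fran,ou=People,dc=eurooscon,dc=example,dc=com" method=128
conn=1000 op=1 RESULT tag=97 err=49 text=
conn=1000 op=2 UNBIND
conn=1000 fd=12 closed
conn=1001 fd=13 ACCEPT from IP=192.168.139.10:40112 (IP=0.0.0.0:389)
conn=1001 op=0 STARTTLS
conn=1001 op=0 RESULT oid= err=0 text=
conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
conn=1001 op=1 BIND dn="uid=testuser,ou=People,dc=eurooscon,dc=example,dc=com" method=128
conn=1001 op=1 RESULT tag=97 err=0 text=
conn=1001 op=2 SRCH base="ou=People,dc=eurooscon,dc=example,dc=com" scope=2 deref=0 filter="(uid=testuser)"
conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1001 op=3 UNBIND
conn=1001 fd=13 closed
"""

ACCEPT = re.compile(r"^conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
TLS = re.compile(r"^conn=(\d+) fd=\d+ TLS established")
BIND = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r"^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")   # tag 97 = BindResponse

INVALID_CREDENTIALS = 49   # LDAP result code for a wrong password
SIMPLE_BIND = 128          # method= value for a simple (password) bind


def decode_debug_level(level):
    """Split an additive -d / loglevel value into the components it enables."""
    return [name for bit, name in sorted(DEBUG_LEVELS.items()) if level & bit]


def analyze(log_text):
    """Correlate ACCEPT/TLS/BIND/RESULT lines per connection.  Returns failed
    bind counts per client IP and the (ip, dn) pairs that sent a password on
    a connection that never negotiated TLS."""
    ip_of, tls_on, pending = {}, set(), {}
    failed = Counter()
    cleartext = set()
    for line in log_text.splitlines():
        m = ACCEPT.match(line)
        if m:
            ip_of[m.group(1)] = m.group(2)
            continue
        m = TLS.match(line)
        if m:
            tls_on.add(m.group(1))
            continue
        m = BIND.match(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = dn
            # an anonymous bind (dn="") carries no password, so it is not flagged
            if int(method) == SIMPLE_BIND and dn and conn not in tls_on:
                cleartext.add((ip_of.get(conn, "?"), dn))
            continue
        m = RESULT.match(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None and int(err) == INVALID_CREDENTIALS:
                failed[ip_of.get(conn, "?")] += 1
    return {"failed_binds": dict(failed), "cleartext_binds": sorted(cleartext)}
```

Pipe a day of syslog output from a server running at loglevel 256 through `analyze` (after stripping the syslog prefix) and a client that is guessing passwords shows up as a large failed_binds count for one address, while any entry in cleartext_binds is a host whose ldap.conf still lacks ssl start_tls.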
Managing LDAP
● Command line
– ldap* and slap* tools for OpenLDAP
● Scripting
● GQ – Simple GTK+/GTK2 GUI
– sf.net/projects/gqclient
● Webmin
– webmin.com
– LDAP Users and Groups plugin
● Demo: webmin
Other Uses of LDAP
● Samba authentication
– advantages over smbpasswd file
● Serving certificates
● Machine configurations
● Radius authentication
● Managing network printers
Conclusions
● LDAP can consolidate many administrative
tasks
● LDAP is optimized for reads and is typically faster than a relational database for simple lookups
● LDAP can improve scalability – all mail servers
in organization can use same data store, for
instance
● Once in place, LDAP can often be reapplied to
solve new problems
For More Information
● www.openldap.org
● PADL.com
– pam_ldap
– nss_ldap
– MigrationTools
● Book: LDAP System Administration by Gerald
Carter, published by O'Reilly
– More detail about a lot of these ideas is found there
Thank You
● Thanks for coming!
● My contact information is:
Fran Fabrizio
fran@cis.uab.edu
http://www.cis.uab.edu/fran/
● Feel free to email any questions you may have,
or catch me at the conference for the rest of the
week!

More Related Content

PDF
Ldap introduction (eng)
PDF
OpenLDAP configuration brought to Apache Directory Studio
PPT
Ldap system administration
PPTX
User administration without you - integrating LDAP
PDF
EKON 12 Running OpenLDAP
PDF
A Deep Dive Into Spark
PDF
LDAP Theory
PPTX
Thrift vs Protocol Buffers vs Avro - Biased Comparison
Ldap introduction (eng)
OpenLDAP configuration brought to Apache Directory Studio
Ldap system administration
User administration without you - integrating LDAP
EKON 12 Running OpenLDAP
A Deep Dive Into Spark
LDAP Theory
Thrift vs Protocol Buffers vs Avro - Biased Comparison

What's hot (20)

PDF
PPTX
DSpace 4.2 Basics & Configuration
PPT
DSpace Tutorial : Open Source Digital Library
PDF
Rest style web services (google protocol buffers) prasad nirantar
PPT
Introduction to Thrift
PDF
DSLs in JavaScript
PPTX
Dplyr packages
PPTX
Apache Thrift, a brief introduction
PPTX
Transformations and actions a visual guide training
PPTX
DSpace 4.2 Transmission: Import/Export
PPTX
Database Programming Techniques
PPTX
CodeIgniter & MVC
PPT
Scala and spark
PDF
Multiplexing in Thrift: Enhancing thrift to meet Enterprise expectations- Imp...
PDF
RESTLess Design with Apache Thrift: Experiences from Apache Airavata
PPTX
XFILES, The APEX 4 version - The truth is in there
PPTX
Overview Of .Net 4.0 Sanjay Vyas
PDF
Decoupled Libraries for PHP
PDF
Apache thrift-RPC service cross languages
PDF
Everything you ever wanted to know about lotus script
DSpace 4.2 Basics & Configuration
DSpace Tutorial : Open Source Digital Library
Rest style web services (google protocol buffers) prasad nirantar
Introduction to Thrift
DSLs in JavaScript
Dplyr packages
Apache Thrift, a brief introduction
Transformations and actions a visual guide training
DSpace 4.2 Transmission: Import/Export
Database Programming Techniques
CodeIgniter & MVC
Scala and spark
Multiplexing in Thrift: Enhancing thrift to meet Enterprise expectations- Imp...
RESTLess Design with Apache Thrift: Experiences from Apache Airavata
XFILES, The APEX 4 version - The truth is in there
Overview Of .Net 4.0 Sanjay Vyas
Decoupled Libraries for PHP
Apache thrift-RPC service cross languages
Everything you ever wanted to know about lotus script
Ad

Similar to LDAP Applied (EuroOSCON 2005) (20)

PDF
Ldap 121020013604-phpapp01
PDF
Practical-LDAP-and-Linux
PDF
Slaps - a Smalltalk LDAP server
PDF
OpenLDAP - Installation and Configuration
PDF
ivanova-samba_backend.pdf
ODP
Ldapsession
ODP
Ldapsession 1217528612650451-9
PPT
LSC - Synchronizing identities @ Loadays 2010
ODP
LSC - Synchronizing identities @ Loadays 2010
PPTX
OpenStack Keystone with LDAP
ODP
Under the Hood 11g Identity Management
PDF
Build your LDAP Web Interface with LinID Directory Manager
ODP
Ldap Synchronization Connector @ 2011.RMLL
PPTX
LDAP - Lightweight Directory Access Protocol
ODP
11g Identity Management - InSync10
PPTX
Active Directory & LDAP Authentication Without Triggers
PPTX
LDAP(In_Linux).pptx
PDF
[HKDUG] #20161210 - BarCamp Hong Kong 2016 - What's News in PHP?
PDF
Advanced SQL - Database Access from Programming Languages
PDF
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
Ldap 121020013604-phpapp01
Practical-LDAP-and-Linux
Slaps - a Smalltalk LDAP server
OpenLDAP - Installation and Configuration
ivanova-samba_backend.pdf
Ldapsession
Ldapsession 1217528612650451-9
LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010
OpenStack Keystone with LDAP
Under the Hood 11g Identity Management
Build your LDAP Web Interface with LinID Directory Manager
Ldap Synchronization Connector @ 2011.RMLL
LDAP - Lightweight Directory Access Protocol
11g Identity Management - InSync10
Active Directory & LDAP Authentication Without Triggers
LDAP(In_Linux).pptx
[HKDUG] #20161210 - BarCamp Hong Kong 2016 - What's News in PHP?
Advanced SQL - Database Access from Programming Languages
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
Ad

More from Fran Fabrizio (6)

PDF
Careers in System Administration (2007)
PDF
Amanda for Data Backup, or: How to Sleep Better at Night (OSCON 2004)
PDF
AJAX the Great: The Origin and Development of the Dynamic Web (2007)
PDF
Open Source Data Backup, or: How to Sleep Better at Night (OSCON 2005)
PDF
Rebooting the Team - Surge 2013
PDF
Scaffolding for a Growing Team - Surge 2014
Careers in System Administration (2007)
Amanda for Data Backup, or: How to Sleep Better at Night (OSCON 2004)
AJAX the Great: The Origin and Development of the Dynamic Web (2007)
Open Source Data Backup, or: How to Sleep Better at Night (OSCON 2005)
Rebooting the Team - Surge 2013
Scaffolding for a Growing Team - Surge 2014

Recently uploaded (20)

PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
PDF
Getting started with AI Agents and Multi-Agent Systems
PPTX
observCloud-Native Containerability and monitoring.pptx
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PPTX
Chapter 5: Probability Theory and Statistics
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
Getting Started with Data Integration: FME Form 101
PPTX
Modernising the Digital Integration Hub
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PPTX
1. Introduction to Computer Programming.pptx
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PDF
A comparative study of natural language inference in Swahili using monolingua...
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
PPTX
Tartificialntelligence_presentation.pptx
PPTX
OMC Textile Division Presentation 2021.pptx
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PPTX
O2C Customer Invoices to Receipt V15A.pptx
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
Getting started with AI Agents and Multi-Agent Systems
observCloud-Native Containerability and monitoring.pptx
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
Assigned Numbers - 2025 - Bluetooth® Document
Chapter 5: Probability Theory and Statistics
Group 1 Presentation -Planning and Decision Making .pptx
Getting Started with Data Integration: FME Form 101
Modernising the Digital Integration Hub
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
1. Introduction to Computer Programming.pptx
NewMind AI Weekly Chronicles - August'25-Week II
A comparative study of natural language inference in Swahili using monolingua...
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
Tartificialntelligence_presentation.pptx
OMC Textile Division Presentation 2021.pptx
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
O2C Customer Invoices to Receipt V15A.pptx
Univ-Connecticut-ChatGPT-Presentaion.pdf

LDAP Applied (EuroOSCON 2005)

  • 1. LDAP Applied Fran Fabrizio Sr. Systems Administrator Dept. of Computer & Information Sciences U of Alabama at Birmingham EuroOSCON Amsterdam, The Netherlands October 17-20, 2005
  • 2. This talk.... WILL ● Briefly review LDAP concepts ● Cover common uses of LDAP ● Present examples of advanced usage ● Hopefully inspire you to use LDAP! WILL NOT ● Show you how to install LDAP ● Teach you how to configure LDAP in specific OSes ● Give all the details needed to use LDAP ● Leave you disappointed (hopefully!)
  • 3. Link to Slides ● These slides are available now online at http://www.cis.uab.edu/fran/ if you wish to follow along ● They will also be available after the conference on the conference web site
  • 4. Getting to Know the Audience ● How many of you know what LDAP is? ● How many of you are using LDAP right now? ● How many of you are using it for something other than user authentication or email address books?
  • 5. Brief Review of LDAP What is it? What does it look like? Common Usage
  • 6. What is LDAP? ● Lightweight Directory Access Protocol ● A standard protocol for accessing directory services ● Also used to refer to the directories being accessed ● Based on the X.500 specification ● Represents hierarchical information in entries consisting of a collection of attributes with a unique, or distinguished name
  • 7. No really, what is LDAP? ● It's a good way to store data that is: – Mostly read access – Needed by many machines/services on the network – Generally represents collections of entities common in large organizations ● User and Group Accounts ● Computers ● Email Addresses and Contact Information ● Departments and Business Units
  • 8. LDAP Structure ● An object class defines the valid attributes and properties for an entry ● A set of related object classes forms a schema. For example, you may have a schema to represent the users in a university department. ● Distinguished names similar to DNS. Ex: ou=People,dc=eurooscon,dc=example,dc=com ● LDIF (Lightweight Directory Interchange Format)
  • 9. LDIF Example dn: uid=test,ou=People,dc=eurooscon,dc=example,dc=com cn: Test User uid: testuser uidNumber: 501 loginShell: /bin/sh homeDirectory: /home/testuser gidNumber: 100 userPassword:: e2NyeXB0fVRYaHRIa05GOUdBSWc= objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowLastChange: 13072 givenName: Test sn: User gecos: Test User
  • 10. More on LDAP structure ● One entry can have multiple classes – only one can be structural (inetOrgPerson) – the rest are auxiliary ● For each class, there is a set of required attributes and a set of optional attributes. – If you are a posixAccount, you must have a uid and may have a description ● Each entry will have a unique distinguished name to reference it
  • 11. Common Uses of LDAP ● User Directories: email addresses, students ● User Accounts: Centralizing accounts, access control, groups ● Inventory Catalogs: machines, offices ● Network Service Backend: DNS, Email ● Usually NOT a replacement for relational data
  • 12. LDAP Applied Various Ways To Apply LDAP to Solve IT Problems
  • 13. Migrating User Accounts to LDAP ● Why do you want to do this?
  • 14. Migrating User Accounts to LDAP ● Why do you want to do this? ● To centralize user accounts
  • 15. Migrating User Accounts to LDAP ● Why do you want to do this? ● To centralize user accounts ● To modernize from some other network account store (e.g. NIS)
  • 16. Migrating User Accounts to LDAP ● Why do you want to do this? ● To centralize user accounts ● To modernize from some other network account store (e.g. NIS) ● Eliminate duplication of data (already using LDAP for corporate address book?)
  • 17. Migrating User Accounts to LDAP ● Why do you want to do this? ● To centralize user accounts ● To modernize from some other network account store (e.g. NIS) ● Eliminate duplication of data (already using LDAP for corporate address book?) ● To better scale to the needs of a growing organization
  • 18. Migrating User Accounts to LDAP ● NIS/NIS+ LDAP or /etc/passwd LDAP ● PADL.com MigrationTools scripts – May need to be modified ● General solution: – produce LDIF – Import into LDAP with ldapadd and ldapmodify
  • 19. Migrating User Accounts to LDAP ● posixAccount – a standard LDAP schema to represent user accounts ● Demo: migrate_passwd.pl nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description )
  • 20. Activating LDAP-Based Logins ● pam_ldap (from PADL.com), inserts into the PAM authentication stack and partners with nss_ldap (also PADL.com) to provide authentication against LDAP ● Seamlessly authenticates both local and LDAP- based users ● Many distros automate configuration (e.g. Fedora) ● Demo: pam_ldap configuration
  • 21. Integrating LDAP and Email ● Client Side - why? – Address Book lookups in LDAP – Autocompletion of partial email addresses
  • 22. Integrating LDAP and Email ● Client Side - why? – Address Book lookups in LDAP – Autocompletion of partial email addresses ● Server Side - why? – Store white/blacklists – virtual mailboxes – Aliases – User preferences
  • 23. Integrating LDAP and Email ● Client Side - why? – Address Book lookups in LDAP – Autocompletion of partial email addresses ● Server Side - why? – Store white/blacklists – virtual mailboxes – Aliases – User preferences ● Add the inetOrgPerson schema to LDAP entries
  • 24. LDAP and Email - Client ● Demo: Thunderbird and LDAP ● Many other email clients support LDAP lookups – Outlook, Outlook Express, Netscape, Pine, Eudora, Evolution, SquirrelMail, Mac Mail, etc... ● Clients can use LDAP for other things besides just address lookups – ex. SquirrelMail (web mail) has a plugin to store user preferences in LDAP.
  • 25. LDAP and Email - Server ● Many email servers can integrate with LDAP ● Alias lookups (Postfix) alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf (all on one line) ldap-aliases.cf contains: server_host = 192.168.139.128 sever_base = dc=eurooscon,dc=example,dc=com ● Now, Postfix can deliver to both local and LDAP user mail aliases
  • 26. LDAP and Email - Server ● Postfix expects a certain LDAP schema to support this (these names are configurable) dn: cn=Accounting Staff List, dc=my, dc=com cn: Accounting Staff List o: my.com objectclass: maillist mailacceptinggeneralid: accountingstaff mailacceptinggeneralid: accounting-staff maildrop: mylist-owner maildrop: an-accountant maildrop: some-other-accountant maildrop: this, that, theother
  • 27. LDAP and Email - Server ● Common usage is virtual mailboxes (e.g. ISP) ● Another common usage is to rewrite addresses fran@eurooscon.example.com to Fran.Fabrizio@eurooscon.example.com ● Sendmail, Exim, Courier, Courier-IMAP, Cyrus, uw-imap, and Qmail (and many others) all support integration with LDAP to various degrees
  • 28. LDAP and Web-Based Resources ● Authenticate users to gain access to restricted parts of web site ● mod_auth_ldap – Apache module ● User-based and group-based authentication
  • 29. Using LDAP with Apache ● Apache 2.0 ships with mod_auth_ldap ● Restrict access to a directory with Location <Location /protected> AuthName “Protected Directory” AuthType basic AuthLDAPURL ldap://ldap.cis.uab.edu:389/ou=People,dc=cis,dc =uab,dc=edu require valid-user # OR require group membership instead AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off require group cn=admin,ou=group, dc=eurooscon,dc=example,dc=com </Location>
  • 30. Using LDAP with Apache ● Demo: valid-user access ● Demo: group access
  • 31. Advanced Apache/LDAP Integration ● Fancy filters AuthLDAPURL ldap://eurooscon.example.com:389/ou=people,dc=e urooscon,dc=example,dc=com??(| (pagerID=*)(uid=fran)) ● Demo: Fancy Filters Example – “LDAP Applied Attendees Only”
  • 32. Fancy Filter Example ● Configuration for the demo... <Location /ldapapplied> AuthType basic AuthName "LDAP Applied Attendees Only" AuthLDAPURL ldap://192.168.139.128/ou=people,dc=eurooscon,dc=example,d c=com?uid??(comExampleEuroosconSession=LDAPApplied) require valid-user </Location>
  • 33. Extending LDAP Schemas ● Last slide implies attribute comExampleEuroosconSession with a value of “LDAPApplied” exists for some users ● How'd that work? We extend the LDAP Schema... – Store information custom to your environment
  • 34. local.schema ● We define a local schema for this attribute in a file called local.schema: attributetype (1.3.6.1.4.1.7341.999.2.1 NAME 'comExampleEuroosconSession' DESC 'a session at EuroOSCON' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) objectclass (1.3.6.1.4.1.7341.999.1.1 NAME 'comExampleEuroosconAttendee' DESC 'optional class to represent EuroOSCON sessions' AUXILIARY MAY comExampleEuroosconSession ) The “1.3.6.1.4.1.7341.999.2.1” is an OID, a unique LDAP object identifier. More information available at http://www.iana.org/. This one was taken from my workplace. You probably don't need to use them, but I do just to be complete.
  • 35. local.schema continued ● We tell the LDAP server to include this in its known schemas include /etc/openldap/schema/local.schema ● Now LDAP user entries can have: – comExampleEuroosconAttendee - optional auxiliary class – comExampleEuroosconSession – optional attribute within that class
  • 36. LDAP and DNS ● Storing DNS tables in LDAP instead of flat files ● BIND (through its LDAP sdb back end), tinydns, PowerDNS and others support this ● dnsZone structural object class ● The zone2ldap tool that accompanies BIND's LDAP back end converts existing zone files into LDAP entries
  • 37. Scripting LDAP Getting at LDAP from various languages
  • 38. LDAP and Perl ● From Perl, use Net::LDAP
    use strict;
    use warnings;
    use Net::LDAP;

    my $ldap = Net::LDAP->new('ldap.eurooscon.com') or die "$@";
    my $msg = $ldap->bind;   # anonymous bind; adds normally need a privileged bind DN and password
    $msg = $ldap->search( base   => "dc=example,dc=com",
                          filter => "(objectClass=*)" );
    $msg->code && die $msg->error;
    my $result = $ldap->add( "cn=fran,ou=People,dc=uab,dc=edu",
                             attr => [ cn   => ["Fran Fabrizio"],
                                       mail => ["fran@cis.uab.edu"],
                                       # etc.....
                                     ] );
    $result->code && die $result->error;
  • 39. LDAP and Perl ● Demo: Adding a User from Perl
  • 40. LDAP and PHP ● PHP has an LDAP API
    <?php
    $ldap = ldap_connect('ldap.cis.uab.edu');
    // OpenLDAP 2.x servers reject LDAPv2 binds by default, so ask for v3
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    $result = ldap_bind($ldap);   // anonymous bind
    $search = ldap_search($ldap, "dc=cis,dc=uab,dc=edu", "(sn=Fabr*)");
    $data   = ldap_get_entries($ldap, $search);
    // $result = ldap_add(.....);  // connection, new entry's DN, array of attributes
    ?>
  • 41. Programmatic LDAP - Others ● Java – Support through the JNDI or JLDAP (openldap.org) ● C – OpenLDAP's C API ● Ruby – Ruby-ldap ● Python – Python-ldap
  • 42. LDAP and Relational Data ● Would be neat to do queries that link LDAP and relational data – Example: CIS Web Site ● dblink-ldap – http://pgfoundry.org/projects/dblink-ldap/ – beta project to provide LDAP data as a table/view within PostgreSQL ● Microsoft has OLE DB Provider for Directory Services – access AD with SQL queries
  • 43. LDAP and Windows Strategies for LDAP in a multiplatform environment
  • 44-48. Strategy 1: AD -is- LDAP ● Active Directory -is- an LDAP version 3 server ● AD can import LDIF – Ldifde.exe included with Windows Server 2003 and supports batch LDIF operations ● Can also script from VBScript ● AD4Unix is a plugin (sf.net/projects/ad4unix) that adds Unix attributes to AD and manages them through the AD Users and Computers MMC snap-in ● pam_ldap can authenticate against AD
  • 49-50. Strategy 1: AD -is- LDAP ● This model can be expanded to allow pam_ldap to update user passwords in AD (AD accepts password changes only over an SSL/TLS-protected LDAP connection, so this needs ldaps://) ● Additionally, nss_ldap can also talk to AD, but it expects Unix-like attributes for home directories, uid/gid, shells, etc... – Installing Microsoft's Services for Unix installs the NIS server, which has the side effect of adding those attributes for you – Or, extend the schema yourself: install MKSADExtPlugin, and register the Active Directory Schema MMC snap-in to set the option that allows schema edits
  • 51-54. Strategy 2: Migrate AD to LDAP ● ldifde.exe can export an AD forest ● Unless you plan to use Kerberos authentication with your LDAP server, you'll need to reset users' passwords: the export does not include password hashes ● This will also require alteration of the LDIF that Microsoft produces to be more Unix friendly ● pGina can authenticate Windows clients against a Unix LDAP server
  • 55-58. Strategy 2: pGina ● pGina is an open source replacement for Microsoft's GINA (Graphical Identification and Authentication) ● Allows Windows clients to authenticate against various sources via a plugin architecture – including LDAP, of course ● Highly customizable ● Demo: pGina
  • 59. Monitoring LDAP ● Reading LDAP logs – Debug levels allow output of useful information – /usr/sbin/slapd -d xxx ● 8 – connection management ● 32 – search filter processing ● 64 – config file processing ● 128 – access control list processing ● 256 – connections/operations/results ● Additive – 288 (256 + 32) is conn/ops/results plus search filters ● The same values go in the loglevel directive in slapd.conf to send this output to syslog while slapd runs normally
  • 60. Managing LDAP ● Command line – ldap* and slap* tools for OpenLDAP ● Scripting ● GQ – Simple GTK+/GTK2 GUI – sf.net/projects/gqclient ● Webmin – webmin.com – LDAP Users and Groups plugin ● Demo: webmin
  • 61. Other Uses of LDAP ● Samba authentication – advantages over smbpasswd file ● Serving certificates ● Machine configurations ● Radius authentication ● Managing network printers
  • 62. Conclusions ● LDAP can consolidate many administrative tasks ● LDAP is optimized for reads and is typically faster than an RDBMS for simple lookups ● LDAP can improve scalability – all mail servers in an organization can use the same data store, for instance ● Once in place, LDAP can often be reapplied to solve new problems
  • 63. For More Information ● www.openldap.org ● PADL.com – pam_ldap – nss_ldap – MigrationTools ● Book: LDAP System Administration by Gerald Carter, published by O'Reilly – More detail about a lot of these ideas is found there
  • 64. Thank You ● Thanks for coming! ● My contact information is: Fran Fabrizio fran@cis.uab.edu http://www.cis.uab.edu/fran/ ● Feel free to email any questions you may have, or catch me at the conference for the rest of the week!