Thursday, July 31, 2014

LDAP server configuration - Part-1

Directory Service

It is a software which stores the information of network entities like users, servers etc. It can store any kind of information in the form of attribute and its value.

LDAP

Mostly we are using this term something like addressing a database which stores information. But it is a protocol to communicate with directory services or information directory. It supports TCP/IP so we can use this in network. Mostly we will call this LDAP information directory service as LDAP server, which supports ldap queries to store and retrieve data.

Is LDAP server is just like a database? . It acts as a database for storing information but it is more optimized for read operation because modification to LDAP entities will be very less but read operation will be very high.


LDAP server is mostly using for authentication purpose.

What is the advantage of using LDAP server for authentivation

1. LDAP is a protocol . Since it is a standard most of the platform support it.
2. Most of the applications are LDAP ready because they don't need to worry in handling user database in their application
3. Security, There are Access Control List  (ACL) to restrict the entity access .
4. There are lot of LDAP server vendors both in commercial and open-source.Installation of these are very easy.
5. Replication option is there to store the data in remote location for security purpose.


You want cross platform support?, Change of data less frequent? More read operation?   if answer is yes then LDAP server will be the best place to store the information.

Structure of  LDAP Directory Tree.

 Its structure is just like an inverted rooted tree similar to DNS or linux directory structure.Each entry in LDAP tree is uniquely identified by Distinguished Name or will call DN. Mostly we are reading this DN from leaf node to root. I will explain how it is in later portion.


Suppose I am creating ldap server for company example.com




In the above picture the first box ( dc=example,dc=com) is the Base DN for this ldap.
There are multiple format for defining the base DN. But here I used the DNS name format. So Base DN is the top level of the ldap tree.

Suppose we have number of employees in our company . So in LDAP , as we discussed earlier it will be stored in another category or as a node named OU. OU stands for organizational unit. Mostly OU is using for defining a broad categories like ou=users, ou=computers,ou=groups, etc. OU can be further be divided . Suppose we have users in US and UK the the structure will be go like this




 So DN which identifies the users in US will be like .

ou=US,ou=users,dc=example,dc=com
 
See how it is, from individual entry back to words the root of tree.

For "ou=gourps" what will be the DN?  it will be ou=groups,dc=example,dc=com.


An entry in the ldap contains set of attributes which is uniquely identified by DN. There is one term called RDN ( Relative Distinguished Name) . It is nothing but a relative path to an entity based on another DN.

consider the case ou=UK,ou=users,dc=example,dc=com. This a DN and ou=UK, ou=users  is a RDN based on the base DN dc=example,dc=com. Simply like absolute path and relative path in file system.


In LDAP we can store almost data in a format of attribute and value. For example for a user named "John Smith" there will be multiple details related to him like Name, Address, Email etc. all these can be stored in LDAP.

 Here is a sample ldap entry for a user John Smith.

dn: uid=jsmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Smith
givenName: John
sn: Smith
mail: jsmith@example.com
telephoneNumber: +999999999
title: Test Engineer
uid: jsmith
uidNumber: 10000
gidNumber: 100
homeDirectory: /home/jsmith
loginShell: /bin/bash

in this example these are the attribute we need store in the  LDAP.
So look at the first line it defines the DN for user John Smith, But here uid is taken to build DN . This uid just like a user name ( not the uid , gid in linux ).


Here we can see objectClass: inetOrgPerson,  objectClass: posixAccount. The object class defines these atrributes.Which means to use an attribute in LDAP we need to include corresponding object class in the LDAP entry.

 
Configuring LDAP server will be explained in next part


1 comment:

  1. Nice link ..How do we configure LDAP server in UNIX?

    ReplyDelete

Which operating system you like most?