LDAP (Lightweight Directory Access Protocol) Speaker: Chang-Yu Wu Adviser: Quincy Wu Date: 2007/08/22
Outline • Motivation • Related Work • Directory Service • X.500 • LDAP • Depiction • Architecture • LDIF • Implementation • Conclusion • Reference
Motivation [figure: one user with a separate account on each of the FTP server, mail server, application server, Samba server and web server]
Motivation (cont) • Each service has its own configuration file or resource record • One server does not run many services, so the accounts are spread over several hosts • Administration (e.g. of accounts) has to be done once per service • The same data is stored repeatedly
Related Work • Directory services (DS) • A set of applications • Stores and organizes information about a computer network's users and network resources • X.500 • X.500 is a series of computer networking standards covering electronic directory services
X.500 • A hierarchical organization of entries which is distributed across one or more servers
LDAP • Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services, running over TCP/IP (port 389; 636 for LDAP over SSL/TLS). • Optimized for lookups • Read-heavy: far more reads than writes • More easily extended (schema, controls, extended operations) • The protocol itself provides no confidentiality: a simple bind sends the password in clear text unless the connection is protected by TLS (ldaps:// or the StartTLS extension). • Implementation software: OpenLDAP
Internet Application (cont) [figure: network diagram with clients, a switch and a NAT gateway in front of the FTP server, Samba server, mail server and LDAP server]
History • RFC 1777: Lightweight Directory Access Protocol (v2; RFC 1487 was v1) • RFC 2251-2256: Lightweight Directory Access Protocol (v3) • RFC 2829: Authentication Methods for LDAP • RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security (StartTLS) • RFC 3377: Lightweight Directory Access Protocol (v3): Technical Specification • All of the v3 documents above were obsoleted in June 2006 by the RFC 4510-4519 series, which is the current LDAPv3 specification
Background [figure: protocol stacks side by side; X.500 DAP runs on the full seven-layer OSI stack (application, presentation, session, transport, network, data link, physical), whereas LDAP is an application protocol directly on TCP/IP (TCP over IP over the data link and physical media)] • Relatively simple protocol (X.500 DAP was heavyweight). • Universal design for directory services.
Depiction [figure: tree with Company at the root, Department_A and Department_B below it, and employee entries as leaves] • An LDAP directory is organized as a simple tree hierarchy of entries. • An LDAP directory can be distributed among many servers.
DIT • Directory Information Tree (DIT): the tree formed by all entries • Entry: describes one object (e.g. a person or a device); its type is given by its object classes • Object class: states which attributes an entry must and may carry • Attribute: a type (with a syntax) and one or more values
DIT (cont) [figure: example DIT]
dc=john,dc=ipv6,dc=club,dc=tw (root of the tree)
    ou=people
        cn=Alice (objectClass: person, sn: carter, telephoneNumber: 555-1234)
    ou=devices
The entry's DN is cn=Alice,ou=people,dc=john,dc=ipv6,dc=club,dc=tw; its RDN is cn=Alice. Each entry carries a set of attribute/value pairs.
LDAP Data Interchange Format • LDIF (LDAP Data Interchange Format) • RFC 2849 • A set of entries, each a list of attribute: value lines, separated by blank lines • Used for the standard text form of directory content and for loading configuration data into LDAP • Further directives (e.g. changetype) are available • Schema
Schema • Defines which object classes are allowed • Where in the tree entries of each class may appear • Which attributes an object class must have (MUST) • Which attributes are optional (MAY) • The type/syntax of each attribute
Schema (cont) core.schema
objectclass ( 2.5.6.6 NAME 'person'
    DESC 'RFC2256: a person'
    SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
LDAP Data Interchange Format (cont) • DN (Distinguished Name): the full path of an entry from the root of the tree, unique within the directory (e.g. cn=alice,ou=people,dc=john,dc=ipv6,dc=club,dc=tw) • RDN (Relative Distinguished Name): the leftmost component of the DN, an attribute=value pair that is unique among the siblings of the entry (e.g. cn=alice) • CN (Common Name): the name of a person or object • OU (Organizational Unit): a container used to group entries, e.g. ou=people • DC (Domain Component): one label of a DNS domain name, e.g. dc=tw
LDIF (example; the DN now matches the tree in the figure, the stray "=" after sn is removed, and the naming attribute cn is added, since slapd rejects an entry that lacks its RDN attribute)
dn: cn=alice,ou=people,dc=john,dc=ipv6,dc=club,dc=tw
cn: alice
objectClass: person
sn: carter
telephoneNumber: 555-1234
[figure: the same example DIT as on the DIT slide, with cn=Alice under ou=people and the RDN highlighted]
Model • Information model: the basic unit is the entry; entries form the DIT (Directory Information Tree) • Naming model: how entries are identified, by RDN (relative distinguished name) among their siblings and by DN (distinguished name) within the whole tree • Functional model: the operations on the data (bind, search, compare, add, modify, delete, modify DN) • Security model: authentication (bind: anonymous, simple or SASL) and ACLs (access control lists)
Implementation • OpenLDAP • OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol. • http://www.openldap.org/ • Version used in this experiment: OpenLDAP 2.3.37 • Download: http://www.openldap.org/software/download/
Configuration file • slapd.conf (/usr/local/etc/openldap/) • Schema • Log record • SSL/TLS • Database area • ACL
Configuration file - schema Path : /usr/local/etc/openldap/schema/
Configuration file – database area • Define the database: database bdb • Define the root suffix: suffix "dc=john,dc=ipv6,dc=club,dc=tw" • Define the root DN: rootdn "cn=admin,dc=john,dc=ipv6,dc=club,dc=tw" • Define the root password: rootpw XXX (the rootdn bypasses every ACL, so never write this password in clear text; paste the {SSHA} hash printed by slappasswd instead) • Define the directory path: directory /var/db/xxx/
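Added example (not from the slides, and not OpenLDAP code): the {SSHA} format that slappasswd emits and that rootpw should contain, reproduced in Python so the slide's clear-text rootpw can be compared with a hashed one, plus a small check over a slapd.conf text for the three weak spots a reviewer looks for in this section and in the security model slide: a clear-text rootpw, no TLS certificate, and no ACL protecting userPassword. Both configuration texts are constructed for the example; the certificate paths, the rootpw value "secret" and the fixed salt are assumptions.

```python
# Added example, not from the slides: the {SSHA} rootpw format slappasswd
# produces, and a check over slapd.conf for the weak settings on this slide.
# The two configuration texts are constructed for the example.
import base64
import hashlib
import hmac
import os
import re

def ssha_hash(password, salt=None):
    """{SSHA}base64(SHA-1(password || salt) || salt), the format slappasswd
    emits for -h {SSHA}; slappasswd draws a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, password):
    """Recompute the digest with the salt recovered from the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

HASHED = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.I)

def audit_slapd_conf(text):
    """Return the list of problems found in a slapd.conf text."""
    problems, tls, pw_acl = [], False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip().strip('"')
        if key == "rootpw" and not HASHED.match(value):
            problems.append("rootpw is clear text; store the {SSHA} output of slappasswd")
        elif key.startswith("tlscertificate"):
            tls = True
        elif key == "access" and "attrs=userpassword" in value.lower():
            pw_acl = True
    if not tls:
        problems.append("no TLS certificate configured: simple binds send passwords in clear; "
                        "set TLSCertificateFile/TLSCertificateKeyFile and use StartTLS or ldaps")
    if not pw_acl:
        problems.append("no 'access to attrs=userPassword' rule: without any access directive "
                        "slapd defaults to 'access to * by * read', so anyone can read the hashes")
    return problems

# The database section as on the slide (rootpw XXX replaced by a constructed value).
WEAK_CONF = """\
database bdb
suffix "dc=john,dc=ipv6,dc=club,dc=tw"
rootdn "cn=admin,dc=john,dc=ipv6,dc=club,dc=tw"
rootpw secret
directory /var/db/openldap-data
"""

# Corrected version: hashed rootpw, TLS material (paths are assumptions), and
# userPassword readable by nobody, writable by its owner, usable only to bind.
HARDENED_CONF = """\
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
database bdb
suffix "dc=john,dc=ipv6,dc=club,dc=tw"
rootdn "cn=admin,dc=john,dc=ipv6,dc=club,dc=tw"
rootpw ROOTPW_HASH
directory /var/db/openldap-data
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
""".replace("ROOTPW_HASH", ssha_hash("secret", b"\x01\x02\x03\x04"))

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_slapd_conf(conf) or ["ok"])
```

The ACL order matters: slapd uses the first `access to` clause whose target matches, so the userPassword rule must precede the catch-all. `by users read` keeps the white pages readable only to authenticated clients; use `by * read` if anonymous lookups are wanted, but keep userPassword on `by * none`.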
White pages LDIF [figure: the same example DIT as on the DIT slide] dn: cn=alice,ou=people,dc=john,dc=ipv6,dc=club,dc=tw cn: alice objectClass: person sn: carter telephoneNumber: 555-1234
White pages (cont) people.ldif (the root entry is corrected: organizationalUnit requires an ou attribute, which the root has none of, so slapd rejects it; dcObject is auxiliary and is paired here with the structural class organization and its required o attribute)
# create root
dn: dc=john,dc=ipv6,dc=club,dc=tw
dc: john
o: john ipv6 club
objectClass: dcObject
objectClass: organization

# create ou
dn: ou=people,dc=john,dc=ipv6,dc=club,dc=tw
ou: people
objectClass: organizationalUnit

# create person
dn: cn=alice,ou=people,dc=john,dc=ipv6,dc=club,dc=tw
cn: alice
objectClass: person
sn: carter
telephoneNumber: 555-1234
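Added example (not from the slides, and not OpenLDAP code): a small Python LDIF parser that rebuilds the tree from the DNs and checks each entry the way slapadd would reject the mistakes discussed on the LDIF, DIT and Schema slides: the RDN attribute must be present in the entry, the parent must already exist, and each object class's MUST attributes (copied from the core.schema definitions, as for person on the Schema slide) must be present. The sample LDIF is constructed for the example: the three entries of people.ldif plus a deliberately broken cn=router1 entry placed under an ou=devices that was never created.

```python
# Added example, not from the slides: parse LDIF, rebuild the DIT from the
# DNs and check entries against the MUST lists from core.schema.
import base64

# MUST attributes per object class (lower-cased; copied from core.schema).
MUST = {"top": set(), "dcobject": {"dc"}, "organization": {"o"},
        "organizationalunit": {"ou"}, "person": {"sn", "cn"}}
STRUCTURAL = {"organization", "organizationalunit", "person"}

# Constructed sample: the slides' entries plus a deliberately broken device
# entry (parent ou=devices never created; cn and sn missing).
SAMPLE_LDIF = """\
dn: dc=john,dc=ipv6,dc=club,dc=tw
dc: john
o: john ipv6 club
objectClass: dcObject
objectClass: organization

dn: ou=people,dc=john,dc=ipv6,dc=club,dc=tw
ou: people
objectClass: organizationalUnit

dn: cn=alice,ou=people,dc=john,dc=ipv6,dc=club,dc=tw
cn: alice
objectClass: person
sn: carter
telephoneNumber: 555-1234

# constructed bad entry
dn: cn=router1,ou=devices,dc=john,dc=ipv6,dc=club,dc=tw
objectClass: person
telephoneNumber: 555-9999
"""

def parse_ldif(text):
    """Return [(dn, attrs)] with attribute names lower-cased (LDAP attribute
    names are case-insensitive).  Handles '#' comments, folded lines (leading
    space), '::' base64 values and blank-line record separators."""
    entries, record = [], []

    def flush():
        dn, attrs = None, {}
        for line in record:
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):              # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
        record.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and record:       # folded continuation line
            record[-1] += raw[1:]
        else:
            record.append(raw)
    flush()
    return entries

def split_dn(dn):
    """RDN components, leftmost first (naive: no escaped commas, which the
    slide examples do not use)."""
    return [p.strip() for p in dn.split(",")]

def norm_dn(dn):
    return ",".join(p.lower() for p in split_dn(dn))

def validate(entries, suffix):
    """Return (dn, problem) pairs; an empty list means the entries pass the
    naming, tree-shape and MUST-attribute checks slapadd applies."""
    findings, seen = [], set()
    for dn, attrs in entries:
        parts = split_dn(dn)
        rdn_attr, _, rdn_val = parts[0].partition("=")
        rdn_attr = rdn_attr.strip().lower()
        # 1. the RDN's attribute and value must appear in the entry itself
        if rdn_val.strip().lower() not in [v.lower() for v in attrs.get(rdn_attr, [])]:
            findings.append((dn, f"naming attribute '{rdn_attr}' is not present in entry"))
        # 2. parents must come before children (slapadd builds the tree top-down)
        parent = ",".join(parts[1:])
        if norm_dn(dn) != norm_dn(suffix) and norm_dn(parent) not in seen:
            findings.append((dn, f"parent entry '{parent}' does not exist"))
        # 3. object classes: known, at least one structural, MUST attributes present
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if not any(c in STRUCTURAL for c in classes):
            findings.append((dn, "no structural object class"))
        for cls in classes:
            if cls not in MUST:
                findings.append((dn, f"unknown object class '{cls}'"))
                continue
            for must in sorted(MUST[cls] - set(attrs)):
                findings.append((dn, f"object class '{cls}' requires attribute '{must}'"))
        seen.add(norm_dn(dn))
    return findings

if __name__ == "__main__":
    for dn, problem in validate(parse_ldif(SAMPLE_LDIF), "dc=john,dc=ipv6,dc=club,dc=tw"):
        print(f"{dn}: {problem}")
```

Run on the sample, only the cn=router1 entry is reported (missing naming attribute, missing parent, and the two MUST attributes of person); the three slide entries pass.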
Instruction • Load the initial data offline, before slapd is started (slapadd writes to the database files directly and must not be run against a live slapd): slapadd -v -l /xxx/people.ldif • Start the server: /usr/local/libexec/slapd • Show the data: ldapsearch -x -b "dc=john,dc=ipv6,dc=club,dc=tw" (-x selects simple authentication; without -D and -W this is an anonymous bind, which only succeeds because slapd's default ACL, access to * by * read, grants anonymous read access; add -ZZ to require StartTLS, or use an ldaps:// URI with -H, so that a bind password never crosses the network in clear)
Instruction (cont) • Offline tools (work on the database files directly, with slapd stopped): slapadd, slapcat, slapindex, slappasswd (slappasswd only generates password hashes for rootpw and userPassword) • Online tools (LDAP clients talking to a running slapd): ldapsearch, ldapadd, ldapdelete, ldapmodify, ldapmodrdn
Conclusion • Used to access and update information in a directory built on the X.500 model • Specification defines the content of messages between the client and the server • Includes operations to establish and disconnect a session from the server
Reference • Lightweight Directory Access Protocol (v3), RFC 2251 • OpenLDAP, http://www.openldap.org/ • Gerald Carter, LDAP System Administration, O'Reilly, 2003