OpenLDAP Directory Administration: LDAPv3 Overview
Table of Contents
• LDIF
• What Is an Attribute?
• What Is the dc Attribute?
• Schema References
• Authentication
• Distributed Directories
• Continuing Standardization
LDIF
• Unix/Linux administrators generally prefer plain-text configuration files over some binary store of bits
• The LDAP Data Interchange Format (LDIF), defined in RFC 2849, is a standard text format for storing LDAP configuration information and directory contents
• In its most basic form, an LDIF file is:
  • A collection of entries separated from each other by blank lines
  • A mapping of attribute names to values
  • A collection of directives that instruct the parser how to process the information
• LDIF files are often used to import new data into your directory or to make changes to existing data
• An LDIF file must obey the schema rules of the LDAP directory; otherwise the server rejects it with a "schema violation"
LDIF (cont.) LDAP Directory Information Tree (DIT)
[Figure: the DIT, showing the RDN and full DN of one entry together with its attribute types and values]
  dc=plainjoe,dc=org
  ├── ou=people
  │   └── cn=gerard carter        <- RDN
  │       dn: cn=gerard carter,ou=people,dc=plainjoe,dc=org
  │       attribute types and values:
  │         cn: gerard carter
  │         objectClass: person
  │         sn: carter
  │         telephoneNumber: 555-1234
  └── ou=devices
LDIF (cont.)
• LDIF entry:

  # LDIF listing for the entry dn: dc=plainjoe,dc=org
  dn: dc=plainjoe,dc=org
  objectClass: domain
  dc: plainjoe

• Observations about LDIF syntax:
  • Comments in an LDIF file begin with the pound character (#)
  • Attributes are listed on the left-hand side of the colon (:), and values are presented on the right-hand side; the colon character is separated from the value by a space
  • The dn attribute uniquely identifies the DN of the entry
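As an added example (not part of the slides), a small RFC 2849 parser in Python for the syntax just described. The sample LDIF is constructed from the plainjoe.org entries and also exercises two features the slide does not mention: a folded continuation line and a base64 ("::") value.

```python
import base64

# Constructed sample LDIF modelled on the plainjoe.org entries in these slides.
# It exercises comments, a folded (continued) line, a base64 ("::") value and
# a multivalued attribute.
SAMPLE_LDIF = """\
# LDIF listing for the entry dn: dc=plainjoe,dc=org
dn: dc=plainjoe,dc=org
objectClass: domain
dc: plainjoe

dn: ou=devices,dc=plainjoe,dc=org
objectClass: organizationalUnit
ou: devices
telephoneNumber: +1 256 555-5446
telephoneNumber: +1 256 555-5447
description: Container for all network enabled devices
  existing within the plainjoe.org domain
# "::" marks a base64-encoded value (here: gerald carter)
cn:: Z2VyYWxkIGNhcnRlcg==
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attribute name -> list of values.

    RFC 2849 rules applied: '#' starts a comment, 'name: value' has one space
    after the colon, 'name:: data' carries base64, a line beginning with a
    space continues the previous line, and a blank line ends an entry."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                       # comment lines are dropped entirely
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]         # unfold a continuation line
        else:
            logical.append(raw)
    entries, entry = [], {}
    for line in logical + [""]:            # trailing sentinel flushes the last entry
        if line.strip() == "":
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):          # 'name:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        entry.setdefault(name, []).append(value)
    return entries
```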
LDIF (cont.) Distinguished Names and Relative Distinguished Names
• The full DN of an entry does not need to be stored as an attribute within that entry: it can be generated on the fly
• Comparing LDAP to a filesystem:
  • DN ~ absolute path to a file
  • RDN ~ a filename
  • Unlike a filename, an RDN can be made up of multiple attributes (~ a compound index in a relational database)
• The DN of an element is formed by stringing together the RDNs of every entity from the element to the root of the directory tree
LDIF (cont.) Distinguished Names and Relative Distinguished Names (cont.) Multivalued RDNs

  # example of two entries with a multivalued RDN
  dn: cn=Jane Smith+ou=Sales,dc=plainjoe,dc=org
  cn: Jane Smith
  ou: Sales
  ...

  dn: cn=Jane Smith+ou=Engineering,dc=plainjoe,dc=org
  cn: Jane Smith
  ou: Engineering
  ...

• For both entries, the first component of the DN is an RDN composed of two values: cn=Jane Smith+ou=Sales and cn=Jane Smith+ou=Engineering
• In a multivalued RDN, the + sign separates the two attribute values used to form the RDN
• Characters that must be escaped with a \ are: pound (#), a space at the end of a string, comma (,), plus (+), double quote ("), backslash (\), angle brackets (< and >), semicolon (;)
LDIF (cont.) Distinguished Names and Relative Distinguished Names (cont.) Multivalued RDNs (cont.)
• Use them as little as possible; create different organizationalUnits (ou) for Sales and Marketing instead
[Figure: the same two entries placed under separate organizational units]
  dc=plainjoe,dc=org
  ├── ou=Engineering
  │   └── cn=Jane Smith
  └── ou=Sales
      └── cn=Jane Smith
LDIF (cont.) Distinguished Names and Relative Distinguished Names (cont.)
• RFC 2253 defines a method of unambiguously representing a DN as a UTF-8 string:
  • Remove all non-escaped whitespace surrounding the equal sign in each RDN
  • Make sure the appropriate characters are escaped
  • Remove all non-escaped spaces surrounding the multivalued RDN join character (+)
  • Remove all non-escaped trailing spaces on RDNs
• e.g. cn=gerald carter + ou=sales, dc=plainjoe ,dc=org
  becomes: cn=gerald carter+ou=sales,dc=plainjoe,dc=org
• The string representation of a DN is case-preserving
• However, comparisons are often case-insensitive
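The normalization steps above carried out in Python, as an added example that is not from the slides: the escape handling follows the character list from the multivalued-RDN slide, and dn_equal performs the case-insensitive comparison the last bullet mentions.

```python
def _split_unescaped(s, sep):
    """Split s on sep, ignoring any sep preceded by a backslash (RFC 2253 escape)."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]              # keep the escape pair intact
            i += 2
            continue
        if s[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += s[i]
        i += 1
    parts.append(cur)
    return parts


def _rstrip_unescaped(value):
    """Drop trailing spaces, but keep one written as '\\ ' (an escaped space)."""
    while value.endswith(" "):
        body = value[:-1]
        backslashes = len(body) - len(body.rstrip("\\"))
        if backslashes % 2 == 1:           # odd count: the space is escaped
            break
        value = body
    return value


def normalize_dn(dn):
    """Apply the RFC 2253 clean-up from the slide: strip unescaped whitespace
    around '=' and the '+' join character, and drop trailing spaces on RDNs."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError("RDN component without '=': %r" % ava)
            value = _rstrip_unescaped(value.lstrip(" "))
            avas.append("%s=%s" % (attr.strip(" "), value))
        rdns.append("+".join(avas))
    return ",".join(rdns)


def dn_equal(a, b):
    """The string form is case-preserving, but comparison is usually case-insensitive."""
    return normalize_dn(a).lower() == normalize_dn(b).lower()
```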
What Is an Attribute?
• Attribute types and their associated syntax rules ~ the variable and data type declarations found in programming languages
• Attributes are used to hold values ~ variables can hold certain types of information, and certain rules apply (e.g. how to compare the variable's value)
• LDAP attributes can be multivalued, unlike store-and-replace variables
• Whether an attribute is single-valued or multivalued depends on the attribute's definition

  # LDIF listing for the dn: ou=devices,dc=plainjoe,dc=org
  dn: ou=devices,dc=plainjoe,dc=org
  objectClass: organizationalUnit
  ou: devices
  telephoneNumber: +1 256 555-5446
  telephoneNumber: +1 256 555-5447
  description: Container for all network enabled devices existing within the plainjoe.org domain
What Is an Attribute? (cont.) Attribute Syntax
• Attribute type definitions include matching rules that tell the LDAP server how to make comparisons
• LDAP uses OIDs just like SNMP MIBs
• They fall under the private (4), enterprise (1) branch of the tree; joint-ISO-ccitt (2) is also possible
• An OID uniquely identifies items such as attributes, syntaxes, object classes and extended controls

  # attributetype definition for telephoneNumber
  # From RFC 2256
  attributetype ( 2.5.4.20 NAME 'telephoneNumber'
      EQUALITY telephoneNumberMatch
      SUBSTR telephoneNumberSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

  Reading the definition: 2.5.4.20 is the OID (object identifier); EQUALITY and SUBSTR name the matching rules; SYNTAX names the encoding rules; {32} is the recommended minimum for the largest length of data
What Is an Attribute? (cont.) OIDs
[Figure: the OID tree]
  Root
  ├── ccitt(0)
  ├── ISO(1)
  │   └── org(3)
  │       └── dod(6)
  │           └── internet(1)
  │               ├── directory(1)
  │               ├── mgmt(2)
  │               ├── experimental(3)
  │               └── private(4)
  │                   └── enterprise(1)
  └── joint-ISO-ccitt(2)
What Is an Attribute? (cont.) What Does the Name of the objectClass Attribute Mean?
• All entries in an LDAP directory must have an objectClass attribute
• This attribute must have at least one value (multiple values are possible and common)
• Each objectClass value acts as a template for the data stored in an entry; it defines a set of attributes that must or may be present

  # LDIF listing for the dn: ou=devices,dc=plainjoe,dc=org
  dn: ou=devices,dc=plainjoe,dc=org
  objectClass: organizationalUnit
  ou: devices
  telephoneNumber: +1 256 555-5446
  telephoneNumber: +1 256 555-5447
  description: Container for all network enabled devices existing within the plainjoe.org domain
What Is an Attribute? (cont.) What Does the Name of the objectClass Attribute Mean? (cont.)
• objectClass definition (see the next slide):
  • An objectClass possesses an OID, just like attribute types, encoding syntaxes, and matching rules
  • The keyword MUST denotes the set of attributes that must be present in any instance of this object ("must possess at least one value")
  • The keyword MAY defines the set of attributes whose presence is optional
  • The keyword SUP specifies the parent object from which this object was derived (no multiple inheritance)
• It is possible for two object classes to have common attribute members (e.g. the organizationalUnit object class and the person object class both have a telephoneNumber attribute)
What Is an Attribute? (cont.) What Does the Name of the objectClass Attribute Mean? (cont.)

  # organizationalUnit objectClass definition from
  # RFC 2256
  ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL
      MUST ou
      MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
            x121Address $ registeredAddress $ destinationIndicator $
            preferredDeliveryMethod $ telexNumber $ telexTerminalIdentifier $
            telephoneNumber $ internationalISDNNumber $
            facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
            postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )

[Figure: an entry template for objectClass: organizationalUnit; ou is the required attribute (MUST), the attributes in the MAY list are the optional attributes]
What Is an Attribute? (cont.) Object Class Types
Structural object classes
• Represent a real-world object, such as a person or an organizationalUnit
• Each entry within an LDAP directory must have exactly one structural object class listed in the objectClass attribute
• Once an entry's structural object class has been instantiated, it cannot be changed without deleting and re-adding the entire entry
Auxiliary object classes
• Add certain characteristics to a structural class; cannot be used on their own, but only to supplement an existing structural object
• A special auxiliary object class, extensibleObject, implicitly includes all attributes defined in the server's schema as optional members
Abstract object classes
• Act the same as their counterpart in object-oriented programming: cannot be used directly, but only as ancestors of derived classes
• The most common abstract class related to LDAP (and X.500) that you will use is the top object class, which is the parent or ancestor of all LDAP object classes
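As an added example (not from the slides), a schema check in Python that applies the MUST/MAY/SUP rules and the one-structural-class rule described above. SCHEMA is a constructed, trimmed subset of the RFC 2256 and RFC 2247 definitions quoted on these slides, and entries use the attribute -> list-of-values shape an LDIF parser yields.

```python
# Constructed, trimmed excerpt of the RFC 2256 / RFC 2247 definitions quoted on
# the slides: kind, SUP (superior), MUST and MAY attribute sets per object class.
SCHEMA = {
    "top": dict(kind="ABSTRACT", sup=None, must={"objectClass"}, may=set()),
    "person": dict(kind="STRUCTURAL", sup="top", must={"sn", "cn"},
                   may={"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalUnit": dict(kind="STRUCTURAL", sup="top", must={"ou"},
                               may={"telephoneNumber", "description", "street", "l", "st"}),
    "domain": dict(kind="STRUCTURAL", sup="top", must={"dc"}, may={"description", "o"}),
    "dcObject": dict(kind="AUXILIARY", sup="top", must={"dc"}, may=set()),
}


def _chain(name):
    """Return name followed by its superiors, e.g. ['person', 'top']."""
    out = []
    while name in SCHEMA:
        out.append(name)
        name = SCHEMA[name]["sup"]
    return out


def check_entry(entry):
    """Return the schema violations for an entry given as attribute -> values
    (the shape an LDIF parser produces); an empty list means the entry is valid."""
    problems = []
    classes = entry.get("objectClass", [])
    if not classes:
        return ["entry has no objectClass attribute"]
    must, may = set(), set()
    for oc in classes:
        if oc not in SCHEMA:
            problems.append("unknown object class %r" % oc)
        for anc in _chain(oc):             # inherited MUST/MAY count as well
            must |= SCHEMA[anc]["must"]
            may |= SCHEMA[anc]["may"]
    structural = {oc for oc in classes if oc in SCHEMA
                  and SCHEMA[oc]["kind"] == "STRUCTURAL"}
    # A structural class listed only as a superior of another listed structural
    # class does not count as a second one.
    leaves = {oc for oc in structural
              if not any(oc in _chain(other)[1:] for other in structural)}
    if len(leaves) != 1:
        problems.append("entry needs exactly one structural object class, found %d"
                        % len(leaves))
    present = set(entry) - {"dn"}          # dn names the entry; it is not an attribute
    for attr in sorted(must - present):
        problems.append("missing required attribute %r" % attr)
    for attr in sorted(present - must - may):
        problems.append("attribute %r not allowed by the entry's object classes" % attr)
    return problems
```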
What Is the dc Attribute?
• Topmost entry:

  # LDIF listing for the entry dn: dc=plainjoe,dc=org
  dn: dc=plainjoe,dc=org
  objectClass: domain
  dc: plainjoe

• Originally, the X.500 namespace was based on geographic and national regions, e.g.:

  dn: o=plainjoe,l=AL,c=US

  where o = organizationalName, l = locality, c = country
• RFC 2247 introduces a system where the LDAP directory naming context can be piggybacked on an existing DNS infrastructure
Note: A directory's naming context is the DN of its topmost entry
What Is the dc Attribute? (cont.)
• To allow mapping between the DNS and LDAP directory namespaces, RFC 2247 defines two object classes for storing domain components: domain (a standalone container) and dcObject (an auxiliary class)

  # domain objectClass definition from
  # RFC 2247
  ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL
      MUST dc
      MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
            x121Address $ registeredAddress $ destinationIndicator $
            preferredDeliveryMethod $ telexNumber $ telexTerminalIdentifier $
            telephoneNumber $ internationalISDNNumber $
            facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
            postalAddress $ physicalDeliveryOfficeName $ st $ l $ description $
            o $ associatedName ) )

[Figure: an entry template for objectClass: domain; dc is the required attribute (MUST), the attributes in the MAY list are optional]
What Is the dc Attribute? (cont.)
• If the directory's root entry were dc=org, with a child entry of dc=plainjoe,dc=org:
  • The naming context would have been dc=org
  • Our server would unnecessarily respond to queries for any entry whose DN ended with dc=org
  • ~ DNS: don't service requests for the whole .org domain

  # dcObject objectClass definition from
  # RFC 2247
  ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY
      MUST dc )

[Figure: an entry template for objectClass: dcObject; dc is the required attribute]
Schema References
• What do all the abbreviations mean? "c", "cn", "sn", ...
• Sources of information:
  • RFC 3377 and related LDAPv3 standards
    http://www.rfc-editor.org/
    Provides a list of references for researching related LDAPv3 and X.500 topics
  • LDAP Schema Viewer
    http://ldap.akbkhome.com/
    Browse descriptions and dependencies among common LDAP attributes, object classes, and OIDs
  • Object Identifiers Registry
    http://www.alvestrand.no/objectid/
    To track down the owner of specific OID arcs
  • Sun Microsystems Product Documentation
    http://docs.sun.com/
    Search the site for "LDAP schema reference"
Authentication
• Why is it needed?
  • To establish the client's privileges for each session
  • All searches, queries, ... are controlled by the authentication level of the authenticated user

  # person objectClass definition from
  # RFC 2256
  ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
      MUST ( sn $ cn )
      MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

[Figure: an entry template for objectClass: person; sn and cn are the required attributes, the MAY list holds the optional ones]

• LDIF representation:

  dn: cn=gerald carter,ou=people,dc=org
  objectClass: person
  cn: gerald carter
  sn: carter
  telephoneNumber: 555-1234
  userPassword: {MD5}Xr4ilOzQ4PCOq3aQOqbuaQ==
Authentication (cont.)
• The userPassword attribute stores a representation of the credentials necessary to authenticate a user
• The prefix (in this case {MD5}) describes how the credentials are encoded (here, a base64-encoded MD5 hash); the set of supported schemes is vendor-dependent:
  • {CRYPT}: crypt() system call
  • {MD5}: base64-encoded MD5 digest of the password
  • {SHA}: (secure hash algorithm) base64-encoded 160-bit SHA-1 hash
  • {SSHA}: (salted secure hash algorithm) salted version of the previous hash
• The act of being authenticated is called binding
• Mechanisms for authentication: anonymous / simple authentication / simple authentication over SSL/TLS / Simple Authentication and Security Layer (SASL)
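As an added example (not from the slides), here is how the {MD5}, {SHA} and {SSHA} values above are produced and checked in Python. A decoded {SSHA} value is the 20-byte SHA-1 digest followed by the salt, which is why the same password yields a different stored value every time, whereas {MD5} and {SHA} are unsalted and always yield the same value; {CRYPT} is left out because crypt() is platform-dependent, and all passwords and salts used are constructed.

```python
import base64
import hashlib
import hmac
import os

# Digest function per scheme; for {SSHA} the digest size tells us where the
# salt begins in the decoded value.
_ALGOS = {"MD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}


def make_hash(scheme, password, salt=None):
    """Build a userPassword value for the {MD5}, {SHA} or {SSHA} schemes
    described on the slide (not {CRYPT}, which depends on the platform)."""
    scheme = scheme.upper()
    algo = _ALGOS[scheme]
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt   # fresh salt per password
        raw = algo(pw + salt).digest() + salt             # digest, then salt
    else:
        raw = algo(pw).digest()                           # unsalted
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def check_password(stored, candidate):
    """Return True if candidate matches a stored {MD5}/{SHA}/{SSHA} value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("expected a {scheme}-prefixed userPassword value")
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _ALGOS:
        raise ValueError("unsupported scheme {%s}" % scheme)
    raw = base64.b64decode(encoded)
    pw = candidate.encode("utf-8")
    if scheme == "SSHA":
        size = hashlib.sha1().digest_size          # 20 bytes; the rest is the salt
        digest, salt = raw[:size], raw[size:]
        expected = hashlib.sha1(pw + salt).digest()
    else:
        digest, expected = raw, _ALGOS[scheme](pw).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison
```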
Authentication (cont.)
Anonymous Authentication
• Binding to the directory using an empty DN and password
• Very common; frequently used by client applications
Simple Authentication
• The login name, in the form of a DN, is sent with the password in clear text to the LDAP server
• The server attempts to match this password with the userPassword value
Simple Authentication over SSL/TLS
• Wraps the information in an encrypted transport layer, making it more palatable
• Two means of using SSL/TLS with LDAPv3:
  • LDAP over SSL (LDAPS, TCP/636): deprecated
  • RFC 2830 introduced an LDAPv3 extended operation for negotiating TLS over the standard TCP/389 port: StartTLS
Authentication (cont.) Simple Authentication and Security Layer (SASL)
• An extensible security scheme defined in RFC 2222
• Can add additional authentication mechanisms to connection-oriented protocols such as IMAP and LDAP
• SASL supports pluggable authentication schemes
• Additionally, the hosts may negotiate a security layer (such as SSL/TLS)
• RFC 2222 defines several authentication schemes for SASL, including:
  • Kerberos v4 (KERBEROS_V4)
  • The Generic Security Service Application Program Interface, version 2 (GSSAPI) (RFC 2078)
  • The S/Key mechanism (SKEY) (a one-time password scheme based on MD5)
  • The External (EXTERNAL) mechanism
• RFC 2831 adds SASL/DIGEST-MD5 (compatible with HTTP/1.1 digest authentication)
Distributed Directories
• See the diagram on the next slide
• Different hosts possess different portions of the directory tree
• Reasons:
  • Performance
  • Geographical location
  • Administrative boundaries
• You must configure two links between the main directory server and the server that holds the people ou:
  • Subordinate knowledge reference link (often simply called a reference)
  • Superior knowledge reference link (often simply called a referral)
Distributed Directories (cont.)
• Most often, the naming context of the second server is a continuation of the directory
• The people ou in the main directory tree has no children: all queries for it should be served by the second server
[Figure: the directory split across two servers]
  server1.plainjoe.org
    dc=plainjoe,dc=org
    ├── ou=people        --> held by server2
    └── ou=devices

  server2.plainjoe.org
    ou=people,dc=plainjoe,dc=org
    └── cn=gerald carter
Distributed Directories (cont.)
• The entry ou=people,dc=plainjoe,dc=org on the main directory server is now a placeholder that contains a referral to the actual directory server for this entry
• A referral object contains only one attribute, ref; its format is:
  ldap://[host:port]/[/dn[?attribute][?scope][?filter][?extensions]]

  ( 2.16.840.1.113730.3.2.6 NAME 'referral'
      DESC 'named subordinate reference object'
      STRUCTURAL MUST ref )

  dn: ou=people,dc=plainjoe,dc=org
  objectClass: referral
  ref: ldap://server2.plainjoe.org/ou=people,dc=plainjoe,dc=org

[Figure: an entry template for objectClass: referral; ref is the required attribute]
Distributed Directories (cont.)
• Configuring the superior knowledge reference link (from the second server back to the main directory):
  • A vendor-dependent operation
  • Its purpose is to define an LDAP URI, in this case: ldap://server1.plainjoe.org/dc=plainjoe,dc=org
• Who should follow the referral link? Two possible answers:
  • The server follows and resolves any referrals that it runs into during an LDAP operation; the client receives only the result and never knows that the referral happened ("chaining")
  • The client follows the link for itself; supported by all LDAPv3-compliant clients and servers
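As an added example (not from the slides), a Python parser for the ref URL format shown two slides up, filling in the defaults RFC 2255 assigns to omitted parts (port 389, scope base, filter (objectClass=*), all attributes), plus a check a client that follows referrals itself can apply before binding, and so sending credentials, to whatever host the ref attribute names. The plainjoe.org hostnames are constructed, and bracketed IPv6 hosts are not handled.

```python
from urllib.parse import unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Split an LDAP URL of the form shown on the slide,
    ldap://[host:port]/dn[?attributes[?scope[?filter[?extensions]]]],
    applying the defaults RFC 2255 prescribes for omitted fields."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")      # assumes no [IPv6] literal
    fields = path.split("?", 4)                  # dn, attributes, scope, filter, extensions
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields)
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r" % scope)
    return {
        "scheme": scheme,
        "host": host or None,                    # no host: client picks a default server
        "port": int(port) if port else DEFAULT_PORT[scheme],
        "dn": dn,
        "attributes": [a for a in attrs.split(",") if a],   # empty: all attributes
        "scope": scope,
        "filter": filt or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }


def referral_in_domain(ref, domain):
    """True when the referral names a host under the given DNS domain; a
    referral-chasing client can require this before it binds to that host."""
    host = (parse_ldap_url(ref)["host"] or "").lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)
```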
Continuing Standardization
• Currently two working groups within the IETF help LDAP evolve:
  • LDAP Duplication/Replication/Update Protocols (LDUP) working group
    http://ietf.org/html.charters/ldup-charter.html
  • LDAPv3 Revision (LDAPbis) working group
    http://ietf.org/html.charters/ldapbis-charter.html
Note: See also http://www.ldapzone.com/