This is a multi-part article in which I cover different areas of configuring an OpenLDAP server on a CentOS 7 Linux node. Use the links below to reach the different parts of this tutorial:
Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Step-by-Step Tutorial: Install and Configure OpenLDAP
Step-by-Step Tutorial: Configure OpenLDAP with TLS certificates
Step-by-Step Tutorial: Configure LDAP client to authenticate with LDAP server
Before all that, it is important to shed some light on the basics of LDAP: What is LDAP? Why do we use LDAP? What terminology is used with LDAP? This article is an LDAP tutorial for beginners, so that they can understand LDAP in brief before they actually start working in this area.
LDAP Tutorial for Beginners
Lightweight Directory Access Protocol (LDAP) is actually a set of open protocols used to access and modify centrally stored information over a network. LDAP is based on the X.500 standard (X.500 is an International Organization for Standardization [ISO] standard that defines an overall model for distributed directory services) but is a more lightweight version of the original standard. RFC 2251 explains the relationship like so: “LDAP is designed to provide access to directories supporting the X.500 models, while not incurring the resource requirements of the X.500 directory access protocol.” Like traditional databases, an LDAP database can be queried for the information it stores.
Now for some basics. LDAP is a protocol for accessing a specially tailored database that is used for a variety of things, such as a directory service. This directory can be used to store all sorts of information, and it can be regarded as a database of sorts. But unlike traditional databases, an LDAP database is especially suited for read, search, and browse operations rather than write operations. It is with reads that LDAP shines.
Here are some popular LDAP implementations:
- OpenLDAP, an open source LDAP suite
- Microsoft Active Directory
- 389 Directory Server
- IBM Security Directory Server
- NetIQ eDirectory
As with most network services, LDAP adheres to the usual client/server paradigm. A typical interaction between the client and the server goes like this:
- An LDAP client application connects to an LDAP server. This process is also referred to as “binding to a server.”
- Based on the access restrictions configured on the server, the LDAP server either accepts or refuses the bind/connection request.
- Assuming the server accepts, the client has the choice of querying the directory server, browsing the information stored on the server, or attempting to modify/update the information on the LDAP server.
- Again, based on access restrictions, the server can allow or deny any of the operations attempted by the client. In the event that the server cannot answer a request, it may forward or refer the client to another upstream LDAP server that may have a more authoritative response to the request.
Uses of LDAP
Here are some of the uses of LDAP. LDAP is a distributed directory service and can be used as storage for various types of information. Just about any kind of information can be stored in an LDAP directory: information as varied in nature as plain textual information, images, binary data, public key certificates, and so on.
Over the years, various LDAP schemas have been created to allow the storage of different data sources in an LDAP directory. Here are some example uses for LDAP:
- LDAP can serve as a complete identity management solution for an organization. It can provide authentication and authorization services for users. In fact, the services provided by the Network Information Service (NIS) can be completely replaced by LDAP.
- The information stored in DNS records can be stored in LDAP.
- LDAP can be used to provide “yellow pages” services for an organization (for instance, users’ or employees’ contact information—phone numbers, addresses, departments, and so on).
- Mail routing information can be stored in LDAP.
- A Samba schema exists that allows a Samba server to store extensive object attributes in LDAP. This allows Samba to function as a robust drop-in replacement for Microsoft Windows domain controllers in environments where redundancy and replication are needed.
If you are going to master LDAP-speak, you might as well know the essential LDAP technical jargon. In this section I have tried to summarize some of the most used terms in LDAP configuration.
- Entry (or object) - One unit in an LDAP directory. Each entry is qualified by its distinguished name (DN). Here’s an example:
- Attributes - These are pieces of information associated with an entry, such as an organization’s address or employees’ phone numbers.
- objectClass - This is a special type of attribute. All objects in LDAP must have an objectClass attribute. The objectClass definition specifies which attributes are required for each LDAP object, and it specifies the object classes of an entry. The values of this attribute may be modified by clients, but the objectClass attribute itself cannot be removed. objectClass definitions are themselves stored in schema files.
- Schema - A collection of rules that determines the structure and contents of the directory. The schema contains the attribute type definitions, objectClass definitions, and other information. The schema lists the attributes of each object type and whether these attributes are required or optional. Schemas are usually stored in plain-text files. Following are a few examples of schemas:
  - core.schema - Defines the basic LDAPv3 attributes and objects. It is a required core schema in the OpenLDAP implementation.
  - inetorgperson.schema - Defines the inetOrgPerson object class and its associated attributes. This object is often used to store people’s contact information.
- LDIF - This stands for LDAP Data Interchange Format. It is a plain-text file for LDAP entries. Files used for importing or exporting data to and from an LDAP server should be in this format. The data used for replication among LDAP servers are also in this format.
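How the terms above fit together, as an added example that is not part of the original article: a small Python parser for one LDIF entry, followed by a check of the entry's attributes against its object classes. The sample entry, the abridged `SCHEMA` table and the function names are constructed for illustration; the parser handles only folded lines and base64 values.

```python
import base64

# Abridged MUST/MAY lists (full definitions: core.schema, inetorgperson.schema).
# Each value is (superior class, required attributes, optional attributes).
SCHEMA = {
    "person": (None, {"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": ("person", set(), {"title", "ou", "l"}),
    "inetorgperson": ("organizationalperson", set(), {"uid", "mail", "givenname", "mobile"}),
}

# Constructed sample entry: no sn, and loginShell belongs to another class.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
mail: jdoe@exam
 ple.com
description:: U2FsZXM=
loginShell: /bin/bash
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attribute: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: value" is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs.pop("dn")[0], attrs

def check_entry(attrs):
    """Return (missing required attributes, attributes no object class allows)."""
    must, allowed = set(), {"objectclass"}
    for name in (oc.lower() for oc in attrs.get("objectclass", [])):
        while name:                         # walk up the superior-class chain
            name, oc_must, oc_may = SCHEMA[name]
            must |= oc_must
            allowed |= oc_must | oc_may
    return sorted(must - set(attrs)), sorted(set(attrs) - allowed)

if __name__ == "__main__":
    dn, attrs = parse_ldif_entry(SAMPLE_LDIF)
    print(dn, check_entry(attrs))
```

The sample entry fails both checks: inetOrgPerson inherits the required sn attribute from person, and loginShell is not permitted by any of the entry's object classes.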
By default, Linux systems keep a local registry of all their users. That registry is the /etc/passwd file. In this file, we can see a line for every registered user. So, in order to access a computer, we must have a user defined in that computer. This is OK when we have only a few computers, but if we have tens or hundreds of computers, it could be a nightmare to create new users or change a password in all of them.
The solution is to centralize user account management, that is, to have a common database in which to keep all information related to user accounts. There are many ways to accomplish this, but probably the most used today is the Lightweight Directory Access Protocol (LDAP) in one of its many variants.
LDAP keeps a central database in which users, computers, and, generally speaking, all network objects are registered. There are many implementations of the protocol, for example, Active Directory from Microsoft or eDirectory from Novell. Here we’ll use OpenLDAP, a free implementation of the protocol.
OpenLDAP is the open source implementation of LDAP that runs on Linux/UNIX systems. OpenLDAP is a suite of programs, made up of slapd, slurpd, various utilities, and libraries, that implements the LDAP protocol along with various client- and server-side utilities.
The server side consists of two main daemons:
- slapd: This is a stand-alone LDAP daemon that listens for LDAP connections from clients and responds to the LDAP operations it receives over those connections.
- slurpd: This is a stand-alone LDAP replication daemon that is used to propagate changes from one slapd database to another. This daemon is used for synchronizing changes from one LDAP server to another. It is needed only when more than one LDAP server is in use.
Linux Administration: A Beginner’s Guide
Lastly, I hope this LDAP tutorial for beginners and introduction to OpenLDAP on Linux was helpful. Let me know your suggestions and feedback in the comment section.