Jarret W. Buse
TCP/IP Protocol: Lightweight Directory Access Protocol (LDAP)
Lightweight Directory Access Protocol (LDAP) has two main uses:
- Access a hierarchical set of records
- Sign into a network once for access to all resources
For company intranets, a user can log on once and be granted access to allowable company resources without having to type in the password for each resource. The authentication occurs once and grants the user an Access Control List (ACL), which is a list of user permissions. When the user attempts to use a new resource, the ACL is checked to determine whether the user has the privileges required to access it.
LDAP was created by Steve Kille of Isode Limited, Tim Howes of the University of Michigan, Colin Robbins of Nexor and Wengyik Yeong of Performance Systems International in 1993. Originally, LDAP was known as Lightweight Directory Browsing Protocol (LDBP).
The directory structure accessed through LDAP follows the X.500 model:
- Each entry is made up of attributes
- Each attribute has a name with one or more values defined in a schema
- Each entry has a unique identifier called a Distinguished Name (DN)
- The DN is built from the entry's Relative Distinguished Name (RDN) followed by the DN of its parent entry
The schema is a set of rules to define the content and layout of the data within the database.
LDAP uses TCP or UDP at the default port of 389. The client can connect to an LDAP Server sometimes known as a Directory System Agent (DSA). The client sends a request to the DSA and the DSA responds appropriately. The LDAP commands consist of the following:
- ADD – Adds a new entry into the database. If the entry already exists, the command will generate an error
- BIND – Authenticates a user when creating a session
- DELETE – Removes an entry from the database. The entry must exist and the client must have the privileges when authenticated to delete an entry
- SEARCH – Searches the database for a specific entry
- COMPARE – A search where the DN, attribute name and value are checked for equality
- MODIFY – Allows clients to make changes to an existing entry. The entry must exist and the client must have proper privileges to modify the entry
- MODIFY DN – Allows modification of the DN and ultimately the RDN
- Extended Operations – Commands that were not original to LDAP but have been added, such as StartTLS
- STARTTLS – Establishes Transport Layer Security (TLS) for data encryption between the client and server
- ABANDON – Aborts an operation request
- UNBIND – Abandons current operations and closes the session
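As an added example (not code from the original article), the following Python 3 standard-library snippet encodes the BIND and UNBIND operations listed above in BER, the encoding LDAP uses on the wire, and decodes a frame back to tell whether it is a simple-authentication BIND. The DN and password are constructed sample values. It makes visible why STARTTLS matters: a simple BIND carries the password as a plain octet string.

```python
def ber_len(n):
    """BER length octets: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    The password is sent as a plain OCTET STRING: only STARTTLS (or ldaps) hides it."""
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + op)

def unbind_request(message_id):
    """UnbindRequest is [APPLICATION 2] NULL: tag 0x42 with an empty body."""
    return tlv(0x30, ber_int(message_id) + tlv(0x42, b""))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element at pos, handling both length forms."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def simple_bind_dn(frame):
    """Return the bind DN if frame is a simple-authentication BindRequest, else None.
    A defender can run this over frames captured on port 389 to find cleartext binds."""
    tag, msg, _ = read_tlv(frame)
    if tag != 0x30:
        return None
    _, _, pos = read_tlv(msg)               # messageID
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x60:                         # not a BindRequest
        return None
    _, _, pos = read_tlv(body)              # version
    _, dn, pos = read_tlv(body, pos)        # name (LDAPDN)
    auth_tag, _, _ = read_tlv(body, pos)    # 0x80 = simple, 0xA3 = SASL
    return dn.decode() if auth_tag == 0x80 else None
```

Calling bind_request(1, "cn=admin,dc=linux,dc=org", "secret") yields a 44-byte frame whose last eight bytes are 0x80 0x06 followed by the password itself.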
An LDAP resource is addressed with a URL of the form ldap://host:port/DN?attributes?scope?filter?extensions where:
- Host – IP Address or domain name of LDAP server
- Port – LDAP TCP or UDP Port (389 by default)
- DN – Distinguished Name of search
- Attribute – list of attributes separated by commas
- Scope – the search scope
- Filter – search filter
- Extensions – extension to URL format
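As an added example (not from the original article), this Python 3 standard-library parser breaks the URL form above into its parts, applying the RFC 4516 defaults for anything left empty (port 389, base scope, the (objectClass=*) filter), and splits the DN into the RDN chain described in the X.500 list earlier. The sample URLs use the article's servername.linux.org domain with constructed filters; bracketed IPv6 hosts are assumed not to occur.

```python
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}

def split_dn(dn):
    """Split a DN into its RDNs (leaf first), keeping backslash-escaped commas inside an RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: copy both characters verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns

def parse_ldap_url(url):
    """Break ldap://host:port/DN?attributes?scope?filter?extensions into its parts.
    Every field after the host is optional and takes the RFC 4516 default when empty.
    Assumption: hosts are names or IPv4 literals (bracketed IPv6 is not handled here)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    hostport, _, query = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = query.split("?") + [""] * 5          # pad so missing fields read as empty
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields[:5])
    if scope.lower() not in SCOPES:
        raise ValueError("unknown scope %r (expected base, one or sub)" % scope)
    return {
        "scheme": scheme,
        "host": host or "localhost",                 # RFC 4516: empty host means the local server
        "port": int(port) if port else DEFAULT_PORTS[scheme],
        "dn": dn,
        "rdns": split_dn(dn) if dn else [],
        "attributes": [a for a in attrs.split(",") if a],   # empty list = all user attributes
        "scope": SCOPES[scope.lower()],
        "filter": filt or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }
```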
For the server, perform the following:
- # apt-get install slapd ldap-utils migrationtools
- # dpkg-reconfigure slapd
- $ ldapsearch -x -b dc=debuntu,dc=local
- # /etc/init.d/slapd start
For the clients, perform the following:
sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db ldapscripts nscd
Once installed, you can configure the program by typing:
sudo dpkg-reconfigure ldap-auth-config
The configuration settings are as follows:
- ldap://servername.linux.org – set to match your LDAP server name
- dc=linux,dc=org – exchange with your domain
- ldap version to use – set to 3 for LDAPv3
- make local database admin – answer yes
- Does the ldap database require login – answer no
- cn=admin,dc=linux,dc=org – sets LDAP root account
- ldap root account password – sets the root account password
Change or add the following lines in /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
Once these items are set, save and exit the editor. Then you need to edit another configuration file: /etc/ldap.conf.
# Use your LDAP server IP
host 10.0.0.1
# Use your base DN
base dc=linux,dc=org
# Use your LDAP URL
uri ldap://servername.linux.org
# Set the LDAP version
ldap_version 3
# Set the LDAP admin user (the root account chosen during dpkg-reconfigure)
rootbinddn cn=admin,dc=linux,dc=org
Now save these changes and exit, then open another configuration file: /etc/ldap/ldap.conf.
# Set with your domain
BASE dc=linux,dc=org
# Use your LDAP server hostname
HOST servername.linux.org
Save and exit with these changes and open /etc/ldap.secret. In this file, type in your root admin password you previously set then save and exit the file.
Type the following command: chmod 600 /etc/ldap.secret. Then type the following: sudo nss_updatedb ldap.
There are only two more items to do before we are finished. Type the following: sudo auth-client-config -t nss -p lac_ldap then type sudo pam-auth-update. Here you will press OK and Enter.
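As an added example (not part of the original walkthrough), this Python 3 standard-library script audits the result of the client steps above: the three nsswitch databases must name ldap, /etc/ldap.conf must carry the version, base DN and rootbinddn chosen during dpkg-reconfigure, the file holding that password must be mode 0600, and a plain ldap:// URI without the pam_ldap/nss_ldap setting ssl start_tls is flagged because the bind password would then cross the network unencrypted. The embedded configuration text is a constructed sample.

```python
import re
import stat

REQUIRED_NSS = ("passwd", "group", "shadow")

def parse_conf(text):
    """Parse 'key value' lines as used by /etc/ldap.conf and /etc/ldap/ldap.conf ('#' = comment)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()   # BASE and base are the same setting
    return conf

def audit_nsswitch(text):
    """Every database the walkthrough sets must name the ldap source."""
    findings = []
    for db in REQUIRED_NSS:
        m = re.search(r"^\s*%s:\s*(.*)$" % db, text, re.M)
        if not m or "ldap" not in m.group(1).split():
            findings.append("nsswitch: %s does not list ldap" % db)
    return findings

def audit_ldap_conf(text, admin_dn):
    """Check /etc/ldap.conf against the values chosen during dpkg-reconfigure."""
    conf, findings = parse_conf(text), []
    if conf.get("ldap_version") != "3":
        findings.append("ldap_version is not 3")
    if "base" not in conf:
        findings.append("base DN is missing")
    if conf.get("rootbinddn") != admin_dn:
        findings.append("rootbinddn %r does not match admin DN %r" % (conf.get("rootbinddn"), admin_dn))
    if conf.get("uri", "").startswith("ldap://") and conf.get("ssl") != "start_tls":
        findings.append("plain ldap:// without 'ssl start_tls': the rootbinddn password crosses the wire in cleartext")
    return findings

def audit_secret_mode(mode):
    """/etc/ldap.secret holds the admin password, so anything wider than 0600 exposes it."""
    perm = stat.S_IMODE(mode)
    return [] if perm == 0o600 else ["ldap.secret mode %o is not 0600" % perm]

# Constructed sample of the /etc/ldap.conf built in the walkthrough (no start_tls line).
SAMPLE_LDAP_CONF = """host 10.0.0.1
base dc=linux,dc=org
uri ldap://servername.linux.org
ldap_version 3
rootbinddn cn=admin,dc=linux,dc=org
"""
```

On a real client, feed the functions open("/etc/nsswitch.conf").read(), open("/etc/ldap.conf").read() and os.stat("/etc/ldap.secret").st_mode; an empty list from each means the walkthrough's settings are in place.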