TCP/IP Protocol: Lightweight Directory Access Protocol (LDAP)

Discussion in 'Linux Networking' started by Jarret W. Buse, Dec 10, 2013.


    Lightweight Directory Access Protocol (LDAP) has two main uses:

    • Access a hierarchical set of records
    • Sign into a network once for access to all resources
    When used for record access, LDAP lets a user query the directory. For example, a user can search a list of employee records containing company phone numbers and e-mail addresses.

    For company intranets, a user logs on once and is granted access to the company resources they are allowed to use without retyping the password for each resource. Authentication happens once and grants the user an Access Control List (ACL), a list of the user's permissions. When the user attempts to use a new resource, the ACL is checked to determine whether the user has the privileges to access it.

    LDAP was created by Steve Kille of Isode Limited, Tim Howes of the University of Michigan, Colin Robbins of Nexor and Wengyik Yeong of Performance Systems International in 1993. Originally, LDAP was known as Lightweight Directory Browsing Protocol (LDBP).

    The directory structure accessible through LDAP follows the X.500 model:

    • Each entry is made up of attributes
    • Each attribute has a name with one or more values defined in a schema
    • Each entry has a unique identifier called a Distinguished Name (DN)
    • The DN consists of a Relative Distinguished Name (RDN)
    NOTE: Let’s assume an e-mail address (JohnDoe@Linux.Org) as an example. The RDN would be JohnDoe and the DN would be Linux.Org.

    The schema is a set of rules to define the content and layout of the data within the database.

    LDAP uses TCP or UDP at the default port of 389. The client connects to an LDAP server, sometimes known as a Directory System Agent (DSA), and sends it a request; the DSA responds appropriately. The LDAP commands are the following:

    • ADD – Adds a new entry into the database. If the entry already exists, the command will generate an error
    • BIND – Authenticates a user when creating a session
    • DELETE – Removes an entry from the database. The entry must exist and the client must have the privileges when authenticated to delete an entry
    • SEARCH – Searches the database for a specific entry
    • COMPARE – A search where the DN, attribute name and value are checked for equality
    • MODIFY – Allows clients to make changes to an existing entry. The entry must exist and the client must have proper privileges to modify the entry
    • MODIFY DN – Allows modification of the DN and ultimately the RDN
    • Extended Operations – Commands that were not original to LDAP but have been added, such as StartTLS
    • STARTTLS – Establishes Transport Layer Security (TLS) for data encryption between the client and server
    • ABANDON – Aborts an operation request
    • UNBIND – Abandons current operations and closes the session
    NOTE: The client should send UNBIND rather than simply closing the LDAP session on its side; UNBIND performs a graceful session close.
    An LDAP URL has the form ldap://host:port/DN?attributes?scope?filter?extensions, where:

    • Host – IP Address or domain name of LDAP server
    • Port – LDAP TCP or UDP Port (389 by default)
    • DN – Distinguished Name of search
    • Attributes – list of attributes separated by commas
    • Scope – the search scope
    • Filter – search filter
    • Extensions – extension to URL format
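    As an added example (not code from the post), here is a small Python parser for the URL form above that also splits the DN into its RDNs, using the post's own placeholder host and dc=linux,dc=org base. The names parse_ldap_url, split_dn and LdapUrl are mine; an omitted port falls back to 389 and an omitted scope or filter to the RFC 4516 defaults.

```python
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

SCOPES = ("base", "one", "sub")  # the three search scopes an LDAP URL may name


@dataclass
class LdapUrl:
    host: str
    port: int
    dn: str
    rdns: list
    attributes: list
    scope: str
    filter: str
    extensions: list


def split_dn(dn: str) -> list:
    """Split a DN into its RDNs at unescaped commas (a backslash escapes the next char)."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped or ch == "\\":
            current += ch
            escaped = not escaped
        elif ch == ",":
            rdns.append(current.strip())
            current = ""
        else:
            current += ch
    rdns.append(current.strip())
    return [r for r in rdns if r]


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse ldap://host:port/DN?attributes?scope?filter?extensions (the form given in the post)."""
    parts = urlsplit(url)
    if parts.scheme != "ldap" or not parts.hostname:
        raise ValueError(f"not an ldap://host URL: {url!r}")
    # Everything after the first '?' holds the four optional fields, themselves '?'-separated.
    fields = parts.query.split("?") + ["", "", "", ""]
    attributes, scope, filt, extensions = (unquote(f) for f in fields[:4])
    if scope and scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    dn = unquote(parts.path.lstrip("/"))
    return LdapUrl(
        host=parts.hostname, port=parts.port or 389,  # 389 is the default port named in the post
        dn=dn, rdns=split_dn(dn),
        attributes=[a for a in attributes.split(",") if a],
        scope=scope or "base",                        # RFC 4516 defaults when a field is empty
        filter=filt or "(objectClass=*)",
        extensions=[e for e in extensions.split(",") if e],
    )
```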
    To make a Linux LDAP Server you perform the following:

    1. # apt-get install slapd ldap-utils migrationtools
    2. # dpkg-reconfigure slapd
    3. $ ldapsearch -x -b dc=debuntu,dc=local
    This command may cause an error because the service is not running. If an error occurs, perform the following command:
    1. # /etc/init.d/slapd start
    Now the LDAP Service is running and you can place data into the database.

    For the clients, perform the following:

    sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db ldapscripts nscd

    Once installed, you can configure the program by typing:

    sudo dpkg-reconfigure ldap-auth-config

    The configuration settings are as follows:
    1. ldap://servername.linux.org – set to match your LDAP server name
    2. dc=linux,dc=org – exchange with your domain
    3. ldap version to use – set to 3 for LDAPv3
    4. make local database admin – answer yes
    5. Does the ldap database require login – answer no
    6. cn=admin,dc=linux,dc=org – sets LDAP root account
    7. ldap root account password – sets the root account password
    The next step is to configure another configuration file: cp /etc/nsswitch.conf /etc/nsswitch.conf.

    Change or add the following:

    passwd: files ldap
    group: files ldap
    shadow: files ldap

    Once these items are set, save and exit the editor. Then you need to edit another configuration file: /etc/ldap.conf.

    host 10.0.0.1                          # LDAP server IP address
    base dc=linux,dc=org                   # base DN (use your domain)
    uri ldap://servername.linux.org        # LDAP URL
    ldap_version 3                         # LDAP protocol version
    rootbinddn cn=admin,dc=linux,dc=org    # LDAP admin user (the root account set above)

    Now save these changes and exit, then open another configuration file, /etc/ldap/ldap.conf:

    BASE dc=linux,dc=org                   # set to your domain
    HOST servername.linux.org              # LDAP server hostname

    Save and exit with these changes and open /etc/ldap.secret. In this file, type the root admin password you set previously, then save and exit the file.

    Type the following command: chmod 600 /etc/ldap.secret. Then type the following: sudo nss_updatedb ldap.

    There are only two more items to do before we are finished. Type sudo auth-client-config -t nss -p lac_ldap, then type sudo pam-auth-update; here you select OK and press Enter.
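    As an added example (not code from the post), a Python check of the two client-side settings above that most often go wrong: the three nsswitch.conf lines and the mode of /etc/ldap.secret, which holds the rootbinddn password in clear text, hence the chmod 600. The function names, the temporary-directory demo and its sample file contents are mine, constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

NSS_DATABASES = ("passwd", "group", "shadow")  # the three lines the post edits


def parse_nsswitch(text: str) -> dict:
    """Map each nsswitch.conf database to its ordered list of sources."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" in line:
            name, sources = line.split(":", 1)
            databases[name.strip()] = sources.split()
    return databases


def check_ldap_client(nsswitch_path: str, secret_path: str) -> list:
    """Return a list of problems; an empty list means the files match the post's settings."""
    findings = []
    databases = parse_nsswitch(Path(nsswitch_path).read_text())
    for db in NSS_DATABASES:
        sources = databases.get(db, [])
        if "ldap" not in sources:
            findings.append(f"nsswitch.conf: {db} does not consult ldap (sources: {sources})")
        elif sources[0] != "files":
            findings.append(f"nsswitch.conf: {db} should list files before ldap")
    if not os.path.exists(secret_path):
        return findings + [f"{secret_path} is missing"]
    mode = stat.S_IMODE(os.stat(secret_path).st_mode)
    if mode != 0o600:  # the post's chmod 600: nobody but root may read the bind password
        findings.append(f"{secret_path} has mode {mode:04o}, expected 0600")
    return findings


def demo() -> dict:
    """Run the check on two constructed config sets (one correct, one not) in a temp dir."""
    cases = {  # constructed sample contents, not real system files
        "good": ("passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n", 0o600),
        "bad": ("passwd: files ldap\ngroup: files ldap\nshadow: files\n", 0o644),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (nss_text, mode) in cases.items():
            nss, secret = Path(tmp, "nsswitch.conf"), Path(tmp, "ldap.secret")
            nss.write_text(nss_text)
            secret.write_text("s3cret\n")
            secret.chmod(mode)
            results[name] = check_ldap_client(str(nss), str(secret))
    return results
```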
