TCP/IP Protocol: Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP) has two main uses:

- Access a hierarchical set of records
- Sign into a network once for access to all resources

When accessing a set of records, LDAP can allow a user to access the records. For example, a user can search a list of employee records containing company phone numbers and e-mail addresses.

For company intranets, a user can log on once and be granted access to allowable company resources without having to type in the password for each resource. The authentication occurs once and grants the user an Access Control List (ACL), which is a list of user permissions. When the user attempts to use a new resource, the ACL is checked to determine whether the user has the proper privileges to access the resource.

LDAP was created by Steve Kille of Isode Limited, Tim Howes of the University of Michigan, Colin Robbins of Nexor and Wengyik Yeong of Performance Systems International in 1993. Originally, LDAP was known as Lightweight Directory Browsing Protocol (LDBP).

The directory structure accessible by LDAP is based on the X.500 model, which is built on the following:

- Each entry is made up of attributes
- Each attribute has a name with one or more values defined in a schema
- Each entry has a unique identifier called a Distinguished Name (DN)
- The DN consists of a Relative Distinguished Name (RDN)

NOTE: Let's assume an e-mail address (JohnDoe@Linux.Org) as an example. The RDN would be JohnDoe and the DN would be Linux.Org.

The schema is a set of rules that defines the content and layout of the data within the database.

LDAP uses TCP or UDP at the default port of 389. The client connects to an LDAP server, sometimes known as a Directory System Agent (DSA). The client sends a request to the DSA and the DSA responds appropriately.

The LDAP commands consist of the following:

- ADD – Adds a new entry into the database.
  If the entry already exists, the command will generate an error.
- BIND – Authenticates a user when creating a session
- DELETE – Removes an entry from the database. The entry must exist and the client must have been granted, when authenticated, the privileges to delete an entry
- SEARCH – Searches the database for a specific entry
- COMPARE – A search where the DN, attribute name and value are checked for equality
- MODIFY – Allows clients to make changes to an existing entry. The entry must exist and the client must have the proper privileges to modify the entry
- MODIFY DN – Allows modification of the DN and ultimately the RDN
- Extended Operations – Commands that were not original to LDAP but have been added, such as StartTLS
- STARTTLS – Establishes Transport Layer Security (TLS) for data encryption between the client and server
- ABANDON – Aborts an operation request
- UNBIND – Abandons current operations and closes the session

NOTE: Unbind should be performed rather than simply closing the LDAP session from the client side. Unbind performs a graceful session close.

The connection to an LDAP resource is written as:

    ldap://host:port/DN?attributes?scope?filter?extensions

where:

- Host – IP address or domain name of the LDAP server
- Port – LDAP TCP or UDP port (389 by default)
- DN – Distinguished Name of the search
- Attributes – list of attributes separated by commas
- Scope – the search scope
- Filter – search filter
- Extensions – extensions to the URL format

To make a Linux LDAP server, perform the following:

    # apt-get install slapd ldap-utils migrationtools
    # dpkg-reconfigure slapd
    $ ldapsearch -x -b dc=debuntu,dc=local

The ldapsearch command may produce an error because the service is not running. If an error occurs, perform the following command:

    # /etc/init.d/slapd start

Now the LDAP service is running and you can place data into the database.
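As an added example that is not part of the original article, the following Python splits the ldap://host:port/DN?attributes?scope?filter?extensions format described above into its components and fills in the defaults that apply when a field is left empty. Those defaults (port 389, base scope, the filter (objectClass=*)) and the ldaps:// port of 636 are taken from RFC 4516 and common practice, not from the article.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Defaults that apply when a URL component is left empty (RFC 4516).
# ldaps:// is not in the article; its 636 default is a common convention.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}

@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    dn: str
    attributes: list = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: list = field(default_factory=list)  # (name, critical, value)

def parse_ldap_url(url: str) -> LdapUrl:
    """Split ldap://host:port/DN?attributes?scope?filter?extensions."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname or ""  # an empty host means "use a local server"
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    dn = unquote(parts.path[1:]) if parts.path.startswith("/") else ""
    # urlsplit keeps everything after the first '?' as the query; the
    # remaining '?'-separated fields are attributes, scope, filter, extensions.
    fields = parts.query.split("?", 3) + [""] * 3
    attrs_s, scope_s, filter_s, exts_s = fields[:4]
    attributes = [a for a in unquote(attrs_s).split(",") if a]
    if scope_s.lower() not in SCOPES:
        raise ValueError(f"invalid scope: {scope_s!r}")
    extensions = []
    for ext in exts_s.split(","):
        if not ext:
            continue
        critical = ext.startswith("!")  # '!' marks an extension the client must honour
        name, _, value = ext.lstrip("!").partition("=")
        extensions.append((name.lower(), critical, unquote(value)))
    return LdapUrl(scheme, host, port, dn, attributes, SCOPES[scope_s.lower()],
                   unquote(filter_s) or "(objectClass=*)", extensions)
```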
For the clients, perform the following:

    sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db ldapscripts nscd

Once installed, you can configure the program by typing:

    sudo dpkg-reconfigure ldap-auth-config

The configuration settings are as follows:

- ldap://servername.linux.org – set to match your LDAP server name
- dc=linux,dc=org – exchange with your domain
- LDAP version to use – set to 3 for LDAPv3
- Make local database admin – answer yes
- Does the LDAP database require login – answer no
- cn=admin,dc=linux,dc=org – sets the LDAP root account
- LDAP root account password – sets the root account password

The next step is to configure another configuration file, /etc/nsswitch.conf. Make a backup copy first:

    cp /etc/nsswitch.conf /etc/nsswitch.conf.

Change or add the following:

    passwd: files ldap
    group:  files ldap
    shadow: files ldap

Once these items are set, save and exit the editor. Then you need to edit another configuration file, /etc/ldap.conf:

    host 10.0.0.1                         # use the LDAP server IP
    base dc=linux,dc=org                  # use your base DN
    uri ldap://servername.linux.org       # use the LDAP URL
    ldap_version 3                        # set the LDAP version
    rootbinddn cn=admin,dc=linux,dc=org   # set the LDAP admin user (the root account chosen above)

Now save these changes and exit to open another configuration file, /etc/ldap/ldap.conf:

    BASE dc=linux,dc=org          # set with your domain
    HOST servername.linux.org     # use the LDAP server hostname

Save and exit with these changes and open /etc/ldap.secret. In this file, type in the root admin password you previously set, then save and exit the file. Because this file holds that password in clear text, restrict it so that only root can read it:

    chmod 600 /etc/ldap.secret

Then type the following:

    sudo nss_updatedb ldap

There are only two more items to do before we are finished. Type the following:

    sudo auth-client-config -t nss -p lac_ldap

then type:

    sudo pam-auth-update

Here you will press OK and Enter.