April 26, 2006

LDAP in the enterprise

Author: Gary Sims

The Lightweight Directory Access Protocol (LDAP) is a network protocol for accessing a special-purpose database, called a directory, that stores information about people, organizations, and computers. What can LDAP do for your business and your network?

LDAP was developed as a lighter-weight alternative to the Directory Access Protocol (DAP) that is part of the X.500 directory standard. It is the network language spoken between a piece of client software (such as an email client) and a directory server. A directory is a type of database that stores information about your enterprise in a hierarchical form. Each entry in the directory is identified by its "distinguished name" (DN), which consists of the name of the entry itself followed by the names, from bottom to top, of the entries above it in the tree.

How does this work in practice? Suppose you wanted to write an email to Wile E. Coyote, a colleague in your organization, Acme Products. Rather than needing to know his email address or already have him in your personal address book, your email client can look up Mr. Coyote in the directory (using LDAP) and get his email address. It will discover his distinguished name to be "CN=Wile E. Coyote, O=Acme, C=US". Here CN means Common Name, O means Organization, and C stands for Country; the attribute type names are case-insensitive, so they may be written in upper or lower case.

Thanks to this hierarchical structure, a directory can be highly distributed, meaning that different parts of the overall directory can be held on different servers, which themselves can be in different physical locations.

Why would I want LDAP and a directory?

If you don't already have an LDAP directory in your organization, then you probably have several non-unified databases (in different forms) spread throughout your organization. You may have one for login information, one for email accounts, another for distribution lists, an online company phone book, and so on. If a new employee joins your organization, you must create a user account for him, then an email account, then the receptionist must be informed about him, and the mailing room, and so on. With an LDAP directory, the new employee can be added once; the information is then available to all the parts of your enterprise. By using an LDAP directory you can link your people's contact details, user accounts, mailboxes, and other information. An LDAP directory simplifies the task of adding, modifying, and deleting user information. Name changes, password changes, and new phone numbers are all dealt with in a single place.

There are several areas in which your organization can benefit from an LDAP directory. For instance, the messaging infrastructure of your enterprise needs information about all of the users in it. This includes routing data (mailbox account information), address book information, and mailing lists. An LDAP directory is ideal for providing an email infrastructure. Popular open source mail servers such as Sendmail and Postfix can be configured to use LDAP for routing information.

For example, Postfix has an aliases configuration file containing routing information on how to deliver mail to the correct mailboxes. Common aliases include sending mail for webmaster and postmaster to the administrator's mailbox. By storing this information in an LDAP directory and not locally on the mail server, an administrator can maintain the aliases from anywhere on the network. If you have multiple mail servers, they can all be configured to use the same directory information, which removes the need to maintain local copies of the same information (one for each mail server).

An LDAP directory is also well-suited to providing a single sign-on infrastructure. For example, in a mixed Windows and Linux environment, a Samba server can be configured as a primary domain controller with an LDAP-based authentication mechanism.

Linux's Pluggable Authentication Modules (PAM) provide an abstraction layer for the process of authentication. By using PAM (with the pam_ldap module), a Linux server can be configured to use LDAP as an authentication mechanism; the companion Name Service Switch module, nss_ldap, lets the same server resolve user and group accounts from the directory. This combined with Samba acting as a Primary Domain Controller means that a Linux server can provide single sign-on services in a heterogeneous network.

Integrating an LDAP directory into your enterprise needn't be too difficult. Many products, both open source and commercial, are already LDAP-enabled, and there are many software development libraries available to help you write custom software that uses LDAP.

The OpenLDAP server

An enterprise directory server must be fast, robust, secure, scalable, and cost-effective. OpenLDAP is an open source directory server that meets these requirements. It includes a standalone LDAP directory server plus a replication server. The server supports LDAP over both IPv4 and IPv6 as well as the Simple Authentication and Security Layer (SASL). The server provides a fully featured access control facility, allowing you to control access to the information in the directory based on LDAP authorization information, address, domain name, and other criteria.

OpenLDAP offers a choice of database back ends, and the server can be configured to serve multiple databases at the same time. This means that a single OpenLDAP server can respond to requests for many logically different portions of the directory tree, using the same or different database back ends.

Installing the OpenLDAP server isn't too difficult. Debian users can get the software using apt-get. Fedora Core, Red Hat, CentOS, and SUSE all provide OpenLDAP RPMs.

Once you've installed the OpenLDAP server there are some simple steps to getting your first results from it. First, read the slapd.conf file (/etc/openldap/slapd.conf on Red Hat-derived systems and SUSE, /etc/ldap/slapd.conf on Debian) and check, and change as needed, the following directives:

suffix "dc=MY-DOMAIN,dc=COM"
rootdn "cn=YOUR NAME,dc=MY-DOMAIN,dc=COM"
rootpw secret

You need to replace MY-DOMAIN and COM with the appropriate domain components of your domain name. For example, for hungrypenguin.net, I would use:

suffix "dc=hungrypenguin,dc=net"
rootdn "cn=Gary Sims,dc=hungrypenguin,dc=net"

Change the rootpw value as well. Rather than leaving the root password in cleartext in a file that every administrator can read, run slappasswd, which prompts for a password and prints a salted hash (by default in {SSHA} form), and paste that hash in as the rootpw value; slapd accepts either form.
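The following Python is an added example, not code from the article or from OpenLDAP, that reproduces the {SSHA} scheme slappasswd writes so you can see what a hashed rootpw line contains and check a candidate password against it. The format, base64(sha1(password + salt) + salt) behind a "{SSHA}" prefix, is the documented one; the 4-byte salt size is an assumption of mine, and the verifier takes the salt length from the stored value, so hashes with other salt sizes check correctly too.

```python
"""Produce and check {SSHA} password hashes of the kind slappasswd writes,
so that rootpw (and later userPassword) need not hold a cleartext password.
Added example; not OpenLDAP's code. The 4-byte salt size is an assumption."""
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return the {SSHA} form of password, salted with `salt` (random if omitted)."""
    if salt is None:
        salt = os.urandom(4)  # assumption: 4-byte salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """True if password matches the stored {SSHA} value. Cleartext and
    malformed values never match, so a leftover 'rootpw secret' fails here."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, as a password check should use
    return hmac.compare_digest(candidate, digest)


def rootpw_directive(password: str) -> str:
    """The slapd.conf line to use instead of 'rootpw <cleartext>'."""
    return "rootpw " + ssha_hash(password)


if __name__ == "__main__":
    print(rootpw_directive("secret"))
```

Paste the printed line into slapd.conf in place of "rootpw secret"; ldapadd and ldapsearch keep working unchanged because the client still sends the password and slapd does the hashing and comparison.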

Next you need to create some entries in the directory. The simplest way to do this is using an LDAP Data Interchange Format (LDIF) file. Create a file called example.ldif with content like the following:

dn: dc=hungrypenguin,dc=net
objectclass: dcObject
objectclass: organization
o: The Hungry Penguin
dc: hungrypenguin

dn: cn=Gary Sims,dc=hungrypenguin,dc=net
objectclass: person
cn: Gary Sims
sn: Sims

This will create an organization called "The Hungry Penguin" with a person in it called "Gary Sims." Notice the hierarchical nature of the directory -- Gary Sims is below Hungry Penguin. Order matters: ldapadd processes the file from top to bottom, and an entry can only be added once its parent exists, so the organization entry must come before the person.
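To make the distinguished-name structure and the LDIF format concrete, here is an added example (mine, not code from the article or from OpenLDAP) that parses a small LDIF file and checks, before anything is sent to the server, that each entry's parent is either earlier in the file or already in the directory, which is what ldapadd requires. The sample LDIF is constructed for this example: it holds the two entries above plus a third entry under an "ou=People" that is never created, and it exercises LDIF folded lines and base64 values as well as RFC 4514 escaped commas in DNs.

```python
"""Parse LDIF and check that every entry's parent exists before it is added,
the order ldapadd needs. Added example, not part of the article or OpenLDAP.
Handles folded lines (leading space), '#' comments, '::' base64 values and
backslash-escaped commas in DNs. The sample data is constructed."""
import base64
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the article's two entries plus one with a missing parent.
SAMPLE_LDIF = """\
dn: dc=hungrypenguin,dc=net
objectclass: dcObject
objectclass: organization
o: The Hungry Penguin
dc: hungrypenguin

# a person directly under the organization; the description is folded
dn: cn=Gary Sims,dc=hungrypenguin,dc=net
objectclass: person
cn: Gary Sims
sn: Sims
description: Writes about Linux and
  open source

# this entry's parent, ou=People, is never created; base64 value for 'Site admin'
dn: cn=Wile E. Coyote,ou=People,dc=hungrypenguin,dc=net
objectclass: person
cn: Wile E. Coyote
sn: Coyote
description:: U2l0ZSBhZG1pbg==
"""

Entry = Tuple[str, Dict[str, List[str]]]


def unfold(text: str) -> List[str]:
    """Join continuation lines (one leading space is removed) and drop comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Return (dn, {attribute: [values]}) for each blank-line-separated entry."""
    entries: List[Entry] = []
    dn, attrs = None, {}  # type: ignore[var-annotated]
    for line in unfold(text) + [""]:  # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'name:: base64' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()  # attribute names are case-insensitive
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def split_rdns(dn: str) -> List[str]:
    """Split a DN at commas that are not escaped; normalise each RDN to
    'type=value' in lower case (cn, o, ou and dc all match case-insensitively)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escape pairs such as '\,' intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        t, _, v = rdn.strip().partition("=")
        out.append(t.strip().lower() + "=" + v.strip().lower())
    return out


def normalise_dn(dn: str) -> str:
    return ",".join(split_rdns(dn))


def parent_dn(dn: str) -> str:
    """The DN with its leftmost (leaf) RDN removed."""
    return ",".join(split_rdns(dn)[1:])


def check_add_order(entries: List[Entry], suffix: str,
                    existing: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (dn, problem) for entries whose parent is neither earlier in the
    file nor in `existing`; slapd rejects those with 'No such object'.
    The suffix entry is the top of the database, so it needs no parent."""
    known = {normalise_dn(d) for d in existing}
    top = normalise_dn(suffix)
    problems = []
    for dn, _ in entries:
        n = normalise_dn(dn)
        if n != top and parent_dn(dn) not in known:
            problems.append((dn, "parent " + parent_dn(dn) + " is not in the directory"))
        known.add(n)
    return problems


if __name__ == "__main__":
    for dn, why in check_add_order(parse_ldif(SAMPLE_LDIF), "dc=hungrypenguin,dc=net"):
        print("would fail:", dn, "-", why)
```

Run it and the third entry is reported before any ldapadd is attempted; add an "ou=People" entry ahead of it in the file, or pass the DNs already in the directory as `existing`, and the report is empty.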

Once you've created the LDIF file, you can use it to add entries to the directory using the ldapadd tool. Here is the example for The Hungry Penguin organization; you will need to put in your own values.

ldapadd -x -D "cn=Gary Sims,dc=hungrypenguin,dc=net" -W -f example.ldif

In this command, -x tells the tool to use simple authentication when connecting to the directory (instead of SASL). A simple bind sends the password to the server in cleartext, so on anything other than a local test server connect over TLS first (an ldaps:// URL, or -Z to request StartTLS). -D specifies which distinguished name to use to connect to the directory. This needs to be the same as the one you specified for the rootdn in slapd.conf. If you get it wrong, then authenticating with the LDAP server will fail. -W tells the ldapadd tool to prompt for the password. Finally, -f tells the tool to use the file example.ldif as the input.

The last step is to check your entries, this time using the ldapsearch tool:

ldapsearch -x -b dc=hungrypenguin,dc=net

As before you need to replace "dc=hungrypenguin" with your organization and "dc=net" with the appropriate domain components of your domain name. You should see your organization and the person in it returned in the results.

This, of course, is just the beginning. There are more details on deploying your LDAP server in the OpenLDAP documentation. There are also papers, presentations, and conference materials on the openldap.org website. O'Reilly also publishes a book called "LDAP System Administration" which includes sections on OpenLDAP.

Using Linux and the OpenLDAP server to deploy a directory in your enterprise can yield many benefits by bringing together disparate collections of data and turning them into a single, integrated information store.
