In this OpenLDAP Tutorial, we’ll look at the LDAP protocol, as well as how it is used to centralize user accounts on a network.
What is LDAP?
LDAP, short for Lightweight Directory Access Protocol, is one of the most popular protocols in the field of directory information services. It provides a central location to store information about users and computers on your network. Using LDAP, users can find each other’s phone numbers and email addresses, and can even log into services using their assigned LDAP credentials.
What is OpenLDAP?
OpenLDAP is an open source LDAP provider for Unix-like operating systems.
This provides numerous benefits to a system administrator. Centralized user credentials vastly simplify the process of adding new users into a network by reducing the duplication of efforts. It also improves overall security; disabling a user’s account in LDAP prevents them from logging into any services.
OpenVPN is an example of a program which allows integration with LDAP. Once in place, users can use their assigned credentials to sign on to your network. Once connected, they can use those same credentials to access other integrated systems such as SnipeIT.
How Does LDAP Differ From Microsoft Active Directory?
Anyone with a background administering Windows domains has almost certainly worked with Active Directory. It manages much of the same functionality as OpenLDAP, plus much more.
The reason for this is simple. Active Directory is an LDAP server. It also includes large swaths of other functionality such as Kerberos authentication support.
However, in keeping with traditional Unix philosophy, OpenLDAP is only an LDAP server. Users can include add-ons like Kerberos via krb5.
How do LDAP and Kerberos Differ?
As I’ll discuss later in this tutorial, LDAP allows users to use the same account with multiple different systems. You may have seen another protocol, Kerberos, mentioned along with LDAP. But why is there a whole second protocol for authentication when LDAP can already do it?
The big difference is in how the two protocols operate. LDAP only centralizes information for the accounts themselves. This means that every program has the same set of credentials assigned to it. Kerberos, however, is a single sign-on solution. It centralizes the actual act of logging in. While LDAP requires you to manually enter your credentials into each individual service, Kerberos only makes you enter them once. It then passes an authentication token to the services, automatically logging you in to each.
How to Install OpenLDAP
Installing the Packages
All of the computers on your network are part of a domain. One of the key features of this setup is the ability to refer to systems by their hostnames, rather than their IP addresses. Therefore, the first step in this process is to decide on the name for the overall domain. This name is part of the search path for the OUs and users.
Each domain has one or more organizational units. Organizational units work similarly to folders. They store all the objects which are part of your directory. These objects are things like users, computers, security groups or distribution lists. Each of these serves a different role.
Going back to our corporate analogy, organizational units are useful for separating out the users and computers of different departments. For example, let’s say you have a sales department. You’re going to create an organizational unit called “sales”. Within this organizational unit you will then create the different user accounts. Your employee, John Smith, will have an account in the system with a given username and password.
After this, the system will authenticate against OpenLDAP. Linux traditionally uses Pluggable Authentication Modules, or PAM, for authentication. By default, it uses the /etc/shadow file. This is Linux’s built-in database containing the hash of each password used on the system.
LDAP centralizes this database. It takes the place of /etc/shadow and returns the results itself when a user logs in. This is useful: if an employee leaves your organization, an administrator only needs to disable their account to lock them out of every system integrated with LDAP.
Creating the Root DN
The overall admin of the directory is the first thing we need to create. Users within the root DN have full permissions over the entire system. As a result, it’s important to keep them secure. This is the location where our main administrator user will reside.
Binding to an Account
There are two types of authentication which can be used when connecting to an LDAP server. The first is anonymous authentication, in which no credentials are required. The second requires the use of a bind DN. This is the distinguished name of an object contained within the LDAP database.
As an example, let’s attempt to run an anonymous query on our OpenLDAP server:
ldapsearch -x -b "dc=mydomain,dc=local"
Now, let’s try again, this time authenticating against our admin user:
ldapsearch -x -D "cn=admin,dc=mydomain,dc=local" -b "dc=mydomain,dc=local" -W
Working With OpenLDAP
What is An LDIF File (LDAP Interchange Format)?
LDAP stores all of its data in a binary file format. To simplify the process of modifying entries in the directory, the LDIF file format was developed. LDIF files contain information regarding operations to be performed on the directory. For example, here is an LDIF file that creates an organizational unit called “members” for the domain “mydomain.local”:
dn: ou=members,dc=mydomain,dc=local
changetype: add
objectClass: organizationalUnit
Each line in this file represents a part of the object to be created. The dn line specifies the object’s complete path. Note how it starts from the lowest level and works its way up. The organizational unit is nested under the domain. The domain components start from the farthest left entry and work back to the top level domain.
Next, the changetype line specifies what kind of change this is; this can be either add, delete, or modify. Adds can only run once. The server actively refuses any attempts to run them again. Likewise, deletes can also only run a single time. Obviously, an object cannot be deleted once it has already been erased.
This leads us to the modify changetype. Of the three, this one requires the most information. In addition to specifying the fields to modify and their new values, it is also necessary to explicitly flag them for modification with an add, replace, or delete line naming the attribute. For example,
dn: uid=tuser,ou=members,dc=mydomain,dc=local
changetype: modify
replace: telephoneNumber
telephoneNumber: 123-555-9876
Running this file against the directory will change the test user’s listed phone number.
Returning to the first example, the objectClass line defines what kind of object is to be created. In this case, the new object is an organizational unit. There are many different types of object; each has unique properties and serves a different role.
As a result of this file, an organizational unit called “members” will be created in the mydomain.local domain. Later on, this OU will store user objects.
It is important to note that processing this LDIF file against the directory multiple times will not duplicate the organizational unit. OpenLDAP will see that the entry already exists and will refuse to create a new one.
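To make the add, delete and modify semantics above concrete, here is a small LDIF change-record parser with an in-memory directory behind it. This is an added example, not OpenLDAP's code: the sample LDIF and the DNs in it are constructed for the demonstration, and the in-memory "directory" is a plain dictionary keyed by normalised DN. An add of a DN that already exists is refused, a delete of a DN that is gone is refused, and a modify record must flag every attribute with an add, replace or delete line.

```python
"""Added example (not OpenLDAP code): parse LDIF change records and apply
them to an in-memory directory with the add/delete/modify rules described
in the tutorial."""
from collections import defaultdict

# Constructed sample: the members OU, the test user, then a modify with two
# operations separated by '-' lines.
SAMPLE_LDIF = """\
# the members organizational unit
dn: ou=members,dc=mydomain,dc=local
changetype: add
objectClass: organizationalUnit

dn: uid=tuser,ou=members,dc=mydomain,dc=local
changetype: add
objectClass: inetOrgPerson
cn: Test User
sn: User
givenName: Test
telephoneNumber: 123-456-7890

dn: uid=tuser,ou=members,dc=mydomain,dc=local
changetype: modify
replace: telephoneNumber
telephoneNumber: 123-555-9876
-
add: mail
mail: tuser@mydomain.local
-
"""


def parse_ldif(text):
    """Return [(dn, changetype, body)]; body is a list of (attr, value) pairs
    with modify separators kept as ('-', None). Missing changetype means add."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):                      # comment line
            continue
        if raw.startswith(" ") and current:          # folded continuation line
            attr, val = current[-1]
            current[-1] = (attr, (val or "") + raw[1:])
            continue
        if raw == "":                                # blank line ends a record
            if current:
                records.append(current)
                current = []
            continue
        if raw == "-":
            current.append(("-", None))
            continue
        attr, _, val = raw.partition(":")
        current.append((attr.strip(), val.strip()))
    parsed = []
    for rec in records:
        if rec[0][0].lower() != "dn":
            raise ValueError("each LDIF record must begin with a dn: line")
        dn, body, changetype = rec[0][1], rec[1:], "add"
        if body and body[0][0].lower() == "changetype":
            changetype, body = body[0][1].lower(), body[1:]
        parsed.append((dn, changetype, body))
    return parsed


def split_mod_ops(body):
    """Group a modify body into (op, attr, values); op must be add/replace/delete."""
    ops, i = [], 0
    while i < len(body):
        op, attr = body[i]
        if op.lower() not in ("add", "replace", "delete"):
            raise ValueError(f"modify needs add:/replace:/delete:, got {op!r}")
        vals, i = [], i + 1
        while i < len(body) and body[i][0] != "-":
            if body[i][0].lower() != attr.lower():
                raise ValueError(f"value line {body[i][0]!r} does not match {attr!r}")
            vals.append(body[i][1])
            i += 1
        ops.append((op.lower(), attr.lower(), vals))
        i += 1                                       # skip the '-' separator
    return ops


def norm_dn(dn):
    """DNs compare case-insensitively; strip spaces around the RDN components."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class Directory:
    def __init__(self):
        self.entries = {}                            # normalised dn -> {attr: [values]}

    def apply(self, dn, changetype, body):
        key = norm_dn(dn)
        if changetype == "add":
            if key in self.entries:
                raise ValueError(f"add refused: {dn} already exists")
            entry = defaultdict(list)
            for attr, val in body:
                entry[attr.lower()].append(val)
            self.entries[key] = entry
        elif changetype == "delete":
            if key not in self.entries:
                raise ValueError(f"delete refused: {dn} does not exist")
            del self.entries[key]
        elif changetype == "modify":
            if key not in self.entries:
                raise ValueError(f"modify refused: {dn} does not exist")
            entry = self.entries[key]
            for op, attr, vals in split_mod_ops(body):
                if op == "add":
                    entry[attr].extend(vals)
                elif op == "replace":
                    entry[attr] = vals if vals else entry.pop(attr, [])
                else:                                # delete listed values, or all
                    entry[attr] = [v for v in entry[attr] if v not in vals] if vals else []
                if not entry[attr]:
                    entry.pop(attr, None)
        else:
            raise ValueError(f"unknown changetype {changetype!r}")


def load(text, directory=None):
    """Apply every record in text to directory (a fresh one if None)."""
    if directory is None:
        directory = Directory()
    for dn, changetype, body in parse_ldif(text):
        directory.apply(dn, changetype, body)
    return directory


if __name__ == "__main__":
    d = load(SAMPLE_LDIF)
    for dn, entry in d.entries.items():
        print(dn, dict(entry))
```

Running the sample twice against the same Directory raises on the first add, which is the behaviour the tutorial describes for OpenLDAP; a modify record whose operation line is anything other than add, replace or delete is rejected by split_mod_ops before any attribute is touched.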
Creating a User in OpenLDAP
With the members organizational unit now in place, it is time to create a test user. Users in LDAP require more information than organizational units do. First, create testuser.ldif and insert the following:
dn: uid=tuser,ou=members,dc=mydomain,dc=local
changetype: add
objectClass: inetOrgPerson
displayName: Test User
cn: Test User
sn: User
givenName: Test
telephoneNumber: 123-456-7890
Basic LDAP Queries
LDAP provides the ability to query for specific data from the directory. For example, rather than retrieving every property assigned to an object, it is possible to narrow the number of attributes returned by the search.
ldapsearch -x -b "dc=mydomain,dc=local" -D "cn=admin,dc=mydomain,dc=local" -W "(objectClass=inetOrgPerson)" uid telephoneNumber
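A search request carries exactly the three things the command above supplies: a base DN, a filter, and an optional list of attributes to return. The following added example (not OpenLDAP code, and not the page's own) models what the server does with them over a constructed in-memory directory: it restricts results to the base DN's subtree, evaluates an RFC 4515-style filter (equality, presence, and the &, | and ! operators), and projects only the requested attributes. Attribute names and the sample values are compared case-insensitively, as the common LDAP matching rules do; the DNs and entries are constructed for the demonstration.

```python
"""Added example (not OpenLDAP code): a model of an LDAP search with base DN
scoping, a filter evaluator and attribute projection."""

# Constructed directory: normalised DN -> {attribute: [values]}.
DIRECTORY = {
    "dc=mydomain,dc=local": {"objectclass": ["dcObject", "organization"], "o": ["mydomain"]},
    "cn=admin,dc=mydomain,dc=local": {"objectclass": ["organizationalRole"], "cn": ["admin"]},
    "ou=members,dc=mydomain,dc=local": {"objectclass": ["organizationalUnit"], "ou": ["members"]},
    "ou=sales,dc=mydomain,dc=local": {"objectclass": ["organizationalUnit"], "ou": ["sales"]},
    "uid=tuser,ou=members,dc=mydomain,dc=local": {
        "objectclass": ["inetOrgPerson"], "uid": ["tuser"], "cn": ["Test User"],
        "sn": ["User"], "telephonenumber": ["123-456-7890"]},
    "uid=jsmith,ou=sales,dc=mydomain,dc=local": {
        "objectclass": ["inetOrgPerson"], "uid": ["jsmith"], "cn": ["John Smith"],
        "sn": ["Smith"], "telephonenumber": ["123-555-0100"]},
}


def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def _parse(s, i):
    """Recursive-descent filter parser starting at s[i] == '('.
    Returns (node, index just past the matching ')')."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                                 # (&(...)(...)) / (|(...)(...))
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == "!":                                  # (!(...))
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated '!' filter")
        return ("!", node), i + 1
    end = s.index(")", i)                            # (attr=value) or (attr=*)
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.strip().lower(), val.strip()), end + 1


def parse_filter(text):
    """ldapsearch accepts a bare 'attr=value'; wrap it in parens like the tool does."""
    text = text.strip()
    if not text.startswith("("):
        text = f"({text})"
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(entry, node):
    kind = node[0]
    if kind == "&":
        return all(matches(entry, k) for k in node[1])
    if kind == "|":
        return any(matches(entry, k) for k in node[1])
    if kind == "!":
        return not matches(entry, node[1])
    _, attr, val = node
    values = entry.get(attr, [])
    if val == "*":                                   # presence filter
        return bool(values)
    return any(v.lower() == val.lower() for v in values)


def search(base, filter_text, attrs=(), directory=DIRECTORY):
    """Return {dn: {attr: [values]}} for entries under base that match the filter,
    keeping only the requested attributes (all attributes when attrs is empty)."""
    base, node = norm_dn(base), parse_filter(filter_text)
    wanted = [a.lower() for a in attrs]
    results = {}
    for dn, entry in directory.items():
        if dn != base and not dn.endswith("," + base):
            continue                                 # outside the search base
        if not matches(entry, node):
            continue
        results[dn] = {a: entry[a] for a in (wanted or list(entry)) if a in entry}
    return results


def to_ldif(results):
    """Render results the way ldapsearch prints them: one LDIF record per entry."""
    lines = []
    for dn, entry in results.items():
        lines.append(f"dn: {dn}")
        lines.extend(f"{attr}: {v}" for attr, vals in entry.items() for v in vals)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ldif(search("dc=mydomain,dc=local", "objectClass=inetOrgPerson",
                         ["uid", "telephoneNumber"])))
```

Narrowing the base DN to ou=sales,dc=mydomain,dc=local returns only that subtree, and combining filters with & and ! narrows further without fetching extra attributes, which is what the attribute list at the end of the ldapsearch command controls.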
Making Use of OpenLDAP
There are many different services that you can tie into LDAP. In the future, we will discuss connecting many of these services to our newly created server. Everything from Linux user logins to web-based software can be joined to the database, allowing easy administration of permissions.