LDAP Directory Services: Fundamentals and Implementation
LDAP Directory Services: Fundamentals and Implementation
Understanding LDAP
LDAP (Lightweight Directory Access Protocol) is a standardized protocol for accessing and maintaining directory services. Based on the X.500 standard but significantly simplified, LDAP operates over TCP/IP networks, making it suitable for internet applications. The core LDAP specifications are defined in RFC documents, all accessible through the LDAPman RFC repository.
LDAP provides a centralized approach to accessing static information about people or resources. While commonly used as a centralized address book, its functionality extends to more complex organizational needs. Major software vendors like Microsoft, Lotus, and IBM have integrated LDAP services into their products, with OpenLDAP being the most prominent open-source implementation.
OpenLDAP Implementation
OpenLDAP stands as one of the most widely deployed directory services, developed and maintained by an open-source community. It provides comprehensive directory functionality including search operations, authentication, secure channels, and filtering capabilities. Most Linux distributions include OpenLDAP packages in their repositories.
By default, OpenLDAP operates over unencrypted TCP/IP, but it supports SSL/TLS encryption through OpenSSL to ensure data confidentiality and integrity—critical for security-sensitive applications like user authentication.
LDAP Information Model
LDAP's information model is built on "entries," which are collections of attributes with globally unique "Distinguished Names" (DNs). Each entry's attribute consists of a type and one or more values. Attribute types use memorable names like "cn" (common name) or "mail" (email address). Attribute values follow syntax rules specific to their type—a "cn" might contain "John Doe," while a "jpegPhoto" would store binary image data.
Key LDAP Components
| Component | Full Name | Description |
|---|---|---|
| dc | Domain Component | Parts of a domain name, splitting the full domain into segments (e.g., example.com becomes dc=example,dc=com) |
| uid | User Identifier | User identification string (e.g., "jdoe") |
| ou | Organizational Unit | Container object similar to subdirectories in file systems, can contain other objects |
| cn | Common Name | Common name identifier (e.g., "John Smith") |
| sn | Surname | Family name (e.g., "Smith") |
| dn | Distinguished Name | Unique identifier in the directory tree, similar to an absolute path |
| rdn | Relative Distinguished Name | Part of the DN relative to its position in the tree, like a relative file path |
| c | Country | Two-letter country code (e.g., "US" or "CA") |
| o | Organization | Organization name (e.g., "Example Corporation") |
LDAP Operations
LDAP supports several core operations:
- Querying directories for information
- Updating existing entries
- Adding new entries
- Deleting entries
- Renaming entries
- Searching with filters
The most frequently used LDAP operation is searching, which allows filtering directory contents based on specific criteria. For example, searching within dc=example,dc=com for all entries matching the filter "(cn=John*)" and retrieving their email addresses.
LDAP Protocol Versions
Current LDAP implementations primarily use Version 2 (1995) and Version 3 (1997), with Version 3 offering enhanced features including:
- Authentication methods
- Security features
- Schema support
- Internationalization capabilities
LDAP Basic Model
LDAP's fundamental model is based on "entries." Each entry is a collection of attributes with a globally unique Distinguished Name (DN). Analogous to relational databases, an entry resembles a record, while DN functions like a primary key and attributes correspond to fields.
LDAP organizes data in a tree structure, naturally representing hierarchical relationships. For instance, a directory tree might have a root node representing an organization (example.com), with branches for departments like IT, HR, and Finance. Each node becomes an entry in the directory, with different entry types defined by objectClass.
LDAP Functional Model
LDAP's functional model defines several operation categories:
- Query Operations: Optimized for fast data retrieval, often outperforming relational databases for read-heavy workloads
- Update Operations: Less efficient than relational databases for modifications but support add, delete, and modify operations
- Replication Operations: Enable distributed architectures by propagating changes from master to slave servers
- Authentication and Management Operations: Support client identification and session control
Advanced LDAP Capabilities
LDAP implementations support numerous advanced features:
- Centralized account management
- Permission control policies
- Password management strategies
- Password auditing
- Host control management
- Synchronization mechanisms
- Encrypted transmission via TLS/SASL
- High-availability load-balanced architectures
- Custom schema definitions
- Integration with centralized identity platforms
LDAP Characteristics
LDAP offers several distinctive characteristics:
- Optimized for read operations with superior performance over writes
- Query-optimized architecture outperforming standard relational databases for read operations
- Limited transaction support without rollback capabilities
- Client/server architecture supporting distributed deployments
- Tree-structured data organization
- Internet protocol compatibility running over TCP/IP
- Simple protocol design using lookup operations for list and read functions
- Distributed access through reference mechanisms
- Low cost, easy configuration, and management
Directory Services Overview
A directory service is a specialized distributed database optimized for querying, browsing, and searching, organized in a tree structure similar to Unix/Linux file systems. Unlike relational databases, directory services excel at read operations but have limited write capabilities and lack complex features like transactions or rollback, making them unsuitable for frequently updated data.
Directory services consist of a directory database and access protocols. Information suitable for directory storage includes:
- Employee contact information
- Physical asset details (servers, IP addresses, locations)
- Customer contact data
- Software package configurations
- Certificates and security keys
Alternative directory service implementations include ApacheDS, Active Directory, and Red Hat Directory Service.
LDAP Data Organization
LDAP directories follow a hierarchical structure known as the Directory Information Tree (DIT). The DIT primarily serves as a read-optimized database composed of entries—equivalent to database records—each with a unique Distinguished Name (DN) and consisting of attribute-value pairs.
In a typical LDAP directory tree:
- The top level is the root directory (BaseDN)
- Organization Units (OUs) logically partition data
- OUs act as container entries that can hold other objects
- Leaf entries contain actual user or resource data
LDAP Authentication Mechanisms
LDAP supports three primary authentication methods:
- Anonymous Authentication: No credentials required, suitable for public information
- Simple Authentication: Username and password verification, supporting both plain text and MD5 hashed passwords
- SASL Authentication: Secure authentication over SSL/TLS channels, including certificate-based authentication
LDAP Security Considerations
Standard LDAP transmits data in clear text, including authentication credentials. TLS (the successor to SSL) implemented via OpenSSL provides encryption to protect data confidentiality and integrity during transmission.
LDAP Entry Structure
LDAP entries are the fundamental units in directory services, similar to dictionary entries or database records. LDAP operations (add, delete, modify, retrieve) work with entries as basic objects:
- DN (Distinguished Name): Unique identifier for an entry in the directory tree
- RDN (Relative Distinguished Name): The leftmost component of a DN
- Base DN: The root of the LDAP directory tree
LDAP Schema
LDAP schemas define the structure of directory data through object classes, attribute types, and syntax rules. These components work together to ensure consistent data structure across entries. Schema files (typically in /etc/ldap/schema/) must be loaded in specific order.
Schema files define the objects contained in a directory, their required attributes, and optional attributes. Think of schemas as classes in object-oriented programming, with entries as instances of those classes. The schema determines data storage organization and relationships between entries.
Default schema files in OpenLDAP include:
- core.schema
- cosine.schema
- inetorgperson.schema
- nis.schema
Administrators can also create custom schemas including attribute definitions, class definitions, and syntax definitions.
LDIF Format
LDIF (LDAP Data Interchange Format) is a text-based standard for representing LDAP directory data, facilitating import/export operations. Each line follows an "attribute: value" format:
# Comment dn: entry_name attribute: value attribute: value attribute: value
An LDIF file can contain multiple entries separated by blank lines. The dn line functions like a primary key in relational databases and must be unique. Object classes determine required and optional attributes for each entry.
Object Classes
Every LDAP entry must include an objectClass attribute specifying at least one object class. Object classes serve as templates defining required and optional attributes for entries. Object classes have a hierarchical structure with "top" and "alias" at the top level.
Object classes fall into three categories:
- Structural: Basic entry types (e.g., person, organizationalUnit)
- Auxiliary: Extended attributes (e.g., extensibeObject)
- Abstract: Template classes not directly instantiable (e.g., top)
Common object classes include:
- account
- alias
- dcobject
- ipHost
- organization
- organizationalRole
- organizationalUnit
- person
- organizationalPerson
- inetOrgPerson
- posixAccount
- posixGroup
Attributes
Attributes represent data properties in LDAP entries, similar to variables in programming. OpenLDAP defines numerous standard attributes, and users can create custom attributes following schema rules.
Common attributes include:
- c: Country code
- cn: Common name
- dc: Domain component
- givenName: Person's first name
- l: Locality (city or region)
- mail: Email address
- o: Organization name
- ou: Organizational unit name
- sn: Surname (family name)
- telephoneNumber: Phone number with country code
- uid: User ID (login name)
Creating LDIF Files
When creating LDIF files, ensure proper formatting with a space after each colon and no trailing spaces at line endings. Each entry must have a unique dn, and entries should be separated by blank lines.
LDAP Command-Line Tools
OpenLDAP provides several command-line tools for directory operations:
Adding Entries: ldapadd
ldapadd -x -D "admin_dn" -w password -f ldif_file
Deleting Entries: ldapdelete
ldapdelete -x -D "admin_dn" -w password "entry_dn"
Modifying Entries: ldapmodify
ldapmodify -x -D "admin_dn" -w password -f modification_file
Searching: ldapsearch
ldapsearch -x -D "admin_dn" -w password -b "base_dn" [filter] [attributes]
Setting Passwords: ldappasswd
ldappasswd -x -D "admin_dn" -w password -s new_password "user_dn"
Working with LDAP Data
Adding Data from LDIF
To add data from an LDIF file to the directory:
ldapadd -x -D "cn=admin,dc=example,dc=com" -w secret -f data.ldif
Querying Directory Data
To search all entries under a base DN:
ldapsearch -x -b "dc=example,dc=com"
To search with a filter:
ldapsearch -x -b "dc=example,dc=com" "(sn=smith*)"
Modifying Entries
Interactive modification:
ldapmodify -x -D "cn=admin,dc=example,dc=com" -w secret dn: cn=john,ou=users,dc=example,dc=com changetype: modify replace: sn sn: Smith
File-based modification:
Create a modification file:
dn: cn=john,ou=users,dc=example,dc=com changetype: modify add: mail mail: john@example.com
Apply the modification:
ldapmodify -x -D "cn=admin,dc=example,dc=com" -w secret -f modify.ldif
Deleting Entries
To delete a leaf entry:
ldapdelete -x -D "cn=admin,dc=example,dc=com" -w secret "cn=john,ou=users,dc=example,dc=com"
Note: Non-leaf entries cannot be directly deleted; their contents must be removed first.
Exporting Data
To export directory data to an LDIF file:
slapcat -l export.ldif
LDAP Replication
For high availability and load balancing, LDAP supports replication between master and slave servers using the slurpd process:
- Client submits modification request to slave server
- Slave returns reference to master server
- Client submits request to master server
- Master updates database and logs changes
- slurpd propagates changes to slave servers
- Slaves apply changes locally
Common LDAP Object Attributes
LDAP defines numerous attributes for common objects:
- cn: Common name
- sn: Surname
- givenName: First name
- mail: Email address
- telephoneNumber: Phone number
- title: Job title
- uid: User identifier
- userPassword: Password hash
- description: Description text
LDIF Examples
Adding an Organization Unit and User
dn: ou=IT,dc=example,dc=com changetype: add objectclass: top objectclass: organizationalUnit ou: IT dn: cn=john.doe,ou=IT,dc=example,dc=com changetype: add objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: John Doe sn: Doe givenName: John mail: john.doe@example.com uid: jdoe telephoneNumber: +1-555-123-4567
Modifying an Entry
dn: cn=john.doe,ou=IT,dc=example,dc=com changetype: modify add: mail mail: john.doe@work.example.com - replace: telephoneNumber telephoneNumber: +1-555-987-6543 - delete: description
Renaming an Entry
dn: cn=john.doe,ou=IT,dc=example,dc=com changetype: modrdn newrdn: cn=john.smith deleteoldrdn: 1
Deleting an Entry
dn: cn=john.smith,ou=IT,dc=example,dc=com changetype: delete
OpenLDAP Configuration
The main OpenLDAP configuration file (slapd.conf) typically includes:
- Schema file inclusions
- Global access control policies
- Database definitions
- Index configurations
Key configuration elements include:
- Schema definitions (specifying object classes and attributes)
- Directory suffix (the base DN)
- Administrator DN and password
- Database backend and storage location
- Access control lists
Data Import Methods
LDAP data can be imported through several methods:
- Manual entry using command-line tools
- Batch import from LDIF files
- Automated scripts
- GUI-based client tools
Schema Configuration
To properly configure OpenLDAP:
- Edit slapd.conf to include required schema files
- Set appropriate directory suffix
- Configure administrator DN and password
- Define database storage location
- Set up appropriate indexes
- Configure access controls
Example schema configuration:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}hashed_password
directory /var/lib/ldap
index objectClass eq
