Elvir Kuric,272506@fi.muni.cz



How LDAP works ?

The above list represent how clinet connect to server and how server accept connection and send requested data to the client.

The LDAP models

The LDAP protocol can be presented as an implementation of four models which can be presented as follows

The information model describes basic units that LDAP uses to store information. At beggining we mentioned "entries" which map real word objects to data structures in directory. Information model defines how "entries" look like. Futher every entry is consisted of entities called atributes and every atribute is build by two pieces of information: atribute nama and one or more atribute values as it is showed on picture below


 |                      |
 |    |atribute 1 |     |
 |    |atribute 2 |     |
 |    |atribute 3 |     |
 |                      |
 |        ENTRY         |

     |    |type|    |
     |    |type|    |
     |              |   
     |   atribute   |
        Picture 2.

The naming model describes the structure of directory. The entries in directory are accessed by unique parameter called "distinguish name, DN ". The distiguesh name consists of the name that unique identifies the entry at that hierarhical level. The most important part of this model is " directory information tree, DIT " which help us to organize data into model that can be leter easier search. The following picture represent an example of directory information tree.

			         |   |   |
                                 /   |   \
		                /    |    \
			       /     |     \
			      /      |      \ 
		             /       |       \
		            /        |        \
	            |ou=lectures| |ou=labs|  |ou=timetable| 
		       /             |                \
		      /              |                 \
		|uid=PV090|      |uid=B102|          |uid=10:00|

LDAP provide great possibilities in tree design but that does not mean we can do everything. The directory has to be treelike strucure and we cannot insert an entry that has not parent entry, and it is not possible to construct an entry that has two ancestors.

The information model describes the elements of directory, and the naming model describes the structure of directory. The functional model describes the operations that we can perform on directory using LDAP protocol. The LDAP functional model consists of a set of operations divided into three groups. The interrogation operations allow us to search the directory and retrieve directory data. The update operations allow you to add, delete, rename, and change directory entries. The authentication and control operations allow clients to identify themselves to the directory and control certain aspects of a session

The security model is very important because the LDAP is connection oriented protocol and in typical enviroment the client opens connection to server and server performs action after receiving request for opening connection. After that the clinet must provide user credentials. If everything is all right, the server accept credentials and this associate some rights to user which provide those credentelas. Before the client can access to server to acction must be performed authenticaion and authorization.Authentication takes place when the client identifies itself for the server as it tries to connect. The process depends very much on the authentication mechanism used. The easiest way is to connect to the server without the need to provide an identity. To such an anonymous connection, if allowed at all, the server grants the lowest access rights. There are authentication schemes ranging from simple authentication with user and password to authentication using certificates. These certificates give the assurance to the server that the client really is who it says it is. The authorization is process by which the server grants the correct access rights to previous authenticaion server. This points out very important feature of directories characterised by access rights and using this it is possible to fine granulated access to directorise on LDAP server. For this purpose the server must maintain the access control information (ACI) data which are held ACL ( access controlo file )file. The process of authenticaion is very extensively described in rfc 2829. The most important features related to authentication of LDAP client to LDAP server can be listed as bellow

As in every system there are different level of authentication in LDAP system too. There are various methods of authentication of client to server and they can be divided as follow:

We will in futher text explain in short all of above access metodes to LDAP server. Anonymous access is easyer to implement but this method has minimal security. In this case server has no idea who is asking for access. Anonymous access is used mainly for public accessed data such ac public phone book and etc. Basic authentication present type of authentication where client sent credentials to server in plan text without any encryption.Unsafe. LDAP and SASL ( Simple Authentication and Security Layer ) is a method of providing authentication services to a connection-oriented protocol such as LADP. This standard makes it possible for a client and server to agree upon a security layer for encryption. Once the server and client are connected, they agree upon a security mechanism for the ongoing conversation. One of these mechanisms is for example Kerberos. SASL specifies a challenge-response protocol in which data is exchanged between the client and the server for the purposes of authentication and establishment of a security layer on which to carry out communication later between client and server.


OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol ( LDAP ) developed by the OpenLDAP Project and it is released under its own license called the OpenLDAP Public License. Under Linux the term which is most in use is slapd and it represent LDAP directory server that runs on many platforms. Imortant to say is that slapd support following features

LDAP instalation and configuration

For installation on Debian system we will need to install the following packets

 apt-get install slapd ldap-utils migrationtools 
During installation we will be asked for administrator password for LDAP. debconf will do the rest and after that in our /etc/ldap/slapd.conf we will find among other following content

# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=lab"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn          "cn=admin,dc=lab"

and futher we created an simple file test.ldif ---just for testing
speo:/etc/ldap# cat test.ldif
dn: dc=lab
dc: lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: subnet

dn: cn=admin,dc=lab
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP Administrator user
userPassword: {MD5}ttttttttttttXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----This is my
password :) :) 

#dn: cn=nss,dc=example
#objectClass: organizationalRole
#objectClass: simpleSecurityObject
#cn: nss
#description: LDAP NSS user for user-lookups

and add it to ldap using slapadd -l test.ldif I setted password to access LDAP using slappaswd -h {MD5} where we will be asked to enter password twice. The output of slappaswd command is neccesary to copy to test.ldif. In case we do not do that we will an error when we want to send an query to LDAP.

For client configuration it is neccesary to get packets

apt-get install ldap-utils libpam-ldap libnss-ldap nscd slapd ldap-utils
The ldap-utils package allows us to querry and alter the ldap database remotely. The content in /etc/ldap/ldap.conf on our client is
BASE    dc=lab
# dc=com
URI     ldap://ldap.speo.lab:389

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_crypt local

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

LDAP replication

The LDAP system allow replication of master directiry tree to slave. The slave server can share the load for read requsets and act as backup server. To bring up a replica slapd instance, we must configure the master and slave slapd instances for replication, then shut down the master slapd so you can copy the database. Finally, you bring up the master slapd instance, the slave slapd instance, and the slurpd instance. These steps are as follows (we can set up as many slave slapd instances as you wish)

replica uri=ldap://speo-beta:389 binddn="cn=admin,dc=lab"
bindmethod=simple credentials=secret

replogfile      /var/lib/ldap/replog

on our slave in slapd.conf we have to add the following
updatedn        cn=admin,dc=lab
updateref       ldap://speo.lab