SlideShare ist ein Scribd-Unternehmen logo

Introduction to LDAP and Directory Services

Radovan Semancik
Radovan Semancik

Short introduction to the concepts directory services and the LDAP protocol

Technologie
1 von 46
Downloaden Sie, um offline zu lesen
Introduction to LDAP and Directory Services Radovan Semančík Open Source Weekend, April 2016
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Radovan Semančík Current: Software Architect at Evolveum Architect of Evolveum midPoint Contributor to ConnId and Apache Directory API Past: Sun LDAP and IDM deployments (early 2000s) OpenIDM v1, OpenICF Many software architecture and security projects
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service ● “Database” usually containing data about: People (users, employees, customers, ...) Groups of people (access control groups, roles, ...) Devices (servers, network elements, ...) Configuration data A structured repository of information on people and resources within an organisation, facilitating management and communication. The Free On-Line Dictionary of Computing
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Architecture Directory Service App App App App Directory Service App App
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Features ● Shared database Standard protocol (RFC 4511) Standardized schema inetOrgPerson (RFC 2798), posixAccount (RFC 3207), ... ● Lightweight No locking, easy to replicate Low overhead, high performance ● Fast reads, slow writes Ideal for “configuration” data LDAP = NoSQL before it was cool
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Evolution ● X.500 Origin: 1988 CCITT (now ITU-T) as support for X.400 Global directory service (similar to DNS) Very complex (DAP over OSI protocol stack) ● LDAP(* Simplified version of X.500 (DAP) Origin: 1995 IETF (RFC 1777) Currently LDAPv3 (RFC 2251, 3377, 3771) ● MS Active Directory, NDS Originated independently of X.500 Strictly speaking “LDAP” denotes network protocol. However it is commonly used to refer to the directory system as a whole. (*
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. OSS Directory Servers ● 389 Directory Server (Fedora) RedHat ● Apache Directory Server Apache Foundation ● OpenDJ (OpenDS) ForgeRock ● OpenLDAP Symas
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. OpenLDAP ● Native LDAP Server Storing data in LMDB databases (or other backends) Tailor-made database and indexing Excellent performance Access protocols: LDAP Written in C, long source code history ● UNIX install root directory /opt/symas or usual OS directories (packages) ● Configuration directory /etc/openldap, /etc/ldap/slapd.conf
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Why Do We Want Directory Services? ● They are fast! Really fast. When reading. Faster than the fastest relational databases But slow when writing (approx 10 times) ● Low resource consumption Approx 10 times lower that relational DBs ● Scaling ad nauseam 1M entries is nothing. 1B is still easy. ● Easy to replicate the data High availability, performance, scaling
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service vs Relational Databases RDB App RDB App RDB App RDB App LDAP App App App App
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Replication Master App AppApp App Master Slave Slave Slave Slave App
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP Basics
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Information Tree Hierarchical structure Directory Information Tree (DIT) o=evolveum ou=People ou=Groups uid=semancik uid=foo cn=engineers
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Objects & Attributes cn=Radovan Semančík sn=Semančík uid=semancik objectClass=inetOrgPerson title=Software Architect telephoneNumber=+421 2 49100100 telephoneNumber=+421 2 49100136 preferredLanguage=en mail=radovan.semancik@evolveum.com jpegPhoto= o=evolveum ou=People uid=semancik
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Distinguished Name uid=semancik,ou=people,o=evolveum Distinguished Name (DN) Relative Distinguished Name (RDN) o=evolveum ou=People ou=Groups uid=semancik uid=foo cn=engineers
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Suffix uid=semancik,ou=people,dc=evolveum,dc=com suffix (root suffix) dc=evolveum ou=People ou=Groups uid=semancik uid=foo cn=engineers dc=com
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Suffix uid=semancik,ou=people,dc=evolveum,dc=com suffix (root suffix) dc=evolveum,dc=com ou=People ou=Groups uid=semancik uid=foo cn=engineers
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Suffix Conventions ● o=evolveum,c=sk “Traditional” X.500 ● o=evolveum.com Hybrid, based on DNS domain ● dc=evolveum,dc=com Internet style, based on DNS domain ● o=evolveum.com,o=isp Nested, sometimes used in ISP/ASP environment
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. DIT Structure Conventions Users objectClass=inetOrgPerson (posixAccount) Groups objectClass=groupOfUniqueNames (posixGroup) Services (Access Manager, POSIX) objectClass=sunService, ipService Hosts (POSIX) objectClass=ipHost o=evolveum ou=People ou=Groups ou=Services ou=Hosts
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Objects & Attributes cn=Radovan Semančík sn=Semančík uid=semancik objectClass=inetOrgPerson title=Software Architect telephoneNumber=+421 2 49100100 telephoneNumber=+421 2 49100136 preferredLanguage=en mail=radovan.semancik@evolveum.com jpegPhoto= o=evolveum ou=People uid=semancik
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Objects and Attributes ● Attributes are global Attribute name and type is the same in all objects ● Attributes can have multiple values Multi-valued attributes is the default behavior ● Attributes may be binary E.g. jpegPhoto, userCertificate, ... ● Attribute size is practically unlimited Several megabytes for jpegPhoto is pretty normal ● Attributes may be indexed (globally)
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP Browsers ● Apache Directory Studio Java, sophisticated ● JXplorer Java, simple ● phpLDAPadmin Web-based, PHP ● Mail clients Mozilla Thunderbird, Evolution, ...
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP Interchange Format (LDIF) ● Textual format used for storing and exchange of data among LDAP servers ● Specified in RFC 2849 ● Example: dn: uid=test,ou=People,o=nlight objectClass: top objectClass: person uid: test cn: Test Testovic sn: Testovic dn: uid=foo,ou=People,o=nlight objectClass: top objectClass: person uid: foo cn: Foo Bar sn: Bar
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDIF Example dn: uid=semancik,ou=People,o=nlight mail: radovan.semancik@nlight.eu sn: Semancik cn: Radovan Semancik givenName: Radovan uid: semancik objectClass: top objectClass: organizationalperson objectClass: inetorgperson objectClass: person userPassword:: e1NTSEF9SzU4c1ZpOStFZS8yZlF zVFN6WVhNTi9obGwzQVZRVno2R3dkUHc9PQ== dn: uid=foobar,ou=People,o=nlight uid:foobar
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDIF Example dn: uid=semancik,ou=People,dc=nlight,dc=sk mail: radovan.semancik@nlight.eu sn: Semancik cn: Radovan Semancik givenName: Radovan uid: semancik objectClass: top objectClass: organizationalperson objectClass: inetorgperson objectClass: person userPassword:: e1NTSEF9SzU4c1ZpOStFZS8yZlF zVFN6WVhNTi9obGwzQVZRVno2R3dkUHc9PQ== dn: uid=foobar,ou=People,dc=nlight,dc=sk uid:foobar The “dn” line is always first Multiple lines for multi-valued attributes Base64 encoding White space: continuation of previous line Empty line: end of object Next object
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP Operations
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Basic LDAP Operations ● search Find object in the DIT, also used for reading data ● add Creating objects ● modify Changing objects ● delete Removing objects ● bind User authentication
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Search Parameters ● Base DN: The point in the tree where to start the search ● Scope: search scope base: just the base object (used for reading data) one: just one level under the base object subtree: entire subtree under the base object ● Filter: attribute conditions Using expressions to form complex conditions ● Attribute list (optional)
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Search: scope dc=com dc=foo dc=evolveum ou=people ou=groups uid=foo uid=bar Search Base DN: dc=evolveum,dc=com
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Search: scope dc=com dc=foo ou=people ou=groups uid=foo uid=bar BASE ONE SUBTREE dc=evolveum
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Search Filter (string data) ● (uid=semancik) ● (cn=*sem*) - substring filter ● (uid=*) - presence filter ● (createTimestamp>=20050101000000Z) ● (objectClass=*) - special filter, matches every object
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Compound Search Filter ● (&(givenName=Radovan)(sn=Semancik)) ● (|(cn=sem*)(cn=zem*)) ● (&(objectClass=person)(cn=FooBar)) ● (& (| (objectClass=person) (objectClass=organization) ) (!(l=Bratislava)) )
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. ldapseach command-line tool ● ldapsearch [-b <baseDN>] [-s <scope>] <filter> [ <attrs> ] ● Examples: ldapsearch -b 'ou=people,o=nlight' '(objectclass=*)' ldapsearch -b 'o=nlight' -s one '(ou=*)' ● Additional parameters -h <ldapServerHostName> -p <ldapServerPort> -D <bindDN>
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. ldapsearch $ ldapsearch -b "dc=evolveum,dc=com" -s sub "(uid=semancik)" dn: uid=semancik,ou=People,dc=evolveum,dc=com mail: semancik@evolveum.com sn: Semancik cn: Radovan Semancik givenName: Radovan uid: semancik objectClass: top objectClass: organizationalperson objectClass: inetorgperson objectClass: person
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Authentication: bind ● Directory server authenticates every incoming connection using objects in the DIT It means that DN is used as user identifier ● This operation is called bind ● Password is usually used (simple bind) But there are other options (SASL) ● Example User “semancik” binds to the server using the DN: uid=semancik,ou=people,dc=nlight,dc=sk This object must exists. The password (hash) stored in userPassword atribute is used.
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. BIND LDAP Bind uid=semancik,ou=people,dc=evolveum,dc=com dc=evolveum,dc=com ou=People ou=Groups uid=semancik uid=foo cn=engineers search
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. ldapsearch with bind $ ldapsearch -D “uid=admin,ou=people,dc=nlight,dc=sk” -w password -b "dc=nlight,dc=sk" -s sub "(uid=semancik)" dn: uid=semancik,ou=People,dc=nlight,dc=sk mail: semancik@nlight.eu sn: Semancik cn: Radovan Semancik givenName: Radovan uid: semancik objectClass: top objectClass: organizationalperson objectClass: inetorgperson objectClass: person userPassword:: e1NTSEF9SzU4cS8y...obkUHc9PQ==
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. userPassword Attribute ● One-way hash, difficult to reverse SSHA SHA crypt … ● Server may hash the password automatically … if not use slappasswd userPassword: {MECH}base64encodedHash userPassword: {SSHA}x2J+RZAmEdE5I7nw5Qi4zRuMBAb1CVVhpyMzIQ==
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP-Based Authentication A P P L I C A T I O N Login: foo Password: bar Directory Server bind uid=foo,ou=people,dc=example,dc=com Password: bar result: success logged in Simple, but wrong
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP-Based Authentication A P P L I C A T I O N Login: foo Password: bar Directory Server bind uid=foo,ou=people,dc=example,dc=com Password: bar result: success logged in search (uid=foo) uid=foo,ou=people,dc=example,dc=com Better, but sill not OK
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP-Based Authentication A P P L I C A T I O N Login: foo Password: bar Directory Server bind uid=foo,ou=people,dc=example,dc=com Password: bar result: successlogged in search (uid=foo) uid=foo,ou=people,dc=example,dc=com bind cn=app1,ou=apps,dc=example,dc=com Password: h4rdP455w0rd result: success
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. There is (much) more ... ● LDAP groups ● LDAP server configuration ● LDAP schema ● Replication ● Security (ACLs, authentication) ● Linux as LDAP client (PAM & NSS or SSS) ● This presentation is just a (very) short excerpt from the full training
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Limitations ● Object-oriented, no tables, no joins ● Standard data model limitations ● Management tools are … cumbersome ● LDAP is a database, not authentication server ● Single directory myth ● You will need more components Directory server(s) Access management (SSO) Identity management
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service HR Application Application Application Application A M Identity Management Users CRM Application midPoint
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Questions and Answers
Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Radovan Semančík www.evolveum.com Thank You

Empfohlen

The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap Protocol
Glen Plantz
 
LDAP
LDAPLDAP
LDAP
Khemnath Chauhan
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAP
Cynoteck Technology Solutions Private Limited
 
Ldap intro
Ldap introLdap intro
Ldap intro
yousry ibrahim
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
Anatoliy Okhotnikov
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Ldap
LdapLdap
Ldap
Higher Private School of Engineering and Technology
 

Empfohlen

The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap Protocol
Glen Plantz
 
LDAP
LDAPLDAP
LDAP
Khemnath Chauhan
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAP
Cynoteck Technology Solutions Private Limited
 
Ldap intro
Ldap introLdap intro
Ldap intro
yousry ibrahim
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
Anatoliy Okhotnikov
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Ldap
LdapLdap
Ldap
Higher Private School of Engineering and Technology
 
Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02
gameaxt
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to Vault
Knoldus Inc.
 
Active directory slides
Active directory slidesActive directory slides
Active directory slides
Timothy Moffatt
 
Microsoft Active Directory.pptx
Microsoft Active Directory.pptxMicrosoft Active Directory.pptx
Microsoft Active Directory.pptx
masbulosoke
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
Query logging with proxysql
Query logging with proxysqlQuery logging with proxysql
Query logging with proxysql
YoungHeon (Roy) Kim
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
Ramit Surana
 
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Edureka!
 
Accelerating with Ansible
Accelerating with AnsibleAccelerating with Ansible
Accelerating with Ansible
Global Knowledge Training
 
File permissions
File permissionsFile permissions
File permissions
Varnnit Jain
 
Active Directory Domain Services.pptx
Active Directory Domain Services.pptxActive Directory Domain Services.pptx
Active Directory Domain Services.pptx
syedasadraza13
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Linux commands
Linux commands Linux commands
Linux commands
debashis rout
 
Troubleshooting redis
Troubleshooting redisTroubleshooting redis
Troubleshooting redis
DaeMyung Kang
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
Ivan Serdyuk
 
(발표자료) CentOS EOL에 따른 대응 OS 검토 및 적용 방안.pdf
(발표자료) CentOS EOL에 따른 대응 OS 검토 및 적용 방안.pdf(발표자료) CentOS EOL에 따른 대응 OS 검토 및 적용 방안.pdf
(발표자료) CentOS EOL에 따른 대응 OS 검토 및 적용 방안.pdf
ssuserf8b8bd1
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
Knoldus Inc.
 
DevOps Meetup ansible
DevOps Meetup ansibleDevOps Meetup ansible
DevOps Meetup ansible
sriram_rajan
 
Kubernetes networking
Kubernetes networkingKubernetes networking
Kubernetes networking
Sim Janghoon
 
Ansible
AnsibleAnsible
Ansible
Kamil Lelonek
 
LDAP Presentation
LDAP PresentationLDAP Presentation
LDAP Presentation
cyberleon95
 
Ldap
LdapLdap
Ldap
Shiva Krishna Chandra Shekar
 

Weitere ähnliche Inhalte

Was ist angesagt?

Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02
gameaxt
 
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Edureka!
 

Was ist angesagt? (20)

Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to Vault
 
Active directory slides
Active directory slidesActive directory slides
Active directory slides
 
Microsoft Active Directory.pptx
Microsoft Active Directory.pptxMicrosoft Active Directory.pptx
Microsoft Active Directory.pptx
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
Query logging with proxysql
Query logging with proxysqlQuery logging with proxysql
Query logging with proxysql
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
 
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
 
Accelerating with Ansible
Accelerating with AnsibleAccelerating with Ansible
Accelerating with Ansible
 
File permissions
File permissionsFile permissions
File permissions
 
Active Directory Domain Services.pptx
Active Directory Domain Services.pptxActive Directory Domain Services.pptx
Active Directory Domain Services.pptx
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
Linux commands
Linux commands Linux commands
Linux commands
 
Troubleshooting redis
Troubleshooting redisTroubleshooting redis
Troubleshooting redis
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
 
(발표자료) CentOS EOL에 따른 대응 OS 검토 및 적용 방안.pdf
(발표자료) CentOS EOL에 따른 대응 OS 검토 및 적용 방안.pdf(발표자료) CentOS EOL에 따른 대응 OS 검토 및 적용 방안.pdf
(발표자료) CentOS EOL에 따른 대응 OS 검토 및 적용 방안.pdf
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
 
DevOps Meetup ansible
DevOps Meetup ansibleDevOps Meetup ansible
DevOps Meetup ansible
 
Kubernetes networking
Kubernetes networkingKubernetes networking
Kubernetes networking
 
Ansible
AnsibleAnsible
Ansible
 

Andere mochten auch

LDAP Presentation
LDAP PresentationLDAP Presentation
LDAP Presentation
cyberleon95
 
Benchmarks on LDAP directories
Benchmarks on LDAP directoriesBenchmarks on LDAP directories
Benchmarks on LDAP directories
LDAPCon
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3
LDAPCon
 
Fundamentals of Enterprise Networks
Fundamentals of Enterprise NetworksFundamentals of Enterprise Networks
Fundamentals of Enterprise Networks
VisualBee.com
 
Aras PLM and the Google Mobile Explosion
Aras PLM and the Google Mobile ExplosionAras PLM and the Google Mobile Explosion
Aras PLM and the Google Mobile Explosion
Aras
 

Andere mochten auch (20)

LDAP Presentation
LDAP PresentationLDAP Presentation
LDAP Presentation
 
Ldap
LdapLdap
Ldap
 
LDAP Theory
LDAP TheoryLDAP Theory
LDAP Theory
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
 
Complete open source IAM solution
Complete open source IAM solutionComplete open source IAM solution
Complete open source IAM solution
 
Benchmarks on LDAP directories
Benchmarks on LDAP directoriesBenchmarks on LDAP directories
Benchmarks on LDAP directories
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3
 
Fundamentals of Enterprise Networks
Fundamentals of Enterprise NetworksFundamentals of Enterprise Networks
Fundamentals of Enterprise Networks
 
Aras PLM and the Google Mobile Explosion
Aras PLM and the Google Mobile ExplosionAras PLM and the Google Mobile Explosion
Aras PLM and the Google Mobile Explosion
 
CIS14: Are the Enterprises Ready for Identity of Everything?
CIS14: Are the Enterprises Ready for Identity of Everything?CIS14: Are the Enterprises Ready for Identity of Everything?
CIS14: Are the Enterprises Ready for Identity of Everything?
 
Standardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMStandardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIM
 
CIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC ConnectCIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC Connect
 
How to import the agile plm database
How to import the agile plm databaseHow to import the agile plm database
How to import the agile plm database
 
Reinforcing Your Enterprise With Security Architectures
Reinforcing Your Enterprise With Security ArchitecturesReinforcing Your Enterprise With Security Architectures
Reinforcing Your Enterprise With Security Architectures
 
1208 1450 how digital transformation affects plm pi berlin 2017
1208 1450 how digital transformation affects plm pi berlin 20171208 1450 how digital transformation affects plm pi berlin 2017
1208 1450 how digital transformation affects plm pi berlin 2017
 
ITU Letter to the President of Indonesia (IM2 Case)
ITU Letter to the President of Indonesia (IM2 Case)ITU Letter to the President of Indonesia (IM2 Case)
ITU Letter to the President of Indonesia (IM2 Case)
 
PAFonteyne_ExtendedCV_2015
PAFonteyne_ExtendedCV_2015PAFonteyne_ExtendedCV_2015
PAFonteyne_ExtendedCV_2015
 
Ejecucion presupuesto 2012_2014
Ejecucion presupuesto 2012_2014Ejecucion presupuesto 2012_2014
Ejecucion presupuesto 2012_2014
 
Elastische Skalierbarkeit für Web-Anwendungen
Elastische Skalierbarkeit für Web-AnwendungenElastische Skalierbarkeit für Web-Anwendungen
Elastische Skalierbarkeit für Web-Anwendungen
 
Janhit Humanitarian Magazine 2013 - Raj Saubhag Ashram, Sayla
Janhit Humanitarian Magazine 2013 - Raj Saubhag Ashram, SaylaJanhit Humanitarian Magazine 2013 - Raj Saubhag Ashram, Sayla
Janhit Humanitarian Magazine 2013 - Raj Saubhag Ashram, Sayla
 

Ähnlich wie Introduction to LDAP and Directory Services

“Publishing and Consuming Linked Data. (Lessons learnt when using LOD in an a...
“Publishing and Consuming Linked Data. (Lessons learnt when using LOD in an a...“Publishing and Consuming Linked Data. (Lessons learnt when using LOD in an a...
“Publishing and Consuming Linked Data. (Lessons learnt when using LOD in an a...
Marta Villegas
 
Scalable Plone hosting with Amazon EC2 for Rice University's Rhaptos open lea...
Scalable Plone hosting with Amazon EC2 for Rice University's Rhaptos open lea...Scalable Plone hosting with Amazon EC2 for Rice University's Rhaptos open lea...
Scalable Plone hosting with Amazon EC2 for Rice University's Rhaptos open lea...
Jazkarta, Inc.
 
RMLL 2013 : Build Your Personal Search Engine using Crawlzilla
RMLL 2013 : Build Your Personal Search Engine using CrawlzillaRMLL 2013 : Build Your Personal Search Engine using Crawlzilla
RMLL 2013 : Build Your Personal Search Engine using Crawlzilla
Jazz Yao-Tsung Wang
 
Web 3 Mark Greaves
Web 3 Mark GreavesWeb 3 Mark Greaves
Web 3 Mark Greaves
Mediabistro
 
Nobel Prizes as Linked Open Data
Nobel Prizes as Linked Open DataNobel Prizes as Linked Open Data
Nobel Prizes as Linked Open Data
MetaSolutions AB
 
Introduction to Semantic Web for GIS Practitioners
Introduction to Semantic Web for GIS PractitionersIntroduction to Semantic Web for GIS Practitioners
Introduction to Semantic Web for GIS Practitioners
Emanuele Della Valle
 
The Why, When, and How of NoSQL - A Practical Approach
The Why, When, and How of NoSQL - A Practical ApproachThe Why, When, and How of NoSQL - A Practical Approach
The Why, When, and How of NoSQL - A Practical Approach
DATAVERSITY
 

Ähnlich wie Introduction to LDAP and Directory Services (20)

Delphi ORM SOA MVC SQL NoSQL JSON REST mORMot
Delphi ORM SOA MVC SQL NoSQL JSON REST mORMotDelphi ORM SOA MVC SQL NoSQL JSON REST mORMot
Delphi ORM SOA MVC SQL NoSQL JSON REST mORMot
 
Accessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBCAccessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBC
 
Exploring the Semantic Web
Exploring the Semantic WebExploring the Semantic Web
Exploring the Semantic Web
 
State of the Semantic Web
State of the Semantic WebState of the Semantic Web
State of the Semantic Web
 
LOD2 Webinar: SIREn
LOD2 Webinar: SIREnLOD2 Webinar: SIREn
LOD2 Webinar: SIREn
 
“Publishing and Consuming Linked Data. (Lessons learnt when using LOD in an a...
“Publishing and Consuming Linked Data. (Lessons learnt when using LOD in an a...“Publishing and Consuming Linked Data. (Lessons learnt when using LOD in an a...
“Publishing and Consuming Linked Data. (Lessons learnt when using LOD in an a...
 
Sinux
SinuxSinux
Sinux
 
OpenLink Virtuoso - Management & Decision Makers Overview
OpenLink Virtuoso - Management & Decision Makers OverviewOpenLink Virtuoso - Management & Decision Makers Overview
OpenLink Virtuoso - Management & Decision Makers Overview
 
Guidance, Code and Education: ScalaCenter and the Scala Community, Heather Mi...
Guidance, Code and Education: ScalaCenter and the Scala Community, Heather Mi...Guidance, Code and Education: ScalaCenter and the Scala Community, Heather Mi...
Guidance, Code and Education: ScalaCenter and the Scala Community, Heather Mi...
 
Scalable Plone hosting with Amazon EC2 for Rice University's Rhaptos open lea...
Scalable Plone hosting with Amazon EC2 for Rice University's Rhaptos open lea...Scalable Plone hosting with Amazon EC2 for Rice University's Rhaptos open lea...
Scalable Plone hosting with Amazon EC2 for Rice University's Rhaptos open lea...
 
2016 mORMot
2016 mORMot2016 mORMot
2016 mORMot
 
Text mining and Visualizations
Text mining and VisualizationsText mining and Visualizations
Text mining and Visualizations
 
RMLL 2013 : Build Your Personal Search Engine using Crawlzilla
RMLL 2013 : Build Your Personal Search Engine using CrawlzillaRMLL 2013 : Build Your Personal Search Engine using Crawlzilla
RMLL 2013 : Build Your Personal Search Engine using Crawlzilla
 
Web 3 Mark Greaves
Web 3 Mark GreavesWeb 3 Mark Greaves
Web 3 Mark Greaves
 
LDAP : Theory and OpenLDAP implementation
LDAP : Theory and OpenLDAP implementationLDAP : Theory and OpenLDAP implementation
LDAP : Theory and OpenLDAP implementation
 
Corrib.org - OpenSource and Research
Corrib.org - OpenSource and ResearchCorrib.org - OpenSource and Research
Corrib.org - OpenSource and Research
 
Nobel Prizes as Linked Open Data
Nobel Prizes as Linked Open DataNobel Prizes as Linked Open Data
Nobel Prizes as Linked Open Data
 
Introduction to Semantic Web for GIS Practitioners
Introduction to Semantic Web for GIS PractitionersIntroduction to Semantic Web for GIS Practitioners
Introduction to Semantic Web for GIS Practitioners
 
The Why, When, and How of NoSQL - A Practical Approach
The Why, When, and How of NoSQL - A Practical ApproachThe Why, When, and How of NoSQL - A Practical Approach
The Why, When, and How of NoSQL - A Practical Approach
 
Migrating Fast to Solr
Migrating Fast to SolrMigrating Fast to Solr
Migrating Fast to Solr
 

Mehr von Radovan Semancik

Mehr von Radovan Semancik (7)

How To Maintain Million Lines Of Open Source Code And Remain Sane or The Stor...
How To Maintain Million Lines Of Open Source Code And Remain Sane or The Stor...How To Maintain Million Lines Of Open Source Code And Remain Sane or The Stor...
How To Maintain Million Lines Of Open Source Code And Remain Sane or The Stor...
 
There is REST and then there is "REST"
There is REST and then there is "REST"There is REST and then there is "REST"
There is REST and then there is "REST"
 
MidPoint: Consumer to Contributor
MidPoint: Consumer to ContributorMidPoint: Consumer to Contributor
MidPoint: Consumer to Contributor
 
Identity governance and data protection with mid point
Identity governance and data protection with mid pointIdentity governance and data protection with mid point
Identity governance and data protection with mid point
 
Project midPoint or how a handful of fools fought the Giants
Project midPoint or how a handful of fools fought the GiantsProject midPoint or how a handful of fools fought the Giants
Project midPoint or how a handful of fools fought the Giants
 
Identity Management with midPoint
Identity Management with midPointIdentity Management with midPoint
Identity Management with midPoint
 
Open Source Identity Management
Open Source Identity ManagementOpen Source Identity Management
Open Source Identity Management
 

Kürzlich hochgeladen

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Kürzlich hochgeladen (20)

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Introduction to LDAP and Directory Services

  • 1. Introduction to LDAP and Directory Services Radovan Semančík Open Source Weekend, April 2016
  • 2. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Radovan Semančík Current: Software Architect at Evolveum Architect of Evolveum midPoint Contributor to ConnId and Apache Directory API Past: Sun LDAP and IDM deployments (early 2000s) OpenIDM v1, OpenICF Many software architecture and security projects
  • 3. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service ● “Database” usually containing data about: People (users, employees, customers, ...) Groups of people (access control groups, roles, ...) Devices (servers, network elements, ...) Configuration data A structured repository of information on people and resources within an organisation, facilitating management and communication. The Free On-Line Dictionary of Computing
  • 4. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Architecture Directory Service App App App App Directory Service App App
  • 5. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Features ● Shared database Standard protocol (RFC 4511) Standardized schema inetOrgPerson (RFC 2798), posixAccount (RFC 3207), ... ● Lightweight No locking, easy to replicate Low overhead, high performance ● Fast reads, slow writes Ideal for “configuration” data LDAP = NoSQL before it was cool
  • 6. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Evolution ● X.500 Origin: 1988 CCITT (now ITU-T) as support for X.400 Global directory service (similar to DNS) Very complex (DAP over OSI protocol stack) ● LDAP(* Simplified version of X.500 (DAP) Origin: 1995 IETF (RFC 1777) Currently LDAPv3 (RFC 2251, 3377, 3771) ● MS Active Directory, NDS Originated independently of X.500 Strictly speaking “LDAP” denotes network protocol. However it is commonly used to refer to the directory system as a whole. (*
  • 7. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. OSS Directory Servers ● 389 Directory Server (Fedora) RedHat ● Apache Directory Server Apache Foundation ● OpenDJ (OpenDS) ForgeRock ● OpenLDAP Symas
  • 8. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. OpenLDAP ● Native LDAP Server Storing data in LMDB databases (or other backends) Tailor-made database and indexing Excellent performance Access protocols: LDAP Written in C, long source code history ● UNIX install root directory /opt/symas or usual OS directories (packages) ● Configuration directory /etc/openldap, /etc/ldap/slapd.conf
  • 9. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Why Do We Want Directory Services? ● They are fast! Really fast. When reading. Faster than the fastest relational databases But slow when writing (approx 10 times) ● Low resource consumption Approx 10 times lower that relational DBs ● Scaling ad nauseam 1M entries is nothing. 1B is still easy. ● Easy to replicate the data High availability, performance, scaling
  • 10. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service vs Relational Databases RDB App RDB App RDB App RDB App LDAP App App App App
  • 11. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Replication Master App AppApp App Master Slave Slave Slave Slave App
  • 12. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP Basics
  • 13. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Information Tree Hierarchical structure Directory Information Tree (DIT) o=evolveum ou=People ou=Groups uid=semancik uid=foo cn=engineers
  • 14. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Objects & Attributes cn=Radovan Semančík sn=Semančík uid=semancik objectClass=inetOrgPerson title=Software Architect telephoneNumber=+421 2 49100100 telephoneNumber=+421 2 49100136 preferredLanguage=en mail=radovan.semancik@evolveum.com jpegPhoto= o=evolveum ou=People uid=semancik
  • 15. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Distinguished Name uid=semancik,ou=people,o=evolveum Distinguished Name (DN) Relative Distinguished Name (RDN) o=evolveum ou=People ou=Groups uid=semancik uid=foo cn=engineers
  • 16. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Suffix uid=semancik,ou=people,dc=evolveum,dc=com suffix (root suffix) dc=evolveum ou=People ou=Groups uid=semancik uid=foo cn=engineers dc=com
  • 17. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Suffix uid=semancik,ou=people,dc=evolveum,dc=com suffix (root suffix) dc=evolveum,dc=com ou=People ou=Groups uid=semancik uid=foo cn=engineers
  • 18. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Suffix Conventions ● o=evolveum,c=sk “Traditional” X.500 ● o=evolveum.com Hybrid, based on DNS domain ● dc=evolveum,dc=com Internet style, based on DNS domain ● o=evolveum.com,o=isp Nested, sometimes used in ISP/ASP environment
  • 19. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. DIT Structure Conventions Users objectClass=inetOrgPerson (posixAccount) Groups objectClass=groupOfUniqueNames (posixGroup) Services (Access Manager, POSIX) objectClass=sunService, ipService Hosts (POSIX) objectClass=ipHost o=evolveum ou=People ou=Groups ou=Services ou=Hosts
  • 20. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Objects & Attributes cn=Radovan Semančík sn=Semančík uid=semancik objectClass=inetOrgPerson title=Software Architect telephoneNumber=+421 2 49100100 telephoneNumber=+421 2 49100136 preferredLanguage=en mail=radovan.semancik@evolveum.com jpegPhoto= o=evolveum ou=People uid=semancik
  • 21. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Objects and Attributes ● Attributes are global Attribute name and type is the same in all objects ● Attributes can have multiple values Multi-valued attributes is the default behavior ● Attributes may be binary E.g. jpegPhoto, userCertificate, ... ● Attribute size is practically unlimited Several megabytes for jpegPhoto is pretty normal ● Attributes may be indexed (globally)
  • 22. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP Browsers ● Apache Directory Studio Java, sophisticated ● JXplorer Java, simple ● phpLDAPadmin Web-based, PHP ● Mail clients Mozilla Thunderbird, Evolution, ...
  • 23. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP Interchange Format (LDIF) ● Textual format used for storing and exchange of data among LDAP servers ● Specified in RFC 2849 ● Example: dn: uid=test,ou=People,o=nlight objectClass: top objectClass: person uid: test cn: Test Testovic sn: Testovic dn: uid=foo,ou=People,o=nlight objectClass: top objectClass: person uid: foo cn: Foo Bar sn: Bar
  • 24. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDIF Example dn: uid=semancik,ou=People,o=nlight mail: radovan.semancik@nlight.eu sn: Semancik cn: Radovan Semancik givenName: Radovan uid: semancik objectClass: top objectClass: organizationalperson objectClass: inetorgperson objectClass: person userPassword:: e1NTSEF9SzU4c1ZpOStFZS8yZlF zVFN6WVhNTi9obGwzQVZRVno2R3dkUHc9PQ== dn: uid=foobar,ou=People,o=nlight uid:foobar
  • 25. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDIF Example dn: uid=semancik,ou=People,dc=nlight,dc=sk mail: radovan.semancik@nlight.eu sn: Semancik cn: Radovan Semancik givenName: Radovan uid: semancik objectClass: top objectClass: organizationalperson objectClass: inetorgperson objectClass: person userPassword:: e1NTSEF9SzU4c1ZpOStFZS8yZlF zVFN6WVhNTi9obGwzQVZRVno2R3dkUHc9PQ== dn: uid=foobar,ou=People,dc=nlight,dc=sk uid:foobar The “dn” line is always first Multiple lines for multi-valued attributes Base64 encoding White space: continuation of previous line Empty line: end of object Next object
  • 26. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP Operations
  • 27. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Basic LDAP Operations ● search Find object in the DIT, also used for reading data ● add Creating objects ● modify Changing objects ● delete Removing objects ● bind User authentication
  • 28. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Search Parameters ● Base DN: The point in the tree where to start the search ● Scope: search scope base: just the base object (used for reading data) one: just one level under the base object subtree: entire subtree under the base object ● Filter: attribute conditions Using expressions to form complex conditions ● Attribute list (optional)
  • 29. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Search: scope dc=com dc=foo dc=evolveum ou=people ou=groups uid=foo uid=bar Search Base DN: dc=evolveum,dc=com
  • 30. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Search: scope dc=com dc=foo ou=people ou=groups uid=foo uid=bar BASE ONE SUBTREE dc=evolveum
  • 31. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Search Filter (string data) ● (uid=semancik) ● (cn=*sem*) - substring filter ● (uid=*) - presence filter ● (createTimestamp>=20050101000000Z) ● (objectClass=*) - special filter, matches every object
  • 32. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Compound Search Filter ● (&(givenName=Radovan)(sn=Semancik)) ● (|(cn=sem*)(cn=zem*)) ● (&(objectClass=person)(cn=FooBar)) ● (& (| (objectClass=person) (objectClass=organization) ) (!(l=Bratislava)) )
  • 33. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. ldapseach command-line tool ● ldapsearch [-b <baseDN>] [-s <scope>] <filter> [ <attrs> ] ● Examples: ldapsearch -b 'ou=people,o=nlight' '(objectclass=*)' ldapsearch -b 'o=nlight' -s one '(ou=*)' ● Additional parameters -h <ldapServerHostName> -p <ldapServerPort> -D <bindDN>
  • 34. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. ldapsearch $ ldapsearch -b "dc=evolveum,dc=com" -s sub "(uid=semancik)" dn: uid=semancik,ou=People,dc=evolveum,dc=com mail: semancik@evolveum.com sn: Semancik cn: Radovan Semancik givenName: Radovan uid: semancik objectClass: top objectClass: organizationalperson objectClass: inetorgperson objectClass: person
  • 35. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Authentication: bind ● Directory server authenticates every incoming connection using objects in the DIT It means that DN is used as user identifier ● This operation is called bind ● Password is usually used (simple bind) But there are other options (SASL) ● Example User “semancik” binds to the server using the DN: uid=semancik,ou=people,dc=nlight,dc=sk This object must exists. The password (hash) stored in userPassword atribute is used.
  • 36. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. BIND LDAP Bind uid=semancik,ou=people,dc=evolveum,dc=com dc=evolveum,dc=com ou=People ou=Groups uid=semancik uid=foo cn=engineers search
  • 37. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. ldapsearch with bind $ ldapsearch -D “uid=admin,ou=people,dc=nlight,dc=sk” -w password -b "dc=nlight,dc=sk" -s sub "(uid=semancik)" dn: uid=semancik,ou=People,dc=nlight,dc=sk mail: semancik@nlight.eu sn: Semancik cn: Radovan Semancik givenName: Radovan uid: semancik objectClass: top objectClass: organizationalperson objectClass: inetorgperson objectClass: person userPassword:: e1NTSEF9SzU4cS8y...obkUHc9PQ==
  • 38. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. userPassword Attribute ● One-way hash, difficult to reverse SSHA SHA crypt … ● Server may hash the password automatically … if not use slappasswd userPassword: {MECH}base64encodedHash userPassword: {SSHA}x2J+RZAmEdE5I7nw5Qi4zRuMBAb1CVVhpyMzIQ==
  • 39. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP-Based Authentication A P P L I C A T I O N Login: foo Password: bar Directory Server bind uid=foo,ou=people,dc=example,dc=com Password: bar result: success logged in Simple, but wrong
  • 40. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP-Based Authentication A P P L I C A T I O N Login: foo Password: bar Directory Server bind uid=foo,ou=people,dc=example,dc=com Password: bar result: success logged in search (uid=foo) uid=foo,ou=people,dc=example,dc=com Better, but sill not OK
  • 41. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. LDAP-Based Authentication A P P L I C A T I O N Login: foo Password: bar Directory Server bind uid=foo,ou=people,dc=example,dc=com Password: bar result: successlogged in search (uid=foo) uid=foo,ou=people,dc=example,dc=com bind cn=app1,ou=apps,dc=example,dc=com Password: h4rdP455w0rd result: success
  • 42. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. There is (much) more ... ● LDAP groups ● LDAP server configuration ● LDAP schema ● Replication ● Security (ACLs, authentication) ● Linux as LDAP client (PAM & NSS or SSS) ● This presentation is just a (very) short excerpt from the full training
  • 43. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service Limitations ● Object-oriented, no tables, no joins ● Standard data model limitations ● Management tools are … cumbersome ● LDAP is a database, not authentication server ● Single directory myth ● You will need more components Directory server(s) Access management (SSO) Identity management
  • 44. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Directory Service HR Application Application Application Application A M Identity Management Users CRM Application midPoint
  • 45. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Questions and Answers
  • 46. Copyright © 2005-2016 nLight, s.r.o., Evolveum, s.r.o. May be distributed under the terms of CC-BY-ND. Radovan Semančík www.evolveum.com Thank You