Lightweight Directory Access Protocol

The Lightweight Directory Access Protocol (LDAP) is designed to implement network- accessible directories of users, providing information about them such as their e-mail address or phone number. Such directories can also be used for authentication purposes, identifying that a certain user belongs to a specified network. You can find out more information on LDAP at www.ldapman.org. You can think of an LDAP directory as an Internet-accessible phone book, where anyone can look you up to find your e-mail address or other information. In fact, it may be more accurate to refer to such directories as databases. They are databases of user information, accessible over networks like the Internet. Normally, the users on a local network are spread across several different systems, and to obtain information about a user, you would have to know what system the user is on, and then query that system. With LDAP, user information for all users on a network is kept in the LDAP server. You only have to query the network's LDAP server to obtain information about a user. For example, Sendmail can use LDAP to look up user addresses. You can also use Mozilla or Netscape to query LDAP. In Mozilla, open the address book, then select File | New, and choose the LDAPD directory. Here you can enter the LDAP server. In the Preferences dialog, select addressing under the Mail & Newsgroup category. This displays a panel where you can enter the LDAP directory server.

LDAP Clients and Servers

LDAP directories are implemented as clients and servers, where you use an LDAP client to access an LDAP server that manages the LDAP database. Most Linux distributions, including Red Hat, use OpenLDAP, an open-source version of LDAP (you can find out more about OpenLDAP at www.openldap.org). This package includes an LDAP server (slapd), an LDAP replication server (slurpd), an LDAP client, and tools. slurpd is used to update other LDAP servers on your network, should you have more than one. Once the LDAP server is installed, you can start, stop, and restart the LDAP server (slapd) with the ldap startup script:

service ldap restart

LDAP Configuration Files

All LDAP configuration files are kept in the /etc/openldap directory. These include slapd.conf, the LDAP server configuration file, and ldap.conf, the LDAP clients and tools configuration file. To enable the LDAP server, you have to manually edit the slapd.conf file, and change the domain value (dc) for the suffix and rootdn entries to your own network's domain address. This is the network that will be serviced by the LDAP server. To enable LDAP clients and their tools, you have to specify the correct domain address in the ldap.conf file in the BASE option, along with the server's address in the HOST option (domain name or IP address). For clients, you can either edit the ldap.conf file directly or use the System Settings Authentication tool, clicking the Configure LDAP button on either the User Information or Authentication panel. Here you can enter the domain name and the LDAP server's address.

LDAP Tools

An entry in an LDAP database consists of a name (known as a distinguished name) followed by a set of attributes and their values. For example, a name could be a username and the attribute would be the user's e-mail address, the address being the attribute's value. Allowable attributes are determined by object class sets defined in the /etc/openldap/schema directory. To actually make or change entries in the LDAP database, you use the ldapadd and ldapmodify utilities. With ldapdelete, you can remove entries. Once you have created an LDAP database, you can then query it, through the LDAP server, with ldapsearch. For the LDAP server, you can create a text file of LDAP entries using an LDAP Data Interchange Format (LDIF) format. Such text files can then be read in all at once to the LDAP database using the slapadd tool. The slapcat tool extracts entries from the LDAP database and saves them in an LDIF file. To reindex additions and changes, you use the slapindex utility.

LDAP and PAM

With LDAP, you can also more carefully control the kind of information given out and to whom. Using a PAM module (pam_ldap), LDAP can perform user authentication tasks, providing centralized authentication for users. Login operations that users perform for different services such as mail POP server, system login, and Samba logins can all be carried out through LDAP using a single PAM-secured user ID and password. To configure PAM to use LDAP, use the System Settings Authentication tool (authconfig-gtk), and select Enable LDAP Support on the Authentication panel (see Chapter 4). You should also make sure that LDAP server is correctly specified. To use LDAP for authentication, you need to configure PAM to use it, as well as migrate authentication files to the LDAP format. The /usr/share/openldap/migration directory holds scripts you can use to translate the old files into LDAP versions.

LDAP and the Name Service Switch Service

With the libnss_ldap module, LDAP can also be used in the Name Service Switch (NSS) service along with NIS and system files for system database services like passwords and groups. Clients can easily enable LDAP for NSS by using the System Settings Authentication tool and selecting Enable LDAP Support in the User Information panel. You also need to make sure that the LDAP server is specified. You could also manually add ldap for entries in the /etc/nsswitch.conf file.