LDAP in Linux

Author profile:
Atif Ghaffar is like a chameleon. He often changes roles: from system administrator to programmer, to teacher and project manager, to whatever role gets the work done. Sometimes, while watching a movie in a cinema, he likes to pull out his laptop and write a program. Atif has always believed that he belongs to the linux and open source communities. For more information about Atif, visit his home page http://www.developer.ch/~aghaffar.

Abstract:
This article discusses LDAP and how to implement it on linux, our favorite operating system.
There is a lot of LDAP literature, so I will not repeat it here. I am not going to discuss advanced LDAP concepts, schemas, or the differences between versions 2 and 3 of LDAP. In fact, I do not know much about such issues. Instead, I will try to explain in simple, clear language what LDAP is, what benefits it brings us and how we use it.
I am not an LDAP expert; I am just an LDAP beginner. This article describes what I have done with LDAP and how I did it. I will not confuse you any further.
Q: Since you are an LDAP beginner, why write an article about LDAP?
Recently I needed help from a colleague on a project whose foundation is LDAP. My colleague could help me with perl, the email server and so on, but he knew nothing about LDAP. In fact, every time he tried to learn LDAP in depth, he became more confused by it. Because the project is built on LDAP, I gave this colleague a half-hour introduction to LDAP, and as a result everything became clear. The reason is simple: LDAP is simple, and you only need a little attention or a few vivid examples.
I want to do the same in this article.
You will find many URLs useful for learning LDAP in this article.

What is LDAP?
LDAP is short for Lightweight Directory Access Protocol. It is a directory service, like the directories we use in a file system, like the telephone book we consult to look up phone numbers, like network directories such as NIS (Network Information Service) and DNS (Domain Name Service), and like the trees you see in a garden.
LDAP is a special kind of database, but it differs from general-purpose databases, and it is very important to understand this point: LDAP is optimized for queries, and its read performance is much better than its write performance.

In general, what kind of service does a directory service provide?
Generally, it returns certain information based on query criteria.

Examples

File system directory
ls /etc
Returns all files and subdirectories in the /etc directory.

ls /etc/p*
Returns all files and subdirectories in /etc whose names start with p.

find /usr/local/apache -name index.html
Searches for a file or subdirectory named index.html under the /usr/local/apache directory.

NIS directory
ypcat passwd
Returns the user name, password, user ID and other information from the NIS passwd database.

ypmatch atif passwd
Returns the passwd entry of user atif.

DNS directory
nslookup www.linuxfocus.org
Returns the IP address of www.linuxfocus.org.

nslookup -type=MX linuxfocus.org
Returns the host names in the MX records of linuxfocus.org.

LDAP directory
(We will describe it in detail below.)
ldapsearch uid=aghaffar
Returns all public information about the user aghaffar.
This is similar to the unix command find / -uid aghaffar.

ldapsearch uid=aghaffar mail
Returns the email address of the user aghaffar.

Directory base or root
In any of the directory services mentioned above, there is a starting point from which we begin browsing or searching. This starting point is called the root. It is like the root of a tree: every tree has a root and many branches and leaves.
* The root of the file system is /
* The root of NIS is a domain name, such as "linuxfocus.org"
* The root of DNS is InterNIC
* LDAP also has a definable root, such as "o=linuxfocus.org". Here o stands for organization.
Each root can grow many branches (just like the trees in your neighbor's garden). For a file system, the branches are files and subdirectories. Each leaf has some attributes. For example, the branches (files and subdirectories) of the file system have attributes such as:
* Name
* Modification time
* Owner
* Group (Translator's note: the group of the owner)
* And so on
[Figure: a file system directory entry and its attributes, as displayed by the unix command ls -ld /usr]


The following figure shows an LDAP directory:

We will discuss this figure below.

Distinguished Name (DN)
Unlike trees in nature, every leaf in a file system, LDAP or telephone book directory has at least one unique attribute that lets us tell the branches apart.
In a file system, this unique attribute is the file name together with its full path. For example, the file name /etc/passwd is unique under that path. Of course we can also have /usr/passwd or /opt/passwd, but each is still unique by its full path.
Similarly, in DNS a fully qualified domain name (FQDN) is unique.
In LDAP the unique name of an entry is its "dn" or Distinguished Name. This name is always unique within a directory. For example, my dn is "uid=aghaffar,ou=People,o=developer.ch". No other entry can have the same dn, but we can have a dn such as "uid=aghaffar,ou=Administrators,o=developer.ch". This is like the /etc/passwd and /usr/passwd example in the file system.
We then have two unique entries: the uid under "ou=Administrators,o=developer.ch" and the uid under "ou=People,o=developer.ch". This is not a conflict.
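The DN rule above, worked through in code. This is an added example, not code from the original article: a small parser that splits a dn into its RDNs, compares two dns the way a directory would, and nests the two aghaffar entries under their common root o=developer.ch. It assumes the usual case-insensitive attribute values and handles only the "\," escape.

```python
# Added example, not from the original article: a small parser for LDAP
# distinguished names that shows why "uid=aghaffar,ou=People,o=developer.ch"
# and "uid=aghaffar,ou=Administrators,o=developer.ch" are two distinct entries
# even though both leaves carry the same uid. Only the "\," escape of RFC 4514
# is handled; multi-valued RDNs and hex escapes are left out.
import re

def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, leaf (left-most RDN) first."""
    rdns = []
    # split on commas that are not escaped with a backslash
    for rdn in re.split(r'(?<!\\),', dn):
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # attribute types are case-insensitive; spaces around '=' are ignored
        rdns.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return rdns

def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs (assumes case-insensitive values,
    which is what the usual uid/ou/o attributes use)."""
    return ','.join(f"{a}={v.lower()}" for a, v in parse_dn(dn))

def same_entry(dn1: str, dn2: str) -> bool:
    """True when two DN strings name the same directory entry."""
    return normalize_dn(dn1) == normalize_dn(dn2)

def parent_dn(dn: str) -> str:
    """The branch an entry hangs from: the DN without its leaf RDN."""
    return ','.join(f"{a}={v}" for a, v in parse_dn(dn)[1:])

def build_tree(dns: list) -> dict:
    """Nest DNs under their common root, like the directory figure above."""
    tree = {}
    for dn in dns:
        node = tree
        for attr, value in reversed(parse_dn(dn)):   # walk from the root down
            node = node.setdefault(f"{attr}={value}", {})
    return tree

if __name__ == "__main__":
    people = "uid=aghaffar,ou=People,o=developer.ch"
    admins = "uid=aghaffar,ou=Administrators,o=developer.ch"
    print(same_entry(people, admins))        # False: same uid, different dn
    print(parent_dn(people))                 # ou=People,o=developer.ch
    print(build_tree([people, admins]))
```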

LDAP Server
There are many LDAP servers on the market, most of which run on linux. This article describes how to use openLDAP.
Why did I choose openLDAP? Why should you choose openLDAP?
* openLDAP is open source.
The official website of openLDAP is http://www.openldap.org. You can download the source package and compile it yourself, or check whether your linux distribution already includes a package. If it does, installing the pre-compiled version saves effort.
I have successfully tested openLDAP on SuSE 6.x and RedHat 6.x.
Build an LDAP directory
The following describes how to set up an LDAP server.
Steps:
* Download and install openLDAP
* Configure the LDAP server
* Configure the local environment to point to the LDAP installation
* Initialize the LDAP database
* Query LDAP
* Add/modify LDAP entries
Download and install openLDAP
As mentioned above, you can download the source package from www.openldap.com and install it according to its documentation, or install a pre-compiled package (package installation and compiling the application are beyond the scope of this article).
Configure the LDAP server
In our example I will build an LDAP server for linuxfocus.org. Use your favorite editor to edit the slapd.conf and ldap.conf configuration files and change parameters such as names to suit your needs.
On my server the configuration files are in the /etc/openldap directory. Yours may be in /usr/local/etc/openldap or somewhere else, depending on your linux distribution or on how openldap was compiled.
######### /etc/openldap/slapd.conf ###################################
# The following section is pre-defined in my SuSE 6.4 linux distribution.
# The part we set ourselves is in the second and third sections below.
include /etc/openldap/slapd.at.conf
include /etc/openldap/slapd.oc.conf
schemacheck off

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

#######################################################################
# ldbm database definitions
#######################################################################

# Define the database type used. The default is ldbm.
database ldbm

# Suffix or root. This is the top node of your LDAP directory.
suffix "o=linuxfocus.org"

# Location where the LDAP databases are stored
directory /var/lib/ldap

# Distinguished name of the directory administrator
rootdn "cn=Manager,o=linuxfocus.org"

# Storing the directory administrator's password in plaintext is very bad,
# but we will do it when we first start using ldap.
rootpw secret

# That is everything.
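The plaintext rootpw line above is the weak setting; slapd also accepts a salted SHA-1 value in its {SSHA} format, which is what the OpenLDAP slappasswd tool prints. The block below is an added example, not code from the article or from OpenLDAP: it builds and verifies such a value in Python so the plaintext line can be swapped for a hashed one (the salt length of 4 bytes is an assumption; slapd accepts any length).

```python
# Added example, not from the original article: the slapd.conf above keeps the
# directory administrator's password in the clear ("rootpw secret"). slapd also
# accepts the salted SHA-1 form {SSHA} that the OpenLDAP slappasswd tool
# produces: base64( sha1(password + salt) + salt ). This block builds and checks
# such a value so the plaintext line can be replaced by a hashed one.
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20                     # a SHA-1 digest is 20 bytes; the salt follows it

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an OpenLDAP-style {SSHA} string; a random salt is used if none is given."""
    if not salt:
        salt = os.urandom(4)      # assumption: a short random salt, as slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False              # a plaintext rootpw is not a hash at all
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

WEAK_ROOTPW = "rootpw secret"     # the line from the article's slapd.conf

def hardened_rootpw(password: str, salt: bytes = b"") -> str:
    """The slapd.conf line that replaces the plaintext one."""
    return "rootpw " + ssha_hash(password, salt)

if __name__ == "__main__":
    line = hardened_rootpw("secret")
    print(WEAK_ROOTPW)
    print(line)                   # rootpw {SSHA}<base64 of digest+salt>
    print(ssha_verify("secret", line.split(" ", 1)[1]))   # True
```

Keep slapd.conf readable only by the account slapd runs as: the hash protects against a casual glance at the file, not against guessing a weak password such as "secret".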

Edit your /etc/openldap/ldap.conf configuration file
This file is used on the ldap client (we will use the same computer as server and client, but of course they can be the same computer or different computers).
ldap clients such as ldapdelete and ldapadd usually read this file.

######### /etc/openldap/ldap.conf #########
# LDAP default settings
#
# See ldap.conf(5) for more information
# This file should be readable by all users

# Define the ldap server. You can use a host name or an IP address.
HOST 127.0.0.1

# Define the root of the directory to be queried, i.e. the top node we will use.
# This is not necessarily the root of the directory. For example, we could use
# BASE ou=users,o=linuxfocus.ch
# in which case all our queries would start from that branch of the root o=linuxfocus.org.
BASE o=linuxfocus.org

Start the ldap server
If you use the openldap server pre-compiled by SuSE, you can start the ldap service with
/etc/rc.d/ldap start
In RedHat the command is
/etc/rc.d/init.d/ldap start
If you compiled and installed it yourself with the default settings, you can start the ldap server with /usr/local/libexec/slapd &. If you did not use the default settings, locate the slapd binary and run it.

Add data to the newly installed LDAP server
By now your ldap server is running and you can add data to it. The most standard way to add data to an ldap server is to create an LDIF (LDAP directory Interchange Format) file. You can read man ldif to obtain