
OpenLDAP tutorial – organization and data types

In this fifth OpenLDAP tutorial we look at how the directory server organizes its content, a necessary prerequisite before putting data into it. Once data has been loaded, the server is ready for use. Its main uses are authenticating users on computer systems and synchronizing data with those systems (mail servers, for example). The advantage of an LDAP server for these tasks is that the protocol is a widely used standard, supported by most systems and applications that need it.

An upcoming article will cover loading data into the directory.


1. Data organization in an OpenLDAP server

In an OpenLDAP server, data is organized as a tree, the DIT (Directory Information Tree). At the top sits the root entry of the tree (the database suffix, also called the base DN), and below it we find:

  • Nodes: entries that contain other entries.
  • Leaves: entries that hold data of various types and have no children.

We can compare this organization, by analogy, to that of a file system on a disk. Here is the listing of the /etc/resolvconf directory produced by the command:

sudo tree /etc/resolvconf

– In blue (in the colored output of tree), the nodes, i.e. the directories of the file system.

– In light blue and green, the leaves, i.e. the files.

To designate the dnscache file unambiguously, we use its full path (fully qualified name, FQN): /etc/resolvconf/update.d/dnscache. This is necessary because another file with the same name may exist elsewhere on the disk.

For an LDAP directory the equivalent of the FQN is the DN (distinguished name): the complete path of the entry up to the root of the DIT. One difference from a file system path: a DN is written leaf-first. Each component is a relative distinguished name (RDN, such as cn=admin), components are separated by commas, and the suffix comes last. Two entries may carry the same RDN as long as their parents differ, exactly as two files may share a name in different directories.
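Because a DN is a path and not just a string, "is this entry under that base?" must be answered RDN by RDN. The following Python is an added example, not code from the tutorial or from OpenLDAP: it implements just enough of the DN syntax (RFC 4514) to split a DN into RDNs while honouring backslash escapes, derives parent DNs, and contrasts a correct containment test with the string-suffix shortcut that application code often uses. It assumes single-valued RDNs (no '+') and compares attribute values case-insensitively, which is right for cn, dc, o and ou but not for every attribute type. The ou=admins entries are constructed for the demonstration; only the tutorial's suffix dc=ldaptuto,dc=net is taken from the page.

```python
"""Treat a DN as a path, not a string (added example; not OpenLDAP code)."""
from __future__ import annotations

HEX = set("0123456789abcdefABCDEF")
ESCAPABLE = set(',+"\\<>;= #')   # characters RFC 4514 allows directly after a backslash


def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas that are not escaped; escape sequences stay in place."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # copy the escape pair untouched
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    return [r.strip() for r in rdns]


def unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2c' -> ','. Hex pairs are UTF-8 bytes."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in ESCAPABLE:
                buf += nxt.encode("utf-8")
                i += 2
                continue
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                buf.append(int(pair, 16))
                i += 3
                continue
        buf += value[i].encode("utf-8")
        i += 1
    return buf.decode("utf-8")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """[(type, value), ...] leaf-first, normalized for comparison.

    Assumption: single-valued RDNs; values are casefolded (fine for cn/dc/o/ou)."""
    out = []
    for rdn in split_rdns(dn):
        attr, sep, raw = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((attr.strip().lower(), unescape(raw.strip()).casefold()))
    return out


def parent_dn(dn: str) -> str | None:
    """The DN one level up, or None for a single-RDN DN such as dc=net."""
    rdns = split_rdns(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn lies strictly below base_dn in the tree."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    return len(e) > len(b) and e[len(e) - len(b):] == b


def naive_is_under(entry_dn: str, base_dn: str) -> bool:
    """The string-suffix shortcut; shown only because it gives wrong answers."""
    return entry_dn.lower().endswith("," + base_dn.lower())


# Constructed DNs for the demonstration (only the suffix dc=ldaptuto,dc=net is from the page).
ADMIN_BASE = "ou=admins,dc=ldaptuto,dc=net"
REAL_ADMIN = "cn=alice,ou=admins,dc=ldaptuto,dc=net"
# A single RDN whose *value* is 'bob,ou=admins': the comma is escaped, so this
# entry lives directly under the suffix, not under ou=admins.
IMPOSTOR = "cn=bob\\,ou=admins,dc=ldaptuto,dc=net"

if __name__ == "__main__":
    for dn in (REAL_ADMIN, IMPOSTOR):
        print(dn, "->", parse_dn(dn), "| parent:", parent_dn(dn))
        print("   is_under:", is_under(dn, ADMIN_BASE), "  naive:", naive_is_under(dn, ADMIN_BASE))
```

The server itself normalizes DNs correctly; the point matters for client code that makes authorization decisions from DNs it receives (for instance "members of anything under ou=admins are administrators"). Anyone allowed to add entries directly under the suffix could pick a cn containing an escaped comma and satisfy the naive check without being under ou=admins at all.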

2. Data types in an OpenLDAP server

OpenLDAP can handle a very large number of data types, and the set is extensible: new attribute types and object classes keep being defined. In practice it is advisable to pick a limited set according to actual needs. To do so, we declare the schemas to load in the server configuration. A schema is a description of data types (metadata): the attribute types with their syntaxes and matching rules, and the object classes that group those attributes.

This command lists the schemas loaded by the server (the scope -s one restricts the search to the direct children of cn=schema,cn=config; -y reads the bind password from the file pwdAdmin rather than taking it on the command line with -w, where it would show up in the process list and shell history):

ldapsearch -x -H ldap://localhost -s one -D cn=admin,dc=ldaptuto,dc=net -y pwdAdmin -b cn=schema,cn=config cn -LLL
dn: cn={0}core,cn=schema,cn=config
cn: {0}core

dn: cn={1}cosine,cn=schema,cn=config
cn: {1}cosine

dn: cn={2}nis,cn=schema,cn=config
cn: {2}nis

dn: cn={3}inetorgperson,cn=schema,cn=config
cn: {3}inetorgperson

This is the result obtained just after installing an OpenLDAP server: the four schemas loaded by default. The {n} prefixes are ordering indices that fix the load order, which matters because later schemas depend on definitions in earlier ones (cosine and nis build on core, inetorgperson on cosine). These four are sufficient for most basic uses of an LDAP directory.

3. The default contents of the OpenLDAP server

To see the full, actual contents of an OpenLDAP directory, run a search bound (authenticated) as the server administrator account, the rootDN. This is the only identity that is never subject to the access control lists, which is precisely why it should be reserved for administration: applications should bind with their own, ACL-restricted accounts. Note also that -x performs a simple bind, which sends the password in clear; over ldap://localhost that is acceptable, but across a network use ldaps:// or StartTLS (-ZZ).

ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -y pwdAdmin -b dc=ldaptuto,dc=net -LLL
dn: dc=ldaptuto,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: OpenLDAP tutorial
dc: ldaptuto

dn: cn=admin,dc=ldaptuto,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9RzlwcjRUdkRJajlWOWpqYjFzMTJkczhaaDBrY2pzOXA=

This too is the result obtained just after installing an OpenLDAP server. Notice the values entered during installation (or reconfiguration):

  • cn=admin: the server administrator identifier (the rootDN).
  • o=OpenLDAP tutorial: the organization label.
  • dc=ldaptuto,dc=net: the suffix (base DN) of the directory, derived from the domain name.
  • userPassword: the administrator password. It is not encrypted but stored as a salted hash, here with the {SSHA} scheme (salted SHA-1). ldapsearch base64-encodes this attribute in its LDIF output, which is what the double colon after the attribute name indicates.

There are only two entries in the directory tree:

dc=ldaptuto,dc=net
└── cn=admin,dc=ldaptuto,dc=net

The values of the objectClass attribute determine the nature (or type) of the entry.

  • dc=ldaptuto,dc=net: an organization entry carrying the auxiliary class dcObject, which lets it hold the dc attribute. It is the root of this tree (the suffix entry), so it is the container for every other entry in the directory. Note that nothing in dcObject itself makes an entry the root; that is decided by the database suffix (olcSuffix) in the server configuration.
  • cn=admin,dc=ldaptuto,dc=net: an organizationalRole entry carrying the auxiliary class simpleSecurityObject, which requires a userPassword attribute. It therefore represents an account that can authenticate, and essentially holds that account's password.
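To see what the userPassword value above really is, the following Python decodes the LDIF returned by ldapsearch and takes the {SSHA} value apart. It is an added example, not code from the tutorial or from OpenLDAP; the LDIF text is copied from the output above, while the cleartext used for the verification demo is a constructed value, since the real admin password (the contents of the pwdAdmin file) is not on the page. The parser handles the subset of LDIF (RFC 2849) needed here: "attr: value", base64 "attr:: value" and folded continuation lines.

```python
"""Decode an OpenLDAP {SSHA} userPassword from LDIF (added example; not OpenLDAP code)."""
import base64
import hashlib
import hmac
import os

# Copied from the ldapsearch output in this section.
LDIF_ADMIN_ENTRY = """\
dn: cn=admin,dc=ldaptuto,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9RzlwcjRUdkRJajlWOWpqYjFzMTJkczhaaDBrY2pzOXA=
"""


def parse_ldif_entry(text: str) -> dict[str, list[bytes]]:
    """Parse one LDIF entry into attr -> list of raw values.

    'attr:: value' is base64, 'attr: value' is literal; a line starting with a
    space continues the previous line. 'attr:< url' is not supported here."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry: dict[str, list[bytes]] = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        if value.startswith(":"):
            data = base64.b64decode(value[1:].strip(), validate=True)
        else:
            data = value.strip().encode("utf-8")
        entry.setdefault(attr.strip(), []).append(data)
    return entry


def scheme_of(stored: bytes) -> str:
    """The {SCHEME} prefix of a stored password, or 'CLEARTEXT' when there is none."""
    if stored.startswith(b"{") and b"}" in stored:
        return stored[:stored.index(b"}") + 1].decode("ascii")
    return "CLEARTEXT"


def split_ssha(stored: bytes) -> tuple[bytes, bytes]:
    """Split '{SSHA}base64(sha1(password + salt) || salt)' into (digest, salt)."""
    if scheme_of(stored) != "{SSHA}":
        raise ValueError(f"unsupported scheme {scheme_of(stored)!r}")
    blob = base64.b64decode(stored[len(b"{SSHA}"):], validate=True)
    if len(blob) <= 20:                            # SHA-1 digest is 20 bytes, salt follows
        raise ValueError("SSHA value too short")
    return blob[:20], blob[20:]


def ssha_hash(password: bytes, salt: bytes) -> bytes:
    """Produce a value in the same format slapd stores for {SSHA}."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def ssha_verify(password: bytes, stored: bytes) -> bool:
    """Recompute the salted digest and compare in constant time."""
    digest, salt = split_ssha(stored)
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())


def demo() -> dict:
    entry = parse_ldif_entry(LDIF_ADMIN_ENTRY)
    stored = entry["userPassword"][0]              # b"{SSHA}G9pr4TvDIj9V9jjb1s12ds8Zh0kcjs9p"
    digest, salt = split_ssha(stored)
    # Constructed cleartext: the tutorial's real password is not known to us.
    demo_pw = b"correct horse battery staple"
    fresh = ssha_hash(demo_pw, os.urandom(4))
    return {
        "scheme": scheme_of(stored),
        "digest_len": len(digest),
        "salt_len": len(salt),
        "demo_ok": ssha_verify(demo_pw, fresh),
        "demo_wrong": ssha_verify(b"wrong", fresh),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences: first, the value is only as hard to recover as a salted SHA-1 allows, which is a fast hash; on a server you control, set olcPasswordHash to a slower scheme such as {CRYPT} with a strong crypt(3) algorithm, or the pw-pbkdf2 / pw-argon2 modules on recent releases. Second, scheme_of returning CLEARTEXT for an entry means the password was written without a scheme prefix and is stored as-is, something worth searching for when auditing a directory.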

Upcoming articles will cover other entry types and populate the directory further.