We'll see how this directory server organizes its content. This is a necessary prerequisite before any data can be loaded into it; once data is entered, the server is ready for use. Its main uses are authenticating users on computer systems and synchronizing data with those systems (e.g. mail servers). The advantage of using an LDAP server for these functions is that the protocol has become a widely used standard, supported by most systems and applications that need it. A coming article will deal with loading data.

Prerequisites:
- OpenLDAP is installed and preconfigured on a Debian, Ubuntu or compatible system (see the OpenLDAP installation and OpenLDAP reconfiguration articles).
- The server administrator (rootDN) has modification rights on the configuration database (see the Remote configuration management by the administrator article).
1. Data organization in an OpenLDAP server
In an OpenLDAP server, the data is organized like a tree. The root of the tree is the base entry of the DIT (Directory Information Tree), also called the suffix; then comes the trunk, and beyond the trunk we meet:
- Nodes: a special kind of entry that can contain other entries.
- Leaves: entries holding the actual data, which can be of different types.

The file system gives a familiar analogy. Run:

```
sudo tree /etc/resolvconf
```

In the command's coloured output, blue marks the nodes (folders in the file system) and light blue and green mark the data (files in the file system). To designate the dnscache file unambiguously, for example, we use its full path (fully qualified name, FQN): /etc/resolvconf/update.d/dnscache. This is necessary because another file with the same name may exist elsewhere on the disk. For an LDAP directory, the equivalent of the FQN is the DN (distinguished name): the complete path of an entry from the root of the DIT, written leaf first and root last (cn=admin,dc=ldaptuto,dc=net is the entry admin under dc=ldaptuto under dc=net).
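The path analogy can be made concrete. The following Python is an added example, not code from the article: it splits a DN into its RDNs the way a path splits into directories (honouring the backslash escape that RFC 4514 uses for commas inside values), renders it root-first like a file path, computes the parent node, and checks whether an entry sits under a given base. The DNs are the article's plus a few constructed ones. The last check also shows why a naive string test such as dn.endswith(base) is not a correct authorization check: attribute names and these attribute values are case-insensitive, and spaces after the separating commas are optional.

```python
"""Added example (not from the original article): handle an LDAP DN like a
filesystem path. DNs below are the article's plus constructed ones."""
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, leaf first.
    A backslash escapes the next character (RFC 4514), so 'cn=Doe\\, John'
    is one RDN, not two. Leading spaces after a separator are insignificant
    and dropped; a trailing space in a value must be escaped, so it is kept."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair as-is
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                           # unescaped comma ends the RDN
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).lstrip())
    return rdns


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Canonical form for comparison: attribute names are case-insensitive,
    and cn/dc/o/ou values use caseIgnore matching, so both are lowercased.
    (Full RFC 4518 string preparation is out of scope here.)"""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return tuple(out)


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN: the parent node, or '' for the root."""
    return ",".join(split_dn(dn)[1:])


def as_path(dn: str) -> str:
    """Render root-first, the way the file system writes an FQN."""
    return "/" + "/".join(reversed(split_dn(dn)))


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or one of its descendants, compared RDN by
    RDN on the normalized form. Use this rather than dn.endswith(base)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    admin = "cn=admin,dc=ldaptuto,dc=net"
    print(as_path(admin))                              # /dc=net/dc=ldaptuto/cn=admin
    print(parent_dn(admin))                            # dc=ldaptuto,dc=net
    # Same entry, written with optional spaces and different case:
    spaced = "CN=admin, DC=ldaptuto, DC=net"
    print(spaced.endswith("dc=ldaptuto,dc=net"))       # False: naive check fails
    print(is_under(spaced, "dc=ldaptuto,dc=net"))      # True
    # A value with an escaped comma stays one RDN:
    print(split_dn(r"cn=Doe\, John,ou=people,dc=ldaptuto,dc=net")[0])  # cn=Doe\, John
```

The same RDN-by-RDN comparison is what you want whenever an application decides, from a DN returned by the server, whether an account belongs to a container it trusts.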
2. Data types in an OpenLDAP server
There is a very large number of data types that the OpenLDAP server can use, and the set is extensible and keeps growing. In practice it is advisable to choose a limited set of these types according to actual needs. To do this we declare the schemas to be loaded in the server configuration. A schema is a description of the data types (metadata: attribute types and the object classes that group them). This command lists the schemas loaded by the server. The password is read from the file pwdAdmin, which should be readable only by you, and a simple bind (-x) over plain ldap:// sends it in cleartext, so run this on the server itself as here, or use ldaps:// or StartTLS (-ZZ) over the network. Binding as the rootDN of the data database against cn=config works because the prerequisite article granted it that access; otherwise bind as root over ldapi:// with -Y EXTERNAL, which the Debian packages authorize by default.

```
ldapsearch -x -H ldap://localhost -s one -D cn=admin,dc=ldaptuto,dc=net -y pwdAdmin -b cn=schema,cn=config cn -LLL
dn: cn={0}core,cn=schema,cn=config
cn: {0}core

dn: cn={1}cosine,cn=schema,cn=config
cn: {1}cosine

dn: cn={2}nis,cn=schema,cn=config
cn: {2}nis

dn: cn={3}inetorgperson,cn=schema,cn=config
cn: {3}inetorgperson
```

The result is the one obtained just after the installation of an OpenLDAP server: these are the four schemas loaded by default, and they are sufficient for most basic uses of an LDAP directory. The {n} prefix is the load order; a schema may reference types defined in the ones loaded before it, so the order matters when you add more.
3. The default contents of the OpenLDAP server
To see the full, actual contents of an OpenLDAP directory, run a search bound as the server administrator (rootDN). That account is never subject to the access-control rules (ACLs) of its database, so it sees everything, including userPassword values that the ACLs hide from other users.

```
ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -y pwdAdmin -b dc=ldaptuto,dc=net -LLL
dn: dc=ldaptuto,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: OpenLDAP tutorial
dc: ldaptuto

dn: cn=admin,dc=ldaptuto,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9RzlwcjRUdkRJajlWOWpqYjFzMTJkczhaaDBrY2pzOXA=
```

The result is the one obtained just after installing an OpenLDAP server. Notice the values entered during the installation (or reconfiguration):
- cn=admin: the server administrator identifier.
- o=OpenLDAP tutorial: the organization label.
- dc=ldaptuto,dc=net: the base of the DIT (derived from the domain name).
- userPassword: the administrator password, stored as a salted SHA-1 hash ({SSHA}), not encrypted. The double colon (::) means the value is base64-encoded in the LDIF output because it is not plain printable text; decoded, it begins with {SSHA}. A hash cannot be decrypted, but it can be brute-forced offline by anyone who obtains it, which is why this attribute must stay readable only by the rootDN (and by ACLs you write deliberately).
- dc=ldaptuto,dc=net: has the dcObject object class, the special type that marks the root (base) of the DIT. This entry is the container for all the data in this directory.
- cn=admin,dc=ldaptuto,dc=net: has the simpleSecurityObject object class, an entry that represents an authentication account; its main content is the password of that account.
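What the userPassword line actually contains can be checked offline. The following Python is an added example, not code from the article: a minimal reader for the LDIF that ldapsearch -LLL prints (a blank line between entries, :: for base64 values, leading-space continuation lines), applied to the output above copied in as a constructed sample, plus an implementation of the {SSHA} scheme so you can see that the stored value is a 20-byte SHA-1 digest followed by a 4-byte salt, and that it can be verified but not decrypted. The password passed to make_ssha() is an assumption for the demonstration; the article's hash is not tested against any password.

```python
"""Added example (not from the original article): read the LDIF shown above
and inspect the {SSHA} password hash. SAMPLE_LDIF is the article's output,
copied here as constructed input; the demo password is an assumption."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SAMPLE_LDIF = """\
dn: dc=ldaptuto,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: OpenLDAP tutorial
dc: ldaptuto

dn: cn=admin,dc=ldaptuto,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9RzlwcjRUdkRJajlWOWpqYjFzMTJkczhaaDBrY2pzOXA=
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF (RFC 2849) reader for ldapsearch -LLL output."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    entry: Entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entries


def ssha_parts(stored: str) -> Tuple[bytes, bytes]:
    """Split a '{SSHA}<base64>' value into (sha1 digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return blob[:20], blob[20:]             # SHA-1 is 20 bytes; the rest is salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Same construction as slappasswd -h {SSHA}: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest, salt = ssha_parts(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def admin_password_value(ldif: str = SAMPLE_LDIF) -> str:
    """Return the decoded userPassword of the cn=admin entry."""
    for entry in parse_ldif(ldif):
        if entry["dn"] == ["cn=admin,dc=ldaptuto,dc=net"]:
            return entry["userPassword"][0]
    raise KeyError("admin entry not found")


if __name__ == "__main__":
    stored = admin_password_value()
    print(stored)                           # {SSHA}G9pr4TvDIj9V9jjb1s12ds8Zh0kcjs9p
    digest, salt = ssha_parts(stored)
    print(len(digest), len(salt))           # 20 4
    demo = make_ssha("example-password", salt=b"\x01\x02\x03\x04")  # assumed password
    print(verify_ssha("example-password", demo), verify_ssha("wrong", demo))  # True False
```

Because the salt is only four bytes and SHA-1 is fast, {SSHA} protects against casual reading rather than against offline cracking; keeping userPassword out of reach of ordinary binds through the ACLs matters more than the choice of scheme.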