altes Altenarchiv

Alongside our new series about “Cool Solutions”, this is the second in another new series in which we explain technical terms with short, easy-to-digest articles. In this series we will not be going into too much detail, as the primary objective is to offer you a better overall technical understanding of the wide range of specialist terms we use on a daily basis. Today, we are starting with an explanation of the terms LDAP and OpenLDAP.

What is LDAP / OpenLDAP?

LDAP is the abbreviation for “Lightweight Directory Access Protocol”. This is a protocol which was defined to standardize the access to and maintenance of directory services. It emerged as a simplification of the considerably more comprehensive X.500 standard, and has since managed to establish itself as the de facto standard for the handling of directory services.

OpenLDAP is a reference implementation for this standard and brings with it both a server implementation and a client library for access to LDAP servers. UCS employs both.

Directory Service – Structure and Objects

An LDAP server implements a database to which queries can be sent via the LDAP protocol. Just like with other databases, the actual information here is stored in a file system. As a “database server”, OpenLDAP ensures the high-performance availability of the data, e.g., through indexing of the contents. Every “object” in the database corresponds to a data set, which stores for example the attributes of a specific user.

To give an example, that would look as follows in the LDAP notation:

dn: uid=steuwer,cn=users,dc=univention,dc=local
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
uid: steuwer
mail: steuwer@nullunivention.de
displayName: Ingo Steuwer
sn: Steuwer
homeDirectory: /home/steuwer
givenName: Ingo
title: Head of Professional Services
o: Univention GmbH

A data set is always composed of attribute value pairs, e.g.: “sn: Steuwer” for the surname (surname / sn). In contrast, the LDAP context employs special attributes such as:

  • objectClass: The “objectClass” attribute defines the type of data set that the object represents. Each of the assigned object classes allows a specific number of attributes. Which attributes these are and what syntax they support depends in turn on schemas, which are notified to the LDAP server.
  • dn: The “Distinguished Name” (DN) defines the position of the object in the directory service. The directory is built like a tree, as are the majority of file systems. The order in a DN leads from the leaf to the root, in other words the “opposite” of what we are used to in a file path in a file system. In our example, the object is referenced by “uid=steuwer”; the path by the elements “cn-users” (what is referred to as a container) and “dc=univention,dc=local” (the LDAP basis, in other words the “root” of the tree).

What Are Directory Services Used For?

Directory services have established themselves for the storing of infrastructure information and, above all, identities. Thanks not least to the widespread use of Active Directory, the storage of comprehensive information concerning users (name, contact details, etc) and the corresponding authentication and authorization data has now become the norm. In this context, a considerable advantage of LDAP compared with SQL databases lies in the fact that users can define the access rules to data in the directory service in considerably more detail.

Access to Data

There are various LDAP clients available for access to the data. In UCS, the corresponding modules in the Management Console are generally used.

However, the following example illustrates a query via the command line tool “ldapsearch”.

The most important parameters are:

  • LDAP server: The LDAP server is usually specified as a URI – in the form “LDAPS://<FQDN>” for an SSL/TLS-encrypted connection
  • LDAP basis: LDAP server supports the operation of different “data partitions”, which are differentiated by means of their LDAP basis. In UCS environments there is only one LDAP basis, which is preconfigured on UCS systems. In the example above, this is “dc=univention,dc=local”, as such the input is performed based on the basis in the configuration file. However, if the tools are used to access other LDAP servers, the relevant basis there must be specified.
  • Authentication: LDAP servers generally do not return any results in case of anonymous accesses. Unlike other databases, there are also no error messages. As such there is no “Access Denied” or similar message; the system simply returns no results. Access is only possible following authentication, e.g., by means of specification of a user account in the LDAP as a DN and its password.
  • Filters: Searches for objects in the LDAP are performed via filters. This usually involves a combination of an object class (e.g., for “I am looking for a user” via “objectClass=person”) and an attribute (e.g., “uid=Administrator”). To combine these two examples to create a filter, they are simply placed in parentheses “()” and prefixed with a “&”: “(&(objectClass=person)(uid=Administrator))

The complete request for the command line tool “ldapsearch” is therefore:

ldapsearch -H LDAPS://ucs-master.univention.local \
-x -D "uid=steuwer,cn=users,dc=univention,dc=local" -w "secret"\
"(&(objectClass=person)(uid=Administrator))"

The “-H” option makes it possible to specify an LDAP URI for definition of the LDAP server to be used. In the specification selected here with “LDAPS”, the connection is encrypted via SSL. To this end, it is important that the certificates are named and the server is specified with the fully qualified domain name (FQDN). The parameter “-x” selects a simple LDAP bind as an authentication procedure and “-D” and “-w” are used to pass on the user DN and password. The filter then searches for the “Administrator” user account – no prefixed option letter is required for this.

Simplifications in UCS with “univention-ldapsearch”

UCS offers the command line tool “univention-ldapsearch” on all systems. As such, it is possible for “root” users to access the LDAP with the account of the current UCS system. The tool uses “ldapsearch” in the background, but passes the correct values for the LDAP server, LDAP basis and authentication on. As such, specifying the LDAP filter is sufficient for a search:

univention-ldapsearch "(&(objectClass=person)(uid=Administrator))"

Further information

For further background knowledge about LDAP you find a good introduction on Wikipedia. As a first starting point for the concrete use of OpenLDAP you can refer to the documentation on the OpenLDAP project site.

In addition to the good man pages (“man ldapsearch”) etc. there are also numerous books available. And last but not least, you can always get a profound introduction into the UCS implementation via our documentation.

Using Linux since 1999, Ingo Steuwer started working at Univention in 2004. As Head of Professional Services he focusses on supporting UCS customers and projects.

What's your opinion? Leave a comment!

Your email address will not be published. Required fields are marked *