AUERBACH PUBLICATIONS
A CRC Press Company Boca Raton London New York Washington, D.C.
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying. Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.
Preface
With the enormous expansion of the World Wide Web over the past decade, internetworking has become widely diffused. Nearly all business enterprises have access to and a presence on the Internet. Beyond that, the number of intranets, private networks, and extranets has also grown exponentially. Getting connected has become as routine as having a telephone. Where we once exchanged telephone numbers and mailing addresses with friends and associates, we now routinely include an e-mail address too. Even children in elementary school are now communicating via e-mail and getting information about their favorite toys from the Internet.

As this distributed computing environment continues to grow, so does the storehouse of information, which makes locating the required information an increasingly challenging task. Sophisticated search engines have been created as a tool to help in locating information. Some of these search engines are specialized to provide information on particular topics. To locate persons on the Internet or intranet in a fast and easy way, a particular tool is used that is very similar to a telephone directory, commonly referred to as white pages or yellow pages. This tool is called a directory server.

If you want to get the news from CNN, you simply connect your Web browser to CNN's Web server by typing in the address (http://www.cnn.com) using the Hypertext Transfer Protocol (HTTP). Likewise, if you want to send e-mail, you use your mail client to transfer the mail to a mail server using the Simple Mail Transfer Protocol (SMTP). Similarly, if you want to look up information stored in a directory server, you use a directory client that speaks with the directory server using the Lightweight Directory Access Protocol (LDAP), which is the subject of this book. These three protocols, HTTP, SMTP, and LDAP, have something in common: all are standard protocols running over the widely used Transmission Control Protocol/Internet Protocol (TCP/IP) stack.
This preface briefly reviews what you can do with LDAP. First we will learn what type of information you can store on a directory server. Then we will see some of the advantages that directory servers have over similar data stores, such as relational databases.
It is clear that directories can hold many types of information. Let us now briefly review the advantages provided by directory servers.
Advantages of Directories
You have seen a number of cases where it is advantageous to use directories. In each of these cases, however, there are other technologies that perform the same function. You may wonder why you should use a new technology instead of continuing to work with a technology that you know very well. You would not consider making such a change unless directory services offered some significant advantages over the technology you are already using. The following is a list of advantages:
• Growing diffusion: Because LDAP is a standard protocol, more and more software suppliers are adopting it in their products. For example, Microsoft uses LDAP to maintain configuration information in Win2000; Sun uses it to hold NIS maps in its Solaris 9 operating system; and Oracle uses it to resolve database names.

• Low cost of ownership: Because LDAP is a standard protocol, you can write your own clients to connect to directory servers. If you use a proprietary solution, you have to pay license fees every time you install a new client on your network.

• Low training costs: Because most LDAP servers are easy to install, configure, and maintain, the cost of training LDAP administrators is low.

• Distributed solution: Because LDAP is a protocol, it is natively network-enabled. Moreover, the LDAP protocol is natively enabled for a distributed architecture, allowing you to distribute information across the entire network for use in all applications. You can even replicate a part of your directory in the intranet and push it out to a server on the Internet.

• Platform independence: Because LDAP is a standard protocol, there is a wide choice of implementations of LDAP servers, ranging from important suppliers such as Star Alliance (SUN + Netscape) to open-source solutions such as the OpenLDAP implementation of the University of Michigan. From this large choice of vendors, you will find the one that best fits the platform you are using. Furthermore, client and server can run on completely different operating systems.

• Easy client implementation: The large number of LDAP application programming interfaces (APIs) for nearly every programming language you can imagine allows you to easily add LDAP support to a great many applications. Consequently, a large number of commercial applications have already been LDAP-enabled or will become LDAP-enabled in the near future. Home-grown applications are also easily LDAP-enabled.

• Built-in security in the repository: The access-control information is stored in the repository itself and can be very fine grained. Some products also let you make access rights depend on external factors, such as the IP address the client is connecting from, the time at which a connection is requested, the type of data that is requested, and so on. Because these controls are enforced centrally by the server, they are easy to maintain, and clients do not have to worry about these details.
that this section does not contain any comments. Many products have been developed during the writing of this book, and the list is constantly changing.
• Star Alliance: This is a collaboration between Sun Microsystems and Netscape Corporation. The product offered is the Sun One server. The previous products were called i-Planet directory server and Netscape directory server.

• IBM: IBM directory server

• Novell: eDirectory, available for Win2000/NT, Linux, Solaris, AIX, and Novell Netware (more information is available from the Web site of Novell)

• Oracle: Oracle Internet directory

• Critical Path: Directory server

• Computer Associates: eTrust, the former OpenDirectory

• Microsoft Corporation: Support of LDAP in active directory service

• Lotus: Directory server for use with the Lotus name and address book

• University of Michigan: The OpenLDAP project has replaced the Umich server, which is now obsolete.
OpenLDAP, i.e., http://www.openldap.org. This book also cannot serve as a substitute for the documentation that is normally shipped with servers, such as the user's guide, administrator's guide, and so on. If you use a particular LDAP server, please read the documentation shipped with the product.
the security model shows how to control access to the information held in the directory.
files. It also shows you how the Microsoft world can be integrated and how you can Web-enable your LDAP server.
The Author
Reinhard Voglmaier studied physics at the University of Munich in Germany (TUM) and graduated from the Max Planck Institute for Astrophysics and Extraterrestrial Physics in Munich. After working in the Information Technology (IT) Department at the German University of the Army in the field of computer architecture, he was hired as a hardware specialist for automation by Honeywell. He then moved on to Siemens Nixdorf, where he worked for several years as a UNIX systems specialist for performance questions in database/network installations. For the past six years, he has worked at Glaxo Smith Kline in the field of Web and LDAP services. He is currently a member of an international team developing a companywide LDAP implementation for Glaxo Smith Kline.
Contents
1 The LDAP Protocol
  Directories and Directory Server
  Network Protocols
  The TCP/IP Protocol Stack
  The OSI Protocol Stack
  Internet Standards: RFCs
  DAP: X.500 Standard
  Finally LDAP
  LDAP: How It Works
  Under the Hood: The Database Holding Information
  Conclusion
  References

2 LDAP Basics
  Example: An Enterprise with a Few Departments
  Objects in LDAP: Object Classes, Attributes, and Schema
  Server Configuration
  First Steps with LDAP
  Updating a Directory with a Batch Process
  The LDIF Standard
  Ldapsearch Revisited: Search Filter
  LDAP: Is This a Protocol?
  Your Favorite Browser Speaks LDAP
  Conclusion

3 LDAP Models
  Introduction
  Information Model
  Introduction
  Object Classes
  Formal Definition of Object Classes
  Some Words about Object-Class Inheritance
  Some Examples of Object-Class Definitions
  Object-Class Types
  Object Identifiers
  Attribute-Type Definitions
  Formal Definition of Attributes
  Attribute Types
  Matching Rules
  Syntaxes
  Conclusion for Information Model
  Naming Model
  The Directory Information Tree
  Distinguished Name
  Examples of Distinguished Names
  Directory Suffix
  Aliases
  Referrals
  Distinguished-Name Syntax
  Last but Not Least, Information about the Server
  Conclusion for Naming Model
  Functional Model
  Overview of LDAP Operations
  Interrogation Operations
  Update Operations
  Authentication and Control Operations
  LDAP Operations in Detail
  Interrogation Operations: Search
  Interrogation Operations: Compare
  Update Operations: Add
  Update Operations: Delete
  Update Operations: Modify
  Update Operations: ModifyDN
  Authentication Operations: Bind
  Authentication Operations: Unbind
  Control Operation: Abandon
  Conclusion for Functional Model
  Security Model
  Authentication and Authorization
  Authentication
  Anonymous Access
  Basic Authentication
  LDAP over SSL/TLS
  Kerberos
  SASL
  Concluding Authentication
  Authorization

4 LDAP: Some Practical Details
  Search Revisited
  Query Filters
  equalityMatch
  Substring
  greaterOrEqual, lessOrEqual
  Present
  approxMatch
  Boolean Operators: And, Or, Not
  Examples
  extensibleMatch
  Directory Schema Revisited
  Schema Descriptions
  ASN.1 Schema Format
  slapd.conf Schema Format
  LDAP (v3) Schema Format
  Checking the Directory Schema
  Exploring the Directory Schema
  Extending the Directory Schema
  Indexes
  LDIF File Format
  Description of Directory Entries
  Update of Directory Entries
  The Add Function
  The Delete Function
  The modifyDN Function
  The Modify Function
  LDIF: Conclusion, an Example in Perl
  LDAP URLs
  Differences between LDAP (v2) and LDAP (v3)
  Conclusion: Work in Progress
  LDAP Duplication/Replication/Update Protocols (LDUP)
  LDAP Extensions (LDAPext)
  LDAP (v3) Revision (LDAPbis)

5 Distributed Architectures
  Introduction to Replication and Partitioning
  Data Distribution between LDAP and Non-LDAP Systems
  Partitioning
  What Is Partitioning?
  Gluing the Directories Together
  Referrals
  Examples
  And Now from the Client Point of View
  Chaining
  Security Aspects Using Chaining
  Difference between Chaining and Referrals
  Replication
  Replication Scenarios
  Schema Information and ACL
  Single Master versus Multimaster
  Replication Agreements
  Supplier- or Consumer-Initiated Replication
  Frequency of Replication
  Unit of Replication
  Incremental or Total Replication
  Replication Account
  Load Sharing
  Security Aspects
  Work in Progress
  Data Distribution between LDAP and Non-LDAP Systems
  Broker
  Metadirectory
  DSML
  DSML Tools
  Castor
  Conclusion

6 LDAP APIs
  LDAP Command-Line Tools
  Selected Commands
  ldapmodify
  Some Examples of ldapmodify
  ldapsearch
  Some Examples of ldapsearch
  Command-Line Tools: Conclusion
  LDAP and Programming Language Support
  LDAP and PHP
  First Steps with PHP-LDAP
  Authentication and Control Operations
  ldap_connect
  ldap_bind
  ldap_unbind
  ldap_close
  More about Authentication in a Web Environment
  Search and Associated Commands
  ldap_search
  ldap_read
  ldap_list
  ldap_compare
  Working with the Result Identifiers
  ldap_get_entries
  ldap_count_entries
  ldap_sort
  ldap_parse_result
  ldap_get_attributes
  ldap_first_entry
  ldap_next_entry
  ldap_first_attribute
  ldap_next_attribute
  ldap_get_dn
  ldap_get_values, ldap_get_values_len
  Conclusion: An Example
  Adding, Deleting, and Modifying Entries
  ldap_add
  ldap_delete
  ldap_modify
  ldap_rename
  What Remains?
  Perl and LDAP
  Our First Perl LDAP Program
  Perl Objects
  The LDAP Object
  Authentication/Control Methods
  Interrogation Methods
  Update Methods
  Schema Exploring (LDAP [v3])
  Callback
  The Search Object
  The Entry Object
  The Message Object
  The Reference Object
  The Schema Object
  Conclusion
  Scripts
  The C LDAP API
  LDAP SDK v2 versus v3
  Our First LDAP Program in C
  Structures
  Overview of LDAP Functions
  Authentication and Control Operations
  Interrogation Operations
  Iteration Commands through Results Sets
  Update Operations: Add, Delete, Modify DN, Modify
  Conclusion
  The Java LDAP API
  Our First Java Class
  Authentication and Control Operations
  Connect and Bind
  Unbind
  Clone
  Search and Compare Operations
  Search
  Compare
  Working with Search Results
  Working with Search Constraints
  Update Operations
  Add
  Delete
  Modify
  Rename
  LDAP URLs
  JNDI
  Java Naming and Directory Interfaces
  Enterprise JavaBeans
  Conclusion
  What Is Missing
  Active Directory and ADSI
  Other Languages

7 LDAP Directory-Server Administration
  Open-Source Software
  Getting the Directory Server Up and Running
  Software Installation
  OpenLDAP Installation
  UNIX
  WIN32
  Sun One Installation
  Securing Your LDAP Server
  Setting Up Security in Sun One
  Setting Up Security in OpenLDAP
  LDAP Server Configuration
  Introduction
  Configure the Root DN
  Configure Administrator and Operator
  Configure the Directory Schema/Schemas
  Configure the Indexes
  Conclusion
  Load the Data
  Log Files
  Starting and Stopping the Server
  Backup and Recovery
  Service-Level Agreement
  Backup Methods
  Classical Backup
  Logical Backup of the Directory
  Backup via Replication
  System Monitoring
  Why Monitoring
  SNMP
  Home-Grown Solutions
  Use of SNMP
  Use the LDAP Protocol
  Log-File Analysis
  User Administration
  LDAP Users, Groups, and UNIX
  Administration Utilities

8 LDAP and Web Services
  Introduction
  LDAP URLs
  Application Servers
  Accessing an LDAP Server via CGI Scripts
  Accessing an LDAP Server via an Application Server
  Gateways
  Web Server Authentication
  Example: The auth_ldap Module for Apache
  The Authentication Phase
  The Authorization Phase
  LDAP Authentication Using CGI Scripts
  LDAP Authentication Using the PHP Preprocessor
  LDAP and the Web: A Case Study
  Requirements
  LDAP Internet Environment
  LDAP Directory
  LDAP Authentication and the Web Server
  Control if the User Is Known by the System
  Accept Only Members of Particular Groups
  Accept Only a Particular User
  LDAP-HTTP Gateway
  LDAP Application Broker
  Conclusion

9 The Design of Directory Services
  Introduction
  Directory Life Cycle
  Planning of Directory Services
  Goal of the Project
  Benefits of the Project
  Objectives of the Project
  Target of the Project
  Analysis of the Actual Situation
  Analysis of the Data to Be Held in the Directory
  Steps to Perform
  Project Plan
  Design of Directory Services
  Data Design
  Schema Design
  Tree Design
  Partitioning Design
  Replication Design
  Security Design
  Data Design
  Schema Design
  Tree Design
  Choosing a Root for the Directory Information Tree
  Branching the Directory Tree
  Partitioning
  Number of Entries Is Too High
  Network Traffic to the Directory Is Too High
  Not All of the Data Is Equally Used
  Some Line Segments Become Overloaded
  Partitioning and Namespace
  Replication
  Network Traffic to the Directory Is Too High
  Some Line Segments Become Overloaded
  Replication and Namespace
  Security Design
  Authentication
  Authorization
  Protection of the Data
  Conclusion

Appendix A Acronyms

Appendix B LDAP Requests for Comments and Drafts
  LDAP RFCs
  Comments about the Most Important LDAP RFCs
  List of LDAP RFCs
  Work in Progress
  LDAP (v3) Revision (ldapbis)
  LDAP Duplication/Replication/Update Protocols (ldup)

Appendix C Useful Links
  General
  LDAP Clients
  OIDs and Standards
  Tutorials and How-Tos
  Security
  SNMP
  LDAP API
  LDAP Server Implementations
  Free Implementations
  Commercial Implementations

Appendix D Standards
  Object Classes
  Attribute Types

Appendix E Configuration of OpenLDAP
  Configuration Files
  Configuration File of the OpenLDAP Server
  The Global Section
  Access Control Information
  Schema Information
  Log Information
  Resource Limitations
  Referrals
  Back-end and Database Sections

Appendix F Playing with Replication in OpenLDAP

Appendix G Playing with OpenLDAP Proxy Server
  The Back End
  What We Will Need
  Compiling the OpenLDAP Proxy
  Running the OpenLDAP Proxy
  Further Capabilities
  The Meta Back End