Introduction to LDAP
LDAP (Lightweight Directory Access Protocol) is the protocol used to communicate with directory servers. A directory is a kind of database that is used heavily for identity management. The terms “LDAP”, “LDAP database” and “directory server” are usually used interchangeably.
Unlike relational SQL databases, an LDAP database is not organized into tables, rows and columns; it is organized into a hierarchical directory structure of containers, entries and attributes.
SSSD and LDAP integration
SSSD can connect to any LDAP server to look up POSIX accounts and other information, such as sudo rules and autofs maps, using the SSSD LDAP provider. It also provides various access control mechanisms and password policies. LDAP provider features include (but are not limited to):
SASL/SSL/TLS support
LDAP service auto discovery
Limit search behavior using multiple search bases
Password changing and password policy support
RFC2307 and RFC2307bis support
POSIX users and groups support
sudo rules support
autofs maps support
LDAP-based access control
Simple access control
See also
To read more about how SSSD is used in LDAP integration at a high level, refer to the following links:
LDAP Basics
The rest of the page is dedicated to readers who are not yet familiar with directory servers. It explains the very basics that will help you dive into the LDAP world. Please look up and visit external resources such as ldap.com to gain more thorough information.
Directory structure
Each directory entry consists of a distinguished name, object class and attributes.
- Distinguished name (DN)
The distinguished name is a unique name that identifies the object in the database. It is built from a set of attributes whose values are unique to the object (the relative distinguished name, or RDN) and the parent’s DN, so it resembles a hierarchical path to the entry. For example, in name=John,cn=users,dc=mydomain the attribute name carries the entry’s unique value and cn=users,dc=mydomain is the parent’s DN.
- Object class (OC)
An object class is a special attribute that specifies what mandatory and optional attributes can be set on the entry. Object classes are defined in schemas that are installed on the LDAP server.
- Attributes
Attributes are single- or multi-valued properties of the entry. Their format and behaviour (e.g. date, string, case sensitivity, comparison rules, limits, etc.) are defined by the schema and object classes. Some standard and common attributes are:
dc: domain component – used to identify the directory domain
ou: organizational unit – used to split entries into named containers
cn: canonical name – used to provide name to an object
LDIF
Directory entries can be exported into LDIF (LDAP Data Interchange Format), a text representation of the directory contents. Here is a simple example:
```
dn: dc=ldap,dc=vm
objectClass: domain
objectClass: top
dc: ldap

dn: ou=users,dc=ldap,dc=vm
objectClass: organizationalUnit
objectClass: top
ou: users

dn: cn=user-1,ou=users,dc=ldap,dc=vm
objectClass: posixAccount
objectClass: top
cn: user-1
gidNumber: 10001
homeDirectory: /home/user-1
uid: user-1
uidNumber: 10001
userPassword: {SHA}98O8HYCOBHMq32eZZczDTKeuNEE=
```
This represents the following entries, one below the other in the hierarchy:
```
dc=ldap,dc=vm
└── ou=users
    └── cn=user-1
```
Filtering LDAP entries
LDAP filters are expressed as a tree that consists of attribute-value pairs and operators. The whole tree is then written out using parentheses. The filters are well explained here and here, but here is an example for a quick introduction and the basic idea. The following filter will search for all objects whose objectClass equals posixAccount and whose canonical name is set to either John or Alice. The filter also requires that a uidNumber attribute is set (it may have any value, but it must have one).
```
(&(objectClass=posixAccount)(uidNumber=*)(|(cn=John)(cn=Alice)))
```
We can also expand this filter into an indented tree so the operators and their operands can be easily understood.
```
(&
    (objectClass=posixAccount)
    (uidNumber=*)
    (|
        (cn=John)
        (cn=Alice)
    )
)
```
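The indented tree above can be produced mechanically. The following Python is an added example, not code from the SSSD project or from this page: it parses a filter (the RFC 4515 subset used here: &, |, !, equality, presence and simple * substrings, without backslash escape sequences), prints the same indented tree, and evaluates the filter against a few constructed in-memory entries. The function names (parse_filter, render, matches, search) and the sample entries are this example's own.

```python
"""Parse an LDAP search filter into a tree, print it indented, and
evaluate it against in-memory entries.  Added example; supports the
RFC 4515 subset used on this page (&, |, !, equality, presence and
simple '*' substrings) and does not handle backslash escapes."""


class Node:
    """One filter node: op is '&', '|', '!' or '=' for a leaf item."""

    def __init__(self, op, children=None, attr=None, value=None):
        self.op = op
        self.children = children or []
        self.attr = attr
        self.value = value


def parse_filter(text):
    """Parse a complete filter string; raises ValueError on malformed input."""
    s = text.strip()
    try:
        tree, pos = _parse(s, 0)
    except IndexError:
        raise ValueError("unterminated filter") from None
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return tree


def _parse(s, i):
    """Parse one parenthesised component at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return Node(op, children), i + 1
    end = s.index(")", i)  # an unescaped ')' cannot appear inside an item
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError("malformed filter item %r" % s[i:end])
    return Node("=", attr=attr, value=value), end + 1


def render(node, indent=0):
    """Return the filter as the indented tree shown on the page."""
    pad = "    " * indent
    if node.op == "=":
        return pad + "(%s=%s)" % (node.attr, node.value)
    lines = [pad + "(" + node.op]
    lines.extend(render(c, indent + 1) for c in node.children)
    lines.append(pad + ")")
    return "\n".join(lines)


def _substring_match(pattern, value):
    """'*' in the pattern matches any run of characters (RFC 4515 substrings)."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return value == pattern
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        idx = value.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return len(value) - len(parts[-1]) >= pos


def matches(node, entry):
    """entry maps lower-cased attribute names to lists of string values."""
    if node.op == "&":
        return all(matches(c, entry) for c in node.children)
    if node.op == "|":
        return any(matches(c, entry) for c in node.children)
    if node.op == "!":
        return not matches(node.children[0], entry)
    values = entry.get(node.attr.lower(), [])
    if node.value == "*":  # presence test: the attribute has at least one value
        return bool(values)
    # caseIgnoreMatch, the matching rule cn and objectClass use on real servers
    return any(_substring_match(node.value.lower(), v.lower()) for v in values)


# Constructed sample entries (not from the page); Alice deliberately lacks uidNumber.
ENTRIES = {
    "cn=John,ou=users,dc=ldap,dc=vm": {"objectclass": ["posixAccount", "top"], "cn": ["John"], "uidnumber": ["10001"]},
    "cn=Alice,ou=users,dc=ldap,dc=vm": {"objectclass": ["posixAccount", "top"], "cn": ["Alice"]},
    "cn=Bob,ou=users,dc=ldap,dc=vm": {"objectclass": ["posixAccount", "top"], "cn": ["Bob"], "uidnumber": ["10003"]},
}

FILTER = "(&(objectClass=posixAccount)(uidNumber=*)(|(cn=John)(cn=Alice)))"


def search(entries, filter_text):
    """Return the sorted DNs of the entries matching the filter."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


if __name__ == "__main__":
    print(render(parse_filter(FILTER)))
    print(search(ENTRIES, FILTER))  # only John: Alice lacks uidNumber, Bob fails the OR
```

Running it prints the tree and then the single matching DN: Alice satisfies the OR but has no uidNumber, Bob has a uidNumber but matches neither name. The parser rejects unbalanced or malformed filters with ValueError instead of guessing, which is the behaviour you want from anything that builds filters out of user-supplied values.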
Scope and search base
When querying LDAP, we usually also specify a search base and a scope, which tell the server from which object it should start searching and how far down the hierarchy it should go. A search base is simply a DN; the scope can be one of base, subtree or onelevel.
- base
The search base itself is matched against the filter. If the filter matches, the search base entry is returned; otherwise an empty result is returned.
- subtree
All entries below the search base are filtered.
- onelevel
Similar to subtree, but only one level below the search base is searched.
Tools
You can use the OpenLDAP tools to work with an LDAP server, especially ldapsearch, ldapadd, ldapdelete and ldapmodify. To install these tools, run:
```
# Fedora
dnf install openldap-clients
# RHEL / CentOS
yum install openldap-clients
# Debian / Ubuntu (ldap-utils holds the client tools, slapd is the server)
apt install slapd ldap-utils
```
The following command looks up entries using the filter above and a simple bind (-x) with a bind DN and password:
```
ldapsearch -x -D "cn=Directory Manager" -w "$password" -H ldap://ldap.example.com -b dc=example,dc=com -s sub '(&(objectClass=posixAccount)(uidNumber=*)(|(cn=John)(cn=Alice)))'
```
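Scope selection and DN structure from the Scope and search base section can be tried offline. The following Python is an added example, not code from SSSD, OpenLDAP or this page: it reads the LDIF from the LDIF section with a minimal reader (assumptions: entries separated by blank lines, no line continuations or base64 "::" values, DNs split on "," without RFC 4514 escape handling), splits a DN into its RDN and parent, and applies the three scopes with RFC 4511 semantics, under which subtree includes the base entry itself as well as everything under it. The function names (parse_ldif, dn_components, in_scope, search) are this example's own; the scope names correspond to ldapsearch -s base, -s one and -s sub, so the -s sub in the command above is the subtree case.

```python
"""Read the page's sample LDIF and apply LDAP search scopes from a chosen
search base.  Added example with a deliberately minimal LDIF reader:
blank-line separated entries, 'attr: value' lines only, DNs split on ','."""

# The LDIF from the LDIF section of the page.
LDIF = """\
dn: dc=ldap,dc=vm
objectClass: domain
objectClass: top
dc: ldap

dn: ou=users,dc=ldap,dc=vm
objectClass: organizationalUnit
objectClass: top
ou: users

dn: cn=user-1,ou=users,dc=ldap,dc=vm
objectClass: posixAccount
objectClass: top
cn: user-1
gidNumber: 10001
homeDirectory: /home/user-1
uid: user-1
uidNumber: 10001
userPassword: {SHA}98O8HYCOBHMq32eZZczDTKeuNEE=
"""


def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}}; entries are blank-line separated."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF entry without a dn line")
        entries[dn] = attrs
    return entries


def dn_components(dn):
    """Split 'cn=user-1,ou=users,dc=ldap,dc=vm' into normalised RDNs, leaf first."""
    return [c.strip().lower() for c in dn.split(",")]


def rdn(dn):
    """The relative distinguished name: the first component of the DN."""
    return dn_components(dn)[0]


def parent_dn(dn):
    """Everything after the RDN is the parent's DN."""
    return ",".join(dn_components(dn)[1:])


def in_scope(dn, base, scope):
    """RFC 4511 scopes: base = only the base entry; onelevel = its direct
    children; subtree = the base entry and everything under it."""
    d, b = dn_components(dn), dn_components(base)
    if scope == "base":
        return d == b
    if scope == "onelevel":
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "subtree":
        return len(d) >= len(b) and d[len(d) - len(b):] == b
    raise ValueError("unknown scope %r" % scope)


def search(entries, base, scope, required_attr=None):
    """Scope selection plus an optional presence test standing in for a filter."""
    return sorted(
        dn for dn, attrs in entries.items()
        if in_scope(dn, base, scope)
        and (required_attr is None or attrs.get(required_attr.lower()))
    )


ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        print(scope, search(ENTRIES, "dc=ldap,dc=vm", scope))
    print("with uidNumber:", search(ENTRIES, "dc=ldap,dc=vm", "subtree", "uidNumber"))
```

Two things are worth knowing when running the real ldapsearch command above rather than this model: -w takes the password on the command line, where it is visible in shell history and process listings, while -W prompts for it instead; and a simple bind over plain ldap:// sends that password in the clear, so use an ldaps:// URL or -ZZ to require STARTTLS. The userPassword value in the sample LDIF is an unsalted {SHA} hash; OpenLDAP also supports the salted {SSHA} scheme and stronger password hashing schemes, which are the better choice for stored passwords.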
You can also choose from a variety of graphical LDAP tools such as the Apache Directory Studio.