LDAP

Lightweight Directory Access Protocol (LDAP)

Migration of the central directory services from NIS to LDAP

The directory service providing amongst others the account and group information for DESY useres will be migrated from NIS to LDAP during 2014, here are some (hopefully) useful informations.

What is NIS and what is it used for at DESY

"The Network Information Service, or NIS (originally called Yellow Pages or YP) is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed the NIS; the technology is licensed to virtually all other Unix vendors.

Because British Telecom PLC owned the name "Yellow Pages" as a registered trademark in the United Kingdom for its paper-based, commercial telephone directory, Sun changed the name of its system to NIS, though all the commands and functions still start with “yp”.

A NIS/YP system maintains and distributes a central directory of user and group information, hostnames, e-mail aliases and other text-based tables of information in a computer network. For example, in a common UNIX environment, the list of users for identification is placed in /etc/passwd, and secret authentication hashes in /etc/shadow. NIS adds another “global” user list which is used for identifying users on any client of the NIS domain.

Administrators have the ability to configure NIS to serve password data to outside processes to authenticate users using various versions of the Unix crypt(3) hash algorithms. However in such cases, any NIS client can retrieve the entire password database for offline inspection. Kerberos was designed to handle authentication in a more secure manner."

- Wikipedia: http://en.wikipedia.org/wiki/Network_Information_Service

At DESY NIS is primarily used as a directory service for centrally administered UNIX hosts for:

  • User account publishing
  • Host- and groupname publishing
  • Publishing automounter maps

 

What's LDAP

"The Lightweight Directory Access Protocol (LDAP; /ˈɛldæp/) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.[2] As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number."

-Wikipedia: http://en.wikipedia.org/wiki/LDAP

At DESY LDAP will replace the NIS service and provide some additional functionalitys like passthrough authentication for webservices. As server implementation we use the implementation called "OpenDJ" by:

http://forgerock.com/products/open-identity-stack/opendj/

Short info on server infrastructure

The LDAP production environment consists at the moment of one LDAP master that receives the directory data from the DESY registry in a similar matter as the NIS master did. The LDAP information then gets published to two read-only server that build the client infrastructure. All requests should be directed to the slave servers alias called:

it-ldap-slave.desy.de

 

How to search the LDAP tree

You can use the command 'ldapsearch' as a replacement for the usual NIS commands for ex. :

  • Search a user entry:

pcx5992% ldapsearch -x -b "ou=RGY,o=DESY,c=DE" -h it-ldap-slave.desy.de "(cn=Christoph Beyer)"
# extended LDIF
#
# LDAPv3
# base <ou=RGY,o=DESY,c=DE> with scope subtree
# filter: (cn=Christoph Beyer)
# requesting: ALL
#

# chbeyer, people, rgy, desy, de
dn: uid=chbeyer,ou=people,ou=rgy,o=desy,c=de
physicalDeliveryOfficeName: 02b/009
uid: chbeyer
description: primary
loginShell: /bin/zsh
givenName: Christoph
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: top
cn: Christoph Beyer
telephoneNumber: 2317
sn: Beyer
street: 02b/009
gecos: Christoph Beyer,02b/009,2317
roomNumber: 02b/009
homeDirectory: /afs/desy.de/user/c/chbeyer
ou: IT (Informationstechnik)
uidNumber: 4293
mail: christoph.beyer@desy.de
gidNumber: 1000
displayName: Beyer, Christoph

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

 

  • List group members

pcx5992% ldapsearch -x -b "ou=group,ou=RGY,o=DESY,c=DE" -h it-ldap-slave.desy.de "cn=af-atlas"
# extended LDIF
#
# LDAPv3
# base <ou=group,ou=RGY,o=DESY,c=DE> with scope subtree
# filter: cn=af-atlas
# requesting: ALL
#

# af-atlas, group, rgy, desy, de
dn: cn=af-atlas,ou=group,ou=rgy,o=desy,c=de
gidNumber: 5292
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: top
uniqueMember: uid=agrohsje,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=ahalf,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=aliev,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=amelzer,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=asbah,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=atlasonl,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=atlhsio,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=bessner,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=bheimel,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=bisanz,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=blumen,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=boehler,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=britzger,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=brock,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=camarda,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=cdeterre,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=cgumpert,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=chengler,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=clange,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=cmeyer,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=congpeng,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=cristinz,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=cschillo,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=czirr,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=dariza,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=dassoula,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=dbiederm,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=dduschin,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=dsosacor,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=dsperlic,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=ebergeas,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=eckardt,ou=people,ou=rgy,o=desy,c=de

[ ... ]

 

Configuration examples

For fully benefitting of the LDAP directory service we stronlgy recommend on 'current' LINUX systems to use the 'SSSD' authentication stack. Here is a basic configuration you can use:

  • Un- and install the pkg's necessary on your LINUX systems for using the SSSD stack
  • Edit the nsswitch.conf file:
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files 
netgroup:   files sss
  • Edit the sssd.conf file:
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/LDAP]
debug_level = 6
ldap_schema = rfc2307bis

id_provider = ldap
ldap_uri = ldap://it-ldap-slave.desy.de
ldap_search_base = ou=RGY,o=DESY,c=DE

ldap_group_member = uniqueMember

auth_provider = krb5
krb5_server = netra33.desy.de:88,netra34.desy.de:88,netra32.desy.de:88
krb5_realm = DESY.DE

 

 

 

 

Lightweight Directory Access Protocol (LDAP)


Technicalities

The data of a DESY person can be listed by:

ldapsearch -x -H ldap://ldap.desy.de -b 'ou=People,o=DESY,c=DE' "sn=username"

The username is not the name of the person, but the account name.

top


Edited by: Vladimir.Holzmann@desy.de