URL: https://it.desy.de/e5/e47485/e56053/index_eng.html
Lightweight Directory Access Protocol (LDAP)
What's LDAP
"The Lightweight Directory Access Protocol (LDAP; /ˈɛldæp/) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.[2] As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number."
-Wikipedia: http://en.wikipedia.org/wiki/LDAP
At DESY, LDAP will replace the NIS service and provide some additional functionality, such as pass-through authentication for web services. As server implementation we use the implementation called "OpenDJ" by:
http://forgerock.com/products/open-identity-stack/opendj/
Short info on server infrastructure
The LDAP production environment currently consists of one LDAP master that receives the directory data from the DESY registry in a similar manner as the NIS master did. The LDAP information is then published to two read-only servers that form the client-facing infrastructure. All requests should be directed to the alias of the slave servers:
it-ldap-slave.desy.de
How to search the LDAP tree
You can use the command 'ldapsearch' as a replacement for the usual NIS commands, for example:
- Search a user entry:
pcx5992% ldapsearch -x -b "ou=RGY,o=DESY,c=DE" -h it-ldap-slave.desy.de "(cn=Hans Mueller)"
# extended LDIF
#
# LDAPv3
# base <ou=RGY,o=DESY,c=DE> with scope subtree
# filter: (cn=Hans Mueller)
# requesting: ALL
#
# hmueller, people, rgy, desy, de
dn: uid=hmueller,ou=people,ou=rgy,o=desy,c=de
physicalDeliveryOfficeName: 12/34a
uid: hmueller
description: primary
loginShell: /bin/zsh
givenName: Hans
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: top
cn: Hans Mueller
telephoneNumber: 1234
sn: Mueller
street: 12/34a
gecos: Hans Mueller,12,34a,1234
roomNumber: 12,34a
homeDirectory: /afs/desy.de/user/h/hmueller
ou: IT (Informationstechnik)
uidNumber: 5555
mail: hans.mueller@desy.de
gidNumber: 1000
displayName: Mueller, Hans
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
- List group members
pcx5992% ldapsearch -x -b "ou=group,ou=RGY,o=DESY,c=DE" -h it-ldap-slave.desy.de "cn=somegroup"
# extended LDIF
#
# LDAPv3
# base <ou=group,ou=RGY,o=DESY,c=DE> with scope subtree
# filter: cn=somegroup
# requesting: ALL
#
# somegroup, group, rgy, desy, de
dn: cn=somegroup,ou=group,ou=rgy,o=desy,c=de
gidNumber: 5555
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: top
uniqueMember: uid=someuser,ou=people,ou=rgy,o=desy,c=de
[ ... ]
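As an added example (not code from the DESY page), the following Python parses the LDIF that ldapsearch prints into dictionaries, rebuilds from the posixAccount attributes the passwd line that NIS used to serve, and escapes a user-supplied name before it is placed in a (cn=...) filter so the input cannot alter the filter structure. The sample LDIF is a constructed abbreviation of the output shown above.

```python
# Constructed sample: an abbreviated copy of the ldapsearch output shown above.
SAMPLE_LDIF = """\
# hmueller, people, rgy, desy, de
dn: uid=hmueller,ou=people,ou=rgy,o=desy,c=de
uid: hmueller
loginShell: /bin/zsh
objectClass: posixAccount
objectClass: top
cn: Hans Mueller
gecos: Hans Mueller,12,34a,1234
homeDirectory: /afs/desy.de/user/h/hmueller
uidNumber: 5555
gidNumber: 1000

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """One dict (attribute -> list of values) per entry that has a dn. '#' lines
    are skipped, a blank line ends an entry, a leading space folds a value (RFC 2849)."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last:
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last = attr
    entries.append(current)
    return [e for e in entries if "dn" in e]  # drops the search:/result: trailer

def passwd_line(entry):
    """Render a posixAccount entry as the /etc/passwd line NIS used to serve."""
    g = lambda attr: entry.get(attr, [""])[0]
    return ":".join([g("uid"), "x", g("uidNumber"), g("gidNumber"), g("gecos"), g("homeDirectory"), g("loginShell")])

# RFC 4515 escaping, so a name from user input cannot change the filter's structure.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
def escape_filter_value(value):
    return "".join(_FILTER_ESC.get(c, c) for c in value)

def cn_filter(name):
    return "(cn=%s)" % escape_filter_value(name)
```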
Configuration examples
To benefit fully from the LDAP directory service, we strongly recommend using the 'SSSD' authentication stack on current Linux systems. Here is a basic configuration you can use:
- Uninstall/install the packages necessary on your Linux systems for using the SSSD stack
- Edit the nsswitch.conf file:
shadow: files sss
group: files sss
services: files
netgroup: files sss
- Edit the sssd.conf file:
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/LDAP]
debug_level = 6
ldap_schema = rfc2307bis
id_provider = ldap
# ldap:// carries queries in clear text; use ldaps:// or StartTLS where the server offers it
ldap_uri = ldap://it-ldap-slave.desy.de
ldap_search_base = ou=RGY,o=DESY,c=DE
ldap_group_member = uniqueMember
Further Queries
Data of a DESY person can be listed by:
where Name is the surname of the person sought, not the account name.