LDAP

Lightweight Directory Access Protocol (LDAP)

What's LDAP

"The Lightweight Directory Access Protocol (LDAP; /ˈɛldæp/) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.[2] As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number."

-Wikipedia: http://en.wikipedia.org/wiki/LDAP

At DESY, LDAP will replace the NIS service and provide additional functionality such as pass-through authentication for web services. As server implementation we use OpenDJ by ForgeRock:

http://forgerock.com/products/open-identity-stack/opendj/

Short info on server infrastructure

The LDAP production environment currently consists of one LDAP master that receives the directory data from the DESY registry, in much the same way as the NIS master did. The directory information is then replicated to two read-only servers, which form the client-facing infrastructure. All client requests should be directed to the alias of these read-only (slave) servers:

it-ldap-slave.desy.de


How to search the LDAP tree

You can use the command 'ldapsearch' as a replacement for the usual NIS commands. The '-x' option selects a simple bind (anonymous here, since no bind DN is given), which is enough to read the directory data; note that '-h host' is deprecated in newer OpenLDAP clients in favour of '-H ldap://host', as used in the last section of this page. For example:

  • Search a user entry:

pcx5992% ldapsearch -x -b "ou=RGY,o=DESY,c=DE" -h it-ldap-slave.desy.de "(cn=Hans Mueller)"
# extended LDIF
#
# LDAPv3
# base <ou=RGY,o=DESY,c=DE> with scope subtree
# filter: (cn=Hans Mueller)
# requesting: ALL
#

# hmueller, people, rgy, desy, de
dn: uid=hmueller,ou=people,ou=rgy,o=desy,c=de
physicalDeliveryOfficeName: 12/34a
uid: hmueller
description: primary
loginShell: /bin/zsh
givenName: Hans
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: top
cn: Hans Mueller
telephoneNumber: 1234
sn: Mueller
street: 12/34a
gecos: Hans Mueller,12,34a,1234
roomNumber: 12,34a
homeDirectory: /afs/desy.de/user/h/hmueller
ou: IT (Informationstechnik)
uidNumber: 5555
mail: hans.mueller@desy.de
gidNumber: 1000
displayName: Mueller, Hans

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


  • List group members

pcx5992% ldapsearch -x -b "ou=group,ou=RGY,o=DESY,c=DE" -h it-ldap-slave.desy.de "cn=somegroup"
# extended LDIF
#
# LDAPv3
# base <ou=group,ou=RGY,o=DESY,c=DE> with scope subtree
# filter: cn=somegroup
# requesting: ALL
#

# somegroup, group, rgy, desy, de
dn: cn=somegroup,ou=group,ou=rgy,o=desy,c=de
gidNumber: 5555
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: top
uniqueMember: uid=someuser,ou=people,ou=rgy,o=desy,c=de

[ ... ]
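As an added example (not code from this page, from DESY or from OpenDJ), the following Python script parses the LDIF that ldapsearch prints and maps a posixAccount entry to a passwd(5) line and a posixGroup entry to a group(5) line, which is the view the NIS maps replaced by this service used to provide. The LDIF embedded in it is a constructed condensation of the two results above; the attribute names and the convention that group members are DNs in uniqueMember are taken from those results, and the function names are chosen here.

```python
"""Parse the LDIF that ldapsearch prints and map posixAccount / posixGroup
entries to passwd(5) / group(5) lines, i.e. the view NIS clients used to get.
Added example for this page, not DESY or OpenDJ code."""
import base64

# Constructed sample condensed from the two searches above. It contains a
# folded line, multi-valued attributes and a base64 ('::') value, all of
# which real ldapsearch output can contain.
SAMPLE_LDIF = """\
# base <ou=RGY,o=DESY,c=DE> with scope subtree

# hmueller, people, rgy, desy, de
dn: uid=hmueller,ou=people,ou=rgy,o=desy,c=de
uid: hmueller
description: primary account, folded here to show LDIF line
  continuation
loginShell: /bin/zsh
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Hans Mueller
gecos: Hans Mueller,12,34a,1234
homeDirectory: /afs/desy.de/user/h/hmueller
uidNumber: 5555
gidNumber: 1000
displayName:: TXVlbGxlciwgSGFucw==

# somegroup, group, rgy, desy, de
dn: cn=somegroup,ou=group,ou=rgy,o=desy,c=de
gidNumber: 5555
objectClass: posixGroup
uniqueMember: uid=someuser,ou=people,ou=rgy,o=desy,c=de
uniqueMember: uid=hmueller,ou=people,ou=rgy,o=desy,c=de

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry ('dn' included).
    Handles '#' comments, blank-line separators, folded lines (a continuation
    line starts with one space, which is dropped), multi-valued attributes
    and 'attr:: base64' values; the trailing search/result block has no dn
    and is discarded."""
    logical = []                           # unfold first
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:            # sentinel flushes the last entry
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, sep, value = line.partition(":")
            if not sep or not attr:
                raise ValueError("malformed LDIF line: %r" % line)
            if value.startswith(":"):      # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            current.setdefault(attr, []).append(value)
    return entries

def first(entry, attr, default=""):
    return entry.get(attr, [default])[0]

def rdn_value(dn):
    """'uid=hmueller,ou=people,...' -> 'hmueller' (value of the first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def passwd_line(entry):
    """posixAccount -> 'name:x:uid:gid:gecos:home:shell' as in passwd(5)."""
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError("not a posixAccount: " + first(entry, "dn"))
    return ":".join([first(entry, "uid"), "x", first(entry, "uidNumber"),
                     first(entry, "gidNumber"),
                     first(entry, "gecos", first(entry, "cn")),
                     first(entry, "homeDirectory"),
                     first(entry, "loginShell", "/bin/sh")])

def group_line(entry):
    """posixGroup -> 'name:x:gid:member,member' as in group(5). With the
    rfc2307bis schema, members are DNs in uniqueMember (hence
    'ldap_group_member = uniqueMember' in sssd.conf); the login name is the
    uid RDN of each member DN. The name falls back to the entry's own RDN."""
    if "posixGroup" not in entry.get("objectClass", []):
        raise ValueError("not a posixGroup: " + first(entry, "dn"))
    name = first(entry, "cn", rdn_value(first(entry, "dn")))
    members = [rdn_value(dn) for dn in entry.get("uniqueMember", [])]
    return ":".join([name, "x", first(entry, "gidNumber"), ",".join(members)])

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        is_user = "posixAccount" in e.get("objectClass", [])
        print(passwd_line(e) if is_user else group_line(e))
```

Run it as a script to print the two lines; to do the same for live data, feed real ldapsearch output to parse_ldif(sys.stdin.read()).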


Configuration examples

To benefit fully from the LDAP directory service, we strongly recommend using the 'SSSD' authentication stack on current Linux systems. Here is a basic configuration you can use:

  • Uninstall the packages you no longer need and install the packages required for the SSSD stack on your Linux system
  • Edit the nsswitch.conf file:
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files 
netgroup:   files sss
  • Edit the sssd.conf file:
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/LDAP]
debug_level = 6
ldap_schema = rfc2307bis

id_provider = ldap
ldap_uri = ldap://it-ldap-slave.desy.de
ldap_search_base = ou=RGY,o=DESY,c=DE

ldap_group_member = uniqueMember

auth_provider = krb5
krb5_server = kerberos1.desy.de:88,kerberos2.desy.de:88,kerberos3.desy.de:88
krb5_realm = DESY.DE

Two things are worth noting about this configuration. LDAP is used for identity lookups only (id_provider = ldap) while authentication is delegated to Kerberos (auth_provider = krb5), so user passwords never travel to the LDAP servers even though ldap_uri uses plain ldap:// without TLS. SSSD also checks the ownership and permissions of sssd.conf at start-up and refuses to run if the file is readable by others, so make it owned by root with mode 0600 after editing it. The debug_level of 6 is fairly verbose and is meant for setting the domain up; lower it once lookups work.
Further Queries

The directory entry of a DESY person can be listed with:

ldapsearch -x -H ldap://ldap.desy.de -b 'ou=People,o=DESY,c=DE' "sn=Name"

where Name is the surname of the person sought, not the account name.
