Lightweight Directory Access Protocol (LDAP)

Migration of the central directory services from NIS to LDAP

The directory service providing amongst others the account and group information for DESY useres will be migrated from NIS to LDAP during 2014, here are some (hopefully) useful informations.

What is NIS and what is it used for at DESY

- Wikipedia: http://en.wikipedia.org/wiki/Network_Information_Service

At DESY NIS is deprecated. It was primarily used as a directory service for centrally administered UNIX hosts for:

  • User account publishing
  • Host- and groupname publishing
  • Publishing automounter maps


What's LDAP

"The Lightweight Directory Access Protocol (LDAP; /ˈɛldæp/) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.[2] As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number."

-Wikipedia: http://en.wikipedia.org/wiki/LDAP

At DESY LDAP will replace the NIS service and provide some additional functionalitys like passthrough authentication for webservices. As server implementation we use the implementation called "OpenDJ" by:


Short info on server infrastructure

The LDAP production environment consists at the moment of one LDAP master that receives the directory data from the DESY registry in a similar matter as the NIS master did. The LDAP information then gets published to two read-only server that build the client infrastructure. All requests should be directed to the slave servers alias called:



How to search the LDAP tree

You can use the command 'ldapsearch' as a replacement for the usual NIS commands for ex. :

  • Search a user entry:

pcx5992% ldapsearch -x -b "ou=RGY,o=DESY,c=DE" -h it-ldap-slave.desy.de "(cn=Hans Mueller)"
# extended LDIF
# LDAPv3
# base <ou=RGY,o=DESY,c=DE> with scope subtree
# filter: (cn=Hans Mueller)
# requesting: ALL

# hmueller, people, rgy, desy, de
dn: uid=hmueller,ou=people,ou=rgy,o=desy,c=de
physicalDeliveryOfficeName: 12/34a
uid: hmueller
description: primary
loginShell: /bin/zsh
givenName: Hans
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: top
cn: Hans Mueller
telephoneNumber: 1234
sn: Mueller
street: 12/34a
gecos: Hans Mueller,12,34a,1234
roomNumber: 12,34a
homeDirectory: /afs/desy.de/user/h/hmueller
ou: IT (Informationstechnik)
uidNumber: 5555
mail: hans.mueller@desy.de
gidNumber: 1000
displayName: Mueller, Hans

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


  • List group members

pcx5992% ldapsearch -x -b "ou=group,ou=RGY,o=DESY,c=DE" -h it-ldap-slave.desy.de "cn=somegroup"
# extended LDIF
# LDAPv3
# base <ou=group,ou=RGY,o=DESY,c=DE> with scope subtree
# filter: cn=somegroup
# requesting: ALL

# somegroup, group, rgy, desy, de
dn: cn=somegroup,ou=group,ou=rgy,o=desy,c=de
gidNumber: 5555
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: top
uniqueMember: uid=someuser,ou=people,ou=rgy,o=desy,c=de

[ ... ]


Configuration examples

For fully benefitting of the LDAP directory service we stronlgy recommend on 'current' LINUX systems to use the 'SSSD' authentication stack. Here is a basic configuration you can use:

  • Un- and install the pkg's necessary on your LINUX systems for using the SSSD stack
  • Edit the nsswitch.conf file:
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files 
netgroup:   files sss
  • Edit the sssd.conf file:
domains = LDAP
services = nss, pam
config_file_version = 2

filter_users = root
filter_groups = root


debug_level = 6
ldap_schema = rfc2307bis

id_provider = ldap
ldap_uri = ldap://it-ldap-slave.desy.de
ldap_search_base = ou=RGY,o=DESY,c=DE

ldap_group_member = uniqueMember
auth_provider = krb5
krb5_server = kerberos1.desy.de:88,kerberos2.desy.de:88,kerberos3.desy.de:88
krb5_realm = DESY.DE





Further Queries

Data of a DESY person can be listed by:

ldapsearch -x -H ldap://ldap.desy.de -b 'ou=People,o=DESY,c=DE' "sn=Name"

where Name is the surname of the person sought, not the account name.