[olug] LDAP

Phil Brutsche pbrutsch at creighton.edu
Tue Jul 10 04:23:37 UTC 2001


Considering some people had missed my talk about LDAP a couple weeks ago,
and since I had gotten a few details wrong :) I decided to be a nice guy
and show off what I did to make LDAP work in the last 30 minutes.

I'm using OpenLDAP 2.0.11; it compiles effortlessly on, well, lotsa stuff
:)

Once installed, the LDAP software needs to be configured, which is
straightforward.  All you need to define are the schema used in the
directory(ies), what database formats to use, where the database files
will be stored, as well as access control information.  The config file
I've used for this example is at http://giedi.obix.com/~phil/slapd.conf.

Once configured, the LDAP directory needs some basic info about the
structure the directory is going to take; this needs to be done before any
entries can be added.

One thing that needs to be remembered is that LDAP is organized into a
sort of "tree" structure, read from right to left.  That means that, when
you see:

ou=people,o=somecompany,c=us

You read it as:

The "organizational unit" people is part of the organization
"somecompany"; the organization "somecompany" is part of the country "US",
the United States.

This is what makes up the search base: all the leaves and branches below
this "trunk" will be searched and nothing else.

A unique entry in the directory is identified by the "distinguished name"
- "DN" for short; DNs can have authentication information associated with
them.  This makes them a sort of "user" in the directory, capable of
performing (potentially) privileged actions on the directory.

LDAP directories also have one or more "root DNs" - these behave as a
super-user on a unix-type system; they can change anything, read anything,
add anything, and delete anything.

Most LDAP servers work with a format called LDIF (ldap database
interchange format, or something like that).  The LDIF data I "primed" my
database with is at http://giedi.obix.com/~phil/olug.ldif.
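As an added illustration (not part of the original post or its olug.ldif) of the two points above, the right-to-left tree reading and the search base, and of the LDIF format, here is a small Python sketch: it parses DNs into their RDN components, decides whether an entry lies under a given search base, reads a constructed LDIF sample, and runs a search that only ever considers entries at or below the base. Entry names, the "ou=hosts" container and the attribute values are made up for the example.

```python
import re

# Constructed sample LDIF (not the post's olug.ldif): suffix, people container, one person inside it, one outside.
SAMPLE_LDIF = r"""dn: dc=olug,dc=org
objectClass: organization
o: OLUG

dn: ou=people,dc=olug,dc=org
objectClass: organizationalUnit
ou: people

dn: cn=Jane Doe,ou=people,dc=olug,dc=org
objectClass: inetOrgPerson
cn: Jane Doe

dn: cn=Doe\, John,ou=hosts,dc=olug,dc=org
objectClass: inetOrgPerson
cn: Doe, John
"""

def parse_dn(dn):
    """(attr, value) pairs, leaf first; a backslash-escaped comma (RFC 2253) stays inside the value."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.strip().partition('=')
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr.strip().lower(), value.replace('\\,', ',')))
    return rdns

def is_under_base(dn, base):
    """True if dn is the search base or below it: read right to left, its trailing RDNs equal the base's."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines, repeated attributes kept as lists."""
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(':')
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def search(entries, base, attr, value):
    """DNs at or below base whose attribute holds value; anything outside the base is never examined."""
    return [e['dn'][0] for e in entries
            if is_under_base(e['dn'][0], base) and value in e.get(attr.lower(), [])]
```

Searching with base "ou=people,dc=olug,dc=org" returns only Jane Doe; the suffix entry above the base and the person under "ou=hosts" are outside the trunk and are not returned.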

That's all you need to build a basic directory service.  Simple, isn't it
:)

I've put up a web-based client for querying the directory at
http://giedi.obix.com/~phil/ldap.php3.  Source for this client is at
http://giedi.obix.com/~phil/ldap.txt.

The directory service is also accessible to "traditional" ldap clients
like Netscape Communicator, Outlook Express, and Pine; the host name is
giedi.obix.com and the search root is "ou=people,dc=olug,dc=org".

That concludes tonight's public service announcement.  Stay tuned on this
penguin-channel for further updates!  (aka tomorrow I'm going to talk
about pam_ldap and nss_ldap unless someone beats me to it)


Phil

