# LDAP

Lightweight Directory Access Protocol

---

# Introduction

----

#### LDAP

- Lightweight Directory Access Protocol
- Non-relational database
- Used to manage user accounts and mail aliases
- In NTU CSIE:
  - CSIE Wi-Fi, SMTP, Printing, Workstation, ... all use LDAP to authenticate users
  - SMTP uses LDAP to resolve aliases (e.g. vegetable@csie, all@csie)
  - Workstations use LDAP to configure user accounts
    <!-- For example, your home directory, password, preferred shell and stuff -->

----

Tree Structure of LDAP

```graphviz=
digraph {
  rankdir="LR"
  root [label="dc=csie,dc=ntu,dc=edu,dc=tw"]
  group [label="ou=group"]
  people [label="ou=people"]
  alias [label="ou=alias"]
  student [label="cn=student"]
  master [label="cn=master"]
  user_b10 [label="uid=b10902001"]
  user_b11 [label="uid=b11902002"]
  user_r11 [label="uid=r11922003"]
  list [label="ou=list"]
  course [label="ou=course"]
  all [label="cn=all"]
  dsa_ta [label="cn=dsa_ta"]
  root -> group
  root -> people
  root -> alias
  group -> student
  group -> master
  people -> user_b10
  people -> user_b11
  people -> user_r11
  alias -> list
  alias -> course
  list -> all
  course -> dsa_ta
}
```

----

### Important Concepts

- DN: distinguished name
  - Full path from the LDAP tree root to the node
- Object Class
  - Specifies the properties an entry can have / should have
  - Object classes also form a tree hierarchy -- they can be inherited
- Attribute
  - Common name, email, uid, loginShell, etc.
----

### Example

```ldif=
# ldapsearch -x uid=b09902010
dn: uid=b09902010,ou=people,dc=csie,dc=ntu,dc=edu,dc=tw
uid: b09902010
objectClass: person
objectClass: posixAccount
homeDirectory: /home/student/09/b09902010
uidNumber: 69663
gidNumber: 450
cn: b09902010
sn:: 5p6X
givenName:: 6aCG6Kii
loginShell: /bin/zsh
mail: b09902010@csie.ntu.edu.tw.test-google-a.com
```

---

# Installation

----

#### Download & Install Debian VM

```bash=
# works on linux*.csie.org
qemu-img create -f qcow2 -F qcow2 \
  -b /tmp2/ldap-lab/disk.qcow2 disk.qcow2
qemu-system-x86_64 -hda disk.qcow2 -cpu host -enable-kvm \
  -m 4G -nographic -nic user,hostfwd=tcp::[YOUR PORT]-:22
```

- root password: nasa2023
- Or, install from scratch: [ISO Link](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-11.7.0-amd64-netinst.iso)

----

#### OpenLDAP

- Open source implementation of LDAP
- Server daemon: `slapd`
- Library: `<ldap.h>` + `libldap`
- Utilities: `ldapsearch`, `ldapmodify`, ...
- Useful tool: `ldapvi` (not a part of OpenLDAP)

----

#### Install OpenLDAP

- `apt install -y slapd ldap-utils`
  - Set your own admin password
- `apt install ldapvi`

---

# Configuration

----

#### LDIF

- LDAP Data Interchange Format
- Plain text for representing LDAP content and update requests
  - Update requests can be add, delete, modify, rename, etc.
- LDIF (`.ldif`) can be consumed by `ldapadd`, `ldapmodify`, etc.
```ldif=
dn: uid=b11902000,ou=people,dc=csie,dc=ntu,dc=edu,dc=tw
changetype: modify
replace: loginShell
loginShell: /bin/zsh
```

----

#### Configure LDAP DC Suffix

```ldif=
# suffix.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=nasa,dc=csie,dc=ntu
```

```bash=
ldapmodify -Y EXTERNAL -H ldapi:/// -f suffix.ldif
```

----

#### Configure LDAP Root DN

```ldif=
# rootdn.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=nasa,dc=csie,dc=ntu
```

```bash=
ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
```

----

#### Configure LDAP Base Records

```ldif=
# base.ldif
dn: dc=nasa,dc=csie,dc=ntu
dc: nasa
objectClass: top
objectClass: domain

dn: cn=admin,dc=nasa,dc=csie,dc=ntu
cn: admin
objectClass: organizationalRole
description: admin account

dn: ou=people,dc=nasa,dc=csie,dc=ntu
ou: people
objectClass: organizationalUnit

dn: ou=group,dc=nasa,dc=csie,dc=ntu
ou: group
objectClass: organizationalUnit
```

```bash=
ldapadd -D cn=admin,dc=nasa,dc=csie,dc=ntu -W \
  -H ldapi:/// -f base.ldif
```

---

# Lab -- Add User

----

#### Add Your User

Replace *b11902000* with YOUR OWN student ID!

```bash=
slappasswd
```

```ldif=
# user.ldif
dn: uid=b11902000,ou=people,dc=nasa,dc=csie,dc=ntu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: b11902000
uid: b11902000
uidNumber: 1234
gidNumber: 123
homeDirectory: /home/b11902000
loginShell: /bin/bash
userPassword: <password hash>
```

```bash=
ldapadd -D cn=admin,dc=nasa,dc=csie,dc=ntu -W \
  -H ldapi:/// -f user.ldif
```

----

#### Search Your User

```bash=
# You should find your user with this command:
ldapsearch -x -b dc=nasa,dc=csie,dc=ntu cn=b11902000

# Edit /etc/ldap/ldap.conf so this also works:
ldapsearch -x cn=b11902000

# And submit a snapshot of the output.
```

----

# [Submission Form](https://forms.gle/KgBBQZPX1cdnD43C6)
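----

#### Added Example: Check `user.ldif` Offline

An added example, not part of the lab or of OpenLDAP: a small Python script that parses LDIF the way the slides above use it (`::` base64 values such as `sn:: 5p6X`, folded lines, `#` comments) and verifies a `{SSHA}` `userPassword` in the format `slappasswd` produces, so you can sanity-check `user.ldif` before handing it to `ldapadd`. The password `nasa2023`, the fixed salt and the function names are assumptions made here.

```python
import base64
import hashlib
import hmac

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; handles '#' comments, folded lines
    (leading space continues the previous line) and '::' base64 values like 'sn:: 5p6X'."""
    logical = []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the final entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:   # continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():                  # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    return entries

def ssha_hash(password, salt):
    """{SSHA} value in slappasswd's default format: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Recompute SHA-1 over pw + salt, the salt being whatever follows the 20 digest bytes.
    A bare (clear-text) userPassword has no {SCHEME} prefix and is rejected here."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    return hmac.compare_digest(hashlib.sha1(password.encode() + raw[20:]).digest(), raw[:20])

# Constructed sample: the lab's user.ldif (trimmed) with a base64 sn and an {SSHA}
# hash of the assumed password "nasa2023"; the salt is fixed so the value is reproducible.
SAMPLE_LDIF = f"""# user.ldif
dn: uid=b11902000,ou=people,dc=nasa,dc=csie,dc=ntu
uid: b11902000
sn:: 5p6X
userPassword: {ssha_hash("nasa2023", b"salt")}
"""
```

A `userPassword` line without a `{SCHEME}` prefix is stored by `slapd` exactly as written, which is why the lab has you run `slappasswd` first and paste its output.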