Demystifying LDAP
Pages: 1, 2
A Closer Look at LDAP Data
It's extremely important when learning about LDAP and how it deals with data to separate the structure (or topology) of the data from the definitions of the objects themselves.
Simply, the structure of LDAP data is a hierarchical collection of objects. Objects can represent anything from people to printers and take their places within the hierarchy using whatever logic you like.
Objects?
Yes, objects. Each object has a list of attributes associated with it that describe that particular object. When you add or delete an object, make a request for an object, or change the value of an object's attribute, you do so solely using the LDAP protocol. In short, LDAP exists to manipulate or fetch data about objects.
Hierarchical?
The layout of the data in an LDAP directory is the Directory Information Tree (DIT). You can customize it to the needs of your organization, but it's still a hierarchical tree structure. This tree is not dissimilar to a typical filesystem; there's a "top" or "root" directory, under which are high-level objects (directories in a filesystem). Those help you to categorize the lower level objects that you're really interested in (in a filesystem, these are the files themselves).
Suppose you want to store information about people using a hierarchical collection of objects. Viewing things as a filesystem, you could create a /People directory, and under that, create a file--/People/jonesy. That file contains attribute name and value pairs to describe "jonesy." One attribute might be "firstname," with a value of "Brian." Save the file, and create a new one for each person. Eventually, you have a filesystem that looks something like:
/People
jonesy
mary
tom
janeOf course, your organization might have slightly different needs. Because the structure of the DIT is completely up to you, you might choose something more like:
/People
/Engineering
jonesy
mary
/Accounting
tom
jane
/IT
fred
mark
/Groups
mygroup
yourgroupNotice that, of course, I can have more than one high-level object, representing a different type of object I want to store data about. In this case, I've stored information about People and Groups. I can also have as many subtrees as I wish, arranged in any order I want.
A Peek at a Person
Just to whet your appetite, here's a quick look at a request for a "person" object. It's actually a fake account entry from our departmental LDAP server that I've changed to look like a typical "person" object that systems use to authenticate users. The request comes from a Linux workstation running the OpenLDAP client utility ldapsearch.
$ ldapsearch -x '(uid=ajonesy)'
dn: cn=ajonesy,ou=People,dc=cs,dc=princeton,dc=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: inetLocalMailRecipient
objectClass: shadowAccount
objectClass: jabberUser
cn: ajonesy
uid: ajonesy
uidNumber: 30406
homeDirectory: /u/ajonesy
sn: Jones
givenName: Brian
roomNumber: 101B
displayName: Brian Jones
facsimileTelephoneNumber: 1113
gecos: Brian K. Jones, GUEST, 6080
mail: ajonesy@cs.princeton.edu
telephoneNumber: 6080
loginShell: /bin/bash
gidNumber: 931
description: GUEST
labeledUri: http://www.cs.princeton.edu/~ajonesyThe output format is LDAP Data Interchange Format (LDIF). As you can see, LDIF is a way to make pointy-haired bosses recoil in fear at what amounts to key-value pairs. The very first line in the entry is the dn (distinguished name). The value of that attribute uniquely identifies this object among all of the objects in the directory. After that are a list of objectclass attributes, each having a different value. What those values point to are objectclass definitions which exist in human-readable schemas that the server daemon has read. The definitions of the objectclasses consist mainly of a list of attribute definitions, followed by a statement saying "if an object is of this objectclass, it MUST have these attributes, and it MAY also have these attributes."
Schemas get only slightly more complicated than that if you want to create your own objects or entire schemas. For most, just understanding that using an objectclass implies the use of certain attributes will do just fine.
Lest you think that all of this data must necessarily come at you in the form of a whole object and nothing else, there are a couple of quick notes to make. First, notice that there's no userPassword attribute in the above output. That isn't because I've sanitized the output, it's because the user account used to perform the search that returned this object doesn't have sufficient rights to see this user's password. Second, I could alter my search command to return, say, only ajonesy's roomNumber attribute:
$ ldapsearch -x '(uid=ajonesy)' roomNumber
dn: cn=ajonesy,ou=People,dc=cs,dc=princeton,dc=edu
roomNumber: 101BYou can see how this is likely to dramatically reduce the amount of time needed to retrieve, say, the room numbers for the 3,000 people in your Los Angeles headquarters.
Stay Tuned!
This article has just scratched the surface of LDAP, but hopefully by now you're better able to visualize your directory service and its data. The next part will take a closer look at the definition of objects that live in the directory themselves, and how to create and access objects and their attributes with code.
Brian K. Jones is an infrastructure architect, and system/network/database administrator, and co-author of Linux Server Hacks, Volume Two .
Return to O'Reilly SysAdmin
Showing messages 1 through 17 of 17.
-
objectClass inheritance order
2007-02-01 08:20:33 fredcwbr [View]
-
LDAP and an existing application
2007-01-23 10:22:22 ja.rei [View]
The answer to this question may be simple, but I am ignorant, so please bear with me.
Here's the situation - We are a small shop with a client/server application, developed in PowerBuilder, that we ported to the web using
Java 2SE. Many of our customers are using LDAP and want us to use it for user authentication.
Questions:
1.Does it matter what kind of LDAP server the customers are using?
2.Is there any freeware available to get the app to talk to the server?(Java)
3.What technical information do I need to gather from the customers?
-
What is LDAP ill suited for?
2006-08-10 08:13:41 fivesticksop [View]
The introduction starts with the idea that LDAP is good some places and "completely inappropriate for yet another batch of problems". I'd love to see more on the problems that LDAP is ill suited toward solving. -
What is LDAP ill suited for?
2006-08-10 17:31:40 mentata [View]
Systems that won't tolerate any inconsistency, applications that require drilling down to find unpredicted relationships between entries, or databases that are changed more than they are queried. Consider the inappropriateness of using a directory for bank account management, data warehousing, or real time stock pricing, respectively.
Otherwise, I could likely make an argument.
-
LDAP and RDBMS
2006-08-09 07:26:49 mentata [View]
While I agree with the premise and am always happy to see LDAP illuminated, I have long espoused my own view as to why one might develop applications with directories:
http://www.mentata.com/ldaphttp/why/ldap.htm
In contrast, the standard schema argument presented in the article seems particularly weak because there are literally thousands of published schema available but only a handful that are used across implementations with just a few attributes of consistent relevance.
The most common reason I perceive developers prefer an RDMBS to a directory is familiarity. If they were well-versed in both, they would actually understand that a directory is significantly simpler and easier to manage. An RDBMS has strictly more capability, but it comes at a complexity cost that gets partially masked by training and tools. An enterprise data warehouse does demand an RDBMS, but will usually also demand at least one dedicated DBA.
On the other hand if your application doesn't involve multi-join queries, your system doesn't require rollback, and data retrieval will be more common than change, I argue a directory could be the basis of a very nice solution even where the application deals with things beyond people.
And nothing precludes dumping summary information from the directory into your RDMBS for other needs. The reality is that production directories and relational databases are *both* running in most every mid to large size organization, even though their coexistence is most often coincidental. I think it would be better to see them deployed in pre-meditated architectures that play to their complementary strengths.
See you again on the next installment.
-
LDAP is harder to program than using an ORM like Hibernate
2006-08-08 21:21:33 ozgwei [View]
I had to use LDAP in a Java project.
I found it pretty difficult to program with LDAP for the following reasons:
1) Not many tutorials, including this one, explains core concepts in depth, such as dn, cn, dc, etc... And I don't have the time to read the LDAP specification. So I tried by making mistakes. The project worked but the LDAP part of it was the most unsure bit I felt about it.
2) Not many good examples could be found showing how to program using LDAP for user management. I had to use the raw LDAP API.
3) From the object-oriented point of view, there is no abstraction layer, provided either by Sun or open source for user management using LDAP. Instead of working with a User object conforming to Java Bean specification, I had to work with Context, ModificationItem, SearchControls, Attribute, Attributes, BasicAttributes, NameParser, NamingEnumeration and many Exceptions. And, the javadoc from Sun expects the reader to be an LDAP expert. On the other hand, using an Object-Relationa Mapping (ORM) packages, such as Hibernate or the new Java Persistence API (JPA) is much more easier. Combining Hibernate and Spring, many DB access codes are just one-liners. (The application is likely to use Hibernate and/or Spring for data access anyway...)
4) The Java JNDI API has no rollback. It gave me a lot of headaches when a transaction failed, the database rolled back except JNDI.
5) About the security, LDAP can protect data stored in the LDAP server. However, it cannot protect data in your applications. Developers need to consult LDAP before granting access in the applications. Acegi Security, on the other hand, can handle complex access control, even over domain objects or enquiry results, without writing a line of programs.
So in short, if the user management is pretty standard, with limited number of users and manually managed by a sysadmin, it's OK to use LDAP for user management.
However, if you have tens of thousands of users, and you want fine management over users, allowing help desks to manage users instead of asking sysadmin, you should use the database solution, preferrably with an ORM package.
Above is my personal experience and feeling towards LDAP with my limited knowledge about LDAP.
Perhaps, more efforts should be made for developers to understand LDAP more easily and program with LDAP more efficiently... I'd like to see an abstraction over LDAP for user management that suffices most user management needs with extension points to customise to each organisation's needs...
Just my 2 cents.
-
LDAP made easier
2006-08-09 07:40:30 mentata [View]
efforts should be made for developers to understand LDAP more easily and program with LDAP more efficiently... I'd like to see an abstraction over LDAP for user management that suffices most user management needs with extension points to customise to each organisation's needs...
Well it isn't limited to user management, but:
http://www.mentata.com/ldaphttp/
I am aiming in that same general direction.
-
Great article!
2006-07-31 20:31:37 gusphin [View]
Hi, is it possible to implement ldap for a non-corporate website, let's say, an online store or somethin' simplet to do the user autenticathion, or is ldap only for complex schemas?
-
possibilities
2006-08-09 07:31:54 mentata [View]
I've held off on the obvious store application example, but with my handy framework I demonstrate some other ideas:
http://www.mentata.com/ldaphttp/examples/ -
Great article!
2006-08-01 05:41:58 Brian K. Jones |
[View]
LDAP can be used wherever you want it. Also, most of the schemas in LDAP are *not* complex, and they're made less complex by the fact that you don't have to use every attribute of every schema. If you just want to store a few bits of information, you can do that quite nicely with LDAP.
LDAP is certainly not tied in any way to "enterprise", and there are people who use it at home for simple addressbook storage. I am one of those people. The nice thing is that once everyone is in the LDAP service, many applications are ready to talk to it, like my mail client, for example. There are also lots of web applications that can be pointed at an LDAP server.
Good luck!
-
Ldap or Database (users, roles, etc)
2006-07-31 07:53:58 javadevdc [View]
I'm not convinced it is cleaner or easier to implement an ldap server as opposed to a mysql server running with users, roles, etc.
If the user provisioning service that is implemented in mysql is well documented, I don't see the advantage ldap has over the database.
I also think ldap is much more difficult for programmers than giving them and api and a model of the users and roles. -
Ldap or Database (users, roles, etc)
2006-07-31 08:16:03 Brian K. Jones |
[View]
Hi,
Your very first sentence proves the point in the article, actually. What exactly do you mean by "users and roles"? Do you mean system level users and roles, or users and roles that are defined only in your environment in the database? The fact that I would have to ask this question lends creedence to the argument for using LDAP over a database for certain tasks, because the LDAP data schemas are generally widely published and standardized. If I talk to an LDAP user from just about anywhere and mention "inetorguser", they know pretty much what I'm talking about and what it implies. Not so with your users and roles.
Further, you could well be right that your particular implementation for user provisioning might be "better". I have no idea, really, because I have no clue how you're defining "better". To my mind, not having to devote the resources of database admins, schema designers, developers and the like to do something that has already been done a thousand times over (and is proven to work a thousand times over) is "better" for two reasons:
First, it costs less in terms of time (and probably money)
Second, the data layout for users is standardized. This means that if I come into your environment to do work and you're using ldap, I already know what I'm dealing with, because as an admin, I've dealt with LDAP a million times before (and probably with the schema you're using for user data, as well). I have *not*, on the other hand, dealt with your custom creation a million times before. This goes for developers as well as admins.
This is all without even mentioning that what I'm talking about in the article is only *marginally* about user *provisioning*. It's really more about user data storage and retrieval, which is an area where LDAP is clearly an accepted standard over custom mysql schemas. For example, no email client that I've used can grab their addressbook information from a mysql server - and even if they could, am I to expect my users to be able to fill in information about the site-specific data schema? Or worse, am I to expect the admins (er, me) to go and configure (and keep updated!) all of my users' email client configs? No Bueno(tm)
I'd like more detail on which aspects of LDAP you think developers would find more difficult? Have you ever coded using php_ldap, JNDI, python-ldap, Net::LDAP....? I've used all of these as a developer, and have found using them to be far simpler than coding against a database in most instances. To tell the truth, the models are fairly similar, and where the differences exist, I believe 9 out of 10 developers would *prefer* LDAP, and the 10th developer probably works for Oracle or something. I'm confident of this because I support developers who have told me as much, and it's usually these developers that I have to keep away from the LDAP server for fear they'll store inappropriate data in the LDAP server because it's so *easy* to code against.
Please clarify your arguments against using LDAP, and cite examples where you've experienced pain with LDAP. It's certainly possible I've missed your point, and I'd love the opportunity to help if I can. :-) -
Why Active Directory?
2006-07-31 10:26:16 javadevdc [View]
Hi,
One thing I'm curious about too is the use of Microsoft Active Directory. I work mostly in open source & Java shops and yet a lot of these environments use Active Directory. When I inquire about it the response is usually Active Directory is a lot easier than OpenLdap. -
Why Active Directory?
2006-07-31 10:35:11 Brian K. Jones |
[View]
Hi again!
Active Directory *is* easier to set up than OpenLDAP, but if that's the only reason for using AD over OpenLDAP, then the decision-making process needs work, IMHO ;-)
AD is different from just about every other LDAP implementation in existence, so when I say "LDAP", I'm careful to separate that from anything having to do with AD, because it's different (surprise!).
There's no reason you can't develop against AD, though - it's just another (non-standard, ms-specific) schema is all. BTW - you can send queries to AD (or any ldap server) using IE (if you like that kind of thing). This is one plugin I can't find for firefox/mozilla, which is ironic since the same company gave birth to the code that later became Sun ONE Directory server, Netscape Server, and now Fedora Directory server.
Oh yeah, I also forgot to copy in the link to the Java LDAP browser in my last post --> http://www-unix.mcs.anl.gov/~gawor/ldap/
-
Ldap or Database (users, roles, etc)
2006-07-31 10:00:19 javadevdc [View]
First off, if you can point me to an easy setup for ldap on debian/Ubuntu and a simple program (preferably in Java) that can access a user and permissions granted to that user that would be great.
Maybe these are myths, but this is what my experience is :
* ldap is different for each implementation. Microsoft Active Directory is not going to be similar to OpenLdap. Someone is not going to up and running with Active Directory or OpenLdap from setup to programming.
* You need someone that specializes in Ldap to set it up; not so with mysql and say JAAS or Acegi. I can set up roles, users and a complex permission system using Spring's Acegi in less than an hour.
* OpenLdap is hard to set up.
>>I believe 9 out of 10 developers would *prefer* LDAP, and the 10th developer probably works for Oracle
As a developer, I would like to easily set up my environment. ldap is not as easy as setting up users and roles in a database.
Oracle has an identity server so they would push ldap.
I'd love to see a getting ldap up and running on linux for busy people.
-
Ldap or Database (users, roles, etc)
2006-07-31 10:29:23 Brian K. Jones |
[View]
>First off, if you can point me to an easy setup >for ldap on debian/Ubuntu and a simple program >(preferably in Java) that can access a user and >permissions granted to that user that would be >great.
If you've never in your life seen LDAP, then I guess its as easy as doing anything else you've never seen before. In other words, "easy" is a relative term. However, a google search turns up two documents you might find helpful.
http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
http://www.openldap.org/doc/admin23/quickstart.html
As for OpenLDAP, I don't personally like it (and I've used it extensively). However, it's harder to tweak to perfection for a production deployment than it is to set up a simple test. See the above link to set up a quick test server. I prefer fedora directory server, but have never tried to build it on a non-RH-based distro. I know users who *have* built it on gentoo and debian though.
>As a developer, I would like to easily set up my >environment. ldap is not as easy as setting up >users and roles in a database.
If the priority is not to do what is necessarily easier for the developer, but to deploy the right application or service in the right way, then sometimes, as a developer, you must learn things that you don't currently have familiarity with in the interest of using the right tool for the job.
If you set up an ldap server once, then back up your data (a one-command process to dump to an ldif file), then future setups are Mind Numbingly Easy(tm)
:-)
If there's more demand for the document you request, perhaps I'll write one myself! Thanks for that input!
-
Ldap or Database (users, roles, etc)
2006-08-14 09:49:08 jblaine [View]
"If the priority is not to do what is necessarily easier for the developer, but to deploy the right application or service in the right way, then sometimes, as a developer, you must learn things that you don't currently have familiarity with in the interest of using the right tool for the job."
Well said.
Ex.
snip ---->>
objectclass ( 1.3.6.1.4.1.15490.2.1 NAME 'objCollege'
SUP top STRUCTURAL
DESC 'object class'
MUST (collegeName $ collegePrincipal $ collegePresident $ collegeSecretary )
MAY (collegeBoardMember ) )
dn: o=college
o: college
objectclass: organization
objectclass: objCollege
objectclass: top
Description: top object class
collegeName: ABC Engineering college
... and the rest follows?
---->><<<
wouldn't it be the same as
dn: o=college
objectclass: top
objectclass: organization
objectclass: objCollege
o: college
Description: top object class
... >> and the rest follows .???