Demystifying LDAP
Pages: 1, 2
A Closer Look at LDAP Data
It's extremely important when learning about LDAP and how it deals with data to separate the structure (or topology) of the data from the definitions of the objects themselves.
Simply, the structure of LDAP data is a hierarchical collection of objects. Objects can represent anything from people to printers and take their places within the hierarchy using whatever logic you like.
Objects?
Yes, objects. Each object has a list of attributes associated with it that describe that particular object. When you add or delete an object, make a request for an object, or change the value of an object's attribute, you do so solely using the LDAP protocol. In short, LDAP exists to manipulate or fetch data about objects.
Hierarchical?
The layout of the data in an LDAP directory is the Directory Information Tree (DIT). You can customize it to the needs of your organization, but it's still a hierarchical tree structure. This tree is not dissimilar to a typical filesystem; there's a "top" or "root" directory, under which are high-level objects (directories in a filesystem). Those help you to categorize the lower level objects that you're really interested in (in a filesystem, these are the files themselves).
Suppose you want to store information about people using a hierarchical collection of objects. Viewing things as a filesystem, you could create a /People directory, and under that, create a file--/People/jonesy. That file contains attribute name and value pairs to describe "jonesy." One attribute might be "firstname," with a value of "Brian." Save the file, and create a new one for each person. Eventually, you have a filesystem that looks something like:
/People
jonesy
mary
tom
janeOf course, your organization might have slightly different needs. Because the structure of the DIT is completely up to you, you might choose something more like:
/People
/Engineering
jonesy
mary
/Accounting
tom
jane
/IT
fred
mark
/Groups
mygroup
yourgroupNotice that, of course, I can have more than one high-level object, representing a different type of object I want to store data about. In this case, I've stored information about People and Groups. I can also have as many subtrees as I wish, arranged in any order I want.
A Peek at a Person
Just to whet your appetite, here's a quick look at a request for a "person" object. It's actually a fake account entry from our departmental LDAP server that I've changed to look like a typical "person" object that systems use to authenticate users. The request comes from a Linux workstation running the OpenLDAP client utility ldapsearch.
$ ldapsearch -x '(uid=ajonesy)'
dn: cn=ajonesy,ou=People,dc=cs,dc=princeton,dc=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: inetLocalMailRecipient
objectClass: shadowAccount
objectClass: jabberUser
cn: ajonesy
uid: ajonesy
uidNumber: 30406
homeDirectory: /u/ajonesy
sn: Jones
givenName: Brian
roomNumber: 101B
displayName: Brian Jones
facsimileTelephoneNumber: 1113
gecos: Brian K. Jones, GUEST, 6080
mail: ajonesy@cs.princeton.edu
telephoneNumber: 6080
loginShell: /bin/bash
gidNumber: 931
description: GUEST
labeledUri: http://www.cs.princeton.edu/~ajonesyThe output format is LDAP Data Interchange Format (LDIF). As you can see, LDIF is a way to make pointy-haired bosses recoil in fear at what amounts to key-value pairs. The very first line in the entry is the dn (distinguished name). The value of that attribute uniquely identifies this object among all of the objects in the directory. After that are a list of objectclass attributes, each having a different value. What those values point to are objectclass definitions which exist in human-readable schemas that the server daemon has read. The definitions of the objectclasses consist mainly of a list of attribute definitions, followed by a statement saying "if an object is of this objectclass, it MUST have these attributes, and it MAY also have these attributes."
Schemas get only slightly more complicated than that if you want to create your own objects or entire schemas. For most, just understanding that using an objectclass implies the use of certain attributes will do just fine.
Lest you think that all of this data must necessarily come at you in the form of a whole object and nothing else, there are a couple of quick notes to make. First, notice that there's no userPassword attribute in the above output. That isn't because I've sanitized the output, it's because the user account used to perform the search that returned this object doesn't have sufficient rights to see this user's password. Second, I could alter my search command to return, say, only ajonesy's roomNumber attribute:
$ ldapsearch -x '(uid=ajonesy)' roomNumber
dn: cn=ajonesy,ou=People,dc=cs,dc=princeton,dc=edu
roomNumber: 101BYou can see how this is likely to dramatically reduce the amount of time needed to retrieve, say, the room numbers for the 3,000 people in your Los Angeles headquarters.
Stay Tuned!
This article has just scratched the surface of LDAP, but hopefully by now you're better able to visualize your directory service and its data. The next part will take a closer look at the definition of objects that live in the directory themselves, and how to create and access objects and their attributes with code.
Brian K. Jones is an infrastructure architect, and system/network/database administrator, and co-author of Linux Server Hacks, Volume Two .
Return to O'Reilly SysAdmin
Showing messages 1 through 7 of 7.
-
objectClass inheritance order
2007-02-01 08:20:33 fredcwbr [View]
-
LDAP and an existing application
2007-01-23 10:22:22 ja.rei [View]
The answer to this question may be simple, but I am ignorant, so please bear with me.
Here's the situation - We are a small shop with a client/server application, developed in PowerBuilder, that we ported to the web using
Java 2SE. Many of our customers are using LDAP and want us to use it for user authentication.
Questions:
1.Does it matter what kind of LDAP server the customers are using?
2.Is there any freeware available to get the app to talk to the server?(Java)
3.What technical information do I need to gather from the customers?
-
What is LDAP ill suited for?
2006-08-10 08:13:41 fivesticksop [View]
The introduction starts with the idea that LDAP is good some places and "completely inappropriate for yet another batch of problems". I'd love to see more on the problems that LDAP is ill suited toward solving.
-
LDAP and RDBMS
2006-08-09 07:26:49 mentata [View]
While I agree with the premise and am always happy to see LDAP illuminated, I have long espoused my own view as to why one might develop applications with directories:
http://www.mentata.com/ldaphttp/why/ldap.htm
In contrast, the standard schema argument presented in the article seems particularly weak because there are literally thousands of published schema available but only a handful that are used across implementations with just a few attributes of consistent relevance.
The most common reason I perceive developers prefer an RDMBS to a directory is familiarity. If they were well-versed in both, they would actually understand that a directory is significantly simpler and easier to manage. An RDBMS has strictly more capability, but it comes at a complexity cost that gets partially masked by training and tools. An enterprise data warehouse does demand an RDBMS, but will usually also demand at least one dedicated DBA.
On the other hand if your application doesn't involve multi-join queries, your system doesn't require rollback, and data retrieval will be more common than change, I argue a directory could be the basis of a very nice solution even where the application deals with things beyond people.
And nothing precludes dumping summary information from the directory into your RDMBS for other needs. The reality is that production directories and relational databases are *both* running in most every mid to large size organization, even though their coexistence is most often coincidental. I think it would be better to see them deployed in pre-meditated architectures that play to their complementary strengths.
See you again on the next installment.
-
LDAP is harder to program than using an ORM like Hibernate
2006-08-08 21:21:33 ozgwei [View]
I had to use LDAP in a Java project.
I found it pretty difficult to program with LDAP for the following reasons:
1) Not many tutorials, including this one, explains core concepts in depth, such as dn, cn, dc, etc... And I don't have the time to read the LDAP specification. So I tried by making mistakes. The project worked but the LDAP part of it was the most unsure bit I felt about it.
2) Not many good examples could be found showing how to program using LDAP for user management. I had to use the raw LDAP API.
3) From the object-oriented point of view, there is no abstraction layer, provided either by Sun or open source for user management using LDAP. Instead of working with a User object conforming to Java Bean specification, I had to work with Context, ModificationItem, SearchControls, Attribute, Attributes, BasicAttributes, NameParser, NamingEnumeration and many Exceptions. And, the javadoc from Sun expects the reader to be an LDAP expert. On the other hand, using an Object-Relationa Mapping (ORM) packages, such as Hibernate or the new Java Persistence API (JPA) is much more easier. Combining Hibernate and Spring, many DB access codes are just one-liners. (The application is likely to use Hibernate and/or Spring for data access anyway...)
4) The Java JNDI API has no rollback. It gave me a lot of headaches when a transaction failed, the database rolled back except JNDI.
5) About the security, LDAP can protect data stored in the LDAP server. However, it cannot protect data in your applications. Developers need to consult LDAP before granting access in the applications. Acegi Security, on the other hand, can handle complex access control, even over domain objects or enquiry results, without writing a line of programs.
So in short, if the user management is pretty standard, with limited number of users and manually managed by a sysadmin, it's OK to use LDAP for user management.
However, if you have tens of thousands of users, and you want fine management over users, allowing help desks to manage users instead of asking sysadmin, you should use the database solution, preferrably with an ORM package.
Above is my personal experience and feeling towards LDAP with my limited knowledge about LDAP.
Perhaps, more efforts should be made for developers to understand LDAP more easily and program with LDAP more efficiently... I'd like to see an abstraction over LDAP for user management that suffices most user management needs with extension points to customise to each organisation's needs...
Just my 2 cents.
-
Great article!
2006-07-31 20:31:37 gusphin [View]
Hi, is it possible to implement ldap for a non-corporate website, let's say, an online store or somethin' simplet to do the user autenticathion, or is ldap only for complex schemas?
-
Ldap or Database (users, roles, etc)
2006-07-31 07:53:58 javadevdc [View]
I'm not convinced it is cleaner or easier to implement an ldap server as opposed to a mysql server running with users, roles, etc.
If the user provisioning service that is implemented in mysql is well documented, I don't see the advantage ldap has over the database.
I also think ldap is much more difficult for programmers than giving them and api and a model of the users and roles.
Ex.
snip ---->>
objectclass ( 1.3.6.1.4.1.15490.2.1 NAME 'objCollege'
SUP top STRUCTURAL
DESC 'object class'
MUST (collegeName $ collegePrincipal $ collegePresident $ collegeSecretary )
MAY (collegeBoardMember ) )
dn: o=college
o: college
objectclass: organization
objectclass: objCollege
objectclass: top
Description: top object class
collegeName: ABC Engineering college
... and the rest follows?
---->><<<
wouldn't it be the same as
dn: o=college
objectclass: top
objectclass: organization
objectclass: objCollege
o: college
Description: top object class
... >> and the rest follows .???