[Charlug] January Meeting

Jared Watkins jared at jaredwatkins.com
Thu Dec 27 19:02:35 EST 2007
Rick Pasotto wrote:
> On Thu, Dec 27, 2007 at 05:01:39PM -0500, Don Parris wrote:
>   
>> As for our topic, I thought I would ride on the coattails of Carla
>> Schroder's new book, 'The Linux Networking Cookbook', and talk a little
>> about OpenLDAP.  This discussion will be aimed at getting up and running
>> with OpenLDAP at a basic level.
>>
>> I will cover:
>> Installing (with some notes on the differences between Debian & Fedora)
>> Organizing the Structure
>> Creating and Modifying Records
>> Using the Database
>> Basic Access Control
>>     
>
> For those of us who have only *heard* of LDAP maybe you could start with
> what it is, where and how and why it is used, competing technologies, etc.
>
>   
I'll throw my two cents in... as I'm probably as close to an ldap expert 
as you will find around here.  Under the heading of what LDAP is... it's 
an object oriented database that stores data in attribute/value pairs 
and it differs significantly from the table structured databases that 
most are familiar with.   The database is optimized for read operations 
and is commonly used to store user specific account information and for 
centralized authentication.

LDAP has schema that define the attributes (which are similar in concept 
to sql columns/data types) and object classes which are containers that 
organize attributes around a common use.  There are several 'standard' 
object classes and associated attributes that provide a lot of utility 
right from the start.  If an organization needs to store types of data 
that are not yet designated as part of the standard schema set then they 
would need to create their own custom attribs and object classes and 
include those in all their user objects.   Attributes can be single- or 
multi-valued. For instance.. the 'mail' attrib is usually single valued 
and there is a second attrib... sometimes called 'mailLocalAddress' or 
'mailAlternateAddress' which is multi-valued and is used to hold 1 or 
more email aliases for a user.  Attribute names are not case sensitive 
but are commonly written mixed case for readability.  LDAP is structured 
in a tree format... using leaf and branch objects.  Different ldap 
servers define these in different ways and that's ok as long as it's 
consistent.   An individual user object is referenced by the DN 
(distinguished name) which contains the full path to the location in the 
tree reading from left to right.. most specific to least specific. 

For instance.. a DN in my personal ldap directory is:  
'uid=tuser1,ou=special users, o=my company'  another that is used for 
different purposes is 'mail=testgroup@domain.com, ou=groups, o=my 
company'.    In my case I use a simple search base of 'o=my company' 
since the whole server is mine and it's fairly small.

The directory can contain any information you want.. organized in any 
way that you want and it is up to the admin to figure out what structure 
best suits the needs.  An ISP I know set up a structure where each domain 
they managed was a branch point in the tree.. with the owners of that 
domain in control of all objects under their branch.   This structure 
makes it possible to set up delegated administration for the tree and 
allows you to break up large trees to multiple servers.  You can also 
set up customized search indexing to speed things up on large systems.

In the course of my work I often have to do mass ldap migrations, tree 
restructuring, automated mass updates and sometimes create a new tree 
from scratch for a company that is moving away from antiquated systems. 
I mostly use perl for this work but also use the open source java 'ldap 
editor' and of course the standard openldap tools.


Thanks,
Jared
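Added example (not part of Jared's post): a small Python parser for the DN format described above, reading RDNs most specific to least specific with case-insensitive attribute names, plus a subtree check of the kind a delegated-administration rule needs. It assumes the RDN attributes use case-insensitive value matching and that no multi-valued ('+') RDNs are in use; the DNs in the test are modelled on the ones in the post.

```python
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value); the type is lower-cased


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, most specific first, honouring backslash escapes.

    Attribute names are case-insensitive, so they are lower-cased; values
    keep their case but lose surrounding whitespace (the post writes DNs
    with a space after each comma). Multi-valued RDNs joined with '+' are
    not handled (assumption: the directory does not use them).
    """
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:        # '\,' or '\=' is a literal character, not a separator
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":    # an unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn sits at or below base_dn (e.g. a delegated branch).

    Compared RDN by RDN rather than by string suffix, so 'xo=my company'
    is not mistaken for a child of 'o=my company'. Values are compared
    case-insensitively (assumption: caseIgnore-style matching, as o, ou
    and uid have in the standard schema).
    """
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base):
        return False
    norm = lambda rdns: [(a, v.lower()) for a, v in rdns]
    return norm(entry[len(entry) - len(base):]) == norm(base)
```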
