OpenLDAP components
Basics
At its core:
- LDAP is a database that stores entries.
- entries are assigned attributes
- entries are placed within a tree structure of organizational units (like a file directory tree)
Looking a little closer:
A directory-information-tree defines a hierarchy of arbitrarily nested OUs, which can contain entries.
- SUFFIX: a directory-information-tree suffix is a combination of entries defining the start of a tree. This suffix can be composed of any type of objectclass, but most frequently it is composed of DCs (domain components), and determines the LDAP server's FQDN (ex: `dn: dc=subdomain,dc=example,dc=com` --> subdomain.example.com).
- OU (organizational unit): OUs are like directories. They can be nested within each other, and can contain entries.
- ENTRIES are instances of object-classes (groups of separately defined attributes).
The types of entries that can be used in this tree are defined by the included schemas. A schema defines attributes, and objects which combine pre-defined attributes into a type of information. The same attribute can be used in several different object-classes.
- attributes are defined on their own, but can be used in object-classes.
- object-classes are groups of attributes.
DIT (Directory Information Tree)
The Directory information tree is a filesystem-like tree that organizes entries within OUs for a domain suffix (combination of DCs indicating a domain-name).
```
DIT
 +- suffix                      # combination of entries that determines the top of a new tree (usually domain-components)
    |
    +- ou (Organizational Unit) # typed directories (can be nested)
       |
       +- cn (Common Name)      # entry (bottom-level item; its attributes depend on its type)
```
Despite the implied structure above, you can have multiple levels of OUs.
```
dc=test, dc=com        # test.com
  ou=months
    ou=spring
      cn=march
      cn=april
      cn=may
    ou=fall
      cn=september
      cn=october
      cn=november
```
The dn of one of the months listed above would be
```
dn: cn=september,ou=fall,ou=months,dc=test,dc=com
```
Components:
```
dn: cn=Sam,ou=Finance,dc=companyA,dc=companyB ## (distinguished name) a combination of `RDNs, OUs, and DIT suffix`
                                              ## that indicates a path from the entry all the way to the top of the tree.
dc: companyA                                  ## (domain component) a top-level tree-item
ou: Finance                                   ## (organizational unit) a subdirectory of a dc
cn: Sam                                       ## (common name) a leaf-node in the tree
```
Schemas
A schema is a file that defines attributes and object-classes. You may include multiple schemas in your LDAP server.
Attributes
Attributes are defined separately from object-classes, but can only be used within object-classes. Many of the attributes that you'll use in object-classes will already be defined in built-in schemas (posix-users, windows-users, ...). Unless you have something very specific in mind, you will likely not need to define your own attributes.
All the same, this is what an attribute definition looks like:
```
attributetype ( 2.5.4.41                        # globally unique OID
    NAME 'name'                                 # the name of your attribute
    DESC 'RFC4519: common supertype...'         # description of the attribute's purpose
    SUBSTR caseIgnoreSubstringMatch             # how values are compared during substring match-operations
    EQUALITY caseIgnoreMatch                    # how values are compared during equality match-operations
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} # syntax restrictions (Directory String, max length 32768)
)
```
NOTE:
By default, an attribute may carry multiple values in an entry. If this is undesirable, include the SINGLE-VALUE flag in the attribute definition.
ObjectClasses
Object Classes are containers of attributes. An object-class can determine which attributes are required, and which attributes are optional.
```
objectclass ( 2.5.6.6                       # OID of object-class
    NAME 'person'                           # name of object-class
    DESC 'a single person, user, ...'       # description of object-class
    SUP top                                 # inherit attributes from this object-class
    STRUCTURAL                              # kind of class: STRUCTURAL (an entry's primary type), as opposed to AUXILIARY or ABSTRACT
    MUST ( sn $ cn )                        # required attributes
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description )   # optional attributes
)
```
Object-classes can inherit from multiple other object-classes; this inherits both the required and optional attributes. Inheriting from top means this is a top-level object-class (it does not inherit from any other object-class).
Entries
Entries are instances of object-classes. A single entry can be of multiple object-classes.
```
dn: {an RDN attribute from class},ou=people,dc=prefix,dc=example,dc=com
objectclass: {object-class of this entry}
{attribute values, determined by objectclass}
```
For example:
```
dn: sn=Ellingwood,ou=people,dc=digitalocean,dc=com
objectclass: person
sn: Ellingwood          # class person's sn attribute
cn: Justin Ellingwood   # class person's cn attribute
```
An object-class can offer several attributes that may serve as the RDN, but whichever one is used, the RDN must be unique among the entries at the level where it is used.
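As an added example (not part of the original notes), the following Python checks a constructed LDIF entry against the `person` object-class definition above: MUST/MAY attributes, inheritance via SUP, the SINGLE-VALUE flag, and the requirement that the RDN be one of the entry's own attribute values. The schema table is a hand-written subset of the core schema, and treating telephoneNumber as SINGLE-VALUE is an assumption made for the demo only.

```python
# Added example, not from the original notes: check a constructed LDIF entry against the object-class
# rules above (SUP inheritance, MUST, MAY, SINGLE-VALUE, RDN present as an attribute value).
# OBJECTCLASSES is a hand-written core-schema subset; SINGLE-VALUE on telephoneNumber is assumed here.
OBJECTCLASSES = {  # object-class -> (SUP, MUST, MAY), attribute names lower-cased
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"}, {"userpassword", "telephonenumber", "seealso", "description"}),
}
SINGLE_VALUE = {"telephonenumber"}  # assumed for this example only, not how core.schema defines it
SAMPLE_OK = """dn: sn=Ellingwood,ou=people,dc=digitalocean,dc=com
objectClass: person
sn: Ellingwood
cn: Justin Ellingwood"""
SAMPLE_BAD = """dn: cn=Sam,ou=Finance,dc=companyA,dc=companyB
objectClass: person
sn: Smith
mail: sam@example.test
telephoneNumber: 555-0100
telephoneNumber: 555-0101"""

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines and '#' comments; no base64 or line folding."""
    entry = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def allowed_attrs(classes):
    must, may = set(), set()
    for oc in classes:  # union of MUST and MAY over all classes, including everything inherited via SUP
        while oc is not None:  # e.g. person -> top -> None
            sup, m, o = OBJECTCLASSES[oc]
            must, may, oc = must | m, may | o, sup
    return must, may

def validate(entry):
    classes = [oc.lower() for oc in entry.get("objectclass", [])]
    problems = [f"unknown objectclass {oc}" for oc in classes if oc not in OBJECTCLASSES]
    must, may = allowed_attrs([oc for oc in classes if oc in OBJECTCLASSES])
    for attr, values in entry.items():
        if attr != "dn" and attr not in must | may:
            problems.append(f"attribute {attr} not allowed by the entry's objectclasses")
        if attr in SINGLE_VALUE and len(values) > 1:
            problems.append(f"{attr} is SINGLE-VALUE but has {len(values)} values")
    problems += [f"missing required attribute {a}" for a in sorted(must - set(entry))]
    rdn_attr, rdn_val = entry["dn"][0].split(",")[0].split("=", 1)  # first RDN only, no escaping
    if rdn_val not in entry.get(rdn_attr.lower(), []):
        problems.append(f"RDN {rdn_attr}={rdn_val} is not an attribute value of the entry")
    return problems
```

`validate(parse_ldif(SAMPLE_OK))` returns an empty list, while `SAMPLE_BAD` reports the missing cn, the disallowed mail attribute, the duplicated telephoneNumber and the RDN that matches no attribute.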
ACLs
ACLs are how you configure which attributes are readable/writable by which users. An ACL can target either the DN of a specific part of the tree or a filter on objectclasses, and on that basis restricts which categories of users may access the information stored in the LDAP server.
OpenLDAP documentation about ACLs: http://www.openldap.org/doc/admin24/guide.html#Basic%20ACLs
References
Very Informative:
- https://www.digitalocean.com/community/tutorials/understanding-the-ldap-protocol-data-hierarchy-and-entry-components
- https://www.centos.org/docs/5/html/CDS/ag/8.0/Configuring_Directory_Databases-Creating_and_Maintaining_Suffixes.html
- http://www.zytrax.com/books/ldap/ch5/step2.html#step2 (ACLs)