LDAP Newbie



schestev
29-Oct-2011, 18:26
What or where would be a good place to start learning how to setup,
configure, and use LDAP on SLES and or OES2 for Novell and third party
applications?
I have tried wading through the documentation, but soon get lost and
confused. Can't sidestep this any longer. Must get it running and
working.

Thanks for any pointers you can provide.


--
schestev
------------------------------------------------------------------------
schestev's Profile: http://forums.novell.com/member.php?userid=22683
View this thread: http://forums.novell.com/showthread.php?t=447515

ab
29-Oct-2011, 19:49

I'd start with setting up an OES 2 server since that comes with
eDirectory which is relatively easy to setup (OES just does it) and
which is the most powerful directory (including an LDAP interface) out
there (no, I'm not biased; it is just the truth). What you then do with
the directory is up to you... users, groups, organizational roles, you
name it.

Good luck.

Bob-O-Rama
29-Oct-2011, 21:46
The "P" in LDAP means Protocol - not much you can do with a protocol...
:-) It's not as if your users will say "Wow, that is one mighty
impressive protocol you have there." Of course there are
-applications- that integrate -with- LDAP. If you have NetWare or OES,
as AB says, you already have it, and by default, it's pretty useful.

To start, get an LDAP browser, like LBE, which will let you see your
Tree as seen by applications that use LDAP. This will tell you what is
/ is not exposed via LDAP. The NDS attribute names are mapped to LDAP
attribute names. So having an LDAP browser is essential. Also CLI
tools like ldapsearch allow you to script things / test from a Linux
shell, for example:


Code:
--------------------
# -x selects a simple bind; without it OpenLDAP's ldapsearch tries a SASL bind
ldapsearch -x -h ldap.foo.edu -D "cn=IMSchmart,ou=Students,o=Academic" -w HisPassword -b "ou=Students,o=Academic" "(cn=IMSchmart)"

--------------------


Lets you log in -as- a given user and see the tree with their rights.
When you perform LDAP integrations, it's usually best to create a special
account for the purpose to limit the application's ability to hose up
your directory (remember, LDAP is a two-way street).

But in all honesty, you can Google your way around most of this. So
the better question: what are you trying to do -with- LDAP? What
applications do you have which can use LDAP? What is the goal of these
efforts?

-- Bob


--
Bob Mahar -- Novell Knowledge Partner
Do you do what you do at a .EDU? http://novell.com/ttp
"Programming is like teaching a jellyfish to build a house."
More Bob: 'Twitter' (http://twitter.com/BobMahar) 'Blog'
(http://blog.trafficshaper.com) 'Vimeo' (http://vimeo.com/boborama) <--
Click And Be Amazed!
------------------------------------------------------------------------
Bob-O-Rama's Profile: http://forums.novell.com/member.php?userid=5269

schestev
31-Oct-2011, 00:56
AB and Bob,
Thanks for your responses and thoughts to my questions. Yes, I have
used web search engines to try and learn more about ldap...I finally
quit with version differences, compatibility issues, features, and terms
that essentially meant little to me. I am willing to try again, but
hopefully with some guidance this time so I can focus on the essentials
needed to get things started. I prefer eating my elephants in bite-sized
chunks rather than one big gulp.

Bob, we are a k12 school district and use several third party
applications, e.g. Moodle, PowerSchool (student information software),
Lightspeed (web content filtering, etc) that through using ldap (so I am
told) will improve functionality, integration, and administration
efficiency.

Since these are all attributes I am looking for to maximize our
administration efforts, I am interested in learning more about ldap and
how to get it working on our network. I have a few Netware machines
still in service, v6.0 and v6.5, and have been stepping into the waters
of SLES 10 and 11. Linux is definitely not within my comfort zone, but
some of it is coming to me little by little as I continue to use it.

The primary purpose in seeking to use ldap in our shop is for
authentication to these third party apps through the use of existing
Novell user accounts. Thus not having to create separate user accounts
for every app we use in our schools that requires a user name and
password.

Bob, you alluded to possible security issues in using ldap. Could you
elaborate on that and ways to minimize security issues? Would using
encryption provide sufficient security protection?

Thanks again.


--
schestev
------------------------------------------------------------------------

ab
31-Oct-2011, 03:51

If you currently have NetWare 6.5 you already have eDirectory, and it
comes with an LDAP interface. eDirectory on SLES will also have the
interface available by default so the next set of details is probably
just configuring your various applications to point to the LDAP
interfaces (basically point to your servers) and make sure you have
everything set up properly on the application side. How that is done
depends on the application but usually it entails giving the application
rights to find users (their full distinguished name (DN)) by their
relative distinguished name (usually a user's CN) and then attempting a
bind with the resulting DN. Where are you in this process? Have you
installed eDirectory on SLES, or tried your applications with your
NetWare's install of eDirectory (and corresponding LDAP interfaces)?

Good luck.
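The search-then-bind flow ab describes above, combined with Bob's advice to give the application its own limited service account, as an added example that is not from this thread or from Novell: the application resolves the CN the user typed to a full DN, then binds as that user. The in-memory FakeDirectory, its sample entries and all function names are constructed for this illustration; against eDirectory or OpenLDAP the same two calls would go through an LDAP client library.

```python
import re

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    login name such as '*' or 'a)(cn=admin' cannot change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)

class FakeDirectory:
    """Constructed stand-in for an eDirectory/OpenLDAP server: {dn: attrs}.
    It understands only the '(cn=...)' filter this example builds."""
    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, filter_str):
        cn = filter_str[len("(cn="):-1]
        # A real server decodes RFC 4515 escapes back to literal characters.
        cn = re.sub(r"\\([0-9a-fA-F]{2})",
                    lambda m: chr(int(m.group(1), 16)), cn)
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and attrs["cn"] == cn]

    def bind(self, dn, password):
        attrs = self.entries.get(dn)
        return attrs is not None and password == attrs["userPassword"]

# Constructed sample data, not a real tree.
SAMPLE_DIRECTORY = FakeDirectory({
    "cn=IMSchmart,ou=Students,o=Academic":
        {"cn": "IMSchmart", "userPassword": "HisPassword"},
    "cn=svc-moodle,ou=Services,o=Academic":
        {"cn": "svc-moodle", "userPassword": "s3cret"},
})

def authenticate(directory, base_dn, login, password):
    """Search-then-bind: return the user's DN on success, None otherwise.
    'directory' is assumed to be a connection already bound as the
    application's own read-only service account (Bob's 'special account')."""
    if not password:
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind, which many servers accept as anonymous -> never treat as login.
        return None
    # Step 1: resolve the RDN (CN) the user typed to a full DN.
    matches = directory.search(base_dn, "(cn=%s)" % escape_filter_value(login))
    if len(matches) != 1:
        return None   # unknown user, or duplicate CNs under base_dn: refuse
    # Step 2: bind with the resulting DN and the user's password.
    return matches[0] if directory.bind(matches[0], password) else None
```

Scoping the search to the students' base DN also means a valid service account elsewhere in the tree cannot be used to log in to the student-facing application.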

jmozdzen
31-Oct-2011, 15:16
schestev,

setting up an LDAP infrastructure using SLES11 is both easy and
complex:

Easy, because you can set up an LDAP server (openldap) with a few
clicks within yast.

Complex, because that initially set up LDAP server won't bring you
anywhere.

LDAP servers are tree-structured databases, accessed via the LDAP
protocol. But as with any database, it's your job to structure the
database and fill in the data. Of course, typically the "end programs"
(like the mentioned Moodle, PowerSchool etc, and even SLES itself) have
their requirements concerning the structure of the database, in order to
use it. And once the database is set up according to that structure, the
programs usually help you fill the database.

A simple sample is SLES itself: Within YaST, you can both set up an
LDAP server and configure SLES to use it to e.g. store account data. The
"passwd" program will automatically change the passwords in the LDAP
directory, PAM will access the info etc.

Things get potentially nasty when you try to "integrate" multiple
applications to use the same database - they have to agree on a common
structure, where all participating programs access a common set of
records.

Within LDAP directories, a "record" (identified by its DN -
"distinguished name") has fields ("attributes") that need to be
described in a schema definition, sort of like a "data type". It's
rather common that a certain application brings its own definitions
with it - fortunately, a single record can reference multiple
definitions. Again an easy example: You can store user accounts in the
LDAP tree, where each user has attributes (the "fields") from the base
account definition, SaMBa definitions and e.g. Postfix mail store
information.

It's your job as the admin to find out what type of information each
application can store / look up in the directory, what definitions are
required and to configure the LDAP server accordingly. Then you define
the tree with all the information you'd like to have stored (partly in
independent trees, partly in combined records) and to configure each
application with the information where in the tree to look up what
information.

Now while this is confusing at first, I recommend starting with setting
up the SLES user accounts within LDAP, using the "standard" locations as
recommended by YaST, and then trying to integrate one application at a
time. That way you have a learning curve not too steep, while still
having moments of success.

Be prepared to re-design your tree after a while, as you notice that
your tree as created so far is sub-optimal and will not allow you to
integrate the application you're looking at at that moment.

And when you have your structure ready & running, you'll notice with
deep concern that you have not yet implemented any security measures -
neither redundancy nor access security. When you
"integrate"/"centralize", you create greater dependency on availability
and integrity of the information provided... typically, access control
goes first: You'll have to decide what part of the tree may be visible
to anyone, what part only to identified users (or even those of a
certain group) and who may update what.

And if you made it there and have even added redundancy and data backup
- then and only then you should actually implement this in a production
environment ;-)

Regards,
Jens

PS: If you're already running OES, you most likely already have the
eDirectory set up - I'm no OES guy, but from what I've read that's the
part I referred to with setting up the LDAP server and using it for SLES
accounts, so you'd have that already.


--
from the times when today's "old school" was "new school" :eek:
------------------------------------------------------------------------
jmozdzen's Profile: http://forums.novell.com/member.php?userid=32246

MoserHans
31-Oct-2011, 16:06
schestev;2149979 Wrote:
> What or where would be a good place to start learning how to setup,
> configure, and use LDAP on SLES and or OES2 for Novell and third party
> applications?
> I have tried wading through the documentation, but soon get lost and
> confused. Can't sidestep this any longer. Must get it running and
> working.
SLES has OpenLDAP slapd as LDAP server. So you can start at 'OpenLDAP
Software 2.4 Administrator's Guide'
(http://www.openldap.org/doc/admin24/)
If you do need more basic info about LDAP, you should e.g. buy a book
on LDAP.


--
MoserHans
------------------------------------------------------------------------
MoserHans's Profile: http://forums.novell.com/member.php?userid=53101

schestev
01-Nov-2011, 22:46
Many thanks for the advice, especially for the in-depth but "chewable
bites" from Jens' post.

I believe I have enough now to start pushing some sand around in
my sandbox.

Thank you also to MoserHans for the recommendation on openldap admin
guide. I will definitely check into what it has to offer. As to buying a
book on LDAP...well, I'm sure there are plenty of books to choose from
ranging from super simple to super complex. The trick for me is to find
the one for my level and easily assimilated.

Perhaps there may even be some decent online training that could be of
help.
If you or anyone else can think of other good resources I can turn to,
I would welcome the input.
Thanks again!


--
schestev
------------------------------------------------------------------------