Essential System Administration, 3rd Edition

Top Five Open Source Packages for System Administrators

by Æleen Frisch, author of Essential System Administration, 3rd Edition

This is the second installment of a five-part series in which I introduce my current list of the most useful and widely applicable open source administrative tools. These tools can make your job easier no matter what Unix operating system your computers run.

#4: LDAP

LDAP has been a hot new topic in system administration for several years now. LDAP provides a directory service which can be used for storing and querying information about the individuals in an organization (e.g., employees). The range of information that can be made available in this way is quite broad: traditional telephone or other institutional directory data (office location, phone numbers, and the like), Unix user account data, more personal data such as home telephone numbers and photographs, along with any other site-specific data that may be appropriate. In this installment, we'll look at the services that LDAP can provide.

LDAP, as its full name (Lightweight Directory Access Protocol) indicates, is a protocol that supports a directory service. A directory service functions somewhat like a database, but it differs from traditional relational databases in several ways:

  • It is optimized for reading; adding and updating entries may be expensive.

  • It provides advanced searching features.

  • Its fundamental data structures, collectively known as the schema, can be extended according to local needs.

  • It adheres to published standards, specifically a series of RFCs, to ensure interoperability among vendor implementations.

  • It takes advantage of distributed storage and data replication techniques, allowing it to scale efficiently.

Because of these advantages and others, LDAP is replacing NIS as the enterprise user account and authentication service of choice.

In order to emphasize these differences with respect to standard relational databases, different terminology is used to name a directory service's data structures: records are referred to as entries, and each field within a record is known as an attribute.

Note: Although the term LDAP is used very loosely in common practice, it actually refers only to the protocol by which data stored in the directory is accessed (implemented in a daemon). The actual database capabilities are provided by a separate back-end program or package.

LDAP was first implemented at the University of Michigan in the early 1990s. There are many commercial LDAP servers available. In addition, OpenLDAP is an open source implementation of LDAP based on the work done at Michigan. OpenLDAP is used by default on Linux and BSD operating systems, and it can be used on most Unix systems. At some points we will use it as an example.

About Schema

LDAP objects are standardized in order to provide interoperability with a variety of directory server implementations. An LDAP schema defines the list of possible entry types, known as object classes, along with the attributes associated with each one. Schema definitions are stored in files. For OpenLDAP, the schema files are located in the /etc/openldap/schema subdirectory.

The attributes themselves are defined in terms of their data type and format, comparison method, and the like. Within an object class, attributes can be required or optional. The same attribute can be part of more than one object class.

Object classes are arranged hierarchically, with the top object class at the root of the tree. First level object classes are children of this class, and lower level object classes are their descendants. Child classes automatically contain all the attributes of the parent class.

A directory entry can be in multiple object classes, as in the following example record for Daphne Frisch:

# Distinguished name (key field) and object classes for this directory entry:
dn: cn=Daphne Frisch,ou=Pets,dc=ahania,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
# Attributes from the person object class:
sn: Frisch
cn: Daphne Frisch
telephoneNumber: 555-1212
userPassword: {crypt}meeoooowww
description: Toy chaser and purrrring fuzz ball
# Attributes from the organizationalPerson object class:
ou: Pets
title: HRH
street: 125 N. Main Street
postOfficeBox: 4224
st: CT
postalCode: 06512
facsimileTelephoneNumber: 888-555-1212
# Attributes from the inetOrgPerson object class:
departmentNumber: 14
employeeType: permanent
givenName: Daphne
initials: DF
jpegPhoto: daphne.jpg
audio: daphne.wav
homePhone: 555-2121
pager: Opening the toy cabinet
preferredLanguage: Fenglish
userCertificate: certs/df_cert.pem

The data format in the example record is known as LDIF (LDAP Data Interchange Format). It is organized as a series of colon-separated attribute and value pairs. For example, the attribute telephoneNumber has the value 555-1212, and an attribute such as objectClass may appear several times when it has several values. The annotation lines in the record indicate which object class each group of attributes comes from.

The Ldap Schema Viewer provides a very convenient interface for exploring standard LDAP schema objects. One of the most flexible features of LDAP is that the schema is extensible. Sites can add object classes and attributes as desired to fulfill their unique needs.
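As an added example (not code from the article or from OpenLDAP), the following Python script parses an LDIF record like the one above into per-attribute value lists, then applies the object class inheritance described earlier (top, person, organizationalPerson, inetOrgPerson) to check that each entry carries the attributes its classes require and none they do not permit. The SCHEMA table is a hand-written, abbreviated subset of the standard definitions for those three classes, and SAMPLE_LDIF is constructed sample input; both are assumptions for illustration, not anything loaded from /etc/openldap/schema. It also reports the storage scheme prefix of any userPassword value, which is worth checking before importing an LDIF dump into a live directory.

```python
# Added example, not the article's or OpenLDAP's code: a minimal LDIF parser plus
# a schema-inheritance check. SCHEMA is a hand-written, abbreviated subset of the
# standard person/organizationalPerson/inetOrgPerson classes (an assumption for
# illustration; a real server reads the full definitions from its schema files).
import base64

# object class -> (parent, required attributes, optional attributes);
# a child class inherits every attribute of its ancestors.
SCHEMA = {
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"sn", "cn"}, {"userPassword", "telephoneNumber", "description"}),
    "organizationalPerson": ("person", set(), {"title", "ou", "street", "postOfficeBox",
                                               "st", "postalCode", "facsimileTelephoneNumber"}),
    "inetOrgPerson": ("organizationalPerson", set(), {"departmentNumber", "employeeType",
                      "givenName", "initials", "jpegPhoto", "audio", "homePhone", "pager",
                      "preferredLanguage", "userCertificate", "mail"}),
}

# Constructed sample: the first record mirrors the article's entry (with a folded
# line and a base64 value added); the second omits the required 'sn' attribute
# and carries 'mail', which a plain 'person' entry does not allow.
SAMPLE_LDIF = """\
# comment lines are ignored
dn: cn=Daphne Frisch,ou=Pets,dc=ahania,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Frisch
cn: Daphne Frisch
telephoneNumber: 555-1212
userPassword: {crypt}meeoooowww
description: Toy chaser and
  purrrring fuzz ball
givenName:: RGFwaG5l
homePhone: 555-2121

dn: cn=Broken Entry,ou=Pets,dc=ahania,dc=com
objectClass: person
cn: Broken Entry
mail: broken@example.com
"""

def parse_ldif(text):
    """Parse LDIF into a list of entries (dict attr -> [values]); handles '#'
    comments, folded lines (leading space), multi-valued and base64 ('::') attrs."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:    # continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():                   # a blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # 'attr:: base64value'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries

def inherited_attributes(object_class):
    """Collect required and optional attributes by walking up the class tree."""
    required, optional = set(), set()
    while object_class is not None:
        parent, must, may = SCHEMA[object_class]
        required |= must
        optional |= may
        object_class = parent
    return required, optional

def check_entry(entry):
    """List schema problems: missing required attributes and attributes that
    none of the entry's object classes (or their ancestors) permit."""
    problems, required, allowed = [], set(), {"dn"}
    for oc in entry.get("objectClass", []):
        if oc not in SCHEMA:
            problems.append("unknown objectClass " + oc)
            continue
        must, may = inherited_attributes(oc)
        required |= must
        allowed |= must | may
    problems += ["missing required attribute " + a for a in sorted(required - set(entry))]
    problems += ["attribute " + a + " not allowed by object classes" for a in entry if a not in allowed]
    return problems

def password_scheme(entry):
    """Storage scheme prefix of userPassword ('{crypt}', '{SSHA}', ...),
    'cleartext' if the value has no prefix, None if the attribute is absent."""
    values = entry.get("userPassword")
    if not values:
        return None
    value = values[0]
    return value[: value.index("}") + 1] if value.startswith("{") and "}" in value else "cleartext"

if __name__ == "__main__":
    print([(e["dn"][0], check_entry(e), password_scheme(e)) for e in parse_ldif(SAMPLE_LDIF)])
```

Run stand-alone, the script reports the first entry as clean with a {crypt} password scheme and flags the second for its missing sn and its disallowed mail attribute. The inheritance walk in inherited_attributes is the point of the example: an inetOrgPerson entry needs sn and cn only because it inherits them from person, exactly as the text describes for child classes.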
