Using OpenLDAP for Remote Authentication
6 January 2012
LDAP (Lightweight Directory Access Protocol) provides a standard way of accessing directories that can contain hierarchical information for anything from address books to authentication data. OpenLDAP, the open source implementation of LDAP, is robust and competitive with commercial products such as Microsoft’s Active Directory. If you’d like to see some of its benefits for yourself, here’s an introduction to the software and instructions on how to implement OpenLDAP as an authorization server.
OpenLDAP is designed to work with data that does not change frequently. Its default database back end, Berkeley DB, is optimized for searches and reads, and utilizes caching. OpenLDAP supports other database back ends, such as MySQL, but they cannot compete in terms of performance with Berkeley DB.
Before you work with OpenLDAP, you need a basic understanding of its terminology. RFC 4519 describes LDAP’s object attributes in detail, and this glossary is another good reference, but here are a few concepts that will help you get started.
In the root of LDAP’s directory is the DSA-Specific Entry (DSE), a.k.a. RootDSE. This is the top-level entry, which holds the base information about the server, such as its domain and capabilities.
Every entry in the LDAP directory is uniquely identified by a Distinguished Name (DN), a combination of strings that together identify the entry. The server also assigns an Unambiguous Identifier (UUID) to each entry, because a DN may change – for instance, when a DN includes the family name of a female employee who marries and changes her name. In such situations, the connection to the entry would be lost if there were no UUID. A Relative Distinguished Name (RDN) comprises an entry’s attributes followed by the DN of the parent entry.
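To make the DN, RDN and rename scenario concrete, here is an added Python example (not code from the original article) that parses DN strings into their RDNs following the RFC 4514 string representation, splits off the leaf RDN from the parent DN, and builds the DN an entry receives after its leaf RDN is changed, as in the surname-change case above. It shows that the leaf RDN followed by the parent entry's DN forms the full DN. It runs offline against constructed sample DNs and needs no LDAP server; the function names and sample values are this example's own.

```python
"""Parse and compose LDAP Distinguished Names (DNs) per RFC 4514.

Added illustration; it is not code from the original article and does not
talk to an LDAP server. Sample DNs below are constructed for demonstration.
"""
import string
from typing import List, Tuple

# Characters that must be backslash-escaped wherever they occur inside an
# attribute value (RFC 4514 section 2.4); '=' is included because escaping
# it is permitted and keeps the output unambiguous.
SPECIAL = set('"+,;<>\\=')


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep, ignoring separators preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\XX' hex pairs -> raw UTF-8 bytes."""
    out, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.extend(bytes.fromhex(pair))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        out.extend(ch.encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def escape(value: str) -> str:
    """Escape an attribute value so it can be embedded safely in an RDN."""
    chars = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch == "\x00":
            chars.append("\\00")
        elif ch in SPECIAL or (ch == "#" and idx == 0) or (ch == " " and idx in (0, last)):
            chars.append("\\" + ch)
        else:
            chars.append(ch)
    return "".join(chars)


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Return the DN as a list of RDNs, leaf first; each RDN is a list of (type, value)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):   # '+' joins a multi-valued RDN
            attr_type, _, raw = ava.partition("=")
            avas.append((attr_type.strip().lower(), unescape(raw.strip())))
        rdns.append(avas)
    return rdns


def rdn_and_parent(dn: str) -> Tuple[str, str]:
    """Split a DN into its leaf RDN string and the DN of the parent entry."""
    parts = split_unescaped(dn, ",")
    return parts[0], ",".join(parts[1:])


def rename_leaf(dn: str, attr_type: str, new_value: str) -> str:
    """Build the DN an entry gets after its leaf RDN changes (e.g. a surname change)."""
    _, parent = rdn_and_parent(dn)
    new_rdn = f"{attr_type}={escape(new_value)}"
    return new_rdn if not parent else f"{new_rdn},{parent}"


if __name__ == "__main__":
    sample = "cn=Doe\\, Jane,ou=People,dc=example,dc=com"   # constructed sample DN
    print(parse_dn(sample))
    print(rdn_and_parent(sample))
    print(rename_leaf(sample, "cn", "Smith, Jane"))
```

The escaping matters beyond correctness: a value taken from user input (a display name containing a comma, for example) that is concatenated into a DN without `escape()` silently changes where the entry sits in the tree, which is exactly why the server's UUID, rather than the DN, is the stable handle for an entry.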