Basic theory of ldap
OpenLDAP can be used to store information in tree type fashion. Difference between an RDBMS and LDAP is that data in RDBMS is organized in rows and columns whereis data in LDAP is organized in tree structure. Also, RDBMS are suitable for add, delete, modify, etc. whereas LDAP is optimized for large number of reads and very few modifications or write. OpenLDAP simplies authentication to great extent so that users need to be created only at single place for many different applications.
LDAP servers can be connected to each other to serve a larger tree of information. We can also setup secondary servers where information or database of primary server gets replicated. To obtain information client binds with the server (anonymous binds are supported) and submits request for obtaining or changing information. To populate initial entries we can configure a 'rootdn' and 'rootpw' which helps in adding initail values. This 'rootdn' may not necessarily exist in database.
Some terminology used in LDAP notes or configuration
|DIT||DIT stands for Directory information tree. Entire LDAP database information organized in tree fashion is called DIT.|
|dn||dn stands for distinguished name. Every entry in DIT must have a unique dn so that it can be uniquely identified. Example dns are 'dc=sbarjatiya,dc=com' or 'ou=People,dc=sbarjatiya,dc=com' etc.|
|dc||dc stands for domain component. It is usually used to define base of DIT. For example for sbarjatiya.com we would have base dn, that is, top most node in DIT as "dc=sbarjatiya,dc=com". Similarly for rekallsoftware.com we have basedn as "dc=rekallsoftware,dc=com". All other nodes in DIT are then children of this basedn. Note that although we specify basedn in '/etc/openldap/slapd.conf' configuration file along with 'rootpw' and 'rootdn', we again need to create an entry for same in DIT.|
|attribute||attributes are various fields for which values can be given to every tree node. For example if node in DIT tree represents a person then address, phone number, email address, password etc. can be attributes for that node. For every node few attributes are required and must be specified. The exact attributes required depend upon type of node. But for any node at least dn should be specified to recognize it uniquely in entire DIT|
|objectClass||a node must belong to at least one objectClass. It is possible for node to belong to many different objectClasses. objectClasses can be derived from other objectClasses as child classes. Child classes support attributes of all parent classes. By creating classes we can group attributes. For example objectclass account is defined in file '/etc/openldap/schema/cosine.schema' such that every object that belongs to account class must have attribute 'userid' defined. Moreover any object of class account can also have other optional attributes such as organizationName, description, host etc. too. Each objectClass can have some other objectClass as parent. The top-most objectClass is called 'top'.|
|schema||schema files are used to define various types of attributes possible and then also group them into objectClasses. By grouping attributes into classes we can enforce some rules such as this attribute must be specified etc. Schema files are present in '/etc/openldap/schema' folder.|
|rootDSE||dn of top-most entry in DIT is called base or base-dn. Entire top-most entry is called rootDSE. All other entries are created as children of rootDSE.|
Short-names of various important attributes are:
|Short name||Full name|
|dn||Distinguished name. This attribute is required for all entries|
|userPassword||userPassword. Used to store userpassword|
Note: To find full-name of anyother attribute user 'grep <attribute_short_name> * | grep attributetype' command in '/etc/openldap/schema' folder
Types of objectClass
There are three types of objectClasses:
- Only top-most object class is ABSTRACT. All other object-classes are sub-classes of top-class. This is simlar to object class in object oriented programming where all objects are automatically inherited from object class
- Auxillary object-classes can be used to add more attributes to an entry, but it is not possible to create an entry which just belongs to one or more Auxillary classes. Every entry must have at least one Structural objectClass.
- Structural classes like Auxillary classes can be used to group attributes. But structural classes are complete in the sense that we can create entries in DIT which belong to an structural class. The same entry can also belong to other structural or auxillary classes.}}
It should be noted that if an objectClass 'C1' is derived from other class 'P1', where class 'P1' has an required attribute 'A1' and optional attribute 'A2'. Then the class 'C1' also automatically has an required attribute 'A1' and an optional attribute 'A2' as it is derived from 'P1'.