OpenLDAP is a directory solution that is rapidly being adopted. However, the reasons for this rapid adoption are quite different from the reasons Active Directory was rapidly adopted. Open-LDAP embraces the open source philosophy of software development. In addition, development of OpenLDAP is on a volunteer basis, and the software is available free of charge. This combination of philosophical differences appeals to many organizations, and it has rapidly made OpenLDAP a major contender in the directory space.
OpenLDAP embraces the open source philosophy
The OpenLDAP directory server is OS independent
The OpenLDAP Server is unlike Active Directory in another way. OpenLDAP is not oriented or even tied to a specific network operating system. Because the OpenLDAP code base is open source, anyone is welcome to port the code to an operating system, compile, and implement it. This kind of operating system independence represents a movement within the directory space that other vendors, including traditional NOS vendors like Novell, are embracing.
OpenLDAP targets general functionality, which appeals to a wider audience
Although some vendors implement an LDAP directory primarily to support a NOS, this is not the primary aim of OpenLDAP. OpenLDAP is focused on implementing the LDAP standard and directory features that are useful to a wide audience, instead of enabling platform-specific technology. This approach may be especially relevant for organizations in which a significant portion of the clients of the directory don't interoperate well with specific network operating system features. In addition, directory implementation features are simpler to understand and explain.
The OpenLDAP code has a positive history, and it lends itself to flexibility
The OpenLDAP server code base comes out of the open source University of Michigan code that pioneered the LDAP standard. Some organizations still run this University of Michigan code. Migration to OpenLDAP will be appealing to these organizations because of the larger customer base and contemporary development. Additionally, the OpenLDAP server code has a high degree of component interchangeability. Having interchangeable components supports a higher degree of flexibility. For example, being able to select the authentication module or database of your choice, instead of being limited to your vendor's choice, is a valuable benefit.
Two processes are at the heart of the OpenLDAP server
OpenLDAP has two special processes—slapd and slurpd—that are central to understanding how the directory server functions. Both these special processes come from the University of Michigan code; and because the Michigan code came first, several other LDAP directory servers also have them. This similarity might be considered a benefit by directory administrators who are familiar with LDAP.
The slapd process handles the LDAP operations
The slapd process runs the DSA and processes client operations. The behavior of the slapd process is easily controlled via a text configuration file. The slapd configuration file holds a great deal of importance for operation of the OpenLDAP server.
The slurpd process handles replication
The slurpd process is used to replicate partitions between two servers running the slapd process. The slurpd process works in conjunction with the local slapd process, reading all changes that the slapd process commits out of a special log file, and sends corresponding modify operations to the remote slapd process. One way of thinking of the slurpd process is as a harvester that uses a log file.
The client library is popular because it is openly developed
In addition to the OpenLDAP server software, the OpenLDAP client library is becoming a rising star among LDAP client libraries. This is largely because open feedback and development generates a greater amount of active development and peer use. The OpenLDAP effort is also known for adhering closely to the LDAP standards and not implementing proprietary additions. Using the OpenLDAP client library to create a piece of code means that it should work with any LDAP server.
Version releases are frequent
The OpenLDAP solution is a constantly moving target because the latest version is sometimes released on a weekly or monthly basis. This frequency makes it difficult to cover the feature set without being outdated by press time. To accommodate this timing issue, I've taken a little liberty in mentioning functionality that hasn't been implemented yet but is planned in the near future at the time of writing. The OpenLDAP group tests each release for stability and also announces the latest stable release, so instable releases can be avoided.
OpenLDAP supports using DNS for directory service location
Thankfully, by default OpenLDAP does not implement a complex namespace. The OpenLDAP namespace follows the existing LDAP standards described earlier. OpenLDAP leverages DNS in its namespace per RFC 2247 and supports using DNS SRV records to locate directory servers.
OpenLDAP hosts a root server to provide referrals for LDAP service location
In fact, OpenLDAP has taken the DNS SRV record functionality to its logical conclusion, in RFC 3088. RFC 3088 provides a mechanism to begin tying together all the LDAP servers on the Internet. OpenLDAP runs a special root server,root.openldap.org, which, given an RFC 2247 DN string, will determine whether there is a DNS SRV record for the server indicated by the string.
If so, the root server returns an LDAP URL directed to this server.
Your directory can use the OpenLDAP root server
Obviously, this service works correctly only when the destination LDAP server has the appropriate SRV record. So for example, assume you submitted a DN of dc=mycompany,dc=com
to the special root server. The root server would generate a DNS query for the SRV record _ldap._tcp.mycompany.com
. If the DNS query returned a valid record that pointed atserver1.mycompany.com, the root server would generate an LDAP URL of ldap://server1.mycompany.com/
. An administrator for an LDAP server can direct its default external referral reference to this special server and know that requests for an entry outside the namespace of the local LDAP server will be properly referred to the correct LDAP server.
Multiple naming contexts are allowed, and each corresponds to a separate database
An OpenLDAP server can have multiple naming contexts. Generally speaking, each naming context has a separate database. In reality, multiple suffixes can be associated with a single database, but the OpenLDAP team discourages this practice. You can potentially use different kinds of databases on the same OpenLDAP server, but there is little practical reason to do so.
Design flexibility is created by separating each naming context into a separate database
Because each naming context is a separate database, greater design flexibility is possible. For example, each naming context can have different configuration settings, including different replication topology, attribute indexing, or forcing the naming context to be read-only. These different configuration settings are set in the slapd configuration file under the appropriate database directive section. Alternative maintenance and optimization configurations for each naming context are also possible, which may be useful depending on the type of data in each naming context. For example, one naming context might contain data that is accessed frequently and needs a great deal of indexing for optimal performance. Another naming context might contain highly confidential data that is accessed infrequently and requires more frequent backups.
OpenLDAP supports subordinate and external referrals
As you might have gathered already, OpenLDAP supports referrals. Both subordinate and superior referrals are supported, and the referrals can be internal or external to the directory namespace.
Subordinate referrals and a control to provide maintenance are supported
You can create subordinate referrals by creating an objectclass=referral
entry in the appropriate location within the namespace. OpenLDAP supports the ManageDsaIT
control with the add, modify, and delete operations to allow changes to referral entries. This control allows an administrator to suppress the usual behavior of the referral entry to return a client referral to another location.
Superior referrals are created outside the LDAP directory
Superior referrals are created in the slapd configuration file as a directive. A superior referral to the OpenLDAP root server noted above would consist of the following line:
referral ldap://root.openldap.org/
Referral support enables the possibility of a distributed directory
OpenLDAP's referral support allows the creation of a directory distributed across multiple servers. Each server might host a separate portion of the namespace, depending on the needs of the organization. As noted in Chapter 5, there are many possible reasons for such a design, including segmenting data to a specific location or segregating client groups to a specific server.
OpenLDAP supports single-master replication via the slurpd process
As noted earlier, OpenLDAP supports directory replication across multiple servers. The slurpd process performs this functionality. OpenLDAP supports only single-master replication at this time. Multimaster replication is possible with the existing versions, but it is considered experimental and is poorly documented.
The slapd configuration file controls the replication behavior
The slurpd process works closely with the slapd process running on the same server. The slapd configuration file controls much of the behavior of the slurpd process. Two things are needed in the master server's slapd configuration file. First, a replica directive is needed that specifies what server the replication should be directed toward as well as the authentication method and credentials that should be used in the LDAP session with this other server. The slurpd process uses the LDAP operations to perform the replication. Second, a replogfile directive is needed to instruct the slapd process to log all changes to file. This file is in turn used by the slurpd process to determine what operations need to be replicated. You may have wondered how the portion of directory to be replicated is specified in this scheme. The replication directives are placed in the same database section as the naming context that you want to replicate. You are really replicating a database via LDAP operations, and the databases on the server represent the partitions you can replicate. You'll notice this same approach to replication in many other LDAP products. In fact, Chapter 8 describes something remarkably similar with slight improvements.
OpenLDAP has special support features for the LDBM database type
OpenLDAP gives administrators a choice of databases to support the directory functionality. OpenLDAP favors the LDBM database type, and it has built-in configuration options for this database type.
You can use other databases with OpenLDAP
However, OpenLDAP can use other types of databases, including SQL. OpenLDAP accomplishes this functionality via what it calls the Shell backend database type. The Shell backend is really just the basic interface that OpenLDAP supports to interact with other types of databases. In the slapd configuration file, you would specify an external database command for each of the ten LDAP operations. After this configuration, the OpenLDAP directory would be able to use the external database. In this case, database configuration, indexing, and optimization would all be external to OpenLDAP.
Database support customization is possible
For more integrated database support, you can write your own backend. A backend is code that redirects LDAP operations to a database, thus acting as a proxy. By writing your own backend, you can allow any special database functionality to interoperate more closely with the LDAP configuration.
Determining what attributes to index is at the heart of optimization
Indexing is an important consideration as a directory grows. When the commonly searched attributes are indexed, performance is better. Indexing all the attributes would require more resources and performance would suffer, so you should index only those attributes that are frequently used in search filters.
Indexing support is provided for LDBM, but other databases must provide their own
The level of indexing support OpenLDAP provides is dependent on the database employed. OpenLDAP favors the LDBM database type, and you can include indexing directives in the slapd configuration file only when you are using this type of data base. The indexing directives for an LDBM database are specific and support a higher degree of optimization than LDAP servers from other vendors.
Which match operators are indexed is important
The OpenLDAP indexing directives let you optimize the indexing to the type of search filter match operator that is most relevant. For example, imagine a directory with the following frequently used search filters:
(st=CA) (userCertificate=*)
The following indexing directives would optimize the indexing:
index st eq index userCertificate pres
The first directive indexes the st
attribute for the equality operator, which means that the DN of every entry that has a st
value needs to be kept in the index, and further that every value of the st
attribute must be kept in the index so each value can be quickly matched. The second directive indexes the userCertificate
attribute for the presence operator, which means that the DN of every entry that has a user certificate value needs to be kept in the index, but the values of that attribute are not needed.
All the standard match operators are supported for inclusion in indexing
In addition to the equality and presence index parameters, OpenLDAP supports several others. These include the approximate operator (the “sounds like” operator), attribute subtyping, and language attribute options (which OpenLDAP calls language tags).
Indexing is not the only factor in optimizing OpenLDAP performance. For example, the access controls employed can greatly affect directory performance.
OpenLDAP has fallen behind other solutions in terms of number of features
OpenLDAP has focused on performance and standards in the area of server operation functionality. This strength together with its low cost results in an attractive option. However, in comparison with other LDAP servers, OpenLDAP lags behind in terms of additional features.
OpenLDAP has implemented many additional LDAP RFCs, but neglected others
In its favor, OpenLDAP has implemented the password modify control (RFC 3062), strong SASL-based authentication (RFC 2829), session encryption via TLS (RFC 2830), and language tags (RFC 2596). But common features that have been implemented by the majority of LDAP server vendors, such as server-side sorting control (RFC 2891) and the paged search control, have yet to be implemented.
OpenLDAP got a late start
The lack of features seems to be attributed largely to OpenLDAP's late entry. The initial OpenLDAP code was taken directly from the final version of the University of Michigan's open source release in 1996. In fact, today's OpenLDAP administration guide and the Michigan administration guide are still remarkably similar. Other vendors worked for years while the code that OpenLDAP uses sat without development.
A basic set of client tools is provided
A variety of client-based tools are provided with the OpenLDAP distribution. These tools range from ones to support the basic
LDAP operations to a few more advanced tools. Support for these tools is an integral part of the distribution, because each one uses the API library that OpenLDAP provides.
Client tools include all the standard LDAP operations
A command-line executable for a client is included in the distribution for each of the LDAP operations. The client executables include ldapdelete, ldapmodify, ldapadd, ldapmodrdn, ldapsearch, ldap_abandon, ldap_bind, and ldap_compare. Variants of each of these executables are also offered. All of the client tools are fully documented at the online OpenLDAP man pages at http://www.openldap.org/software/man.cgi, and this documentation is included in the distribution.
A few support tools are also included
In addition to these basic commands, executables that support basic functionality are also included. These include operations to use the password modify control, encode elements using BER, and format the output from an entry, as well as the operations needed to step through the LDAPMessage returned by the primary operations.
A couple of directory-enabled mail services are provided
The OpenLDAP distribution comes with a few applications that closely integrate with an LDAP directory. The majority of these applications allow sendmail to query an LDAP directory (or an X.500 directory with an LDAP gateway in front) with an e-mail address. The returned message contains information regarding where to route the mail. Additional functionality includes routing resolution to mail-enabled groups via a special object class called rfc822MailGroup
. There are a few other directory-enabled applications distributed with OpenLDAP, but they are unremarkable.
Programming support is very good
Support for LDAP programmers using OpenLDAP is quite good. The support for OpenLDAP tools is perhaps better than with any other vendor. The support is not without quirks or need of improvement, but it is amazing when you figure cost into the equation.
The public OpenLDAP forum provides solutions that are satisfactory to customers
Support is given primarily via online documentation, documentation distributed with the development tools, and mailing lists. As with other vendors, the online documentation is good for beginners, but it is sparse on issues of greater complexity. However, the mailing lists really fill this gap. Posts to the mailing list go to developers worldwide, and the hardest ones are regularly answered by the core programmers who volunteer their time. Most vendors filter access to their core programmers, but OpenLDAP gives you a direct and public forum to interact with them. This approach provides a real benefit to the OpenLDAP effort, because it draws new developers into donating their time to add a new feature to the code base that is shared by all.
OpenLDAP offers only a single control by default
By default, OpenLDAP supports only two LDAP controls. In addition to the aforementioned Password Modify Control, the ManageDsaIT
control (2.16.840.1.113730.3.4.2) is supported. It allows an LDAP client to add, modify, or delete a referral internal to the directory namespace. The referral must be an entry of objectclass=referral
. External referrals cannot be modified with this control. The small number of controls implemented is indicative mostly of how long OpenLDAP has been around. After a year, I'd expect that many of the common controls will be implemented. But for the time being, the lack of control support is a weakness of OpenLDAP when compared to other offerings.
The OpenLDAP schema follows all the standards
The default OpenLDAP schema includes every definition in an IETF RFC document, along with several draft and experimental definitions. Definitions follow the BNF schema format used in the RFC specifications, as described in Appendix B. The schema definitions do not follow the slapd.conf schema format, even though OpenLDAP uses a slapd.conf file like several other LDAP servers.
Several files define the default OpenLDAP schema
The default schema definitions are in a set of nine schema files, which are included by directives in the default slapd configuration file. If desired, you can remove these directives or modify the default schema files themselves. Exactly what is included in the default definitions is documented only in the text files for the code base itself. This is an oversight that should be corrected.
You can add definitions singly or in a set
In addition to the default schema definitions, directives in the slapd configuration file define schema elements. Modifications to the schema are fairly easy to make, with a short service outage required to put modifications into place. You can add schema definitions directly to the slapd configuration file, or you can place any number of schema definitions in a file(s) and include the file(s) with a directive in the slapd configuration file. Incidentally, OpenLDAP does allow you to turn off the schema-checking process, although this isn't recommended.
OpenLDAP supports a large number of syntaxes and allows extension
OpenLDAP supports 58 syntaxes by default and allows additional syntaxes to be added. OpenLDAP supports 33 matching rules by default and allows additional matching rules to be added. The syntaxes and matching rules are not referenced by the slapd configuration file and are listed only in the source code, in a file named schema_init.c. The slapd.conf man page does list syntaxes, but the list is incomplete and the placement of the information illogical. This poor documentation makes it harder to use. You would use the schema_init.c file to define additional syntaxes and matching rules. The file notes 20 additional matching rules, which may be added in future releases. Despite the poor documentation, the number of syntaxes and matching rules supported by default, along with the easy extensibility, represents a key benefit that OpenLDAP holds over competitors.
By default, 81 classes are defined, each of which corresponds to a definition in a documented standard
By default, the OpenLDAP schema supports 81 classes. As noted earlier, these classes are primarily standard classes denoted in RFC standards. In fact, there is little in the default schema that isn't documented in an Internet standard. And unlike other vendors, OpenLDAP doesn't arbitrarily change the standards to meet some proprietary need. The only modifications to the schema elements are minor changes to allow all the schema elements to be implemented despite minor discrepancies between the standards.
Multiple-class inheritance is supported
OpenLDAP uses a multiple-class inheritance model, in which more than one class can be superior for any given object class. For example, the openLDAPperson
class has both inetOrgPerson
and pilotPerson
as superior classes. This class inheritance model provides greater flexibility than the single-class model that most LDAP servers employ, and it is a nice feature for organizations looking to design a new class combining several existing definitions.
Aliases and referrals are supported
OpenLDAP implements the alias
object class, which provides a level of intra-directory redirection. OpenLDAP also implements the ref
object class, to support referral functionality. The combination of these two classes allows for any organizational hierarchy or distribution of a directory across multiple servers.
OpenLDAP provides the basic level of attribute support
By default, the OpenLDAP schema supports 192 attributes. As mentioned earlier, attribute subtypes are supported as well as attribute options, including language tags. This diversity of basic attribute support means that organizations can easily implement custom attributes.
Several OpenLDAP operational attributes are automatically maintained
OpenLDAP implements several operational attributes. These include the modifiersName
, modifyTimestamp
, creatorsName
, and createTimestamp
attributes to track modifications to entries. These attributes will be automatically maintained by slapd if the lastmod on | off
directive is set in the slapd configuration file. By default, the lastmod
directive is on. Following the LDAP standards, the subschemaSubentry
operational attribute is also on every entry.
A few unorthodox attributes enable access control functionality
There are also a few interesting attributes that OpenLDAP requires for basic functionality. Among these are the entry
and children
attributes. These cannot be modified by users and are maintained by the slapd process. They are used primarily to enable access control settings, but there may be secondary uses. The entry
attribute allows access control of the modifyRDN operation, so when a client wants to change the name (RDN and DN) of an entry, there is an attribute to be used as a target in an ACL. The children
attribute is used for a similar purpose to indicate the names of all the entries that are immediate children of the entry. How these attributes are used is covered in more detail in Appendix D.
OpenLDAP provides several management tools to make administration easier. Two tools are provided to support LDIF functionality, and a third tool helps manage directory indexing.
LDIF import is done via slapadd
You use the slapadd program to create the initial database (and therefore directory) along with the indexes. The slapadd command takes an LDIF file as input to create entries. The syntax of the slapadd command is
slapadd -l <inputfile> -f <slapdconfigfile> [-d <debuglevel>] [-n <integer> | -b <suffix>]
-l
is the LDIF input file.
-f
is the slapd configuration file.
-d
indicates the level of debugging desired.
The -n
and -b
arguments specify which database to modify.
The arguments in brackets are optional.
LDIF export is done via slapcat
You use the slapcat program to dump a database to LDIF, either to back up the directory or to have a template for changing multiple entries at the same time. For example, assume I want to change the value of the mail attribute for every person entry in the directory. The current value is in the form [email protected]; but for some reason, I need to change them all to the form [email protected]. I'd use the slapcat program to create a file. Then I might use pattern-matching software like perl to replace every instance of @mycompany.com with @mail.mycompany.com in the mail attribute. I could then clean up the file and use it with the slapadd program to modify all the entries. This solution would be quick compared to writing an LDAP-based application that did the same thing.
The syntax of the slapcat command is
slapcat -l <filename> -f <slapdconfigfile> [-d <debuglevel>] [-n <databasenumber>|-b <suffix>]
The arguments are identical to those of the slapadd command.
To rebuild the index, use slapindex
You use the slapindex program to rebuild the indexing on a database. When the index is rebuilt, it reflects all the data in the database. Rebuilding the index is necessary when you add new attributes or operators to the indexing directives. If the index isn't rebuilt after an indexing configuration change, only new entries will reflect the changed indexing configuration. The syntax of the slapindex command is
slapindex -f <slapdconfigfile> [-d <debuglevel>] [-n <databasenumber>|-b <suffix>]
Again, the arguments match those of the slapadd command.
Configuration parameters are primarily set in the slapd configuration file via directives. But because the code base is open source, motivated organizations can implement their own changes and settings as needed. We've already discussed most of the directives that can be set, except for a few omissions, which are covered here.
The backend directive allows new modules to be added to slapd
Backends are a way to support databases smoothly. Backends can be any module that you want to implement to extend the functionality of the slapd process. They are not limited to new database functionality. To create a backend, you use a backend directive.
Basic limit and log settings are configurable
OpenLDAP supports the typical limit settings that most LDAP servers support. An idletimeout
directive specifies how long slapd should wait before forcibly closing idle connections. A sizelimit
directive specifies the maximum number of directory entries that can be returned from a search operation. A directive called loglevel
controls the logging performed by the slapd process and the level of detail.
OpenLDAP supports all the security elements suggested by RFC 2829 and 2830. It provides a diversity of authentication methods, each of which also can be used as an access control factor. The authorization support it provides is diverse, with a great number of possible access control factors, but configuration changes are subject to service interruption. Privacy support is provided, but the management features are basic. OpenLDAP takes security seriously, and future development should address some of the shortcomings.
SASL support comes from Cyrus SASL
Carnegie Mellon University's Cyrus Project provides the SASL module used with OpenLDAP. The code is freely available and widely used. The Cyrus SASL module supports several strong authentication mechanisms. The full set of supported mechanisms consists of ANONYMOUS, CRAM-MD5, KERBEROS_V4, PLAIN, SCRAM-MD5 (deprecated), GSSAPI (MIT Kerberos 5 or Heimdal Kerberos 5), DIGEST-MD5, LOGIN, and SRP.
An authentication identity should be mapped to an authorization identity
After installing and configuring the SASL module to support authentication, you must perform additional work to establish an authorization identity on the OpenLDAP server. When a user has successfully authenticated, the SASL module passes an authentication identity to OpenLDAP. This identity does not necessarily exist within the LDAP namespace, but it does exist within the namespace of the authentication mechanism used. Usually you will map this successful authentication identity to the DN of a directory entry. This step simplifies interaction within the directory and clearly establishes the identity of the user in the context of the LDAP namespace, so the directory entry can be used as authorization information. This step isn't strictly required, however, because you can use the native authentication identity that SASL returns in access control lists.
For example, the SASL module might pass to OpenLDAP the authentication identity: uid=barkills,cn=MYCOMPANY.COM, cn=KERBEROS_V4,cn=AUTH
. This identity appears to correspond to an LDAP DN, but it does not exist within the directory namespace (but it could if you just happened to use this model). The authentication identities that are passed correspond to the following format: uid=<username>,cn=<realm>,cn=<mechanism>, cn=auth
. The cn=<realm>
component is not used by all the mechanisms, and it may be absent.
Directives in the slapd configuration file perform the authentication mapping
To map the SASL authentication identity to a directory entry, you need to create one or more directives in the slapd configuration file that effectively transform the identity to correspond to a valid directory entry. The saslRegexp
directives perform this transformation by using a few simple text-based pattern-matching rules to search and replace text. You must use great care in forming these directives so the wrong entry isn't mapped.
The Regular Expression (regex) format is used to match a pattern and substitute a DN
The regex or Regular Expression documentation is at http://www.openldap.org/software/man.cgi. This man page can be consulted for details. Regular expressions are a lengthy subject unto themselves, but a brief example will illustrate their use. I want to map the identity I noted above to the directory entry with the DN uid=barkills,ou=People,dc=Mycompany,dc=com
. I might use the following directive to accomplish my goal:
saslRegexp uid=(.*),cn=MYCOMPANY.COM,cn=Kerberos_v4,cn=auth uid=$1,ou=People,dc=Mycompany,dc=com
The first line has the pattern match statement that must be met for the second line to be triggered. The pattern match statement uses parentheses to denote what text to save for later use. The first set of parentheses is saved to a temporary variable called $1
, and additional sets of parentheses would likewise be saved to temporary numbered variables. The period character is used as a wildcard to denote any character. The asterisk character is used to denote one or more occurrences of a character. So a period followed by an asterisk could potentially match any text string, if the two were all that was used in a pattern match. The pattern-matching statement used here basically says match any identity that employs Kerberos 4 and is in the MYCOMPANY.COM realm, while saving the uid
value. The second line has the replacement statement that maps to a directory entry. The variable $1
is used and would be replaced by barkills
, in my example. This would yield the DN I wanted.
Complex regular expressions are supported
More complicated statements are possible, including replacement statements that use an LDAP URL with a search filter. This would be especially useful if the DN of entries in Mydirectory didn't use the uid
attribute as the RDN, but the uid
attribute was a mandatory attribute. An example of this might be
saslRegexp uid=(.*),cn=MYCOMPANY.COM,cn=Kerberos_v4,cn=auth ldap://server1.mycompany.com/ou=People,dc=Mycompany, dc=com??sub?uid=$1
OpenLDAP supports impersonation of another authorization identity
OpenLDAP also offers an impersonation feature within its authentication support. An impersonation feature helps to simplify authorization and allows special directory services to act on behalf of other identities. The online OpenLDAP documentation calls the impersonation functionality “authorization,” which is a less descriptive name than is deserved and can be confusing.
Two attributes are used to delegate impersonation authorization
Impersonation is directed using the same syntax as was used with the regex directive, but it is not done via the slapd configuration file. Instead, two attributes are used on the authorization entry that is mapped from the authentication identity. The attribute saslAuthzTo
is used as a source rule, and the attribute saslAuthzFrom
is used as a destination rule. The source rule lists what other authorization identities can impersonate this authorization entry. The destination rule lists what authorization identities this authorization identity can impersonate.
You can use either attribute, and each is equally effective
You can use both source and destination rules, but only one is required. Suppose I wanted to allow my entry, DN cn=Brian Arkills,ou=People,dc=Mycompany,dc=com
, to be able to impersonate Han Solo's entry with DN cn=Han Solo,ou=People, dc=Mycompany,dc=com
. I could enable this impersonation in either of two ways. Using my entry, I could set saslAuthzTo= cn=Han Solo,ou=People,dc=Mycompany,dc=com
. Using Han Solo's entry, I could set saslAuthzFrom= cn=Brian Arkills, ou=People,dc=Mycompany,dc=com
. Either is effective and would accomplish the same end.
Impersonation is useful
But impersonation is more useful than this example illustrates. For example, let's say I have a special Web site where users can change their directory entry without having to use unfriendly LDAP syntax. Users authenticate to the Web site, view their directory entry, and visually edit their information. Behind the scenes, an application service running at the Web site retrieves their entries using an LDAP search and makes modifications using LDAP operations. To do this, the application service must have an authorization entry in the directory, and that entry must be granted the ability to impersonate each of the users. For this purpose, its entry might have saslAuthzTo=uid=.*,ou=People, dc=Mycompany,dc=com
or saslAuthzTo=ldap://host/ ou=People,dc=Mycompany,dc=com??sub?objectclass=Person
. Many entries are indicated by the value. Another approach would be set the saslAuthzFrom
attribute of every person's entry to the service's DN.
Impersonation also can enable the access controls to be simpler
Some directory administrators use the concept of impersonation in a manner similar to how security groups are used in most file systems. They set a simple set of access controls on naming contexts that give access rights to a small set of authorization identities. These authorization identities are effectively proxy accounts that are used to provide different levels of access. Then users are given impersonation rights to these special accounts depending on the level of access they need. This scheme simplifies the access controls that need to be set on the directory while also simplifying the delegation needed. But it also obscures the audit trail and makes it difficult to monitor access. This is bad security practice but optimizes performance. However, if you keep this fault in mind and minimize the impact, you can use impersonation to simplify the access controls.
Access control is set by a policy, using directives
Speaking of access controls, it's high time to discuss how OpenLDAP provides this functionality. OpenLDAP implements an access control in the form of an open, flexible access control policy. A traditional access control list (ACL) model would place a separate ACL on each entry, possibly with inherited settings from parent entries. With OpenLDAP, there is not a separate access control list for each entry. Instead, directives in the slapd configuration file form the basis for an access control policy. The directives are set at two levels, one at the database level (in other words, the naming context level) and one at the global level. Access is determined by the first matching access directive, starting at the database level and proceeding to the global level. A simple example of an access directive is provided here. For more details and examples, see Appendix D.
Access control directives look like an ACE
The access directives themselves resemble access control entries (ACEs) with the added information of the directory entries to which the ACE applies. There are three primary elements to an access directive: <what>
entries, <who>
should have access, and what level of <access>
. As you might expect, most of the format of these elements relies on the formatting expected by the regex command. The basic format of an access directive is:
access to <what> by <who> <access>
There can be multiple instances of the by <who>
and <access>
elements for each <what>
element.
Here is an example access directive:
access to dn=_.*,ou=People,dc=Mycompany,dc=com by dn=_cn=Han Solo,ou=People,dc=Mycompany,dc=com write by dn=_.*,ou=People,dc=Mycompany,dc=com read
This directive gives control access to all the entries immediately subordinate to the People
OU. The user authenticated as the Han Solo entry has write-level access, and users authenticated as one of the entries within the People
OU have read-level access.
OpenLDAP supports many access control factors
In addition to this traditional ACL approach, OpenLDAP supports many different access control factors. These factors include wildcards (used in the example above), membership in a group, dynamic access control, the DNS domain of the client, and the IP address of the client. Multiple combinations of these factors are also supported. You can also use authentication method as an access control factor, but not as part of the access directive. With a require directive, a certain type of authentication method can be mandated either on a global basis or by database. For example, you might accept access only via Kerberos authentication.
A service outage is required for every access control change
There is one problem with all of these access control methods. All of them are created in the slapd configuration file, and additions require that the slapd process be stopped and restarted. This means a short directory service outage on any access control configuration, which may not be acceptable in some environments. You can minimize this problem by configuring access controls that encompass all expected situations, but there will inevitably be situations that require a change.
An experimental feature eliminates the need for a service outage
OpenLDAP supports an experimental access control factor that is not subject to this problem. Experimental features in OpenLDAP are not fully supported, and assistance is on a best-effort basis. ACI expressions are considered experimental, mostly because the standard governing the definition hasn't been completed, but also because the full set of functionality in the existing definition hasn't been implemented in the code base yet. ACI expressions move the configuration and evaluation of access control from the slapd configuration file to an attribute on the entry. This approach provides a major benefit: access control changes can be made without restarting the slapd process. Appendix D includes pointers on how to find out more about ACI expressions.
A special entry has unrestricted access to the directory
There is a special entry called the rootdn
that is not limited by any authorization factors. Administrators can use this account for various activities. Within the slapd configuration file, two directives are required to initially identify this account. The rootdn
directive specifies the DN of this entry. The rootpw
directive specifies a password for the entry specified by the rootdn
directive. This password will work regardless of the userPassword
attribute that is set on the entry. This password is in cleartext in the configuration file. You should take measures to restrict access to this file because it holds the key to all of your directory data.
Transport Layer Security is provided by the OpenSSL libraries for SSL and TLS. OpenSSL is open source software, just as OpenLDAP is. You download the code, compile it for your platform, then install and configure it. The OpenSSL Web site, http://www.openssl.org/, documents common issues, as well as providing support and instructions.
It runs on any platform and is free!
OpenLDAP's biggest strength compared to other LDAP server options is the fact that it can be run on any operating system platform. This strength is tempered by the fact that the entire solution is free. Because the product is free, the support model is not formal; but OpenLDAP provides open interaction with the developers, which can be better than formal support.
You have an active part in what you implement, instead of being at the mercy of a cold vendor
Another key strength of OpenLDAP is an openly available code base that you can modify. This strength lends itself to other benefits. For example, you can obtain greater control of performance because you can get closer to the code. Another example is the high degree of interchangeable components that OpenLDAP supports. Being able to choose components like a database is a significant benefit. No other LDAP vendor allows this kind of choice. Another benefit is that you can pool development resources with other organizations to get a commonly desired feature implemented.
A diverse choice of security features is nice
The diversity of security features that OpenLDAP offers is useful. In particular, the variety of access control factors is impressive, when compared to a product that implements only a traditional ACL model. But this strength is marred by the service interruption issue, which hopefully will be addressed in the future.
OpenLDAP is riding a wave of intangibles
A number of intangibles also fall in OpenLDAP's favor. For example, primary contributors to the code have key roles in the current IETF LDAP working groups. OpenLDAP has a sense of historical familiarity. The University of Michigan package was widely used by organizations when LDAP was emerging, and many administrators are familiar with slapd already. OpenLDAP comes with the Red Hat Linux distribution, and many organizations are introduced to it in this way. Finally, OpenLDAP follows the standards closely, which means that long-term stability and interoperability are more assured.
The special features don't compare well
On the negative side, the special features that OpenLDAP provides aren't at all impressive compared to those of other LDAP servers. Some of the basic features that nearly every package provides, such as server-side sorting of search results (RFC 2891), haven't been implemented. Inclusion of extra functionality lags behind and may continue to lag behind because of the voluntary nature of development. The adage “you get what you pay for” closely fits the comparison of feature sets.
OpenLDAP is a quality package that many organizations are using
Although it may be cheap in cost, OpenLDAP isn't cheap in quality. The package is extremely resilient and dependable. The developers are constantly looking for ways to improve performance, dependability, and security. One can check the mailing list archives and read about many large deployments that have little or no problems running over long periods of time.
18.224.44.100