LDAP for Rocket Scientists

This Open Source Guide is about LDAP, OpenLDAP 2.x and ApacheDS on Linux and the BSD's (FreeBSD, OpenBSD and NetBSD). It is meant for newbies, Rocket Scientist wannabees and anyone in between.

LDAP is a complex subject. This Guide was born out of our pathetic attempts to understand LDAP, since it promised a veritable nirvana - common source for information, unlimited scalability using a replication model, inherent resilience, fast read performance, fine-grained control over who can do what to what data - the list goes on. Wonderful stuff.

That's the end of the good news.

The bad news is that IOHO never has so much been written so incomprehensibly about a single topic with the possible exceptions of BIND and ... and ... There are innumerable excellent HOWTOs scattered over the Internet, which are great if you need a tactical solution to a particular problem, and are happy to put up with the vaguely uncomfortable feeling that you are entirely dependent on something you don't really understand. We didn't want a tactical solution, we wanted a strategic solution to a whole set of problems, all of which all appeared to be ideally suited to LDAP, but we had to understand stuff ... we needed a WHYTO. This is our - perhaps pathetic - attempt to create it.

Once upon a time OpenLDAP was the only game in the Open Source LDAP town. It is still regarded as the LDAP reference implementation and remains an excellent system with many production implementations, is actively developed and ferociously complex to implement for other than trivial applications. It is, however, no longer the only game in town. There is now the 389 Directory Server (ex-Fedora Directory Server), another University of Michigan derivative, OpenDJ (a fork of OpenDS a Sun-led Java-based LDAP implementation which now appears inactive), and the ApacheDS (Apache Directory) project. All appear excellent projects and together with OpenLDAP provide an embarrassment of riches in the Open Source LDAP space - driving forward capabilities and functionality. Some notes about the projects and our decision if you are interested in this kind of stuff.

All future versions of this guide will progressively introduce material describing the use of ApacheDS while continuing to document OpenLDAP.

<warning> This is very much a work in progress. If you find errors don't grumble - tell us. Look at our to do list and if you want to contribute something please do so. And for all that hard work we promise only a warm sense of well-being and an acknowledgment of your work in the licence. </warning>

Contents

What's new in Guide version 0.1.19

1. Boilerplate and Terminology

1. 1.1 Objectives and Scope
2. 1.2 How to read this Guide
3. 1.3 Terminology and Conventions used
4. 1.4 Acknowledgements
5. 1.5 Copyright and License

Section 1 - Overview & Concepts

2. LDAP - Overview

1. 2.1 A brief History of LDAP
2. 2.2 LDAP Overview
3. 2.3 LDAP vs. Database
   1. 2.3.1 LDAP Usage Summary
4. 2.4 LDAP Data (Object) Model
   1. 2.4.1 Object Tree Structure
   2. 2.4.2 Object Classes
   3. 2.4.3 Attributes
   4. 2.4.4 Describing the Tree by Adding (Data) Entries
   5. 2.4.5 Navigating the Tree (DNs and RDNs)
5. 2.5 LDAP Replication and Referrals
   1. 2.5.1 Referrals
   2. 2.5.2 Replication

3. LDAP Schemas, ObjectClasses and Attributes

1. 3.1 LDAP Stuff Overview
2. 3.2 Schemas
3. 3.3 ObjectClasses
4. 3.4 Attributes
5. 3.5 Matching Rules
6. 3.6 LDAP Operational Attributes and Objects

Section 2 - Get Something Running

Section 3 - Reference

Section 4 OpenLDAP Operations

12. OpenLDAP Trouble Shooting & Errors

13. OpenLDAP Performance

14. LDAP Tools

OpenLDAP Tools

ldapadd - add LDIF entries to an LDAP directory
ldapauth - add LDIF entries to an LDAP directory
ldapdelete - delete LDAP entries
ldapmodify - modify existing LDAP entries
ldapmodrdn - modify an LDAP entry's DN
ldappasswd - modify an entry's password
ldapsearch - search LDAP entries
ldapwhoami - perform an LDAP Who Am I operation of a server
slapacl - verify access to attributes by inspecting the configuraion of a DIT
slapadd - add LDAP entries to a database - STOP SLAPD FIRST
slapauth - verify SASL data against a DIT
slapcat - export an LDIF from an LDAP database - STOP SLAPD FIRST
slapdn - verify a DN against a DIT configuration
slapindex - re-index an LDAP database - STOP SLAPD FIRST
slappasswd - generate password
slaptest - verify a slapd.conf file or a cn=config directory (slapd.d)

LDAP Browsers

LDAPBrowser/Editor - some notes on usage

ApacheDS Tools

ApacheDS Tools - tools and Utilities

Section 5 LDAP Security

15. LDAP Security

1. 15.1 OpenLDAP Security Overview
2. 15.4 OpenLDAP TLS/SSL Configuration

Appendices: Resources

1. Appendix A: LDAP Notes and Explanations
2. Appendix B: LDAP Resources
3. Appendix C: LDAP RFCs and Documentation
4. Appendix D: LDAP Glossary
5. Appendix E: LDAP Schemas, objectClasses and Attributes

Document Maintenance Information

To do list - Stuff that still needs to be done.

Change log.

---

Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.