- 22.4.1 About LDAP Data Interchange Format
- 22.4.2 Configuring an LDAP Server
- 22.4.3 Replacing the Default Certificates
- 22.4.4 Creating and Distributing Self-signed CA Certificates
- 22.4.5 Initializing an Organization in LDAP
- 22.4.6 Adding an Automount Map to LDAP
- 22.4.7 Adding a Group to LDAP
- 22.4.8 Adding a User to LDAP
- 22.4.9 Adding Users to a Group in LDAP
- 22.4.10 Enabling LDAP Authentication
The Lightweight Directory Access Protocol (LDAP) allows client systems to access information stored on LDAP servers over a network. An LDAP directory server stores information in a directory-based database that is optimized for searching and browsing, and which also supports simple functions for accessing and updating entries in the database.
Database entries are arranged in a hierarchical tree-like structure, where each directory can store information such as names, addresses, telephone numbers, network service information, printer information, and many other types of structured data. Systems can use LDAP for authentication, which allows users to access their accounts from any machine on a network.
The smallest unit of information in an LDAP directory is an entry, which can have one or more attributes. Each attribute of an entry has a name (also known as an attribute type or attribute description) and one or more values. Examples of types are domain component (`dc`), common name (`cn`), organizational unit (`ou`) and email address (`mail`). The `objectClass` attribute determines which attributes of an entry are required and which are optional: each `objectClass` value names a schema definition whose rules the entry must obey.

A distinguished name (`dn`) uniquely identifies an entry in LDAP. The distinguished name consists of the name of the entry (the relative distinguished name or RDN) concatenated with the names of its ancestor entries in the LDAP directory hierarchy. For example, the distinguished name of a user with the RDN `uid=arc815` might be `uid=arc815,ou=staff,dc=mydom,dc=com`.
The following are examples of information stored in LDAP for a user:
```ldif
# User arc815
dn: uid=arc815,ou=People,dc=mydom,dc=com
cn: John Beck
givenName: John
sn: Beck
uid: arc815
uidNumber: 5159
gidNumber: 626
homeDirectory: /nethome/arc815
loginShell: /bin/bash
mail: johnb@mydom.com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}QYrFtKkqOrifgk8H4EYf68B0JxIIaLga
```
and for a group:
```ldif
# Group employees
dn: cn=employees,ou=Groups,dc=mydom,dc=com
cn: employees
gidNumber: 626
objectClass: top
objectClass: posixGroup
memberUid: arc815
memberUid: arc891
```
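As an added example (not part of the original document), the following Python script parses the two entries above as LDIF and checks them the way an administrator reviewing a directory export would: that each entry's RDN is backed by a matching attribute value, that every `objectClass` has the attributes the schema requires, that `userPassword` values carry a hash-scheme prefix such as `{SSHA}` rather than being stored in the clear, and that every `memberUid` in a `posixGroup` refers to a `posixAccount` in the same data. The required-attribute sets for `posixAccount` and `posixGroup` are taken from the RFC 2307 schema; the sample LDIF is constructed from the page's entries, and the second, deliberately incomplete entry in the usage section is invented to show a failing check.

```python
"""Minimal LDIF parser plus consistency checks for posixAccount/posixGroup entries.
Added example; the sample data below is constructed from the entries on the page."""
from collections import defaultdict

# Constructed sample: the user and group entries shown on the page, in LDIF form.
SAMPLE_LDIF = """\
# User arc815
dn: uid=arc815,ou=People,dc=mydom,dc=com
cn: John Beck
givenName: John
sn: Beck
uid: arc815
uidNumber: 5159
gidNumber: 626
homeDirectory: /nethome/arc815
loginShell: /bin/bash
mail: johnb@mydom.com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}QYrFtKkqOrifgk8H4EYf68B0JxIIaLga

# Group employees
dn: cn=employees,ou=Groups,dc=mydom,dc=com
cn: employees
gidNumber: 626
objectClass: top
objectClass: posixGroup
memberUid: arc815
memberUid: arc891
"""

# Attributes the RFC 2307 schema marks as MUST for the object classes used on the page.
REQUIRED = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "posixGroup": {"cn", "gidNumber"},
}


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) tuples.
    Handles comments, blank-line record separators and multi-valued attributes;
    base64 ('::') values and line continuations are out of scope here."""
    entries, dn, attrs = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line terminates the current entry
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    if dn is not None:                    # flush an entry not followed by a blank line
        entries.append((dn, dict(attrs)))
    return entries


def split_dn(dn):
    """'uid=arc815,ou=People,dc=mydom,dc=com' -> ['uid=arc815', 'ou=People', 'dc=mydom', 'dc=com']"""
    return [component.strip() for component in dn.split(",")]


def validate(entries):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    problems = []
    for dn, attrs in entries:
        rdn = split_dn(dn)[0]
        rdn_attr, _, rdn_value = rdn.partition("=")
        if rdn_value not in attrs.get(rdn_attr, []):
            problems.append(f"{dn}: RDN {rdn} has no matching attribute value")
        for object_class in attrs.get("objectClass", []):
            missing = REQUIRED.get(object_class, set()) - set(attrs)
            if missing:
                problems.append(f"{dn}: {object_class} requires {sorted(missing)}")
        for password in attrs.get("userPassword", []):
            # A stored password should start with a hash-scheme tag such as {SSHA};
            # a bare value is a cleartext password sitting in the directory.
            if not password.startswith("{"):
                problems.append(f"{dn}: userPassword lacks a {{scheme}} hash prefix")
    return problems


def dangling_members(entries):
    """Report memberUid values in posixGroup entries that name no posixAccount uid."""
    known_uids = {uid for _, attrs in entries
                  if "posixAccount" in attrs.get("objectClass", [])
                  for uid in attrs.get("uid", [])}
    return [f"{dn}: memberUid {member} has no posixAccount entry"
            for dn, attrs in entries
            if "posixGroup" in attrs.get("objectClass", [])
            for member in attrs.get("memberUid", [])
            if member not in known_uids]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for line in validate(parsed) + dangling_members(parsed):
        print(line)
```

Run against the page's two entries, `validate` returns no problems, while `dangling_members` reports that `arc891` is listed in the `employees` group but has no `posixAccount` entry in this data, which is exactly the kind of orphaned reference worth reconciling before a group is relied on for authorization. Feed it a user entry with no `homeDirectory` and a bare `userPassword` value and both checks fire.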