S 3.85 Introduction to OpenLDAP

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

OpenLDAP is a directory service based on the LDAP project of the University of Michigan. The original project aimed to develop an equivalent of the Directory Access Protocol (DAP) on the basis of the X.500 directory service standard. DAP was tailored to the OSI stack, whereas LDAP, the Lightweight DAP, uses the TCP/IP stack. In this respect, the adjective "lightweight" indicates that LDAP does not implement the full range of X.500 DAP functions. The University of Michigan also developed a server that handles this protocol particularly well. In this context one speaks of an LDAP server, although LDAP itself only refers to a protocol. These servers are hierarchical databases designed to support the LDAP protocol particularly well and to store the data exchanged via the protocol efficiently.

Open source software

OpenLDAP is open source software. On the basis of the original project of the University of Michigan, the OpenLDAP developers have developed the server further and make their work, including the source code, available to the general public free of charge on the Internet. OpenLDAP is the most widely used LDAP server software on Unix and Linux operating systems; however, it can also be used on Microsoft Windows or on other platforms, for example z/OS. For the OpenLDAP developers, it is very important that the software complies with the LDAP standard. In contrast to deviating implementations such as Active Directory or explicitly modified forms of the LDAP protocol such as Novell eDirectory, OpenLDAP strictly complies with the LDAP standard in its current version 3 (LDAPv3). Among other things, this is shown by the fact that OpenLDAP uses the LDAP Data Interchange Format (LDIF) for configuration files and for the import and export of data. OpenLDAP is therefore also referred to as the reference implementation of LDAPv3.
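Because LDIF is the format in which OpenLDAP configuration and exported data are written, an administrator reviewing such files should know its line rules: a line starting with a space continues the previous line, and a double colon ("attr:: ...") marks a base64-encoded value, which is how non-printable or binary values such as password hashes appear in an export. The following parser is an added example, not code from the OpenLDAP project; the LDIF sample it reads is constructed here.

```python
import base64

# Constructed sample export (the kind of output slapcat or ldapsearch produce).
SAMPLE_LDIF = """\
version: 1
# constructed test data, not a real directory
dn: uid=mmuster,ou=BSI,o=Federal,c=DE
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: Max Muster
sn: Muster
description: a long value that is continued
  on the next line
userPassword:: e1NTSEF9c2VjcmV0

dn: ou=BSI,o=Federal,c=DE
objectClass: organizationalUnit
ou: BSI
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {"dn": str, "attrs": {name: [values]}}."""
    # Step 1: unfold continuation lines (one leading space joins to the previous line).
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    # Step 2: split "name: value" pairs; a blank line ends the current entry.
    entries, current = [], None
    for line in logical + [""]:          # trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):         # "name:: <base64>" -> decode the value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):       # "name:< file:///..." is not handled here
            raise ValueError(f"URL-valued attribute not supported: {name}")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute line before dn: {line!r}")
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries
```

Running parse_ldif(SAMPLE_LDIF) shows the base64 userPassword value decoded back to its hashed form, which is why LDIF exports must be protected like the directory itself.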

In addition to LDAPv3, OpenLDAP also supports the LDAP standard in version 2 (LDAPv2), but does not guarantee strict compliance with that standard. There are no longer any interfaces to the original X.500 DAP. In general it is possible to exchange data between LDAP servers and X.500 DAP Directory System Agents, but OpenLDAP does not contain a corresponding function. OpenLDAP provides native support for IPv4 as well as IPv6 and for Unix interprocess communication (IPC) via local sockets.

Method of operation

Like any other LDAP server, OpenLDAP stores data in a defined hierarchical tree structure, the Directory Information Tree (DIT). S 3.61 Introduction to directory service basics describes the common structure and the terms used. OpenLDAP makes its data available via a client-server infrastructure in a session-based manner, i.e. each user of the directory service uses client applications to connect to the server. Via the client, the user initiates operations such as searching for a phone directory entry or changing the user's own password. The server responds to these actions, for example by transmitting the entry searched for or confirming the successful password change. When attribute values are read or changed, a distinction must be made between normal attributes and operational attributes, which OpenLDAP uses for internal administration purposes. Operational attributes include, for example, the distinguished name (DN) and time stamps, which are important for replication. After the user has carried out all operations, the connection to the server is terminated ("unbind" ends the session).

OpenLDAP architecture

The LDAP server of OpenLDAP is the slapd server (stand-alone LDAP daemon). In addition to the LDAP libraries required by an IT system to use the LDAP functions, it is the most important part of the OpenLDAP software. The slapd server does not store the data of the directory service itself, but uses a database management system (DBMS) that is not part of the OpenLDAP software.

Backends and databases

A subcomponent of OpenLDAP is referred to as backend. The slapd server does not communicate directly with a DBMS, but uses the functions of a backend for this purpose. Backends are designated in the "back-*" form. In general, a difference is made between

This general distinction should be known when planning the components, but it is no longer important for subsequent configuration and during operation.

In OpenLDAP, an instance of a backend is understood as a database, for example the database in which the subdirectory "OU=BSI, O=Federal, C=DE" is stored. In general, several instances of the same backend can be used; for example, there might be one database for the subdirectory "I=Bonn, OU=BSI, O=Federal, C=DE" and another database for the subdirectory "I=Berlin, OU=BSI, O=Federal, C=DE". For some backends only one instance is possible; for instance, there is only one "back-monitor" instance at runtime. In practice and also in the literature covering OpenLDAP, the terms "backend" and "database" are often used synonymously. However, it must always be ensured that databases, as logical (sub)databases of a backend, are not confused with the DBMS as a separate software component.
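Which database an operation lands in is decided by the DN it targets: the database whose configured suffix is the longest suffix of that DN is responsible, so the more specific "Bonn" and "Berlin" databases take entries below them while everything else under "OU=BSI, O=Federal, C=DE" falls to the general database. The following added example (not OpenLDAP code) illustrates this selection with a small DN parser; it assumes the locality subdirectories are written with the standard attribute type "L", normalizes attribute types and values to lower case for comparison, and keeps escaped commas ("\,") inside a value from being treated as RDN separators.

```python
# Constructed suffixes following the example from the text (locality written as L=).
DATABASES = [
    "OU=BSI, O=Federal, C=DE",
    "L=Bonn, OU=BSI, O=Federal, C=DE",
    "L=Berlin, OU=BSI, O=Federal, C=DE",
]


def parse_dn(dn):
    """Split a DN into a list of (type, value) RDNs, normalized to lower case.

    A backslash escapes the next character, so "cn=Muster\\, Max" stays one RDN.
    Multi-valued RDNs ("cn=a+sn=b") and other escapes are kept verbatim.
    """
    if not dn.strip():
        return []                          # the empty DN (root DSE) has no RDNs
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    result = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        result.append((attr_type.strip().lower(), value.strip().lower()))
    return result


def select_database(target_dn, suffixes):
    """Return the configured suffix that is the longest suffix of target_dn, else None."""
    target = parse_dn(target_dn)
    best, best_len = None, -1
    for suffix in suffixes:
        rdns = parse_dn(suffix)
        n = len(rdns)
        # A suffix matches when the last n RDNs of the target equal it exactly.
        if n <= len(target) and target[len(target) - n:] == rdns and n > best_len:
            best, best_len = suffix, n
    return best
```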

Overlays

Overlays are used to influence the behaviour of an existing backend without having to adapt or rewrite the backend itself. For this purpose, the overlay is inserted into the slapd server's processing path in front of the backend, so that operations reach the backend in filtered form or results leave it in modified form. Most overlays are used at the database level, but are often not restricted to one backend type.

The following graphic shows an overview of the OpenLDAP architecture:

Figure: OpenLDAP architecture

To use backends or databases and overlays, two steps are required: on the one hand, the source code of the backends and overlays must be compiled along with OpenLDAP (see S 4.383 Secure installation of OpenLDAP) and, on the other, the backends and overlays must be declared in the configuration (see S 4.384 Secure configuration of OpenLDAP). Backends and overlays can also be compiled as dynamic modules.

Tools

In addition to libraries and the slapd server, OpenLDAP also comprises a collection of tools. These tools are divided into ldap* tools and slap* tools.

The ldap* tools include the following tools:

The ldap* tools use the LDAP protocol themselves and always direct their operations, as clients, at a running directory service. In doing so, they are independent of the slapd server. This means that they can also communicate with other LDAP servers, and their function can in turn be provided by tools other than those of OpenLDAP. In practice, graphical tools in particular are used.

The slap* tools include the following tools:

The slap* tools do not use the LDAP protocol. These tools work independently of the slapd server or bypass it and directly access, among other things, the configuration files or the files of a database. The slap* tools are tied to the slapd server and to the BerkeleyDB. As a rule of thumb, the slapd server must always be running when ldap* tools are used and should never be running when slap* tools are used.

OpenLDAP adaptation

OpenLDAP is documented in detail. Internal relationships and processing steps are known because the source code is available. Thus, it is easy to create and use administration aids such as scripts. It is also possible to change the source code and to compile it yourself. In addition, there is a generic application programming interface (API) by means of which even separate backends and overlays can be created and used without making any changes to OpenLDAP.

Additional information

The IT-Grundschutz catalogues can only provide a general introduction to OpenLDAP and take security aspects into account in particular. Other aspects, for example settings to improve performance, are not considered, although they might play a significant role during planning and installation. In addition to the existing technical literature covering OpenLDAP, the documentation provided free of charge by the OpenLDAP developers is a very good source of information. The main document is the OpenLDAP Administrator's Guide (http://www.openldap.org/doc) for the version in use. Frequently asked questions (FAQs) and answers are collected at http://www.openldap.org/faq. However, the FAQ also includes questions and answers that were written for an older OpenLDAP version and are no longer valid.

For the extensive configuration options and parameters, the man pages are the primary reference. The OpenLDAP man pages are usually installed together with OpenLDAP itself, but are also available separately on the Internet (http://www.openldap.org/software/man.cgi). However, for some parts of the software, especially the newly developed backends and overlays, no man pages of sufficient quality are available yet.

For detailed information or in case of problems, it is recommended to consult the official mailing lists of the project at http://www.openldap.org/lists. It is also possible to subscribe to the lists; older messages are available in archives at the same address.