What is LDAP?
LDAP stands for the "Lightweight Directory Access Protocol". It was
originally designed to provide access to X.500 databases, but it is now
more common to find LDAP servers running standalone. LDAP has become the
de facto standard for internet directory services. Many of the internet
email directories (such as bigfoot and four11) provide LDAP access to
their databases, and LDAP has caught on in many other capacities on the
internet. Currently Netscape, Novell, Microsoft, Sun and many other large
companies are incorporating LDAP into their directory strategies. Because
LDAP is an internet standard, these separate directories will be able to
communicate and share information. LDAP has a hierarchical structure and
can be used to store a wide variety of data, including email addresses,
public keys, user authentication credentials, binary data, or just about
anything else one would care to put into it.
LDAP provides a large degree of scalability through server replication, a
referral mechanism, and its support for hierarchical databases. A typical
large network may have an LDAP master and several LDAP replicas, or it
could be structured hierarchically, with an LDAP server for network-wide
operations and leaf LDAP servers for each department.
Setting up LDAP on your network.
The LDAP master server.
First download and install your LDAP server of choice. For Linux this
means installing the UofM LDAP server with the Linux patches. The server
is available in source or RPM format. After installing, edit your
/etc/slapd.conf file. You must change the organization name, the binddn,
and the password. You should then create some sort of database. If you are
planning to use LDAP as a network information service, see the 'Populating
the LDAP database' section below. Otherwise you will have to generate your
own LDIF file and use ldif2ldbm to convert that file to the LDAP database
format. Once you have data, you can start the database. If you used the
RPM, do this by running '/etc/rc.d/init.d/ldap start'; otherwise just
running '/usr/sbin/slapd' should do the trick.
You should check to see if your database is up. You can do this using the
'ldapsearch' command. Use "ldapsearch -b'YOUR_ORG_STRING' 'objectclass=*'"
to see all of the objects in your database.
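The master setup above, carried out by a small script. This is an added example, not code from the HOWTO or the UofM distribution: it writes a minimal slapd.conf, seeds a starter LDIF, and counts the entries that will be loaded. Directive names (include, database, suffix, directory, rootdn, rootpw) follow the UofM/OpenLDAP 1.x slapd.conf format; the include paths, DNs, database directory and password are placeholders. Because slapd.conf holds rootpw in clear text, the script creates it readable by root only.

```sh
# Added example (not from the HOWTO): generate a master slapd.conf, seed a
# starter LDIF, and count the entries that ldif2ldbm will load.
# Assumptions: UofM/OpenLDAP 1.x directive names; /etc/slapd.at.conf and
# /etc/slapd.oc.conf as the schema include files; all DNs and paths are
# placeholders.

# write_slapd_conf CONF SUFFIX ROOTDN ROOTPW DBDIR
# rootpw is stored in clear text, so the file is created mode 0600.
write_slapd_conf() {
    conf=$1 suffix=$2 rootdn=$3 rootpw=$4 dbdir=$5
    (
        umask 077            # subshell: the restrictive umask stays local
        cat > "$conf" <<EOF
# generated master configuration; keep mode 0600, it contains rootpw
include     /etc/slapd.at.conf
include     /etc/slapd.oc.conf

database    ldbm
suffix      "$suffix"
directory   $dbdir
rootdn      "$rootdn"
rootpw      $rootpw
EOF
    )
    chmod 600 "$conf"
}

# write_seed_ldif LDIF SUFFIX ORGNAME
# Two starter entries in LDIF: the organization at the suffix and an ou for
# people. Entries are separated by a blank line.
write_seed_ldif() {
    cat > "$1" <<EOF
dn: $2
objectclass: top
objectclass: organization
o: $3

dn: ou=People, $2
objectclass: top
objectclass: organizationalUnit
ou: People
EOF
}

# count_entries: number of blank-line separated records on stdin
# (LDIF and, assumed here, ldapsearch output both use that layout).
count_entries() {
    awk 'BEGIN { RS = "" } END { print NR }'
}

# count_ldif_entries LDIF: entries the file would load into the database.
count_ldif_entries() {
    count_entries < "$1"
}

# build_database CONF LDIF: run with slapd stopped; converts LDIF to ldbm.
build_database() {
    command -v ldif2ldbm >/dev/null 2>&1 || { echo "ldif2ldbm not installed" >&2; return 2; }
    ldif2ldbm -f "$1" -i "$2"
}

# verify_live SUFFIX LDIF: with slapd running, compare what the server returns
# for 'objectclass=*' against what the LDIF held. Returns 1 on a mismatch.
verify_live() {
    suffix=$1 ldif=$2
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed" >&2; return 2; }
    live=$(ldapsearch -b "$suffix" 'objectclass=*' | count_entries)
    expected=$(count_ldif_entries "$ldif")
    echo "server returned $live entries, LDIF held $expected"
    [ "$live" -eq "$expected" ]
}

# Usage as root, with slapd stopped (every value is a placeholder):
#   write_slapd_conf /etc/slapd.conf "o=SomeOrgName" "cn=root, o=SomeOrgName" CHANGE-ME /var/ldap
#   write_seed_ldif /tmp/seed.ldif "o=SomeOrgName" SomeOrgName
#   build_database /etc/slapd.conf /tmp/seed.ldif && /usr/sbin/slapd
#   verify_live "o=SomeOrgName" /tmp/seed.ldif
```

verify_live is the scripted form of the ldapsearch check described above; it only makes sense once slapd has been started, which is why the two steps are kept separate.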
Scaling LDAP by setting up replicas.
If your site has a large degree of LDAP traffic you may wish to set up
more than one ldap server on the network. The UofM software provides a
tool (slurpd) that performs this function.
First install the LDAP server software on the replica machine. Once it has
been installed, edit your /etc/slapd.conf file. It should look like the basic
config that came out of the box, with the appropriate changes to organization
name, rootdn and password. Add a line with binddn="cn=replicator,o=SomeOrgName",
which matches the replica entry you're about to put in the master's
/etc/slapd.conf. Also make sure your slave has a 'referral' line pointing to
the master.
On the master you'll want to specify a replica log file (you only have to
do this once, not for each replica). You would include a replogfile directive
such as:
replogfile /var/ldap/replica.log
Now, for each replica host, you will have to add a replica line to the
master's slapd.conf. The line specifies the host, the user to bind as,
and the credentials to use. This should all be on one line (although it's
shown here on multiple lines for readability).
replica host=slavehostname
binddn="cn=replicator,o=SomeOrgName"
bindmethod=simple credentials=binddn_password
Now you will have to shut down the database, then copy the original database
files (found in your 'directory' setting) to the slave. Then start up slapd
on both the master and the slave, and start slurpd on the master. Slurpd
should monitor changes on the master and propagate them to the slaves. You
can check this by changing something on the master and doing the appropriate
lookup on the slave's LDAP server.
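The replication configuration described above, generated and checked by script. This is an added example, not code from the HOWTO or from slurpd: it emits the replogfile directive and one replica directive per replica host, each on a single line; checks a slapd.conf for a replica directive that was pasted across several lines (the pitfall the text warns about); and confirms that the slave's binddn matches a replica directive on the master. Host names, the replicator DN and the credential are placeholders, and the credential ends up in clear text in slapd.conf, which is one more reason to keep that file readable by root only.

```sh
# Added example (not from the HOWTO): master-side replication directives plus
# two consistency checks. Hosts, DNs and the credential are placeholders.

# master_replication_directives REPLOG BINDDN CREDENTIALS HOST...
# Prints the replogfile directive and one single-line replica directive per
# host, in the form the master's slapd.conf expects.
master_replication_directives() {
    replog=$1 binddn=$2 cred=$3
    shift 3
    printf 'replogfile %s\n' "$replog"
    for host in "$@"; do
        printf 'replica host=%s binddn="%s" bindmethod=simple credentials=%s\n' \
            "$host" "$binddn" "$cred"
    done
}

# check_replica_directives CONF
# Every line that starts with 'replica' must carry host=, binddn=, bindmethod=
# and credentials=. A directive that was wrapped onto a second line leaves the
# first line incomplete, which this check reports. Returns 1 on any problem.
check_replica_directives() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            replica*)
                for key in host= binddn= bindmethod= credentials=; do
                    case "$line" in
                        *"$key"*) ;;
                        *) echo "incomplete replica directive (missing $key): $line"; rc=1 ;;
                    esac
                done ;;
        esac
    done < "$1"
    return $rc
}

# replica_binddns MASTERCONF: the binddn of every replica directive in the file.
replica_binddns() {
    sed -n 's/^replica .*binddn="\([^"]*\)".*/\1/p' "$1"
}

# slave_binddn_matches SLAVECONF MASTERCONF
# The slave's binddn line (binddn="..." as in the text, or binddn "...") must
# equal the binddn of some replica directive on the master; otherwise the two
# sides disagree about the replicator identity. Returns 1 on a mismatch.
slave_binddn_matches() {
    slave=$(sed -n 's/^binddn[ =]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1)
    [ -n "$slave" ] || { echo "no binddn line in $1"; return 1; }
    if replica_binddns "$2" | grep -qxF -- "$slave"; then
        return 0
    fi
    echo "slave binddn \"$slave\" matches no replica directive in $2"
    return 1
}

# Usage on the master (values are placeholders):
#   master_replication_directives /var/ldap/replica.log \
#       "cn=replicator,o=SomeOrgName" CHANGE-ME slave1 slave2 >> /etc/slapd.conf
#   check_replica_directives /etc/slapd.conf
# On the slave, after copying the master's slapd.conf over for comparison:
#   slave_binddn_matches /etc/slapd.conf /tmp/master-slapd.conf
```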
Scaling LDAP by distributing data.
Another option for scaling your LDAP database is to use a hierarchical layout.
This may work well if you have a naturally partitioned organization, such
that different departments each have their own LDAP server. The
organization will still have a 'root' LDAP server, and this server will have
referrals to the internal departments. For example, let's suppose you have a
department called Engineering, which you wish to partition from your root LDAP
server. You would set up your Engineering LDAP server's suffix as
"ou=Engineering,o=SomeOrgName". You would also set it up to refer clients to
your root LDAP server. On your root server, you would set up a referral in
the database itself:
dn: ref="ldap://engineeringserver/ou=Engineering,o=SomeOrgName", \
ou=Engineering,o=SomeOrgName
objectclass: referral
Thus any request the root server gets for Engineering data will be referred to
the Engineering server, and any request the Engineering server does not have
data for will be referred to the root server.
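The partitioning rule above, worked through as an added example (not code from the HOWTO): a table of server/suffix pairs, a routine that decides which server is authoritative for a given DN by longest-suffix match (so the Engineering server wins over the root server for anything under ou=Engineering, while ou=NotEngineering still belongs to the root), and a generator for the referral entry the root server carries. The server names and the partition table are constructed for the example; the DN normalisation is deliberately simple (lower-case, blanks after commas removed) and is an assumption, not full LDAP DN matching.

```sh
# Added example (not from the HOWTO): which server holds a DN, by longest
# suffix match, plus the referral entry for the root server.

# Partition table, constructed for this example: "server suffix" per line.
PARTITIONS='rootserver o=SomeOrgName
engineeringserver ou=Engineering,o=SomeOrgName'

# normalize_dn DN: lower-case and drop blanks after commas, so that
# "cn=Alice, OU=Engineering, o=SomeOrgName" equals its compact form.
# (Assumed simplification; real DN matching handles more than this.)
normalize_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# authoritative_server DN
# Prints the server whose suffix is the longest match for DN. A suffix matches
# only when it equals DN or follows a comma in DN, so ou=NotEngineering does
# not fall under ou=Engineering. Prints "none" when no server holds the tree.
authoritative_server() {
    dn=$(normalize_dn "$1")
    best=none
    bestlen=0
    while read -r server suffix; do
        [ -n "$server" ] || continue
        s=$(normalize_dn "$suffix")
        case "$dn" in
            "$s"|*",$s")
                if [ "${#s}" -gt "$bestlen" ]; then
                    best=$server
                    bestlen=${#s}
                fi ;;
        esac
    done <<EOF
$PARTITIONS
EOF
    echo "$best"
}

# referral_entry LDAPURL SUFFIX
# The LDIF entry the root server carries so that requests below SUFFIX are
# referred to the server at LDAPURL (same shape as the entry in the text).
referral_entry() {
    printf 'dn: ref="%s/%s", %s\nobjectclass: referral\n' "$1" "$2" "$2"
}

# Usage:
#   authoritative_server 'cn=alice, ou=Engineering, o=SomeOrgName'   # engineeringserver
#   referral_entry ldap://engineeringserver ou=Engineering,o=SomeOrgName
```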
Setting up LDAP as a network information service
Populating the LDAP Database
Use the MigrationTools to populate your database with existing
information. You should edit migrate_common.pl to suit your environment. If
you're using the Linux RPMs, edit migrate_all_offline.sh to reflect the proper
location of ldif2ldbm (/usr/sbin).
Make sure your LDAP server is not running, then run
migrate_all_offline.sh. This should populate your database with all the
information required to use LDAP as an information service. You can now
check your system to ensure it's properly populated by starting your LDAP
server, then running ldapsearch -b'YOUR_ORG_STRING' 'objectclass=*'. If
everything worked you should see a dump of your database with all the
entries.
Installing the Client machines
Download the nss_ldap module. Untar the module, then cd to the directory.
Build the module with 'make -f Makefile.linux'. Then install (as root) by
typing 'make -f Makefile.linux install'. This should install the module,
the configuration file (/etc/ldap.conf) and an nsswitch template
(/etc/nsswitch.ldap). Edit the /etc/ldap.conf file to reflect your site,
then to test it run 'make -f Makefile.linux test.pl'. This should test the
major functionality of the nss_ldap module. You should see all system
calls, and the results of the calls. If all goes well, copy
/etc/nsswitch.ldap to /etc/nsswitch.conf.