What is LDAP?

There has been a lot of talk about LDAP since we decided to roll it out for central HACKS authentication.

LDAP stands for Lightweight Directory Access Protocol. It is a protocol for exchanging directory objects over a network connection; it does not specify how the information is stored on the server. So an LDAP server is just a computer that takes formatted text objects and presents them over a socket in an organized way.

The primary uses for LDAP are central authentication, online phone books, and cryptographic keyservers.

Examples of LDAP servers @ the University of Arizona include NetID (the authentication server for many campus services, including e-mail, WebReg, employee link, ...) and the UA Phonebook (ldap.arizona.edu; an online phonebook containing information about students, faculty and staff).

While the physical storage of the data is left unregulated by the LDAP standards documents, the logical representation is tightly governed. Schemas are defined that restrict and mandate what types of objects may exist in the directory and which attributes each of them must or may carry.

When manually interacting with an LDAP-compatible server, you use a file called an LDIF (LDAP Data Interchange Format). An LDIF file defines an instance of an object and describes its place in the directory. A user object looks like this:

dn: cn=Shawn Nock,ou=members,dc=hacks,dc=arizona,dc=edu
givenName: Shawn
sn: nock
cn: Shawn Nock
uid: nock
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
mail: nock@hacks.arizona.edu
userPassword: deadbeef(password hash)deadbeef
loginShell: /usr/local/bin/bash
homeDirectory: /home/nock
# posixAccount also requires a numeric user id and group id (sample values)
uidNumber: 1001
gidNumber: 100

Description of terms (for an object of type posixAccount):
cn= "Common Name" The name of the object instance
ou= "Organizational Unit" A container for objects
dn: "Distinguished Name" Describes where the object exists in the directory hierarchy. In the above example: the object named "Shawn Nock" exists in a container called "members" in the directory "dc=hacks,dc=arizona,dc=edu"
sn: "Surname" Last name
givenName: First name
objectClass: The object type. The above object inherits the requirements of a person (inetOrgPerson; allowing surname, givenName, mail), of a POSIX account (posixAccount; meaning the object gets a uid [login name], userPassword [login password], login shell, home directory, etc.) and of "top", the basic top-level object from which all objects inherit (allows common name and distinguished name)
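As an added example (not part of the original page or of OpenLDAP), here is a small Python parser for a single LDIF entry in the shape of the one above, together with a check of the entry against a hand-written subset of the schema MUST lists. The sample entry and the MUST table are constructed assumptions for illustration, and DN values containing escaped commas are not handled.

```python
import base64
# Constructed sample entry in the shape of the one above (not the page's live data);
# userPassword uses the '::' base64 form so that syntax is exercised by the parser.
SAMPLE_LDIF = """\
# comment and blank lines are ignored
dn: cn=Shawn Nock,ou=members,dc=hacks,dc=arizona,dc=edu
givenName: Shawn
sn: nock
cn: Shawn Nock
uid: nock
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
mail: nock@hacks.arizona.edu
userPassword:: e1NTSEF9ZGVhZGJlZWY=
loginShell: /usr/local/bin/bash
homeDirectory: /home/nock
uidNumber: 1001
gidNumber: 100
"""
# Assumed subset of the schema MUST lists; the real schema files carry the full definitions.
MUST = {
    "top": {"objectClass"},
    "inetOrgPerson": {"cn", "sn"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
}

def parse_ldif(text):
    """Return {attribute: [values]} for one entry; handles folded lines and '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry

def split_dn(dn):
    """Split a DN into (type, value) RDNs, leaf first; escaped commas are not handled."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]

def missing_attributes(entry):
    """Per objectClass, the MUST attributes the entry lacks (empty lists mean it conforms)."""
    return {oc: sorted(MUST.get(oc, set()) - set(entry)) for oc in entry.get("objectClass", [])}
```

Running `missing_attributes(parse_ldif(SAMPLE_LDIF))` on an entry that drops homeDirectory reports it under posixAccount, which is the kind of schema violation an LDAP server rejects at add time.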

Once the object is in the directory, HACKS uses a PAM (pluggable authentication module) to query the directory for a uid (login name) and compare the password, which allows login to multiple machines. Assuming the password is correct, the server can pull all the relevant information (where the user's home directory is, what shell they like, etc.) and use it to customize their environment.

For example, the main web site uses uid and userPassword to authenticate a user and pulls in mail so the user can be contacted through a web form. The given name and surname are used to mark a post by a user so others know who posted it.

More information about LDAP can be found from various sources on the internet. Try searching for OpenLDAP (the name of the LDAP server/client software HACKS uses).