Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services

"Mastering OpenLDAP" by Matt Butcher is a good introduction to both OpenLDAP and LDAP in general. While it covers the specifics of OpenLDAP, there is a lot of information covering a wide variety of LDAP topics. It's a good read for both the novice and expert with quite a bit of detail about just about everything to do with LDAP. While it does delve into the theory regularly, it's always related back to the practicalities of actually doing something with it.

The first chapter is an introduction to what LDAP is, with an excellent analogy between LDAP and a phone book, showing how similar and how different they are. There is also a discussion of what you can actually use LDAP for, something that is occasionally misunderstood. It then covers exactly what OpenLDAP consists of, which leads into the second chapter on installation and configuration. Throughout this chapter a basic OpenLDAP server and client configuration is built up, starting with the basics of defining which schemas are loaded, then moving on to backend database configuration and ACLs. Testing the LDAP server is also covered, as is ensuring it starts correctly on boot. Finally, it covers basic client configuration so that you can talk to the LDAP server that was just set up. These first two chapters serve as a good introduction if you are new to both LDAP and OpenLDAP, but if you have used it before there is probably nothing new here.

The third chapter goes into more detail about how to actually use OpenLDAP: building a basic LDAP tree, searching the data inside it, and the basics of authentication. LDAP operations are also covered, including bind, search, add, modify and delete, as well as the less frequently used ones. Filters are covered to a reasonable depth too, as they are an important part of dealing with LDAP. Representing an LDAP tree in ASCII format is covered as well, explaining how LDIF works and how to build up a basic directory tree, including the base DN, users and system accounts. There is also a very good discussion of the options for directory tree structure, with a useful comparison between the two major options. The OpenLDAP command line utilities are covered to a good level of detail, both the ones that speak LDAP (ldapsearch, ldapadd, ldapmodify, ldapdelete etc.) and the ones that talk directly to the server's database (slapadd, slapcat, slapindex, slappasswd etc.). Operational attributes are also touched on. This chapter felt a bit more useful to me, and gave a lot of detailed information about the command line utilities that you might not know if you don't use them all in great depth.

Chapter 4 covers securing the OpenLDAP server from three main points of view: client/server communication via SSL/TLS, authentication with SASL, and authorization with ACLs. The SSL section goes into great detail about how it works, the differences between LDAPS and StartTLS, and explains a lot about PKI. It also explains how to create a local certificate authority using OpenSSL and how to install a certificate generated from it into OpenLDAP. Security Strength Factors (SSF) are also described, and how to use them to ensure that data is only accessed over an appropriately secured connection. Authentication is covered in great depth, showing some of the options available. SASL is covered for those who need a much stronger authentication source, using the Cyrus SASL libraries; this includes both password style authentication and using client SSL certificates as an authentication source. The last section of this chapter is an in-depth look at access control lists (ACLs), explaining how to control access to LDAP data. The options are explained very well, and a basic ACL setup is built that can be used as a starting point for your own directory.

The next chapter covers advanced slapd configuration, which includes performance tuning, directory overlays, integrity and uniqueness constraints, and multiple backend databases. The performance tuning section covers a fair bit of ground, from simple things like time limits, idle timeouts and size limits, to indexes and cache tuning. There is also a useful section on how to tune the backend database, which is something that is easily overlooked but can give some good performance increases. Directory overlays are covered, with a brief overview of some of the available modules and a description of how to use the referential integrity and uniqueness overlays. Although it is a shorter chapter, it covers some fairly important ground, and explained a few new things to me that I hadn't had a chance to use before.

Chapter 6 is a bit heavier going to start with, covering LDAP schemas. It covers what a schema consists of, how to define both object classes and attributes, and the details of how to define attribute matching rules and syntax. Object class and attribute hierarchy is covered in great depth, really explaining how it works and its implications. The different types of object classes - abstract, structural and auxiliary - are explained, and it is shown how they fit into the hierarchy. The next section of the chapter shows how to implement two overlays that require their own schemas: password policy and access log. The access log overlay allows a log of access to the LDAP server to be stored in an LDAP tree, and the password policy overlay allows enforcement of password strength, expiration and other password related policies. The last section runs through creating your own schema by showing an example schema being built. I felt by the end of the chapter that it gave a really good understanding of schemas, and some good practical examples of working with them.

Multiple directories are the focus of the next chapter, covering the two main types: replication and proxying. On the replication side it covers the basics of how LDAP works in general, then the specifics of SyncRepl, the newer replication mechanism for OpenLDAP that replaces slurpd. The two modes that replication can work in - refresh only, and refresh and persist - are explained, and two directory servers are set up, one as master and the other as slave, using SyncRepl. Proxying is where an OpenLDAP server talks to the clients and retrieves the data from another LDAP server. In OpenLDAP this is done via the ldap backend, and a simple configuration using it is shown, as well as briefly touching on the more advanced identity management features it offers. The next step, turning the proxy into a cache, is also explained, which can speed up queries to the directory tree quite significantly. The last example of proxying is a translucent proxy - a proxy that pulls information from a remote directory server, but stores any modifications to the LDAP tree locally rather than forwarding them to the upstream directory server. This chapter gives a good feel for how to work with multiple directories, and shows some of the possibilities of proxying.

The last chapter talks about LDAP and web services, specifically Apache and a web based LDAP administration application, phpLDAPadmin. Apache LDAP authentication is explained for both Apache 2.0 and 2.2, including the various ways of restricting who has access by LDAP attribute, group, filter and more. phpLDAPadmin is a web based LDAP administration application written in PHP, and its installation, configuration and usage are covered. I felt this was the weakest chapter in the book, as it is possibly the most likely to date badly, and it is only useful if you are interested in those particular applications. It would be useful to newer users of OpenLDAP though, specifically people interested in Apache.

The appendixes cover the basics of building OpenLDAP from source if your OS doesn't have it available in packaged form, or you wish to try a later version than is available to you. For experienced systems administrators it is fairly straightforward, but it is good for the less experienced out there. The LDAP URL appendix describes in detail how LDAP URLs are constructed and what they are used for. The most useful appendix to me was the last one, which covers some more advanced common LDAP command line tool usage, such as returning the Root DSE, finding out what subschemas are available, backing up the LDAP tree, and more.

Note, in the interest of full disclosure, that the book was provided to me by the good people at Packt Publishing in return for a review; there were no conditions attached other than providing a review, and it has not affected my review in any way other than causing its existence.

Review by Brad Marshall (brad@humbug.org.au), 29th March 2008