OpenLDAP authentication (Tuesday 8th January 2013)
I've been trying to get my head around how to restrict access to openSUSE's LDAP server. My confusion comes round some of the terminology and how the administrator's account works.
Firstly, the administrator's account is "special": its password is defined as a configuration item, not as a user entry in the directory, so let's ignore it.
To authenticate with LDAP the client must perform a "bind" operation; in the rest of the world we call this a logon. Simple authentication sends the password in plain text, which is fine if you're using TLS or SSL to protect the connection. The username is the full path to an entry inside the same LDAP directory.
A quick reminder of how LDAP entries are addressed: to select an entry in the directory you use a "Distinguished Name" (DN), a unique reference to the object. It's like a username, but it is used for identifying everything and it is hierarchical.
So to build the DN that identifies the user we want to authenticate, we need some knowledge of the directory (not so helpful, but hey). And it's written backwards too...
The first component is the bottom-most object, our user. This user will have a "common name" defined that we can use to uniquely identify it within its parent container. But we also need to list the containers, and their parents, to guarantee uniqueness. These containers tend to be "Organisational Units". We finally reach the root of our directory, which is called a "Domain Component"; there could be nested DCs.
An example of a simple DN for a user would be:
This would identify a user called "MyUser", within an OU of "users" in the "AddressBook" directory.
Great, so now we've figured out our username, we can progress to setting the password. Each entry in the directory has a series of attributes (such as the common name); one of these is userPassword, which, as you may have guessed, is where the password is saved. Using "ldappasswd" or a similar tool will set this as a hash correctly.
So in the AddressBook example above, if you wanted to create an address book but restrict access to certain people, you would need to create an entry within your address book for your user and give that entry a password. You can then use that user's DN to "bind" to LDAP.
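To tie the DN and password parts together, here is a small Python illustration added to this post (not code from the post or from OpenLDAP): it assembles a DN leaf-first with the escaping RFC 4514 requires, and produces and checks the {SSHA} form that slapd stores in userPassword when you use ldappasswd. The DN cn=MyUser,ou=users,dc=AddressBook is an assumed rendering of the example above.

```python
"""DN construction and {SSHA} userPassword handling (added illustration,
not the post's own code). The example DN below is an assumption."""
import base64
import hashlib
import hmac
import os

# Characters that RFC 4514 says must be backslash-escaped inside a value.
_DN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value per RFC 4514, including a leading '#'/space and a trailing space."""
    chars = ['\\' + c if c in _DN_SPECIAL else c for c in value]
    if chars and chars[0] in ('#', ' '):
        chars[0] = '\\' + chars[0]
    if len(chars) > 1 and chars[-1] == ' ':
        chars[-1] = '\\ '
    return ''.join(chars)


def build_dn(cn: str, ous: list, dcs: list) -> str:
    """Assemble the DN 'backwards': cn first, then OUs nearest-to-root, then the DCs."""
    rdns = ['cn=' + escape_rdn_value(cn)]
    rdns += ['ou=' + escape_rdn_value(ou) for ou in ous]
    rdns += ['dc=' + escape_rdn_value(dc) for dc in dcs]
    return ','.join(rdns)


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def ssha_verify(password: str, stored: str) -> bool:
    """Check a bind password against a stored {SSHA} value, as the server does on simple bind."""
    if not stored.startswith('{SSHA}'):
        return False
    raw = base64.b64decode(stored[len('{SSHA}'):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is the salt
    candidate = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == '__main__':
    dn = build_dn('MyUser', ['users'], ['AddressBook'])  # assumed DC for the post's example
    print(dn, ssha_verify('s3cret', ssha_hash('s3cret')))
```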