Notes about beginning LDAP

One of the things I hadn’t the chance of managing at work is centralized authentication, either via LDAP, Kerberos or ActiveDirectory (not sorry about this one).

LDAP in particular has always been in the back of my mind because it’s often cited in conversation (“this service authenticates against the domain LDAP server” or “the bind DN for in the configuration of X is wrong”) but I never really looked this up. Specifically, when preparing for the RHCSA exam, configuring network authentication was the hardest task for me because I really had no idea what I was talking about. In order to have the best chance at completing the task in the exam (I wasn’t sure there would have been one, but I was expecting it to be there) I performed the sample task over and over again, like a karate kata, until I could do it almost blindly (even though I still didn’t fully understand what I was doing).

Well since I’ve got a couple of years of vacation, I decided to spend some time fixing this, and learning something about LDAP. In this article I want to point at the resources I have used, since this could ideally help somebody else.

Which LDAP implementation?

I don’t know. Instinctively, I would say OpenLDAP as it seems to be the de-facto standard. OpenLDAP has been deprecated in RHEL though, in favor of 389d (aka Fedora Directory Server or Red Hat Directory Server). Also, it seems that there is another functional implementation by the Apache project, Apache Directory Services.

Also, there’s this big project called FreeIPA which bundles 389d along with a lot more stuff to provide a complete solution.

I haven’t tried much stuff yet so I am not sure which one to recommend. I just wanted to name a few implementations so that you, the reader, are aware of their existence.

Things that you shouldn’t bother about

If you’re like me, your ultimate goal is to be able to administer an LDAP service, at a reasonable functionality level, almost autonomously.

Given this ultimate goal, it would seem logical to start by looking for some well-done YouTube videos on the subject, in order to then infer enough theory from practice and go forward from there.

Well, it’s a crappy idea and I am aware of this. But it’s a particularly crappy idea about LDAP because a lot of YT videos are about a specific implementation and reason in terms of the specific implementation toolchain. Also, some authors on YT speak English in a really atrocious accent that will really make your ears bleed and will make you want to go work in the country side as a gardener or something. You’ve been warned.

Tangentially related

A long time ago I was in high school and studying databases on my own by watching this video course. This professor guy was outlining the course, and motivating the decision about splitting the course in two halves: the first half would have been a dump of theoretical concepts and the second half an example implementation using Access from Microsoft. His motivation for doing so was that learning in the field of engineering (and possibly other fields too) has two quite distinct sides: a methodological side and a technological side. The methodological side was the side about concepts and reasoning, mental models, the syntax and semantics of formulas and this kind of stuff. The technological side is about using stuff from the methodological side in the real world, with a real database implementation. He was very right, and I’ve then learned that if theory is sound in your mind, you will not mind (pun not intended) receiving examples using some sub-par database implementation like MS Access (or anything else really).

Do this instead

Instead, I looked for some methodological course about LDAP, that will teach about LDAP itself, regardless of the implementation. I advise you to do the same.

An awesome resource I found thanks to reddit’s /r/sysadmin wiki was the following:

It’s a very long guide that will eventually teach you how to configure LDAP, but only after having laid out some serious conceptual background about it.

Notable mentions

Other things worth mentioning are:

This guide from DigitalOcean’s KB:

It’s refreshingly simple, albeit not as thorough as the previous link (“LDAP for Rocket Scientists”) but imho a good complement.

This OpenLDAP docker image:

It’s probably not what you want to run in production or at home, but it’s very good to start a pre-configured LDAP server to do some basic tests.

It’s an awesome Eclipse-based environment to operate on and administer an LDAP server. It’s a tool from Apache Directory Service (although it’s a standalone application that you can run without ApacheDS).


Enough for today, I’ll probably add more when I learn something else 🙂
