LDAP
LDAP (Lightweight Directory Access Protocol) is, as the name strongly hints, a directory look-up protocol.
CSE/CSG-maintained systems — such as user-loginable lab computers and VLAB/login servers — use CSE's own LDAP to:
- Look up user account information (such as UID, GID and home directory location) when users log in,
- Determine file system object owner and group names,
- Look up user netgroup affiliations when managing user access to resources. A netgroup is effectively an LDAP instantiation of a UDB class — if a user is a current member of a UDB class (either directly or by inheritance) then an LDAP query for the same-named netgroup will return a user list including that user,
- Authenticate users of non-person special accounts, such as class accounts, but not zID accounts.
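How a host resolves the netgroup lookup described above, including membership inherited through nested groups, as an added example that is not CSG's or the UDB's code. It assumes the netgroups are published with the RFC 2307 nisNetgroup schema; the group names and zIDs are constructed.

```python
# Added example (not CSG/UDB code): resolve netgroup membership, including
# inheritance, from LDAP entries. Assumes the RFC 2307 nisNetgroup schema
# (nisNetgroupTriple = direct members, memberNisNetgroup = nested groups).
import re

# Constructed sample of what a netgroup search could return (cn -> attributes).
# Only *current* membership is represented, as in OpenLDAP's database.
SAMPLE_NETGROUPS = {
    "comp1511_students": {"nisNetgroupTriple": ["(,z5000001,)", "(,z5000002,)"],
                          "memberNisNetgroup": []},
    "comp1511_tutors": {"nisNetgroupTriple": ["(,z5000003,)"],
                        "memberNisNetgroup": []},
    # Inherits its members from the two groups above.
    "comp1511": {"nisNetgroupTriple": [],
                 "memberNisNetgroup": ["comp1511_students", "comp1511_tutors"]},
}

TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^,]*)\)$")


def triple_user(triple):
    """Return the user field of a (host,user,domain) triple, or None if empty."""
    m = TRIPLE_RE.match(triple.strip())
    if not m:
        raise ValueError(f"malformed netgroup triple: {triple!r}")
    return m.group(2) or None


def netgroup_users(name, netgroups, _seen=None):
    """Flatten a netgroup into the set of users it contains, following
    memberNisNetgroup references (inheritance) and tolerating cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:
        return set()  # unknown or already-visited group contributes nothing
    _seen.add(name)
    entry = netgroups[name]
    users = {u for u in map(triple_user, entry.get("nisNetgroupTriple", [])) if u}
    for child in entry.get("memberNisNetgroup", []):
        users |= netgroup_users(child, netgroups, _seen)
    return users


def is_member(user, netgroup, netgroups=SAMPLE_NETGROUPS):
    """The access check a host makes: is this user a current member?"""
    return user in netgroup_users(netgroup, netgroups)
```

Because the synchronised directory holds only current membership, a former class member simply does not appear in the flattened set and the check fails closed.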
CSG-maintained LDAP service, OpenLDAP and the New UDB
One of the roles of the UDB is to provide account information to CSE's user-loginable Linux hosts. The standard way of doing this is via LDAP. The New UDB implements LDAP using the open-source OpenLDAP package.
OpenLDAP uses its own high-speed database to store the information it serves, and every 15 minutes the relevant contents of the New UDB's PostgreSQL database are extracted, flattened and synchronised into OpenLDAP's own database.
It's notable that the New UDB's database understands that known users may not be current, or that current users may once have been members of particular classes or groups but are not any more. LDAP, on the other hand, is only about now, so historical users and historical class/group memberships are NOT represented in OpenLDAP's database and will not appear in LDAP query results.
The OpenLDAP service runs on bandleader, as do the synchronisation scripts.
LDAP and Active Directory (AD)
CSG-maintained user-loginable hosts use the LDAP service on bandleader primarily for account information, and use Kerberos via UNSW's own Active Directory servers to authenticate users' zID and zPass.
Some non-CSG-maintained CSE services set up by academics and others authenticate via LDAP to UNSW's Active Directory servers and do not talk to CSG's own UDB OpenLDAP service at all.
The acc
can query Active Directory to obtain users' personal information to display.
See also
- LDAP on Wikipedia
- The host class "ldap", which causes LDAP to be installed and configured on New World hosts that are members of this class