[Freeipa-users] LDAP-101

Rob Crittenden rcritten at redhat.com
Tue Dec 8 14:58:18 UTC 2009


Michael Wisniewski wrote:
> Hi!
> 
> I'm just starting to jump into freeipa/ldap, and have another question
> about it.  Basically, you have LDAP, which from everything I read, is
> just a directory server.  Its sole purpose is like a phone book.
> Integrated (or on top of) ldap, you can have authentication.  There's
> kerberos, smb/ldap, etc...
> 
> Now, my question is when you add something like "smb/windows"
> authentication, do you just add a field in LDAP so it stores the
> password hashes (and other windows stuff)?  When you "extend" the
> schema, is all you're doing adding the fields to the ldap database
> to allow the storage of this?  If this is the case, what prevents a
> malicious user from dumping the hashes to the passwords?

Schema is sort of a 2-step process. Step 1 is to tell the directory 
server about the schema at all. This can be done offline by dropping a 
schema file into a filesystem directory or online by uploading the 
schema. Either way this just tells the LDAP server about the new 
objectclasses and attributes available and their syntaxes.

Step 2 is to add those objectclasses and attributes to entries. An 
objectclass tells which attributes are available to any entry, some of 
which are mandatory. Think of an objectclass as sort of a building block 
that adds more capabilities to an entry.

There are access controls that manage who can do what. A typical user 
can write their password but cannot read it (e.g. you can't see the 
hash(es)). A typical user cannot see anyone else's password info and 
can't write any other records.

> 
> I know this is really a basic question, but it would help me
> understand how all this works.

IPA will eventually hide most of this sort of detail so you can focus on 
managing your users and not on dealing with attribute-level stuff.

rob
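The two schema steps and the "write but not read" password access control from the reply above, as an added example in 389-DS style LDIF (not from the original thread): the `exampleWinAccount` objectclass, the `exampleWinPasswordHash` attribute, the OIDs under the private arc and the entry DNs are hypothetical placeholders, and the IPA-like tree layout is assumed.

```ldif
# Step 1: tell the directory server about the new schema (online, via cn=schema).
# OIDs below are placeholders under a private enterprise arc, not registered ones.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleWinPasswordHash'
  DESC 'Hypothetical attribute holding a password hash for the example'
  EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleWinAccount' SUP top AUXILIARY
  DESC 'Hypothetical auxiliary objectclass that makes the hash attribute available'
  MAY ( exampleWinPasswordHash ) )

# Step 2: bolt the objectclass onto an entry, which is what makes the
# attribute allowed on that particular user.
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: exampleWinAccount

# Access control on the users container: a user may write their own
# password attributes, but no aci grants read on them, so ordinary binds
# (self included) get nothing back when they search for these attributes.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword || exampleWinPasswordHash")
 (version 3.0; acl "users may set but not read their own password hashes";
 allow (write) userdn = "ldap:///self";)
```

The ACI relies on the directory's default-deny model: the attributes stay invisible to anyone not explicitly granted read, while Directory Manager and any administrative aci still apply.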
