[Freeipa-users] LDAP-101
Rob Crittenden
rcritten at redhat.com
Tue Dec 8 14:58:18 UTC 2009
Michael Wisniewski wrote:
> Hi!
>
> I'm just starting to jump into freeipa/ldap, and have another question
> about it. Basically, you have LDAP, which from everything I read, is
> just a directory server. Its sole purpose is like a phone book.
> Integrated (or on top of) ldap, you can have authentication. There's
> kerberos, smb/ldap, etc...
>
> Now, my question is when you add something like "smb/windows"
> authentication, do you just add a field in LDAP so it stores the
> password hashes (and other windows stuff)? When you "extend" the
> schema, is all you're doing adding the fields to the ldap database
> to allow the storage of this? If this is the case, what prevents a
> malicious user from dumping the hashes to the passwords?
Schema is sort of a 2-step process. Step 1 is to tell the directory
server about the schema at all. This can be done offline by dropping a
schema file into a filesystem directory or online by uploading the
schema. Either way this just tells the LDAP server about the new
objectclasses and attributes available and their syntaxes.
Step 2 is to add those objectclasses and attributes to entries. An
objectclass tells which attributes are available to any entry, some of
which are mandatory. Think of an objectclass as sort of a building block
that adds more capabilities to an entry.
There are access controls that manage who can do what. A typical user
can write their password but cannot read it (e.g. you can't see the
hash(es)). A typical user cannot see anyone else's password info and
can't write any other records.
>
> I know this is really a basic question, but it would help me
> understand how all this works.
IPA will eventually hide most of this sort of detail so you can focus on
managing your users and not on dealing with attribute-level stuff.
rob
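As an added illustration of the two steps Rob describes (and of the access-control point that answers the "who can dump the hashes" question), here is an LDIF that a 389-ds/IPA administrator could feed to ldapmodify. It is constructed for this thread, not taken from the FreeIPA project: the OID arc 1.3.6.1.4.1.99999, the attribute exampleSecretHash, the objectclass exampleAuthUser, the user alice and the suffix dc=example,dc=com are all placeholders.

```ldif
# Step 1: teach the directory server the new schema (online, via cn=schema).
# Syntax OID 1.3.6.1.4.1.1466.115.121.1.40 is "Octet String". The 99999 arc is a
# placeholder; a real deployment uses its own registered enterprise OID.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleSecretHash'
  DESC 'constructed example: a credential hash that must never be readable'
  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
  SINGLE-VALUE X-ORIGIN 'example' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleAuthUser'
  DESC 'constructed example: auxiliary class that adds exampleSecretHash'
  SUP top AUXILIARY MAY ( exampleSecretHash ) X-ORIGIN 'example' )

# Step 2: add the objectclass and attribute to an existing user entry
# (the entry DN follows the IPA layout but is a constructed example).
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: exampleAuthUser
-
add: exampleSecretHash
exampleSecretHash:: QUJDREVGMDEyMw==

# Access control: 389-ds ACIs only grant rights; anything not granted is
# denied. Users may write (reset) their own credential attributes but no ACI
# grants read on them, so a plain user's search never returns the hashes.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword || exampleSecretHash")
  (version 3.0; acl "Self may write but not read credential attributes";
  allow (write) userdn = "ldap:///self";)
-
add: aci
aci: (targetattr != "userPassword || exampleSecretHash")
  (version 3.0; acl "Authenticated users may read non-credential attributes";
  allow (read, search, compare) userdn = "ldap:///all";)
```

To check the effect, bind as an ordinary user and search your own entry for the credential attributes (for example `ldapsearch -Y GSSAPI -b "uid=alice,cn=users,cn=accounts,dc=example,dc=com" userPassword exampleSecretHash`); the attributes are omitted from the result even though the entry holds them, while a password change via `ldappasswd` still succeeds because the first ACI grants self-write. The second ACI uses `targetattr !=` so that broadening read access to "everything else" never silently includes the hash attributes.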