[[TOC(Internal/Rbac,Internal/Rbac/OrbitRbacLevels,Internal/Rbac/OrbitRbacDesign,Internal/Rbac/LdapResources,Internal/Rbac/RbacResources)]]

== LDAP client / server implementation on ORBIT and WINLAB ==

The current installation is migrating to an OpenLDAP server using TLS, with clients using SSSD over TLS. Replication is done via the built-in LDAP replication methods, also secured with TLS, so that binds and directory data are never sent in the clear.

Reference for the setup: Ubuntu Server Guide, OpenLDAP server: https://help.ubuntu.com/lts/serverguide/openldap-server.html

== LDAP Resources ==

ORBIT uses the open-source implementation of the Lightweight Directory Access Protocol (LDAP) from [[http://www.openldap.org/ OpenLDAP]]. Many of the ideas about using LDAP to implement RBAC on ORBIT are from this site; see also the [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/guide.pdf OpenLDAP Software 2.3 Administrator's Guide]].

There is also an O'Reilly book:

 * [[http://www.amazon.com/gp/product/1565924916/ Car03]] Gerald Carter. ''LDAP System Administration''. O'Reilly Media, Inc., Sebastopol, CA, USA, March 2003;

and an IBM Redbook:

 * [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/sg244986.pdf TEGE04]] Steven Tuttle, Ami Ehlenberger, Ramakrishna Gorthi, Jay Leiserson, Richard Macbeth, Nathan Owen, Sunil Ranahandola, Michael Storrs, and Chunhui Yang. ''Understanding LDAP Design and Implementation''. IBM Redbook. IBM International Technical Support Organization, ibm.com/redbooks, second edition, June 2004.

The OpenLDAP site and guide and the two books each reference many more useful sites and documents.

== LDAP References ==

Most of the links for these LDAP references are to documents on the Web in Adobe Acrobat (.pdf) format.
'''LDAP Version 2 documents:'''

 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1777.txt.pdf RFC1777 Lightweight Directory Access Protocol]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1778.txt.pdf RFC1778 The String Representation of Standard Attribute Syntaxes]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1779.txt.pdf RFC1779 A String Representation of Distinguished Names]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1959.txt.pdf RFC1959 An LDAP URL format]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1960.txt.pdf RFC1960 A String Representation of LDAP Search Filters]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1823.txt.pdf RFC1823 The LDAP Application Program Interface (C language API)]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2596.txt.pdf RFC2596 Use of Language Codes in LDAP]]

'''LDAP Version 3 documents, obsoleted:'''

 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2251.txt.pdf RFC2251 Lightweight Directory Access Protocol (v3)]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc3112.txt.pdf RFC3112 LDAP Authentication Password Schema]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2252.txt.pdf RFC2252 LDAPv3: Attribute Syntax Definitions]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2253.txt.pdf RFC2253 LDAPv3: UTF-8 String Representation of Distinguished Names]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2254.txt.pdf RFC2254 LDAPv3: The String Representation of LDAP Search Filters]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2255.txt.pdf RFC2255 LDAPv3: The LDAP URL Format]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2256.txt.pdf RFC2256 LDAPv3: A Summary of the X.500(96) User Schema for use with LDAPv3]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2829.txt.pdf RFC2829 Authentication Methods for LDAP]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2830.txt.pdf RFC2830 LDAPv3: Extension for Transport Layer Security]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc3377.txt.pdf RFC3377 LDAPv3: Technical Specification]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc3771.txt.pdf RFC3771 LDAP Intermediate Response Message]]

'''LDAP Version 3 documents, current:'''

 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4510.txt.pdf RFC4510 LDAP: Technical Specification Road Map]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4511.txt.pdf RFC4511 LDAP: The Protocol]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4512.txt.pdf RFC4512 LDAP: Directory Information Models]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4513.txt.pdf RFC4513 LDAP: Authentication Methods and Security Mechanisms]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4514.txt.pdf RFC4514 LDAP: String Representation of Distinguished Names]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4515.txt.pdf RFC4515 LDAP: String Representation of Search Filters]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4516.txt.pdf RFC4516 LDAP: Uniform Resource Locator]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4517.txt.pdf RFC4517 LDAP: Syntaxes and Matching Rules]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4518.txt.pdf RFC4518 LDAP: Internationalized String Preparation]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4519.txt.pdf RFC4519 LDAP: Schema for User Applications]]

'''LDAP Data Interchange Format (LDIF):'''

 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2849.txt.pdf RFC2849 The LDAP Data Interchange Format (LDIF)]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4525.txt.pdf RFC4525 Lightweight Directory Access Protocol (LDAP) Modify-Increment Extension]]

'''Other LDAP documents:'''

 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1274.txt.pdf RFC1274 The COSINE and Internet X.500 Schema]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2078.txt.pdf RFC2078 General Security Service Application Program Interface, Version 2 (GSSAPI)]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2079.txt.pdf RFC2079 Definition of an X.500 Attribute Type and an Object Class to Hold URIs]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2247.txt.pdf RFC2247 Using Domains in LDAP/X.500 Distinguished Names]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2293.txt.pdf RFC2293 Representing Tables and Subtrees in the X.500 Directory]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2294.txt.pdf RFC2294 Representing the O/R Address Hierarchy in the X.500 Directory Information Tree]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2307.txt.pdf RFC2307 An Approach for Using LDAP as a Network Information Service]]
 * [[http://ietfreport.isoc.org/idref/draft-howard-rfc2307bis/ RFC2307BIS An Approach for Using LDAP as a Network Information Service]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2377.txt.pdf RFC2377 Naming Plan for Internet Directory-Enabled Applications]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2587.txt.pdf RFC2587 Internet X.509 Public Key Infrastructure LDAPv2 Schema]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2589.txt.pdf RFC2589 LDAPv3: Extensions for Dynamic Directory Services]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2649.txt.pdf RFC2649 An LDAP Control and Schema for Holding Operation Signatures]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc3112.txt.pdf RFC3112 LDAP Authentication Password Schema]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2696.txt.pdf RFC2696 LDAPv3: LDAP Control Extension for Simple Paged Results Manipulation]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2713.txt.pdf RFC2713 Schema for Representing Java™ Objects in an LDAP Directory]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2714.txt.pdf RFC2714 Schema for Representing CORBA Object References in an LDAP Directory]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2798.txt.pdf RFC2798 Information on the inetOrgPerson LDAP Object Class]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2891.txt.pdf RFC2891 LDAP Control Extension for Server Side Sorting of Search Results]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc3045.txt.pdf RFC3045 Storing Vendor Information in the LDAP root DSE]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc3062.txt.pdf RFC3062 LDAP Password Modify Extended Operation]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc3088.txt.pdf RFC3088 OpenLDAP Root Service: An experimental LDAP referral service]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc3296.txt.pdf RFC3296 Named Subordinate References in LDAP Directories]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc3383.txt.pdf RFC3383 Internet Assigned Numbers Authority (IANA) Considerations for LDAP]]

'''Simple Authentication and Security Layer (SASL) documents:'''

 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2222.txt.pdf RFC2222 Simple Authentication and Security Layer (SASL)]]
 * [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2831.txt.pdf RFC2831 Using Digest Authentication as a SASL Mechanism]]