Paulo Repa repapaul@gmail.com
Lightweight Directory Access Protocol

What is a directory?

Directory Information Tree (figure): root o=acme; organisational units ou=Sales, ou=Marketing, ou=Product Development; leaf entries cn=Fred, cn=Fred, cn=Joe, cn=lpr1, cn=Lotty, cn=eng_lw3
DN for Fred in Sales: cn=Fred,ou=Sales,o=acme
Directory Solutions
• Netscape Directory Server (iPlanet)
• SCO UnixWare 7
• IBM SecureWay (formerly eNetwork)
• Novell NDS
• OpenLDAP (Linux), recommended
UnixWare 7 Directory
• Directory server setup
• Schema
• ACLs
• Data backup and restore
• LDIF

Directory Setup
    scoadmin ldap
Attribute Schema
• Defined in slapd.at.conf
• Specifies attribute syntax (bin = binary, tel = telephone number, ces = case exact string)
    attribute jpegphoto        bin
    attribute telephonenumber  tel
    attribute userpassword     ces

Objectclass Schema
• Defines object contents
• Defined in slapd.oc.conf
    objectclass simplePerson
        requires
            cn,
            sn,
            objectClass
        allows
            jpegPhoto,
            mail,
            telephoneNumber,
            userPassword,
            creatorsName,
            createtimestamp,
            modifiersname,
            modifytimestamp
ACLs
• Controls access for read, write, search, compare and delete operations
• Entry or attribute level
• Defined in slapd.acl.conf; the server reads it at startup, so restart the instance after a change:
    ldapstop -i acme
    ldapstart -i acme
• Example: only the entry itself may write its password, and nobody else may even read it
    access to attr=userPassword
        by self write
        by * none
Data Backup and Restore
• Backup: dump the entry database to LDIF
    ldbmcat -n id2entry.dbb
• Restore: rebuild the database from LDIF
    ldif2ldbm -i data.ldif
• Don't forget directory configuration
LDIF
• LDAP Data Interchange Format
• Portable
• Human readable (almost...)
    dn: o=acme
    objectclass: organization
    o: acme

LDIF Update Statements
• add
• delete
• modify (attribute add, delete, replace)
• moddn
    dn: cn=Joe, ou=Product Development, o=acme
    changetype: modify
    replace: telephoneNumber
    telephoneNumber: 958-1234

LDAP Commands
• ldapsearch
• ldapmodify
• ldapadd
• ldapdelete
• ldapmodrdn
ldapsearch
• -b sets the search base, -s one limits the search to the entries one level below it
    ldapsearch -h ldapsvr.acme.com -D "cn=admin" -w "secret" -b "o=acme" -s one "objectclass=*"

ldapmodify
    ldapmodify -h ldapsvr.acme.com -D "cn=admin" -w "secret" -f modifications.ldif
• Contents of modifications.ldif:
    dn: cn=Joe, ou=Product Development, o=acme
    changetype: modify
    replace: telephoneNumber
    telephoneNumber: 958-1234

ldapadd
• Equivalent to ldapmodify -a
    ldapadd -h ldapsvr.acme.com -D "cn=admin" -w "secret" -f additions.ldif
    ldapmodify -a -h ldapsvr.acme.com -D "cn=admin" -w "secret" -f additions.ldif

ldapdelete
• Takes the DN of the entry to delete
    ldapdelete -h ldapsvr.acme.com -D "cn=admin" -w "secret" cn=Fred,ou=Sales,o=acme

ldapmodrdn
• -r removes the old RDN value from the entry
    ldapmodrdn -h ldapsvr.acme.com -D "cn=admin" -w "secret" -r cn=lpr,ou=Sales,o=acme cn=sales_lw1
Using the UnixWare 7 LDAP API
• Library / Binding to the server
• Search
• Compare
• Add
• Modify
• Asynchronous LDAP calls

LDAP C API
• UnixWare 7 ldap package
• LDAP C API - RFC1823
• LDAP v2 - RFC1777
    #include <ldap.h>
    #include <lber.h>
• Libraries are listed after the source file so the linker can resolve its references
    cc -o app src.c -lldap -llber -lresolv

Binding to the server
    LDAP *ld;

    if ((ld = ldap_open("ldapsvr.acme.com", LDAP_PORT)) == NULL) {
        perror("ldap_open");
        return;
    }
    if (ldap_simple_bind_s(ld, "cn=admin", "secret") != LDAP_SUCCESS) {
        ldap_perror(ld, "bind example");
        return;
    }
    /* ... LDAP directory operations (search, modify, ...) ... */
    /* ldap_unbind_s frees ld, so it must not be passed to ldap_perror afterwards */
    if (ldap_unbind_s(ld) != LDAP_SUCCESS) {
        fprintf(stderr, "unbind example: unbind failed\n");
        return;
    }
Search - API call
    #include <stdio.h>
    #include <stdlib.h>

    LDAPMessage *res, *entry;
    BerElement *ber = NULL;
    char *attr, *dn, **vals, **vp;

    /* attrs == NULL asks for all attributes; attrsonly == 0 returns values as well */
    if (ldap_search_s(ld, "o=acme", LDAP_SCOPE_SUBTREE, "telephoneNumber=958*",
                      NULL, 0, &res) != LDAP_SUCCESS) {
        ldap_perror(ld, "search example");
        exit(EXIT_FAILURE);
    }

Search - Process Data
    for (entry = ldap_first_entry(ld, res); entry != NULL;
         entry = ldap_next_entry(ld, entry)) {
        if ((dn = ldap_get_dn(ld, entry)) != NULL) {
            printf("dn: %s\n", dn);
            free(dn);
        }
        for (attr = ldap_first_attribute(ld, entry, &ber); attr != NULL;
             attr = ldap_next_attribute(ld, entry, ber)) {
            vals = ldap_get_values(ld, entry, attr);
            for (vp = vals; vp != NULL && *vp != NULL; vp++)
                printf("%s: %s\n", attr, *vp);
            ldap_value_free(vals);
        }
        if (ber != NULL)
            ber_free(ber, 0);
    }
    ldap_msgfree(res);
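The search filters on these slides ("telephoneNumber=958*", "objectclass=*") are plain strings handed to ldapsearch or ldap_search_s, so any part of a filter that comes from user input has to be escaped before it is spliced in. The following is an added example, not code from the slides or the UnixWare ldap package: it escapes a value in either the LDAPv2 form of RFC 1960 (backslash before the character) or the LDAPv3 form of RFC 2254 (backslash plus two hex digits), and builds a parenthesized equality filter from it. The function names and the sample input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Escape one filter value so '*', '(', ')' and '\' in it are matched
 * literally instead of changing the filter's structure. hexform=0 gives
 * the LDAPv2 form of RFC 1960 ("\*"); hexform=1 the LDAPv3 form of
 * RFC 2254 ("\2a"). Returns bytes written (excluding NUL) or -1 on overflow. */
int ldap_filter_escape(const char *in, char *out, size_t outlen, int hexform)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (n + (hexform ? 3 : 2) >= outlen)
                return -1;
            out[n++] = '\\';
            if (hexform) {
                out[n++] = hex[c >> 4];
                out[n++] = hex[c & 0x0f];
            } else {
                out[n++] = (char)c;
            }
        } else {
            if (n + 1 >= outlen)
                return -1;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}
/* Build "(attr=value)"; attr is program-chosen, value may be untrusted. */
int build_equality_filter(const char *attr, const char *value, int hexform,
                          char *out, size_t outlen)
{
    char esc[256];
    if (ldap_filter_escape(value, esc, sizeof esc, hexform) < 0)
        return -1;
    if (snprintf(out, outlen, "(%s=%s)", attr, esc) >= (int)outlen)
        return -1;
    return 0;
}
int main(void)
{
    char filter[320];
    const char *input = "958*)(objectclass=*"; /* constructed hostile input */
    if (build_equality_filter("telephoneNumber", input, 1, filter, sizeof filter) == 0)
        printf("%s\n", filter); /* (telephoneNumber=958\2a\29\28objectclass=\2a) */
    return 0;
}
```

The escaped string is what should be passed as the filter argument of ldap_search_s or quoted on the ldapsearch command line; a server that only understands RFC 1960 needs hexform=0.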
Compare - API call
    int rc;

    if ((rc = ldap_compare_s(ld, "cn=Fred, ou=Sales, o=acme",
                             "telephoneNumber", "9589876")) == -1) {
        ldap_perror(ld, "compare example");
        exit(EXIT_FAILURE);
    }
    if (rc == LDAP_COMPARE_TRUE) {
        /* attribute type and value found */
    } else {
        /* not found */
    }
• The value "9589876" matches the entry below because the "tel" syntax ignores blanks and hyphens when comparing
    dn: cn=Fred, ou=Sales, o=acme
    objectclass: simplePerson
    cn: Fred
    sn: Jones
    telephoneNumber: 958-9876
LDAPMod structure
• One structure per attribute type
• Add, delete and replace operations
• Text or binary data
• Multiple values
    mod_op        mod_type            mod_values
    LDAP_MOD_ADD  "mailAliasMembers"  "Joe", "Lotty"

Add Entry - Data
    char *cnvals[] = { "John", NULL }, *snvals[] = { "Smith", NULL };
    char *objvals[] = { "simplePerson", NULL };
    LDAPMod mod[3], *mods[4];
    int i;

    mod[0].mod_op = LDAP_MOD_ADD;
    mod[0].mod_type = "cn";
    mod[0].mod_values = cnvals;
    mod[1].mod_op = LDAP_MOD_ADD;
    mod[1].mod_type = "sn";
    mod[1].mod_values = snvals;
    mod[2].mod_op = LDAP_MOD_ADD;
    mod[2].mod_type = "objectClass";
    mod[2].mod_values = objvals;
    for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
        mods[i] = &mod[i];
    mods[i] = NULL;    /* the array of pointers must be NULL-terminated */

Add Entry - API call
    if (ldap_add_s(ld, "cn=John,ou=Marketing,o=acme", &mods[0]) != LDAP_SUCCESS) {
        ldap_perror(ld, "add example");
        exit(EXIT_FAILURE);
    }
• Resulting entry:
    dn: cn=John, ou=Marketing, o=acme
    objectclass: simplePerson
    cn: John
    sn: Smith
Modify Entry - Data
    char *snvals[] = { "Smithe", NULL };
    char *telvals[] = { "958-2357", NULL };
    LDAPMod mod[2], *mods[3];
    int i;

    mod[0].mod_op = LDAP_MOD_REPLACE;
    mod[0].mod_type = "sn";
    mod[0].mod_values = snvals;
    mod[1].mod_op = LDAP_MOD_ADD;
    mod[1].mod_type = "telephoneNumber";
    mod[1].mod_values = telvals;
    for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
        mods[i] = &mod[i];
    mods[i] = NULL;    /* the array of pointers must be NULL-terminated */

Modify Entry - API call
    if (ldap_modify_s(ld, "cn=John,ou=Marketing,o=acme", &mods[0]) != LDAP_SUCCESS) {
        ldap_perror(ld, "modify example");
        exit(EXIT_FAILURE);
    }
• Resulting entry:
    dn: cn=John, ou=Marketing, o=acme
    objectclass: simplePerson
    cn: John
    sn: Smithe
    telephoneNumber: 958-2357
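The LDAPMod array passed to ldap_modify_s and the "changetype: modify" LDIF record fed to ldapmodify describe the same change. As an added example (not from the slides or the UnixWare ldap package), the function below renders an LDAPMod-style array as that LDIF record, which is a convenient way to log or replay a change made through the C API. The Mod struct, the MOD_* constants and the function names are stand-ins defined here so the code builds without <ldap.h>; values are assumed to be printable ASCII.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the LDAPMod fields and opcodes of <ldap.h>, defined here
 * so the example builds without the UnixWare ldap package. */
enum { MOD_ADD = 0, MOD_DELETE = 1, MOD_REPLACE = 2 };
typedef struct {
    int op;                /* mod_op */
    const char *type;      /* mod_type */
    const char **values;   /* mod_values: NULL-terminated list */
} Mod;
/* Render dn plus a NULL-terminated array of modifications as one LDIF
 * "changetype: modify" record (RFC 2849 layout, each change ended by "-").
 * Assumes values are printable ASCII, so no base64 ("::") form is needed.
 * Returns the length written or -1 on an unknown opcode or a full buffer. */
int mods_to_ldif(const char *dn, const Mod **mods, char *out, size_t outlen)
{
    static const char *verb[] = { "add", "delete", "replace" };
    size_t n = 0;
    int w;
#define EMIT(...) do { w = snprintf(out + n, outlen - n, __VA_ARGS__); \
    if (w < 0 || (size_t)w >= outlen - n) return -1; n += (size_t)w; } while (0)
    EMIT("dn: %s\nchangetype: modify\n", dn);
    for (; *mods != NULL; mods++) {
        const Mod *m = *mods;
        const char **v;
        if (m->op < MOD_ADD || m->op > MOD_REPLACE)
            return -1;
        EMIT("%s: %s\n", verb[m->op], m->type);
        for (v = m->values; v != NULL && *v != NULL; v++)
            EMIT("%s: %s\n", m->type, *v);
        EMIT("-\n");
    }
#undef EMIT
    return (int)n;
}

int main(void)
{
    /* Same change as the slides' modify example: replace sn, add telephoneNumber */
    const char *snvals[] = { "Smithe", NULL };
    const char *telvals[] = { "958-2357", NULL };
    Mod m0 = { MOD_REPLACE, "sn", snvals };
    Mod m1 = { MOD_ADD, "telephoneNumber", telvals };
    const Mod *mods[] = { &m0, &m1, NULL };
    char buf[512];
    if (mods_to_ldif("cn=John,ou=Marketing,o=acme", mods, buf, sizeof buf) > 0)
        fputs(buf, stdout);
    return 0;
}
```

A delete with no values (mod_values NULL) produces a bare "delete: attr" section, which removes the whole attribute, exactly as LDAP_MOD_DELETE with a NULL value list does.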
Asynchronous LDAP calls
• Client need not block
• Operations may be multiplexed on a connection
• Function names omit "_s"
    LDAPMessage *result;
    int msgid, rc;

    if ((msgid = ldap_search(ld, "o=acme", LDAP_SCOPE_SUBTREE, "objectclass=*",
                             NULL, 0)) == -1)
        error_handler();
    /* all == 0: ldap_result returns one entry per call */
    while ((rc = ldap_result(ld, msgid, 0, NULL, &result)) == LDAP_RES_SEARCH_ENTRY) {
        process_results(result);
        ldap_msgfree(result);
    }
    if (rc == -1)
        error_handler();
    else
        ldap_msgfree(result);    /* the final LDAP_RES_SEARCH_RESULT message */

Bibliography
• LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol, Howes and Smith
• RFC1777 - Lightweight Directory Access Protocol
• RFC1823 - The LDAP Application Program Interface