
Lightweight Directory Access Protocol


Presentation Transcript


  1. Paulo Repa repapaul@gmail.com Lightweight Directory Access Protocol

  2. What is a directory?

  3. Directory Information Tree

     o=acme
     |-- ou=Sales
     |-- ou=Marketing
     `-- ou=Product Development

     Leaf entries in the tree: cn=Fred, cn=Fred, cn=Joe, cn=lpr1, cn=Lotty, cn=eng_lw3
     (each sits under one of the three ous; two different entries are both named
     cn=Fred, which is why the full DN is needed to name one of them)

     DN for Fred in Sales: cn=Fred,ou=Sales,o=acme
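The DN on this slide is built by joining the RDNs on the path from the entry up to the root, leaf first. The following is an added example in Python, not part of the presentation: it composes and splits DNs and escapes the characters (comma, plus, double quote, backslash, angle brackets, semicolon, a leading `#`, leading or trailing spaces) that would otherwise change the DN's structure. The function names are this example's own; the escaping rules are those of RFC 4514, which postdates the deck but covers the same special characters.

```python
# Added example, not from the presentation: composing and splitting DNs such
# as cn=Fred,ou=Sales,o=acme with RFC 4514 escaping.
from typing import List, Tuple

RDN = Tuple[str, str]          # (attribute type, attribute value)
_SPECIAL = set(',+"\\<>;')     # must be backslash-escaped anywhere in a value
_HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                   # a leading '#' would read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):    # leading/trailing spaces would be trimmed
            out.append("\\ ")
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[RDN]) -> str:
    """Join RDNs, leaf first: [("cn","Fred"),("ou","Sales"),("o","acme")]."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in rdns)


def split_dn(dn: str) -> List[RDN]:
    """Inverse of build_dn: split on unescaped commas, decode \\c and \\XX escapes."""
    rdns: List[RDN] = []
    attr, value, in_value, i = "", [], False, 0
    while i < len(dn):
        ch = dn[i]
        if not in_value:                          # reading the attribute type
            if ch == "=":
                in_value = True
            else:
                attr += ch
            i += 1
        elif ch == "\\" and i + 1 < len(dn):      # escape sequence inside the value
            nxt = dn[i + 1]
            if nxt in _HEX and i + 2 < len(dn) and dn[i + 2] in _HEX:
                value.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                value.append(nxt)
                i += 2
        elif ch == ",":                           # an unescaped comma ends this RDN
            rdns.append((attr.strip(), "".join(value)))
            attr, value, in_value = "", [], False
            i += 1
        else:
            value.append(ch)
            i += 1
    if attr or value:
        rdns.append((attr.strip(), "".join(value)))
    return rdns


def parent_dn(dn: str) -> str:
    """DN of the entry's parent in the DIT (empty string at the root)."""
    return build_dn(split_dn(dn)[1:])


if __name__ == "__main__":
    fred = build_dn([("cn", "Fred"), ("ou", "Sales"), ("o", "acme")])
    print(fred)                 # cn=Fred,ou=Sales,o=acme
    print(parent_dn(fred))      # ou=Sales,o=acme
    # A value containing a comma must be escaped or it would look like two RDNs.
    print(build_dn([("cn", "Smith, Fred"), ("ou", "Sales"), ("o", "acme")]))
```

The round trip matters whenever a DN is assembled from user-supplied names: a value like "Smith, Fred" that is not escaped silently becomes a different entry one level up.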

  4. Directory Solutions
  • Netscape Directory Server (iPlanet)
  • SCO UnixWare 7
  • IBM SecureWay (formerly eNetwork)
  • Novell NDS
  • OpenLdap (Linux) - Recommended

  5. UnixWare 7 Directory • Directory server setup • Schema • ACLs • Data backup and restore • LDIF

  6. Directory Setup

     scoadmin ldap

  7. Backend Setup

  8. UnixWare 7 Directory • Directory server setup • Schema • ACLs • Data backup and restore • LDIF

  9. Attribute Schema
  • Defined in slapd.at.conf
  • Specifies attribute syntax

     attribute jpegphoto        bin
     attribute telephonenumber  tel
     attribute userpassword     ces

  10. Objectclass Schema
  • Defines object contents
  • Defined in slapd.oc.conf

     objectclass simplePerson
         requires
             cn, sn, objectClass
         allows
             jpegPhoto, mail, telephoneNumber, userPassword,
             creatorsName, createtimestamp, modifiersname, modifytimestamp
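The two schema slides together say what a server checks before it accepts an entry: every `requires` attribute must be present, nothing outside `requires` and `allows` may appear, and each value must fit its attribute's syntax. The following Python is an added example, not from the presentation: it encodes the `simplePerson` class and the three `attribute` lines from the slides and validates entries against them. The `cis` syntax assumed for cn, sn, mail and objectClass is this example's assumption (the slide does not list them), as is the digits-only check for `tel` values; `compare()` shows how the syntax's matching rule makes "9589876" equal to "958-9876".

```python
# Added example, not from the presentation: checking entries against the
# slapd.at.conf / slapd.oc.conf style schema shown on the slides.
from typing import Dict, List

Entry = Dict[str, List[str]]

# "attribute <name> <syntax>" lines; the cis entries are assumed, not from the slide
ATTRIBUTE_SYNTAX = {
    "jpegphoto": "bin",         # binary, compared byte for byte
    "telephonenumber": "tel",   # telephone number: spaces and dashes are not significant
    "userpassword": "ces",      # case-exact string
    "cn": "cis", "sn": "cis", "mail": "cis", "objectclass": "cis",   # assumed case-ignore
}

# "objectclass <name> requires ... allows ..." from slapd.oc.conf
OBJECTCLASSES = {
    "simpleperson": {
        "requires": {"cn", "sn", "objectclass"},
        "allows": {"jpegphoto", "mail", "telephonenumber", "userpassword",
                   "creatorsname", "createtimestamp", "modifiersname", "modifytimestamp"},
    },
}


def normalize(attr: str, value: str) -> str:
    """Normalize a value according to the matching rule of the attribute's syntax."""
    syntax = ATTRIBUTE_SYNTAX.get(attr.lower(), "cis")   # unknown attributes: assume cis
    if syntax == "tel":
        return "".join(ch for ch in value if ch not in " -")
    if syntax == "cis":
        return value.casefold()
    return value                                          # ces and bin: exact


def validate_entry(entry: Entry) -> List[str]:
    """Return the schema violations of an entry; an empty list means it conforms."""
    attrs = {name.lower(): values for name, values in entry.items()}
    present = set(attrs)
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:
        return ["entry has no objectClass"]
    problems, required, allowed = [], set(), set()
    for oc in classes:
        spec = OBJECTCLASSES.get(oc)
        if spec is None:
            problems.append(f"unknown objectClass {oc}")
            continue
        required |= spec["requires"]
        allowed |= spec["requires"] | spec["allows"]
    problems += [f"missing required attribute {a}" for a in sorted(required - present)]
    problems += [f"attribute {a} not allowed by objectClass" for a in sorted(present - allowed)]
    for name, values in attrs.items():            # crude syntax check for tel (assumption)
        if ATTRIBUTE_SYNTAX.get(name) == "tel":
            problems += [f"{name}: {v!r} is not a telephone number"
                         for v in values if not normalize(name, v).lstrip("+").isdigit()]
    return problems


def compare(entry: Entry, attr: str, assertion: str) -> bool:
    """What an LDAP compare does: does some value equal the assertion under the syntax?"""
    values = {name.lower(): v for name, v in entry.items()}.get(attr.lower(), [])
    want = normalize(attr, assertion)
    return any(normalize(attr, v) == want for v in values)


if __name__ == "__main__":
    fred = {"objectClass": ["simplePerson"], "cn": ["Fred"], "sn": ["Jones"],
            "telephoneNumber": ["958-9876"]}
    print(validate_entry(fred))                          # []
    print(compare(fred, "telephoneNumber", "9589876"))   # True: tel syntax ignores the dash
```

Because `userPassword` is declared `ces`, a compare against it is case-exact; because `cn` is case-ignore, "fred" and "Fred" compare equal. Those two decisions are made by the schema file, not by the application.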

  11. UnixWare 7 Directory • Directory server setup • Schema • ACLs • Data backup and restore • LDIF

  12. ACLs
  • Controls access for read, write, search, compare and delete operations
  • Entry or attribute level
  • Defined in slapd.acl.conf

     access to attr=userPassword
         by self write
         by * none

     Stop and restart the server so the new ACLs are read:
     ldapstop -i acme
     ldapstart -i acme
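The rule on the slide reads as a policy: for the `userPassword` attribute, the entry itself gets `write` and everyone else gets nothing. The following Python is an added example, not from the presentation: a small evaluator for rules written in that form. The level ordering (`none < compare < search < read < write`, each level implying the ones below it) and the first-match semantics (first `access to` clause that covers the attribute, then first `by` clause that matches the requester, otherwise no access) follow the original UMich slapd and are stated here as assumptions; the sample policy adds a constructed `access to * by * read` default after the slide's rule.

```python
# Added example, not from the presentation: evaluating slapd.acl.conf style
# access rules. Level ordering and first-match semantics are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = ["none", "compare", "search", "read", "write"]   # each level implies the ones before it


@dataclass
class ByClause:
    who: str          # "self", "*" or "dn=<dn>"
    level: str


@dataclass
class AccessClause:
    what: str         # "*" or "attr=<name>"
    by: List[ByClause] = field(default_factory=list)


SAMPLE_ACL = """
# the rule from the slide: only the entry itself may touch its password
access to attr=userPassword
    by self write
    by * none
# constructed default: everything else is world readable
access to *
    by * read
"""


def parse_acl(text: str) -> List[AccessClause]:
    """Parse 'access to <what>' / 'by <who> <level>' rules, on one line or several."""
    clauses: List[AccessClause] = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        i = 0
        while i < len(tokens):
            if tokens[i:i + 2] == ["access", "to"] and i + 2 < len(tokens):
                clauses.append(AccessClause(tokens[i + 2]))
                i += 3
            elif tokens[i] == "by" and i + 2 < len(tokens) and clauses:
                if tokens[i + 2] not in LEVELS:
                    raise ValueError(f"unknown access level {tokens[i + 2]!r}")
                clauses[-1].by.append(ByClause(tokens[i + 1], tokens[i + 2]))
                i += 3
            else:
                raise ValueError(f"cannot parse: {raw.strip()!r}")
    return clauses


def _norm_dn(dn: str) -> str:
    return ",".join(part.strip() for part in dn.split(",")).lower()


def granted(acl: List[AccessClause], requester: Optional[str], target: str,
            attr: Optional[str]) -> str:
    """Level granted to `requester` (None = anonymous) on `attr` of entry `target`."""
    for clause in acl:
        what = clause.what.lower()
        if not (what == "*" or (what.startswith("attr=") and attr is not None
                                 and attr.lower() == what[5:])):
            continue                                  # this clause does not cover the attribute
        for by in clause.by:
            who = by.who.lower()
            if who == "*":
                return by.level
            if requester is None:                     # anonymous is never "self" nor a named dn
                continue
            if who == "self" and _norm_dn(requester) == _norm_dn(target):
                return by.level
            if who.startswith("dn=") and _norm_dn(requester) == _norm_dn(who[3:]):
                return by.level
        return "none"                                 # clause matched, no 'by' did: deny
    return "none"                                     # no clause at all: deny


def allowed(acl: List[AccessClause], requester: Optional[str], target: str,
            attr: Optional[str], operation: str) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(acl, requester, target, attr)) >= LEVELS.index(operation)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    fred, joe = "cn=Fred,ou=Sales,o=acme", "cn=Joe,ou=Product Development,o=acme"
    print(allowed(acl, fred, fred, "userPassword", "write"))   # True: self
    print(allowed(acl, joe, fred, "userPassword", "compare"))  # False: by * none
    print(allowed(acl, None, fred, "telephoneNumber", "read")) # True: the constructed default
```

Two things the evaluator makes visible: an anonymous bind never matches `self`, so the password stays closed to it, and a broad `by * read` default opens every other attribute to anonymous clients, which is why such a default is normally narrowed to the attributes that are meant to be public.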

  13. UnixWare 7 Directory • Directory server setup • Schema • ACLs • Data backup and restore • LDIF

  14. Data Backup and Restore
  • ldbmcat -n id2entry.dbb    (dump the ldbm backend to LDIF)
  • ldif2ldbm -i data.ldif     (load LDIF into the ldbm backend)
  • Don't forget directory configuration

  15. UnixWare 7 Directory • Directory server setup • Schema • ACLs • Data backup and restore • LDIF

  16. LDIF
  • LDAP Data Interchange Format
  • Portable
  • Human readable (almost...)

     dn: o=acme
     objectclass: organization
     o: acme

  17. LDIF Update Statements
  • add
  • delete
  • modify (attribute add, delete, replace)
  • moddn

     dn: cn=Joe, ou=Product Development, o=acme
     changetype: modify
     replace: telephoneNumber
     telephoneNumber: 958-1234
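The LDIF slides describe two kinds of record: a content record (a `dn:` line followed by attributes, which an add consumes) and a change record (a `changetype:` line followed by the change). The following Python is an added example, not from the presentation: a parser for both, plus an in-memory directory that applies `add`, `delete` and `modify` (with the `add:`/`delete:`/`replace:` blocks separated by `-` lines, as ldapmodify sends them). It also unfolds continuation lines and decodes `attr:: base64` values; `moddn` is deliberately left out. The sample LDIF is constructed from the slide's entries, and DNs match exactly after whitespace trimming, which is simpler than a real server's DN matching.

```python
# Added example, not from the presentation: LDIF content and change records
# applied to an in-memory directory (moddn omitted).
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]        # lower-cased attribute name -> values
Directory = Dict[str, Entry]        # normalized DN -> entry
Record = List[Tuple[str, str]]      # the (name, value) lines of one LDIF record


def norm_dn(dn: str) -> str:
    return ",".join(part.strip() for part in dn.split(","))


def parse_ldif(text: str) -> List[Record]:
    """Unfold continuation lines, decode 'attr:: base64' values, split on blank lines."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], []
    for line in unfolded + [""]:              # the sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            current.append((name.strip(), value))
    return records


def apply_modify(entry: Entry, body: Record) -> None:
    """Apply 'add:/delete:/replace: attr' blocks; each block ends with a '-' line."""
    i = 0
    while i < len(body):
        op, attr = body[i][0].lower(), body[i][1].lower()
        if op not in ("add", "delete", "replace"):
            raise ValueError(f"bad modify operation {op!r}")
        i, values = i + 1, []
        while i < len(body) and body[i][0] != "-":
            if body[i][0].lower() != attr:
                raise ValueError(f"value for {body[i][0]!r} inside '{op}: {attr}'")
            values.append(body[i][1])
            i += 1
        i += 1                                # skip the '-' separator
        if op == "add":
            remaining = entry.get(attr, []) + values
        elif op == "replace":
            remaining = values                # an empty replace removes the attribute
        elif values:
            remaining = [v for v in entry.get(attr, []) if v not in values]
        else:
            remaining = []                    # delete with no values removes the attribute
        if remaining:
            entry[attr] = remaining
        else:
            entry.pop(attr, None)


def apply_ldif(directory: Directory, text: str) -> Directory:
    """Apply each record; a record without changetype is a content record, i.e. an add."""
    for record in parse_ldif(text):
        if record[0][0].lower() != "dn":
            raise ValueError("record must start with a dn: line")
        dn, body = norm_dn(record[0][1]), record[1:]
        changetype = "add"
        if body and body[0][0].lower() == "changetype":
            changetype, body = body[0][1].lower(), body[1:]
        if changetype == "add":
            if dn in directory:
                raise ValueError(f"{dn} already exists")
            entry: Entry = {}
            for name, value in body:
                entry.setdefault(name.lower(), []).append(value)
            directory[dn] = entry
        elif changetype == "delete":
            del directory[dn]                 # KeyError stands in for "no such object"
        elif changetype == "modify":
            apply_modify(directory[dn], body)
        else:
            raise ValueError(f"unsupported changetype {changetype!r}")
    return directory


SAMPLE_LDIF = """\
dn: cn=Joe, ou=Product Development, o=acme
objectclass: simplePerson
cn: Joe
sn: Bloggs
userPassword:: c2VjcmV0

dn: cn=Joe, ou=Product Development, o=acme
changetype: modify
replace: telephoneNumber
telephoneNumber: 958-1234
-
add: mail
mail: joe@acme.example
"""
```

Running `apply_ldif({}, SAMPLE_LDIF)` yields one entry whose telephoneNumber has been replaced and whose mail has been added. Note that the `userPassword:: c2VjcmV0` line is only base64, not encryption: an LDIF backup carries the same secrets as the database it was dumped from and needs the same protection.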

  18. LDAP Commands
  • ldapsearch
  • ldapmodify
  • ldapadd
  • ldapdelete
  • ldapmodrdn

  19. ldapsearch

     ldapsearch -h ldapsvr.acme.com -D "cn=admin" -w "secret" \
         -b "o=acme" -s one "objectclass=*"
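The last argument of ldapsearch is the filter, and the tool accepts it with or without the enclosing parentheses. The following Python is an added example, not from the presentation: it parses filters of the forms used in the deck (`objectclass=*`, `telephoneNumber=958*`, and `&`, `|`, `!` combinations), evaluates them against constructed entries, and escapes values that come from untrusted input using the RFC 4515 rules so that a value can only ever match literally. The matcher compares case-insensitively for every attribute, a simplification of the per-syntax matching a real server applies; entries and function names are this example's own.

```python
# Added example, not from the presentation: LDAP search filters, parsed,
# evaluated against constructed entries, and built safely from untrusted values.
import re
from typing import Dict, List

Entry = Dict[str, List[str]]
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only match literally inside a filter (RFC 4515)."""
    return "".join(_ESC.get(ch, ch) for ch in value)


def equality_filter(attr: str, value: str) -> str:
    return f"({attr}={escape_filter_value(value)})"


def parse_filter(text: str):
    """Parse (&...), (|...), (!...) and attr=value items into a small tuple tree."""
    s = text if text.startswith("(") else f"({text})"      # the tools accept bare filters
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(s) or s[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if pos < len(s) and s[pos] in "&|!":
            op, kids = s[pos], []
            pos += 1
            while pos < len(s) and s[pos] == "(":
                kids.append(node())
            if pos >= len(s) or s[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' at {pos}")
            pos += 1
            return (op, kids)
        end = s.index(")", pos)                 # a literal ')' in a value arrives as \29
        attr, sep, value = s[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad item {s[pos:end]!r}")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def _unescape(part: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def _value_matches(pattern: str, value: str) -> bool:
    """Split on unescaped '*' and check the literal pieces in order (case-insensitive)."""
    pieces = [_unescape(p).lower() for p in pattern.split("*")]
    v = value.lower()
    if len(pieces) == 1:
        return v == pieces[0]
    if not v.startswith(pieces[0]) or not v.endswith(pieces[-1]):
        return False
    pos = len(pieces[0])
    for middle in pieces[1:-1]:
        idx = v.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= len(v) - len(pieces[-1])


def matches(tree, entry: Entry) -> bool:
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    return any(_value_matches(pattern, v) for v in values)   # absent attribute never matches


def search(entries: Dict[str, Entry], filter_text: str) -> List[str]:
    """DNs of the entries matching the filter (a subtree search over a flat sample)."""
    tree = parse_filter(filter_text)
    return [dn for dn, entry in entries.items() if matches(tree, entry)]


SAMPLE = {   # constructed entries
    "cn=Fred,ou=Sales,o=acme": {"objectClass": ["simplePerson"], "cn": ["Fred"],
                                "sn": ["Jones"], "telephoneNumber": ["958-9876"]},
    "cn=Joe,ou=Product Development,o=acme": {"objectClass": ["simplePerson"], "cn": ["Joe"],
                                             "telephoneNumber": ["958-1234"]},
    "cn=lpr1,ou=Sales,o=acme": {"objectClass": ["device"], "cn": ["lpr1"]},
}
```

`search(SAMPLE, "telephoneNumber=958*")` returns Fred and Joe, as the slide's prefix filter would. The escaping matters wherever a filter is assembled from a name typed by a user: `equality_filter("cn", "Fred)(cn=*")` produces `(cn=Fred\29\28cn=\2a)`, which matches no entry, whereas pasting the raw string into the filter would change its structure.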

  20. ldapmodify

     ldapmodify -h ldapsvr.acme.com -D "cn=admin" -w "secret" -f modifications.ldif

     modifications.ldif:
     dn: cn=Joe, ou=Product Development, o=acme
     replace: telephoneNumber
     telephoneNumber: 958-1234

  21. ldapadd

     ldapadd -h ldapsvr.acme.com -D "cn=admin" -w "secret" -f additions.ldif

     Equivalent (ldapadd is ldapmodify with -a):
     ldapmodify -a -h ldapsvr.acme.com -D "cn=admin" -w "secret" -f additions.ldif

  22. ldapdelete

     ldapdelete -h ldapsvr.acme.com -D "cn=admin" -w "secret" cn=Fred,ou=Sales,o=acme

  23. ldapmodrdn

     ldapmodrdn -h ldapsvr.acme.com -D "cn=admin" -w "secret" -r cn=lpr,ou=Sales,o=acme cn=sales_lw1

     (-r removes the old RDN value from the entry; the entry keeps its parent ou=Sales,o=acme)

  24. Using the UnixWare 7 LDAP API • Library / Binding to the server • Search • Compare • Add • Modify • Asynchronous LDAP calls

  25. LDAP C API
  • UnixWare 7 ldap package
  • LDAP C API - RFC1823
  • LDAP v2 - RFC1777

     #include <ldap.h>
     #include <lber.h>

     cc -o app src.c -lldap -llber -lresolv

  26. Binding to the server

     LDAP *ld;

     ld = ldap_open("ldapsvr.acme.com", LDAP_PORT);
     if (ld == NULL) {                       /* server unreachable: no handle to report on */
         perror("ldap_open");
         return;
     }
     if (ldap_simple_bind_s(ld, "cn=admin", "secret") != LDAP_SUCCESS) {
         ldap_perror(ld, "bind example");
         return;
     }

     ... LDAP directory operations (search, modify, ...) ...

     if (ldap_unbind_s(ld) != LDAP_SUCCESS) {
         ldap_perror(ld, "unbind example");
         return;
     }

  27. Using the UnixWare 7 LDAP API • Library / Binding to the server • Search • Compare • Add • Modify • Asynchronous LDAP calls

  28. Search - API call

     LDAPMessage *res, *entry;
     BerElement *ber;
     char *attr, *dn, **vals, **vp;

     /* attrs = NULL returns every attribute; attrsonly = 0 returns values as well */
     if (ldap_search_s(ld, "o=acme", LDAP_SCOPE_SUBTREE, "telephoneNumber=958*",
                       NULL, 0, &res) != LDAP_SUCCESS) {
         ldap_perror(ld, "search example");
         exit(EXIT_FAILURE);
     }

  29. Search - Process Data

     for (entry = ldap_first_entry(ld, res); entry != NULL;
          entry = ldap_next_entry(ld, entry)) {
         if ((dn = ldap_get_dn(ld, entry)) != NULL) {
             printf("dn: %s\n", dn);
             free(dn);
         }
         for (attr = ldap_first_attribute(ld, entry, &ber); attr != NULL;
              attr = ldap_next_attribute(ld, entry, ber)) {
             vals = ldap_get_values(ld, entry, attr);     /* NULL-terminated array */
             for (vp = vals; vp && *vp; vp++)
                 printf("%s: %s\n", attr, *vp);
             ldap_value_free(vals);
         }
         if (ber)
             ber_free(ber, 0);
     }
     ldap_msgfree(res);

  30. Using the UnixWare 7 LDAP API • Library / Binding to the server • Search • Compare • Add • Modify • Asynchronous LDAP calls

  31. Compare - API call

     int rc;

     rc = ldap_compare_s(ld, "cn=Fred, ou=Sales, o=acme", "telephoneNumber", "9589876");
     if (rc == -1) {
         ldap_perror(ld, "compare example");
         exit(EXIT_FAILURE);
     }
     if (rc == LDAP_COMPARE_TRUE) {
         /* attribute type and value found */
     } else {
         /* not found */
     }

     Matches for an attribute type of "tel" syntax (the dash is not significant):
     dn: cn=Fred, ou=Sales, o=acme
     objectclass: simplePerson
     cn: Fred
     sn: Jones
     telephoneNumber: 958-9876

  32. Using the UnixWare 7 LDAP API • Library / Binding to the server • Search • Compare • Add • Modify • Asynchronous LDAP calls

  33. LDAPMod structure
  • One structure per attribute type
  • Add, delete and replace operations
  • Text or binary data
  • Multiple values (NULL-terminated array)

     mod_op       LDAP_MOD_ADD
     mod_type     "mailAliasMembers"
     mod_values   "Joe", "Lotty"

  34. Add Entry - Data

     char *cnvals[]  = { "John", NULL }, *snvals[] = { "Smith", NULL };
     char *objvals[] = { "simplePerson", NULL };
     LDAPMod mod[3], *mods[4];
     int i;

     mod[0].mod_op = LDAP_MOD_ADD;
     mod[0].mod_type = "cn";
     mod[0].mod_values = cnvals;
     mod[1].mod_op = LDAP_MOD_ADD;
     mod[1].mod_type = "sn";
     mod[1].mod_values = snvals;
     mod[2].mod_op = LDAP_MOD_ADD;
     mod[2].mod_type = "objectClass";
     mod[2].mod_values = objvals;

     /* mods[] is the NULL-terminated array of pointers the API call takes */
     for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
         mods[i] = &mod[i];
     mods[i] = NULL;

  35. Add Entry - API call

     if (ldap_add_s(ld, "cn=John,ou=Marketing,o=acme", &mods[0]) != LDAP_SUCCESS) {
         ldap_perror(ld, "add example");
         exit(EXIT_FAILURE);
     }

     Resulting entry:
     dn: cn=John, ou=Marketing, o=acme
     objectclass: simplePerson
     cn: John
     sn: Smith

  36. Using the UnixWare 7 LDAP API • Library / Binding to the server • Search • Compare • Add • Modify • Asynchronous LDAP calls

  37. Modify Entry - Data

     char *snvals[]  = { "Smithe", NULL };
     char *telvals[] = { "958-2357", NULL };
     LDAPMod mod[2], *mods[3];
     int i;

     mod[0].mod_op = LDAP_MOD_REPLACE;
     mod[0].mod_type = "sn";
     mod[0].mod_values = snvals;
     mod[1].mod_op = LDAP_MOD_ADD;
     mod[1].mod_type = "telephoneNumber";
     mod[1].mod_values = telvals;

     for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
         mods[i] = &mod[i];
     mods[i] = NULL;

  38. Modify Entry - API call

     if (ldap_modify_s(ld, "cn=John,ou=Marketing,o=acme", &mods[0]) != LDAP_SUCCESS) {
         ldap_perror(ld, "modify example");
         exit(EXIT_FAILURE);
     }

     Resulting entry:
     dn: cn=John, ou=Marketing, o=acme
     objectclass: simplePerson
     cn: John
     sn: Smithe
     telephoneNumber: 958-2357

  39. Using the UnixWare 7 LDAP API • Library / Binding to the server • Search • Compare • Add • Modify • Asynchronous LDAP calls

  40. Asynchronous LDAP calls
  • Client need not block
  • Operations may be multiplexed on a connection
  • Function names omit "_s"

     int msgid, rc;
     LDAPMessage *result;

     if ((msgid = ldap_search(ld, "o=acme", LDAP_SCOPE_SUBTREE, "objectclass=*",
                              NULL, 0)) == -1)
         error_handler();

     /* ldap_result() returns the type of the next message for msgid: one
        LDAP_RES_SEARCH_ENTRY per entry, then LDAP_RES_SEARCH_RESULT, or -1 on error */
     while ((rc = ldap_result(ld, msgid, 0, NULL, &result)) == LDAP_RES_SEARCH_ENTRY) {
         process_results(result);
         ldap_msgfree(result);
     }

  41. Bibliography
  • LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol - Howes, Smith
  • RFC1777 - Lightweight Directory Access Protocol
  • RFC1823 - The LDAP Application Program Interface
