Introduction to Perl Net::LDAP

Posted on 27-Jan-2015


Net::LDAP

Clément OUDOT, FOSDEM 2014


Clément::OUDOT

Work

10

Free software

Table::of::contents
● LDAP protocol
● Net::LDAP
● Usage examples


LDAP

LDAP::protocol
● Defined by standards (RFCs)
● LDAPv2 in 1995, LDAPv3 in 1997
● TCP/IP, LBER, ASN.1
● 9 core operations, plus extended operations
● Schema defines object classes, attributes, syntaxes and matching rules
● Data organized hierarchically (tree)

Directory::Information::Tree

dc=linid,dc=org
  ou=people    ou=groups    ou=structures
    uid=coudot    cn=admin

Entry::Attribute::Value

(figure: an Entry holds several Attributes; each Attribute holds one or more Values)

LDIF
● LDAP Data Interchange Format

dn: uid=coudot,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: coudot
mail: coudot@linagora.com
cn: Clément OUDOT
sn: OUDOT
givenName: Clément

Tips::Devel::LDAP
● LDAP is a connected protocol: 1 connection, several operations
● For each operation, a return code: test it!
● LDAPS is deprecated, use startTLS
● Use LDAPv3
● Say hello! (BIND)
● Say goodbye! (UNBIND)
● Use search parameters to improve performance

Net::LDAP

A module with modules
● Net::LDAP: main module
● Net::LDAP::LDIF: manipulate LDIF files
● Net::LDAP::RFC: list of RFCs (POD)
● Net::LDAP::Schema: parse schema
● Net::LDAP::Extensions::*
● Net::LDAP::Control::*
● And many others...

Credits
● Graham Barr <gbarr@pobox.com>
● Peter Marschall <peter@adpm.de>
● Chris Ridd <chris.ridd@isode.com>

Create a connection
● Create a new Net::LDAP object
● Specify host, port, scheme
● Other options:
  ● debug
  ● IO::Socket options
  ● async
  ● version (v3 is the default)
  ● onerror

Authentication
● Bind with a DN and a password
● Bind anonymously
● Bind with SASL
● Client certificate with startTLS

Search
● You need to provide:
  ● Base
  ● Scope
  ● Filter
  ● Attributes
● Search can return 0 entries and be successful
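A complete script covering the connection, authentication and search slides together with the Tips::Devel::LDAP advice (one connection, startTLS, test every return code, bind and unbind). It is an added example, not code from the talk; the host, CA file, bind DN and base DN are assumed values.

```perl
#!/usr/bin/env perl
# Added example, not from the slides: one connection, several operations,
# testing the return code of each one, as the Tips::Devel::LDAP slide advises.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Net::LDAP::Util qw(escape_filter_value);

# Assumed values: adapt host, CA bundle, bind DN and search base to your directory.
my $host    = 'ldap.example.com';
my $cafile  = '/etc/ssl/certs/ca-certificates.crt';
my $bind_dn = 'uid=coudot,ou=people,dc=linid,dc=org';
my $bind_pw = $ENV{LDAP_PASSWORD} // die "set LDAP_PASSWORD in the environment\n";
my $base    = 'ou=people,dc=linid,dc=org';
my $wanted  = $ARGV[0] // 'coudot';    # user-supplied uid to look up

# Create the connection: LDAPv3 explicitly, and onerror => undef so every method
# returns a Net::LDAP::Message whose code is checked here instead of dying silently.
my $ldap = Net::LDAP->new($host, port => 389, version => 3,
                          onerror => undef, timeout => 10)
    or die "Cannot connect to $host: $@\n";

# Plain port plus startTLS instead of LDAPS; require a certificate chaining to the CA file.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die 'start_tls failed: ' . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

# Say hello: simple bind with a DN and a password, sent only after TLS is up.
$mesg = $ldap->bind($bind_dn, password => $bind_pw);
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

# Search: base, scope, filter and an explicit attribute list. The user-supplied value
# is escaped so that characters such as * ( ) cannot change the filter's meaning.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'one',
    filter => '(&(objectClass=inetOrgPerson)(uid=' . escape_filter_value($wanted) . '))',
    attrs  => [qw(uid cn mail)],
);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

# A successful search may legitimately return zero entries.
printf "%d entries found\n", $mesg->count;
for my $entry ($mesg->entries) {
    printf "%s\n  cn: %s\n  mail: %s\n", $entry->dn,
        $entry->get_value('cn') // '', $entry->get_value('mail') // '';
}

# Say goodbye.
$ldap->unbind;
```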

Entry
● Entry objects are returned by search, generated from LDIF, or generated from scratch
● Methods to:
  ● browse attributes and values
  ● add/modify/delete values
  ● export to LDIF

Add and delete
● Add method parameters:
  ● Net::LDAP::Entry
  ● DN and list of attributes
● Delete method parameters:
  ● Net::LDAP::Entry
  ● DN

Modification
● Add, replace, delete values
● Modification applies to one entry:
  ● Net::LDAP::Entry
  ● DN
● To rename/move an entry, use moddn:
  ● Define a new RDN
  ● Define a new superior

Password::Policy
● Password policy controls password quality at modification and prevents brute-force attacks at authentication
● Net::LDAP::Control::PasswordPolicy:
  ● Sent by client
  ● Sent back by server


Usage::examples

Apache::Session::LDAP
● Implements the Apache::Session interface
● Stores sessions as entries in LDAP
● See also Apache::Session::Browseable::LDAP for indexed sessions

Scripts
● Provided by the LDAP Tool Box project:
  ● Monitoring scripts:
    – Check LDAP response time
    – Check OpenLDAP syncrepl status
    – Check OpenLDAP monitor data
  ● Data manipulation:
    – CSV to LDIF or LDIF to LDIF
    – Convert data from SUN/Oracle to OpenLDAP

LemonLDAP::NG
● WebSSO, Access Control and Identity Federation free software
● Authentication against LDAP
● Password modification in LDAP
● Session storage in LDAP
● Configuration storage in LDAP
● Notification storage in LDAP
● Implements Password Policy


Almost the end...

Thanks
● Special thanks to:
  ● FOSDEM and their organizers
  ● Company LINAGORA
  ● All Perl developers
● Keep in touch:
  ● Twitter: @clementoudot
  ● IRC: KPTN #linagora@freenode
  ● Web: http://coudot.blogs.linagora.com


Questions?

Thanks for your attention

http://www.linid.org

Open Source software and services
80 rue Roque de Fillol, 92800 PUTEAUX
Tel: 0810 251 251 | Fax: +33 1 46 96 63 64
www.linagora.com
