paulo repa 1. 1. 2 0 10 1 lightweight directory access protocol paulo repa [email protected]
TRANSCRIPT
2
LDAP Paulo Repa
What is a directory?
3
LDAP Paulo Repa
Directory Information Tree
o=acme
ou=Sales ou=Marketing ou=Product Development
cn=Fred cn=Fred cn=Joe
cn=Lotty
cn=Fred,ou=Sales,o=acmeDN for Fred in Sales:
cn=eng_lw3
cn=lpr1
4
LDAP Paulo Repa
Directory Solutions
Netscape Directory Server (iPlanet)
SCO UnixWare 7
IBM SecureWay (formerly eNetwork)
Novell NDS
OpenLdap (Linux) Recommended
5
LDAP Paulo Repa
Directory server setup
Schema
ACLs
Data backup and restore
LDIF
UnixWare 7 Directory
6
LDAP Paulo Repa
Directory Setup
scoadmin ldap
7
LDAP Paulo Repa
Backend Setup
8
LDAP Paulo Repa
Directory server setup
Schema
ACLs
Data backup and restore
LDIF
UnixWare 7 Directory
9
LDAP Paulo Repa
Attribute Schema
Defined in slapd.at.conf
Specifies attribute syntax
attribute jpegphoto bin
attribute telephonenumber tel
attribute userpassword ces
10
LDAP Paulo Repa
Objectclass Schema
objectclass simplePersonrequires
cn,sn,objectClass
allowsjpegPhoto,mail,telephoneNumber,userPassword,creatorsName,createtimestamp,modifiersname,modifytimestamp
Defines object contents
Defined in slapd.oc.conf
11
LDAP Paulo Repa
Directory server setup
Schema
ACLs
Data backup and restore
LDIF
UnixWare 7 Directory
12
LDAP Paulo Repa
ACLs
access to attr=userPassword by self write
by * none
ldapstop -i acme
ldapstart -i acme
Controls access for read, write, search, compare and delete operations
Entry or attribute level
Defined in slapd.acl.conf
13
LDAP Paulo Repa
Directory server setup
Schema
ACLs
Data backup and restore
LDIF
UnixWare 7 Directory
14
LDAP Paulo Repa
Data Backup and Restore
ldbmcat -n id2entry.dbb
ldif2ldbm -i data.ldif
Don’t forget directory configuration
15
LDAP Paulo Repa
Directory server setup
Schema
ACLs
Data backup and restore
LDIF
UnixWare 7 Directory
16
LDAP Paulo Repa
LDIF
LDAP Data Interchange Format
Portable
Human readable (almost...)
dn: o=acme
objectclass: organization
o: acme
17
LDAP Paulo Repa
LDIF Update Statements
add
delete
modify (attribute add, delete, replace)
moddn
dn: cn=Joe, ou=Product Development, o=acme
changetype: modify
replace: telephoneNumber
telephoneNumber: 958-1234
18
LDAP Paulo Repa
LDAP Commands
ldapsearch
ldapmodify
ldapadd
ldapdelete
ldapmodrdn
19
LDAP Paulo Repa
ldapsearch
ldapsearch -h ldapsvr.acme.com -D “cn=admin” -w “secret” -b “o=acme” -s one “objectclass=*”
20
LDAP Paulo Repa
ldapmodify
ldapmodify -h ldapsvr.acme.com -D “cn=admin” -w “secret” -f modifications.ldif
dn: cn=Joe, ou=Product Development, o=acme
replace: telephoneNumber
telephoneNumber: 958-1234
21
LDAP Paulo Repa
ldapadd
ldapmodify -a -h ldapsvr.acme.com -D “cn=admin” -w “secret” -f additions.ldif
ldapadd -h ldapsvr.acme.com -D “cn=admin” -w “secret” -f additions.ldif
22
LDAP Paulo Repa
ldapdelete
ldapdelete -h ldapsvr.acme.com -D “cn=admin” -w “secret” cn=Fred,ou=Sales,o=acme
23
LDAP Paulo Repa
ldapmodrdn
ldapmodrdn -h ldapsvr.acme.com -D “cn=admin” -w “secret” -r cn=lpr,ou=Sales,o=acme cn=sales_lw1
24
LDAP Paulo Repa
Using the UnixWare 7 LDAP API
Library / Binding to the server
Search
Compare
Add
Modify
Asynchronous LDAP calls
25
LDAP Paulo Repa
LDAP C API
UnixWare 7 ldap package
LDAP C API - RFC1823
LDAP v2 - RFC1777
#include <ldap.h>
#include <lber.h>
cc -o app -lldap -llber -lresolv src.c
26
LDAP Paulo Repa
Binding to the serverLDAP *ld;
ld = ldap_open(“ldapsvr.acme.com”,LDAP_PORT);
if (ldap_simple_bind_s(ld,“cn=admin”,“secret”) != LDAP_SUCCESS) {
ldap_perror(ld,“bind example”);
return;
}
if (ldap_unbind_s(ld) != LDAP_SUCCESS) {
ldap_perror(ld,“bind example”);
return;
}
…LDAP directory operations (search, modify, ...)
...
27
LDAP Paulo Repa
Using the UnixWare 7 LDAP API
Library / Binding to the server
Search
Compare
Add
Modify
Asynchronous LDAP calls
28
LDAP Paulo Repa
Search - API call
LDAPMessage *res, *entry;
BerElement *ber;
char *attr, *dn, **vals, **vp;
if (ldap_search_s(ld, “o=acme”, LDAP_SCOPE_SUBTREE, “telephoneNumber=958*”, 0, &res) != LDAP_SUCCESS) {
ldap_perror(ld, “search example”);
exit(EXIT_FAILURE);
}
29
LDAP Paulo Repa
Search - Process Data
for (entry = ldap_first_entry(ld, res); entry != NULL;entry = ldap_next_entry(ld, entry)) {
if (dn = ldap_get_dn(ld, entry)) {printf(“dn: %s\n”, dn);free(dn);
} for (attr=ldap_first_attribute(ld, entry, &ber);
attr != NULL; attr=ldap_next_attribute(ld, entry, ber)) {vals = ldap_get_values(ld, entry, attr);for (vp = vals; vp && *vp; vp++) printf(“%s: %s\n”, attr, *vp);ldap_value_free(vals);
} if (ber)
ber_free(ber, 0);}ldap_msgfree(res);
30
LDAP Paulo Repa
Using the UnixWare 7 LDAP API
Library / Binding to the server
Search
Compare
Add
Modify
Asynchronous LDAP calls
31
LDAP Paulo Repa
Compare - API call
Matches for an attribute type of “tel” syntax
if ((res = ldap_compare_s(ld, “cn=Fred, ou=Sales, o=acme”, “telephoneNumber”, “9589876”)) == -1) {
ldap_perror(ld, “compare example”);
exit(EXIT_FAILURE);
}
if (res = LDAP_COMPARE_TRUE)
// Attribute type and value found
else
// Not found
dn: cn=Fred, ou=Sales, o=acme
objectclass: simplePerson
cn: Fred
sn: Jones
telephoneNumber: 958-9876
32
LDAP Paulo Repa
Using the UnixWare 7 LDAP API
Library / Binding to the server
Search
Compare
Add
Modify
Asynchronous LDAP calls
33
LDAP Paulo Repa
LDAPMod structure
One structure per attribute type
Add, delete and replace operations
Text or binary data
Multiple values
mod_op
mod_type
mod_values
LDAP_MOD_ADD
“mailAliasMembers”
“Joe”
“Lotty”
34
LDAP Paulo Repa
char *cnvals[]={"John", NULL}, *snvals[]={"Smith", NULL};char *objvals[]={”simplePerson", NULL};LDAPMod mod[3], *mods[4];
mod[0].mod_op = LDAP_MOD_ADD;mod[0].mod_type = "cn";mod[0].mod_values = cnvals;mod[1].mod_op = LDAP_MOD_ADD;mod[1].mod_type = "sn";mod[1].mod_values = snvals;mod[2].mod_op = LDAP_MOD_ADD;mod[2].mod_type = "objectClass";mod[2].mod_values = objvals;
for (i=0; i < sizeof(mod) / sizeof(LDAPMod); i++)mods[i] = &mod[i];
mods[i] = NULL;
Add Entry - Data
35
LDAP Paulo Repa
if (ldap_add_s(ld, “cn=John,ou=Marketing,o=acme”,&mods[0]) != LDAP_SUCCESS) {
ldap_perror(ld, “add example”);exit(EXIT_FAILURE);
}
Add Entry - API call
dn: cn=John, ou=Marketing, o=acme
objectclass: simplePerson
cn: John
sn: Smith
36
LDAP Paulo Repa
Using the UnixWare 7 LDAP API
Library / Binding to the server
Search
Compare
Add
Modify
Asynchronous LDAP calls
37
LDAP Paulo Repa
char *snvals[] = { “Smithe”, NULL};char *telvals[] = { “958-2357”, NULL};LDAPMod mod[2], *mods[3];
mod[0].mod_op = LDAP_MOD_REPLACE;mod[0].mod_type = "sn";mod[0].mod_values = snvals;
mod[1].mod_op = LDAP_MOD_ADD;mod[1].mod_type = ”telephoneNumber";mod[1].mod_values = telvals;
for (i=0; i < sizeof(mod) / sizeof(LDAPMod); i++)mods[i] = &mod[i];
mods[i] = NULL;
Modify Entry - Data
38
LDAP Paulo Repa
if (ldap_modify_s(ld,“cn=John,ou=Marketing,o=acme”,&mods[0]) != LDAP_SUCCESS) {
ldap_perror(ld, “modify example”);exit(EXIT_FAILURE);
}
Modify Entry - API call
dn: cn=John, ou=Marketing, o=acme
objectclass: simplePerson
cn: John
sn: Smithe
telephoneNumber: 958-2357
39
LDAP Paulo Repa
Using the UnixWare 7 LDAP API
Library / Binding to the server
Search
Compare
Add
Modify
Asynchronous LDAP calls
40
LDAP Paulo Repa
Asynchronous LDAP calls Client need not block Operations may be multiplexed on a connection Function names omit “_s”
int msgid, rc;
if ((msgid = ldap_search(ld, “o=acme”, LDAP_SCOPE_SUBTREE, “objectclass=*”, NULL, 0)) == -1)
error_handler();
while ((rc = ldap_result(ld, msgid, 0, NULL, &result)) ==
LDAP_RES_SEARCH_ENTRY) {
process_results(result);
ldap_msgfree(result);
}
41
LDAP Paulo Repa
Bibliography
LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol
– Howes, Smith RFC1777 - Lightweight Directory Access Protocol RFC1823 - The LDAP Application Program Interface