
Lightweight Directory Access Protocol

Paulo Repa
repapaul@gmail.com

1.1.2010
LDAP Paulo Repa

What is a directory?


Directory Information Tree


o=acme

ou=Sales ou=Marketing ou=Product Development

cn=Fred cn=Fred cn=Joe

cn=lpr1 cn=Lotty

cn=eng_lw3

DN for Fred in Sales: cn=Fred,ou=Sales,o=acme


Directory Solutions

- Netscape Directory Server (iPlanet)
- SCO UnixWare 7
- IBM SecureWay (formerly eNetwork)
- Novell NDS
- OpenLdap (Linux), recommended


UnixWare 7 Directory

- Directory server setup
- Schema
- ACLs
- Data backup and restore
- LDIF


Directory Setup
scoadmin ldap


Backend Setup


Attribute Schema

- Defined in slapd.at.conf
- Specifies attribute syntax

    attribute jpegphoto bin
    attribute telephonenumber tel
    attribute userpassword ces


Objectclass Schema

- Defines object contents
- Defined in slapd.oc.conf

    objectclass simplePerson
        requires
            cn,
            sn,
            objectClass
        allows
            jpegPhoto,
            mail,
            telephoneNumber,
            userPassword,
            creatorsName,
            createtimestamp,
            modifiersname,
            modifytimestamp


ACLs

- Controls access for read, write, search, compare and delete operations
- Entry or attribute level
- Defined in slapd.acl.conf

Restart the directory instance (here acme) so the new ACLs take effect:

    ldapstop -i acme
    ldapstart -i acme

Example: the entry's owner may write its own userPassword; everyone else gets no access to it at all:

    access to attr=userPassword by self write
                                by * none
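An added Python check (not from the slides) for reasoning about a slapd.acl.conf rule such as the one above before it goes live: access levels are cumulative (none < compare < search < read < write), the first by clause that matches the requester wins, and an attribute no rule covers falls back to slapd's defaultaccess, assumed here to be read.

```python
LEVELS = ["none", "compare", "search", "read", "write"]   # cumulative levels

def dn_equal(a, b):
    """Compare DNs ignoring case and the spaces after commas."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    return norm(a) == norm(b)

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> [by ...]' rules, one per line,
    into (what, [(who, level), ...]) tuples."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3 or toks[:2] != ["access", "to"]:
            continue
        clauses = [(toks[i + 1], toks[i + 2])
                   for i in range(3, len(toks) - 2, 3) if toks[i] == "by"]
        rules.append((toks[2], clauses))
    return rules

def allowed(rules, bind_dn, target_dn, attr, op, default="read"):
    """May bind_dn (None = anonymous) perform op on attr of target_dn?
    The first rule covering attr whose 'by' clause matches the requester
    decides; default stands in for slapd's defaultaccess directive (assumed read)."""
    needed = LEVELS.index(op)
    is_self = bind_dn is not None and dn_equal(bind_dn, target_dn)
    for what, clauses in rules:
        covers = what == "*" or (what.startswith("attr=")
                                 and what[5:].lower() == attr.lower())
        if not covers:
            continue
        for who, level in clauses:
            if who == "*" or (who == "self" and is_self):
                return LEVELS.index(level) >= needed   # first match wins
    return LEVELS.index(default) >= needed

# The rule from the slide, and the same two clauses in the wrong order
ACL = parse_acl("access to attr=userPassword by self write by * none")
ACL_REVERSED = parse_acl("access to attr=userPassword by * none by self write")
FRED = "cn=Fred,ou=Sales,o=acme"
JOE = "cn=Joe,ou=Product Development,o=acme"
```

With the slide's rule Fred can change his own password but nobody else, anonymous binds included, can read or even compare it; with the two by clauses swapped the catch-all matches first and denies Fred as well.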


Data Backup and Restore

- ldbmcat -n id2entry.dbb   (dump the LDBM database to LDIF)
- ldif2ldbm -i data.ldif    (rebuild the database from LDIF)
- Don't forget the directory configuration


LDIF

- LDAP Data Interchange Format
- Portable
- Human readable (almost...)

    dn: o=acme
    objectclass: organization
    o: acme


LDIF Update Statements

- add
- delete
- modify (attribute add, delete, replace)
- moddn

    dn: cn=Joe, ou=Product Development, o=acme
    changetype: modify
    replace: telephoneNumber
    telephoneNumber: 958-1234


LDAP Commands

- ldapsearch
- ldapmodify
- ldapadd
- ldapdelete
- ldapmodrdn


ldapsearch

    ldapsearch -h ldapsvr.acme.com -D "cn=admin" \
        -w "secret" -b "o=acme" -s one \
        "objectclass=*"

Binds as cn=admin and lists the entries one level below o=acme. A password given with -w is visible to other users in the process list and ends up in the shell history.


ldapmodify

    ldapmodify -h ldapsvr.acme.com -D "cn=admin" \
        -w "secret" -f modifications.ldif

modifications.ldif:

    dn: cn=Joe, ou=Product Development, o=acme
    replace: telephoneNumber
    telephoneNumber: 958-1234
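An added Python example (not part of the slides) that reads LDIF and applies the modify records shown on the LDIF Update Statements and ldapmodify slides to an in-memory directory, so the effect of a modifications.ldif can be checked before it is sent to the server. Joe's starting entry (surname, old number) is constructed.

```python
def parse_ldif(text):
    """Split LDIF into blank-line separated records of (name, value) pairs."""
    records, cur = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and cur:           # leading space: folded line
            name, value = cur.pop()
            cur.append((name, value + raw[1:]))
        elif raw == "":
            if cur:
                records.append(cur)
            cur = []
        else:                                     # a bare '-' becomes ('-', '')
            name, _, value = raw.partition(":")
            cur.append((name.strip().lower(), value.strip()))
    return records

def norm_dn(dn):  # entry key: lowercase DN without spaces after the commas
    return ",".join(p.strip().lower() for p in dn.split(","))

def apply_modify(directory, record):
    """Apply a 'changetype: modify' record to directory[norm_dn(dn)], an entry
    stored as {lowercase attribute: [values]}; blocks end at a '-' line."""
    assert record[0][0] == "dn" and record[1] == ("changetype", "modify")
    entry = directory[norm_dn(record[0][1])]
    op, attr, vals = None, None, []
    for name, value in record[2:] + [("-", "")]:  # trailing '-' closes last block
        if name in ("add", "delete", "replace"):
            op, attr, vals = name, value.lower(), []
        elif name == "-" and op:
            if op == "add":
                entry.setdefault(attr, []).extend(vals)
            elif op == "replace" and vals:
                entry[attr] = vals
            elif op == "delete" and vals:         # remove only the listed values
                entry[attr] = [v for v in entry.get(attr, []) if v not in vals]
            else:                                 # replace/delete with no values
                entry.pop(attr, None)
            op = None
        elif op:
            vals.append(value)
    return entry

# Constructed sample: Joe's entry before the change, plus the slide's LDIF
DIRECTORY = {norm_dn("cn=Joe,ou=Product Development,o=acme"): {"objectclass": [
    "simplePerson"], "cn": ["Joe"], "sn": ["Bloggs"], "telephonenumber": ["958-0000"]}}
MODS = """dn: cn=Joe, ou=Product Development, o=acme
changetype: modify
replace: telephoneNumber
telephoneNumber: 958-1234
"""
```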


ldapadd

    ldapadd -h ldapsvr.acme.com -D "cn=admin" \
        -w "secret" -f additions.ldif

Equivalent, since ldapadd is ldapmodify with the add option (-a) set:

    ldapmodify -a -h ldapsvr.acme.com -D "cn=admin" \
        -w "secret" -f additions.ldif


ldapdelete

    ldapdelete -h ldapsvr.acme.com -D "cn=admin" \
        -w "secret" cn=Fred,ou=Sales,o=acme


ldapmodrdn

    ldapmodrdn -h ldapsvr.acme.com -D "cn=admin" \
        -w "secret" -r cn=lpr,ou=Sales,o=acme \
        cn=sales_lw1

Renames the entry to cn=sales_lw1; -r removes the old RDN value (cn=lpr) from the entry instead of keeping it as an extra cn value.


Using the UnixWare 7 LDAP API

- Library / Binding to the server
- Search
- Compare
- Add
- Modify
- Asynchronous LDAP calls


LDAP C API

- UnixWare 7 ldap package
- LDAP C API - RFC1823
- LDAP v2 - RFC1777

    #include <ldap.h>
    #include <lber.h>

Link against the LDAP, BER and resolver libraries (libraries after the source so the linker can resolve the references):

    cc -o app src.c -lldap -llber -lresolv


Binding to the server

    LDAP *ld;

    /* open a connection to the server; NULL means it could not be reached */
    if ((ld = ldap_open("ldapsvr.acme.com", LDAP_PORT)) == NULL) {
        perror("ldap_open");
        return;
    }
    /* simple bind: with LDAP v2 the password crosses the network in the clear */
    if (ldap_simple_bind_s(ld, "cn=admin", "secret") != LDAP_SUCCESS) {
        ldap_perror(ld, "bind example");
        return;
    }

    /* LDAP directory operations (search, modify, ...) */
    ...

    if (ldap_unbind_s(ld) != LDAP_SUCCESS) {
        ldap_perror(ld, "unbind example");
        return;
    }


Search - API call

    LDAPMessage *res, *entry;
    BerElement *ber;
    char *attr, *dn, **vals, **vp;

    /* subtree search below o=acme; attrs NULL = all attributes,
       attrsonly 0 = return values as well as attribute names */
    if (ldap_search_s(ld, "o=acme", LDAP_SCOPE_SUBTREE,
                      "telephoneNumber=958*", NULL, 0, &res) != LDAP_SUCCESS) {
        ldap_perror(ld, "search example");
        exit(EXIT_FAILURE);
    }


Search - Process Data

    for (entry = ldap_first_entry(ld, res); entry != NULL;
         entry = ldap_next_entry(ld, entry)) {
        if ((dn = ldap_get_dn(ld, entry)) != NULL) {
            printf("dn: %s\n", dn);
            free(dn);                       /* RFC1823 also offers ldap_memfree() */
        }
        for (attr = ldap_first_attribute(ld, entry, &ber);
             attr != NULL;
             attr = ldap_next_attribute(ld, entry, ber)) {
            /* NULL-terminated array of string values; binary attributes such
               as jpegPhoto need ldap_get_values_len() instead */
            vals = ldap_get_values(ld, entry, attr);
            for (vp = vals; vp && *vp; vp++)
                printf("%s: %s\n", attr, *vp);
            ldap_value_free(vals);
        }
        if (ber)
            ber_free(ber, 0);
    }
    ldap_msgfree(res);                      /* frees every entry in the result */


Compare - API call

    int rc;

    /* ldap_compare_s returns LDAP_COMPARE_TRUE or LDAP_COMPARE_FALSE;
       anything else is an error code */
    rc = ldap_compare_s(ld, "cn=Fred, ou=Sales, o=acme",
                        "telephoneNumber", "9589876");
    if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) {
        ldap_perror(ld, "compare example");
        exit(EXIT_FAILURE);
    }
    if (rc == LDAP_COMPARE_TRUE) {
        /* attribute type and value found */
    } else {
        /* not found */
    }

The compare matches: telephoneNumber has the tel syntax, so 9589876 and the stored 958-9876 compare equal.

    dn: cn=Fred, ou=Sales, o=acme
    objectclass: simplePerson
    cn: Fred
    sn: Jones
    telephoneNumber: 958-9876
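An added Python example (not from the slides) showing how the syntax declared in slapd.at.conf drives matching: the normalisation each syntax implies, a compare in the style of ldap_compare_s, and the simple filters the search slides use ("objectclass=*", "telephoneNumber=958*"). The cis (case-ignore string) syntax assumed for cn and sn, and Fred's password value, are assumptions.

```python
# Syntaxes from the slapd.at.conf slide; cn and sn are assumed to use cis
# (case-ignore string), the usual choice for plain text attributes
SYNTAX = {"jpegphoto": "bin", "telephonenumber": "tel",
          "userpassword": "ces", "cn": "cis", "sn": "cis"}

def normalise(syntax, value):
    """Canonical form two values must share to be equal under a syntax."""
    if syntax == "tel":          # telephone: spaces and hyphens do not count
        return "".join(c for c in value if c not in " -").lower()
    if syntax == "cis":          # case-ignore string
        return " ".join(value.split()).lower()
    if syntax == "ces":          # case-exact string: compared as written
        return value
    if syntax == "bin":          # binary: raw bytes
        return value if isinstance(value, bytes) else value.encode()
    raise ValueError("unknown syntax " + syntax)

def compare(entry, attr, assertion, schema=SYNTAX):
    """Mimic ldap_compare_s on an in-memory entry {attr: [values]}."""
    values = entry.get(attr.lower())
    if values is None:
        return "LDAP_NO_SUCH_ATTRIBUTE"
    syntax = schema.get(attr.lower(), "cis")
    want = normalise(syntax, assertion)
    hit = any(normalise(syntax, v) == want for v in values)
    return "LDAP_COMPARE_TRUE" if hit else "LDAP_COMPARE_FALSE"

def matches_filter(entry, flt, schema=SYNTAX):
    """Evaluate the simple filters used in the slides: presence
    ('objectclass=*'), prefix ('telephoneNumber=958*') and equality."""
    attr, _, pattern = flt.strip("()").partition("=")
    values = entry.get(attr.lower(), [])
    if pattern == "*":                               # presence test
        return bool(values)
    syntax = schema.get(attr.lower(), "cis")
    if pattern.endswith("*"):                        # initial substring
        want = normalise(syntax, pattern[:-1])
        return any(normalise(syntax, v).startswith(want) for v in values)
    return compare(entry, attr, pattern, schema) == "LDAP_COMPARE_TRUE"

# Fred's entry from the compare slide (the password value is constructed)
FRED = {"objectclass": ["simplePerson"], "cn": ["Fred"], "sn": ["Jones"],
        "telephonenumber": ["958-9876"], "userpassword": ["s3cret"]}
```

A compare is a yes/no oracle for the stored value, which is why the ACL slide grants nobody but the entry's owner even compare access on userPassword.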


LDAPMod structure

- One structure per attribute type
- Add, delete and replace operations
- Text or binary data
- Multiple values

    mod_op      LDAP_MOD_ADD
    mod_type    "mailAliasMembers"
    mod_values  "Joe"
                "Lotty"


Add Entry - Data

    char *cnvals[] = {"John", NULL}, *snvals[] = {"Smith", NULL};
    char *objvals[] = {"simplePerson", NULL};
    LDAPMod mod[3], *mods[4];           /* mods has room for the NULL terminator */
    int i;

    mod[0].mod_op = LDAP_MOD_ADD;
    mod[0].mod_type = "cn";
    mod[0].mod_values = cnvals;
    mod[1].mod_op = LDAP_MOD_ADD;
    mod[1].mod_type = "sn";
    mod[1].mod_values = snvals;
    mod[2].mod_op = LDAP_MOD_ADD;
    mod[2].mod_type = "objectClass";
    mod[2].mod_values = objvals;

    /* build the NULL-terminated array of pointers that ldap_add_s expects */
    for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
        mods[i] = &mod[i];
    mods[i] = NULL;


Add Entry - API call

    if (ldap_add_s(ld, "cn=John,ou=Marketing,o=acme", &mods[0])
            != LDAP_SUCCESS) {
        ldap_perror(ld, "add example");
        exit(EXIT_FAILURE);
    }

Resulting entry:

    dn: cn=John, ou=Marketing, o=acme
    objectclass: simplePerson
    cn: John
    sn: Smith


Modify Entry - Data

    char *snvals[] = {"Smithe", NULL};
    char *telvals[] = {"958-2357", NULL};
    LDAPMod mod[2], *mods[3];           /* mods has room for the NULL terminator */
    int i;

    mod[0].mod_op = LDAP_MOD_REPLACE;   /* replace every existing sn value */
    mod[0].mod_type = "sn";
    mod[0].mod_values = snvals;

    mod[1].mod_op = LDAP_MOD_ADD;       /* add a value, keeping any existing ones */
    mod[1].mod_type = "telephoneNumber";
    mod[1].mod_values = telvals;

    for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
        mods[i] = &mod[i];
    mods[i] = NULL;


Modify Entry - API call

    if (ldap_modify_s(ld, "cn=John,ou=Marketing,o=acme", &mods[0])
            != LDAP_SUCCESS) {
        ldap_perror(ld, "modify example");
        exit(EXIT_FAILURE);
    }

Resulting entry:

    dn: cn=John, ou=Marketing, o=acme
    objectclass: simplePerson
    cn: John
    sn: Smithe
    telephoneNumber: 958-2357


Asynchronous LDAP calls

- Client need not block
- Operations may be multiplexed on a connection
- Function names omit "_s"

    int msgid, rc;
    LDAPMessage *result;

    /* returns the message id at once, without waiting for the server */
    if ((msgid = ldap_search(ld, "o=acme", LDAP_SCOPE_SUBTREE,
                             "objectclass=*", NULL, 0)) == -1)
        error_handler();
    /* all = 0: ldap_result() hands back one entry per call; the loop ends on
       the final LDAP_RES_SEARCH_RESULT message, or on -1 for an error */
    while ((rc = ldap_result(ld, msgid, 0, NULL, &result)) ==
           LDAP_RES_SEARCH_ENTRY) {
        process_results(result);
        ldap_msgfree(result);
    }
    if (rc == -1)
        error_handler();
    else
        ldap_msgfree(result);       /* the search-result message itself */


Bibliography

- LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol, Howes and Smith
- RFC1777 - Lightweight Directory Access Protocol
- RFC1823 - The LDAP Application Program Interface
