6. LDAP Lightweight Directory Access Protocol
What is LDAP
- Lightweight Directory Access Protocol
- Based on X.500
- Directory service (RFC1777)
- Stores attribute based data
- Data generallly read more than written to
- No transactions
- No rollback
- Hierarchical data structure
- Entries are in a tree-like structure called Directory Information Tree (DIT)
Hierachical
![[Hierachial Directory Tree]](images/directory-tree-hierachial.png)
Flat
![[Flat Directory Tree]](images/directory-tree-flat.png)
- Client-server model
- Consistant view of data
- Answers request
- Refer to server with answer
Referrals
-
![[ Referral ]](images/referral.png)
- Client requests information
- Server 1 returns referral to server 2
- Client resends request to server 2
- Server 2 returns information to client
Global View
![[ Global Structure ]](images/global.png)
Based on entries
- Collection of attributes
- Has a distinguished name (DN) - like domain name
Acronyms
- LDAP
- Lightweight Directory Access Protocol
- DN
- Distinguish Name
- RDN
- Relative Distinuished Name
- DIT
- Directory Information Tree
- LDIF
- LDAP Data Interchange Format
- OID
- Object Identifier
LDIF
- LDAP Data Interchange Format
- Represents LDAP entries in text
- Human readable format
- Allows easy modification of data
- ldbmcat converts ldbm database to ldif
- ldif2ldbm converts ldif back to ldbm database
- Example extract
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com uid: bmarshal cn: Brad Marshall objectclass: account objectclass: posixAccount objectclass: top loginshell: /bin/bash uidnumber: 500 gidnumber: 120 homedirectory: /mnt/home/bmarshal gecos: Brad Marshall,,,, userpassword: {crypt}KDnOoUYN7Neac
Schema
- Set of rules that describes what kind of data is stored
- Helps maintain consistancy and quality of data
- Reduces duplication of data
- Object class attribute determines schema rules the entry must follow
- Schema contains the following:
- Required attributes
- Allowed attributes
- How to compare attributes
- Limit what the attributes can store - ie, restrict to integer etc
- Restrict what information is stored - ie, stops duplication etc
Attribute abbreviations
See RFC2256 - LDAP Data Interchange Format
- uid
- User id
- cn
- Common Name
- sn
- Surname
- l
- Location
- ou
- Organisational Unit
- o
- Organisation
- dc
- Domain Component
- st
- State
- c
- Country
Search Filters
- Criteria for attributes that must be fulfilled for entry to be returned
- Base dn = base object entry search is relative to
- Prefix notation
- Standards
- RFC 1960: LDAP String Representation of Search Filters
- RFC 2254: LDAPv3 Search Filters
- Operators
- & = and
- | = or
- ! = not
- ~= = approx equal
- >= = greater than or equal
- <= = less than or equal
- * = any
- Eg
- (objectclass=posixAccount)
- (cn=Mickey M*)
- (|(uid=fred)(uid=bill))
- (&(|(uid=jack)(uid=jill))(objectclass=posixAccount))
Deploying LDAP
Servers
- Slapd
- University of Michigan
- Openldap
- Open Directory S
- Netscape Directory Server
- Microsoft Active Directory (AD)
- Novell Directory Services (NDS)
- Sun Directory Services (SDS)
- Lucent's Internet Directory Server (IDS)
Openldap
LDAP Server architecture
- LDAP daemon called slapd
- Choice of databases
- LDBM - high performance disk based db
- SHELL - db interface to unix commands
- PASSWORD - simple password file db
- SQL - mapping sql to ldap (in OpenLDAP 2.x)
- Multiple database instances
- Access control
- Threaded
- Replication
LDAP Architecture
![[ LDAP Architecture ]](images/architecture.png)
- Choice of databases
- Replication daemon called slurpd
- Frees slapd from worrying about hosts being down etc
- Communicates with slapd through text file
Replication Architecture
![[ Replication Architecture ]](images/rep-arch.png)
Replication
- Increases:
- Reliability - if one copy of the directory is down
- Availability - more likely to find an available server
- Performance - can use a server closer to you
- Speed - can take more queries as replicas are added
- Temporary inconsistances are ok
- Having replicas close to clients is important - network going down is same as server going down
- Removes single point of failure
Replication Options
a. All modifications go to the master LDAP server
![[ Replica A ]](images/replica-a.png) |
b. Using referrals
![[ Replica B ]](images/replica-b.png) |
- Client sends modification to replica
- Replica returns referral to master
- Client resubmits modification to master
- Master returns results to client
- Master updates replica with change
c. Using chaining
![[ Replica C ]](images/replica-c.png) |
|
Examples slapd.conf
|
/etc/ldap/slapd.conf
|
Start Manualmente:
>#slapd -h ldap://maquina.midominio.mx:9009/ o levantándolo como root en el puerto por default 389 ># slapd La primera vez habra que inicializar el directorio: Con los scripts de arranque: /etc/init.d/slapd start
archivo: initial.ldif
|
:># ldapadd -x -D "cn=Manager,dc=midominio,dc=mx" -W -h maquina.midominio.mx -p 9009 -f initial.ldif
Enter LDAP Password:
adding new entry "dc=midominio,dc=mx"
adding new entry "cn=Manager,dc=midominio,dc=mx"
:># ldapsearch -x -b 'cn=Manager,dc=midominio,dc=mx' -h maquina.midominio.mx -p 9009 '(objectclass=*)' # extended LDIF # # LDAPv3 # base <cn=Manager,dc=midominio,dc=mx> with scope sub # filter: (objectclass=*) # requesting: ALL #
# Manager, midominio.mx dn: cn=Manager,dc=midominio,dc=mx objectClass: organizationalRole cn: Manager
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 Stop
kill -INT `cat /var/run/slapd/slapd.pid`
o en Solaris
kill `cat /var/run/slapd/slapd.pid`
Con los scripts de arranque:
/etc/init.d/slapd stop
LDAP Applications
Application Architecture![[ Applications Architecture ]](images/app-arch.png) |
Using Multiple Applications![[ LDAP Applications ]](images/app.png) |
LDAP Browsers
Phpldapadmin
http://phpldapadmin.sourceforge.net/
 |
 |
JXPLORER
 |
 |
 |
 |
LDAPBrowser
http://www-unix.mcs.anl.gov/~gawor/ldap/
 |
 |
GQ
 |
 |
 |
Programas ejemplo con el API de Novell
1:import com.novell.ldap.LDAPAttribute; 2:import com.novell.ldap.LDAPAttributeSet; 3:import com.novell.ldap.LDAPEntry; 4:import com.novell.ldap.LDAPConnection; 5:import com.novell.ldap.LDAPException; 6:import java.io.UnsupportedEncodingException; 7: 8:public class AddEntry 9:{ 10: public static void main( String[] args ) 11: { 12: if (args.length != 4) { 13: System.err.println("Usage: java AddEntry <host name> <login dn>" 14: + " <password> <container>"); 15: System.err.println("Example: java AddEntry Acme.com" 16: + " \"cn=admin,o=Acme\" secret \"ou=Sales,o=Acme\""); 17: System.exit(1); 18: } 19: 20: int ldapPort = LDAPConnection.DEFAULT_PORT; 21: int ldapVersion = LDAPConnection.LDAP_V3; 22: String ldapHost = args[0]; 23: String loginDN = args[1]; 24: String password = args[2]; 25: String containerName = args[3]; 26: LDAPConnection lc = new LDAPConnection(); 27: LDAPAttribute attribute = null; 28: LDAPAttributeSet attributeSet = new LDAPAttributeSet(); 29: 30: 31: /* To Add an entry to the directory, 32: * - Create the attributes of the entry and add them to an attribute set 33: * - Specify the DN of the entry to be created 34: * - Create an LDAPEntry object with the DN and the attribute set 35: * - Call the LDAPConnection add method to add it to the directory 36: */ 37: attributeSet.add( new LDAPAttribute( 38: "objectclass", new String("organizationalPerson"))); 39: attributeSet.add( new LDAPAttribute("cn", 40: new String[]{"James Smith", "Jim Smith", "Jimmy Smith"})); 41: 42: attributeSet.add( new LDAPAttribute("sn", new String("Smith"))); 43: attributeSet.add( new LDAPAttribute("telephonenumber", 44: new String("1 801 555 1212"))); 45: 46: attributeSet.add( new LDAPAttribute("userpassword", 47: new String("newpassword"))); 48: 49: String dn = "cn=Jim Smith," + containerName; 50: LDAPEntry newEntry = new LDAPEntry( dn, attributeSet ); 51: 52: try { 53: // connect to the server 54: lc.connect( ldapHost, ldapPort ); 55: // authenticate to the server 56: lc.bind( ldapVersion, loginDN, password.getBytes("UTF8") ); 57: 58: lc.add( newEntry ); 59: System.out.println( "\nAdded object: " + dn + " successfully." ); 60: 61: // disconnect with the server 62: lc.disconnect(); 63: } 64: catch( LDAPException e ) { 65: System.out.println( "Error: " + e.toString()); 66: } 67: catch( UnsupportedEncodingException e ) { 68: System.out.println( "Error: " + e.toString() ); 69: } 70: System.exit(0); 71: } 72:} |
digital@localhost:~/ldapsample> java AddEntry localhost "cn=Manager,dc=midominio,dc=mx" lolo "dc=midominio,dc=mx" Added object: cn=Jim Smith,dc=midominio,dc=mx successfully. |
1:import com.novell.ldap.*; 2:import java.io.UnsupportedEncodingException; 3: 4:public class AddUserToGroup 5:{ 6: public static void main( String[] args ) 7: { 8: 9: if (args.length != 5) { 10: usage(); 11: System.exit(1); 12: } 13: 14: int ldapPort = LDAPConnection.DEFAULT_PORT; 15: int ldapVersion = LDAPConnection.LDAP_V3; 16: boolean status = false; 17: LDAPConnection lc = new LDAPConnection(); 18: String ldapHost = args[0]; 19: String loginDN = args[1]; 20: String password = args[2]; 21: String userDN = args[3]; 22: String groupDN = args[4]; 23: 24: try { 25: // connect to the server 26: lc.connect( ldapHost, ldapPort); 27: // bind to the server 28: lc.bind( ldapVersion, loginDN, password.getBytes("UTF8") ); 29: 30: // call _AddUseToGroup() to add the user to the group 31: status = _AddUserToGroup( lc, userDN, groupDN ); 32: 33: if ( status ) 34: System.out.println( 35: "User: " + userDN + " was enrolled in group: " + groupDN); 36: else 37: System.out.println( "User: " + userDN + 38: " could not be enrolled in group: " + groupDN); 39: 40: // disconnect with the server 41: lc.disconnect(); 42: } 43: catch( LDAPException e ) { 44: System.out.println( "Error: " + e.toString() ); 45: } 46: catch( UnsupportedEncodingException e ) { 47: System.out.println( "Error: " + e.toString() ); 48: } 49: System.exit(0); 50: } 51: 52: public static void usage() { 53: System.err.println("Usage: java AddUserToGroup <ldap host>" 54: + " <login dn> <password> <user dn >\n" 55: +" <group dn>"); 56: System.err.println("Example: java AddUserToGroup Acme.com" 57: + " \"cn=Admin,o=Acme\" secret\n" 58: + " \"cn=James,ou=Sales,o=Acme\"" 59: + " \"cn=salesGroup,ou=Sales,o=Acme\""); 60: } 61: 62: public static boolean _AddUserToGroup( LDAPConnection lc, 63: String userdn, 64: String groupdn ) { 65: 66: // modifications for group and user 67: LDAPModification[] modGroup = new LDAPModification[1]; 68: 69: // Add modifications to modGroup 70: LDAPAttribute member = new LDAPAttribute("member", userdn); 71: modGroup[0] = new LDAPModification( LDAPModification.ADD, member); 72: 73: try { 74: // Modify the group's attributes 75: lc.modify( groupdn, modGroup); 76: System.out.println("Modified the group's attribute."); 77: } 78: catch( LDAPException e ) { 79: System.out.println( 80: "Failed to modify group's attributes: " + e.toString() ); 81: 82: return false; 83: } 84: return true; 85: } 86: 87: 88:} |
:> java AddUserToGroup localhost "cn=Manager,dc=midominio,dc=mx" lolo "cn=Carlos Proal,ou=usuarios,dc=midominio,dc=mx" "cn=amigos,dc=midominio,dc=mx"
Modified the group's attribute.
User: cn=Carlos Proal,ou=usuarios,dc=midominio,dc=mx was enrolled in group: cn=amigos,dc=midominio,dc=mx |
1:import com.novell.ldap.LDAPAttribute; 2:import com.novell.ldap.LDAPAttributeSet; 3:import com.novell.ldap.LDAPConnection; 4:import com.novell.ldap.LDAPEntry; 5:import com.novell.ldap.LDAPException; 6:import com.novell.ldap.LDAPSearchResults; 7:import com.novell.ldap.util.Base64; 8:import java.util.Enumeration; 9:import java.util.Iterator; 10:import java.io.UnsupportedEncodingException; 11: 12:public class Read 13:{ 14: public static void main( String[] args ) 15: { 16: if (args.length != 4) { 17: System.out.println("Usage: java Search <host name> <login dn>" 18: + " <password> <user dn>"); 19: 20: System.out.println("Example: java Search Acme.com" 21: + " \"cn=admin,o=Acme\"" 22: + " secret \"cn= John Smith, ou=sales,o=Acme\""); 23: 24: System.exit(0); 25: } 26: 27: int ldapPort = LDAPConnection.DEFAULT_PORT; 28: int ldapVersion = LDAPConnection.LDAP_V3; 29: String ldapHost = args[0]; 30: String loginDN = args[1]; 31: String password = args[2]; 32: String userDN = args[3]; 33: 34: LDAPConnection lc = new LDAPConnection(); 35: 36: try { 37: // connect to the server 38: lc.connect( ldapHost, ldapPort ); 39: // bind to the server 40: lc.bind( ldapVersion, loginDN, password.getBytes("UTF8") ); 41: 42: LDAPEntry resultEntry = 43: lc.read( userDN ); 44: 45: /* To print out the search results, 46: * -- The first while loop goes through all the attributes 47: * -- The second while loop goes through all the attribute values 48: */ 49: 50: System.out.println("\n" + resultEntry.getDN()); 51: System.out.println(" Attributes: "); 52: 53: LDAPAttributeSet attributeSet = resultEntry.getAttributeSet(); 54: Iterator allAttributes = attributeSet.iterator(); 55: 56: while(allAttributes.hasNext()) { 57: LDAPAttribute attribute = 58: (LDAPAttribute)allAttributes.next(); 59: String attributeName = attribute.getName(); 60: 61: System.out.println(" " + attributeName); 62: 63: Enumeration allValues = attribute.getStringValues(); 64: 65: if( allValues != null) { 66: while(allValues.hasMoreElements()) { 67: String Value = (String) allValues.nextElement(); 68: if (Base64.isLDIFSafe(Value)) { 69: // is printable 70: System.out.println(" " + Value); 71: } 72: else { 73: // base64 encode and then print out 74: Value = Base64.encode(Value.getBytes()); 75: System.out.println(" " + Value); 76: } 77: } 78: } 79: } 80: 81: // disconnect with the server 82: lc.disconnect(); 83: } 84: catch( LDAPException e ) { 85: System.out.println( "Error: " + e.toString() ); 86: } 87: catch( UnsupportedEncodingException e ) { 88: System.out.println( "Error: " + e.toString() ); 89: } 90: System.exit(0); 91: } 92:} |
:> java Read localhost "cn=Jim Smith,dc=midominio,dc=mx" newpassword "cn=Jim Smith,dc=midominio,dc=mx"
Attributes:
sn
Linda
cn
Hermelinda Linda
objectClass
organizationalPerson
person
top
userPassword
feya
|
1:import com.novell.ldap.LDAPAttribute; 2:import com.novell.ldap.LDAPAttributeSet; 3:import com.novell.ldap.LDAPConnection; 4:import com.novell.ldap.LDAPEntry; 5:import com.novell.ldap.LDAPException; 6:import com.novell.ldap.LDAPSearchResults; 7:import com.novell.ldap.util.Base64; 8:import java.util.Enumeration; 9:import java.util.Iterator; 10:import java.io.UnsupportedEncodingException; 11: 12:public class Search 13:{ 14: public static void main( String[] args ) 15: { 16: if (args.length != 5) { 17: System.out.println("Usage: java Search <host name> <login dn>" 18: + " <password> <search base>\n" 19: + " <search filter>"); 20: System.out.println("Example: java Search Acme.com" 21: + " \"cn=admin,o=Acme\"" 22: + " secret \"ou=sales,o=Acme\"\n" 23: + " \"(objectclass=*)\""); 24: System.exit(0); 25: } 26: 27: int ldapPort = LDAPConnection.DEFAULT_PORT; 28: int searchScope = LDAPConnection.SCOPE_ONE; 29: int ldapVersion = LDAPConnection.LDAP_V3; 30: String ldapHost = args[0]; 31: String loginDN = args[1]; 32: String password = args[2]; 33: String searchBase = args[3]; 34: String searchFilter = args[4]; 35: LDAPConnection lc = new LDAPConnection(); 36: 37: try { 38: // connect to the server 39: lc.connect( ldapHost, ldapPort ); 40: // bind to the server 41: lc.bind( ldapVersion, loginDN, password.getBytes("UTF8") ); 42: 43: LDAPSearchResults searchResults = 44: lc.search( searchBase, 45: searchScope, 46: searchFilter, 47: null, // return all attributes 48: false); // return attrs and values 49: 50: /* To print out the search results, 51: * -- The first while loop goes through all the entries 52: * -- The second while loop goes through all the attributes 53: * -- The third while loop goes through all the attribute values 54: */ 55: while ( searchResults.hasMore()) { 56: LDAPEntry nextEntry = null; 57: try { 58: nextEntry = searchResults.next(); 59: } 60: catch(LDAPException e) { 61: System.out.println("Error: " + e.toString()); 62: 63: // Exception is thrown, go for next entry 64: 65: continue; 66: } 67: 68: System.out.println("\n" + nextEntry.getDN()); 69: System.out.println(" Attributes: "); 70: 71: LDAPAttributeSet attributeSet = nextEntry.getAttributeSet(); 72: Iterator allAttributes = attributeSet.iterator(); 73: 74: while(allAttributes.hasNext()) { 75: LDAPAttribute attribute = 76: (LDAPAttribute)allAttributes.next(); 77: String attributeName = attribute.getName(); 78: 79: System.out.println(" " + attributeName); 80: 81: Enumeration allValues = attribute.getStringValues(); 82: 83: if( allValues != null) { 84: while(allValues.hasMoreElements()) { 85: String Value = (String) allValues.nextElement(); 86: if (Base64.isLDIFSafe(Value)) { 87: // is printable 88: System.out.println(" " + Value); 89: } 90: else { 91: // base64 encode and then print out 92: Value = Base64.encode(Value.getBytes()); 93: System.out.println(" " + Value); 94: } 95: } 96: } 97: } 98: } 99: // disconnect with the server 100: lc.disconnect(); 101: } 102: catch( LDAPException e ) { 103: System.out.println( "Error: " + e.toString() ); 104: } 105: catch( UnsupportedEncodingException e ) { 106: System.out.println( "Error: " + e.toString() ); 107: } 108: System.exit(0); 109: } 110:} |
:> java Search localhost "cn=Jim Smith,dc=midominio,dc=mx" newpassword "dc=midominio,dc=mx" "(objectclass=*)" cn=Manager,dc=midominio,dc=mx
Attributes:
cn
Manager
objectClass
organizationalRole
cn=Carlos Proal,dc=midominio,dc=mx
Attributes:
sn
Proal
title
Mtro.
Ing.
ou
biblio
cn
Carlos Proal
objectClass
organizationalPerson
person
top
street
mi casa
userPassword
lele
cn=amigos,dc=midominio,dc=mx
Attributes:
cn
amigos
objectClass
groupOfNames
top
member
cn=Carlos Proal,dc=midominio,dc=mx
cn=Juan Perez,dc=midominio,dc=mx
cn=Juan Perez,dc=midominio,dc=mx
Attributes:
sn
Perez
cn
Juan Perez
objectClass
organizationalPerson
person
top
userPassword
lele
cn=Jim Smith,dc=midominio,dc=mx
Attributes:
sn
Smith
cn
James Smith
Jim Smith
Jimmy Smith
objectClass
organizationalPerson
userPassword
newpassword
telephoneNumber
1 801 555 1212 |
1:import com.novell.ldap.*; 2:import java.io.UnsupportedEncodingException; 3: 4:public class VerifyPassword 5:{ 6: public static void main( String[] args ) 7: { 8: if (args.length != 5) { 9: System.out.println("Usage: java VerifyPassword <host name>" 10: + " <login dn> <password> <object dn>\n" 11: + " <test password>"); 12: System.out.println("Example: java VerifyPassword Acme.com " 13: + "\"cn=Admin,o=Acme\" secret\n" 14: + " \"cn=JSmith,ou=Sales,o=Acme\" testPassword"); 15: System.exit(0); 16: } 17: 18: int ldapPort = LDAPConnection.DEFAULT_PORT; 19: int ldapVersion = LDAPConnection.LDAP_V3; 20: String ldapHost = args[0]; 21: String loginDN = args[1]; 22: String password = args[2]; 23: String objectDN = args[3]; 24: String testPassword = args[4]; 25: LDAPConnection lc = new LDAPConnection(); 26: 27: try { 28: // connect to the server 29: lc.connect( ldapHost, ldapPort ); 30: 31: // authenticate to the server 32: lc.bind( ldapVersion, loginDN, password.getBytes("UTF8") ); 33: 34: LDAPAttribute attr = new LDAPAttribute( 35: "userPassword", testPassword ); 36: boolean correct = lc.compare( objectDN, attr ); 37: 38: System.out.println( correct ? "The password is correct.": 39: "The password is incorrect.\n"); 40: 41: // disconnect with the server 42: lc.disconnect(); 43: } 44: catch( LDAPException e ) { 45: if ( e.getResultCode() == LDAPException.NO_SUCH_OBJECT ) { 46: System.err.println( "Error: No such entry" ); 47: } else if ( e.getResultCode() == 48: LDAPException.NO_SUCH_ATTRIBUTE ) { 49: System.err.println( "Error: No such attribute" ); 50: } else { 51: System.err.println( "Error: " + e.toString() ); 52: } 53: } 54: catch( UnsupportedEncodingException e ) { 55: System.out.println( "Error: " + e.toString() ); 56: } 57: System.exit(0); 58: } 59:} 60: |
:> java VerifyPassword localhost "cn=Jimmy Smith,dc=midominio,dc=mx" newpassword "cn=Jimmy Smith,dc=midominio,dc=mx" newpassword
Error: LDAPException: Invalid Credentials (49) Invalid Credentials
LDAPException: Matched DN:
digital@localhost:~/ldapsample> java VerifyPassword localhost "cn=Jim Smith,dc=midominio,dc=mx" newpassword "cn=Jimmy Smith,dc=midominio,dc=mx" newpassword
Error: No such entry
digital@localhost:~/ldapsample> java VerifyPassword localhost "cn=Jim Smith,dc=midominio,dc=mx" newpassword "cn=Jim Smith,dc=midominio,dc=mx" newpassword
The password is correct. |
1:import java.io.UnsupportedEncodingException; 2:import java.security.MessageDigest; 3:import java.security.NoSuchAlgorithmException; 4:import com.novell.ldap.util.Base64; 5:/** 6: * Test MD5 digest computation 7: * 8: */ 9:public class MD5 10: { 11: 12: /** 13: * test MD5 digest, requires Java 1.4+ 14: * 15: * @param args not used 16: */ 17: public static void main ( String[] args ) throws UnsupportedEncodingException, NoSuchAlgorithmException 18: { 19: byte[] theTextToDigestAsBytes = "lolo".getBytes( "ISO-8859-1" /* encoding */ ); 20: MessageDigest md = MessageDigest.getInstance( "MD5" ); 21: md.update( theTextToDigestAsBytes ); 22: byte[] digest = md.digest(); 23: System.out.println("{MD5}"+Base64.encode(digest)); 24: 25: 26: 27: } 28: } |
:> java MD5
{MD5}1lgdVCx+r4AShPCER4tfzA== |