LDAP Setup and Management Guide

This document provides an overview of LDAP (Lightweight Directory Access Protocol) and directory services using the UnixWare 7 directory. It describes key LDAP concepts like the directory information tree, available directory solutions, setting up and configuring the UnixWare 7 directory server, defining attribute and objectclass schemas, configuring access control lists, backing up and restoring directory data using LDIF, and using the LDAP C API to perform common operations like searching, comparing, adding, and modifying directory entries.

Uploaded by Paulo Repa
Copyright: Attribution Non-Commercial (BY-NC)

Lightweight Directory Access Protocol

Paulo Repa
[email protected]

1.1.2010
LDAP Paulo Repa

What is a directory?


Directory Information Tree

                            o=acme
          /                   |                      \
      ou=Sales          ou=Marketing       ou=Product Development
      cn=Fred             cn=Fred                 cn=Joe
      cn=lpr1             cn=Lotty                cn=eng_lw3

DN for Fred in Sales: cn=Fred,ou=Sales,o=acme

The two cn=Fred entries are distinct because a DN is the full path from the entry to the root: the RDN (cn=Fred) plus the DNs of its parents.
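Since the two cn=Fred entries differ only in their parent, a DN is exactly its sequence of RDNs, and any program that builds DNs from user-supplied names must stop the separator characters inside a value from being read as structure. The C program below is an added example, not code from the slides or from the UnixWare 7 library: dn_escape_value, build_person_dn and dn_component_count are hypothetical helpers that apply the backslash rules of the LDAP string DN syntax to the o=acme tree above.

```c
#include <stdio.h>
#include <string.h>

/* Escape one attribute value for use inside an RDN, following the
 * backslash rules of the LDAP string DN syntax: , + " \ < > ; are
 * escaped, as is a leading '#' and a leading or trailing space.
 * Returns the escaped length, or -1 if out is too small. */
int dn_escape_value(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in), o = 0;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        int special = strchr(",+\"\\<>;", c) != NULL
                   || (i == 0 && (c == '#' || c == ' '))
                   || (i == n - 1 && c == ' ');
        if (o + (special ? 2 : 1) + 1 > outsz) return -1;
        if (special) out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "cn=<cn>,ou=<ou>,o=acme" from untrusted components
 * (hypothetical helper, not part of the UnixWare 7 API). */
int build_person_dn(const char *cn, const char *ou, char *out, size_t outsz)
{
    char ecn[256], eou[256];
    if (dn_escape_value(cn, ecn, sizeof ecn) < 0) return -1;
    if (dn_escape_value(ou, eou, sizeof eou) < 0) return -1;
    int w = snprintf(out, outsz, "cn=%s,ou=%s,o=acme", ecn, eou);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

/* Count RDNs, treating a backslash-escaped comma as part of a value. */
int dn_component_count(const char *dn)
{
    int count = 1;
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }
        if (*p == ',') count++;
    }
    return count;
}

int main(void)
{
    char dn[512];
    /* Constructed inputs: a plain name, then one containing a comma that,
     * left unescaped, would read as an extra ou= component. */
    const char *names[] = { "Fred", "Fred,ou=Marketing" };
    for (int i = 0; i < 2; i++) {
        if (build_person_dn(names[i], "Sales", dn, sizeof dn) == 0)
            printf("%s  (%d RDNs)\n", dn, dn_component_count(dn));
    }
    return 0;
}
```

Compiled with cc -o dn dn.c, the program prints both DNs with their RDN counts; the comma in the second name stays inside the cn value (as \,) and the DN still has three components instead of four.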


Directory Solutions

- Netscape Directory Server (iPlanet)
- SCO UnixWare 7
- IBM SecureWay (formerly eNetwork)
- Novell NDS
- OpenLDAP (Linux) - recommended


UnixWare 7 Directory

- Directory server setup
- Schema
- ACLs
- Data backup and restore
- LDIF

Directory Setup
scoadmin ldap


Backend Setup


Attribute Schema

- Defined in slapd.at.conf
- Specifies the syntax of each attribute (bin = binary, tel = telephone number, ces = case-exact string)

    attribute jpegphoto bin
    attribute telephonenumber tel
    attribute userpassword ces


Objectclass Schema

- Defines object contents (required and allowed attributes)
- Defined in slapd.oc.conf

    objectclass simplePerson
        requires
            cn,
            sn,
            objectClass
        allows
            jpegPhoto,
            mail,
            telephoneNumber,
            userPassword,
            creatorsName,
            createtimestamp,
            modifiersname,
            modifytimestamp


ACLs

- Control access for read, write, search, compare and delete operations
- Entry or attribute level
- Defined in slapd.acl.conf

    access to attr=userPassword
        by self write
        by * none

Restart the directory instance after changing the configuration:

    ldapstop -i acme
    ldapstart -i acme
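An added example, not from the slides: a slapd.acl.conf fragment in the syntax the slide uses, with the weak setting first and the corrected one after it. It assumes the UMich slapd ACL model that the UnixWare 7 server follows (access levels none, compare, search, read and write; the first "access to" clause whose target matches an entry or attribute is the one applied).

```conf
# Weak: a single catch-all rule lets any client, including anonymous
# binds, read every attribute, so userPassword values are exposed.
access to *
    by * read

# Corrected: the more specific rule comes first, because slapd applies
# the first "access to" clause whose target matches.
access to attr=userPassword
    by self write
    by * none

access to *
    by self write
    by * read
```

With the corrected rules a client can change only its own password, nobody else can read or compare the attribute, and the remaining attributes keep the open read access the deployment intended.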


Data Backup and Restore

- ldbmcat -n id2entry.dbb dumps the database as LDIF (the backup)
- ldif2ldbm -i data.ldif rebuilds the database from an LDIF file (the restore)
- Don't forget the directory configuration files (slapd.*.conf): the data alone is not a complete backup


LDIF

- LDAP Data Interchange Format
- Portable
- Human readable (almost...)

    dn: o=acme
    objectclass: organization
    o: acme


LDIF Update Statements

- add
- delete
- modify (attribute add, delete, replace)
- moddn

    dn: cn=Joe, ou=Product Development, o=acme
    changetype: modify
    replace: telephoneNumber
    telephoneNumber: 958-1234
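The "human readable (almost...)" caveat is the base64 form: a value that cannot be written safely as plain text is given after "::" as base64, and long lines are folded by continuing them on a line that starts with a single space. The C program below is an added example, not from the slides: ldif_parse_record, ldif_unfold and b64_decode are hypothetical helpers that parse one LDIF record (the page's modify record included) into a dn, a changetype and its attribute/value pairs; sample_ldif is a constructed input whose second value is base64-encoded and folded over two lines.

```c
#include <stdio.h>
#include <string.h>

#define MAX_AVS 16

/* One parsed record: dn, optional changetype, then every remaining
 * "type: value" line in order ("replace: telephoneNumber" included). */
typedef struct {
    char dn[256], changetype[32];
    int n;
    char type[MAX_AVS][64], value[MAX_AVS][256];
} ldif_record;

/* Decode standard base64 (the "::" value form); -1 on a bad character. */
static int b64_decode(const char *in, char *out, size_t outsz)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0; int bits = 0; size_t o = 0;
    for (; *in && *in != '='; in++) {
        const char *q = strchr(tbl, *in);
        if (!q) return -1;
        acc = (acc << 6) | (unsigned)(q - tbl);
        if ((bits += 6) >= 8) {
            bits -= 8;
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Unfold continuation lines: newline + one space joins the next line on. */
static void ldif_unfold(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in && o + 1 < outsz; in++) {
        if (*in == '\n' && in[1] == ' ') { in++; continue; }
        out[o++] = *in;
    }
    out[o] = '\0';
}

/* Store one unfolded "type: value" or "type:: base64" line. */
static int ldif_parse_line(ldif_record *rec, char *line)
{
    if (line[0] == '\0' || line[0] == '-' || line[0] == '#') return 0;
    char *sep = strchr(line, ':');
    if (!sep) return -1;                  /* not an LDIF line */
    *sep = '\0';
    const char *val = sep + 1;
    char decoded[256];
    int is_b64 = (*val == ':');
    if (is_b64) val++;
    while (*val == ' ') val++;
    if (is_b64) {
        if (b64_decode(val, decoded, sizeof decoded) < 0) return -1;
        val = decoded;
    }
    if (strcmp(line, "dn") == 0)
        snprintf(rec->dn, sizeof rec->dn, "%s", val);
    else if (strcmp(line, "changetype") == 0)
        snprintf(rec->changetype, sizeof rec->changetype, "%s", val);
    else {
        if (rec->n >= MAX_AVS) return -1;
        snprintf(rec->type[rec->n], sizeof rec->type[0], "%s", line);
        snprintf(rec->value[rec->n], sizeof rec->value[0], "%s", val);
        rec->n++;
    }
    return 0;
}

/* Parse one LDIF record. Returns 0, or -1 on a malformed line. */
int ldif_parse_record(const char *text, ldif_record *rec)
{
    char buf[2048];
    memset(rec, 0, sizeof *rec);
    ldif_unfold(text, buf, sizeof buf);
    for (char *line = buf; line && *line; ) {
        char *nl = strchr(line, '\n');
        if (nl) *nl = '\0';
        if (ldif_parse_line(rec, line) < 0) return -1;
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* Constructed sample: the slide's modify record plus a second change
 * whose value is written in base64 and folded over two lines. */
static const char sample_ldif[] =
    "dn: cn=Joe, ou=Product Development, o=acme\n"
    "changetype: modify\n"
    "replace: telephoneNumber\n"
    "telephoneNumber: 958-1234\n"
    "-\n"
    "replace: description\n"
    "description:: U2FsZXMgZW5naW5l\n"
    " ZXIsIEVNRUE=\n";
```

Calling ldif_parse_record(sample_ldif, &rec) yields dn "cn=Joe, ou=Product Development, o=acme", changetype "modify" and four pairs, the last of which is the decoded "Sales engineer, EMEA". A line without a colon or a base64 value with characters outside the alphabet makes the parser return -1, which is the check a restore tool should make before handing records to ldif2ldbm.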


LDAP Commands

- ldapsearch
- ldapmodify
- ldapadd
- ldapdelete
- ldapmodrdn


ldapsearch

    ldapsearch -h ldapsvr.acme.com -D "cn=admin" -w "secret" \
        -b "o=acme" -s one "objectclass=*"

(-D bind DN, -w password, -b search base, -s one = one level below the base, followed by the filter)


ldapmodify

    ldapmodify -h ldapsvr.acme.com -D "cn=admin" -w "secret" \
        -f modifications.ldif

modifications.ldif:

    dn: cn=Joe, ou=Product Development, o=acme
    replace: telephoneNumber
    telephoneNumber: 958-1234


ldapadd

    ldapadd -h ldapsvr.acme.com -D "cn=admin" -w "secret" \
        -f additions.ldif

Equivalent to ldapmodify with -a (add):

    ldapmodify -a -h ldapsvr.acme.com -D "cn=admin" -w "secret" \
        -f additions.ldif


ldapdelete

    ldapdelete -h ldapsvr.acme.com -D "cn=admin" -w "secret" \
        cn=Fred,ou=Sales,o=acme


ldapmodrdn

    ldapmodrdn -h ldapsvr.acme.com -D "cn=admin" -w "secret" \
        -r cn=lpr,ou=Sales,o=acme cn=sales_lw1

(-r removes the old RDN value from the entry after renaming)


Using the UnixWare 7 LDAP API

- Library / Binding to the server
- Search
- Compare
- Add
- Modify
- Asynchronous LDAP calls


LDAP C API

- UnixWare 7 ldap package
- LDAP C API - RFC1823
- LDAP v2 - RFC1777

    #include <ldap.h>
    #include <lber.h>

    cc -o app -lldap -llber -lresolv src.c


Binding to the server

    LDAP *ld;

    ld = ldap_open("ldapsvr.acme.com", LDAP_PORT);
    if (ld == NULL) {                /* connection failed */
        perror("ldap_open");
        return;
    }
    if (ldap_simple_bind_s(ld, "cn=admin", "secret") != LDAP_SUCCESS) {
        ldap_perror(ld, "bind example");
        return;
    }

    /* LDAP directory operations (search, modify, ...) */
    ...

    if (ldap_unbind_s(ld) != LDAP_SUCCESS) {
        ldap_perror(ld, "unbind example");
        return;
    }


Search - API call

    LDAPMessage *res, *entry;
    BerElement *ber;
    char *attr, *dn, **vals, **vp;

    /* base, scope, filter, attrs (NULL = all), attrsonly, result */
    if (ldap_search_s(ld, "o=acme", LDAP_SCOPE_SUBTREE,
                      "telephoneNumber=958*", NULL, 0, &res) != LDAP_SUCCESS) {
        ldap_perror(ld, "search example");
        exit(EXIT_FAILURE);
    }
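The filter string handed to ldap_search_s is parsed by the server, so any part of it that comes from user input (here the 958 prefix) must be escaped before the wildcard is appended, otherwise a value carrying "(", ")" or "*" can add terms or widen the match. The C program below is an added example, not from the slides or the UnixWare 7 API: filter_escape_value, build_phone_filter and filter_term_count are hypothetical helpers that apply the RFC 2254 escaping rules; it assumes a server that understands the \XX hex escapes, which the LDAPv2-era library on the slides may not.

```c
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside a search filter, following the RFC 2254
 * rules: '*', '(', ')' and '\' become \2a, \28, \29 and \5c, so a value
 * taken from a user can neither add filter terms nor widen a match.
 * Returns the escaped length, or -1 if out is too small. */
int filter_escape_value(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
            if (o + 4 > outsz) return -1;
            o += (size_t)snprintf(out + o, outsz - o, "\\%02x", (unsigned)*p);
        } else {
            if (o + 2 > outsz) return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build the prefix filter from the slide, "(telephoneNumber=<prefix>*)",
 * where the only wildcard is the one appended here
 * (hypothetical helper, not part of the UnixWare 7 API). */
int build_phone_filter(const char *prefix, char *out, size_t outsz)
{
    char esc[256];
    if (filter_escape_value(prefix, esc, sizeof esc) < 0) return -1;
    int w = snprintf(out, outsz, "(telephoneNumber=%s*)", esc);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

/* Count unescaped '(' characters: a single-term filter built from one
 * escaped value must always yield exactly one. */
int filter_term_count(const char *f)
{
    int n = 0;
    for (const char *p = f; *p; p++) {
        if (*p == '\\' && p[1] && p[2]) { p += 2; continue; }
        if (*p == '(') n++;
    }
    return n;
}

int main(void)
{
    char f[256];
    /* Constructed inputs: the prefix from the slide, then a value that
     * carries filter metacharacters. */
    const char *inputs[] = { "958", "958)(cn=*" };
    for (int i = 0; i < 2; i++) {
        if (build_phone_filter(inputs[i], f, sizeof f) == 0)
            printf("%s  (%d term)\n", f, filter_term_count(f));
    }
    return 0;
}
```

Both runs produce a filter with a single term; the metacharacters in the second input survive only as \29, \28 and \2a inside the assertion value.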


Search - Process Data

    for (entry = ldap_first_entry(ld, res); entry != NULL;
         entry = ldap_next_entry(ld, entry)) {
        if ((dn = ldap_get_dn(ld, entry)) != NULL) {
            printf("dn: %s\n", dn);
            free(dn);
        }
        for (attr = ldap_first_attribute(ld, entry, &ber);
             attr != NULL;
             attr = ldap_next_attribute(ld, entry, ber)) {
            vals = ldap_get_values(ld, entry, attr);
            for (vp = vals; vp && *vp; vp++)
                printf("%s: %s\n", attr, *vp);
            ldap_value_free(vals);
        }
        if (ber)
            ber_free(ber, 0);
    }
    ldap_msgfree(res);


Compare - API call

    int rc;

    if ((rc = ldap_compare_s(ld, "cn=Fred, ou=Sales, o=acme",
                             "telephoneNumber", "9589876")) == -1) {
        ldap_perror(ld, "compare example");
        exit(EXIT_FAILURE);
    }
    if (rc == LDAP_COMPARE_TRUE)
        ;   /* attribute type and value found */
    else
        ;   /* not found */

The value "9589876" matches the stored "958-9876" because telephoneNumber has the "tel" syntax, which ignores dashes and spaces when comparing:

    dn: cn=Fred, ou=Sales, o=acme
    objectclass: simplePerson
    cn: Fred
    sn: Jones
    telephoneNumber: 958-9876


LDAPMod structure

- One structure per attribute type
- Add, delete and replace operations
- Text or binary data
- Multiple values

Example contents of one LDAPMod:

    mod_op      LDAP_MOD_ADD
    mod_type    "mailAliasMembers"
    mod_values  "Joe", "Lotty"


Add Entry - Data

    char *cnvals[]  = {"John", NULL}, *snvals[] = {"Smith", NULL};
    char *objvals[] = {"simplePerson", NULL};
    LDAPMod mod[3], *mods[4];
    int i;

    mod[0].mod_op = LDAP_MOD_ADD;
    mod[0].mod_type = "cn";
    mod[0].mod_values = cnvals;
    mod[1].mod_op = LDAP_MOD_ADD;
    mod[1].mod_type = "sn";
    mod[1].mod_values = snvals;
    mod[2].mod_op = LDAP_MOD_ADD;
    mod[2].mod_type = "objectClass";
    mod[2].mod_values = objvals;

    /* NULL-terminated array of pointers, one per attribute type */
    for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
        mods[i] = &mod[i];
    mods[i] = NULL;


Add Entry - API call

    if (ldap_add_s(ld, "cn=John,ou=Marketing,o=acme", &mods[0])
            != LDAP_SUCCESS) {
        ldap_perror(ld, "add example");
        exit(EXIT_FAILURE);
    }

Resulting entry:

    dn: cn=John, ou=Marketing, o=acme
    objectclass: simplePerson
    cn: John
    sn: Smith


Modify Entry - Data

    char *snvals[]  = { "Smithe", NULL };
    char *telvals[] = { "958-2357", NULL };
    LDAPMod mod[2], *mods[3];
    int i;

    mod[0].mod_op = LDAP_MOD_REPLACE;
    mod[0].mod_type = "sn";
    mod[0].mod_values = snvals;

    mod[1].mod_op = LDAP_MOD_ADD;
    mod[1].mod_type = "telephoneNumber";
    mod[1].mod_values = telvals;

    /* NULL-terminated array of pointers, one per attribute type */
    for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
        mods[i] = &mod[i];
    mods[i] = NULL;


Modify Entry - API call

    if (ldap_modify_s(ld, "cn=John,ou=Marketing,o=acme", &mods[0])
            != LDAP_SUCCESS) {
        ldap_perror(ld, "modify example");
        exit(EXIT_FAILURE);
    }

Resulting entry:

    dn: cn=John, ou=Marketing, o=acme
    objectclass: simplePerson
    cn: John
    sn: Smithe
    telephoneNumber: 958-2357


Asynchronous LDAP calls

- Client need not block
- Operations may be multiplexed on a connection
- Function names omit "_s"

    int msgid, rc;
    LDAPMessage *result;

    if ((msgid = ldap_search(ld, "o=acme", LDAP_SCOPE_SUBTREE,
                             "objectclass=*", NULL, 0)) == -1)
        error_handler();
    /* each ldap_result call returns one entry; the loop ends on the
       final LDAP_RES_SEARCH_RESULT message, or on -1 for an error */
    while ((rc = ldap_result(ld, msgid, 0, NULL, &result)) ==
           LDAP_RES_SEARCH_ENTRY) {
        process_results(result);
        ldap_msgfree(result);
    }
    if (rc == -1)
        error_handler();
    else
        ldap_msgfree(result);   /* the search-result message */


Bibliography

- Howes, Smith: LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol
- RFC1777 - Lightweight Directory Access Protocol
- RFC1823 - The LDAP Application Program Interface
