Lightweight Directory Access Protocol
Paulo Repa
repapaul@gmail.com
1.1.2010
Slides: 41

What is a directory?

Directory Information Tree

    o=acme
    |-- ou=Sales
    |     |-- cn=Fred
    |     +-- cn=lpr1
    |-- ou=Marketing
    |     +-- cn=Fred
    +-- ou=Product Development
          |-- cn=Joe
          |-- cn=Lotty
          +-- cn=eng_lw3

DN for Fred in Sales: cn=Fred, ou=Sales, o=acme

An entry's distinguished name (DN) is its own relative DN (cn=Fred) followed by the RDNs of its ancestors up to the root, so the two Fred entries under Sales and Marketing are distinct objects.

Directory Solutions
• Netscape Directory Server (iPlanet)
• SCO UnixWare 7
• IBM SecureWay (formerly eNetwork)
• Novell NDS
• OpenLDAP (Linux) - Recommended

UnixWare 7 Directory
• Directory server setup
• Schema
• ACLs
• Data backup and restore
• LDIF

Directory Setup

    scoadmin ldap

Backend Setup


Attribute Schema
• Defined in slapd.at.conf
• Specifies the syntax of each attribute (bin = binary, tel = telephone number, ces = case-exact string)

    attribute jpegphoto        bin
    attribute telephonenumber  tel
    attribute userpassword     ces

Objectclass Schema
• Defines object contents: which attributes an entry of the class must and may carry
• Defined in slapd.oc.conf

    objectclass simplePerson
        requires
            cn, sn, objectClass
        allows
            jpegPhoto, mail, telephoneNumber, userPassword,
            creatorsName, createTimestamp, modifiersName, modifyTimestamp


ACLs
• Control access for read, write, search, compare and delete operations
• Entry or attribute level
• Defined in slapd.acl.conf

    access to attr=userPassword
        by self write
        by * none

    ldapstop -i acme
    ldapstart -i acme

With slapd's ordered access levels (none < compare < search < read < write), this rule lets an entry change and read back only its own userPassword and gives everyone else, anonymous clients included, no access at all, not even a compare. The server reads slapd.acl.conf only at startup, hence the ldapstop / ldapstart after every change.


Data Backup and Restore
• ldbmcat -n id2entry.dbb   (dump the LDBM database to LDIF)
• ldif2ldbm -i data.ldif    (rebuild the database from an LDIF file)
• Don't forget the directory configuration: the slapd.*.conf schema and ACL files are not part of the database dump

The dump contains every userPassword value, so store it with the same protection as the live database.


LDIF
• LDAP Data Interchange Format
• Portable
• Human readable (almost...)

    dn: o=acme
    objectclass: organization
    o: acme

LDIF Update Statements
• add
• delete
• modify (attribute add, delete, replace)
• moddn

    dn: cn=Joe, ou=Product Development, o=acme
    changetype: modify
    replace: telephoneNumber
    telephoneNumber: 958-1234
    -

Each modification names the operation and attribute on one line, lists the values on the following lines, and ends with a line holding a single "-".
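Added example (not code from the slides or the UnixWare ldap package): a C program that writes a changetype: modify record like the one above and base64-encodes any value that RFC 2849 does not allow as a plain SAFE-STRING (a leading space, colon or '<', a trailing space, non-ASCII bytes, CR or LF), which is the reason LDIF is only "almost" human readable. The struct and function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the slides: emits LDIF attribute lines and a
 * "changetype: modify" record, base64-encoding values that RFC 2849 does
 * not allow as a plain SAFE-STRING. All names here are this example's own. */

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode n bytes of src into dst; dst needs 4*((n+2)/3)+1 bytes. */
static void b64_encode(const unsigned char *src, size_t n, char *dst)
{
    size_t i = 0, o = 0;
    for (; i + 2 < n; i += 3) {
        unsigned v = (src[i] << 16) | (src[i + 1] << 8) | src[i + 2];
        dst[o++] = B64[v >> 18]; dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = B64[(v >> 6) & 63]; dst[o++] = B64[v & 63];
    }
    if (n - i == 1) {
        unsigned v = src[i] << 16;
        dst[o++] = B64[v >> 18]; dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = '='; dst[o++] = '=';
    } else if (n - i == 2) {
        unsigned v = (src[i] << 16) | (src[i + 1] << 8);
        dst[o++] = B64[v >> 18]; dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = B64[(v >> 6) & 63]; dst[o++] = '=';
    }
    dst[o] = '\0';
}

/* RFC 2849 SAFE-STRING: ASCII without NUL, CR or LF, not starting with a
 * space, colon or '<' (and, as the RFC advises, not ending with a space). */
static int ldif_safe_string(const char *v)
{
    size_t n = strlen(v);
    if (n == 0) return 1;
    if (v[0] == ' ' || v[0] == ':' || v[0] == '<' || v[n - 1] == ' ') return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)v[i] >= 0x80 || v[i] == '\n' || v[i] == '\r') return 0;
    return 1;
}

/* Writes "attr: value\n", or "attr:: <base64>\n" when the value is not safe.
 * Returns the number of characters written, or -1 if buf is too small. */
int ldif_attr_line(const char *attr, const char *value, char *buf, size_t len)
{
    int n;
    if (ldif_safe_string(value)) {
        n = snprintf(buf, len, "%s: %s\n", attr, value);
    } else {
        size_t vl = strlen(value);
        char *enc = malloc(4 * ((vl + 2) / 3) + 1);
        if (enc == NULL) return -1;
        b64_encode((const unsigned char *)value, vl, enc);
        n = snprintf(buf, len, "%s:: %s\n", attr, enc);
        free(enc);
    }
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* One change inside a "changetype: modify" record. */
struct ldif_mod {
    const char *op;     /* "add", "delete" or "replace" */
    const char *type;   /* attribute type, e.g. "telephoneNumber" */
    const char *value;  /* a single value; NULL for a bare "delete: <type>" */
};

/* dn line, changetype line, then each change terminated by a "-" line. */
int ldif_modify_record(const char *dn, const struct ldif_mod *mods, size_t nmods,
                       char *buf, size_t len)
{
    size_t off = 0;
    int n = ldif_attr_line("dn", dn, buf, len);
    if (n < 0) return -1;
    off += (size_t)n;
    n = snprintf(buf + off, len - off, "changetype: modify\n");
    if (n < 0 || (size_t)n >= len - off) return -1;
    off += (size_t)n;
    for (size_t i = 0; i < nmods; i++) {
        n = snprintf(buf + off, len - off, "%s: %s\n", mods[i].op, mods[i].type);
        if (n < 0 || (size_t)n >= len - off) return -1;
        off += (size_t)n;
        if (mods[i].value != NULL) {
            n = ldif_attr_line(mods[i].type, mods[i].value, buf + off, len - off);
            if (n < 0) return -1;
            off += (size_t)n;
        }
        n = snprintf(buf + off, len - off, "-\n");
        if (n < 0 || (size_t)n >= len - off) return -1;
        off += (size_t)n;
    }
    return (int)off;
}

int main(void)
{
    /* Constructed sample: Joe's record from the slides plus a description
     * that starts with a space and therefore has to go out base64-encoded. */
    struct ldif_mod mods[] = {
        { "replace", "telephoneNumber", "958-1234" },
        { "add",     "description",     " starts with a space" },
        { "delete",  "jpegPhoto",       NULL },
    };
    char buf[512];
    if (ldif_modify_record("cn=Joe, ou=Product Development, o=acme",
                           mods, 3, buf, sizeof buf) < 0)
        return 1;
    fputs(buf, stdout);
    return 0;
}
```

The record it prints can be fed straight to ldapmodify -f; the description line comes out as "description:: IHN0YXJ0cyB3aXRoIGEgc3BhY2U=", the form the "::" separator reserves for values that cannot be written literally.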

LDAP Commands
• ldapsearch
• ldapmodify
• ldapadd
• ldapdelete
• ldapmodrdn

ldapsearch

    ldapsearch -h ldapsvr.acme.com -D "cn=admin" -w "secret" -b "o=acme" -s one "objectclass=*"

-D and -w give the bind DN and password, -b the search base, -s the scope (base, one or sub) and the last argument the filter. A password passed with -w is visible to every local user in the process list and ends up in the shell history; prefer a prompt or a file readable only by the caller where the client offers one.

ldapmodify

    ldapmodify -h ldapsvr.acme.com -D "cn=admin" -w "secret" -f modifications.ldif

modifications.ldif:

    dn: cn=Joe, ou=Product Development, o=acme
    changetype: modify
    replace: telephoneNumber
    telephoneNumber: 958-1234
    -

ldapadd

    ldapadd -h ldapsvr.acme.com -D "cn=admin" -w "secret" -f additions.ldif

    ldapmodify -a -h ldapsvr.acme.com -D "cn=admin" -w "secret" -f additions.ldif

ldapadd is ldapmodify with -a (treat every record in the file as an addition), so the two commands are equivalent.

ldapdelete

    ldapdelete -h ldapsvr.acme.com -D "cn=admin" -w "secret" "cn=Fred, ou=Sales, o=acme"

The DN contains spaces, so it must be quoted or the shell splits it into several arguments.

ldapmodrdn

    ldapmodrdn -h ldapsvr.acme.com -D "cn=admin" -w "secret" -r "cn=lpr1, ou=Sales, o=acme" cn=sales_lw1

Renames the entry's RDN from cn=lpr1 to cn=sales_lw1; -r removes the old RDN value from the entry instead of keeping it as an additional cn value.

Using the UnixWare 7 LDAP API
• Library / Binding to the server
• Search
• Compare
• Add
• Modify
• Asynchronous LDAP calls

LDAP C API
• UnixWare 7 ldap package
• LDAP C API - RFC 1823
• LDAP v2 - RFC 1777

    #include <ldap.h>
    #include <lber.h>

    cc -o app src.c -lldap -llber -lresolv

Binding to the server

    LDAP *ld;

    ld = ldap_open("ldapsvr.acme.com", LDAP_PORT);    /* LDAP_PORT is 389 */
    if (ld == NULL) {
        perror("ldap_open");
        return;
    }
    if (ldap_simple_bind_s(ld, "cn=admin", "secret") != LDAP_SUCCESS) {
        ldap_perror(ld, "bind example");
        return;
    }

    ... LDAP directory operations (search, modify, ...) ...

    /* ldap_unbind_s closes the connection and frees ld, so ld must not be
       handed to ldap_perror afterwards */
    if (ldap_unbind_s(ld) != LDAP_SUCCESS)
        fprintf(stderr, "unbind example: unbind failed\n");

A simple bind sends the DN and password in the clear, and LDAPv2 (RFC 1777) has no StartTLS, so either the connection runs over a network you trust or the bind credentials must be regarded as exposed.


Search - API call

    LDAPMessage *res, *entry;
    BerElement *ber;
    char *attr, *dn, **vals, **vp;

    if (ldap_search_s(ld, "o=acme", LDAP_SCOPE_SUBTREE, "telephoneNumber=958*",
                      NULL, 0, &res) != LDAP_SUCCESS) {
        ldap_perror(ld, "search example");
        exit(EXIT_FAILURE);
    }

The NULL and 0 are the attribute list (NULL = return all attributes) and the attrsonly flag (0 = return values, not just types). A filter is a string, so any part of it that comes from user input has to be escaped before it is spliced in.
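Added example (not code from the slides or the UnixWare ldap package): escaping an untrusted value before it is spliced into a filter like the "telephoneNumber=958*" above, using the hex escapes of RFC 4515 (RFC 2254). The function names are this example's own; the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the slides. Escapes a value before it is
 * spliced into a search filter, following RFC 4515 (RFC 2254): the bytes
 * '*', '(', ')' and '\' are written as "\2a", "\28", "\29" and "\5c".
 * The function names are this example's own, not part of the ldap package. */
char *ldap_filter_escape_value(const char *in)
{
    static const char HEX[] = "0123456789abcdef";
    size_t len = strlen(in);
    char *out = malloc(3 * len + 1), *p = out;   /* worst case: every byte escaped */
    if (out == NULL) return NULL;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        if (*s == '*' || *s == '(' || *s == ')' || *s == '\\') {
            *p++ = '\\';
            *p++ = HEX[*s >> 4];
            *p++ = HEX[*s & 15];
        } else {
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

/* Builds "(telephoneNumber=<prefix>*)" from an untrusted prefix, in the
 * spirit of the slide's "telephoneNumber=958*" filter. The trailing '*'
 * belongs to our own filter and is the only wildcard left unescaped. */
char *build_phone_prefix_filter(const char *untrusted_prefix)
{
    char *esc = ldap_filter_escape_value(untrusted_prefix);
    if (esc == NULL) return NULL;
    size_t n = strlen(esc) + sizeof "(telephoneNumber=*)";
    char *filter = malloc(n);
    if (filter != NULL)
        snprintf(filter, n, "(telephoneNumber=%s*)", esc);
    free(esc);
    return filter;
}

int main(void)
{
    /* Constructed inputs: a normal prefix, a lone '*' that unescaped would
     * match every entry with a telephone number, and stray parentheses that
     * unescaped would let the caller close the filter and open another. */
    const char *inputs[] = { "958", "*", "9(5)8" };
    for (size_t i = 0; i < 3; i++) {
        char *f = build_phone_prefix_filter(inputs[i]);
        printf("%-8s -> %s\n", inputs[i], f ? f : "(alloc failed)");
        free(f);
    }
    return 0;
}
```

The escaped string is what gets passed as the filter argument of ldap_search_s; the server decodes "\2a" back to a literal asterisk and matches it as data rather than as a wildcard.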

Search - Process Data

    for (entry = ldap_first_entry(ld, res); entry != NULL;
         entry = ldap_next_entry(ld, entry)) {
        if ((dn = ldap_get_dn(ld, entry)) != NULL) {
            printf("dn: %s\n", dn);
            free(dn);
        }
        for (attr = ldap_first_attribute(ld, entry, &ber); attr != NULL;
             attr = ldap_next_attribute(ld, entry, ber)) {
            vals = ldap_get_values(ld, entry, attr);
            for (vp = vals; vp && *vp; vp++)
                printf("%s: %s\n", attr, *vp);
            ldap_value_free(vals);
        }
        if (ber)
            ber_free(ber, 0);    /* attribute iteration state */
    }
    ldap_msgfree(res);           /* releases every entry in the result */


Compare - API call

    int rc;

    rc = ldap_compare_s(ld, "cn=Fred, ou=Sales, o=acme", "telephoneNumber", "9589876");
    if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) {
        ldap_perror(ld, "compare example");    /* an error code, e.g. no such object */
        exit(EXIT_FAILURE);
    }
    if (rc == LDAP_COMPARE_TRUE)
        puts("attribute type and value found");
    else
        puts("not found");

The compare succeeds against the entry below because telephoneNumber has the "tel" syntax, which ignores spaces and dashes when matching:

    dn: cn=Fred, ou=Sales, o=acme
    objectclass: simplePerson
    cn: Fred
    sn: Jones
    telephoneNumber: 958-9876

Note that ldap_compare_s returns either of the two compare results or an LDAP error code, so the error test has to exclude both results rather than look for -1.


LDAPMod structure
• One structure per attribute type
• Add, delete and replace operations
• Text or binary data
• Multiple values

    mod_op      LDAP_MOD_ADD
    mod_type    "mailAliasMembers"
    mod_values  { "Joe", "Lotty", NULL }

Add Entry - Data

    char *cnvals[]  = { "John", NULL }, *snvals[] = { "Smith", NULL };
    char *objvals[] = { "simplePerson", NULL };
    LDAPMod mod[3], *mods[4];
    int i;

    mod[0].mod_op = LDAP_MOD_ADD;
    mod[0].mod_type = "cn";
    mod[0].mod_values = cnvals;
    mod[1].mod_op = LDAP_MOD_ADD;
    mod[1].mod_type = "sn";
    mod[1].mod_values = snvals;
    mod[2].mod_op = LDAP_MOD_ADD;
    mod[2].mod_type = "objectClass";
    mod[2].mod_values = objvals;

    for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
        mods[i] = &mod[i];
    mods[i] = NULL;    /* the pointer array is NULL-terminated */

Add Entry - API call

    if (ldap_add_s(ld, "cn=John, ou=Marketing, o=acme", mods) != LDAP_SUCCESS) {
        ldap_perror(ld, "add example");
        exit(EXIT_FAILURE);
    }

Resulting entry:

    dn: cn=John, ou=Marketing, o=acme
    objectclass: simplePerson
    cn: John
    sn: Smith
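Added example (not code from the slides or the UnixWare ldap package): the DN strings handed to ldap_add_s, ldap_compare_s and ldap_modify_s are built from text too, and a cn taken from user input can carry "," and other RDN separators. This program escapes such a value as RFC 4514 (RFC 2253) requires before composing a "cn=X, ou=Marketing, o=acme" DN; the function names are this example's own and the inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the slides. Escapes an attribute value for
 * use inside an RDN as RFC 4514 (RFC 2253) requires: a backslash goes in
 * front of , + " \ < > ; and in front of a leading '#' or space or a
 * trailing space. Names are this example's own, not part of the ldap package. */
char *ldap_dn_escape_value(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(2 * len + 1), *p = out;   /* worst case: every byte escaped */
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        char c = in[i];   /* never NUL inside the loop, so strchr is safe */
        int needs_escape = strchr(",+\"\\<>;", c) != NULL
                        || (i == 0 && (c == ' ' || c == '#'))
                        || (i == len - 1 && c == ' ');
        if (needs_escape) *p++ = '\\';
        *p++ = c;
    }
    *p = '\0';
    return out;
}

/* Composes the DN of a person directly under ou=Marketing, as the
 * ldap_add_s call above does for "cn=John, ou=Marketing, o=acme",
 * but from an untrusted cn. */
char *build_marketing_dn(const char *untrusted_cn)
{
    char *esc = ldap_dn_escape_value(untrusted_cn);
    if (esc == NULL) return NULL;
    size_t n = strlen(esc) + sizeof "cn=, ou=Marketing, o=acme";
    char *dn = malloc(n);
    if (dn != NULL)
        snprintf(dn, n, "cn=%s, ou=Marketing, o=acme", esc);
    free(esc);
    return dn;
}

int main(void)
{
    /* Constructed inputs: a plain name and one that smuggles in an extra
     * RDN, which unescaped would name an entry other than the intended
     * cn=John directly under ou=Marketing. */
    const char *names[] = { "John", "John, ou=Sales" };
    for (size_t i = 0; i < 2; i++) {
        char *dn = build_marketing_dn(names[i]);
        printf("%-16s -> %s\n", names[i], dn ? dn : "(alloc failed)");
        free(dn);
    }
    return 0;
}
```

Escaped, the second input becomes "cn=John\, ou=Sales, ou=Marketing, o=acme": one RDN whose cn value happens to contain a comma, still placed under ou=Marketing. Filter escaping and DN escaping follow different rules, so a value that crosses into both contexts needs both.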


Modify Entry - Data

    char *snvals[]  = { "Smithe", NULL };
    char *telvals[] = { "958-2357", NULL };
    LDAPMod mod[2], *mods[3];
    int i;

    mod[0].mod_op = LDAP_MOD_REPLACE;
    mod[0].mod_type = "sn";
    mod[0].mod_values = snvals;
    mod[1].mod_op = LDAP_MOD_ADD;
    mod[1].mod_type = "telephoneNumber";
    mod[1].mod_values = telvals;

    for (i = 0; i < sizeof(mod) / sizeof(LDAPMod); i++)
        mods[i] = &mod[i];
    mods[i] = NULL;

Modify Entry - API call

    if (ldap_modify_s(ld, "cn=John, ou=Marketing, o=acme", mods) != LDAP_SUCCESS) {
        ldap_perror(ld, "modify example");
        exit(EXIT_FAILURE);
    }

Resulting entry:

    dn: cn=John, ou=Marketing, o=acme
    objectclass: simplePerson
    cn: John
    sn: Smithe
    telephoneNumber: 958-2357


Asynchronous LDAP calls
• Client need not block
• Operations may be multiplexed on a connection
• Function names omit "_s"

    int msgid, rc;
    LDAPMessage *result;

    if ((msgid = ldap_search(ld, "o=acme", LDAP_SCOPE_SUBTREE, "objectclass=*", NULL, 0)) == -1)
        error_handler();

    /* all = 0 and a NULL timeout: ldap_result blocks until the next message
       for msgid arrives and returns one entry at a time; the loop ends on
       LDAP_RES_SEARCH_RESULT (the final result) or -1 (error) */
    while ((rc = ldap_result(ld, msgid, 0, NULL, &result)) == LDAP_RES_SEARCH_ENTRY) {
        process_results(result);
        ldap_msgfree(result);
    }
    if (rc == -1)
        ldap_perror(ld, "search example");
    else
        ldap_msgfree(result);    /* the LDAP_RES_SEARCH_RESULT message */

Bibliography
• Howes, T. and Smith, M., LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol
• RFC 1777 - Lightweight Directory Access Protocol
• RFC 1823 - The LDAP Application Program Interface