多余的人  • • •  Review of Golden Boy       all posts in Archive

Uncover LDAP

Already knowing about LDAP for some years, but never really understand it. This week, I spent some time to get more familiar with it, there's more stuff than expected to really  master it. So, I just record some simple and plain understanding here at first.

What is LDAP short for ?

LDAP means Lightweight Directory Access Protocol.  So it's just a LIGHTWEIGHT DAP, then new question would be :

What is DAP ?

In the earlier 1970s, there's a requirement for Telecommunication companies to produce and manage telephone directories. So X.500 Directory is introduced, X.500 directory services were traditionally accessed via the X.500 Directory Access Protocol, which required Open Systems Interconnection protocol stack (OSI protocol).

We can just think DAP as a phone yellow book. where contains all the entries with telephone number, person names and address that we may look for.

So why LDAP is a Lightweight DAP?

we know INTRANET or later INTERNET was started from around 1974, and they also need a way to use DAP. However, internet is build on TCP/IP protocol, not OSI protocol. Thus LDAP comes, it was build to using TCP/IP to access DAP at the beginning. And LDAP becomes more and more popular in the later days, thus we are mostly referring LDAP to DAP now. But there's no LDAP directory, only DAP directory. We can think LDAP as a way to access DAP.

The Usage of LDAP

As a directory service, it must be very convenient and quick to look for some thing.  Just like,

"Search in the company email directory for all people located in Boston whose name contains 'Jesse' that have an email address. Please return their full name, email, title, and description."

This could also be a main reason, a common usage of LDAP is to provide a "single sign-on" function. That means one password for a user is shared between many services, such as applying a company login code to web pages , so that staff log in only once to company computers, and then are automatically logged into the company intranet.

Structure of LDAP

although the structure of LDAP seems relatively complex, it is fairly simple to understand. There's just Entry and Attribute in it.

  • An entry consists of a set of attributes
  • An attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema.
  • Each attribute has  a unique identifier : it's Distinguished Name (DN). This consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry.

** Think of DN as the full file path and RDN as relative filename (e.g. /var/tmp/myfile.txt is DN, myfile.txt is RDN)

Let's see a example data:

 dn: cn=John Doe,ou=people,dc=example,dc=com
 cn: John Doe
 givenName: John
 sn: Doe
 telephoneNumber: +1 888 555 6789
 telephoneNumber: +1 888 555 1232
 mail: john@example.com
 manager: cn=Barbara Doe,dc=example,dc=com
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top

The dn just like a primary key, cn, givenName, sn, telephoneNumber, mail, manager are attributes. These attributes are defined in objectClass, like inetOrgPerson, organizationalPerson, person, top. These objectClass are referring to their schemas.

Here, the DN is "cn=John Doe, ou=people,dc=example, dc=com". what's ou=people,dc=example, dc=com ? LDAP is directory, in nowadays we usually organise directory by DNS name. so the directory tree is like following:

        dc=com
            |
        dc=example
       /          \
 ou=people     ou=groups
  /
cn=John Doe

dc means Domain Component. In fact, this DN is not good enough. we say DN is distinguished Name, but the name "John Doe" may encounter a lot of duplication of names. Usually in real situation we use uid as the key, so DN is some thing like "uid=123456, ou=people,dc=example, dc=com".

 

Operations on LDAP

there are  a plethora of operations that can be performed on the LDAP

  • Add - Used to insert a new entry into the directory-to-server database. If the name entered by a user already existed, the server fails to add a duplicate entry and instead shows an "entryAlreadyExists" message.
  • Delete - Used to delete an entry from the directory. In order to do this, the LDAP client has to transmit a perfectly composed delete request to the server.
  • Modify - Used by LDAP clients to make a request for making changes to the already existing database. The change to be made must be one of the following operations: add (including a new value), delete (deleting an already existing value), replace ( overwriting an existing value with a new one)
  • Bind - on connection with the LDAP server, the default authentication state of the session is anonymous. There are basically two types of LDAP authentication methods - the simple authentication method and the SASL authentication method.
  • Unbind -  this is the inverse of the bind operation. Unbind aborts any existing operations and terminates the connection, leaving no response in the end.

Bind is a relative important concept. lets simply understand it as a way of authentication, only Binded user has the permission to search some directory.

for example, "ou=people,dc=example, dc=com" this directory we defined as can be accessed as Anonymous , the use is to authenticate user, and "ou=group,dc=example, dc=com" will be defined as accessed by authenticated user. so when researching, we have to bind or user to "ou=people,dc=example, dc=com" at first to be able to do real search.

** for how to configure these directory rules, you have to read later "OpenLdap using OLC (cn=config)"

Using LDAPSearch

NAME
       ldapsearch - LDAP search tool

SYNOPSIS
       ldapsearch  [-n]  [-u] [-v] [-k] [-K] [-t] [-A] [-C] [-L[L[L]]] [-M[M]]
       [-d debuglevel] [-f file] [-D binddn] [-W] [-w bindpasswd] [-H ldapuri]
       [-h ldaphost]  [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub]
       [-a never|always|search|find] [-l timelimit]  [-z sizelimit]  [-O secu-
       rity-properties]  [-I]  [-Q]  [-U username] [-x] [-X authzid] [-Y mech]
       [-Z[Z]] filter [attrs...]

The parameter we have to aware is -b, -D and -x. if we don't use -x, then ldapsearch will use SASL.

Let's see some exaples :

Search with Bind :

ldapsearch -H ldaps://xxx.xxx.dev:636 -b "ou=whitepages,dc=example,dc=com" -D "uid=123456,ou=people,dc=example,dc=com" -w JW3p497s -x "uid=*"

Using filter:

ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description

ldapsearch -x -h 10.2.250.100 -b o=spm -LLL "(&(objectclass=inetorgperson)(mail=*))" mail | grep 'mail:'

There's really too many to talk about search, I dont want to write down here, just remember to use shell manual. want to know more, please read more at using ldapsearch

OpenLDAP using OLC (cn=config)

When checking OpenLDAP configuration, I was confused about it. Later I found it using OLC. OLC is introduced after openladp 2.3, means online configuration. So we can do real deployment without restart.

in OLC configuration, it will define schema, data store location, and permission.  Just try to find out under your /etc/openldap directory.

read more about OLC at here

 

 

At last, there's really more about how LDAP works and LDAP configuration questions I haven't find out. Here, just give a basic understanding, and you need practise more ldapsearch by yourself.

But that's enough at this moment and let's do it later.