LDAP (Lightweight Directory Access Protocol) - tzute, Computer Center, CS, NCTU



  1. LDAP (Lightweight Directory Access Protocol) tzute

  2. Computer Center, CS, NCTU
     What is Directory Service?
      What is Directory Service (目錄服務)
       • Highly optimized for reads.
       • Implements a distributed model for storing information.
       • Can extend the type of information it stores.
       • Has advanced search capabilities.
       • Has loosely consistent replication among directory servers.
      Example: Domain Name Service

  3. What is LDAP
      Lightweight Directory Access Protocol (LDAP)
       • LDAP v3: RFC 3377
       • RFC 2251-2256, 2829, 2830, 3377
      Why LDAP is lightweight
       • A subset of X.500
       • X.500 is based on the OSI model; LDAP is based on the TCP/IP model
       • LDAP omits many X.500 operations that are rarely used, providing a smaller and simpler set of operations

  4. LDAP Directory Information Tree (DIT)
     Example tree:
       dc=cc
         dc=nctucs
           dc=na
             ou=Group
               cn=nata
               cn=sata
             ou=People
               cn=tzute
               cn=zswu
     The DN of the highlighted entry is read from the leaf up to the root:
       cn=tzute,ou=People,dc=na,dc=nctucs,dc=cc
     The same organization in X.500-style naming: o="na, nctucs, cc", c=Taiwan, or o=na.nctucs.cc

  5. LDAP Directory Information Tree (DIT)
     Entry for the organizational unit ou=People:
       dn: ou=People,dc=na,dc=nctucs,dc=cc
       ou: People
       objectClass: top
       objectClass: organizationalUnit
       objectClass: domainRelatedObject
       associatedDomain: na.nctucs.cc
     Entry for the person cn=tzute beneath it:
       dn: cn=tzute,ou=People,dc=na,dc=nctucs,dc=cc
       objectClass: person
       cn: tzute
       sn: abc
       telephoneNumber: 123-4567
     DN (distinguished name): cn=tzute,ou=People,dc=na,dc=nctucs,dc=cc, the full path from the entry to the root
     RDN (relative distinguished name): the entry's own component, cn=tzute

  6. LDAPv3 overview – LDIF
      LDAP Data Interchange Format (LDIF)
       • Defined in RFC 2849
       • Standard text file format for storing LDAP configuration information and directory contents
       • An LDIF file is
         1. A collection of entries separated from each other by blank lines
         2. A mapping of attribute names to values
         3. A collection of directives that instruct the parser how to process the information
       • The data in the LDIF file must obey the schema rules of your LDAP directory

  7. LDAPv3 overview – LDIF
      Sample LDIF
       # sample entry
       dn: cn=tzute,ou=people,dc=na,dc=nctucs,dc=cc
       objectClass: person
       cn: tzute
       sn: abc
       telephoneNumber: 123-4567
     Abbreviations: dn = distinguished name, rdn = relative dn, ou = organizational unit, dc = domain component, cn = common name
     DN (distinguished name): cn=tzute,ou=people,dc=na,dc=nctucs,dc=cc
     RDN (relative distinguished name): cn=tzute

  8. LDAPv3 overview – LDIF
      Sample LDIF - Modify one dn
       # modify user info
       dn: cn=tzute,ou=people,dc=na,dc=nctucs,dc=cc
       changetype: modify
       add: description
       description: NA TA
       -
       replace: telephoneNumber
       telephoneNumber: 0987654321
       -
     Entry before:                      Entry after:
       objectClass: person                objectClass: person
       cn: tzute                          cn: tzute
       sn: abc                            sn: abc
       telephoneNumber: 123-4567          description: NA TA
                                          telephoneNumber: 0987654321

  9. LDAPv3 overview – LDIF
      Sample LDIF - Modify more than one dn (records are separated by a blank line)
       # modify user info
       dn: cn=tzute,ou=people,dc=na,dc=nctucs,dc=cc
       changetype: modify
       add: description
       description: NA TA
       -

       dn: cn=zswu,ou=people,dc=na,dc=nctucs,dc=cc
       changetype: modify
       add: description
       description: NA TA
       -
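As an added example (not from the deck), a small Python parser that applies the LDIF rules from slides 6-9: comment lines are dropped, continuation lines are joined to the line before them, records are split on blank lines, and a changetype: modify record is broken into its add/replace/delete operations. The LDIF it reads is a constructed sample modelled on slides 7 and 8.

```python
import re
# Constructed LDIF in the shape of slides 7-9: an entry record, then a modify
# record for the same DN; the folded "sn" shows a continuation line being joined.
SAMPLE_LDIF = """\
# sample entry
dn: cn=tzute,ou=people,dc=na,dc=nctucs,dc=cc
objectClass: person
cn: tzute
sn: ab
 c
telephoneNumber: 123-4567

dn: cn=tzute,ou=people,dc=na,dc=nctucs,dc=cc
changetype: modify
add: description
description: NA TA
-
replace: telephoneNumber
telephoneNumber: 0987654321
"""

def parse_record(lines):
    """One record -> dn, attribute map and the list of modify operations."""
    attrs, changes, cur = {}, [], None
    for line in lines:
        name, sep, value = line.partition(":")
        if line == "-" and cur:          # "-" closes one add/replace/delete
            changes.append(cur); cur = None
        elif not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        elif attrs.get("changetype") == ["modify"] and name in ("add", "replace", "delete"):
            cur = (name, value.strip(), [])
        elif cur:                        # value lines belong to the open operation
            cur[2].append(value.strip())
        else:
            attrs.setdefault(name, []).append(value.strip())
    if cur:                              # a closing "-" is optional in practice
        changes.append(cur)
    return {"dn": attrs.pop("dn")[0], "attrs": attrs, "changes": changes}

def parse_ldif(text):
    """Drop comments, unfold continuation lines, split records on blank lines."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif not raw.startswith("#"):
            out.append(raw)
    records = re.split(r"\n\s*\n", "\n".join(out).strip())
    return [parse_record(r.split("\n")) for r in records]
```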

  10. LDAPv3 overview - objectClass
       Object classes are defined in the schema files, e.g. /usr/local/etc/openldap/schema/core.schema
       http://www.openldap.org/doc/admin24/schema.html

  11. LDAPv3 overview - objectClass (continued)
       http://www.openldap.org/doc/admin24/schema.html

  12. LDAPv3 overview - Attribute
       (table on the slide: attribute type, its matching rules, and the value length a server should support)
       http://www.openldap.org/doc/admin24/schema.html

  13. Comparison with relational databases
      It is tempting to think that having an RDBMS backend to the directory solves all problems. However, it is wrong.
      This is because the data models are very different: representing directory data with a relational database requires splitting the data into multiple tables.

  14. OpenLDAP

  15. OpenLDAP (on FreeBSD)
      Installation
       • pkg install openldap-server
       • cd /usr/ports/net/openldap-server24 ; make install clean
      slapd.conf
       • Blank lines and lines beginning with a pound sign (#) are ignored
       • Parameters and associated values are separated by whitespace characters
       • A line with a blank space in the first column is considered to be a continuation of the previous one

  16. slapd.conf
       include     /usr/local/etc/openldap/schema/core.schema
       pidfile     /var/run/openldap/slapd.pid
       argsfile    /var/run/openldap/slapd.args
       loglevel    256
       modulepath  /usr/local/libexec/openldap
       moduleload  back_mdb
       moduleload  back_ldap
       # ACL rules here for global

       database    mdb
       maxsize     1073741824
       suffix      "dc=na,dc=nctucs,dc=cc"
       rootdn      "cn=Manager,dc=na,dc=nctucs,dc=cc"
       rootpw      <generated by slappasswd>
       directory   /var/db/openldap-data
       # Indices to maintain
       index       objectClass eq
       # ACL rules here for the specific database
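An added Python check, not from the deck, that reads a slapd.conf with the rules of slide 15 and reports a rootpw that is not a slappasswd-style hash or a rootdn that lies outside its database suffix (slapd refuses rootpw unless the rootdn is under the suffix). The config fragment is constructed after slide 16; the cleartext value "secret" stands in for the slide's placeholder <generated by slappasswd>.

```python
import re
# Constructed slapd.conf fragment in the shape of slide 16: the suffix value is
# folded onto a continuation line (leading blank) and "secret" stands in for the
# deck's placeholder <generated by slappasswd>, so the audit has something to flag.
SAMPLE_CONF = """\
loglevel 256
# ACL rules here for global
database mdb
maxsize 1073741824
suffix
 "dc=na,dc=nctucs,dc=cc"
rootdn "cn=Manager,dc=na,dc=nctucs,dc=cc"
rootpw secret
directory /var/db/openldap-data
"""

def parse_slapd_conf(text):
    """Slide 15 rules: skip blank and # lines, append a line that starts with a
    blank to the previous directive, split on whitespace (quoted values kept whole)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                                  # ignored lines
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()          # continuation line
        else:
            logical.append(raw.strip())
    return [[p.strip('"') for p in re.findall(r'"[^"]*"|\S+', l)] for l in logical]

def within(dn, suffix):
    """True when dn is the suffix itself or lies beneath it (case-insensitive)."""
    dn, suffix = dn.lower().replace(" ", ""), suffix.lower().replace(" ", "")
    return dn == suffix or dn.endswith("," + suffix)

def audit(directives):
    """Per-database findings: cleartext rootpw, or a rootdn outside the suffix
    (slapd only accepts rootpw when the rootdn lies under the database suffix)."""
    findings, db = [], {}
    for parts in directives + [["database"]]:         # sentinel closes the last section
        if parts[0] != "database":
            db[parts[0]] = parts[1] if len(parts) > 1 else ""
            continue
        suffix = db.get("suffix", "<global>")
        if db.get("rootpw") and not re.match(r"\{[A-Z0-9-]+\}", db["rootpw"]):
            findings.append("%s: rootpw is cleartext, use a slappasswd hash" % suffix)
        if "rootdn" in db and "suffix" in db and not within(db["rootdn"], suffix):
            findings.append("%s: rootdn %s is outside the suffix" % (suffix, db["rootdn"]))
        db = {}
    return findings
```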

  17. Directory ACL
       access to dn.exact="cn=Manager,dc=na,dc=nctucs,dc=cc"
           by peername.ip="127.0.0.1" auth
           by users none
           by anonymous none
           by * none
       access to attrs=userPassword
           by self write
           by anonymous auth
           by dn.base="cn=Manager,dc=na,dc=nctucs,dc=cc" write
           by * none
       access to attrs=englishname,birthdate
           by self write
           by users read
           by anonymous read

  18. Directory ACL
       http://www.openldap.org/doc/admin24/access-control.html
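The evaluation order behind the rules on slide 17 is easy to get wrong, so here is an added Python model (not part of the deck) of how slapd selects a rule: the first "access to" whose target matches is the only one consulted, and within it the first matching "by" decides. The three clauses are transcribed from the slide; the requester DNs and client addresses used to exercise them are constructed, and only the who-forms the slide uses are modelled.

```python
# Access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MANAGER = "cn=Manager,dc=na,dc=nctucs,dc=cc"

# The three "access to" clauses of slide 17, in file order.  Each "by" is
# (who, argument, level).  A clause without a dn part covers every entry and a
# clause without an attrs part covers every attribute of the entry.
ACL = [
    {"to": {"dn.exact": MANAGER},
     "by": [("peername.ip", "127.0.0.1", "auth"), ("users", None, "none"),
            ("anonymous", None, "none"), ("*", None, "none")]},
    {"to": {"attrs": {"userPassword"}},
     "by": [("self", None, "write"), ("anonymous", None, "auth"),
            ("dn.base", MANAGER, "write"), ("*", None, "none")]},
    {"to": {"attrs": {"englishname", "birthdate"}},
     "by": [("self", None, "write"), ("users", None, "read"), ("anonymous", None, "read")]},
]

# How each <who> form used on the slide is matched; bind_dn is None when anonymous.
WHO = {
    "*":           lambda arg, bind_dn, ip, entry: True,
    "anonymous":   lambda arg, bind_dn, ip, entry: bind_dn is None,
    "users":       lambda arg, bind_dn, ip, entry: bind_dn is not None,
    "self":        lambda arg, bind_dn, ip, entry: bind_dn is not None and bind_dn.lower() == entry.lower(),
    "dn.base":     lambda arg, bind_dn, ip, entry: bind_dn is not None and bind_dn.lower() == arg.lower(),
    "peername.ip": lambda arg, bind_dn, ip, entry: ip == arg,
}

def target_matches(to, entry_dn, attr):
    if "dn.exact" in to and to["dn.exact"].lower() != entry_dn.lower():
        return False
    return "attrs" not in to or attr in to["attrs"]

def granted(bind_dn, peer_ip, entry_dn, attr):
    """Level slapd would grant: only the first 'access to' whose target matches
    is consulted, and within it the first matching 'by' decides.  No match means
    'none', so a trailing 'by * none' only makes the default explicit."""
    for clause in ACL:
        if target_matches(clause["to"], entry_dn, attr):
            for who, arg, level in clause["by"]:
                if WHO[who](arg, bind_dn, peer_ip, entry_dn):
                    return level
            return "none"
    return "none"

def allows(bind_dn, peer_ip, entry_dn, attr, needed):
    """True when the granted level covers the level an operation needs, e.g. a
    simple bind needs 'auth' on userPassword and returning a value needs 'read'."""
    return LEVELS.index(granted(bind_dn, peer_ip, entry_dn, attr)) >= LEVELS.index(needed)
```

Operations performed as the rootdn are not subject to access control at all, so the first clause governs what other identities may do with the Manager entry, not the rootdn's own operations.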

  19. Overlay
      Software components that provide hooks to functions analogous to those provided by backends, which can be stacked on top of the backend calls and as callbacks on top of backend responses to alter their behavior.
      Where an overlay sits: Frontend -> Overlay -> Backend
       • Frontend: handles network access and protocol processing
       • Backend: deals strictly with data storage
      https://www.openldap.org/doc/admin24/overlays.html
      https://en.wikipedia.org/wiki/OpenLDAP#Overlays

  20. Overlay - memberOf
      Membership in the example tree (dc=cc > dc=nctucs > dc=na):
       Group entry cn=nata under ou=Group:        User entry cn=tzute under ou=People:
         objectClass: posixGroup                    objectClass: top
         objectClass: top                           objectClass: posixAccount
         cn: nata                                   cn: tzute
         displayName: nata                          gidNumber: 1234
         description: Domain Unix group
         gidNumber: 1234
      The user belongs to the group because both entries carry gidNumber 1234.

  21. Overlay - memberOf
      Installation
       • Ports: make config -> enable the memberOf overlay option
      https://www.openldap.org/doc/admin24/overlays.html

  22. Overlay - memberOf
      slapd.conf
      restart slapd
      Schema: a group entry the overlay acts on
       dn: cn=nata,ou=MemberGroup,dc=na,dc=nctucs,dc=cc
       objectclass: groupOfNames
       cn: nata
       member: cn=tzute,ou=People,dc=na,dc=nctucs,dc=cc
      https://www.openldap.org/doc/admin24/overlays.html

  23. OLC - on-line configuration
      OpenLDAP version 2.3 -> new feature
      OpenLDAP version 2.4 -> still optional
      Uses a configuration DIT to control the operational configuration
      Modifying entries in this DIT makes immediate changes to slapd's operational configuration
      https://www.openldap.org/doc/admin24/slapdconf2.html
      http://www.zytrax.com/books/ldap/ch6/slapd-config.html

  24. OLC - on-line configuration

  25. OLC - on-line configuration
      An mdb database expressed as an entry under cn=config:
       # {1}mdb, config
       dn: olcDatabase={1}mdb,cn=config
       objectClass: olcDatabaseConfig
       objectClass: olcMdbConfig
       olcDatabase: {1}mdb
       olcDbDirectory: /var/db/openldap-data/na
       olcSuffix: dc=na,dc=nctucs,dc=cc
       olcAddContentAcl: FALSE
       olcLastMod: TRUE
       olcMaxDerefDepth: 15
       olcReadOnly: FALSE
       olcRootDN: cn=Manager,dc=na,dc=nctucs,dc=cc
       olcRootPW: password

  26. Enable slapd
      Edit /etc/rc.conf
       • slapd_enable="YES"
       • slapd_flags for specific options
      service slapd start
      http://www.openldap.org/doc/admin24/runningslapd.html

  27. Slapd tools
      slapcat
       • This tool reads records from a slapd database and writes them to a file or standard output
      slapadd
       • This tool reads LDIF entries from a file or standard input and writes the new records to a slapd database
      slapindex
       • This tool regenerates the indexes in a slapd database
      slappasswd
       • This tool generates a password hash suitable for use as a userPassword value or as the rootpw in slapd.conf

  28. LDAP tools
      ldapsearch
       • This tool issues LDAP search queries to directory servers
      ldapadd, ldapmodify
       • These tools send updates to directory servers
      ldapcompare
       • This tool asks a directory server to compare two values
      ldapdelete
       • This tool deletes entries from an LDAP directory

  29. ldapsearch
      Options
       • -b searchbase
       • -s {base|one|sub|children}   # default is sub
       • -D binddn
       • -x   # use simple authentication instead of SASL
       • -W   # prompt for the simple-authentication password
       • -H ldapuri
      ldapsearch [options] filter
       • default filter: (objectClass=*)
       • ldapsearch -H ldap://ldap.na.nctucs.cc -x -W -D "cn=tzute,dc=na,dc=nctucs,dc=cc" -b "dc=na,dc=nctucs,dc=cc" -s one
      man ldapsearch

  30. ldapsearch
      Example tree searched with -b and -s:
       dc=cc
         dc=nctucs
           dc=na
             ou=Group
               cn=nata
               cn=sata
             ou=People
               cn=tzute
               cn=zswu
