ldap
play

LDAP (Lightweight Directory Access Protocol) wangth Computer - PowerPoint PPT Presentation

Nov 14, 2022 •148 likes •554 views

LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory Service? What is Directory Service ( ) Highly optimized for reads Implements a distributed model for storing information

  1. LDAP (Lightweight Directory Access Protocol) wangth

  2. Computer Center, CS, NCTU What is Directory Service? ❑ What is Directory Service ( 目錄服務 ) • Highly optimized for reads • Implements a distributed model for storing information • Can extend the type of information it stores • Has advanced search capabilities • Has loosely consistent replication among directory servers ❑ Domain Name Service 2

  3. Computer Center, CS, NCTU What is LDAP ❑ Lightweight Directory Access Protocol (LDAP) • LDAPv3: RFC 3377 • RFC 2251-2256, 2829, 2830, 3377 ❑ Why LDAP is lightweight • A subset of the X.500 standard • X.500 is based on OSI model • LDAP is based on TCP/IP model • LDAP omits many X.500 operations that are rarely used • Provides a smaller and simpler set of operations 3

  4. Computer Center, CS, NCTU LDAP Directory Information Tree (DIT) dc: domain component dc=cc ou: organization unit cn: common name dc=nctucs o: organizationName c: countryName dc=na ou=Group ou=People cn=student cn=ta cn=tzute cn=zswu cn=tzute,ou=People,dc=na,dc=nctucs,dc=cc o="na, nctucs, cc " , c=TW o=na.nctucs.cc 4

  5. Computer Center, CS, NCTU LDAP Directory Information Tree (DIT) dn: ou=People,dc=na,dc=nctucs,dc=cc dc=cc ou: People objectClass: top dc=nctucs objectClass: organizationalUnit objectClass: domainRelatedObject dc=na associatedDomain: na.nctucs.cc ou=Group ou=People objectClass: person cn: tzute sn: Kuo cn=tzute telephoneNumber: 123-4567 DN (distinguished name): cn=tzute,ou=People,dc=na,dc=nctucs,dc=cc RDN: Relative Distinguished Name 5

  6. Computer Center, CS, NCTU LDAPv3 Overview – LDIF (1/4) ❑ LDAP Interchange Format (LDIF) • Defined in RFC 2849 • Standard text file format for storing LDAP configuration information and directory contents • An LDIF file is 1. A collection of entries separated from each other by blank lines 2. A mapping of attribute names to values 3. A collection of directives that instruct the parser how to process the information • The data in the LDIF file must obey the schema rules of your LDAP directory 6

  7. Computer Center, CS, NCTU LDAPv3 Overview – LDIF (2/4) ❑ Sample LDIF # A sample entry dc=cc # Format: <Attribute>: <Value> dn: cn=tzute,ou=people,dc=na,dc=nctucs,dc=cc dc=nctucs objectClass: person cn: tzute telephoneNumber: 123-4567 dc=na ou=people ou=group cn=tzute 7

  8. Computer Center, CS, NCTU LDAPv3 Overview – LDIF (3/4) ❑ Sample LDIF – Modify one DN # Modify user info dn: cn=tzute,ou=people,dc=na,dc=nctucs,dc=cc changetype: modify add: description description: NA TA - replace: telephoneNumber telephoneNumber: 0987654321 objectClass: person objectClass: person cn: tzute cn: tzute sn: abc sn: abc telephoneNumber : 123-4567 description : NA TA telephoneNumber : 0987654321 8

  9. Computer Center, CS, NCTU LDAPv3 Overview – LDIF (4/4) ❑ Sample LDIF – Modify more than one DN # Modify user info dn: cn=tzute,ou=people,dc=na,dc=nctucs,dc=cc changetype: modify add: description description: NA TA dn: cn=zswu,ou=people,dc=na,dc=nctucs,dc=cc changetype: modify add: description description: NA TA 9

  10. Computer Center, CS, NCTU LDAPv3 Overview – objectClass ❑ /usr/local/etc/openldap/schema/core.schema http://www.openldap.org/doc/admin24/schema.html 10

  11. Computer Center, CS, NCTU LDAPv3 Overview – objectClass (Cont.) http://www.openldap.org/doc/admin24/schema.html 11

  12. Computer Center, CS, NCTU LDAPv3 Overview – Attribute Matching rules Type Server should support values of this length http://www.openldap.org/doc/admin24/schema.html 12

  13. Computer Center, CS, NCTU Comparison with relational databases ❑ It is tempting to think that having a RDBMS backend to the directory solves all problems. However, it is wrong. ❑ This is because the data models are very different. Representing directory data with a relational database is going to require splitting data into multiple tables. 13

  14. OpenLDAP An open source implementation of the Lightweight Directory Access Protocol

  15. Computer Center, CS, NCTU OpenLDAP on FreeBSD ❑ Three main components • slapd – stand-alone LDAP daemon and associated modules and tools • libraries implementing the LDAP protocol and ASN.1 Basic Encoding Rules (BER) • client software: ldapsearch, ldapadd, ldapdelete, and others ❑ Installation • pkg install openldap-server • cd /usr/ports/net/openldap-server24; make install clean ❑ slapd.conf • Blank lines and lines beginning with a pound sign (#) are ignored • Parameters and associated values are separated by whitespace characters • A line with a blank space in the first column is considered to be a 15 continuation of the previous one.

  16. Computer Center, CS, NCTU slapd.conf include /usr/local/etc/openldap/schema/core.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel 256 modulepath /usr/local/libexec/openldap moduleload back_mdb moduleload back_ldap database mdb maxsize 1073741824 suffix "dc=na,dc=nctucs,dc=cc" rootdn "cn=Manager,dc=na,dc=nctucs,dc=cc" rootpw <generated by slappasswd> directory /var/db/openldap-data # Indices to maintain index objectClass eq # ACL rules here for specific database 16

  17. Computer Center, CS, NCTU Directory ACL # access to <what> [ by <who> [<accesslevel>] [<control>] ]+ access to dn.exact="cn=Manager,dc=na,dc=nctucs,dc=cc" by peername.ip="127.0.0.1" auth by users none by anonymous none by * none access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=na,dc=nctucs,dc=cc" write by * none access to attrs=englishname,birthdate by self write by users read by anonymous read If one access directive is more specific than another in terms of the entries it selects, it should appear first in the configuration 17

  18. Computer Center, CS, NCTU Directory ACL ❑ Access Entity Specifiers (Who) ❑ Access Levels http://www.openldap.org/doc/admin24/access-control.html 18

  19. Computer Center, CS, NCTU Overlays ❑ Software components that provide hooks to functions analogous to those provided by backends, which can be stacked on top of the backend calls and as callbacks on top of backend responses to alter their behavior ❑ Frontend Frontend • handles network access and protocol processing ❑ Backend Overlay • deals strictly with data storage Backend https://www.openldap.org/doc/admin24/overlays.html https://en.wikipedia.org/wiki/OpenLDAP#Overlays 19

  20. Computer Center, CS, NCTU Overlays – memberOf dc=cc ❑ Membership dc=nctucs dc=na ou=People ou=Group cn=tzute cn=nata objectClass: posixGroup objectClass: posixGroup objectClass: top objectClass: top objectClass: posixAccount cn: nata cn: tzute displayName: nata gidNumber: 1234 description: Domain Unix group gidNumber: 1234 20

  21. Computer Center, CS, NCTU Overlays – memberOf ❑ Installation • Ports • make config → enable option https://www.openldap.org/doc/admin24/overlays.html 21

  22. Computer Center, CS, NCTU Overlays – memberOf ❑ Edit /usr/local/etc/openldap/slapd.conf ❑ restart slapd ❑ Query Result dn: cn=nata,ou=MemberGroup,dc=na,dc=nctucs,dc=cc objectclass: groupOfNames cn: nata member: cn=tzute,ou=People,dc=na,dc=nctucs,dc=cc https://www.openldap.org/doc/admin24/overlays.html 22

  23. Computer Center, CS, NCTU OLC – Online Configuration (1/3) ❑ OpenLDAP Version 2.3 → New feature ❑ OpenLDAP Version 2.4 → Still optional ❑ Uses a configuration DIT to control the operational configuration ❑ Modifying entries in this DIT immediate changes to slapd's operational behavior https://www.openldap.org/doc/admin24/slapdconf2.html http://www.zytrax.com/books/ldap/ch6/slapd-config.html 23

  24. Computer Center, CS, NCTU OLC – Online Configuration (2/3) 24

  25. Computer Center, CS, NCTU OLC – Online Configuration (3/3) # {1}mdb, config dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/db/openldap-data/na olcSuffix: dc=na,dc=nctucs,dc=cc olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=Manager,dc=na,dc=nctucs,dc=cc olcRootPW: secret 25

  26. Computer Center, CS, NCTU Enable slapd ❑ Edit /etc/rc.conf • slapd_enable= " YES " • slapd_flags for specific options ❑ service slapd start http://www.openldap.org/doc/admin24/runningslapd.html 26

  27. Computer Center, CS, NCTU slapd tools ❑ slapcat • This tool reads records from a slapd database and writes them to a file or standard output ❑ slapadd • This tool reads LDIF entries from a file or standard input and writes the new records to a slapd database ❑ slapindex • This tool regenerates the indexes in a slapd database ❑ slappasswd • This tool generates a password hash suitable for use as an Lq in slapd.conf 27

  28. Computer Center, CS, NCTU LDAP tools ❑ ldapsearch • This tool issues LDAP search queries to directory servers ❑ ldapadd, ldapmodify • These tools send updates to directory servers ❑ ldapcompare • This tool asks a directory server to compare two values ❑ ldapdelete • This tool deletes entries from an LDAP directory 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP LDAP Servers Information Structure Protocol Overview LDAP operations UNDERSTANDING LDAP LDAP stands for Lightweight Directory Access

268 views • 12 slides
How we implemented an LDAP directory Multiple Simultaneous Requests . . . . . . . . . . . . . . .

How we implemented an LDAP directory Multiple Simultaneous Requests . . . . . . . . . . . . . . .

Getting Started What do you already know about ldap ? . . . . . . . . . . . . . . slide #3 What Do You Want? . . . . . . . . . . . . . . . . . . . . . . . . . . . . slide #4 Argument for LDAP Account Information . . . . . . . . . . . . . . . . .

442 views • 26 slides
LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com

LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com

LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com http://www.samba.org/~idra What is LDB ? LDB is an LDAP-like database interface LDAP-like data model support LDAP like search expressions but it

1.03k views • 24 slides
DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999

DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999

DESIRE DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999 Peter Gietz, University of Tbingen Peter.Gietz@directory.dfn.de DESIRE LDAP Index system

855 views • 12 slides
Security with LDAP Andrew Findlay Skills 1st Ltd www.skills-1st.co.uk February 2002

Security with LDAP Andrew Findlay Skills 1st Ltd www.skills-1st.co.uk February 2002

Security with LDAP Andrew Findlay Skills 1st Ltd www.skills-1st.co.uk February 2002 andrew.findlay@skills-1st.co.uk Security with LDAP Applications of LDAP White Pages NIS (Network Information System) Authentication

257 views • 15 slides
LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many

LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many

What is LDAP Lightweight Directory Access Protocol Phonebook Based on X.500 DAP on OSI stack Developed in '93 @ UMich LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many implementations OpenLDAP

544 views • 6 slides
KDC LDAP Schema IETF 11/02 Donna Skibbie, IBM Overview KDC LDAP Schema draft: Defines all KDC

KDC LDAP Schema IETF 11/02 Donna Skibbie, IBM Overview KDC LDAP Schema draft: Defines all KDC

KDC LDAP Schema IETF 11/02 Donna Skibbie, IBM Overview KDC LDAP Schema draft: Defines all KDC attributes except for those used to store key data Keys Extension draft: Defines attributes used to store key data Flow of Data to LDAP

798 views • 10 slides
From LDAP to IdM Presentation at the Athens Eurocamp 2008 by Roland Hedberg

From LDAP to IdM Presentation at the Athens Eurocamp 2008 by Roland Hedberg

From LDAP to IdM Presentation at the Athens Eurocamp 2008 by Roland Hedberg &lt;roland.hedberg@adm.umu.se&gt; The transition -starting point Admin interface LDAP Scripts The transition - toward nirvana Admin interface LDAP Scripts

497 views • 22 slides
Testing LDAP Implementations Emmanuel Lcharny Do who need tests anyway ? OSS projects don't

Testing LDAP Implementations Emmanuel Lcharny Do who need tests anyway ? OSS projects don't

Testing LDAP Implementations Emmanuel Lcharny Do who need tests anyway ? OSS projects don't need it... We have users ! We have users ! LDAP project phases Initial analysis Development + tests Costs Conformance tests Tests are

501 views • 27 slides
dCache and LDAP AuthN Ron Trompert SURFsara A :ny Bit

dCache and LDAP AuthN Ron Trompert SURFsara A :ny Bit

dCache and LDAP AuthN Ron Trompert SURFsara A :ny Bit of History Number of systems Own user administra:on system Some users had access

519 views • 10 slides
UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity System UCSBnetID authentication UCSB-wide student and employee info http://www.identity.ucsb.edu/ LDAP Overview Lightweight Directory Access Protocol

604 views • 24 slides
Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic

Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic

Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic Poitou OpenDS ludovic.poitou@sun.com A poor man's choice: JNDI or JLDAP/Netscape LDAP SDK Good News: Apache Directory Client API OpenDS

678 views • 20 slides
Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP

Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP

Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP entry Indicate on attendance sheet Announcements Plan for today Its Co-op time Building a software system Orientation

475 views • 3 slides
How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of

How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of

How we implemented an LDAP directory for Laboratories Nick Urbanik How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of Vocational Education (Tsing Yi), Department of ICT Nick Urbanik

1.17k views • 106 slides
Logistics The never-ending LDAP problems Latest Developments Dave, got your e-mail

Logistics The never-ending LDAP problems Latest Developments Dave, got your e-mail

Logistics The never-ending LDAP problems Latest Developments Dave, got your e-mail (Cant change in mycourses) Jon, your mail bounced March 17 Lets settle things after class Enter stage left Spacethe final

382 views • 5 slides
The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to

The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to

The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to Access Control The Design Process The available Standards Best Practices The User object The plumbing Implementing the Schema

494 views • 47 slides
Lawyerly Transitions Keith Swisher Swisher P.C. Keith Swisher Keith Swisher is Professor of

Lawyerly Transitions Keith Swisher Swisher P.C. Keith Swisher Keith Swisher is Professor of

Lawyerly Transitions Keith Swisher Swisher P.C. Keith Swisher Keith Swisher is Professor of Legal Ethics and Director of the Bachelor of Law and Master of Legal Studies Programs at the University of Arizona James E. Rogers College of Law.*

767 views • 22 slides
Small Busines Small Business s Finding, T Finding, Touching, P ouching, Partnering

Small Busines Small Business s Finding, T Finding, Touching, P ouching, Partnering

Small Busines Small Business s Finding, T Finding, Touching, P ouching, Partnering artnering Jack Hubbard Chief Experience Officer, St. Meyer &amp; Hubbard jhubbard@smandh.com Small Business Pr Small Busines s Products or

261 views • 8 slides
Socket clients and servers CSCI 136: Fundamentals of Computer Science II Keith Vertanen

Socket clients and servers CSCI 136: Fundamentals of Computer Science II Keith Vertanen

Socket clients and servers CSCI 136: Fundamentals of Computer Science II Keith Vertanen Overview Networking basics IP Addresses (review) Port numbers (review) Reliability, connecting, latency, firewalls Single threaded

336 views • 15 slides
Troubleshooting Service Dr. Susanne Naegele-Jackson DFN / University of Erlangen-Nuremberg

Troubleshooting Service Dr. Susanne Naegele-Jackson DFN / University of Erlangen-Nuremberg

Enabling Grids for E-sciencE perfSONAR-Lite TSS Troubleshooting Service Dr. Susanne Naegele-Jackson DFN / University of Erlangen-Nuremberg EGEE09, EGEE -III Activity SA2 www.eu-egee.org EGEE-III INFSO-RI-222667 EGEE and gLite are

421 views • 27 slides
Java Remote Method Java Remote Method Invocation (RMI) Invocation (RMI) Viraj Bhat ( Viraj Bhat

Java Remote Method Java Remote Method Invocation (RMI) Invocation (RMI) Viraj Bhat ( Viraj Bhat

Java Remote Method Java Remote Method Invocation (RMI) Invocation (RMI) Viraj Bhat ( Viraj Bhat (virajb@caip.rutgers.edu virajb@caip.rutgers.edu) ) Cristina Schmidt (cristins@caip.rutgerts.edu) Cristina Schmidt (cristins@caip.rutgerts.edu)

1.04k views • 65 slides
Installation Installation Procedures Procedures for Clusters for Clusters PART 4 Hands-on

Installation Installation Procedures Procedures for Clusters for Clusters PART 4 Hands-on

Moreno Baricevic CNR-INFM DEMOCRITOS Trieste, ITALY Installation Installation Procedures Procedures for Clusters for Clusters PART 4 Hands-on Laboratory Agenda Agenda Cluster Services Overview on Installation Procedures

332 views • 8 slides
DECAP-Distributed Extensible Cloud Authentication Protocol Andrea Huszti and Norbert Ol ah

DECAP-Distributed Extensible Cloud Authentication Protocol Andrea Huszti and Norbert Ol ah

Security requirements The proposed protocol Security analysis DECAP-Distributed Extensible Cloud Authentication Protocol Andrea Huszti and Norbert Ol ah University of Debrecen Nijmegen, Netherlands Andrea Huszti and Norbert Ol ah

402 views • 22 slides
RHCSA - EX200 RHCSA DAY - 02 RHCSA Trainer Ali Aydemir CISCO, CCIE #47287 SP/RS, CCSI#35413

RHCSA - EX200 RHCSA DAY - 02 RHCSA Trainer Ali Aydemir CISCO, CCIE #47287 SP/RS, CCSI#35413

RHCSA RHCSA - EX200 RHCSA DAY - 02 RHCSA Trainer Ali Aydemir CISCO, CCIE #47287 SP/RS, CCSI#35413 AVAYA, ACE-Fx #169 HUAWEI, HCDP RHCSA DAY - 02 RHCSA RHCSA Timetable Day AM Lunch PM -Essential File Management -Installing RHEL

2.07k views • 191 slides

More recommend