Introduction to OpenLDAP

Source: Internet
Author: User
Tags: ldap, ldap filter, ldap port, ldapsearch, openldap


Installation is not covered here; the article starts from configuration.
1. Main configuration file: slapd.conf
The file holds three kinds of settings: global, backend-specific and database-specific.
Global settings can be overridden by either of the other two; backend settings can be overridden by database settings. There can be several database sections.

1.1 Global settings
1.1.1 access (authorization)
# Grants different permissions to different users; roughly the equivalent of a database role, each with its own privileges.
access to <what> [ by <who> [ <access> ] [ <control> ] ]+
The complete syntax (the olcAccess attribute of cn=config takes the same form) is:
olcAccess: <access directive>
<access directive> ::= to <what>
    [ by <who> [ <access> ] [ <control> ] ]+
<what> ::= * |
    [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
    [filter=<ldapfilter>] [attrs=<attrlist>]
<basic-style> ::= regex | exact
<scope-style> ::= base | one | subtree | children
<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
<who> ::= * | [anonymous | users | self
    | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
    [dnattr=<attrname>]
    [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
    [peername[.<basic-style>]=<regex>]
    [sockname[.<basic-style>]=<regex>]
    [domain[.<basic-style>]=<regex>]
    [sockurl[.<basic-style>]=<regex>]
    [set=<setspec>]
    [aci=<attrname>]
<access> ::= [self]{<level>|<priv>}
<level> ::= none | auth | compare | search | read | write
<priv> ::= {=|+|-}{w|r|s|c|x|0}+
<control> ::= [stop | continue | break]

1.1.1.1 what
Several forms:
  to *                            all entries; the same as dn=.*
  to dn[.<basic-style>]=<regex>   match the DN against a regular expression (basic-style is regex or exact)
  to dn.<scope-style>=<DN>        scope-style is base, one, subtree or children:
    base matches only the entry whose DN equals the given DN; one matches the entries whose parent is the given DN;
    subtree matches the given DN and every entry below it; children is like subtree but excludes the given entry itself.
For example, given these entries:
  0: o=suffix
  1: cn=Manager,o=suffix
  2: ou=people,o=suffix
  3: uid=kdz,ou=people,o=suffix
  4: cn=addresses,uid=kdz,ou=people,o=suffix
  5: uid=hyc,ou=people,o=suffix

then:
  dn.base="ou=people,o=suffix" matches 2;
  dn.one="ou=people,o=suffix" matches 3 and 5;
  dn.subtree="ou=people,o=suffix" matches 2, 3, 4 and 5; and
  dn.children="ou=people,o=suffix" matches 3, 4 and 5.
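The scope rules above as a small Python script (an added example, not part of the original article). It normalises DNs by lower-casing and trimming each RDN, which is a simplifying assumption: real slapd does full DN normalisation and handles escaped commas. It checks the six entries against the four scope styles.

```python
# Added example, not from the original article: dn.<scope-style> matching.
# Assumption: DNs are compared after naive normalisation (split on ",",
# trim, lower-case); escaped commas and attribute-specific matching are ignored.

def norm_dn(dn):
    """Split a DN into its RDN components, lower-cased and trimmed."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def dn_scope_match(style, target, entry):
    """True if entry falls inside target under the given scope style."""
    t, e = norm_dn(target), norm_dn(entry)
    # an entry is below the target when its trailing RDNs equal the target DN
    below = len(e) > len(t) and e[-len(t):] == t
    if style == "base":
        return e == t
    if style == "one":
        return below and len(e) == len(t) + 1
    if style == "subtree":
        return e == t or below
    if style == "children":
        return below
    raise ValueError("unknown scope style: %s" % style)

# The six example entries from the text, in the same order (0-based).
ENTRIES = [
    "o=suffix",
    "cn=Manager,o=suffix",
    "ou=people,o=suffix",
    "uid=kdz,ou=people,o=suffix",
    "cn=addresses,uid=kdz,ou=people,o=suffix",
    "uid=hyc,ou=people,o=suffix",
]

def matching_entries(style, target, entries=ENTRIES):
    """Indices of the entries that a dn.<style>=<target> clause selects."""
    return [i for i, dn in enumerate(entries) if dn_scope_match(style, target, dn)]

if __name__ == "__main__":
    for style in ("base", "one", "subtree", "children"):
        print('dn.%s="ou=people,o=suffix" matches %s'
              % (style, matching_entries(style, "ou=people,o=suffix")))
```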

  to filter=<ldapfilter>          match entries by an LDAP search filter
The dn and filter clauses can be combined: to dn.one="ou=people,o=suffix" filter=(objectClass=person) selects the entries that satisfy both conditions.

You can also restrict <what> to particular attributes:
  attrs=<attrlist>
Note: to add or delete an entry you need write access to the entry pseudo-attribute of that entry and write access to the children pseudo-attribute of its parent.

1.1.1.2 who
Specifier                     Entities
----------------------------------------------------------------
*                             all, including anonymous and authenticated users
anonymous                     anonymous (non-authenticated) users
users                         authenticated users
self                          the user associated with the target entry
dn[.<basic-style>]=<regex>    users matching a regular expression
dn.<scope-style>=<DN>         users within the scope of a DN

1.1.1.3 accesslevel
Level       Privileges   Description
----------------------------------------------------------------
none        =0           no access
auth        =x           needed to bind
compare     =cx          needed to compare
search      =scx         needed to apply search filters
read        =rscx        needed to read search results
write       =wrscx       needed to modify/rename
Each level includes the privileges of all the levels below it.
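An added Python example (not from the original article) that encodes the table: which privilege letters each level carries, that higher levels include the lower ones, and how a <priv> spec of the form {=|+|-}{w|r|s|c|x|0}+ changes a privilege set.

```python
# Added example, not from the original article: the access-level lattice and
# the <priv> form. The letters are those from the table above.

LEVEL_PRIVS = {
    "none": "0", "auth": "x", "compare": "cx",
    "search": "scx", "read": "rscx", "write": "wrscx",
}
LEVEL_ORDER = ["none", "auth", "compare", "search", "read", "write"]

def level_to_privs(level):
    """Privilege letters a level grants ('0' means no privilege at all)."""
    return set(LEVEL_PRIVS[level]) - {"0"}

def level_grants(granted, needed):
    """True if the granted level is at least the level an operation needs."""
    return LEVEL_ORDER.index(granted) >= LEVEL_ORDER.index(needed)

def apply_priv(current, spec):
    """Apply a <priv> spec such as '=rscx', '+w' or '-w' to a privilege set."""
    op, letters = spec[:1], spec[1:]
    if op not in ("=", "+", "-") or not letters or set(letters) - set("wrscx0"):
        raise ValueError("bad priv spec: %r" % spec)
    letters = set(letters) - {"0"}
    if op == "=":            # replace the set outright
        return letters
    if op == "+":            # add privileges
        return set(current) | letters
    return set(current) - letters   # remove privileges

def privs_to_level(privs):
    """Highest named level whose privileges are all contained in privs."""
    best = "none"
    for level in LEVEL_ORDER:
        if level_to_privs(level) <= set(privs):
            best = level
    return best

def levels_nest():
    """Check the claim that each level includes all the levels below it."""
    sets = [level_to_privs(l) for l in LEVEL_ORDER]
    return all(a <= b for a, b in zip(sets, sets[1:]))
```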

1.1.1.4 control
stop | continue | break

1.1.1.5 example
olcAccess: to *
    by self write
    by anonymous auth
    by * read

olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
    by self write
    by dn.children="dc=example,dc=com" search
    by peername.regex=IP:10\..+ read
olcAccess: to dn.subtree="dc=example,dc=com"
    by self write
    by dn.children="dc=example,dc=com" search
    by anonymous auth


1.1.2
None

1.1.3 idletimeout
In seconds: a client that stays idle for longer than this is forcibly disconnected. The default is 0, which disables the check.

1.1.4 include
# Includes other files; be careful with nested includes.
The schema directory of the OpenLDAP installation contains the following files shipped with OpenLDAP. Do not modify them; if you want to define your own attribute types,
create a separate file and include it from slapd.conf.
File                  Description
--------------------------------------------------------------------
core.schema           OpenLDAP core (required)
cosine.schema         Cosine and Internet X.500 (useful)
inetorgperson.schema  InetOrgPerson (useful)
misc.schema           Assorted (experimental)
nis.schema            Network Information Services (FYI)
openldap.schema       OpenLDAP Project (experimental)

1.1.5 loglevel
# LDAP logging level
Level   Description
------------------------------------------
-1      enable all debugging
0       no debugging
1       trace function calls
2       debug packet handling
4       heavy trace debugging
8       connection management
16      print out packets sent and received
32      search filter processing
64      configuration file processing
128     access control list processing
256     stats log connections/operations/results
512     stats log entries sent
1024    print communication with shell backends
2048    print entry parsing debugging

1.1.6 objectclass
Defines an object class; omitted here.

1.1.7 referral
If slapd has no local database for the request, the client is referred to this URI.

1.1.8 sizelimit
Sets the maximum number of entries returned by a search operation.

1.1.9 timelimit
In seconds: the maximum time a search may take. If it is exceeded, the search is cut off and a time-limit-exceeded result is returned.

1.2 Backend settings
backend <type>

The types are:
Type      Description
-------------------------------------
bdb       Berkeley DB transactional backend
dnssrv    DNS SRV backend
hdb       hierarchical variant of the bdb backend
ldap      Lightweight Directory Access Protocol (proxy) backend
ldbm      lightweight DBM backend
meta      meta directory backend
monitor   monitor backend
passwd    provides read-only access to passwd(5)
perl      Perl programmable backend
shell     shell (external program) backend
sql       SQL programmable backend

1.3 General database settings
1.3.1 database
database <type>, where the type is one of the backend types listed above.
1.3.2 readonly {on|off}
1.3.3 replica
Sets the location of a replica database:
replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
    [bindmethod={simple|sasl}]
    ["binddn=<DN>"]
    [saslmech=<mech>]
    [authcid=<identity>]
    [authzid=<identity>]
    [credentials=<password>]

If no port is given, the default LDAP port is used: 389 for ldap, 636 for ldaps.
slurpd is the daemon that copies the changes to the replicas.

1.3.4 replogfile
If database replication is configured, this names the replication log in which slapd records every change to the database. The file is written by slapd and read by slurpd.
If no replica is configured, slurpd is not started; the file can still be used as a change log.

1.3.5 suffix
# Sets the directory suffix; it may have more components, for example "dc=eng,dc=uni,dc=edu,dc=eu"
suffix "dc=example,dc=com"

1.3.6 rootdn
# Sets the directory administrator
rootdn "cn=Manager,dc=example,dc=com"

1.3.7 rootpw
rootpw secret
If you do not want to write the password in clear text, use a hashed value:
rootpw {SSHA}zkkuqbekjfksxhubhg3fg8mdn9j1v4qn
The value is in RFC 2307 form and can be generated with slappasswd, for example: slappasswd -s password
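An added Python example (not from the original article) of the {SSHA} form slappasswd -s produces: hash a password with a random 4-byte salt, the length slappasswd uses, and verify it with a constant-time comparison. The layout is the standard RFC 2307 {SSHA} one: SHA-1 over password plus salt, then base64 of digest plus salt.

```python
# Added example, not from the original article: RFC 2307 style {SSHA} values
# as written into rootpw / userPassword, so the clear-text password is never
# stored. Assumption: a 4-byte salt on generation; any salt length verifies.
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """Check a clear-text password against a stored {SSHA} value."""
    if not stored[:6].upper() == "{SSHA}":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]      # SHA-1 digests are 20 bytes long
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h, ssha_verify(h, "secret"), ssha_verify(h, "Secret"))
```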

1.3.8 syncrepl (replication engine)
This database is a consumer (replica) that is kept synchronized with the provider (master) database using the LDAP Content Synchronization protocol.
syncrepl rid=<replica ID>                  (at most 3 digits)
    provider=ldap[s]://<hostname>[:port]   (address of the provider/master database)
    [type=refreshOnly|refreshAndPersist]
    [interval=dd:hh:mm:ss]
    [retry=[<retry interval> <# of retries>]+]
    [searchbase=<base DN>]
    [filter=<filter str>]
    [scope=sub|one|base]
    [attrs=<attr list>]
    [attrsonly]
    [sizelimit=<limit>]
    [timelimit=<limit>]
    [schemachecking=on|off]
    [bindmethod=simple|sasl]
    [binddn=<DN>]
    [saslmech=<mech>]
    [authcid=<identity>]
    [authzid=<identity>]
    [credentials=<passwd>]
    [realm=<realm>]
    [secprops=<properties>]

1.3.9 updatedn
Only for slave (replica) databases: the DN that is allowed to apply replicated changes to the slave database.

1.3.10 updateref
Only for slave databases: the URL returned to clients that try to modify the slave database, so that the write is redirected to the master.

1.4 example
# example config file - global configuration section
include /usr/local/etc/schema/core.schema
referral ldap://root.openldap.org
access to * by * read
# bdb definition for example.com
database bdb
suffix "dc=example,dc=com"
directory /usr/local/var/openldap-data
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
# replication directives
replogfile /usr/local/var/openldap/slapd.replog
replica uri=ldap://slave1.example.com:389
    binddn="cn=replicator,dc=example,dc=com"
    bindmethod=simple credentials=secret
replica uri=ldaps://slave2.example.com:636
    binddn="cn=replicator,dc=example,dc=com"
    bindmethod=simple credentials=secret
# indexed attribute definitions
index uid pres,eq
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
# database access control definitions
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=admin,dc=example,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=admin,dc=example,dc=com" write
    by * read
# bdb definition for example.net
database bdb
suffix "dc=example,dc=net"
directory /usr/local/var/openldap-data-net
rootdn "cn=Manager,dc=example,dc=com"
index objectClass eq
access to * by users read

2. Start slapd
slapd accepts many start-up parameters:
-f <config file>
    /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf
-h <URLs>
    Configures one or more listening URLs. The default is ldap:/// (port 389); the other forms are ldaps:/// (port 636) and ldapi:///.
    For example, -h "ldaps:/// ldap://127.0.0.1:666" starts two listeners: one speaking LDAP over SSL on port 636,
    the other speaking plain LDAP over TCP on port 666, which accepts connections only on the loopback address.
-n <service name>   Sets the service name; the default is slapd.
-l <syslog facility>   Sets the syslog facility used for logging: local0, local1, local2, ..., local7. The default is local4.
-u <user> -g <group>   The user and group slapd runs as.
-r <directory>   slapd chroots to this directory at start-up. This happens after the listeners have been opened but before any configuration file is read or any backend is initialized.
-d <level>   Debug level; the values are the same as for loglevel in 1.1.5. Several levels can be enabled at once, either by adding the values or by repeating the option:
    to enable both 1 and 64, write -d 65 or -d 1 -d 64.
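The -d / loglevel bit mask as an added Python example (not from the original article): decode a mask such as 65 into the entries of the 1.1.5 table and combine several -d values the way slapd ORs them.

```python
# Added example, not from the original article: slapd debug/loglevel masks.
# The bit values and names are the loglevel table from section 1.1.5.
LOGLEVELS = {
    1: "trace function calls",
    2: "debug packet handling",
    4: "heavy trace debugging",
    8: "connection management",
    16: "print out packets sent and received",
    32: "search filter processing",
    64: "configuration file processing",
    128: "access control list processing",
    256: "stats log connections/operations/results",
    512: "stats log entries sent",
    1024: "print communication with shell backends",
    2048: "print entry parsing debugging",
}
ALL_BITS = sum(LOGLEVELS)   # every known bit set

def decode_loglevel(level):
    """Names of the levels a numeric mask enables; -1 means all of them."""
    if level == -1:
        return [LOGLEVELS[bit] for bit in sorted(LOGLEVELS)]
    if level < 0 or level & ~ALL_BITS:
        raise ValueError("unknown bits in loglevel %d" % level)
    return [LOGLEVELS[bit] for bit in sorted(LOGLEVELS) if level & bit]

def compose_loglevel(*values):
    """OR several -d arguments together (each may itself be a mask), as slapd does."""
    mask = 0
    for value in values:
        if value == -1:
            return -1
        decode_loglevel(value)          # validates the bits
        mask |= value
    return mask

if __name__ == "__main__":
    print("-d 65 enables:", decode_loglevel(65))
    print("-d 1 -d 64 is the same as -d", compose_loglevel(1, 64))
```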

To check that the service is running and the configuration is correct:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
For example:
ldapsearch -x -b 'dc=ldap,dc=com'   to check the entries under that suffix

3. Stop slapd
kill -INT `cat /usr/local/var/slapd.pid`

4. Database operations
Query data: ldapsearch
Insert data: ldapadd
ldapadd needs its input in LDIF format.
For example, the content of a file example.ldif (replace <MY-DOMAIN>, <COM> and <MY ORGANIZATION> with your own values):
dn: dc=<MY-DOMAIN>,dc=<COM>
objectClass: dcObject
objectClass: organization
o: <MY ORGANIZATION>
dc: <MY-DOMAIN>

dn: cn=Manager,dc=<MY-DOMAIN>,dc=<COM>
objectClass: organizationalRole
cn: Manager
Run: ldapadd -x -D "cn=Manager,dc=<MY-DOMAIN>,dc=<COM>" -W -f example.ldif
and the data in the file is imported.
Modify data: ldapmodify -x -D "cn=root,dc=it,dc=com" -W -f modify.ldif
-x selects simple authentication, -D gives the DN to bind as, and -W prompts for the password.

Rebuild indexes: slapindex -f <slapd.conf> [-d <level>] [-n <dbnum> | -b <suffix>]

Export data: slapcat -l <ldif file> -f <slapd.conf> [-d <level>] [-n <dbnum> | -b <suffix>]
Set a user's password: ldappasswd -x -D "cn=root,dc=it,dc=com" -W "uid=qq1,dc=it,dc=com" -S
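An added Python example (not from the original article) that parses LDIF of the form above into entries. The sample input is a constructed copy of example.ldif with the placeholders filled in as "example", plus a folded line and a base64 (::) value to show the two LDIF features that are easy to get wrong.

```python
# Added example, not from the original article: a minimal LDIF reader.
import base64

# Constructed LDIF in the form shown above; "o:" is folded over two lines and
# "description::" carries a base64 value.
EXAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example
  Organization
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description:: TWFuYWdlciBvZiBleGFtcGxlLmNvbQ==
"""

def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [values]}) tuples."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" "):               # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):         # comments are dropped
            lines.append(raw)
    attrs = {}
    for line in lines + [""]:                 # trailing "" flushes the last record
        if not line:
            if attrs:
                entries.append((attrs.pop("dn")[0], attrs))
            attrs = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return entries
```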

5. Schema introduction
A schema is similar to the table definition of a database. The elements of a schema are identified by OIDs, for example:
OID assignment
------------------------------
1.1             organization's OID
1.1.1           SNMP elements
1.1.2           LDAP elements
1.1.2.1         AttributeTypes
1.1.2.1.1       myAttribute
1.1.2.2         ObjectClasses
1.1.2.2.1       myObjectClass

5.1 attributetypes
An attributetype is the equivalent of a column in a database table. Unlike a database column, one attribute of one entry can hold several values.
attributetype syntax:
AttributeTypeDescription = "(" whsp
    numericoid whsp                   ; AttributeType identifier
    [ "NAME" qdescrs ]                ; name used in AttributeType
    [ "DESC" qdstring ]               ; description
    [ "OBSOLETE" whsp ]
    [ "SUP" woid ]                    ; derived from this other
                                      ; AttributeType (top-level if there is no SUP)
    [ "EQUALITY" woid ]               ; matching rule name
    [ "ORDERING" woid ]               ; matching rule name
    [ "SUBSTR" woid ]                 ; matching rule name
    [ "SYNTAX" whsp noidlen whsp ]    ; syntax OID
    [ "SINGLE-VALUE" whsp ]           ; default multi-valued
    [ "COLLECTIVE" whsp ]             ; default not collective
    [ "NO-USER-MODIFICATION" whsp ]   ; default user modifiable
    [ "USAGE" whsp AttributeUsage ]   ; default userApplications
    whsp ")"

Example:
attributetype ( 2.5.4.41 NAME 'name'
    DESC 'name(s) associated with the object'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
    DESC 'common name(s) associated with the object'
    SUP name )
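An added Python example (not from the original article) that parses the two definitions above into dictionaries and resolves SUP so that cn inherits the matching rules and syntax of name. It only recognises the keywords listed in the syntax above and assumes well-formed input.

```python
# Added example, not from the original article: attributetype parsing with
# SUP inheritance (EQUALITY/ORDERING/SUBSTR/SYNTAX come from the supertype).
import re
# Constructed copy of the two definitions shown above (sample input).
SCHEMA_TEXT = """
attributetype ( 2.5.4.41 NAME 'name'
    DESC 'name(s) associated with the object'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
    DESC 'common name(s) associated with the object'
    SUP name )
"""
FLAGS = ("OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION")
VALUED = ("DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE")

def parse_attributetype(text):
    """Turn one 'attributetype ( oid ... )' definition into a dict."""
    body = re.sub(r"^\s*attributetype\s*\(\s*|\s*\)\s*$", "", text, flags=re.I)
    tokens = re.findall(r"'[^']*'|\(|\)|\S+", body)  # quoted strings stay whole
    attr, i = {"oid": tokens[0], "names": []}, 1
    while i < len(tokens):
        key, i = tokens[i].upper(), i + 1
        if key in FLAGS:                              # bare keywords, no value
            attr[key.lower()] = True
        elif key == "NAME" and tokens[i] == "(":      # NAME ( 'cn' 'commonName' )
            j = tokens.index(")", i)
            attr["names"], i = [t.strip("'") for t in tokens[i + 1:j]], j + 1
        elif key == "NAME":
            attr["names"], i = [tokens[i].strip("'")], i + 1
        elif key in VALUED:
            attr[key.lower()], i = tokens[i].strip("'"), i + 1
        else:
            raise ValueError("unexpected token %r" % tokens[i - 1])
    return attr

def load_schema(text):
    """Parse every definition in text and index each one by its lower-cased names."""
    attrs = [parse_attributetype(c)
             for c in re.split(r"(?i)(?=attributetype\s*\()", text) if c.strip()]
    return {n.lower(): a for a in attrs for n in a["names"]}

def resolve_sup(attr, by_name):
    """Inherit matching rules and syntax through the SUP chain."""
    out = dict(attr)
    parent = by_name.get(attr.get("sup", "").lower())
    if parent:
        inherited = resolve_sup(parent, by_name)
        for key in ("equality", "ordering", "substr", "syntax"):
            if key not in out and key in inherited:
                out[key] = inherited[key]
    return out
```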

5.2 objectclass
An objectclass is the equivalent of a database table; it defines which attributes an entry of that class may carry. It does not define the relationships between entries:
the hierarchy is given by the DN when data is inserted, so different data can use different tree layouts, which is very flexible.

ObjectClassDescription = "(" whsp
    numericoid whsp                   ; ObjectClass identifier
    [ "NAME" qdescrs ]
    [ "DESC" qdstring ]
    [ "OBSOLETE" whsp ]
    [ "SUP" oids ]                    ; superior ObjectClasses
    [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
                                      ; default structural
    [ "MUST" oids ]                   ; AttributeTypes
    [ "MAY" oids ]                    ; AttributeTypes
    whsp ")"

5.3 DN
The DN is the equivalent of the primary key in a database, for example:
cn=Manager,dc=ldap,dc=com

6. Introduction to JLDAP development
LDAPConnection ldapConn = new LDAPConnection();
ldapConn.connect(ldapHost, port);
ldapConn.bind(ldapVersion, loginDN, password.getBytes("UTF8"));
ldapConn.disconnect();
Common methods:
Query:  ldapConn.search(searchBase, searchScope, searchFilter, attrs, attributeOnly);
Modify: ldapConn.modify(dn, modSet.toArray(new LDAPModification[modSet.size()]));
Delete: ldapConn.delete(deleteDN);
Add:    ldapConn.add(new LDAPEntry(dn, attributeSet));
