[Highlights] [Post] Sharing: Building an LDAP-based address book, part 1: Basics

Build an LDAP-based address book

This tutorial demonstrates how to create an LDAP-based backend to store the shared contact information of multiple applications. At the same time, we provide an overview of the basic LDAP knowledge and introduce you to a pre-built contact management tool that will help you get started with this open technology.

Prerequisites
Readers should have a basic understanding of general management tasks and their concepts. This includes tasks such as setting permissions, managing user accounts, moving and copying files, and creating symbolic links.

To run the examples in this tutorial, you must have a Linux system and the following software installed and configured correctly:

Red Hat Linux 7.3. The specific operating-system descriptions are based on Red Hat Linux 7.3. We chose it because Red Hat Linux is very popular and most administrators and users are at least familiar with its system layout and some of its conventions.
OpenLDAP. OpenLDAP is used as the LDAP directory server. OpenLDAP is an open-source implementation based on open standards and can be downloaded for free. To a large extent, however, the structure, layout, and management tasks we discuss transfer easily to commercial directory servers, such as IBM's SecureWay server and Netscape's Directory Server products.

Getting started with LDAP

Overview:

LDAP stands for Lightweight Directory Access Protocol. Unlike some computer terms, LDAP's name describes it remarkably well.

LDAP is an open standard based on the X.500 directory standards, but it is simpler, leaner, and more scalable; it is lightweight compared with some other communication protocols. The LDAP standards are organized as a series of RFCs (Requests for Comments). For more information about LDAP-related RFCs, see the ldapman RFC page listed in the references.

Information is stored centrally in the LDAP directory on the server. The LDAP directory is a type of database, but it is not a relational database. Its directory or database structure is very similar to the Unix file system: data is stored hierarchically; there is a "root" or base DN (Distinguished Name); the directory is further subdivided into organizational units (OUs), which contain the data entries. This tree-and-leaf structure not only makes LDAP scalable, but also makes it faster than a traditional relational database for simple searches or queries.

Using the LDAP protocol, the client sends queries to the LDAP server (technically, LDAP has no "read" operation; the client sends a search request to the server to read directory entries). The server checks the client's permissions (that is, does the client have the right to access the database? Can it read the requested tree? Can it write information to the database? Can it delete an entry?), then returns the requested information. Almost all modern programming languages have LDAP APIs, which means that almost any software can support LDAP.

Unfortunately, the term LDAP is often used loosely, without context. At present the term is used in a variety of ways (the LDAP protocol, an LDAP server, or an LDAP client), and those who are not familiar with the LDAP world may be confused. For the purposes of this tutorial, I have made every effort to ensure that the context is stated or is clear from the surrounding discussion.

Why use LDAP

Over the past two or three years, LDAP has gone from an unfamiliar technology to today's "hot topic". The reason for its sudden popularity can be roughly summarized in two words: scalability and flexibility.

LDAP is both cross-platform and standards-based. This means that almost any application running on almost any computer platform can obtain information from an LDAP directory. In addition, the server's operating system, file system, and platform are irrelevant to the client.

An LDAP directory can store almost any type of data: email addresses, DNS information, NIS maps, security keys, contact lists, and computer names. If you need a specialized organizational unit or entry, you can customize the rules controlling what information a given field can hold, depending on the specific implementation (this is called the schema, discussed in detail later).

Most LDAP servers are relatively simple to install and configure, can run for years without maintenance, and are easy to optimize for specific types of access.

An LDAP directory can easily be configured to replicate some or all of the directory tree (using push or pull methods). This eliminates the need for system administrators to worry about single points of failure.

Access control lists (ACLs) can be used to control access to the directory. For example, the administrator can restrict who can see what based on membership in a given group or location, or grant specific users the ability to modify selected fields in their own records. ACLs provide extremely fine-grained access control, and this control is enforced by the LDAP installation rather than by the client requesting the information. In addition, LDAP integrates easily with most existing security layers and authentication systems (such as SSL, Kerberos, and PAM).

Andrewleading_h: 13:37:35

LDAP directory structure: base DN

So far we have discussed what LDAP is, how it works (at a high level), the general structure of an LDAP directory, and why LDAP implementations are so popular. Now we should look at the various components of an entry. As mentioned on the previous page, the "root" or top of the LDAP directory tree is the base DN. The base DN usually takes one of two forms: organization-based (for example, o=syroidmanor.com), or derived from the organization's DNS domain components (dc=syroidmanor,dc=com).

For most installations the latter is the preferred format, because it separates two completely distinct components. If your company decides to merge with another company in the future, you do not need to modify the existing structure: the base DN simply becomes two company branches of the dc=com tree (of course, if two companies that both use syroidmanor.com were merged, this would not help much).

All of this gives us two very important hints: (1) 99% of a successful LDAP implementation is planning in advance a scalable and effective structure for your organization, and (2) to some extent, every LDAP installation is unique. In other words, there are no fixed rules for the structural layout.

The figure at this point in the original tutorial (not reproduced here) shows an example of a "dc"-based LDAP directory structure (as opposed to an "organization"-based one).

Andrewleading_h: 13:52:38

LDAP directory structure: organizational units

Under the base DN of a directory are containers or organizational units (OUs), which logically separate or group your data. The choices here are usually determined by the organizational structure of your business or installation. In addition, second-level OUs can be used to separate the data further. For example, an international enterprise might use the following structure:

dc=foobar,dc=com
    ou=customers
        ou=NorthAmerica
        ou=SouthAmerica
        ou=Asia
        ou=Europe
    ou=employees
    ou=Group
    ou=Projects
    ou=Accounting
    ou=Resource
    ou=Service

The general rule of thumb is to keep your organizational structure as simple as possible without compromising future scalability. Note that the deeper you nest the structure containers, the longer it takes to return a query.

LDAP directory structure: entries

Below the organizational units of the LDAP structure are the actual entries. The following is an example shown in LDIF format (we will see more of the LDIF format when we fill the LDAP directory).

dn: cn=Tom Syroid,ou=employee,dc=syroidmanor,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Tom Syroid
cn: Thomas Syroid
sn: Syroid
givenname: Tom
initials: TMS
title: Project Manager
uid: tsyroid
mail: tom@syroidmanor.com
telephonenumber: 306 555 1212
mobile: 306 555 1999
roomnumber: 115
employeenumber: 33
employeetype: full time

First, note the following facts:

An entry is simply a place where attributes are stored.
An attribute is used to store one type of information in a directory container.
Each attribute has one type and one or more values.
Therefore, cn: Tom Syroid is an attribute of the entry, cn is the type, and the values associated with this type are "Tom Syroid" and "Thomas Syroid".

Now let's take a closer look at the attributes of the above entry. The first line contains the DN, or "distinguished name", of the entry. Each entry in the LDAP directory has a unique DN, and each DN is composed of two parts: the "relative distinguished name" (RDN) and a reference to the location in the LDAP directory structure where the record is stored. Almost all data stored in an LDAP directory has a unique name, which is usually stored in the cn attribute. In the preceding example, the cn value used to uniquely identify or distinguish the record is "Tom Syroid". Note that you could also use "Thomas Syroid", as long as the resulting DN is unique among all other entries in the database. The ou and dc values that follow point to the record's location in the directory structure.

Object Class

Object classes are used by the LDAP directory to define the attributes of a given type of object. An object class also defines the attributes that an entry must have and the attributes that it may have. All object classes inherit from their parent object classes and add their own requirements. The following is an example of an object class:

objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

An object class has five components: an OID (object identifier), a unique name, a parent object (SUP), any required attributes (MUST), and the list of allowed attributes (MAY). OIDs are the data identifiers used by the LDAP directory's internal database mechanism. Conceptually they are similar to IP addresses, because each object class must have a unique number and, as with the relationship between DNS and IP addresses, the individuals who create them register and "own" them. For more information about registering OIDs, see the Internet Assigned Numbers Authority (IANA).

Do you need an OID number to create your own object class? The answer depends on your directory server software: some allow it and some do not. See your LDAP documentation for details. For more information about the defined object classes and their attributes, see the ldapman schema reference page or the extremely useful LDAP schema viewer website.

What is a schema? A schema is simply a set of object classes grouped by similarity. For example, the inetOrgPerson schema contains definitions such as departmentNumber, employeeType, givenName, homePhone, and manager. The inetOrgPerson schema also inherits many object classes from its "parent" schema.

Summary

This chapter has covered a lot of basic knowledge in a short space. Although you do not need to understand the material discussed here before installing and configuring the LDAP server (the topic of the next chapter), the basic concepts behind the LDAP directory service help administrators better understand the principles behind LDAP operations. For more information about LDAP structures, object classes, and attributes, see the OpenLDAP Administrator's Guide and the many FAQs available at www.openldap.org.

Andrewleading_h: 13:55:12

Install and configure

... It's a little slow.

Andrewleading_h: 14:06:33

Install and configure OpenLDAP

Required software packages

On most package-based systems (for example, RPM-based distributions such as Red Hat, Mandrake, and SUSE), installing and configuring OpenLDAP is a relatively simple process. The first step is to determine which OpenLDAP components (if any) were installed as part of the initial Linux setup.

In the console window or command line, enter:

[root@thor root]# rpm -qa | grep openldap
openldap-devel-2.0.23-4
openldap-2.0.23-4
openldap-servers-2.0.23-4
openldap-clients-2.0.23-4
[root@thor root]#

You should see output similar to the above. Note that the Red Hat distribution installs the OpenLDAP client software but does not install the openldap-servers package, even if you select the server configuration. To install the RPM package, locate the desired file on the distribution media and enter:

rpm -ivh packagename

Configure OpenLDAP Server

After the necessary software is installed, the next step is to configure the server. First, back up the original configuration file for future reference (cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.orig). Open /etc/openldap/slapd.conf in your favorite text editor and spend several minutes reading the comments. Apart from defining the directory database type, the suffix, the rootdn, and the location where the directory database is stored, most of the default settings in slapd.conf are appropriate.

database ldbm
suffix "dc=syroidmanor,dc=com"
rootdn "cn=root,dc=syroidmanor,dc=com"
rootpw {crypt}05t/jkdwo0sui
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

Protecting the rootdn

The rootdn entry controls who can perform write operations on the directory database and the password they must supply. Be sure to read the note at the end of the "Access Control" section:

# if no access controls are present, the default is:
#       Allow read by all
#
# rootdn can always write!

"rootdn can always write!" says it all. Whatever you put in the cn= portion of the rootdn entry is a user with full read/write access to the database. In addition, the default configuration file uses "secret" as the password, and it is sent in plain text. If your LDAP server is reachable only from an intranet isolated from the outside by a firewall, and you are sure that the users who will access the LDAP server know nothing about packet sniffing, you can probably send the rootdn password in plain text safely (just be sure to change the password "secret" to something harder to guess). However, if the data you intend to store in the directory is even slightly confidential, the password should be hashed. You can do this with the slappasswd utility, as shown below:

[root@thor root]# slappasswd -h {crypt}

This program asks you to enter the password, and slappasswd then prints the crypt string corresponding to what you entered. Cut and paste the string into slapd.conf, as shown on the previous page. Other hash options include SSHA (the default), SMD5, MD5, and SHA. Enter man slappasswd for more information.

Test Server

Now is a good time to test the server. The configuration here is relatively simple and it is easy to diagnose possible problems. In Red Hat Linux, the command is:

[root@thor root]# service ldap start

Next, test your ability to access the directory:

[root@thor root]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

If the server is correctly configured, you should see output similar to the following (with a different dc, of course):

version: 2

#
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=syroidmanor,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

If you get an error message or the output differs greatly from the above, go back and check the configuration. To have the LDAP service start automatically on reboot, enter the following command:

[root@thor root]# chkconfig ldap on

The preceding command is specific to the Red Hat distribution.

Configure ACLs

The last step in configuring the LDAP server is to set up some basic access controls. This ensures that users can access only the entries they need.

In OpenLDAP you can set the ACLs (access control lists) either by placing an include line at the top of /etc/openldap/slapd.conf that points to a separate file (for example, include /etc/openldap/slapd.access.conf), or by adding the ACLs directly to slapd.conf. The choice is entirely yours: the include line is typically used by Mandrake, while Red Hat adds the ACLs to the configuration file.

On the next page, you will see a set of example ACLs and their descriptions.

ACL example

# Define ACLs -- Access Control Definitions

access to dn=".*,dc=syroidmanor,dc=com" attr=userPassword
    by dn="cn=root,dc=syroidmanor,dc=com" write
    by self write
    by * auth

access to dn=".*,dc=syroidmanor,dc=com" attr=mail
    by dn="cn=root,dc=syroidmanor,dc=com" write
    by self write
    by * read

access to dn=".*,ou=people,dc=syroidmanor,dc=com"
    by * read

access to dn=".*,dc=syroidmanor,dc=com"
    by self write
    by * read

The above configuration allows only the owner to modify the userPassword attribute, and only when the owner supplies his or her own password. In all other cases this attribute can be used only for authentication, not viewed. The second access to ... entry lets users modify their own email address (attr=mail). The third entry specifies that all DNs under ou=people,dc=syroidmanor,dc=com are read-only for everyone except the rootdn. This prevents users from changing their user name, UID, GID, and home directory. Finally, the last entry is a "catch-all" that covers anything not handled by the previous access controls. For example, it allows users to change the entries in their own address book.

Restart the server (service ldap restart) before it can use the new ACLs.
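To see how slapd's first-match evaluation plays out for the rules above, here is an added example (not from the original tutorial) that models the four access to clauses as data and evaluates them for a given bind DN, target DN, and attribute. It assumes, as OpenLDAP 2.0 did, that the dn="..." value is a regular expression and that the rootdn bypasses the ACLs; the entry DNs it uses are constructed from the tutorial's examples.

```python
"""Added example: evaluate the tutorial's slapd.conf ACLs with OpenLDAP's
first-match semantics. The first 'access to' clause whose target matches is
selected; within it the first 'by' clause whose subject matches decides the
access level. Assumptions (not from the tutorial): the dn="..." value is a
regular expression (as in OpenLDAP 2.0) and the rootdn bypasses the ACLs."""
import re

# Access levels in increasing order of privilege (OpenLDAP's ordering).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ROOTDN = "cn=root,dc=syroidmanor,dc=com"   # rootdn from the tutorial's slapd.conf

# The tutorial's four ACL clauses as data: (dn regex, attr or None, [(who, level), ...]).
ACLS = [
    (r".*,dc=syroidmanor,dc=com", "userpassword",
     [("dn=" + ROOTDN, "write"), ("self", "write"), ("*", "auth")]),
    (r".*,dc=syroidmanor,dc=com", "mail",
     [("dn=" + ROOTDN, "write"), ("self", "write"), ("*", "read")]),
    (r".*,ou=people,dc=syroidmanor,dc=com", None, [("*", "read")]),
    (r".*,dc=syroidmanor,dc=com", None, [("self", "write"), ("*", "read")]),
]

def _who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' subject match the bound identity? bind_dn None means anonymous."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError("unsupported 'by' subject: " + who)

def granted_level(acls, bind_dn, target_dn, attr=None, rootdn=ROOTDN):
    """Access level the ACL set grants bind_dn on target_dn (or on one of its attributes)."""
    if bind_dn is not None and bind_dn.lower() == rootdn.lower():
        return "write"                      # "rootdn can always write!"
    for dn_regex, acl_attr, by_clauses in acls:
        if not re.fullmatch(dn_regex, target_dn, re.IGNORECASE):
            continue
        if acl_attr is not None and (attr is None or attr.lower() != acl_attr):
            continue                        # attr-specific clause, other attribute requested
        for who, level in by_clauses:       # first matching 'by' wins
            if _who_matches(who, bind_dn, target_dn):
                return level
        return "none"                       # clause matched but no 'by' did: denied
    return "none"                           # no clause matched: denied once ACLs exist

def allowed(acls, bind_dn, target_dn, operation, attr=None, rootdn=ROOTDN):
    """True if the granted level is at least the level the operation needs."""
    granted = granted_level(acls, bind_dn, target_dn, attr, rootdn)
    return LEVELS.index(granted) >= LEVELS.index(operation)

def anonymous_can_read_passwords(acls, sample_dn):
    """Misconfiguration check: can an unauthenticated client read userPassword of sample_dn?"""
    return allowed(acls, None, sample_dn, "read", "userpassword")

if __name__ == "__main__":
    joe = "uid=juser,ou=people,dc=syroidmanor,dc=com"      # constructed, from the tutorial
    print(granted_level(ACLS, None, joe, "userpassword"))    # auth
    print(granted_level(ACLS, joe, joe, "userpassword"))     # write
    print(granted_level(ACLS, joe, joe, "uid"))              # read (ou=people is read-only)
    # Moving the ou=people catch-all ahead of the password rule exposes the hashes.
    print(anonymous_can_read_passwords([ACLS[2]] + ACLS, joe))   # True
```

The last call shows why clause order matters: the attribute-specific userPassword rule must come before the broader ou=people rule, or the broader rule's "by * read" applies to password hashes as well.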

After completing the basic configuration, you should fill in some useful items to the database.

Fill data

At this stage you should have a general understanding of LDAP's internal mechanisms and structure, and a running OpenLDAP server. The next step is to load your contact data into the directory so that the email application can query it for email addresses. Unfortunately, this is where things get a little tricky.

There are three basic ways to enter contact information into the directory tree: manual input from the command line, import via LDIF (LDAP Data Interchange Format), or scripts. The tricky part is choosing an effective method and entering the data into the database correctly, without errors. The upside is that once the process is complete, you never have to go through it again, provided you keep using LDAP-enabled applications.

Manual population of the database is the most direct of the three methods (although, as the word "manual" implies, it is the most labor-intensive), so we will deal with this process first.

Manual data input

First, enter the following in a console window or at the command line:

[root@thor root]# ldapadd -x -D "cn=root,dc=syroidmanor,dc=com" -h server -W
Password: *******
dn: uid=juser,ou=people,dc=syroidmanor,dc=com
uid: juser
cn: Joe User
givenname: Joe
sn: User
mail: juser@syroidmanor.com
objectclass: top
objectclass: mailrecipient
objectclass: person
objectclass: inetorgperson
^D

adding new entry "uid=juser,ou=people,dc=syroidmanor,dc=com"
[root@thor root]#

The process described above uses three basic LDAP operations: bind, update, and an implicit unbind. To modify the directory, you must bind (connect) to the LDAP server as a privileged user. The example shown uses cn=root because that is how the OpenLDAP server was configured. If you used a different name for the rootdn entry in slapd.conf, substitute it.

After the password prompt, enter the DN, followed by the data to be associated with the DN (the RDN entries), followed by the object classes that contain the type/value attribute pairs. The Ctrl-D at the end sends the data to the server and implicitly unbinds from it. The LDAP server then responds with a message that the data was entered successfully (as shown) or with an error message. Common errors are trying to add a type/value without specifying the correct object class, adding a user or RDN that already exists, or forgetting a MUST item (for example, the person object class requires both givenName and sn).

In addition, when entering data manually you must be aware of the following:

You must know which object class has the attributes for the type/value RDN data you are adding.
This process requires a great deal of work.
It is easy to enter an entry incorrectly, which results in erroneous entries in the directory tree.
In general, it is important to visualize your directory tree layout and be familiar with the schema your LDAP server is configured with.

The last point applies to all data-entry methods. It is the goal of the "Getting started with LDAP" chapter. Understanding the structure of LDAP and knowing clearly what you are trying to accomplish goes a long way toward eliminating the frustration and the inevitable errors associated with populating an LDAP database.

Ldif Method

The second method for inserting data into the LDAP directory is to use an LDIF file. An LDIF file is simply a plain-text document containing the data to be inserted, in a specific syntax. You are already familiar with the syntax: dn: followed by the location in the tree where the entry is stored, followed by one or more RDN entries (the data type/value pairs), followed by the necessary object classes. To create an LDIF file, use a plain-text editor and enter the data you want to add to the directory. Using our earlier example:

dn: uid=juser,ou=people,dc=syroidmanor,dc=com
uid: juser
cn: Joe User
givenname: Joe
sn: User
mail: juser@syroidmanor.com
objectclass: top
objectclass: mailrecipient
objectclass: person
objectclass: inetorgperson

Save the file (for example, as example.ldif). In a console window or at the command line, enter:

[root@thor root]# ldapadd -x -D "cn=root,dc=syroidmanor,dc=com" -W -f example.ldif

You will be prompted for the rootdn password. After authentication, the data contained in the LDIF file is written into the LDAP database.

Advantages and disadvantages of ldif Method

The LDIF method has both advantages and disadvantages. Its advantages include:

You can check spelling and syntax before importing the file into the database.
You can create an LDIF file with many entries and add them all to the directory in one operation.
If the import fails, you simply open the LDIF file, locate the error, and try the import again.
LDIF files are an open standard and can be imported into almost any directory server.

Disadvantages:

The process still requires a lot of work: you must enter all the entries in the LDIF file and follow the correct syntax.
When the LDAP server encounters an error in the import file, it is not always easy to deal with. Although you may get a "syntax error" message, it does not tell you where the error is in a large LDIF file.

In summary, LDIF files have some obvious advantages over manual data entry from the command line. However, you must still enter the contact information into the file using the correct syntax and import it into the directory. Is there a more automated way to populate the LDAP database? Read on.
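The two failure modes above (a MUST attribute forgotten or the wrong object class, and an import error that does not say where in a large LDIF file it occurred) can be caught before ldapadd ever runs. The following is an added example, not code from the tutorial: a small LDIF checker that applies the MUST/MAY rules from the object-class section and verifies that each entry's RDN is actually present in the entry, reporting the line number of each bad entry. Its SCHEMA table is an assumption built from the person definition quoted earlier plus a hypothetical subset of the other classes; the sample LDIF is constructed.

```python
"""Added example (not the tutorial's code): check an LDIF file against object-class MUST/MAY
rules and RDN consistency before running ldapadd, reporting the line of each bad entry. The
schema is an assumption: the 'person' class quoted in the tutorial plus hypothetical subsets."""

# objectClass -> (parent, MUST attrs, MAY attrs); attribute names lowercased.
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"}, {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(), {"title"}),           # hypothetical subset
    "inetorgperson": ("organizationalperson", set(), {"givenname", "initials", "uid", "mail",
                      "mobile", "roomnumber", "employeenumber", "employeetype"}),  # subset
}

def parse_ldif(text):
    """[(dn_line_no, dn, {attr: [values]}), ...]; '#' comments skipped, no base64/continuation."""
    entries, entry = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line %d: not an 'attr: value' line" % no)
        name, value = name.strip().lower(), value.strip()
        if name == "dn":                      # a dn: line always starts a new entry
            entry = (no, value, {})
            entries.append(entry)
        elif entry is None:
            raise ValueError("line %d: attribute before any dn:" % no)
        else:
            entry[2].setdefault(name, []).append(value)
    return entries

def _inherited(oc):
    """(must, may) for an object class, including everything from its parent chain."""
    must, may = set(), set()
    while oc is not None:
        oc, m, y = SCHEMA[oc]                 # SCHEMA[oc][0] is the parent class
        must, may = must | m, may | y
    return must, may

def validate_entry(line_no, dn, attrs):
    """Problems for one entry; empty when the entry would satisfy the schema."""
    where = "line %d: %s: " % (line_no, dn)
    ocs = [v.lower() for v in attrs.get("objectclass", [])]
    unknown = sorted(oc for oc in ocs if oc not in SCHEMA)
    if not ocs or unknown:
        return [where + ("unknown objectClass " + ",".join(unknown) if unknown else "no objectClass")]
    must, may = set(), set()
    for oc in ocs:
        m, y = _inherited(oc)
        must, may = must | m, may | y
    problems = [where + "missing required attribute '%s'" % a for a in sorted(must - set(attrs))]
    problems += [where + "attribute '%s' not allowed by its object classes" % a
                 for a in sorted(set(attrs) - must - may)]
    rname, _, rvalue = dn.split(",", 1)[0].partition("=")   # the RDN, e.g. uid=juser
    if rvalue.strip().lower() not in [v.lower() for v in attrs.get(rname.strip().lower(), [])]:
        problems.append(where + "RDN value not present in attribute '%s'" % rname.strip())
    return problems

def validate_ldif(text):
    """All problems in the file, in file order, each prefixed with the entry's dn: line number."""
    return [p for no, dn, attrs in parse_ldif(text) for p in validate_entry(no, dn, attrs)]

# Constructed sample: a trimmed copy of the tutorial's Joe User entry, then a bad entry.
SAMPLE_LDIF = """\
dn: uid=juser,ou=people,dc=syroidmanor,dc=com
uid: juser
cn: Joe User
sn: User
objectclass: top
objectclass: person
objectclass: inetorgperson

# sn is missing, uid is not allowed by 'person' alone, and the RDN value is not in the entry
dn: uid=bsmith,ou=people,dc=syroidmanor,dc=com
uid: bob
cn: Bob Smith
objectclass: person
"""

if __name__ == "__main__":
    print("\n".join(validate_ldif(SAMPLE_LDIF)))
```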

Script Method

You can use scripts, typically written in Perl or PHP, to take your data and "automatically" insert it into the LDAP directory. This method has two problems. First, and most importantly, every script I personally tried had many serious bugs. In some of the worst cases, data was destroyed during the import or the directory tree itself was damaged. Second, importing data with a script assumes that the data already exists in some form. This is fine when importing user passwords and group information from /etc/passwd and /etc/group respectively, but your contact information may not be in a commonly recognized format. After all, the main purpose of this tutorial is to keep the contact information from being locked into a proprietary format.

What if you export the contact data to a comma-separated plain-text file and find a script that can import it into the LDAP directory? If you can find such a script, and if it works as claimed, you are all set. Remember, though, that your email client has its own precise interpretation of comma-separated files. Does it add a carriage return at the end of each line? How does the export program handle spaces in embedded fields? People often grab an LDAP import script to move their data from application A (exported in format X) into the LDAP directory. If their application and export format match yours, try it. However, be sure to back up your directory database first, so that if the import fails you can return to a "known good" state.

Link: http://www.chinaunix.net/jh/49/387963.html
