1. What is LDAP
LDAP is a protocol used to publish directory information to many different resources. It is usually used as a centralized address book, but it can be made much more powerful according to the organization's needs.
In its most basic form, LDAP is a standard way of connecting to a database. That database is optimized for read queries, so it returns query results quickly but is much slower at other operations, such as updates. Note that LDAP is usually used as a hierarchical database rather than a relational one, so its structure is better represented as a tree than as a table. Because of this, you cannot query it with SQL statements.
In short, LDAP is a fast way to obtain centralized, static data about people or resources.
LDAP stands for Lightweight Directory Access Protocol. It is essentially a phone book like the ones we use every day; network directories such as NIS (Network Information Service) and DNS (Domain Name Service) are similar, and all of them are organized like the trees you see in a garden.
LDAP is a special kind of database, and it is important to understand how it differs from a general-purpose database: LDAP is optimized for query performance, which is much better than its write performance.
1.1 LDAP storage rules
Distinguished Name (DN)
Unlike a tree in nature, each leaf in a file system, an LDAP directory or a telephone address book has at least one unique attribute that lets us tell the branches apart.
In a file system, that unique attribute is the file name together with its full path. For example, in /etc/passwd the file name is unique under that path. Of course we can also have /usr/passwd and /opt/passwd, but they are still unique by their complete paths.
In LDAP, the distinguished name of an entry is its "dn" (Distinguished Name). This name is always unique within a directory. For example, my dn is "uid=aghaffar,ou=People,o=developer.ch". Two entries cannot have the same dn, but we can have, for example, "uid=aghaffar,ou=Administrators,o=developer.ch". This is like the /etc/passwd and /usr/passwd example in the file system.
The unique attributes are uid within "ou=Administrators,o=developer.ch" and uid within "ou=People,o=developer.ch", so there is no conflict.
CN = Common Name: the user name or server name; at most 80 characters, and may contain Chinese characters.
OU = Organization Unit: an organizational unit; up to four levels, each level up to 32 characters, and may contain Chinese characters.
O = Organization: the organization name, 3 to 64 characters long.
C = Country name: optional; 2 characters long.
The LDAP directory stores record entries as a series of "attribute pairs"; each entry consists of attribute types and attribute values (fundamentally different from a relational database, which accesses data by rows and columns). For example:
mail = testmail@mccc.net
othermailbox = testmailother@mccc.com
givenname = givenname
sn = test sn
Attributes can be added, and a value must be assigned to the following attribute:
objectclass = person (value: person, server, organization, or another custom value)
2. How does PHP operate on LDAP?
2.1 How PHP connects to and disconnects from LDAP
$ds = ldap_connect("ServerName");
ServerName is the name of the LDAP server, for example:
$ds = ldap_connect("10.31.172.30:1000");
Return value: true or false
Close the connection:
ldap_close($ds);
2.2 How to search for user information in PHP
$ds = ldap_connect("10.31.172.30:1000");
// Connect to the server first
$justthese = array("cn", "userpassword", "location", "mail");
// The search function takes a parameter listing which attributes should be returned;
// here cn, userpassword, location and mail are requested (mail is needed for the loop below).
// Attribute names must be in lower case.
$sr = ldap_search($ds, "o=jite", "cn=dom*", $justthese);
// First parameter: the LDAP link opened above
// Second parameter: the base dn to search under, for example "o=jite,c=cn"
// Third parameter: the filter, a Boolean condition; its syntax is described in the dirsdkpg.pdf file on the Netscape website
// 'o' is the organization name, 'cn' is the user name, and the user name may use the wildcard '*'
echo "Number of entries matching cn=dom*: " . ldap_count_entries($ds, $sr) . "\n";
// ldap_count_entries($ds, $sr) gives the total number of records returned
$info = ldap_get_entries($ds, $sr);
// All data returned from LDAP
echo "data returned: " . $info["count"] . " records\n";
for ($i = 0; $i < $info["count"]; $i++) {
    echo "dn: " . $info[$i]["dn"] . "\n";
    echo "cn: " . $info[$i]["cn"][0] . "\n";                   // Display the user name
    echo "email: " . $info[$i]["mail"][0] . "\n";              // Display the mail address
    echo "password: " . $info[$i]["userpassword"][0] . "\n";   // Display the stored (hashed) password value
}
2.3 Add a user
$ds = ldap_connect("10.31.172.30:1000");
// Connect to the server first
$r = ldap_bind($ds, "cn=domadmin,o=jite", "password");
// Bind as an administrator that has write permission
// The order of cn=domadmin and o=jite cannot be changed
$info = array();
$info["cn"] = "aaa"; // required
$info["userpassword"] = "aaa";
$info["location"] = "shanghai";
$info["objectclass"] = "person"; // objectclass must be person for an individual, server for a server, and so on
ldap_add($ds, "cn=" . $info["cn"] . ",o=jite", $info);
ldap_unbind($ds);
// Unbind; this also closes the connection, because ldap_close() is an alias of ldap_unbind()
// and calling both on the same link is an error
2.4 Delete a user
$ds = ldap_connect("10.31.172.30:1000");
// Connect to the server first
ldap_bind($ds, "cn=domadmin,o=jite", "password");
// Bind as an administrator with delete permission
$dn = "cn=dingxf,o=jite";
ldap_delete($ds, $dn);
// Delete the user
ldap_unbind($ds);
// Unbind; this also closes the connection (ldap_close() is an alias of ldap_unbind())
2.5 Modify user information
$ds = ldap_connect("10.31.172.30:1000");
// Connect to the server first
ldap_bind($ds, "cn=domadmin,o=jite", "password");
// Bind as an administrator with modify permission
$dn = "cn=dingxf,o=jite";
// The user's dn
$info = array();
$info["userpassword"] = "aaa"; // the attributes to be modified are placed in an array
$info["location"] = "shanghaisdaf";
ldap_modify($ds, $dn, $info);
// Apply the modification
ldap_unbind($ds);
// Unbind; this also closes the connection (ldap_close() is an alias of ldap_unbind())
2.6 User logon verification
$ds = ldap_connect("10.31.172.30:1000");
// Connect to the server first
if (ldap_bind($ds, "cn=dingxf,o=jite", "dingxf")) {
    echo "verified";
} else {
    echo "verification failed";
}
ldap_unbind($ds);
// Unbind; this also closes the connection (ldap_close() is an alias of ldap_unbind())
Note: this method is simple and practical. If the bind fails, ldap_bind() emits the warning "Warning: LDAP: Unable to bind to server: inappropriate authentication in /home/htdocs/jldl.net/ldap/test.php3 on line 16".
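As an added example (not code from the original article), the following combines the search from 2.2 with the logon check from 2.6 into one function: it refuses an empty password, because an empty password turns ldap_bind() into an anonymous or unauthenticated bind that many servers accept, so any user name would appear "verified"; and it passes the user-supplied name through ldap_escape() before placing it in a filter, so characters like '*', '(' and '\' cannot change the filter's meaning. The URI ldap://10.31.172.30:1000, the base o=jite and the function name ldapLogin are assumptions taken from the article's sample values.

```php
<?php
// Added example, not from the original article. Assumes an LDAP server reachable at
// ldap://10.31.172.30:1000 with base "o=jite" and user entries like "cn=dingxf,o=jite".
function ldapLogin(string $uri, string $base, string $username, string $password): bool
{
    // An empty password makes ldap_bind() an anonymous/unauthenticated bind, which
    // many servers accept, so it must never be treated as a successful logon.
    if ($username === '' || $password === '') {
        return false;
    }

    $ds = ldap_connect($uri);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Escape the user-supplied value for use inside a search filter (RFC 4515 rules).
    $filter = '(cn=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_search($ds, $base, $filter, ['dn']); // only the dn is needed
    if ($sr === false || ldap_count_entries($ds, $sr) !== 1) {
        ldap_unbind($ds);
        return false; // unknown user, or more than one entry matched
    }

    // Take the dn from the directory instead of building it from user input.
    $entry = ldap_first_entry($ds, $sr);
    $dn = ldap_get_dn($ds, $entry);

    // Bind as that user; '@' suppresses the warning described in the note above,
    // the boolean result is what decides the outcome.
    $ok = @ldap_bind($ds, $dn, $password);
    ldap_unbind($ds); // also closes the link (ldap_close() is an alias)
    return $ok;
}

// Usage with the article's sample user (constructed values):
var_dump(ldapLogin('ldap://10.31.172.30:1000', 'o=jite', 'dingxf', 'dingxf'));
```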