8/3/2019 LDAP Basics
Directory-Enabled Applications
Tim Howes
Netscape Communications Corporation
Overview
What LDAP can and can't do for you
LDAP history and overview
The LDAP API
The Netscape LDAP SDK
Integrating LDAP with your environment
What the future holds
Setting the stage...
"Directory services are the logical place at which network services, applications, and people meet, find one another, and act." The Burton Group, July 1996
"[HTTP] sparked a networking revolution... Now [LDAP] is poised to go even further... Its potential is enormous." Network Computing, October 1996
What LDAP can do for you
Three perspectives
As a user
As an administrator
As a developer
What LDAP can do for you
As a user
Single place to maintain personal information
Single source for information about others
The place to find what you need to access
Makes remote access as easy as local access
Unchains you from your desktop
Facilitates everyday communication and work
What LDAP can do for you
As an administrator
Single place to administer users and groups
Single place to administer enterprise configuration information
Allows authority to be distributed
Allows data to be distributed and replicated for reliability and performance
What LDAP can do for you
As an application developer
Allows you to provide these functions to your users
Place to get and store information about users
Place to get and store configuration information
Provides mobility to users of your application
General attribute/value directory that is fast, replicated, and reliable
What LDAP can't do for you
Replace the relational database
Replace the DNS
Replace Internet search services
LDAP complements all of these things
LDAP history
First there was X.500: the OSI directory service
Some great ideas, but it's OSI
Heavyweight
Separate infrastructure
Few implementations
Kitchen sink approach
LDAP history
Along came the Lightweight Directory Access Protocol: at first, a lightweight front end to X.500
TCP transport
Trimmed-down functionality
String encodings
IETF-defined
Spurred lots of client development
LDAP history: X.500 roots
[Diagram: LDAP client --LDAP--> LDAP server --DAP--> X.500 server --DSP--> X.500 server]
LDAP history
But if I have LDAP, do I really need X.500?
NO!
University of Michigan slapd (stand-alone LDAP daemon) provides the proof
Netscape and 40+ other vendors picked up this ball and are running with it
LDAP history: stand-alone LDAP
[Diagram: LDAP client --LDAP--> LDAP server --LDAP--> LDAP server]
LDAP models: overview
The Big Picture
Information: what can be stored
Namespace: how it can be referenced
Functional: what can be done with it
Security: how it can be protected
The LDAP Big Picture
[Diagram: the LDAP client sends requests to, and receives responses from, the LDAP server]
Listens on TCP port 389 for LDAP
636 for LDAP over SSL
LDAP models: overview
The Big Picture
Information: what can be stored
Namespace: how it can be referenced
Functional: what can be done with it
Security: how it can be protected
LDAP models: information
The basic unit of information is the entry
An entry is a collection of attributes
Each attribute has a type and one or more values
The type determines what kind of values can be stored
Information model illustrated
[Diagram: an Entry is made up of Attr, Attr, Attr, ...; each Attribute is made up of a Type and Value, Value, ...]
LDAP models: information
Example: a complete entry for a person
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
mail: [email protected]
jpegphoto: /9j/4AAQSkZJRgABAA...
objectclass: top
objectclass: person
LDAP models: information
Notice the special objectclass attribute
Objectclass controls what other attributes are required and allowed in the entry
This is how LDAP does schema
LDAP models: overview
Information: what can be stored
Namespace: how it can be referenced
Functional: what can be done with it
Security: how it can be protected
LDAP models: namespace
One or more attributes from the entry are used to form the entry's relative distinguished name (RDN)
Entries can, but need not, be arranged in a hierarchical tree-like structure
An entry's full name is formed using its RDN and the RDNs of its ancestors
The format is defined in RFC 1779
LDAP models: namespace
Example Hierarchical LDAP Tree
c=AU  (c: AU, co: Australia, ...)
    RDN: c=AU
    DN: c=AU
c=US  (c: US, co: America, ...)
    RDN: c=US
    DN: c=US
    o=Ace Industry  (o: Ace Industry, fax: +1 415 555-1212, ...)
        RDN: o=Ace Industry
        DN: o=Ace Industry, c=US
        cn=Barbara Jensen  (cn: Barbara Jensen, cn: Babs Jensen, sn: Jensen, mail: [email protected], ...)
            RDN: cn=Barbara Jensen
            DN: cn=Barbara Jensen, o=Ace Industry, c=US
    o=Netscape  (o: Netscape, url: http://home.netscape.com/, ...)
LDAP models: namespace
For corporate directories, the namespace usually follows a country, locality, organization model
LDAP the protocol does not require this
You can construct your own flat namespace or other configurations
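The DN and RDN structure described above in working C, as an added example that is not part of the deck: a splitter that breaks a DN into its RDNs the way the API's ldap_explode_dn() does, honouring the RFC 1779 rules that a backslash-escaped comma, or a comma inside a double-quoted value, does not separate RDNs. The function names (explode_dn, free_rdns) and the MAX_RDNS limit are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_RDNS 32

/* Free an array returned by explode_dn(). */
void free_rdns(char **rdns) {
    if (rdns == NULL) return;
    for (size_t i = 0; rdns[i] != NULL; i++) free(rdns[i]);
    free(rdns);
}

/* Split a DN into its RDNs, most specific first, as ldap_explode_dn() does.
 * A comma preceded by a backslash, or inside a double-quoted value, does not
 * separate RDNs (RFC 1779); blanks around separators are dropped. Returns a
 * NULL-terminated array of malloc'd strings, or NULL for an empty RDN, an
 * unterminated quote, or more than MAX_RDNS components. */
char **explode_dn(const char *dn) {
    size_t len = strlen(dn), n = 0, bl = 0;
    char **rdns = calloc(MAX_RDNS + 1, sizeof(char *));
    char *buf = malloc(len + 1);        /* scratch space for the current RDN */
    int quoted = 0;
    if (rdns == NULL || buf == NULL) { free(rdns); free(buf); return NULL; }
    for (size_t i = 0; i <= len; i++) {
        char c = dn[i];
        if (c == '\\' && i + 1 < len) {             /* keep the escape pair */
            buf[bl++] = c; buf[bl++] = dn[++i];
        } else if (c == '"') {
            quoted = !quoted; buf[bl++] = c;
        } else if ((c == ',' && !quoted) || c == '\0') {
            size_t s = 0, e = bl;                    /* trim the finished RDN */
            while (s < e && buf[s] == ' ') s++;
            while (e > s && buf[e - 1] == ' ') e--;
            if (e == s || n == MAX_RDNS || (rdns[n] = malloc(e - s + 1)) == NULL) {
                free_rdns(rdns); free(buf); return NULL;
            }
            memcpy(rdns[n], buf + s, e - s); rdns[n][e - s] = '\0';
            n++; bl = 0;
        } else {
            buf[bl++] = c;
        }
    }
    free(buf);
    if (quoted) { free_rdns(rdns); return NULL; }   /* unterminated quote */
    return rdns;
}

int main(void) {
    /* the DN from the slide's hierarchical tree */
    char **rdns = explode_dn("cn=Barbara Jensen, o=Ace Industry, c=US");
    for (size_t i = 0; rdns != NULL && rdns[i] != NULL; i++)
        printf("RDN %zu: %s\n", i, rdns[i]);
    free_rdns(rdns);
    return 0;
}
```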
LDAP models: namespace
Example Flat LDAP Tree
cn=Gern Jensen  (cn: Gern Jensen, sn: Jensen, mail: [email protected], ...)
    RDN: cn=Gern Jensen
    DN: cn=Gern Jensen
cn=Bjorn Jensen  (cn: Bjorn Jensen, sn: Jensen, mail: [email protected], objectclass: top, objectclass: person, ...)
    RDN: cn=Bjorn Jensen
    DN: cn=Bjorn Jensen
cn=Barbara Jensen  (cn: Barbara Jensen, cn: Babs Jensen, sn: Jensen, mail: [email protected], ...)
    RDN: cn=Barbara Jensen
    DN: cn=Barbara Jensen
LDAP models: overview
Information: what can be stored
Namespace: how it can be referenced
Functional: what can be done with it
Security: how it can be protected
LDAP models: functional
Nine protocol operations
Bind, Unbind
Search, Compare
Add, Delete, Modify, Modify RDN
Abandon
LDAP models: functional
Bind: authenticate to the server
Unbind: end a protocol session
Search: search for and retrieve entries based on some search criteria
Compare: see if an entry contains a given attribute value
LDAP models: functional
Add: add entries to the directory
Delete: delete entries from the directory
Modify: change an existing directory entry
Modify RDN: change the RDN of an existing directory entry
Abandon: cancel an operation in progress
LDAP models: functional
Search is very powerful... you specify:
Where to begin the search (base object)
The scope of the search (subtree, one-level, base object)
The filter used to select entries (RFC 1960)
The attributes to return
Size and time limits
LDAP models: functional
Example search: return the email address of all entries in the o=Ace Industry, c=US subtree that have a surname of Jensen
Base: o=Ace Industry, c=US
Scope: LDAP_SCOPE_SUBTREE
Filter: (sn=Jensen)
Attrs: mail
LDAP models: functional
Example search: find the phone and email of all people in Ace Industry who have an email address and are in the marketing department
Base: o=Ace Industry, c=US
Scope: LDAP_SCOPE_SUBTREE
Filter: (&(mail=*)(dept=marketing)(objectclass=person))
Attrs: telephonenumber, mail
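Building the filter above from a caller-supplied department name, as an added C example that is not part of the deck or the Netscape SDK: filter_escape_value() applies the RFC 1960 rule that '*', '(', ')' and '\' inside an assertion value are written as a backslash plus two hex digits, so the literal '*' in (mail=*) stays a presence test while a value containing those characters is only ever matched as data. The function names are my own; NUL cannot occur in a C string, so it is not handled here.

```c
#include <stdio.h>
#include <string.h>

/* RFC 1960 value escaping: '*', '(', ')' and '\' become "\xx" (two hex
 * digits); everything else is copied as-is. Returns the escaped length, or
 * -1 if out (outlen bytes) is too small. Hypothetical helper, not an SDK call. */
int filter_escape_value(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    if (outlen == 0) return -1;
    for (const char *p = in; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outlen) return -1;          /* room for "\xx" + NUL */
            snprintf(out + o, outlen - o, "\\%02x", c);
            o += 3;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* The slide's marketing-department search with the department supplied by the
 * caller. "(mail=*)" keeps its deliberate wildcard; the caller's value is
 * escaped so it is compared as data and cannot change the filter's structure.
 * Returns the filter length, or -1 if it does not fit in out. */
int build_dept_filter(const char *dept, char *out, size_t outlen) {
    char esc[256];
    int n;
    if (filter_escape_value(dept, esc, sizeof esc) < 0) return -1;
    n = snprintf(out, outlen, "(&(mail=*)(dept=%s)(objectclass=person))", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void) {
    char filter[256];
    /* constructed inputs: a plain department and one containing filter metacharacters */
    const char *depts[] = { "marketing", "R&D (west)" };
    for (int i = 0; i < 2; i++)
        if (build_dept_filter(depts[i], filter, sizeof filter) > 0)
            printf("Filter: %s\n", filter);
    return 0;
}
```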
LDAP models: functional
Modify lets you change existing entries
You specify a sequence of changes that
Add values
Delete values
Replace all values
They all succeed or fail as a group
LDAP models: overview
Information: what can be stored
Namespace: how it can be referenced
Functional: what can be done with it
Security: how it can be protected
LDAP models: security
LDAP connections can be authenticated
The Bind operation does this at the LDAP level
Simple password-based authentication in v2
Extensible authentication in v3
SSL does this at the transport level
Allows an access control framework to secure the information in the server
LDAP models: security
The Netscape LDAP server provides rich access control
Protects subtrees, entries, and attributes
Access can be granted or denied based on
Distinguished name
Domain name
IP address
The LDAP API
History and overview
A quick example
Synchronous interface
Asynchronous interface
Parsing and other routines
Support for threads, alternate I/O, SSL, etcetera
The LDAP API: history
Developed at the University of Michigan to be simple, flexible, and powerful
Defined in RFC 1823, "The LDAP Application Program Interface"
Widely adopted and implemented in the LDAP community
C bindings now, Java and JavaScript soon
LDAP API: history
RFC 1823 defines the basics
The Netscape SDK includes a few enhancements for
Information hiding
Threading
Security (SSL)
The core calls are the same
A quick example
Problem: print out the name and every attribute of all Jensens at Ace Industry
Four steps
Initialize
Search
Parse and print
Clean up
A quick example: code
#include <stdio.h>
#include <ldap.h>

/* fail() stands for the program's error-exit routine (not shown on the slide) */
int
main(int argc, char **argv)
{
    LDAP *ld;
    LDAPMessage *e, *result;
    char *dn, *a, **vals;
    BerElement *ber;
    int i;

    /* Init: open the session and bind anonymously */
    if ((ld = ldap_init("ldap.aceindustry.com", LDAP_PORT)) == NULL)
        fail();
    if (ldap_simple_bind_s(ld, NULL, NULL) != LDAP_SUCCESS)
        fail();
    /* Search: every Jensen in the Ace Industry subtree, all attributes */
    if (ldap_search_s(ld, "o=Ace Industry, c=US", LDAP_SCOPE_SUBTREE, "(sn=Jensen)", NULL,
        0, &result) != LDAP_SUCCESS)
        fail();
    /* Parse: walk the entries, then each attribute and its values */
    for (e = ldap_first_entry(ld, result); e != NULL; e = ldap_next_entry(ld, e)) {
        dn = ldap_get_dn(ld, e);
        printf("dn: %s\n", dn);
        ldap_memfree(dn);
        for (a = ldap_first_attribute(ld, e, &ber); a != NULL;
            a = ldap_next_attribute(ld, e, ber)) {
            if ((vals = ldap_get_values(ld, e, a)) != NULL) {
                for (i = 0; vals[i] != NULL; i++)
                    printf("%s: %s\n", a, vals[i]);
                ldap_value_free(vals);
            }
            ldap_memfree(a);    /* attribute names are allocated by the library */
        }
        if (ber != NULL)
            ber_free(ber, 0);
        printf("\n");
    }
    /* Cleanup: free the result chain and close the session */
    ldap_msgfree(result);
    ldap_unbind(ld);
    return 0;
}
A quick example: output
dn: cn=Barbara Jensen, o=Ace Industry, c=US
cn: Barbara Jensen
sn: Jensen
mail: [email protected]
objectclass: top
objectclass: person
dn: cn=Bjorn Jensen, o=Ace Industry, c=US
cn: Bjorn Jensen
sn: Jensen
mail: [email protected]
telephonenumber: +1 415 555-1212
objectclass: top
objectclass: person
...
Example detail: initialization
#include <ldap.h>

LDAP *ld;

/* initialize the LDAP session */
if ((ld = ldap_init("ldap.aceindustry.com", LDAP_PORT))
    == NULL)
    fail();
/* authenticate as nobody (anonymous simple bind) */
if (ldap_simple_bind_s(ld, NULL, NULL) != LDAP_SUCCESS) {
    ldap_perror(ld, "ldap_simple_bind_s");
    ldap_unbind(ld);
    exit(1);
}
Example detail: search
LDAPMessage *result;

if (ldap_search_s(ld, "o=Ace Industry, c=US", LDAP_SCOPE_SUBTREE,
    "(sn=Jensen)", NULL, 0, &result) != LDAP_SUCCESS) {
    ldap_perror(ld, "ldap_search_s");
    ldap_unbind(ld);
    exit(1);
}
Example detail: parse and print
LDAPMessage *e;
char *dn, *a, **vals;
BerElement *ber;
int i;

for (e = ldap_first_entry(ld, result); e != NULL; e = ldap_next_entry(ld, e)) {
    dn = ldap_get_dn(ld, e);
    printf("dn: %s\n", dn);
    ldap_memfree(dn);
    for (a = ldap_first_attribute(ld, e, &ber); a != NULL;
        a = ldap_next_attribute(ld, e, ber)) {
        if ((vals = ldap_get_values(ld, e, a)) != NULL) {
            for (i = 0; vals[i] != NULL; i++)
                printf("%s: %s\n", a, vals[i]);
            ldap_value_free(vals);
        }
        ldap_memfree(a);    /* attribute names are allocated by the library */
    }
    if (ber != NULL)
        ber_free(ber, 0);
    printf("\n");
}
Example detail: cleanup
ldap_msgfree(result);   /* free the search result chain */
ldap_unbind(ld);        /* close the connection and free the session */
Synchronous vs. asynchronous
Two interfaces to the core LDAP API networking calls
Synchronous
Asynchronous
Synchronous API
Synchronous operation
ldap_search_s(), ldap_modify_s(), etc.
Caller is blocked until results are received
Useful for
Command-line apps
Directory-only apps
Simple apps
Threaded apps
Synchronous interaction
[Diagram, client/server exchange in order: the client initializes the LDAP session and calls ldap_search_s(...); the server receives the search request, processes it and sends the search result; the client then processes the results]
Synchronous example
LDAP *ld;
LDAPMessage *res;

/* ... initialize LDAP session via ldap_init() ... */
if (ldap_search_s(ld, "o=Ace Industry, c=US",
    LDAP_SCOPE_SUBTREE, "(sn=Jensen)", NULL, 0, &res)
    != LDAP_SUCCESS) {
    ldap_perror(ld, "ldap_search_s");
    fail();
}
/* ... parse the results in res, clean up ... */
Asynchronous API
Asynchronous operation
ldap_search(), ldap_modify(), etc.
Results returned later by calling ldap_result()
Useful for
GUI apps
High performance apps
Low resource apps
Asynchronous interaction
[Diagram, client/server exchange in order: the client initializes the LDAP session, calls ldap_search(...) and does other stuff while the server receives the search request, processes it and sends the search result; the client then calls ldap_result(...) and parses the results]
Asynchronous example
LDAP *ld;
LDAPMessage *res;
struct timeval tv;
int msgid, msgtype;

/* ... initialize LDAP session via ldap_init() ... */
/* issue the search; the call returns as soon as the request is sent
 * (the filter, lost from the slide, is the same one as in the synchronous example) */
if ((msgid = ldap_search(ld, "o=Ace Industry, c=US",
    LDAP_SCOPE_SUBTREE, "(sn=Jensen)", NULL, 0)) == -1) {
    ldap_perror(ld, "ldap_search");
    fail();
}
while (1) {
    /* zero timeout: poll for a result without blocking */
    tv.tv_sec = 0; tv.tv_usec = 0;
    if ((msgtype = ldap_result(ld, msgid, 0, &tv, &res)) > 0) {
        /* got a result - parse it, print, etc. */
        ldap_msgfree(res);
        if (msgtype == LDAP_RES_SEARCH_RESULT)
            break;          /* final message: the search is complete */
    } else if (msgtype == 0) {
        /* nothing yet - do other work, try again later */
    } else {
        ldap_perror(ld, "ldap_result");
        fail();
    }
}
Result parsing
Stepping through entries
Stepping through attributes
Retrieving attribute values
Dealing with the name of an entry
Result parsing: entries
ldap_first_entry()
Get the first entry in a chain of search results
ldap_next_entry()
Get the next entry in a chain of search results
Return NULL when no more entries
Result parsing: attributes
ldap_first_attribute()
Retrieve the first attribute name from an entry
ldap_next_attribute()
Retrieve the next attribute name from an entry
Return NULL when no more attributes
Result parsing: attribute values
ldap_get_values(), ldap_get_values_len()
Retrieve the values for a given attribute
ldap_count_values(), ldap_count_values_len()
Count the number of values returned
Result parsing: names
ldap_get_dn()
Retrieve the name of an entry
ldap_explode_dn(), ldap_explode_rdn()
Break up a name into component parts
ldap_dn2ufn()
Convert a name to a user-friendly format
Freeing memory
ldap_memfree()
Frees memory returned by ldap_get_dn(), ldap_first/next_attribute(), etc.
ldap_msgfree()
Frees results returned by ldap_result(), ldap_search_s(), ldap_search_st()
ber_free()
Frees the ldap_first/next_attribute() cookie
ldap_unbind()
Frees the session returned by ldap_init(), ldap_sslinit()
Error handling
ldap_get_lderrno()
Gets information about the last LDAP error
ldap_result2error()
Parses an LDAP result containing an error
ldap_err2string()
Returns a description of an LDAP error
ldap_perror()
Prints an error diagnostic on stderr
The Netscape LDAP SDK
One library/DLL
nsldap.dll or nsldap32.dll on Windows
NSLDAPLib on Macintosh
libldap.a or libldap.so on Unix
One include file
ldap.h
Thread safety
The Netscape LDAP SDK is always thread-safe if threads do not share LDAP sessions
Threads can share LDAP sessions with a little setup on your part
Provide call-backs for critical sections
Provide call-backs for errors
This approach works in virtually any threading environment
Thread safety: example
struct ldap_thread_fns tfn;

/* ... call ldap_init() to init the LDAP session ... */
memset(&tfn, 0, sizeof(tfn));   /* leave any callback we do not supply unset */
tfn.ltf_mutex_alloc = my_mutex_alloc;
tfn.ltf_mutex_free = my_mutex_free;
tfn.ltf_mutex_lock = pthread_mutex_lock;
tfn.ltf_mutex_unlock = pthread_mutex_unlock;
tfn.ltf_get_errno = my_get_errno;
tfn.ltf_set_errno = my_set_errno;
tfn.ltf_get_lderrno = my_get_lderrno;
tfn.ltf_set_lderrno = my_set_lderrno;
if (ldap_set_option(ld, LDAP_OPT_THREAD_FN_PTRS,
    (void *) &tfn) != 0) {
    ldap_perror(ld, "ldap_set_option");
    fail();
}
Thread safety: example
#include <errno.h>

int
my_get_errno(void)
{
    return (errno);
}

void
my_set_errno(int err)
{
    errno = err;
}
Thread safety: example
#include <pthread.h>

struct ldap_error {
    int le_errno;
    char *le_matched;
    char *le_errmsg;
};

/* thread-specific key, created with pthread_key_create(); each thread's
 * value is its own struct ldap_error (the key's creation is not on the slide) */
static pthread_key_t key;

int
my_get_lderrno(char **matchedp, char **errmsgp)
{
    struct ldap_error *le = pthread_getspecific(key);

    if (le == NULL) {       /* nothing recorded for this thread yet */
        if (matchedp != NULL)
            *matchedp = NULL;
        if (errmsgp != NULL)
            *errmsgp = NULL;
        return (LDAP_SUCCESS);
    }
    if (matchedp != NULL)
        *matchedp = le->le_matched;
    if (errmsgp != NULL)
        *errmsgp = le->le_errmsg;
    return (le->le_errno);
}
I/O environments
The LDAP library can be used in different I/O environments with a little setup
You make one call to pass libldap pointers to your I/O routines
Open/close
Read/write
Socket/connect/ioctl
I/O environments: example
struct ldap_io_fns io;

io.liof_read = SSL_Read;
io.liof_write = SSL_Write;
io.liof_socket = SSL_Socket;
io.liof_ioctl = SSL_Ioctl;
io.liof_connect = SSL_Connect;
io.liof_close = SSL_Close;
io.liof_ssl_enable = SSL_Enable;
if (ldap_set_option(ld, LDAP_OPT_IO_FN_PTRS, (void *) &io)
    != 0) {
    ldap_perror(ld, "ldap_set_option");
    fail();
}
Using LDAP with SSL
Set up a key database
Call ldap_sslinit() instead of ldap_init()
LDAP *ldap_init(char *host, int port);
LDAP *ldap_sslinit(char *host, int port, int secure);
What's next
LDAP version 3 has many new features
International support (UTF-8 + language prefs)
Server-side sorting of search results
Extensible matching/sorting rules
Schema available over LDAP
Paged results (for typedown)
Better authentication and security
What's next
Coming soon: a revision to the LDAP API and RFC 1823 to support LDAPv3
Coming soon: another release of the Netscape LDAP SDK supporting LDAPv3
Coming soon: Java support for LDAP in Navigator
Final thoughts
LDAP has the potential to do for directories what HTTP and HTML did for documents
The Netscape LDAP SDK provides the tools through which this potential can be unlocked
Integration with YOUR application is the key