LDAP and perl Jim Harle US Naval Academy (until January 2004)


1 LDAP and perl Jim Harle US Naval Academy (until January 2004) harle@usna.edu jimharle@comcast.net

2 What is LDAP
  Lightweight Directory Access Protocol
  Simplification of X.500
  Hierarchical database
  Access methods
  Communications protocols
  Common API

3 What uses LDAP?
  Email address books
  White pages
  NOS directory
  Custom applications
  Lots of commercial apps now use it: Remedy, Web Intelligence, Blackboard at USNA
  Authentication/authorization (web, unix/linux via PAM, etc)

4 What servers?
  Novell NDS / eDirectory
  SunONE / iPlanet Directory Server
  OpenLDAP
  M$ Active Directory
  Lotus Notes / Domino
  M$ Exchange
  IBM (SecureWay) Directory Server
  more

5 How do I organize my server?
  No fixed rules. Religious wars.
  May be strongly influenced by server vendor (e.g., max objects per node).
  Security / administrative rights are of primary importance.
  Think through carefully before you implement. Try to foresee the future.

6 Deep Organization
  o=myorg
    ou=people
      ou=Academic Dean
        ou=Math and Science
          ou=Physics
            uid=tsmithers
    ou=servers
    ou=workstations
      ou=Academic Dean …

7 Shallow Tree
  Top of Tree
    o=people
      cn=tsmithers
      cn=jane
    o=machines
      cn=mailhost
      cn=www
      cn=pc-tsmithers

10 Schema
  Object classes
    – Similar to RDBMS tables, but the same attributes may be in more than one
    – Can vary from vendor to vendor
  Attributes
    – Similar to RDBMS columns, but might be multi-valued
    – Can vary from vendor to vendor
  Matching rules
    – Defined for equality, substring, ordering, e.g.: case sensitive or not; telephone number match; string vs integer

11 Schema example (eDirectory)
  objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass'
    SUP ( top $ ndsLoginProperties ) STRUCTURAL
    MUST ( cn $ sn )
    MAY ( description $ seeAlso $ telephoneNumber $ fullName $ givenName $ initials $
          generationQualifier $ uid $ assistant $ assistantPhone $ city $ st $ company $ co $
          directReports $ manager $ mailstop $ mobile $ personalTitle $ pager $ workforceID $
          instantMessagingID $ preferredName $ Photo $ jobCode $ siteLocation $ employeeStatus $
          employeeType $ costCenter $ costCenterDescription $ tollFreePhoneNumber $
          otherPhoneNumber $ managerWorkforceID $ roomNumber $ jackNumber $ departmentNumber $
          vehicleInformation $ accessCardNumber $ isManager $ userPassword )
    X-NDS_NAMING ( 'cn' 'uid' )
    X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'domain' )
    X-NDS_NAME 'Person' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' )
  attributeTypes: ( 2.5.4.42 NAME 'givenName' DESC 'Standard Attribute'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32}
    X-NDS_NAME 'Given Name' X-NDS_PUBLIC_READ '1' X-NDS_LOWER_BOUND '1' )

12 Add your own attributes
  Register an OID arc
  Build object classes
  Define attributes

  objectClasses: ( 2.16.840.1.113719.2.153 NAME 'USNAperson' DESC 'Standard ObjectClass'
    AUXILIARY
    MAY ( personalTitle $ buildingName $ USNAalpha $ USNAmailList $ USNAbattalion $
          USNAdeptCode $ USNAclassification $ USNAservicebranch $ USNAacDeptGidNumber $
          USNAmidshipmanInBrigade $ USNAcompany $ USNAmiddleName $ USNAmidshipmanMajor $
          USNApageMaintainer $ USNAmidshipmanStatus $ USNAmailStop $ USNAoRep $
          USNAcourseSect $ USNAacctTransitionDate $ USNAplatoon $ USNAsquad $
          USNAacctTransitionTime )
    X-NDS_NOT_CONTAINER '1' )
  attributeTypes: ( 2.16.840.1.113719.2.153.1.18 NAME 'USNAsquad' DESC 'Standard Attribute'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64512} SINGLE-VALUE
    X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1' )

13 Net::LDAP
  Written by Graham Barr, author of many well-respected CPAN modules.
  Actively maintained.
  Pure perl – no C code.

14 Simple search
  # Simple search
  use Net::LDAP;
  my $ldap = Net::LDAP->new('myldapsrv.where.com') or die "connect: $@";
  $ldap->bind();                              # anonymous bind
  my $mesg = $ldap->search(
      filter => '(cn=smith)',
      attrs  => ['givenName', 'mail'],
  );
  die "search: " . $mesg->error if $mesg->code;
  foreach my $entry ($mesg->all_entries) {
      print $entry->dn(), "\n";               # Distinguished name
      print "Name(s)";
      foreach my $val ($entry->get_value('givenname')) {   # attribute names are case-insensitive
          print " $val";
      }
      print "\n";
      my $mail = $entry->get_value('mail');   # 1st value only (scalar context)
      print "Mail $mail\n";
  }

15 Search Filters
  Examples (from RFC 2254):
    – (cn=Babs Jensen)
    – (!(cn=Tim Howes))
    – (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
    – (o=univ*of*mich*)
  Comparison operators: = =* ~= >= <= *
  Logical operators: & | !
  Must quote: * ( ) \ NUL

16 Simplest authentication
  # simplest authentication
  use Net::LDAP;
  my $ldap = Net::LDAP->new('myldapsrv.where.com') or die "connect: $@";
  print "login ";
  chomp(my $login = <STDIN>);
  print "password ";
  chomp(my $passw = <STDIN>);
  # the DN is built directly from the login, so the account layout must be known
  my $mesg = $ldap->bind("uid=$login,ou=accts,o=myorg", password => $passw);
  print $mesg->code ? "Wrong" : "Right";      # non-zero result code means the bind failed

17 More complex authentication
  # more complex authentication
  # already connected, know login and password
  $ldap->bind();                              # anonymous
  my $mesg = $ldap->search(
      filter => "(uid=$login)",
      base   => 'o=userBranch',
      attrs  => [],
  );
  # fail if the search errored or did not match exactly one entry
  my $bad = $mesg->code || ($mesg->count() != 1);
  unless ($bad) {
      my $dn = $mesg->entry(0)->dn;           # bind as the DN we found
      $mesg = $ldap->bind($dn, password => $password);
      $bad = $mesg->code;
  }
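The slide 15 quoting rule and the slide 17 search-then-bind flow combined into one routine. This is an added example, not code from the talk: it uses escape_filter_value from Net::LDAP::Util (part of the perl-ldap distribution), and the server name, search base and account layout are placeholders.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Look the user up anonymously, insist on exactly one match, then bind as
# that DN. Returns ($dn, undef) on success or (undef, $reason) on failure.
sub authenticate {
    my ($ldap, $base, $login, $password) = @_;

    # RFC 4513: a simple bind with a DN and an empty password is an
    # "unauthenticated" bind that many servers accept as anonymous,
    # so it must never be mistaken for a successful login.
    return (undef, 'empty password') unless defined $password && length $password;

    # Quote * ( ) \ and NUL (e.g. 'a*b' becomes 'a\2ab') so the login
    # cannot alter the structure of the filter.
    my $filter = '(uid=' . escape_filter_value($login) . ')';

    my $mesg = $ldap->bind();                        # anonymous
    return (undef, 'anonymous bind: ' . $mesg->error) if $mesg->code;

    $mesg = $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => $filter,
        attrs  => ['1.1'],                           # DN only, no attributes
    );
    return (undef, 'search: ' . $mesg->error) if $mesg->code;
    return (undef, 'no such user')            if $mesg->count == 0;
    return (undef, 'ambiguous login')         if $mesg->count > 1;

    my $dn = $mesg->entry(0)->dn;
    $mesg = $ldap->bind($dn, password => $password);
    return (undef, 'wrong password') if $mesg->code;

    return ($dn, undef);
}

# Usage; server, base and branch names are placeholders (assumed, not the talk's).
my $ldap = Net::LDAP->new('myldapsrv.where.com') or die "connect: $@";
print "login ";    chomp(my $login = <STDIN>);
print "password "; chomp(my $passw = <STDIN>);
my ($dn, $why) = authenticate($ldap, 'o=userBranch', $login, $passw);
print $dn ? "Right ($dn)\n" : "Wrong: $why\n";
$ldap->unbind;
```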

18 Adding entries
  use Net::LDAP;
  use Net::LDAP::Entry;
  # connect, bind as a privileged account here
  my $entry = Net::LDAP::Entry->new();
  $entry->dn('cn=harle, ou=ITSD, ou=people, dc=usna, dc=edu');
  $entry->add(
      sn           => 'Harle',
      fullName     => 'Jim Harle',
      mail         => 'harle@usna.edu',
      userPassword => $psw,                   # $psw set earlier
      objectClass  => ['top', 'person'],      # multi-valued attribute as an array ref
      …
  );
  my $res = $ldap->update($entry);            # a new Entry object is sent as an LDAP add
  die "add error: " . $res->error() if $res->code();

19 Changing values
  use Net::LDAP;
  # connect and bind as privileged account or as self if you have rights
  # search to find appropriate DN
  $mesg = $ldap->modify($dn,
      replace => { fullName => 'James Albert Harle', mail => 'jimharle@comcast.net' });
  warn 'No replace' if $mesg->code;
  $mesg = $ldap->modify($dn, delete => ['employeeType']);           # remove the whole attribute
  $mesg = $ldap->modify($dn, delete => { givenName => 'Jimbo' });   # remove one value only
  $mesg = $ldap->modify($dn, add    => { givenName => 'Jimmy' });

20 Deleting and renaming objects
  $ldap->delete($dn);
  # rename: give the new RDN and drop the old one from the entry
  $ldap->moddn('cn=harle, ou=ITSD, ou=people, dc=usna, dc=edu',
               newrdn => 'cn=jimharle', deleteoldrdn => 1);

21 Synchronization
  Normally 'automatic' within a vendor's servers
  Tools exist for cross-vendor synchronization, but seem broken.
  Can't read passwords in eDirectory or Active Directory
    – Capture at source (e.g. web page)
  Regular checker for other attributes


23 Resources
  Join mailing list: perl-ldap-subscribe@perl.org
  FAQ at http://perl-ldap.sourceforge.net/FAQ.html
  Recent well-written introductory article at http://www.linuxjournal.com/article.php?sid=7086
  Also http://www.otterbook.com/materials/lisa02-LDAP.pdf
  Also Chapter 7 of Professional Perl Development, Kobes et al., Wrox Press.
  Several LDAP books. Most have very little of use unless you are a hard-core developer.
  Nice free Windows LDAP browser from http://www.softerra.com/download/download.php

