Presentation is loading. Please wait.

Presentation is loading. Please wait.

Netprog: LDAP1 Lightweight Directory Access Protocol (LDAP) Refs: –Netscape LDAP server docs – U. of Michigan LDAP docs – www.openldap.org docs –RFCs:

Published byJuniper Golden Modified over 8 years ago

Similar presentations

Presentation on theme: "Netprog: LDAP1 Lightweight Directory Access Protocol (LDAP) Refs: –Netscape LDAP server docs – U. of Michigan LDAP docs – www.openldap.org docs –RFCs:"— Presentation transcript:

1 Netprog: LDAP1 Lightweight Directory Access Protocol (LDAP) Refs: –Netscape LDAP server docs – U. of Michigan LDAP docs – www.openldap.org docs –RFCs: 1777, 1773, 1823,...

2 Netprog: LDAP2 Directory Services A "directory" service is a network accessible database: –Small amount of information in each request/reply. –Limited functionality (as compared to a complete database system) –Updates (changes) are much less frequent than queries.

3 Netprog: LDAP3 Directories Some typical examples include: –telephone directories –lists of addresses (email, network, P.O., etc) Each record is referenced by a unique key: –given a name, look up a phone number –given a name, look up an email address

4 Netprog: LDAP4 Applications Some applications simply provide a front-end to a directory service. –Electronic phone book. Some applications use a directory service to store configuration information, auxiliary databases,etc.

5 Netprog: LDAP5 Information Structure Typically, the information in a directory is structured hierarchically (but it doesn't have to be). The structure of the data (the hierarchy) is often useful in finding data and provides some (minimal) relationship between records.

6 Netprog: LDAP6 Example: DNS The Domain Name System is an example of a directory: hierarchical structure for each item there is a unique key (the hostname) and a number of attributes: –IP address –Mail exchanger –Host information –etc...

7 Netprog: LDAP7 X.500 X.500 is a Directory Service that has been used for a while: –Based on O.S.I. Protocol Stack requires upper layers (above transport) of the OSI Stack –Heavyweight service (protocol).

8 Netprog: LDAP8 LDAP A number of lightweight front-ends to X.500 have been developed - the most recent is LDAP: –Lightweight Directory Access Protocol –Based on TCP (but can be mapped to other protocols). –90% of the functionality of X.500 –10% of the cost

9 Netprog: LDAP9 LDAP & U. of Michigan LDAP originated at the University of Michigan. LDAP can be used as a front-end to X.500 or stand-alone. LDAP is now available commercially from a number of sources (including Netscape)

10 Netprog: LDAP10 LDAP definition RFC 1777: –data representation scheme –defined operations and mapping to requests/response protocol. RFC 1823: Application Programming Interface (has become a standard) API provided – no sockets programming required!

11 Netprog: LDAP11 LDAP Data Representation Each record has a unique key called a distinguished name ( dn for short). A distinguished name (RFC 1779) is meant to be used by humans (not just computers). Each dn is a sequence of components. –Each component is a string containing an attribute=value pair.

12 Netprog: LDAP12 Example DN CN=Dave Hollinger, OU=Computer Science, O=Rensselaer Polytechnic Institute, C=US Typically written all on one line.

13 Netprog: LDAP13 Hierarchy Like Domain Names, the name can be interpreted as part of a hierarchy. The last component of the dn is at the highest level in the hierarchy. CN=Joe Integral, OU=Math, O=RPI, C=US

14 Netprog: LDAP14 Sample Hierarchy C=US O=RPIO=MIT OU=Computer ScienceOU=Math CN=Dave Hollinger

15 Netprog: LDAP15 Component Names The components can be anything, but there is a standard hierarchy used (for a global LDAP namespace): C country name O organization name OU organizational unit CN common name L locality name ST state or province STREET street address

16 Netprog: LDAP16 Relative DNs Relative Distinguished Names are the individual components of a Distinguished Name (interpreted as relative to some position in the hierarchy). For example, the RDN "ou=Math" falls in the hierarchy below "o=RPI, c=US".

17 Netprog: LDAP17 DN usage A distinguished name is a key used to access a record. Each record can contain multiple attribute/value pairs. Examples of attributes: phone numberemail address titlehome page public keyproject 3 grade

18 Netprog: LDAP18 ObjectClass A commonly used attribute is "objectClass". Each record represents an object, and the attributes associated with that object are defined according to it's objectClass –The value of the objectClass attribute.

19 Netprog: LDAP19 Object Type examples Examples of objectClass: –organization (needs a name and address) –person (needs name, email, phone & address) –course (needs a CRN, instructor, mascot) –cookie (needs name, cost & taste index)

20 Netprog: LDAP20 Defining ObjectClass types You can define what attributes are required for objects with a specific value for the objectclass attribute. You can also define what attributes are allowed. New records must adhere to these settings!

21 Netprog: LDAP21 Multiple Values Each attribute can have multiple values, for example we could have the following record: DN: cn=Dave Hollinger, O=RPI, C=US CN: Dave Hollinger CN: David Hollinger Email: hollingd@cs.rpi.edu Email: hollid2@rpi.edu Email: satan@hackers.org

22 Netprog: LDAP22 LDAP Services Add, Delete, Change entry Change entry name (dn). Searching (the primary operation) –Search some portion of the directory for entries that match some criteria.

23 Netprog: LDAP23 Authentication LDAP authentication can be based on simple passwords (cleartext) or Kerberos. LDAP V3 includes support for other authentication techniques including reliance on public keys.

24 Netprog: LDAP24 LDAP Requests bind/unbind (authentication) search modify add delete compare

25 Netprog: LDAP25 LDAP Protocol Definition The protocol is defined in RFC 1777 using ASN.1 (abstract syntax notation) and encoding is based on BER (Basic Encoding Rules) - all very formal. All requests/responses are packaged in an "envelope" (headers) and include a messageID field.

26 Netprog: LDAP26 Example - LDAP bind request Bind request must be the first request. BindRequest = [Application 0] SEQUENCE { versionINTEGER (1…127), nameLDAPDN, authentication CHOICE { simple [0] OCTET STRING, krbv42LDAP[1] OCTET STRING, krbv42DSA [2] OCTET STRING }

27 Netprog: LDAP27 Other Requests Search/modify/delete/change requests can include maximum time limits (and size limits in the case of search). There can be multiple pending requests (each with unique messageID). –Asynchronous replies (each includes messageID of request).

28 Netprog: LDAP28 Search Request Parameters basescope sizetime attributes attrsonly search_filter

29 Netprog: LDAP29 Search Parameter: Base The base is the DN of root of the search. A server typically serves only below some subtree of the global DN namespace. –You can ask the server to restrict the search to a subtree of what it serves.

30 Netprog: LDAP30 Search Parameter: Scope base – search only the base element. onelevel – search all elements that are children of the base. subtree – search everything in the subtree base

31 Netprog: LDAP31 Search Parameter: Time Limit on number of seconds the search can take. Value of 0 means “no limit”.

32 Netprog: LDAP32 Search Parameter: Size Limit on the number of entries to return from the search. A value of 0 means no limit.

33 Netprog: LDAP33 Search Parameter: Attributes A list of attributes that should be returned for each matched entry. NULL mean “all attributes” Attribute names are strings.

34 Netprog: LDAP34 Search Parameter: Attrsonly a flag that indicates whether values should be returned –TRUE: return both attributes and values. –FALSE: return just list of attributes.

35 Netprog: LDAP35 Search Parameter: Filter a search filter that defines the conditions that constitute a match. Filters are text strings. There is an entire RFC that describes the syntax of LDAP filters. (RFC 1558)

36 Netprog: LDAP36 Search Filters Restrict the search to those records that have specific attributes, or those whose attributes have restricted values. "objectclass=*" match all records "cn=*dave*" matches any record with "dave" in the value of cn

37 Netprog: LDAP37 Complex Filters You can combine simple filters with boolean &, | and !: (&(cn=*da)(email=*hotmail*)) (&(!(age>=18))(drinks=yes)) (|(grade>=90)(cookies>10))

38 Netprog: LDAP38 Search Reply Each search can generate a sequence of Search Response records: –Distinguished Name for record –list of attributes, possibly with list of values for each attribute. –Result code LDAP includes an extensive error/status reporting facility.

39 Netprog: LDAP39 Other Requests/Responses The other requests and responses are detailed in RFC1777. However, to write a client we don't need to know the details of the protocol, there is an API (RFC 1823) and library available! yippie!

40 Netprog: LDAP40 LDAP API There are actually a couple of well- established APIs: –the original (RFC 1823) from U. of Michigan. –Netscape has one. In both cases we are spared the details of the protocol, we just call some subroutines. The socket stuff is handled for us.

41 Netprog: LDAP41 Writing a client 1. Open connection with a server 2. Authenticate (or authentificate if you must). 3. Do some searches/modification/deletions. 4. Close the connection

42 Netprog: LDAP42 Opening a connection int ldap_bind( LDAP *ld, connection handle char *dn, who you are (your dn) char *cred, your credentials int method) which kind of authenticaton return value is LDAP_SUCCESS on success or else ldap_errno is set to indicate the error.

43 Netprog: LDAP43 Simple bind There are actually a bunch of ldap_bind functions, this is the simplest: int ldap_simple_bind( LDAP *ld, connection handle char *dn, who you are (your dis. name) char *passwd) your ldap password The sample LDAP server on monte.cs.rpi.edu is set up so you don't need a password (or dn) to do anything. : ldap_simple_bind(l,NULL,NULL);

44 Netprog: LDAP44 Synchronous vs. Asynchronous Synchronous calls all end in " _s " ldap_simple_bind_s(l,NULL,NULL); Easier to use (returns the result right away).

45 Netprog: LDAP45 Simple Search Query int ldap_search_s( LDAP *ld, connection handle char *base, dn of the base of the search int scope, scope of the search char *filter, search filter char *attrs[], list of attributes to return int attrsonly, flag - return no values? LDAPMessage **res) result of query

46 Netprog: LDAP46 Search Scope LDAP_SCOPE_BASE : search only the base for a match. LDAP_SCOPE_ONELEVEL : search only one level below the base. LDAP_SCOPE_SUBTREE : search the entire subtree below the base.

47 Netprog: LDAP47 Search Filters LDAP search filters are described in RFC 1960. –attribute=value pairs with support for boolean connectives and relational operators Examples: " (objectclass=*) " " (&(objectclass=Cookie)(tasteindex>=30))"

48 Netprog: LDAP48 Example Search ldap_search_s(l, "course=Netprog, school=RPI", LDAP_SCOPE_SUBTREE, "(cn=Joe Student)", NULL,0,&mesg); On success, mesg is a pointer to the result. To access the records in the result you have to use more of the LDAP library.

49 Netprog: LDAP49 Search Results The result is a list of records - you do something like this to scan the list: LDAPMessage *p; char *dn; for (p=ldap_first_entry(l,msg); p != NULL; p=ldap_next_entry(l,p)) { dn = ldap_get_dn(l,p); printf("dn: %d\n",dn); }

50 Netprog: LDAP50 Attributes of each entry Extracting the attributes (and values) from each entry is similar - step through a list of attributes using: ldap_first_attribute() ldap_next_attribute() Example code in RFC 1823!!!

Download ppt "Netprog: LDAP1 Lightweight Directory Access Protocol (LDAP) Refs: –Netscape LDAP server docs – U. of Michigan LDAP docs – www.openldap.org docs –RFCs:"

Similar presentations

DDI3 Uniform Resource Names: Locating and Providing the Related DDI3 Objects Part of Session: DDI 3 Tools: Possibilities for Implementers IASSIST Conference,

DDI3 Uniform Resource Names: Locating and Providing the Related DDI3 Objects Part of Session: DDI 3 Tools: Possibilities for Implementers IASSIST Conference,
LDAP Lightweight Directory Access Protocol LDAP.

LDAP Lightweight Directory Access Protocol LDAP.
Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.

Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.
Directory Services BICS 565. What is a Directory Service (DS)? A service that allows users to lookup information about entities in an organization Entities.

Directory Services BICS 565. What is a Directory Service (DS)? A service that allows users to lookup information about entities in an organization Entities.
CPE 401 / 601 Computer Network Systems

CPE 401 / 601 Computer Network Systems
LDAP Jianwen Luo School of CTI, Depaul Univ. Oct.23, 1998.

LDAP Jianwen Luo School of CTI, Depaul Univ. Oct.23, 1998.
TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.

TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.
Directory & Naming Services CS-328 Dick Steflik. A Directory.

Directory & Naming Services CS-328 Dick Steflik. A Directory.
CS603 Directory Services January 30, 2002. Name Resolution: What would you like? Historical? –Mail –Telephone DNS? X.500 / LDAP? DCE? ActiveDirectory?

CS603 Directory Services January 30, Name Resolution: What would you like? Historical? –Mail –Telephone DNS? X.500 / LDAP? DCE? ActiveDirectory?
CS603 Active Directory February 1, 2001.

CS603 Active Directory February 1, 2001.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.

LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.
1 CSIT 320. Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as.

1 CSIT 320. Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as.
Distributed Computing COEN 317 DC2: Naming, part 1.

Distributed Computing COEN 317 DC2: Naming, part 1.
Directory services Unit objectives

Directory services Unit objectives
Locating objects identified by DDI3 Uniform Resource Names Part of Session: Concurrent B2: Reports and Updates on DDI activities 2nd Annual European DDI.

Locating objects identified by DDI3 Uniform Resource Names Part of Session: Concurrent B2: Reports and Updates on DDI activities 2nd Annual European DDI.
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
1 Internet Based Applications Lightweight Directory Access Protocol (LDAP) Piotr Wierzejewski.

1 Internet Based Applications Lightweight Directory Access Protocol (LDAP) Piotr Wierzejewski.
23/4/2001LDAP Overview - HEPix - LAL 2001 LDAP Overview HEPix – LAL Apr. 2001 Michel Jouvin

23/4/2001LDAP Overview - HEPix - LAL 2001 LDAP Overview HEPix – LAL Apr Michel Jouvin

Similar presentations

Ads by Google