Exercises are based on the OpenLDAP server implementation.

Related material at http://www.openldap.org.

  • Lightweight Directory Access Protocol

  • Vendor independent

  • IETF standard (RFC 4510 series):

    Clients interact with servers using a directory access protocol, normally over TCP port 389 (ldap://, optionally upgraded with StartTLS) or 636 (ldaps://).

Command:

ldapsearch \
  -H ldap://localhost \
  -D "cn=admin,dc=betrayer,dc=com" \
  -w password -x \
  -b "dc=betrayer,dc=com" \
  -s sub \
  -LLL

(-H takes an LDAP URI and replaces the deprecated -h host option; -x selects a simple bind with the DN given by -D; -b is the search base, -s sub the subtree scope; -LLL prints plain LDIF without comments or version line. In real use prefer -W, which prompts for the password, over -w password, which ends up in the shell history and in the process list.)

Result:

dn: dc=betrayer,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Betrayers heaven
dc: betrayer

dn: cn=admin,dc=betrayer,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NT...dE53N1E=
dn: uid=clark,ou=finance,dc=betrayer,dc=de 
cn: Sandy Clark
homeDirectory: /home/clark
sn: Clark
uid: clark 
uidNumber: 21101
givenName: Sandy
loginShell: /bin/bash
mail: clark@betrayer.com 
mail: finance@betrayer.com
postOfficeBox: 10G
userPassword: {SSHA}noneOfYourBusiness
  • Structuring LDAP entry data: an entry's objectClass values decide which attributes it must and may carry.

  • Categories:

    • Structural

    • Auxiliary

    • Abstract

Abstract classes:
  • Cannot be instantiated on their own; they exist to be extended by other classes (e.g. top, the root of every class hierarchy).

Structural classes:
  • Each entry has exactly one: the most specific class of a single inheritance chain (e.g. person, organizationalPerson, inetOrgPerson). It cannot be changed once the entry exists.

  • Specify the main type of object.

  • Must not inherit from auxiliary classes.

Auxiliary classes:
  • Provide non-conflicting supplementary information and can be added to or removed from an existing entry.

  • Think of (Java) interfaces.

  • Must not inherit from structural classes.

Class                         |   Instance uid=clark,ou=finance,dc=betrayer,dc=de
------------------------------+---------------------------------------------------
inetOrgPerson (structural)    |
   sn            (MUST)       |   sn: Clark
   cn            (MUST)       |   cn: Sandy Clark
   ...                        |
                              |
posixAccount (auxiliary)      |
   cn            (MUST)       |   see above
   gidNumber     (MUST)       |   gidNumber: 23113
   homeDirectory (MUST)       |   homeDirectory: /home/clark
   uid           (MUST)       |   uid: clark
   uidNumber     (MUST)       |   uidNumber: 21101
   userPassword  (MAY)        |   userPassword: {SSHA}noneOfYourBusiness
   loginShell    (MAY)        |   loginShell: /bin/bash

RFC 4511 defines three LDAP search scopes (ldapsearch -s):

  • base: only the entry named by the base DN

  • one: the immediate children of the base DN

  • sub: the base DN and its whole subtree

RFC 4515 defines the string form of search filters, written in prefix notation (the operator comes first, each operand in its own parentheses). The comparison operators are =, >=, <=, ~= (approximate match) and presence (=*); there is no plain <, so "uidNumber below 2000" is expressed through >= and negation:

  • (|(cn=k*)(!(uidNumber>=2000)))
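Building the filter above from code, as an added example that is not part of the original slides: a small filter builder that escapes assertion values as RFC 4515 section 3 requires, so that user input such as "*" or ")(" cannot rewrite the query (LDAP injection). The function names (eq, ge, starts_with, slide_filter, login_filter_safe and so on) are this example's own.

```python
# Added example, not from the original slides: building RFC 4515 search filters
# safely.  Filters use prefix notation (operator first, then its operands, each in
# parentheses) and only offer =, >=, <=, ~= and presence (=*); "less than 2000" is
# therefore written as !(uidNumber>=2000).  Any value that comes from a user must
# be escaped, or characters such as "*" and ")(" change the meaning of the query.
import re

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute description (RFC 4512): a name plus optional ;options.  Attribute
# names come from the program, never from users; numeric OIDs are not accepted here.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only ever match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _attr(name: str) -> str:
    if not _ATTR_RE.match(name):
        raise ValueError(f"invalid attribute description: {name!r}")
    return name


def eq(attr: str, value: str) -> str:
    return f"({_attr(attr)}={escape_filter_value(value)})"


def ge(attr: str, value: str) -> str:
    return f"({_attr(attr)}>={escape_filter_value(value)})"


def le(attr: str, value: str) -> str:
    return f"({_attr(attr)}<={escape_filter_value(value)})"


def present(attr: str) -> str:
    return f"({_attr(attr)}=*)"


def starts_with(attr: str, prefix: str) -> str:
    # the trailing "*" is ours, so it is appended after the prefix has been escaped
    return f"({_attr(attr)}={escape_filter_value(prefix)}*)"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(f: str) -> str:
    return "(!" + f + ")"


def slide_filter() -> str:
    """The slide's query: cn starts with 'k' OR uidNumber below 2000."""
    return or_(starts_with("cn", "k"), not_(ge("uidNumber", "2000")))


def login_filter_unsafe(uid: str) -> str:
    """String concatenation: uid='*' matches every account, uid=')(...' rewrites the query."""
    return f"(uid={uid})"


def login_filter_safe(uid: str) -> str:
    """The same lookup with the value escaped: '*' becomes the literal \\2a."""
    return eq("uid", uid)


if __name__ == "__main__":
    print(slide_filter())
    print(login_filter_unsafe("*"), "->", login_filter_safe("*"))
```

The builder escapes values only; attribute names are validated against the attribute description grammar and must never be taken from user input, since no escaping exists for them.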

  • Anonymous bind: no user credentials (empty DN, empty password).

    Note: this typically grants only limited privileges; slapd can refuse it entirely with "disallow bind_anon".

  • Simple bind: user's DN + password (ldapsearch -x -D dn -W):

    DN: uid=clark,ou=finance,dc=betrayer,dc=de
    password: 123456789

    Note: the password crosses the wire as clear text unless the connection is protected by TLS (ldaps://, or StartTLS via ldapsearch -Z/-ZZ). Without -x the OpenLDAP tools perform a SASL bind instead.
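What the two bind types put on the wire, as an added example that is not part of the original slides: the LDAPMessage/BindRequest structure from RFC 4511 section 4.2, hand-encoded in BER with only the Python standard library. No server is contacted; the DN and password are the slide's sample values, and the helper names (ber_len, tlv, bind_request, credential_in_clear) are this example's own.

```python
# Added example, not from the original slides: encode an anonymous and a simple
# BindRequest (RFC 4511 section 4.2) in BER, to show exactly what "ldapsearch -x"
# sends before any TLS is involved.  Standard library only; nothing is sent.


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value for a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # shortest two's-complement form; the extra 8 bits keep a leading zero byte for n >= 128
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def bind_request(message_id: int, dn: str = "", password: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindRequest } using the 'simple' authentication choice."""
    bind = (
        ber_int(3)                          # version INTEGER (LDAPv3)
        + tlv(0x04, dn.encode("utf-8"))     # name LDAPDN; the empty string means anonymous
        + tlv(0x80, password)               # authentication [0] simple OCTET STRING
    )
    # BindRequest is [APPLICATION 0] constructed, tag 0x60; LDAPMessage is a SEQUENCE, 0x30
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def anonymous_bind(message_id: int = 1) -> bytes:
    """No credentials at all: empty DN and empty password."""
    return bind_request(message_id)


def simple_bind(dn: str, password: str, message_id: int = 1) -> bytes:
    """DN plus password: what 'ldapsearch -x -D dn -w pw' sends on an unprotected connection."""
    return bind_request(message_id, dn, password.encode("utf-8"))


def credential_in_clear(message: bytes, password: str) -> bool:
    """True if the password bytes are readable verbatim in the message (no TLS, no SASL)."""
    return password.encode("utf-8") in message


if __name__ == "__main__":
    print("anonymous:", anonymous_bind().hex())
    msg = simple_bind("uid=clark,ou=finance,dc=betrayer,dc=de", "123456789")
    print("simple:   ", msg.hex())
    print("password readable:", credential_in_clear(msg, "123456789"))
```

The anonymous request is the well-known 12-byte sequence 30 0c 02 01 01 60 07 02 01 03 04 00 80 00. The simple bind carries the DN and the password as plain OCTET STRINGs, which is why slapd's security directive (security simple_bind=128, or olcSecurity in cn=config) is used to refuse simple binds that do not arrive over a connection with enough security strength.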
  • LDAP Data Interchange Format (RFC 2849).

  • Importing and exporting LDAP data (ldapadd, ldapsearch -LLL, slapcat).

  • Modifying existing entries (changetype: add/modify/delete/modrdn, applied with ldapmodify).

  • Plain text: values that are not safe ASCII are base64-encoded and written after a double colon (attr:: ...), and long lines are folded onto continuation lines that start with a single space.

dn: uid=clark,ou=finance,dc=betrayer,dc=de
objectClass: posixAccount
objectClass: inetOrgPerson
cn: Sandy Clark
homeDirectory: /home/clark
sn: Clark
uid: clark
uidNumber: 21101
gidNumber: 23113
givenName: Sandy
loginShell: /bin/bash
mail: clark@betrayer.com
mail: finance@betrayer.com
postOfficeBox: 10G
userPassword: {SSHA}noneOfYourBusiness
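Reading the entry above and checking it against its object classes, as an added example that is not part of the original slides; it serves both the object-class rules (exactly one structural class chain, MUST attributes) and the LDIF format (base64 values after a double colon, folded lines). The schema table is copied from OpenLDAP's core, inetorgperson and nis schema files for just the classes used; the embedded LDIF is the slide's entry with the userPassword value base64-encoded and the gidNumber from the slide's class table, and the helper names (parse_ldif, check_entry, SCHEMA) are this example's own.

```python
# Added example, not from the original slides: a minimal LDIF (RFC 2849) reader
# plus an object-class check.  It unfolds continuation lines, decodes "attr::"
# base64 values, then verifies that the entry has exactly one structural class
# chain and every attribute its classes list as MUST.  SCHEMA holds only the
# classes needed here, copied from OpenLDAP's core/inetorgperson/nis schemas.
import base64
from collections import defaultdict

# The slide's entry, constructed inline (userPassword base64-encoded, gidNumber added).
SAMPLE_LDIF = """\
dn: uid=clark,ou=finance,dc=betrayer,dc=de
objectClass: posixAccount
objectClass: inetOrgPerson
cn: Sandy Clark
homeDirectory: /home/clark
sn: Clark
uid: clark
uidNumber: 21101
gidNumber: 23113
givenName: Sandy
loginShell: /bin/bash
mail: clark@betrayer.com
mail: finance@betrayer.com
postOfficeBox: 10G
userPassword:: e1NTSEF9bm9uZU9mWW91ckJ1c2luZXNz
"""

# class -> (kind, superior class, MUST attributes); names lower-cased for comparison
SCHEMA = {
    "top":                  ("abstract",   None,                   {"objectclass"}),
    "person":               ("structural", "top",                  {"sn", "cn"}),
    "organizationalperson": ("structural", "person",               set()),
    "inetorgperson":        ("structural", "organizationalperson", set()),
    "organizationalunit":   ("structural", "top",                  {"ou"}),
    "posixaccount":         ("auxiliary",  "top",
                             {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}),
}


def parse_ldif(text: str) -> list:
    """Return one {attr: [bytes, ...]} dict per record (keys lower-cased, 'dn' included)."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:       # folded line: continues the previous one
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry = defaultdict(list)
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"not an LDIF line: {line!r}")
            if value.startswith(":"):                # attr:: <base64>
                entry[name.lower()].append(base64.b64decode(value[1:].strip()))
            elif value.startswith("<"):              # attr:< file:///... is not handled here
                raise ValueError(f"URL values not supported: {line!r}")
            else:
                entry[name.lower()].append(value.strip().encode("utf-8"))
        records.append(dict(entry))
    return records


def superclasses(cls: str) -> list:
    """The class itself followed by its superiors up to top."""
    chain = []
    while cls is not None:
        chain.append(cls)
        cls = SCHEMA[cls][1]
    return chain


def check_entry(entry: dict) -> list:
    """Return schema problems; an empty list means the entry satisfies these rules."""
    named = {v.decode("utf-8").lower() for v in entry.get("objectclass", [])}
    unknown = sorted(c for c in named if c not in SCHEMA)
    if unknown:
        return [f"unknown object class: {c}" for c in unknown]
    effective = {c for n in named for c in superclasses(n)}
    structural = {c for c in effective if SCHEMA[c][0] == "structural"}
    # most specific structural classes: those that are not a superior of another one
    leaves = {c for c in structural if not any(c in superclasses(d)[1:] for d in structural)}
    problems = []
    if len(leaves) != 1:
        problems.append(f"need exactly one structural class chain, got: {sorted(leaves)}")
    for c in sorted(effective):
        for attr in sorted(SCHEMA[c][2]):
            if attr not in entry:
                problems.append(f"object class '{c}' requires attribute '{attr}'")
    return problems


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)[0]
    print(entry["dn"][0].decode(), entry["userpassword"][0].decode())
    print("problems:", check_entry(entry))
```

Dropping gidNumber from the entry makes the check report the missing attribute, which is the same condition slapd rejects with result code 65 (objectClassViolation) when such an entry is ldapadd'ed; adding a second structural class such as organizationalUnit is reported as a second structural chain.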
An example LDAP Tree