Overview
- What LDAP can and can't do for you
- LDAP history and overview
- The LDAP API
- The Netscape LDAP SDK
- What the future holds

What LDAP can do for you, as an administrator and as a developer:
- Single place to administer enterprise configuration information
- Allows authority to be distributed
- Allows data to be distributed and replicated for reliability and performance
LDAP history
X.500 had some great ideas, but it's OSI:
- Separate infrastructure
- Few implementations
- Kitchen sink approach
LDAP history
Along came the Lightweight Directory Access Protocol, at first a lightweight front end to X.500:
- TCP transport
- Trimmed-down functionality
- String encodings
- IETF-defined
(Diagram: LDAP front end in front of an X.500 server, labelled DSP)
LDAP history
But if I have LDAP, do I really need X.500? NO!
- University of Michigan slapd (stand-alone LDAP daemon) provides the proof
- Netscape and 40+ other vendors picked up this ball and are running with it
LDAP models
- Namespace: how it can be referenced
- Functional: what can be done with it
- Security: how it can be protected

LDAP client and server
(Diagram: the LDAP client sends requests to the LDAP server and receives responses)
The server listens on TCP port 389 for LDAP and 636 for LDAP over SSL
Namespace model: how it can be referenced
Attribute: type, value ... value (each attribute has a type and one or more values)
The objectclass attribute controls what other attributes are required and allowed in the entry
- One or more attributes from the entry are used to form the entry's relative distinguished name (RDN)
- Entries can, but need not, be arranged in a hierarchical tree-like structure
- An entry's full name (its distinguished name, DN) is formed using its RDN and the RDNs of its ancestors; the format is defined in RFC 1779

Example:
  o=Ace Industry (RDN: o=Ace Industry; DN: o=Ace Industry, c=US)
    o: Ace Industry
    fax: +1 415 555-1212
    ...
  cn=Barbara Jensen (RDN: cn=Barbara Jensen; DN: cn=Barbara Jensen, o=Ace Industry, c=US)
    cn: Barbara Jensen
    cn: Babs Jensen
    sn: Jensen
    mail: babs@aceindustry.com
    ...

- For corporate directories, the namespace usually follows a country, locality, organization model
- LDAP the protocol does not require this: you can construct your own flat namespace or other configurations
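As an added example (not code from the slides or the Netscape SDK), the C function below builds a DN from its RDNs in the form shown above, escaping the RFC 1779 special characters so that a value containing a comma or '=' stays one value instead of changing the position the name refers to; dn_build and dn_special are names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1779 special characters; inside an RDN value they are backslash-escaped
 * (the form RFC 2253 later standardised) so they cannot act as separators */
static int dn_special(char c)
{
    return c != '\0' && strchr(",=+<>#;\\\"", c) != NULL;
}

/* Build a DN from its RDNs, most specific first: types {cn, o, c} with
 * values {Barbara Jensen, Ace Industry, US} gives
 * "cn=Barbara Jensen, o=Ace Industry, c=US".  Returns a malloc'd string
 * the caller frees, or NULL on allocation failure. */
char *dn_build(const char *types[], const char *values[], int n)
{
    size_t cap = 1;                     /* room for the terminating NUL */
    char *dn, *p; int k;
    for (k = 0; k < n; k++)             /* worst case: every value byte escaped */
        cap += strlen(types[k]) + 1 + 2 * strlen(values[k]) + 2;
    if ((dn = malloc(cap)) == NULL)
        return NULL;
    p = dn;
    for (k = 0; k < n; k++) {
        const char *v;
        if (k > 0) { *p++ = ','; *p++ = ' '; }
        p += sprintf(p, "%s=", types[k]);
        for (v = values[k]; *v != '\0'; v++) {
            /* a leading or trailing space is significant, so it is escaped too */
            if (dn_special(*v) || (*v == ' ' && (v == values[k] || v[1] == '\0')))
                *p++ = '\\';
            *p++ = *v;
        }
    }
    *p = '\0';
    return dn;
}

int main(void)
{
    /* constructed RDNs: the slide's entry, then a cn whose value contains a comma */
    const char *types[] = { "cn", "o", "c" };
    const char *plain[] = { "Barbara Jensen", "Ace Industry", "US" };
    const char *comma[] = { "Jensen, Barbara", "Ace Industry", "US" };
    char *dn1 = dn_build(types, plain, 3), *dn2 = dn_build(types, comma, 3);
    if (dn1 != NULL && dn2 != NULL) printf("%s\n%s\n", dn1, dn2);
    free(dn1); free(dn2);
    return 0;
}
```

RFC 1779 also allows a value to be enclosed in double quotes instead; the backslash form is used here because it is the one later RFCs kept.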
Functional model: what can be done with it
- Bind: authenticate to the server
- Unbind: end a protocol session
- Search: search for and retrieve entries based on some search criteria
- Compare: see if an entry contains a given attribute value
- Delete: delete entries from the directory
- Modify RDN: change the RDN of an existing directory entry
Search is very powerful. You specify:
- Where to begin the search (base object)
- The scope of the search (subtree, one-level, base object)
- The filter used to select entries (RFC 1960)
- The attributes to return
- Size and time limits

Example search: return the email address of all entries in the o=Ace Industry, c=US subtree that have a surname of Jensen
  Base: o=Ace Industry, c=US
  Scope: LDAP_SCOPE_SUBTREE
  Filter: (sn=Jensen)
  Attrs: mail

Example search: find the phone and email of all people in Ace Industry who have an email address and are in the marketing department
  Base: o=Ace Industry, c=US
  Scope: LDAP_SCOPE_SUBTREE
  Filter: (&(mail=*)(dept=marketing)(objectclass=person))
  Attrs: telephonenumber, mail
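Added example, not from the slides or the Netscape SDK: the second filter above built from a department name supplied at run time, with the value escaped the way RFC 1960 requires so that '*', '(', ')' and '\' in it are matched literally rather than read as filter syntax; filter_escape and build_dept_filter are names assumed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside a search filter: RFC 1960 requires '*', '(',
 * ')' and '\' in a value to be written as a backslash plus two hex digits.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *filter_escape(const char *value)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(value), i, j = 0;
    char *out = malloc(len * 3 + 1);    /* worst case: every byte escaped */
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            out[j++] = '\\';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0f];
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';
    return out;
}

/* The "marketing department" filter from the slide, with the department name
 * supplied at run time (for example from a form field) instead of a literal */
char *build_dept_filter(const char *dept)
{
    char *safe = filter_escape(dept), *filter;
    size_t n;
    if (safe == NULL)
        return NULL;
    n = sizeof("(&(mail=*)(dept=)(objectclass=person))") + strlen(safe);
    if ((filter = malloc(n)) != NULL)
        snprintf(filter, n, "(&(mail=*)(dept=%s)(objectclass=person))", safe);
    free(safe);
    return filter;
}

int main(void)
{
    /* constructed input: a department name that happens to contain parentheses */
    char *f = build_dept_filter("sales (EMEA)");
    if (f != NULL) { printf("%s\n", f); free(f); }
    return 0;
}
```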
Security model: how it can be protected
- LDAP connections can be authenticated; the Bind operation does this at the LDAP level
  - Simple password-based authentication in v2
  - Extensible authentication in v3
- The Netscape LDAP server provides rich access control
  - Protects subtrees, entries, and attributes
  - Access can be granted or denied based on distinguished name, domain name, or IP address
The LDAP API
- Developed at the University of Michigan to be simple, flexible, and powerful
- Defined in RFC 1823, "The LDAP Application Program Interface"
- Asynchronous interface
- C bindings now, Java and JavaScript soon
- Widely adopted and implemented in the LDAP community

RFC 1823 defines the basics; the Netscape LDAP SDK adds:
- Information hiding
- Threading
- Security (SSL)
A quick example
Problem: print out the name and every attribute of all Jensens at Ace Industry
Four steps: Initialize, Search, ..., Cleanup

    LDAP *ld;

    /* initialize the LDAP session */
    if ((ld = ldap_init("ldap.aceindustry.com", LDAP_PORT)) == NULL)
        fail();

    /* authenticate as nobody (anonymous simple bind: NULL DN, NULL password) */
    if (ldap_simple_bind_s(ld, NULL, NULL) != LDAP_SUCCESS) {
        ldap_perror(ld, "ldap_simple_bind_s");
        ldap_unbind(ld);
        exit(1);
    }
Synchronous API
Synchronous operation:
- ldap_search_s(), ldap_modify_s(), etc.
- Caller is blocked until results are received
Useful for:
- Command-line apps
- Directory-only apps
- Simple apps
- Threaded apps

Synchronous interaction (diagram): the client initializes the LDAP session and calls ldap_search_s(...); the server receives the search request and processes it; the client is blocked until the results arrive and then processes them.
Synchronous example

    LDAP *ld;
    LDAPMessage *res;

    /* ... initialize LDAP session via ldap_init() ... */
    /* attrs NULL = return all attributes, attrsonly 0 = return values too */
    if (ldap_search_s(ld, "o=Ace Industry, c=US", LDAP_SCOPE_SUBTREE,
                      "(sn=Jensen)", NULL, 0, &res) != LDAP_SUCCESS) {
        ldap_perror(ld, "ldap_search_s");
        fail();
    }
    /* ... parse the results in res, clean up ... */
Asynchronous API
Asynchronous operation:
- ldap_search(), ldap_modify(), etc.
- Results returned later by calling ldap_result()
Useful for:
- GUI apps

Asynchronous interaction (diagram): the client initializes the LDAP session, calls ldap_search(...) and goes on to do other stuff; the server receives the search request and processes it; the client picks up the results later via ldap_result().
Asynchronous example

    LDAP *ld;
    LDAPMessage *res;
    struct timeval tv;
    int msgid, msgtype;

    /* ... initialize LDAP session via ldap_init() ... */
    if ((msgid = ldap_search(ld, "o=Ace Industry, c=US", LDAP_SCOPE_SUBTREE,
                             "(sn=Jensen)", NULL, 0)) == -1) {
        ldap_perror(ld, "ldap_search");
        fail();
    }
    while (1) {
        /* zero timeout: poll for this message id without blocking */
        tv.tv_sec = 0;
        tv.tv_usec = 0;
        if ((msgtype = ldap_result(ld, msgid, 0, &tv, &res)) > 0) {
            /* got a result - parse it, print, etc. */
        } else {
            /* 0: nothing yet - try again later; -1: error */
        }
    }
Result parsing
- Stepping through entries: ldap_next_entry()
- Stepping through attributes: ldap_next_attribute()
- Retrieving attribute values: ldap_get_values(), ldap_get_values_len() retrieve the values for a given attribute
- ldap_count_values(), ldap_count_values_len() count the number of values returned
- Dealing with the name of an entry: ldap_get_dn()
Freeing memory
- ldap_memfree(): memory returned by ldap_get_dn(), ldap_first/next_attribute(), etc.
- ldap_msgfree(): results returned by ldap_result(), ldap_search_s(), ldap_search_st()
- ber_free(): the ldap_first/next_attribute() cookie
- ldap_unbind(): sessions created by ldap_init(), ldap_sslinit()
Error handling
- ldap_get_lderrno(): gets information about the last LDAP error
- Parsing an LDAP result containing an error
- Returning a description of an LDAP error
- ldap_perror(): prints an error diagnostic on stderr
Thread safety
- The Netscape LDAP SDK is always thread-safe if threads do not share LDAP sessions
- Threads can share LDAP sessions with a little setup on your part: provide call-backs for errors
I/O environments
- The LDAP library can be used in different I/O environments with a little setup
- You make one call to pass libldap pointers to your I/O routines:
  - Open/close
  - Read/write
  - Socket/connect/ioctl
What's next
LDAP version 3 has many new features:
- International support (UTF-8 + language preferences)
- Server-side sorting of search results
- Extensible matching/sorting rules
- Schema available over LDAP
- Paged results (for typedown)

Coming soon:
- A revision to the LDAP API and RFC 1823 to support LDAPv3
- Java support for LDAP in Navigator
- Another release of the Netscape LDAP SDK supporting LDAPv3
Final thoughts
- LDAP has the potential to do for directories what HTTP and HTML did for documents
- The Netscape LDAP SDK provides the tools through which this potential can be unlocked
- Integration with YOUR application is the key