Directory-Enabled Applications

Tim Howes Netscape Communications Corporation

Overview

What LDAP can and cant do for you LDAP history and overview The LDAP API The Netscape LDAP SDK What the future holds

Integrating LDAP with your environment

Setting the stage...

Directory services are the logical place at which network services, applications, and people meet, find one another, and act. The Burton Group, July 1996 [HTTP] sparked a networking revolution... Now [LDAP] is poised to go even further... Its potential is enormous. Network Computing, October 1996

What LDAP can do for you

Three perspectives As a user

As an administrator As a developer

What LDAP can do for you

As a user Single place to maintain personal information Single source for information about others The place to find what you need to access Makes remote access as easy as local access Unchains you from your desktop

Facilitates every day communication and work

What LDAP can do for you

As an administrator Single place to administer users and groups

Single place to administer enterprise configuration information Allows authority to be distributed Allows data to be distributed and replicated for reliability and performance

What LDAP can do for you

As an application developer
Allows you to provide these functions to your users Place to get and store information about users Provides mobility to users of your application Place to get and store configuration information General attribute/value directory that is fast, replicated, and reliable

What LDAP cant do for you

Replace the DNS

Replace the relational database Replace Internet search services

LDAP complements all of these things

LDAP history

First there was X.500: the OSI directory service Heavyweight

Some great ideas, but its OSI Separate infrastructure Few implementations Kitchen sink approach

LDAP history

Along came the Lightweight Directory Access Protocol: at first, a lightweight front end to X.500 TCP transport trimmed down functionality string encodings IETF-defined

Spurred lots of client development

LDAP history: X.500 roots

X.500 server

DAP LDAP client LDAP LDAP server DAP

DSP

X.500 server

LDAP history
NO!

But if I have LDAP, do I really need X.500? University of Michigan slapd (stand-alone LDAP daemon) provides the proof Netscape and 40+ other vendors picked up this ball and are running with it

LDAP history: stand-alone LDAP

LDAP server

LDAP LDAP client LDAP

LDAP server

LDAP models: overview

The Big Picture Information: what can be stored

Namespace: how it can be referenced Functional: what can be done with it Security: how it can be protected

The LDAP Big Picture

LDAP client

Requests LDAP server

Responses

Listens on TCP port 389 for LDAP 636 for LDAP over SSL

LDAP models: overview

The Big Picture Information: what can be stored

Namespace: how it can be referenced Functional: what can be done with it Security: how it can be protected

LDAP models: information

The basic unit of information is the entry

Each attribute has a type and one or more values

An entry is a collection of attributes

The type determines what kind of values can be stored

Information model illustrated

Entry
Attr Attr ... Attr

Attribute
Type Value ... Value

LDAP models: information

cn: Barbara Jensen cn: Babs Jensen sn: Jensen

Example: a complete entry for a person

mail: babs@aceindustry.com objectclass: top

jpegphoto: /9j/4AAQSkZJRgABAA... objectclass: person

LDAP models: information

This is how LDAP does schema

Objectclass controls what other attributes are required and allowed in the entry

Notice special objectclass attribute

LDAP models: overview

Information: what can be stored

Namespace: how it can be referenced Functional: what can be done with it Security: how it can be protected

LDAP models: namespace

One or more attributes from the entry are used to form the entrys relative distinguished name (RDN)

Entries can, but need not, be arranged in a hierarchical tree-like structure The format is defined in RFC 1779

An entrys full name is formed using its RDN and the RDNs of its ancestors

LDAP models: namespace

RDN: c=AU DN: c=AU c=AU c: AU co: Australia ... RDN: c=US DN: c=US c=US c: US co: America ...

o=Ace Industry RDN: o=Ace Industry o: Ace Industry DN: o=Ace Industry, c=US fax: +1 415 555-1212 ... RDN: cn=Barbara Jensen DN: cn=Barbara Jensen, o=Ace Industry, c=US

o=Netscape o: Netscape url: http://home.netscape.com/ ...

cn=Barbara Jensen cn: Barbara Jensen cn: Babs Jensen sn: Jensen mail: babs@aceindustry.com ...

Example Hierarchical LDAP Tree

LDAP models: namespace

For corporate directories, the namespace usually follows a country, locality, organization model LDAP the protocol does not require this You can construct your own flat namespace or other configurations

LDAP models: namespace

cn=Gern Jensen cn: Gern Jensen sn: Jensen mail: gern@bjorn.com ... cn=Barbara Jensen cn: Barbara Jensen cn: Babs Jensen sn: Jensen mail: babs@aceindustry.com ... RDN: cn=Barbara Jensen DN: cn=Barbara Jensen cn=Bjorn Jensen cn: Bjorn Jensen sn: Jensen mail: bjorn@bjorn.com objectclass: top objectclass: person ... RDN: cn=Bjorn Jensen DN: cn=Bjorn Jensen

RDN: cn=Gern Jensen DN: cn=Gern Jensen

Example Flat LDAP Tree

LDAP models: overview

Information: what can be stored

Namespace: how it can be referenced Functional: what can be done with it Security: how it can be protected

LDAP models: functional

Nine protocol operations Bind, Unbind Search, Compare Abandon

Add, Delete, Modify, Modify RDN

LDAP models: functional

Bind: authenticate to the server Unbind: end a protocol session Search: search for and retrieve entries based on some search criteria Compare: see if an entry contains a given attribute value

LDAP models: functional

Add: add entries to the directory

Delete: delete entries from the directory Modify RDN: change the RDN of an existing directory entry

Modify: change an existing directory entry Abandon: cancel an operation in progress

LDAP model: functional

Search is very powerful...you specify: Where to begin the search (base object) The scope of the search (subtree, one-level, base object) The filter used to select entries (RFC 1960) The attributes to return Size and time limits

LDAP models: functional

Example search: return the email address of all entries in the o=Ace Industry, c=US subtree that have a surname of Jensen Base: o=Ace Industry, c=US Filter: (sn=Jensen) Attrs: mail Scope: LDAP_SCOPE_SUBTREE

LDAP models: functional

Example search: find the phone and email of all people in Ace Industry who have an email address and are in the marketing department Base: o=Ace Industry, c=US Scope: LDAP_SCOPE_SUBTREE Filter: (&(mail=*)(dept= marketing)(objectclass=person)) Attrs: telephonenumber, mail

LDAP models: functional

Modify lets you change existing entries Add values

You specify a sequence of changes that Delete values

They all succeed or fail as a group

Replace all values

LDAP models: overview

Information: what can be stored

Namespace: how it can be referenced Functional: what can be done with it Security: how it can be protected

LDAP models: security

LDAP connections can be authenticated The Bind operation does this at the LDAP level Simple password-based authentication in v2 Extensible authentication in v3

SSL does this at the transport level

Allows an access control framework to secure the information in the server

LDAP models: security

The Netscape LDAP server provides rich access control Protects subtrees, entries, and attributes Access can be granted or denied based on Distinguished name Domain name IP address

The LDAP API

History and overview A quick example Synchronous interface

Asynchronous interface

Parsing and other routines

Support for threads, alternate I/O, SSL, etcetera

The LDAP API: history

Developed at the University of Michigan to be simple, flexible, and powerful Defined in RFC 1823 The LDAP Application Program Interface C bindings now, Java and JavaScript soon Widely adopted and implemented in the LDAP community

LDAP API: history

RFC 1823 defines the basics Information hiding Threading Security (SSL)

The Netscape SDK includes a few enhancements for

The core calls are the same

A quick example
Four steps Initialize Search

Problem: print out the name and every attribute of all Jensens at Ace Industry

Parse and print Clean up

A quick example: code

#include <stdio.h> #include <ldap.h> main(int argc, char **argv) { LDAP *ld; LDAPMessage *e, *result; char *dn, *a, **vals; BerElement *ber; if ((ld = ldap_init(ldap.aceindustry.com, LDAP_PORT)) == NULL) fail(); if (ldap_simple_bind_s(ld, NULL, NULL) != LDAP_SUCCESS) fail(); if (ldap_search_s(ld, o=Ace Industry, c=US, LDAP_SCOPE_SUBTREE, (sn=Jensen), NULL, 0, &result) != LDAP_SUCCESS) fail(); for (e = ldap_first_entry( ld, res ); e != NULL; e = ldap_next_entry(ld, e)) { dn = ldap_get_dn(ld, e); printf(dn: %s\n, dn); ldap_memfree(dn); for (a = ldap_first_attribute(ld, e, &ber); a != NULL; a = ldap_next_attribute(ld, e, ber)) { if ((vals = ldap_get_values(ld, e, a)) != NULL) { for (i = 0; vals[i] != NULL; i++) printf(%s: %s\n, a, vals[i] ); ldap_value_free(vals); } } if (ber != NULL) ber_free(ber, 0); printf(\n); } ldap_msgfree(res); ldap_unbind(ld); }

Init Search Parse And Print

Cleanup

A quick example: output

dn: cn=Barbara Jensen, o=Ace Industry, c=US cn: Barbara Jensen sn: Jensen mail: babs@aceindustry.com objectclass: top objectclass: person dn: cn=Bjorn Jensen, o=Ace Industry, c=US cn: Bjron Jensen sn: Jensen mail: bjorn@aceindustry.com telephonenumber: +1 415 555-1212 objectclass: top objectclass: person ...

Example detail: initialization

#include <ldap.h> LDAP *ld;

/* initialize the LDAP session */ if ((ld = ldap_init(ldap.aceindustry.com, LDAP_PORT)) == NULL) fail(); /* authenticate as nobody */ if (ldap_simple_bind_s(ld, NULL, NULL) != LDAP_SUCCESS){ ldap_perror(ld, ldap_simple_bind_s); ldap_unbind(ld); exit(1); }

Example detail: search

LDAPMessage *result; if (ldap_search_s(ld, o=Ace Industry, c=US, LDAP_SCOPE_SUBTREE, (sn=Jensen), NULL, 0, &result) != LDAP_SUCCESS) { ldap_perror(ld, ldap_search_s); ldap_unbind(ld); }

Example detail: parse and print

LDAPMessage *e; char *dn, *a, **vals; BerElement *ber; for (e = ldap_first_entry( ld, result ); e != NULL; e = ldap_next_entry(ld, e)) { dn = ldap_get_dn(ld, e); printf(dn: %s\n, dn); ldap_memfree(dn); for (a = ldap_first_attribute(ld, e, &ber); a != NULL; a = ldap_next_attribute(ld, e, ber)) { if ((vals = ldap_get_values(ld, e, a)) != NULL) { for (i = 0; vals[i] != NULL; i++) printf(%s: %s\n, a, vals[i] ); ldap_value_free(vals); } } if (ber != NULL) ber_free(ber, 0); printf(\n); }

Example detail: cleanup

ldap_msgfree(res); ldap_unbind(ld);

Synchronous vs. asynchronous

Synchronous

Two interfaces to the core LDAP API networking calls Asynchronous

Synchronous API

Synchronous operation

ldap_search_s(), ldap_modify_s(), etc. Caller is blocked until results are received Command-line apps Directory-only apps Simple apps Threaded apps

Useful for

Synchronous interaction
Client
initialize LDAP session ldap_search_s(...) process results process request receive search request

Server

send search result

Synchronous example
LDAP LDAPMessage *ld; *res;

/* ... initialize LDAP session via ldap_init() ... */ if (ldap_search_s(ld, o=Ace Industry, c=US, LDAP_SCOPE_SUBTREE, (sn=Jensen), NULL, 0, &res) != LDAP_SUCCESS) { ldap_perror( ld, ldap_search_s ); fail(); } /* ... parse the results in res, clean up ... */

Asynchronous API

Asynchronous operation

ldap_search(), ldap_modify(), etc. Results returned later by calling ldap_result() GUI apps

Useful for

High performance apps Low resource apps

Asynchronous interaction
Client
initialize LDAP session ldap_search(...) receive search request

Server

do other stuff

process request

ldap_result(...) parse results

send search result

Asynchronous example
LDAP LDAPMessage struct timeval *ld; *res; tv;

if ((msgid = ldap_search(ld, o=Ace Industry, c=US, LDAP_SCOPE_SUBTREE, NULL, 0)) == -1) { ldap_perror(ld, ldap_search); fail(); } while (1) { tv.tv_sec = 0; tv.tv_usec = 0; if ((msgtype = ldap_result(ld, msgid, 0, &tv, &res)) > 0) { /* got a result - parse it, print, etc. */ } else { /* nothing yet (or error) - try again later */ } }

Result parsing

Stepping through entries

Stepping through attributes Retrieving attribute values Dealing with the name of an entry

Result parsing: entries

ldap_first_entry() Get the first entry in a chain of search results Get the next entry in a chain of search results

ldap_next_entry()

Return NULL when no more entries

Result parsing: attributes

ldap_first_attribute() Retrieve the first attribute name from an entry Retrieve the next attribute name from an entry

ldap_next_attribute()

Return NULL when no more attributes

Result parsing: attribute values

ldap_get_values(), ldap_get_values_len()

ldap_count_values(), ldap_count_values_len()

Retrieve the values for a given attribute Count the number of values returned

Result parsing: names

ldap_get_dn() Retrieve the name of an entry

ldap_explode_dn(), ldap_explode_rdn() ldap_dn2ufn()

Break up a name into component parts Convert a name to a user-friendly format

Freeing memory
ldap_memfree() ldap_msgfree() ber_free() ldap_get_dn(), ldap_first/next_attribute(), etc. ldap_result(), ldap_search_s(), ldap_search_st() ldap_first/next_attribute() cookie ldap_init(), ldap_sslinit()

ldap_unbind()

Error handling

ldap_get_lderrno()

ldap_result2error() ldap_err2string() ldap_perror()

Gets information about the last LDAP error Parses an LDAP result containing an error Returns a description of an LDAP error Prints an error diagnostic on stderr

The Netscape LDAP SDK

One library/DLL nsldap.dll or nsldap32.dll on Windows NSLDAPLib on Macintosh One include file ldap.h libldap.a libldap.so on Unix

Thread safety

The Netscape LDAP SDK is always thread-safe if threads do not share LDAP sessions

Threads can share LDAP sessions with a little setup on your part Provide call-backs for errors

Provide call-backs for critical sections

This approach works in virtually any threading environment

Thread safety: example

struct ldap_thread_fns tfn; /* ... call ldap_init() to init the LDAP session */ tfn.ltf_mutex_alloc = my_mutex_alloc; tfn.ltf_mutex_free = my_mutex_free; tfn.ltf_mutex_lock = pthread_mutex_lock; tfn.ltf_mutex_unlock = pthread_mutex_unlock; tfn.ltf_get_errno = my_get_errno; tfn.ltf_set_errno = my_set_errno; tfn.ltf_get_lderrno = my_get_lderrno; tfn.ltf_set_lderrno = my_set_lderrno; if (ldap_set_option(ld, LDAP_OPT_THREAD_FN_PTRS, (void *) &tfn) != 0{ ldap_perror(ld, ldap_set_option); fail(); }

Thread safety: example

int my_get_errno(void) { return(errno); } void my_set_errno(int err) { errno = err; }

Thread safety: example

struct ldap_error { int le_errno; char *le_matched; char *le_errmsg; } int my_get_lderrno(char **matchedp, char **errmsgp) { struct ldap_error *le = pthread_getspecific(key); if (matchedp != NULL) *matchedp = le->le_matched; if (errmsgp != NULL) *errmsgp = le->le_errmsg; return(le->le_errno); }

I/O environments

The LDAP library can be used in different I/O environments with a little setup You make one call to pass libldap pointers to your I/O routines Open/close Read/write

Socket/connect/ioctl

I/O environments: example

struct ldap_io_fns io; io.liof_read = SSL_Read; io.liof_write = SSL_Write; io.liof_socket = SSL_Socket; io.liof_ioctl = SSL_Ioctl; io.liof_connect = SSL_Connect; io.liof_close = SSL_Close; io.liof_ssl_enable = SSL_Enable; if (ldap_set_option(ld, LDAP_OPT_IO_FN_PTRS, (void *) &io) != 0) { ldap_perror(ld, ldap_set_option); fail(); }

Using LDAP with SSL

Set up a key database Call ldap_sslinit() instead of ldap_init()
LDAP *ld ldap_init(char *host, int port); LDAP *ld ldap_sslinit(char *host, int port, int secure);

Whats next

LDAP version 3 has many new features International support (UTF-8 + language prefs) Server-side sorting of search results Extensible matching/sorting rules Schema available over LDAP Paged results (for typedown)

Better authentication and security

Whats next

Coming soon: a revision to the LDAP API and RFC 1823 to support LDAPv3 Coming soon: Java support for LDAP in Navigator

Coming soon: another release of the Netscape LDAP SDK supporting LDAPv3

Final thoughts

LDAP has the potential to do for directories what HTTP and HTML did for documents

The Netscape LDAP SDK provides the tools through which this potential can be unlocked Integration with YOUR application is the key

Netscape logo slide