From: http://www.freebsdchina.org
Original author: Jason P. Holland, 27 February 2001
Translation: ideal, Linuxaid professional technical support website

Introduction to LDAP

LDAP (Lightweight Directory Access Protocol) is an information service that provides a directory service. A directory service is a special kind of database that is optimised for read, browse and search operations. Directories usually hold descriptive, attribute-based information and support fairly sophisticated filtering. Directories generally do not offer the complex transaction management or rollback schemes that general-purpose databases need to handle large volumes of updates; updates to a directory are usually simple. A directory can store many kinds of information, including personal details, web links and JPEG images. To access the information stored in a directory you use an access protocol, LDAP, which runs over TCP/IP.

Information in an LDAP directory is organised as a tree of entries. An entry corresponds to a record (row) of a table in a relational database. An entry carries attributes and is referenced by its Distinguished Name (DN); the DN is the equivalent of the key of a relational table. An attribute consists of a type and one or more values, much as a relational field consists of a field name and a data type. The difference is that, to make retrieval easier, a type in LDAP may carry several values, whereas a relational database must avoid such redundancy to reduce data. Entries in LDAP are usually organised along geographic and organisational lines. LDAP stores its data in files and uses an index-based file database for efficiency rather than a relational database.
An example of a type is mail, whose value would be an email address. LDAP information is stored as a tree: the root usually defines a country (c=CN) or a domain component (dc=com), beneath which one or more organisations (o=Acme) or organisational units (ou=People) are defined. An organisational unit may hold information about, for example, all employees or all printers and buildings. In addition, LDAP controls which attributes an entry must and may contain through a special attribute called the object class (objectClass). Its value determines the rules the entry must follow, in particular which attributes it must contain at a minimum. For example, the inetOrgPerson object class requires sn (surname) and cn (common name) but also permits optional attributes such as mail and telephoneNumber.

Directory design

Designing the directory structure is one of the most important aspects of LDAP. Below we explain, through a simple example, how to design a reasonable directory structure; the example is worked through with the Netscape address book. Suppose a company called Acme (o=Acme) is located in the United States (c=US) and spans several states. Acme wants to run a small address book server for all of its employees. We start from a simple organisational DN:

    dn: o=Acme, c=US

All of Acme's organisational classifications and attributes will be stored under this DN, which is unique in the server's directory.
Acme wants to divide its employee information into two categories: managers (ou=Managers) and ordinary employees (ou=Employees). This classification produces relative distinguished names (RDNs, Relative Distinguished Names, that is, names given relative to the vertex DN):

    dn: ou=Managers, o=Acme, c=US
    dn: ou=Employees, o=Acme, c=US

Below we see the hierarchy: the vertex is Acme in the USA; under it sit a Managers organisational unit and an Employees organisational unit. The DNs of the people in Managers and Employees are therefore:

    dn: cn=Jason H. Smith, ou=Managers, o=Acme, c=US
    dn: cn=Ray D. Jones, ou=Employees, o=Acme, c=US
    dn: cn=Eric S. Woods, ou=Employees, o=Acme, c=US

To reference the Jason H. Smith entry, LDAP uses the RDN cn=Jason H. Smith. The RDNs of the entry and of its parents are then combined to form the tree structure:

    cn=Jason H. Smith
    ou=Managers
    o=Acme
    c=US
    cn=Jason H. Smith, ou=Managers, o=Acme, c=US

Now that the directory structure is defined, the directory data must be imported. The directory data is kept in an LDIF file, which is the default file format for importing directory data. Users can easily write Perl scripts to generate an LDIF file automatically from system files such as /etc/passwd or NIS. The following example saves the directory data as TestData.ldif; see man ldif for details. Before any organisational unit is added, the Acme DN must be defined first:

    dn: o=Acme, c=US
    objectClass: organization
    o: Acme

The o attribute is required here. Next comes the DN of the Managers organisational unit; this entry must be defined before any manager's information is added:

    dn: ou=Managers, o=Acme, c=US
    objectClass: organizationalUnit
    ou: Managers

The first manager's DN is:

    dn: cn=Jason H. Smith, ou=Managers, o=Acme, c=US
    objectClass: inetOrgPerson
    cn: Jason H. Smith
    sn: Smith

Some optional attributes can also be defined:

    telephoneNumber: 111-222-9999
    mail: headhauncho@acme.com
    localityName: Houston

Another organisational unit can be defined:

    dn: ou=Employees, o=Acme, c=US
    objectClass: organizationalUnit
    ou: Employees

and the employee information is added as follows:

    dn: cn=Ray D. Jones, ou=Employees, o=Acme, c=US
    objectClass: inetOrgPerson
    cn: Ray D. Jones
    sn: Jones
    telephoneNumber: 444-555-6767
    mail: Jonerd@acme.com

    dn: cn=Eric S. Woods, ou=Employees, o=Acme, c=US
    objectClass: inetOrgPerson
    cn: Eric S. Woods
    sn: Woods
    telephoneNumber: 444-555-6768
    mail: woodses@acme.com
    localityName: Houston

Installation and Configuration

Next, OpenLDAP must be set up to accept the import and to serve the address book to Netscape. A common question on the OpenLDAP mailing list is "How do I get the Netscape address book to use my LDAP server?" Storing address book information is a common LDAP application because of its fast queries and reads, and OpenLDAP also supports session encryption (SSL/TLS) and directory server replication, so a very good open-source solution can be built. The following discussion is based on OpenLDAP 2.0.7, which supports both LDAPv2 and LDAPv3. The most important additions in LDAPv3 over LDAPv2 are support for Transport Layer Security (TLS) and additional authentication methods. OpenLDAP can be installed in two ways: from source or from DEB/RPM packages. The source code can be downloaded from http://www.openldap.org/; RPM packages are available from http://rpmfind.net/ or on distribution CDs.
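The article suggests generating the LDIF file above from /etc/passwd with a Perl script. As an added example (not the article's code, and in Python rather than Perl), the following builds inetOrgPerson entries for the Employees unit from constructed passwd lines, escaping RDN values as RFC 2253 requires and base64-encoding values that LDIF (RFC 2849) cannot carry as plain text; the @acme.com mail convention and the UID cut-off are assumptions.

```python
import base64

# Constructed /etc/passwd lines (not from the article); GECOS holds "Name,Room,Phone".
PASSWD_LINES = [
    "rjones:x:1001:100:Ray D. Jones,Room 12,444-555-6767:/home/rjones:/bin/sh",
    "ewoods:x:1002:100:Eric S. Woods:/home/ewoods:/bin/sh",
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin",
]
BASE_DN = "ou=Employees,o=Acme,c=US"  # the article's Employees unit, compact form
MIN_UID = 1000                        # assumed cut-off for system accounts

def escape_rdn_value(value):
    """Escape the characters RFC 2253 reserves inside an RDN value."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0)
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if special or edge_space else ch)
    return "".join(out)

def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when RFC 2849 forbids the plain form."""
    safe = value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode('ascii')}"

def passwd_to_ldif(lines, base_dn=BASE_DN, min_uid=MIN_UID):
    """Turn passwd lines into inetOrgPerson entries under base_dn (ASCII names assumed)."""
    entries = []
    for line in lines:
        user, _, uid, _, gecos, _, _ = line.split(":")
        if int(uid) < min_uid:
            continue                      # skip system accounts
        fields = [f.strip() for f in gecos.split(",")]
        cn = fields[0]
        sn = cn.split()[-1]               # inetOrgPerson requires cn and sn
        entry = [
            "dn: cn=" + escape_rdn_value(cn) + "," + base_dn,
            "objectClass: inetOrgPerson",
            ldif_line("cn", cn),
            ldif_line("sn", sn),
            ldif_line("uid", user),
            ldif_line("mail", user + "@acme.com"),  # assumed mail convention
        ]
        if len(fields) > 2 and fields[2]:
            entry.append(ldif_line("telephoneNumber", fields[2]))
        entries.append("\n".join(entry))
    return "\n\n".join(entries) + "\n"
```

The result can be written to TestData.ldif and loaded with the ldapadd command shown later in the article.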
The source installation proceeds as follows:

    [root@radiusd src]# tar -xzvf openldap-2.0.7.tgz
    [root@radiusd src]# cd openldap-2.0.7
    [root@radiusd openldap-2.0.7]# ./configure --prefix=/usr/local

Here --prefix indicates that OpenLDAP is to be installed under /usr/local; this is not required.
    [root@radiusd openldap-2.0.7]# make depend; make

Before finishing the installation, run the tests:

    [root@radiusd openldap-2.0.7]# make test
    [root@radiusd openldap-2.0.7]# make install

If any compile error occurs, seek help on the OpenLDAP mailing list. You may need to add the following directories to the PATH environment variable: /usr/local/libexec, /usr/local/bin and /usr/local/sbin. Installation from RPM packages is as follows:

    rpm -ivh openldap-2.0.7-14-i386.rpm
    rpm -ivh openldap-devel-2.0.7-14-i386.rpm

Next edit slapd.conf, the configuration file of the slapd daemon. The slapd process answers client applications' requests to access the directory service. The configuration file is stored in /usr/local/etc/openldap. To use the Netscape address book attributes, some additional schema configuration must be added: put the include lines for the schema files at the beginning of slapd.conf, bearing in mind that the schema directory path may differ depending on the installation path. Modify the suffix and rootdn lines to the DN you need:

    suffix  "o=Acme, c=US"
    rootdn  "cn=root, o=Acme, c=US"

Here the cn=root entry is our administrative DN, which is not subject to any access control or restriction. Its default is cn=Manager, but I wanted root to have access. Add the following to the end of slapd.conf to give Netscape read access for directory filtering and search operations. All requests that access the directory service without authenticating are treated as an anonymous user. The DN entry below is written in normalised form, that is, with all spaces removed and the values separated only by commas; in access control you must write your entries this way, otherwise they will not work. Adapt it to your own needs. The OpenLDAP 2.0 Administrator's Guide documents the configuration of access permissions very well. This level of access control is sufficient for testing purposes.
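The exact access lines are not reproduced in the article. As an added illustration (not the article's configuration), here are constructed slapd.conf fragments: a weak one carrying the problems just discussed (the default rootpw secret, a DN with spaces in an access rule, a directory writable by everyone) and a hardened counterpart, with a small checker that flags the weak settings; the schema paths and the {SSHA} placeholder are assumptions, and the real hash must come from slappasswd.

```python
import re

# Constructed slapd.conf fragments (not the article's file). The weak one carries
# the problems the article warns about; the hardened one corrects them.
WEAK_CONF = """\
suffix   "o=Acme, c=US"
rootdn   "cn=root, o=Acme, c=US"
rootpw   secret
access to dn="ou=Managers, o=Acme, c=US" by * read
access to * by * write
"""
HARDENED_CONF = """\
include  /usr/local/etc/openldap/schema/core.schema
include  /usr/local/etc/openldap/schema/cosine.schema
include  /usr/local/etc/openldap/schema/inetorgperson.schema
suffix   "o=Acme, c=US"
rootdn   "cn=root, o=Acme, c=US"
rootpw   {SSHA}PLACEHOLDER-paste-the-output-of-slappasswd-here
access to attrs=userPassword by self write by anonymous auth by * none
access to dn="ou=Managers,o=Acme,c=US" by dn="cn=root,o=Acme,c=US" write by * read
access to * by * read
"""

def compact_dn(dn):
    """Write a DN the way slapd ACLs expect it: no spaces around the commas."""
    return ",".join(part.strip() for part in dn.split(","))

def check_slapd_conf(text):
    """Return (line number, message) pairs for the weak settings found."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        pw = re.match(r"rootpw\s+(\S+)", line)
        if pw and pw.group(1) == "secret":
            findings.append((num, "rootpw is the stock default 'secret'"))
        elif pw and not pw.group(1).startswith("{"):
            findings.append((num, "rootpw is cleartext; use a slappasswd hash"))
        # ACL clauses: the 'access to' line and any indented 'by' continuation lines.
        if line.startswith(("access", "by")):
            for dn in re.findall(r'dn="([^"]*)"', line):
                if dn != compact_dn(dn):
                    findings.append((num, f"ACL DN contains spaces and will not match: {dn}"))
            if re.search(r"by\s+\*\s+write", line):
                findings.append((num, "everyone, including anonymous binds, may write"))
    return findings
```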
Now we start the slapd server. If LDAP was installed from RPM/DEB packages, the start script may be /etc/rc.d/init.d/ldap or /etc/init.d/ldap, depending on the Linux distribution used. You can of course also start it manually for testing:
    slapd &

Then check whether slapd is running:

    > ps -ef | grep -i slapd | grep -v grep
    root     15479     1  0 10:42 ?        00:00:00 slapd
    root     15483 15479  0 10:42 ?        00:00:00 slapd
    root     15484 15483  0 10:42 ?        00:00:00 slapd
    root     15491 15483  0 10:43 ?        00:00:00 slapd

Check whether the default LDAP port 389 is listening:

    netstat -an | grep 389
    tcp   0   0 0.0.0.0:389   0.0.0.0:*   LISTEN

Everything looks normal here, so the LDAP data can be imported into the database:

    ldapadd -D "cn=root, o=Acme, c=US" -W -v -f TestData.ldif

The -D parameter binds to the directory as the unrestricted cn=root DN so that information can be written to the directory. The -W parameter makes the tool prompt for the password. The password is set by the rootpw line in slapd.conf; the default is secret. Using this default password is very dangerous, so it should be changed once testing is complete. Remember to use the -v parameter for verbose output, so you can determine whether an error occurred and how to fix it.

Testing

When the data import is complete, the next step is to configure a client for testing. The Netscape address book supports many directory attributes; the Resources section below contains a link to the Netscape address book API standard. This simple test uses cn, sn, mail, telephoneNumber and localityName. The Nickname field of the address book is supported by the attribute xmozillanickname, which is not in any default schema and requires the schema to be modified; this article does not cover modifying the schema. Open the Netscape address book, choose File -> New Directory and enter the LDAP server information:

    Description: Acme Address Book
    LDAP Server: the IP address or hostname of your LDAP server
    Server Root: o=Acme, c=US

The port number and the other settings do not need to be changed, and since the connection is made as an anonymous user, no username or password needs to be set.
Click OK, then select "Acme Address Book" in the directory column on the left, and finally enter a query such as Smith in the "Show Names Containing" box and press Enter. You should see one row of data returned. If you want a separate list for each organisational unit, create another new directory entry in Netscape:

    Description: Acme Managers
    LDAP Server: the IP address or hostname of your LDAP server
    Server Root: ou=Managers, o=Acme, c=US

This restricts searches to the Managers organisational unit of the Acme directory, that is, a certain amount of filtering is achieved. The same restriction can of course be applied to Employees.