LDAP and perl Jim Harle US Naval Academy (until January 2004) harle@usna.edu jimharle@comcast.net
What is LDAP • Lightweight Directory Access Protocol • Simplification of X.500 • Hierarchical database • Access methods • Communications protocols • Common API
What uses LDAP? • Email address books • White pages • NOS directory • Custom applications • Lots of commercial apps now use it: Remedy, Web Intelligence, Blackboard at USNA • Authentication/authorization (web, unix/linux via PAM, etc)
What servers? • Novell NDS / eDirectory • SunONE / iPlanet Directory Server • OpenLDAP • M$ Active Directory • Lotus Notes / Domino • M$ Exchange • IBM (SecureWay) Directory Server • more
How do I organize my server? • No fixed rules. • Religious wars. • May be strongly influenced by server vendor (e.g., max objects per node). • Security / Administrative rights primary importance. • Think through carefully before you implement. Try to foresee future.
Schema • Object classes • Similar to RDBMS tables but same attributes may be in more than one • Can vary from vendor to vendor • Attributes • Similar to RDBMS columns, but might be multi-valued • Can vary from vendor to vendor • Matching rules • Define for equality, substring, ordering e.g.: • Case sensitive or not • Telephone number match • String vs integer
Example from an eDirectory subschema: the standard person object class and the givenName attribute.

objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass'
  SUP ( top $ ndsLoginProperties ) STRUCTURAL
  MUST ( cn $ sn )
  MAY ( description $ seeAlso $ telephoneNumber $ fullName $ givenName $ initials $
        generationQualifier $ uid $ assistant $ assistantPhone $ city $ st $ company $ co $
        directReports $ manager $ mailstop $ mobile $ personalTitle $ pager $ workforceID $
        instantMessagingID $ preferredName $ Photo $ jobCode $ siteLocation $ employeeStatus $
        employeeType $ costCenter $ costCenterDescription $ tollFreePhoneNumber $
        otherPhoneNumber $ managerWorkforceID $ roomNumber $ jackNumber $ departmentNumber $
        vehicleInformation $ accessCardNumber $ isManager $ userPassword )
  X-NDS_NAMING ( 'cn' 'uid' ) X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'domain' )
  X-NDS_NAME 'Person' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' )

attributeTypes: ( 2.5.4.42 NAME 'givenName' DESC 'Standard Attribute'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32}
  X-NDS_NAME 'Given Name' X-NDS_PUBLIC_READ '1' X-NDS_LOWER_BOUND '1' )
Add your own attributes • Register an OID arc • Build object classes • Define attributes

objectClasses: ( 2.16.840.1.113719.2.153 NAME 'USNAperson' DESC 'Standard ObjectClass' AUXILIARY
  MAY ( personalTitle $ buildingName $ USNAalpha $ USNAmailList $ USNAbattalion $ USNAdeptCode $
        USNAclassification $ USNAservicebranch $ USNAacDeptGidNumber $ USNAmidshipmanInBrigade $
        USNAcompany $ USNAmiddleName $ USNAmidshipmanMajor $ USNApageMaintainer $
        USNAmidshipmanStatus $ USNAmailStop $ USNAoRep $ USNAcourseSect $ USNAacctTransitionDate $
        USNAplatoon $ USNAsquad $ USNAacctTransitionTime )
  X-NDS_NOT_CONTAINER '1' )

attributeTypes: ( 2.16.840.1.113719.2.153.1.18 NAME 'USNAsquad' DESC 'Standard Attribute'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64512} SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1' )
Net::LDAP Written by Graham Barr, author of many well respected CPAN modules. Actively maintained. Pure perl – no C code.
# Simple search
use strict;
use warnings;
use Net::LDAP;

my $ldap = Net::LDAP->new('myldapsrv.where.com') or die "connect: $@";
my $mesg = $ldap->bind();                        # anonymous bind
die "bind error: " . $mesg->error if $mesg->code;
$mesg = $ldap->search(
    base   => 'o=myorg',                         # search base (the slide omitted it; most servers need one)
    filter => '(cn=smith)',
    attrs  => ['givenName', 'mail'],
);
die "search error: " . $mesg->error if $mesg->code;
foreach my $entry ($mesg->all_entries) {
    print $entry->dn(), "\n";                    # Distinguished name
    print "Name(s)";
    foreach my $val ($entry->get_value('givenName')) {   # attribute names are matched case-insensitively
        print " $val";
    }
    print "\n";
    my $mail = $entry->get_value('mail');        # scalar context: 1st value only
    print "Mail $mail\n";
}
Search Filters
• Examples (from RFC2254):
  – (cn=Babs Jensen)
  – (!(cn=Tim Howes))
  – (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
  – (o=univ*of*mich*)
• Comparison operators: = (equality), =* (presence), ~= (approximate), >=, <=, and * inside a value (substring)
• Logical operators: & | !
• Must escape inside a value: * ( ) \ NUL, written as \2a \28 \29 \5c \00. Untrusted input that reaches a filter unescaped can change what the filter matches (LDAP injection).
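The escaping rule above, worked through as an added example (not code from the slides): the RFC 2254 escape applied to three constructed logins, showing the filter an application would send with and without it. Net::LDAP::Util::escape_filter_value does the same job in the real module; this copy uses only core Perl so it runs with no directory server present. The function names and the sample inputs are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example, not from the slides: escaping user input before it is
# interpolated into an LDAP search filter.  RFC 2254 requires "*", "(",
# ")", "\" and NUL inside a value to be written as \2a \28 \29 \5c \00.
use strict;
use warnings;

# Same contract as Net::LDAP::Util::escape_filter_value, reimplemented here
# so the example needs no non-core module.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\*\(\)\\\x00])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}

# Build an equality filter from a trusted attribute name and an untrusted
# value (the pattern the authentication slides use with uid=$login).
sub uid_filter {
    my ($login) = @_;
    return '(uid=' . escape_filter_value($login) . ')';
}

# Constructed inputs: a normal login, a bare wildcard (matches every entry
# that has a uid, so "first match" logic would pick an arbitrary user), and
# an injection that tries to turn "(uid=X)" into an OR over everyone.
my @inputs = (
    'smith',
    '*',
    'smith)(|(uid=*)',
);

for my $login (@inputs) {
    printf "%-20s unsafe: %-26s safe: %s\n",
        "'$login'", "(uid=$login)", uid_filter($login);
}
```

With the escape applied the wildcard becomes a literal `\2a` and the parentheses in the third input become `\29`/`\28`, so each filter can only ever match a uid equal to the string the user typed.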
# simplest authentication
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);

my $ldap = Net::LDAP->new('myldapsrv.where.com') or die "connect: $@";
print "login ";    chomp(my $login = <STDIN>);
print "password "; chomp(my $passw = <STDIN>);
# A bind with a DN and an empty password is an anonymous bind, which the server reports
# as success: refuse it here rather than treat it as a valid login.
die "empty password\n" unless length $passw;
# escape_dn_value keeps a login containing "," or "=" from rewriting the DN
my $mesg = $ldap->bind('uid=' . escape_dn_value($login) . ',ou=accts,o=myorg',
                       password => $passw);
print $mesg->code ? "Wrong\n" : "Right\n";   # the original "print ($mesg->code)?..." printed only the code
# more complex authentication
# already connected ($ldap), and know $login and $passw
use Net::LDAP::Util qw(escape_filter_value);

my $mesg = $ldap->bind();   # anonymous
# escape $login: an unescaped "*" or ")(" in it would rewrite the filter
my $filter = '(uid=' . escape_filter_value($login) . ')';
$mesg = $ldap->search(filter => $filter, base => 'o=userBranch', attrs => ['1.1']);   # '1.1' = DN only
my $bad = $mesg->code || ($mesg->count() != 1);   # must match exactly one entry
unless ($bad) {
    my $dn = $mesg->entry(0)->dn;
    $mesg = $ldap->bind($dn, password => $passw);   # "password =>" is required; $passw must be non-empty
    $bad = $mesg->code;
}
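The two authentication slides above, combined into one hardened "search, then bind as the user" routine, as an added example that is not code from the slides. Everything named here is an assumption for the illustration: the host myldapsrv.where.com, the user branch o=userBranch, a read-only service account cn=lookup,ou=svc,o=myorg whose password is taken from the environment, the CA bundle path, and the login allowlist regex. It needs a directory server to run against.

```perl
#!/usr/bin/perl
# Added example, not from the slides: the "search, then bind" login with the
# checks a practitioner wants.  Assumptions (not from the slides): host
# myldapsrv.where.com, users under o=userBranch, a read-only service account
# cn=lookup,ou=svc,o=myorg with its password in $ENV{LDAP_SVC_PASSWORD}, and
# a CA bundle at /etc/ssl/certs/ca-bundle.crt to verify the server.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

use constant {
    LDAP_HOST => 'myldapsrv.where.com',
    USER_BASE => 'o=userBranch',
    SVC_DN    => 'cn=lookup,ou=svc,o=myorg',
    CA_FILE   => '/etc/ssl/certs/ca-bundle.crt',
};

# Returns the user's DN on success and undef on every kind of failure, so
# the caller (and anyone watching responses) cannot tell "no such user"
# from "wrong password".
sub authenticate {
    my ($login, $password) = @_;

    # A simple bind with a DN and an empty password is an anonymous bind
    # (RFC 4513) that the server reports as success: refuse it up front.
    return undef unless defined $password && length $password;
    # Site rule (assumed here): logins are short and made of safe characters.
    return undef unless defined $login && $login =~ /^[\w.@-]{1,64}$/;

    my $svc_pw = $ENV{LDAP_SVC_PASSWORD} // '';
    return undef unless length $svc_pw;   # same anonymous-bind trap for the service account

    # Never send a password in clear: upgrade to TLS and verify the server.
    my $ldap = Net::LDAP->new(LDAP_HOST, timeout => 10) or return undef;
    my $mesg = $ldap->start_tls(verify => 'require', cafile => CA_FILE);
    return undef if $mesg->code;

    # Look the user up with the service account rather than anonymously,
    # with the login escaped so "*" or ")(" cannot rewrite the filter.
    $mesg = $ldap->bind(SVC_DN, password => $svc_pw);
    return undef if $mesg->code;
    $mesg = $ldap->search(
        base   => USER_BASE,
        scope  => 'sub',
        filter => '(&(objectClass=person)(uid=' . escape_filter_value($login) . '))',
        attrs  => ['1.1'],                 # RFC 4511: return no attributes, only DNs
    );
    return undef if $mesg->code || $mesg->count != 1;   # exactly one match, or nothing
    my $dn = $mesg->entry(0)->dn;

    # Bind as the user on the same TLS-protected connection; the result
    # code of this bind is the verdict.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = !$mesg->code;
    $ldap->unbind;
    return $ok ? $dn : undef;
}

unless (caller) {
    print "login ";    chomp(my $login = <STDIN> // '');
    print "password "; chomp(my $pw    = <STDIN> // '');
    my $dn = authenticate($login, $pw);
    print $dn ? "Right ($dn)\n" : "Wrong\n";
}
```

The reason for the service account is that anonymous search rights are often the first thing a directory administrator removes; the reason for the single undef return on every path is that distinct error messages turn the login form into a username oracle.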
Adding entries
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Entry;
# connect, bind as a privileged account here; $ldap is the bound handle and
# $psw holds the new user's password
my $entry = Net::LDAP::Entry->new();
$entry->dn('cn=harle,ou=ITSD,ou=people,dc=usna,dc=edu');
$entry->add(
    objectClass  => ['top', 'person'],   # multi-valued: pass an array ref, not the key twice
    sn           => 'Harle',
    fullName     => 'Jim Harle',
    mail         => 'harle@usna.edu',
    userPassword => $psw,                # sent as given; whether the server hashes it is a server setting
    # ...
);
my $res = $ldap->update($entry);   # a new Entry has changetype 'add', so update() performs an add
die "add error: " . $res->error() if $res->code();
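The userPassword line above sends whatever value it is given, and servers that do not hash on their own will store it as-is. As an added example (not code from the slides), the following produces the value in the {SSHA} salted-SHA-1 form that OpenLDAP and several other servers store and verify themselves, plus the matching check a server performs on bind. It is an assumption that the target server takes userPassword in this form; eDirectory and Active Directory manage passwords differently and do not. Only core Perl modules are used, so it runs with no directory server present; the sample password is constructed.

```perl
#!/usr/bin/perl
# Added example, not from the slides: build a userPassword value as a salted
# SHA-1 hash in the {SSHA} form, instead of sending the cleartext in the add
# request.  Assumed: the server stores userPassword verbatim and compares
# {SSHA} values itself (OpenLDAP does; eDirectory and AD do not).
use strict;
use warnings;
use Digest::SHA qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# {SSHA} value = "{SSHA}" . base64( sha1(password . salt) . salt ).
# The salt follows the 20-byte digest so a verifier can recover it.
sub ssha_hash {
    my ($password, $salt) = @_;
    $salt //= pack('C*', map { int rand 256 } 1 .. 8);   # 8 salt bytes; use a CSPRNG in production
    return '{SSHA}' . encode_base64(sha1($password . $salt) . $salt, '');
}

# Check a candidate password against a stored {SSHA} value (what the
# server does on bind).  Returns 1 on match, 0 otherwise.
sub ssha_check {
    my ($password, $stored) = @_;
    return 0 unless $stored =~ /^\{SSHA\}([A-Za-z0-9+\/=]+)$/;
    my $raw = decode_base64($1);
    return 0 unless length($raw) > 20;        # digest plus at least one salt byte
    my $salt = substr($raw, 20);
    return ssha_hash($password, $salt) eq $stored ? 1 : 0;
}

# Constructed demonstration values.
my $psw    = 'correct horse battery staple';
my $stored = ssha_hash($psw);
print "userPassword: $stored\n";
print "right password: ", ssha_check($psw, $stored), "\n";
print "wrong password: ", ssha_check('Correct horse', $stored), "\n";
# $stored is what goes into $entry->add( userPassword => ... ) on the
# previous slide; the cleartext is then not part of the add request.
```

Two values hashed from the same password differ because each call draws a fresh salt, which is the point of the salt: identical passwords in the directory do not produce identical stored values.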
Changing values
use strict;
use warnings;
use Net::LDAP;
# connect and bind as a privileged account, or as self if you have rights
# search to find the appropriate DN ($dn), then:
my $mesg = $ldap->modify($dn,
    replace => { fullName => 'James Albert Harle', mail => 'jimharle@comcast.net' });
warn 'No replace: ' . $mesg->error if $mesg->code;
$mesg = $ldap->modify($dn, delete => ['employeeType']);        # remove the whole attribute
warn 'No delete: ' . $mesg->error if $mesg->code;
$mesg = $ldap->modify($dn, delete => { givenName => 'Jimbo' }); # remove one value only
warn 'No delete: ' . $mesg->error if $mesg->code;
$mesg = $ldap->modify($dn, add => { givenName => 'Jimmy' });    # add a value
warn 'No add: ' . $mesg->error if $mesg->code;
Deleting and renaming objects
my $res = $ldap->delete($dn);
die "delete error: " . $res->error if $res->code;
# moddn takes the DN plus options: the new RDN, and whether the old RDN value is removed from the entry
$res = $ldap->moddn('cn=harle,ou=ITSD,ou=people,dc=usna,dc=edu',
    newrdn => 'cn=jimharle', deleteoldrdn => 1);
die "rename error: " . $res->error if $res->code;
Synchronization • Normally ‘automatic’ within a vendor’s servers • Tools exist for cross vendor synchronization, but seem broken. • Can’t read passwords in eDirectory or Active Directory • Capture at source (e.g. web page) • Regular checker for other attributes
• Join the mailing list: perl-ldap-subscribe@perl.org
• FAQ at http://perl-ldap.sourceforge.net/FAQ.html
• Recent, well written introductory article at http://www.linuxjournal.com/article.php?sid=7086
• Also http://www.otterbook.com/materials/lisa02-LDAP.pdf
• Also Chapter 7 of Professional Perl Development, Kobes et al., Wrox Press.
• Several LDAP books. Most have very little of use unless you are a hard core developer.
• Nice free Windows LDAP browser from http://www.softerra.com/download/download.php