1 / 23

LDAP and perl

LDAP and perl. Jim Harle US Naval Academy (until January 2004) harle@usna.edu jimharle@comcast.net. What is LDAP. Lightweight Directory Access Protocol Simplification of X.500 Hierarchical database Access methods Communications protocols Common API. What uses LDAP?.

quynh
Download Presentation

LDAP and perl

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. LDAP and perl Jim Harle US Naval Academy (until January 2004) harle@usna.edu jimharle@comcast.net

  2. What is LDAP • Lightweight Directory Access Protocol • Simplification of X.500 • Hierarchical database • Access methods • Communications protocols • Common API

  3. What uses LDAP? • Email address books • White pages • NOS directory • Custom applications • Lots of commercial apps now use it: Remedy, Web Intelligence, Blackboard at USNA • Authentication/authorization (web, unix/linux via PAM, etc)

  4. What servers? • Novel NDS eDirectory • SunONE / iPlanet Directory Server • OpenLDAP • M$ Active Directory • Lotus Notes / Domino • M$ Exchange • IBM (SecureWay) Directory Server • more

  5. How do I organize my server? • No fixed rules. • Religious wars. • May be strongly influenced by server vendor (e.g., max objects per node). • Security / Administrative rights primary importance. • Think through carefully before you implement. Try to foresee future.

  6. Deep Organization

  7. Shallow Tree

  8. Schema • Object classes • Similar to RDBMS tables but same attributes may be in more than one • Can vary from vendor to vendor • Attributes • Similar to RDBMS columns, but might be multi-valued • Can vary from vendor to vendor • Matching rules • Define for equality, substring, ordering e.g.: • Case sensitive or not • Telephone number match • String vs integer

  9. objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP (top $ ndsLoginProperties ) STRUCTURAL MUST (cn $ sn ) MAY (description $ seeAlso $ telephoneNumber $ fullName $ givenName $ initials $ generationQualifier $ uid $ assistant $ assistantPhone $ city $ st $ company $ co $ directReports $ ma nager $ mailstop $ mobile $ personalTitle $ pager $ workforceID $ instantMess agingID $ preferredName $ Photo $ jobCode $ siteLocation $ employeeStatus $ employeeType $ costCenter $ costCenterDescription $ tollFreePhoneNumber $ othe rPhoneNumber $ managerWorkforceID $ roomNumber $ jackNumber $ departmentNumber $ vehicleInformation $ accessCardNumber $ isManager $ userPassword ) X-NDS_ NAMING ('cn' 'uid' ) X-NDS_CONTAINMENT ('organization' 'organizationalUnit' ' domain' ) X-NDS_NAME 'Person' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' )attributeTypes: ( 2.5.4.42 NAME 'givenName' DESC 'Standard Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} X-NDS_NAME 'Given Name' X-NDS_PUBLIC_READ '1 ' X-NDS_LOWER_BOUND '1')

  10. Add your own attributesRegister an OID arcBuild object classesDefine attributesobjectClasses: ( 2.16.840.1.113719.2.153 NAME 'USNAperson' DESC 'Standard Obje ctClass' AUXILIARY MAY (personalTitle $ buildingName $ USNAalpha $ USNAmailLi st $ USNAbattalion $ USNAdeptCode $ USNAclassification $ USNAservicebranch $ USNAacDeptGidNumber $ USNAmidshipmanInBrigade $ USNAcompany $ USNAmiddleName $ USNAmidshipmanMajor $ USNApageMaintainer $ USNAmidshipmanStatus $ USNAmailStop $ USNAoRep $ USNAcourseSect $ USNAacctTransitionDate $ USNAplatoon $ USNAsquad $ USNAacctTransitionTime ) X-NDS_NOT_CONTAINER '1' )attributeTypes: ( 2.16.840.1.113719.2.153.1.18 NAME 'USNAsquad' DESC 'Standard Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64512} SINGLE-VALUE X-NDS_NO T_SCHED_SYNC_IMMEDIATE '1' )

  11. Net::LDAP Written by Graham Barr, author of many well respected CPAN modules. Actively maintained. Pure perl – no C code.

  12. # Simple search use Net::LDAP; my $ldap = Net::LDAP->new(‘myldapsrv.where.com’); $ldap->bind (); my $mesg = $ldap->search ( filter => ‘(cn=smith)’, attrs => [‘givenName’,’mail’] ); foreach my $entry ($mesg->all_entries) { print $entry->dn(),"\n"; #Distinguished name print “Name(s)“; foreach my $val ($entry->get_value(‘givenname’)) { print “ $val”; } print “\n”; my $mail = $entry->get_value(‘mail’); #1st value only print “Mail $mail\n”; }

  13. Search Filters • Examples (from RFC2254): – (cn=Babs Jensen) – (!(cn=Tim Howes)) – (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*))) – (o=univ*of*mich*) • Comparison operators: = =* ~= >= <= * • Logical operators: & | ! • Must quote: * ( ) \ NUL

  14. #simplest authenticationuse Net::LDAP;my $ldap = Net::LDAP->new(‘myldapsrv.where.com’);print “login “; chomp (my $login = <>);print “password “; chomp (my $passw = <>);my $mesg = $ldap->bind(“uid=$login,ou=accts,o=myorg”, password => $passw);print ($mesg->code)?”Wrong”: “Right”;

  15. #more complex authentication# already connected, know login and password$ldap->bind (); # anonymousmy $mesg = $ldap->search (filter=>“uid=$login”, base => ‘o=userBranch’, attrs = [ ]);my $bad = $mesg->code || ($mesg->count() != 1);unless ($bad) { my $dn = $mesg->entry(0)->dn; $mesg = $ldap->bind($dn, $password); $bad = $mesg->code;}

  16. Adding entries use Net::LDAP; use Net::LDAP::Entry; # connect, bind as a privileged account here my $entry = Net::LDAP::Entry->new(); $entry->dn(‘cn=harle, ou=ITSD, ou=people, dc=usna, dc=edu’); $entry->add( sn => ‘Harle’, fullName => ‘Jim Harle’, mail => ‘harle@usna.edu’, userPassword => $psw, objectClass => ‘top’, objectClass => ‘person’, … ); $res = $ldap->update($entry); die "add error:" . $res->error() if $res->code();

  17. Changing values use Net::LDAP; # connect and bind as privileged account or as self if you have rights # search to find appropriate DN $mesg = $ldap->modify ( $dn, replace => {fullname => ‘James Albert Harle’, mail => ‘jimharle@comcast.net’} ); warn ‘No replace’ if $mesg->code; $mesg = $ldap->modify ( $dn, delete => [employeeType]); $mesg = $ldap->modify ( $dn, delete => {givenname => ‘Jimbo’}); $mesg = $ldap->modify ( $dn, add => {givenName => ‘Jimmy’} );

  18. Deleting and renaming objects $ldap->delete($dn); $ldap->moddn( ‘cn=harle, ou=ITSD, ou=people, dc=usna, dc=edu’, ‘cn=jimharle’);

  19. Synchronization • Normally ‘automatic’ within a vendor’s servers • Tools exist for cross vendor synchronization, but seem broken. • Can’t read passwords in eDirectory or Active Directory • Capture at source (e.g. web page) • Regular checker for other attributes

  20. Join mailing list: perl-ldap-subscribe@perl.orgFAQ at http://perl-ldap.sourceforge.net/FAQ.htmlRecent well written introductory article at http://www.linuxjournal.com/article.php?sid=7086Also http://www.otterbook.com/materials/lisa02-LDAP.pdfAlso Chapter 7 of Professional Perl Development, Kobes et.al, Wrox Press.Several LDAP books. Most have very little of use unless you are a hard core developer.Nice free Windows LDAP browser from http://www.softerra.com/download/download.php

More Related