LDAP Basics

Upload: keyser-soeze

Post on 06-Apr-2018


  • 8/3/2019 LDAP Basics

    1/72

    Directory-Enabled Applications

    Tim Howes

    Netscape Communications Corporation

  • 2/72

    Overview

    What LDAP can and can't do for you

    LDAP history and overview

    The LDAP API

    The Netscape LDAP SDK

    Integrating LDAP with your environment

    What the future holds

  • 3/72

    Setting the stage...

    "Directory services are the logical place at which network services, applications, and people meet, find one another, and act."

    The Burton Group, July 1996

    "[HTTP] sparked a networking revolution... Now [LDAP] is poised to go even further... Its potential is enormous."

    Network Computing, October 1996

  • 4/72

    What LDAP can do for you

    Three perspectives

    As a user

    As an administrator

    As a developer

  • 5/72

    What LDAP can do for you

    As a user

    Single place to maintain personal information

    Single source for information about others

    The place to find what you need to access

    Makes remote access as easy as local access

    Unchains you from your desktop

    Facilitates everyday communication and work

  • 6/72

    What LDAP can do for you

    As an administrator

    Single place to administer users and groups

    Single place to administer enterprise configuration information

    Allows authority to be distributed

    Allows data to be distributed and replicated for reliability and performance

  • 7/72

    What LDAP can do for you

    As an application developer

    Allows you to provide these functions to your users

    Place to get and store information about users

    Place to get and store configuration information

    Provides mobility to users of your application

    General attribute/value directory that is fast, replicated, and reliable

  • 8/72

    What LDAP can't do for you

    Replace the relational database

    Replace the DNS

    Replace Internet search services

    LDAP complements all of these things

  • 9/72

    LDAP history

    First there was X.500: the OSI directory service

    Some great ideas, but it's OSI

    Heavyweight

    Separate infrastructure

    Few implementations

    Kitchen sink approach

  • 10/72

    LDAP history

    Along came the Lightweight Directory Access Protocol: at first, a lightweight front end to X.500

    TCP transport

    Trimmed down functionality

    String encodings

    IETF-defined

    Spurred lots of client development

  • 11/72

    LDAP history: X.500 roots

    [Diagram: an LDAP client speaks LDAP to an LDAP server; the LDAP server speaks DAP to an X.500 server; X.500 servers speak DAP and DSP among themselves.]

  • 12/72

    LDAP history

    But if I have LDAP, do I really need X.500?

    NO!

    University of Michigan slapd (stand-alone LDAP daemon) provides the proof

    Netscape and 40+ other vendors picked up this ball and are running with it

  • 13/72

    LDAP history: stand-alone LDAP

    [Diagram: an LDAP client speaks LDAP to an LDAP server, and LDAP servers speak LDAP among themselves; no X.500 server is involved.]

  • 14/72

    LDAP models: overview

    The Big Picture

    Information: what can be stored

    Namespace: how it can be referenced

    Functional: what can be done with it

    Security: how it can be protected

  • 15/72

    The LDAP Big Picture

    [Diagram: an LDAP client sends requests to an LDAP server and receives responses. The server listens on TCP port 389 for LDAP and on 636 for LDAP over SSL.]

  • 16/72

    LDAP models: overview

    The Big Picture

    Information: what can be stored

    Namespace: how it can be referenced

    Functional: what can be done with it

    Security: how it can be protected

  • 17/72

    LDAP models: information

    The basic unit of information is the entry

    An entry is a collection of attributes

    Each attribute has a type and one or more values

    The type determines what kind of values can be stored

  • 18/72

    Information model illustrated

    [Diagram: an Entry is made up of Attr, Attr, Attr, ...; an Attribute is made up of a Type and Value, Value, ...]

  • 19/72

    LDAP models: information

    Example: a complete entry for a person

    cn: Barbara Jensen

    cn: Babs Jensen

    sn: Jensen

    mail: [email protected]

    jpegphoto: /9j/4AAQSkZJRgABAA...

    objectclass: top

    objectclass: person

  • 20/72

    LDAP models: information

    Notice the special objectclass attribute

    Objectclass controls what other attributes are required and allowed in the entry

    This is how LDAP does schema

  • 21/72

    LDAP models: overview

    Information: what can be stored

    Namespace: how it can be referenced

    Functional: what can be done with it

    Security: how it can be protected

  • 22/72

    LDAP models: namespace

    One or more attributes from the entry are used to form the entry's relative distinguished name (RDN)

    Entries can, but need not, be arranged in a hierarchical tree-like structure

    An entry's full name (its distinguished name, DN) is formed using its RDN and the RDNs of its ancestors

    The format is defined in RFC 1779

  • 23/72

    LDAP models: namespace

    Example Hierarchical LDAP Tree

    [Diagram: each node is shown with its RDN, its DN, and a few of its attributes]

    c=AU  (RDN: c=AU; DN: c=AU)
        c: AU
        co: Australia
        ...

    c=US  (RDN: c=US; DN: c=US)
        c: US
        co: America
        ...

        o=Ace Industry  (RDN: o=Ace Industry; DN: o=Ace Industry, c=US)
            o: Ace Industry
            fax: +1 415 555-1212
            ...

            cn=Barbara Jensen  (RDN: cn=Barbara Jensen; DN: cn=Barbara Jensen, o=Ace Industry, c=US)
                cn: Barbara Jensen
                cn: Babs Jensen
                sn: Jensen
                mail: [email protected]
                ...

        o=Netscape
            o: Netscape
            url: http://home.netscape.com/
            ...
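As an added example (not part of the original slides), here is the RDN/DN arithmetic the tree above illustrates, written in C in the spirit of the deck's ldap_explode_dn() but without the LDAP library: explode_dn() splits a DN into its RDNs, most specific first, and compose_dn() forms an entry's DN from its own RDN and its parent's DN. The function names, the fixed buffer sizes and the sample DNs are this example's own assumptions. It also handles the backslash-escaped comma that RFC 1779 allows inside a value, which a naive split on commas would get wrong.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Fixed limits for this example: number of RDNs in a DN and the length of each. */
#define MAX_RDNS 16
#define MAX_RDN_LEN 128

/* Split a DN such as "cn=Barbara Jensen, o=Ace Industry, c=US" into its RDNs,
 * most specific first, in the spirit of ldap_explode_dn(). A comma preceded by
 * a backslash is part of the value, not a separator (RFC 1779 quoting), and
 * blanks around the separators are dropped. Returns the number of RDNs, or -1
 * if a component is too long or there are too many of them. */
int explode_dn(const char *dn, char rdns[][MAX_RDN_LEN], int max_rdns)
{
    int count = 0;
    size_t len = 0;
    const char *p = dn;

    if (max_rdns <= 0)
        return -1;
    while (isspace((unsigned char)*p))
        p++;
    for (; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            /* keep the escape and the escaped character together */
            if (len + 2 >= MAX_RDN_LEN)
                return -1;
            rdns[count][len++] = *p++;
            rdns[count][len++] = *p;
            continue;
        }
        if (*p == ',') {
            /* trim trailing blanks, terminate, and start the next component */
            while (len > 0 && isspace((unsigned char)rdns[count][len - 1]))
                len--;
            rdns[count][len] = '\0';
            if (++count >= max_rdns)
                return -1;
            len = 0;
            while (isspace((unsigned char)p[1]))
                p++;
            continue;
        }
        if (len + 1 >= MAX_RDN_LEN)
            return -1;
        rdns[count][len++] = *p;
    }
    while (len > 0 && isspace((unsigned char)rdns[count][len - 1]))
        len--;
    rdns[count][len] = '\0';
    return len > 0 ? count + 1 : count;   /* an empty DN has no RDNs */
}

/* Return the i-th RDN of dn (0 = most specific) from a static buffer, or NULL
 * if dn is malformed or i is out of range. */
const char *rdn_at(const char *dn, int i)
{
    static char rdns[MAX_RDNS][MAX_RDN_LEN];
    int n = explode_dn(dn, rdns, MAX_RDNS);
    return (n < 0 || i < 0 || i >= n) ? NULL : rdns[i];
}

/* Build an entry's DN from its own RDN and its parent's DN, the way the
 * namespace model describes it. Returns 0 on success, -1 if out is too small. */
int compose_dn(const char *rdn, const char *parent_dn, char *out, size_t outlen)
{
    int n;
    if (parent_dn == NULL || parent_dn[0] == '\0')
        n = snprintf(out, outlen, "%s", rdn);          /* a root entry such as c=US */
    else
        n = snprintf(out, outlen, "%s, %s", rdn, parent_dn);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* the deck's hierarchical example, walked in both directions */
    char rdns[MAX_RDNS][MAX_RDN_LEN], dn[256];
    int n, i;

    if (compose_dn("cn=Barbara Jensen", "o=Ace Industry, c=US", dn, sizeof dn) != 0)
        return 1;
    printf("DN: %s\n", dn);
    n = explode_dn(dn, rdns, MAX_RDNS);
    for (i = 0; i < n; i++)
        printf("  RDN %d: %s\n", i, rdns[i]);
    return 0;
}
```

The fixed-size buffers and explicit length checks are deliberate: DNs arrive from the network, so a parser that writes into a caller-supplied buffer should refuse input that does not fit rather than truncate it silently.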

  • 24/72

    LDAP models: namespace

    For corporate directories, the namespace usually follows a country, locality, organization model

    LDAP the protocol does not require this

    You can construct your own flat namespace or other configurations

  • 25/72

    LDAP models: namespace

    Example Flat LDAP Tree

    [Diagram: three entries side by side, none of which has a parent, so each entry's DN is just its RDN]

    cn=Gern Jensen  (RDN: cn=Gern Jensen; DN: cn=Gern Jensen)
        cn: Gern Jensen
        sn: Jensen
        mail: [email protected]
        ...

    cn=Bjorn Jensen  (RDN: cn=Bjorn Jensen; DN: cn=Bjorn Jensen)
        cn: Bjorn Jensen
        sn: Jensen
        mail: [email protected]
        objectclass: top
        objectclass: person
        ...

    cn=Barbara Jensen  (RDN: cn=Barbara Jensen; DN: cn=Barbara Jensen)
        cn: Barbara Jensen
        cn: Babs Jensen
        sn: Jensen
        mail: [email protected]
        ...

  • 26/72

    LDAP models: overview

    Information: what can be stored

    Namespace: how it can be referenced

    Functional: what can be done with it

    Security: how it can be protected

  • 27/72

    LDAP models: functional

    Nine protocol operations

    Bind, Unbind

    Search, Compare

    Add, Delete, Modify, Modify RDN

    Abandon

  • 28/72

    LDAP models: functional

    Bind: authenticate to the server

    Unbind: end a protocol session

    Search: search for and retrieve entries based on some search criteria

    Compare: see if an entry contains a given attribute value

  • 29/72

    LDAP models: functional

    Add: add entries to the directory

    Delete: delete entries from the directory

    Modify: change an existing directory entry

    Modify RDN: change the RDN of an existing directory entry

    Abandon: cancel an operation in progress

  • 30/72

    LDAP models: functional

    Search is very powerful... you specify:

    Where to begin the search (base object)

    The scope of the search (subtree, one-level, base object)

    The filter used to select entries (RFC 1960)

    The attributes to return

    Size and time limits

  • 31/72

    LDAP models: functional

    Example search: return the email address of all entries in the o=Ace Industry, c=US subtree that have a surname of Jensen

    Base: o=Ace Industry, c=US

    Scope: LDAP_SCOPE_SUBTREE

    Filter: (sn=Jensen)

    Attrs: mail

  • 32/72

    LDAP models: functional

    Example search: find the phone and email of all people in Ace Industry who have an email address and are in the marketing department

    Base: o=Ace Industry, c=US

    Scope: LDAP_SCOPE_SUBTREE

    Filter: (&(mail=*)(dept=marketing)(objectclass=person))

    Attrs: telephonenumber, mail
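The filters in these two examples are written by the programmer, but in a real application the assertion value usually comes from a user (a name typed into a search box). As an added example that is not from the slides, the C code below builds the deck's two filters and escapes the assertion value the way RFC 1960 (and RFC 4515 after it) requires: '*', '(', ')', '\' and NUL inside a value become a backslash followed by two hex digits, so a value containing those characters is matched literally instead of altering the structure of the filter. The function names and buffer sizes are assumptions of this example; the `*` in `(mail=*)` is a presence filter the programmer writes deliberately and is not escaped.

```c
#include <stdio.h>
#include <string.h>

/* Escape one assertion value for use inside a search filter. RFC 1960 (and
 * RFC 4515 after it) requires '*', '(', ')' and '\' inside a value to be
 * written as a backslash followed by two hex digits (NUL too, but a C string
 * cannot carry one), so that a value taken from user input cannot change the
 * structure of the filter. Returns the number of bytes written, not counting
 * the terminator, or -1 if out is too small. */
int filter_escape_value(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t used = 0;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (used + 3 >= outlen)
                return -1;
            out[used++] = '\\';
            out[used++] = hex[c >> 4];
            out[used++] = hex[c & 0x0f];
        } else {
            if (used + 1 >= outlen)
                return -1;
            out[used++] = (char)c;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Build an equality filter "(type=value)" with the value escaped. Returns 0 on
 * success, -1 if the result does not fit in out. */
int build_equality_filter(const char *type, const char *value, char *out, size_t outlen)
{
    char esc[512];
    int n;

    if (filter_escape_value(value, esc, sizeof esc) < 0)
        return -1;
    n = snprintf(out, outlen, "(%s=%s)", type, esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* AND together a NULL-terminated list of already well-formed component filters,
 * as in the deck's second search example. Returns 0 on success, -1 on overflow. */
int build_and_filter(const char **parts, char *out, size_t outlen)
{
    size_t used;
    int n, i;

    n = snprintf(out, outlen, "(&");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    used = (size_t)n;
    for (i = 0; parts[i] != NULL; i++) {
        n = snprintf(out + used, outlen - used, "%s", parts[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    n = snprintf(out + used, outlen - used, ")");
    return (n < 0 || (size_t)n >= outlen - used) ? -1 : 0;
}

int main(void)
{
    /* the two searches from the deck, plus a surname typed by a user that
     * happens to contain filter metacharacters (constructed sample input) */
    const char *parts[] = { "(mail=*)", "(dept=marketing)", "(objectclass=person)", NULL };
    char filter[256];

    if (build_equality_filter("sn", "Jensen", filter, sizeof filter) == 0)
        printf("%s\n", filter);
    if (build_equality_filter("sn", "Jensen (Babs)", filter, sizeof filter) == 0)
        printf("%s\n", filter);
    if (build_and_filter(parts, filter, sizeof filter) == 0)
        printf("%s\n", filter);
    return 0;
}
```

Escaping is done per value, not on the finished filter, because the operators and parentheses the programmer writes must stay unescaped while anything supplied by a user must not be interpreted as part of the filter syntax.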

  • 33/72

    LDAP models: functional

    Modify lets you change existing entries

    You specify a sequence of changes that

    Add values

    Delete values

    Replace all values

    They all succeed or fail as a group
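The Modify semantics described here (a sequence of add, delete and replace changes that succeeds or fails as a group), together with the information model and the objectclass schema rule from slides 17 to 20, can be shown with a small in-memory entry. The C code below is an added illustration, not code from the deck or from the Netscape SDK: it applies a list of changes to a copy of the entry and commits the copy only if every change and a final schema check pass, returning result codes numbered like the LDAP result codes of the same name. The structure names, the size limits, the single schema rule (person requires sn and cn) and the sample entry are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ATTRS 8
#define MAX_VALUES 4
#define MAX_LEN 64

/* The deck's information model: an entry is a collection of attributes, each
 * with a type and one or more values. Limits are fixed for this example. */
typedef struct { char type[MAX_LEN]; char values[MAX_VALUES][MAX_LEN]; int nvalues; } attribute;
typedef struct { attribute attrs[MAX_ATTRS]; int nattrs; } entry;

/* One change in a Modify request: value == NULL with MOD_DELETE or MOD_REPLACE
 * removes the whole attribute; MOD_REPLACE otherwise keeps only the value given. */
enum mod_op { MOD_ADD, MOD_DELETE, MOD_REPLACE };
typedef struct { enum mod_op op; const char *type; const char *value; } modification;

/* Result codes, numbered like the LDAP result codes they correspond to. */
enum { RES_SUCCESS = 0, RES_PROTOCOL_ERROR = 2, RES_ADMIN_LIMIT = 11,
       RES_NO_SUCH_ATTRIBUTE = 16, RES_VALUE_EXISTS = 20, RES_OBJECTCLASS_VIOLATION = 65 };

static attribute *find_attr(entry *e, const char *type)
{
    int i;
    for (i = 0; i < e->nattrs; i++)
        if (strcmp(e->attrs[i].type, type) == 0) return &e->attrs[i];
    return NULL;
}

static int find_value(const attribute *a, const char *value)
{
    int i;
    for (i = 0; i < a->nvalues; i++)
        if (strcmp(a->values[i], value) == 0) return i;
    return -1;
}

/* Apply a single change to e in place (attribute order is not significant,
 * so a removed attribute is simply overwritten by the last one). */
static int apply_one(entry *e, const modification *m)
{
    attribute *a = find_attr(e, m->type);
    int i;

    if (m->value == NULL) {                        /* remove the whole attribute */
        if (m->op == MOD_ADD) return RES_PROTOCOL_ERROR;
        if (a == NULL) return m->op == MOD_DELETE ? RES_NO_SUCH_ATTRIBUTE : RES_SUCCESS;
        *a = e->attrs[--e->nattrs];
        return RES_SUCCESS;
    }
    if (m->op == MOD_DELETE) {                     /* remove one value */
        if (a == NULL || (i = find_value(a, m->value)) < 0) return RES_NO_SUCH_ATTRIBUTE;
        if (i != a->nvalues - 1) strcpy(a->values[i], a->values[a->nvalues - 1]);
        if (--a->nvalues == 0) *a = e->attrs[--e->nattrs];
        return RES_SUCCESS;
    }
    if (a == NULL) {                               /* ADD or REPLACE creates the attribute */
        if (e->nattrs == MAX_ATTRS) return RES_ADMIN_LIMIT;
        a = &e->attrs[e->nattrs++];
        snprintf(a->type, MAX_LEN, "%s", m->type);
        a->nvalues = 0;
    }
    if (m->op == MOD_REPLACE) a->nvalues = 0;
    else if (find_value(a, m->value) >= 0) return RES_VALUE_EXISTS;   /* no duplicate values */
    if (a->nvalues == MAX_VALUES) return RES_ADMIN_LIMIT;
    snprintf(a->values[a->nvalues++], MAX_LEN, "%s", m->value);
    return RES_SUCCESS;
}

/* The schema rule from slides 19-20: the objectclass decides which attributes
 * are required. One rule is known here, from the standard "person" class,
 * which requires sn and cn. */
static int schema_ok(entry *e)
{
    attribute *oc = find_attr(e, "objectclass");
    if (oc != NULL && find_value(oc, "person") >= 0)
        return find_attr(e, "sn") != NULL && find_attr(e, "cn") != NULL;
    return 1;
}

/* Apply a sequence of changes as a group: work on a copy and commit it only if
 * every change and the final schema check succeed. On failure the first failing
 * result code is returned and e is left exactly as it was. */
int modify_entry(entry *e, const modification *mods, int nmods)
{
    entry work = *e;
    int i, rc;
    for (i = 0; i < nmods; i++)
        if ((rc = apply_one(&work, &mods[i])) != RES_SUCCESS) return rc;
    if (!schema_ok(&work)) return RES_OBJECTCLASS_VIOLATION;
    *e = work;
    return RES_SUCCESS;
}

/* Number of values of type in e, or -1 if the attribute is absent. */
int value_count(entry *e, const char *type)
{
    attribute *a = find_attr(e, type);
    return a == NULL ? -1 : a->nvalues;
}

/* The deck's Barbara Jensen entry, built from ADD changes (constructed sample data). */
entry make_barbara(void)
{
    static const modification init[] = {
        { MOD_ADD, "cn", "Barbara Jensen" }, { MOD_ADD, "cn", "Babs Jensen" }, { MOD_ADD, "sn", "Jensen" },
        { MOD_ADD, "objectclass", "top" }, { MOD_ADD, "objectclass", "person" } };
    entry e;
    memset(&e, 0, sizeof e);
    modify_entry(&e, init, 5);
    return e;
}

int main(void)
{
    entry e = make_barbara();
    const modification mods[] = { { MOD_ADD, "telephonenumber", "+1 415 555-1212" },
                                  { MOD_DELETE, "sn", "Smith" } };
    int rc = modify_entry(&e, mods, 2), i, j;

    /* the second change fails (no such value), so the first is not applied either */
    printf("modify returned %d; entry unchanged:\n", rc);
    for (i = 0; i < e.nattrs; i++)
        for (j = 0; j < e.attrs[i].nvalues; j++)
            printf("%s: %s\n", e.attrs[i].type, e.attrs[i].values[j]);
    return 0;
}
```

Working on a copy and swapping it in at the end is the simplest way to get the all-or-nothing behaviour the slide describes; a server with persistent storage would use a transaction for the same purpose.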

  • 34/72

    LDAP models: overview

    Information: what can be stored

    Namespace: how it can be referenced

    Functional: what can be done with it

    Security: how it can be protected

  • 35/72

    LDAP models: security

    LDAP connections can be authenticated

    The Bind operation does this at the LDAP level

    Simple password-based authentication in v2

    Extensible authentication in v3

    SSL does this at the transport level

    Allows an access control framework to secure the information in the server

  • 36/72

    LDAP models: security

    The Netscape LDAP server provides rich access control

    Protects subtrees, entries, and attributes

    Access can be granted or denied based on

    Distinguished name

    Domain name

    IP address

  • 37/72

    The LDAP API

    History and overview

    A quick example

    Synchronous interface

    Asynchronous interface

    Parsing and other routines

    Support for threads, alternate I/O, SSL, etcetera

  • 38/72

    The LDAP API: history

    Developed at the University of Michigan to be simple, flexible, and powerful

    Defined in RFC 1823, The LDAP Application Program Interface

    Widely adopted and implemented in the LDAP community

    C bindings now, Java and JavaScript soon

  • 39/72

    LDAP API: history

    RFC 1823 defines the basics

    The Netscape SDK includes a few enhancements for

    Information hiding

    Threading

    Security (SSL)

    The core calls are the same

  • 40/72

    A quick example

    Problem: print out the name and every attribute of all Jensens at Ace Industry

    Four steps

    Initialize

    Search

    Parse and print

    Clean up

  • 41/72

    A quick example: code

    #include <stdio.h>
    #include <stdlib.h>
    #include <ldap.h>

    /* error helper used throughout the deck; its body is not shown on the slides */
    static void fail(void) { exit(1); }

    int main(int argc, char **argv)
    {
        LDAP *ld;
        LDAPMessage *e, *result;
        char *dn, *a, **vals;
        BerElement *ber;
        int i;

        /* Init */
        if ((ld = ldap_init("ldap.aceindustry.com", LDAP_PORT)) == NULL)
            fail();
        if (ldap_simple_bind_s(ld, NULL, NULL) != LDAP_SUCCESS)
            fail();

        /* Search */
        if (ldap_search_s(ld, "o=Ace Industry, c=US", LDAP_SCOPE_SUBTREE, "(sn=Jensen)", NULL,
                0, &result) != LDAP_SUCCESS)
            fail();

        /* Parse and print */
        for (e = ldap_first_entry(ld, result); e != NULL; e = ldap_next_entry(ld, e)) {
            dn = ldap_get_dn(ld, e);
            printf("dn: %s\n", dn);
            ldap_memfree(dn);
            for (a = ldap_first_attribute(ld, e, &ber); a != NULL;
                    a = ldap_next_attribute(ld, e, ber)) {
                if ((vals = ldap_get_values(ld, e, a)) != NULL) {
                    for (i = 0; vals[i] != NULL; i++)
                        printf("%s: %s\n", a, vals[i]);
                    ldap_value_free(vals);
                }
            }
            if (ber != NULL)
                ber_free(ber, 0);
            printf("\n");
        }

        /* Cleanup */
        ldap_msgfree(result);
        ldap_unbind(ld);
        return 0;
    }

  • 42/72

    A quick example: output

    dn: cn=Barbara Jensen, o=Ace Industry, c=US

    cn: Barbara Jensen

    sn: Jensen

    mail: [email protected]

    objectclass: top

    objectclass: person

    dn: cn=Bjorn Jensen, o=Ace Industry, c=US

    cn: Bjorn Jensen

    sn: Jensen

    mail: [email protected]

    telephonenumber: +1 415 555-1212

    objectclass: top

    objectclass: person

    ...

  • 43/72

    Example detail: initialization

    #include <ldap.h>

    LDAP *ld;

    /* initialize the LDAP session */
    if ((ld = ldap_init("ldap.aceindustry.com", LDAP_PORT)) == NULL)
        fail();

    /* authenticate as nobody */
    if (ldap_simple_bind_s(ld, NULL, NULL) != LDAP_SUCCESS) {
        ldap_perror(ld, "ldap_simple_bind_s");
        ldap_unbind(ld);
        exit(1);
    }

  • 44/72

    Example detail: search

    LDAPMessage *result;

    if (ldap_search_s(ld, "o=Ace Industry, c=US", LDAP_SCOPE_SUBTREE, "(sn=Jensen)", NULL, 0, &result)
            != LDAP_SUCCESS) {
        ldap_perror(ld, "ldap_search_s");
        ldap_unbind(ld);
        exit(1);
    }

  • 45/72

    Example detail: parse and print

    LDAPMessage *e;
    char *dn, *a, **vals;
    BerElement *ber;
    int i;

    for (e = ldap_first_entry(ld, result); e != NULL; e = ldap_next_entry(ld, e)) {
        dn = ldap_get_dn(ld, e);
        printf("dn: %s\n", dn);
        ldap_memfree(dn);
        for (a = ldap_first_attribute(ld, e, &ber); a != NULL;
                a = ldap_next_attribute(ld, e, ber)) {
            if ((vals = ldap_get_values(ld, e, a)) != NULL) {
                for (i = 0; vals[i] != NULL; i++)
                    printf("%s: %s\n", a, vals[i]);
                ldap_value_free(vals);
            }
        }
        if (ber != NULL)
            ber_free(ber, 0);
        printf("\n");
    }

  • 46/72

    Example detail: cleanup

    ldap_msgfree(result);

    ldap_unbind(ld);

  • 47/72

    Synchronous vs. asynchronous

    Two interfaces to the core LDAP API networking calls

    Synchronous

    Asynchronous

  • 48/72

    Synchronous API

    Synchronous operation

    ldap_search_s(), ldap_modify_s(), etc.

    Caller is blocked until results are received

    Useful for

    Command-line apps

    Directory-only apps

    Simple apps

    Threaded apps

  • 49/72

    Synchronous interaction

    Client                        Server
    initialize LDAP session
    ldap_search_s(...)    ---->   receive search request
                                  process request
    process results       <----   send search result

  • 50/72

    Synchronous example

    LDAP *ld;
    LDAPMessage *res;

    /* ... initialize LDAP session via ldap_init() ... */

    if (ldap_search_s(ld, "o=Ace Industry, c=US",
            LDAP_SCOPE_SUBTREE, "(sn=Jensen)", NULL, 0, &res)
            != LDAP_SUCCESS) {
        ldap_perror(ld, "ldap_search_s");
        fail();
    }

    /* ... parse the results in res, clean up ... */

  • 51/72

    Asynchronous API

    Asynchronous operation

    ldap_search(), ldap_modify(), etc.

    Results returned later by calling ldap_result()

    Useful for

    GUI apps

    High performance apps

    Low resource apps

  • 52/72

    Asynchronous interaction

    Client                        Server
    initialize LDAP session
    ldap_search(...)      ---->   receive search request
    do other stuff                process request
    ldap_result(...)      <----   send search result
    parse results

  • 53/72

    Asynchronous example

    LDAP *ld;
    LDAPMessage *res;
    struct timeval tv;
    int msgid, msgtype;

    /* ... initialize LDAP session via ldap_init() ... */

    if ((msgid = ldap_search(ld, "o=Ace Industry, c=US",
            LDAP_SCOPE_SUBTREE, "(sn=Jensen)", NULL, 0)) == -1) {
        ldap_perror(ld, "ldap_search");
        fail();
    }

    while (1) {
        tv.tv_sec = 0; tv.tv_usec = 0;      /* zero timeout: poll, don't block */
        if ((msgtype = ldap_result(ld, msgid, 0, &tv, &res)) > 0) {
            /* got a result - parse it, print, etc., then free it */
            ldap_msgfree(res);
            if (msgtype == LDAP_RES_SEARCH_RESULT)
                break;                      /* final message of this search */
        } else if (msgtype == 0) {
            /* nothing yet - do other work and try again later */
        } else {
            ldap_perror(ld, "ldap_result");  /* -1: error */
            break;
        }
    }

  • 54/72

    Result parsing

    Stepping through entries

    Stepping through attributes

    Retrieving attribute values

    Dealing with the name of an entry

  • 55/72

    Result parsing: entries

    ldap_first_entry()

    Get the first entry in a chain of search results

    ldap_next_entry()

    Get the next entry in a chain of search results

    Return NULL when no more entries

  • 56/72

    Result parsing: attributes

    ldap_first_attribute()

    Retrieve the first attribute name from an entry

    ldap_next_attribute()

    Retrieve the next attribute name from an entry

    Return NULL when no more attributes

  • 57/72

    Result parsing: attribute values

    ldap_get_values(), ldap_get_values_len()

    Retrieve the values for a given attribute

    ldap_count_values(), ldap_count_values_len()

    Count the number of values returned

  • 58/72

    Result parsing: names

    ldap_get_dn()

    Retrieve the name of an entry

    ldap_explode_dn(), ldap_explode_rdn()

    Break up a name into component parts

    ldap_dn2ufn()

    Convert a name to a user-friendly format

  • 59/72

    Freeing memory

    ldap_memfree(): frees what ldap_get_dn(), ldap_first/next_attribute(), etc. return

    ldap_msgfree(): frees the results of ldap_result(), ldap_search_s(), ldap_search_st()

    ber_free(): frees the ldap_first/next_attribute() cookie

    ldap_unbind(): frees the session from ldap_init(), ldap_sslinit()

  • 60/72

    Error handling

    ldap_get_lderrno()

    Gets information about the last LDAP error

    ldap_result2error()

    Parses an LDAP result containing an error

    ldap_err2string()

    Returns a description of an LDAP error

    ldap_perror()

    Prints an error diagnostic on stderr

  • 61/72

    The Netscape LDAP SDK

    One library/DLL

    nsldap.dll or nsldap32.dll on Windows

    NSLDAPLib on Macintosh

    libldap.a or libldap.so on Unix

    One include file

    ldap.h

  • 62/72

    Thread safety

    The Netscape LDAP SDK is always thread-safe if threads do not share LDAP sessions

    Threads can share LDAP sessions with a little setup on your part

    Provide call-backs for critical sections

    Provide call-backs for errors

    This approach works in virtually any threading environment

  • 63/72

    Thread safety: example

    LDAP *ld;
    struct ldap_thread_fns tfn;

    /* ... call ldap_init() to init the LDAP session ... */

    tfn.ltf_mutex_alloc = my_mutex_alloc;
    tfn.ltf_mutex_free = my_mutex_free;
    tfn.ltf_mutex_lock = pthread_mutex_lock;
    tfn.ltf_mutex_unlock = pthread_mutex_unlock;
    tfn.ltf_get_errno = my_get_errno;
    tfn.ltf_set_errno = my_set_errno;
    tfn.ltf_get_lderrno = my_get_lderrno;
    tfn.ltf_set_lderrno = my_set_lderrno;

    if (ldap_set_option(ld, LDAP_OPT_THREAD_FN_PTRS, (void *) &tfn) != 0) {
        ldap_perror(ld, "ldap_set_option");
        fail();
    }

  • 64/72

    Thread safety: example

    #include <errno.h>

    int
    my_get_errno(void)
    {
        return(errno);
    }

    void
    my_set_errno(int err)
    {
        errno = err;
    }

  • 65/72

    Thread safety: example

    struct ldap_error {
        int le_errno;
        char *le_matched;
        char *le_errmsg;
    };

    static pthread_key_t key;   /* per-thread slot, created earlier with pthread_key_create() */

    int
    my_get_lderrno(char **matchedp, char **errmsgp)
    {
        struct ldap_error *le = pthread_getspecific(key);

        if (le == NULL)             /* nothing recorded for this thread yet */
            return(LDAP_SUCCESS);
        if (matchedp != NULL)
            *matchedp = le->le_matched;
        if (errmsgp != NULL)
            *errmsgp = le->le_errmsg;
        return(le->le_errno);
    }

  • 66/72

    I/O environments

    The LDAP library can be used in different I/O environments with a little setup

    You make one call to pass libldap pointers to your I/O routines

    Open/close

    Read/write

    Socket/connect/ioctl

  • 67/72

    I/O environments: example

    struct ldap_io_fns io;

    io.liof_read = SSL_Read;
    io.liof_write = SSL_Write;
    io.liof_socket = SSL_Socket;
    io.liof_ioctl = SSL_Ioctl;
    io.liof_connect = SSL_Connect;
    io.liof_close = SSL_Close;
    io.liof_ssl_enable = SSL_Enable;

    if (ldap_set_option(ld, LDAP_OPT_IO_FN_PTRS, (void *) &io) != 0) {
        ldap_perror(ld, "ldap_set_option");
        fail();
    }

  • 68/72

    Using LDAP with SSL

    Set up a key database

    Call ldap_sslinit() instead of ldap_init()

    LDAP *ldap_init(char *host, int port);

    LDAP *ldap_sslinit(char *host, int port, int secure);

  • 69/72

    What's next

    LDAP version 3 has many new features

    International support (UTF-8 + language preferences)

    Server-side sorting of search results

    Extensible matching/sorting rules

    Schema available over LDAP

    Paged results (for typedown)

    Better authentication and security

  • 70/72

    What's next

    Coming soon: a revision to the LDAP API and RFC 1823 to support LDAPv3

    Coming soon: another release of the Netscape LDAP SDK supporting LDAPv3

    Coming soon: Java support for LDAP in Navigator

  • 71/72

    Final thoughts

    LDAP has the potential to do for directories what HTTP and HTML did for documents

    The Netscape LDAP SDK provides the tools through which this potential can be unlocked

    Integration with YOUR application is the key

  • 72/72

    Netscape logo slide