What is LDAP?

Lightweight Directory Access Protocol

Lightweight Directory - Directories are kind of like a database but not really. A directory is a specialized database that is optimized for lookups. Unlike a traditional RDBMS, LDAP is not designed to show complex relationships between relations. Imagine if 99% of your actions on were going to be simple "selects", and you wanted anyone, anywhere to be able to do these selects over the Internet. This is where LDAP excels. Examples of directories are the TVGuide, the phone book, a library card catalog, and DNS.

"Give me the phone number of John Smith."

"Give me all the tv shows that are on tonight on the Sci-Fi channel."

Access Protocol - LDAP is an outgrowth of the x.500 standard. LDAP is an open standard, unlike many other proprietary directory solutions. Most of the directory-like solutions that were out on the market are now very similar to LDAP. Some of these solution providers, Sun and Microsoft specifically, have designed JNDI and ADSI APIs so that you can connect with any kind of directory service. This is kind of like ODBC or JDBC is to an RDBMS.

Cool things you can do with LDAP

-Contact Management

-Users and Security

-Image storage

-Document Management

-Store business logic - actual code or SQL statements

-Your ideas?

How does LDAP work?

Client connects to server --> operations --> disconnect from server

These operations include:

1. binding to server

2. searching for an entry

3. comparing entries

4. adding an entry

5. modifying existing entries

6. removing an entry

 

What about LDAP heirarchies and schemas?

The directory schema is the outline of how the directory will be laid out and what kind of information it will hold. You design your directory’s schema by modifying some text .conf files. Netscape has a gui to help you with this.

Example1: slapd.oc.conf – objectclass conf file

Here is the file in which objectclasses are defined.

######################################################

objectclass person

oid 2.5.6.6

superior top

requires

sn,

cn

allows

description,

seeAlso,

telephoneNumber,

userPassword

Example 2: slapd.at.conf – attribute conf file

Here is the file in which we define attributes of each objectclass are defined.

#######################################################

# X.500(93) User Schema for use with LDAP

# Taken from <draft-ietf-asid-ldapv3schema-x500-00.txt>

#######################################################

attribute objectClass 2.5.4.0 cis

attribute aliasedObjectName 2.5.4.1 dn

attribute knowledgeInformation 2.5.4.2 cis

attribute cn commonName 2.5.4.3 cis

attribute sn surName 2.5.4.4 cis

attribute serialNumber 2.5.4.5 cis

attribute c countryName 2.5.4.6 cis

...

The format of this file is:

attribute attribute-name [attribute-aliases] [attribute-oid] syntax

Example 3: building a directory

Uniqueness and Heirarchy. Each entry in the LDAP directory is expected to be unique and heirarchical. All entries in an LDAP directory structure are uniquely identified through their DN (distinguished name). Since the directory structure is potentially the entire world, this means that each DN has to hold information that will make it unique in the directory and in the world. The DN is therefore a kind of unique key. In addition, each layer of the directory builds on the layer before it.

All this and more info goes into the LDIF file (LDAP Data Interchange Format). There are a bunch of scripts and utilities to help you modify these files if you have a server.

You can make your own attributes. First you should make a new objectclass. Then add your new attribute to the objectclass.

For example we would add to the slapd.oc.conf file:

airiusPerson

superior

inetOrgPerson

allowed

dateOfBirth,

preferredOS

airiusOrganization

superior

organization

allowed

buildingFloor,

vicePresident

OR

airiusEntry

allowed

dateOfBirth,

preferredOS,

buildingFloor,

vicePresident

More information can be found at "Customizing the Schema" http://developer.netscape.com/docs/manuals/directory/deploy30/data.htm

 




How do you make an LDAP client?

There are SDKs in many languages including perl, C, C++ and Java, to help you make an LDAP client. Go get the SDK for your language and use the functions that it provides to connect to and operate on an LDAP server. More details below.

How do you make an LDAP server?

There are many options, including Sun, Netscape, Microsoft, Qualcomm, OpenLDAP(free). If you don't want to install your own directory service, but just want to play with LDAP, instructions for using publically available LDAP servers, such as bigfoot and four11, are below.

 

Getting the client environment set up for perl

(1) Linux and perl 5.004 alone

  1. Install perl
  2. Install the LDAP SDK for C from http://developer.netscape.com/directory (binary)
  3. Install the LDAP SDK for perl from http://www.mozilla.org

(you build) or Netscape (binary)

(2) Windows NT and perl

  1. Install the non-ActiveState perl version ftp://ftp.cs.colorado.edu/pub/perl/CPAN/ports/win32/Standard/x86/perl5.00402-bindist04-bc.zip
  2. Install the LDAP SDK for C from Netscape
  3. Install the LDAP SDK for perl from Netscape

Getting the server environment set up

(1) Installing your own LDAP server

  1. Linux: OpenLDAP http://www.openldap.org
  2. Windows NT: Netscape Directory Server. Free evals from Netscape?

(2) Using a publically available LDAP server

This is generally easier to start with since you know it is set up properly and is functioning correctly. Plus you don't really need anything special other than a standard version 4 web browser.

Publically available LDAP servers:

ldap.bigfoot.com

ldap.four11.com (now Yahoo People?)

ldap.switchboard.com (used by AltaVista people searches?)

usdsa.psi.net

ldap.itd.umich.edu

mailhub.jpl.nasa.gov

 

How to connect your client to a server

We will use a publically available LDAP server in these examples, since that is very easy and everyone can participate. There are 4 ways to get started:

(1) LDAP url from the browser (no perl or SDK required)

(2) sample perl scripts that come with the SDK (perl and SDK required)

(3) write a little perl client to connect (perl and SDK required)

(4) write a little perl client to connect through an URL (perl and SDK required)

(1) You can use an LDAP url with IE 4+ or Netscape 4+.

In Netscape, you can put the search strings right on the URL line, but in Explorer, you just put the ldap address, and you are prompted for the rest (Explorer is kind of lame for this reason, and I do not recommend using it while you are trying to learn about LDAP). Helpful info http://www.ogre.com/mirror/nscp/jsdk3/url.htm.

This is the format of an LDAP URL:

ldap[s]://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>

Component

Description

<hostname>

Name (or IP address in dotted format) of the LDAP server (for example, ldap.netscape.com or 192.202.185.90).

<port>

Port number of the LDAP server. If no port is specified, the standard LDAP port (389) is used.

<base_dn>

Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is starting point of the search. If this component is empty, the search starts at the root DN.

<attributes>

The attributes to be returned. To specify more than one attribute, use commas to delimit the attributes (for example, "mail,telephoneNumber").

If no attributes are specified in the URL, all attributes are returned.

<scope>

The scope of the search, which can be one of these values:

base: retrieves information only about the distinguished name (<base_dn>) specified in the URL.

one: retrieves information about entries one level below the distinguished name (<base_dn>) specified in the URL. The base entry is not included in this scope.

sub: retrieves information about entries at all levels below the distinguished name (<base_dn>) specified in the URL. The base entry is included in this scope.

If no scope is specified, the server performs a base search.

<filter>

Search filter to apply to entries within the

specified scope of the search.

If no filter is specified, the server uses the filter (objectClass=*).

Example 1

ldap://ldap.bigfoot.com:389/o=airius.com?cn,mail,?sub?(cn=billybob thornton)

In this example we are asking for specific fields (cn, mail).

Bigfoot returns:

billybob thornton

Name billybob thornton

Email punkguyz@hotmail.com

Four11 returns:

Billybob Thornton

Email big_bad_bill@yahoo.com

Example 2:

ldap://ldap.bigfoot.com:389/o=airius.com??sub?(cn=billybob thornton)

In this example, we left attributes blank, so we will end up with all the fields, which is interesting because then you can see that layer of the directory schema.

Bigfoot returns:

billybob thornton

Email punkguyz@hotmail.com

Name billybob thornton

Organization hotmail.com

First Name billybob

surname thornton

Four11 returns:

Billybob Thornton

City Fargo

c US

Email big_bad_bill@yahoo.com

First Name Billybob

Last Name Thornton

st ND

Name Billybob Thornton

 

(2) You can use the sample scripts that come with the LDAPSDK

Just use the qsearch program and customize the parameters appropriately.

C:\ldapsdk\perldap-1.0\examples>perl qsearch.pl –h ldap.bigfoot.com -b "o=airius.com" "cn=billybob thornton"

Searched for `cn=billybob thornton':

dn: cn="billybob thornton",mail=punkguyz@hotmail.com,c=US,o=hotmail.com

mail: punkguyz@hotmail.com

cn: billybob thornton

o: hotmail.com

surname: thornton

 

(3) You can write a little script to connect.

This is good for testing your install. I lifted this code from Mark Wilcox's book. Thanks Mark.

SCRIPT VARIATION #1

This is the simplest test. Just search for your own email address in the bigfoot directory, and return all the information that is listed for that record. In the RDBMS world this would be kind of like a SELECT statement, i.e. SELECT * FROM directory WHERE mail='megan@gate.net'

#!/usr/local/bin/perl

use Mozilla::LDAP::Conn;

my $host = "ldap.bigfoot.com";

my $port = 389;

my $dn = "";

my $password = "";

my $base = "o=airius.com";

my $scope = "subtree";

my $filter = "(mail=punkguyz\@hotmail.com)";

my $ldap = new Mozilla::LDAP::Conn($host,$port,$dn,$password)

|| die("Failed to open LDAP connection\n");

my $entry = $ldap->search($base, $scope, $filter);

if(! $entry)

{

print "Search failed. Try again.\n";

}

else

{

while($entry)

{

$entry->printLDIF();

$entry= $ldap->nextEntry();

}

}

SCRIPT VARIATION #2

This one shows an array of attribs being returned instead of the entire attributes list being returned by default. This could be a substantial savings in a directory with large records. In the RDBMS world, this operation is kind of like a "project" in which

you choose a few columns to display from a larger set of columns: SELECT cn,mail,telephonenumber FROM directory WHERE mail='megan@gate.net'

The 0 means "do you want to return both values and attribute names or just the attribute names?" 0 is the default and means that you want to return both.

In the RDBMS world, an attribute name is a column. And a value is the field value for that attribute.

The @attribs is the list of attribs you are asking for.

#!/usr/local/bin/perl

use Mozilla::LDAP::Conn;

my $host = "ldap.bigfoot.com";

my $port = 389;

my $dn = "";

my $password = "";

my $base = "o=airius.com";

my $scope = "subtree";

my $filter = "(mail=punkguyz\@hotmail.com)";

my @attribs;

push (@attribs,"cn");

push (@attribs,"mail");

push (@attribs,"telephonenumber");

my $ldap = new Mozilla::LDAP::Conn($host,$port,$dn,$password)

|| die("Failed to open LDAP connection\n");

>> my $entry = $ldap->search($base,$scope,$filter,0,@attribs);

if(! $entry)

{

print "Search failed. Try again.\n";

}

else

{

while($entry)

{

$entry->printLDIF();

$entry= $ldap->nextEntry();

}

}

 

(4) You could use an LDAP url from within a perl script.

Use your @attribs array to build the url, then searchURL().

#!/usr/local/bin/perl

use Mozilla::LDAP::Conn;

use Mozilla::LDAP::Utils;

use Mozilla::LDAP::Entry;

my $host = "ldap.bigfoot.com";

my $port = 389;

my $dn = "";

my $password = "";

my $base = "o=airius.com";

my $filter = "(cn=BillyBob Thornton)";

my $scope = "sub";

my $url = "ldap://$host:$port/$base?";

my @attribs;

push (@attribs, "cn");

push (@attribs, "mail");

push (@attribs, "sn");

my $ldap = new Mozilla::LDAP::Conn($host,$port,$dn,$password)

|| die("Failed to open LDAP connection.\n");

my $attribute;

foreach $attribute(@attribs)

{

$url .= $attribute. ",";

}

$url .= "?".$scope;

$url .= "?".$filter;

print "url: $url\n";

my $entry = new Mozilla::LDAP::Entry();

if ($ldap->isURL($url))

{

$entry=$ldap->searchURL($url);

}

else

{

die("$url is not a valid LDAP URL\n");

}

if (! $entry)

{

print "Search failed. Try again.";

}

else

{

while ($entry)

{

$entry->printLDIF();

$entry = $ldap->nextEntry();

}

}

 

 

 

Bigfoot returns a nicely formatted list like this:

url: ldap://ldap.bigfoot.com:389/o=airius.com?cnmailsn?sub?(cn=BillyBob Thornton)

dn: cn="billybob thornton",mail=punkguyz@hotmail.com,c=US,o=hotmail.com

mail: punkguyz@hotmail.com

cn: billybob thornton

o: hotmail.com

surname: thornton

You could even add a portion of code that accepted a filter from the commandline and searched on that.

c:\> perl test.pl "(cn=billybob thornton)"

...

my $term = shift;

my $filter = $term;

...

 

More operations on the LDAP directory

  1. Bind. You must be able to bind (authenticate) as "Directory Manager" in some cases.
  2. Search. We already did this.
  3. Compare. We already did this.
  4. Create. You create (add) a new entry using Mozilla::LDAP::Entry, and use setDN() to set up the DN of the entry. Assign. You assign attributes to your new entry in name-value pairs with $entry->addValue("cn", "BillyBob Thornton")
  5. Modify. You can modify existing values using these same create/assign methods also. If an entry has two values for an attribute, when you replace the attribute, you will write over both values.
  6. Delete. You can delete entries with the delete(dn) method.

Example 1: replacing one of many attributes

#!/usr/local/bin/perl

use Mozilla::LDAP::Conn;

>> my $host = "ldap.myldapserver.com";

my $port = 389;

>> my $dn = "Directory Manager";

>> my $password = "secret";

>> my $base = "uid=bthornton, ou=People,o=airius.com";

>> my $scope = "base";

>> my $filter = "uid=bthornton";

my @attribs;

attribs[0] = "cn";

my $goodValue = "William Robert Thornton";

my $badValue = "billybob thornton";

my $ldap = new Mozilla::LDAP::Conn($host,$port,$dn,$password)

|| die("Failed to open LDAP connection\n");

my $entry = $ldap->search($base, $scope, $filter,0,@attribs);

if(! $entry)

{

print "Search failed. Try again.\n";

}

else

{

my @cn = @{$entry->{‘cn’}};

$entry->removeValue("cn",$badValue);

$entry->addValue("cn",$goodValue);

$ldap->update($entry);

if ($ldap->getErrorCode())

{

print $ldap->printError();

}

my $newEntry =

$ldap->search($base,$scope,$filter,0,@attribs);

if(! $newEntry)

{

die("Search failed. Try again.\n");

}

else

{

$newEntry->printLDIF();

}

}

 

Putting It All Together

  1. Building an LDAP Gateway in Perl. You can write a cgi script take data from a to search or update an LDAP gateway. You could even make it a pure client-side (non-cgi) implementation since you can use javascript to build a URL based on form input. GQ (http://biot.com/gq/) is a small GTK-based LDAP client which lets you query any LDAP server with a graphical interface.
  2. Hooking LDAP to an email client. It’s even easier if the client is web based, again because we can use the URL method.
  3. LDAP for user authentication.
  4. LDAP for holding snippets of business logic. If you put your SQL statements in LDAP, you could call them from anywhere in the world.
  5. LDAP for tax calculation. This is my idea that I think would be really cool.