What is LDAP?
LDAP is lightweight, sufficient, straightforward and easy to implement, as against X.500 DAP, which is heavyweight.
LDAP
It is a directory because data is organised in the form of a tree, much like the Unix file system. It uses a simplified set of encodings, runs directly above TCP/IP, and uses strings to represent data.
LDAP
LDAP security model: defines how information can be protected from unauthorised access.
LDAP API
There are several LDAP APIs (application programming interfaces). The oldest ones are written in C; nowadays LDAP APIs are available in other programming languages like Perl and Java.
LDAP backends
The basic daemon process that runs on the LDAP server, called slapd, comes with three different backend databases. We assume that in our case we use LDBM, the most used one.
LDIF
LDIF stands for LDAP Data Interchange Format. Directory entries in LDAP are in the form of LDIF.
LDIF format
Basic form of LDIF:

    # comment
    dn: <distinguished name>
    <attrdesc>: <attrvalue>
    <attrdesc>: <attrvalue>
    ...

Example: dn: uid=alakesh,dc=iit,dc=edu
LDAP
In addition to being a network protocol, it also defines four models. LDAP information model: defines the kind of data you put in the directory. LDAP naming model: defines how you organise and refer to directory information.
LDIF format
Lines starting with # are considered to be comments. All other attributes are written in <attrdesc>: <value> form.
LDIF
Each entry is uniquely identified by a distinguished name, or DN. The DN consists of the name of the entry plus a path in the directory tree tracing back to the top of the directory hierarchy.
The object class defines the set of attributes that can be used to define an entry.
LDIF
Directory data is represented as attribute-value pairs. Any specific piece of information is associated with a descriptive attribute.
LDAP configuration
The configuration file slapd.oc.conf contains the definitions of all the object classes. The attributes of the object classes are defined in the slapd.at.conf file.
LDAP configuration
Each object class has required and allowed attributes. Required attributes must be present, while allowed attributes are optional.
LDAP configuration
Each attribute has a corresponding syntax definition.
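The LDIF rules above (comments, attribute: value lines, a DN made of the entry's own name plus the path back to the root, object classes with required and allowed attributes, and per-attribute syntax definitions) can be checked before anything is handed to ldapadd. The following Python is an added example, not code from the slides: it parses a constructed LDIF sample and validates each entry against a constructed, simplified schema (the SCHEMA and SYNTAX tables stand in for slapd.oc.conf and slapd.at.conf and are not the real OpenLDAP schema). The parser also handles two LDIF features the slides do not show, folded lines and base64 (::) values.

```python
import base64
import re

# Constructed schema standing in for slapd.oc.conf / slapd.at.conf: required and
# allowed attributes per object class (lower-cased, attribute names are
# case-insensitive) plus syntax rules for a few attributes.
SCHEMA = {
    "person": {"required": {"cn", "sn"}, "allowed": {"description", "telephonenumber"}},
    "posixaccount": {"required": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     "allowed": {"description", "gecos", "loginshell"}},
}
SYNTAX = {"uidnumber": re.compile(r"^\d+$"), "homedirectory": re.compile(r"^/"),
          "telephonenumber": re.compile(r"^\+?\d+$")}

# Constructed LDIF: a valid entry (folded line, base64 value) and a broken one.
SAMPLE_LDIF = """\
# constructed sample data
dn: uid=alakesh,dc=iit,dc=edu
objectClass: person
objectClass: posixAccount
cn: Alakesh
sn: Example
uid: alakesh
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/
 alakesh
description:: QSBiYXNlNjQgdmFsdWU=

dn: cn=Broken,dc=iit,dc=edu
objectClass: person
cn: Broken
telephoneNumber: 12-abc
favouriteColour: blue
"""


def parse_ldif(text):
    """Parse LDIF into [{'dn': str, 'attrs': {name: [values]}}], handling
    '#' comments, blank-line separators, folded lines and 'attr:: base64'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # folded line continues the previous one
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends the entry
            if current:
                entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.strip().lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current["attrs"].setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def dn_components(dn):
    """Split a DN at unescaped commas: the entry's own RDN first, then the path to the top."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def validate_entry(entry, schema=SCHEMA, syntax=SYNTAX):
    """Return the list of problems found in one entry (empty means valid)."""
    problems, attrs = [], {k.lower(): v for k, v in entry["attrs"].items()}
    required, allowed = set(), {"objectclass"}
    for oc in attrs.get("objectclass", []):
        rule = schema.get(oc.lower())
        if rule is None:
            problems.append("unknown objectClass %s" % oc)
            continue
        required |= rule["required"]
        allowed |= rule["allowed"]
    for name in sorted(required - attrs.keys()):
        problems.append("missing required attribute %s" % name)
    for name in sorted(attrs.keys() - required - allowed):
        problems.append("attribute %s not allowed by object classes" % name)
    for name, values in attrs.items():
        for v in values:
            if name in syntax and not syntax[name].match(v):
                problems.append("attribute %s value %r fails syntax" % (name, v))
    # The RDN (first DN component) must name an attribute value of the entry.
    rdn_attr, _, rdn_value = dn_components(entry["dn"])[0].partition("=")
    if rdn_value not in attrs.get(rdn_attr.strip().lower(), []):
        problems.append("RDN value not present in the entry's attributes")
    return problems
```

Running validate_entry over parse_ldif(SAMPLE_LDIF) reports nothing for the first entry and, for the second, the missing required sn, the favouriteColour attribute that no object class allows, and the telephoneNumber value that fails its syntax rule; the same checks applied to a real schema are what slapd performs when it rejects an ldapadd.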
ldapadd
The OpenLDAP package comes with a shell executable named ldapadd, used to add entries to the database while the LDAP server is running. Its basic syntax is: ldapadd -f <datafile> -D <dn> -w <passwd> (or -W if the password is to be prompted for).
ldapdelete
Another shell executable, for deleting entries.
Its syntax is: ldapdelete "cn=hi,o=iitb,c=india"
ldapmodify
Another shell executable, to modify data in the directory database.
It has a similar syntax to ldapadd.
ldapsearch
A shell-accessible interface to the ldap_search() C routine. ldapsearch opens a connection to the LDAP server and performs a search whose filter follows the filtering rules defined in RFC 1558.
ldapsearch
For example: ldapsearch -b "c=india" "o=iitb". If * (everyone) is allowed read access by default, the o=iitb entry will be returned.
The -b option specifies the search base.
JNDI example
Typical code written using JNDI to do an LDAP search looks like this:

    import java.util.Hashtable;
    import java.util.Enumeration;
    import javax.naming.*;
    import javax.naming.directory.*;

    class Search {
        public static void main(String[] args) throws NamingException {
            // Environment for the initial context: the provider factory class
            // and the server URL. Env is a helper class not shown on the slides;
            // it is assumed to hold the factory class name (INITCTX) and the
            // LDAP URL of the server (MY_SERVICE).
            Hashtable env = new Hashtable(5, 0.75f);
            env.put(Context.INITIAL_CONTEXT_FACTORY, Env.INITCTX);
            env.put(Context.PROVIDER_URL, Env.MY_SERVICE);
            // The slide stops here; the rest completes the fragment: open the
            // directory context, search the subtree under the base given as
            // args[0] with the filter given as args[1], and print each DN found.
            DirContext ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration results = ctx.search(args[0], args[1], controls);
            while (results.hasMore()) {
                SearchResult sr = (SearchResult) results.next();
                System.out.println(sr.getNameInNamespace());
            }
            ctx.close();
        }
    }
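Both ldapsearch and the JNDI ctx.search() call take a filter string that follows the RFC 1558 grammar (today RFC 4515), in which *, (, ), \ and NUL are metacharacters. Whenever part of a filter comes from outside the program (a username typed into a login form, a command-line argument), that part has to be escaped so it is matched literally; otherwise a value containing * or ) changes the shape of the query rather than the value being looked up. The following Python is an added example, not code from the slides or from OpenLDAP: the RFC 4515 escaping routine, its inverse, and the naive and escaped ways of building a uid filter side by side. Non-ASCII characters are also written as escaped UTF-8 bytes, which RFC 4515 permits.

```python
def escape_filter_value(value):
    """Escape a string for use as an assertion value inside an LDAP search
    filter. The bytes '*', '(', ')', '\\' and NUL, which have meaning in the
    filter grammar (RFC 4515, successor of RFC 1558), and every non-ASCII
    UTF-8 byte are written as a backslash followed by two hex digits."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b > 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def unescape_filter_value(escaped):
    """Inverse of escape_filter_value: turn each '\\xx' sequence back into a byte."""
    buf, i = bytearray(), 0
    while i < len(escaped):
        if escaped[i] == "\\" and i + 2 < len(escaped):
            buf += bytes.fromhex(escaped[i + 1:i + 3])
            i += 3
        else:
            buf += escaped[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def naive_uid_filter(uid):
    """Plain concatenation: any filter metacharacter in uid alters the query."""
    return "(uid=%s)" % uid


def safe_uid_filter(uid):
    """The same filter with the value escaped, so uid is always matched literally."""
    return "(uid=%s)" % escape_filter_value(uid)
```

The escaped form is what belongs in the filter argument of ldapsearch or in the filter string handed to ctx.search(); an escaped value never contains a bare * or parenthesis, so the server sees exactly one equality assertion regardless of what the value contains.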
Why LDAP?
Most LDAP servers are optimized for read-intensive operations. Thus, one can see an order-of-magnitude difference when reading data from an LDAP directory versus obtaining the same data from a relational database server optimized for OLTP. Because of this optimization, however, most LDAP directories are not suited for