LDAP
Basic Concepts
What is LDAP
- LDAP stands for Lightweight Directory Access Protocol.
- LDAP is a message-oriented protocol.
LDAP Protocol Operations
LDAP has nine protocol operations, which can be divided into 3 categories:
- Interrogation operations: search, compare.
- Update operations: add, delete, modify, modify DN (rename).
- Authentication and control operations: bind, unbind, abandon.
- The bind operation allows a client to identify itself to the directory by providing an identity and authentication credentials;
- the unbind operation allows the client to terminate a session;
- the abandon operation allows a client to indicate that it is no longer interested in the results of an operation it had previously submitted.
A typical LDAP client/server exchange:
Step 1. The client opens a TCP connection to an LDAP server and submits a bind operation. This bind operation includes the name of the directory entry the client wants to authenticate as, along with the credentials to be used for authenticating. Credentials are often simple passwords, but they might also be digital certificates used to authenticate the client.
Step 2. After the directory has verified the bind credentials by checking that the password or digital certificate is correct, it returns a success result to the client.
Step 3. The client issues a search request.
Steps 4 and 5. The server processes this request, which results in two matching entries.
Step 6. The server sends a result message.
Step 7. The client then issues an unbind request, which indicates to the server that the client wants to disconnect.
Step 8. The server obliges by closing the connection.
Suffixes, subsuffixes and chained suffixes
- A suffix is a subtree or branch whose entire contents are treated as a unit for administrative tasks. It is located at the root of the directory tree, for example "dc=example,dc=com".
Entries, Attributes and Values
- An entry is the basic unit of information in the directory. An entry is composed of a set of attributes.
- Each attribute has a type and one or more values, such as cn=abc, uid=swang, mail=swang@sun.com.
- Attribute types have a syntax and a set of rules.
- An attribute can hold multiple values or only a single value; which applies is specified by the administrator.
- Required attributes and allowed attributes: for example, an entry describing a person has required attributes (cn and sn); other attributes are allowed but not required.
- User attributes and operational attributes. A typical operational attribute is modifyTimeStamp. Operational attributes are maintained by the directory server and are not included in the entry when it is sent to the client unless the client requests them by name.
-
LDAP Schema
- The schema decides what types of entries the directory tree contains and the attributes available to each entry.
- In contrast to an RDB schema, an LDAP schema has no bearing on the arrangement and relationships of entries in the directory.
- The standard schema is located in /var/opt/mps/serverroot/slapd-cod/config/schema; see the file 00core.ldif.
DN (Distinguished Name )
- A DN is a name that refers to an entry, for example:
uid=bjensen, ou=people, dc=example, dc=com
uid=bjensen,ou=people,dc=example,dc=com
- Spaces after the separators are optional, so the two forms above are equivalent.
RDN (Relative Distinguished Name)
- The RDN is the leftmost component of the DN.
- Among a set of peer entries, the RDN must be unique.
Groups and Roles
- A group is an entry that identifies the other entries that are its members.
- Roles are a grouping mechanism that lets you determine role membership as soon as an entry is retrieved from the directory.
Static Groups and Dynamic Groups
- Static groups explicitly name their member entries. For example:
dn: cn=PD Managers,ou=groups,dc=example,dc=com
ou: groups
description: People who can manage engineer entries
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=kwinters, ou=People, dc=example,dc=com
uniqueMember: uid=trigden, ou=People, dc=example,dc=com
cn: PD Managers
- Static groups are suitable for groups with few members. For better performance, a group should not have more than 20000 members.
- Dynamic groups specify a filter, and all entries that match the filter belong to the group.
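As an added example (not from the original notes) covering the DN/RDN section and the static group above: normalize DNs the way the text describes (spaces after separators are optional), and use the normalized form rather than the raw string to test membership in the groupOfUniqueNames entry. The LDIF text and the DNs tested are constructed from the entry shown above.

```python
# Added example (not from the original notes): normalize DNs as the text
# describes (spaces after separators are optional) and use the normalized
# form to test static-group membership against the entry shown above.
import re

# Constructed sample: the static group from the notes, with the uneven
# spacing in the member DNs exactly as it appears there.
GROUP_LDIF = """\
dn: cn=PD Managers,ou=groups,dc=example,dc=com
ou: groups
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=kwinters, ou=People, dc=example,dc=com
uniqueMember: uid=trigden, ou=People, dc=example,dc=com
cn: PD Managers
"""

def split_rdns(dn):
    """Split a DN into its RDN components on unescaped commas (RFC 4514)."""
    return re.split(r'(?<!\\),', dn)

def normalize_dn(dn):
    """Canonical form: strip spaces around '=' and ',' and lower-case both
    attribute types and values (uid, cn, ou, dc all match case-insensitively)."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition('=')
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ','.join(parts)

def rdn_of(dn):
    """The RDN is the leftmost component of the (normalized) DN."""
    return split_rdns(normalize_dn(dn))[0]

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute type: [values]}; keeps multi-values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def is_member(group_ldif, user_dn):
    """Static-group membership: compare normalized DNs, never raw strings."""
    members = parse_ldif_entry(group_ldif).get('uniquemember', [])
    return normalize_dn(user_dn) in {normalize_dn(m) for m in members}
```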
Managed, Filtered, and Nested Roles
LDIF
LDAP Data Interchange Format is a standard text-based format for describing directory entries, defined in RFC 2849.
LDIF allows you to export your directory data and import it into another directory server.
There are two types of LDIF files: the first describes a set of directory entries; the second is a series of LDIF update statements that describe changes to be applied to directory entries.
Start and Stop Directory Server
/usr/sbin/directoryserver start
/usr/sbin/directoryserver start-admin
/usr/sbin/directoryserver startconsole
/usr/sbin/directoryserver stop-admin
/usr/sbin/directoryserver stop
Search Entries
A search takes 8 parameters:
- base object: the DN at which the search starts
- search scope: one of base, one, sub; the default is sub
- alias dereferencing option
- size limit
- time limit
- attributes-only parameter
- search filter
- list of attributes to return
Examples:
- Simple retrieval:
ldapsearch -b "dc=example,dc=com" "uid=swang"
- Retrieving only certain attributes:
ldapsearch -b "dc=example,dc=com" "uid=swang" cn mail
- Binding with a DN and password:
ldapsearch -h localhost -D "uid=bjensen,ou=people,dc=example,dc=com" -w hifalutin -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)"
- Retrieving persons located in either cupertino or sunnyvale:
ldapsearch -h localhost -s sub -b "dc=example,dc=com" "(&(|(L=cupertino)(L=sunnyvale))(objectclass=person))"
- Retrieving a single entry:
ldapsearch -b "uid=swang, ou=people, dc=example, dc=com" -s base "objectclass=*"
- Listing all entries directly below an entry:
ldapsearch -b "uid=swang, ou=people, dc=example, dc=com" -s one "objectclass=*"
- Searching for matching entries within a subtree:
ldapsearch -b "uid=swang, ou=people, dc=example, dc=com" -s sub "objectclass=*"
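The search filters above are built here programmatically, as an added example that is not part of the original notes: assertion values are escaped per RFC 4515 so a value taken from user input cannot add or close filter components, and a small checker confirms the result is one well-formed filter before it is passed to ldapsearch. The helper names are my own.

```python
# Added example (not from the original notes): build ldapsearch filters with
# RFC 4515 value escaping, so a value taken from user input cannot add or
# close filter components; rebuilds the compound filter shown above.
FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value):
    """Replace the characters RFC 4515 reserves inside an assertion value."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def equals(attr, value):
    """(attr=value) with the value escaped, e.g. the notes' (uid=swang)."""
    return f"({attr}={escape_filter_value(value)})"

def starts_with(attr, prefix):
    """(attr=prefix*): the one '*' is intentional, the prefix itself is escaped."""
    return f"({attr}={escape_filter_value(prefix)}*)"

def and_(*filters):
    return "(&" + "".join(filters) + ")"

def or_(*filters):
    return "(|" + "".join(filters) + ")"

def person_in_locations(locations):
    """Persons located in any of the given cities (the notes' L= example)."""
    return and_(or_(*(equals("L", loc) for loc in locations)),
                equals("objectclass", "person"))

def is_single_filter(filter_str):
    """Sanity check before sending: exactly one outer parenthesised filter,
    with escape sequences honoured while counting parentheses."""
    depth, i = 0, 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == '\\':          # an escape is '\' plus two hex digits
            i += 3
            continue
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filter_str) - 1):
                return False
        i += 1
    return depth == 0 and filter_str.startswith('(')
```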
Managing Access Control
ACI
- ACI stands for Access Control Instruction.
- An ACI is defined in an entry as an attribute. For example:
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
- The aci attribute is multi-valued.
ACI Structures
- Target: determines the entry or attributes to which the permissions apply.
- Permission: defines what operations are allowed or denied.
- Bind rule: determines who is subject to the ACI based on their bind DN.
ACI Syntax
aci: ( target )(version 3.0;acl " name "; permission bindRules ;)
- target specifies the entry, attributes, or set of entries and attributes for which you want to control access. The target can be a distinguished name, one or more attributes, or a single LDAP filter. The target is optional; when it is not specified, the ACI applies to the entire entry where it is defined and all of its children.
- name is a name for the ACI. It can be any string that identifies the ACI. The name is required and should describe the effect of the ACI.
- permission states which rights you are allowing or denying, for example read or search rights.
- bindRules specify the credentials and bind parameters that a user has to provide to be granted access. Bind rules can also be based on user or group membership or on connection properties of the client.
Target and Target Attributes
Table 6-1 LDIF Target Keywords
- (target = "ldap:///uid=bjensen,ou=People,dc=example,dc=com")
- (target != "ldap:///dc=example,dc=com")
- (targetattr = "cn || sn || uid")
- (target="ldap:///uid=*,ou=Marketing,dc=example,dc=com") (targetattr="uid")
- (targetfilter = "(| (status=contractor)(fulltime<=79))")
Permission
- Syntax: allow|deny (rights)
- rights: read, write, add, delete, search, compare, selfwrite, proxy, import and all. For example:
aci: (target="ldap:///dc=example,dc=com") (version 3.0;acl \
"example"; allow (read, search, compare) bindRule ;)
Bind Rule
Table 6-2 LDIF Bind Rule Keywords
Bind rule values take the form ldap:///distinguished_name; several values can be combined with ||.
ACI Examples
- Anonymous access:
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
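As an added example (not from the original notes), the ACI above is split into the target, name, permission and bind-rule parts described in the ACI Structure section, and the parsed form is used to answer whether an anonymous bind gets a given right on a given attribute. It evaluates one ACI in isolation with a single permission/bind-rule pair (which is all the notes show); a real server combines every applicable ACI, so the function names and that simplification are assumptions of this example.

```python
# Added example (not from the original notes): split an aci value into the
# target, name, permission and bind-rule parts described above, then answer
# "may an anonymous bind <right> attribute X?" for one ACI in isolation
# (a server combines many ACIs and deny takes precedence; out of scope here).
import re

# Constructed sample: the "Anonymous access" ACI from the notes.
ANON_ACI = ('aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; '
            'allow (read, search, compare)userdn = "ldap:///anyone";)')

TARGET_RE = re.compile(r'\((target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
                     r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$')

def parse_aci(aci):
    """Return the ACI's targets, name, allow/deny, rights list and bind rule.
    Assumes one permission/bind-rule pair, which is all the notes show."""
    if aci.lower().startswith('aci:'):
        aci = aci[4:]
    m = BODY_RE.search(aci)
    if not m:
        raise ValueError('unrecognised ACI body')
    name, perm, rights, bind = m.groups()
    return {
        'targets': [(kw.lower(), op, val.strip()) for kw, op, val in TARGET_RE.findall(aci)],
        'name': name,
        'permission': perm,
        'rights': [r.strip().lower() for r in rights.split(',')],
        'bindrule': bind.strip(),
    }

def attr_targeted(parsed, attr):
    """Is attr covered by the targetattr clause? '!=' inverts the listed set;
    no targetattr clause means every attribute of the targeted entries."""
    for kw, op, val in parsed['targets']:
        if kw == 'targetattr':
            listed = {a.strip().lower() for a in val.split('||')}
            hit = attr.lower() in listed
            return hit if op == '=' else not hit
    return True

def anonymous_allowed(aci, right, attr):
    """True when this ACI alone grants `right` on `attr` to userdn ldap:///anyone."""
    p = parse_aci(aci)
    anyone = re.search(r'userdn\s*=\s*"ldap:///anyone\s*"', p['bindrule']) is not None
    return (p['permission'] == 'allow' and anyone
            and (right.lower() in p['rights'] or 'all' in p['rights'])
            and attr_targeted(p, attr))
```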