几种常见的LDAP系统
目录
介绍
OpenLDAP Administrator’s Guide对LDAP做很准确的描述:
Technically, LDAP is a directory access protocol to an X.500 directory service, the OSI directory service.
Initially, LDAP clients accessed gateways to the X.5h0 directory service.
This gateway ran LDAP between the client and gateway and X.500's Directory Access Protocol (DAP) between the gateway and the X.500 server.
DAP is a heavyweight protocol that operates over a full OSI protocol stack and requires a significant amount of computing resources.
LDAP is designed to operate over TCP/IP and provides most of the functionality of DAP at a much lower cost.
服务端只需要支持LDAP协议,可以使用不同的后端存储。
LDAP协议
LDAP provides access to distributed directory services that act in accordance with X.500 data and service models.
2006年发布的rfc文档:
rfc4510、rfc4511、rfc4512、rfc4513、rfc4514、rfc4515、rfc4516、rfc4517、rfc4518、[rfc4519][20]
是最新的LDAP协议建议实现标准(2017-04-07 10:32:33)。
数据组织方式
LDAP以directory entry为最小单位管理数据。entries按照层级划分,组成一个树形结构。
每个entry拥有一个独一无二的DN(Distinguished Name),可以通过DN指定要操作的entry。
entry由一个DN和多个attribute组成,attribute可以自定义,rfc4519中给出了常用的attributes。
一些常用attribute被打包成了objectClass,可以直接在entry中应用,rfc4519中给出了常用的objectClass。
注意,不同的LDAP系统会有自己扩展的attributes和objectClass。
例如,OpenLDAP的实现,作为根目录的entry:
dn: dc=idevelopment,dc=info
dc: idevelopment
o: iDevelopment.info LDAP Server
description: Root entry for iDevelopment.info.
iDevelopment.info is a public website that provides a professional forum to exchange
information, ideas, and expertise on advanced topics in the IT and scientific fields.
The audience for iDevelopment.info includes Database Administrators, System Administrators,
Developers, Computer Scientists, Software Engineers, and Mathematicians.
objectClass: top
objectclass: dcObject
objectclass: organization
部门的entry(OpenLDAP):
dn: ou=People,dc=idevelopment,dc=info
ou: People
description: All people in iDevelopment.info
objectClass: top
objectClass: organizationalUnit
角色:
dn: cn=Manager,dc=idevelopment,dc=info
cn: Manager
description: Rootdn
objectclass: organizationalRole
用户:
dn: uid=usuario1,dc=ldap-kike,dc=com,dc=uy //DN
uid: usuario1
cn: usuario1
objectClass: account //直接应用的objectClass
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$TEDFGNB3$m24Mo06Q06EXMop7INKrC/ //其它属性
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/usuario1
gecos: usuario1
OPENLDAP Initialize a New LDAP Directory和install-and-configure-openldap-on-centos-5中介绍了如何在OpenLDAP中创建entry。
通信格式
rfc4511中定义消息格式:
LDAPMessage ::= SEQUENCE {
messageID MessageID,
protocolOp CHOICE {
bindRequest BindRequest,
bindResponse BindResponse,
unbindRequest UnbindRequest,
searchRequest SearchRequest,
searchResEntry SearchResultEntry,
searchResDone SearchResultDone,
searchResRef SearchResultReference,
modifyRequest ModifyRequest,
modifyResponse ModifyResponse,
addRequest AddRequest,
addResponse AddResponse,
delRequest DelRequest,
delResponse DelResponse,
modDNRequest ModifyDNRequest,
modDNResponse ModifyDNResponse,
compareRequest CompareRequest,
compareResponse CompareResponse,
abandonRequest AbandonRequest,
extendedReq ExtendedRequest,
extendedResp ExtendedResponse,
...,
intermediateResponse IntermediateResponse },
controls [0] Controls OPTIONAL }
MessageID ::= INTEGER (0 .. maxInt)
maxInt INTEGER ::= 2147483647 -- (2^^31 - 1)
主要操作
BindRequest:
认证
allow authentication information to be exchanged between the client and server
clients may send multiple Bind requests
to change the authentication and/or security associations or
to complete a multi-stage Bind process
The serverSaslCreds field is used as part of a SASL-defined bind
mechanism to allow the client to authenticate the server to which it
is communicating, or to perform "challenge-response" authentication.
UnbindRequest:
to terminate an LDAP session
SearchRequest:
The Search operation is used to request a server to return, subject
to access controls and other restrictions, a set of entries matching
a complex search criterion.
This can be used to read attributes from
a single entry, from entries immediately subordinate to a particular
entry, or from a whole subtree of entries.
ModifyRequest:
allows a client to request that a modification
of an entry be performed on its behalf by a server.
AddRequest:
allows a client to request the addition of an entry into the Directory
DelRequest:
allows a client to request the removal of an entry from the Directory.
ModifyDNRequest:
allows a client to change the Relative Distinguished Name (RDN) of
an entry in the Directory and/or to move a subtree of entries to a
new location in the Directory.
CompareRequest:
allows a client to compare an assertion value with the values of a
particular attribute in a particular entry in the Directory.
OpenLDAP
OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.
The suite includes:
slapd - stand-alone LDAP daemon (server)
libraries implementing the LDAP protocol, and
utilities, tools, and sample clients.
安装
环境:
CentOS Linux release 7.3.1611 (Core)
openldap-clients-2.4.40-13.el7.x86_64
openldap-servers-2.4.40-13.el7.x86_64
openldap-2.4.40-13.el7.x86_64
安装Server:
yum install -y openldap-servers
查看一下都安装了哪些文件:
$rpm -ql openldap-servers
/etc/openldap/check_password.conf <-- 配置文件
/etc/openldap/schema
/etc/openldap/schema/collective.ldif
...省略...
/etc/openldap/slapd.conf
/etc/openldap/slapd.conf.bak
/etc/openldap/slapd.d
/etc/sysconfig/slapd
/usr/lib/systemd/system/slapd.service <-- 系统服务
/usr/lib/tmpfiles.d/slapd.conf
/usr/lib64/openldap/accesslog-2.4.so.2
...省略...
/usr/libexec/openldap/check-config.sh
/usr/libexec/openldap/convert-config.sh
/usr/libexec/openldap/functions
/usr/libexec/openldap/generate-server-cert.sh
/usr/libexec/openldap/upgrade-db.sh
/usr/sbin/slapacl <-- 可以使用的一些命令
/usr/sbin/slapadd
/usr/sbin/slapauth
/usr/sbin/slapcat
/usr/sbin/slapd
/usr/sbin/slapdn
/usr/sbin/slapindex
/usr/sbin/slappasswd
/usr/sbin/slapschema
/usr/sbin/slaptest
/usr/share/doc/openldap-servers-2.4.40 <-- 文档
...省略...
/var/lib/ldap
/var/run/openldap
启动服务:
systemct start slapd
OpenLDAP client:
yum install -y openldap-clients
查看安装了哪些文件:
$rpm -ql openldap-clients
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldappasswd
/usr/bin/ldapsearch
/usr/bin/ldapurl
/usr/bin/ldapwhoami
/usr/share/man/man1/ldapadd.1.gz
...省略...
使用
OpenLDAP的记录都以ldif格式导入导出。
查询:
// -b: 从这个base开始搜索
// -s: 搜索范围,[base|one|sub|children]
// '(objectclass=*)': 搜索条件search filter
// namingContexts: 查找的属性名
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
写入记录,记录文件manger.ldif:
dn: dc=my-domain,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: my-domain
dn: cn=Manager,dc=my-domain,dc=com
objectclass: organizationalRole
cn: Manager
写入:
ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -W -f manger.ldif
需要输入密码,但是!默认秘密是多少?参照网上方法修改后也始终不生效,天坑。。。
Library
Golang
github上ldap的go代码库不多,go-ldap是功能相对比较完善的一个库。
https://github.com/go-ldap/ldap
参考
- rfc4510 LDAP: Technical Specification Road Map, June 2006
- rfc4511 LDAP: The Protocol, June 2006
- rfc4512 LDAP: Directory Information Models, June 2006
- rfc4513 LDAP: Authentication Methods and Security Mechanisms, June 2006
- rfc4514 LDAP: String Representation of Distinguished Names
- rfc4515 LDAP: String Representation of Search Filters
- rfc4516 LDAP: Uniform Resource Locator
- rfc4517 LDAP: Syntaxes and Matching Rules
- rfc4518 LDAP: Internationalized String Preparation
- rfc4519 LDAP: Schema for User Applications
- LDAP Linux HOWTO
- OpenLDAP Administrator’s Guide
- Sean’s Blog OpenLDAP
- OPENLDAP Initialize a New LDAP Directory
- install-and-configure-openldap-on-centos-5
- http://www.openldap.org/”
- config openladp
