LDAP Basics

  

These are my personal notes that I use as a quick help in my work.
You are welcome to read them.


Introduction

LDAP (Lightweight Directory Access Protocol) is derived from the X.500 standard but is simpler, and it runs over TCP/IP.


Tree

Base Distinguished Name (Base DN):

o="my_organization.com", c="CH"   # X.500 format
o=my_organization.com
o=my_organization, dc=com         # most common; dc is Domain Component

Hierarchy with Organizational Units (ou)

o=my_organization, dc=com
  ou=it
    ou=sw
    ou=hw
  ou=financial
    ou=mis
    ou=accounting

Entries are identified by Distinguished Names (DN), composed of a Relative Distinguished Name (RDN) and a location. Typical choices for the RDN are the Common Name (cn) or the User ID (uid), such as a login (note that this uid is not the UNIX uid). Each RDN is unique within its location, which ensures the uniqueness of the DN. The RDN is "unqualified" whereas the DN is "fully qualified".

cn=This is me, ou=sw, ou=it, o=my_organization, dc=com
uid=my_login,  ou=sw, ou=it, o=my_organization, dc=com
\____  _____/  \_______________  ____________________/
     \/                        \/
    RDN                      location
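
The split shown in the diagram, as an added example that is not part of the original notes: a small DN parser that returns the RDN and the location (the parent DN). It honours backslash-escaped commas as in RFC 4514, so a value such as "Doe\, John" is not cut in two; multi-valued RDNs joined with "+" are not handled. The sample DNs are constructed.

```python
# Added example (not from the original notes): split a DN into its RDN and
# its location (the parent DN).  A comma preceded by a backslash is part of
# the value, not a separator (RFC 4514).  Sample DNs are constructed.
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as (attribute, value) pairs, leftmost (the RDN) first."""
    components: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # an unescaped comma ends the component
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    components.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for comp in components:
        comp = comp.strip()
        if not comp:
            continue                # tolerate a trailing or doubled comma
        attr, sep, value = comp.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"component is not attribute=value: {comp!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def rdn(dn: str) -> str:
    """The leftmost component, e.g. 'uid=my_login'."""
    pairs = split_dn(dn)
    if not pairs:
        raise ValueError("empty DN has no RDN")
    attr, value = pairs[0]
    return f"{attr}={value}"


def location(dn: str) -> str:
    """Everything right of the RDN, i.e. the DN of the parent entry."""
    return ", ".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


def same_dn(a: str, b: str) -> bool:
    """Compare DNs ignoring spacing around commas and attribute-name case
    (attribute values are compared exactly)."""
    return split_dn(a) == split_dn(b)


if __name__ == "__main__":
    for dn in ("cn=This is me, ou=sw, ou=it, o=my_organization, dc=com",
               r"cn=Doe\, John, ou=sw, ou=it, o=my_organization, dc=com"):
        print("RDN:", rdn(dn), "| location:", location(dn))
```

The parser lowercases attribute names but leaves values untouched, since whether a value is case-sensitive depends on the attribute's syntax and matching rule (see the schema section further down).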

A shallow hierarchy is recommended. Organizational Units don't have to mirror real departments, because organizations change; instead group by logical entities, e.g. employees (all in one box), locations, customers, devices. Plan so that entries do not have to be moved from one department to another. An exception could be creating a sub-ou so that it can be given different access rights.


One Entry

Example of one complete entry. An entry always consists of attribute-value pairs.

dn: uid=my_login, ou=sw, ou=it, dc=my_organization, dc=com
objectclass: person                    # predefined classes
objectclass: organizationalPerson
objectclass: Person_in_my_organization # customized class
uid: my_login
givenname: Chris
sn: Yalkouye
cn: Chris Yalkouye
cn: Moussa Yalkouye
telephonenumber: +21-456-1234
roomnumber: 122G
o: My Organization
mailRoutingAddress: cy@my_organization.com
mailhost: mail.my_organization.com
userpassword: {crypt}glu328gla893glop
homedirectory: /home/cy
loginshell: /usr/local/bin/bash

Note that an attribute can be multi-valued, i.e. appear several times with different values (cn above).

Objectclasses contain groups of attributes; attributes are name/value pairs.
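
An added example, not code from the original notes: a small LDIF reader for entries like the one above. It handles "attr: value" lines, "attr:: base64" lines, continuation lines (leading space) and full-line "#" comments, and keeps every attribute as a list because an attribute may carry several values. The sample records are constructed, modelled on the notes' entry, with the inline comments moved to their own lines (LDIF only allows whole-line comments).

```python
# Added example (not from the original notes): parse LDIF records into
# {"dn": ..., "attrs": {name: [values]}}.  Sample data is constructed.
import base64
from typing import Any, Dict, List, Optional

Record = Dict[str, Any]     # {"dn": str, "attrs": {lowercase name: [values]}}

SAMPLE_LDIF = """\
# constructed sample; predefined and customised objectclasses as in the notes
dn: uid=my_login, ou=sw, ou=it, dc=my_organization, dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: Person_in_my_organization
uid: my_login
givenname: Chris
sn: Yalkouye
cn: Chris Yalkouye
cn: Moussa Yalkouye
description:: Q2hyaXMgWWFsa291eWU=
mailRoutingAddress: cy@my_or
 ganization.com
userpassword: {crypt}glu328gla893glop

dn: uid=jdoe, ou=sw, ou=it, dc=my_organization, dc=com
objectclass: person
uid: jdoe
cn: John Doe
sn: Doe
"""


def unfold(lines: List[str]) -> List[str]:
    """Join continuation lines: a line starting with one space continues the previous one."""
    out: List[str] = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text: str) -> List[Record]:
    """Parse LDIF content records; a blank line or a new 'dn:' line ends a record."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in unfold(text.splitlines()):
        if line.startswith("#"):
            continue                                # comment line
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name = name.strip().lower()
        if value.startswith(":"):                   # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):                 # "attr:< file:///..." not supported here
            raise ValueError(f"URL-valued attribute not supported: {line!r}")
        else:
            value = value.strip()
        if name == "dn":
            if current is not None:
                records.append(current)
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute line before any dn line")
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        records.append(current)
    return records


def multivalued(record: Record) -> List[str]:
    """Names of the attributes that carry more than one value."""
    return sorted(n for n, v in record["attrs"].items() if len(v) > 1)


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        print(rec["dn"], "-> multi-valued:", multivalued(rec))
```

Note that the parser deliberately treats the userpassword value as an opaque string: the "{crypt}..." prefix tells the server which hashing scheme was used, and a client importing an LDIF never needs to interpret it.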

 


Operations

Nine basic protocol operations:

Three methods in LDAP version 3

Note that updates are atomic (fully updated or nothing).

 

ldapbind -p 4032 -h the_host -D "cn=orcladmin" -w pwd
    Bind to LDAP, i.e. test the connection.
ldapsearch -p 4032 -h the_host -b " " -s base "objectclass=*"
    Returns the attributes of the root entry.
    -s option: base, one or sub. "base" returns the specified DN entry only, "one" the entries one level below the DN, "sub" the whole subtree.
ldapsearch -p 4032 -h the_host -b "cn=Users,dc=the_host,dc=com" -s sub "objectclass=*"
    Specify the DN in the -b option. Note the use of commas (not slashes) and that the root is last.
ldapsearch -p 4032 -h the_host -b "..." -s base -D "cn=orcladmin" -w pwd "objectclass=*"
    Sometimes a username and password are needed, depending on the access rights on the subtree.
ldifwrite -c iasdb -b " " -f file_name
    Do a backup (enter the ODS password).
ldapsearch -p 4032 -h the_host -L -b " " -s base -D "cn=orcladmin" -w pwd "objectclass=*" > filename
    Supposedly does a backup too, but there are differences between the files.

 


Replication

Replication between directory servers with the same naming context. Read-only replicas are consumers; updateable replicas are suppliers.

Directory replication group (DRG) = set of directory servers.
Replication agreement = replication relationship within the DRG (is this specific to Oracle ???).

There is no standard concerning replication. The general approach is through "change logs".

Replication is part of the general notion of Distributed Directories. Distributed Directories can be replicated or partitioned (where each server has part of the data).

Oracle Directory Integration Platform

Two possibilities:

Note: Oracle applications are only certified to run against Oracle Internet Directory. The deployment will thus need to synchronize data between Oracle Internet Directory and the third-party directory.

 


Application Integration

Many applications allow integration with an LDAP server such as Active Directory, OpenLDAP or Linux LDAP.
This allows:

Several levels of integration exist:

Active Directory:
Depending on the application, the application server does not have to be a member of the AD domain.
Note that AD returns results in pages of 1'000 entries at a time.

Note that it is best to be able to configure a main LDAP server and a backup LDAP server, so that users can still log in when the main server is not available.

Also look into encryption on the network (LDAPS between the application server and the LDAP server) so that passwords do not travel in clear text. Look at the connection between the client and the application server as well.

 


Oracle Internet Directory

Oracle's implementation of LDAP.

OID Administrator's Guide
Tutorial

Manage with ODM (Oracle Directory Manager)

Environment variables:

oidadmin is administrator's tool ($ORACLE_HOME/bin/oidadmin).

The port number is in $ORACLE_HOME/install/portlist.ini (389 or 4032). The superuser is orcladmin, default password welcome.

If port 389 is unavailable, the OID server is started on a different port, which is logged in $ORACLE_HOME/ldap/install/oidca.out.

 

After Installation

Tasks for OID after installation:

Basic LDAP operations

ldapbind -p 4032 -h localhost -D "cn=orcladmin" -w welcome1
    Authenticate a user.
ldapadd -p p -h h -D "cn=orcladmin" -w pw -f file-name.ldif
    Add entries.
ldapsearch -p p -h h -b " " -s {base | one | sub} "objectclass=*" aa
    -b: base for the search, " " for the root
    -s base: search the base entry only
    -s one: search one level below the base
    -s sub: search the whole subtree
    "objectclass=*" is the filter
    aa are the attributes to return (e.g. cn sn)
ldap://the_host:4032/b?a?s?f
    LDAP URL form of the same search:
    b is the base for the search, "" for the root
    a are the attributes to return (e.g. cn,sn)
    s is base, one or sub
    f is the filter (e.g. "objectclass=*")
ldapmodify -p p -h h -D "cn=orcladmin" -w pw -v -f file-name.ldif
    Modify; see further documentation for how to write the file.
ldifwrite -c iasdb -b " " -f /tmp/backupDIT.ldif
    Same output as ldapsearch -L. Note that this writes the attributes creatorsname, createtimestamp, modifiersname, modifytimestamp, aci, orclguid and pwdchangedtime, which bulkload needs but ldapadd does not.
ldapmoddn -p p -h h -D cn=orcladmin -w pw -b "cn=..., ou=..., ..., c=..." -R "cn=new_cn" -N "new_location"
    Modify the RDN (-R "...") and/or the location (-N "...").
ldapdelete -p p -h h -D "cn=orcladmin" -w pw "entry"
    Delete an entry.
ldapcompare -p p -h h -b "distinguished_name" -a title -v "expected value of attribute title"
    Is the expected value in the entry?
bulkdelete
bulkload
    Script files. Use bulkload with files created with ldifwrite.
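
The scope semantics (-s base / one / sub, described here and in the Operations section above) and the LDAP URL form b?a?s?f, as an added example that is not code from the original notes: the URL is split into its fields in the order the notes give (base, attributes, scope, filter, which is also the RFC 4516 order) and the search is run over a small constructed in-memory tree, so the effect of each scope is visible without a server. Only a presence filter (attr=*) and a single equality filter are supported; that restriction and the tree are this example's assumptions.

```python
# Added example (not from the original notes): parse ldap://host:port/b?a?s?f
# and apply base / one / sub scope over a constructed in-memory tree.
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

Entry = Dict[str, List[str]]          # attribute name (lowercase) -> values


def parse_ldap_url(url: str) -> dict:
    """Split ldap://host:port/base?attrs?scope?filter into its fields.
    Missing fields get the RFC 4516 defaults: all attributes, scope base,
    filter (objectclass=*)."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    fields = u.query.split("?") if u.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, flt = (unquote(f) for f in fields[:3])
    return {
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base": unquote(u.path.lstrip("/")),
        "attrs": [a.strip().lower() for a in attrs.split(",") if a.strip()],
        "scope": scope.strip().lower() or "base",
        "filter": flt.strip() or "(objectclass=*)",
    }


def norm_dn(dn: str) -> Tuple[str, ...]:
    """Normalise a DN for comparison: split on ',', strip, lowercase.
    (Backslash-escaped commas are not handled in this toy.)"""
    return tuple(p.strip().lower() for p in dn.split(",") if p.strip())


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Is entry_dn selected by a search with this base and scope?"""
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    depth = len(e) - len(b)               # how many levels below the base
    if depth < 0 or (b and e[-len(b):] != b):
        return False                      # not at or below the base
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def matches(entry: Entry, flt: str) -> bool:
    """Evaluate 'attr=*' (presence) or 'attr=value' (case-insensitive equality)."""
    flt = flt.strip()
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    name, sep, value = flt.partition("=")
    if not sep:
        raise ValueError(f"unsupported filter {flt!r}")
    values = entry.get(name.strip().lower(), [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(tree: Dict[str, Entry], url: str) -> Dict[str, Entry]:
    """Return {dn: attributes} for the entries the URL's search selects."""
    q = parse_ldap_url(url)
    result: Dict[str, Entry] = {}
    for dn, entry in tree.items():
        if in_scope(dn, q["base"], q["scope"]) and matches(entry, q["filter"]):
            result[dn] = {k: v for k, v in entry.items()
                          if not q["attrs"] or k in q["attrs"]}
    return result


# Constructed tree; "" is the root entry that -b " " -s base returns.
OU = ["top", "organizationalUnit"]
PERSON = ["top", "person", "inetOrgPerson"]
TREE: Dict[str, Entry] = {
    "": {"objectclass": ["top"], "namingcontexts": ["dc=my_organization,dc=com"]},
    "dc=my_organization,dc=com": {"objectclass": ["top", "domain"], "dc": ["my_organization"]},
    "ou=it,dc=my_organization,dc=com": {"objectclass": OU, "ou": ["it"]},
    "ou=sw,ou=it,dc=my_organization,dc=com": {"objectclass": OU, "ou": ["sw"]},
    "ou=hw,ou=it,dc=my_organization,dc=com": {"objectclass": OU, "ou": ["hw"]},
    "uid=my_login,ou=sw,ou=it,dc=my_organization,dc=com": {
        "objectclass": PERSON, "uid": ["my_login"], "cn": ["Chris Yalkouye"], "sn": ["Yalkouye"]},
    "uid=jdoe,ou=hw,ou=it,dc=my_organization,dc=com": {
        "objectclass": PERSON, "uid": ["jdoe"], "cn": ["John Doe"], "sn": ["Doe"]},
}

if __name__ == "__main__":
    for url in ("ldap://the_host:4032/??base?objectclass=*",
                "ldap://the_host:4032/ou=it,dc=my_organization,dc=com?ou?one?objectclass=*",
                "ldap://the_host:4032/dc=my_organization,dc=com?cn,sn?sub?objectclass=person"):
        print(url, "->", sorted(search(TREE, url)))
```

Note how a "sub" search from the root with a broad filter returns everything the bind identity is allowed to read, which is why the notes mention that a username and password may be required depending on subtree access rights.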

An LDAP schema has mainly four categories:

Objectclasses
    Groups of attributes
Attributes
    Name/value pairs
Syntax
    Data types that may be stored in an attribute
Matching rules
    Define formatting rules on attributes

Example (each objectclass is listed with its attributes below it; in the original layout each objectclass was a table cell):

top
    objectclass=person
    objectclass=organizationalperson
    objectclass=inetorgperson
    authpassword=welcome
person
    title=manager
    telephonenumber=2344569
    attr=...
organizationalperson
    cn=John Doe
    sn=Doe
    userPW=welcome
    yob=1975
inetorgperson
    employeenumber=1234
    mail=jdoe@glu.com

Adding a new attribute involves defining:

Access Control

Anonymous
    No anonymous access: set the flag to 0
Entry access
    d
Access to attribute
    Browse, modify, self
orclACI
    Policy for a directory and all sub-directories
orclEntryLevelACI
    Overrides orclACI for an entry (leaf or directory)

 

 

 

View the schema with: ldapsearch -p p -h h -b "cn=subschemasubentry" -s base -v "objectclass=*"

 

Password Policy

OID: "Password Policy Management" (in oidadmin)

Expiry Time
    0 for no expiration; 5184000 = 60 days
Account Lockout
    1 = enable, 0 = disable
Account Lockout Duration
    Lockout time after unsuccessful binds (if account lockout is enabled); 86400 is 24 hours
Password Maximum Failure
    Number of wrong password attempts allowed
Password Failure Count Interval
    0 = failures are not purged
Password expiration warning
    3 days before expiry
Check Password Syntax
    1 = enabled
Old pw can be new pw
    1 = enabled (the old password may be reused)
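
How the lockout and expiry parameters above interact on each bind attempt, as an added example that is not OID's implementation or code from the original notes: a small model in which times are seconds, the parameter names mirror the labels in the list, and the default values are the ones the notes give (60 days, 24 hours, 3 days). The exact semantics (for instance whether the failure count resets on a successful bind, and when purged failures are discarded) are this model's assumptions and should be checked against the OID documentation for the version in use.

```python
# Added example (not OID code): a model of password expiry, failure counting
# and account lockout driven by the policy parameters listed in the notes.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    expiry_time: int = 5184000          # 0 = never expires; 5184000 = 60 days
    lockout_enabled: bool = True        # Account Lockout: 1 = enable
    lockout_duration: int = 86400       # 24 hours
    max_failure: int = 5                # Password Maximum Failure
    failure_count_interval: int = 600   # 0 = failures are never purged (assumed)
    expiry_warning: int = 3 * 86400     # warn 3 days before expiry


@dataclass
class Account:
    pwd_changed_time: int                               # when the password was last set
    failures: List[int] = field(default_factory=list)   # timestamps of failed binds
    locked_until: Optional[int] = None


def bind(policy: Policy, account: Account, now: int, password_ok: bool) -> str:
    """Apply one bind attempt; returns 'locked', 'failed', 'expired', 'ok-warning' or 'ok'."""
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"                       # still inside the lockout window
        account.locked_until = None               # lockout expired: start clean
        account.failures.clear()

    if policy.failure_count_interval:             # forget failures older than the interval
        account.failures = [t for t in account.failures
                            if now - t < policy.failure_count_interval]

    if not password_ok:
        account.failures.append(now)
        if policy.lockout_enabled and len(account.failures) >= policy.max_failure:
            account.locked_until = now + policy.lockout_duration
            return "locked"
        return "failed"

    account.failures.clear()                      # assumption: success resets the count
    if policy.expiry_time:
        age = now - account.pwd_changed_time
        if age >= policy.expiry_time:
            return "expired"
        if policy.expiry_time - age <= policy.expiry_warning:
            return "ok-warning"
    return "ok"


if __name__ == "__main__":
    p = Policy(max_failure=3)
    a = Account(pwd_changed_time=0)
    for t, ok in ((100, False), (200, False), (300, False), (400, True), (300 + 86400, True)):
        print(t, bind(p, a, t, ok))
```

The model makes two consequences of the parameters visible: with Password Failure Count Interval set to 0 a slow trickle of wrong passwords eventually locks the account, and with a non-zero interval an attacker who spaces attempts wider than the interval never does, which is the trade-off behind choosing that value.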
 

Starting LDAP - Oracle Flavor

Start the monitor (guardian) process. The guardian reads the table ods.ods_process to determine whether to start, restart or stop an instance:

oidmon start

Then start an instance with:

oidctl ...

oidctl inserts a line in the table ods.ods_process; oidmon actually starts the process.

At least three processes should be visible: oidmon start, oidldapd, oidldapd -i 1 ....

/u00/app/oracle/product/infra9i/ldap/bin/ldapcheck --> check which processes are running

Note that oidctl does not itself start or stop the server; it simply inserts or updates an entry in the table OID.OID_PROCESSES. oidmon will not start if there are records in this table with "state"=2 (= run). One option is to issue "oidctl stop" before "oidmon start" so as to remove any lines in "ods.ods_process" with "state"=2.

Summary:

  1. oidldapd server processes: oidctl connect=<db-sid> server={oidldapd | oidrepld | odisrv} instance=1 stop / start
    Optional parameter when starting: configset=1 flags=ff
  2. Is oidldapd server process stopped: ps -ef | grep oidldapd | grep -v grep
  3. OID monitor process: oidmon stop / start
  4. Oracle database: sqlplus '/as sysdba' (in Windows, use double quotes)
  5. database listener

Add a configuration set: navigate to Server Management -> Directory Server -> Default Configuration Set, then "Create Like".
SSL is also possible without SSL authentication: this uses the "Anonymous Diffie-Hellman" algorithm, which encrypts the session but exchanges no certificates, so the client cannot verify which server it is talking to.

Syntax:

oidmon [connect=connectstring] [sleep=sleeptime] start | stop
    connectstring is the directory database connect string; defaults to the value of ORACLE_SID.
oidctl [connect=connectstring] server=servername instance=instanceno
    [configset=configsetno] [flags="flagsvalues"] start | stop
    servername is the name of the OID server (oidldapd or oidrepld, see the summary above)
    instanceno is the instance number
    configsetno is the configuration set number to use when starting an OID server
    flagsvalues are the flags needed when starting the OID server

 

 

Replication

See also section Replication

Directory replication group (DRG) = set of directory servers
Replication agreement = replication relationship within the DRG.

 

Backup and Restore