LDAP Basics
These are my personal notes that I use as a quick help in my work.
LDAP (Lightweight Directory Access Protocol) is based on the X.500 standard, but is simpler and runs over TCP/IP.
Helpful pages:
Base Distinguished Name (Base DN):
o="my_organization.com", c="CH" # X.500 format
o=my_organization.com
o=my_organization, dc=com # most common; dc is Domain Component
Hierarchy with Organizational Units (ou):
o=my_organization, dc=com
    ou=it
        ou=sw
        ou=hw
    ou=financial
        ou=mis
        ou=accounting
Entries are Distinguished Names (DN), composed of a Relative Distinguished Name (RDN) and a location. Options for the RDN are the Common Name (cn) or the User ID (uid), such as the login (note that this uid is not the UNIX uid). Each RDN is unique within its location, which ensures the uniqueness of the DN. The RDN is "unqualified" whereas the DN is "fully qualified".
cn=This is me, ou=sw, ou=it, o=my_organization, dc=com
uid=my_login, ou=sw, ou=it, o=my_organization, dc=com
\__________/  \_____________________________________/
     RDN                         location
A shallow hierarchy is recommended. Organizational Units don't have to be real departments because organizations change; instead group by logical entities e.g. employees (all in one box), locations, customers, devices. Plan so that entities do not have to be moved from one department to another. An exception could be creating a sub-ou so that the sub-ou may be given different security accesses.
Example of one full entry. Always with attribute-value pairs.
dn: uid=my_login, ou=sw, ou=it, dc=my_organization, dc=com
objectclass: person # predefined classes
objectclass: organizationalPerson
objectclass: Person_in_my_organization # customized class
uid: my_login
givenname: Chris
sn: Yalkouye
cn: Chris Yalkouye
cn: Moussa Yalkouye
telephonenumber: +21-456-1234
roomnumber: 122G
o: My Organization
mailRoutingAddress: cy@my_organization.com
mailhost: mail.my_organization.com
userpassword: {crypt}glu328gla893glop
homedirectory: /home/cy
loginshell: /usr/local/bin/bash
Note that an attribute may carry multiple values (cn appears twice above).
Objectclasses group attributes; attributes are name/value pairs.
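As an added example (not part of the original notes), a small parser that reads an entry like the one above as LDIF and keeps every value of a repeated attribute instead of overwriting it. The sample LDIF is constructed from the entry shown, with the inline comments removed, one value written in the base64 "::" form and one line folded, both of which real LDIF files do.

```python
import base64

# Constructed sample: the entry from the notes written as real LDIF
# (comments removed, one value base64-encoded with "::", one line folded).
ENTRY_LDIF = """\
dn: uid=my_login, ou=sw, ou=it, dc=my_organization, dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: Person_in_my_organization
uid: my_login
givenname: Chris
sn: Yalkouye
cn: Chris Yalkouye
cn: Moussa
  Yalkouye
telephonenumber: +21-456-1234
userpassword:: e2NyeXB0fWdsdTMyOGdsYTg5M2dsb3A=
homedirectory: /home/cy
"""


def parse_ldif_entry(text):
    """Return (dn, attrs); attrs maps a lowercased attribute name to a list
    of values, because LDAP attributes are multi-valued (cn above has two)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):  # skip blank and comment lines
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "name:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def entry_summary(text):
    """DN, object classes and the number of values per attribute; the
    password value itself is not returned so it cannot end up in a log line."""
    dn, attrs = parse_ldif_entry(text)
    counts = {name: len(values) for name, values in attrs.items()}
    return dn, attrs.get("objectclass", []), counts
```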
Nine basic protocol operations:
Three methods in LDAP version 3
Note that updates are atomic (fully updated or nothing).
ldapbind -p 4032 -h the_host -D "cn=orcladmin" -w pwd
ldapsearch -p 4032 -h the_host -b " " -s base "objectclass=*"
-s option: base, one, sub
ldapsearch -p 4032 -h the_host -b "cn=Users,dc=the_host,dc=com" -s sub "objectclass=*"
ldapsearch -p 4032 -h the_host -b "..." -s base -D "cn=orcladmin" -w pwd "objectclass=*"
ldifwrite -c iasdb -b " " -f file_name
ldapsearch -p 4032 -h the_host -L -b " " -s base -D "cn=orcladmin" -w pwd "objectclass=*" > filename
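Added example, not from the notes: splitting a DN into RDN and location as in the diagram earlier, and checking which entries an ldapsearch with -s base, one or sub over a given base would return. The directory contents are constructed from the ou hierarchy above; RFC 4514 backslash escaping is assumed for the comma inside one cn value.

```python
# Constructed directory built from the ou hierarchy in the notes (not a live DIT).
TREE = [
    "o=my_organization, dc=com",
    "ou=it, o=my_organization, dc=com",
    "ou=sw, ou=it, o=my_organization, dc=com",
    "ou=hw, ou=it, o=my_organization, dc=com",
    "ou=financial, o=my_organization, dc=com",
    "cn=Yalkouye\\, Chris, ou=sw, ou=it, o=my_organization, dc=com",  # escaped comma
]


def split_dn(dn):
    """Split a DN into its RDN components.  A backslash escapes the next
    character (RFC 4514), so an escaped comma stays inside its value."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])        # keep escape and escaped char
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current).strip())
    return parts


def rdn_and_location(dn):
    """Leftmost component is the RDN; the remainder is the location (parent DN)."""
    parts = split_dn(dn)
    return parts[0], ", ".join(parts[1:])


def in_scope(entry_dn, base_dn, scope):
    """Would ldapsearch -b base_dn -s scope return entry_dn?  base = the base
    entry only, one = its immediate children only, sub = base and all below."""
    entry = [p.lower() for p in split_dn(entry_dn)]   # attribute types are
    base = [p.lower() for p in split_dn(base_dn)]     # case-insensitive
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                                   # not under the base
    depth = len(entry) - len(base)                     # 0 = the base itself
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def search(base_dn, scope):
    """Entries of the constructed TREE that the given base and scope select."""
    return [dn for dn in TREE if in_scope(dn, base_dn, scope)]
```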
Replication between directory servers with the same naming context. Read-only replicas are consumers; updateable replicas are suppliers.
Directory replication group (DRG) = set of directory servers
Replication agreement = replication relationship within the DRG. (is this specific to Oracle ???)
There is no standard concerning replication. The general approach is through "change logs".
Replication is part of the general notion of Distributed Directories. Distributed Directories can be replicated or partitioned (where each server has part of the data).
Two possibilities:
Note: Oracle applications are only certified to run against Oracle Internet Directory. The deployment will thus need to synchronize data between Oracle Internet Directory and the third-party directory.
Many applications allow an integration with an LDAP server, such as Active Directory, OpenLDAP or Linux LDAP.
This allows:
Several levels of integration exist:
Active directory:
Depending on the application, it does not have to be in the AD domain
Note that AD paginates 1'000 entries at a time.
Note that it is best to be able to configure a main LDAP server and a backup LDAP server so that users can log in even if the main server is not available.
Also look into the encryption on the network (LDAPS between the application server and the LDAP server) so that the passwords do not travel in plain text over the network. And also look at the connection between the client and the application server.
OID (Oracle Internet Directory): Oracle's implementation of LDAP.
Documentation: Administrator's Guide, Tutorial.
Manage with ODM (Oracle Directory Manager)
Environment variables:
ORACLE_HOME
DISPLAY
TMP
TNS_ADMIN ($ORACLE_HOME/network/admin)
oidadmin is the administrator's tool ($ORACLE_HOME/bin/oidadmin).
Port number in $ORACLE_HOME/install/portlist.ini (389 or 4032). Superuser orcladmin/welcome.
If port 389 is unavailable, the OID server is started on a different port, which is logged in the following file: $ORACLE_HOME/ldap/install/oidca.out
Tasks for OID after installation:
ldapbind -p 4032 -h localhost -D "cn=orcladmin" -w welcome1
ldapadd -p p -h h -D "cn=orcladmin" -w pw -f file-name.ldif
ldapsearch -p p -h h -b " " -s {base | one | sub} "objectclass=*"
ldap://the_host:4032/b?a?s?f
ldapmodify -p p -h h -D "cn=orcladmin" -w pw -v -f file-name.ldif
ldifwrite -c iasdb -b " " -f /tmp/backupDIT.ldif
ldapdelete -p p -h h -D "cn=orcladmin" -w pw "entry"
ldapcompare -p p -h h -b "distinguished_name" -a title -v "expected value of attribute title"
bulkdelete
bulkload
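Added example (not the notes' own code) that decodes the ldap://host:port/b?a?s?f URL form listed above, where the four fields after the host are base DN, attribute list, scope and filter, and applies the defaults a client uses for empty fields; the URL values are constructed.

```python
from urllib.parse import urlsplit, unquote


def parse_ldap_url(url):
    """Decode an RFC 4516 URL  ldap://host:port/base?attributes?scope?filter
    into its fields, applying the client defaults for empty fields:
    all user attributes, scope base and filter (objectClass=*)."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    # urlsplit stops the path at the first "?", so rejoin and split on "?" here
    rest = u.path.lstrip("/") + ("?" + u.query if u.query else "")
    fields = rest.split("?") + [""] * 4
    base, attrs, scope, filt = (unquote(f) for f in fields[:4])
    if scope not in ("", "base", "one", "sub"):
        raise ValueError("unknown scope: " + scope)
    return {
        "tls": u.scheme == "ldaps",                   # plain ldap:// sends the
        "host": u.hostname or "",                     # bind password in clear
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base": base,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": filt or "(objectClass=*)",
    }


# Constructed example in the b?a?s?f form from the notes above.
EXAMPLE_URL = ("ldap://the_host:4032/ou=it,o=my_organization,dc=com"
               "?cn,telephonenumber?sub?(objectclass=person)")
```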
An LDAP schema has mainly four categories:
Example (each objectclass in the table derives from the one above it):
top
    person
        organizationalperson
            inetorgperson
Adding a new attribute involves defining:
Access Control
View with ldapsearch -p p -h h -b "cn=subschemasubentry" -s base -v "objectclass=*"
OID: "Password Policy Management" (in oidadmin)
Start the monitor or guardian process. The guardian reads the table ods.ods_process to determine whether to start, restart or stop an instance.
oidmon start
Then start an instance with:
oidctl
oidctl inserts a line in the table ods.ods_process. The oidmon actually starts the process.
At least three processes should be visible: oidmon start, oidldapd, oidldapd -i 1 ....
/u00/app/oracle/product/infra9i/ldap/bin/ldapcheck --> checks which processes are running
Note that oidctl does not start or stop the server, but simply inserts or updates an entry in the table OID.OID_PROCESSES. oidmon will not start if there are records in this table with "state"=2 (=run). One option is to issue "oidctl stop" before "oidmon start" so as to remove any lines in "ods.ods_process" with "state"=2.
Summary:
oidctl connect=<db-sid> server={oidldapd | oidrepld | odisrv} instance=1 stop / start
Optional parameter when starting: configset=1 flags=ff
ps -ef | grep oidldapd | grep -v grep
oidmon stop / start
sqlplus '/as sysdba' (in Windows, use double quotes)
Add a configuration set: navigate to Server Management -> Directory Server -> Default Configuration Set, then "Create Like".
SSL is also possible without SSL authentication: this uses the "Anonymous Diffie-Hellman" algorithm, so the session is encrypted but the client cannot verify the server's identity.
Syntax:
oidmon [connect= connectstring] [sleep=sleeptime] start | stop
oidctl [connect=connectstring] server=servername instance=instanceno [configset=configsetno] [flags="flagsvalues"] start | stop
See also section Replication