LDAP
LDAP is a format for storing data in directories (not folders: a directory in the sense of a telephone directory or a catalogue).
A short introduction to the terms:
- Partitions - a partition hangs directly below the root, e.g. dc=otm,dc=intra
- AttributeType - describes the type of a value
- ObjectClass - defines a set of attributes, e.g. the class person has name, surname, ... as attributes
- Creating a Partition - http://directory.apache.org/apacheds/basic-ug/1.4.3-adding-partition.html
LDAP Server
Implementation: http://directory.apache.org/apacheds/
LDAP Client
Nice implementation: http://directory.apache.org/studio/
Standard structure
A standard structure may look as follows.
Under the organisational units "groups" and "users", place the POSIX groups and POSIX users.
Note: the default POSIX group "users" must be created first,
because at least one group's GID (group ID) must be referenced when a user is created.
After that you can create
Example configuration with Jenkins
- Exported partition otm.intra.
- The groups are managed in a separate OU.
- Passwords (the userPassword attribute type) are not mandatory, but have to be added as a separate attribute. Their values may be stored as salted hashes (e.g. the {SSHA} scheme); note that the base64-encoded userPassword values in the export below use the plain {SHA} scheme, i.e. unsalted SHA-1.
version: 1
# Entries ordered parents first so the file can be imported with ldapadd as-is.
dn: dc=otm,dc=intra
objectclass: top
objectclass: domain
dc: otm

dn: ou=users,dc=otm,dc=intra
objectclass: organizationalUnit
objectclass: top
ou: users

dn: ou=groups,dc=otm,dc=intra
objectclass: organizationalUnit
objectclass: top
ou: groups

dn: cn=admin,ou=users,dc=otm,dc=intra
objectClass: person
objectClass: top
cn: admin
sn: admin
userPassword:: e1NIQX13dVFVZXE0NjJuODJnbWJRYzZ6VXFSV01XZlU9

dn: cn=alexander.friesen,ou=users,dc=otm,dc=intra
objectClass: person
objectClass: top
cn: alexander.friesen
sn: alexander.friesen
userPassword:: e1NIQX13dVFVZXE0NjJuODJnbWJRYzZ6VXFSV01XZlU9

dn: cn=boris.jelzin,ou=users,dc=otm,dc=intra
objectclass: person
objectclass: top
cn: boris.jelzin
sn: boris.jelzin
userPassword:: e1NIQX13dVFVZXE0NjJuODJnbWJRYzZ6VXFSV01XZlU9

dn: cn=stas.archontov,ou=users,dc=otm,dc=intra
objectclass: person
objectclass: top
cn: stas.archontov
sn: stas.archontov
userPassword:: e1NIQX13dVFVZXE0NjJuODJnbWJRYzZ6VXFSV01XZlU9

dn: ou=JenkinsAdmins,ou=groups,dc=otm,dc=intra
objectclass: groupOfNames
objectclass: top
cn: JenkinsAdmins
member: cn=admin,ou=users,dc=otm,dc=intra
member: cn=alexander.friesen,ou=users,dc=otm,dc=intra
member: cn=boris.jelzin,ou=users,dc=otm,dc=intra
ou: JenkinsAdmins

dn: ou=JenkinsHotSyncer,ou=groups,dc=otm,dc=intra
objectclass: groupOfNames
objectclass: top
cn: JenkinsHotSyncer
member: cn=admin,ou=users,dc=otm,dc=intra
member: cn=stas.archontov,ou=users,dc=otm,dc=intra
ou: JenkinsHotSyncer

dn: ou=JenkinsSyncer,ou=groups,dc=otm,dc=intra
objectclass: groupOfNames
objectclass: top
cn: JenkinsSyncer
member: cn=admin,ou=users,dc=otm,dc=intra
member: cn=stas.archontov,ou=users,dc=otm,dc=intra
ou: JenkinsSyncer
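As an added example (not part of the original page), a small Python script that parses an LDIF export like the one above and reports what a defender would check before importing it: entries listed before their parent (ldapadd needs parents first, the same creation-order rule as the "groups first" note above), group members that point at no entry, and userPassword values whose scheme carries no salt. The short sample LDIF and the set of accepted schemes are constructed for this example.

```python
import base64
# Constructed sample in the shape of the exported otm.intra partition above, in export order (child before parent).
SAMPLE_LDIF = """\
dn: ou=JenkinsAdmins,ou=groups,dc=otm,dc=intra
objectclass: groupOfNames
cn: JenkinsAdmins
member: cn=admin,ou=users,dc=otm,dc=intra
member: cn=boris.jelzin,ou=users,dc=otm,dc=intra

dn: cn=admin,ou=users,dc=otm,dc=intra
objectClass: person
cn: admin
sn: admin
userPassword:: e1NIQX13dVFVZXE0NjJuODJnbWJRYzZ6VXFSV01XZlU9

dn: dc=otm,dc=intra
objectclass: domain
dc: otm
"""
SALTED_SCHEMES = {"SSHA", "SSHA256", "SSHA512", "PBKDF2", "ARGON2"}  # assumed policy for this example

def parse_ldif(text):
    """Return {dn: {attr: [values]}} in file order; 'attr:: value' lines hold base64 (RFC 2849)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace") if value.startswith(":") else value.strip()
        attr = attr.strip().lower()  # LDAP attribute names are case-insensitive
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries

def check_export(entries):
    """Findings to review before importing: parent order, dangling members, unsalted password hashes."""
    findings, seen = [], set()
    for dn, attrs in entries.items():
        parent = dn.partition(",")[2]
        if any(dn.endswith("," + o) for o in entries) and parent not in seen:  # ldapadd needs the parent first
            findings.append(f"{dn}: parent {parent} missing or listed later")
        findings += [f"{dn}: member {m} has no entry" for m in attrs.get("member", []) if m not in entries]
        for pw in attrs.get("userpassword", []):
            scheme = pw[1:].partition("}")[0].upper() if pw.startswith("{") else "CLEARTEXT"
            if scheme.partition("-")[0] not in SALTED_SCHEMES:
                findings.append(f"{dn}: userPassword scheme {scheme} is not salted")
        seen.add(dn)
    return findings
```

Run `check_export(parse_ldif(SAMPLE_LDIF))` to get the four findings for the sample; point `parse_ldif` at the full export to check that instead.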
Configure Jenkins to use your LDAP server
Privileges via ACLs (Access Control Lists)
Example
Attributes
- uid: user ID
- cn: common name
- sn: surname
- l: location (locality)
- ou: organisational unit
- o: organisation
- dc: domain component
- st: state
- c: country
- dn: distinguished name, e.g. cn=sadique5,ou=people,dc=ldap,dc=example,dc=com
Search Scope
Three types of scope:
- base: limits the search to just the base object
- onelevel: limits the search to just the immediate children of the base
- sub: searches the entire subtree from the base down
Filling LDAP manually from a script (without an LDIF file)
# -x simple bind, -D bind DN, -c continue past errors in the input.
# -w puts the bind password on the command line (visible in process lists and shell history); -W prompts for it instead.
# A plain ldap:// URL without StartTLS also sends the bind password and the cleartext userPassword over the wire unencrypted.
ldapadd -H "ldap://localhost" -c -x -D "cn=admin,dc=ldap,dc=example,dc=com" -w "Jpk66g63ZifGYIcShSGM" << EOF
dn: cn=sadique5,ou=people,dc=ldap,dc=example,dc=com
cn: sadique5
sn: sadique
uid: sadique
displayName: Sadique Puthen Peedikayil
givenName: Sadique
mail: sadique@vanillanetworks.com
mobile: 9895643639
homePhone: 0466-2254274
objectClass: inetOrgPerson
userPassword: Jpk66g63ZifGYIcShSGM
EOF
OpenLDAP and phpldapadmin
Starting both (the OpenDJ server image and phpLDAPadmin) in Docker:
# Shared network so phpLDAPadmin can reach the server by container name.
docker network create ldapnetwork

# Directory server: LDAP on 1389, LDAPS on 1636, admin port 4444 mapped to 3000.
sudo docker run --restart=always -td --net ldapnetwork -h "opendj" \
  --env ROOT_USER_DN="cn=Directory Manager" --env OPENDJ_USER="opendj" \
  --env BASE_DN="dc=project,dc=intra" --env ROOT_PASSWORD="123abc" \
  -p 1389:1389 -p 1636:1636 -p 3000:4444 --name opendj openidentityplatform/opendj

# phpLDAPadmin, told to connect to the "opendj" container without TLS on port 1389 (plain HTTP on host port 4200).
sudo docker run --restart=always \
  --env PHPLDAPADMIN_LDAP_HOSTS="#PYTHON2BASH:[{'opendj': [{'server': [{'tls': False}, {'port': 1389}]}, {'login': [{'bind_id': 'cn=Directory Manager'}, {'bind_pass': '123abc'}]}]}]" \
  --net ldapnetwork -p 4200:80 --env PHPLDAPADMIN_HTTPS=false --detach --name php osixia/phpldapadmin:0.7.2 --loglevel debug
Navigate to http://localhost:4200 and log in with:
Login DN: cn=Directory Manager
Password: 123abc