Tohuwabohu excorcism

User Tools

Site Tools

Trace: protractor domain_driven_design ldap
ldap

This is an old revision of the document!

Table of Contents

LDAP

LDAP ist ein Format zum Speichern von Daten in Verzeichnissen (!= Ordner. Verzeichnis wie z.B. Telefonverzeichnis, Katalog)

Hier eine tolle Einleitung:

  1. http://www.effinger.org/blog/wp-content/uploads/2008/12/ldap-grundlagen.pdf
  2. http://archive.oreilly.com/pub/a/perl/excerpts/system-admin-with-perl/ten-minute-ldap-utorial.html
  • Partitions - unter Root hängt eine Partition. z.B. dc=otm,dc=intra
  • AttributeType - beschreibt den Type eines Wertes
  • ObjectClass - definiert einen Satz von attributen. z.B. Class person hat name, surname, .. als attribute

LDAP Server

Implementierung : http://directory.apache.org/apacheds/

LDAP Client

Nice implementation: http://directory.apache.org/studio/




Standard structure

Standard structure. May look as following.

Under Organisational Units “groups” and “users” put the Posix-Groups and Posix-Users

Achtung: The default POSIX group “users” must be created first.
Because at least one Group's GID (group id) must be referenced during user creation.
After that you can create

Example configuration with Jenkins

  • Exported partitition otm.intra.
  • The groups are managed in a separate ou.
  • The passwords (userPassword attributeType) are not mandatory, but have to be added as a separate attribute. Their values may be stored as saulted hashes.
version: 1

dn: ou=JenkinsAdmins,ou=groups,dc=otm,dc=intra
objectclass: groupOfNames
objectclass: top
cn: JenkinsAdmins
member: cn=admin,ou=users,dc=otm,dc=intra
member: cn=alexander.friesen,ou=users,dc=otm,dc=intra
member: cn=boris.jelzin,ou=users,dc=otm,dc=intra
ou: JenkinsAdmins

dn: cn=alexander.friesen,ou=users,dc=otm,dc=intra
objectClass: person
objectClass: top
cn: alexander.friesen
sn: alexander.friesen
userPassword:: e1NIQX13dVFVZXE0NjJuODJnbWJRYzZ6VXFSV01XZlU9

dn: ou=users,dc=otm,dc=intra
objectclass: organizationalUnit
objectclass: top
ou: users

dn: cn=stas.archontov,ou=users,dc=otm,dc=intra
objectclass: person
objectclass: top
cn: stas.archotov
cn: stas.archontov
sn: stas.archontov
userPassword:: e1NIQX13dVFVZXE0NjJuODJnbWJRYzZ6VXFSV01XZlU9

dn: cn=boris.jelzin,ou=users,dc=otm,dc=intra
objectclass: person
objectclass: top
cn: boris.jelzin
sn: boris.jelzin
userPassword:: e1NIQX13dVFVZXE0NjJuODJnbWJRYzZ6VXFSV01XZlU9

dn: ou=JenkinsHotSyncer,ou=groups,dc=otm,dc=intra
objectclass: groupOfNames
objectclass: top
cn: JenkinsHotSyncer
member: cn=admin,ou=users,dc=otm,dc=intra
member: cn=stas.archontov,ou=users,dc=otm,dc=intra
ou: JenkinsHotSyncer

dn: ou=JenkinsSyncer,ou=groups,dc=otm,dc=intra
objectclass: groupOfNames
objectclass: top
cn: JenkinsSyncer
member: cn=admin,ou=users,dc=otm,dc=intra
member: cn=stas.archontov,ou=users,dc=otm,dc=intra
ou: JenkinsSyncer

dn: cn=admin,ou=users,dc=otm,dc=intra
objectClass: person
objectClass: top
cn: admin
sn: admin
userPassword:: e1NIQX13dVFVZXE0NjJuODJnbWJRYzZ6VXFSV01XZlU9

dn: dc=otm,dc=intra
objectclass: top
objectclass: domain
dc: otm

dn: ou=groups,dc=otm,dc=intra
objectclass: organizationalUnit
objectclass: top
ou: groups

Configure Jenkins to use your LDAP server

Privilidges via ACLs - Access Control Lists

https://youtu.be/gNc3NcHOGC8?t=6m56s

Beispiel

Attributes

uid User id
cn Common Name
sn Surname
l Location
ou Organisational Unit
o Organisation
dc Domain Component
st State
c Country
dn distinguished name, like cn=sadique5,ou=people,dc=ldap,dc=example,dc=com

Search Scope

3 types of scope: 

base limits to just the base object
onelevel limits to just the immediate children
sub search the entire subtree from base down

Filling LDAP manually without file from script

ldapadd -H "ldap://localhost" -c -x -D "cn=admin,dc=ldap,dc=example,dc=com" -w "Jpk66g63ZifGYIcShSGM" << EOF

dn: cn=sadique5,ou=people,dc=ldap,dc=example,dc=com
cn: sadique5
sn: sadique
uid: sadique
displayName: Sadique Puthen Peedikayil
givenName: Sadique
mail: sadique@vanillanetworks.com
mobile: 9895643639
homePhone: 0466-2254274
objectClass: inetOrgPerson
userPassword: Jpk66g63ZifGYIcShSGM

EOF

OpenLDAP and phpldapadmin

Starting both in docker: 

docker network create ldapnetwork

sudo docker run --restart=always  -td --net ldapnetwork -h "opendj" --env ROOT_USER_DN="cn=Directory Manager" --env OPENDJ_USER="opendj" --env BASE_DN="dc=project,dc=intra" --env ROOT_PASSWORD="123abc" -p 1389:1389 -p 1636:1636 -p 3000:4444 --name opendj openidentityplatform/opendj

sudo docker run --restart=always  --env PHPLDAPADMIN_LDAP_HOSTS="#PYTHON2BASH:[{'opendj': [{'server': [{'tls': False}, {'port': 1389}]}, {'login': [{'bind_id': 'cn=Directory Manager'}, {'bind_pass': '123abc'}]}]}]"  --net ldapnetwork -p 4200:80 --env PHPLDAPADMIN_HTTPS=false  --detach --name php osixia/phpldapadmin:0.7.2 --loglevel debug

Navigate to http://localhost:4200

Login with 

Login DN:
cn=Directory Manager

Pass:
123abc
display the configs
slapcat -b cn=config

Or within contianer 

docker exec ldap slapcat -b cn=config

LDAP with Spring

Spring LDAP reference: https://docs.spring.io/autorepo/docs/spring-ldap/current/reference/#dns-as-attribute-values

Examples:

Schema extension

This is an example for an extended schema

stored as local.schema 

# local.schema -- aaainetOrgPerson
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
# aaainetOrgPerson
#
#   Defines additional attributes required by the SSP
#   TODO: request and add unique Private Enterprise Number from IANA Services
#

attributetype ( 5.12.345.1.123456.3.1.321
	NAME 'x-company-auth0userId'
	DESC 'the id identifying ofthe auth0 user'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 5.12.345.1.123456.3.1.322
	NAME 'x-company-auth0clientId'
	DESC 'the clientId of the machine to machine user'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 5.12.345.1.123456.3.1.323
	NAME 'x-company-tags'
	DESC 'the tags field containing all the tags without empty spaces'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 5.12.345.1.123456.3.1.324
	NAME 'x-company-b360id'
	DESC 'the building 360 identifier of a customer'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass	( 5.12.345.1.123456.3.1.2
    NAME 'x-company-auth0subject'
	DESC 'auth0 service registered person or machine'
	AUXILIARY
	MAY ( x-company-auth0userId $ x-company-auth0clientId ) )

objectclass	( 5.12.345.1.123456.3.1.3
    NAME 'x-company-hastags'
	DESC 'an object which has a tag'
	AUXILIARY
	MAY ( x-company-tags ) )

objectclass	( 5.12.345.1.123456.3.1.4
    NAME 'x-company-b360customer'
	DESC 'b360 customer'
	AUXILIARY
	MAY ( x-company-b360id ) )
ldap.1593503148.txt.gz · Last modified: (external edit)