几种常见的LDAP系统

Tags: 系统设计 

目录

介绍

OpenLDAP Administrator’s Guide对LDAP做很准确的描述:

Technically, LDAP is a directory access protocol to an X.500 directory service, the OSI directory service. 
Initially, LDAP clients accessed gateways to the X.5h0 directory service. 
This gateway ran LDAP between the client and gateway and X.500's Directory Access Protocol (DAP) between the gateway and the X.500 server.
DAP is a heavyweight protocol that operates over a full OSI protocol stack and requires a significant amount of computing resources. 
LDAP is designed to operate over TCP/IP and provides most of the functionality of DAP at a much lower cost.

服务端只需要支持LDAP协议,可以使用不同的后端存储。

LDAP协议

LDAP provides access to distributed directory services that act in accordance with X.500 data and service models.

2006年发布的rfc文档:

rfc4510rfc4511rfc4512rfc4513rfc4514rfc4515rfc4516rfc4517rfc4518、[rfc4519][20]

是最新的LDAP协议建议实现标准(2017-04-07 10:32:33)。

数据组织方式

LDAP以directory entry为最小单位管理数据。entries按照层级划分,组成一个树形结构。

每个entry拥有一个独一无二的DN(Distinguished Name),可以通过DN指定要操作的entry。

entry由一个DN和多个attribute组成,attribute可以自定义,rfc4519中给出了常用的attributes。

一些常用attribute被打包成了objectClass,可以直接在entry中应用,rfc4519中给出了常用的objectClass。

注意,不同的LDAP系统会有自己扩展的attributes和objectClass。

例如,OpenLDAP的实现,作为根目录的entry:

dn: dc=idevelopment,dc=info
dc: idevelopment
o: iDevelopment.info LDAP Server
description: Root entry for iDevelopment.info. 
 iDevelopment.info is a public website that provides a professional forum to exchange 
 information, ideas, and expertise on advanced topics in the IT and scientific fields. 
 The audience for iDevelopment.info includes Database Administrators, System Administrators, 
 Developers, Computer Scientists, Software Engineers, and Mathematicians.
objectClass: top
objectclass: dcObject
objectclass: organization

部门的entry(OpenLDAP):

dn: ou=People,dc=idevelopment,dc=info
ou: People
description: All people in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

角色:

dn: cn=Manager,dc=idevelopment,dc=info
cn: Manager
description: Rootdn
objectclass: organizationalRole

用户:

dn: uid=usuario1,dc=ldap-kike,dc=com,dc=uy                 //DN
uid: usuario1
cn: usuario1
objectClass: account                                       //直接应用的objectClass
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$TEDFGNB3$m24Mo06Q06EXMop7INKrC/    //其它属性
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/usuario1
gecos: usuario1

OPENLDAP Initialize a New LDAP Directoryinstall-and-configure-openldap-on-centos-5中介绍了如何在OpenLDAP中创建entry。

通信格式

rfc4511中定义消息格式:

    LDAPMessage ::= SEQUENCE {
         messageID       MessageID,
         protocolOp      CHOICE {
              bindRequest           BindRequest,
              bindResponse          BindResponse,
              unbindRequest         UnbindRequest,
              searchRequest         SearchRequest,
              searchResEntry        SearchResultEntry,
              searchResDone         SearchResultDone,
              searchResRef          SearchResultReference,
              modifyRequest         ModifyRequest,
              modifyResponse        ModifyResponse,
              addRequest            AddRequest,
              addResponse           AddResponse,
              delRequest            DelRequest,
              delResponse           DelResponse,
              modDNRequest          ModifyDNRequest,
              modDNResponse         ModifyDNResponse,
              compareRequest        CompareRequest,
              compareResponse       CompareResponse,
              abandonRequest        AbandonRequest,
              extendedReq           ExtendedRequest,
              extendedResp          ExtendedResponse,
              ...,
              intermediateResponse  IntermediateResponse },
         controls       [0] Controls OPTIONAL }

    MessageID ::= INTEGER (0 ..  maxInt)

    maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) 

主要操作

BindRequest:

认证
allow authentication information to be exchanged between the client and server

clients may send multiple Bind requests 
to change the authentication and/or security associations or 
to complete a multi-stage Bind process

The serverSaslCreds field is used as part of a SASL-defined bind
mechanism to allow the client to authenticate the server to which it
is communicating, or to perform "challenge-response" authentication.

UnbindRequest:

to terminate an LDAP session

SearchRequest:

The Search operation is used to request a server to return, subject
to access controls and other restrictions, a set of entries matching
a complex search criterion.  

This can be used to read attributes from
a single entry, from entries immediately subordinate to a particular
entry, or from a whole subtree of entries.

ModifyRequest:

allows a client to request that a modification
of an entry be performed on its behalf by a server.

AddRequest:

allows a client to request the addition of an entry into the Directory

DelRequest:

allows a client to request the removal of an entry from the Directory.

ModifyDNRequest:

allows a client to change the Relative Distinguished Name (RDN) of 
an entry in the Directory and/or to move a subtree of entries to a 
new location in the Directory.

CompareRequest:

allows a client to compare an assertion value with the values of a
particular attribute in a particular entry in the Directory.

OpenLDAP

OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.

The suite includes:

slapd - stand-alone LDAP daemon (server)
libraries implementing the LDAP protocol, and
utilities, tools, and sample clients. 

官网http://www.openldap.org/

安装

环境:

CentOS Linux release 7.3.1611 (Core)
openldap-clients-2.4.40-13.el7.x86_64
openldap-servers-2.4.40-13.el7.x86_64
openldap-2.4.40-13.el7.x86_64

安装Server:

yum install -y openldap-servers

查看一下都安装了哪些文件:

$rpm -ql openldap-servers
/etc/openldap/check_password.conf               <-- 配置文件
/etc/openldap/schema
/etc/openldap/schema/collective.ldif
...省略...
/etc/openldap/slapd.conf
/etc/openldap/slapd.conf.bak
/etc/openldap/slapd.d
/etc/sysconfig/slapd
/usr/lib/systemd/system/slapd.service           <-- 系统服务
/usr/lib/tmpfiles.d/slapd.conf
/usr/lib64/openldap/accesslog-2.4.so.2
...省略...
/usr/libexec/openldap/check-config.sh
/usr/libexec/openldap/convert-config.sh
/usr/libexec/openldap/functions
/usr/libexec/openldap/generate-server-cert.sh
/usr/libexec/openldap/upgrade-db.sh
/usr/sbin/slapacl                               <-- 可以使用的一些命令
/usr/sbin/slapadd
/usr/sbin/slapauth
/usr/sbin/slapcat
/usr/sbin/slapd
/usr/sbin/slapdn
/usr/sbin/slapindex
/usr/sbin/slappasswd
/usr/sbin/slapschema
/usr/sbin/slaptest
/usr/share/doc/openldap-servers-2.4.40          <-- 文档
...省略...
/var/lib/ldap
/var/run/openldap

启动服务:

systemct start slapd

OpenLDAP client:

yum install -y openldap-clients

查看安装了哪些文件:

$rpm -ql  openldap-clients
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldappasswd
/usr/bin/ldapsearch
/usr/bin/ldapurl
/usr/bin/ldapwhoami
/usr/share/man/man1/ldapadd.1.gz
...省略...

使用

OpenLDAP的记录都以ldif格式导入导出。

查询:

// -b: 从这个base开始搜索
// -s: 搜索范围,[base|one|sub|children]
// '(objectclass=*)':  搜索条件search filter
// namingContexts:  查找的属性名

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

写入记录,记录文件manger.ldif:

dn: dc=my-domain,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: my-domain

dn: cn=Manager,dc=my-domain,dc=com
objectclass: organizationalRole
cn: Manager

写入:

ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -W -f manger.ldif

需要输入密码,但是!默认秘密是多少?参照网上方法修改后也始终不生效,天坑。。。

Library

Golang

github上ldap的go代码库不多,go-ldap是功能相对比较完善的一个库。

https://github.com/go-ldap/ldap

参考

  1. rfc4510 LDAP: Technical Specification Road Map, June 2006
  2. rfc4511 LDAP: The Protocol, June 2006
  3. rfc4512 LDAP: Directory Information Models, June 2006
  4. rfc4513 LDAP: Authentication Methods and Security Mechanisms, June 2006
  5. rfc4514 LDAP: String Representation of Distinguished Names
  6. rfc4515 LDAP: String Representation of Search Filters
  7. rfc4516 LDAP: Uniform Resource Locator
  8. rfc4517 LDAP: Syntaxes and Matching Rules
  9. rfc4518 LDAP: Internationalized String Preparation
  10. rfc4519 LDAP: Schema for User Applications
  11. LDAP Linux HOWTO
  12. OpenLDAP Administrator’s Guide
  13. Sean’s Blog OpenLDAP
  14. OPENLDAP Initialize a New LDAP Directory
  15. install-and-configure-openldap-on-centos-5
  16. http://www.openldap.org/”
  17. config openladp

系统设计

  1. 各大云厂商的 API 设计风格
  2. Google 是如何实践 RESTful API 设计的?
  3. Netflix 的异地多活设计: Active-Active for Multi-Regional Resiliency
  4. Facebook 的缓存系统实践经验《Scaling Memcache at Facebook》
  5. 多机数据系统的正确性与一致性
  6. 《大型网站技术架构: 核心原理与案例分析》阅读摘录
  7. 《分布式金融架构课》阅读笔记2: 线性一致的分布式数据系统的实现过程
  8. 《分布式金融架构课》阅读笔记1: 单机&多机并发/多副本读写正确性和一致性
  9. 《消息队列高手课》阅读笔记: Rabbit/Rocket/Kafka/模型/消息事务/保序等
  10. 《消息队列高手课》阅读笔记: Rabbit/Rocket/Kafka/模型/消息事务/保序等
  11. 《Redis核心技术与实践》阅读笔记: 数据类型/存储开销/Rehash/案例等
  12. 《Redis核心技术与实践》阅读笔记: 数据类型/存储开销/Rehash/案例等
  13. 《高并发系统设计40问》阅读笔记: 数据库/缓存/消息队列/分布式服务
  14. 《高并发系统设计40问》阅读笔记: 数据库/缓存/消息队列/分布式服务
  15. 《MySQL实战45讲》阅读笔记: 索引类型/数据可靠性/事务/间隙锁/临时表等
  16. 系统性能分析方法论: 统计图谱工具
  17. 张磊《深入剖析Kubernetes》专栏的阅读笔记
  18. 代理服务软件haproxy、nginx、envoy对比,以及开源的API网关项目对比
  19. 蓝绿部署、金丝雀发布(灰度发布)、A/B测试的准确定义
  20. 阿里巴巴的应用限流和服务降级是怎样实现的?|如何打造平台稳定能力
  21. 陈皓《左耳听风》专栏的阅读笔记(持续更新)
  22. 好雨云帮,一款不错的国产开源PaaS
  23. 怎样为软件的不同版本命名?
  24. 怎样选择开源项目的license?
  25. Glusterfs的架构
  26. 怎样设计一个企业级的PaaS平台?
  27. 几种常见的LDAP系统
  28. DNS SRV介绍(一种用DNS做服务发现的方法)
  29. DNS,DNS-Domain Name System
  30. 思科的网络设备
  31. 虚拟化技术汇总
  32. 认证与授权系统的汇总
  33. 高可用实现方法汇总
  34. 编译器汇总
  35. Linux系统的优化方法
  36. CentOS7的一些变化
  37. 分布式系统的一些知识
  38. 计算机编程语言的特性汇总
  39. 网络通信的一些基础知识
  40. PCIE总线的一些知识
  41. 操作系统的API
  42. 网卡的一些知识
  43. Linux系统的构建过程
  44. 数据结构与算法
  45. CPU的相关知识

推荐阅读

Copyright @2011-2019 All rights reserved. 转载请添加原文连接,合作请加微信lijiaocn或者发送邮件: [email protected],备注网站合作

友情链接:  系统软件  程序语言  运营经验  水库文集  网络课程  微信网文  发现知识星球