几种常见的LDAP系统

作者: 李佶澳   转载请保留:原文地址   发布时间:2017/04/01 17:41:15

介绍

OpenLDAP Administrator’s Guide对LDAP做很准确的描述:

Technically, LDAP is a directory access protocol to an X.500 directory service, the OSI directory service. 
Initially, LDAP clients accessed gateways to the X.5h0 directory service. 
This gateway ran LDAP between the client and gateway and X.500's Directory Access Protocol (DAP) between the gateway and the X.500 server.
DAP is a heavyweight protocol that operates over a full OSI protocol stack and requires a significant amount of computing resources. 
LDAP is designed to operate over TCP/IP and provides most of the functionality of DAP at a much lower cost.

服务端只需要支持LDAP协议,可以使用不同的后端存储。

LDAP协议

LDAP provides access to distributed directory services that act in accordance with X.500 data and service models.

2006年发布的rfc文档:

rfc4510rfc4511rfc4512rfc4513rfc4514rfc4515rfc4516rfc4517rfc4518、[rfc4519][20]

是最新的LDAP协议建议实现标准(2017-04-07 10:32:33)。

数据组织方式

LDAP以directory entry为最小单位管理数据。entries按照层级划分,组成一个树形结构。

每个entry拥有一个独一无二的DN(Distinguished Name),可以通过DN指定要操作的entry。

entry由一个DN和多个attribute组成,attribute可以自定义,rfc4519中给出了常用的attributes。

一些常用attribute被打包成了objectClass,可以直接在entry中应用,rfc4519中给出了常用的objectClass。

注意,不同的LDAP系统会有自己扩展的attributes和objectClass。

例如,OpenLDAP的实现,作为根目录的entry:

dn: dc=idevelopment,dc=info
dc: idevelopment
o: iDevelopment.info LDAP Server
description: Root entry for iDevelopment.info. 
 iDevelopment.info is a public website that provides a professional forum to exchange 
 information, ideas, and expertise on advanced topics in the IT and scientific fields. 
 The audience for iDevelopment.info includes Database Administrators, System Administrators, 
 Developers, Computer Scientists, Software Engineers, and Mathematicians.
objectClass: top
objectclass: dcObject
objectclass: organization

部门的entry(OpenLDAP):

dn: ou=People,dc=idevelopment,dc=info
ou: People
description: All people in iDevelopment.info
objectClass: top
objectClass: organizationalUnit

角色:

dn: cn=Manager,dc=idevelopment,dc=info
cn: Manager
description: Rootdn
objectclass: organizationalRole

用户:

dn: uid=usuario1,dc=ldap-kike,dc=com,dc=uy                 //DN
uid: usuario1
cn: usuario1
objectClass: account                                       //直接应用的objectClass
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$TEDFGNB3$m24Mo06Q06EXMop7INKrC/    //其它属性
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/usuario1
gecos: usuario1

OPENLDAP Initialize a New LDAP Directoryinstall-and-configure-openldap-on-centos-5中介绍了如何在OpenLDAP中创建entry。

通信格式

rfc4511中定义消息格式:

    LDAPMessage ::= SEQUENCE {
         messageID       MessageID,
         protocolOp      CHOICE {
              bindRequest           BindRequest,
              bindResponse          BindResponse,
              unbindRequest         UnbindRequest,
              searchRequest         SearchRequest,
              searchResEntry        SearchResultEntry,
              searchResDone         SearchResultDone,
              searchResRef          SearchResultReference,
              modifyRequest         ModifyRequest,
              modifyResponse        ModifyResponse,
              addRequest            AddRequest,
              addResponse           AddResponse,
              delRequest            DelRequest,
              delResponse           DelResponse,
              modDNRequest          ModifyDNRequest,
              modDNResponse         ModifyDNResponse,
              compareRequest        CompareRequest,
              compareResponse       CompareResponse,
              abandonRequest        AbandonRequest,
              extendedReq           ExtendedRequest,
              extendedResp          ExtendedResponse,
              ...,
              intermediateResponse  IntermediateResponse },
         controls       [0] Controls OPTIONAL }

    MessageID ::= INTEGER (0 ..  maxInt)

    maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) 

主要操作

BindRequest:

认证
allow authentication information to be exchanged between the client and server

clients may send multiple Bind requests 
to change the authentication and/or security associations or 
to complete a multi-stage Bind process

The serverSaslCreds field is used as part of a SASL-defined bind
mechanism to allow the client to authenticate the server to which it
is communicating, or to perform "challenge-response" authentication.

UnbindRequest:

to terminate an LDAP session

SearchRequest:

The Search operation is used to request a server to return, subject
to access controls and other restrictions, a set of entries matching
a complex search criterion.  

This can be used to read attributes from
a single entry, from entries immediately subordinate to a particular
entry, or from a whole subtree of entries.

ModifyRequest:

allows a client to request that a modification
of an entry be performed on its behalf by a server.

AddRequest:

allows a client to request the addition of an entry into the Directory

DelRequest:

allows a client to request the removal of an entry from the Directory.

ModifyDNRequest:

allows a client to change the Relative Distinguished Name (RDN) of 
an entry in the Directory and/or to move a subtree of entries to a 
new location in the Directory.

CompareRequest:

allows a client to compare an assertion value with the values of a
particular attribute in a particular entry in the Directory.

OpenLDAP

OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.

The suite includes:

slapd - stand-alone LDAP daemon (server)
libraries implementing the LDAP protocol, and
utilities, tools, and sample clients. 

官网http://www.openldap.org/

安装

环境:

CentOS Linux release 7.3.1611 (Core)
openldap-clients-2.4.40-13.el7.x86_64
openldap-servers-2.4.40-13.el7.x86_64
openldap-2.4.40-13.el7.x86_64

安装Server:

yum install -y openldap-servers

查看一下都安装了哪些文件:

$rpm -ql openldap-servers
/etc/openldap/check_password.conf               <-- 配置文件
/etc/openldap/schema
/etc/openldap/schema/collective.ldif
...省略...
/etc/openldap/slapd.conf
/etc/openldap/slapd.conf.bak
/etc/openldap/slapd.d
/etc/sysconfig/slapd
/usr/lib/systemd/system/slapd.service           <-- 系统服务
/usr/lib/tmpfiles.d/slapd.conf
/usr/lib64/openldap/accesslog-2.4.so.2
...省略...
/usr/libexec/openldap/check-config.sh
/usr/libexec/openldap/convert-config.sh
/usr/libexec/openldap/functions
/usr/libexec/openldap/generate-server-cert.sh
/usr/libexec/openldap/upgrade-db.sh
/usr/sbin/slapacl                               <-- 可以使用的一些命令
/usr/sbin/slapadd
/usr/sbin/slapauth
/usr/sbin/slapcat
/usr/sbin/slapd
/usr/sbin/slapdn
/usr/sbin/slapindex
/usr/sbin/slappasswd
/usr/sbin/slapschema
/usr/sbin/slaptest
/usr/share/doc/openldap-servers-2.4.40          <-- 文档
...省略...
/var/lib/ldap
/var/run/openldap

启动服务:

systemct start slapd

OpenLDAP client:

yum install -y openldap-clients

查看安装了哪些文件:

$rpm -ql  openldap-clients
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldappasswd
/usr/bin/ldapsearch
/usr/bin/ldapurl
/usr/bin/ldapwhoami
/usr/share/man/man1/ldapadd.1.gz
...省略...

使用

OpenLDAP的记录都以ldif格式导入导出。

查询:

// -b: 从这个base开始搜索
// -s: 搜索范围,[base|one|sub|children]
// '(objectclass=*)':  搜索条件search filter
// namingContexts:  查找的属性名

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

写入记录,记录文件manger.ldif:

dn: dc=my-domain,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: my-domain

dn: cn=Manager,dc=my-domain,dc=com
objectclass: organizationalRole
cn: Manager

写入:

ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -W -f manger.ldif

需要输入密码,但是!默认秘密是多少?参照网上方法修改后也始终不生效,天坑。。。

Library

Golang

github上ldap的go代码库不多,go-ldap是功能相对比较完善的一个库。

https://github.com/go-ldap/ldap

参考

  1. rfc4510 LDAP: Technical Specification Road Map, June 2006
  2. rfc4511 LDAP: The Protocol, June 2006
  3. rfc4512 LDAP: Directory Information Models, June 2006
  4. rfc4513 LDAP: Authentication Methods and Security Mechanisms, June 2006
  5. rfc4514 LDAP: String Representation of Distinguished Names
  6. rfc4515 LDAP: String Representation of Search Filters
  7. rfc4516 LDAP: Uniform Resource Locator
  8. rfc4517 LDAP: Syntaxes and Matching Rules
  9. rfc4518 LDAP: Internationalized String Preparation
  10. rfc4519 LDAP: Schema for User Applications
  11. LDAP Linux HOWTO
  12. OpenLDAP Administrator’s Guide
  13. Sean’s Blog OpenLDAP
  14. OPENLDAP Initialize a New LDAP Directory
  15. install-and-configure-openldap-on-centos-5
  16. http://www.openldap.org/”
  17. config openladp

欢迎加微信,最好备注姓名和方向

QQ交流群

区块链实践互助QQ群:576555864

Kubernetes实践互助QQ群:947371129

Prometheus实践互助QQ群:952461804

API网关Kong实践互助QQ群:952503851

Ansible实践互助QQ群:955105412

Copyright @2011-2018 All rights reserved. 转载请添加原文连接,合作请加微信lijiaocn或者发送邮件: lijiaocn@foxmail.com,备注网站合作 友情链接: lijiaocn github.com