Sunday, March 18, 2007

LDAP and OpenLDAP (Part I)

LDAP is nothing more than a communication protocol between a client, which requests information, and a server, which stores the information or knows where it is stored. LDAP is only a set of communication rules, not a product you can buy.

OpenLDAP is an open-source product that implements LDAP.

Experience has shown that the best way to understand a new tool is simply to use or play around with it. That is what we will do in this article.

Before you can enter any objects into a directory, you must first define what kinds of objects the directory will accept. This is much like designing an object-oriented database. For example, if we want to describe a company abc.com as an object, we consider abc.com an instance of the object class "organization".

An object class is a structure that is already standardized and defined in the OpenLDAP schemas; most of them derive from the original X.500 protocol. A schema is much like a C header file, which describes the data structures used by a C library. So we don't have to invent these object classes ourselves, just as we don't have to invent printf when we program in C.

Once a company can be described as an object, a department of a large company can also be described as an object of the object class "organizational unit", and a person in the company as an object of the class "person".

A directory is made up of a number of entries, each corresponding to an object in the real world. Every object belongs to an object class, which is characterized by a number of "attributes". For example, a company has a name, a phone number, and so on. An attribute is made up of an attribute name and one or more attribute values. The attribute names, like the class names, are standardized, most of them inherited from the X.500 protocol.

An object (entry) must have a "distinguished name" (dn) to identify itself, so the dn must be unique. How to give an object a distinguished name is explained in detail in the following sections.

The directory is built up like a tree, which is always called the DIT (Directory Information Tree). We will take the company abc.com as an example. When we begin to store the information of abc.com, we consider abc.com a tree whose root entry has the attribute "o" (which stands for organization) with the attribute value "abc.com". So the root entry has the distinguished name o=abc.com.

The departments of abc.com are subtrees of the DIT of the entire enterprise; each has the attribute ou (which stands for organizational unit) with the department name as its value. For example, the marketing department has the distinguished name "ou=marketing, o=abc.com". Likewise we give the IT department the distinguished name "ou=IT, o=abc.com".

Once the dn is given, the object may be added to the DIT using the client tools released with the OpenLDAP software distribution, like:
#ldapmodify -a -D "uid=admin, o=abc.com" -w password
dn: o=abc.com
objectClass: top
objectClass: organization
o: abc.com
l: ShangHai

adding new entry "o=abc.com"

The parameter following -D is the administrator account (the bind DN) of the LDAP server running on the machine, and -w gives the password of this administrator account. Both the account and the password are stored in the configuration file, which can be edited with vi before starting the server.

The first line of the actual data begins with:
dn: o=abc.com
which is the distinguished name of this entry. The distinguished name is just a key to access this particular entry. It must be unique across the whole directory.

The following lines:
objectClass: top
objectClass: organization

mean that o=abc.com is an object of the object class "organization", and that "organization" is a subclass of "top". Both "organization" and "top" are declared in the schema files loaded by the configuration.

o: abc.com
l: ShangHai
The object o=abc.com has two other properties (attributes): "o" (organization) and "l" (location), both of them defined in the schema. Reading the configuration files, we'll note that some attributes are required and others are optional.

The last line:
adding new entry "o=abc.com"
is the output of the command which means that the command has been executed successfully. Otherwise, you will get an error message.

After the root entry (o=abc.com) has been added, the departments can be added as subtrees. For example:
# ldapmodify -a -D "cn=admin, o=abc.com" -w password
dn: ou=HR, o=abc.com
objectclass: top
objectclass: organizationalUnit
ou: HR
description: Human Resources

adding new entry "ou=HR, o=abc.com"

dn: ou=R&D, o=abc.com
objectclass: top
objectclass: organizationalUnit
ou: R&D
description: Research and Development

adding new entry "ou=R&D, o=abc.com"

dn: ou=Mkt, o=abc.com
objectclass: top
objectclass: organizationalUnit
ou: Mkt
description: Marketing

adding new entry "ou=Mkt, o=abc.com"

After all these entries are added to the DIT, we can retrieve the information from the LDAP server using the ldapsearch command:

#ldapsearch -b "o=abc.com" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# filter: (objectclass=*)
# requesting: ALL
#
# abc.com

dn: o=abc.com
objectclass: top
objectclass: organization
o: abc.com
l: ShangHai

# HR, abc.com
dn: ou=HR, o=abc.com
objectclass: top
objectclass: organizationalUnit
ou: HR
description: Human Resources

# R&D, abc.com
dn: ou=R&D, o=abc.com
objectclass: top
objectclass: organizationalUnit
ou: R&D
description: Research and Development

# Mkt, abc.com
dn: ou=Mkt, o=abc.com
objectclass: top
objectclass: organizationalUnit
ou: Mkt
description: Marketing

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

Once the DIT is created, the root entry and the subtree entries are added into it. We'll find that putting the personal information of hundreds of abc.com employees into the directory is a difficult thing, because we must input these entries one by one without mistakes. Fortunately, the ldapmodify command also accepts a file as input:
#cat persons.ldif
dn: uid=ZhaoJia, ou=Mkt, o=abc.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Zhao
sn: Jia
givenName: Thomas
ou: Mkt
uid: ZhaoJia
mail: zhaojia@abc.com

dn: uid=QianYi, ou=Mkt, o=abc.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Qian
sn: Yi
givenName: Peter
ou: Mkt
uid: QianYi
mail: QianYi@abc.com

#ldapmodify -a -D "uid=admin, o=abc.com" -w "password" -f persons.ldif
adding new entry "uid=ZhaoJia, ou=Mkt, o=abc.com"
adding new entry "uid=QianYi, ou=Mkt, o=abc.com"
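The three operations walked through above (adding entries parent-before-child with ldapmodify -a, searching a subtree with ldapsearch, and loading many entries from an LDIF file) can be checked offline before anything is sent to the server with the administrator credentials. The following is an added example, not code from this article or from OpenLDAP: a small LDIF loader that replays entries in file order, reports what slapd would reject (duplicate DN, parent not yet present, RDN value missing from the entry, no objectClass), and answers the same base-plus-filter queries as the ldapsearch invocation shown earlier. The LDIF text is constructed from the abc.com entries, and the function names and the simplified DN handling (components split on commas without escaping, no folded or base64 lines) are assumptions of this example.

```python
# Added example (not from the article or OpenLDAP). Assumptions: DN components are
# split on ',' without escaping; folded and base64 ('::') LDIF lines are not handled.
import re
from collections import defaultdict
# Constructed LDIF: SAMPLE_LDIF in the article's order; BAD_LDIF with typical hand-typing mistakes.
SAMPLE_LDIF = """\
dn: o=abc.com
objectClass: organization
o: abc.com

dn: ou=Mkt, o=abc.com
objectClass: organizationalUnit
ou: Mkt

dn: uid=ZhaoJia, ou=Mkt, o=abc.com
objectClass: inetOrgPerson
cn: Zhao
sn: Jia
uid: ZhaoJia
"""

BAD_LDIF = """\
dn: o=abc.com
objectClass: organization
o: abc.com

dn: ou=HR, o=abc.com
objectClass: organizationalUnit
ou: Human Resources

dn: uid=QianYi, ou=Mkt, o=abc.com
uid: QianYi

dn: O=ABC.COM
objectClass: organization
o: abc.com
"""

def normalize_dn(dn):
    """Canonical DN: blanks stripped, types and values lower-cased, so
    "ou=Mkt, o=abc.com" and "OU=mkt,O=ABC.COM" compare equal."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def parse_ldif(text):
    """Return [(dn, attrs)]; attrs maps lower-cased type -> values. Blank lines separate entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if attr.strip().lower() == "dn":
                dn = value.strip()
            else:
                attrs[attr.strip().lower()].append(value.strip())
        entries.append((dn, attrs))
    return entries

def check_dit(entries, suffix):
    """Replay the entries in file order and report what slapd would reject;
    only accepted entries become parents, exactly as with ldapmodify -a."""
    problems, present = [], set()
    for dn, attrs in entries:
        ndn = normalize_dn(dn)
        if ndn in present:
            problems.append(f"{dn}: entry already exists")
            continue
        rdn, _, parent = ndn.partition(",")
        rtype, _, rvalue = rdn.partition("=")
        errors = []
        if ndn != normalize_dn(suffix) and parent not in present:
            errors.append(f"parent {parent!r} does not exist yet")
        if "objectclass" not in attrs:
            errors.append("no objectClass attribute")
        if rvalue not in [v.lower() for v in attrs.get(rtype, [])]:
            errors.append(f"RDN value {rvalue!r} is not a value of {rtype!r}")
        if errors:
            problems.append(f"{dn}: " + "; ".join(errors))
        else:
            present.add(ndn)
    return problems

def search(entries, base, ldap_filter):
    """Like `ldapsearch -b base filter` for presence (attr=*) and equality filters."""
    attr, wanted = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    attr, wanted, nbase = attr.lower(), wanted.lower(), normalize_dn(base)
    hits = []
    for dn, attrs in entries:
        ndn = normalize_dn(dn)
        if ndn == nbase or ndn.endswith("," + nbase):  # inside the search base
            values = [v.lower() for v in attrs.get(attr, [])]
            if (wanted == "*" and values) or wanted in values:
                hits.append(dn)
    return hits
```

Running check_dit over BAD_LDIF with the suffix "o=abc.com" reports three rejected entries: the HR department whose RDN value "HR" is not among its ou values, the QianYi person whose parent ou=Mkt was never added and which has no objectClass, and the second root entry that duplicates o=abc.com once the DN is normalized. The same file fed to ldapmodify would fail entry by entry, which is why a check like this before binding as the administrator saves both retries and a password typed repeatedly on the command line.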

1 comment:

www.sevilla-3d.com said...

Gosh, there is really much useful information above!
