OpenLDAP is commonly used as the account system of an enterprise. Compared with storing accounts in a relational database such as MySQL, it has lower development and maintenance costs, because authentication, schema and access control come built in. That makes OpenLDAP a well-suited choice for an enterprise account system.

You can get started quickly with an OpenLDAP account system by following the steps below.

Terminology

LDAP uses a number of abbreviations. The common ones are listed below.

dn: distinguished name, the unique identifier of an entry, comparable to the primary key ID in MySQL

cn: common name, e.g. a user's full name

sn: surname, the user's last name

givenName: the user's given name (excluding the last name)

dc: domain component, one label of the domain the entry belongs to; a DN usually contains several, e.g. dc=example,dc=org

uid: user ID, the name used to log in

c: country code, e.g. CN for China

ou: organizational unit, the department or group the entry belongs to

LDIF: LDAP Data Interchange Format, the text format OpenLDAP uses to describe and import data. Like /etc/passwd on Linux it is a fixed plain-text layout: one "attribute: value" per line, with entries separated by blank lines

dn: uid=1,ou=firstunit,o=myorganization,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: uidObject
objectClass: simpleSecurityObject
userPassword: 123456
cn: the first user
sn: su
uid: 1
telephoneNumber: 13288888888

Note: many objectClasses add optional attributes; for example, telephoneNumber is an optional (MAY) attribute of the person objectClass.

objectClass list reference: www.zytrax.com/books/ldap/… You can also define your own schema to create new objectClasses: www.openldap.org/doc/admin24…

Set up the OpenLDAP server

You can start an OpenLDAP server with one command using the Docker image from github.com/osixia/dock… Write a docker-compose.yml as follows:

version: '3'
services:
  ldap:
    image: osixia/openldap:1.2.4
    environment:
      - TZ=PRC
    ports:
      - 389:389
      - 636:636
  admin:
    image: osixia/phpldapadmin:0.8.0
    volumes:
      - ./data/admin/config:/container/service/phpldapadmin/assets/config
    ports:
      - 6443:443
    links:
      - ldap

Then start it:

docker-compose up -d

Use docker-compose ps to confirm that both containers are running.

phpLDAPadmin is then reachable at https://localhost:6443. The default administrator is cn=admin,dc=example,dc=org with password admin, and the default base DN is dc=example,dc=org. Change the password before exposing the server to anyone else: the osixia/openldap image reads it from LDAP_ADMIN_PASSWORD (and the base from LDAP_DOMAIN) in the environment section of the compose file. Port 389 is plaintext LDAP; clients outside the host should use 636 (LDAPS).

Organizational structure

An account system generally mirrors the company's organizational structure. Two structures are commonly used:

  1. Internet-style naming: the root node is the country (c=), the domain (dc=) sits under the country, the organization or organizational unit (o=/ou=) under the domain, and the users below that
  2. Enterprise-style naming: the root node is the domain (dc=…), the departments (ou=) sit under the domain, and the users under their department

The example used in the rest of this page follows the enterprise-style structure: dc=example,dc=org at the root, o=myorganization and ou=firstunit beneath it, and user entries under the unit.

Command line operation

Create the data

Create an LDIF file, for example myo.ldif (each entry must carry the attribute used in its RDN, so the unit needs an ou attribute, or slapd rejects it with a naming violation):

dn: o=myorganization,dc=example,dc=org
objectClass: top
objectClass: organization
o: myorganization
description: myorganization

dn: ou=firstunit,o=myorganization,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: firstunit
description: the first unit in the organization

dn: uid=1,ou=firstunit,o=myorganization,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: uidObject
objectClass: simpleSecurityObject
userPassword: 123456
cn: the first user
sn: su
uid: 1

Then import it into the LDAP server. The file must be visible inside the container (copy it in with docker cp, or run ldapadd from the host with -H ldap://localhost instead); -W prompts for the admin password so it does not end up in the shell history:

docker-compose exec ldap bash
ldapadd  -x  -D "cn=admin,dc=example,dc=org"  -W  -f myo.ldif

The result looks like this:

Search data

You can use ldapsearch to query data, for example everything under the base dc=example,dc=org:

ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

The result looks like this; the query succeeds and lists every entry under the base.

Note that -w admin puts the password on the command line, where it is visible in the process list and the shell history; -W prompts for it instead.

Back up data

slapcat reads the database files directly, so run it inside the ldap container. Backing up the data with slapcat -v -l mybackup.ldif looks like this. The dump contains every attribute, userPassword values included, so protect the file as carefully as the database itself.

Clear data

You can use ldapdelete -x -D "cn=admin,dc=example,dc=org" -w admin -r "dc=example,dc=org" to delete all OpenLDAP entries under dc=example,dc=org (-r deletes the subtree recursively).

The result looks like this:

Note that dc=example,dc=org itself is not deleted

Restore data

Note: ldapadd does not accept the operational attributes that slapcat writes, so delete these attributes from the backup file before restoring:

  1. creatorsName
  2. modifiersName
  3. modifyTimestamp
  4. createTimestamp
  5. entryUUID
  6. entryCSN
  7. structuralObjectClass

Then delete the record dn: dc=example,dc=org from the file, because that entry still exists on the server and ldapadd would stop with "Already exists". (Alternatively, slapadd -l mybackup.ldif, run inside the container while slapd is stopped, loads a slapcat dump unchanged, operational attributes included.)

Run ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f mybackup.ldif to import.

The result looks like this:

Use ldapsearch to verify that the entries are back.
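The following is an added example, not code from the original page. It covers two passages at once: the LDIF format described under Terminology (one "attribute: value" per line, "attribute:: base64" for values that are not safe as plain text such as userPassword, a leading space continuing the previous line, blank lines separating entries) and the restore step above, where the operational attributes slapcat emits have to be removed and the already-existing base entry dropped before ldapadd will take the file. SAMPLE_BACKUP is a constructed slapcat-style dump, not real data; the function names are this example's own.

```python
# Added example: parse LDIF and prepare a slapcat dump for ldapadd. Not from the page.
import base64
from typing import Dict, List, Tuple

# Operational attributes slapd generates; ldapadd rejects them from a client.
OPERATIONAL_ATTRS = {
    "creatorsname", "modifiersname", "createtimestamp", "modifytimestamp",
    "entryuuid", "entrycsn", "structuralobjectclass",
}

# An entry is its lines in order: (attribute name, raw value, value was base64).
Entry = List[Tuple[str, str, bool]]

# Constructed slapcat-style dump (not real data). Note the folded description
# line and the base64 ("::") userPassword, both of which slapcat really emits.
SAMPLE_BACKUP = """\
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
structuralObjectClass: organization
entryUUID: 00000000-0000-1000-8000-000000000001
creatorsName: cn=admin,dc=example,dc=org
createTimestamp: 20210101000000Z
entryCSN: 20210101000000.000000Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=org
modifyTimestamp: 20210101000000Z

dn: ou=firstunit,o=myorganization,dc=example,dc=org
objectClass: organizationalUnit
ou: firstunit
description: the first unit in th
 e organization
structuralObjectClass: organizationalUnit
entryUUID: 00000000-0000-1000-8000-000000000002

dn: uid=1,ou=firstunit,o=myorganization,dc=example,dc=org
objectClass: person
objectClass: uidObject
objectClass: simpleSecurityObject
cn: the first user
sn: su
uid: 1
userPassword:: MTIzNDU2
structuralObjectClass: person
"""

def _split_line(line: str) -> Tuple[str, str, bool]:
    """'attr: value' -> (attr, value, False); 'attr:: b64' -> (attr, b64, True)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, rest[1:].strip(), True
    return name, rest.strip(), False

def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into entries; a line starting with a space continues the previous one."""
    entries: List[Entry] = []
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#") or raw.startswith("version:"):
            continue                          # comments / version header
        if raw == "":                         # blank line ends an entry
            if lines:
                entries.append([_split_line(l) for l in lines])
                lines = []
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold the continuation line
        else:
            lines.append(raw)
    if lines:
        entries.append([_split_line(l) for l in lines])
    return entries

def to_dict(entry: Entry) -> Dict[str, List[str]]:
    """Attribute -> decoded values (base64 values decoded as UTF-8)."""
    out: Dict[str, List[str]] = {}
    for name, value, is_b64 in entry:
        out.setdefault(name, []).append(
            base64.b64decode(value).decode("utf-8") if is_b64 else value)
    return out

def _norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison key."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def strip_for_ldapadd(text: str, skip_dns=("dc=example,dc=org",)) -> str:
    """Drop operational attributes and the entries named in skip_dns; return LDIF."""
    skip = {_norm_dn(d) for d in skip_dns}
    blocks: List[str] = []
    for entry in parse_ldif(text):
        if _norm_dn(to_dict(entry)["dn"][0]) in skip:
            continue                          # base entry already exists on the server
        kept = [t for t in entry if t[0].lower() not in OPERATIONAL_ATTRS]
        blocks.append("\n".join(f"{n}:: {v}" if b else f"{n}: {v}" for n, v, b in kept))
    return "\n\n".join(blocks) + "\n"
```

strip_for_ldapadd(SAMPLE_BACKUP) yields a file that starts at the ou=firstunit entry, carries no entryUUID/entryCSN/structuralObjectClass/creatorsName lines, and keeps the userPassword value in its original base64 form, which ldapadd accepts unchanged.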

Clients

There are three common GUI clients for LDAP:

  1. JXplorer: jxplorer.org/
  2. Apache Directory Studio
  3. phpLDAPadmin

JXplorer has a Chinese interface and is simple and easy to use; Apache Directory Studio is more powerful. Start with JXplorer, then move to Apache Directory Studio when you need more.

Client libraries for programs

  • Java Reference: docs.spring. IO /spring-ldap…
  • PHP reference: github.com/Adldap2/Adl…
  • Go Reference: github.com/go-ldap/lda…
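All of the client libraries above take search filters and DNs as plain strings, so an application that looks up the uid= entries created earlier from a user-supplied login name has to escape that input before putting it into "(uid=…)": an unescaped "*" matches every user and ")(" lets the caller append conditions. The following is an added example, not code from the page or from any of those libraries; the function names and the base DN ou=firstunit,o=myorganization,dc=example,dc=org (chosen to match the entries created above) are this example's own assumptions. It applies the escaping rules of RFC 4515 (filter values) and RFC 4514 (DN values).

```python
# Added example: escaping user input for LDAP filters and DNs. Not from the page.

def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape NUL, ( ) * and backslash as \\XX in an assertion value."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4: escape an attribute value used inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)          # leading space/#, trailing space, specials
        else:
            out.append(ch)
    return "".join(out)

def user_filter(uid: str) -> str:
    """Filter that finds exactly the person entry whose uid equals the login name."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)

# Base DN assumed for this example; it matches the ou=firstunit entry created above.
BASE_DN = "ou=firstunit,o=myorganization,dc=example,dc=org"

def user_dn(uid: str, base: str = BASE_DN) -> str:
    """DN to bind as (or to add) for a given login name, with the RDN value escaped."""
    return "uid=%s,%s" % (escape_dn_value(uid), base)

if __name__ == "__main__":
    # A login name carrying filter syntax is neutralised instead of widening the search.
    print(user_filter("1)(uid=*"))
    print(user_dn("su, xiaolin"))
```

Pass the result of user_filter to the library's search call and the result of user_dn to its bind or add call; never interpolate the raw login name yourself.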

A couple of points to note

A user that needs a password (that is, one that can bind) must carry the auxiliary objectClass simpleSecurityObject, which requires the userPassword attribute, for example:

dn: cn=suxiaolin,dc=example,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: suxiaolin
userPassword: 123456

The value of userPassword is the password checked on a simple bind (login) as that DN. slapd stores the value exactly as given, so a cleartext value like the one above stays cleartext in the database and in every slapcat dump; generate a hashed value with slappasswd (for example slappasswd -h {SSHA} -s 123456) and put that in the LDIF instead.
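The following is an added example, not code from the original page. It builds the RFC 2307 {SSHA} form that slappasswd -h {SSHA} prints, using only the standard library, checks a candidate password against it the way a simple bind does, and rewrites the cleartext userPassword lines of an LDIF such as the ones on this page before they are imported. The function names are this example's own.

```python
# Added example: hashed userPassword values for OpenLDAP. Not from the page.
import base64
import hashlib
import hmac
import os
from typing import Optional

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password || salt) || salt), the slappasswd format."""
    if salt is None:
        salt = os.urandom(8)   # slappasswd also uses a random salt; length is free
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(stored: str, password: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value (what a bind does)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]       # SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def hash_cleartext_passwords(ldif_text: str) -> str:
    """Rewrite 'userPassword: <cleartext>' lines of an LDIF to {SSHA} values.

    Lines already carrying a scheme prefix such as {SSHA} or {CRYPT} are left
    alone; base64 ('userPassword::') lines are not handled by this helper.
    """
    out = []
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if name.lower() == "userpassword" and sep and not value.startswith(":"):
            pw = value.strip()
            if not pw.startswith("{"):
                line = "userPassword: " + make_ssha(pw)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Constructed entry from this page; the printed file is what you feed to ldapadd.
    entry = "dn: cn=suxiaolin,dc=example,dc=org\n" \
            "objectClass: organizationalRole\n" \
            "objectClass: simpleSecurityObject\n" \
            "cn: suxiaolin\n" \
            "userPassword: 123456\n"
    print(hash_cleartext_passwords(entry), end="")
```

A bind with the right password still succeeds against the hashed value, since slapd recognises the {SSHA} prefix and performs the same salted comparison; a dump of the database then exposes only the hash.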

Resources

  1. Explainshell.com/explain/1/l…
  2. Github.com/osixia/dock…
  3. Github.com/osixia/dock…