OpenLDAP is commonly used as the account system of an enterprise. Compared with storing accounts in a relational database such as MySQL, OpenLDAP has lower development and maintenance costs, which is why it is the most suitable choice for an enterprise account system.
You can get started with an OpenLDAP account system quickly by following the steps below.
Terminology
LDAP uses a number of abbreviations. The common ones are listed below:
- dn: distinguished name, comparable to the primary key ID in MySQL
- cn: common name, the user's full name
- sn: surname, the user's last name
- givenName: the user's given name (excluding the last name)
- dc: domain component, the domain the entry belongs to; a user can sit under several DCs
- uid: the name used for login
- c: country; for example, CN is China
- ou: organizational unit, the organization the entry belongs to
LDIF: the data description format of OpenLDAP. Like the /etc/passwd file on Linux, it describes the data it contains in a fixed format, for example:
dn: uid=1,ou=firstunit,o=myorganization,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: uidObject
objectClass: simpleSecurityObject
userPassword: 123456
cn: the first user
sn: su
uid: 1
telephoneNumber: 13288888888
Note: many objectClasses provide additional attributes, such as the telephoneNumber attribute provided by the person objectClass.
objectClass list reference: www.zytrax.com/books/ldap/… A new objectClass can be created by defining a schema: www.openldap.org/doc/admin24…
Set up the OpenLDAP server
You can start an OpenLDAP server with a single command using the Docker image at github.com/osixia/dock… Write docker-compose.yml as follows:
version: '3'
services:
  ldap:
    image: osixia/openldap:1.2.4
    environment:
      - TZ=PRC
    ports:
      - 389:389
      - 636:636
  admin:
    image: osixia/phpldapadmin:0.8.0
    volumes:
      - ./data/admin/config:/container/service/phpldapadmin/assets/config
    ports:
      - 6443:443
    links:
      - ldap
Then start
docker-compose up -d
Use the docker-compose ps command to view the startup effect
The administrator DN is cn=admin,dc=example,dc=org with the password admin; the default base DN is dc=example,dc=org.
Organizational structure
The user system generally mirrors the organizational structure of the company. Two structures are commonly used:
- Internet-style naming: the root node is the country, the domain name sits under the country, the organization or organizational unit sits under the domain name, and the users sit below that
- Enterprise-style naming: the root node is the domain name, the departments sit under the domain name, and the users sit under their departments
Here is an example of an enterprise-style organizational structure:
Command line operation
Create the data
Create an LDIF file, for example myo.ldif:
dn: o=myorganization,dc=example,dc=org
objectClass: top
objectClass: organization
o: myorganization
description: myorganization

dn: ou=firstunit,o=myorganization,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
# the RDN attribute must be present in the entry, otherwise slapd rejects it with a naming violation
ou: firstunit
description: the first unit in the organization

dn: uid=1,ou=firstunit,o=myorganization,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: uidObject
objectClass: simpleSecurityObject
userPassword: 123456
cn: the first user
sn: su
uid: 1
Then import it to the LDAP server
docker-compose exec ldap bash
ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f myo.ldif
The result looks like this:
Search data
You can use the ldapsearch command to find data, such as all data under the domain dc=example,dc=org
ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
The result looks like this:
You can see that the query executed successfully
The backup data
Back up the data with slapcat -v -l mybackup.ldif (run it inside the ldap container, because slapcat reads the database files directly rather than talking to the server over the network). The result looks like this:
Empty data
You can use ldapdelete -x -D "cn=admin,dc=example,dc=org" -w admin -r "dc=example,dc=org" to clear all OpenLDAP data under dc=example,dc=org.
The result looks like this:
Note that dc=example,dc=org is not deleted
Restore data
Note: you need to remove the following operational attributes from the backup file before restoring it:
- creatorsName
- modifiersName
- modifyTimestamp
- createTimestamp
- entryUUID
- entryCSN
- structuralObjectClass
Then also remove the entry dn: dc=example,dc=org from the file, since it still exists on the server.
Run ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f mybackup.ldif to import it.
The result looks like this:
Use the ldapsearch command to verify
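Cleaning the slapcat dump by hand is error-prone, so here is an added example (not from the original post) that does the two steps above: it strips the operational attributes listed and drops the base entry, while honouring LDIF line folding (a leading space continues the previous line), which slapcat uses for long values. The dump below is constructed for the example; base64-encoded DNs (dn::) are not handled.

```python
OPERATIONAL_ATTRS = {
    "creatorsname", "modifiersname", "modifytimestamp", "createtimestamp",
    "entryuuid", "entrycsn", "structuralobjectclass",
}

# Constructed slapcat-style dump (not a real export); the second dn is folded.
SAMPLE_BACKUP = """\
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
structuralObjectClass: organization
creatorsName: cn=admin,dc=example,dc=org

dn: uid=1,ou=firstunit,o=myorganization,
 dc=example,dc=org
objectClass: person
objectClass: uidObject
objectClass: simpleSecurityObject
cn: the first user
sn: su
uid: 1
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
structuralObjectClass: person
entryCSN: 20190101000000.000000Z#000000#000#000000
"""


def entries(text):
    """Yield entries as lists of unfolded lines (a leading space continues a line)."""
    entry = []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and entry:
            entry[-1] += line[1:]
        elif line.strip() and not line.startswith("#"):
            entry.append(line)
        elif not line.strip() and entry:
            yield entry
            entry = []


def clean_backup_ldif(text, base_dn):
    """Drop the base entry and strip operational attributes from the others."""
    def norm(dn):
        return dn.replace(" ", "").lower()
    kept = []
    for entry in entries(text):
        dn = next((ln[3:].strip() for ln in entry if ln.lower().startswith("dn:")), "")
        if norm(dn) == norm(base_dn):
            continue  # the base entry still exists on the server after ldapdelete -r
        kept.append("\n".join(ln for ln in entry
                              if ln.split(":", 1)[0].lower() not in OPERATIONAL_ATTRS))
    return "\n\n".join(kept) + "\n"
```

Write the return value of clean_backup_ldif to a new file and pass that file to ldapadd instead of the raw dump.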
The client
There are currently three LDAP clients to choose from:
- jxplorer: jxplorer.org/
- Apache Directory Studio
- phpLDAPadmin
Jxplorer has a Chinese interface and is simple and easy to use; Apache Directory Studio is more powerful. It is recommended to start with Jxplorer and move to Apache Directory Studio later.
Program client
- Java Reference: docs.spring. IO /spring-ldap…
- PHP reference: github.com/Adldap2/Adl…
- Go Reference: github.com/go-ldap/lda…
A couple of points to note
Give users that have a password the objectClass simpleSecurityObject, for example:
dn: cn=suxiaolin,dc=example,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: suxiaolin
userPassword: 123456
The value of the userPassword attribute is the user's password.
Resources
- explainshell.com/explain/1/l…
- github.com/osixia/dock…
- github.com/osixia/dock…