Introduction to LDAP
Directory services
A directory is a distributed database specialised for querying, browsing and searching. It organises data in a tree, much like file directories on Linux/Unix systems. Unlike a relational database, a directory has excellent read performance but poor write performance, and it lacks features such as transactions and rollback, so it is not suitable for data that changes frequently: directories are built for lookups. LDAP (Lightweight Directory Access Protocol) is the protocol used to access and manage such directory data.
Characteristics
- An LDAP directory is a tree, not a set of tables, so SQL statements cannot be used to query it
- LDAP returns query results quickly, but writes are much slower
- LDAP is a fast way to query data that rarely changes
- Client/server model: the server stores the data, the client provides the tools for manipulating the directory information tree
- These tools exchange directory contents as text in LDIF (LDAP Data Interchange Format)
- LDAP is an open Internet standard and a cross-platform Internet protocol
How LDAP organizes data
The following figure shows an LDAP directory tree:
In this tree, we need to understand the following concepts:
Entry
Each box in the figure is an entry. An entry has a set of attributes, each with one or more values, and may contain sub-entries.
Distinguished Name (DN)
Like an absolute path on Linux, the DN is the full path from the root of the directory tree and uniquely identifies an entry. In the figure, the DN of baby is:
cn=baby,ou=marketing,ou=people,dc=mydomain,dc=org
Relative Distinguished Name (RDN)
The RDN is the leftmost component of the DN, the part that distinguishes the entry from its siblings under the same parent.
For example, the RDN of baby is:
cn=baby
By convention, entries whose RDN uses dc=, ou=, c= or o= act as containers, that is, they can hold sub-entries.
Base DN
The root of the directory tree. In this figure the Base DN is:
dc=mydomain,dc=org
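The DN, RDN and Base DN relationships above, as a small parser. This is an added example, not code from the original post; the DN string is the one from the figure and the `ou=marketing` component is assumed to be spelled that way.

```python
import re


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost component (the RDN) first.
    Backslash-escaped commas are honoured; attribute names are lower-cased."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def rdn(dn):
    """The relative distinguished name: just the leftmost component."""
    return "=".join(parse_dn(dn)[0])


def parent_dn(dn):
    """The DN of the containing entry (empty string for a root entry)."""
    return ",".join("=".join(p) for p in parse_dn(dn)[1:])


def is_under(dn, base_dn):
    """True when dn is base_dn itself or lies beneath it in the tree.
    Values are compared case-insensitively, which is right for cn, ou and dc
    (their equality matching rule ignores case)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    DN = "cn=baby,ou=marketing,ou=people,dc=mydomain,dc=org"   # the DN from the figure
    print(rdn(DN), "|", parent_dn(DN), "|", is_under(DN, "dc=mydomain,dc=org"))
```

`is_under` is the check a search base performs: a query with `-b dc=mydomain,dc=org` can return baby, but one scoped to `dc=other,dc=org` cannot.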
Attributes
Each entry can have many attributes. A person, for example, has a name, an address, phone numbers and so on. Each attribute has a name and one or more values (several e-mail addresses, say).
Attributes cannot be defined arbitrarily; they must follow the rules laid down in the schema. For example, an entry that does not carry the inetOrgPerson objectClass cannot be given an employeeNumber attribute, because employeeNumber is defined by inetOrgPerson.
LDAP defines attributes for the objects commonly found in an organisation of people (for example commonName and surname). Some common attributes and their aliases:

attribute | alias | syntax | description | value (example)
---|---|---|---|---
commonName | cn | Directory String | name | sean
surname | sn | Directory String | surname | Chow
organizationalUnitName | ou | Directory String | name of the organizational unit (department) | IT_SECTION
organization | o | Directory String | name of the organization (company) | example
telephoneNumber | | Telephone Number | phone number | 110
objectClass | | | built-in attribute listing the entry's object classes | organizationalPerson
Object classes
An object class is a collection of attributes. LDAP models the objects commonly found in human organisations and packages each as an object class. For example, person contains the surname (sn), common name (cn), telephoneNumber, userPassword and other attributes. organizationalPerson is a subclass of person: in addition to the attributes above it adds title, postalCode, postalAddress and others.
An object class also says which of its attributes are:
- Must/Required: basic attributes that every entry of the class has to carry
- May/Optional: extended attributes the entry may carry
There are three kinds of object class: structural, abstract and auxiliary. A structural class defines the basic attributes of an entity; every entry has exactly one structural object class (together with that class's superclasses). An abstract class is a superclass for structural or other abstract classes; it gathers the attributes they share and serves as a template, and an entry cannot be created from an abstract class directly. An auxiliary class adds extended attributes to an entry and is combined with the entry's structural class.
As in object-oriented programming, LDAP object classes support inheritance, as the class hierarchy below shows:
Schema
ObjectClass, AttributeType and Syntax definitions specify entries, attributes and values respectively; the figure below shows how they relate. Together they make up a schema, the collection of object class (and attribute type) definitions the server enforces.
LDIF files
An LDIF (LDAP Data Interchange Format) file stores directory data as plain text. It is used to exchange data between servers and to add or modify entries; the analogy is an SQL script for a relational database.
The LDIF record format is:
dn: <distinguished name>
<attribute 1>: <value 1>
<attribute 2>: <value 2>
...
Records are separated by blank lines, lines starting with # are comments, and a value introduced with :: is base64-encoded.
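The schema rules from the Object classes section and the LDIF format just described, combined in one added example (not code from the original post). It parses LDIF records and checks each entry against a hand-written, abridged subset of the standard schema (the `SCHEMA` table is an assumption for illustration; a real server loads the full definitions from its schema files). The sample LDIF is constructed: it shows that a testuser entry written with organizationalRole is rejected because that class allows neither uid nor mail, while the same user as inetOrgPerson passes.

```python
import base64

# Abridged subset of the standard schema (RFC 4519 / RFC 2798) for the object classes this
# page names: (kind, superclass, MUST attributes, MAY attributes). Attribute lists are cut down.
SCHEMA = {
    "top": ("abstract", None, {"objectClass"}, set()),
    "person": ("structural", "top", {"sn", "cn"}, {"userPassword", "telephoneNumber", "description"}),
    "organizationalPerson": ("structural", "person", set(), {"title", "postalAddress", "postalCode"}),
    "inetOrgPerson": ("structural", "organizationalPerson", set(), {"uid", "mail", "employeeNumber"}),
    "organizationalRole": ("structural", "top", {"cn"}, {"description", "telephoneNumber", "roleOccupant"}),
}
_CLASS = {name.lower(): name for name in SCHEMA}  # object class names are case-insensitive


def parse_ldif(text):
    """LDIF content records -> [{'dn': ..., 'attrs': {name: [values]}}].
    Handles '#' comments, folded lines (leading space) and base64 values ('::')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" "):                  # continuation of the previous line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    records, entry = [], None
    for line in lines + [""]:                    # trailing "" flushes the last record
        if line == "":
            if entry is not None:
                records.append(entry)
            entry = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if name.lower() == "dn":
            entry = {"dn": value, "attrs": {}}
        else:
            entry["attrs"].setdefault(name.lower(), []).append(value)
    return records


def _chain(cls):
    """cls and all its superclasses up to top, canonical names (KeyError if unknown)."""
    out = []
    while cls is not None:
        cls = _CLASS[cls.lower()]
        out.append(cls)
        cls = SCHEMA[cls][1]
    return out


def validate(entry):
    """Return the violations slapd would reject this entry for (empty list means OK)."""
    errors, structs, must, may = [], [], set(), set()
    for cls in entry["attrs"].get("objectclass", []):
        try:
            chain = _chain(cls)
        except KeyError:
            errors.append(f"unknown objectClass {cls!r}")
            continue
        must |= {a.lower() for c in chain for a in SCHEMA[c][2]}
        may |= {a.lower() for c in chain for a in SCHEMA[c][3]}
        if SCHEMA[chain[0]][0] == "structural":
            structs.append(chain[0])
    # exactly one structural chain is allowed (a class plus its own superclasses counts as one)
    leaves = [s for s in structs if not any(s != t and s in _chain(t) for t in structs)]
    if len(leaves) != 1:
        errors.append(f"entry needs exactly one structural objectClass chain, found {leaves}")
    present = set(entry["attrs"])
    errors += [f"missing required attribute {a!r}" for a in sorted(must - present)]
    errors += [f"attribute {a!r} not allowed by the entry's object classes" for a in sorted(present - must - may)]
    attr, _, value = entry["dn"].split(",", 1)[0].partition("=")   # the RDN (naive split, no escapes)
    if value not in entry["attrs"].get(attr.strip().lower(), []):
        errors.append(f"RDN {attr}={value} is not an attribute value of the entry")
    return errors


# Constructed sample, not captured from any server: the page's testuser entry written with
# organizationalRole, and a corrected inetOrgPerson version (the mail address is made up).
SAMPLE_LDIF = """\
dn: cn=testuser,dc=my-domain,dc=com
objectClass: organizationalRole
cn: testuser
uid: testuser
mail: testuser@my-domain.com

dn: uid=testuser,ou=people,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: testuser
sn: User
uid: testuser
mail: testuser@my-domain.com
description:: SnVzdCBBIFRlc3QgVXNlcg==
"""


def check_sample():
    """{dn: [violations]} for every record in SAMPLE_LDIF."""
    return {e["dn"]: validate(e) for e in parse_ldif(SAMPLE_LDIF)}
```

Running `check_sample()` reports two "not allowed" violations for the organizationalRole entry and none for the inetOrgPerson one; slapd performs the same checks and answers an offending ldapadd with an object class violation.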
Installation
yum install -y openldap openldap-servers openldap-clients
systemctl start slapd
# check that slapd is listening on 389
netstat -antup | grep -i 389
Configuration
Run slappasswd to generate the hashed administrator password:
[root@localhost openldap-2.4.46]# slappasswd
New password:
Re-enter new password:
{SSHA}V66P95ZEFTur6OZYQf10L4h8hlTeUakC
First create a file modify.ldif with the following content (replace the {SSHA} value with the one slappasswd printed for you):
# administrator password
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}V66P95ZEFTur6OZYQf10L4h8hlTeUakC

# directory suffix (normally the Base DN)
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=my-domain,dc=com

# administrator DN
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=my-domain,dc=com

# monitor database: readable only by local root over ldapi:/// and by the administrator
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=my-domain,dc=com" read by * none
Apply it to the running server's configuration over the local ldapi:/// socket, where root is authenticated by SASL EXTERNAL:
ldapadd -Y EXTERNAL -H ldapi:/// -f modify.ldif
Adding entries
Create base.ldif with the following entries. The user entry uses inetOrgPerson, which needs the cosine and inetorgperson schemas loaded first (ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif, then the same for inetorgperson.ldif); organizationalRole only permits cn, description and a few address attributes, so it cannot carry uid or mail.
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: top
objectClass: domain

dn: cn=admin,dc=my-domain,dc=com
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: cn=testuser,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: testuser
sn: testuser
uid: testuser
mail: [email protected]
description: Just A Test User
Insert the data with a simple bind as the administrator (-D is the bind DN, -W prompts for the password set above):
ldapadd -x -W -D "cn=admin,dc=my-domain,dc=com" -f base.ldif
# verify that the entries are there
ldapsearch -x -b "dc=my-domain,dc=com" '(objectClass=*)'
Adding a user
Note: the test server's address is 10.10.101.29, the port is 389 (the default) and the Base DN is dc=my-domain,dc=com. Plain port 389 carries simple binds, and therefore passwords, in cleartext; for anything beyond a lab, enable StartTLS or ldaps (636) before pointing other applications at the server.
Managing entries from the command line is tedious; a GUI such as LDAP Admin can be used for visual management.
The added user looks like this (note the userPassword attribute, whose value can be generated with the slappasswd command shown earlier):
Integrating LDAP with other tools
Redmine
Under Administration > LDAP authentication, add an authentication mode with the following settings:
Then click Administration > Users to create a user; the new user can be added from LDAP:
You can then log in with the uid and userPassword set in LDAP.
Jenkins
Under Manage Jenkins > Configure Global Security, choose LDAP as the security realm and enter the following information (click Advanced Server Configuration to set the root DN, i.e. the Base DN):
Use Test LDAP Settings below the form to check the connection: