Catch the Phillies Phever World Series 2008 Unique Collectibles and T's

Archive for the 'LDAP' Category

inetOrgPerson

Monday, January 14th, 2008

The InetOrgPerson object is used in several non-Microsoft LDAP and X.500 directory services to represent people within an organization.

The object class definition is considered an extension to LDAPv3 and, as such, is not included in the RFC 3377 LDAPv3 specifications.

Microsoft released the Windows 2000 inetOrgPerson Kit. The kit, which is freely available, derives inetOrgPerson from the user class within Active Directory’s schema.

Windows Server 2003 Active Directory schema includes the full definition and provides complete manageability of RFC 2798 and the inetOrgPerson LDAP Object Class.

ONE VERY IMPORTANT ITEM

you will need the :
.Net Universal LDAP Connector Documentation
http://www.novell.com/coolsolutions/tools/14274.html

to connect any .Net programming to a remote NDS eDirectory

Posted in LDAP | No Comments »

LDAP Authentication

Sunday, January 13th, 2008

To access the properties and methods of an object, you need to bind to it.
This creates a reference to the object.
ldapsearch -D “uid=jaaron, ou=People, o=MySite.com” -w “Irrefutable” -b “” -s base “objectclass=*” dn

and then the object should bind and authenticate

[LDAP article binding to Active Directory] [ LDAP binding to Novell LDAP Server]

Depending on your ACL privileges, you will be able to access “downtree”

Access control lists

Access control lists (ACLs) provide a means to protect information stored in a LDAP directory. Administrators use ACLs to restrict access to different portions of the directory, or specific directory entries. Changes to each entry and attribute in the directory can be controlled by using ACLs. An ACL for a given entry or attribute can be inherited from its parent entry or can be explicitly defined.

It is best to design your access control strategy by creating groups of users that you will use when setting the access for objects and attributes. Set ownership and access at the highest level in the tree possible and let the controls inherit down the tree.

heres an interesting project for Single Sign On

LDIF reference here

Posted in LDAP | No Comments »

LDAP URLs

Tuesday, January 8th, 2008

I use LDAP Browser Editor for all my LDAP exploration

LDAP book reference
An LDAP URL format exists which clients support in varying degree, and which servers return in referrals and continuation references (see RFC 4516):

ldap://host:port/DN?attributes?scope?filter?extensions

Most of the components, which are described below, are optional.

  • host is the DNS or IP address of the LDAP server to search.
  • port is the network port of the LDAP server.
  • DN is the distinguished name to use as the search base.
  • attributes is a comma-separated list of attributes to retrieve.
  • scope specifies the search scope and can be “base” (the default), “one” or “sub”.
  • filter is a search filter, e.g. (objectClass=*) (see RFC 4515).
  • extensions are extensions to the LDAP URL format.

For example, “ldap://ldap.example.com/cn=John%20Doe,dc=example,dc=com” refers to all user attributes in John Doe’s entry in ldap.example.com, while “ldap:///dc=example,dc=com??sub?(givenName=John)” searches for the entry in the default server. As in other URLs, special characters must be percent-encoded.

There is a similar non-standard “ldaps:” URL scheme for LDAP over SSL.

heres a schema study as viewed in the ScopePane:

ou= MYGROUP ( remember ou is Organization Unit )
|—- cn=jaaronUniqueIdentifier (remember cn is Common Name)
|—- mail=myemailaddress @ mydomain.com
*** the schema consists of jagged data parameters for this objectClass

Posted in LDAP | No Comments »

Security and access control

Monday, January 7th, 2008

LDAP provides for a complex level of access control instances, or ACIs. Because the access can be controlled on the server side, it’s much more secure than security methods that work by securing data through client software.

With LDAP ACIs, you can do things like:

  • Grant users the ability to change their home phone number and home address, while restricting them to read-only access for other data types (such as job title or manager’s login).
  • Grant anyone in the group “HR-admins” the ability to modify any user’s information for the following fields: manager, job title, employee ID number, department name, and department number. There would be no write permission to other fields.
  • Deny read access to anyone attempting to query LDAP for a user’s password, while still allowing a user to change his or her own password.
  • Grant managers read-only permission for the home phone numbers of their direct reports, while denying this privilege to anyone else.
  • Grant anyone in the group “host-admins” to create, delete, and edit all aspects of host information stored in LDAP.
  • Via a Web page, allow people in “foobar-sales” to selectively grant or deny themselves read access to subsets of the customer contact database. This would, in turn, allow these individuals to download the customer contact information to their local laptops or to a PDA. (This will be most useful if your sales force automation tool is LDAP-aware.)
  • Via a Web page, allow any group owner to add or remove any entries from groups they own. For example, this would allow sales managers to grant or remove access for salespeople to modify Web pages. This would allow owners of mail aliases to add and remove users without having to contact IT. Mailing lists designated as “public” could allow users to add or remove themselves (but only themselves) to or from those mail aliases. Restrictions can also be based on IP address or hostname. For example, fields can be made readable only if the user’s IP address begins with 192.168.200.*, or if the user’s reverse DNS hostname maps to *.foobar.com.

Posted in LDAP | No Comments »

LDAP Structures

Monday, January 7th, 2008

Because your LDAP directory can be customized to store any type of text or binary data, what you store is really up to you. LDAP directories use the concept of object classes to define which attributes are allowed for objects of any given type. In almost every LDAP implementation, you’ll want to extend the basic functionality of your LDAP directory to meet your specific needs, either by creating new object classes or by extending existing ones.LDAP directories store all information for a given record’s entries as a series of attribute pairs, each one consisting of an attribute type and an attribute value. (This is completely different from the way relational database servers store data, in columns and rows.) Consider this portion of my student record, as stored in an LDAP directory:

dn: cn=My University, ou=student, dc=MyWebsite, dc=com
cn: My University Student Info
studentMajor: art
studentClass: 1 nude drawing class
studentClass: 1 paper-sculpture class
studentClass: 1 painting class

Note that in this case, each studentClass is listed as a value of attribute type studentMajor. LDAP directories are designed to store multiple values of a single type in this fashion, rather than storing the entire list in a single database field with some sort of delimiter to distinguish the individual values.Because the data is stored in this way, the shape of the database can be completely fluid - you don’t need to recreate a database table (and all its indexes) to start tracking a new piece of data. Even more important, LDAP directories use no memory or storage to handle “empty” fields - in fact, having unused optional fields costs you nothing at all. These data records can be “jagged” and do not have to remain “boxed”…

Secure SASL next

Here’s how to modify LDIF directories

Posted in LDAP | No Comments »

Record Construct

Monday, January 7th, 2008

What’s in a name? The DN of an LDAP entry
All entries stored in an LDAP directory have a unique “Distinguished Name,” or DN. The DN for each LDAP entry is composed of two parts: the Relative Distinguished Name (RDN) and the location within the LDAP directory where the record resides.

The RDN is the portion of your DN that is not related to the directory tree structure. Most items that you’ll store in an LDAP directory will have a name, and the name is frequently stored in the cn (Common Name) attribute. Since nearly everything has a name, most objects you’ll store in LDAP will use their cn value as the basis for their RDN. If I’m storing a record for my favorite oatmeal recipe, I’ll be using cn=Oatmeal Deluxe as the RDN of my entry.

  • My directory’s base DN is dc=foobar,dc=com
  • I’m storing all the LDAP records for my recipes in ou=recipes
  • The RDN of my LDAP record is cn=Oatmeal Deluxe

Given all this, what’s the full DN of the LDAP record for this oatmeal recipe? Remember, it reads backwards - just like a host name in DNS.cn=Oatmeal Deluxe,ou=recipes,dc=foobar,dc=com

People are always more trouble than inanimate objects
Now it’s time to tackle the DN of a company employee. For user accounts, you’ll typically see a DN based either on the cn or on the uid (User ID). For example, the DN for FooBar’s employee Fran Smith (login name: fsmith) might look like either of these two formats:

uid=janderson,ou=employees,dc=foobar,dc=com
(login-based)
LDAP (and X.500) use uid to mean “User ID”, not to be confused with the UNIX uid number. Most companies try to give everyone a unique login name, so this approach makes good sense for storing information about employees. You don’t have to worry about what you’ll do when you hire the next JAaron Anderson, and if JAaron changes My name (or like women in marriage? divorce? religious experience?), you won’t have to change the DN of the LDAP entry.

cn=JAaron Anderson,ou=employees,dc=foobar,dc=com
(name-based)
Here we see the Common Name (CN) entry used. In the case of an LDAP record for a person, think of the common name as their full name. One can easily see the downside to this approach: if the name changes, the LDAP record has to “move” from one DN to another. As indicated above, you want to avoid changing the DN of an entry whenever possible. So design carefully…

Posted in LDAP | No Comments »

OU

Monday, January 7th, 2008

ou in LDAP stands for Organizational Unit

Posted in LDAP | No Comments »

LDAP

Monday, January 7th, 2008

LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server.

LDAP defines how clients should access data on the server, not how that data is stored on the server. This allows LDAP to become a frontend to any type of data store.

LDAP is used to look up encryption certificates, pointers to printers and other services on a network, and provide “single signon” where one password for a user is shared between many services. LDAP is appropriate for any kind of directory-like information, where fast lookups and less-frequent updates are the norm.

single sign on valves are pg 142
I see you can enable a valve on a host but what about multiple Tomcat instances on mutiple Server ‘hostS’ ??? Can this be done with having the same web application path stored in the same identified Realm on each Server ?

As a protocol, LDAP does not define how programs work on either the client or server side. It defines the “language” used for client programs to talk to servers (and servers to servers, too). On the client side, a client may be an email program, a printer browser, or an address book. The server may speak only LDAP, or have other methods of sending and receiving data—LDAP may just be an add-on method.

Most LDAP clients can only read from a server. Search abilities of clients (as seen in email programs) vary widely. A few can write or update information, but LDAP does not include security or encryption, so updates usually requre additional protection such as an encrypted SSL connection to the LDAP server.

LDAP also defines: Permissions, set by the administrator to allow only certain people to access the LDAP database, and optionally keep certain data private. Schema: a way to describe the format and attributes of data in the server. For example: a schema entered in an LDAP server might define a “groovyPerson” entry type, which has attributes of “instantMessageAddress”, and “coffeeRoastPreference”. The normal attributes of name, email address, etc., would be inherited from one of the standard schemas, which are rooted in X.500 (see below).

LDAP was designed at the University of Michigan to adapt a complex enterprise directory system (called X.500) to the modern Internet. X.500 is too complex to support on desktops and over the Internet, so LDAP was created to provide this service “for the rest of us.”

LDAP servers exist at three levels: There are big public servers, large organizational servers at universities and corporations, and smaller LDAP servers for workgroups. Most public servers from around year 2000 have disappeared, although directory.verisign.com exists for looking up X.509 certificates. The idea of publicly listing your email address for the world to see, of course, has been crushed by spam.

While LDAP didn’t bring us the worldwide email address book, it continues to be a popular standard for communicating record-based, directory-like data between programs.

Novell LDAP Classes Developer Link here

Posted in LDAP | No Comments »