
LDAP

General introduction

Date: 03 23, 2010
Version: 1.0
Status: Completed
Author: Trương Thị Mai
Reviewed by: [Name, Position]
Approved by: [Name, Position]

Revision history

Date        Version   Description            Author
03 23 2010  1.0       Introduction to LDAP   Trương Thị Mai

Table of contents

1 Introduction
1.1 Purpose
1.2 Scope
1.3 Definitions of abbreviations
1.4 References
1.5 Overview

2 General introduction to LDAP
2.1 Basic introduction
2.1.1 LDAP - Lightweight Directory Access Protocol
2.1.2 How LDAP operates
2.1.3 Structure of an LDIF file
2.2 LDAP models
2.2.1 LDAP information model
2.2.2 LDAP naming model
2.2.3 LDAP functional model
  1. Interrogation operations (LDAP Interrogation)
  2. Update operations
  3. Authentication and control operations
  4. Extended operations
2.2.4 LDAP security model
2.3 Authentication in LDAP
2.4 Some services that use the LDAP protocol

3 OpenDS installation guide

4 Application to the IT faculty
4.1 Building the initial database
4.2 Diagram
4.3 LDIF file content

5 LDAP server installation guide

1 Introduction

1.1 Purpose

A general introduction to LDAP technology as used for centralized authentication, to its working model, and to building a model suited to the Faculty of Information Technology (CNTT).

1.2 Scope

Applied to the model of the Faculty of Information Technology at Nong Lam University.


1.3 Definitions of abbreviations

No.  Name  Description
1    LDAP  Lightweight Directory Access Protocol: a protocol for fast access to directory services.
2    LDIF  LDAP Data Interchange Format: defines a text-based format for exchanging data that describes directory information. LDIF can also describe a set of directory entries, or updates that can be applied to the directory.
3    RDN   Relative Distinguished Name: the component of a DN that makes the object unique within its context.
4    DIT   Directory Information Tree.
5    OID   Object Identifier: a globally unique number that identifies an object.
6    SSL   Secure Sockets Layer: a protocol commonly used to secure a transmission over the Internet.
7    TLS   Transport Layer Security: a protocol that ensures privacy between communicating applications and their users on the Internet.
8    SASL  Simple Authentication and Security Layer.

1.4 References

Lightweight Directory Access Protocol - Wikipedia, the free encyclopedia.htm
Understanding LDAP design and Implementation, IBM redbooks (sg244986.pdf).
http://www.ust.hk/itsc/ldap/understand.html

1.5 Overview

2 General introduction to LDAP

2.1 Basic introduction

When building large systems today, the crucial question is how to integrate data so that it can be shared between different systems. Among these, integrating user accounts is the most pressing need.

Imagine a system with about 5 or 6 different modules, each designed on a different platform (one uses Oracle + AS Portal, another DB2 with WebSphere, another MySQL with phpnuke, one runs on Windows, another on Linux), so each has its own user base. For every module a user would then need a different user name and password, which is unacceptable. Users would soon come to hate such a system.

How can users be integrated across these systems? The answer is LDAP. So what is LDAP?

2.1.1 LDAP - Lightweight Directory Access Protocol

Definition of LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol for fast access to directory services; it is an open standard for the directory access protocol.

LDAP was created specifically for "read" operations. Consequently, authenticating a user by means of an LDAP "lookup" is fast, efficient, light on resources and simpler than querying a user account in a relational database.

LDAP uses a client/server protocol to access the directory service.

LDAP runs over TCP/IP or other connection-oriented transport services.

LDAP servers include OpenLDAP, OpenDS, Active Directory and others.

Explanation of the phrase "Lightweight Directory Access Protocol"

1. Lightweight

Why is LDAP considered lightweight, and lightweight compared with what? To answer these questions you need to look at the origin of LDAP.

LDAP is essentially a piece of the X.500 directory service. It was originally designed as a lightweight protocol, used as a gateway that answers requests on behalf of an X.500 server.

X.500 is known as a heavyweight: it is a whole set of standards. It requires the client and server to communicate using the OSI model. The seven-layer OSI model is a reasonable reference model for designing network protocols, but compared with the TCP/IP standard it no longer makes practical sense.

LDAP is considered lightweight because it uses packets with low overhead, sitting directly on the TCP layer (port 389 by default) of the TCP/IP protocol suite. X.500, by contrast, is an application-layer protocol that carries much more, for example the network headers wrapped around the packets at every layer before they are sent onto the network.

Figure 1. X.500 over the OSI model; LDAP over TCP/IP

In short, LDAP is considered lightweight because it drops many of the rarely used operations of X.500.

2. Directory

A directory service must not be confused with a database. A directory is designed to be read far more often than it is written to, whereas a database is suited to frequent, repeated reads and writes alike.

LDAP is only a protocol: it is a set of rules for handling certain kinds of data. A protocol cannot know where the data is stored. LDAP does not provide transaction processing or the other features of a database.

The client never sees, or knows, that there is a backend storage engine. For this reason an LDAP client always talks to the LDAP server according to the following standard model:

Figure 2. The relationship between the LDAP client, the LDAP server and the data store

3. Access Protocol

LDAP is an access protocol. It defines a tree-shaped model of the data, and this tree model is what you refer to when you access an LDAP server.

With a client/server access protocol, a client can issue a series of requests, and the replies to those requests can come back in a different order.

2.1.2 How LDAP operates

LDAP uses a client/server communication protocol

A client/server communication protocol is a model in which a client program running on one computer sends a request over the network to another computer that is running a server program.

The server program receives the request, carries it out and then returns the result to the client program.

The basic idea of the client/server protocol is that work is assigned to the computers that have been optimized to perform it.

An LDAP server machine needs a lot of RAM to hold the directory contents so that operations execute quickly, and it also needs fast disks and fast processors.

A typical LDAP client/server exchange proceeds as follows:

Figure 3. Connection model between client and server

The client opens a TCP connection to the LDAP server and performs a bind operation. The bind operation carries the name of a directory entry and the credentials to be used for authentication; the credentials are normally a password but can also be a user ID.

Once the directory has identified the client from the bind operation, the result of the bind is returned to the client. The client then issues search requests.

The server processes them and returns the results to the client.

The server sends a message that ends the search.

The client issues an unbind request.

The server closes the connection.

LDAP is a message-oriented protocol

Because the client and server communicate through messages, the client builds a message (an LDAP message) containing the request and sends it to the server. The server receives the message, processes the client's request and sends the reply back to the client as another LDAP message.

Figure 4. A basic search operation

If the client searches the directory and many results are found, those results are sent to the client in multiple messages.

Figure 5. Messages sent by the client to the server

Because LDAP is message-oriented, the client may issue several request messages at the same time. In LDAP, the message ID distinguishes the client's requests and the corresponding results returned by the server.

Figure 6. Multiple search results being returned

Allowing several messages to be processed concurrently makes LDAP more flexible than other protocols.

In HTTP, for instance, each client request must be answered before the next one is sent; an HTTP client program such as a web browser that wants to download many files at once has to open a separate connection for each file. LDAP works quite differently, handling all operations over one connection.

2.1.3 Structure of an LDIF file

The LDIF concept

LDIF (LDAP Data Interchange Format), defined in RFC 2849, is a standard text file format for storing LDAP configuration information and directory contents.

LDIF files are usually used to import new data into your directory or to modify existing data. The data in an LDIF file must follow the rules in the schema of the LDAP directory.

The schema is a kind of data defined in advance in your directory. Every element added to or changed in your directory is checked against the schema to ensure correctness. A schema violation error appears if the data does not conform to the existing rules.

This is also the way to import large amounts of data into LDAP. If the data is kept in Excel, with tens of thousands of records, write a tool that converts it into this format and then import it into the LDAP server.

Structure of an LDIF file

An LDIF file normally follows this layout:

- Different entries are separated by a blank line.
- attribute name: value
- A set of syntax rules that govern how the information is processed.

Requirements when writing the content of an LDIF file:

- Comments in an LDIF file are written after a # on a line.
- The attribute is listed on the left of the colon (:) and the value is shown on the right. The separator is set off from the value by a space.
- The dn attribute uniquely defines the DN that identifies the entry.

Below is an example of the structure of an LDIF file:

dn: dc=hcmuaf,dc=edu,dc=vn
objectClass: domain
objectClass: top
dc: hcmuaf
entryUUID: a1255ce5-2710-388c-95a6-3c030a59a8d3

Root node: dc=hcmuaf,dc=edu,dc=vn

dn: o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: top
objectClass: organization
description: information technology
o: it
entryUUID: fbcb85d5-e17c-494e-a36d-5932fb503125
createTimestamp: 20100326000527Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

Child node: o=it,[root node]

dn: uid=mai,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: mai
uid: mai
cn: mai
telephoneNumber: 0633649470
sn: mai
userPassword: {SSHA}EI41fLuan5bQ1FQA0u8Nvg4/hqRF+i51yrAnNA==
mail: mai
facsimileTelephoneNumber: 123i
entryUUID: b9cb6886-263d-4a0c-bd1f-e315dde47b30
createTimestamp: 20100326000919Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
pwdChangedTime: 20100326000919.471Z

Leaf node: uid=mai,[parent path] or cn=mai,[parent path]

Note: for attribute names followed by ::, the value is encoded in BASE64 with the UTF-8 charset. If Vietnamese text is typed directly, the LDAP server will not understand it on import, so such values must be BASE64-encoded.

Example: cn: Phạm Thái Thùy becomes cn:: VHLhuqduIFRow6FpIExvbmc= (the :: indicates that this field uses base64).
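As an added example (not part of the original document), the following Python parser applies the LDIF rules just described: entries separated by blank lines, # comments, one attribute per line, a required dn line, RFC 2849 line folding, and decoding of :: values from base64 UTF-8. The sample input and the entry names in it are constructed; the cn value is a base64-encoded Vietnamese name that a plain "cn:" line could not carry.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample LDIF (not exported from the document's server): two entries
# separated by a blank line, a comment, a multi-valued attribute, a folded line,
# and a "::" value carrying a base64-encoded UTF-8 Vietnamese name.
SAMPLE_LDIF = """\
# constructed example
dn: o=it,dc=example,dc=vn
objectClass: top
objectClass: organization
o: it
description: faculty of informa
 tion technology

dn: uid=long,o=it,dc=example,dc=vn
objectClass: inetOrgPerson
uid: long
cn:: VHLhuqduIFRow6FpIExvbmc=
mail: long@example.vn
"""


def unfold(text: str) -> List[str]:
    """Join continuation lines (a line starting with one space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into a list of entries mapping attribute name -> list of values.

    * entries are separated by one or more blank lines
    * lines beginning with '#' are comments
    * 'attr: value' is a plain value; 'attr:: value' is base64-encoded UTF-8 and is decoded
    * every entry must start with a 'dn' line, otherwise ValueError is raised
    """
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text) + [""]:          # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if not current and name != "dn":
            raise ValueError("entry must begin with a dn line, got %r" % line)
        current.setdefault(name, []).append(value)
    return entries


def find_by_dn(entries: List[Entry], dn: str) -> Entry:
    """Look an entry up by its DN (the dn attribute holds exactly one value)."""
    for entry in entries:
        if entry["dn"] == [dn]:
            return entry
    raise KeyError(dn)
```

The parser keeps every attribute as a list, since objectClass and many other attributes are multi-valued; the "dn must come first" check is the simplest form of the schema validation a real server performs on import.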

Content of a directory entry in LDIF

Below is the content of one entry in an LDIF file.

dn: uid=tuanh,ou=Teacher,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: tuanh
uid: tuanh
cn: tuanh
telephoneNumber: 125698742
sn: tuanh
userPassword: {SSHA}WixBYpdCo4bEZPRPwUriImctcWZ9sDgQQ/WElg==
mail: tuanh
facsimileTelephoneNumber: 5426
entryUUID: bc95b0ee-6e3e-480d-83c1-2c1e13c89dc9
createTimestamp: 20100326001110Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
pwdChangedTime: 20100326001110.323Z

An entry is a collection of attributes, each describing one characteristic feature of an object. An entry consists of several lines:

- dn: distinguished name, the name of the directory entry, written entirely on one line.
- Then, one after another, the attributes of the entry; attributes hold the data. Each attribute occupies one line in the form attribute type: attribute value.
- The order of the attributes does not matter, but to make the information easier to read we should put the objectClass values first and keep the values of attributes of the same kind close together.

Some basic attributes in an LDIF file:

No.  Name                      Description
1    dn                        Distinguished Name: the distinguishing name
2    country                   two-letter abbreviation of a country's name
3    organization              organization
4    ou                        organization unit
5    objectClass               Each objectClass value acts as a template for the data stored in an entry. It defines a set of attributes that must be present in the entry (for example, if this entry has the objectClass value eperson, and eperson requires the attributes name, email and uid, then this entry will have those attributes), while the set of optional attributes may or may not be present.
6    givenName                 first name
7    uid                       user id
8    cn                        common name
9    telephoneNumber           telephone number
10   sn                        surname
11   userPassword              user password
12   mail                      email address
13   facsimileTelephoneNumber  fax number
14   createTimestamp           time this entry was created
15   creatorsName              name of the creator of this entry
16   pwdChangedTime            time the password was changed
17   entryUUID                 id of the entry

2.2 LDAP models

LDAP also defines four models, which allow flexibility in how directories are arranged:

- The LDAP Information model defines the structure and characteristics of the information in the directory.
- The LDAP Naming model defines how information is referenced and organized.
- The LDAP Functional model defines how you access and update the information in your directory.
- The LDAP Security model defines how the information in your directory is protected from unauthorized access.

2.2.1 LDAP information model

Concept

The LDAP Information model defines the data types and the basic information elements you can store in a directory. In other words, it describes how to build the blocks of data from which we create a directory.

The LDAP information model

The basic unit of information in a directory is called an entry. It is the collection of information about one object.

Figure 7. A directory tree whose entries are the basic elements

Figure 8. An entry with its basic attributes

The information describing the data is stored, following this structure, in *.ldif files. The structure of an LDIF file was introduced above.

2.2.2 LDAP naming model

Concept

The LDAP Naming model defines how we can arrange and refer to our data.

Put differently, this model describes how entries are arranged into a logical structure, and the LDAP Naming model shows how we can refer to any directory entry within that structure.

The LDAP Naming model lets us place data in the directory in whatever way is easiest for us to manage.

Arranging the data

For example, we can create one container holding all the entries that describe people in an organization (o) and another holding all your groups, or you can design the entries as a hierarchy that mirrors your organizational structure. A good design requires adequate study.

Figure 9. An LDAP directory tree

We can see that an entry in the directory can be both a file and a folder at the same time.

Figure 10. Part of an LDAP directory with entries holding information

Like a path in a file system, the name of an LDAP entry is formed by concatenating the names of each ancestor (parent) entry up to the root.

In the figure above, the highlighted node is named uid=bjensen, ou=people, dc=airius, dc=com; reading from left to right we walk back up to the top of the tree, and we see that the individual components are separated by commas.

In any DN, the leftmost component is called the relative distinguished name (RDN). As noted, a DN is the unique name of each entry in the directory, so entries with the same parent must have distinct RDNs.

Figure 11.

In the figure above, for example, two entries share the RDN cn=John Smith but sit on two different branches.

Aliases: a way of referring to data

Alias entries in an LDAP directory let one entry point to another entry.

We can thus build a structure in which the hierarchy need not be exact; an alias entry is like a symbolic link in UNIX or a shortcut on Windows 9x/NT.

To create an alias entry in the directory, you first create an entry with an attribute named aliasedObjectName whose value is the DN of the entry this alias should point to.

The figure below shows an alias entry pointing to a real entry.

Figure 12. LDAP with an alias entry

Not every LDAP directory server supports aliases, however. Because an alias entry can point to any entry, including entries on other LDAP servers, a search that encounters an alias may have to be carried out on another directory tree on other servers, which raises the cost of searching; this is the main reason some software does not support aliases.
2.2.3 LDAP functional model

Concept

This model describes the operations we can perform on the directory.

The LDAP Functional model contains a set of operations divided into three groups:

- Interrogation operations let you search the directory and retrieve data from it.
- Update operations: add, delete, rename and modify directory entries.
- Authentication and control operations let the client identify itself to the directory and control aspects of the session.

In version 3 of the LDAP protocol, besides these three groups there is also the LDAP extended operation, which allows the protocol to be extended later in an orderly way without changing the protocol itself.

Description of the operations

1. Interrogation operations (LDAP Interrogation)

These let the client find and retrieve information from the directory.

The search operation (LDAP search operation) takes eight parameters (for example: search(o=people,dc=airius,dc=com, base, derefInSearching, 10, 60, Filter, ArrayAttribute)).

- The first parameter is the base object on which the search operates: the DN pointing to the top of the subtree we want to search.
- The second parameter is the scope of the search; there are three scopes:
  - base: search only the base object itself.
  - onelevel: the search covers the level directly below the base object (its immediate children).
  - subtree: the search covers the whole tree whose top is the base object.

Figure 13. Search with scope base

Figure 14. Search with scope onelevel

Figure 15. Search with scope subtree

- The third parameter, derefAliases, tells the server whether aliases are dereferenced during the search. It can take four values:
  - neverDerefAliases: search without dereferencing aliases, including the base object itself.
  - derefInSearching: dereference aliases in entries below the base object, but not the base object itself.
  - derefFindingBaseObject: dereference the base object if it is an alias, but not aliases in entries below it.
  - derefAlways: dereference both, whether the base object or the lower entries are alias entries.
- The fourth parameter tells the server the maximum number of result entries to return.
- The fifth parameter sets the maximum time the search may take.
- The sixth parameter, attrsOnly, is a boolean; if true, the server sends the client only the attribute types of each entry and not their values, which is useful when the client only cares about which attribute types an entry contains.
- The seventh parameter is the search filter, an expression describing which kinds of entry are returned.
- The eighth parameter is the list of attributes to return with each entry.
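The eight search parameters are easiest to understand by running them over a small in-memory tree. The following Python code is an added example, not part of the original document or of any LDAP server: DIRECTORY is a constructed tree (including one alias entry so derefAliases has something to act on), the filter language is the equality, presence, and &/|/! subset of RFC 4515, and size and time limits simply stop the scan, as a server's sizeLimitExceeded/timeLimitExceeded results would.

```python
import time
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, List[str]]

# Constructed sample directory (not the document's data): DN -> attributes.
DIRECTORY: Dict[str, Attrs] = {
    "dc=example,dc=vn": {"objectClass": ["top", "domain"], "dc": ["example"]},
    "o=it,dc=example,dc=vn": {"objectClass": ["top", "organization"], "o": ["it"]},
    "ou=Teacher,o=it,dc=example,dc=vn": {"objectClass": ["top", "organizationalUnit"], "ou": ["Teacher"]},
    "ou=Student,o=it,dc=example,dc=vn": {"objectClass": ["top", "organizationalUnit"], "ou": ["Student"]},
    "uid=tuanh,ou=Teacher,o=it,dc=example,dc=vn": {
        "objectClass": ["top", "inetOrgPerson"], "uid": ["tuanh"], "cn": ["tuanh"], "mail": ["tuanh@example.vn"]},
    "uid=mai,ou=Student,o=it,dc=example,dc=vn": {
        "objectClass": ["top", "inetOrgPerson"], "uid": ["mai"], "cn": ["mai"], "mail": ["mai@example.vn"]},
    # an alias entry pointing at the teacher, for the derefAliases parameter
    "cn=dean,o=it,dc=example,dc=vn": {
        "objectClass": ["top", "alias"], "cn": ["dean"],
        "aliasedObjectName": ["uid=tuanh,ou=Teacher,o=it,dc=example,dc=vn"]},
}


def parent_dn(dn: str) -> str:
    """Strip the leftmost RDN (values containing commas are not handled here)."""
    return dn.partition(",")[2]


def in_scope(dn: str, base: str, scope: str) -> bool:
    if scope == "base":
        return dn == base
    if scope == "onelevel":
        return parent_dn(dn) == base
    if scope == "subtree":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope: " + scope)


def parse_filter(s: str, i: int = 0):
    """Parse a subset of RFC 4515 filters: (attr=value), (attr=*), and &, |, ! groups."""
    if s[i] != "(":
        raise ValueError("filter must start with '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def matches(node, attrs: Attrs) -> bool:
    op = node[0]
    if op == "=":
        _, attr, value = node
        # attribute names and values are compared case-insensitively
        values = [v.lower() for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
        return bool(values) if value == "*" else value.lower() in values
    kids = node[1]
    if op == "&":
        return all(matches(k, attrs) for k in kids)
    if op == "|":
        return any(matches(k, attrs) for k in kids)
    return not matches(kids[0], attrs)      # "!"


def deref(dn: str) -> str:
    """Follow an alias entry to its target DN (one hop); non-aliases map to themselves."""
    target = DIRECTORY.get(dn, {}).get("aliasedObjectName")
    return target[0] if target else dn


def search(base: str, scope: str, deref_aliases: str, size_limit: int, time_limit: float,
           attrs_only: bool, filter_str: str, attributes: Optional[List[str]]) -> List[Tuple[str, Attrs]]:
    """The eight-parameter search operation described above, evaluated over DIRECTORY."""
    deadline = time.monotonic() + time_limit
    if deref_aliases in ("derefFindingBaseObject", "derefAlways"):
        base = deref(base)
    if base not in DIRECTORY:
        raise LookupError("noSuchObject: " + base)
    node, _ = parse_filter(filter_str)
    results: List[Tuple[str, Attrs]] = []
    for dn in DIRECTORY:
        if time.monotonic() > deadline:
            break                           # timeLimitExceeded: return what was found so far
        if not in_scope(dn, base, scope):
            continue
        if dn != base and deref_aliases in ("derefInSearching", "derefAlways"):
            dn = deref(dn)
        entry = DIRECTORY[dn]
        if not matches(node, entry):
            continue
        wanted = {k: v for k, v in entry.items() if not attributes or k in attributes}
        if attrs_only:
            wanted = {k: [] for k in wanted}   # attribute types only, no values
        results.append((dn, wanted))
        if size_limit and len(results) >= size_limit:
            break                           # sizeLimitExceeded: stop at the limit
    return results
```

Scope and derefAliases are the two parameters most often misunderstood in access-control reviews: a subtree search from the naming context with a presence filter such as (objectClass=*) returns the whole tree, and a dereferenced alias can pull in an entry from outside the requested base, which is why the server's own access control must be evaluated on the target entry, not the alias.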

2. Update operations

There are four update operations: add, delete, rename (modify DN) and modify.

- Add
- Delete
- Rename
- Modify

3. Authentication and control operations (authentication and control)

The authentication operations are bind and unbind:

- Bind lets the client identify itself to the directory; this operation provides identification and authentication.
- Unbind lets the client end the current session.

The only control operation is abandon:

- Abandon lets the client indicate operations whose results it is no longer interested in.

4. Extended operations

Beyond the nine basic operations, LDAP version 3 is designed to be extended through three mechanisms:

LDAP extended operations

- This is a new kind of protocol operation. If a new operation is needed in the future, it can be defined and standardized without requiring the core components of LDAP to be rebuilt.
- An example of an extended operation is StartTLS, which tells the server that the client wants to use transport layer security (TLS) to encrypt the connection and, optionally, to authenticate it.

LDAP controls

- Pieces of information attached to LDAP operations that change the behaviour of the operation on the same object.

Simple Authentication and Security Layer (SASL)

- A framework that supports many authentication methods.
- By using the SASL framework for authentication, LDAP can easily adapt to other, newer authentication methods.
- SASL also provides a framework in which client and server can negotiate security at the lower layers (giving higher security).

2.2.4 LDAP security model

The last of the LDAP models concerns protecting the information in the directory from unauthorized access.

When a bind is performed under a DN, or anonymously, each user has a certain set of rights to operate on directory entries. Which rights an entry grants, and all of the above, is called access control.

LDAP does not yet define an access control model; these access conditions are configured by system administrators through the server software.

2.3 Authentication in LDAP

Authentication in an LDAP directory is necessary and indispensable. The authentication process establishes the client's rights for each session.

All operations, such as searching, querying and so on, are governed by the privilege level of the authenticated user.

To authenticate an LDAP user, the user name must be given as a DN (for example cn=tuanh,o=it,dc=nlu,dc=info) together with the password for that DN.

Some user authentication methods

Anonymous authentication

- Anonymous authentication is a bind to the directory with an empty login name and an empty password. This kind of login is very common and is frequently used by client applications.

Simple authentication

- In simple authentication, the login name in the form of a DN is sent together with a clear-text password to the LDAP server.
- The server compares the password with the value of the userPassword attribute, or with other attribute values predefined in the entry for that DN.
- If the password is stored in hashed (encoded) form, the server applies the same hash function to the supplied password and compares the result with the stored hashed password value.
- If the two passwords match, the client is successfully authenticated.
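The following Python code is an added example (not from the original document or from any directory server) of the server-side comparison just described, for the {SSHA} scheme the document's entries use: base64(SHA-1(password || salt) || salt). The DIRECTORY entry and its password are constructed. The simulated bind also covers the two edge cases a practitioner checks first: a DN sent with an empty password is an unauthenticated bind, which RFC 4513 says servers should refuse by default, and an unknown DN gets the same invalidCredentials answer as a wrong password so the response does not reveal which accounts exist.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

Attrs = Dict[str, List[str]]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} userPassword value: base64(SHA-1(password || salt) || salt).
    SHA-1 is used because that is the scheme in the document's entries; prefer a
    stronger scheme (PBKDF2 or similar) wherever the server offers one."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare, as the server
    does for a simple bind against a hashed userPassword."""
    if not stored.startswith("{SSHA}"):
        return False                           # other schemes are not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed directory for the simulation (DN -> attributes); the fixed salt keeps
# the stored value reproducible, a real server would draw a random salt per password.
DIRECTORY: Dict[str, Attrs] = {
    "uid=mai,o=it,dc=example,dc=vn": {
        "uid": ["mai"],
        "userPassword": [make_ssha("secret", b"\x01\x02\x03\x04\x05\x06\x07\x08")],
    },
}


def simple_bind(dn: str, password: str) -> str:
    """Simulate the server side of a simple bind and return a result label.
    An empty DN with an empty password is an anonymous bind. A DN with an empty
    password is an unauthenticated bind, which RFC 4513 says servers should reject
    by default; an application that treats it as success authenticates nobody."""
    if dn == "" and password == "":
        return "anonymous"                     # no identity established
    if password == "":
        return "unwillingToPerform"            # unauthenticated bind refused
    entry = DIRECTORY.get(dn)
    if entry is None:
        return "invalidCredentials"            # same answer as a wrong password
    for stored in entry.get("userPassword", []):
        if verify_ssha(password, stored):
            return "success"
    return "invalidCredentials"
```

When an application performs the bind itself (the "checking program" pattern in section 2.4 below), it should reject an empty password before sending the bind rather than rely on the server's default, since some deployments still permit unauthenticated binds.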

Simple authentication over SSL/TLS

- If sending your user name and password over the network makes you uneasy about confidentiality, it is safer to transmit them inside an encrypted transport layer.
- LDAP establishes this encrypted transport layer before any connection activity takes place, so all user information is protected (at least for the duration of that session).

There are two ways to use SSL/TLS with LDAPv3:

1. LDAP with SSL

LDAP with SSL (LDAPS, tcp/636) is supported by a great many LDAP servers (both commercial and open source). Although it is widely used, it was never accepted as a standard LDAP extension the way StartTLS was.

SSL uses a program layer that sits between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers.

In layman's terms, the data is encrypted in the user's web browser using a cryptographic key that belongs to the website.

The data travels from the web browser to the website in encrypted form. This ensures that the user's personal information is not transferred in a format readable by anyone who captures it as it crosses the Internet.

2. LDAP with TLS

RFC 2830 defines an extension to LDAPv3 for handling TLS over the standard port, tcp/389.

This method is known as StartTLS; it lets the server handle the encryption and decryption of sessions on the same port.

When server and client communicate, TLS ensures that no third party can eavesdrop on or tamper with any message.

TLS lets servers and clients authenticate each other and negotiate an encryption algorithm and encryption keys before any data is exchanged.

TLS is the successor to Secure Sockets Layer (SSL) and is based on the same technology; in that sense, SSL evolved into the TLS protocols.

2.4 Some services that use the LDAP protocol

By combining these simple LDAP operations, a directory client can carry out complex tasks such as the following examples.

1. A data storage model

A mail program can sign messages with the digital certificate stored in the directory on the LDAP server by sending a search request to the LDAP server. The LDAP server returns the client's digital certificate. The mail program then uses the digital certificate to sign the message and sends it to the message server. From the user's point of view the whole process runs automatically and needs no attention.

Figure 16. A simple storage model

2. Mail management

The Netscape Message server can use the LDAP directory to validate mail. When a mail arrives for an address, the message server looks up the email address in the directory on the LDAP server, and so learns whether the user's mailbox exists.

Figure 17. Using LDAP to manage mail

3. Authentication using LDAP

To authenticate a user logging in to a system via a checking program, the program proceeds as follows:

- First, the checking program creates an authentication proxy with LDAP via (1).
- Then it compares user A's password with the information held in the directory. If the comparison succeeds, user A is authenticated.

Figure 18. Authentication using LDAP

3 OpenDS installation guide

Use the OpenDS tool as the LDAP server.

Download OpenDS from https://opends.dev.java.net/public/downloads_index.html

Installation:

- Unpack, then run the file setup.bat in the folder ..\OpenDS-1.2.0\bat on Windows.
- Unpack, then run the file setup.sh in the folder ..\OpenDS-1.2.0\bin on Ubuntu, with the command
  ./setup.sh

Then install following the steps below, which are the same for both operating systems:

1. Choose Next.
2. Choose the installation path, configure the port, the administrator login name and password, then choose Configure to configure security for the LDAP server.
3. Choose OK, then Next to go to step 2.
4. Choose Next.
5. Choose the Base DN to create the directory tree that will hold the user accounts, then choose Next (choose "import automatically" only to try the LDAP server out; for a real installation choose Only Create Base Entry).
6. Choose Finish.
7. Choose Launch Control Panel to log in to the LDAP server's administration, or Close to close the setup screen.
8. In the OpenDS Control Panel, log in with the initial login name and password.
9. Create the LDAP tree structure, for example o=nonglam,ou=cntt,dc=com, and choose OK.
10. In Manage Entries, create a New Organizational Unit: ou=dh06dt. Choose OK.

Note: you may choose and create directory tree structures according to the organization of your own LDAP server.

Within it, create the new users; the uid and password will be used later to log in.

- Right-click the branch where you want to create the user and choose New User.
- Fill in the user's information and choose the Naming Attribute to be searched on the LDAP tree (uid or email, for instance), then choose OK.
- Continue creating new users in the same way.

4 Application to the IT faculty

4.1 Building the initial database

LDAP organizes data as a tree. The database must therefore have a base, branches, sub-branches and leaf nodes (the entries in the database).

For the IT faculty of Nong Lam University we will build a database with the following structure:

Base: dc=hcmuaf,dc=edu,dc=vn

Branches of the IT faculty:

- o=it: the Faculty of Information Technology
- ou=Teacher: stores information about teachers
- ou=Student: stores information about students
- ou=EduServices: stores information about the faculty's academic affairs office

4.2 Diagram

With the database structured as above, it can be represented by the following diagram:

For the base and for each branch there is one person with full management rights. And because LDAP organiz

es data as a tree, a person at a higher level has higher rights.

4.3 LDIF file content

With the model and database structure above, the corresponding content of the LDIF file is (entries are separated by blank lines, as the LDIF format requires):

dn: dc=hcmuaf,dc=edu,dc=vn
objectClass: domain
objectClass: top
dc: hcmuaf
entryUUID: a1255ce5-2710-388c-95a6-3c030a59a8d3

dn: o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: top
objectClass: organization
description: information technology
o: it
entryUUID: fbcb85d5-e17c-494e-a36d-5932fb503125
createTimestamp: 20100326000527Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

dn: ou=student,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: organizationalUnit
objectClass: top
ou: student
entryUUID: a05481a4-f448-44a0-902f-a1f0cc6ee63f
createTimestamp: 20100326000608Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

dn: ou=Teacher,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: organizationalUnit
objectClass: top
ou: Teacher
entryUUID: 675d5e04-fa4f-40fe-98fb-79fba17e2ba8
createTimestamp: 20100326000638Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

dn: ou=EduServices,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: organizationalUnit
objectClass: top
ou: EduServices
entryUUID: 8150807d-d796-475d-968b-3fc1fcf231ff
createTimestamp: 20100326000705Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

In the data above, the Directory Manager account is created to manage the whole database, and users are created so that client machines can connect to the server and read the information in the LDAP database for login purposes.

Later, the Directory Manager account is used to modify and add user information.
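Section 2.1.3 suggested writing a tool that converts spreadsheet records into LDIF for bulk import, and the table in that section noted that each objectClass fixes a set of required attributes. The following Python code is an added example (not from the original document) that generates the faculty tree from section 4.1 plus one inetOrgPerson per record, base64-encodes values that are not safe plain LDIF text (Vietnamese names in particular), and refuses an entry that lacks an attribute its object classes require. The records, e-mail domain and phone numbers are constructed; REQUIRED is a minimal stand-in for the server schema, listing only the well-known MUST attributes of these classes; passwords are deliberately left out of the generated entries so that hashing is handled by the server or a separate step.

```python
import base64
from typing import Dict, Iterable, List

Attrs = Dict[str, List[str]]

# Assumed DIT from section 4.1 of the document.
BASE_DN = "dc=hcmuaf,dc=edu,dc=vn"
FACULTY_DN = "o=it," + BASE_DN
BRANCHES = ("Teacher", "Student", "EduServices")

# Minimal stand-in for the server schema: attributes each object class requires
# (the real schema is larger; these are the well-known MUST sets for these classes).
REQUIRED = {
    "domain": {"dc"}, "organization": {"o"}, "organizationalUnit": {"ou"},
    "person": {"cn", "sn"}, "inetOrgPerson": {"cn", "sn"},
}

# Constructed rows, such as a spreadsheet export would yield.
RECORDS = [
    {"branch": "Teacher", "uid": "long", "cn": "Tr\u1ea7n Th\u00e1i Long", "sn": "Tr\u1ea7n",
     "mail": "long@example.edu.vn", "telephoneNumber": "0123456789"},
    {"branch": "Student", "uid": "mai", "cn": "mai", "sn": "mai",
     "mail": "mai@example.edu.vn", "telephoneNumber": "0987654321"},
]


def check_schema(dn: str, attrs: Attrs) -> None:
    """Reject an entry missing an attribute its objectClass values require (schema violation)."""
    for oc in attrs.get("objectClass", []):
        missing = REQUIRED.get(oc, set()) - set(attrs)
        if missing:
            raise ValueError("%s: objectClass %s requires %s" % (dn, oc, sorted(missing)))


def ldif_line(attr: str, value: str) -> str:
    """'attr: value', or 'attr:: <base64>' when the value is not safe plain text per RFC 2849:
    non-ASCII (e.g. Vietnamese), leading space/colon/'<', trailing space, or CR/LF/NUL."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or any(c in value for c in "\r\n\x00"))
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def entry_ldif(dn: str, attrs: Attrs) -> str:
    """Render one entry: dn first, then objectClass, then the remaining attributes."""
    check_schema(dn, attrs)
    lines = [ldif_line("dn", dn)]          # a DN with non-ASCII RDNs gets 'dn::' too
    for attr in ["objectClass"] + [a for a in attrs if a != "objectClass"]:
        for value in attrs.get(attr, []):
            lines.append(ldif_line(attr, value))
    return "\n".join(lines) + "\n"


def build_ldif(records: Iterable[Dict[str, str]]) -> str:
    """Emit the faculty DIT plus one inetOrgPerson per record, entries separated by blank lines."""
    entries = [
        (BASE_DN, {"objectClass": ["top", "domain"], "dc": ["hcmuaf"]}),
        (FACULTY_DN, {"objectClass": ["top", "organization"], "o": ["it"],
                      "description": ["information technology"]}),
    ]
    for ou in BRANCHES:
        entries.append(("ou=%s,%s" % (ou, FACULTY_DN),
                        {"objectClass": ["top", "organizationalUnit"], "ou": [ou]}))
    for rec in records:
        if rec["branch"] not in BRANCHES:
            raise ValueError("unknown branch " + rec["branch"])
        dn = "uid=%s,ou=%s,%s" % (rec["uid"], rec["branch"], FACULTY_DN)
        attrs = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
                 "uid": [rec["uid"]], "cn": [rec["cn"]], "sn": [rec["sn"]],
                 "mail": [rec["mail"]], "telephoneNumber": [rec["telephoneNumber"]]}
        entries.append((dn, attrs))
    return "\n".join(entry_ldif(dn, attrs) for dn, attrs in entries)


if __name__ == "__main__":
    print(build_ldif(RECORDS))
```

Checking required attributes before import is cheaper than discovering schema violations one entry at a time in the server's rejection messages, and base64-encoding non-ASCII values at generation time avoids the garbled names the document warns about.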

5 LDAP server installation guide

Use the OpenDS tool as the LDAP server.

Download OpenDS from https://opends.dev.java.net/public/downloads_index.html

Unpack, then run the file setup.bat in the folder ..\OpenDS-1.2.0\bat. Install following these steps:

1. Choose Next.
2. Choose the installation path, configure the port, the administrator login name and password, then choose Configure to configure security for the LDAP server.
3. Choose OK, then Next to go to step 2.
4. Choose Next.
5. Choose the Base DN to create the directory tree that will hold the user accounts, then choose Next (choose "import automatically" only to try the LDAP server out; for a real installation choose Only Create Base Entry).
6. Choose Finish.
7. Choose Launch Control Panel to log in to the LDAP server's administration, or Close to close the setup screen.
8. In the OpenDS Control Panel, log in with the initial login name and password.
9. Choose New Base DN to create the LDAP tree structure, for example o=nonglam,ou=cntt,dc=com, and choose OK.
10. In Manage Entries, create a New Organizational Unit: ou=dh06dt. Choose OK.

Note: you may choose and create directory tree structures according to the organization of your own LDAP server.

Within it, create the new users; the uid and password will be used later to log in.

- Right-click the branch where you want to create the user and choose New User.
- Fill in the user's information and choose the Naming Attribute to be searched on the LDAP tree (uid or email, for instance), then choose OK.
- Continue creating new users in the same way.