DIRECTORY SYSTEMS USING LDAP

ASSIGNMENT NO: 2
TITLE: Directory Systems using LDAP
Name:
ROLL NO.:
DATE:
REMARK:
BATCH:

DIRECTORY ACCESS PROTOCOL

Enterprise computing environments have a need to store information in a centralized data store so that it can be added to, modified, deleted, and queried by users and applications. This data store has come to be known as a Directory Service. The information stored could be user accounts, e-mail addresses, network names, component object names, digital certificates, and so on. The amount of information stored varies greatly with the customer. There is a need to access this information both from within the enterprise and from the Internet. In order to succeed, IT organizations must choose Directory Services that are:

• Flexible enough to store a range of information types
• Secure when accessed from both the Internet and the intranet
• Scalable from a small business to the largest enterprise
• Extensible as business needs change

In addition, the Directory Service must be accessible via an open, standards-based protocol. Using an open protocol enables the information in the Directory Service to be accessible from clients from different vendors. Directory Services from different vendors communicating using an open protocol can exchange information with each other to create aggregated directories.

Directory information can be made available through Web interfaces, as many organizations, and phone companies in particular, do. Such interfaces are good for humans. However, programs too need to access directory information. Directories can be used for storing other types of information, much like file system directories. For instance, Web browsers can store personal bookmarks and other browser settings in a directory system. A user can thus access the same settings from multiple locations, such as at home and at work, without having to share a file system.

Several directory access protocols have been developed to provide a standardized way of accessing data in a directory. The most widely used among them today is the Lightweight Directory Access Protocol (LDAP).

Obviously all the types of data in our examples can be stored without much trouble in a database system, and accessed through protocols such as JDBC or ODBC. The question then is, why come up with a specialized protocol for accessing directory information? There are at least two answers to the question.

• First, directory access protocols are simplified protocols that cater to a limited type of access to data. They evolved in parallel with the database access protocols.
• Second, and more important, directory systems provide a simple mechanism to name objects in a hierarchical fashion, similar to file system directory names, which can be used in a distributed directory system to specify what information is stored in each of the directory servers. For example, a particular directory server may store information for Bell Laboratories employees in Murray Hill, while another may store information for Bell Laboratories employees in Bangalore, giving both sites autonomy in controlling their local data. The directory access protocol can be used to obtain data from both directories across a network. More important, the directory system can be set up to automatically forward queries made at one site to the other site, without user intervention.

LDAP: LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL

In general a directory system is implemented as one or more servers, which service multiple clients. Clients use the application programming interface defined by the directory system to communicate with the directory servers. Directory access protocols also define a data model and access control.

The X.500 directory access protocol, defined by the International Organization for Standardization (ISO), is a standard for accessing directory information. However, the protocol is rather complex, and is not widely used. The Lightweight Directory Access Protocol (LDAP) provides many of the X.500 features, but with less complexity, and is widely used. In the rest of this section, we shall outline the data model and access protocol details of LDAP.

LDAP Data Model

In LDAP, directories store entries, which are similar to objects. Each entry must have a distinguished name (DN), which uniquely identifies the entry. A DN is in turn made up of a sequence of relative distinguished names (RDNs). For example, an entry may have the following distinguished name:

cn=Silberschatz, ou=Bell Labs, o=Lucent, c=USA

As you can see, the distinguished name in this example is a combination of a name and (organizational) address, starting with a person's name, then giving the organizational unit (ou), the organization (o), and country (c). The order of the components of a distinguished name reflects the normal postal address order, rather than the reverse order used in specifying path names for files. The set of RDNs for a DN is defined by the schema of the directory system.

Entries can also have attributes. LDAP provides binary, string, and time types, and additionally the types tel for telephone numbers, and PostalAddress for addresses (lines separated by a "$" character). Unlike those in the relational model, attributes are multivalued by default, so it is possible to store multiple telephone numbers or addresses for an entry.

LDAP allows the definition of object classes with attribute names and types. Inheritance can be used in defining object classes. Moreover, entries can be specified to be of one or more object classes. It is not necessary that there be a single most-specific object class to which an entry belongs.

Entries are organized into a directory information tree (DIT), according to their distinguished names. Entries at the leaf level of the tree usually represent specific objects. Entries that are internal nodes represent objects such as organizational units, organizations, or countries. The children of a node have a DN containing all the RDNs of the parent, and one or more additional RDNs. For instance, an internal node may have the DN c=USA, and all entries below it have the value USA for the RDN c.

The entire distinguished name need not be stored in an entry. The system can generate the distinguished name of an entry by traversing up the DIT from the entry, collecting the RDN=value components to create the full distinguished name.
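As an added illustration (not part of the original assignment), the following Java class models a toy DIT: the DN is generated by walking up from an entry to the root in postal-address order, attributes hold several values, and an entry's membership in the subtree beneath a base is decided by the same walk. The tree uses the DN from the text; the attribute values are constructed for the example.

```java
import java.util.*;

// Added example: a toy directory information tree (DIT). It shows the DN
// being generated by walking up from an entry, multivalued attributes, and
// the subtree test a search scope relies on. All data here is constructed.
public class DitExample {
    static final class Entry {
        final String rdn;     // e.g. "cn=Silberschatz"
        final Entry parent;   // null for the root of the tree
        final Map<String, List<String>> attrs = new LinkedHashMap<>();
        Entry(String rdn, Entry parent) { this.rdn = rdn; this.parent = parent; }

        // Attributes are multivalued by default: adding never replaces an earlier value.
        Entry add(String type, String value) {
            attrs.computeIfAbsent(type, k -> new ArrayList<>()).add(value);
            return this;
        }

        // The DN is not stored; it is the entry's RDN followed by each ancestor's RDN,
        // most specific first (postal-address order, the reverse of a file path).
        String dn() {
            List<String> parts = new ArrayList<>();
            for (Entry e = this; e != null; e = e.parent) parts.add(e.rdn);
            return String.join(",", parts);
        }

        // Subtree scope: an entry lies beneath a base if the base is one of its
        // ancestors (equivalently, the base's RDNs are a suffix of the entry's DN).
        boolean isUnder(Entry base) {
            for (Entry e = this; e != null; e = e.parent) if (e == base) return true;
            return false;
        }
    }

    public static void main(String[] args) {
        Entry usa    = new Entry("c=USA", null);
        Entry india  = new Entry("c=India", null);          // a second top-level node
        Entry lucent = new Entry("o=Lucent", usa);
        Entry labs   = new Entry("ou=Bell Labs", lucent);
        Entry person = new Entry("cn=Silberschatz", labs)
                .add("telephoneNumber", "+1 555 0100")       // constructed values
                .add("telephoneNumber", "+1 555 0101")
                .add("postalAddress", "1 Example Road$Murray Hill$NJ"); // "$" separates lines
        System.out.println(person.dn());
        System.out.println("under c=USA: " + person.isUnder(usa));
        System.out.println("under c=India: " + person.isUnder(india));
        System.out.println("telephoneNumber values: " + person.attrs.get("telephoneNumber").size());
    }
}
```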

Data Manipulation

Unlike SQL, LDAP does not define either a data-definition language or a data-manipulation language. However, LDAP defines a network protocol for carrying out data definition and manipulation. LDAP also defines a file format called LDAP Data Interchange Format (LDIF) that can be used for storing and exchanging information.

The querying mechanism in LDAP is very simple, consisting of just selections and projections, without any join. A query must specify the following:

• A base, that is, a node within a DIT, by giving its distinguished name (the path from the root to the node).
• A search condition, which can be a Boolean combination of conditions on individual attributes. Equality, matching by wild-card characters, and approximate equality are supported.
• A scope, which can be just the base, the base and its children, or the entire subtree beneath the base.
• Attributes to return.

The Lightweight Directory Access Protocol (LDAP) is a protocol for clients to query and manage information in a Directory Service over a TCP connection (port 389). The LDAP protocol was designed by the University of Michigan to provide access to the X.500 Directory while not incurring the resource requirements of the Directory Access Protocol (DAP). This makes it very suitable for use on the Internet.

Lightweight Directory Access Protocol (LDAP) Components:

• A Data Model, which defines the syntax of the data in the directory
• An Organizational Model, which defines how the data is organized in the directory
• A Security Model, which defines how the information in the directory is accessed in a secure manner
• The Functional Model, which defines the operations for querying and modifying the directory
• The Topological Model, which defines how the directory service integrates with other directory services to form a global directory service on the Internet

Protocol overview:

A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389. The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order. The client may request the following operations:

• StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
• Bind — authenticate and specify LDAP protocol version
• Search — search for and/or retrieve directory entries

• Compare — test if a named entry contains a given attribute value
• Add a new entry
• Delete an entry
• Modify an entry
• Modify Distinguished Name (DN) — move or rename an entry
• Abandon — abort a previous request
• Extended Operation — generic operation used to define other operations
• Unbind — close the connection (not the inverse of Bind)

In addition the server may send "Unsolicited Notifications" that are not responses to any request, e.g. before it times out a connection.

A common alternative method of securing LDAP communication is using an SSL tunnel. This is denoted in LDAP URLs by using the URL scheme "ldaps". The default port for LDAP over SSL is 636. The use of LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003.

Directory structure:

The protocol accesses LDAP directories, which follow the 1993 edition of the X.500 model:

• An entry consists of a set of attributes.
• An attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema.
• Each entry has a unique identifier: its Distinguished Name (DN). This consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry's DN. Think of the DN as the full file path and the RDN as its relative filename in its parent folder (e.g. if /foo/bar/myfile.txt were the DN, then myfile.txt would be the RDN).

Be aware that a DN may change over the lifetime of the entry, for instance, when entries are moved within a tree. To reliably and unambiguously identify entries, a UUID might be provided in the set of the entry's operational attributes.

An entry can look like this when represented in LDAP Data Interchange Format (LDIF) (LDAP itself is a binary protocol):

dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

"dn" is the distinguished name of the entry; it is neither an attribute nor a part of the entry. "cn=John Doe" is the entry's RDN (Relative Distinguished Name), and "dc=example,dc=com" is the DN of the parent entry, where "dc" denotes 'Domain Component'. The other lines show the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for domain component, "mail" for e-mail address and "sn" for surname.

A server holds a subtree starting from a specific entry, e.g. "dc=example,dc=com" and its children. Servers may also hold references to other servers, so an attempt to access "ou=department,dc=example,dc=com" could return a referral or continuation reference to a server which holds that part of the directory tree. The client can then contact the other server. Some servers also support chaining, which means the server contacts the other server and returns the results to the client.

LDAP rarely defines any ordering: the server may return the values of an attribute, the attributes in an entry, and the entries found by a search operation in any order. This follows from the formal definitions: an entry is defined as a set of attributes, an attribute is a set of values, and sets need not be ordered.
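The query described earlier (base, search condition, scope, attributes to return), run against a dc=example,dc=com tree like the one above, as an added JNDI example that is not the assignment's program. The server URL, bind DN, base DN, attribute names and the LDAP_PASSWORD environment variable are assumptions to adapt to your own directory.

```java
import java.util.Hashtable;
import java.util.Objects;
import javax.naming.*;
import javax.naming.directory.*;

// Added example: one LDAP query with JNDI, spelling out the base, search condition,
// scope and attributes to return. Hostname, DNs and attribute names are assumptions.
public class LdapSearchExample {
    static final String URL     = "ldap://ldap.example.com:389";  // assumed server
    static final String BIND_DN = "cn=reader,dc=example,dc=com"; // assumed read-only account
    static final String BASE_DN = "ou=people,dc=example,dc=com"; // assumed base of the search

    // Find one person by uid and print the attributes the server returns.
    static void findPerson(DirContext ctx, String uid) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // scope: the whole subtree beneath the base
        sc.setReturningAttributes(new String[] {"cn", "mail", "telephoneNumber"}); // the projection
        // Search condition: a Boolean AND of two equality tests. The uid is passed as a
        // filter argument ({0}) so JNDI escapes any filter metacharacters it contains.
        String filter = "(&(objectClass=person)(uid={0}))";
        NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, filter, new Object[] {uid}, sc);
        try {
            while (results.hasMore()) {
                SearchResult r = results.next();
                System.out.println("dn: " + r.getNameInNamespace());
                // Attributes and values are sets: iterate them without assuming an order
                NamingEnumeration<? extends Attribute> attrs = r.getAttributes().getAll();
                while (attrs.hasMore()) {
                    Attribute a = attrs.next();
                    for (int i = 0; i < a.size(); i++)
                        System.out.println(a.getID() + ": " + a.get(i));
                }
            }
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        // Password read from the environment (assumed variable name), not hard-coded
        env.put(Context.SECURITY_CREDENTIALS,
                Objects.requireNonNull(System.getenv("LDAP_PASSWORD"), "set LDAP_PASSWORD"));
        DirContext ctx = new InitialDirContext(env);
        try { findPerson(ctx, args.length > 0 ? args[0] : "jdoe"); } finally { ctx.close(); }
    }
}
```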

LDAP example in Java

/* This program binds to the LDAP server as the admin user and creates a new
   user entry (including its userpassword attribute) under ou=usermast. */
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class ldap {
    public static void main(String a[]) {
        String ENTRYDN = "cn=" + "abc" + ", ou=usermast, o=" + "abc.com" + ", c=US"; // This is root DN
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + "100.100.100.100" + ":389"); // LDAP URL
        env.put(Context.SECURITY_PRINCIPAL, "cn=admin, o=" + "abc.com" + ", c=US"); // DN of the admin user
        env.put(Context.SECURITY_CREDENTIALS, "mandiracharu"); // This is the admin password
        try {
            DirContext ctx = new InitialDirContext(env);

            // objectclass is multivalued: top, person, OpenLDAPperson and the custom connectme class
            BasicAttribute basicattribute = new BasicAttribute("objectclass", "top");
            basicattribute.add(1, "person");
            basicattribute.add(2, "OpenLDAPperson");
            basicattribute.add(3, "connectme");

            Attributes userAttributes = new BasicAttributes(true); // true: attribute names are case-insensitive
            userAttributes.put(basicattribute);
            userAttributes.put(new BasicAttribute("sn", "abc"));
            userAttributes.put(new BasicAttribute("cn", "abc"));
            userAttributes.put(new BasicAttribute("uid", "abc"));
            userAttributes.put(new BasicAttribute("userpassword", "hello"));
            userAttributes.put(new BasicAttribute("ispid", "0005"));
            userAttributes.put(new BasicAttribute("parentid", " "));
            userAttributes.put(new BasicAttribute("filename", ""));
            userAttributes.put(new BasicAttribute("jpegphoto", ""));
            userAttributes.put(new BasicAttribute("userblocked", "no"));

            // This depends upon your LDAP tree structure
            ctx.createSubcontext("uid=" + "abc" + ", ou=usermast, o=abc.com, c=US", userAttributes); // DN of the new entry
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    } // end of main
} // end of class

CONCLUSION: LDAP is a protocol for accessing a directory. A directory contains objects, generally those related to users, groups, computers, printers etc., and company structure information. LDAP gives you query methods to add, update and remove objects within a directory.
