LDAP Documentation: Presented by - Kuldeep Pandey
Introduction
Protocol
Architecture
Operations
Schemas
A directory is a listing of information about objects arranged in some order that gives details
about each object.
Common examples are a city telephone directory and a library card catalog.
In computer terms, a directory is a specialized database, also called a data repository, that
stores typed and ordered information about objects.
A particular directory might list information about printers (the objects) consisting of typed
information such as location (a formatted character string), speed in pages per minute
(numeric), print streams supported (for example PostScript or ASCII), and so on.
Local: nearby information, for example names, email addresses and so on for a department or a
workgroup.
Global: information spread across the whole universe of interest, for example persons in an entire
company.
Centralized: there is one directory server at one location; local or remote clients can access it.
Distributed: information may be partitioned or replicated across several servers.
o=NY,c=US
• Branched by agency
• Agencies in this example have branches containing:
  • Groups which contain people
  • People in the organization
  • Resources such as printers and conference rooms
  • Applications (where application-specific info could be maintained)
Sample User Object
uid=jnortrup
cn: Jim Nortrup
cn: James Nortrup
givenname: Jim
givenname: James
sn: Nortrup
mail: jnort@oft.state.ny.us
ou: NYSOFT
telephonenumber: 518-402-2018
facsimiletelephonenumber: 518-457-2019
streetaddress: NYSOFT $Executive Chamber, State Capitol
• Objects contain attributes, e.g.,
  • uid (user ID)
  • cn (common name)
  • sn (surname)
  • mail (e-mail address)
• Attributes can be multi-valued, e.g., givenname of both James and Jim
• This object contains
  • white-pages information
  • X.509 certificate for PKI
Each record represents an object, and the attributes associated with that object
are defined according to its objectClass, i.e. the value of the objectClass attribute.
Examples of objectClass:
– organization (needs a name and address)
– person (needs name, email, phone & address)
– course (needs a CRN, instructor, mascot)
– cookie (needs name, cost & taste index)
You can define which attributes are required for objects with a specific value of the
objectClass attribute.
You can also define which attributes are allowed.
New records must adhere to these settings!
attributetype ( 0.9.2342.19200300.100.1.1
NAME ( 'uid' 'userid' )
DESC 'RFC1274: user identifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
# cd /opt/sw
# unzip -q ODSEE11_1_1_7_0_xxx.zip
# cd ODSEE_ZIP_Distribution
# unzip -q sun-dsee7.zip -d /opt/ODSee
# cd /opt/ODSee/dsee7
/opt/ODSee/bin/dsccsetup ads-create
Choose password for Directory Service Manager:directory-service-pwd
Confirm password for Directory Service Manager:directory-service-pwd
4. To create server instances on the same host on which DSCC is deployed, add the DSCC
agent to the DSCC registry.
a. Create a DSCC agent.
/opt/ODSee/dsee7/bin/dsccagent create
Enter DSCC agent password: ***
Confirm the password: ***
b. Add the new DSCC agent to the DSCC registry.
/opt/ODSee/dsee7/bin/dsccreg add-agent install-path/var/dcc/agent
c. Start the DSCC agent.
/opt/ODSee/dsee7/bin/dsccagent start
Directory Service Control Center (DSCC) is a user interface that enables you to manage
Directory Servers by using a browser.
More information on Directory Service Control Center (DSCC) is available at the link below:
Directory Service Control Center
Interface - Oracle Directory Server Enterprise Edition Administration Guide
You can use the ldapsearch command-line utility to locate and retrieve directory entries.
This utility opens a connection to the server with a specified user identity
(usually a distinguished name) and password, and locates entries based on a
search filter. Search scopes can include a single entry, an entry's immediate
subentries, or an entire tree or subtree.
Search results are returned in LDIF format.
Here -D is the bind DN and -b is the search base.
You can specify a search filter directly on the command line. If you do this, be sure to enclose
your filter in quotation marks ("filter"). Also, do not specify the -f option.
For example:
You can add, delete and modify entries using the ldapmodify utility:
ldapmodify (1) (Oracle Fusion Middleware Man Page Reference for Oracle Directory Server Enterprise Edition)
Managing Entries - Oracle Directory Server Enterprise Edition Administration Guide
Adding an entry:
Create an LDIF file containing the entry below (cn is required by the person objectClass):
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
cn: Marcia Garza
sn: Garza
givenName: Marcia
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
ou: Accounting
ou: People
Then pass the file to ldapmodify with the -a (add) option:
-a -f /usr/local/add_entry.ldif
Modifying an attribute:
The LDIF file uses changetype: modify and names the attribute to replace:
changetype: modify
replace: telephonenumber
Then apply it with ldapmodify:
-f /usr/local/modify_attribute.ldif
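The schema check described above (required and allowed attributes per objectClass), as an added Python example that is not part of the original slides: a small LDIF parser plus a MUST/MAY check. The SCHEMA table is a hand-written subset of the standard person, organizationalPerson and inetOrgPerson classes and the sample entry is constructed after the add example above; both are assumptions.

```python
# Added example (not from the original slides): parse one LDIF entry and check
# it against the MUST/MAY attribute lists of its objectClasses, as a directory
# server does before accepting a record. SCHEMA is an assumed subset of the
# standard person/organizationalPerson/inetOrgPerson classes (lower-cased).
from collections import defaultdict

SCHEMA = {  # objectClass -> (required attributes, allowed attributes)
    "top": ({"objectclass"}, set()),
    "person": ({"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": (set(), {"ou", "title", "facsimiletelephonenumber"}),
    "inetorgperson": (set(), {"givenname", "mail", "uid", "displayname", "mobile"}),
}

# Constructed entry modelled on the add example in the text above
SAMPLE_LDIF = """dn: uid=Marcia Garza,ou=People,dc=example,dc=com
cn: Marcia Garza
sn: Garza
givenName: Marcia
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
ou: Accounting
ou: People
"""

def parse_ldif(text):
    """Return (dn, {attr: [values]}) for one entry; joins folded lines, keeps
    multi-valued attributes in order, skips comments (no base64 '::' support)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    dn = attrs.pop("dn", [None])[0]
    return dn, dict(attrs)

def check_entry(attrs):
    """Return (missing required attrs, attrs no objectClass allows), both sorted."""
    must, may = set(), set()
    for cls in attrs.get("objectclass", []):
        m, a = SCHEMA[cls.lower()]             # KeyError here = unknown objectClass
        must |= m
        may |= a
    return sorted(must - set(attrs)), sorted(set(attrs) - must - may)
```

Running check_entry on the sample with the cn line removed returns (["cn"], []), which is the objectClass violation a server would report for that record.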
Directory Server keeps three types of log:
1. Access
2. Error
3. Audit
Access logs contain information about connections between an LDAP client and a directory
server. A connection is a sequence of requests from the same client, and can contain the
following components:
• Connection index and the IP address of the client
• Bind record
• Bind result record
• Sequence of operation request/result pairs, or individual records in the case of connection,
closed, and abandon records
• Unbind record
• Closed record
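As an added Python example (not from the original slides), the following reconstructs each connection from access log records and counts failed binds per client address, a signal worth alerting on. The sample lines are constructed for the example and assume the "[timestamp] conn=N op=M msgId=K - record" layout; err=49 is the LDAP invalidCredentials result code.

```python
# Added example (not from the original slides): rebuild client connections from
# access log records and flag client addresses with repeated failed binds.
# The log lines are constructed and assume the conn=/op=/msgId= record layout.
import re
from collections import defaultdict

SAMPLE_LOG = """\
[22/Oct/2013:16:05:27 +0200] conn=3 op=-1 msgId=-1 - fd=25 slot=25 LDAP connection from 10.1.2.3:38811 to 10.1.2.10
[22/Oct/2013:16:05:27 +0200] conn=3 op=0 msgId=1 - BIND dn="uid=jnortrup,ou=People,dc=example,dc=com" method=SIMPLE version=3
[22/Oct/2013:16:05:27 +0200] conn=3 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[22/Oct/2013:16:05:28 +0200] conn=3 op=1 msgId=2 - BIND dn="uid=jnortrup,ou=People,dc=example,dc=com" method=SIMPLE version=3
[22/Oct/2013:16:05:28 +0200] conn=3 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
[22/Oct/2013:16:05:29 +0200] conn=3 op=2 msgId=3 - UNBIND
[22/Oct/2013:16:05:29 +0200] conn=3 op=-1 msgId=-1 - closed.
[22/Oct/2013:16:06:01 +0200] conn=4 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.1.2.7:40100 to 10.1.2.10
[22/Oct/2013:16:06:01 +0200] conn=4 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=SIMPLE version=3
[22/Oct/2013:16:06:01 +0200] conn=4 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[22/Oct/2013:16:06:02 +0200] conn=4 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jnortrup)" attrs=ALL
[22/Oct/2013:16:06:02 +0200] conn=4 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) op=(-?\d+) msgId=-?\d+ - (.*)$")

def parse_access_log(text):
    """Group records per connection: {conn: {"ip": .., "binds": [(dn, err)], "ops": [..]}}."""
    conns = defaultdict(lambda: {"ip": None, "binds": [], "ops": []})
    pending = {}                          # (conn, op) -> bind DN awaiting its RESULT
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        conn, op, rec = m.groups()
        client = re.search(r"connection from ([\d.]+):\d+", rec)
        if client:                                      # connection record
            conns[conn]["ip"] = client.group(1)
        elif rec.startswith("BIND "):                   # bind record
            pending[(conn, op)] = re.search(r'dn="([^"]*)"', rec).group(1)
        elif rec.startswith("RESULT ") and (conn, op) in pending:   # bind result
            err = int(re.search(r"err=(\d+)", rec).group(1))
            conns[conn]["binds"].append((pending.pop((conn, op)), err))
        else:                                           # SRCH, UNBIND, closed., ...
            conns[conn]["ops"].append(rec.split()[0])
    return dict(conns)

def failed_binds_by_ip(conns, threshold=2):
    """Client addresses with at least `threshold` binds that ended in err=49
    (invalidCredentials); repeated failures from one address merit a closer look."""
    counts = defaultdict(int)
    for info in conns.values():
        counts[info["ip"]] += sum(1 for _, err in info["binds"] if err == 49)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```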
Error logs contain a unique identifier of the error, warning or information message, and a
human-readable message. Messages are classified according to the following severities.
Error:
The error is severe. Immediate action should be taken to avoid the loss or corruption of
directory data.
Warning:
The error is important. Action should be taken at some stage to prevent a severe error
occurring in the future.
Info:
An informative message, usually describing server activity; no action is necessary.
Audit logs:
Audit logs contain records of all modifications to configuration or suffix entries; the audit log is
written in LDIF format.
Access, Error, and Audit Logs - Oracle Directory Server Enterprise Edition Reference
Many aspects of the log files can be modified. Some examples include the following:
• Enabling the audit log
  • Unlike the access log and the errors log, the audit log is not enabled by default. For
  information, see To Enable the Audit Log.
• General settings
  • Enabling or disabling logging
  • Enabling or disabling log buffering
  • Log file location
  • Verbose logging
To modify the log configuration, use the following command:
dsconf set-log-prop -h host -p port log-type property:value
For example, to set the rotation interval for the error log to two days, use this command:
$ dsconf set-log-prop -h host1 -p 1389 error rotation-interval:2d
Replication is the mechanism by which directory contents are automatically copied from a
Directory Server to one or more other Directory Servers.
Master or read-write replica. A read-write database that contains a master copy of the
directory data. A master replica can process update requests from directory clients. A topology
that contains more than one master is called a multi-master topology.
Consumer replica. A read-only database that contains a copy of the information in the master
replica. A consumer replica can process search requests from directory clients but refers
update requests to master replicas.
Hub replica. A read-only database (like a consumer replica) that is stored on a Directory
Server that supplies one or more consumer replicas.
A Directory Server that replicates to other servers is called a supplier. A Directory Server that
is updated by other servers is called a consumer. The supplier replays all updates on the
consumer through specially designed LDAP v3 extended operations. In terms of performance,
a supplier is therefore likely to be a demanding client application for the consumer.
We use the DSCC console to monitor replication status. It should show 0 missing changes on
the destination.
Using SSL with simple authentication (bind DN and password) encrypts all data sent to and
from the server. Encryption guarantees confidentiality and data integrity.
When your self-signed certificate expires, stop the server instance and renew the certificate.
$ dsadm stop instance-path
$ dsadm renew-selfsign-cert instance-path cert-alias
For example, to request a CA-signed server certificate for the Example company, use this
command:
2. Transmit the certificate request to your Certificate Authority, according to its procedures.
3. Save the certificate that you receive from the Certificate Authority.
For example, to install a trusted certificate from a Certificate Authority, you might use this
command:
LDAP restore
Offline restore (server instance stopped):
dsadm import instance-path LDIF-file suffix-DN
/opt/Odsee/dsee7/bin/dsadm import /ldap/UMC/iDS <Path to ldif backup> o=UMC
Online restore (server instance running):
dsconf import -h host -p port LDIF-file suffix-DN
dsconf import -h <hostname> -p 389 <Path to ldif backup> o=UMC
We can tune the underlying operating system according to recommendations made by the
idsktune command.
https://docs.oracle.com/cd/E29127_01/doc.111170/e28967/idsktune-1m.htm#ODSMP00033
As Directory Server handles more and more entries, searches potentially consume more and
more time and system resources. Indexes are one tool to improve search performance.
You can modify the following properties for each index:
1. eq-enabled (equality)
2. pres-enabled (presence)
3. sub-enabled (substring)
eq-enabled (equality):
The equality index includes all entries in the database that have a specified value for a given
attribute. This index requires a value to be specified in the search filter.
sub-enabled (substring):
Substring indexes are used for searches on three-character groups, for example, sn=*abc*.
The three-character groups are stored in the index.
The value of the nsslapd-allidsthreshold attribute can be configured globally for a Directory
Server instance, or can be configured for a suffix, or can be configured for an index type. If the
value of the nsslapd-allidsthreshold attribute is configured globally for a suffix, it can then be
changed for a specific index.
You must rebuild all indexes after you change the nsslapd-allidsthreshold attribute.
Here you find the basic recommendations for maximizing search rates or maximizing
modification rates achieved by Directory Server. Set cache sizes according to the following
recommendations:
If the directory data fit into available physical memory with physical memory to spare, allocate
memory to the entry cache until either the entry cache is full or, on a 32–bit system, the entry
cache reaches maximum size. Then allocate memory to the database cache until it is full or
reaches maximum size.
• Authentication
https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm#gdzcu
• Attribute Encryption
https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm#gbghy
• Access Control
https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm#gdzct