Adding LDAP record

[problem]

You want to add an LDAP record. Effectively create a record.

[/problem]

[solution]

To add a record to LDAP, you simply run an ldapmodify with the -a flag.

[/solution]

[example]


ldapmodify -x -a -v -D "cn=Manager,dc=demo,dc=net" -w secret < ldifFile

where ldifFile is an LDIF file, either hand-crafted or generated with ldapsearch -L.
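Hand-crafting LDIF goes wrong most often on the encoding rules: a value that starts with a space, ':' or '<', or that contains non-ASCII or control characters, must be written in the base64 '::' form, and long lines are folded with a leading space. The following added example (not part of the original post) builds such a record for ldapmodify -a from a constructed inetOrgPerson entry under dc=demo,dc=net; the DN, attribute values and function names are all assumptions.

```python
import base64

# Constructed sample entry under the dc=demo,dc=net tree used in this post.
SAMPLE_DN = "cn=John Doe,ou=people,dc=demo,dc=net"
SAMPLE_ATTRS = {
    "objectClass": ["inetOrgPerson"],
    "cn": ["John Doe"],
    "sn": ["Doe"],
    "givenName": ["John"],
    "mail": ["jdoe@demo.net"],
    "description": [" leading space is not a SAFE-STRING"],
    "displayName": ["Jöhn Doe"],  # non-ASCII is not a SAFE-STRING either
}

def is_safe_string(value):
    """RFC 2849 SAFE-STRING: plain 'attr: value' is only allowed for ASCII
    text that does not start with SPACE, ':' or '<' and has no NUL, CR, LF."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(0 < ord(ch) < 128 and ch not in "\r\n" for ch in value)

def fold(line, width=76):
    """Fold a long line the LDIF way: continuation lines start with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def ldif_line(attr, value):
    """One attribute line; unsafe values use the '::' base64 form."""
    if is_safe_string(value):
        return fold("%s: %s" % (attr, value))
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return fold("%s:: %s" % (attr, encoded))

def ldif_add_entry(dn, attrs):
    """Build one record for 'ldapmodify -a'. With -a a record without a
    changetype is an add; writing changetype: add makes the file self-describing."""
    lines = [ldif_line("dn", dn), "changetype: add"]
    for attr, values in attrs.items():
        lines.extend(ldif_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(ldif_add_entry(SAMPLE_DN, SAMPLE_ATTRS), end="")
```

Redirect the printed record into ldifFile and feed it to the ldapmodify line above; an ldapsearch -L export already follows the same rules, which is why it can be replayed unchanged.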

[/example]

[reference]

[tags]ldapadd, ldapmodify, LDAP Training School[/tags]

[/reference]

LDAP to SQL Perl code

[problem]

Whilst working on the automatic production of web statistics, I came across the following problem:

"How do I get relational data out of a hierarchical structure?"

[/problem]

[solution]

It didn't take long to realise I'd have to use PHP to talk to LDAP, pull off the records and upload them into a series of tables, using the cn as the primary key, which could then be queried relationally. Pulling off large queries and repeatedly traversing LDAP trees is pretty slow, so I built my LDAP to SQL engine by flattening DNs into table names, then used PHP scripts to query it and produce daily snapshots.

This is the Perl port of the PHP version. It requires some setting up on the database side, but is invaluable once implemented.

Perl LDAP to SQL traverses LDAP trees and spits out SQL. It is now on GitHub.

Please leave a comment if you want help with this.
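The two places where this flattening needs care are the DN parser (a comma escaped as "\," inside an RDN is part of the value, not a separator) and the SQL itself: attribute values can be bound as parameters, but a table name derived from a DN cannot, so it has to be reduced to a plain identifier before it is spliced into CREATE TABLE. The added example below (not the post's PHP or Perl code) shows that with constructed entries under dc=demo,dc=net loaded into an in-memory SQLite database; the entry values and function names are assumptions.

```python
import re
import sqlite3

# Constructed sample records of the kind an ldapsearch over dc=demo,dc=net returns.
SAMPLE_ENTRIES = [
    ("cn=John Doe,ou=people,dc=demo,dc=net", ("John Doe", "Doe", "jdoe@demo.net")),
    ("cn=Smith\\, Jane,ou=people,dc=demo,dc=net", ("Smith, Jane", "Smith", "jane@demo.net")),
    ("cn=www,ou=hosts,dc=demo,dc=net", ("www", "", "")),
]
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; an RFC 4514 '\\,' stays literal."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # escaped character: keep the next char
            cur += dn[i + 1]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    return rdns

def table_name(dn):
    """Flatten the parent of the leaf RDN into a table name:
    cn=John Doe,ou=people,dc=demo,dc=net -> people_demo_net.
    Table names cannot be bound as SQL parameters, so the result is reduced
    to [A-Za-z0-9_] and then checked as a plain identifier."""
    values = (rdn.split("=", 1)[1] for rdn in split_dn(dn)[1:])
    name = re.sub(r"[^A-Za-z0-9_]", "_", "_".join(values))
    if not _IDENT.match(name):
        raise ValueError("cannot derive a safe table name from %r" % dn)
    return name

def snapshot(entries):
    """Load (dn, (cn, sn, mail)) records into one table per flattened DN with cn
    as primary key, values passed as bound parameters. Returns {table: rows}."""
    conn = sqlite3.connect(":memory:")
    for dn, (cn, sn, mail) in entries:
        tbl = table_name(dn)
        conn.execute("CREATE TABLE IF NOT EXISTS %s "
                     "(cn TEXT PRIMARY KEY, sn TEXT, mail TEXT)" % tbl)
        conn.execute("INSERT OR REPLACE INTO %s VALUES (?, ?, ?)" % tbl, (cn, sn, mail))
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'").fetchall()]
    result = {t: conn.execute("SELECT * FROM %s ORDER BY cn" % t).fetchall() for t in tables}
    conn.close()
    return result

if __name__ == "__main__":
    for tbl, rows in snapshot(SAMPLE_ENTRIES).items():
        print(tbl, rows)
```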

[/solution]

ldapsearch syntax part three

[problem]

Looking for a given user, searching on two fields: first name and surname.

[/problem]

[solution]

Here is an example of searching against two fields, which is effectively a logical AND.

[/solution]

[example]

Searching on two fields and returning those fields, plus email:

ldapsearch -x -v -D "cn=Manager,dc=demo,dc=net" -w secret \
    -b 'dc=demo,dc=net' -s sub '(&(givenname=John)(sn=Doe))' \
    givenname sn mail

[/example]

[reference]

[tags]ldapsearch syntax, openldap ldapsearch, LDAP Training School[/tags]

[/reference]

ldapsearch syntax part two

I purposely kept the first LDAP post simple, to help get the syntax across.

[problem]

Looking for a given user, searching by first name.

[/problem]

[solution]

ldapsearch can match on any field within the LDAP record, and can perform wildcard matches.

[/solution]

[example]

Here are some more examples:

ldapsearch -L -x -v -D 'cn=Manager,dc=demo,dc=net' -w secret -b 'dc=demo,dc=net' -s sub 'givenname=*' givenname sn mail

Basic LDAP syntax demo part2
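Both the AND filter in part three and the wildcard filter above are filter strings, and the moment a script builds one from a name typed by a user, '*', '(', ')' and '\' in that name must be escaped (RFC 4515) or they change the meaning of the filter rather than being matched. The following added example (not part of this post) builds those filters with escaping and assembles the ldapsearch argv without a shell; it uses -W to prompt for the bind password instead of passing it with -w. The function names are assumptions.

```python
# RFC 4515 section 3: these characters must be escaped as \xx inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """Escape one literal attribute value for use inside a search filter, so
    that a ')' or '*' in a surname is matched literally instead of changing
    the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(conditions, wildcard=frozenset()):
    """Build an equality filter ANDing every attribute in `conditions` (a dict
    attr -> value). Attributes listed in `wildcard` get a trailing '*' for a
    prefix match, which is how the 'givenname=*' example above is expressed
    (value "" gives the bare wildcard). One condition needs no '&' wrapper."""
    if not conditions:
        raise ValueError("at least one condition is required")
    parts = []
    for attr, value in conditions.items():
        escaped = escape_filter_value(value)
        if attr in wildcard:
            escaped += "*"
        parts.append("(%s=%s)" % (attr, escaped))
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"

def ldapsearch_argv(bind_dn, base, conditions, attrs, wildcard=frozenset()):
    """argv for the ldapsearch call shown in the post. Passed as a list to
    subprocess.run (no shell), the filter needs no shell quoting; -W prompts
    for the bind password so it does not appear on the command line."""
    return ["ldapsearch", "-x", "-D", bind_dn, "-W", "-b", base, "-s", "sub",
            build_filter(conditions, wildcard)] + list(attrs)

if __name__ == "__main__":
    print(build_filter({"givenname": "John", "sn": "Doe"}))
    print(build_filter({"givenname": "Jo"}, wildcard={"givenname"}))
    print(build_filter({"sn": "Doe (Jr)"}))
    print(" ".join(ldapsearch_argv("cn=Manager,dc=demo,dc=net", "dc=demo,dc=net",
                                  {"givenname": "John", "sn": "Doe"},
                                  ["givenname", "sn", "mail"])))
```

The JNDI example on this site sidesteps the issue because it searches by matching attributes rather than by a filter string.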

[/example]

[reference]

[tags]ldapsearch syntax, openldap ldapsearch, LDAP Training School[/tags]

[/reference]

Java JNDI talk to LDAP

[problem]

You want to talk to LDAP from Java.

[/problem]

[solution]

Java, as well as Perl, PHP and plain old shell, has APIs to talk to LDAP.

The Java API is probably the most complex one to use; I have provided demos of how to use the others on this site.

More will be added in time.

[/solution]

[example]

Here is a full example of using Java's JNDI to talk to LDAP, performing a search and printing the results:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchResult;

public class getLdapDetails {

    // Join every value of one attribute, or return "" when the entry lacks it
    // (attributes.get() returns null in that case, which would otherwise NPE).
    private static String values(Attributes attributes, String name, String sep)
            throws NamingException {
        Attribute attr = attributes.get(name);
        if (attr == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        NamingEnumeration<?> vals = attr.getAll();
        while (vals.hasMore()) {
            if (sb.length() > 0) {
                sb.append(sep);
            }
            sb.append(vals.next().toString());
        }
        return sb.toString();
    }

    public static void main(String[] argv) {
        if (argv.length != 1) {
            System.err.println("usage: java getLdapDetails <surname>");
            System.exit(1);
        }

        String url = "ldap://127.0.0.1:389";
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Simple bind as the directory manager, the same credentials as the ldapsearch demos.
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=Manager,dc=demo,dc=net");
        env.put(Context.SECURITY_CREDENTIALS, "secret");

        try {
            DirContext ctx = new InitialDirContext(env);

            // Attributes to return, and the attribute the entry must match:
            // sn equal to argv[0]. This form matches on attribute values, not a filter string.
            String[] attrIDs = { "givenname", "sn", "mail" };
            Attributes matchAttrs = new BasicAttributes(true); // ignore attribute-name case
            matchAttrs.put(new BasicAttribute("sn", argv[0]));
            NamingEnumeration<SearchResult> results =
                    ctx.search("dc=demo,dc=net", matchAttrs, attrIDs);

            while (results.hasMore()) {
                Attributes attributes = results.next().getAttributes();
                // Output format: givenname(s), sn - mail
                String personRecord = values(attributes, "givenname", ", ") + ", "
                        + values(attributes, "sn", " - ") + " - "
                        + values(attributes, "mail", " ");
                System.out.println(personRecord);
            }

            ctx.close();
        } catch (NamingException ne) {
            System.err.println(ne.toString());
        }
    }
}

Then a run-through:


$ java getLdapDetails Doe
John, Doe - [email protected]

[/example]

[reference]

[tags]Java JNDI to LDAP, JNDI LDAP, LDAP Training School[/tags]

[/reference]

ldapsearch syntax

[problem]

You want to perform an LDAP search.

[/problem]

[solution]

Starting this topic slowly, by giving practical tips on LDAP commands.

Predominantly, LDAP has a couple of main commands: ldapsearch and ldapmodify. OpenLDAP additionally has ldapadd; with Netscape this is just ldapmodify -a.

[/solution]

[example]


ldapsearch [ -v ] -x -D 'user' -w 'password' \
    [ -h host -p port ] -b base \
    -s depth 'criteria' [ attribs ]

User – the LDAP user to bind as; quite often the directory manager, so usually you can get away with cn=Manager,your_tree.

Password – the LDAP password for that user. For the manager, it is the password configured in the LDAP server configuration; for other users, it is the password stored within LDAP itself.

Host and port – self-explanatory (default localhost on port 389).

Base – starting point within the LDAP tree. Remember LDAP is hierarchical, so the search will traverse down from this point.

Depth – can be base (only show the base level, do not descend into the tree); specify sub to descend into the whole subtree.

Criteria – requirements for fields equalling a specific value; more on this shortly.

Attribs – fields to return; the dn is normally returned by default.

Demo:

ldapsearch -x -v -D'cn=Manager,dc=users,dc=net' -w secret -b'dc=users,dc=net' -s sub 'objectclass=*'

Basic LDAP syntax demo

[/example]

[reference]

[tags]ldapsearch syntax, ldapsearch demo, LDAP Training School[/tags]

[/reference]

LDAP reference – LDAP result codes

[problem]

Getting errors in LDAP.

[/problem]

[solution]

The LDAP result code numbers and their meanings are listed below.

[/solution]

[example]


Number  Meaning
0       Success
1       Operations error
2       Protocol error
3       Time limit exceeded
4       Size limit exceeded
5       Compare false
6       Compare true
7       Authentication method not supported
8       Strong authentication required
9       Partial results and referral received
10      Referral received
11      Administrative limit exceeded
12      Unavailable critical extension
13      Confidentiality required
14      SASL bind in progress
16      No such attribute
17      Undefined attribute type
18      Inappropriate matching
19      Constraint violation
20      Type or value exists
21      Invalid syntax
32      No such object
33      Alias problem
34      Invalid DN syntax
35      Object is a leaf
36      Alias dereferencing problem
48      Inappropriate authentication
49      Invalid credentials
50      Insufficient access
51      Server is busy
52      Server is unavailable
53      Server is unwilling to perform
54      Loop detected
64      Naming violation
65      Object class violation
66      Operation not permitted on non-leaf entry
67      Operation not permitted on an RDN
68      Entry already exists
69      Cannot modify object class
70      Results too large
71      Affects multiple servers
76      Virtual list view error

[/example]