This is part of a list of blog posts.
To browse the contents go to

Prerequisites and basic setup







  • Setup connection (Note that I skipped "the setting of admin password")


How to view all available objects and attributes within the LDAP Schema?

Right-click on the connection ("TestConn") and select Schema browser. Type an object class name into the filter box to narrow the list down to it.

What are partitions?

In ApacheDS entries are stored in partitions. Each partition contains a complete entry tree, also referred to as a DIT. Multiple partitions may exist, and the entry trees they contain are disconnected from each other, meaning that changes to entries in partition A never affect entries in partition B. The entries in a particular partition are stored below a naming context called the partition suffix.
The default partition implementation is based on JDBM B+Trees (custom partition implementations can be added). The ApacheDS default configuration contains a data partition with the suffix "dc=example,dc=com". The image below shows the suffixes of a freshly installed ApacheDS as seen in Apache Directory Studio.
The schema subsystem stores its information in the special partition "ou=schema"; ApacheDS itself keeps its configuration and system entries in "ou=config" and "ou=system".

Create partition

To create a partition, open the server configuration:


Click "Advanced partitions configuration" and then "Add".


As you can see, we have modified only the ID and the Suffix; all the other parameters keep their default values.

Notice that the default object class (the domain object class) is used for the top-level entry, and that the other attributes are generated for you.

Save the configuration now, and restart the server and reopen the connection.


Adding entries

The most commonly used methods are:


  1. LDIF, the LDAP Data Interchange Format: the IETF-standardized textual format (RFC 2849) for loading (importing) and saving (exporting) entries of an LDAP-enabled directory.
  2. Programmatically, using an API provided by the LDAP product. In our case the ApacheDS LDAP API is an ongoing effort to provide an enhanced LDAP API as a replacement for JNDI and the existing LDAP APIs (jLdap and the Mozilla LDAP API).
  3. Programmatically using JNDI

I'll try methods 1 and 3.

Method 1: Using LDIF

Load an LDIF file using either the command line or Directory Studio.

# sample.ldif
# create an entry under the organization for all employees
dn: ou=employees,o=csRepository
changetype: add
objectclass: organizationalUnit
objectclass: top
ou: employees


# sample.ldif
# create an employee under employees
dn: cn=John Eipe,ou=employees,o=csRepository
changetype: add
mail: john77eipe@gmail.com
userpassword: qwer1234
description: the first and the only employee as of now
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
sn: Eipe
cn: John Eipe

Notice that the server rejects this entry because of the userpassword value. This is the ApacheDS password policy at work, not the object classes: an object class only defines which attributes an entry must or may carry (for inetOrgPerson, for example, sn and cn are mandatory), it does not check the values. Changing the password to a value the policy accepts makes the import work:
userpassword: manager


Let's add one more entry.
# sample.ldif
# create another employee under employees
dn: cn=Jack Sparrow,ou=employees,o=csRepository
changetype: add
mail: jacksparrow@gmail.com
userpassword: assistant
description: my side kick
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
sn: Jacky
cn: Jack Sparrow

After loading,



Method 3: Using JNDI

Since we are focused on java, let's see how we do various operations through JNDI.

Both the JNDI and LDAP models define a hierarchical namespace in which you name objects. Each object in the namespace may have attributes that can be used to search for the object. At this high level, the two models are similar, so it is not surprising that the JNDI maps well to the LDAP.

You can think of an LDAP entry as a JNDI DirContext. Each LDAP entry contains a name and a set of attributes, as well as an optional set of child entries.


Mapping JNDI methods to LDAP operations

Operation   What it does                                         JNDI equivalent
Search      Search the directory for matching entries            DirContext.search()
Compare     Compare an entry against a set of attributes         DirContext.search() (a search whose filter states the comparison and that returns no attributes)
Add         Add a new directory entry                            DirContext.bind(), DirContext.createSubcontext()
Modify      Modify a particular directory entry                  DirContext.modifyAttributes()
Delete      Delete a particular directory entry                  Context.unbind(), Context.destroySubcontext()
Rename      Rename an entry or modify its DN                     Context.rename()
Bind        Start a session with an LDAP server                  new InitialDirContext()
Unbind      End a session with an LDAP server                    Context.close()
Lookup      Find the object associated with a name               Context.lookup()
Abandon     Abandon an operation previously sent to the server   Context.close(), NamingEnumeration.close()
Extended    Extended operations                                  LdapContext.extendedOperation()


Initial steps:
  • Connect to the server
    To connect to the server, you must obtain a reference to an object that implements the DirContext interface. In most applications this is done with an InitialDirContext object, whose constructor takes a Hashtable as its argument. The Hashtable contains entries such as the hostname, the port and the JNDI service provider class to use:
    //In the main() method of the program, create an initial directory context. 
    //This is similar to creating an initial context in the previous naming example, 
    //except that you use the constructor for InitialDirContext
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://localhost:10389/o=csRepository");
    DirContext ctx = new InitialDirContext(env);
    
  • Authenticate to server
    In LDAP version 2 all clients had to authenticate while connecting; version 3 defaults to an anonymous bind, so if the defaults above are used the connection is anonymous as well. LDAP servers maintain rights using access control lists (ACLs) that determine what access an application gets to a given entry. LDAP supports three kinds of authentication:
    - Simple: a bind DN and password sent in cleartext. Fast, but only acceptable when the transport is encrypted (ldaps://, or StartTLS on the plain port) or when talking to a throwaway local test server such as the one used here.
    - SSL/TLS: the bind (still usually a simple bind) travels over an SSL/TLS-encrypted connection, so the password is not exposed on the network.
    - SASL: the Simple Authentication and Security Layer, which carries mechanisms such as DIGEST-MD5 or GSSAPI (Kerberos) and never sends the cleartext password.
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://localhost:10389/o=csRepository");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system"); // the bind DN; this is ApacheDS's built-in administrator
    env.put(Context.SECURITY_CREDENTIALS, "secret");            // its default password; change it on any server that is not a throwaway
    DirContext ctx = new InitialDirContext(env);
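
Putting the two steps together, the program below is an added example (not code from the original post) that binds as the ApacheDS administrator, adds an employee entry equivalent to the LDIF from Method 1 using DirContext.createSubcontext(), and then searches for it by mail address. It assumes the server and partition from this post (ldap://localhost:10389, o=csRepository with ou=employees already created) and the default administrator account; the employee it adds is made up for the example. Two things the page's table does not show are built in: the connect() helper refuses to send a simple bind in cleartext to anything but a local test server, and the values that end up inside a DN or a search filter are escaped (RFC 4514 and RFC 4515), because an unescaped, user-supplied mail address such as "*)(objectClass=*" would otherwise rewrite the filter (LDAP injection).

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class ApacheDsJndiDemo {
    // Assumed setup: the server and partition from this post and ApacheDS's default administrator.
    private static final String URL = "ldap://localhost:10389";
    private static final String BIND_DN = "uid=admin,ou=system";
    private static final String BIND_PW = System.getenv().getOrDefault("LDAP_PW", "secret");
    private static final String EMPLOYEES = "ou=employees,o=csRepository";

    static DirContext connect(String url, String bindDn, String password) throws NamingException {
        // A simple bind ships the password in cleartext: allow it only over ldaps:// or to a local test server.
        boolean encrypted = url.startsWith("ldaps://");
        boolean local = url.startsWith("ldap://localhost") || url.startsWith("ldap://127.0.0.1");
        if (!encrypted && !local) {
            throw new IllegalArgumentException("refusing cleartext simple bind to " + url);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // RFC 4514: escape characters that are special inside an RDN value.
    static String escapeDn(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            boolean edgeSpace = c == ' ' && (i == 0 || i == v.length() - 1);
            if ("\\,+\"<>;".indexOf(c) >= 0 || (c == '#' && i == 0) || edgeSpace) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // RFC 4515: escape characters that are special inside a search filter value.
    static String escapeFilter(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same attributes as the inetOrgPerson entries in the LDIF, built as JNDI attributes.
    static void addEmployee(DirContext ctx, String cn, String sn, String mail, String userPassword)
            throws NamingException {
        BasicAttribute oc = new BasicAttribute("objectClass");
        oc.add("top"); oc.add("person"); oc.add("organizationalPerson"); oc.add("inetOrgPerson");
        Attributes attrs = new BasicAttributes(true); // true: attribute names are case-insensitive
        attrs.put(oc);
        attrs.put("cn", cn);
        attrs.put("sn", sn);
        attrs.put("mail", mail);
        attrs.put("userPassword", userPassword);
        ctx.createSubcontext("cn=" + escapeDn(cn) + "," + EMPLOYEES, attrs).close();
    }

    // Returns the DN of the employee with this mail address, or null; the filter value is escaped.
    static String findDnByMail(DirContext ctx, String mail) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"}); // never read userPassword back
        String filter = "(&(objectClass=inetOrgPerson)(mail=" + escapeFilter(mail) + "))";
        NamingEnumeration<SearchResult> results = ctx.search(EMPLOYEES, filter, sc);
        try {
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            results.close(); // abandons the search if results are still pending
        }
    }

    public static void main(String[] args) throws NamingException {
        DirContext ctx = connect(URL, BIND_DN, BIND_PW);
        try {
            // made-up employee for this example
            addEmployee(ctx, "Will Turner", "Turner", "willturner@example.com", "blacksmith");
            System.out.println(findDnByMail(ctx, "willturner@example.com"));
            System.out.println(findDnByMail(ctx, "*)(objectClass=*")); // injected input matches nothing
        } finally {
            ctx.close(); // LDAP unbind
        }
    }
}
```

JNDI can also do the filter escaping for you: ctx.search(base, "(mail={0})", new Object[] {mail}, sc) substitutes the argument with the proper RFC 4515 encoding. The explicit escapeFilter() above is kept so that it is clear what the substitution has to do and where string concatenation goes wrong.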
    

Operations on LDAP

Note that the examples that follow don't use any authentication: all operations are done as the anonymous user.
