Ldap

From Wiki REDDES


Introduction

LDAP is a directory tree that can store information about people, resources and groups. It was developed at the University of Michigan and can be used in several access scenarios, from workstation logins to applications; once the user is logged in, we can define what they may access by means of a bind.

LDAP and PHP

http://wiki.reddes.bvsalud.org/index.php/Ldap_php

Storage

Each user has mandatory data and may also have data that only a small group of users needs, for example the names of employees' children. Some attributes have abbreviated names such as uid, cn and sn, others common names such as mail.

LDIF

  1. The LDAP Data Interchange Format (LDIF) is described in RFC 2849 (http://www.rfc-archive.org/getrfc.php?rfc=2849)
  2. LDIF is a plain-text representation for storing LDAP configuration information and directory contents.
  3. An LDIF file contains:
    1. A collection of entries separated from each other by blank lines;
    2. A mapping of attribute names to values;
    3. A collection of directives that instruct the parser how to process the information.
  4. Very simple syntax:
    1. Comments start with a pound character (#) in position 1 and continue to the end of the current line.
    2. Attributes are on the left-hand side of the colon (:) and values on the right-hand side. The colon is separated from the value by a space.
    3. The dn attribute uniquely identifies the DN of the entry.

LDIF Sample

dn: dc=be
objectClass: top
objectClass: dcObject
dc: be

dn: dc=net
objectClass: top
objectClass: dcObject
dc: net

dn: o=kangaroot, dc=net
objectClass: organization
o: kangaroot
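A small parser for the format described above, added here as an example (it is not code from the page or from OpenLDAP). SAMPLE_LDIF is a constructed input modelled on the sample, extended with the base64 (`::`) and line-folding rules of RFC 2849 so that the parser shows how those cases are handled.

```python
import base64
# Constructed LDIF (not from the page) exercising the rules above: a '#'
# comment in column 1, blank lines between entries, "attr: value" pairs, an
# "attr:: value" base64 value and a leading-space continuation line (RFC 2849).
SAMPLE_LDIF = """\
# organization entry below dc=net
dn: dc=net
objectClass: dcObject
dc: net

dn: o=kangaroot, dc=net
objectClass: organization
o: kangaroot
description:: a2FuZ2Fyb290IGRlbW8=
description: a long value that
  continues on the next line
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Return one dict per entry; each attribute maps to a list of values."""
    # Unfold first: a line starting with one space continues the previous one.
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in logical:
        if line.startswith("#"):        # comment, only recognised in column 1
            continue
        if line.strip() == "":           # a blank line closes the entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith(" "):      # "attr: value": one separating space
            value = value[1:]
        # Not stripped at the end: in LDIF a trailing blank is part of the value,
        # so "uid: kali " stores "kali ", which is not equal to "kali".
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries
```

The trailing-blank rule is the reason a line such as `userPassword: {SSHA}... ` with a space after the hash stores a value that never verifies.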

Installation

Debian:   apt-cache search ldap, then apt-get install (package name found)
Fedora:   yum search ldap, then yum install (package name found)
OpenSuse: zypper search ldap, then zypper install (package name found)

http://www.openldap.org/software/download/

chown -R ldap:ldap /etc/openldap

Graphical access

Directory browsing tool "LDAP Browser Softerra": http://www.ldapadministrator.com/download.htm
Several directory administration tools: http://www.ldap.org.br under Documentações/Ferramentas Gráficas

Configuring the LDAP server

OpenLdap:/etc/openldap # vi slapd.conf

suffix  "dc=empresa,dc=com,dc=br"
rootdn  "cn=Manager,dc=empresa,dc=com,dc=br"
rootpw  tecnologia

Hashing the LDAP server password

CursoOpenLdap:/etc/openldap # slappasswd -s tecnologia
{SSHA}VsgDpQ39E7Ntnd2wCtdL81xuuu6PC3D4

Adding the hashed password to the LDAP server

OpenLdap:/etc/openldap # vi slapd.conf

suffix  "dc=empresa,dc=com,dc=br"
rootdn  "cn=Manager,dc=empresa,dc=com,dc=br"
rootpw  {SSHA}VsgDpQ39E7Ntnd2wCtdL81xuuu6PC3D4

Testing the LDAP server configuration

CursoOpenLdap:/etc/openldap # slaptest -u -v
config file testing succeeded

Configuring the LDAP client

OpenLdap:/etc/openldap # vi ldap.conf

host    localhost
base    dc=empresa,dc=com,dc=br

Applied example

//------ LDAP General Server Settings ------//
//
// Name or address of the LDAP server
//  For SSL/TLS use 'ldaps://localhost'
$ldap_server = '172.27.1.50';

// Port LDAP listens on (default 389)
$ldap_port = '389';

// base DN to search for users
// $ldap_base_dn = 'ou=people,dc=company,dc=com';
$ldap_base_dn = 'cn=Users,dc=bvs,dc=bireme,dc=local';
// The ldap attribute used to find a user (login).
// E.g., if you use cn,  your login might be "Jane Smith"
//       if you use uid, your login might be "jsmith"
//$ldap_login_attr = 'uid';
$ldap_login_attr = 'sAMAccountName';

Preparing the directory

list all content:

ldapsearch -x -b dc=empresa,dc=com,dc=br

registering the company

ldapadd -x -D cn=Manager,dc=empresa,dc=com,dc=br -w tecnologia -f aula_ldap/empresa.ldif 

registering the OUs

ldapadd -x -D cn=Manager,dc=empresa,dc=com,dc=br -w tecnologia -f aula_ldap/unidades.ldif 

registering the users

ldapadd -x -D cn=Manager,dc=empresa,dc=com,dc=br -w tecnologia -f aula_ldap/usuarios.ldif 

Checking the search base

ldapsearch -x -LLL -s base -b ''  namingContexts

Querying the directory

ldapsearch -x -b dc=empresa,dc=com,dc=br uid=sonia

ldapsearch -x -LLL uid=sonia

ldapsearch -x -b dc=empresa,dc=com,dc=br 'uid=k*'

ldapsearch -x "sn=*zurra"

Deleting from the directory

ldapdelete -x -D cn=Manager,dc=empresa,dc=com,dc=br -w tecnologia -v uid=willian,ou=usuarios,dc=empresa,dc=com,dc=br

ldapdelete -x -D cn=Manager,dc=empresa,dc=com,dc=br -w tecnologia -r -v ou=usuarios,dc=empresa,dc=com,dc=br

ldapdelete -x -D cn=Manager,dc=empresa,dc=com,dc=br -w tecnologia -r -v dc=empresa,dc=com,dc=br

File empresa.ldif

dn: dc=empresa,dc=com,dc=br
objectClass: top
objectClass: dcObject
objectClass: organization
o: Bireme Curso Ltda.
dc: empresa

File unidades.ldif

dn: ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: organizationalUnit
ou: Usuarios

File usuarios.ldif

dn: ou=grupos,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: organizationalUnit
ou: grupos

dn: uid=willian,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: willian
cn: Willian
sn: Guedes
mail: willian@openldap.org
userPassword: {SSHA}z/yFNps5tqWl9pw0NVkuzZaPEqMqRp16

dn: uid=marcio,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: marcio
cn: Marcio
sn: Galvao
mail: willian@openldap.org
userPassword: {SSHA}z/yFNps5tqWl9pw0NVkuzZaPEqMqRp16

dn: uid=claudia,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: claudia
cn: Claudia
sn: Tomie
mail: claudia@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=daniela,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: daniela
cn: Daniela
sn: Macedo
mail: daniela@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=patricia,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: patricia
cn: Patricia
sn: Lima
mail: patricia@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=tatiane,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: tatiane
cn: Tatiane
sn: Barros
mail: tatiane@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=michele,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: michele
cn: Michele
sn: Guimaraes
mail: michele@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=luciane,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: luciane
cn: Luciane
sn: Girardelli
mail: luciane@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=kali,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: kali
cn: Kali
sn: Azurra
mail: kali@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=erika,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: erika
cn: Erika
sn: Pellegrini
mail: erika@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=karina,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: karina
cn: Karina
sn: Torres
mail: karina@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=angelica,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: angelica
cn: Angelica
sn: Tineo
mail: angelica@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk

dn: uid=sonia,ou=usuarios,dc=empresa,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: sonia
cn: Sonia
sn: Cara
mail: sonia@openldap.org
userPassword: {SSHA}lTTeRoOHwnnqxptq/6AsFin+Vlh/yaNk