ldapv3.pdf 7947KB Apr 17 2013 11:30:42 AM - mirror omadata

More documents

Recommendations

Info

dnattr The dnattr matching construct allows the administrator to specify an attribute within the object itself that contains dns to be matched. This usually requires the object to have an objectclass of some type meant to store a list of dns (groupofnames, groupofuniquenames, organizationalrole, etc...) Example: access to dn="cn=Staff,ou=ListAliases,ou=MailAliases,o=Morrison Industries,c=US" by dnattr=uniquemember write by * read This would grant write access to the cn=Staff,ou=ListAliases,... object to all connections whose authenticated dn is found in one of the objects uniquemember attributes, all other connections would have read access to the object.
Regular Expression Matching The use of regular expressions in the matching pattern provides the ability to construct intelligent and extrememly powerful access control rules. Example: access to dn="cn=([^,]+),ou=ListAliases,ou=MailAliases,o=Morrison Industries,c=US" by group/groupOfUniqueNames/uniquemember="cn=$1 ListAlias,ou=ACLGroups,o=Morrison Industries,c=US" write by group/groupOfUniqueNames/uniquemember="cn=CIS Dept,ou=ACLGroups,o=Morrison Industries, c=US" write by * read The above rule grants uniquemembers of the CIS Dept object under ou=ACLGroups write access to all objects directly under ou=ListAliases. For each object under ou=ListAliases a correspondingly named object under ou=ACLGroups is used to grant per object access to an arbitrary group of uniquemembers. So a uniquemember of object cn=Staff ListAlias,ou=ACLGroups,.... would have write access to the object cn=Staff,ou=MailAliases,..... All other connections would have read access.
Page 1 and 2:
LDAP and OpenLDAP (on the Linux Pla
Page 3 and 4:
KLUG The master copy of this docume
Page 5:
Versions For the most part this doc
Page 8 and 9:
What is a directory? A directory is
Page 10 and 11:
¤¥ § ¨ © ¨ ¨ £¡ ¡
Page 12 and 13:
Requirements An LDAPv3 compliant di
Page 14 and 15:
Gotcha: “requested“ protocol ve
Page 16 and 17:
Multi-Valued RDNs While most object
Page 19 and 20:
Schema A directory has a schema sim
Page 21 and 22:
1.1.x It is true that the 1.1.x OID
Page 23 and 24:
WARNING (Object Class Type) Early O
Page 25 and 26:
Attribute Schema OID Name (alias fo
Page 27 and 28:
Attribute Syntaxes Data Type OID De
Page 29:
The OID is the truth. The names of
Page 32 and 33:
Illegal Partitions The law of parti
Page 34:
Subordinate Information Subordinate
Page 37 and 38:
Operational ACI Attributes If your
Page 39 and 40:
subSchema One of the most useful bi
Page 41 and 42:
The ManageDsaIT Control OID: 2.16.8
Page 43 and 44:
The "alias" object The alias object
Page 45 and 46:
Start TLS Extended Operation OID: 1
Page 47:
2.1.x hasSubordinates Only implemen
Page 50 and 51:
Supported `Advanced' Features Featu
Page 52 and 53:
The Config Files Configuration file
Page 54 and 55:
slapd.conf (defaultsearchbase) The
Page 56 and 57:
equire The require configuration di
Page 58 and 59:
loglevel The loglevel directive con
Page 60 and 61:
Checking the SSL Configuration Once
Page 62:
Supported Bind Types Depending on h
Page 65 and 66:
SASL RPMs Redhat 8.0 is the first t
Page 67 and 68:
SASL Methods PLAIN (AUXPROP, SASLAU
Page 69 and 70:
C? KP Q >C >GP X O X > NN>K?[ TM >P
Page 71 and 72:
saslpasswd & saslpasswd2 saslpasswd
Page 73 and 74:
PLAIN Authentication PLAIN SASL aut
Page 75 and 76:
2.1.x Authentication Request DN Map
Page 77 and 78:
2.1.x sasl-regexp rewrite pattern s
Page 79 and 80:
OpenLDAP + SASL + PAM 1. Make sure
Page 81 and 82:
OpenLDAP + SASL + GSSAPI (OpenLDAP
Page 83 and 84:
OpenLDAP + SASL + GSSAPI (OpenLDAP
Page 86 and 87:
slapd.conf (Database) # ldbm databa
Page 88 and 89: ack-ldbm back-ldbm is the standard
Page 90 and 91: ack-bdb back-bdb configuration dire
Page 92 and 93: ack-sql The SQL backend is not buil
Page 94 and 95: ack-shell The back-shell backend al
Page 96 and 97: LDAP Indexes pres - An index of wha
Page 99 and 100: Buffer Stuffing (Single Threaded In
Page 101 and 102: Filesystem Since the LDAP database
Page 103 and 104: Journalized Filesystems Journalized
Page 106 and 107: The purpose of back-sql The back-sq
Page 108 and 109: Mapping Concept back-sql uses a set
Page 110 and 111: Objectclass Mappings ldap_oc_mappin
Page 112 and 113: Attribute Mappings Stored procedure
Page 114 and 115: Objectclass Mapping ldap_entry_objc
Page 116 and 117: Stored Procedures
Page 118: Using Triggers & Events
Page 121 and 122: Replication Diagram Replication Dia
Page 123 and 124: Populating Slaves One of the most d
Page 125 and 126: The Replication Log On serveral dis
Page 127 and 128: The Rejection Log The rejection log
Page 129 and 130: Chasing Referrals If a client submi
Page 132 and 133: The ACL Stack Access control for ob
Page 134 and 135: Default Access defaultaccess { none
Page 136 and 137: Examples The following are example
Page 140 and 141: {}|~ € ‚ z x¢y w ttuv z ‡ ˆ
Page 142 and 143: children & entry The ability to cre
Page 144: A Limitation? One "limitation" of O
Page 147 and 148: Advantages of ACI The single bigges
Page 149 and 150: OpenLDAPacl & OpenLDAPaci Every obj
Page 151 and 152: The ACI ACL (OpenLDAPaci) In order
Page 153 and 154: OpenLDAPaci: Rights The rights fiel
Page 156 and 157: RFC2798 (inetOrgPerson) The inetOrg
Page 158 and 159: RFC2739 http://www.faqs.org/rfcs/rf
Page 160 and 161: Hierarchy: cosine.schema dSA pilotD
Page 162 and 163: Hierarchy: Kerberos V & Samba krb5-
Page 165 and 166: syslog On most platforms OpenLDAP u
Page 167 and 168: etc/openldap/ldap.conf The defaults
Page 169 and 170: The LDAP PAM Module PAM is a system
Page 171 and 172: A PAM LDAP login file #%PAM-1.0 aut
Page 173 and 174: etc/ldap.conf timelimit 30 The maxi
Page 175 and 176: passwd PAM file (/etc/pam.d/passwd)
Page 178 and 179: Migration Scripts PADL.com (Luke Ho
Page 180 and 181: Using the scripts... Once the prope
Page 182: What can be migrated? The stock mig
Page 187 and 188: An entry of posixAccount Object stu
Page 189 and 190:
ipHost Object An entry of 127.0.0.1
Page 191 and 192:
oncRpc Object An entry of fypxfrd60
Page 194 and 195:
What is an SRV record? Traditionall
Page 196 and 197:
1123 vs. 2181 SRV protocol and serv
Page 198 and 199:
SRV and nss_ldap To use SRV records
Page 201 and 202:
Root Referrals To configure with Op
Page 204 and 205:
Loading Tip: Objectclass When loadi
Page 206 and 207:
Misc. Data Loading Tips 1. If a lin
Page 208 and 209:
Non-English Data If your data conta
Page 211 and 212:
OpenLDAP Utilities ldapsearch Allow
Page 213 and 214:
LDAP Queries ldapsearch "(&(uid=awi
Page 215 and 216:
Requesting Attributes If you do not
Page 217 and 218:
ldapmodrdn While the dn of an objec
Page 219 and 220:
slapadd slapadd is used to initiall
Page 222 and 223:
gq gq is an LDAP v3 utility for Gna
Page 224 and 225:
gq (Schema browser)
Page 226 and 227:
HAD Hyperactive Directory Administr
Page 228 and 229:
Directory Administrator (http://www
Page 230 and 231:
LDAP Browser / Editor (http://www.i
Page 232 and 233:
LDIF To VCard http://www.pawebworld
Page 234 and 235:
From the cpu manual page CPU (http:
Page 236 and 237:
Wallal (http://www.mnot.net/wallal/
Page 238 and 239:
mod_auth_ldap (http://nona.net/soft
Page 240 and 241:
Gnarwl (http://www.oss.billiton.de/
Page 242 and 243:
š š š
Page 244 and 245:
MaxWare Directory Explorer Version
Page 246 and 247:
ActiveX LDAP Client http://www.polo
Page 249 and 250:
saslauthd saslauthd is a stand alon
Page 251 and 252:
saslauthd Options saslauthd a authm
Page 253 and 254:
RedHat's saslauthd The RedHat Cyrus
Page 255 and 256:
saslauthd -a ldap LDAP related sasl
Page 257 and 258:
saslauthd -a ldap saslauthd -a ldap
Page 260 and 261:
m4: LDAPDefaultSpec The first m4 va
Page 262 and 263:
m4: LDAPROUTE_DOMAIN The m4 sendmai
Page 264 and 265:
¨ Ÿ ¦ «° µ¬ ¨ Ÿ ¦ «° µ
Page 266 and 267:
RFC822 rfc822 defines a the concept
Page 268 and 269:
LDAP + sendmail You can also define
Page 270 and 271:
LDAP SMTP Access Control cn=Allow S
Page 272 and 273:
The Sendmail Schema
Page 274 and 275:
sendmailMTAHost attributetype ( 1.3
Page 276 and 277:
sendmailMTAKey attributetype ( 1.3.
Page 278 and 279:
sendmailMTAMapValue attributetype (
Page 280 and 281:
sendmailMTAMapObject objectclass (
Page 282 and 283:
sendmailMTAAlias objectclass ( 1.3.
Page 284 and 285:
sendmailMTAClassName & sendmailMTAC
Page 286 and 287:
Installing GNARWL GNARWL in an LDAP
Page 288 and 289:
GNARWL Integration
Page 290 and 291:
This information now exclusively ap
Page 292 and 293:
Building Samba 1. Grab the latest s
Page 294 and 295:
[globals] encrypt passwords = yes d
Page 296 and 297:
The Admin And His Secrets Since the
Page 298 and 299:
Samba Users Samba users must be UN*
Page 300 and 301:
Samba User Attributes profilePath -
Page 302 and 303:
Samba Times The sambaAccount object
Page 304 and 305:
Samba Security The ntpassword and l
Page 306 and 307:
Samba Attribute Indexes For good pe
Page 309 and 310:
What is Squid? http://www.squid-cac
Page 311 and 312:
Authentication Helpers Squid uses h
Page 313 and 314:
squid_ldap_auth The helper for dire
Page 315 and 316:
squid_ldap_match The squid_ldap_mat
Page 317 and 318:
squid_ldap_match squid_ldap_match -
Page 319:
Example Squid Configuration auth_pa
Page 322 and 323:
DNS & Cosine The Cosine schema (inc
Page 324 and 325:
objectclass: dNSZone (¼) DNS recor
Page 326 and 327:
objectclass: dNSZone (¾) dNSTTL (1
Page 328 and 329:
objectclass: dNSZone (5/6) dn: rela
Page 330 and 331:
Configuring sbd ldap zone "3.168.19
Page 332 and 333:
Ü Misc. Points Features LDAP URLS
Page 335 and 336:
The ISC DHCP Server http://www.isc.
Page 337 and 338:
LDAP DHCP Configuration In order to
Page 339 and 340:
Indexes /etc/openldap/slapd.conf in
Page 341 and 342:
dhcpServer & dhcpService dn:cn=esta
Page 343 and 344:
dhcpGroup Object dn: cn=group,cn=wh
Page 347 and 348:
What is pppd? The pppd daemon is an
Page 349 and 350:
Challenge Host Authentication Proto
Page 351 and 352:
LDAP chap-secrets entry If you are
Page 353 and 354:
Other LDAP enabled pppds ftp://ftp.
Page 356 and 357:
What is Turba? Turba is a web addre
Page 358 and 359:
Source Parameters The params array
Page 360 and 361:
Turba Source Search Keys The search
Page 362 and 363:
Turba LDAP Personal Address Books L
Page 364:
Turba LDAP Personal Address Book De
Page 367 and 368:
Setting Up To Use The DSA DSA Host
Page 369 and 370:
Viewing The Object From the address
Page 372 and 373:
What is evolution? http://www.ximia
Page 374 and 375:
evolutionPerson The evolution sourc
Page 376 and 377:
Calender Entries
Page 378 and 379:
Viewing An LDAP Addressbook LDAP ad
Page 380 and 381:
Contact Details (Dialog relations t
Page 383 and 384:
What is Mozilla?
Page 387 and 388:
What is GQ?
Page 389 and 390:
Drag-n-Drop
Page 391 and 392:
Handling Complex Attribtues Import
Page 394 and 395:
What Is Star Office? What is Open O
Page 396 and 397:
Creating an LDAP Data Source Bring
Page 398 and 399:
Browsing The Address Book Selecting
Page 400 and 401:
Using The Address Book Available da
Page 403 and 404:
ILS The Internet Locator Service is
Page 405 and 406:
ILS and LDAP The Netmeeting Directo
Page 407 and 408:
OpenLDAP as an ILS Agent (OBJECTCLA
Page 409 and 410:
OpenLDAP as an ILS Agent (The secon
Page 411 and 412:
GNOMEMeeting and ILS Before you can
Page 413 and 414:
GNOMEMeeting and ILS GNOME Meeting
Page 415 and 416:
Netmeeting Quibbles The Netmeeting
Page 417:
389 vs. 1002 Prior to Windows 2000
Page 420 and 421:
Why DSML What do directories and XM
Page 422 and 423:
DSML Misc For binary data DSML supp
Page 424 and 425:
DSML Tools A set of DSML utilities
Page 426:
Castor (http://castor.exolab.org/in
Page 429 and 430:
LDAP Authentication Module The LDAP
Page 431 and 432:
Active Directory is a registered tr
Page 433 and 434:
MKSADExtPlugin* (http://www.css-sol
Page 436 and 437:
Using LDAP via PHP Establish Connec
Page 438 and 439:
ldap_connect with URLs If you have
Page 440 and 441:
ldap_set_option / controls if (ldap
Page 442 and 443:
ldap_bind boolean ldap_bind (resour
Page 444 and 445:
ldap_error string ldap_error (resou
Page 446 and 447:
ldap_err2str Error Constant Value L
Page 448 and 449:
ldap_search & dereferencing The der
Page 450 and 451:
ldap_free_result boolean ldap_free_
Page 452 and 453:
ldap_add boolean ldap_add(resource
Page 454 and 455:
ldap_mod_add boolean ldap_mod_add(r
Page 456:
ldap_mod_replace boolean ldap_mod_d
Page 459 and 460:
ldap_init & ldap_open Before any ot
Page 461 and 462:
ldap_bind & ldap_bind_s Once a conn
Page 463 and 464:
ldap_search & ldap_search_s int lda
Page 465 and 466:
ldap_count_entries int ldap_count_e
Page 467 and 468:
ldap_next_entry LDAPMessage* ldap_n
Page 469 and 470:
ldap_first_attribute char* ldap_fir
Page 471 and 472:
ldap_get_values char **ldap_get_val
Page 473 and 474:
void ldap_value_free(char** vals) l
Page 475 and 476:
ldap_unbind & ldap_unbind_s int lda
Page 477 and 478:
#include "stdio.h" #include "stdlib
Page 479 and 480:
la[0] = "givenname"; la[1] = "sn";
Page 481 and 482:
Simple C LDAP Query Walk the Attrib
Page 483 and 484:
ldap_result
Page 485 and 486:
ldap_add & ldap_add_s
Page 487:
ldap_modrdn & ldap_modrdn_s
Page 490 and 491:
NSS LDAP & AIX Since version ~198 P
Page 492 and 493:
Authentication via NSS LDAP on AIX
Page 494 and 495:
The AIX Name Service The NSORDER en
Page 496 and 497:
etc/irs.conf Name spaces: services
Page 498 and 499:
More Information For more informati
Page 500:
More Information... Understanding a
show all

ldapv3.pdf 7947KB Apr 17 2013 11:30:42 AM - mirror omadata

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?