{"id":1524,"date":"2014-08-08T16:22:26","date_gmt":"2014-08-08T21:22:26","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=1524"},"modified":"2020-04-28T09:33:41","modified_gmt":"2020-04-28T14:33:41","slug":"ldap-directories","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=1524","title":{"rendered":"LDAP Directories"},"content":{"rendered":"<p><strong>Origins<\/strong><\/p>\n<p>The International Telecommunication Union, ITU\u00a0<a href=\"http:\/\/www.itu.int\/home\/index.html\">http:\/\/www.itu.int\/home\/index.html<\/a>, is an organisation of the United Nations (sorry, Carra, now I guess all directories are on par with poodles) which submits recommendations for the coordination of global telecom and radio systems.\u00a0\u00a0The Telecommunication Standardisation Sector, ITU-T, is the branch which submits recommendations for telecommunication standards.\u00a0\u00a0ITU-T was formerly known as\u00a0Comit\u00e9 Consultatif International T\u00e9l\u00e9phonique et T\u00e9l\u00e9graphique, CCITT.<\/p>\n<p>Published in volume eight of the 1988 CCITT Blue Book, X.500 is the recommendation for \u201cThe Directory\u201d.\u00a0\u00a0Additional recommendations X.
501, 509, 512, 518, 519, 520, 521, 525, and 530 further defined ITU\u2019s idea for directory service functionality.\u00a0\u00a0Once ITU-T put forth the recommendation, several international standards bodies got involved, eventually yielding the 9594-1 standard from ISO (from isos, the name used by the International Organisation for Standardisation) and IEC (International Electro-technical Commission).\u00a0\u00a0I\u2019ve got the 1993 version (<a href=\"https:\/\/csgdirsvcs.windstream.com:1977\/KBPrototype\/basics\/9594-1-X.500.A4.ps\">.\/9594-1-X.500.A4.ps<\/a>) but never bothered to get the updates.<\/p>\n<p><strong>X.500 Components<\/strong><\/p>\n<p>Some of the terminology used within the X.500 recommendation is also used in non-X.500 directories.\u00a0\u00a0If you want to know more about these or what they do, read the ISO\/IEC standard.<\/p>\n<ul>\n<li>Directory Information Base (DIB) is used to store the directory data<\/li>\n<li>Directory Information Tree (DIT) is a hierarchy within the DIB<\/li>\n<li>Directory Service Agent (DSA) is a server which stores the DIB<\/li>\n<li>Directory User Agent (DUA) is an application interface over which queries are made to the DSA<\/li>\n<li>Directory Access Protocol (DAP) is the method used by the DUA to communicate with the DSA<\/li>\n<li>Directory System Protocol (DSP) is used for communication between DSAs<\/li>\n<li>Directory Management Domain (DMD) contains the DSAs within an organisation<\/li>\n<li>Directory Management Organization (DMO) is the actual organisation of the DMD<\/li>\n<li>Directory Information Shadowing Protocol (DISP) is used to replicate information between DSAs in a DMD<\/li>\n<li>Directory Operational Binding Management Protocol (DOP) is the set of policies which define the administrative information exchanged between DSAs<\/li>\n<\/ul>\n<p><strong>LDAP<\/strong><\/p>\n<p>The X.500 directory access protocol in its full form involves a lot of overhead we just don\u2019t want to incur to keep a 
guy, his password, his address, and his phone number all available somewhere.\u00a0\u00a0Lightweight Directory Access Protocol, LDAP, retains the directory structure of X.500 with a simplified TCP\/IP based access protocol.\u00a0\u00a0Referrals were simplified and the replication protocol generalized.<\/p>\n<p>The LDAP Technical Specification Roadmap is maintained by the Internet Engineering Task Force, IETF, as RFC 4510 (<a href=\"http:\/\/tools.ietf.org\/html\/rfc4510\">http:\/\/tools.ietf.org\/html\/rfc4510<\/a>).\u00a0\u00a0The RFCs that make up LDAP are listed in section 1, &#8220;The LDAP Technical Specification&#8221;.<\/p>\n<p><strong>Directory Components \u2013 Schema:<\/strong><\/p>\n<p>Every directory has a schema set which defines its components.\u00a0\u00a0The schema defines what types of objects exist in the directory and what attributes are valid for those objects.\u00a0\u00a0Schema \u201cattributes\u201d are types of values which can be set on an object \u2013 anything from an asset ID number to a vendor ID.\u00a0\u00a0Schema \u201cclasses\u201d are categories of entries which can be made \u2013 each defining the group of attributes an object of that category can have.\u00a0\u00a0An attribute can be \u201cmandatory\u201d within a class \u2013 for example a user account may need a\u00a0<strong>cn<\/strong>\u00a0value, an\u00a0<strong>objectClass<\/strong>, and an\u00a0<strong>objectCategory<\/strong>.\u00a0\u00a0You cannot make a user account without these values.\u00a0\u00a0The remaining values in a class are \u201coptional\u201d \u2013 you may or may not have facsimileTelephoneNumber on your account.<\/p>\n<p>There are three types of classes: abstract, auxiliary, and structural.\u00a0\u00a0Abstract classes are classes which an object cannot directly be \u2013 cannot be the object\u2019s objectClass \u2013 but are used through subordinate classes to define valid and required attributes.\u00a0\u00a0Auxiliary classes are somewhat like abstract 
classes in that an object cannot\u00a0<em>be<\/em>\u00a0an auxclass \u2013 auxclasses are instead \u2018attached\u2019 to structural classes to create additional valid attributes for the class.\u00a0\u00a0Structural classes are the objectClass \u201cthings\u201d you can make within the directory \u2013 a user account, a print queue, or even a replication partnership.\u00a0\u00a0The semantics may vary between directory services, but the idea remains.<\/p>\n<p>If you wish to add additional attributes to your objects, you need to\u00a0<em>extend<\/em>\u00a0the directory schema.\u00a0\u00a0I will note here that Novell seems to allow undefined schema extensions.\u00a0\u00a0Normally an organisation is issued an OID number (Object Identifier).\u00a0\u00a0A private enterprise would normally request an OID assignment from IANA (existing assignments are published to\u00a0<a href=\"http:\/\/www.iana.org\/assignments\/enterprise-numbers\">http:\/\/www.iana.org\/assignments\/enterprise-numbers<\/a>) or ANSI.\u00a0\u00a0ANSI\u2019s cost money whereas IANA\u2019s don\u2019t.\u00a0\u00a0Guess which we use!\u00a0\u00a01.3.6.1.4.1.12704 has been issued to Alltel, and 1.3.6.1.4.1.25709 has been issued to Windstream.\u00a0\u00a0Additional decimal number groups past the organisation\u2019s enterprise number can be sub-allocated within the organisation.\u00a0\u00a0.5 within Alltel is used for the AD schema extensions, and 5.1 is specific to the test domain while 5.0 is specific to the production domain.\u00a0\u00a0The breakout of an OID number within Alltel\u2019s production AD is:<\/p>\n<pre>1                          iso\r\n1.3                        org\r\n1.3.6                      dod\r\n1.3.6.1                    internet\r\n1.3.6.1.4                  private\r\n1.3.6.1.4.1                enterprise\r\n1.3.6.1.4.1.12794          Alltel\r\n1.3.6.1.4.1.12794.5        Alltel Active Directory\r\n1.3.6.1.4.1.12794.5.0      Production AD\r\n1.3.6.1.4.1.12794.5.0.1.#  Production AD Classes\r\n1.3.6.1.4.1.12794.5.0.2.#  Production AD Attributes\r\n<\/pre>\n<p>So 1.3.6.1.4.1.12704.5.1.2.7 (cSOBESPolicy) is an attribute within the allteltest.com test domain \u2013 the seventh one at that \u2013 and 1.3.6.1.4.1.12704.5.0.1.1 (alltelPerson) is a class in the production alltel.com domain (the first and only one).\u00a0\u00a0A different numbering scheme off the \u201c1.3.6.1.4.1.12794\u201d base should be used for other directories.<\/p>\n<p>Once you have created new attributes and appended an aux-class to an existing class, you may (iPlanet, IBM LDAP) need to restart the LDAP service or you may (Active Directory) need to wait for the change to propagate.\u00a0\u00a0Our customized attributes are associated with an aux-class of user called\u00a0<strong>alltelPerson<\/strong>.<\/p>\n<p><strong>Please<\/strong>\u00a0do not randomly modify the schema \u2013 especially in Active Directory.\u00a0\u00a0In AD you cannot remove the 
entries.\u00a0\u00a0You can deactivate an attribute but it cannot be deleted.<\/p>\n<p><strong>Directory Components \u2013 Structure:<\/strong><\/p>\n<p>A directory structure will begin at its root \u2013 an \u201cO\u201d, organisation name, in iPlanet\/NDS\/IBM LDAP, or \u201cDC\u201d, domain component, in Active Directory.\u00a0\u00a0OUs, Organisational Units, may be contained under the directory root to provide some organisation to the objects housed within the directory.\u00a0\u00a0You may also see CNs under the domain root \u2013 common name entries with an objectClass of container.\u00a0\u00a0There may be several layers of OUs or containers before you find the \u201cleaf\u201d objects \u2013 users, contacts, printers, servers, whatever.\u00a0\u00a0The fully qualified LDAP name (distinguished name) of an object begins at the object and \u2018walks\u2019 up the tree \u2013 \u201ccn=e0082643,ou=core1,ou=lit,ou=ar,ou=sc,o=alltel\u201d for my ID in the ALLTEL-TREE for example.\u00a0\u00a0\u201cSpecial\u201d characters are encoded or escaped as required \u2013 \u201ccn=Landers\\, Lisa,ou=GPOTest,ou=IT,ou=ACI,dc=alltel,dc=com\u201d.<\/p>\n<p><strong>LDAP Operations<\/strong><\/p>\n<p>Connections to LDAP are normally made on port 389 for clear text and 636 for encrypted.\u00a0\u00a0Ldap.alltel.com (iPlanet), metatreeldap.alltel.com (CSO metatree), litexchldap.alltel.com (Active Directory LDAP), and any NetWare 6.0+ server within the alltel-tree use these standard ports, but alternate ports\u00a0<em>can<\/em>\u00a0be assigned within most directory servers.<\/p>\n<p>Once a connection is made, it may be possible to query the directory.\u00a0\u00a0Only a limited set of data should be returned, since any directory enumeration at this point is done under an anonymous credential.\u00a0\u00a0To specify the user with which you wish to perform directory operations, a BIND must be made.<\/p>\n<p>Search operations include a base and scope (where to begin the search and how deep to traverse the 
directory under the base), and usually a filter (what to search for) and the attributes to return.\u00a0\u00a0Ldapsearch.exe (Win32 available from\u00a0\\\\neohtwnlx810.windstream.com\\NDSSupport\\softlib\\misc\\ldaputils\\) can be used to search an LDAP compliant directory.\u00a0\u00a0Ldapsearch options: -h\u00a0<em>hostname.alltel.com<\/em>\u00a0\u00a0-b \u201c<em>ou=search,ou=base,dc=alltel,dc=com<\/em>\u201d -s \u201c<em>scope<\/em>\u201d -D \u201c<em>cn=user,ou=location,dc=alltel,dc=com<\/em>\u201d -W \u201c<em>RFC-2254 compliant filter<\/em>\u201d\u00a0<em>attributes to return go here<\/em><\/p>\n<p>The search scope can be base (just the object defined as the search base), one (the search base and one level under), or sub (everything subordinate to the search base).\u00a0\u00a0Eg:<\/p>\n<pre>ldapsearch -h litexchldap.alltel.com -b \"ou=GPOTest,ou=IT,ou=ACI,dc=alltel,dc=com\" -s \"one\" -LLL -D \"cn=Landers\\, Lisa,ou=GPOTest,ou=IT,ou=ACI,dc=alltel,dc=com\" -W \"(&amp;(objectClass=user)(mail=*))\" displayName mail<\/pre>\n<p>The -W option prompts for a password; alternately -w \u201c<em>PasswordGoesHere<\/em>\u201d can be used, although that leaves the password visible in the shell history and process list.\u00a0\u00a0Once a password has been supplied in this example, the display name and email address for users who have an email address will be returned:<\/p>\n<pre>dn: CN=ACI WWC LDS Undeliverables,OU=GPOTest,OU=IT,OU=ACI,DC=alltel,DC=com\r\ndisplayName: ACI WWC LDS Undeliverables\r\nmail: ACI.WWC.LDS.Undeliverables@alltel.com\r\n\r\ndn: CN=bob,OU=GPOTest,OU=IT,OU=ACI,DC=alltel,DC=com\r\ndisplayName: bob\r\nmail: bob@alltel.com\r\n\r\ndn: CN=Landers\\, Lisa,OU=GPOTest,OU=IT,OU=ACI,DC=alltel,DC=com\r\ndisplayName: Landers, Lisa\r\nmail: Lisa.Landers@alltel.com\r\n<\/pre>\n<p>Additional operations to add objects, delete objects, modify objects, and modify the distinguished name of the object can be done.\u00a0\u00a0More information on this will be provided 
later.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Origins The International Telecommunication Union, ITU\u00a0http:\/\/www.itu.int\/home\/index.html, is an organisation of the United Nations (sorry, Carra, now I guess all directories are on par with poodles) which submits recommendations for the coordination of global telecom and radio systems.\u00a0\u00a0The Telecommunication Standardisation Sector, ITU-T, is the branch which submits recommendations for telecommunication standards.\u00a0\u00a0ITU-T was formerly known as\u00a0Comit\u00e9 Consultatif International &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[303],"class_list":["post-1524","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-ldap"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1524"}],"version-history":[{"count":3,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1524\/revisions"}],"predecessor-version":[{"id":6327,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1524\/revisions\/6327"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2F
wp%2Fv2%2Fcategories&post=1524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}