Candidates should be able to perform queries and updates to an LDAP client.
LDAP utilities for data management and queries
Change user passwords
Querying the LDAP directory
LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lighter version of DAP, which stands for the Directory Access Protocol that is defined by the X.500 standard. For more information on X.500, please read RFC 2116.
The reason for a lightweight version is that DAP was rather heavy on processor load, thereby asking for more than the processors could provide at the time. LDAP is described in RFC 2251.
The LDAP project was started at the University of Michigan, but, as can be read on their site, is no longer maintained there. For current information, the University of Michigan site points visitors to the OpenLDAP site instead.
The type of information best suited for storage in a directory is information with a low mutation rate. The reason for this is that directories cannot compete with RDBMSs for frequently changing data, because they are optimized for read access only. So then, what do we store in a directory? Typically, LDAP directories contain employee data such as surname, Christian name, address, phone number, department, social security number and e-mail address. Alternatively, directories might store newsletters for everyone to read, descriptions of company policies and procedures, or templates supporting the house style of documents.
Table 10.4. LDAP field operators

| Operator | Syntax | Description |
|---|---|---|
| Equality | = | Creates a filter which requires a field to have a given value. |
| Presence | * | Wildcard to represent that a field can equal anything except NULL. |
| Substring | =string* string | Returns entries containing attributes containing the specified substring. |
| Parentheses | () | Separates filters to allow other logical operators to function. |
| And | & | Joins filters together. All conditions in the series must be true. |
| Or | \| | Joins filters together. At least one condition in the series must be true. |
| Not | ! | Excludes all objects that match the filter. |
| Approximate | ~= | Returns entries containing the specified attribute with a value that is approximately equal to the value specified in the search filter. |
| Greater than or equal to | >= | Returns entries containing attributes that are greater than or equal to the specified value. |
| Less than or equal to | <= | Returns entries containing attributes that are less than or equal to the specified value. |
ldapsearch is a shell-accessible interface to the ldap_search(3) library call. ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified parameters. The filter should conform to the string representation for search filters as defined in RFC 2254.
ldapsearch -h myhost -p 389 -s base -b "ou=people,dc=example,dc=com" "objectclass=*"
This command searches the directory server myhost, located at port 389. The scope of the search (-s) is base, and the part of the directory searched is the base DN (-b) designated. The search filter “objectclass=*” means that values for all of the entry's object classes are returned. No attributes are returned because they have not been requested. The example assumes anonymous authentication because authentication options are not specified.
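The operator table and the ldapsearch example above show the filter syntax, but not how to build a filter safely from values you did not type yourself (a login name from a web form, a hostname from a config file). The following is an added example, not code from the page: each helper corresponds to one row of the table, every attribute value passes through RFC 4515 escaping (RFC 4515 obsoleted the RFC 2254 cited above), and `ldapsearch_argv` assembles the same kind of command line as the page's ldapsearch example for OpenLDAP's ldapsearch. `naive_user_filter`/`safe_user_filter` contrast string interpolation with the escaped form, so a presence wildcard in the input can no longer turn a lookup of one user into a match on everyone. The function and host names are my own; the `-x` switch (simple bind, anonymous when no `-D` is given) is OpenLDAP's and also appears in the page's ldappasswd example.

```python
import subprocess

# RFC 4515 (which obsoleted RFC 2254) lists the characters that must be
# escaped inside an assertion value so they cannot alter the filter's
# structure; each becomes a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for safe embedding in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# One helper per row of the operator table. Only the value is escaped; the
# operator characters are written by the helper itself, never by the caller.
def equals(attr: str, value: str) -> str:
    return f"({attr}={escape_filter_value(value)})"


def present(attr: str) -> str:
    return f"({attr}=*)"


def substring(attr: str, prefix: str = "", suffix: str = "") -> str:
    # Produces the "prefix*suffix" form; either side may be empty.
    return f"({attr}={escape_filter_value(prefix)}*{escape_filter_value(suffix)})"


def approx(attr: str, value: str) -> str:
    return f"({attr}~={escape_filter_value(value)})"


def ge(attr: str, value: str) -> str:
    return f"({attr}>={escape_filter_value(value)})"


def le(attr: str, value: str) -> str:
    return f"({attr}<={escape_filter_value(value)})"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    return "(!" + filt + ")"


def naive_user_filter(uid: str) -> str:
    """The unsafe pattern: caller input pasted straight into the filter."""
    return f"(&(uid={uid})(objectClass=person))"


def safe_user_filter(uid: str) -> str:
    """The hardened form: the same filter built from escaped values."""
    return and_(equals("uid", uid), equals("objectClass", "person"))


def ldapsearch_argv(host, port, base, filt, attrs=(), scope="base"):
    """Argument vector for OpenLDAP's ldapsearch. -x selects a simple bind,
    which is anonymous here because no -D/-w is supplied (as on the page)."""
    return ["ldapsearch", "-x", "-h", host, "-p", str(port),
            "-s", scope, "-b", base, filt, *attrs]


def run_ldapsearch(argv):
    """Run the command; needs a reachable server, so not exercised offline."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample input: a bare wildcard typed where a login name goes.
    hostile = "*"
    print(naive_user_filter(hostile))   # (uid=*) is a presence test: matches everyone
    print(safe_user_filter(hostile))    # (uid=\2a) matches only a literal asterisk
    print(" ".join(ldapsearch_argv("myhost", 389, "ou=people,dc=example,dc=com",
                                   present("objectClass"))))
```

Passing the filter to ldapsearch as one argv element (as `ldapsearch_argv` does) rather than through a shell string keeps the shell from re-interpreting the parentheses and asterisks that the filter escaping has already neutralised.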
ldappasswd - change the password of an LDAP entry
ldappasswd is a tool to set the password of an LDAP user. ldappasswd uses the LDAPv3 Password Modify ( RFC 3062 ) extended operation.
ldappasswd sets the password associated with the user (or an optionally specified user). If the new password is not specified on the command line and the user doesn't enable prompting, the server will be requested to generate a password for the user.
ldappasswd -x -h localhost -D "cn=root,dc=example,dc=com" \
    -s secretpassword -W uid=admin,ou=users,ou=horde,dc=example,dc=com
Set the password for “uid=admin,ou=users,ou=horde,dc=example,dc=com” on localhost.
ldapadd - LDAP add entry tool
ldapadd is implemented as a link to the ldapmodify tool. When invoked as ldapadd, the -a (add new entry) flag is turned on automatically.
-a Adds new entries. The default for ldapmodify is to modify existing entries. If invoked as ldapadd, this option is always set.
ldapadd -h myhost -p 389 -D "cn=orcladmin" -w welcome -f jhay.ldif
Using this command, user orcladmin authenticates to the directory myhost, located at port 389. The command then opens the file jhay.ldif and adds its contents to the directory. The file might, for example, add the entry “uid=jhay,cn=Human Resources,cn=example,dc=com” and its object classes and attributes.
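The page describes jhay.ldif only by what it does; the rules for writing such a file are those of LDIF (RFC 2849), and the one that catches people out is that a value beginning with a space, ':' or '<', ending with a space, or containing non-ASCII or line-break characters must be written base64-encoded after a double colon, otherwise ldapadd rejects the file or stores a mangled value. The following is an added example, not the page's jhay.ldif: it generates an add record for the DN from the page's ldapadd example (the attribute values are constructed), applies the base64 rule and the 76-column line folding, and also produces the `changetype: delete` record that ldapmodify accepts as the LDIF counterpart of ldapdelete. Function names are my own.

```python
import base64

# RFC 2849: a value is written as "attr:: <base64>" when it would not survive
# as plain text, i.e. it starts with a space, ':' or '<', ends with a space,
# or contains NUL, CR, LF or any non-ASCII character.
def needs_base64(value: str) -> bool:
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ch in "\x00\r\n" or ord(ch) > 127 for ch in value)


LINE_WIDTH = 76  # RFC 2849: longer lines are folded onto continuation lines


def fold_line(line: str) -> list:
    """Fold one logical line; each continuation starts with a single space."""
    if len(line) <= LINE_WIDTH:
        return [line]
    parts = [line[:LINE_WIDTH]]
    rest = line[LINE_WIDTH:]
    while rest:
        parts.append(" " + rest[:LINE_WIDTH - 1])
        rest = rest[LINE_WIDTH - 1:]
    return parts


def attr_line(name: str, value: str) -> str:
    """Render one attribute, base64-encoding the value when required."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def _render(lines) -> str:
    return "\n".join(folded for line in lines for folded in fold_line(line)) + "\n"


def add_record(dn: str, attrs: dict) -> str:
    """An LDIF record that ldapadd (i.e. ldapmodify -a) turns into a new entry.
    The dn itself is subject to the same base64 rule as any other value."""
    lines = [attr_line("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        for value in ([values] if isinstance(values, str) else values):
            lines.append(attr_line(name, value))
    return _render(lines)


def delete_record(dn: str) -> str:
    """The ldapmodify equivalent of ldapdelete for one DN."""
    return _render([attr_line("dn", dn), "changetype: delete"])


# The DN from the page's ldapadd example; the attribute values are constructed.
JHAY_DN = "uid=jhay,cn=Human Resources,cn=example,dc=com"


def jhay_record() -> str:
    return add_record(JHAY_DN, {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": "jhay",
        "cn": "John Hay",
        "sn": "Hay",
        "mail": "jhay@example.com",
        "description": "<temp>",   # leading '<' forces the base64 form
    })


if __name__ == "__main__":
    # Write jhay.ldif, the file the page's ldapadd command reads with -f.
    with open("jhay.ldif", "w", encoding="ascii") as fh:
        fh.write(jhay_record())
    print(jhay_record())
```

Because every value goes through `attr_line`, a display name containing an accented character or a description that happens to start with a colon is encoded instead of silently corrupting the record; the same function handles the dn line, which is where non-ASCII most often appears in practice.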
ldapdelete - LDAP delete entry tool
ldapdelete is a shell-accessible interface to the ldap_delete_ext(3) library call.
ldapdelete opens a connection to an LDAP server, binds, and deletes one or more entries. If one or more DN arguments are provided, entries with those Distinguished Names are deleted.
ldapdelete -h myhost -p 389 -D "cn=orcladmin" -w welcome \
    "uid=hricard,ou=sales,ou=people,dc=example,dc=com"
This command authenticates user orcladmin to the directory myhost, using the password welcome. Then it deletes the entry “uid=hricard,ou=sales,ou=people,dc=example,dc=com”.