LDAP

The Lightweight Directory Access Protocol: the protocol used to talk to a directory service (TCP 389, which is cleartext unless StartTLS is negotiated, or 636 for ldaps).

Products: Active Directory, OpenLDAP, etc.

DEMO

★Controls

Check which controls the server supports (reads the root DSE: base "", scope base; -x is a simple bind with no credentials, i.e. anonymous, which is normally enough for this):

ldapsearch -x -H ldap://localhost:389 -b "" -s base supportedControl

Controls implemented by the client library (unboundid-ldapsdk 2.3.8):

1.2.826.0.1.3344810.2.3 MatchedValuesRequestControl

1.2.840.113556.1.4.319 SimplePagedResultsControl

1.2.840.113556.1.4.473 ServerSideSortRequestControl

1.2.840.113556.1.4.474 ServerSideSortResponseControl

1.2.840.113556.1.4.805 SubtreeDeleteRequestControl

1.2.840.113556.1.4.841 ActiveDirectoryDirSyncControl

1.2.840.113556.1.4.1413 PermissiveModifyRequestControl

1.3.6.1.1.12 AssertionRequestControl

1.3.6.1.1.13.1 PreReadRequestControl

1.3.6.1.1.13.2 PostReadRequestControl

1.3.6.1.1.21.2 TransactionSpecificationRequestControl

1.3.6.1.1.22 DontUseCopyRequestControl

1.3.6.1.4.1.42.2.27.8.5.1 DraftBeheraLDAPPasswordPolicy10RequestControl

1.3.6.1.4.1.4203.1.9.1.1 ContentSyncRequestControl

1.3.6.1.4.1.4203.1.9.1.2 ContentSyncStateControl

1.3.6.1.4.1.4203.1.9.1.3 ContentSyncDoneControl

1.3.6.1.4.1.4203.1.10.2 DraftZeilengaLDAPNoOp12RequestControl

1.3.6.1.4.1.7628.5.101.1 SubentriesRequestControl

2.16.840.1.113730.3.4.2 ManageDsaITRequestControl

2.16.840.1.113730.3.4.3 PersistentSearchRequestControl

2.16.840.1.113730.3.4.4 PasswordExpiredControl

2.16.840.1.113730.3.4.5 PasswordExpiringControl

2.16.840.1.113730.3.4.7 EntryChangeNotificationControl

2.16.840.1.113730.3.4.9 VirtualListViewRequestControl

2.16.840.1.113730.3.4.10 VirtualListViewResponseControl

2.16.840.1.113730.3.4.12 ProxiedAuthorizationV1RequestControl

2.16.840.1.113730.3.4.15 AuthorizationIdentityResponseControl

2.16.840.1.113730.3.4.16 AuthorizationIdentityRequestControl

2.16.840.1.113730.3.4.18 ProxiedAuthorizationV2RequestControl

Advertised by the UnboundID in-memory directory server (unboundid-ldapsdk 2.3.8):

1.2.840.113556.1.4.1413

1.2.840.113556.1.4.319

1.2.840.113556.1.4.473

1.2.840.113556.1.4.805

1.3.6.1.1.12

1.3.6.1.1.13.1

1.3.6.1.1.13.2

1.3.6.1.1.21.2

1.3.6.1.1.22

1.3.6.1.4.1.7628.5.101.1

2.16.840.1.113730.3.4.12

2.16.840.1.113730.3.4.16

2.16.840.1.113730.3.4.18

2.16.840.1.113730.3.4.2

2.16.840.1.113730.3.4.9

Advertised by OpenLDAP 2.4.28:

2.16.840.1.113730.3.4.18

2.16.840.1.113730.3.4.2

1.3.6.1.4.1.4203.1.10.1

1.3.6.1.1.13.2

1.3.6.1.1.13.1

1.3.6.1.1.12

1.2.840.113556.1.4.319

1.2.826.0.1.3344810.2.3

Advertised by Active Directory (Windows Server 2008 R2):

1.2.840.113556.1.4.319

1.2.840.113556.1.4.801

1.2.840.113556.1.4.473

1.2.840.113556.1.4.528 Persistent search

1.2.840.113556.1.4.417 Deleted object search

1.2.840.113556.1.4.619

1.2.840.113556.1.4.841

1.2.840.113556.1.4.529

1.2.840.113556.1.4.805

1.2.840.113556.1.4.521

1.2.840.113556.1.4.970

1.2.840.113556.1.4.1338

1.2.840.113556.1.4.474

1.2.840.113556.1.4.1339

1.2.840.113556.1.4.1340

1.2.840.113556.1.4.1413

1.2.840.113556.1.4.1504

1.2.840.113556.1.4.1852

1.2.840.113556.1.4.802

1.2.840.113556.1.4.1907

1.2.840.113556.1.4.1948

1.2.840.113556.1.4.1974

1.2.840.113556.1.4.1341

1.2.840.113556.1.4.2026

1.2.840.113556.1.4.2064

1.2.840.113556.1.4.2065

1.2.840.113556.1.4.2066

2.16.840.1.113730.3.4.9

2.16.840.1.113730.3.4.10

★Extended operations

Check which extended operations the server supports:

ldapsearch -x -H ldap://localhost:389 -b "" -s base supportedExtension

Extended operations implemented by the client library (unboundid-ldapsdk 2.3.8):

1.3.6.1.1.8 CancelExtendedRequest

1.3.6.1.1.21.1 StartTransactionExtendedRequest

1.3.6.1.1.21.3 EndTransactionExtendedRequest

1.3.6.1.4.1.1466.20037 StartTLSExtendedRequest

1.3.6.1.4.1.4203.1.11.1 PasswordModifyExtendedRequest

1.3.6.1.4.1.4203.1.11.3 WhoAmIExtendedRequest

Advertised by the UnboundID in-memory directory server (unboundid-ldapsdk 2.3.8):

1.3.6.1.1.21.1

1.3.6.1.1.21.3

1.3.6.1.4.1.4203.1.11.1

1.3.6.1.4.1.4203.1.11.3

Advertised by OpenLDAP 2.4.28 (note that StartTLS, 1.3.6.1.4.1.1466.20037, is not in this list, so this server could not protect a simple bind on ldap://):

1.3.6.1.1.8

1.3.6.1.4.1.4203.1.11.1

1.3.6.1.4.1.4203.1.11.3
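The two ldapsearch root-DSE queries above (supportedControl and supportedExtension) only print bare OIDs. Below is an added example, not code from the original page, that parses the LDIF those commands print, names the OIDs using the tables on this page, and flags the two findings a reviewer looks for first: no StartTLS advertised (credentials go over ldap:// in cleartext) and Proxied Authorization offered (someone can act as another identity). SAMPLE_ROOT_DSE is a constructed sample modelled on the OpenLDAP 2.4.28 lists; one value is folded and one is base64-encoded purely to exercise those LDIF paths.

```python
"""Audit what an LDAP server advertises in its root DSE.

Added example. Feed it the LDIF printed by
  ldapsearch -x -H ldap://host:389 -b "" -s base supportedControl supportedExtension supportedFeatures
SAMPLE_ROOT_DSE is constructed; OID names come from the tables on this page.
"""
import base64

CONTROL_NAMES = {
    "1.2.826.0.1.3344810.2.3": "MatchedValues",
    "1.2.840.113556.1.4.319": "SimplePagedResults",
    "1.2.840.113556.1.4.473": "ServerSideSort",
    "1.3.6.1.1.12": "Assertion",
    "1.3.6.1.1.13.1": "PreRead",
    "1.3.6.1.1.13.2": "PostRead",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT",
    "2.16.840.1.113730.3.4.18": "ProxiedAuthorizationV2",
}
EXTENSION_NAMES = {
    "1.3.6.1.1.8": "Cancel",
    "1.3.6.1.4.1.1466.20037": "StartTLS",
    "1.3.6.1.4.1.4203.1.11.1": "PasswordModify",
    "1.3.6.1.4.1.4203.1.11.3": "WhoAmI",
}
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
PROXIED_AUTHZ_V2_OID = "2.16.840.1.113730.3.4.18"

# Constructed sample resembling an OpenLDAP 2.4.28 root DSE.  The folded
# line and the base64 ("::") value are there only to exercise the parser.
SAMPLE_ROOT_DSE = """\
# extended LDIF (constructed sample)
dn:
objectClass: top
objectClass: OpenLDAProotDSE
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedControl: 1.2.840.113556.1.4
 .319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedExtension: 1.3.6.1.1.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures:: MS4zLjYuMS4xLjE0
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry.

    Handles folded lines (a continuation line starts with one space) and
    base64 values ("attr:: ..."). "attr:< url" values are rejected rather
    than fetched, so untrusted LDIF cannot make this code read local files.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep or name == "version":
            continue
        if rest.startswith("<"):
            raise ValueError("URL-valued attribute not allowed: " + name)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        attrs.setdefault(name, []).append(value)
    return attrs


def audit_root_dse(attrs):
    """Name the advertised OIDs and flag the ones that matter for security."""
    controls = attrs.get("supportedControl", [])
    extensions = attrs.get("supportedExtension", [])
    report = {
        "controls": {oid: CONTROL_NAMES.get(oid, "unknown") for oid in controls},
        "extensions": {oid: EXTENSION_NAMES.get(oid, "unknown") for oid in extensions},
        "findings": [],
    }
    if STARTTLS_OID not in extensions:
        # Without StartTLS a simple bind on ldap:// sends the password in cleartext.
        report["findings"].append("StartTLS not advertised: use ldaps:// or configure TLS")
    if PROXIED_AUTHZ_V2_OID in controls:
        report["findings"].append("Proxied Authorization v2 offered: check which identities may impersonate others")
    return report


if __name__ == "__main__":
    rep = audit_root_dse(parse_ldif_entry(SAMPLE_ROOT_DSE))
    for section in ("controls", "extensions"):
        for oid, name in rep[section].items():
            print(f"{section[:-1]:>9}  {oid:<28} {name}")
    for finding in rep["findings"]:
        print("!", finding)
```

Pipe the real ldapsearch output into parse_ldif_entry instead of SAMPLE_ROOT_DSE to audit a live server; unknown OIDs are printed as "unknown" rather than dropped, so a vendor-specific control still shows up for manual review.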

★Result codes (com.unboundid.ldap.sdk.ResultCode)

SUCCESS 0

OPERATIONS_ERROR 1

PROTOCOL_ERROR 2

TIME_LIMIT_EXCEEDED 3

SIZE_LIMIT_EXCEEDED 4

COMPARE_FALSE 5

COMPARE_TRUE 6

AUTH_METHOD_NOT_SUPPORTED 7

STRONG_AUTH_REQUIRED 8

REFERRAL 10

ADMIN_LIMIT_EXCEEDED 11

UNAVAILABLE_CRITICAL_EXTENSION 12

CONFIDENTIALITY_REQUIRED 13

SASL_BIND_IN_PROGRESS 14

NO_SUCH_ATTRIBUTE 16

UNDEFINED_ATTRIBUTE_TYPE 17

INAPPROPRIATE_MATCHING 18

CONSTRAINT_VIOLATION 19

ATTRIBUTE_OR_VALUE_EXISTS 20

INVALID_ATTRIBUTE_SYNTAX 21

NO_SUCH_OBJECT 32

ALIAS_PROBLEM 33

INVALID_DN_SYNTAX 34

ALIAS_DEREFERENCING_PROBLEM 36

INAPPROPRIATE_AUTHENTICATION 48

INVALID_CREDENTIALS 49

INSUFFICIENT_ACCESS_RIGHTS 50

BUSY 51

UNAVAILABLE 52

UNWILLING_TO_PERFORM 53

LOOP_DETECT 54

SORT_CONTROL_MISSING 60

OFFSET_RANGE_ERROR 61

NAMING_VIOLATION 64

OBJECT_CLASS_VIOLATION 65

NOT_ALLOWED_ON_NONLEAF 66

NOT_ALLOWED_ON_RDN 67

ENTRY_ALREADY_EXISTS 68

OBJECT_CLASS_MODS_PROHIBITED 69

AFFECTS_MULTIPLE_DSAS 71

VIRTUAL_LIST_VIEW_ERROR 76

OTHER 80

SERVER_DOWN 81

LOCAL_ERROR 82

ENCODING_ERROR 83

DECODING_ERROR 84

TIMEOUT 85

AUTH_UNKNOWN 86

FILTER_ERROR 87

USER_CANCELED 88

PARAM_ERROR 89

NO_MEMORY 90

CONNECT_ERROR 91

NOT_SUPPORTED 92

CONTROL_NOT_FOUND 93

NO_RESULTS_RETURNED 94

MORE_RESULTS_TO_RETURN 95

CLIENT_LOOP 96

REFERRAL_LIMIT_EXCEEDED 97

CANCELED 118

NO_SUCH_OPERATION 119

TOO_LATE 120

CANNOT_CANCEL 121

ASSERTION_FAILED 122

AUTHORIZATION_DENIED 123

E_SYNC_REFRESH_REQUIRED 4096

NO_OPERATION 16654

INTERACTIVE_TRANSACTION_ABORTED 30221001

DATABASE_LOCK_CONFLICT 30221002

★Terminology

dc = domain component

dn = distinguished name

o = organization

ou = organizational unit

c = country

cn = common name (the person's name, e.g. "cn: jiro" below; not the last name)

sn = surname (last name, e.g. "sn: tokyo" below)

uid = user ID

userPassword = password of the entry identified by uid (ldapadd stores it exactly as written in the LDIF, so hash it first, e.g. with slappasswd, or set it afterwards with ldappasswd, which uses the Password Modify extended operation and lets the server hash it)

★OpenLDAP (installing on Ubuntu)

sudo apt-get install slapd ldap-utils

sudo slapcat        # dump the whole directory as LDIF straight from the database files (needs root, bypasses ACLs, shows userPassword values)

ls /etc/ldap        # configuration (slapd.d/, ldap.conf)

/usr/sbin/slapd -V  # print the installed version

★Command list

ldapadd

ldapdelete

ldapmodify

ldappasswd

ldapurl

ldapcompare

ldapexop

ldapmodrdn

ldapsearch

ldapwhoami

ldapsearch -x -b "" -s base supportedFeatures

ldapsearch -x -b "" -s base supportedControl

ldapsearch -x -b "" -s base supportedExtension

★Working with data from the command line

rootdn = 'cn=admin,dc=nodomain'   (the slapd root DN, used for -D below)

rootpw = 'ldap'   (demo password; -w puts it on the command line where ps and shell history can see it, so prefer -W to be prompted or -y <file> to read it from a file)

Adding entries:

ldapadd -x -H ldap://localhost:389 -D "cn=admin,dc=nodomain" -w ldap -f add.ldif

add.ldif:

# department subtree

dn: ou=sale,dc=nodomain

objectClass: organizationalUnit

ou: sale

# employee entry

dn: uid=u001,ou=sale,dc=nodomain

objectClass: inetOrgPerson

cn: jiro

sn: tokyo

uid: u001

# stored as written; use a slappasswd hash here or set it later with ldappasswd

userPassword: p-1

Searching (anonymous bind; -s sub walks the whole tree and the wildcard filter matches every uid ending in 01):

ldapsearch -x -H ldap://localhost:389 -b "dc=nodomain" -s sub "(uid=*01)" dn

Deleting an entry:

ldapdelete -x -H ldap://localhost:389 -D "cn=admin,dc=nodomain" -w ldap "uid=u003,ou=develop,dc=nodomain"

Modifying an entry:

ldapmodify -x -H ldap://localhost:389 -D "cn=admin,dc=nodomain" -w ldap -f modify.ldif

modify.ldif:

dn: uid=u001,ou=sale,dc=nodomain

changetype: modify

replace: sn

sn: osaka

-

add: homeDirectory

homeDirectory: /home/osaka

-

delete: telephoneNumber
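The ldapsearch filter and the add.ldif above are built by hand from fixed values. When the uid, name or password comes from a user (a web form, an API call), the same commands become LDAP injection targets: an unescaped "*)(uid=*" turns "(uid=...)" into a filter that matches everyone, and a comma in an RDN value rewrites the DN. Below is an added example, not code from the original page, that builds the filter, the DN and the LDIF from untrusted input with the escaping rules of RFC 4515 (filters), RFC 4514 (DN values) and RFC 2849 (LDIF), and writes userPassword as an OpenLDAP-compatible {SSHA} hash instead of cleartext. The ldapadd argv it produces is not executed here; the password-file path in add_argv is a hypothetical placeholder for the -y option, and all inputs are constructed.

```python
"""Build the filter, DN and LDIF used by the ldapsearch/ldapadd commands
above from untrusted input.  Added example; sample inputs are constructed.
"""
import base64
import hashlib
import hmac
import os


def escape_filter_value(value):
    """RFC 4515: '*', '(', ')', '\\' and NUL become \\xx so an attacker cannot
    turn (uid=<input>) into (uid=*)(|(uid=*))."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514: escape ',', '+', '"', '\\', '<', '>', ';' anywhere, NUL as \\00,
    plus a leading '#' or space and a trailing space."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in ',+"\\<>;' or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def ldif_line(attr, value):
    """RFC 2849: values that are not SAFE-STRING (non-ASCII, NUL/CR/LF, or a
    leading space, ':' or '<') must be base64-encoded after '::'."""
    safe = (value.isascii() and not any(ch in value for ch in "\x00\r\n")
            and not value.startswith((" ", ":", "<")))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def ssha_hash(password, salt=None):
    """OpenLDAP-compatible {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a password against an {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())


def search_argv(uid, base_dn="dc=nodomain", url="ldap://localhost:389"):
    """argv for the search above; -ZZ insists on StartTLS, and the list form
    keeps the shell (and its quoting rules) out of the picture entirely."""
    return ["ldapsearch", "-x", "-ZZ", "-H", url, "-b", base_dn, "-s", "sub",
            "(uid=%s)" % escape_filter_value(uid), "dn"]


def add_user_ldif(uid, cn, sn, password, ou="sale", base_dn="dc=nodomain"):
    """LDIF for one inetOrgPerson under ou=<ou>, like the employee entry in add.ldif."""
    dn = "uid=%s,ou=%s,%s" % (escape_dn_value(uid), escape_dn_value(ou), base_dn)
    lines = [
        ldif_line("dn", dn),
        "objectClass: inetOrgPerson",
        ldif_line("cn", cn),
        ldif_line("sn", sn),
        ldif_line("uid", uid),
        ldif_line("userPassword", ssha_hash(password)),
    ]
    return "\n".join(lines) + "\n"


def add_argv(ldif_path, bind_dn="cn=admin,dc=nodomain", pw_file="/root/.ldap-admin-pw",
             url="ldap://localhost:389"):
    """argv for ldapadd; -y reads the bind password from a file (hypothetical
    path) so it never appears in ps output or shell history like -w does."""
    return ["ldapadd", "-x", "-ZZ", "-H", url, "-D", bind_dn, "-y", pw_file, "-f", ldif_path]


if __name__ == "__main__":
    # Hostile uid that would widen the filter to every entry if pasted in unescaped.
    print(" ".join(search_argv("*)(uid=*")))
    print(add_user_ldif("u001,ou=admin", "jiro", "大阪", "p-1"))
    print(" ".join(add_argv("add.ldif")))
```

The {SSHA} salt length is not fixed by slapd (it takes everything after the 20-byte digest as salt), so verify_ssha mirrors that. If the directory instead enforces hashing through ppolicy or you set passwords with ldappasswd, send the cleartext over StartTLS/ldaps and let the server hash it; either way the cleartext should not sit in an LDIF file.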

★LDAP Java libraries

・JNDI

・Apache Directory LDAP API http://directory.apache.org/api/

・UnboundID LDAP SDK for Java https://www.ldap.com/unboundid-ldap-sdk-for-java