This article is excerpted from http://www.openldap.org/doc/admin24/index.html and https://www.centos.org/docs/5/html/CDS/ag/8.0, and gives a comprehensive introduction to all aspects of OpenLDAP.
1. What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. The LDAP information model is based on entries. An entry is a collection of attributes that has a globally unique Distinguished Name (DN). In LDAP, directory entries are arranged in a hierarchical, tree-like structure.
2. What is slapd?
slapd (standalone LDAP daemon) is an LDAP directory server. slurpd is a daemon that, with slapd's help, provides replicated service.
command:
ldapsearch -x -b 'dc=xrssw,dc=com' -s base '(objectclass=*)'
searches the LDAP tree and prints the matching entries
Use your favorite editor to create an LDIF file, then run the command:
ldapadd -x -D "cn=admin,dc=xrssw,dc=com" -W -f example.ldif
to add the information you defined in the file example.ldif.
To see if it works, run ldapsearch command to check the output.
3. Configuration Choices
a. local directory service: you run a slapd which provides directory service for your local domain only.
b. local directory service with referrals
c. Replicated Directory Service: the slurpd daemon is used to propagate changes from a master slapd to one or more slave slapds.
The default LDAP URL is ldap:/// which implies LDAP over TCP on all interfaces on the default LDAP port 389.
3. LDIF text entry format
The LDAP Data Interchange Format (LDIF) is used to represent LDAP entries in a simple text format. The basic form of an entry is:
# comment
dn: <distinguished name>
<attrdesc>: <attrvalue>
<attrdesc>: <attrvalue>
... ...
example:
dn: cn=Barbara J Jensen,dc=example,dc=com
cn: Barbara J Jensen
cn: Babs Jensen
objectClass: person
sn: Jensen
4. LDIF Update Statements
LDIF update statements define how ldapmodify changes the directory entry. In general, LDIF update statements contain the following information:
a. the DN of the entry to be modified.
b. a changetype that defines how a specific entry is to be modified (add, delete, modify, modrdn)
c. a series of attributes and their changed values.
The modrdn changetype specifies how the relative distinguished name (RDN) is to be modified. A distinguished name's RDN is the left-most component of the DN. For example, the distinguished name uid=ssarette,dc=example,dc=com has an RDN of uid=ssarette.
The general format of LDIF update statements is as follows:
dn: distinguished_name
changetype: changetype_identifier
change_operation_identifier: list_of_attributes
change_operation_identifier: list_of_attributes
-
change_operation_identifier: list_of_attributes
-
A dash (-) must be used to denote the end of a change operation if subsequent change operations are specified. For example, the following statement adds the telephone number and manager attributes to the entry:
dn: cn=Lisa Jangles,ou=People,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: (408) 555-2468
-
add: manager
manager: cn=Harry Cruise,ou=People,dc=example,dc=com
In addition, the line continuation operator is a single space. Therefore, the following two statements are identical:
dn: cn=Lisa Jangles,ou=People,dc=example,dc=com
dn: cn=Lisa Jangles,
 ou=People,
 dc=example,dc=com
5. Renaming an Entry using LDIF
changetype: modrdn only changes the RDN; it cannot change other parts of a DN. For example, the entry cn=Sue Jacobs,ou=people,dc=example,dc=com can be changed to cn=Susan Jacobs,ou=people,dc=example,dc=com, but it cannot be modified to become cn=Sue Jacobs,ou=old employees,dc=example,dc=com.
The following command renames Sue Jacobs to Susan Jacobs:
dn: cn=Sue Jacobs,ou=Marketing,dc=example,dc=com
changetype: modrdn
newrdn: cn=Susan Jacobs
deleteoldrdn: 0
Because deleteoldrdn is 0, this example retains the existing RDN value as an attribute value in the renamed entry. If it is set to 1, the server deletes the old value Sue Jacobs and only Susan Jacobs remains.
Note: the modrdn change type cannot move an entry to a completely different subtree. To move an entry to a completely different branch, you must create a new entry in the alternative subtree using the old entry's attributes, and then delete the old entry. Also, for the same reasons that you cannot delete an entry if it is a branch point, you cannot rename an entry if it has any children. Doing so would orphan the children in the tree, which is not allowed by the LDAP protocol.
6. Modifying an entry using LDIF
changetype: modify can add, replace, or remove attributes or attribute values in an entry. When you specify changetype: modify, you must also provide a change operation to indicate how the entry is to be modified.
a. add
dn: cn=Barney Fife,ou=People,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 555-1212
telephonenumber: 555-6789
-
add: manager
manager: cn=Sally Nixon,ou=People,dc=example,dc=com
b. replace
dn: cn=Barney Fife,ou=People,dc=example,dc=com
changetype: modify
replace: manager
manager: cn=Wally Hensford, ou=People, dc=example,dc=com
If the entry has multiple values of an attribute, then to change one of those values you must delete that value first and then add the replacement value. For example, this entry has two telephone numbers:
cn=Barney Fife,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-1212
telephonenumber: 555-6789
To change the telephone number 555-1212 to 555-4321, use the following LDIF update statement:
dn: cn=Barney Fife,ou=People,dc=example,dc=com
changetype: modify
delete: telephonenumber
telephonenumber: 555-1212
-
add: telephonenumber
telephonenumber: 555-4321
The entry is now as follows:
cn=Barney Fife,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-6789
telephonenumber: 555-4321
c. delete
changetype: modify with the delete operation deletes an attribute from an entry. If the entry has more than one value of the attribute, you must indicate which value to delete; otherwise, you delete all values of the attribute.
For example, consider the following entry:
cn=Barney Fife,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-1212
telephonenumber: 555-6789
To delete the 555-1212 telephone number from this entry, use the following LDIF update statement:
dn: cn=Barney Fife,ou=People,dc=example,dc=com
changetype: modify
delete: telephonenumber
telephonenumber: 555-1212
Barney's entry then becomes:
cn=Barney Fife,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-6789
To delete all telephonenumber values:
dn: cn=Barney Fife,ou=People,dc=example,dc=com
changetype: modify
delete: telephonenumber
d. replace
dn: bjensen,dc=example,dc=com
changetype: modify
replace: homePostalAddress;lang-fr
homePostalAddress;lang-fr: 34 rue de Seine
lang-fr indicates the value is in French instead of English, which is the default.
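The following Python is an added example, not code from OpenLDAP or the cited guides. It implements the LDIF rules described in sections 4 to 6 (comment lines, single-space line continuation, the dash between change operations, changetype: modify with add, delete and replace on multi-valued attributes, and changetype: modrdn with deleteoldrdn) and applies a change record to an in-memory entry, so the effect of each statement above can be checked without a running slapd. All function and variable names are mine, and the sample entries are constructed from the Barney Fife and Sue Jacobs statements on this page.

```python
"""Parse LDIF change records and apply them to an in-memory entry.

Added example for this page, not OpenLDAP code; it covers only the LDIF subset the text describes
('#' comments, one-space line folding, '-' separators, changetype: modify and changetype: modrdn).
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]     # lowercased attribute name -> values (LDAP names are case-insensitive)
Op = Tuple[str, str, List[str]]  # (operation, attribute, values)


def unfold(ldif: str) -> List[str]:
    """Join continuation lines (one leading space), then drop comments and blank lines."""
    joined: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and joined:
            joined[-1] += raw[1:]                  # the single leading space is the fold marker
        else:
            joined.append(raw)
    return [line for line in joined if line.strip() and not line.startswith("#")]


def parse_change_record(ldif: str) -> Tuple[str, str, List[Op]]:
    """Return (dn, changetype, ops); for modrdn each op is (keyword, value, [])."""
    fields: List[Tuple[str, str]] = []
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()) if sep else (line.strip(), ""))
    (k0, dn), (k1, changetype) = fields[:2]
    if (k0, k1) != ("dn", "changetype") or changetype not in ("modify", "modrdn"):
        raise ValueError("record must start with dn: and changetype: modify or modrdn")
    if changetype == "modrdn":
        return dn, changetype, [(k, v, []) for k, v in fields[2:]]
    ops: List[Op] = []
    current: Optional[Op] = None
    for k, v in fields[2:]:
        if k == "-":                               # a dash closes one change operation
            current = None
        elif current is None:
            if k not in ("add", "delete", "replace"):
                raise ValueError(f"unknown change operation {k!r}")
            current = (k, v.lower(), [])
            ops.append(current)
        elif k != current[1]:
            raise ValueError(f"{k!r} does not belong to the {current[0]} of {current[1]!r}")
        else:
            current[2].append(v)
    return dn, changetype, ops


def apply_modify(entry: Entry, ops: List[Op]) -> Entry:
    """Server-like rules: delete without values removes the whole attribute; deleting an absent value fails."""
    result = {k: list(v) for k, v in entry.items()}
    for op, attr, values in ops:
        have = result.get(attr, [])
        if op == "add":
            result[attr] = have + [v for v in values if v not in have]
        elif op == "replace":
            result[attr] = list(values)
        elif any(v not in have for v in values):       # delete of a value the entry lacks
            raise ValueError(f"{attr}: no such value (a server answers noSuchAttribute)")
        else:                                          # delete
            result[attr] = [v for v in have if v not in values] if values else []
        if not result[attr]:                           # an attribute with no values leaves the entry
            del result[attr]
    return result


def apply_change(dn: str, entry: Entry, ldif: str) -> Tuple[str, Entry]:
    """Apply one change record to (dn, entry); returns the (possibly renamed) DN and the new entry.
    modrdn adds the new RDN value and keeps (deleteoldrdn: 0) or drops (deleteoldrdn: 1) the old one.
    The DN is split on ',' naively, which suffices for the page's examples (no escaped commas)."""
    target, changetype, ops = parse_change_record(ldif)
    if target.lower() != dn.lower():
        raise ValueError(f"record targets {target!r}, not {dn!r}")
    if changetype == "modify":
        return dn, apply_modify(entry, ops)
    params = {k: v for k, v, _ in ops}
    old_rdn, _, parent = dn.partition(",")
    new_rdn = params["newrdn"]
    rdns = [("add", new_rdn)] + ([("delete", old_rdn)] if params.get("deleteoldrdn") == "1" else [])
    mods: List[Op] = []
    for op, rdn in rdns:
        attr, _, value = rdn.partition("=")
        mods.append((op, attr.strip().lower(), [value.strip()]))
    return (f"{new_rdn},{parent}" if parent else new_rdn), apply_modify(entry, mods)


# Constructed sample data, taken from the statements on this page.
BARNEY_DN = "cn=Barney Fife,ou=People,dc=example,dc=com"
BARNEY: Entry = {"objectclass": ["inetOrgPerson"], "cn": ["Barney Fife"], "sn": ["Fife"],
                 "telephonenumber": ["555-1212", "555-6789"]}
CHANGE_PHONE = ("dn: cn=Barney Fife,ou=People,dc=example,dc=com\nchangetype: modify\n"
                "delete: telephonenumber\ntelephonenumber: 555-1212\n-\n"
                "add: telephonenumber\ntelephonenumber: 555-4321\n")
SUE_DN = "cn=Sue Jacobs,ou=Marketing,dc=example,dc=com"
SUE: Entry = {"objectclass": ["person"], "cn": ["Sue Jacobs"], "sn": ["Jacobs"]}
RENAME_SUE = ("dn: cn=Sue Jacobs,\n ou=Marketing,\n dc=example,dc=com\n"  # dn folded over 3 lines
              "changetype: modrdn\nnewrdn: cn=Susan Jacobs\ndeleteoldrdn: 0\n")
```

Running apply_change(BARNEY_DN, BARNEY, CHANGE_PHONE) yields the entry with telephonenumber values 555-6789 and 555-4321, as the text states, and apply_change(SUE_DN, SUE, RENAME_SUE) returns the new DN cn=Susan Jacobs,ou=Marketing,dc=example,dc=com with both cn values present; switching deleteoldrdn to 1 leaves only Susan Jacobs. The folded dn in RENAME_SUE shows the continuation rule: after unfolding it is byte-for-byte the same DN as SUE_DN. Deleting a value the entry does not hold raises, mirroring the error a real server returns; a production client should check that result rather than assume the modify succeeded.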