Using LDAP in your enterprise for PHP Programmers - PowerPoint PPT Presentation

1 / 44

About This Presentation

Title:

Using LDAP in your enterprise for PHP Programmers

Description:

Annoy me: darcrist_at_gmail.com. Who is Justin Dearing. Multi Talented Programmer/Network Admin ... Annoy me: zippy1981_at_gmail.com. What is LDAP ... – PowerPoint PPT presentation

Number of Views:648

Avg rating:3.0/5.0

Slides: 45

Provided by: lip5

Category:

more less

Transcript and Presenter's Notes

Title: Using LDAP in your enterprise for PHP Programmers

1
Using LDAP in your enterprise for PHP Programmers

By Justin Dearing and Alex Ames

2
Who is Alex Ames

Network Administrator
Background in mixed systems
Linux/BSD Windows Netware - i/5 OS
12 years in professional IT
LDAP usage
Tie together authentication across Apache running
on multiple platforms.
Annoy me darcrist_at_gmail.com

3
Who is Alex Ames

Network Administrator
Background in mixed systems
Linux/BSD Windows Netware - i/5 OS
12 years in professional IT
LDAP usage
Tie together authentication across Apache running
on multiple platforms.
Annoy me darcrist_at_gmail.com

4
Who is Justin Dearing

Multi Talented Programmer/Network Admin
I write C at the moment professionally
Done some PHP
Former Unix Admin and iSeries Operator
Will admin windows boxes if forced to
Variety of Open Source Contributions
https//www.ohloh.net/accounts/zippy1981
Annoy me zippy1981_at_gmail.com

5
What is LDAP

The Lightweight Directory Access Protocol,
or LDAP (IPA '?l dæp), is an application
protocol for querying and modifying directory
services running over TCP/IP.1A directory is a
set of objects with similar attributes organized
in a logical and hierarchical manner. The most
common example is the telephone directory, which
consists of a series of names (either of persons
or organizations) organized alphabetically, with
each name having an address and phone number
attached.
Source http//en.wikipedia.org/wiki/Lightweight_D
irectory_Access_Protocol

6
But really, What is LDAP?

Lightweight Directory Access Protocol
A light version of the X.500 Directory Access
protocol
Developed by the Telecommunications industry
based on 70 years of phone book printing wisdom

7
So its like a database?

Sort of, but not exactly
(Relational Database Management Systems) RDBMSs
store data is a collection of relational tables
Directories store hierarchies of data in a tree
format

8
Principles of LDAP

Hierarchical Directory of information
think folder/dir tree!
LDAP Bind Connection
requires a username/password with privileges to
read/search the LDAP Directory.
Can limit query results to a specific OU/CN or
branch
Microsoft AD must be able to browse the entire
AD structure to reach desired container.
If you cant read a container, you cant perform
operations against it (i.e. you cant
authenticate a user you cant see attributes
for!).

9
Security

Authentication
name/password
Kerberos authentication
Accounts
Users are stored in the directory with attribute
objectClassuser
Sometimes there is an admin account stored
outside the directory structure.
Connections
Unencrypted
SSL
TLS

10
LDAP Client Libraries

PHP
Built in
Windows
ADSI/ADSI.NET
Novell .NET Library
Wldap32

C
Novell Directory Library
OpenLDAP SDK
JAVA
JNDI
OpenLDAP
Novell

11
Using LDAP with Apache
12
LDAP in Apache 2.2

Generally not compiled or available by default.
Requirements
OpenLDAP 1.x or 2.x SDK installed
Novell LDAP SDK installed
Others Microsoft, Mozilla/Sun/iPlanet
2 LDAP modules in Apache
mod_ldap
mod_authnz_ldap (depends on mod_ldap)
Best when compiled from source (IMHO, YMMV)
Some RPMs work out-of-the-box RedHat, SuSE

13
Apache modules

mod_ldap
Provides automatic connection pooling minimal
connections, many requests
Provides search bind cache for
username, password and DN
Provides SSL support varies by SDK used to
compile. RTFM!
mod_authnz_ldap
Base permissions on groups, users filters
No more .htpasswd files to mess with!

14
Compiling LDAP for Apache

Prerequisites
LDAP SDK installed configured.
You dont need an LDAP server on the box...
Get SSL support installed configured
From the apache source
in srclib/apr-util
./configure with-ldap-include
/usr/local/include/with-ldap-lib/usr/local/lib/
with-ldapldap with-apr../apr
in ././configure with-ssl enable-soenable-m
ods-sharedall with-ldap with-auth-ldap
enable-ldap enable-auth-ldap

15
Apache .conf for LDAP
methods provided by
mod_auth_basic AuthType basicAuthName LDAP
Authentication Required"AuthBasicProvider
ldap methods provided by mod_authnz_ldapAuthLD
APURL ldap//ldap.myserver.com/dcyourdomain,dcco
m?uid AuthLDAPBindDN oAdminContainer,dcyourdom
ain,dccom AuthLDAPBindPassword
badidea-thanx-bill Require ldap-group
cnAdministrators, oAdminContainer
16
iSeries LDAP support

Using Apache and LDAP on the iSeries

17
Installing OpenLDAP client tools on Windows

Go to http//bowmansolutions.com/mingw-openldap/
Follow those direction
You need MinGW, MSYS, lots of dependencies
Its a giant pain to build
Add dig.exe while your at it.
http//ftp.isc.org/isc/bind8/contrib/ntbind-9.3.0r
c3/

18
OpenLDAP Client tools on Windows made easy

Install this MSI I made just for you.
No need to thank me.

19
LDAP Queries

Three components
BaseDN
What portion of the tree are you searching
Filter
Attributes and values to limit the result set
Attributes returned
What attributes from the result set to what we
want?

20
LDAP Query filters

Prefix notation Boolean logic
Still has parenthesis
Simple syntax

21
Ok, wheres the PHP?

...with just apache LDAP, authenticated user data
can be found in _SERVER...
_SERVERPHP_AUTH_USER
_SERVERPHP_AUTH_PW
_SERVERPHP_AUTH_TYPE
...but to get PHP to cook in LDAP without
apache....

22
PHP and LDAP

Prerequisites
LDAP SDK installed configured.
You dont need an LDAP server on the box...
Get SSL support installed configured
From the PHP source
in ./
./configure --with-ldapPATH
Uncomment the module in php.ini

23
Using LDAP in PHP
sr someuser ldappwd somepass dn
OUUsers,DCyourdomain,DCcom filterusers
(CN) conn ldap_connect(server) If
(!ldap_bind(conn, ldapusr, ldappwd) ) die(
No LDAP Bind. Nuts!) srch
ldap_search(conn, dn, filterusers) results
ldap_get_entries(conn, srch) usercount
resultscount for (c0 c c) echo resultscdisplayname .
"\n" ldap_unbind(conn) ?
24
PHP LDAP API

ldap_add Add entries to LDAP directory
ldap_bind Bind to LDAP directory
ldap_close Alias of ldap_unbind
ldap_compare Compare value of attribute found
in entry specified with DN
ldap_connect Connect to an LDAP server
ldap_count_entries Count the number of entries
in a search
ldap_delete Delete an entry from a directory
ldap_dn2ufn Convert DN to User Friendly Naming
format
ldap_err2str Convert LDAP error number into
string error message
ldap_errno Return the LDAP error number of the
last LDAP command
ldap_error Return the LDAP error message of the
last LDAP command
ldap_explode_dn Splits DN into its component
parts
ldap_first_attribute Return first attribute
ldap_first_entry Return first result id
ldap_first_reference Return first reference
ldap_free_result Free result memory
ldap_get_attributes Get attributes from a
search result entry
ldap_get_dn Get the DN of a result entry
ldap_get_entries Get all result entries

ldap_get_values_len Get all binary values from
a result entry
ldap_get_values Get all values from a result
entry
ldap_list Single-level search
ldap_mod_add Add attribute values to current
attributes
ldap_mod_del Delete attribute values from
current attributes
ldap_mod_replace Replace attribute values with
new ones
ldap_modify Modify an LDAP entry
ldap_next_attribute Get the next attribute in
result
ldap_next_entry Get next result entry
ldap_next_reference Get next reference
ldap_parse_reference Extract information from
reference entry
ldap_parse_result Extract information from
result
ldap_read Read an entry
ldap_rename Modify the name of an entry
ldap_sasl_bind Bind to LDAP directory using
SASL
ldap_search Search LDAP tree
ldap_set_option Set the value of the given
option
ldap_set_rebind_proc Set a callback function to
do re-binds on referral chasing
ldap_sort Sort LDAP result entries

25
LDAP Browser Software

All LDAP browsers suck

26
LDAP Browsers from worst to not as bad

LDAP Browser/Editor
JXplorer
Apache Studio One
For web based administration
phpLDAPAdmin

27
LDAP Browser/Editor

That crappy LDAP browser app that everyone uses
http//www.mcs.anl.gov/gawor/ldap/
Not really free for commercial use
Ugly AWT
The author is worse at naming software than I am.

28
JXplorer

Open Source Software
Decent AD Support (When I finish writing and
submitting the patch)
Not a very active project
Was originally developed by Computer Associates
The code seems well documented

29
Apache Studio One

Eclipse with LDAP browsing plugins
Probably possible to add ldap plugins to other
Ellipse setups
Most mature browser
A bit resource heavy
Its eclipse (you might like or hate it.)

30
Show me the screenshots
31
JXPlorer
32
LDAP Browser/Editor
33
phpLDAPAdmin
34
What is my Active Directory LDAP servers
hostname?

How the simple php programmer can connect to the
companies LDAP server without bothering the
Windows Admin

35
Scenario

Youre the company programmer/unix admin
The windows admin cant give you the name of the
LDAP server
No time to research
Doesnt know what LDAP is
You are also the windows admin

36
Scenario (cont.)

You want to use LDAP (presumably in PHP)
You have authorization to do this
You have a user account on the windows domain.

37
What are my domain credentials?

Environmental variables
USERDNSDOMAINTurn foo.com into dcfoo,dccom
to get basedn
USERNAME_at_USERDOMAINThis is the user name you
bind as
Password
Refer to the post it note on your monitor

38
What's the ldap servers hostname?

You have to do a DNS query
Record _ldap._tcp.foo.com
Record Type SRV

39
Whats a SRV?

An SRV record or Service record is a category of
data in the Internet Domain Name
System specifying information on available
services. It is defined in RFC 2782. Newer
internet protocols such as SIP and XMPP often
require SRV support from clients.
http//en.wikipedia.org/wiki/SRV_record

40
Whats a SRV? (cont)