Предопределённые константы ldap

Содержание

XLVIII. LDAP functions

LDAP is the Lightweight Directory Access Protocol, and is a protocol used to access «Directory Servers». The Directory is a special kind of database that holds information in a tree structure.

The concept is similar to your hard disk directory structure, except that in this context, the root directory is «The world» and the first level subdirectories are «countries». Lower levels of the directory structure contain entries for companies, organisations or places, while yet lower still we find directory entries for people, and perhaps equipment or documents.

To refer to a file in a subdirectory on your hard disk, you might use something like:

The forwards slash marks each division in the reference, and the sequence is read from left to right.

The equivalent to the fully qualified file reference in LDAP is the «distinguished name», referred to simply as «dn». An example dn might be:

cn=John Smith,ou=Accounts,o=My Company,c=US

The comma marks each division in the reference, and the sequence is read from right to left. You would read this dn as:

country = US
organization = My Company
organizationalUnit = Accounts
commonName = John Smith

In the same way as there are no hard rules about how you organise the directory structure of a hard disk, a directory server manager can set up any structure that is meaningful for the purpose. However, there are some conventions that are used. The message is that you can not write code to access a directory server unless you know something about its structure, any more than you can use a database without some knowledge of what is available.

Lots of information about LDAP can be found at

The Netscape SDK contains a helpful Programmer’s Guide in HTML format.

You will need to get and compile LDAP client libraries from either the University of Michigan ldap-3.3 package or the Netscape Directory SDK 3.0 to compile PHP with LDAP support.

LDAP support in PHP is not enabled by default. You will need to use the —with-ldap[=DIR] configuration option when compiling PHP to enable LDAP support. DIR is the LDAP base install directory.

Note to Win32 Users: In order to enable this module on a Windows environment, you must copy libsasl.dll from the DLL folder of the PHP/Win32 binary package to the SYSTEM32 folder of your windows machine. (Ex: C:\WINNT\SYSTEM32 or C:\WINDOWS\SYSTEM32)

�� php.ini .

�� 1. LDAP configuration options

Name	Default	Changeable
ldap.max_links	«-1»	PHP_INI_SYSTEM

�� .

�� , �� PHP �� , �� .

LDAP Functions

�� PHP
��.	��.

LXIV. LDAP Functions

LDAP is the Lightweight Directory Access Protocol, and is a protocol used to access «Directory Servers». The Directory is a special kind of database that holds information in a tree structure.

To refer to a file in a subdirectory on your hard disk, you might use something like:

The forwards slash marks each division in the reference, and the sequence is read from left to right.

The equivalent to the fully qualified file reference in LDAP is the «distinguished name», referred to simply as «dn». An example dn might be:

cn=John Smith,ou=Accounts,o=My Company,c=US

The comma marks each division in the reference, and the sequence is read from right to left. You would read this dn as:

country = US
organization = My Company
organizationalUnit = Accounts
commonName = John Smith

Lots of information about LDAP can be found at

LDAP support in PHP is not enabled by default. You will need to use the —with-ldap[=DIR] configuration option when compiling PHP to enable LDAP support. DIR is the LDAP base install directory. To enable SASL support, be sure —with-ldap-sasl[=DIR] is used, and that sasl.h exists on the system.

Note to Win32 Users: In order to enable this module on a Windows environment, you must copy several files from the DLL folder of the PHP/Win32 binary package to the SYSTEM folder of your windows machine. (Ex: C:\WINNT\SYSTEM32 , or C:\WINDOWS\SYSTEM ). For PHP libsasl.dll , for PHP >= 4.3.0 copy libeay32.dll and ssleay32.dll to your SYSTEM folder.

In order to use Oracle LDAP libraries, proper Oracle environment has to be set.

�� php.ini .

�� 1. LDAP configuration options

Name	Default	Changeable	Changelog
ldap.max_links	«-1»	PHP_INI_SYSTEM

�� .

�� , �� PHP �� , �� .

Retrieve information for all entries where the surname starts with «S» from a directory server, displaying an extract with name and email address.

�� 1. LDAP search example

// basic sequence with LDAP is connect, bind, search, interpret search
// result, close connection

LDAP query test

» ;
echo «Connecting . » ;
$ds = ldap_connect ( «localhost» ); // must be a valid LDAP server!
echo «connect result is » . $ds . «
» ;

if ( $ds ) <
echo «Binding . » ;
$r = ldap_bind ( $ds ); // this is an «anonymous» bind, typically
// read-only access
echo «Bind result is » . $r . «
» ;

echo «Searching for (sn=S*) . » ;
// Search surname entry
$sr = ldap_search ( $ds , «o=My Company, c=US» , «sn=S*» );
echo «Search result is » . $sr . «
» ;

echo «Number of entires returned is » . ldap_count_entries ( $ds , $sr ) . «
» ;

echo «Getting entries .

» ;
$info = ldap_get_entries ( $ds , $sr );
echo «Data for » . $info [ «count» ] . » items returned:

for ( $i = 0 ; $i $info [ «count» ]; $i ++) <
echo «dn is: » . $info [ $i ][ «dn» ] . «
» ;
echo «first cn entry is: » . $info [ $i ][ «cn» ][ 0 ] . «
» ;
echo «first email entry is: » . $info [ $i ][ «mail» ][ 0 ] . »
» ;
>

echo «Closing connection» ;
ldap_close ( $ds );

Unable to connect to LDAP server

Before you can use the LDAP calls you will need to know ..

The name or address of the directory server you will use

The «base dn» of the server (the part of the world directory that is held on this server, which could be «o=My Company,c=US»)

Whether you need a password to access the server (many servers will provide read access for an «anonymous bind» but require a password for anything else)

The typical sequence of LDAP calls you will make in an application will follow this pattern:

ldap_connect() // establish connection to server
|
ldap_bind() // anonymous or authenticated «login»
|
do something like search or update the directory
and display the results
|
ldap_close() // «logout»

��

�� , �� PHP �� , �� .

LDAP_DEREF_NEVER ( integer ) LDAP_DEREF_SEARCHING ( integer ) LDAP_DEREF_FINDING ( integer ) LDAP_DEREF_ALWAYS ( integer ) LDAP_OPT_DEREF ( integer ) Specifies alternative rules for following aliases at the server. LDAP_OPT_SIZELIMIT ( integer )

Specifies the maximum number of entries that can be returned on a search operation.

��: The actual size limit for operations is also bounded by the server’s configured maximum number of return entries. The lesser of these two settings is the actual size limit.

��: The actual time limit for operations is also bounded by the server’s configured maximum time. The lesser of these two settings is the actual time limit.

��
��

01.10.2020 — 05:20: ��, ��, �� — Upbringing, Inlightening, Education ->
[center][Youtube]69vJGqDENq4[/Youtube][/center]
[center]14:36[/center]
Osievskii Global News
29 ��. �� 05:20, 01.10.2020 �.’ target=_top>�� — ��_��.
30.09.2020 — 12:51: ��, ��, �� — Upbringing, Inlightening, Education ->
[center][Ok]376309070[/Ok][/center]
[center]11:03[/center] �� 12:51, 30.09.2020 �.’ target=_top>�� — ��_��.
30.09.2020 — 11:53: ��, ��, �� — Upbringing, Inlightening, Education ->
[center][Youtube]VVQv1EzDTtY[/Youtube][/center]
[center]10:43[/center]

�� https://cursorinfo.co.il/all-news/rav.
�� https://t.me/peshekhonovandrei
�� https://twitter.com/Andrey54708595
�� https://www.instagram.com/andreipeshekhonow/

[b]�� :
�� : �� — �� , �� ?
— ��, ��, �� , � �� , �� . �� .

[center][Youtube]CLegyQkMkyw[/Youtube][/center]
[center]10:22 [/center]

�� : �� (�� ):
https://tainy.net/22686-predskazaniya-dominika-rikardi-o-budushhem-rossii-sdelannye-v-2000-godu.html

�� / �� (�� = ��-��-��-��)
http://av-inf.blogspot.com/2013/12/dalles.html

[center][b]�� [/center]

[center][Youtube]CLegyQkMkyw[/Youtube][/center]
[center]10:22 [/center]

�� : �� (�� ):
https://tainy.net/22686-predskazaniya-dominika-rikardi-o-budushhem-rossii-sdelannye-v-2000-godu.html

�� / �� (�� = ��-��-��-��)
http://av-inf.blogspot.com/2013/12/dalles.html

[center][b]�� [/center]

��

�� , �� PHP �� , �� .

LDAP_DEREF_NEVER (integer) LDAP_DEREF_SEARCHING (integer) LDAP_DEREF_FINDING (integer) LDAP_DEREF_ALWAYS (integer) LDAP_OPT_DEREF (integer) LDAP_OPT_SIZELIMIT (integer) LDAP_OPT_TIMELIMIT (integer) LDAP_OPT_NETWORK_TIMEOUT (integer) Option for ldap_set_option() to allow setting network timeout. (Available as of PHP 5.3.0) LDAP_OPT_PROTOCOL_VERSION (integer) LDAP_OPT_ERROR_NUMBER (integer) LDAP_OPT_REFERRALS (integer) LDAP_OPT_RESTART (integer) LDAP_OPT_HOST_NAME (integer) LDAP_OPT_ERROR_STRING (integer) LDAP_OPT_MATCHED_DN (integer) LDAP_OPT_SERVER_CONTROLS (integer) LDAP_OPT_CLIENT_CONTROLS (integer) LDAP_OPT_DEBUG_LEVEL (integer) GSLC_SSL_NO_AUTH (integer) GSLC_SSL_ONEWAY_AUTH (integer) GSLC_SSL_TWOWAY_AUTH (integer)

LDAP. �� LDAP ��

� �� 389 Directory Server (�� Fedora Directory Server, �� Redhat Directory Server). �� , �� LDAP. �� LDAP, � �� Wikipedia (�� c�� , � �� LDAP).

��, �� , �� (�� LDAP-��). LDAP-��, � ��, �� , � ��, �� . LDAP-�� , � �� .

�� , �� : � �� LDAP? �� MySQL �� PostgreSQL? �� =)

�� RDBMS �� :

�� . �� /�� LDAP;
�� , �� , �� ;
�� , � �� : �� rollback’��, �� , �� RDBMS;
�� , �� , �� , �� ;
��-�� , �� .

�� 389 Directory Server. �� LDAP �� Netscape (�� , �� ).

�� LDAP-��:

�� . �� , �� MM-��, �� , �� changelog �� . MM-�� master-slave � �� , �� . �� , �� , �� , �� ;
�� ACL. � �� ACL �� , ��, �� LDAP-��, � �� . ACL �� , �� , �� , �� .
�� Microsoft Active Directory. �� , �� (�� AD � 389-ds �� )
SSL/TLS. �� SSL/TLS �� . 389-ds �� /�� SSL-��. �� . �� .
�� LDAP. �� cn=config, �� . �� /�� task-� �� cn=tasks,cn=config.
Plugins. �� plugin-�� (MM-��, �� AD, ACL, � �.�.). �� plugin �� , �.�. �� .

�� 389 Directory Server �� .

�� 389 Directory Server

389 DS �� .

�� . �� ns-slapd, �� , �� , �� , �� , � �.�.
�� (Administration Server). �� . �� HTTP(S), �� -�� . �� apache + �� ns-slapd.
�� . Java-��, �� . �� windows � linux, �� mac os �� X-�� linux-��.

�� , �� , �� , � �� . �� .

��, ��. �� . �� , �� multimaster-�� IP-�� (pacemaker + openais).

�� , �� IP � �� .

�� IP-�� LDAP00, �� , � �� , �� LDAP01.

�� ns-slapd �� , ��, �� .�. �� Administration Server (�� admin server). admin server �� LDAP ��, �� run-time ��. �� admin server �� , �� , �� : �� admin server-�, � �� . � �� LDAP-��, �� .

�� ldap00 � ldap01. �� LDAP ��, �� admin server-��, �� .
�� :

�� ldap00;
�� ldap00;
�� ldap �� ldap01;
�� admin server-� �� ldap01;
�� ldap �� .

�� ldap00

�� rpm �� EPEL �� Centos, RHEL � Fedora Core. �� EPEL � �� yum.

�� SLES, �� OpenSUSE Build Service. �� debian/ubuntu � �� .

�� 389 DS �� perl ��, �� .

�� :

setup-ds.pl � �� LDAP-��, �� admin server-�;
setup-ds-admin.pl � �� admin server, �� LDAP-�� ;
register-ds-admin.pl � �� admin server-�, �� admin server;
remove-ds.pl � �� ;
remove-ds-admin.pl � �� admin server � �� ;
dsktune � �� , �� , �� .

�� dsktune:

# dsktune
389 Directory Server system tuning analysis version 10-AUGUST-2007.

NOTICE: System is x86_64-unknown-linux2.6.27.42-0.1-xen (1 processor).

NOTICE: The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.

�� , �� . � �� net.ipv4.tcp_keepalive_time � �� .

tcp_keepalive_time � �� keepalive. �� , �� , �� (�� 120 ��). �� 10 ��.

echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time

�� /etc/sysctl.conf:

�� /etc/security/limits.conf:

�� dsktune � ��, �� .

�� setup-ds-admin.pl
�� , �� 389 Directory � Administration Server, �� , �� dsktune �, ��, �� .

1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.

2. Typical
Allows you to specify common defaults and options.

3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]:

�� (�� experienced server administrators =) )

�� FQDN � ��/��, �� (��) �� LDAP-��.

If you do not yet have a configuration directory server, enter ‘No’ to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]:

�� , �� . �� , �� No.

�� admin server-�: administrator ID, ��, Administration Domain, �� (�� ).

�� , �� LDAP-��. �� , �� , �� admin server-�, �� 6389. �� Directory server identifier. �� config-instance. �� , �� , �� .

�� Directory Manager DN.

Directory Manager � �� root-� � LDAP-��. � �� Directory Manager.

�� Directory Manager-�, �� root suffix � �� -�� , �� , IP-�� admin server �� . �� .

�� ldap00

�� 389-console.

� �� Adminstration URL �� admin server-� � �� .

�� . � �� , �� .

�� dc=edu,dc=scalaxy,dc=local

� �� , � �� admin server-�.

�� .

� �� , supplier � consumer.

supplier � ��, �� .

�� supplier ��:

�� ;
�� ;
�� consumer ��.

supplier �� , �� , � �� .

�� supplier �� , �� .

consumer � ��, �� . � �� , �� supplier-�� consumer-��.

consumer ��:

�� read �� ;
�� ;
�� , �� , �� supplier ��.

�� supplier �� changelog, � �� , �� .

Supplier �� consumer ��.

��, �� , �� .

�� changelog-� �� , �� Replication. Changelog �� .

�� NetscapeRoot. �� Replica ID � Supplier DNs.

Supplier DN � �� , �� LDAP-��. �� LDAP-��, �� .

�� ldapmodify. �� LDAP � �� ldif ��.

ldapmodify -h 127.0.0.1 -p 6389 -x -D «cn=root» -W
Enter LDAP Password:
dn: cn=replication manager,cn=config
changetype: add
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:

��
adding new entry «cn=replication manager,cn=config»

��, � �� :

�� Replication Agreement �� . � �� NetscapeRoot �� New Replication Agreement � �� :

�� , �� (�� ), �� , �� Do not initialize consumer.

�� ldap �� ldap01

�� LDAP-��. � �� , �.�. �� admin server-� �� LDAP-�� ldapmodify (�� , �� , �� ).

�� setup-ds.pl �� , �� admin server-��.

�� .

�� LDAP-�� ldapmodify � ��.

�� :

ldapmodify -h 127.0.0.1 -p 6389 -D «cn=root» -W

dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-ldap01/changelogdb

changelogdir �� .

2) �� replication manager:

dn: cn=replication manager,cn=config
changetype: add
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:

20380119031407Z ��, �� .

3) �� netscaperoot:

dn: cn=»o=netscaperoot»,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: NetscapeRoot
cn: «o=netscaperoot»

4) �� netscaperoot:

dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: o=netscaperoot

��, 389 DS �� Berkeley DB. �� , �� .

5) �� o=NetScapeRoot:

dn: o=NetscapeRoot
changetype: add
objectClass: organization
objectClass: top
o: NetscapeRoot

6) �� o=netscaperoot:

dn: cn=replica,cn=»o=netscaperoot», cn=mapping tree, cn=config
changetype: add
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaId: 2
nsDS5ReplicaRoot: o=netscaperoot
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsds5ReplicaChangeCount: 0
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaType: 3

�� nsDS5ReplicaId �� (nsDS5ReplicaType � �� , 3 � multimaster).

�� ldap00 �� ldap01.

�� :

7) �� ldap01 �� ldap00:

dn: cn=Multimaster replication, cn=replica, cn=»o=netscaperoot», cn=mapping
tree, cn=config
changetype: add
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: Multimaster replication
description: replication for netscaperoot
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsds5replicaChangesSentSinceStartup:
nsDS5ReplicaCredentials:

nsDS5ReplicaHost: ldap00.edu.scalaxy.local
nsDS5ReplicaPort: 6389
nsDS5ReplicaRoot: o=netscaperoot
nsDS5ReplicaTransportInfo: LDAP
nsds5replicaUpdateInProgress: FALSE

nsDS5ReplicaBindDN � �� , ��
nsDS5ReplicaCredentials � ��

�� ldap00 �� ldap01:

�� �� �� :
dn: cn=Multimaster replication,cn=replica,cn=»o=netscaperoot»,cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start

�� ldap00 �� ldap01, �� , �� o=netscaperoot.

�� admin server-�.

�� admin server-� �� ldap01

�� admin server �� . �� register-ds-admin.pl

�� Configuration directory server URL, �� LDAP URL �� ldap://ldap01.edu.scalaxy.local:6389/o=NetscapeRoot

�� , �� .

�� ldap ��

�� admin server-�.

�� Server Group �� LDAP server-�, �� LDAP-server, � �� .

�� (�� GUI, �� ).

��! �� ! �� openais+pacemaker, �� .

Предопределенные константы

Перечисленные ниже константы определены данным расширением и могут быть доступны только в том случае, если PHP был собран с поддержкой этого расширения или же в том случае, если данное расширение подгружается во время выполнения.

LXXII. LDAP Functions

LDAP is the Lightweight Directory Access Protocol, and is a protocol used to access «Directory Servers». The Directory is a special kind of database that holds information in a tree structure.

To refer to a file in a subdirectory on your hard disk, you might use something like:

The forwards slash marks each division in the reference, and the sequence is read from left to right.

The equivalent to the fully qualified file reference in LDAP is the «distinguished name», referred to simply as «dn». An example dn might be:

cn=John Smith,ou=Accounts,o=My Company,c=US

The comma marks each division in the reference, and the sequence is read from right to left. You would read this dn as:

country = US
organization = My Company
organizationalUnit = Accounts
commonName = John Smith

Lots of information about LDAP can be found at

The Netscape SDK contains a helpful Programmer’s Guide in HTML format.

You will need to get and compile LDAP client libraries from either OpenLDAP or Bind9.net in order to compile PHP with LDAP support.

Note to Win32 Users: In order to enable this module on a Windows environment, you must copy several files from the DLL folder of the PHP/Win32 binary package to the SYSTEM folder of your windows machine. (Ex: C:\WINNT\SYSTEM32 , or C:\WINDOWS\SYSTEM ). For PHP libsasl.dll , for PHP >= 4.3.0 copy libeay32.dll and ssleay32.dll to your SYSTEM folder.

In order to use Oracle LDAP libraries, proper Oracle environment has to be set.

�� php.ini .

�� 1. LDAP configuration options

Name	Default	Changeable	Changelog
ldap.max_links	«-1»	PHP_INI_SYSTEM

�� .

�� , �� PHP �� , �� .

Retrieve information for all entries where the surname starts with «S» from a directory server, displaying an extract with name and email address.

�� 1. LDAP search example

// basic sequence with LDAP is connect, bind, search, interpret search
// result, close connection

LDAP query test

» ;
echo «Connecting . » ;
$ds = ldap_connect ( «localhost» ); // must be a valid LDAP server!
echo «connect result is » . $ds . «
» ;

if ( $ds ) <
echo «Binding . » ;
$r = ldap_bind ( $ds ); // this is an «anonymous» bind, typically
// read-only access
echo «Bind result is » . $r . «
» ;

echo «Searching for (sn=S*) . » ;
// Search surname entry
$sr = ldap_search ( $ds , «o=My Company, c=US» , «sn=S*» );
echo «Search result is » . $sr . «
» ;

echo «Number of entires returned is » . ldap_count_entries ( $ds , $sr ) . «
» ;

echo «Getting entries .

» ;
$info = ldap_get_entries ( $ds , $sr );
echo «Data for » . $info [ «count» ] . » items returned:

echo «Closing connection» ;
ldap_close ( $ds );

Unable to connect to LDAP server

Before you can use the LDAP calls you will need to know ..

The name or address of the directory server you will use

The «base dn» of the server (the part of the world directory that is held on this server, which could be «o=My Company,c=US»)

Whether you need a password to access the server (many servers will provide read access for an «anonymous bind» but require a password for anything else)

The typical sequence of LDAP calls you will make in an application will follow this pattern:

XLVIII. LDAP functions

LDAP is the Lightweight Directory Access Protocol, and is a protocol used to access «Directory Servers». The Directory is a special kind of database that holds information in a tree structure.

To refer to a file in a subdirectory on your hard disk, you might use something like:

The forwards slash marks each division in the reference, and the sequence is read from left to right.

The equivalent to the fully qualified file reference in LDAP is the «distinguished name», referred to simply as «dn». An example dn might be:

cn=John Smith,ou=Accounts,o=My Company,c=US

The comma marks each division in the reference, and the sequence is read from right to left. You would read this dn as:

country = US
organization = My Company
organizationalUnit = Accounts
commonName = John Smith

Lots of information about LDAP can be found at

The Netscape SDK contains a helpful Programmer’s Guide in HTML format.

You will need to get and compile LDAP client libraries from either the University of Michigan ldap-3.3 package , Netscape Directory SDK 3.0 or OpenLDAP to compile PHP with LDAP support.

LDAP support in PHP is not enabled by default. You will need to use the —with-ldap[=DIR] configuration option when compiling PHP to enable LDAP support. DIR is the LDAP base install directory.

Note to Win32 Users: In order to enable this module on a Windows environment, you must copy libsasl.dll from the DLL folder of the PHP/Win32 binary package to the SYSTEM32 folder of your windows machine. (Ex: C:\WINNT\SYSTEM32 or C:\WINDOWS\SYSTEM32)

�� php.ini .

�� 1. LDAP configuration options

Name	Default	Changeable
ldap.max_links	«-1»	PHP_INI_SYSTEM

�� .

�� , �� PHP �� , �� .

4.5.19 �� LDAP (Lightweight Directory Access Protocol)

�� .�. (��-��)
Yu. Semenov (ITEP-MIPT)

1. ��

LDAP (Lightweight Directory Access Protocol) �� -�� , �� X.500 (1993�). �� (��, X.511). �� «�� , �� » [X.500]. �� , �� -�� , �� (Directory) �� DUA (Directory User Agent). �� DSA (Directory System Agents). �� , �� . �� (directory) �� : ��, �� (��) �� . �� TCP/IP �� 389. �� (entries). �� , �� . �� . �� (�� ) � �� . �� , �� DIT (Directory Information Tree). �� . �� , �� , �� . LDAP �� , � �� . LDAP-�� . �� , �� .

�� , �� , �� . �� , ��:

�� , �� .
�� , �� .
�� , �� .
�� OID � �� , �� , � �� .
�� .
�� , �� RDN ��.
�� , �� .
�� , �� , �� .

�� , �� , � �� , �� , �� , �� , � �� .

�� , �� , �� .

�� . �� objectClass, �� , �� . �� , �� — ��, ��, �� . �� , �� , �� .

��, ��, �� , �� «top» � «person». �� «person» �� «sn» � «cn», � �� «userPassword», «telephoneNumber», � �� . �� ObjectClasses, �� , �� , �� . ObjectClasses �� , � �� ObjectClasses, �� . �� objectClass �� -�� LDAP objectClass � LDAP-��, ��.

�� , �� DN (Distinguished Name). DN �� , ��-�� . �� subschemaSubentry. (�� , � �� , � �� , �� ).

�� LDAP �� , �� . �� LDAP-��, �� , �� DN. �� LDAP-�� DNS-�� (SRV).

�� example.org �� LDAP DN dc=example,dc=org (�� dc �� ). �� LDAP-�� ldap.example.org, �� LDAP URL �� ldap://ldap.example.org/dc=example,dc=org.

�� , �� X.500 [2008], �� and LDAPv3, �� ITU � IETF RFC. �� , �� , ��, c=US, c=FR. �� , �� . �� c=FR, o=�� , ou=�� , L=Locality, �� : c=US, st=CA, o=�� , ou=�� , L=Locality � CN=�� (Common Name).

�� LDAP Tutorial. Brad Marshall (�� LDAP) � LDAPSEARCH (�� LDAP); LDAP Theory and Management. Brad Marshall.; LDAP Servers and Applications. Brad Marshall.

�� : �� DN. �� RDN (Relative Distinguished Name), �� , �� DN �� . DN �� , � RDN — �� (��. �� C:\foo\bar\myfile.txt, �� DN, �� myfile.txt �� RDN). LDAP �� .

�� (�� LDAP = LDIF):

�� dc=example,dc=com �� Yuri Semenov �� :

$ ldapsearch -b dc=example,dc=com «(cn=Yuri Semenov)».

�� , �� , �� .

«dn» �� ; �� . «cn=John Doe» �� RDN ��, � «dc=example,dc=com» �� DN �� , �� «dc» �� ‘Domain Component’. � �� . �� , ��, «cn» common name (�� ), «dc» — domain component (�� ), «mail» — e-mail �� «sn» — �� (surname). �� -�� . 1.

��. 1. �� -�� LDAP

�� , �� , ��. «dc=example,dc=com» � �� . �� , �� «ou=department,dc=example,dc=com» �� , �� . �� . �� , �� .

�� 3 �� LDAP (LDAPv3 — 1997�)). �� :

�� [RFC-4510]
�� [RFC-4511]
�� [RFC-4512]
�� [RFC-4513]
�� [RFC-4514]
�� [RFC-4515]
�� (URL) [RFC-4516]
�� [RFC-4517]
�� [RFC-4518]
�� [RFC-4519]

�� , �� RFC-3377, RFC-2830 �� RFC-2251, �� . �� RFC-4511, �� .

2. ��

�� Unicode. ��, �� «a» �� .

�� «�� » �� , �� .

�� «�� TLS» �� (TLS), �� .

�� «�� SASL» �� SASL, �� .

�� «�� LDAP» �� LDAP, �� .

�� «�� LDAP» �� (�� , �� TLS, �� SASL, �� LDAP).

3. ��

� �� , �� , �� . � �� , �� , �� , �� . �� . �� , �� .

�� . �� , �� .

�� , �� , �� , �� . �� . �� , �� . �� , �� , �� X.500.

��, �� LDAP-�� X.500 �� DAP. LDAP �� DAP. �� X.500 � �� DAP-��, �� LDAP.

3.1. �� LDAP

�� LDAP. �� , �� LDAP-�� (�� ) �� (�� ). �� , �� , �� .

4. ��

�� ASN.1 (Abstract Syntax Notation One) � �� ([BER]).

� �� .

�� , �� , �� ‘supportedLDAPVersion’ � �� DSE (Distinguished Service Entry) [RFC4512].

4.1. ��

�� LDAPMessage, � �� , �� .

4.1.1. ��

�� LDAPMessage, �� :

�� LDAPMessage �� , �� , �� . �� messageID � �� .

�� LDAPMessage, � �� LDAPMessage �� , �� messageID �� , �� protocolOp �� , �� , �� Notice �� Disconnection �� 4.4.1, �� resultCode �� protocolError, � �� LDAP �� .

� ��, �� LDAP PDU, �� LDAP �� . � �� resultCode �� protocolError.

4.1.1.1. MessageID

�� LDAPMessage ��, �� messageID, �� LDAPMessage ��.

�essageID �� , �� messageID �� LDAP. �� .

�� .

�� messageID, �� , �� , �� (��., �� ). � �� .

4.1.2. ��

LDAPString �� , �� LDAPString-�� ASN.1 �� [ISO10646] (�� [Unicode] � �� UTF-8 [RFC3629]). ��, �� U+0000 �� U+007F �� ASCII � 0 �� 127, ��, � �� UTF-8. �� UTF-8.

LDAPOID �� , �� (UTF-8 ��) ��-�� �� . �� LDAPOID �� , �� , �� 1.4 [RFC4512].

4.1.3. ��

LDAPDN �� DN (Distinguished Name), �� [RFC4514].

RelativeLDAPDN �� RDN (Relative Distinguished Name), �� [RFC4514] .

4.1.4. ��

�� 2.5 [RFC4512]. ��, �� .

4.1.5. ��

�� AttributeValue �� , �� . �� LDAP. �� LDAP �� [RFC4517].

AttributeValue ::= OCTET STRING

��, �� ; �� , �� (��., ��).

�� . �� , �� . �� ‘attributeTypes’ �� [RFC4512].

�� , �� , �� .

4.1.6. ��

�� AttributeValueAssertion (AVA) �� X.500. �� ([RFC4512], �� 4.1.3) �� .

�� AssertionValue �� LDAP. ��, �� EQUALITY �� , �� Compare. �� , �� , �� . ��, ��, objectIdentiferFirstComponentMatch � [RFC4517].

4.1.7. �� PartialAttribute

�� . �� PartialAttribute �� , � �� , �� , �� .

� �� 2.2 [RFC4512] �� .

4.1.8. ��

�� 4.1.3 [RFC4512]. �� , �� [RFC4512], ��., ‘caseIgnoreMatch’ �� ‘2.5.13.2’.

4.1.9. ��

LDAPResult �� , �� , �� . �� , �� , �� LDAPResult, �� .

�� resultCode �� , �� 3.8 [RFC4520]. ��, �� , �� A. �� , �� . �� , �� .

�� diagnosticMessage �� , �� , �� , �� , �� , �� , �� resultCode. �� , diagnosticMessage �� .

�� (��, �� noSuchObject, aliasProblem, invalidDNSyntax � aliasDereferencingProblem), �� matchedDN �� (�� ) �� (�� ). �� .

�� , �� , �� . � �� matchedDN �� .

4.1.10. �� (referrals)

�� , �� , � �� . �� :

�� , �� -��.
�� — �� -�� , �� .

�� referral �� LDAPResult, �� (resultCode) �� referral, � �� .

��-Referrals � LDAP

�� , �� LDAP �� . �� (�� Unbind � Abandon, �� ). � ReferralAt �� URI.

�� (Search), �� baseObject ��, � �� , �� referral �� . �� , �� , �� (��. �� 4.5.3).

�� , �� , �� (referral). �� URI, �� , �� URI. ��, �� referrals �� , �� . �� . �� , �� referral �� , �� , �� , � �� .

URI �� , �� LDAP � �� TCP/IP (v4 �� v6) [RFC793][RFC791], �� LDAP URL �� [RFC4516].

�� Referral, �� LDAP URLs �� :

�� , -�� LDAP URL �� .
��, �� -�� , �� .
�� -�� , �� , �� , � �� , �� , �� .
�� (��., �� ) �� URL � referral �� .
�� LDAP URL, �� , �� , � �� , �� , �� (Search).
�� , �� .
�� , �� .
�� , �� (��).

�� URI. �� URI �� . �� URI, �� .

��, �� UTF-8, �� DN, �� referral, �� URI (��., ��) � �� %-��, �� [RFC3986].

4.1.11. ��

Controls �� , �� LDAP �� . �� LDAP. �� , � �� .

��, �� , �� , � �� — �� .

�� controlType �� -�� , �� . �� . ��, �� , �� controlType, �� .

�� , �� (�� UnbindRequest). �� , �� UnbindRequest, �� FALSE, � �� . �� TRUE ��, �� . � �� :

�� , ��, �� , �� -�� , �� TRUE, �� , � �� , �� , �� resultCode �� unavailableCriticalExtension.
�� , ��, �� , �� -�� , �� FALSE, �� .
�� , �� , �� .

controlValue �� , �� controlType. �� . �� controlValue, �� . �� , �� , �� .

�� controlType, �� , � �� ‘supportedControl’ � �� DSE (�� 5.1 [RFC4512]).

�� , �� . �� , �� , �� (�� ), �� , �� protocolError. �� FALSE �� .

�� , �� , �� , �� (SEQUENCE). �� , �� , �� , � �� protocolError. �� FALSE �� .

�� . ��, �� , �� :

OBJECT IDENTIFIER �� ,
��, �� (��, �� , �� , �� ),
�� controlValue, �, �� , �� ,
��
��, �� .

4.2. �� Bind

�� Bind �� . �� Bind �� . �� [RFC4513].

�� Bind �� :

�� BindRequest ��:

��

�� . �� , �� BindResponse, �� resultCode �� protocolError.

��: �� , �� Directory, � �� . �� (�� ) �� ([RFC4513], �� 5.1) �� SASL [RFC4422] �� ([RFC4513], �� 5.2). �� , �� .

��: ��, �� . �� , �� 3.7 [RFC4520]. ��, �� , �� , �� BindResponse � �� resultCode �� authMethodNotSupported.

�� (�� ) �� AuthenticationChoice �� UTF-8 [RFC3629] [Unicode]. �� SASLprep [RFC4013] �� [RFC3454]. ��, �� (�� ) �� . �� , �� , �� .

4.2.1. �� Bind

�� BindRequest, �� , �� . �� , �� . �� Bind. �� BindResponse, �� .

�� BindRequest, �� LDAP PDU �� BindResponse. ��, �� BindRequest.

�� bind �� operationsError, �� BindRequest. �� bind � �� LDAP-��, �� , �� , � �� BindRequest. �� , �� LDAP.

�� Bind, �� Bind. �� Bind �� .

�� SASL, �� BindRequest �� ([RFC4513], �� 5.2). �� Bind-��, �� Bind.

�� SASL-�� BindRequest � �� SaslCredentials, �� AuthenticationChoice.

�� BindRequest �� sasl-�� , �� BindResponse �� resultCode �� authMethodNotSupported. �� , �� SASL.

4.2.2. �� Bind

�� Bind �� .

BindResponse �� .

�� Bind �� BindResponse � �� resultCode, �� . � �� BindResponse. �� BindResponse, �� protocolError, �� , �� , �� , �� .

�� BindResponse, �� resultCode �� protocolError, �� , �� LDAP. � �� (�� ), �� . ��, �� , �� LDAP-��.

�� ServerSaslCreds �� SASL bind, �� , � �� , �� «��-��». �� , �� SASL �� , �� BindResponse.

4.3. �� Unbind

�� Unbind �� LDAP.

�� Unbind �� Bind, �� . �� .

�� Unbind �� «��» («quit»).

�� Unbind �� :

UnbindRequest ::= [APPLICATION 2] NULL

��, �� UnbindRequest, � �� UnbindRequest, �� LDAP, �� 5.3.

�� 3.1.

4.4. ��

�� LDAPMessage, �� , �� -�� LDAPMessage, �� .

�� LDAP-�� .

�� , � �� -�� .

�� LDAPMessage, � �� messageID �� extendedResp, �� ExtendedResponse (�� 4.12).

�� responseName ExtendedResponse �� LDAPOID, �� .

�� (�� ) �� . �� :

�� (�� responseName),
�� responseValue,
��, �� , �
�� .

4.4.1. ��

�� , �� LDAP-�� .

�� , �� .

��, �� Unbind, �� . �� 3.1.

responseName �� 1.3.6.1.4.1.1466.20036, �� responseValue ��t, � resultCode �� .

�� strongerAuthRequired �� resultCode � �� , �� , �� -��.

�� Notice of Disconnection (�� ), �� LDAP-��, �� 5.3.

4.5. ��

�� Search �� , �� .

�� , �� .

4.5.1. ��

�� :

��, �� X.500 �� singleLevel � ��, �� ‘objectClass’, � �� baseObject � �� . ��, �� X.500, �� Read �� List.

4.5.1.1. �� SearchRequest

�� (�� ) �� , �� .

4.5.1.2. �� SearchRequest

�� . �� (�� [X.511]) �� :

baseObject: �� baseObject.

singleLevel: �� , �� baseObject.

wholeSubtree: �� , �� baseObject � �� .

4.5.1.3. SearchRequest.derefAliases

�� , �� (�� [RFC4512]) �� Search.

�� , �� .

�� , �� DoS-�� .

�� :

neverDerefAliases: �� .
derefInSearching: �� , �� . �� , �� Search. �� wholeSubtree, �� . �� singleLevel, �� , �� .

�� , �� -�� .

�� , �� .

�� , �� , �� .

4.5.1.4. �� SearchRequest

�� , �� , �� . �� , �� -�� . �� .

4.5.1.5. SearchRequest.timeLimit

�� , �� (� ��) �� . �� , �� . �� .

4.5.1.6. SearchRequest.typesOnly

�� , �� , �� . �� TRUE �� (� �� ). �� FALSE �� , �� .

4.5.1.7. �� SearchRequest

��, �� , �� .

�� ‘and’, ‘or’ � ‘not’. �� ‘and’ �� ‘or’ �� , �� , �� .

�� [X.511] — «TRUE», «FALSE» �� «Undefined».

�� TRUE �� , �� .

�� FALSE �� Undefined, �� .

�� «and» �� TRUE, �� TRUE, � FALSE, ��, �� , �� FALSE, � �� Undefined. �� «or» �� FALSE, �� FALSE, � TRUE, �� TRUE, � �� Undefined. �� ‘not’ �� TRUE, �� FALSE.

�� Undefined, �� . � �� :

�� equalityMatch, greaterOrEqual, lessOrEqual, approxMatch �� extensibleMatch �� .
�� .
MatchingRuleId � extensibleMatch �� .
�� .
�� .

��, �� shoeSize, abkmnhs (shoeSize=*), (shoeSize=12), (shoeSize>=12), � (shoeSize [RFC4512]). �� , �� , �� .

4.5.3. ��

�� , �� baseObject, �� , �� SearchResultReference, �� . �� -�� SearchResultReference, �� baseObject �, �� , �� . � �� SearchResultDone, �� (referral), �� noSuchObject (� �� baseObject).

�� (�� 5 [RFC4512]), �� , �� , �� SearchResultReference. � �� SearchResultReference �� , �� .

�� SearchResultReference �� , �� Referral.

�� , �� Search �� SearchResultReference, �� . �� URI, �� , �� URI.

��, �� , �� , �� . �� . �� , �� , �� , �� .

��, �� Abandon (��), �� 4.11, �� . �� Search, �� .

URI �� , �� LDAP � �� TCP/IP (v4 �� v6) [RFC793][RFC791] �� LDAP URL � �� [RFC4516].

�� SearchResultReference, �� LDAP URL, �� :

�� -�� LDAP URL, � �� -��. �� , �� .
�� (��., �� ) �� LDAP URL.
�� -�� LDAP URL ��, �� , �� , � �� , �� , �� .
�� singleLevel, -�� LDAP URL �� «��».
�� , ��, �� -��. � �� -��, ��, �� .
�� , �� , �� SearchResultReference.
�� SearchResultReference �� .

�� URI. �� URI �� . �� URI, �� .

�� UTF-8, �� DN, �� , �� referral �� URI (��., ��) � �� %-�� [RFC3986].

4.5.3.1. ��

��, �� (hosta), �� . �� , �� LDAP-�� (hostb) � (hostc) �� (�� , �� — �� ), � �� LDAP-�� (hostd) �� . �� wholeSubtree , �� :

�� , �� SearchResultReference, �� SearchResultReference. �� , �� , �� (hostb), �� Search �� , �� :

��, �� singleLevel , �� :

�� , �� , �� (referral). � �� , �� hosta, �� SearchResultDone, �� .

4.6. ��

�� Modify �� , �� . �� Modify �� :

�� Modify ��:

object: �� , �� . �� , �� , �� .
changes: �� , �� . �� , �� .

� �� (�� DIT (Directory Information Tree)), �� , �� , �� [RFC4512].

operation: �� , �� . �� .

�� :

add: �� , �� , �� , �� .

delete: �� , �� . �� , �� , �� .

relace: �� , �� , �� . �� , �� , � �� , �� .

modification: PartialAttribute (�� ) �� , �� .

�� Modify, �� DIT � �� Modify, �� :

ModifyResponse ::= [APPLICATION 7] LDAPResult

�� Modify, �� DIT, �� , �� . ��-�� Modify, �� , �� DIT �� , �� Modify �� -�� , � �� , �� Modify Response �� Modify. �� , �� , �� Modify (��. , �� LDAP �� Modify ��).

�� , �� , �� . �� Modify �� , �.e., �� , �� DN ��. �� , �� notAllowedOnRDN. �� Modify DN, �� 4.9, �� .

�� , �� , �� 2.5.1 [RFC4512].

��, �� LDAP, �� LDAP ModifyRequest � �� DAP ModifyEntry.

4.7. �� Add

�� Add �� (Directory). �� Add �� :

�� Add ��:

entry:�� , �� . �� , �� .
attributes: �� , ��, �� RDN, �� , �� . �� RDN-�� . �� NO-USER-MODIFICATION, �� createTimestamp �� creatorsName, �� .

�� , �� , � �� . �� , �� , �� 2.5.1 [RFC4512].

�� AddRequest �� . �� , �� . ��, �� , �� , � �� , �� noSuchObject � �� matchedDN, �� .

�� Add �� . �� Add �� Add, �� :

AddResponse ::= [APPLICATION 9] LDAPResult

�� , �� .

4.8. �� Delete

�� Delete �� . �� Delete �� :

DelRequest ::= [APPLICATION 10] LDAPDN

�� Delete �� , �� . �� , �� .

�� (�� ) �� .

�� Delete �� Delete, �� :

DelResponse ::= [APPLICATION 11] LDAPResult

4.9. �� Modify DN

�� Modify DN �� RDN (Relative Distinguished Name) �� /�� . �� Modify DN �� :

�� Modify DN ��:

entry: �� , �� . �� , � �� .
newrdn: �� RDN-��. �� RDN �� RDN.

�� RDN, �� , �� .

deleteoldrdn: �� , �� , �� RDN-�� .
newSuperior: �� , �� , �� .

�� newSuperior.

�� ModifyDNRequest, �� Modify DN, �� :

ModifyDNResponse ::= [APPLICATION 13] LDAPResult

��, �� , �� newrdn �� , � �� newSuperior ��, �� . �� , �� entryAlreadyExists.

�� , �� . �� , �� , �� 2.5.1 [RFC4512].

� newSuperior �� . ��, �� , �� , � �� , �� noSuchObject � �� matchedDN, �� .

�� deleteoldrdn �� TRUE, �� , �� RDN (�� RDN), �� . �� deleteoldrdn �� FALSE, �� , �� RDN, �� .

��, �� X.500 �� ModifyDN �� , �� . �� LDAP-�� DAP, �� affectsMultipleDSAs, �� . ��, �� , �� .

4.10. ��

�� Compare �� . �� Compare �� :

�� :

entry: �� , �� . �� , �� .
ava: �� , �� .

�� Compare, �� Compare, �� :

CompareResponse ::= [APPLICATION 15] LDAPResult

resultCode �� compareTrue, compareFalse �� . compareTrue ��, �� ava �� EQUALITY �� . compareFalse ��, �� ava � �� . �� , �� (�� 4.5.1.7), �� -�� .

��, �� , �� (�� userPassword).

4.11. �� Abandon (��)

�� Abandon �� . �� Abandon �� :

AbandonRequest ::= [APPLICATION 16] MessageID

MessageID �� , �� LDAP-��. �� Abandon �� MessageID. �� MessageID �� , �� .

�� Abandon �� . �� AbandonRequest, �� , �� MessageID. �� , �� Abandon �� , �� .

�� Abandon, Bind, Unbind � StartTLS �� .

� ��, �� Abandon �� , �� SearchResultDone. ��, �� , �� LDAPMessage PDU.

�� Abandon �� , � �� , �� .

�� Abandon �� messageIDs, �� , �� , �� , � �� , �� .

4.12. ��

�� (Extended) �� , �� ; ��, �� (�� 4.14).

�� .

requestName �� -�� , �� . requestValue �� , �� , �� .

�� LDAPMessage, �� ExtendedResponse.

�� responseName, �� , �� LDAPOID, �� . �� (�� LDAPOID �� ). �� , �� LDAPOID �� , ��, �� requestName �� .

�� requestName �� , �� protocolError. (�� protocolError.)

�� requestValue � responseValue �� , �� . �� . �� , �� . ��, �� ASN.1 � BER-�� 5.1, �� 4.

�� requestName �� , �� , � �� ‘supportedExtension’ � �� DSE (�� 5.1 [RFC4512]).

�� . �� :

�� (OBJECT IDENTIFIER) �� requestName,
�� (�� ), �� responseName (��, �� requestName �� responseName),
�� requestValue � responseValue (�� ), �
�� .

4.13. �� IntermediateResponse

� �� Search �� -�� , �� , �� .

�� IntermediateResponse �� LDAP-�� . �� , �� , �� LDAP-�� .

��, �� , �� IntermediateResponse �� , �� IntermediateResponse �� .

�� IntermediateResponse �� , �� , �� . � �� : �� . �� IntermediateResponse �� , �� , � �� . �� :

�� IDENTIFIER (�� ) �� responseName, �� responseValue (�� ), �
��, �� IntermediateResponse.

��, �� IntermediateResponse, �� , �� responseName (��, �� ). � �� 4.13.1 � 4.13.2 �� responseName � responseValue � �� IntermediateResponse.

4.13.1. �� LDAP ExtendedRequest � ExtendedResponse

�� -��/��-�� ExtendedRequest, �� IntermediateResponse �� , �� ExtendedResponse.

4.13.2. �� LDAP-��

�� IntermediateResponse, �� . �� IntermediateResponse �� .

�� IntermediateResponse, �� , �� responseName. �� , �� IntermediateResponse, ��:

�� , �� IntermediateRespons, �� LDAP-��
�� , �� IntermediateResponse, �� LDAP-��, �� IntermediateResponse.

4.14. �� StartTLS

�� StartTLS (Start Transport Layer Security)�� TLS-��. �� StartTLS �� , �� 4.12.

4.14.1. �� StartTLS

�� TLS �� -�� StartTLS. �� StartTLS �� ExtendedRequest. requestName �� «1.3.6.1.4.1.1466.20037», � �� requestValue �� .

�� -�� LDAP PDU �� LDAP-�� , �� StartTLS �, � �� , �� TLS.

� �� (� �� , �� 3.1.1 [RFC4513]), �� resultCode �� operationsError.

�� TLS (�� -�� , �� ), �� resultCode �� protocolError, �� 4.12.

4.14.2. �� StartTLS

�� StartTLS, ��, �� , �� StartTLS. responseName, �� , �� «1.3.6.1.4.1.1466.20037» (�� 4.12). responseValue �� .

�� TLS, �� StartTLS � �� resultCode �� success. �� StartTLS, �� TLS, �� 3 [RFC4513].

�� , �� , �� . ��, �� TLS � �� , �� , �� unavailable (��). � ��, �� , LDAP-�� TLS-��.

4.14.3. �� TLS

�� , �� TLS � �� LDAP-�� , �� TLS.

�� TLS � �� TLS �� , �� LSAP PDU.

�� TLS, �� LDAP-�� . � �� TLS. �� LDAP PDU.

�� LDAP-�� TLS.

5. �� , ��

�� , �� .

�� , LDAP �� TCP, �� 5.2.

�� , �� X.500 � ��. �� .

�� LDAP �� TCP �� , �� 5.2.

�� , �� :

��. 2. �� LDAP

5.1. ��

�� LDAP �� BER (Basic Encoding Rules) [ASN.1] �� :

�� .
�� (OCTET STRING) �� .
�� , �� «FF».
�� «��-��», �� . � �� -��.

�� BER.

�� ASN.1-��, �� , �� .

5.2. �� (TCP)

�� LDAPMessage PDU �� TCP [RFC793], � �� BER-��, �� 5.1. ��, �� , �� TCP �� LDAP 389 [PortReg]. �� . �� TCP-��.

5.3. �� LDAP-��

�� LDAP-�� UnbindRequest (�� 4.3), �� Notice of Disconnection (�� ) (�� 4.4.1). � �� , �� LDAP-��, �� SASL �� TLS � �� .

�� , �� -�� , � � �� , �� , �� .

�� LDAP-�� , �� , �� 3.1.

6. ��

�� , � �� SASL-�� [RFC4422]. �� SASL �/�� TLS �� .

�� , �� .

�� , �� , �� .

�� , �� [RFC4513].

�� , �� SASL � TLS �� [RFC4513].

��, �� SASL �� , �� BindRequest, resultCode, diagnosticMessage �� referral BindResponse, � �� , �� , �� . �� , ��, �� , �� , �� -�� (��, �� ).

�� , �� . ��, �� -�� , �� . �� .

� �� , �� . ��, �� Abandon �� . � �� , �� , �� . ��, �� , �� .

��, �� , �� LDAP, �� , �� . � �� , �� .

�� (��) �� , �� . �� , �� . �� , �� . �� StartTLS.

�� matchedDN � diagnosticMessage, � �� resultCode (��. , attributeOrValueExists � entryAlreadyExists), �� , �� . �� , �� , �� .

�� . �� : �� BER, �� UTF-8, �� , �� , � �� , �� on/off.

� ��, �� , �� , �� LDAP-��, �� 5.3.

7. ��

[ASN.1]	ITU-T Recommendation X.680 (07/2002) \| ISO/IEC 8824-1:2002 «Information Technology — Abstract Syntax Notation One (ASN.1): Specification of basic notation».
[BER]	ITU-T Rec. X.690 (07/2002) \| ISO/IEC 8825-1:2002, «Information technology — ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) � Distinguished Encoding Rules (DER)», 2002.
[ISO10646]	Universal Multiple-Octet Coded Character Set (UCS) — Architecture � Basic Multilingual Plane, ISO/IEC 10646-1 : 1993.
[RFC791]	Postel, J., «Internet Protocol», STD 5, RFC 791, September 1981.
[RFC793]	Postel, J., «Transmission Control Protocol», STD 7, RFC 793, September 1981.
[RFC2119]	Bradner, S., «Key words for use in RFCs to Indicate Requirement Levels», BCP 14, RFC 2119, March 1997.
[RFC3454]	Hoffman P. � M. Blanchet, «Preparation of Internationalized Strings (‘stringprep’)», RFC 3454, December 2002.
[RFC3629]	Yergeau, F., «UTF-8, a transformation format of ISO 10646», STD 63, RFC 3629, November 2003.
[RFC3986]	Berners-Lee, T., Fielding, R., � L. Masinter, «Uniform Resource Identifier (URI): Generic Syntax», STD 66, RFC 3986, January 2005.
[RFC4013]	Zeilenga, K., «SASLprep: Stringprep Profile for User Names � Passwords», RFC 4013, February 2005.
[RFC4234]	Crocker, D. � P. Overell, «Augmented BNF for Syntax Specifications: ABNF», RFC 4234, October 2005.
[RFC4346]	Dierks, T. � E. Rescorla, «The TLS Protocol Version 1.1», RFC 4346, March 2006.
[RFC4422]	Melnikov, A., Ed. � K. Zeilenga, Ed., «Simple Authentication � Security Layer (SASL)», RFC 4422, June 2006.
[RFC4510]	Zeilenga, K., Ed., «Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map», RFC 4510, June 2006.
[RFC4512]	Zeilenga, K., Lightweight Directory Access Protocol (LDAP): Directory Information Models», RFC 4512, June 2006.
[RFC4513]	Harrison, R., Ed., «Lightweight Directory Access Protocol (LDAP): Authentication Methods � Security Mechanisms», RFC 4513, June 2006.
[RFC4514]	Zeilenga, K., Ed., «Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names», RFC 4514, June 2006.
[RFC4516]	Smith, M., Ed. � T. Howes, «Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator», RFC 4516, June 2006.
[RFC4517]	Legg, S., Ed., «Lightweight Directory Access Protocol (LDAP): Syntaxes � Matching Rules», RFC 4517, June 2006.
[RFC4520]	Zeilenga, K., «Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)», BCP 64, RFC 4520, June 2006.
[Unicode]	The Unicode Consortium, «The Unicode Standard, Version 3.2.0» is defined by «The Unicode Standard, Version 3.0» (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the «Unicode Standard Annex #27: Unicode 3.1» (http://www.unicode.org/reports/tr27/) � by the «Unicode Standard Annex #28: Unicode 3.2» (http://www.unicode.org/reports/tr28/).
[X.500]	ITU-T Rec. X.500, «The Directory: Overview of Concepts, Models � Service», 1993.
[X.511]	ITU-T Rec. X.511, «The Directory: Abstract Service Definition», 1993.

9. ��

[CharModel]	Whistler, K. � M. Davis, «Unicode Technical Report #17, Character Encoding Model», UTR17, , August 2000.
[Glossary]	The Unicode Consortium, «Unicode Glossary», .
[PROTOS-LDAP]	University of Oulu, «PROTOS Test-Suite: c06-ldapv3»

�� A. �� LDAP (RFC-4511)

�� , �� LDAP � �� , �� LDAP �� 4.1.9.

�� [RFC4520]. �� , �� , �� .

�� , �� , � �� (��, �� noSuchObject �� insufficientAccessRights �� invalidCredentials �� insufficientAccessRights).

A.1. ��

�� (�� ) �� :

�� success, compareTrue � compareFalse �� (�, ��, �� ).

�� (referral) � saslBindInProgress ��, �� , �� .

A.2. ��

�� LDAP �� :

�� . ��: �� Compare. �� compareFalse (5) � compareTrue (6).

�� , �� (�� ).

��, �� , �� StartTLS [RFC4346], � �� , �� TLS-�� .

�� , �� .

�� Bind ��, �� , �� .

�� , �� , �� (�� ) �� , �� requestName.

�� , �� , �� , �� , �� , �� .

�� , �� , �� .

�� , �� , �� , �� .

�� , �� Compare �� FALSE �� Undefined.

�� , �� Compare �� TRUE.

�� , �� .

�� Notice of Disconnection, �� , �� , �� .

�� , �� , �� , �� (�� 4.1.10).

�� , �� .

�� , �� (�� 4.1.11).

�� , �� .

�� , �� bind, � �� SASL, �� (�� 4.2).

�� , �� .

�� , �� , �� .

�� , �� , �� , �� .

��, �� , �� , �� .

�� , �� , �� , �� .

�� , �� .

�� , �� DIT.

�� , �� . ��, �� , �� .

�� , �� LDAPDN �� RelativeLDAPDN (��., �� , �� , ModifyDN newrdn, � �.�.) �� , �� .

�� , �� . �� , �� .

�� , �� .

�� , �� (��., �� ) �� .

�� , �� , �� .

�� , �� offline.

�� , �� .

�� , �� (��., � �� ).

�� , �� .

�� , �� (non-leaf).

�� , �� , �� RDN ��.

�� , �� , �� .

�� , �� .

��, �� , �� .

�� , �� , �� (DSAs).

�� , �� .

�� B. �� ASN.1 �� (RFC-4511)

�� .

��.

�� , �� -�� , �� , �� «�� » — �� , �� . �� — �� , �� ACL � �� .
�� OpenLDAP � �� . �� , �� , �� , �� , �� , �� -��. ��, �� , �� . � �� , � �� — �� , �� , � �� .
�� — �� OpenLDAP � �� , �� redmine �� LDAP � �� /�� SVN. �� .

��, �� — �� . �� — �� . �� (��). �� -��, �� . �� , �� . � �� , �� . ��-�� . �� , �� , �� . �� — �� . �� , �� RFC �� LDAP-��.
�� . �� -�� FreeBSD 9.1 � �� OpenLDAP. �� ? � ��, ��, �� LDAP ��, �� , �� .
�� slapd.conf, �� . �� , �� ACL, �� . �� (�� BerkeleyDB, �� ). �� , �� bdb, ��, �� directory (�� ).
�� -�� DNS, �� -�� :
«dc=example,dc=org»
� ��, �� , �� dc=vasia,dc=pupkin — �� DNS �� (�� ). �� dc — �� domain component.
�� «cn= ,dc=example,dc=org» (cn — common name, �� ).

�� ? �� plain text, �� . �� , �� , � �� ldif � �� ldapadd, �� , �� ldapadmin, �� ldapphpadmin. �� ldif’��, � �� . ��, �� ldapvi (�� EDITOR �� ) � shelldap (�� ).

�� , �� . � �� — �� . ��

�� 4 �� — �� (�� rootdn �� ), �� . DN — �� (�� ). �� , ��, �� objectClass, � ��, �� . �� top, �� , �� — �� . � �� . �� , �� , � �� , �� (��). �� organization �� . � �� . �� example �� , � �� dc �� dcObject. �� organizationalUnit — �� , �� . �� , �� , �� ou. �� , �� , �� . �� , � �� , �� SVN.
�� — �� :

�� , �� , ��, shadowAccount, �� person — ��, �� userPassword. �� uid, �� sAMAccountName.
�� , �� (�� ). � �� :

Redmine

�� . �� wiki ��, ��, �� . �� . �� .

� �� , �� . �� , �� , �� (� �� redmine_ldap_sync)
�� , �� /��, �� , �� , �� . �� , ��, �� inetOrgPerson.

�� SVN �� , �� : �� (�� ), �� svn �� LDAP. � ��, �� — �� svn �� , �� .
�� :

Илон Маск рекомендует: CSS отражение

XLVIII. LDAP functions

LDAP Functions

LXIV. LDAP Functions

LDAP query test

Unable to connect to LDAP server

���������������� ���������

���������������� ���������

LDAP. ��������� ����������������� LDAP �������

����� ��������� 389 Directory Server

��������� ������� ������� �� ldap00

��������� ���������� �� ldap00

��������� � ��������� ldap �������� �� ldap01

��������� admin server-� �� ldap01

��������� � ��������� ldap ��������� ��� �������� ���������������� ������

Предопределенные константы

LXXII. LDAP Functions

LDAP query test

Unable to connect to LDAP server

XLVIII. LDAP functions

4.5.19 �������� LDAP (Lightweight Directory Access Protocol)

������� �.�. (����-����)Yu. Semenov (ITEP-MIPT)

1. ��������

2. ����������

3. ������ ���������

3.1. ��������������� �������� � ������ ��������� LDAP

4. �������� ���������

4.1. ����� ��������

4.1.1. ������� ���������

4.1.1.1. MessageID

4.1.2. ���� �����

4.1.3. ���������� � ������������ ���������� �����

4.1.4. �������� ���������

4.1.5. �������� ��������

4.1.6. ���������� �������� ��������

4.1.7. ������� � PartialAttribute

4.1.8. ������������� ������� ������������

4.1.9. ��������� ����������

4.1.10. ������ (referrals)

4.1.11. ��������

4.2. �������� Bind

4.2.1. ��������� ������� Bind

4.2.2. ������ Bind

4.3. �������� Unbind

4.4. ������������� �����������

4.4.1. ����������� � ������������

4.5. �������� ������

4.5.1. ������ ������

4.5.1.1. ������� ������ SearchRequest

4.5.1.2. ���� SearchRequest

4.5.1.3. SearchRequest.derefAliases

4.5.1.4. ���������� ������ SearchRequest

4.5.1.5. SearchRequest.timeLimit

4.5.1.6. SearchRequest.typesOnly

4.5.1.7. ������ SearchRequest

4.5.3. ������ ����������� � ���������� ������

4.5.3.1. �������

4.6. ��������� ������

4.7. �������� Add

4.8. �������� Delete

4.9. �������� Modify DN

4.10. �������� ���������

4.11. �������� Abandon (����������)

4.12. ����������� ��������

4.13. ��������� IntermediateResponse

4.13.1. ������������� LDAP ExtendedRequest � ExtendedResponse

4.13.2. ������������� ��������� LDAP-��������

4.14. �������� StartTLS

4.14.1. ������ StartTLS

4.14.2. ������ StartTLS

4.14.3. �������� ������ TLS

5. �������� �����������, ���������� � ��������

5.1. �������� �����������

5.2. �������� ���������� ��������� ������ (TCP)

5.3. ���������� LDAP-������

6. ����������� ������������

7. ����������� ������

9. ������������� ������

���������� A. ���� ���������� LDAP (RFC-4511)

A.1. ����������� ���� �����������

A.2. ���� ����������

��

��

LDAP. �� LDAP ��

�� 389 Directory Server

�� ldap00

�� ldap00

�� ldap �� ldap01

�� admin server-� �� ldap01

�� ldap ��

4.5.19 �� LDAP (Lightweight Directory Access Protocol)

�� .�. (��-��)
Yu. Semenov (ITEP-MIPT)

1. ��

2. ��

3. ��

3.1. �� LDAP

4. ��

4.1. ��

4.1.1. ��

4.1.2. ��

4.1.3. ��

4.1.4. ��

4.1.5. ��

4.1.6. ��

4.1.7. �� PartialAttribute

4.1.8. ��

4.1.9. ��

4.1.10. �� (referrals)

4.1.11. ��

4.2. �� Bind

4.2.1. �� Bind

4.2.2. �� Bind

4.3. �� Unbind

4.4. ��

4.4.1. ��

4.5. ��

4.5.1. ��

4.5.1.1. �� SearchRequest

4.5.1.2. �� SearchRequest

4.5.1.4. �� SearchRequest

4.5.1.7. �� SearchRequest

4.5.3. ��

4.5.3.1. ��

4.6. ��

4.7. �� Add

4.8. �� Delete

4.9. �� Modify DN

4.10. ��

4.11. �� Abandon (��)

4.12. ��

4.13. �� IntermediateResponse

4.13.1. �� LDAP ExtendedRequest � ExtendedResponse

4.13.2. �� LDAP-��

4.14. �� StartTLS

4.14.1. �� StartTLS

4.14.2. �� StartTLS

4.14.3. �� TLS

5. �� , ��

5.1. ��

5.2. �� (TCP)

5.3. �� LDAP-��

6. ��

7. ��

9. ��

�� A. �� LDAP (RFC-4511)

A.1. ��

A.2. ��

�� B. �� ASN.1 �� (RFC-4511)

��.