Extending OpenLDAP Luke Howard PADL Software Pty Ltd Copyright © 2003 PADL Software Pty Ltd. All rights reserved. PADL is a registered trademark of PADL.

Slides:

Advertisements

Similar presentations

Advertisements

CS 450 Module R4. R4 Overview Due on March 11 th along with R3. R4 is a small yet critical part of the MPX system. In this module, you will add the functionality.

Programming Paradigms Introduction. 6/15/2005 Copyright 2005, by the authors of these slides, and Ateneo de Manila University. All rights reserved. L1:

Indications in green = Live content Indications in white = Edit in master Indications in blue = Locked elements Indications in black = Optional elements.

Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.

 2006 Pearson Education, Inc. All rights reserved Introduction to Classes and Objects.

NFS. The Sun Network File System (NFS) An implementation and a specification of a software system for accessing remote files across LANs. The implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.

Authenticating REST/Mobile clients using LDAP and OERealm

1 Enabling Secure Internet Access with ISA Server.

Understanding Active Directory

A Framework for Smart Proxies and Interceptors in RMI Nuno Santos P. Marques, L. Silva CISUC, University of Coimbra, Portugal

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.

A Scalable Application Architecture for composing News Portals on the Internet Serpil TOK, Zeki BAYRAM. Eastern MediterraneanUniversity Famagusta Famagusta.

REFACTORING Lecture 4. Definition Refactoring is a process of changing the internal structure of the program, not affecting its external behavior and.

LDAP Search Criteria Fall 2004 Rev. 2. LDAP Searches Can be performed on Single directory entry Contents of a single container Entire subtree Required.

A Java Based Prototype Grid User Interface Janice Drohan Project Supervisor: Prof. Peter Clarke.

GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

Directory Server Campus Booster ID: Copyright © SUPINFO. All rights reserved OpenLDAP.

Building a KDC. Kerberos Implementations RedHat 5 comes with MIT Kerberos 1.6 Ubuntu LTS comes with MIT Kerberos Admin through CLI, but from.

LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL Presented by Chaithra H.T.

SPARCS 10 이대근 (harry). Contents  Directory Service  What is LDAP?  Installation  Configuration  ldap-utils  User authentication with LDAP.

Understanding the CORBA Model. What is CORBA?  The Common Object Request Broker Architecture (CORBA) allows distributed applications to interoperate.

® Tivoli Directory Integrator IBM Software Group Tivoli Directory Integrator Bi-directional Active Directory – Domino Sync (part II – how to build it)

TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,

Implementing LDAP Client/Server System for Directory Service By Maochun Sun Project Advisor: Dr. Chung-E Wang Department of Computer Science California.

Module 7: Resolving NetBIOS Names by Using Windows Internet Name Service (WINS)

© 2004 OPNET Technologies, Inc. All rights reserved. OPNET and OPNET product names are trademarks of OPNET Technologies, Inc. ARMing Apache David Carter.

Source: Operating System Concepts by Silberschatz, Galvin and Gagne.

LDAP: Accessing Operational Information CNS 4650 Fall 2004 Rev. 2.

Apache DS 2.0 Emmanuel Lécharny Nextury What's new ?

FTP Server API Implementing the FTP Server Registering FTP Command Callbacks Data and Control Port Close Callbacks Other Server Calls.

EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.

Lightweight Replication for OpenLDAP Jong Hyuk Choi IBM Thomas J. Watson Research Center Enterprise Linux Group Mar 21, 2003.

Objective-C Drew Cheng CS420. Overview True superset of ANSI C Object-Oriented methods from SmallTalk There is no formal written standard for the language.

Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, Operating System Concepts Operating Systems Lecture 14 Threads 2 Read Ch.

ASP.NET Web Services.  A unit of managed code installed under IIS that can be remotely invoked using HTTP.

12/22/ Thread Model for Realizing Concurrency B. Ramamurthy.

ENEE150 – 0102 ANDREW GOFFIN Project 4 & Function Pointers.

29 October 2001Terena TF-LSD1 Certificate Retrieval With OpenLDAP David Chadwick.

AACLS Documentation LDAP and releasing information issue ACL and ACI AACLS Model Physical Architecture Logical Architecture Example : a French university.

4 October 2001 Tuning in to H.323 / LDAP security What this presentation is about - RADvision ECS registration control via LDAP - information and configs.

Paulo Repa Lightweight Directory Access Protocol Paulo Repa

13 Copyright © 2004, Oracle. All rights reserved. Adding Validation and Error Handling.

LDAP (Lightweight Directory Access Protocol)

GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania.

Module 4: Configuring Active Directory ® Domain Sevices Sites and Replication.

Configuring MQ Connections and Handlers for MQ adapter 6.5 July 2008.

1 Copyright © 2008, Oracle. All rights reserved. Repository Basics.

Varnish Cache and its usage in the real world Ivan Chepurnyi Owner EcomDev BV.

WCDP: A protocol for web cache consistency Renu Tewari IBM Almaden Research Thirumale Niranjan IBM Software Group

Federated Access to Storage EGI CF 2012 Luke Howard, Daniel Kouril, Michal Prochazka.

1 Directory Services  What is a Directory Service?  Directory Services model  Directory Services naming model  X.500 and LDAP  Implementations of.

LDAP Overview Kevin Moseley Server Team Manager Walgreen Co.

CollegeSource Security Application &

Introduction to LDAP Frank A. Kuse.

Implementation and configuration of LDAP

Lecture 4: RPC Remote Procedure Call Coulouris et al: Chapter 5

Introduction to Name and Directory Services

Lecture 4: RPC Remote Procedure Call CDK: Chapter 5

AbbottLink™ - IP Address Overview

Chapter 15: File System Internals

Windows API: Network Policy Server Extensions

ACTIVE DIRECTORY An Overview.. By Karan Oberoi.

Overview Multimedia: The Role of WINS in the Network Infrastructure

Overview Directory Survey

LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL

Presentation transcript:

Extending OpenLDAP Luke Howard PADL Software Pty Ltd Copyright © 2003 PADL Software Pty Ltd. All rights reserved. PADL is a registered trademark of PADL Software Pty Ltd in the United States and other countries.

Why extend OpenLDAP? Custom backends OpenLDAP is a general purpose directory –Application or usage-specific extensions are unlikely to be included in OpenLDAP itself –Code forks are expensive –slapd(8) is often the wrong place for extensions Plug-ins!

Writing a backend Native plug-in or statically linked Implement LDAP operations: –Search –Modify –Add –etc Perfectly valid to return LDAP_UNWILLING_TO_PERFORM

Example: NetInfo Bridge Bridge between NetInfo and LDAP NetInfo differs to X.500/LDAP: –information and naming model –authorisation model –schema Bridge must thus map these Mac OS X 10.2 shipped bridge using OpenLDAP 2.1 (Open Directory)

NetInfo Bridge: Architecture slapdnetinfod LDAPRPC back-netinfo dsengine DIB

OpenLDAP native plug-ins Specific to OpenLDAP Complete access to slapd(8) internals API subject to change Required for certain extensions: –Syntaxes –Matching rules Limited hooks into operation flow

Writing a native plug-in Modules must implement: int init_module(int argc, char *argv[]); Initialisation function can call internal slapd API, e.g: –register_syntax() Private headers required to build Plugins are configured in slapd.conf : moduleload libfoo-plugin.so

SLAPI: A History Directory server plug-in API Introduced with Netscape DS 3.x Implemented by IBM in SecureWay/IDS Sun enhanced DS 5.x SLAPI: –computed attributes –object extensions IBM ported IDS SLAPI to OpenLDAP PADL adding support for DS 5.x API

SLAPI Plug-in Types Operation –Pre-operation (modify, add, bind, etc) –Post-operation (modify, add, bind, etc) –Extended Object –Computed attribute –Controls –Search rewriter

Operation Plug-in Flow Front-end Pre-operation Plug-ins Backend Post-operation Plug-ins Pre-operation plug-ins may abort an operation If so, they are responsible for sending the LDAP result to the client Post-operation plug-ins are called after backend Result will have been sent to client

Search (Object) Plug-in Flow Search rewriters: rewrite the search filter (useful for searching on computed attributes) Computed attributes: plug-ins are called by send_search_entry() Front-end Pre-operation Plug-ins Search Rewriters Backend Post-operation Plug-ins Computed Attributes

SLAPI API Most plug-ins have the prototype: –int myPluginFunc(Slapi_PBlock *); A ‘pblock’ is a parameter dictionary: –Operation –Connection –Modifications –Entry being added Computed attributes: different API

Controls & Extended Operations slapi_register_supported_control() Use slapi_control_present() to check for control in operation plug-in Controls are stored in SLAPI_REQCONTROLS parameter Extended operation is another plug-in type Check for extended operation OID

Object Extensions Associate arbitrary state with an object: –Connection –Operation Useful for passing state from pre- operation to post-operation plug-ins Plug-in registers constructor, destructor slapi_register_object_extension() SLAPI returns object extension handle slapi_{get,set}_object_extension()

Plug-in configuration slapd.conf Plug-ins are invoked in the order specified in the configuration file Syntax: plugin Example: plugin preoperation libfoo-plugin.so \ foo_preop_init

Sample: pre-operation (1) int abort_on_kurt_preop_add(Slapi_PBlock *pb) { Slapi_Entry *e; char *uid; int rc = 0; slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e); uid = slapi_entry_attr_get_charptr(e, “uid”); if (uid != NULL) { if (strcasecmp(uid, “kurt”) == 0) { slapi_send_ldap_result( pb, LDAP_CONSTRAINT_VIOLATION, NULL, “Sorry, Kurt!”, 0, NULL); rc = -1; /* abort operation */ } slapi_ch_free_string(&uid); } return rc; }

Sample: pre-operation (2) int default_drink_preop_add(Slapi_PBlock *pb) { Slapi_Entry *e; slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e); /* set default value for favouriteDrink attribute */ slapi_entry_attr_set_charptr(e, “favouriteDrink”, “Schnaps”); return 0; } int default_drink_preop_init(Slapi_PBlock *pb) { return slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_ADD_FN, (void *)default_drink_preop_add); }

Sample: computed attribute int favourite_food_compute(computed_attr_context *c, char *type, Slapi_Entry *e, slapi_compute_output_fn outputfn) { int rc = -1; /* no attribute sent */ if (strcasecmp(type, “favouriteFood”) == 0) { Slapi_Value *value; Slapi_Attr *attr; attr = slapi_attr_init(slapi_attr_new(), “favouriteFood”); value = slapi_value_new_string(“Schnitzel”); slapi_attr_add_value(attr, value); rc = (*outputfn)(c, attr, e); slapi_value_free(&value); slapi_attr_free(&attr); } return rc; }

LinkEngine: Overview Complex SLAPI plug-in: –Pre-operation, post-operation –Computed attributes Distributed referential integrity service Assumes responsibility from backend for managing DN references Links are made by UUID; DNs may change Back-links

LinkEngine: Architecture Each linked attribute has an integer ID Even/odd ID = forward link/back-link –e.g. member (2) / memberOf (3) Links are stored in private DIT Proxy objects cache remote DSA references Link Referring Entry Referred Entry UUID pointer

LinkEngine: Example Group entry (forward link) dn: cn=OpenLDAP,cn=Users,dc=padl,dc=com objectClass: Group member: cn=Luke Howard,cn=Users,dc=padl,dc=com User entry (back-link) dn: cn=Luke Howard,cn=Users,dc=padl,dc=com objectClass: User memberOf: cn=OpenLDAP,cn=Users,dc=padl,dc=com member/memberOf are computed at search time

LinkEngine: Implementation Pre-operation plug-in: –“Captures” updates on linked attributes –Back-end will not see them –Does pre-commit check Post-operation plug-in: –Commits linked attributes to DIB Computed attribute plug-in: –Activates linked attributes from links (resolves UUID to DNs)

OpenLDAP SLAPI Extensions Denoted by SLAPI_X_XXX slapi_x_filter_append() slapi_x_compute_get_pblock() SLAPI_X_CONN_CLIENTPATH SLAPI_X_CONN_SERVERPATH SLAPI_X_CONN_IS_UDP SLAPI_X_CONN_SSF

Conclusion OpenLDAP is extensible Backend API Native plug-ins and SLAPI are complementary at this time Expect native plug-in API to evolve over time Use SLAPI for operation notifications, computed attributes, or portability

Further information PADL Software OpenLDAP Apple Open Directory SLAPI