LDAP: Bind and Modify

whooploaf, Software and s/w Development

Dec 13, 2013

CNS 4650

Fall 2004

Rev. 2

Source Code

PERL

bind.pl: Shows how to bind to the LDAP directory

modattrs.pl: Shows how to modify an object's attributes

C/C++

bind.c: Shows how to bind to the LDAP directory

modattrs.c: Shows how to modify an object's attributes

Libraries and Includes

The same apply for search

PERL

use Net::LDAP;

C/C++

#include <ldap.h>

Compiler flag for gcc: '-lldap'

Initialize LDAP Connection

PERL

Net::LDAP->new($server, port => $port);

(Net::LDAP takes the host as its first argument and the remaining options as key/value pairs, so the port must be passed as port => $port.)

C/C++

ldap_init( MY_HOST, MY_PORT )

C/C++ LDAP Options

Call ldap_set_option() prior to ldap_init()

Found in ldap.h

ldap_set_option( LDAP *ld, int option, LDAP_CONST void *invalue );

Options listed in ldap.h (lines 81-157)

#define LDAP_OPT_API_INFO 0x0000
#define LDAP_OPT_DESC 0x0001 /* deprecated */
#define LDAP_OPT_DEREF 0x0002
#define LDAP_OPT_SIZELIMIT 0x0003
#define LDAP_OPT_TIMELIMIT 0x0004
#define LDAP_OPT_REFERRALS 0x0008
#define LDAP_OPT_RESTART 0x0009
/* 0x0a - 0x10 not defined by current draft */
#define LDAP_OPT_PROTOCOL_VERSION 0x0011
#define LDAP_OPT_SERVER_CONTROLS 0x0012
#define LDAP_OPT_CLIENT_CONTROLS 0x0013
/* 0x14 not defined by current draft */
#define LDAP_OPT_API_FEATURE_INFO 0x0015

C/C++ LDAP Options

Most often used:

LDAP_OPT_PROTOCOL_VERSION: used to force LDAPv3

LDAP_OPT_SIZELIMIT: used to limit the number of entries returned

Pass NULL for the LDAP handle (first value); a NULL handle sets the library-wide default, which is why it can be called before ldap_init()

Second value is a constant from ldap.h

Example: LDAP_OPT_PROTOCOL_VERSION

Third value is a pointer to the value the option is set to

Example: for LDAP_OPT_PROTOCOL_VERSION you would pass the address of an int holding 3 (LDAP_VERSION3)

LDAP Bind

PERL

$conn->bind($dn, password => $pass);

$conn is the LDAP handle

C/C++

ldap_simple_bind_s( ld, ENTRYDN, ENTRYPW )

"ld" is the LDAP handle

Pass in the LDAP handle, the DN to be used for the bind, and the password of that DN's account.

The password for simple binds is compared against the "userPassword" attribute

For SASL binds, credentials are passed in, not a "password"

Kerberos authentication assumes the user already has a TGT

LDAP Unbind

PERL

$conn->unbind;

$conn is the LDAP handle

C/C++

ldap_unbind( ld );

"ld" is the LDAP handle

Modify an Entry

PERL

$conn->modify($dn, replace => { "sn" => "doe" });

$conn is the LDAP handle

Call modify()

First value is the DN of the object you wish to modify

Second value is the name of the attribute and the new value
Modify an Entry

Create an LDAPMod structure for each attribute (or you can reuse one)

Create an array of LDAPMod pointers, one greater than you need (the array is zero based)

The final value will be NULL

LDAPMod mod0, *mods[ 2 ];


LDAPMod

typedef struct ldapmod {
    int mod_op;
#define LDAP_MOD_ADD     (0x0000)
#define LDAP_MOD_DELETE  (0x0001)
#define LDAP_MOD_REPLACE (0x0002)
#define LDAP_MOD_BVALUES (0x0080)
    char *mod_type;
    union mod_vals_u {
        char **modv_strvals;
        struct berval **modv_bvals;
    } mod_vals;
#define mod_values  mod_vals.modv_strvals
#define mod_bvalues mod_vals.modv_bvals
} LDAPMod;

Modify an Entry

Populate the LDAPMod mod_op

Populate the mod_type with the name of the attribute you wish to modify

Example is "sn"

mod0.mod_op = LDAP_MOD_REPLACE;

mod0.mod_type = "sn";

Modify an Entry

Populate the value for the attribute (vals is a NULL-terminated array of char * holding the new value or values)

mod0.mod_values = vals;


Modify an Entry

Place the LDAPMod struct in the LDAPMod array

Place a NULL in the last array slot of LDAPMod

mods[ 0 ] = &mod0;

mods[ 1 ] = NULL;

Modify an Entry

First value "ld" is the LDAP handle

Second value is the DN of the entry

Third value is the LDAPMod array

ldap_modify_s( ld, ENTRYDN, mods );