Architecture

Main modules

  • lloadd - stand-alone LDAP Load Balancer Daemon (server or slapd module)
  • slapd - stand-alone LDAP daemon (server)
  • libraries implementing the LDAP protocol, and
  • utilities, tools, and sample clients.

Related projects

  • Fortress - Role-based identity access management Java SDK
  • JLDAP - LDAP Class Libraries for Java
  • JDBC-LDAP - Java JDBC - LDAP Bridge Driver
  • LMDB - Lightning Memory-Mapped Database

The directory is a tree-shaped hierarchy, for example mirroring how an organization is divided.

The levels of the hierarchy follow the DNS domain name.

Commands

Commands in the OpenLDAP bin directory:

| Command | Purpose | Example Usage |
|---|---|---|
| ldapadd | Add entries to the LDAP directory. | ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f entry.ldif |
| ldapmodify | Modify existing LDAP entries. | ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f changes.ldif |
| ldapdelete | Delete entries. | ldapdelete -x -D "cn=admin,dc=example,dc=com" -W "uid=user1,ou=users,dc=example,dc=com" |
| ldapsearch | Search entries in the directory. | ldapsearch -x -b "dc=example,dc=com" "(uid=user1)" |
| ldappasswd | Reset user passwords. | ldappasswd -x -D "cn=admin,dc=example,dc=com" -W -s newpass "uid=user1,ou=users,dc=example,dc=com" |
| ldapwhoami | Check the DN of the authenticated user. | ldapwhoami -x -D "uid=user1,ou=users,dc=example,dc=com" -W |
| ldapcompare | Compare attribute values (e.g., for validation); the DN and the attr:value pair are separate arguments. | ldapcompare -x -D "cn=admin,dc=example,dc=com" -W "uid=user1,ou=users,dc=example,dc=com" "userPassword:secret" |

Query commands

```shell
ldapsearch -x -H ldap://localhost:389 -b "krbPrincipalName=admin/[email protected],cn=DATAC.COM,cn=kerberos,dc=datac,dc=com" \
 -D "cn=admin,dc=datac,dc=com" -w 123456
```

Result:

```ldif
# extended LDIF
#
# LDAPv3
# base <krbPrincipalName=admin/[email protected],cn=DATAC.COM,cn=kerberos,dc=datac,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# admin/[email protected], DATAC.COM, kerberos, datac.com
dn: krbPrincipalName=admin/[email protected],cn=DATAC.COM,cn=kerberos,dc=datac,d
 c=com
krbLoginFailedCount: 0
krbPrincipalName: admin/[email protected]
krbPrincipalKey:: MIIB6KADAgEBoQMCAQGiAwIBAaMDAgEBpIIB0DCCAcwwVKAHMAWgAwIBAKFJ
 MEegAwIBEqFABD4gAL4XqF00IxByBoSVqvJac4z38ga8jmfcqqvZ5nZmF2ipkWyr/05/z16KjyRpk
 u4CeIns5hHo61wwqeVjnDBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAMxRGy4zS53OhrqqN4cQLCw
 Tu1uwmLA+x2XOOEpTaOEV/0F3QnOurhIyc4aMwRKAHMAWgAwIBAKE5MDegAwIBF6EwBC4QABaQtam
 i/Vcm52+i+G7NY7UNOFzjLZajeOW3cw3AE18VLSc08BwPh7eIyBUlMFSgBzAFoAMCAQChSTBHoAMC
 ARqhQAQ+IACwpEUfvd67yvNoVCnXB/EgAnlDixpjC3J0ri8yGeklS9G7Bd0PlHsI395f/6w28vzqP
 VKY+2EmfQEeUlowRKAHMAWgAwIBAKE5MDegAwIBGaEwBC4QAFxMx2wG3ustOySLoQuDutcOAxzumr
 qxLBxXUWtLKk35h1KUEX84rklQorOrMEygBzAFoAMCAQChQTA/oAMCARChOAQ2GABKdiLleTCy557
 A5paLXz+IbTtpSxQMbdV7WjEWyZwSTrxVFctN9ll1WwEaGcrQFXuZRVW9
krbLastPwdChange: 20250327072850Z
krbExtraData:: AAIy/uRncm9vdC9hZG1pbkBEQVRBQy5DT00A
krbExtraData:: AAgBAA==
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
```

Other commands:

```shell
ldapsearch -x -H ldap://localhost:389 -b "cn=yarn,ou=users,dc=datac,dc=com" -D "cn=admin,dc=datac,dc=com" -w 123456

ldapsearch -x -H ldap://localhost:389 -b "ou=users,dc=datac,dc=com" -D "cn=admin,dc=datac,dc=com" -w 123456 "(cn=hdfs)"
```

Query everything under the base DN

```shell
ldapsearch -x -H ldap://localhost:389 -b "dc=datac,dc=com" -D "cn=admin,dc=datac,dc=com" -w 123456
```

The Kerberos key material stored here (krbPrincipalKey) is actually:

  • ASN.1 (DER) encoded, with the key itself encrypted under the KDC master key and bundled with some additional information (key version, enctype, salt)
  • then base64-encoded (the double colon in "krbPrincipalKey::" marks a base64 value in LDIF)

The decoding process is similar to the following (pseudocode):

```java
import java.io.File;
import java.util.Base64;

// Fetch the Base64 string of krbPrincipalKey from LDAP (value elided)
String krbPrincipalKey = "MIIBGK...";
byte[] decodedKey = Base64.getDecoder().decode(krbPrincipalKey);

// Parse the ASN.1 structure and decrypt it (requires the KDC master key).
// KrbPrincipalKey and asn1Decode stand for application-specific code, not a library API.
KrbPrincipalKey principalKey = asn1Decode(decodedKey);

// Write the decrypted key into a keytab (Keytab is likewise a placeholder type)
Keytab keytab = Keytab.getInstance();
keytab.addEntry(principalKey.toKeytabEntry());
keytab.write(new File("krbtgt.keytab"));
```
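As an added example (not from the original notes), the following Python parses the krbPrincipalKey value shown in the ldapsearch output above, assuming the KrbKeySet DER structure used by MIT krb5's LDAP KDB plugin (KRB_PRINCIPAL_KEY_B64 is that blob with its continuation lines joined). It reads only metadata: kvno, master key version, enctype and key size per key; the key bytes stay encrypted under the KDC master key, so the decryption step of the pseudocode is not performed, and the salt and s2kparams fields are skipped.

```python
import base64
# krbPrincipalKey from the ldapsearch output above (LDIF continuation lines
# joined). MIT krb5's LDAP KDB plugin stores it as a DER-encoded KrbKeySet.
KRB_PRINCIPAL_KEY_B64 = (
    "MIIB6KADAgEBoQMCAQGiAwIBAaMDAgEBpIIB0DCCAcwwVKAHMAWgAwIBAKFJ"
    "MEegAwIBEqFABD4gAL4XqF00IxByBoSVqvJac4z38ga8jmfcqqvZ5nZmF2ipkWyr/05/z16KjyRpk"
    "u4CeIns5hHo61wwqeVjnDBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAMxRGy4zS53OhrqqN4cQLCw"
    "Tu1uwmLA+x2XOOEpTaOEV/0F3QnOurhIyc4aMwRKAHMAWgAwIBAKE5MDegAwIBF6EwBC4QABaQtam"
    "i/Vcm52+i+G7NY7UNOFzjLZajeOW3cw3AE18VLSc08BwPh7eIyBUlMFSgBzAFoAMCAQChSTBHoAMC"
    "ARqhQAQ+IACwpEUfvd67yvNoVCnXB/EgAnlDixpjC3J0ri8yGeklS9G7Bd0PlHsI395f/6w28vzqP"
    "VKY+2EmfQEeUlowRKAHMAWgAwIBAKE5MDegAwIBGaEwBC4QAFxMx2wG3ustOySLoQuDutcOAxzumr"
    "qxLBxXUWtLKk35h1KUEX84rklQorOrMEygBzAFoAMCAQChQTA/oAMCARChOAQ2GABKdiLleTCy557"
    "A5paLXz+IbTtpSxQMbdV7WjEWyZwSTrxVFctN9ll1WwEaGcrQFXuZRVW9"
)

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into [(tag, value), ...]."""
    pos, out = 0, []
    while pos < len(value):
        tag, body, pos = der_tlv(value, pos)
        out.append((tag, body))
    return out
def first(value):  # value of the sole child element: unwraps an explicit [n] tag
    return der_children(value)[0][1]
def der_int(value):
    return int.from_bytes(value, "big", signed=True)

def parse_krb_key_set(b64):
    """Return kvno, mkvno and per-key metadata. Each keyvalue is a 2-byte LE
    plaintext key length plus the key encrypted under the KDC master key."""
    _, key_set, _ = der_tlv(base64.b64decode(b64), 0)
    fields = dict(der_children(key_set))  # [0]..[4] -> context tags 0xA0..0xA4
    keys = []
    for _, krb_key in der_children(first(fields[0xA4])):  # [4] SEQUENCE OF KrbKey
        enc_key = dict(der_children(first(dict(der_children(krb_key))[0xA1])))
        keyvalue = first(enc_key[0xA1])
        keys.append({"enctype": der_int(first(enc_key[0xA0])),
                     "key_len": int.from_bytes(keyvalue[:2], "little"),
                     "cipher_len": len(keyvalue) - 2})
    return {"kvno": der_int(first(fields[0xA2])),
            "mkvno": der_int(first(fields[0xA3])), "keys": keys}
```

For this principal the parser reports six keys (enctypes 18, 17, 23, 26, 25, 16, i.e. AES, RC4-HMAC, Camellia and 3DES) whose plaintext sizes match those enctypes, while the stored ciphertext is 28 bytes longer than each key (AES-256 confounder plus HMAC under the master key); it is a way to audit which enctypes a directory-backed KDC keeps without ever handling the master key.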

Configuration

Contents of /opt/openldap/etc/openldap/slapd.ldif:

```ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /opt/openldap/var/run/slapd.args
olcPidFile: /opt/openldap/var/run/slapd.pid
olcIdleTimeout: 0
olcAuthzRegexp: uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=users,dc=datac,dc=com
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcLogFile: /opt/openldap/logs/slapd.log
olcLogLevel: -1

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /opt/openldap/libexec/openldap
olcModuleload: back_mdb.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///opt/openldap/etc/openldap/schema/core.ldif
include: file:///opt/openldap/etc/openldap/schema/cosine.ldif
include: file:///opt/openldap/etc/openldap/schema/nis.ldif
include: file:///opt/openldap/etc/openldap/schema/inetorgperson.ldif
include: file:///opt/openldap/etc/openldap/schema/kerberos.ldif
include: file:///opt/openldap/etc/openldap/schema/msuser.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcSizeLimit: 500

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcDbCheckpoint: 512 30
olcLastMod: TRUE
olcSuffix: dc=datac,dc=com
olcRootDN: cn=admin,dc=datac,dc=com
olcRootPW: 123456
olcDbDirectory: /data
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootDN: cn=config
olcMonitoring: FALSE
```

Key Components of an LDIF File:

  • dn: Distinguished Name, the unique identifier of an entry.
  • objectClass: Defines the entry's structure and allowed attributes.
  • changetype: Specifies the operation (e.g., add, modify, delete).

Core Abbreviations

| Abbreviation | Full Name | Definition & Example |
|---|---|---|
| CN | Common Name | Represents the name of an object (e.g., user/group). Example: cn=John Doe |
| DN | Distinguished Name | Unique identifier for an entry, specifying its hierarchical path. Example: dn: uid=jdoe,ou=People,dc=example,dc=com |
| OU | Organizational Unit | Container for grouping related entries (e.g., departments). Example: ou=Engineering,dc=example,dc=com |
| DC | Domain Component | Represents a domain segment in the directory hierarchy. Example: dc=example,dc=com (domain "example.com") |
| UID | User Identifier | Unique username. Example: uid=jdoe |
| SN | Surname | Last name. Example: sn=Doe |
| C | Country | ISO 2-letter country code. Example: c=US |
| O | Organization | Organization name. Example: o=Example Corp |
| RDN | Relative Distinguished Name | Immediate (leftmost) part of a DN. Example: uid=jdoe in uid=jdoe,ou=People,dc=example,dc=com |

Web console

Interface screenshot: ldap/1.jpg

Documentation