LDAP (add-on)

See the introductory section LDAP connection.

LDAP stands for Lightweight Directory Access Protocol and is a TCP/IP-based directory access protocol that has become established on the Internet and in intranets as a standard solution for accessing network directory services for databases, email, storage areas and other resources.

An LDAP directory has a tree-like structure. Every object (entry) in the directory has a defined position within this hierarchy, which is called the Directory Information Tree. The complete path to an entry, which identifies it uniquely, is called the Distinguished Name or DN. The individual nodes on the way to this entry are called Relative Distinguished Names or RDNs. Objects (entries) generally belong to one of two types.


  • Container. These objects can contain other objects. Those object classes are Root (root element of the directory tree that does not really exist), c (country), ou (organizational unit), and dc (domain component). This model is similar to directories (folders) in the file system.

  • Leaf. These objects are at the end of a branch and have no subordinate objects. Examples are person, inetOrgPerson or groupOfNames.


At the top of the directory hierarchy, there is a root element Root. Children in the next level can either be c (country), dc (domain component), or o (organization).


[Figure: LDAP directory tree]

LDAP object name


Each object has many name attributes: first and last name, display name, login name, etc. However, the LDAP object name, often referred to as the LDAP path, is always unique (the 'distinguished name'). This name identifies the object within the hierarchy of the directory, from the lowest level (the object itself) through all containers up to the origin of the directory (which is the domain in Active Directory). The object Tux Linux, whose account is stored in the organizational unit (ou) devel and the domain suse.de, has the following DN.


cn=Tux Linux, ou=devel, dc=suse, dc=de

LDAP attributes


Each object can have multiple attributes or attribute groups. A user object, for example, may have the attributes mailNickname or title. In addition, there are structure attributes such as objectClass. These special attributes must carry the prefix struct_ in Lobster Integration (so struct_<attribute>).

Note: Active Directory requires the "unicodePwd" attribute to create new users. This contains the encrypted password of the user.

To create the attribute map in a profile, use the function fill-map-from-fields().

LDAP search syntax

Character   Meaning                    Example
=           Equal to                   (givenName=John)
&           Logical AND                (&(givenName=John)(l=Dallas))
|           Logical OR                 (|(givenName=John)(l=Dallas))
!           Logical NOT                (!(givenName=John))
*           Wildcard                   (title=*) or (givenName=Jo*) or (givenName=Jo*n)
<=          Less than or equal to      (mdbStorageQuota<=10000)
>=          Greater than or equal to   (mdbStorageQuota>=10000)
~=          Approximate match          (displayName~=Mueller)


Special characters


An LDAP filter (the search string) can be defined with Unicode characters. You can, for example, use German umlauts without any problems if the filtered attribute is a Unicode string. However, the characters ( ) & | = ! > < ~ * / \ play a special role in the definition of LDAP filters. If you want to search or compare these characters within an attribute string, you must specify them with a preceding backslash and their hexadecimal ASCII code.

Character   Hexadecimal ASCII code
(           \28
)           \29
&           \26
|           \7c
=           \3d
>           \3e
<           \3c
~           \7e
*           \2a
/           \2f
\           \5c
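A small filter builder, added here as an example and not part of Lobster Integration, that applies the escape table above to values before they are placed in a search filter, so that a value taken from user input cannot change the structure of the filter. The attribute-name check and the hostile sample value are assumptions made for the illustration.

```python
# Added example (not Lobster Integration code): building LDAP search filters
# with values escaped according to the hexadecimal-code table on this page.
import re

# Special characters and their escapes as listed above. "!" is named in the
# prose but not in the table; its ASCII code is 0x21.
_ESCAPES = {
    "(": r"\28", ")": r"\29", "&": r"\26", "|": r"\7c", "=": r"\3d",
    ">": r"\3e", "<": r"\3c", "~": r"\7e", "*": r"\2a", "/": r"\2f",
    "\\": r"\5c", "!": r"\21",
}
# Assumed rule: attribute names consist of letters, digits and hyphens only.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_value(value: str) -> str:
    """Escape every special character in a single pass: each input character
    is visited once, so a backslash produced by an escape is never re-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _attr(name: str) -> str:
    # Attribute names come from the profile, never from users; reject anything else.
    if not _ATTR_RE.match(name):
        raise ValueError(f"invalid LDAP attribute name: {name!r}")
    return name


def eq(attr: str, value: str) -> str:
    return f"({_attr(attr)}={escape_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    # The wildcard is appended by the code; the prefix itself is escaped.
    return f"({_attr(attr)}={escape_value(prefix)}*)"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    return f"(!{filt})"


if __name__ == "__main__":
    hostile = "*)(objectClass=*"  # constructed value trying to widen the search
    print(and_(eq("givenName", "John"), eq("l", "Dallas")))  # (&(givenName=John)(l=Dallas))
    print(eq("uid", hostile))  # (uid=\2a\29\28objectClass\3d\2a)
```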

See also