LDAP is used for authentication and management of tree-structured data. Compared to RDB, LDAP is used less often and is used differently, so I will summarize how to operate LDAP with python. In addition, LDAP authentication samples are available in many places, but here's a simple example to make things easier.
The LDAP server can also be installed with ldap on Ubuntu or Centos, but since there was a docker image, I will use that.
The docker image is simply pulled.
docker pull osixia/openldap
When starting the image, set the ldap password, top domain, and mount each port. If you are using docker network, set the network and IP address without mounting the port.
docker run -p 389:389 -p 636:636 --env LDAP_DOMAIN="sample-ldap" --env LDAP_ADMIN_PASSWORD="LdapPass" --name LDAPSERVER --detach osixia/openldap
result
> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4f6e1b4eaf29 osixia/openldap "/container/tool/run" 2 hours ago Up 2 hours 0.0.0.0:389->389/tcp, 0.0.0.0:636->636/tcp LDAPSERVER
Since the client is used by python, install the LDAP client library `` `ldap3``` with pip.
pip install ldap3
Now that the LDAP server and client are ready, it's time to create the source of the operation.
You need to log in to operate LDAP, so log in first. Set the Server class with the necessary settings such as the IP address, port number, and timeout of the LDAP server. Generate a Connection class using that Server class. At this time, it will not connect to the LDAP server, but will connect for the first time with `bind ()`
. dc and password will be the values you specified during docker run, and cn will default to admin.
main.py
conn = Connection(server, 'cn=admin,dc=sample-ldap', password='LdapPass')
result = conn.bind()
print(result)
result
> python main.py'
True
Since the result of bind is True, you can see that the connection to the LDAP server was successful.
Now that we have a connection, we will add and get LDAP. LDAP is composed of a tree structure in the order of dc, ou, cn from the top, so first add and get from dc.
The sample code is a continuation of the source above. Specify the character string that connects the dc you want to add and the top dc in the first argument of the add function `` `of the created connection, and specify
domain''`` `in the second argument. I will. At this time, if you put a space after the comma of the character string of the first argument, an error will occur, so be careful.
main.py
#Add domain
dc_result = conn.add('dc=sample-component,dc=sample-ldap', 'domain')
print(dc_result)
result
True
The execution result is the same as the bind, and True is returned as the result of add, so you can see that it was possible to add.
The sample code is a continuation of the source above. Get the dc added above. Specify the LDAP path you want to check in the first argument of `conn.search ()`
. The second argument specifies domain
. As a result, you can get the sample-component information in `conn.entries`
.
main.py
#Obtaining a domain
conn.search('dc=sample-component,dc=sample-ldap', '(objectclass=domain)')
print(conn.entries)
result
True
[DN: dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T22:35:26.491599
]
This time, since the domain is searched by specifying domain as the second argument, one target entries can be obtained. I will post the source later, but you can get more than one by putting other values in the second argument.
Now that we have added LDAP dc, we will add and acquire ou.
The sample code is a continuation of the source above. Specify the character string that connects ou and dc that you want to add to the first argument of the add function `` `of the created connection, and specify
organizationalUnit''``` to the second argument.
main.py
#Add domain
ou_result = conn.add('ou=sample-unit,dc=sample-component,dc=sample-ldap', 'organizationalUnit')
print(ou_result)
result
True
The execution result is the same as the bind, and True is returned as the result of add, so you can see that it was possible to add.
The sample code is a continuation of the source above. Get the ou added above. Specify the path you want to search for in the first argument of `conn.search ()`
. The second argument specifies organizationalUnit
. As a result, you can get the sample-unit information in `conn.entries`
.
main.py
#Obtaining an organization
conn.search('ou=sample-unit,dc=sample-component,dc=sample-ldap', '(objectclass=organizationalUnit)')
print(conn.entries)
#dc acquisition of specified organization
conn.search('dc=sample-component,dc=sample-ldap', '(objectclass=organizationalUnit)')
print(conn.entries)
result
[DN: ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:27:36.594396]
[DN: ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:27:36.604398
, DN: ou=sample-unit2,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:27:36.604398
]
If you are searching for an organization as the first argument, you can get one entry of interest. If you are searching for a domain, you can get as many as the number of ou that the domain contains.
Now that we have added the LDAP ou, we will add and get the cn.
The sample code is a continuation of the source above. Specify the character string that connects cn, ou, and dc that you want to add to the first argument of the add function `` `of the created connection, and specify
'inetOrgPerson'`` `in the second argument. And specify additional information in the third argument.
main.py
#Add domain
cn_result = conn.add('cn=sample-name,ou=sample-unit,dc=sample-component,dc=sample-ldap', 'inetOrgPerson', {'sn':'sample'})
print(cn_result)
result
True
The execution result is the same as the bind, and True is returned as the result of add, so you can see that it was possible to add.
The sample code is a continuation of the source above. Get the cn added above. Specify the path you want to search for in the first argument of `conn.search ()`
. The second argument specifies inetOrgPerson
. As a result, you can get the sample-name information in `conn.entries`
.
main.py
#Obtaining a common name
conn.search('cn=sample-name,ou=sample-unit,dc=sample-component,dc=sample-ldap', '(objectclass=inetOrgPerson)')
print(conn.entries)
#Acquisition of ou designated common name
conn.search('ou=sample-unit,dc=sample-component,dc=sample-ldap', '(objectclass=inetOrgPerson)')
print(conn.entries)
#Get the common name specified by dc
conn.search('dc=sample-component,dc=sample-ldap', '(objectclass=inetOrgPerson)')
print(conn.entries)
result
[DN: cn=sample-name,ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:36:41.125246
]
[DN: cn=sample-name,ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:36:41.156378
, DN: cn=sample-name2,ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:36:41.157365
, DN: cn=sample-name3,ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:36:41.157365
, DN: cn=sample-name1,ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:36:41.157365
]
[DN: cn=sample-name,ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:51:20.773638
, DN: cn=sample-name2,ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:51:20.773638
, DN: cn=sample-name3,ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:51:20.774650
, DN: cn=sample-name1,ou=sample-unit,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:51:20.774650
, DN: cn=sample-name,ou=sample-unit1,dc=sample-component,dc=sample-ldap - STATUS: Read - READ TIME: 2020-03-25T23:51:20.774650
]
If you are searching for a common name by specifying inetOrgPerson as the second argument, you can get one target entry. If you are searching for an organization or domain, you can get as many as the number of cn that each contains.
Regarding LDAP, since it was only used as LDAP authentication, I did not add it from the LDAP domain or search from each directory by changing the search method like this time. I have a habit of using it, but it may be easier to use than RDB if it is tree-structured data because you can get the value in a simpler way than you think. Next, we will look at other operations.
Recommended Posts