1. Definitions of LDAP and AD

LDAP is the abbreviation of Lightweight Directory Access Protocol; the LDAP standard is in fact a simplified version derived from the X.500 standard.

AD is the abbreviation of Active Directory. AD should be regarded as an application instance of LDAP, not as LDAP itself. For example, the user and permission management of a Windows domain controller is Microsoft using LDAP to store some data in order to solve the specific problem of domain control.

LDAP (Lightweight Directory Access Protocol): a lightweight version of the Directory Access Protocol (DAP).
AD (Active Directory) is an implementation of LDAP: it implements not only the LDAP protocol but also a concrete application on top of it (the Windows domain controller).

The LDAP standard is in fact a simplified version derived from the X.500 standard.


It is just that AD also happens to provide user interfaces, and you can use Active Directory as an LDAP server to store your own data as well. By analogy, if LDAP were a relational database, Microsoft created several tables in that database and defined the fields of each table. These tables and fields are customized to Microsoft's own needs and are not prescribed by the LDAP protocol. Microsoft then wrapped LDAP in a set of interfaces that users can call from their own programs to operate on LDAP, so Active Directory also became an LDAP server.

In short: Active Directory = LDAP server + LDAP application (Windows domain control). Active Directory first implements an LDAP server, and then uses that LDAP server to implement its own specific application (domain control).

2. Authentication source applications
Managing the various personnel accounts and devices such as computers and printers within a company is the most common use of AD. People and devices can be added to Active Directory so that resources are managed centrally. A company can be divided into multiple domains, each storing different information about the company's resources.

* Stores usernames and passwords
* Provides identity authentication to other systems over the LDAP protocol: LDAP BIND
* Unified integration with the various application systems

Data source applications
Create groups, add people to the groups, and assign permissions to the groups; group-based permission management can then be applied to printers, file shares and computers. Active Directory's natural tree structure is particularly well suited to managing resources inside an enterprise.

Characteristics
* Stores information about the company's internal resources in a data structure
* Mostly used for query operations; reads outnumber writes, with a read/write ratio of 10:1
* Compared with an ordinary database, there is no transaction or rollback mechanism
* C/S architecture: the server stores the data, and clients call interfaces to create, read, update and delete (mainly read)

3. Differences from SSO
SSO (single sign-on): log in once and you do not need to log in again. It is essentially a B/S architecture and needs a browser to be implemented.
LDAP/AD cannot achieve single sign-on by themselves; if you want to access someone else's computer, you still need to enter a username and password.

GOAL
This note provides an example of using DBMS_LDAP to authenticate to an OID and a Microsoft (MS) Active Directory (AD) server.

Notes:

1. There is very little error handling in either of the code examples. These are very simple code samples that are used to illustrate the necessary calls to authenticate a user.

2. The ldap server name, port, dn and authentication realm values have also been hard coded into the program. For example, the dn is built with cn= as the RDN. If you wish to test this against a SunOne iPlanet server then this needs to be changed to uid=. The realm has been coded to 'cn=users,dc=<COMPANY>,dc=com'. These values will need to be changed before compiling/running the provided code on another system.

3. DBMS_LDAP against a 3rd-party directory will not be supported unless/until the problem can be reproduced in an OID environment (see Note 215532.1).

SOLUTION
THE BELOW CODE SAMPLE IS PROVIDED BY ORACLE AS AN EXAMPLE ONLY. NO SUPPORT FOR THIS CODE WILL BE SUPPLIED BY ORACLE SUPPORT. THE CODE HAS BEEN TESTED AND FOUND TO WORK BUT CANNOT BE GUARANTEED TO WORK ON ALL SYSTEMS.

Using the dbms_ldap PL/SQL functions

The sample code below uses the Oracle dbms_ldap PL/SQL package to bind to the directory server. A return code of '0' indicates success and a return code of '1' indicates failure (the sample returns '2' for any error other than bad credentials or an unknown user/base, and prints the LDAP error text via dbms_output).

Example of OID Authentication:

CREATE OR REPLACE FUNCTION ldap_login (
    p_user   IN VARCHAR2,
    p_pass   IN VARCHAR2,
    p_server IN VARCHAR2    DEFAULT '<OID_HOSTNAME>.<COMPANY>.com',
    p_port   IN PLS_INTEGER DEFAULT <OID_LDAP_NONSSL_PORT>
)
RETURN NUMBER
IS
    v_sess  DBMS_LDAP.SESSION;
    -- Bind DN built by concatenation: cn= is the RDN for OID/AD, uid= for SunOne/iPlanet
    v_dn    VARCHAR2 (80) := 'cn=' || p_user || ',' || 'cn=users,dc=<COMPANY>,dc=com';
    retval  PLS_INTEGER;
    ignore  PLS_INTEGER;
    v_errm  VARCHAR2 (1000);
BEGIN
    IF p_pass IS NULL THEN -- Capture and reject empty credentials: an empty password
        RETURN 1;          -- would be an unauthenticated bind, which a server may accept
    END IF;
    DBMS_LDAP.use_exception := TRUE;  -- raise ORA-312xx errors instead of returning codes
    v_sess := DBMS_LDAP.init (p_server, p_port);
    retval := DBMS_LDAP.simple_bind_s (v_sess, v_dn, p_pass);
    ignore := DBMS_LDAP.unbind_s (v_sess);
    RETURN retval; -- 0 = Success.
EXCEPTION
    WHEN OTHERS THEN
        v_errm := SQLERRM;
        BEGIN -- unbind can itself fail (e.g. init never succeeded); keep our return code
            ignore := DBMS_LDAP.unbind_s (v_sess);
        EXCEPTION
            WHEN OTHERS THEN NULL;
        END;
        dbms_output.put_line (v_errm);
        IF v_errm LIKE '%Invalid credentials%'  -- bad pass
        OR v_errm LIKE '%No such object%'       -- bad user or invalid base
        THEN
            RETURN 1; -- try again
        ELSE
            RETURN 2; -- see SQLERRM for more details
        END IF;
END;
/
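As an added illustration that is not part of Oracle's note, the three decisions the function above makes, modelled in Python so they can be exercised without a directory server: the bind DN concatenation with the cn= (OID/AD) or uid= (SunOne) RDN from Note 2, RFC 4514 escaping of the user-supplied RDN value (the PL/SQL concatenates p_user unescaped), the empty-password guard, and the mapping of the ORA-31202 message text to the 0/1/2 return codes. The function names and sample values are hypothetical, and no LDAP bind is performed.

```python
# Added example, not Oracle's code: models ldap_login's bind DN construction,
# empty-password guard and error-text mapping offline; names are hypothetical.

# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_DN_SPECIALS = set('\\,+"<>;=')


def escape_dn_value(value):
    """Escape a user-supplied string so it stays a single RDN value.

    ldap_login builds 'cn=' || p_user || ',cn=users,...' by concatenation, so a
    user value containing ',' or '=' would alter the DN structure.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')                     # NUL must be hex-escaped
        elif ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')                      # leading/trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')                      # leading '#' would start a hex string
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_dn(user, rdn_attr='cn', realm='cn=users,dc=<COMPANY>,dc=com'):
    """Mirror v_dn from the function: cn= for OID/AD, uid= for SunOne/iPlanet."""
    return '%s=%s,%s' % (rdn_attr, escape_dn_value(user), realm)


def classify_bind_result(password, errm=None):
    """Return codes as in ldap_login: 0 success, 1 retry, 2 other error.

    errm is the SQLERRM text of a failed simple_bind_s, or None on success.
    An empty password is rejected before any bind: a simple bind with an empty
    password is an unauthenticated bind that many servers accept, so it must
    never be reported as a successful login.
    """
    if not password:
        return 1
    if errm is None:
        return 0
    if 'Invalid credentials' in errm or 'No such object' in errm:
        return 1
    return 2
```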

How To Test:

1. A dbms_ldap function should be saved into a file named <FUNCTION_NAME>.sql.  Using the example above, you would name the file:  ldap_login.sql

2. Connect to sqlplus as system/<PASSWORD> and run the file as follows:

[11gRDBMS] sqlplus ods/<PASSWORD>

SQL*Plus: Release 11.2.0.1.0 Production on Thu Aug 18 14:33:54 2011

Copyright (c) 1982, 2009, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> @ldap_login.sql

Function created.

SQL>

3. Test the function by using it in a SELECT statement as follows:

SQL> select ldap_login('orcladmin','<PASSWORD>') from dual;

LDAP_LOGIN('ORCLADMIN','<PASSWORD>')
----------------------------------
0

SQL>

Notice that the function returned a zero, indicating success.

4.  Retest the function with an incorrect password as follows:

SQL> select ldap_login('orcladmin','<WRONG_PASSWORD>') from dual;

LDAP_LOGIN('ORCLADMIN','<WRONG_PASSWORD>')
----------------------------------
1

Notice that the function returned a value of 1. Rerun with serveroutput set to on to see the Error Message defined in the code.

SQL> set serveroutput on

SQL> select ldap_login('orcladmin','<WRONG_PASSWORD>') from dual;

LDAP_LOGIN('ORCLADMIN','<WRONG_PASSWORD>')
----------------------------------
1

ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials
SQL>

Example of Microsoft Active Directory Authentication:

1. Make a copy of the sql code file and rename it

2. Edit it and change as follows:

* change the FUNCTION name to ldap_loginAD
* change the p_server to the AD hostname
* change the p_port to the AD ldap port

For example:

CREATE OR REPLACE FUNCTION ldap_loginAD (
p_user IN VARCHAR2,
p_pass IN VARCHAR2,
p_server IN VARCHAR2 DEFAULT '<AD_HOSTNAME>.<COMPANY>.com',
p_port IN PLS_INTEGER DEFAULT <AD_LDAP_NONSSL_PORT>
)

3. Repeat the steps in the OID example but provide a username and password that you know works in Active Directory.

Example of SunOne / Iplanet Directory Authentication:

1. Make a copy of the sql filename and rename it

2. Edit it and change as follows:

* change the FUNCTION name to ldap_loginSun
* change the p_server to the Sun/Iplanet hostname
* change the p_port to the Sun ldap port

For example:

CREATE OR REPLACE FUNCTION ldap_loginSun (
p_user IN VARCHAR2,
p_pass IN VARCHAR2,
p_server IN VARCHAR2 DEFAULT '<SUN_HOSTNAME>.<COMPANY>.com',
p_port IN PLS_INTEGER DEFAULT <SUN_LDAP_NONSSL_PORT>
)

3. Repeat the steps in the OID example but provide a username and password that you know works in the Sun/Iplanet Directory.