Ldap agent description

Purpose

The Ldap agent (ag_ldap) is used to access LDAP directory. It is part of YaST2 SCR, the system configuration repository, used to access configuration data on the target system. The general SCR API allows Read(), Write() and Execute() access to get and change data.

Implementation

Agent uses c++ library (ldapcpplib) for all LDAP operations.
During initialization (Execute (.ldap) call), new object of type LDAPConnection is created and all further actions with LDAP contens are called as the methods of this object.

The methods of ldapcpp library are described in ldapcpplib package documentation.

The complete development documentation is available in the autodocs/ directory.

Interface for ldap-agent

The interface is implemented as a SCR agent with the usual Read(), Write() and Execute() interface. The path prefix used is .ldap. For more see the paths tables.

Restrictions, limits and future enhancements

If you want to use agent, don't forget to call Execute(.ldap) at first to initialize it.

See the TODO.txt file for the current status of support and also for the list of possible future enhancements.

Complete Read paths table

Path	Argument	Type of Result	Result
`.ldap.error`		YCPMap	Map with last error message and code number. Example of result: $[ "msg" : "Can't contact LDAP server", "code" : 81, "server_msg": "Some additional error info from LDAP server" ]
`.ldap.search`	YCPMap	YCPMap or YCPList	Generic search command. Return value is list of objects (as default) or map of type `$[ dn: object ]` (when the value of `map` argument is `true`). Example of argument map: $[ "base_dn" : "dc=suse,dc=cz", "filter" : "(objectClass=posixGroup)", "scope" : 0, //0:base, 1:one, 2:sub "attrsOnly" : false, // true: return map instead of the list "map" : true, // true: one-item values are // returned as string, not as list with one value "single_values" : false, // true: return only list of DN's "dn_only" : false, // true: no error message is written when // object was not found (empty list/map is returned) "not_found_ok" : true, // true: "dn" key is included in a map of each entry "include_dn" : true, // which attrinbutes do we search for "attrs" : [ "objectClass", "cn", "gidNumber" ] ] Example of result map: $[ "cn=users,dc=suse,dc=cz" : $[ "objectClass" : [ "posixGroup"], "cn" : "users", "gidNumber" : 500 ], "cn=group,dc=suse,dc=cz" : $[ "objectClass" : [ "posixGroup"], "cn" : "group", "gidNumber" : 501 ] ]
`.ldap.schema.object_class`	YCPMap	YCPMap	Get the map of object class with given name. Argument map has to contain `name` entry. Example of argument map: $[ "name": "userTemplate"] Result map contains entries `oid, desc, must, may, sup`. `"sup"` is a name of superior class.
`.ldap.schema.attr_types`	YCPMap	YCPMap	Get the map of attribute type with given name. Argument map has to contain `name` entry. Example of argument map: $[ "name": "uidNumber"] Result map contains entries `oid, desc, single, usage`. When `single` is true, only single value is allowed for this attribute type. `usage` defines the attribute usage in these operations: 0=userApplications, 1=directoryOperation, 2=distributedOperation, 3=dSAOperation
`.ldap.users`		YCPMap	Return map of users, generated by `Execute (.ldap.users.search)` call. For the special use of yast2-users module.
`.ldap.users.by_uidnumber`		YCPMap	Return mapping of UID's to user names. Map was generated by `Execute (.ldap.users.search)` call. For the special use of yast2-users module.
`.ldap.users.homes`		YCPList	Return list of home directories, previously generated by `Execute (.ldap.users.search)` call. For the special use of yast2-users module.
`.ldap.users.uids`		YCPList	Return list of UID's, previously generated by `Execute (.ldap.users.search)` call. For the special use of yast2-users module.
`.ldap.users.usernames`		YCPList	Return list of user names, previously generated by `Execute (.ldap.users.search)` call. For the special use of yast2-users module.
`.ldap.users.userdns`		YCPList	Return list of user DN's, previously generated by `Execute (.ldap.users.search)` call. For the special use of yast2-users module.
`.ldap.groups`		YCPMap	Return map of groups (indexed by cn attribute), generated by `Execute (.ldap.groups.search)` call. For the special use of yast2-users module.
`.ldap.groups.by_gidnumber`		YCPMap	Return map of group names, indexed by gidnumber attribute. Map was generated by `Execute (.ldap.groups.search)` call. For the special use of yast2-users module.
`.ldap.groups.gids`		YCPList	Return list of GID's, previously generated by `Execute (.ldap.groups.search)` call. For the special use of yast2-users module.
`.ldap.groups.groupnames`		YCPList	Return list of group names, previously generated by `Execute (.ldap.groups.search)` call. For the special use of yast2-users module.

Complete Write paths table

Return value is YCPBoolean (usually the success of the object method call).

Generaly, 1st argument is a map, containing value of DN (of modified object) and possibly other values. (e.g.$[ "dn" : "ou=Groups,dc=suse,dc=cz" ])

Path 1st argument 2nd argument Result

.ldap.add YCPMap YCPMap Add a new LDAP object. Second argument is map of its attributes.
Example of attributes map:
$[ "objectClass" : [ "organizationalUnit"], "ou" : "Groups" ]

.ldap.modify YCPMap YCPMap Modifies an existing LDAP object.
Second argument is map of attributes (and its values) which should be changed/added/deleted. To remove some attribute, use empty value ("" or []) for it.
Parameter "new_dn" (DN of new object) is necessary for renaming.
For moving the object, use additionaly "newParentDN" value for new parent DN of object.
If argument map contains "check_attrs" key with true value, there will be done a search for current object's attributes before modify. When some attribute in attributes map (2nd argument) has an empty value it will be ignored, if the object currently has not such attribute. Otherwise ("check_attrs" is false as default), this situation leads to error message, because non-existent attribute is set for deletion.
If you want to rename or move an entry, which is not a leaf of LDAP tree, you must include "subtree" key (with true as a value) in argument map. In such a case, the modify operation could take more time, according to the subtree size, because all subtree items must be copied to new location and deleted from the old one.
Example of argument map:
$[ "dn" : "ou=people,dc=suse,dc=cz", "new_dn" : "ou=lide,dc=suse,dc=cz", "deleteOldRDN" : true, "subtree" : true ]
Example of attributes map:
$[ "ou": "lide" ]

.ldap.delete YCPMap YCPMap Deletes LDAP object. With "subtree" set to true, it will delete the whole subtree of the given entry. Use carefully!
Example of argument map:
$[ "dn" : "ou=people,dc=suse,dc=cz", "subtree" : true ]

Path	1st argument	2nd argument	Result
`.ldap.add`	YCPMap	YCPMap	Add a new LDAP object. Second argument is map of its attributes. Example of attributes map: $[ "objectClass" : [ "organizationalUnit"], "ou" : "Groups" ]
`.ldap.modify`	YCPMap	YCPMap	Modifies an existing LDAP object. Second argument is map of attributes (and its values) which should be changed/added/deleted. To remove some attribute, use empty value ("" or []) for it. Parameter `"new_dn"` (DN of new object) is necessary for renaming. For moving the object, use additionaly `"newParentDN"` value for new parent DN of object. If argument map contains `"check_attrs"` key with `true` value, there will be done a search for current object's attributes before modify. When some attribute in attributes map (2nd argument) has an empty value it will be ignored, if the object currently has not such attribute. Otherwise (`"check_attrs"` is false as default), this situation leads to error message, because non-existent attribute is set for deletion. If you want to rename or move an entry, which is not a leaf of LDAP tree, you must include `"subtree"` key (with true as a value) in argument map. In such a case, the modify operation could take more time, according to the subtree size, because all subtree items must be copied to new location and deleted from the old one. Example of argument map: $[ "dn" : "ou=people,dc=suse,dc=cz", "new_dn" : "ou=lide,dc=suse,dc=cz", "deleteOldRDN" : true, "subtree" : true ] Example of attributes map: $[ "ou": "lide" ]
`.ldap.delete`	YCPMap	YCPMap	Deletes LDAP object. With "subtree" set to true, it will delete the whole subtree of the given entry. Use carefully! Example of argument map: $[ "dn" : "ou=people,dc=suse,dc=cz", "subtree" : true ]

Complete Execute paths table

Return value is YCPBoolean (usually the success of the object method call).

Path Argument Result

.ldap YCPMap Initialization. Input map has to contain hostname and may contain port number and "use_tls" entry. "use_tls" could have these values:

"no": Do not start TLS (same when "use_tls" is missing).

"try": Start TLS. If it was not successful, fall back to unencrypted LDAP.

"yes": Start TLS. If it fails, return false (check its value with ldap.error read call).

Example of SCR call:
Execute(.ldap, $[ "hostname" : "localhost", "port" : 389, "use_tls" : "try" ])

.ldap.ping YCPMap Checks if it is possible to run a search query on the server. Return value is boolean; in case false is returned, it is possible that server is not running - check the error value via error read call. Input map has to contain hostname and may contain port number.
Example of SCR call:

Execute (.ldap.ping, $[ "hostname" : "localhost",])

.ldap.ppolicy YCPMap Checks if server supports Password Policy. Return value is boolean. Input map has to contain hostname, bind DN and may contain port number. For bind DN, use base DN of the LDAP Database or a child of it.
Example of SCR call:

Execute (.ldap.ppolicy, $[ "hostname" : "localhost", "bind_dn" : "dc=suse,dc=cz" ])

.ldap.bind YCPMap Bind to server. Items of input map should be "bind_dn" and "bind_pw". For anonymous acess, let input map empty.
Example of SCR call:

Execute (.ldap.bind, $[ "bind_dn": "uid=manager,dc=suse,dc=cz", "bind_pw": "heslo"])

.ldap.start_tls none Starts TLS on current connection. Returns false when operation failed (check error via ldap.error then). Example of SCR call:

Execute (.ldap.start_tls)

.ldap.schema YCPMap Initialize LDAP schema: read it (defined by "schmema_dn"), parse it and save lists of its object classes and attribute types to internal structures. From now, they are available for Read(.ldap.schema.*) calls.
Example of SCR call:

Execute (.ldap.schema, $[ "schema_dn": "cn=Subschema"])

.ldap.users.search YCPMap LDAP search command for users and groups. Specialized call for the use of yast2-users module. Additionaly to normal search, it builds many helper structures - they are read by the calls of type Read(.ldap.users.*) and Read(.ldap.groups.*).
Example of SCR call:

Execute (.ldap.users.search, $[ "user_base" : "dc=suse,dc=cz", "group_base" : "dc=suse,dc=cz", "user_filter" : "objectClass=posixAccount", "user_attrs" : [ "objectClass", "cn", "uid", "uidNumber", "gidNumber"], "group_filter" : "objectClass=posixGroup", "group_attrs" : [ "objectClass", "cn", "gidNumber", "uniqueMember" ], "group_scope" : 1, "member_attribute" : "uniquemember", ])

.ldap.unbind none Performs the UNBIND-operation on the current server.

Execute (.ldap.unbind)

.ldap.close none Closes current connection: does UNBIND and destroys current object.

Execute (.ldap.close)

Path	Argument	Result
`.ldap`	YCPMap	Initialization. Input map has to contain hostname and may contain port number and "use_tls" entry. "use_tls" could have these values: "no": Do not start TLS (same when "use_tls" is missing). "try": Start TLS. If it was not successful, fall back to unencrypted LDAP. "yes": Start TLS. If it fails, return false (check its value with ldap.error read call). Example of SCR call: Execute(.ldap, $[ "hostname" : "localhost", "port" : 389, "use_tls" : "try" ])
`.ldap.ping`	YCPMap	Checks if it is possible to run a search query on the server. Return value is boolean; in case false is returned, it is possible that server is not running - check the error value via error read call. Input map has to contain hostname and may contain port number. Example of SCR call: Execute (.ldap.ping, $[ "hostname" : "localhost",])
`.ldap.ppolicy`	YCPMap	Checks if server supports Password Policy. Return value is boolean. Input map has to contain hostname, bind DN and may contain port number. For bind DN, use base DN of the LDAP Database or a child of it. Example of SCR call: Execute (.ldap.ppolicy, $[ "hostname" : "localhost", "bind_dn" : "dc=suse,dc=cz" ])
`.ldap.bind`	YCPMap	Bind to server. Items of input map should be `"bind_dn"` and `"bind_pw"`. For anonymous acess, let input map empty. Example of SCR call: Execute (.ldap.bind, $[ "bind_dn": "uid=manager,dc=suse,dc=cz", "bind_pw": "heslo"])
`.ldap.start_tls`	none	Starts TLS on current connection. Returns false when operation failed (check error via ldap.error then). Example of SCR call: Execute (.ldap.start_tls)
`.ldap.schema`	YCPMap	Initialize LDAP schema: read it (defined by `"schmema_dn"`), parse it and save lists of its object classes and attribute types to internal structures. From now, they are available for `Read(.ldap.schema.)` calls. Example of SCR call:* Execute (.ldap.schema, $[ "schema_dn": "cn=Subschema"])
`.ldap.users.search`	YCPMap	LDAP search command for users and groups. Specialized call for the use of yast2-users module. Additionaly to normal search, it builds many helper structures - they are read by the calls of type `Read(.ldap.users.)` and `Read(.ldap.groups.)`. Example of SCR call: Execute (.ldap.users.search, $[ "user_base" : "dc=suse,dc=cz", "group_base" : "dc=suse,dc=cz", "user_filter" : "objectClass=posixAccount", "user_attrs" : [ "objectClass", "cn", "uid", "uidNumber", "gidNumber"], "group_filter" : "objectClass=posixGroup", "group_attrs" : [ "objectClass", "cn", "gidNumber", "uniqueMember" ], "group_scope" : 1, "member_attribute" : "uniquemember", ])
`.ldap.unbind`	none	Performs the UNBIND-operation on the current server. Execute (.ldap.unbind)
`.ldap.close`	none	Closes current connection: does UNBIND and destroys current object. Execute (.ldap.close)

Jiří Suchomel <jsuchome@suse.cz>