Re: How to test ActiveDirectory using ApacheDS
I've attempted to answer your questions:

dn: CN=Role1,OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com
objectClass: top
objectClass: *groupofnames*
cn: Role1
description: Standard-User

Or you can use the groupofuniquenames objectclass.

dn: CN=FirstName LastName,OU=AD,OU=MyDepartment,DC= My Company,DC=ch

Looks like the dc portion of your dn values for your group and user differ:

group entry: DC=myCompany,DC=com
user entry: DC= My Company,DC=ch

I am going to guess that "DC=myCompany,DC=com" is the correct value, not "DC= My Company,DC=ch", so I am revising the user entry to:

dn: CN=FirstName LastName,OU=AD,OU=MyDepartment,DC=MyCompany,DC=com
objectClass: top
*objectClass: someAccount*
objectClass: person
objectclass: inetOrgPerson
objectClass: organizationalPerson
*objectClass: user*
cn: FirstName LastName
sn: LastName
givenName: FirstName
displayName: FirstName LastName

Question: in the ApacheDS directory, if the OU=AD,OU=MyDepartment,DC=MyCompany,DC=com and OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com container structures do not exist, they need to be created before you can add your user and group entry.

On your user entry, I've removed the objectclass lines that contain the someAccount and user words, and added inetorgperson.

Once your group and user are created you can add your user to your group via the ApacheDS admin tool, or via the ldapmodify command line tool with an ldif file.

On 8/16/18 10:33 AM, Milan Tomic wrote:
> Hello
>
> I am completely new to LDAP and it is much more difficult than I thought. I am trying to develop in Java a simple app that would access LDAP. For a given userName it would read user rights stored in LDAP (associated user groups) and user properties (givenName, sn, postalCode...).
>
> I got a .ldif file exported from ActiveDirectory, installed ApacheDS, and naively tried to import the .ldif from ActiveDirectory into ApacheDS. It didn't work. Some objectClasses that ActiveDirectory has, ApacheDS doesn't have/support.
>
> Now I would like to create as close as possible a structure in my local installation of ApacheDS as it is in the real ActiveDirectory.
>
> User group example:
>
> dn: OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com
> objectClass: top
> objectClass: organizationalUnit
> ou: MyApp
>
> dn: CN=Role1,OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com
> objectClass: top
> objectClass: group
> cn: Role1
> description: Standard-User
> sAMAccountName: Role1
> groupType: -2147483646
>
> User example:
>
> dn: CN=FirstName LastName,OU=AD,OU=MyDepartment,DC= My Company,DC=ch
> objectClass: top
> objectClass: someAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: FirstName LastName
> sn: LastName
> givenName: FirstName
> displayName: FirstName LastName
>
> 1. How do I need to modify the original group and user (exported from ActiveDirectory) so that I can import them into ApacheDS?
> 2. How do I assign "group Role1" to the "user" in ApacheDS? Should I add "objectClass: Role1" to the user or something else?
>
> Thank you very much in advance,
> Milan

-- 
Donald Lohr
Information Systems
James Madison University
540.568.3730
DOS: Bad command or file name
bash: command not found
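The rewrite Donald describes above, done mechanically, as an added example that is not part of the thread: a small LDIF reader that unfolds continuation lines and decodes base64 values, a converter that strips the AD-only objectClasses and attributes (the set of names to strip is an assumption for the example; extend it from whatever your own import rejects), maps `group` to `groupOfNames` and `user` to `inetOrgPerson`, and a generator for the `ldapmodify` record that adds a member. One caveat worth knowing before you run this against ApacheDS: RFC 4519 makes `member` a MUST attribute of `groupOfNames`, and ApacheDS enforces schema, so the converter takes an initial member DN and writes it into the group at create time instead of relying on a later modify. The base-DN mismatch Donald spotted (`DC=myCompany,DC=com` vs `DC= My Company,DC=ch`) is reported, not silently "fixed". The sample LDIF is constructed from the three entries quoted in the thread.

```python
"""Added example: turn an Active Directory LDIF export into entries ApacheDS accepts."""
import base64
from typing import List, Optional, Set, Tuple

Attr = Tuple[str, str]
Entry = Tuple[str, List[Attr]]  # (dn, [(attribute, value), ...])

# Names that exist only in the AD schema (assumed list for this example).
AD_ONLY_CLASSES = {"user", "group", "someaccount"}
AD_ONLY_ATTRS = {"samaccountname", "grouptype", "objectguid", "objectsid",
                 "useraccountcontrol", "distinguishedname"}


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds ' '-continued lines, decodes 'attr:: base64',
    splits entries on blank lines. Change records (changetype:) are not handled."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    dn: Optional[str] = None
    attrs: List[Attr] = []
    for line in unfolded + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return entries


def base_dn(dn: str) -> str:
    """The dc= components of a DN (naive comma split; assumes no escaped commas)."""
    return ",".join(p.strip() for p in dn.split(",") if p.strip().lower().startswith("dc="))


def check_bases(entries: List[Entry]) -> Set[str]:
    """Distinct base DNs in the export; more than one means mixed naming contexts."""
    return {base_dn(dn).lower() for dn, _ in entries}


def to_apacheds(entry: Entry, initial_member: Optional[str] = None) -> Entry:
    """Drop AD-only classes/attributes. 'group' becomes groupOfNames (RFC 4519:
    member is MUST, so the first member is written at create time); 'user'
    becomes inetOrgPerson on top of person/organizationalPerson."""
    dn, attrs = entry
    classes = {v.lower() for a, v in attrs if a.lower() == "objectclass"}
    kept = [(a, v) for a, v in attrs
            if a.lower() not in AD_ONLY_ATTRS
            and not (a.lower() == "objectclass" and v.lower() in AD_ONLY_CLASSES)]
    if "group" in classes:
        kept.append(("objectClass", "groupOfNames"))
        if initial_member:
            kept.append(("member", initial_member))
    elif "user" in classes and "inetorgperson" not in classes:
        kept.append(("objectClass", "inetOrgPerson"))
    return dn, kept


def to_ldif(entry: Entry) -> str:
    dn, attrs = entry
    return "\n".join([f"dn: {dn}"] + [f"{a}: {v}" for a, v in attrs]) + "\n"


def add_member_ldif(group_dn: str, member_dn: str) -> str:
    """ldapmodify record that adds one more member to an existing groupOfNames."""
    return f"dn: {group_dn}\nchangetype: modify\nadd: member\nmember: {member_dn}\n-\n"


# Constructed sample: the three entries from the thread, as AD exported them.
AD_EXPORT = """\
dn: OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com
objectClass: top
objectClass: organizationalUnit
ou: MyApp

dn: CN=Role1,OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com
objectClass: top
objectClass: group
cn: Role1
description: Standard-User
sAMAccountName: Role1
groupType: -2147483646

dn: CN=FirstName LastName,OU=AD,OU=MyDepartment,DC= My Company,DC=ch
objectClass: top
objectClass: someAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: FirstName LastName
sn: LastName
givenName: FirstName
displayName: FirstName LastName
"""

USER_DN = "CN=FirstName LastName,OU=AD,OU=MyDepartment,DC=MyCompany,DC=com"

if __name__ == "__main__":
    entries = parse_ldif(AD_EXPORT)
    print("base DNs found in export:", check_bases(entries))
    for e in entries:
        print(to_ldif(to_apacheds(e, initial_member=USER_DN)))
    print(add_member_ldif(entries[1][0], "cn=second,ou=AD,ou=MyDepartment,dc=MyCompany,dc=com"))
```

Feed the printed entries to `ldapmodify -a` (OpenLDAP tools) against ApacheDS after the OU containers exist; the `changetype: modify` record goes through `ldapmodify` without `-a`. Reading group membership back in the Java app is then a search for `(member=<userDN>)`, which is why the member value must be the user's exact DN.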
Re: How to test ActiveDirectory using ApacheDS
LDAP is not a directory. It is a protocol (Lightweight Directory Access Protocol) that can be used to search for, create, modify and delete entries in a directory services product (e.g. ApacheDS, Active Directory, Oracle Internet Directory, Oracle Unified Directory, OpenLDAP, Novell eDirectory, etc.). Just like HTTP is not a web server, but a protocol used to access data on a web server.

All directories have a schema that defines the types of entries (e.g. container, user, group, etc.) that the directory can contain and the items (attributes) that each entry can have (e.g. cn, sn, givenname, mail, etc.). You do not want to "port" the AD schema or any other directory's schema to another directory. If you want to stand up any directory product, you must learn it so you can have it contain the types of entries and attribute data for your needs.

An additional requirement is to understand the security components to protect those entries and attributes. Some vendors, like Microsoft, design their directory product so any connected user can see all entries and attributes in the directory, which might be more data than should be exposed. Other vendors designed their directory product where you (the admin) have to assign all access controls, because nothing is exposed by default.

It would be best to use the ApacheDS admin tool and admin guide to build a similar ou= and dc= container structure in ApacheDS that loosely matches your AD environment. Then, using the ApacheDS admin tool and admin guide, create a simple user and group. At which time you can then use any of numerous LDAP browser or command line tools (I prefer the OpenLDAP command line tools) to search against your ApacheDS directory and list out your simple user and group entries (into a .ldif file format). Those same tools can also be used to pull data from AD.

There are plenty of sample Java code snippets on the Internet to LDAP auth against a directory service, so you would not have to "develop one".

Some directory vendors do have attribute uniqueness features where the "naming attribute" of an entry's distinguished name can be made "globally unique", like Microsoft did with the sAMAccountName. A user (David Allen Smith) might, as an example, be given a login account named smithDA and be part of the engineering department. The directory container structure might look like:

dc=com
  dc=acme
    ou=engineering

...thus making his distinguished name:

cn=smithDA,ou=engineering,dc=acme,dc=com

In this distinguished name, the "naming attribute" is the cn attribute. In some directory products, an attribute uniqueness constraint can be applied to the cn attribute so that David's login account is the only one named smithDA.

On 8/16/18 10:45 AM, Lothar Haeger wrote:
> Milan Tomic wrote:
>> Now I would like to create as close as possible a structure in my local installation of ApacheDS as it is in the real ActiveDirectory.
>
> I'd rather try to install a Windows Server in VMware and create a "real" AD Domain. AD is very much doing stuff just like AD and not like most other LDAP directories, so if you want your app to work properly against all LDAP flavours make sure to test and develop against all (main) flavours. Even if you get the schema ported over, the backend server behaviour will not be the same. E.g. most LDAP directories use loginDisabled to lock accounts; AD uses a single binary attribute storing lock status together with a couple of different status bits, and not all of them can be flipped through LDAP at all. Another one is the sAMAccountName, which AD enforces to be globally unique, but any "standard" LDAP won't do that and you could create JDOE accounts in several different containers.
Re: How to test ActiveDirectory using ApacheDS
Milan Tomic wrote:
> Now I would like to create as close as possible a structure in my local
> installation of ApacheDS as it is in the real ActiveDirectory.

I'd rather try to install a Windows Server in VMware and create a "real" AD Domain. AD is very much doing stuff just like AD and not like most other LDAP directories, so if you want your app to work properly against all LDAP flavours make sure to test and develop against all (main) flavours. Even if you get the schema ported over, the backend server behaviour will not be the same. E.g. most LDAP directories use loginDisabled to lock accounts; AD uses a single binary attribute storing lock status together with a couple of different status bits, and not all of them can be flipped through LDAP at all. Another one is the sAMAccountName, which AD enforces to be globally unique, but any "standard" LDAP won't do that and you could create JDOE accounts in several different containers.
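The two behavioural differences Lothar names, and the uniqueness point Donald makes about the naming attribute, as an added example that is not part of the thread: decoding AD's userAccountControl and groupType bit fields (the thread's groupType value -2147483646 is 0x80000002, a global security group), masking the bits AD computes server-side (LOCKOUT and PASSWORD_EXPIRED are reported through msDS-User-Account-Control-Computed and cannot be changed by writing userAccountControl), a directory-neutral "is this account disabled" check that understands both userAccountControl and loginDisabled and fails closed otherwise, and a scan for duplicate login names across containers, which AD would have refused but a plain LDAP server will accept. The bit values are the published AD ones; the sample entries are constructed for the example.

```python
"""Added example: AD status bits, a portable disabled-account check, and a
naming-uniqueness scan that a non-AD directory will not do for you."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, List[Tuple[str, str]]]  # (dn, [(attribute, value), ...])

# userAccountControl bits (subset of the published AD values).
UAC = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00800000: "PASSWORD_EXPIRED",
}
# Computed by the DC (msDS-User-Account-Control-Computed); a modify that
# sets or clears these in userAccountControl has no effect.
UAC_COMPUTED = {0x00000010, 0x00800000}

# groupType bits; the attribute is stored as a signed 32-bit integer.
GROUP_SCOPE = {0x2: "GLOBAL", 0x4: "DOMAIN_LOCAL", 0x8: "UNIVERSAL"}
GROUP_SECURITY_ENABLED = 0x80000000


def decode_uac(value: int) -> List[str]:
    """Flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC.items()) if value & bit]


def settable_uac(value: int) -> int:
    """Strip the server-computed bits so a value read back and rewritten
    does not carry flags the server will ignore."""
    mask = 0
    for bit in UAC_COMPUTED:
        mask |= bit
    return value & ~mask


def decode_group_type(value: int) -> Tuple[str, str]:
    """(kind, scope) for a groupType value, e.g. -2147483646 -> ('security', 'GLOBAL')."""
    v = value & 0xFFFFFFFF
    kind = "security" if v & GROUP_SECURITY_ENABLED else "distribution"
    scope = next((n for b, n in GROUP_SCOPE.items() if v & b), "UNKNOWN")
    return kind, scope


def attr(attrs: List[Tuple[str, str]], name: str) -> Optional[str]:
    return next((v for a, v in attrs if a.lower() == name.lower()), None)


def account_disabled(attrs: List[Tuple[str, str]]) -> bool:
    """AD: bit 0x2 of userAccountControl. Directories with loginDisabled: the
    boolean. No recognised status attribute: fail closed (report disabled)."""
    uac = attr(attrs, "userAccountControl")
    if uac is not None:
        return bool(int(uac) & 0x2)
    login_disabled = attr(attrs, "loginDisabled")
    if login_disabled is not None:
        return login_disabled.upper() == "TRUE"
    return True


def find_duplicate_logins(entries: List[Entry], name_attr: str = "sAMAccountName") -> Dict[str, List[str]]:
    """Login names used by more than one entry. AD rejects these domain-wide;
    a standard LDAP server only rejects a duplicate RDN under the same parent,
    so cn=jdoe,ou=sales and cn=jdoe,ou=engineering both get created."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for dn, attrs in entries:
        value = attr(attrs, name_attr)
        if value is not None:
            seen[value.lower()].append(dn)
    return {name: dns for name, dns in seen.items() if len(dns) > 1}


# Constructed sample entries (not real directory data).
SAMPLE: List[Entry] = [
    ("cn=jdoe,ou=engineering,dc=acme,dc=com",
     [("objectClass", "inetOrgPerson"), ("sAMAccountName", "jdoe"), ("userAccountControl", "514")]),
    ("cn=jdoe,ou=sales,dc=acme,dc=com",
     [("objectClass", "inetOrgPerson"), ("sAMAccountName", "JDOE"), ("loginDisabled", "FALSE")]),
    ("cn=smithDA,ou=engineering,dc=acme,dc=com",
     [("objectClass", "inetOrgPerson"), ("sAMAccountName", "smithDA"), ("userAccountControl", "66048")]),
]

if __name__ == "__main__":
    print("groupType -2147483646 ->", decode_group_type(-2147483646))
    for dn, attrs in SAMPLE:
        print(dn, "disabled:", account_disabled(attrs), decode_uac(int(attr(attrs, "userAccountControl") or 0)))
    print("duplicate logins:", find_duplicate_logins(SAMPLE))
```

The application-side lesson is the one Lothar draws: resolve a login name to exactly one DN before trusting group lookups on it, because against ApacheDS or OpenLDAP nothing stops a second `jdoe` from appearing in another OU, and read "disabled" from whichever attribute the directory actually uses rather than assuming AD's bit field exists.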
How to test ActiveDirectory using ApacheDS
Hello

I am completely new to LDAP and it is much more difficult than I thought. I am trying to develop in Java a simple app that would access LDAP. For a given userName it would read user rights stored in LDAP (associated user groups) and user properties (givenName, sn, postalCode...).

I got a .ldif file exported from ActiveDirectory, installed ApacheDS, and naively tried to import the .ldif from ActiveDirectory into ApacheDS. It didn't work. Some objectClasses that ActiveDirectory has, ApacheDS doesn't have/support.

Now I would like to create as close as possible a structure in my local installation of ApacheDS as it is in the real ActiveDirectory.

User group example:

dn: OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com
objectClass: top
objectClass: organizationalUnit
ou: MyApp

dn: CN=Role1,OU=MyApp,OU=Applications,OU=Groups,DC=myCompany,DC=com
objectClass: top
objectClass: group
cn: Role1
description: Standard-User
sAMAccountName: Role1
groupType: -2147483646

User example:

dn: CN=FirstName LastName,OU=AD,OU=MyDepartment,DC= My Company,DC=ch
objectClass: top
objectClass: someAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: FirstName LastName
sn: LastName
givenName: FirstName
displayName: FirstName LastName

1. How do I need to modify the original group and user (exported from ActiveDirectory) so that I can import them into ApacheDS?
2. How do I assign "group Role1" to the "user" in ApacheDS? Should I add "objectClass: Role1" to the user or something else?

Thank you very much in advance,
Milan