This section is about running the snoop utility with the LDAP protocol in mind. If you are not familiar with LDAP protocol, then tracing the protocol exchange using snoop will not make much sense. In this short section, we will take a look at the basics of the protocol exchange between an LDAP client and a Directory (LDAP) server. The general model adopted by the LDAP v3 protocol is whereby clients perform protocol operations against a server. Using this model, a client transmits a protocol request describing the operation that needs to be performed on a server. The server is then responsible for performing the necessary operations in the directory. Upon completion of the operations, the server returns a response containing any results or errors to the requesting client, as illustrated in FIGURE C-1. Figure C-1. LDAP Protocol Big Picture
LDAP Protocol Big PictureIn the first sequence of events, the LDAP session is initialized . LDAP structure is created which contains information about the LDAP server and LDAP session. Initializing this LDAP session uses the ldap-init() function call. if ( (ld = ldap_init( LDAP_HOST, LDAP_PORT )) == NULL) { perror ( "ldap_init" ); return ( 1 ); } Next , the client binds to the Directory (LDAP) Server. The bind request is optional, and is only needed if the client wants to indicate who it is. When connecting to a Directory (LDAP) server, the client must send a bind operation request to the server. This LDAP bind request contains various pieces of information, such as the DN of the client that is attempting to authenticate, and so on. When the client binds to the server in the most basic form, it binds as an anonymous client, whereby NULL values are provided for the DN and password. To be sure that the server responds, I always recommend that you use the synchronous function, ldap_simple_bind_s() , which enables you to wait for the bind operation to complete. If this bind operation is successful, the function returns LDAP_SUCCESS . if ( ldap_simple_bind_s( ld, NULL, NULL ) != LDAP_SUCCESS) { ldap_perror( ld, "ldap_simple_bind_s" ); ldap_unbind( ld ); return ( 1 ); } On completion of the binding to the directory server, the client performs LDAP operations. Once the client has initialized a session with the LDAP directory server, and the authentication process is complete, the client performs LDAP operations. The client might use the ldap_search_s() function. For Example: if ( ldap_search_s(ld, LDAP_SEARCHBASE, LDAP_SCOPE_SUBTREE, MY_FILTER, NULL, 0, &result ) != LDAP_SUCCESS ) { ldap_perror( ld, "ldap_search_s" }; if( result == NULL ) { ldap_unbind( ld ); return( 1 ); } } After completing this, the client parses and prints the results. For Example: for (e = ldap_first_entry( ld, result ); e != NULL; e = ldap_next_entry( ld, e ) ) { if ( (dn = ldap_get_dn( ld, e )) != NULL ) { printf("dn: %s\n", dn ); ldap_memfree(dn); } for ( a = ldap_first_attribute( ld, e, &ber ); a != NULL; a = ldap_next_attribute( ld, e, ber ) ) { if ((vals = ldap_get_values( ld, e, a)) != NULL) { for ( i = 0; vals[i] != NULL; i++ ) { printf( "%s: %s\n", a, vals[i] ); } ldap_value_free( vals ); } ldap_memfree( a ); } if ( ber != NULL ) { ber_free( ber, 0 ); } printf( "\n" ); } The client then closes the connection to the LDAP server by calling one of two functions, ldap_unbind() or ldap_unbind_s() . ldap_msgfree( result ); ldap_unbind( ld ); return ( 0 ); The following code example searches for all entries of Ruble and prints every attribute that is a associated with Ruble at example.com . dn: uid=LRuble,ou=People, dc=sun,dc=com telephoneNumber: 1-201-513-1084 mail: Lucy.Ruble@example.com uid: LRuble givenName: Lucy uidNumber: 1002 gidNumber: 2002 homeDirectory: /export/home/lruble loginShell: /usr/bin/sh gecos: Sun ONE Directory User objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: posixAccount objectClass: shadowAccount objectClass: account sn: Ruble cn: Lucy Ruble dn: uid=TRuble,ou=People, dc=sun,dc=com telephoneNumber: 1-187-244-7705 mail: Chris.Ruble@example.com givenName: Chris uid: TRuble uidNumber: 1001 gidNumber: 2001 homeDirectory: /export/home/truble loginShell: /usr/bin/ksh gecos: Sun ONE Directory Administrator objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: posixAccount objectClass: shadowAccount objectClass: account sn: Ruble cn: Chris Ruble |