localhostldapserver

ldapserver  时间:2021-05-01  阅读:()
CopyrightIBMCorporation2013TrademarksImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerPage1of9ImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerUsePythontoeasilyfindandimportuseraccountsintoIBMSecurityAccessManager—withnoscriptingexperiencerequiredOriPomerantzOctober15,2013SystemsadministratorsfrequentlyneedawaytoimportexistinguseraccountsfromanLDAPrepositoryintoIBMSecurityAccessManager.
Inthisarticle,getstartedwithanimportscriptwritteninPythonthatyoucanusetoreadusersinanLDAPrepository,thenimportthemusingtheIBMSecurityAccessManagerpdadmincommand.
IdentityandAccessManagementLearnmoreaboutidentityandaccessmanagementtoolsinIBM's"IdentityandAccessManagementBuyer'sGuide.
"IBMsecurityproductsareoftenimplementedasbrownfielddevelopments,meaningtheyarebuiltforanenvironmentwheresomesimilarapplicationalreadyexists.
IBMSecurityAccessManagerissuchaproduct,beingfrequentlydeployedintoenvironmentswhereaLightweightDirectoryAccessProtocol(LDAP)directoryserverisalreadyinplace.
Inthatcase,systemadministratorsneedtoknowhowtoimportuserentriesfromtheLDAPdirectoryserverintoIBMSecurityAccessManager.
Figure1showsasystemarchitecturewhereIBMSecurityAccessManagerhasbeenintroducedtoanexistingsystemthatincludesanLDAPdirectoryserverandback-endapplications.
developerWorksibm.
com/developerWorks/ImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerPage2of9Figure1.
AdirectoryserverarchitecturewithIBMSecurityAccessManagerInthisarticle,IpresentaPythonscript(seeDownload)youcanusefromthecommand-linetoautomaticallyfindandimportnewusersfromanLDAPrepositorytreeintoIBMSecurityAccessManager.
NotethatthisarticleassumesthatyouarefamiliarwithIBMSecurityAccessManagerandtheLightweightDirectoryAccessProtocol.
Youneedn'tbefamiliarwithPythontousetheimportscript.
AboutPythonPythonisascriptinglanguagethatisastandardpartofmostLinuxdistributions.
IfyourinstallationofIBMSecurityAccessManagerisrunningonWindows,youcandownloadPythontofollowthedemonstrationhere.
SeeRelatedtopicstolearnmoreaboutPython.
TheimportscriptInthissection,Iintroduceandexplainsomeelementsandstagesoftheimportscript,whichyoumaydownloadatanytime.
NotethatthescriptreliesonIBMSecurityAccessManager'spdadmincommand,soyoumustrunitonacomputerwiththeIBMSecurityAccessManagerruntimeenvironmentinstalled.
Figure2isaflowdiagramshowingthemajorprogressionsofthescript.
Figure2.
ThemajorstagesofthescriptListing1showstheimportscript.
Listing1.
Theimportscript#!
/usr/bin/pythonibm.
com/developerWorks/developerWorksImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerPage3of9#Authenticationldap_dn="cn=root"ldap_pwd="object00"ldap_server="localhost"sameb_uid="sec_master"sameb_pwd="object00"#ThepartoftheLDAPtreewhereyouexpectusersldap_base="o=xyz"#ThepartoftheLDAPtreewheretheSAMeb#configurationislocatedldap_sameb_base="secAuthority=Default"#Internalconfigurationldap_user_file="ldap_users"uid_file="uid_file"fromsubprocessimportcallcall("ldapsearch-LLL-D"+ldap_dn+"-w"+ldap_pwd+"-b"+ldap_base+"-h"+ldap_server"objectclass=inetOrgPersondn>"+ldap_user_file,shell=True)ldap_users=open(ldap_user_file,"r")forlineinldap_users:iflen(line)>1:dn=line[4:-1]ret_val=call("ldapsearch-D"+ldap_dn+"-w"+ldap_pwd+"-h"+ldap_server+"-b"+ldap_sameb_base+"secDN="+dn+"|grepnumEntries>/dev/null",shell=True)if(ret_val==1):print"Needtoimport"+dncall("ldapsearch-D"+ldap_dn+"-w"+ldap_pwd+"-h"+ldap_server+"-b"+dn+"objectClass=inetOrgPersonuid"+"|grepuid:>"+uid_file,shell=True)uid_f=open(uid_file,"r")uid=uid_f.
read()uid_f.
close()uid=uid[5:-1]call("pdadmin-a"+sameb_uid+"-p"+sameb_pwd+"userimport"+uid+""+dn,shell=True);call("pdadmin-a"+sameb_uid+"-p"+sameb_pwd+"usermodify"+uid+"account-validyes",shell=True);Inthenextsection,Iwon'texplaineverypartofthescript,justitsmajorfeatures.
ItishelpfulifyouarefamiliarwithPython,butnotnecessary.
I'llexplaintherelevantaspectsofPythonsyntaxforeachsettingandalsoshowyouwhereyouwouldneedtomodifyitforyourownuse.
ScriptsettingsNormally,Pythonlinesthatstartwithanumbersign(#)arecomments.
ThislineinListing1isaspecialcase,however.
TheUNIXconventionisthatfilesthatstartwithanumbersignfolloweddeveloperWorksibm.
com/developerWorks/ImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerPage4of9byanexclamationpoint(#!
)usetherestofthelineasthenameoftheinterpreterthatwillrunthefile.
Inthiscase,thefollowingcodeisthepathforthePythoninterpreter.
Youwouldmodifyitasneededforyourenvironment.
#!
/usr/bin/pythonThenextcodesnipcontainstheLDAPserver'slogon,password,andserverhostnameinformation.
Modifyitasneededforyourownsystem.
#Authenticationldap_dn="cn=root"ldap_pwd="object00"ldap_server="localhost"Next,thescriptpasseslogonandpasswordinformationtoIBMSecurityAccessManager.
Modifythesepartsforyourenvironment.
sameb_uid="sec_master"sameb_pwd="object00"ThenextpartisthebranchoftheLDAPtreethathasuserinformation.
Figure3showsanexampleofthelocationofusersintheLDAPtree.
Modifyasneededforyourconfiguration.
Figure3.
LDAPtreewithusers#ThepartoftheLDAPtreewhereyouexpectusersldap_base="ou=people,o=xyz"FilteringuseraccountsInadditiontolocatingusersintheLDAPtree,thescriptmustlimititselftouserswhoarenotalreadyinIBMSecurityAccessManager.
Tofilteroutthoseusers,thescriptneedstoknowthelocationintheLDAPtreeoftheIBMSecurityAccessManagerconfiguration.
Asshownbelow,thedefaultlocationissecAuthority=Default.
Youcanchangethisdefaultsettingwhenyoufirstconfigurethepolicyserver.
#ThepartoftheLDAPtreewheretheSAMeb#configurationislocatedldap_sameb_base="secAuthority=Default"Figure4showstheLDAPtreewiththedefaultlocationoftheIBMSecurityAccessManagerconfiguration.
ibm.
com/developerWorks/developerWorksImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerPage5of9Figure4.
LDAPtreewithsecAuthority=DefaultTowardtheendofthescriptyouseethefilesusedasintermediatestoragefortheoutputofcommandsusedtoobtainuserinformation.
Unlessyouhaveareasontorunmultipleinstancesofthescriptatonce,youshouldn'tneedtochangethefollowingfilenames:#Internalconfigurationldap_user_file="ldap_users"uid_file="uid_file"ScriptfunctionsThenextpartofthescriptusestheparametersdeclaredabovetoactuallyreadusersfromLDAPandimportthemintoIBMSecurityAccessManager.
ThescriptusesPython'ssubprocess.
callfunctiontorunshellcommands.
Thefollowinglineimportsthefunctionsothatitisavailable:fromsubprocessimportcallThenextlinecallsldapsearchtofindthelistofusers.
call("ldapsearch-LLL-D"+ldap_dn+"-w"+ldap_pwd+"-b"+ldap_base+"-h"+ldap_server"objectclass=inetOrgPersondn>"+ldap_user_file,shell=True)Withthedefaultconfiguration,thelinesaboverunthefollowingshellcommand.
ThiscommandsearchesforentitiesoftypeinetOrgPerson,whichisusedtorepresentpeople.
Itreadsonlytheirdistinguishednameandsendstheoutputtoafilecalledldapusers:ldapsearch-LLL-Dcn=root-wobject00-bou=people,o=xyz-hlocalhostobjectclass=inetOrgPersondn>ldapusersNext,thescriptopenstheldapusersfileandreadsit,linebyline.
NotethatPythonhandlesblocksbyindentation;soeverythingthatisindentedatleastoncefromthispointonwardisdoneonceperuser.
ldap_users=open(ldap_user_file,"r")forlineinldap_users:developerWorksibm.
com/developerWorks/ImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerPage6of9Note:Thelinesinldapusersareoftheform:dn:cn=jdoe,ou=users,o=xyz.
Thefirstfourcharactersaredn:followedbyaspace.
Theactualdistinguishednamestartsinthefifthcharacter,whichisnumber4whencountingfromzero.
Halfofthelinesinldapusersareblank.
Theotherhalfstartwithdn:.
Thiscodefragmentignorestheblanklinesanddiscardsthefirstfourcharactersoftheotherlines.
BecausePythonblocksaredesignatedbyindentation,therestofthescriptrunsonlyforlinesthatarenotblank.
iflen(line)>1:dn=line[4:-1]CheckingforexistingaccountsAspreviouslynoted,it'simportanttoensurethatyoudon'tduplicateexistingaccountswhenyouimportusersfromtheLDAPrepositoryintoIBMSecurityAccessManager.
UserentriesinIBMSecurityAccessManagerhaveasecDNattributewiththevalueoftheoriginaldistinguishedname.
ThefollowingcodesegmentusesldapsearchtolookforanentrywiththeappropriatesecDNvalue.
ret_val=call("ldapsearch-D"+ldap_dn+"-w"+ldap_pwd+"-h"+ldap_server+"-b"+ldap_sameb_base+"secDN="+dn+"|grepnumEntries>/dev/null",shell=True)Areturnvalueof1indicatesthatgrepfailed,meaningthatnoLDAPentrymatchesthefilter.
Inthatcase,thescriptimportstheuser,creatinganewLDAPentityfortheIBMSecurityAccessManageruserinformation.
if(ret_val==1):print"Needtoimport"+dnImportinganewuserToimportauserintoIBMSecurityAccessManageryoumustspecifytheuser'sUID,theidentifierthatheorsheusestologon.
Thefollowinglinesretrievethatvalue:call("ldapsearch-D"+ldap_dn+"-w"+ldap_pwd+"-h"+ldap_server+"-b"+dn+"objectClass=inetOrgPersonuid"+"|grepuid:>"+uid_file,shell=True)Thislinereadsthefirstlineofthefile:uid_f=open(uid_file,"r")uid=uid_f.
read()uid_f.
close()Notethattheabovelinespecifiesthatthefirstfivecharacters(uid:)shouldbediscarded.
Theremainingcharactersrepresenttheactualattributevalue.
ibm.
com/developerWorks/developerWorksImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerPage7of9uid=uid[5:-1]CreatingnewaccountsFinally,thescriptcreatesthenewaccountsinIBMSecurityAccessManagerusingpdadmin:call("pdadmin-a"+sameb_uid+"-p"+sameb_pwd+"userimport"+uid+""+dn,shell=True);call("pdadmin-a"+sameb_uid+"-p"+sameb_pwd+"usermodify"+uid+"account-validyes",shell=True)Notethatthescriptneedstoissuethesecondcommand(usermodify>uidInconclusionInthisarticle,I'veintroducedyoutoaPythonscriptthatmakesiteasytoimportnewuserstoIBMSecurityAccessManager.
Whilethescriptdoesn'tprovidealltheflexibilityofIBMTivoliDirectoryIntegrator,orthefunctionalityofIBMSecurityIdentityManager(seeRelatedtopics),itdoeshavetheadvantageofbeingfree.
AcknowledgmentsIwouldliketothankWindayaniAchmadZaenullahforidentifyingtheneedforthisarticleandLanceClintonforreviewingit.
Anyremainingmistakesaremyfault.
developerWorksibm.
com/developerWorks/ImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerPage8of9DownloadableresourcesDescriptionNameSizeImportpythonscriptautomatic_import_src.
zip(HTTP|FTP|Downloaddirector—)ibm.
com/developerWorks/developerWorksImportusersfromanLDAPdirectorytoIBMSecurityAccessManagerPage9of9Relatedtopics"IBMSecurityAccessManagerunboxed"(developerWorks,January2013):GetupandrunningwithIBMSecurityAccessManagerforWeb.
Thisseriesoffourvideosdemonstrateshowtoinstallthevirtualmachine,configurethecommand-lineinterface,andcreateareverseproxy.
IBMIdentityManagementandAccessManagementSolutions:GetanoverviewofIBMsecuritysolutionsforidentityandaccessmanagement.
"ApplicationdevelopmentinPythonwithibm_db:"GetstartedwithPythonfunctionsforaccessingandmanipulatingdatainanIBMdataserverdatabaseviatheibm_dbAPI.
"DiscoverPython,Part8:ReadingandwritingdatausingPython'sinputandoutputfunctionality"(developerWorks,January2006):LearnmoreaboutthemanyusesofPython.
IntroductiontoComputerScience:TryafreeonlinecourseteachingnewprogrammershowtowriteawebcrawlerusingPython.
IBMTivoliDirectoryIntegrator:DownloadafreetrialversionofIBMTivoliDirectoryIntegratorv7.
1andfindouthowyouuseittoenableconsistentdataacrossmultipleidentityorgenericdataresources.
IBMSecurityIdentityManager:Automatethecreation,modification,recertification,andterminationofuserprivilegesthroughouttheuserlifecycle.
DownloadPython.
CopyrightIBMCorporation2013(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)

亚洲云-浙江高防BGP,至强铂金8270,提供自助防火墙管理,超大内存满足你各种需求

官方网站:点击访问亚洲云官网618活动方案:618特价活动(6.18-6.30)全站首月活动月底结束!地区:浙江高防BGPCPU:至强铂金8270主频7 默频3.61 睿频4.0核心:8核(最高支持64核)内存:8G(最高支持128G)DDR4 3200硬盘:40G系统盘+80G数据盘带宽:上行:20Mbps/下行:1000Mbps防御:100G(可加至300G)防火墙:提供自助 天机盾+金盾 管...

virmach:3.23美元用6个月,10G硬盘/VirMach1核6个月Virmach

virmach这是第二波出这种一次性周期的VPS了,只需要缴费1一次即可,用完即抛,也不允许你在后面续费。本次促销的是美国西海岸的圣何塞和美国东海岸的水牛城,周期为6个月,过后VPS会被自动且是强制性取消。需要临时玩玩的,又不想多花钱的用户,可以考虑下!官方网站:https://www.virmach.comTemporary Length Service Specials圣何塞VPS-一次性6个...

乐凝网络支持24小时无理由退款,香港HKBN/美国CERA云服务器,低至9.88元/月起

乐凝网络怎么样?乐凝网络是一家新兴的云服务器商家,目前主要提供香港CN2 GIA、美国CUVIP、美国CERA、日本东京CN2等云服务器及云挂机宝等服务。乐凝网络提供比同行更多的售后服务,让您在使用过程中更加省心,使用零云服务器,可免费享受超过50项运维服务,1分钟内极速响应,平均20分钟内解决运维问题,助您无忧上云。目前,香港HKBN/美国cera云服务器,低至9.88元/月起,支持24小时无理...

ldapserver为你推荐
全国企业信息查询全国企业信用信息公示系统查询入口 及操作说明哪里有?美要求解锁iPhone美版解锁的iphone在大陆怎么用360防火墙在哪里怎么查找到360防火墙在自己电脑里的位置?并且关闭掉zhuo爱作文:温暖的( )温州都市报招聘劳务市场找工作可靠吗无忧登陆无忧登陆这个软件有毒吗网上支付功能网银有什么功能?管理员密码请输入管理员密码什么意思邮件管理系统哪个邮件管理软件好?超级用户隐藏超级用户
动态ip的vps 西安电信测速 arvixe bbr 好看的留言 godaddy域名转出 发包服务器 php空间申请 linux空间 web服务器架设 微信收钱 什么是刀片服务器 tna官网 cn3 台湾谷歌 卡巴斯基免费试用版 环聊 沈阳主机托管 电信网络测速器 云服务器比较 更多