LDAP (Pete's notes)

LDAP and Thunderbird
ldapsearch

LDAP and Thunderbird

To configure Thunderbird to use the NCAR LDAP server,

start Thunderbird
select Tools->Account Settings
select Composition and Addresses
under Addressing, check Use a different LDAP server
click Edit Directories...
click Add
under the General tab...
- Set the Name to "ncar"
- Set the Hostname to "ldap.ucar.edu"
- Set the Base DN to "ou=people,dc=ucar,dc=edu"
- leave the Port number at "389"
- click Ok
click the Advanced tab
- Set the Search filter to "(objectclass=*)"
click three "Ok" to get back to the Account Settings window.
Select ncar from the list under "Use a different LDAP server"
click OK and you're back in the main Thunderbird window.

To test it, click Write to compose a new email message. In the To field type the first few characters of a person's name. Thunderbird should complete the name for you.

ldapsearch

Subject: command line directory lookups
From: Greg Woods
To: nsag@ucar.edu
Date: 31 Dec 2002 08:13:09 -0700

It is now possible to do directory lookups from a command line, without having to log in to directory.ucar.edu or using a web browser. It is also possible to look up alias memberships this way. This is accomplished by using the LDAP server at ldap.ucar.edu.

To query, you of course need an LDAP client. I will let someone who knows about such things comment on available Windoze LDAP clients, but on the Unix side, GUI mail readers such as Netscape, Mozilla and Evolution can be set to do LDAP queries. The search base is "dc=ucar, dc=edu". This much is nothing new really, as F&A has had an LDAP server for quite some time. But this one directly uses the same database as the mail system uses (unlike F&A's LDAP server or the "call" command). This also paves the way for development of a web interface that will eventually replace the EQC completely. The final plan calls for merging in data from F&A (they have more reliable phone and location information for UCAR staff than does SCD, for instance).

For command line queries, the "ldapsearch" command is available as part of the Linux "openldap" package, and is also available for Solaris. A command to look up a user's directory information by username would look like this:

ldapsearch -x -b dc=ucar,dc=edu -h ldap.ucar.edu '(mail=USERNAME@ucar.edu)'

The syntax is ugly and so is the output format, so I expect to see some scripts to make things easier. I use a (csh) alias like this:

alias lds "ldapsearch -x -b dc=ucar,dc=edu -h ldap.ucar.edu '(mail=\!:1@ucar.edu)'"

so that I can look up my own information with "lds woods".

For aliases, it turns out that the Postfix system we are using on the central mail server can easily be configured to look up alias expansions via an LDAP server rather than from a local database, so this allows for this function to be centralized rather than having to use a rather kludgy system for distributing alias updates to all of the mail system cluster nodes. While this change won't actually be implemented until after my January vacation, the LDAP aliases database is in place now, and can be queried remotely. The search base for that is "ou=aliases, dc=ucar, dc=edu" and the filter key is "sn". So an alias like this works:

alias ldsa "ldapsearch -x -b ou=aliases,dc=ucar,dc=edu -h ldap.ucar.edu '(sn=\!:1)'"

and "ldsa nsag" shows the NSAG membership. This also paves the way for the possibility of allowing direct modification of the aliases database in the future.

Once again, the output format is quite ugly with line breaks being placed in the middle of words, so I expect to see some clever perl or sed scripts that will pretty this up :-)

Please note that the Mailman system is managed independently of this. If you look up a Mailman alias this way, the expansion will simply show "aliasname@mailman". The Mailman system has its own method of displaying memberships that is web based and accessed via http://mailman.ucar.edu.

--Greg

Pete Siemsen

Last modified: Thu Oct 13 14:21:04 MDT 2005