What is the LDAP standard?
What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is based on the X.500 standard, but is much simpler and can be customized as needed. Unlike X.500, LDAP supports TCP/IP, which is necessary for access over the Internet.

The core LDAP specification is defined in RFCs; all LDAP-related RFCs can be found on the LDAPman RFC page. LDAP technology is not only developing rapidly, it is also exciting. Deploying LDAP within an enterprise lets applications running on almost any computer platform get information from the LDAP directory programmatically. An LDAP directory can store many kinds of data: e-mail addresses, mail routing information, human resources data, public keys, contact lists, and so on. By making the LDAP directory an important part of system integration, the steps employees take to look up information inside the enterprise can be simplified, and even the main data source can be located anywhere.

Advantages of LDAP directories

If you need to build a system that provides public information lookup, the usual design is a Web-based database: the front end is a browser, and the back end is a Web server plus a relational database. On Windows a typical back end is Windows NT + IIS + an Access database or SQL Server, with IIS connected to the database through ODBC using ASP to implement form filling and data queries; on Linux a typical back end is Linux + Apache + PostgreSQL, with PHP3 providing the connection between Apache and the database. The disadvantage of this approach is that introducing a back-end relational database lowers the overall performance of the system and complicates its management, because the database must constantly verify data types and confirm the integrity of transactions. Moreover, control over the data by front-end users is not flexible enough: user permissions, for one, can generally be set only at the table level, not at the record level.

Directory services were introduced mainly to solve these database problems. A directory, like a relational database, is a set of records described by attributes, but its data types are mainly character types. For retrieval it adds syntaxes such as BIN (binary data), CIS (case-insensitive string), CES (case-sensitive string) and TEL (telephone number) instead of the integer, floating-point, date, currency and other types provided by relational databases. Likewise it does not provide many of the functions usually included in relational databases; it mainly provides data-oriented query services (the ratio of query to modification operations is generally greater than 10:1), does not provide a rollback mechanism for transactions, and its data modifications use a simple locking mechanism to achieve all-or-nothing semantics. Its strengths are quick response and large-capacity queries, and it provides replication of information among multiple directory servers.

Now to the advantages of the LDAP directory. The current popularity of LDAP is the result of many factors. Perhaps the biggest advantage of LDAP is that you can access an LDAP directory from any computer platform, using any of the growing number of easy-to-use LDAP client programs. It is also very simple to customize an application and add LDAP support to it.

The LDAP protocol is a cross-platform standard protocol, so applications do not have to worry about which server the LDAP directory is hosted on. In fact, because LDAP is an Internet standard, it has been widely accepted by the industry. Vendors are willing to add LDAP support to their products because they do not need to consider at all what the other end (client or server) looks like. The LDAP server can be any open-source or commercial LDAP directory server (or even a relational database with an LDAP interface), because you can use the same protocol, client connection package and query commands to interact with any LDAP server. By contrast, if software vendors want to integrate DBMS support into their products, they usually have to customize it separately for every database server. Unlike many commercial relational databases, most LDAP servers do not charge you for every client connection or license agreement, and LDAP servers are easy to install, maintain and optimize.

An LDAP server can replicate part or all of its data by pushing or pulling. For example, it can push data to a remote office to increase the number of users served and the security of the data. Replication is built into LDAP servers and is easy to configure. If you want the same replication function in a DBMS, the database vendor will ask you to pay extra, and it is also difficult to manage.

LDAP lets you control access to data as needed using ACIs (usually called ACLs or access control lists). For example, an equipment manager can have the right to change an employee's work location and office number but cannot change other fields in the record. ACIs can control access to data by user, by content, by the location where the data resides, and by other criteria. Because all of this is done by the LDAP directory server, there is no need to worry about whether the client application performs its own security checks.

LDAP (Lightweight Directory Access Protocol) is the implementation of directory services over TCP/IP (RFC 1777 for version 2 and RFC 2251 for version 3). It is a port of the X.500 directory protocol that simplifies the implementation, hence the name "lightweight" directory service. In LDAP, the directory is organized as a tree. The directory consists of entries, which are equivalent to the records of a table in a relational database; an entry is identified by its distinguished name (DN), which is equivalent to the primary key of a relational database table. An attribute consists of a type and one or more values, which is equivalent to a field in a relational database consisting of a field name and a data type. For convenience of retrieval, a type in LDAP can have multiple values, unlike a relational database, where, to reduce data redundancy, all fields must be independent of one another. Entries in LDAP are generally organized by geographical location and organizational relationship, which is very intuitive. To improve efficiency, LDAP stores data in an index-based file database rather than a relational database. The LDAP protocol suite also specifies the DN naming method, storage and access control, search format, replication, URL format, development interface (API), and so on.

LDAP is best suited for storing information that needs to be read from many different places but does not need to be updated frequently. For example, it is very effective to store the following information in an LDAP directory:

- the telephone directory and organization chart of company employees
- customers' contact information
- information needed for computer management, including NIS maps, e-mail aliases and so on
- configuration information for software packages
- public certificates and security keys

When should I use LDAP to store data?

Most LDAP servers are optimized for read-intensive operations. Therefore, reading data from an LDAP server is about an order of magnitude faster than reading data from an OLTP-optimized relational database. Also because they are optimized for read performance, most LDAP directory servers are not suitable for storing data that changes frequently. For example, using an LDAP server to store phone numbers is a good choice, but it cannot be used as the database server of an e-commerce website.

If the answer to each of the following questions is "yes", it is a good idea to store the data in LDAP:

- Do I need to be able to read the data on any platform?
- Does each individual record change only a little each day?
- Can the data be stored in a flat database instead of a relational database? In other words, regardless of normal form, record everything (it is almost enough to satisfy first normal form).

The last question may fool some people. In fact, it is very common to use a flat database to store some relational data. For example, a company employee's record can contain the manager's login name. It is convenient to use LDAP to store this kind of information. A simple test: if you can write the data on an index card, it can easily be stored in an LDAP directory.

Security and access control

LDAP provides complex access control, or ACIs, at different levels. Because access is controlled on the server side, data is much safer than when client software is relied on to protect it.

With LDAP ACIs you can:

- Give users the right to change their own phone number and home address, but restrict them to read-only access to other data (such as job title, manager's login name, and so on).
- Grant everyone in the HR-admins group the right to change the following user information: manager, job title, employee number, department name and department number, but no write permission to other fields.
- Allow no one to query user passwords on the LDAP server, but allow users to change their own passwords.
- Give managers read-only access to their superiors' home phone numbers, but forbid others from accessing them.
- Authorize anyone in the "host-admins" group to create, delete and edit all information about computer hosts stored in the LDAP server.
- Over the Internet, selectively allow or deny members of the "foobar-sales" group read access to some customer contact data. This lets them download customer contact information to a local laptop or personal digital assistant (PDA). (This is very useful if the salesperson's software supports LDAP.)
- Over the network, allow group owners to delete or add members of the groups they own. For example, the sales manager can allow or prohibit salespeople from changing permissions on Web pages. You can also allow the owner of a mail alias to delete or add users directly in the mail alias without going through an IT technician. Public mailing lists should allow users to add or delete their own e-mail aliases (but only their own).

You can also add restrictions by IP address or host name. For example, in some domains, only users whose IP address starts with 192.168.200.* or whose host name obtained through reverse DNS lookup matches *.foobar.com may access the data.
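The server-side rules above, as an added example of how such a policy can be evaluated (illustrative Python, not code from the article or from any LDAP server's ACI implementation). The attribute and group names, the CIDR form of the 192.168.200.* restriction, and the "an explicit deny wins, otherwise deny by default" ordering are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
import fnmatch
import ipaddress


@dataclass(frozen=True)
class Rule:
    effect: str                       # "allow" or "deny"
    subject: str                      # "anyone", "self" or "group:<name>"
    rights: frozenset                 # subset of {"read", "write"}
    attrs: frozenset | None = None    # None means any attribute
    client_net: str | None = None     # CIDR the client address must fall in
    client_host: str | None = None    # glob the client's reverse-DNS name must match


@dataclass(frozen=True)
class Request:
    bind_dn: str                      # "" for an anonymous bind
    target_dn: str                    # entry being read or modified
    attr: str
    right: str                        # "read" or "write"
    groups: frozenset = frozenset()   # groups the bound user belongs to
    ip: str = "0.0.0.0"
    host: str = ""


# Policy encoding several of the article's examples (attribute and group names assumed).
POLICY = [
    Rule("deny", "anyone", frozenset({"read"}), frozenset({"userpassword"})),
    Rule("allow", "self", frozenset({"read"})),
    Rule("allow", "self", frozenset({"write"}),
         frozenset({"userpassword", "telephonenumber", "homepostaladdress"})),
    Rule("allow", "group:hr-admins", frozenset({"write"}),
         frozenset({"manager", "title", "employeenumber", "departmentnumber", "ou"})),
    Rule("allow", "anyone", frozenset({"read"}), client_net="192.168.200.0/24"),
    Rule("allow", "anyone", frozenset({"read"}), client_host="*.foobar.com"),
]


def _subject_matches(rule: Rule, req: Request) -> bool:
    if rule.subject == "anyone":
        return True
    if rule.subject == "self":   # the bound identity is the entry being accessed
        return bool(req.bind_dn) and req.bind_dn.lower() == req.target_dn.lower()
    if rule.subject.startswith("group:"):
        return rule.subject[len("group:"):] in req.groups
    return False


def _client_matches(rule: Rule, req: Request) -> bool:
    if rule.client_net and ipaddress.ip_address(req.ip) not in ipaddress.ip_network(rule.client_net):
        return False
    if rule.client_host and not fnmatch.fnmatch(req.host.lower(), rule.client_host):
        return False
    return True


def _applies(rule: Rule, req: Request) -> bool:
    return (req.right in rule.rights
            and (rule.attrs is None or req.attr.lower() in rule.attrs)
            and _subject_matches(rule, req)
            and _client_matches(rule, req))


def is_allowed(policy: list[Rule], req: Request) -> bool:
    """Evaluate the policy: any applicable deny wins; otherwise an allow is needed."""
    applicable = [r for r in policy if _applies(r, req)]
    if any(r.effect == "deny" for r in applicable):
        return False
    return any(r.effect == "allow" for r in applicable)
```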

Structure of the LDAP directory tree

The LDAP directory stores data in a tree hierarchy. If you are familiar with the top-down DNS tree or the UNIX file system directory tree, the concept of the LDAP directory tree is easy to grasp. Just like a DNS host name, the distinguished name (DN) of an LDAP directory record is read from the individual record back up to the top of the tree. This is described in detail later.

Why organize data in a hierarchy? There are many reasons. Here are some possible scenarios:

- You want to "push" all the contact information of American customers to the LDAP server in the Seattle office (responsible for marketing), but you don't want to push the company's asset management information there.
- You may want to grant different permissions to different employee groups according to the structure of the directory tree. In the example below, the asset management team has full access to the "asset management" section but no access anywhere else.
- Combined with LDAP's storage and replication functions, the directory tree structure can be customized to reduce the demand for WAN bandwidth. The marketing office in Seattle needs the US sales information updated every minute, while the European sales information only needs to be updated every hour.

Getting to the root: the base DN

At the top of the LDAP directory tree is the root, the so-called "base DN". A base DN usually takes one of the three formats listed below. Suppose I work at an e-commerce company called FooBar whose name on the Internet is foobar.com.

o="FooBar, Inc.",c=US
(base DN in X.500 format)

In this example, o=FooBar, Inc. stands for the organization name, which here is synonymous with the company name, and c=US means that the company is headquartered in the United States. In the past the base DN was generally expressed this way. But things are always changing, and now all companies are online (or plan to be). With the globalization of the Internet, the use of country codes in the base DN easily becomes confusing, so the X.500 format has evolved into the two formats listed below.

o=foobar.com
(base DN based on the company's Internet address)

This format is intuitive: the company's domain name is used as the base DN. It is also the most commonly used format now.

dc=foobar,dc=com
(base DN made up of the components of the DNS domain name)

Like the format above, this format is also based on the DNS domain name, but whereas the format above keeps the domain name unchanged (more readable), this format splits the domain name foobar.com into two parts, dc=foobar and dc=com. In theory this format may be more flexible, but it is a little harder for end users to remember. Take foobar.com as an example: when foobar.com and gizmo.com merge, we can simply use "dc=com" as the base DN and put the new records in the existing dc=gizmo,dc=com directory, which simplifies a lot of work (of course, if foobar.com merged with wocket.edu this method would not work). If the LDAP server is newly installed, I suggest you use this format. Note again that if you plan to use Active Directory, Microsoft restricts you to this format.

Going up a level: how is data organized in the directory tree?

In a UNIX file system the top level is the root directory, and under the root there are many files and directories. As mentioned above, an LDAP directory is organized the same way.

Under the root, data should be logically separated. For historical reasons (X.500), most LDAP directories use OUs to separate data logically. OU means "organizational unit". In the X.500 protocol it was used to represent the internal organization of the company: sales department, finance department and so on. LDAP still retains the ou= naming convention but broadens the scope of classification, so data can be classified as ou=people, ou=groups, ou=devices and so on. Sometimes lower-level OUs are used for finer classification. For example, an LDAP directory tree (excluding individual records) might look like this:

dc=foobar,dc=com
    ou=customers
        ou=asia
        ou=europe
        ou=us
    ou=employees
    ou=rooms
    ou=groups
    ou=assets-mgmt
    ou=nisgroups
    ou=recipes

Individual LDAP records

The DN is the name of an LDAP record entry.

Every record in an LDAP directory has a unique "distinguished name", or DN. The DN of each LDAP entry consists of two parts: the relative DN (RDN) and the location of the record in the LDAP directory.

The RDN is the part of the DN that has nothing to do with the directory tree structure. Each record item stored in the LDAP directory should have a name, which usually lives in the cn (common name) attribute. Because almost everything has a name, objects stored in LDAP use their cn value as the basis of the RDN. If I keep my favorite oatmeal recipe as a record, I will use cn=Oatmeal Deluxe as the RDN of the record item.

- The base DN of my LDAP directory is dc=foobar,dc=com.
- I save my recipes as LDAP records under ou=recipes.
- The RDN of my LDAP entry is set to cn=Oatmeal Deluxe.

Together these make up the complete DN of the oatmeal recipe LDAP record. Remember, a DN reads like a DNS host name. The complete DN is:

cn=Oatmeal Deluxe,ou=recipes,dc=foobar,dc=com

A practical example of a DN

Now let's set up DNs for the employees of the company. A typical user account can be based on cn or on uid (user id). For example, the DN of Fran Smith, a FooBar employee (login name fsmith), can take either of the following two formats:

uid=fsmith,ou=employees,dc=foobar,dc=com
(based on login name)

LDAP (and X.500) uses uid to mean "user id", so do not confuse it with the UNIX uid number. Most companies give each employee a unique login name, so employee information is well preserved this way. You don't have to worry about another Fran Smith joining the company in the future, and if Fran changes her name (marriage? divorce? religious reasons?), there is no need to change the DN of the LDAP entry.

cn=Fran Smith,ou=employees,dc=foobar,dc=com
(based on name)

As you can see, this format uses the common name (cn). You can think of the common name as a person's full name. This format has an obvious disadvantage: if the name changes, the LDAP record has to be moved from one DN to another. We should try our best to avoid changing the DN of a record item.
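The DN rules from the base-DN section and this one (a dc= base DN built from a domain name, a DN composed from the RDN and its parent, and a DN read from the entry up to the root) as an added Python example. This is not code from the article; the escaping it applies is that of RFC 4514, plus the double-quoted value form used in the X.500-style base DN above.

```python
from __future__ import annotations

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;')


def domain_to_base_dn(domain: str) -> str:
    """Turn a DNS domain name into the dc= base DN form: foobar.com -> dc=foobar,dc=com."""
    labels = [lbl for lbl in domain.strip().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={lbl}" for lbl in labels)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDN pairs, most specific RDN first.

    Handles backslash escapes (cn=Smith\\, Fran) and the legacy quoted form
    (o="FooBar, Inc."); '+' multi-valued RDNs are kept as a single value.
    """
    if not dn.strip():
        return []  # the empty DN names the directory root
    rdns: list[tuple[str, str]] = []
    buf: list[str] = []
    attr_type: str | None = None  # set once the '=' of the current RDN is seen
    in_quotes = escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"' and attr_type is not None:
            in_quotes = not in_quotes
        elif ch == "=" and attr_type is None:
            attr_type = "".join(buf).strip()
            buf = []
        elif ch == "," and not in_quotes:
            if attr_type is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((attr_type, "".join(buf).strip()))
            buf, attr_type = [], None
        else:
            buf.append(ch)
    if escaped or in_quotes or attr_type is None:
        raise ValueError(f"malformed DN {dn!r}")
    rdns.append((attr_type, "".join(buf).strip()))
    return rdns


def escape_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN string."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def format_dn(rdns: list[tuple[str, str]]) -> str:
    return ",".join(f"{t}={escape_value(v)}" for t, v in rdns)


def build_dn(rdn_type: str, rdn_value: str, parent: str) -> str:
    """Compose an entry's DN from its own RDN and the DN of its parent."""
    return format_dn([(rdn_type, rdn_value)] + parse_dn(parent))


def parent_dn(dn: str) -> str:
    """Drop the leading RDN: the DN one level up the tree."""
    return format_dn(parse_dn(dn)[1:])


def _norm(rdns: list[tuple[str, str]]) -> list[tuple[str, str]]:
    # dc, ou, cn and uid values use case-insensitive matching, so fold both sides.
    return [(t.lower(), v.lower()) for t, v in rdns]


def is_under(dn: str, base: str) -> bool:
    """True if `dn` is `base` itself or lies anywhere beneath it in the tree."""
    d, b = _norm(parse_dn(dn)), _norm(parse_dn(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```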

Customizing the directory's object types

You can use LDAP to store all kinds of data objects, as long as they can be represented by attributes. Here is some information that can be stored in LDAP:

- Employee information: name, login name, password, employee number, manager's login name, mail server, etc.
- Asset tracking information: computer name, IP address, asset tag, model, location, etc.
- Customer contact lists: customer company name, telephone number, fax number and e-mail address of the main contacts, etc.
- Conference room information: name, location, seating capacity, telephone number and whether there is a projector.
- Recipe information: the name of the dish, ingredients, cooking method and preparation steps.

Because the LDAP directory can be customized to store any text or binary data, it is up to you to decide what to store. The LDAP directory uses the concept of object classes to define which attributes are used for which types of objects. In almost all LDAP servers you must extend the basic LDAP directory schema to your own needs by creating new object classes or extending existing ones.

The LDAP directory stores records as a series of "attribute pairs", each consisting of an attribute type and an attribute value (this is a fundamental difference from a relational database, which accesses data by rows and columns). Here is a recipe record I have stored in the LDAP directory:

dn: cn=Oatmeal Deluxe,ou=recipes,dc=foobar,dc=com
cn: Oatmeal Deluxe
recipeCuisine: breakfast
recipeIngredient: 1 package instant oatmeal
recipeIngredient: 1 glass water
recipeIngredient: 1 salt
recipeIngredient: 1 teaspoon brown sugar
recipeIngredient: 1/4 apple, any type

Note that each ingredient above is stored as a separate value of the recipeIngredient attribute. As mentioned above, LDAP directories are designed to store multiple values for an attribute, rather than a comma-separated series of values after each attribute.

Because data is stored this way, the database is very flexible, and there is no need to re-create tables and indexes to add new data. More importantly, LDAP directories do not spend memory or disk space on "empty" fields; using optional fields actually costs you no resources at all.

An example of a single data item

Let's look at the following example: the LDAP record of Fran Smith, an employee of Foobar, Inc. The record is shown in LDIF format, which is used to import and export LDAP directory records.

dn: uid=fsmith,ou=employees,dc=foobar,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: foobarPerson
uid: fsmith
givenname: Fran
sn: Smith
cn: Fran Smith
cn: Francis Smith
telephonenumber: 510-555-1234
roomnumber: 122G
o: Foobar, Inc.
mail: fsmith@foobar.com
mailhost: mail.foobar.com
userpassword: 3x1231v76T89N
uidnumber: 1234
gidnumber: 1200
homedirectory: /home/fsmith
loginshell: /usr/local/bin/bash

Attribute values are stored case-sensitively but, by default, searched case-insensitively. Some special attributes (for example, passwords) require case-sensitive searching.

Let's analyze the above entry piece by piece.

dn: uid=fsmith,ou=employees,dc=foobar,dc=com

This is the full DN of Fran's LDAP entry, including the full path in the directory tree. LDAP (and X.500) uses uid to mean "user id"; do not confuse it with the UNIX uid number.

objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: foobarPerson

You can assign as many object classes to an object as needed. The person object class requires cn (common name) and sn (surname); these two fields cannot be empty. The person object class also allows other optional fields, including givenname, telephonenumber and so on. organizationalPerson adds more optional fields to person, and inetOrgPerson adds still more (including e-mail information). Finally, foobarPerson is a custom object class for Foobar that adds many custom attributes.

uid: fsmith
givenname: Fran
sn: Smith
cn: Fran Smith
cn: Francis Smith
telephonenumber: 510-555-1234
roomnumber: 122G
o: Foobar, Inc.

As I said before, uid stands for user id. When you see uid, just think "login". Note that cn has multiple values. As mentioned above, LDAP allows some attributes to have multiple values. Why? Suppose you are using the company's LDAP server to look up Fran's phone number. You may only know her as Fran, but to the human resources department her official name is Francis. Because both names are saved, you can find Fran's phone number, e-mail address, office room number and so on by searching with either name.

mail: fsmith@foobar.com
mailhost: mail.foobar.com

Like most companies that are online today, Foobar uses Sendmail to send mail and handle external mail routing. Foobar stores all users' e-mail information in LDAP; the latest version of Sendmail supports this.

userpassword: 3x1231v76T89N
uidnumber: 1234
gidnumber: 1200
homedirectory: /home/fsmith
loginshell: /usr/local/bin/bash

Note that Foobar's system administrators also store the password map information of all users in LDAP; objects of the foobarPerson class have this ability. Note again that the user password is stored in UNIX password encryption format. The UNIX uid is uidnumber here. Mind you, there is a complete RFC on how to store NIS information in LDAP. I will talk about NIS integration in a future article.
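An added example (not the article's own code) that parses the LDIF record above and applies the rules just described: attribute names and most values compare case-insensitively, userpassword compares exactly, multi-valued attributes such as cn keep every value, and the person class requires cn and sn. The two records from the article are embedded, abridged, as sample input; treating userpassword as the only case-exact attribute is an assumption.

```python
import base64

# Sample input: the article's two LDIF records, abridged, so the example runs offline.
SAMPLE_LDIF = """\
dn: uid=fsmith,ou=employees,dc=foobar,dc=com
objectclass: person
objectclass: inetOrgPerson
uid: fsmith
givenname: Fran
sn: Smith
cn: Fran Smith
cn: Francis Smith
telephonenumber: 510-555-1234
mail: fsmith@foobar.com
userpassword: 3x1231v76T89N

dn: cn=Oatmeal Deluxe,ou=recipes,dc=foobar,dc=com
cn: Oatmeal Deluxe
recipeCuisine: breakfast
recipeIngredient: 1 package instant oatmeal
recipeIngredient: 1 glass water
"""

CASE_EXACT_ATTRS = {"userpassword"}     # assumption: the only case-exact attribute here
MUST_ATTRS = {"person": {"cn", "sn"}}   # required attributes of person, as the article states


def parse_ldif(text):
    """Parse LDIF text into entries: dicts mapping lowercase attribute names to value lists."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                    # a blank line ends the entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def value_matches(attr, stored, wanted):
    """Equality rule: case-insensitive by default, exact for case-exact attributes."""
    if attr in CASE_EXACT_ATTRS:
        return stored == wanted
    return stored.casefold() == wanted.casefold()


def search(entries, attr, wanted):
    """DNs of entries having a value of `attr` equal to `wanted` under that attribute's rule."""
    attr = attr.lower()
    return [e["dn"][0] for e in entries
            if any(value_matches(attr, v, wanted) for v in e.get(attr, []))]


def missing_required(entry):
    """MUST attributes absent for each object class of the entry (classes in MUST_ATTRS only)."""
    missing = set()
    for oc in entry.get("objectclass", []):
        missing |= MUST_ATTRS.get(oc.lower(), set()) - set(entry)
    return sorted(missing)
```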

LDAP replication

LDAP servers can replicate part or all of their data using push or pull techniques, with either simple authentication or secure authentication based on security certificates.

For example, Foobar has a "public" LDAP server at ldap.foobar.com on port 389. The Netscape Communicator mail lookup function and the UNIX "ph" command use this server, and users anywhere can query employee and customer contact information on it. The company's main LDAP server runs on the same computer but on port 1389.

You may not want employees to look up asset management information or recipes, nor do you want IT staff to see the LDAP directory of the whole company. To solve this problem, Foobar selectively replicates subtrees from the main LDAP server to the "public" LDAP server, without replicating the information that needs to be hidden. To keep the data up to date, the main directory server is set to "push" synchronization immediately. These methods are mainly for convenience, not for security, because an authorized user who wants to query all the data can use the other LDAP port.

Suppose Foobar has a low-bandwidth data connection to Europe through Auckland and uses LDAP to manage customer contact information. You can replicate data from ldap.foobar.com:1389 to munich-ldap.foobar.com:389 as follows:

periodic pull: ou=asia,ou=customers,o=sendmail.com
periodic pull: ou=us,ou=customers,o=sendmail.com
immediate push: ou=europe,ou=customers,o=sendmail.com

The "pull" connections synchronize once every 15 minutes, which is sufficient under the above assumptions. The "push" connection ensures that any change to contact information in Europe is immediately "pushed" to Munich.

Under the above replication scheme, which server do users need to connect to in order to access data? Users in Munich only need to connect to the local server. If they change data, the local LDAP server passes the changes to the main LDAP server, which then pushes them back to the local "public" LDAP server to keep the data synchronized. This is of great benefit to local users, because all queries (mostly reads) are performed on the local server, which is very fast. When information needs to be changed, end users do not need to reconfigure their client software, because the LDAP directory server has done all the data exchange work for them.
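The replication scheme above, as an added example (not the article's code) that models the three agreements, lists which entries the public replica never receives, and computes when a change becomes visible under immediate push versus periodic pull. The sample master entries are constructed, and the assumption that pull syncs run at fixed 15-minute boundaries is the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Agreement:
    mode: str            # "push" (changes forwarded immediately) or "pull" (periodic)
    subtree: str         # only entries in this subtree are replicated
    interval_s: int = 0  # pull period in seconds; unused for push


# The three agreements the article lists for munich-ldap.foobar.com:389.
AGREEMENTS = [
    Agreement("pull", "ou=asia,ou=customers,o=sendmail.com", 15 * 60),
    Agreement("pull", "ou=us,ou=customers,o=sendmail.com", 15 * 60),
    Agreement("push", "ou=europe,ou=customers,o=sendmail.com"),
]

# Constructed sample of the main server's contents (the port 1389 server).
MASTER = {
    "cn=Acme Trading,ou=asia,ou=customers,o=sendmail.com": {"telephonenumber": ["+65 5550 0100"]},
    "cn=Gizmo GmbH,ou=europe,ou=customers,o=sendmail.com": {"telephonenumber": ["+49 89 555 0100"]},
    "cn=laptop-0017,ou=assets-mgmt,o=sendmail.com": {"serialnumber": ["SN-CONSTRUCTED-1"]},
    "cn=Oatmeal Deluxe,ou=recipes,o=sendmail.com": {"recipecuisine": ["breakfast"]},
}


def _under(dn, base):
    """Suffix test on normalised DNs (assumes these DNs contain no escaped commas)."""
    d = ",".join(p.strip().lower() for p in dn.split(","))
    b = ",".join(p.strip().lower() for p in base.split(","))
    return d == b or d.endswith("," + b)


def agreement_for(dn, agreements=AGREEMENTS):
    """The agreement that carries `dn` to the replica, or None if it is never replicated."""
    for agr in agreements:
        if _under(dn, agr.subtree):
            return agr
    return None


def initial_replica(master, agreements=AGREEMENTS):
    """Contents of a freshly initialised replica: only the agreed subtrees."""
    return {dn: attrs for dn, attrs in master.items() if agreement_for(dn, agreements)}


def not_replicated(master, agreements=AGREEMENTS):
    """DNs held back from the replica (hidden by omission, which is not access control)."""
    return sorted(dn for dn in master if agreement_for(dn, agreements) is None)


def visible_at(dn, changed_at, agreements=AGREEMENTS):
    """Time (seconds) at which a change made at `changed_at` reaches the replica, or None.

    Push agreements forward the change immediately; pull agreements are assumed to
    sync at every multiple of their interval, so the change waits for the next sync.
    """
    agr = agreement_for(dn, agreements)
    if agr is None:
        return None
    if agr.mode == "push":
        return changed_at
    return (changed_at // agr.interval_s + 1) * agr.interval_s
```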