intro.sdf

OpenLdap是LDAP的开源项目

# $OpenLDAP: pkg/openldap-guide/admin/intro.sdf,v 1.40.2.4 2007/01/02 21:43:43 kurt Exp $
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Introduction to OpenLDAP Directory Services

This document describes how to build, configure, and operate OpenLDAP
software to provide directory services.  This includes details on
how to configure and run the stand-alone {{TERM:LDAP}} daemon,
{{slapd}}(8) and the stand-alone LDAP update replication daemon,
{{slurpd}}(8). It is intended for newcomers and experienced
administrators alike.  This section provides a basic introduction
to directory services and, in particular, the directory services
provided by {{slapd}}(8).


H2: What is a directory service?

A directory is a specialized database optimized for reading, browsing
and searching.  Directories tend to contain descriptive, attribute-based
information and support sophisticated filtering capabilities.
Directories generally do not support complicated transaction or
roll-back schemes found in database management systems designed
for handling high-volume complex updates.  Directory updates are
typically simple all-or-nothing changes, if they are allowed at
all.  Directories are tuned to give quick response to high-volume
lookup or search operations. They may have the ability to replicate
information widely in order to increase availability and reliability,
while reducing response time.  When directory information is
replicated, temporary inconsistencies between the replicas may be
okay, as long as they get in sync eventually.

There are many different ways to provide a directory service.
Different methods allow different kinds of information to be stored
in the directory, place different requirements on how that information
can be referenced, queried and updated, how it is protected from
unauthorized access, etc.  Some directory services are {{local}},
providing service to a restricted context (e.g., the finger service
on a single machine). Other services are global, providing service
to a much broader context (e.g., the entire Internet).  Global
services are usually {{distributed}}, meaning that the data they
contain is spread across many machines, all of which cooperate to
provide the directory service. Typically a global service defines
a uniform {{namespace}} which gives the same view of the data no
matter where you are in relation to the data itself.  The Internet
{{TERM[expand]DNS}} (DNS) is an example of a globally distributed
directory service.


H2: What is LDAP?

{{TERM:LDAP}} stands for {{TERM[expand]LDAP}}.  As the name suggests,
it is a lightweight protocol for accessing directory services,
specifically {{TERM:X.500}}-based directory services.  LDAP runs
over {{TERM:TCP}}/{{TERM:IP}} or other connection oriented transfer
services.  The nitty-gritty details of LDAP are defined in
{{REF:RFC2251}} "The Lightweight Directory Access Protocol (v3)"
and other documents comprising the technical specification
{{REF:RFC3377}}.  This section gives an overview of LDAP from a
user's perspective.

{{What kind of information can be stored in the directory?}} The
LDAP information model is based on {{entries}}. An entry is a
collection of attributes that has a globally-unique {{TERM[expand]DN}}
(DN).  The DN is used to refer to the entry unambiguously. Each of
the entry's attributes has a {{type}} and one or more {{values}}.
The types are typically mnemonic strings, like "{{EX:cn}}" for
common name, or "{{EX:mail}}" for email address. The syntax of
values depend on the attribute type.  For example, a {{EX:cn}}
attribute might contain the value {{EX:Babs Jensen}}.  A {{EX:mail}}
attribute might contain the value "{{EX:babs@example.com}}". A
{{EX:jpegPhoto}} attribute would contain a photograph in the JPEG
(binary) format.

{{How is the information arranged?}} In LDAP, directory entries
are arranged in a hierarchical tree-like structure.  Traditionally,
this structure reflected the geographic and/or organizational
boundaries.  Entries representing countries appear at the top of
the tree. Below them are entries representing states and national
organizations. Below them might be entries representing organizational
units, people, printers, documents, or just about anything else
you can think of.  Figure 1.1 shows an example LDAP directory tree
using traditional naming.

!import "intro_tree.gif"; align="center"; \
	title="LDAP directory tree (traditional naming)"
FT[align="Center"] Figure 1.1: LDAP directory tree (traditional naming)

The tree may also be arranged based upon Internet domain names.
This naming approach is becoming increasing popular as it allows
for directory services to be located using the {{DNS}}.
Figure 1.2 shows an example LDAP directory tree using domain-based
naming.

!import "intro_dctree.gif"; align="center"; \
	title="LDAP directory tree (Internet naming)"
FT[align="Center"] Figure 1.2: LDAP directory tree (Internet naming)

In addition, LDAP allows you to control which attributes are required
and allowed in an entry through the use of a special attribute
called {{EX:objectClass}}.  The values of the {{EX:objectClass}}
attribute determine the {{schema}} rules the entry must obey.

{{How is the information referenced?}} An entry is referenced by
its distinguished name, which is constructed by taking the name of
the entry itself (called the {{TERM[expand]RDN}} or RDN) and
concatenating the names of its ancestor entries. For example, the
entry for Barbara Jensen in the Internet naming example above has
an RDN of {{EX:uid=babs}} and a DN of
{{EX:uid=babs,ou=People,dc=example,dc=com}}. The full DN format
is described in {{REF:RFC2253}}, "Lightweight Directory Access
Protocol (v3):  UTF-8 String Representation of Distinguished Names."

{{How is the information accessed?}} LDAP defines operations for
interrogating and updating the directory.  Operations are provided
for adding and deleting an entry from the directory, changing an
existing entry, and changing the name of an entry. Most of the
time, though, LDAP is used to search for information in the directory.
The LDAP search operation allows some portion of the directory to
be searched for entries that match some criteria specified by a
search filter. Information can be requested from each entry that
matches the criteria.

For example, you might want to search the entire directory subtree
at and below {{EX:dc=example,dc=com}} for people with the name
{{EX:Barbara Jensen}}, retrieving the email address of each entry
found. LDAP lets you do this easily.  Or you might want to search
the entries directly below the {{EX:st=California,c=US}} entry for
organizations with the string {{EX:Acme}} in their name, and that
have a fax number. LDAP lets you do this too. The next section
describes in more detail what you can do with LDAP and how it might
be useful to you.

{{How is the information protected from unauthorized access?}} Some
directory services provide no protection, allowing anyone to see
the information. LDAP provides a mechanism for a client to authenticate,
or prove its identity to a directory server, paving the way for
rich access control to protect the information the server contains.
LDAP also supports data security (integrity and confidentiality)
services.


H2: How does LDAP work?

LDAP directory service is based on a {{client-server}} model. One
or more LDAP servers contain the data making up the directory
information tree (DIT).  The client connects to servers and
asks it a question.  The server responds with an answer and/or 
with a pointer to where the client can get additional information
(typically, another LDAP server).  No matter which LDAP server a
client connects to, it sees the same view of the directory; a name
presented to one LDAP server references the same entry it would at
another LDAP server. This is an important feature of a global
directory service, like LDAP.


H2: What about X.500?

Technically, {{TERM:LDAP}} is a directory access protocol to an
{{TERM:X.500}} directory service, the {{TERM:OSI}} directory service.