Using OpenLDAP Software to provide directory services

What is a directory service?

A directory is a specialized database specifically designed for searching and browsing, in addition to supporting basic lookup and update functions. Directories tend to contain descriptive, attribute-based information and support sophisticated filtering capabilities. Directories are generally tuned to give quick response to high-volume lookup or search operations.

Directories hold descriptive, attribute-based information and support sophisticated filtering; in other words, a directory is a special-purpose database optimized for searching and browsing.
There are many different ways to provide a directory service. Different methods allow different kinds of information to be stored in the directory, place different requirements on how that information can be referenced, queried and updated, how it is protected from unauthorized access, etc.

Some directory services are local, providing service to a restricted context (e.g., the finger service on a single machine). Other services are global.

There are different ways of providing a directory service. The method determines what kinds of information are stored, how that information is accessed (referenced, queried and updated), how it is protected from unauthorized access, and so on. Some services are local (for example the finger service on a single host); others are global.
What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is a lightweight protocol for accessing directory services, specifically X.500-based directory services.

LDAP is the protocol for accessing directory services (in particular directory services based on X.500).
What kind of information can be stored in the directory?

The LDAP information model is based on entries. An entry is a collection of attributes that has a globally-unique Distinguished Name (DN). The DN is used to refer to the entry unambiguously.

Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like "cn" for common name, or "mail" for email address. The syntax of values depends on the attribute type. For example, a cn attribute might contain the value Babs Jensen. A mail attribute might contain the value "babs@example.com".

A globally unique DN identifies each entry unambiguously.
How is the information arranged?

In LDAP, directory entries are arranged in a hierarchical tree-like structure.

In addition, LDAP allows you to control which attributes are required and allowed in an entry through the use of a special attribute called objectClass. The values of the objectClass attribute determine the schema rules the entry must obey.

Entries form a hierarchical tree structure.
How is the information referenced?

An entry is referenced by its distinguished name, which is constructed by taking the name of the entry itself (called the Relative Distinguished Name or RDN) and concatenating the names of its ancestor entries.
How is the information accessed?

LDAP defines operations for interrogating and updating the directory. Operations are provided for adding and deleting an entry from the directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory to be searched for entries that match some criteria specified by a search filter. Information can be requested from each entry that matches the criteria.
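The following is an added illustration of the four points above (the entry/attribute model, objectClass schema rules, DN construction from an RDN plus its ancestors, and the search operation with a filter and a scope). It is example code written for this page, not code from the page or from the OpenLDAP project. The LDIF sample directory and the small objectClass MUST table are constructed for the example, and DNs are compared as plain strings, which is a simplification of real DN normalization.

```python
"""Toy model of the LDAP information model described above: LDIF entries,
DN/RDN composition, objectClass MUST checks and RFC 4515 search filters.
Added illustration only; the sample directory and schema subset are constructed."""
import re

# Constructed sample directory in LDIF form (not real data).
LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: cn=Babs Jensen,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
mail: babs@example.com
"""

# Assumed schema subset: attributes each objectClass makes mandatory (MUST).
SCHEMA_MUST = {"dcObject": {"dc"}, "organizationalUnit": {"ou"},
               "person": {"cn", "sn"}, "inetOrgPerson": set()}

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; attribute type names are case-insensitive."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def parent_dn(dn):
    """DN of the superior entry: drop the leading RDN ('' at the suffix)."""
    return ",".join(rdn.strip() for rdn in dn.split(",")[1:])

def join_dn(rdn, parent):
    """A DN is the entry's own RDN concatenated with its ancestors' names."""
    return f"{rdn},{parent}" if parent else rdn

def check_schema(attrs):
    """Mandatory attributes (per objectClass value) that the entry lacks."""
    missing = set()
    for oc in attrs.get("objectclass", []):
        missing |= SCHEMA_MUST.get(oc, set()) - set(attrs)
    return missing

def parse_filter(s, i=0):
    """Recursive-descent parse of an RFC 4515 filter starting at s[i]; returns
    (node, index past ')').  Nodes: ('&'|'|', [kids]), ('!', kid), ('item', attr, value)."""
    i += 1                                  # skip the opening '('
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        return ("!", kid), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("item", attr.lower(), value), end + 1

def evaluate(node, attrs):
    """Match one entry against a parsed filter (equality, presence, substrings)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(evaluate(k, attrs) for k in node[1])
    if node[0] == "!":
        return not evaluate(node[1], attrs)
    _, attr, value = node
    values = attrs.get(attr, [])
    if value == "*":                                   # presence: (mail=*)
        return bool(values)
    if "*" in value:                                   # substrings: (sn=*sen)
        rx = ".*".join(re.escape(part) for part in value.split("*"))
        return any(re.fullmatch(rx, v, re.I) for v in values)
    return any(v.lower() == value.lower() for v in values)   # caseIgnore equality

def search(entries, base, scope, flt, attrs_wanted=None):
    """LDAP search: entries under `base` (scope base/one/sub) matching `flt`,
    returning only the requested attributes.  DNs are compared as plain strings."""
    if base not in entries:
        raise LookupError(f"noSuchObject: {base}")
    node, _ = parse_filter(flt)
    in_scope = {"base": lambda dn: dn == base,
                "one": lambda dn: parent_dn(dn) == base,
                "sub": lambda dn: dn == base or dn.endswith("," + base)}[scope]
    return {dn: {a: v for a, v in attrs.items()
                 if attrs_wanted is None or a in attrs_wanted}
            for dn, attrs in entries.items() if in_scope(dn) and evaluate(node, attrs)}

if __name__ == "__main__":
    dit = parse_ldif(LDIF)
    for dn, attrs in dit.items():
        print(dn, "-> missing MUST attributes:", check_schema(attrs) or "none")
    print(search(dit, "dc=example,dc=com", "sub", "(&(objectClass=person)(mail=*))", ["mail"]))
```

The search call at the bottom corresponds to what ldapsearch does with -b dc=example,dc=com -s sub and the filter (&(objectClass=person)(mail=*)): walk the subtree under the base, keep the entries the filter matches, and return only the attributes asked for.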
How is the information protected from unauthorized access?

Some directory services provide no protection, allowing anyone to see the information. LDAP provides a mechanism for a client to authenticate, or prove its identity to a directory server. Authentication only establishes who the client is; what that client may then read or modify is decided by the server's access control policy, described in the access control section below.
How does LDAP work?

LDAP utilizes a client-server model. One or more LDAP servers contain the data making up the directory information tree (DIT). The client connects to a server and asks it a question. The server responds with an answer and/or with a pointer to where the client can get additional information (typically, another LDAP server). No matter which LDAP server a client connects to, it sees the same view of the directory; a name presented to one LDAP server references the same entry it would at another LDAP server. This is an important feature of a global directory service.

All the data in the directory together forms one DIT.

LDAP is a directory access protocol to an X.500 directory service, the OSI directory service.

LDAP is the protocol for accessing an X.500 directory service.
When should I use LDAP?

You should use a directory server when you require data to be centrally managed, stored and accessible via standards-based methods.

Some common examples found throughout the industry are, but not limited to:

Machine authentication
User authentication
User/system groups
Address book
Organization representation
Asset tracking
Telephony information store
User resource management
E-mail address lookups
Application configuration store
PBX configuration store
etc.
Access control

The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything. In practice this means that, until explicit access directives are configured, even anonymous clients can read every attribute in the directory, and that the rootdn bypasses whatever policy is later written, so it should be reserved for administration rather than used as an application's bind identity.

The default access policy lets every client read. Whatever access control policy is defined, the rootdn always has full rights (auth, search, compare, read and write) and can read and write anything.
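As an added illustration (not taken from the page or from the OpenLDAP project), the slapd.conf fragment below spells out what the default policy amounts to, next to a stricter set of access directives that a practitioner would normally configure. The suffix dc=example,dc=com and the rootdn name are assumptions for the example.

```conf
# What the default amounts to when no "access" directive is configured:
# every client, anonymous binds included, may read every entry and attribute.
access to *
        by * read

# Stricter policy (assumed suffix dc=example,dc=com).  Directives are
# evaluated in order and the first "access to <what>" that matches wins,
# so the narrow userPassword rule must come before the catch-all.
#
# 1. userPassword: anonymous clients may only use it to bind (auth),
#    the entry's owner may change it, and nobody else can read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Everything else: readable only by authenticated users.
access to *
        by users read
        by * none

# The rootdn bypasses all of the above; keep it for administration only.
rootdn "cn=Manager,dc=example,dc=com"
```

After changing the policy, verify it from the outside with an anonymous ldapsearch against the suffix: under the stricter rules it must return no entries, and a bind as an ordinary user must still succeed while userPassword stays absent from the results.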
About the backend storage: Berkeley DB

OpenLDAP uses Berkeley DB as its backend store.

OpenLDAP uses Berkeley DB concurrent / transactional database software. This is the same software used by leading commercial directory software.
[root@localhost ~]# rpm -qi db4
Berkeley DB is a programming toolkit. It provides embedded database support for both traditional and client/server applications. Berkeley DB includes B+tree, extended linear hashing, fixed- and variable-length record access methods, transactions, locking, logging, shared memory caching, and database recovery. Berkeley DB supports C, C++, Java and Perl APIs. It is used by many programs, including Python and Perl, so it should be installed on all systems.

Berkeley DB is an embedded database system, not a conventional relational/object database: it does not support SQL and does not provide the higher-level features common in database servers, such as stored procedures or triggers.

Berkeley DB architecture

Berkeley DB is known for having a much simpler architecture than database systems such as Microsoft SQL Server and Oracle. For example, it has no network access; programs access the database through an in-process API. It supports neither SQL nor any other query language, and has no notion of tables or columns. The program accessing the database decides for itself how data is laid out inside a record; Berkeley DB does not interpret the contents of a record at all. Every record consists of exactly two parts, a key and a value, so in the Berkeley DB context a record is usually called a key/data pair. A record and its key can each be up to 4 GB in length.

Despite this simple architecture, Berkeley DB supports many advanced database features, such as ACID transactions, fine-grained locking, an XA interface, hot backup and replication.

Berkeley DB includes interfaces compatible with several classic Unix database programming libraries, including dbm, ndbm and hsearch.