使用 OpenLDAP Software to provide directory services

 

 

A directory is a specialized database specifically designed for searching and browsing, in additional to supporting basic lookup and update functions.

Directories tend to contain descriptive, attribute-based information and support sophisticated filtering capabilities.

Directories are generally tuned to give quick response to high-volume lookup or search operations.

 

There are many different ways to provide a directory service. Different methods allow different kinds of information to be stored in the directory, place different requirements on how that information can be referenced, queried and updated, how it is protected from unauthorized access, etc.

Some directory services are local, providing service to a restricted context (e.g., the finger service on a single machine). Other services are global.

有不同的方式提供目录服务.不同的方式决定存储不同的信息,不同的信息访问方式(如何引用,查询,更新),以及如何保护以免非授权访问等.有的服务是本地的(例如本机的finger服务).有些服务是全局的.

 

 

LDAP是什么?

LDAP stands for Lightweight Directory Access Protocol.it is a lightweight protocol for accessing directory services, specifically X.500-based directory services.

LDAP是访问目录服务的协议(特别是基于X.500协议的目录服务)

 

What kind of information can be stored in the directory?

The LDAP information model is based on entries. An entry is a collection of attributes that has a globally-unique Distinguished Name (DN). The DN is used to refer to the entry unambiguously.

Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like "cn" for common name, or "mail" for email address. The syntax of values depend on the attribute type. For example, a cn attribute might contain the value Babs Jensen. A mail attribute might contain the value "babs@example.com".

全局唯一的DN来明确描述entry

 

How is the information arranged?

In LDAP, directory entries are arranged in a hierarchical tree-like structure.

In addition, LDAP allows you to control which attributes are required and allowed in an entry through the use of a special attribute called objectClass. The values of the objectClass attribute determine the schema rules the entry must obey.

层次树形结构

 

How is the information referenced?

An entry is referenced by its distinguished name, which is constructed by taking the name of the entry itself (called the Relative Distinguished Name or RDN) and concatenating the names of its ancestor entries.

 

 

How is the information accessed?

LDAP defines operations for interrogating and updating the directory. Operations are provided for adding and deleting an entry from the directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory to be searched for entries that match some criteria specified by a search filter. Information can be requested from each entry that matches the criteria.

 

How is the information protected from unauthorized access?

Some directory services provide no protection, allowing anyone to see the information. LDAP provides a mechanism for a client to authenticate, or prove its identity to a directory server.

 

 

How does LDAP work?

LDAP utilizes a client-server model. One or more LDAP servers contain the data making up the directory information tree (DIT). The client connects to servers and asks it a question. The server responds with an answer and/or with a pointer to where the client can get additional information (typically, another LDAP server). No matter which LDAP server a client connects to, it sees the same view of the directory; a name presented to one LDAP server references the same entry it would at another LDAP server. This is an important feature of a global directory service.

目录里的所有数据形成了一个DIT

 

 

 

When should I use LDAP?

you should use a Directory server when you require data to be centrally managed, stored and accessible via standards based methods.

Some common examples found throughout the industry are, but not limited to:

Machine Authentication

User Authentication

User/System Groups

Address book

Organization Representation

Asset Tracking

Telephony Information Store

User resource management

E-mail address lookups

Application Configuration store

PBX Configuration store

etc.....

 

 

访问控制

The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.

缺省的访问策略是所有客户都允许读.无论定义的访问控制策略是什么,rootdn总是有所有权限(例如认证,搜索,比较,读和写),可以读写任何信息

 

 

 

关于后端存储Berkeley DB

OpenLDAP使用Berkeley DB做后端存储

OpenLDAP uses Berkeley DB concurrent / transactional database software. This is the same software used by leading commercial directory software.

 

[root@localhost ~]# rpm -qi db4

Berkeley 数据库 (Berkeley DB) 是一个编程工具包。

它为传统的和客户机/服务器程序提供嵌入的数据库支持。Berkeley DB 包括 B+tree、扩展的线形散列、固定的和长短不同的记录存取方法、事务、上锁、记录日志、共享的内存缓存、以及数据库恢复。Berkeley DB 支持 C、C++、Java、和 Perl API。它被许多程序使用，包括 Python 和 Perl，因此它应该在所有系统上安装。

 

Berkeley DB是嵌入式数据库系统，而不是常见的关系/对象型数据库，对SQL语言不支持，也不提供数据库常见的高级功能，如存储过程，触发器等。

Berkeley DB的体系结构

　　Berkeley DB以拥有比Microsoft SQL Server和Oracle等数据库系统而言更简单的体系结构而著称。例如，它不支持网络访问—程序通过进程内的API访问数据库。 他不支持SQL或者其他的数据库查询语言，不支持表结构和数据列。 访问数据库的程序自主决定数据如何储存在记录里，Berkeley DB不对记录里的数据进行任何包装，每个记录有且只有两部分：键、值，所以在Berkeley DB的背景下通常用key/data pair指代一个记录。记录和它的键都可以达到4G字节的长度。

　　尽管架构很简单，Berkeley DB却支持很多高级的数据库特性，比如ACID 数据库事务处理，细粒度锁，XA接口，热备份以及同步复制。

　　Berkeley DB包含有与某些经典Unix数据库编程库兼容的接口，包括：dbm，ndbm和hsearch。