lightweight directory access protocol - nfsv4bat.org fileldap provides a lightweight industry...
TRANSCRIPT
What Is LDAP?
• LDAP– History– X.500 vs . LDAP– Data model– Advantages /d isadvantages
• Lates t from IETF
• Issues
LDAP
Provides a lightweight indust ry standard protocol to retrieve and manage informat ion s tored in a directory
Client
LDAP DirectoryServer
LDAP
• Access Protocol
• Extensible Add, Dele te, Modify, and Search operat ions
• Key features :– Lightweight– Open s tandard– Runs over TCP/IP– Hierarchical d i rec tory s tructure
LDAP History
• Universi ty of Michigan
• X.500 roots
• LDAPv1
• LDAPv2
• LDAPv3
Physical
Datal ink
Network
Transpor t
Session
Presenta tion
Appl ica tion
X.500 vs . LDAP
DynamicFixedFixedFixedSchema
Referra lsDumb refer rals
Servers chain
reques ts
Servers chain
reques ts
Not found act ion
Password
Strong*PasswordPasswordPassword
StrongSecur ity
TCP/IP (repl ica tion
only)*NoneX.500 OSIOSI
Server to Server
TCP/IPTCP/IPTCP/IPOSIClient to Server
LDAPv3LDAPv2LDAPv1X.500
Hierarchical Directory Structure
• Similar di rec tory informat ion structure as X.500
• Entr ies are dis tinguished by an unique name (DN), that ident i fies the entry wi thin DIT
cn=Morteza Ansar i, ou=people ,o=Sun Microsystems Inc,st=CA, c=US
uid=mortezauidNumber=84760loginShel l=/bin/[email protected]…
country
state state
org org org
Hierarchical Directory Structure
• Similar di rec tory informat ion structure as X.500
• Entr ies are dis tinguished by an unique name (DN), that ident i fies the entry wi thin DIT
cn=Morteza Ansar i, ou=people ,dc=eng,dc=sun,dc=com
uid=mortezauidNumber=84760loginShel l=/bin/[email protected]…
domain
Sub-domain Sub-domain
Category Category Category
Advantages of LDAP
• Open s tandard
• Avai lable on vi rtua l ly al l opera ting systems
• Database and vendor independent
• Relat ively s imple to LDAP-enable appl ica tions
Disadvantages of LDAP
• Slowly becoming a “Heavyweight” protocol!
• No off icia l ent ity for regis ter ing Schemas
• Access control & repl icat ion is vendor speci fic
• Clients tend to get more and more complex
Lates t from IETF
• LDAP Authentica tion is approveddraf t-ie tf-ldapext-authmeth-04. tx tdraf t-ie tf-ldapext- ldapv3- tl s-06. tx tdraf t-leach-diges t-sas l -05. tx t
• C-API is c lose to RFC sta tus• Access control is expected to reach
RFC status la ter this year• Repl ica tion work is coming along,
but i s still long ways off
Other Indus try Ef for ts
• Directory Interoperabi lity Forum– Sun/AOL al l iance , IB M, ISOCOR, Lotus,
Novel l, and Oracle– Promote a common set of APIs and SDKs– Accelera te acceptance of s tandards– Provide inte roperabi l ity , conformance, and
cer ti fica tion of d i rec tories (through Open Group)
– Sti ll miss ing Microsof t
Other Indus try Ef for ts
• Directory Services Markup Language (DSM L) Al l iance
– Bowstreet , IBM, Lotus , Microsof t, Novel l , Oracle , and Sun/Netscape
– Use XML to descr ibe d i rec tory content and structure
LDAP C-API
• Based on Univers ity of Michigan source
• draf t-ie tf-ldapext -ldap-c-api -04.tx t
• Minimal secur ity– SIMPLE– CRA M-MD5
LDAP Naming Service
• Use LDAP as the di rect ory for stor ing Network Information Services
• Reduce redundant data
• Simpl i fy admini stration
• Data shar ing among apps & OS’s
• Common authent ica tion
LDAP Naming Service
NSSbackends
Applications using getXbyY()
Name Service Switch
frontend getXbyY()
Files NIS NIS+ DNS
Unchanged components
New/modified components
LDAP
ApplicationsUsing
NamingSpecificAPI’s
login/passwd
Simplified LDAP APIs
LDAP C-APIs
PAM
pam_ldap
pam_unix
ldap_cachemgrdaemon
ldap configfiles
LDAP Naming Service
Applications using getXbyY()
Name Service Switch
frontend getXbyY()
Files NIS NIS+ DNS LDAP
ApplicationsUsing
NamingSpecificAPI’s
login/passwd
Simplified LDAP APIs
LDAP C-APIs
PAM
pam_ldap
pam_unix
ldap_cachemgrdaemon
nsswitch.conf
ldap configfiles
PA M LDAP
Applications using getXbyY()
Name Service Switch
frontend getXbyY()
Files NIS NIS+ DNS LDAP
ApplicationsUsing
NamingSpecificAPI’s
login/passwd
Simplified LDAP APIs
LDAP C-APIs
PAM
pam_ldap
pam_unix
ldap_cachemgrdaemon
nsswitch.conf
ldap configfiles
PA M LDAP
• Schema– rfc2307 ( rfc 2307bis draf t)– Automount tables in nisMap/nisObject OC– Solar isNamingProf i le
• Client conf igurat ions (prof i les) are stored in LDAP and are cached local ly
DIT Layout
nisMapName=*,…nisObjectgener ic
gete tgr*()ou=netgroup,…nisNetworknetgroup
gete tgr*()ou=networks ,…ipNetworknetworks
netmasks
ou=ethers ,…bootableDevicebootparams
ether_*()ou=ethers ,…ieee802Deviceethers
gethost*()
get ipnode*()ou=hosts ,…ipHost
hosts
ipnodes
getrpc*()ou=rpc,…oncRpcrpc
getproto*()ou=protocols ,…ipProtocolprotocols
getserv*()ou=services ,…ipServiceservices
getgr*()ou=group,…posixGroupgroup
getpw*()
getsp*()ou=people ,…
posixAccount
shadowAccountpasswd
getXbyY()naming contextobject c lassNIS map
References
• ht tp ://www.directoryforum.org
• ht tp ://www.dsml .org
• ht tp ://www.umich.edu/~dirsvcs/ ldap
• IETF:– LDAP Extension working group
http ://www.ie tf.org /html .char ters /ldapext-char ter .html
– LDAP Duplica tion/Replica tion/Update WGhttp ://www.ie tf.org /html .char ters /ldup-char ter .html