FAQ
What the hell is LDAP?
LDAP, the Lightweight Directory Access Protocol, is a protocol for accessing a directory service. A directory should not be confused with a general-purpose database.
LDAP evolved from the X.500 directory access protocol. Many organisations use LDAP to store authentication information instead of flat files or a system such as NIS or NIS+ (Network Information Service). It can also be used as a directory of information about people, something like a phone directory but with pictures and other details in it.
LDAP is optimised for searching and for heavy read access. Writes still perform acceptably but are quite a bit slower.
Data in LDAP is stored hierarchically and is built from attributes such as:
ou - organisational unit
c - country
dc - domain component
cn - common name
sn - surname
dn - distinguished name
So you can have a search base (the point under which everything is located) of, say,
dc=taslug,dc=org,dc=au
You'll notice this is a domain name. This is the usual way the domain components are set up, because domain names are globally unique.
Now you can break things up into organisational units, or OUs. A couple of OUs that an LDAP directory commonly has are People and Hosts, so you'd find something like
uid=ngrundy,ou=People,dc=taslug,dc=org,dc=au
You'll notice that I have a user ID of ngrundy and I'm in the People organisational unit. This full name is a DN, or distinguished name. A DN is like a key in a database: it uniquely identifies the entry, and it is typically indexed to speed up searching.
If you want to get fancy you could replicate your organisation's structure in LDAP:
uid=ngrundy,ou=IT Services,ou=Admin Services,ou=People,c=Australia,dc=worldwide,dc=company,dc=com
Going back to the previous entry, you add attributes under the DN to fill in the record, for example (in LDIF, the text format LDAP tools use):
dn: uid=ngrundy,ou=People,dc=taslug,dc=org,dc=au
loginShell: /bin/tcsh
uidNumber: 1001
gidNumber: 75
givenName: Nick
sn: Grundy
uid: ngrundy
objectClass: account
objectClass: posixAccount
userPassword: {crypt}a3F0k1A9k
From this entry you could effectively reconstruct the user's /etc/passwd information.
You can see that the username comes from uid; the user will use /bin/tcsh as their preferred shell; their UID is 1001; their primary group ID is 75; givenName and sn tell us the person's name is 'Nick Grundy'; the object we're looking at is an account and also a posixAccount (you generally need the posixAccount object class to use an entry as a login record for a Unix system); and last of all the user's password is stored as a crypt (DES) hash. Note that traditional DES crypt truncates passwords to eight characters and is cheap to brute-force today, so a directory used for authentication should use a stronger password scheme, and the userPassword attribute should be readable only by the server's own access rules, not by anonymous searches.
The objectClass stuff is mildly interesting and I must say I don't understand it fully. Basically an LDAP system has a schema that tells you what a record looks like, so for the record above to have an objectClass of posixAccount it has to have met all of the requirements of the posixAccount schema entry. That posixAccount schema might say that an account must have a loginShell, uidNumber, gidNumber, uid and userPassword.
Anyway, I've probably confused the hell out of you now. Anyone feel free to correct me if I've got the thing wrong.
Craig Cooper
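The schema check and the /etc/passwd mapping discussed in the FAQ above, as an added example that is not part of the original post: a Python script that parses the entry as LDIF, checks that the RDN (the leftmost part of the DN) matches an attribute of the entry, applies the attributes that OpenLDAP's nis.schema actually requires for posixAccount (cn, uid, uidNumber, gidNumber and homeDirectory, which is stricter than the list guessed at above, so the record as posted is rejected until cn and homeDirectory are added), flags a traditional DES {crypt} hash, and renders the passwd line. The LDIF text, the homeDirectory value and the function names parse_ldif, split_dn, check_entry and passwd_line are constructed for this example.

```python
"""Added example: parse one LDIF entry, check it the way a schema-aware
LDAP server would, and render the /etc/passwd line it corresponds to.
All sample data below is constructed for this example."""

# posixAccount MUST attributes as defined in OpenLDAP's nis.schema.
POSIX_ACCOUNT_MUST = {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}

# Constructed sample: the record from the FAQ, written as LDIF.
SAMPLE_LDIF = """\
dn: uid=ngrundy,ou=People,dc=taslug,dc=org,dc=au
loginShell: /bin/tcsh
uidNumber: 1001
gidNumber: 75
givenName: Nick
sn: Grundy
uid: ngrundy
objectClass: account
objectClass: posixAccount
userPassword: {crypt}a3F0k1A9k
"""

# Constructed sample: the same entry with the attributes posixAccount demands
# (the homeDirectory value is an assumption).
FIXED_LDIF = SAMPLE_LDIF + "cn: Nick Grundy\nhomeDirectory: /home/ngrundy\n"


def parse_ldif(text):
    """Return (dn, {attribute: [values...]}) for a single LDIF entry.
    Multi-valued attributes such as objectClass keep every value."""
    dn, attrs = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def split_dn(dn):
    """Split 'uid=ngrundy,ou=People,dc=taslug,...' into [(attr, value), ...],
    leftmost (the RDN) first. Assumption: no escaped commas in values."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]


def check_entry(dn, attrs):
    """Return the problems a server-side schema check (plus a password-hash
    review) would raise; an empty list means the entry is acceptable."""
    problems = []
    rdn_attr, rdn_value = split_dn(dn)[0]
    # The RDN's attribute/value pair must also be present as an attribute.
    if rdn_value not in attrs.get(rdn_attr, []):
        problems.append(f"RDN {rdn_attr}={rdn_value} has no matching {rdn_attr} attribute")
    if "posixAccount" in attrs.get("objectClass", []):
        for name in sorted(POSIX_ACCOUNT_MUST - set(attrs)):
            problems.append(f"objectClass posixAccount requires attribute {name}")
    for pw in attrs.get("userPassword", []):
        # A {crypt} value with no '$' prefix is traditional DES crypt: 12-bit
        # salt, password truncated to 8 characters, cheap to brute-force.
        if pw.lower().startswith("{crypt}") and "$" not in pw:
            problems.append("userPassword uses traditional DES crypt (weak)")
    return problems


def passwd_line(attrs):
    """Render the /etc/passwd line for a posixAccount entry. The hash stays in
    the directory, so the password field is 'x', as it would be with /etc/shadow."""
    def first(name, default=""):
        return attrs.get(name, [default])[0]

    gecos = first("gecos") or f"{first('givenName')} {first('sn')}".strip()
    return ":".join([first("uid"), "x", first("uidNumber"), first("gidNumber"),
                     gecos, first("homeDirectory"), first("loginShell")])


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_LDIF), ("completed", FIXED_LDIF)):
        dn, attrs = parse_ldif(text)
        print(f"{label}: {dn}")
        for problem in check_entry(dn, attrs) or ["ok"]:
            print("  ", problem)
        print("   passwd:", passwd_line(attrs))
```

Run as-is and the "as posted" entry reports the two missing MUST attributes plus the weak hash, while the "completed" entry reports only the hash. The RDN check is the reason a DN of uid=njgrundy over an entry whose uid attribute is ngrundy would be refused by a real server.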