362 lines
7.1 KiB
HTML
362 lines
7.1 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>LDAP backends, objects and attributes</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="LDAP Linux HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Introduction"
|
|
HREF="introduction.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="How does LDAP work ?"
|
|
HREF="howitworks.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="New versions of this document"
|
|
HREF="newversions.html"></HEAD
|
|
><BODY
|
|
CLASS="section"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>LDAP Linux HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="howitworks.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 1. Introduction</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="newversions.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="LdapBackends"
|
|
></A
|
|
>1.3. LDAP backends, objects and attributes</H1
|
|
><P
|
|
>The LDAP server daemon is called <EM
|
|
>Slapd</EM
|
|
>. <EM
|
|
>Slapd</EM
|
|
>
|
|
supports a variety of different <B
|
|
CLASS="command"
|
|
>database backends</B
|
|
> which you can use.</P
|
|
><P
|
|
>They include the <B
|
|
CLASS="command"
|
|
>primary choice BDB</B
|
|
>, a high-performance transactional database backend; LDBM, a lightweight DBM based backend; SHELL, a backend interface to arbitrary shell scripts and PASSWD, a simple backend interface to the passwd(5) file.</P
|
|
><P
|
|
>BDB utilizes <A
|
|
HREF="http://www.sleepycat.com/"
|
|
TARGET="_top"
|
|
>Sleepycat</A
|
|
> Berkeley DB 4. LDBM utilizes
|
|
either <A
|
|
HREF="http://www.sleepycat.com/"
|
|
TARGET="_top"
|
|
>Berkeley DB</A
|
|
> or <A
|
|
HREF="http://www.gnu.org/software/gdbm/"
|
|
TARGET="_top"
|
|
>GDBM</A
|
|
>.</P
|
|
><P
|
|
>BDB transactional backend is suited for multi-user read/write database access,
|
|
with any mix of read and write operations. BDB is used in applications that require:
|
|
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>Transactions, including making multiple changes to the
|
|
database atomically and rolling back uncommitted changes when necessary.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Ability to recover from systems crashes and hardware failures without
|
|
losing any committed transactions.</P
|
|
></LI
|
|
></UL
|
|
> </P
|
|
><P
|
|
>In this document I assume that you choose the <B
|
|
CLASS="command"
|
|
>BDB database.</B
|
|
></P
|
|
><P
|
|
>To import and export directory information between LDAP-based directory servers,
|
|
or to describe a set of changes which are to be applied to a directory, the
|
|
file format known as LDIF, for LDAP Data Interchange Format, is typically used.
|
|
A LDIF file stores information in object-oriented hierarchies of entries. The
|
|
LDAP software package you're going to get comes with an utility to convert LDIF
|
|
files to the BDB format</P
|
|
><P
|
|
>A common LDIF file looks like this:</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> dn: o=TUDelft, c=NL
|
|
o: TUDelft
|
|
objectclass: organization
|
|
dn: cn=Luiz Malere, o=TUDelft, c=NL
|
|
cn: Luiz Malere
|
|
sn: Malere
|
|
mail: malere@yahoo.com
|
|
objectclass: person
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>As you can see each entry is uniquely identified by a distinguished name, or
|
|
DN. The DN consists of the name of the entry plus a path of names tracing the
|
|
entry back to the top of the directory hierarchy (just like a tree).</P
|
|
><P
|
|
>In LDAP, an <B
|
|
CLASS="command"
|
|
>object class</B
|
|
> defines the collection of <B
|
|
CLASS="command"
|
|
>attributes</B
|
|
> that can be used
|
|
to define an entry. The LDAP standard provides these basic types of object classes:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>Groups in the directory, including unordered lists of individual objects
|
|
or groups of objects.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Locations, such as the country name and description.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Organizations in the directory.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>People in the directory.</P
|
|
></LI
|
|
></UL
|
|
><P
|
|
>An entry can belong to more than one object class. For example, the entry for a
|
|
person is defined by the <EM
|
|
>person</EM
|
|
> object class, but may also be
|
|
defined by attributes in the inetOrgPerson, groupOfNames, and organization objectclasses.
|
|
The server's object class structure (it's schema) determines the total list of required and
|
|
allowed attributes for a particular entry.</P
|
|
><P
|
|
>Directory data is represented as attribute-value pairs. Any specific piece of
|
|
information is associated with a descriptive attribute.</P
|
|
><P
|
|
>For instance, the commonName, or cn, attribute is used to store a person's name
|
|
. A person named Jonas Salk can be represented in the directory as</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
>cn: Jonas Salk</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>Each person entered in the directory is defined by the collection of attributes
|
|
in the <EM
|
|
>person</EM
|
|
> object class. Other attributes used to define this
|
|
entry could include:</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> givenname: Jonas
|
|
surname: Salk
|
|
mail: jonass@airius.com
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>Required attributes include the attributes that must be present in entries
|
|
using the object class. All entries require the objectClass attribute, which
|
|
lists the object classes to which an entry belongs.</P
|
|
><P
|
|
>Allowed attributes include the attributes that may be present in entries using
|
|
the object class. For example, in the person object class, the cn and sn
|
|
attributes are required. The description, telephoneNumber, seeAlso, and
|
|
userpassword attributes are allowed but are not required.</P
|
|
><P
|
|
>Each attribute has a corresponding syntax definition. The syntax definition
|
|
describes the type of information provided by the attribute, for instance:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>bin binary.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>ces case exact string (case must match during comparisons).</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>cis case ignore string (case is ignored during comparisons).</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>tel telephone number string (like cis but blanks and dashes `- ' are
|
|
ignored during comparisons).</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>dn distinguished name.</P
|
|
></LI
|
|
></UL
|
|
><P
|
|
><B
|
|
CLASS="command"
|
|
>Note: </B
|
|
>Usually objectclass and attribute definitions reside on schema files, on the
|
|
subdirectory <EM
|
|
>schema</EM
|
|
> under the OpenLDAP installation home.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="howitworks.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="newversions.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>How does LDAP work ?</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="introduction.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>New versions of this document</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |