libre office..but my college still hasn't kept up with FOSS…SO A 2-MINUTE NIROBOTA FOR THAT….
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL
LDAP…
?????
Well..let's see…ummm..let's find out about protocols…
PROTOCOLS…DIRECTORIES..LIGHTWEIGHT..
Protocol means a set of rules about how things are to be done, but in this case between devices or processes in computing and communications…
Good..at least something to do with computers..
Ok..so in a line it is..
The most common application is when talking about networks. It can mean the way two different systems connect (via a common protocol) or the way two similar devices connect (but over an intermediate system or connection).
SOME GYAN…
(Protocols are usually published as an open standard so everyone can design their equipment or systems for compatibility.)
A directory in this sense is an organized set of records: for example, a telephone directory is an alphabetical list of persons and organizations with an address and phone number in each "record".
Lightweight, as in: unlike X.500, LDAP supports TCP/IP, which is necessary for Internet access. LDAP is significantly simpler than X.500 and more readily adapted to meet custom needs, and it is more easily implemented over the Internet due to its relatively modest bandwidth usage.
Let's do something serious…
LDAP ..A ONE LINER..application protocol for reading and editing directories over an IP network.
A BIT ON X.500..
Point to
Perhaps the biggest plus for LDAP is that your company can access the LDAP directory from almost any computing platform, from any one of the increasing number of readily available, LDAP-aware
Mark Wahl..of Critical Angle Inc..along with Steve n Tim formed LDAPv3 under IETF.. > PUBLISHED in 1997..had support for extensibility..and included support for Simple Authentication and Security Layer
Further development of the LDAPv3 specifications themselves and of numerous extensions adding features to LDAPv3 has come through the IETF.
N ITS STILL GOING ON…!!
A bit on how it really works..
Step 1
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA). (Port 389)
Step 2
The client then sends an operation request to the server, and the server sends responses in return..
A server holds a subtree starting from a specific entry, e.g. "dc=example,dc=com" and its children. Servers may also hold references to other servers, so an attempt to access "ou=department,dc=example,dc=com" could return a referral or continuation reference to a server which holds that part of the directory tree. The client can then contact the other server. Some servers also support chaining, which means the server contacts the other server and returns the results to the client.
This might help in getting a grasp
It's going to be deadly geeky..so hang on..or doze off..
StartTLS
The StartTLS operation establishes Transport Layer Security (the descendant of SSL) on the
connection. It can provide data confidentiality (to protect data from being observed by
third parties) and/or data integrity protection (which protects the data from tampering).
During TLS negotiation the server sends its X.509 certificate to prove its identity. The client
may also send a certificate to prove its identity. After doing so, the client may then
use SASL/EXTERNAL. By using the SASL/EXTERNAL, the client requests the server derive its
identity from credentials provided at a lower level (such as TLS). Though technically the
server may use any identity information established at any lower level, typically the server
will use the identity information established by TLS.
Bind (authenticate)
The Bind operation authenticates the client to the server. Simple Bind can send the user's DN and password in plaintext, so the connection should be protected using Transport Layer Security (TLS). The server typically checks the password against the userPassword attribute in the named entry. Anonymous Bind (with empty DN and password) resets the connection to anonymous state. SASL (Simple Authentication and Security Layer) Bind provides authentication services through a wide range of mechanisms, e.g. Kerberos or the client certificate sent with TLS..
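The StartTLS and Bind sections above say that a simple Bind carries the DN and password in plaintext unless TLS is in place. This added example (not from the original slides) encodes an LDAPv3 simple BindRequest in the BER layout RFC 4511 specifies and then applies the check a passive network monitor would: parse the message and report the credentials whenever the connection is not TLS-protected. It assumes message IDs below 128 (so the INTEGER fits in one octet); the DN and password in the test are made up.

```python
# Added example (not from the original slides): RFC 4511 BER layout of an
# LDAPv3 simple BindRequest, plus the check a network monitor would apply.
def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple } }.
    Assumes msg_id < 128 so the INTEGER encodes in one octet."""
    assert 0 <= msg_id < 128
    bind = (tlv(0x02, bytes([3]))            # version INTEGER 3
            + tlv(0x04, dn.encode())         # name LDAPDN (OCTET STRING)
            + tlv(0x80, password.encode()))  # authentication: simple [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cleartext_credentials(message: bytes, tls_active: bool):
    """Return (dn, password) when a simple Bind with a password is sent on a
    connection not protected by StartTLS/LDAPS; otherwise None. This is the
    condition a passive LDAP monitor should alert on."""
    if tls_active:
        return None
    tag, body, _ = parse_tlv(message)
    if tag != 0x30:
        return None
    _, _, pos = parse_tlv(body)              # skip messageID
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x60:                       # not a BindRequest
        return None
    _, _, pos = parse_tlv(op)                # version
    _, dn, pos = parse_tlv(op, pos)
    auth_tag, secret, _ = parse_tlv(op, pos)
    if auth_tag != 0x80 or not secret:       # SASL bind (0xA3) or anonymous bind
        return None
    return dn.decode(), secret.decode()
```

An anonymous Bind (empty DN and password) and a SASL Bind are deliberately not reported, since neither exposes a password on the wire.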
CONTD…
Bind also sets the LDAP protocol version. Normally clients should use LDAPv3, which is the default in the protocol but not always in LDAP libraries.
Bind had to be the first operation in a session in LDAPv2, but is not required in LDAPv3 (the current LDAP version).
Search and Compare
The Search operation is used to both search for and read entries. Its parameters are:
baseObject
The DN (Distinguished Name) of the entry at which to start the search.
scope
What elements below the baseObject to search. This can be BaseObject (search just the named entry, typically used to read one entry), singleLevel (entries immediately below the base DN), or wholeSubtree (the entire subtree starting at the base DN).
filter
Criteria to use in selecting elements within scope. For example, the filter (&(objectClass=person)(|(givenName=John)(mail=john*))) will select "persons" (elements of objectClass person) who either have the given name "John" or an e-mail address that begins with the string "john".
derefAliases
Whether and how to follow alias entries (entries which refer to other entries).
attributes
Which attributes to return in result entries.
sizeLimit, timeLimit
Maximum number of entries to return, and maximum time to allow the search to run.
typesOnly
Return attribute types only, not attribute values.
The server returns the matching entries and potentially continuation references. These may be returned in any order. The final result will include the result code.
The Compare operation takes a DN, an attribute name and an attribute value, and checks if the
named entry contains that attribute with that value.
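The filter on the slide is worth actually running. This added example (not from the original slides) parses RFC 4515 filters of the kind shown (and, or, not, equality and '*' wildcards), evaluates them against a small constructed subtree, and returns the DNs a wholeSubtree search would select. Attribute names are matched case-insensitively, as LDAP requires; the entries, DNs and people are made up.

```python
import re

def parse_filter(text, pos=0):
    """Parse the RFC 4515 subset on the slide: (&...), (|...), (!...) and
    (attr=value) with '*' wildcards. Returns (node, position after ')')."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, children, pos = text[pos], [], pos + 1
        while text[pos] == "(":                  # one or more nested filters
            child, pos = parse_filter(text, pos)
            children.append(child)
        node = (op, children)
    else:
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        regex = ".*".join(re.escape(p) for p in value.split("*"))  # '*' is the only wildcard
        node = ("=", attr.strip().lower(), re.compile(regex, re.IGNORECASE))
        pos = end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at {pos}")
    return node, pos + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry {attribute: [values]}."""
    op, arg = node[0], node[1]
    if op == "&":
        return all(matches(c, entry) for c in arg)
    if op == "|":
        return any(matches(c, entry) for c in arg)
    if op == "!":
        return not matches(arg[0], entry)
    return any(node[2].fullmatch(v) for v in entry.get(arg, []))

# Constructed sample subtree under dc=example,dc=com (not real data).
DIRECTORY = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "objectclass": ["person"],
     "givenname": ["John"], "mail": ["jdoe@example.com"]},
    {"dn": "uid=jsmith,ou=people,dc=example,dc=com", "objectclass": ["person"],
     "givenname": ["Jonathan"], "mail": ["john.smith@example.com"]},
    {"dn": "uid=mlee,ou=people,dc=example,dc=com", "objectclass": ["person"],
     "givenname": ["Mary"], "mail": ["mlee@example.com"]},
    {"dn": "cn=john-printer,ou=devices,dc=example,dc=com", "objectclass": ["device"],
     "givenname": ["John"]},
]

def search(filter_text, entries=DIRECTORY):
    """Return the DNs of entries selected by filter_text (wholeSubtree scope)."""
    node, _ = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]
```

The device entry is included to show that the objectClass clause, not just the name, decides membership.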
ITS STILL TECHNICAL..
Update Data
Add, Delete, and Modify DN - all require the DN of the entry that is to be changed.
Modify takes a list of attributes to modify and the modifications to each: Delete the
attribute or some values, add new values, or replace the current values with the new
ones.
Add operations also can have additional attributes and values for those attributes.
Modify DN (move/rename entry) takes the new RDN (Relative Distinguished Name),
optionally the new parent's DN, and a flag which says whether to delete the value(s) in
the entry which match the old RDN. The server may support renaming of entire
directory subtrees.
An update operation is atomic: other operations will see either the new entry or the old one. On the other hand, LDAP does not define transactions of multiple operations: if you read an entry and then modify it, another client may have updated the entry in the meantime. Servers may implement extensions which support this, though.
Extended operations
The Extended Operation is a generic LDAP operation which can be used to define new
operations. Examples include the Cancel and Password Modify.
THIS IS THE LAST OF THE TECHNICAL TORTURE..
Abandon
The Abandon operation requests that the server abort an operation named by a message ID.
The server need not honor the request. Unfortunately, neither Abandon nor a successfully
abandoned operation send a response. A similar Cancel extended operation has therefore
been defined which does send responses, but not all implementations support this.
Unbind
The Unbind operation abandons any outstanding operations and closes the connection. It
has no response. The name is of historical origin, and is not the opposite of the Bind
operation.
Clients can abort a session by simply closing the connection, but they should use Unbind. Unbind allows the server to gracefully close the connection and free resources that it would otherwise keep for some time until discovering the client had abandoned the connection. It also instructs the server to cancel operations that can be canceled, and to not send responses for operations that cannot be canceled.
Advantages galore!!
When should you use LDAP to store your data?
Most LDAP servers are heavily optimized for read-intensive operations. Because of this, one
can typically see an order of magnitude difference when reading data from an LDAP directory
versus obtaining the same data from a relational database server optimized for OLTP.
Because of this optimization, however, most LDAP directories are not well suited for storing
data where changes are frequent. For instance, an LDAP directory server is great for storing
your company's internal telephone directory, but don't even think of using it as a database
back end for your high-volume e-commerce site.
If the answer to each of the following questions is Yes, then storing your data in LDAP is a
good idea.
Would you like your data to be available cross-platform?
Do you need to access this data from a number of computers or applications?
Do the individual records you're storing change a few times a day or less, on average?
Does it make sense to store this type of data in a flat database instead of a relational
database? That is, could you effectively store all the data for a given item in a single record?
This final question often gives people pause, because it's very common to access a flat record
to obtain data that's relational in nature. For example, a record for a company employee
might include the login name of that employee's manager. It's fine to use LDAP to store this
kind of information. Rule of thumb: If you can imagine storing your data in a large electronic
Rolodex, you can store it easily in an LDAP directory.
Torture khatam…
U have questions after this…