
OpenLDAP Learning Notes (based on OpenLDAP-2.4.x)

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

What is a directory service (Directory Services)?

The directory is a special database dedicated to searching and browsing, while also supporting basic query and update functions.

A directory is a specialized distributed database optimized for querying, browsing and searching. It organizes data in a tree structure, just like the file system directories in Linux/Unix. Unlike relational databases, directory databases have excellent read performance but poor write performance, and they lack complex functions such as transaction processing and rollback, so they are not suitable for storing frequently modified data. A directory is therefore naturally used for queries, just as its name suggests.

Specific implementations based on the X.500 directory access protocol, and on the LDAP protocol developed from X.500, include: OpenLDAP, ApacheDS, Active Directory, Red Hat Directory Service, IBM Directory Server.

What is LDAP?

LDAP is an acronym for Lightweight Directory Access Protocol, translated as lightweight Directory access Protocol. It is usually pronounced as "L-DAP" or "L-D-A-P" in China.

As the name implies, it is a lightweight directory access protocol (lightweight mainly relative to the other directory access protocol, X.500; LDAP omits many of the less commonly used features of X.500 and is based on the TCP/IP protocol). Directory services are very similar to databases, but they are also very different. A database is designed to make both reading and writing convenient, whereas a directory service is specially designed and optimized for reading, so it is not suitable for data with frequent write operations. At the same time, LDAP is just a protocol; it does not specify how the information is stored, so a back-end database component is needed to implement it. These backends can be bdb (BerkeleyDB), ldbm, shell, passwd, etc.

What kind of information can be stored in the directory? The LDAP information model is based on entries. An entry is a collection of attributes that has a globally unique Distinguished Name (DN). The DN is used to refer to the entry unambiguously. Each of the entry's attributes has a type and one or more values. The syntax of the values depends on the attribute type.

How is the information organized?

Directory entries are organized in a hierarchical tree structure. Traditionally, this structure reflects geographical and organizational boundaries.

Trees can also be organized according to Internet domain names (Internet-domain naming). This naming is becoming more and more popular because it allows you to use DNS to locate directory services.

The LDAP directory stores data in a tree-like hierarchical structure (similar to DNS); the topmost root is called the base DN, shaped like "dc=mydomain,dc=com" or "o=mydomain.org". The former form is more flexible and is also used by Windows AD. Just as a root directory holds many files and subdirectories, the base DN holds a large amount of data; in order to separate it logically, LDAP, like other directory service protocols, uses OUs (Organizational Units), which can represent internal organizations such as departments, as well as equipment, personnel, and so on. An OU can in turn contain sub-OUs for a more detailed classification.

How is the information referenced?

Each record in LDAP has a unique name, the DN (Distinguished Name), that distinguishes it from all other records; the component in the "leaf" position is called the RDN (Relative Distinguished Name). For example, in dn: cn=tom,ou=animals,dc=mydomain,dc=org, the RDN is cn=tom. An RDN must be unique within its OU.
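The DN and RDN rules above, as an added example that is not part of the original notes: a small DN splitter (honouring RFC 4514 backslash escapes, so a comma inside a value does not start a new RDN) plus a check that no two entries under the same parent share an RDN. All DNs are constructed for the example.

```python
# Added example (not from the original notes): split a DN into its RDNs the way an
# LDAP server does and apply the RDN-uniqueness rule within one parent entry.
# Escaping follows RFC 4514 ('\,' keeps a comma inside a value). DNs are constructed.

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings, leaf first, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                            # an unescaped comma ends the RDN
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def rdn_of(dn: str) -> str:
    """The leaf component, e.g. 'cn=tom' for cn=tom,ou=animals,dc=mydomain,dc=org."""
    return split_dn(dn)[0]

def parent_of(dn: str) -> str:
    """The DN of the entry's parent (the base DN itself has no parent -> '')."""
    return ",".join(split_dn(dn)[1:])

def check_rdn_uniqueness(dns: list[str]) -> list[str]:
    """Return every DN whose (parent, RDN) repeats an earlier one. Type and
    value are compared case-insensitively, a simplification of LDAP's
    caseIgnoreMatch used by attributes such as cn, ou and dc."""
    seen, clashes = set(), []
    for dn in dns:
        attr, _, value = rdn_of(dn).partition("=")
        key = (parent_of(dn).lower(), attr.strip().lower(), value.strip().lower())
        if key in seen:
            clashes.append(dn)
        else:
            seen.add(key)
    return clashes
```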

How is the information accessed?

LDAP defines query and update directory operations. The operations provided include adding and deleting an entry from the directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search directories for information. The LDAP search operation allows parts of the directory to be searched for items that meet the criteria specified by the search filter. You can request information for each entry that matches the requirement.

How does LDAP work?

LDAP utilizes a Client-Server (C/S) model. One or more LDAP servers contain the data making up the directory information tree (DIT). The client connects to a server and asks it a question. The server responds with an answer and/or with a pointer to where the client can get additional information (typically, another LDAP server). No matter which LDAP server a client connects to, it sees the same view of the directory; a name presented to one LDAP server references the same entry it would at another LDAP server. This is an important feature of a global directory service.

What is the difference between LDAPv2 and LDAPv3?

LDAPv3 was developed in the late 1990s to replace LDAPv2. LDAPv3 adds the following features to LDAP:

Using SASL to implement strong authentication and data security services

Using TLS (SSL) to implement certificate verification and data security services

Using Unicode coding to achieve internationalization

Referrals (forwarding) and continuations

Schema Discovery

Scalability (control, operational extension, etc.)

LDAPv2 is obsolete (RFC 3494). Most of the so-called LDAPv2 implementations (including slapd(8)) no longer comply with the LDAPv2 technical specification, and interoperability between implementations that claim to support LDAPv2 is limited. Because of the significant differences between LDAPv2 and LDAPv3, deploying LDAPv2 and LDAPv3 at the same time is problematic. LDAPv2 should be avoided; it is disabled by default.

What is slapd and what can it do?

Slapd (Standalone LDAP Daemon) is an LDAP directory server that runs on many different platforms. Slapd is a specific open source implementation of the LDAP protocol (OpenLDAP Software 2.4); it implements Lightweight Directory Access Protocol version 3 (LDAPv3) and supports IPv4 and IPv6 (TCP/IP) as well as Unix IPC as transport.

Summary:

What is LDAP?

LDAP is an abbreviation for Lightweight Directory Access Protocol [Note: it is a protocol]. The LDAP protocol is in effect a simplified version of the X.500 standard protocol. LDAP is an open Internet standard, and the LDAP protocol is cross-platform. Unlike X.500, LDAP runs over TCP/IP (that is, it supports distributed deployment).

Several features of LDAP:

LDAP data is stored in a hierarchical tree structure rather than a two-dimensional table.

LDAP can query efficiently, but it is much slower when it comes to writing.

LDAP uses the Client-Server (C/S) model.

What is OpenLDAP?

OpenLDAP is a concrete implementation of the LDAPv3 protocol that provides directory services on multiple platforms. Its server process is slapd.

1.3. Configuration selection

Local directory service:

In this configuration, directory services are provided only for your local domain, and the server does not interact with other directory servers in any way.

Local services with forwarding:

In this configuration, you provide directory services for your local domain and configure the server to return referrals to other servers that can handle requests outside it.

Replicable directory services:

OpenLDAP supports synchronous replication, known as syncrepl, which can be used to maintain shadow copies of directory information on multiple directory servers. In the most basic configuration, the master server is the syncrepl provider, while one or more slave servers are syncrepl consumers.

Distributed local directory service:

In this configuration, the local service is divided into smaller services, each of which may be replicated and is linked to its superior and subordinate services by referrals.

1.4. Replication

In order to provide a resilient enterprise deployment, replicated directories are a basic requirement.

Problems with OpenLDAP 2.3 replication (slurpd) (online excerpts, untested):

The slurpd daemon operates in push mode, and the master server pushes change data to the slave server (unreliable)

Extremely sensitive to the order of records in replog

It is easy to lose synchronization, and manual intervention is needed to resynchronize the slave server's database

If a slave server is down for a long time, the replog may become too large for slurpd to handle.

Need to stop and restart the master server to add a slave server

Only single master server replication is supported (1 master to multi-slave)

Syncrepl replication

LDAP syncrepl synchronous replication is an object-based replication mechanism. When any attribute value in a replicated object changes on the provider, each consumer retrieves and processes the complete changed object during replication, including all changed and unchanged attribute values (the entire entry is synchronized, not just the changed attribute). One advantage of this approach is that when multiple changes occur on a single object, the exact order of those changes does not need to be preserved; only the final state matters. But this approach has drawbacks when the usage pattern involves a single change applied to many objects.

For example, suppose you have a database that contains 100000 objects, each 1 KB. Further, suppose you often run a batch job on the provider that changes a two-byte attribute value in each of the 100000 objects. Not counting the overhead of the LDAP and TCP/IP protocols, every time you run this job each consumer will transfer and process 1 GB of data, just to handle 200 KB of changes!

In cases like this, 99.98% of the data transmitted and processed will be redundant because they represent values that have not been changed. This is a waste of valuable transmission and processing bandwidth and may lead to an unacceptable backlog of replication logs. Although this situation is extreme, it helps to demonstrate a very real problem with some LDAP deployments.

Delta-syncrepl replication (based on change log synchronization)

Delta-syncrepl, a syncrepl variant based on a changelog, is designed to handle situations like the one described above. Delta-syncrepl works by maintaining a changelog of selectable depth on the provider side. The replication consumer checks the changelog for the changes it needs. As long as the changelog contains those changes, the consumer retrieves them from the changelog and applies them to its own database. However, if the consumer has fallen too far behind the state of the last synchronization (or the consumer is completely empty), regular syncrepl is used to bring it up to date, after which replication reverts to delta-syncrepl mode.
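The syncrepl-versus-delta-syncrepl behaviour described in the last few paragraphs, as an added toy model that is not OpenLDAP code: a provider keeps a bounded changelog, and the consumer replays it when it covers the gap, otherwise it falls back to a full refresh and ships every entry whole. The provider entries, the change counter (standing in for contextCSN cookies) and the log depth are constructed assumptions.

```python
# Added example (not from the original notes): a toy model of a delta-syncrepl consumer
# choosing between replaying the provider's changelog and a full syncrepl refresh.
# Provider entries, the changelog depth and the change counter (standing in for
# contextCSN cookies and the accesslog database) are all constructed here.
from dataclasses import dataclass, field

@dataclass
class Provider:
    entries: dict = field(default_factory=dict)    # dn -> {attr: value}
    csn: int = 0                                   # change counter, stands in for contextCSN
    log_depth: int = 3                             # how many changes the changelog keeps
    changelog: list = field(default_factory=list)  # (csn, dn, attr, value)

    def modify(self, dn, attr, value):
        """Apply one attribute change and record it; the oldest log entries fall off."""
        self.csn += 1
        self.entries.setdefault(dn, {})[attr] = value
        self.changelog.append((self.csn, dn, attr, value))
        del self.changelog[:-self.log_depth]

def entry_bytes(entry):
    """Approximate on-the-wire size of a whole entry (what plain syncrepl ships)."""
    return sum(len(a) + len(v) for a, v in entry.items())

def sync(consumer, provider):
    """Bring consumer ({'csn': int, 'entries': dict}) up to date.
    Returns (mode, bytes_transferred) where mode is 'none', 'delta' or 'refresh'."""
    gap = provider.csn - consumer["csn"]
    if gap == 0:
        return "none", 0
    needed = [c for c in provider.changelog if c[0] > consumer["csn"]]
    if len(needed) == gap:                   # changelog still covers everything we missed
        for _, dn, attr, value in needed:
            consumer["entries"].setdefault(dn, {})[attr] = value
        consumer["csn"] = provider.csn
        return "delta", sum(len(a) + len(v) for _, _, a, v in needed)
    # Too far behind (or an empty consumer): fall back to a full syncrepl refresh,
    # which transfers every entry in full; delta mode resumes on the next sync.
    consumer["entries"] = {dn: dict(e) for dn, e in provider.entries.items()}
    consumer["csn"] = provider.csn
    return "refresh", sum(entry_bytes(e) for e in provider.entries.values())
```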

N-Way Multi-Master replication

Multi-Master replication is a replication technology that uses Syncrepl to replicate data to multiple provider (master server) directory servers.

Arguments for Multi-Master replication

If any provider fails, other providers will continue to accept updates

Avoid single point of failure

Providers can be located in different physical locations, such as across global networks.

Good automatic fault tolerance / high availability

Arguments against Multi-Master replication

(these are often claimed as advantages of Multi-Master replication, but those claims are wrong):

It has nothing to do with load balancing.

The provider must write to all other servers, which means that the network traffic and write load distributed across all servers is the same as a single master server.

Server utilization and load with multiple masters are at best identical to single-master; at worst, single-master is better, because the indexes can be tuned differently to optimize for the different usage patterns of providers and consumers.

MirrorMode replication

MirrorMode is a hybrid configuration that provides both the consistency guarantees of single-master replication and the high availability of multi-master mode. In MirrorMode, both providers are set to replicate from each other (as in a multi-master configuration), but an external frontend directs all writes to only one of the two servers. The second provider receives writes only when the first server crashes, at which point the frontend switches to direct all writes to the second provider. When the crashed provider is repaired and restarted, it automatically catches up on any updates from the running provider and resynchronizes.

Syncrepl proxy mode

Although the LDAP synchronization protocol supports both "pull" and "push" based replication, the "push" mode (refreshAndPersist) must still be initiated by the consumer before the provider starts pushing changes. In some network configurations, especially where a firewall restricts the direction of connections, a provider-initiated push mode is required.

This mode can be configured with the LDAP backend (see Backends and slapd-ldap(8)). Instead of running the syncrepl engine on the actual consumer server, a slapd-ldap proxy is set up close to (or co-located with) the provider and pointed at the consumer, and the syncrepl engine runs on that proxy.

OpenLDAP 2.4

Replace Slurpd

The old slurpd mechanism only operated in a push mode initiated by the master server. Slurpd replication has been replaced by syncrepl replication and was completely removed in OpenLDAP 2.4.

The usual rules for LDIF files apply to configuration information: comment lines that start with the '#' character are ignored. If a line begins with a space, it is considered a continuation of the previous line (even if the previous line is a comment) and the single leading space is removed. Entries are separated by blank lines.
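The three LDIF line rules just stated, as an added example that is not part of the original notes: a small reader that drops comments, joins continuation lines with exactly one leading space removed (so a continued comment stays a comment), and splits entries on blank lines. The LDIF text is constructed; base64 ('::') and URL ('<') values are out of scope.

```python
# Added example (not from the original notes): a reader for the LDIF line rules above:
# '#' lines are comments, a leading space continues the previous line (even a comment)
# with that one space removed, blank lines separate entries. Text is constructed.
def unfold_ldif(text: str) -> list[list[str]]:
    """Return entries as lists of logical lines, continuations joined, comments dropped."""
    entries, current, logical = [], [], None
    def flush():
        nonlocal logical
        if logical is not None and not logical.startswith("#"):
            current.append(logical)
        logical = None
    for raw in text.splitlines():
        if raw.startswith(" "):          # continuation: append with the one space removed
            if logical is not None:
                logical += raw[1:]
            continue
        flush()
        if raw == "":                    # blank line ends the current entry
            if current:
                entries.append(current)
                current = []
            continue
        logical = raw
    flush()
    if current:
        entries.append(current)
    return entries

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Turn unfolded lines into {attribute: [values]} per entry (names kept as written)."""
    parsed = []
    for lines in unfold_ldif(text):
        entry: dict[str, list[str]] = {}
        for line in lines:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        parsed.append(entry)
    return parsed

SAMPLE = """# constructed sample
 this continues the comment and is ignored too
dn: cn=tom,ou=animals,dc=mydomain,dc=org
description: a long value that
  wraps onto a second line

dn: ou=animals,dc=mydomain,dc=org
ou: animals
"""
```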
