
1. Basic knowledge of LDAP

2025-02-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

1. Concept:

A directory service is a specialised distributed database optimised for querying, browsing and searching. It organises data in a tree structure, much like the file system directory tree on a Linux/Unix system. Unlike a relational database, a directory database has excellent read performance but poor write performance, and it lacks features such as transaction processing and rollback, so it is not suited to storing frequently modified data.

LDAP is the abbreviation of Lightweight Directory Access Protocol.

2. Features:

1. LDAP uses a tree structure to represent data.

2. LDAP follows the C/S (client/server) model: the server stores the data, and the client provides the tools to manipulate the directory information tree.

3. LDAP has excellent read performance, but poor write performance.

4. LDAP is a cross-platform Internet standard: client programs on any computer platform can access an LDAP directory.

3. Function:

1. An LDAP directory service effectively solves the problem of managing user accounts across many network services.

2. An LDAP directory service provides a unified identity information database, a unified authentication mechanism and interface, realises unified management of resources and information, and ensures the consistency and integrity of the data.

3. An LDAP directory service describes data in a tree-like hierarchical structure, which fits the business organisation structure of many industry applications.

4. Common terms:

(1) entry (Entry):

An entry is the object that the directory manages and the most basic unit of operation in LDAP. LDAP add, delete, modify and search operations are usually carried out on entries.

Each entry has a unique distinguished name (DN).

DN: each entry has a unique distinguished name (Distinguished Name, DN), for example cn=employee1,ou=department1,dc=com is an entry. The hierarchical syntax of the DN makes it easy to indicate the entry's position in the LDAP tree, and the DN is usually used for retrieval.

RDN: generally the part of the DN to the left of the first comma, such as cn=employee1.

Base DN: the top of the LDAP directory tree is the root, known as the "Base DN", such as "dc=company1,dc=org".
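To make the DN, RDN and Base DN terms above concrete, here is an added example (not code from the original post) that splits a DN into its components the way the post describes: the RDN is the leftmost comma-separated part, the parent DN is the rest, and the Base DN is the trailing run of dc= components. The DNs used are constructed sample values; an escaped comma written as "\," is treated as part of a value rather than a separator.

```python
"""Splitting an LDAP distinguished name (DN) into RDN, parent DN and base DN.

Added example, not code from the original post. Sample DNs are constructed.
"""


def split_dn(dn: str) -> list:
    """Split a DN into its RDN components, left to right, honouring "\\," escapes."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # keep the escape pair intact so the value is not altered
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def rdn(dn: str) -> str:
    """The leftmost component: it names the entry within its parent."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the RDN: the DN of the entry one level up the tree."""
    return ",".join(split_dn(dn)[1:])


def base_dn(dn: str) -> str:
    """The trailing run of dc= components, i.e. the root (Base DN) of the tree."""
    base = []
    for part in reversed(split_dn(dn)):
        if part.lower().startswith("dc="):
            base.insert(0, part)
        else:
            break
    return ",".join(base)


def _normalize(dn: str) -> list:
    """Lower-case attribute types so cn=x and CN=x compare equal."""
    out = []
    for part in split_dn(dn):
        typ, _, val = part.partition("=")
        out.append(typ.strip().lower() + "=" + val.strip())
    return out


def is_under(dn: str, base: str) -> bool:
    """True when dn lies at or below base in the tree."""
    d, b = _normalize(dn), _normalize(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    sample = "cn=employee1,ou=department1,dc=company1,dc=org"  # constructed
    print("RDN:    ", rdn(sample))
    print("parent: ", parent_dn(sample))
    print("base DN:", base_dn(sample))
```

A check like is_under is what an application should apply before trusting a DN returned by a search: an entry whose DN does not sit under the expected Base DN was not found where the application thinks it was.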

(2) attribute (Attribute):

Each entry can have many attributes, such as name, address, telephone number, and so on. Each attribute has a name and a corresponding value, and an attribute may have a single value or multiple values, for example when you have several mailboxes.

Attributes cannot be defined arbitrarily; they must conform to rules that are set through the schema. The schema file is included from the LDAP server's configuration file.

For example, if inetorgperson.schema is not included in the configuration, you cannot give an entry the employeeNumber attribute, because employeeNumber is defined in inetorgperson.schema.

LDAP defines attributes (such as commonName, surname) for objects that are common in human organisations. Some common attributes and their aliases:

Attribute               Alias   Syntax             Description         Value (example)
commonName              cn      Directory String   name                test
surname                 sn      Directory String   surname             chen
organizationalUnitName  ou      Directory String   department name     IT
organization            o       Directory String   company name        org
telephoneNumber                 Telephone Number   phone number        110
objectClass                                        built-in attribute  organizationalPerson

(3) object class ObjectClass:

An object class is a collection of attributes. For example, person contains attributes such as surname (sn), common name (cn), telephone (telephoneNumber) and password (userPassword), while organizationalPerson is a subclass of person: in addition to the attributes above, it also contains attributes such as position (title), postal code (postalCode), postal address (postalAddress) and so on.

The type of an entry is defined through its object classes. Each entry can directly inherit from multiple object classes and so inherits all of their attributes. If two object classes define the same attribute, the entry keeps only one copy of it. The object class also specifies which attributes are basic information that must be present (Must or Required, necessary attributes) and which are extended information that may be present (May or Optional, optional attributes).

There are three kinds of object classes: structural (Structural), abstract (Abstract) and auxiliary (Auxiliary).

Object classes can themselves inherit from one another, and the root of the hierarchy is the abstract object class top. Taking the common person classes as an example, their inheritance relationship is as follows:

Note that when an object class inherits, it also inherits whether each attribute is Must or May. In other words, person has two Must attributes, cn and sn, and organizationalPerson and inetOrgPerson have these same two Must attributes because they directly or indirectly inherit from person.

The following is the definition of the inetOrgPerson object class in the schema. You can clearly see its parent class (SUP), its optional attributes (MAY) and its required attributes (MUST, inherited from organizationalPerson); the syntax of each attribute is defined by an attributetype in the schema.

(4) Schema

The object class (ObjectClass), the attribute type (AttributeType) and the syntax (Syntax) define entries, attributes and values respectively; the relationship between them is shown in the following figure.

Together these make up the schema, a collection of object classes. Entry data is usually checked against the schema when it is imported, which ensures that all entries in the directory have a consistent structure.

Schema files (usually in the /etc/ldap/schema/ directory) must be included in the correct order, because a schema may refer to definitions from the schemas included before it.
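The following is an added example (not code from the original post) of the schema check described above and of the Must/May inheritance rule from the object class section: an entry's object classes are expanded along the top -> person -> organizationalPerson -> inetOrgPerson chain, the MUST and MAY attributes of every ancestor are collected, and the entry is rejected if a MUST attribute is missing or an attribute is not permitted by any of its classes. The SCHEMA table is a constructed, trimmed subset of the classes and attributes the post names; a real server loads these definitions from its schema files, and the two entries are constructed sample records in the shape of parsed LDIF.

```python
"""Schema checking on import: object class inheritance with MUST/MAY.

Added example, not code from the original post. SCHEMA is a constructed subset
of the real classes; sample entries are constructed.
"""

# Each class: (parent, MUST attributes, MAY attributes). Attribute names are
# compared case-insensitively, as LDAP does.
SCHEMA = {
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"cn", "sn"},
               {"userPassword", "telephoneNumber", "description"}),
    "organizationalPerson": ("person", set(),
                             {"title", "postalCode", "postalAddress", "ou"}),
    "inetOrgPerson": ("organizationalPerson", set(),
                      {"mail", "employeeNumber", "givenName", "uid"}),
}


def class_chain(name: str) -> list:
    """Return the class and all its ancestors, e.g. inetOrgPerson ... top."""
    chain = []
    while name is not None:
        if name not in SCHEMA:
            raise ValueError("unknown object class: " + name)
        chain.append(name)
        name = SCHEMA[name][0]
    return chain


def allowed_attributes(object_classes) -> tuple:
    """Collect MUST and MAY across the entry's classes and their ancestors."""
    must, may = set(), set()
    for oc in object_classes:
        for cls in class_chain(oc):
            _, m, o = SCHEMA[cls]
            must |= {a.lower() for a in m}
            may |= {a.lower() for a in o}
    # an attribute that is MUST in one class and MAY in another stays MUST
    return must, may - must


def check_entry(entry: dict) -> list:
    """Return the sorted list of schema violations; an empty list means valid.

    entry maps attribute names to lists of values, like a parsed LDIF record.
    """
    present = {k.lower(): v for k, v in entry.items()}
    classes = present.get("objectclass", [])
    if not classes:
        return ["entry has no objectClass"]
    try:
        must, may = allowed_attributes(classes)
    except ValueError as err:
        return [str(err)]
    problems = []
    for attr in must:
        if not present.get(attr):
            problems.append("missing MUST attribute: " + attr)
    for attr in present:
        if attr != "dn" and attr not in must and attr not in may:
            problems.append("attribute not allowed by object classes: " + attr)
    return sorted(problems)


# Constructed sample entries.
VALID_ENTRY = {
    "dn": ["cn=employee1,ou=department1,dc=company1,dc=org"],
    "objectClass": ["inetOrgPerson"],
    "cn": ["employee1"], "sn": ["chen"],
    "telephoneNumber": ["110"], "employeeNumber": ["1001"],
}
# Only person is declared: sn is missing, and employeeNumber belongs to
# inetOrgPerson, so the import is rejected (the post's employeeNumber case).
INVALID_ENTRY = {
    "dn": ["cn=employee2,ou=department1,dc=company1,dc=org"],
    "objectClass": ["person"],
    "cn": ["employee2"], "employeeNumber": ["1002"],
}

if __name__ == "__main__":
    print("valid entry:  ", check_entry(VALID_ENTRY))
    print("invalid entry:", check_entry(INVALID_ENTRY))
```

Because every class in the chain contributes its MUST set, adding objectClass: inetOrgPerson to an entry never relaxes the cn and sn requirements inherited from person; it only widens the MAY set.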

5. TLS & SASL

By default, LDAP sends data over the network in plaintext, including the password the client uses to bind to the LDAP server (the password stored in the directory is generally already in hashed/binary form). The SSL/TLS encryption protocol ensures the confidentiality and integrity of the data in transit.

SASL (Simple Authentication and Security Layer) is a simple authentication security framework. It provides user authentication between the OpenLDAP client and server, and the standard client tools such as ldapsearch and ldapmodify try to authenticate to the LDAP server through SASL by default (provided that Cyrus SASL is installed).

SASL has several widely used mechanisms: Kerberos V5, DIGEST-MD5, EXTERNAL, PLAIN and LOGIN.

Kerberos V5 is the most complex one. Using the GSSAPI mechanism, you must configure a complete Kerberos V5 security system; passwords are no longer stored in the directory server, and each DN corresponds to a principal in the Kerberos database. DIGEST-MD5 is a little simpler: the password is generated by saslpasswd2 and placed in the sasldb database, or a plaintext hash is stored in the userPassword attribute of the LDAP DN, and each authid is mapped to a DN in the directory server. It is often used together with SSL. Refer to configuring the LDAP client to use security.

# rpm -ql cyrus-sasl.x86_64 (check whether Cyrus SASL is installed)
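To show why the plaintext transmission described above matters, here is an added example (not code from the original post) that BER-encodes an LDAPv3 BindRequest with the "simple" authentication choice, byte for byte as it would be written to the socket, so the password can be seen sitting in the message. It also encodes the StartTLS ExtendedRequest a client sends first when it wants the subsequent bind protected by TLS. The DN, password and message ids are constructed sample values; the tag values and the StartTLS OID (1.3.6.1.4.1.1466.20037) are those of the LDAP protocol itself.

```python
"""Why LDAP needs TLS: a simple-bind request carries the password in the clear.

Added example, not code from the original post. DN, password and message ids
are constructed sample values.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form at 128 and above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    """INTEGER for small non-negative values (message ids, protocol version)."""
    if not 0 <= value < 0x80:
        raise ValueError("only small non-negative integers are handled here")
    return tlv(0x02, bytes([value]))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }."""
    bind_request = (
        ber_integer(3)                      # version
        + tlv(0x04, dn.encode())            # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode())      # AuthenticationChoice simple [0]
    )
    # 0x60 = [APPLICATION 0] constructed, 0x30 = SEQUENCE (the LDAPMessage)
    return tlv(0x30, ber_integer(message_id) + tlv(0x60, bind_request))


def encode_starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }."""
    # 0x77 = [APPLICATION 23] constructed, 0x80 = requestName [0]
    return tlv(0x30, ber_integer(message_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def password_in_clear(packet: bytes, password: str) -> bool:
    """True when the bind password appears verbatim in the encoded message."""
    return password.encode() in packet


if __name__ == "__main__":
    pkt = encode_simple_bind(1, "cn=admin,dc=company1,dc=org", "s3cret")  # constructed
    print(pkt.hex())
    print("password visible on the wire:", password_in_clear(pkt, "s3cret"))
    print("StartTLS request:", encode_starttls_request(2).hex())
```

Without TLS, anything that can read the connection reads the bind password exactly as this encoding shows; the StartTLS request (or an ldaps:// connection) is what moves the bind under encryption, which is why the OpenLDAP client tools offer a require-TLS option (ldapsearch -ZZ) and why DIGEST-MD5 is described above as usually combined with SSL.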

This article refers to:

https://segmentfault.com/a/1190000002607140

http://407711169.blog.51cto.com/6616996/1439623
