Preface: the CA system I work on uses LDAP (the open-source OpenLDAP). Today, because work required it, I attended basic LDAP training, and I am writing these study notes to reinforce what I learned.
1, What directory services and LDAP are
A directory service is a special kind of database that holds descriptive, attribute-based information and supports filtering. A directory is dynamic, flexible, and extensible. Examples: personnel and organization management, phone books, address books.
LDAP: LDAP (Lightweight Directory Access Protocol) is the Lightweight Directory Access Protocol. It has several features:
1, it is a standard, extensible Internet protocol for accessing directory services.
2, it is based on the X.500 standard but simpler, more streamlined, and more scalable.
3, it is lightweight compared with some other communication protocols.
Information is stored centrally in the LDAP directory on the server. The data is held in a hierarchical tree structure. The information model is based on entries: an entry is a collection of attributes and has a globally unique DN (Distinguished Name) that identifies it uniquely. An entry is similar to a record in a database.
2, The difference between LDAP and relational databases
LDAP is a special kind of database that differs from a relational database; strictly speaking, LDAP is not a database at all but a protocol for accessing information stored in an information directory (the LDAP directory).
LDAP and relational databases are concepts at two different levels: the latter is a storage method (on the same level as network databases and object databases), while the former is a storage model and an access protocol. As a storage concept, LDAP sits at a higher level of abstraction than the relational database, on the same level as SQL, the query language of relational databases. In its most basic form, LDAP is a standard way of connecting to a database. The database is optimized for read queries, so LDAP reads perform better than writes: it returns query results very quickly, but other operations, such as updates, are much slower.
Just as Sybase, Oracle, Informix, or Microsoft database management systems (DBMS) are used to process queries and updates to relational databases, an LDAP server is used to process queries and updates to the LDAP directory. In other words, the LDAP directory is also a kind of database, but not a relational one. Unlike databases designed to handle hundreds of thousands of data changes per minute, LDAP is optimized mainly for read performance.
A directory is a specialized database whose characteristics differ from those of a relational database in the traditional sense:
1, users read the directory far more often than they update it, so a directory is suited to storing relatively static information.
2, a directory does not support a transaction mechanism.
3, the information access mechanism is different: most relational databases support standardized access through SQL, while an LDAP directory is accessed through simple, optimized access methods.
3, The LDAP models
LDAP comprises an information model, a naming model, a functional model, and a security model.
Information model: entries are organized in a hierarchical tree; an entry is a collection of attributes with a unique distinguished name (DN). For example, the structure of a data table, or how a record is stored, belongs to the information model.
Naming model: how data is organized and defined, and how entries are arranged into the tree structure, for example by geographical location or by organizational department.
Functional model: the functional model is the set of methods a directory client uses to communicate with the directory.
LDAP provides 10 operations in the following four categories:
– Query operations, such as search and compare;
– Update operations, such as adding entries, deleting entries, modifying entries, and modifying entry names;
– Authentication operations, which perform client authentication and access control against the directory (the bind operation Bind and the unbind operation Unbind);
– Extended operations, such as abandon and extended operations.
• Apart from the extended operations, the others are standard LDAP operations; extended operations are a standard extension framework that LDAP provides for adding new functionality, and different LDAP vendors define their own extended operations.
Security model: the security model provides a way to authenticate against the directory and to authorize clients, controlling their access to the directory.
The security model consists of the following two components:
• Authentication using LDAP
• Access Control (ACL) for objects in the directory
LDAP authentication means binding to an entity on the LDAP server. The success or failure of the bind operation depends on whether the entity's credentials are accepted or rejected. If the bind succeeds, the entity is authenticated; if it fails, the entity is not. Once authenticated, the client can use the LDAP directory only as defined in the directory's access control list (ACL). How ACLs are implemented in the LDAP directory is implementation dependent. LDAP authentication is designed specifically to protect directory transactions. Using LDAP authentication for purposes other than LDAP directory access can cause performance problems, because the LDAP directory service is not designed to handle a large volume of authentication requests; it is well suited to directory transaction processing.
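As an added example (not part of the original notes, and not OpenLDAP code), the following Python toy models the three models discussed above in one place: the information model (entries keyed by DN in a tree), the functional model (bind and search) and the security model (an ACL applied to what a bound client may read). The LDIF entries, DNs and passwords are constructed sample data, and the ACL is an assumed toy policy.

```python
import hashlib, hmac
def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries into {dn: {attr: [values]}}."""
    directory = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        directory[attrs.pop("dn")[0].lower()] = attrs  # DN is the unique key
    return directory
def pw_hash(secret):  # {SCHEME}digest form, as LDAP servers store userPassword
    return "{SHA256}" + hashlib.sha256(secret.encode()).hexdigest()

# Constructed sample tree: dc=example,dc=com -> ou=people -> two person entries.
SAMPLE_LDIF = f"""dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
mail: alice@example.com
userPassword: {pw_hash('s3cret')}

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
mail: bob@example.com
userPassword: {pw_hash('hunter2')}
"""
DIRECTORY = parse_ldif(SAMPLE_LDIF)

def allowed(bound_dn, entry_dn, attr):
    """Toy ACL (assumed): anonymous reads nothing; a bound user reads all but others' userPassword."""
    return bound_dn is not None and (attr != "userPassword" or bound_dn == entry_dn)

def bind(dn, password):
    """Simple bind: the bound DN on success, None (still anonymous) on failure."""
    entry = DIRECTORY.get(dn.lower())
    stored = entry.get("userPassword", [""])[0] if entry else ""
    return dn.lower() if hmac.compare_digest(stored, pw_hash(password)) else None

def search(bound_dn, base, attr, value):
    """Subtree search for (attr=value) under base, returning only ACL-visible attrs."""
    base, hits = base.lower(), {}
    for dn, attrs in DIRECTORY.items():
        if (dn == base or dn.endswith("," + base)) and value in attrs.get(attr, []):
            visible = {a: v for a, v in attrs.items() if allowed(bound_dn, dn, a)}
            if visible:
                hits[dn] = visible
    return hits
```

An anonymous client (a failed or absent bind) gets an empty result even when entries match the filter, which is the ACL doing its job rather than the search failing.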
4, Where is LDAP used?
The following kinds of data are suitable for storage in a directory server:
1, data that is read frequently and changed rarely;
2, data that is naturally represented as a set of attributes;
3, data that needs to be shared among multiple users;
4, data that needs to be accessed from different locations, such as user information, device information, and address information.
Conversely, data that changes frequently, is very large in volume, or is poorly structured is not suited to a directory server; documents and reports, for example, cannot be expressed as attribute collections.
LDAP applications fall mainly into the following categories:
Information security: digital certificate management (such as storing the CA certificate subject DN), authorization management, single sign-on;
Scientific computing: DCE (Distributed Computing Environment), UDDI (Universal Description, Discovery and Integration);
Network resource management: mail systems, DNS systems, network user management, telephone directories;
e-Government resource management: intranet organization information services, e-government directory systems, population base databases, legal-person base databases.