If you are new to LDAP, you have probably already read many LDAP tutorials. This one may not be very good, but it is the most plainly written.
DN: the location of a record
DC: the domain (region) a record belongs to
OU: the organizational unit a record belongs to
CN/UID: the name/ID of a record
In fact, I simply think of it as a database. Comparing it with MySQL, which I know very well, usually helps me understand it better:
MySQL stores data in tables; LDAP stores data in a tree.
MySQL needs three things to pin down a record: the database, the table, and the row.
LDAP is freer. Why? Because LDAP data is a tree, and a tree can be extended without limit. How do you tell the gardener where a particular apple (a record) sits on the tree? First you name the tree (dc, the equivalent of a MySQL database), then every fork along the way (ou; MySQL has nothing like this), and finally the apple's name (cn or uid; remember how, when we design a MySQL table, we add an "id" field to make management easier?). Now we can state the apple's location exactly: the east side of the tree, the branch on the west side of that, the branch on the north side of that, and the half-red, half-green apple on it... Dizzy? Just climb up and look! Here is how LDAP writes the location of that entry: the tree (dc=waibo, dc=com), the forks (ou=bei, ou=xi, ou=dong), and the apple (cn=honglv). So the location is:
dn: cn=honglv,ou=bei,ou=xi,ou=dong,dc=waibo,dc=com
A famous painter said: "There are no two identical eggs in the world." Of course there are no two identical apples either; likewise, no two entries in LDAP can have the same DN.
The principle for filling in LDAP data
A tree grows gradually. If a fork has not grown yet, no apple can grow on it (Q: Do apples really grow on forks? A: For ease of understanding, assume they do.) In the same way, an LDAP database must be filled in step by step. Take a school database as an example: we want to put a large student archive into LDAP, which roughly requires the following:
---------------------------------------------
1. Create the "root" by editing slapd.conf. Since the purpose here is understanding, I will skip the exact steps; this is the step that establishes "dc=ourschool,dc=org". Note: I think of it as a "directory" or "container", or even as a special kind of file (an apple). Anyone familiar with Linux file systems will find this easy.
2. Create the 18 departments: "dn: ou=computer,dc=ourschool,dc=org", "dn: ou=film,dc=ourschool,dc=org", ...
3. Of course, each department then needs its majors, such as "dn: ou=linux,ou=computer,dc=ourschool,dc=org", ...
4. (Now the apples start to grow!) Add the students: "dn: cn=Stan,ou=linux,ou=computer,dc=ourschool,dc=org", ...
5. Is it done? Right! There are no student details yet! But first, let's look at how a record is written.
LDAP record details
dn: cn=Stan,ou=linux,ou=computer,dc=ourschool,dc=org
objectClass: organizationalPerson
cn: Stan
cn: knife
sn: knife
description: a good boy
(The above is one record. If you save it as an LDIF file, you can import it into the LDAP database.)
Didn't I say there were no student details yet? If you are impatient you can write one out right away, but it has not been imported into LDAP; that comes later. First, let me answer some questions.
---------------------------------------------
Q1: Isn't "cn" already defined in the DN? Why is it defined again below? A: Treat "cn=Stan,ou=linux,ou=computer,dc=ourschool,dc=org" as a whole. It is only the value of the DN attribute.
Q2: Why are there two "cn" lines after that? Which one prevails? A: Unlike ordinary databases, in LDAP each attribute can have multiple values. Isn't that nice? When you look for me in the school database, you only need to remember one of my CNs: you can find me with either "cn=Stan" or "cn=knife".
Q3: Are these attributes fixed? I can't even tell whether you are a man or a woman. A: I declare that I am male. LDAP places strict restrictions on the attributes of a record (which I don't much like): which attributes may be used, which may not be empty, which may have at most one value, and so on, are all decided for you. Fortunately, you do have the right to choose. For example, when storing student information this time, we declared "objectClass: organizationalPerson", so we may use all the attributes that the organizationalPerson class specifies, and it suits us well. Although this class has no "sex" attribute, you can stand in for it with an attribute you are not otherwise using.
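To make the rules above concrete (the step-by-step filling order, the multi-valued cn from Q2, and the object class restrictions from Q3), here is an added example in Python; it is not code from the original tutorial. It parses a small LDIF batch built from the school tree, keeps both cn values, and flags two things a real server would reject: an entry whose parent does not exist yet, and an objectClass missing a required attribute. The LDIF text and the tiny MUST table are constructed assumptions, not a full LDAP schema.

```python
import re
from collections import defaultdict
# Constructed sample: the school tree from the tutorial in proper LDIF syntax.
SAMPLE_LDIF = """\
dn: ou=computer,dc=ourschool,dc=org
objectClass: organizationalUnit
ou: computer

dn: ou=linux,ou=computer,dc=ourschool,dc=org
objectClass: organizationalUnit
ou: linux

dn: cn=Stan,ou=linux,ou=computer,dc=ourschool,dc=org
objectClass: organizationalPerson
cn: Stan
cn: knife
sn: knife
description: a good boy
"""
# Assumed minimal schema: the attributes each object class MUST carry.
MUST = {"organizationalperson": {"cn", "sn"}, "organizationalunit": {"ou"}}

def split_dn(dn):
    """Split a DN into its RDNs; a backslash-escaped comma does not split."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def parse_ldif(text):
    """Return [(dn, attrs)] with attrs mapping lowercase name -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):   # entries are blank-line separated
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())  # cn may repeat
        entries.append((attrs.pop("dn")[0], dict(attrs)))
    return entries

def check_ldif(text, suffix):
    """List problems: a parent not created yet, or a MUST attribute missing."""
    problems, known = [], {suffix.lower()}   # suffix = the root made in slapd.conf
    for dn, attrs in parse_ldif(text):
        parent = ",".join(split_dn(dn)[1:]).lower()
        if parent not in known:
            problems.append(f"{dn}: parent {parent!r} does not exist yet")
        for oc in attrs.get("objectclass", []):
            for need in sorted(MUST.get(oc.lower(), set()) - set(attrs)):
                problems.append(f"{dn}: objectClass {oc} requires {need}")
        known.add(dn.lower())
    return problems
```

Running check_ldif(SAMPLE_LDIF, "dc=ourschool,dc=org") returns an empty list because each entry's parent was added first; adding a student under an ou that was never created, or omitting sn, produces a problem line for each fault.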
How to get started with LDAP