快速掌握LDAP系统管理员必备指南

需积分: 9 149 浏览量更新于2024-07-28 收藏 6.74MB PDF 举报

"LDAP System Administration" 是由 Gerald Carter 所著的一本专业书籍，由 O'Reilly 出版，发行日期为2003年3月。这本书的ISBN号码是1-56592-491-6，共有308页。该书旨在帮助读者成为目录服务管理的专家，无论他们正在使用哪种LDAP版本。对于那些初次接触LDAP系统的人来说，这是一本极具价值的指南。书中详尽阐述了如何快速上手并掌握 LDAP（Lightweight Directory Access Protocol）系统的行政管理工作。通过阅读本书，即使没有先前的LDAP经验，读者也能学会如何将目录服务器整合到关键的网络服务中，如邮件系统（Mail）、域名系统（DNS）、超文本传输协议（HTTP）以及共享文件夹协议（SMB/CIFS）。这使得目录服务能够有效地支撑企业的身份管理和数据存储，提升网络的整体效率和安全性。《LDAP System Administration》的结构清晰，包括目录索引、读者评论和可能存在的错误列表（Errata），方便读者查找所需信息并确保获取准确无误的知识。这本书不仅适合系统管理员，也对IT专业人士在设计和维护企业级目录服务时提供了实用的参考。对于希望通过深入了解和实践来提升自身技能的专业人士来说，这本书无疑是宝贵的资源。

[ Team LiB ]

•

Table of Contents

•

Index

•

Reviews

•

Reader Reviews

•

Errata

LDAP System Administration

Gerald Carter

Publisher

: O'Reilly

Pub Date

: March 2003

ISBN

: 1-56592-491-6

Pages

: 308

If you want to be a master of your domain,

LDAP System Administration

will help you get up and running quickly

regardless of which LDAP version you use. After reading this book, even with no previous LDAP experience, you'll

be able to integrate a directory server into essential network services such as mail, DNS, HTTP, and SMB/CIFS.

[ Team LiB ]

LDAP is not a generalized replacement for specialized directories such as filesystems or DNS.

While storing certain types of binary information (e.g., JPEG photos) in directories can be useful, LDAP is not

intended for storing arbitrary "blobs" (Binary Lumps of Bits).

What about storing individual application settings for roaming users on an LDAP server? It is a judgment call

whether this is better served by a filesystem or a directory. For example, it is possible to store basic application

settings for Netscape Communicator in LDAP. Such things as an address book, a bookmarks file, and personal

preference settings are certainly appropriate for storage in a directory. However, using your directory as a location

for browser cache files would violate rule #2.

1.2.3 Access Protocol

All of this talk of directory services makes it is easy to forget that LDAP is a protocol. It is not uncommon to hear

someone refer to an LDAP server or LDAP tree. I have done so and will continue to do so. LDAP does provide a

treelike view of data, and it is this treelike view to which people refer when speaking of an LDAP server.

This introduction won't go into the specifics of the actual protocol. It is enough to think of LDAP as the message-

based, client/server protocol defined in

RFC 2251. LDAP is asynchronous (although many development kits provide

both blocking and nonblocking APIs), meaning that a client may issue multiple requests and that responses to

those requests may arrive in an order different from that in which they were issued. Notice in

Figure 1-3

that the

client sends Requests 1 and 2 prior to receiving a response, and the response to Request 3 is returned before the

response to Request 2.

Figure 1-3. LDAP requests and responses

More aspects of programming with LDAP operations will be covered in

Chapter 10

[ Team LiB ]

•

Table of Contents

•

Index

•

Reviews

•

Reader Reviews

•

Errata

LDAP System Administration

Gerald Carter

Publisher

: O'Reilly

Pub Date

: March 2003

ISBN

: 1-56592-491-6

Pages

: 308

If you want to be a master of your domain,

LDAP System Administration

will help you get up and running quickly

regardless of which LDAP version you use. After reading this book, even with no previous LDAP experience, you'll

be able to integrate a directory server into essential network services such as mail, DNS, HTTP, and SMB/CIFS.

[ Team LiB ]

1.3 LDAP Models

LDAP models represent the services provided by a server, as seen by a client. They are abstract models that

describe the various facets of an LDAP directory.

RFC 2251 divides an LDAP directory into two components: the

protocol model and the data model. However, in

Understanding and Deploying LDAP Directory Services

, by

Timothy A. Howes, Mark C. Smith, and Gordon S. Good (MacMillan), four models are defined:

Information model

The information model provides the structures and data types necessary for building an LDAP directory tree.

An entry is the basic unit in an LDAP directory. You can visualize an entry as either an interior or exterior

node in the Directory Information Tree (DIT). An entry contains information about an instance of one or

objectClass

es. These

objectClass

es have certain required or optional attributes. Attribute types

have defined encoding and matching rules that govern such things as the type of data the attribute can hold

and how to compare this data during a search. This information model will be covered extensively in the

next chapter when we examine LDAP schema.

Naming model

The naming model defines how entries and data in the DIT are uniquely referenced. Each entry has an

attribute that is unique among all siblings of a single parent. This unique attribute is called the relative

distinguished name (RDN). You can uniquely identify any entry within a directory by following the RDNs of

all the entries in the path from the desired node to the root of the tree. This string created by combining

RDNs to form a unique name is called the node's distinguished name (DN).

Figure 1-4

, the directory entry outlined in the dashed square has an RDN of

cn=gerald carter

. Note that the

attribute name as well as the value are included in the RDN. The DN for this node would be

cn=gerald

carter,ou=people, dc=plainjoe,dc=org

Functional model

The functional model is the LDAP protocol itself. This protocol provides the means for accessing the data in

the directory tree. Access is implemented by authentication operations (bindings), query operations

(searches and reads), and update operations (writes).

Security model

The security model provides a mechanism for clients to prove their identity (authentication) and for the

server to control an authenticated client's access to data (authorization). LDAPv3 provides several

authentication methods not available in previous protocol versions. Some features, such as access control

lists, have not been standardized yet, leaving vendors to their own devices.

Figure 1-4. Example LDAP directory tree

At this high level, LDAP is relatively simple. It is a protocol for building highly distributed directories. In the next

chapter, we will examine certain LDAP concepts such as schemas, referrals, and replication in much more depth.

[ Team LiB ]

•

Table of Contents

•

Index

•

Reviews

•

Reader Reviews

•

Errata

LDAP System Administration

Gerald Carter

Publisher

: O'Reilly

Pub Date

: March 2003

ISBN

: 1-56592-491-6

Pages

: 308

If you want to be a master of your domain,

LDAP System Administration

will help you get up and running quickly

regardless of which LDAP version you use. After reading this book, even with no previous LDAP experience, you'll

be able to integrate a directory server into essential network services such as mail, DNS, HTTP, and SMB/CIFS.

[ Team LiB ]

2.1 LDIF

Most system administrators prefer to use plain-text files for server configuration information, as opposed to some

binary store of bits. It is more comfortable to deal with data in vi, Emacs, or notepad than to dig though raw bits

and bytes. Therefore, it seems fitting to begin an exploration of LDAP internals with a discussion of representing

directory data in text form.

The

LDAP Interchange Format (LDIF), defined in RFC 2849, is a standard text file format for storing LDAP

configuration information and directory contents. In its most basic form, an LDIF file is:

A collection of entries separated from each other by blank lines

A mapping of attribute names to values

A collection of directives that instruct the parser how to process the information

The first two characteristics provide exactly what is needed to describe the contents of an LDAP directory. We'll

return to the third characteristic when we discuss modifying the information in the directory in

Chapter 4

LDIF files are often used to import new data into your directory or make changes to existing data. The data in the

LDIF file must obey the schema rules of your LDAP directory. You can think of the schema as a data definition for

your directory. Every item that is added or changed in the directory is checked against the schema for correctness.

schema violation

occurs if the data does not correspond to the existing rules.

Figure 2-1

shows a simple directory information tree. Each entry in the directory is represented by an entry in the

LDIF file. Let's begin with the topmost entry in the tree labeled with the distinguished name (DN)

dc=plainjoe,dc=org

# LDIF listing for the entry dn: dc=plainjoe,dc=org

dn: dc=plainjoe,dc=org

objectClass: domain

dc: plainjoe

Figure 2-1. An LDAP directory tree

We can make a few observations about

LDIF syntax on the basis of this short listing:

Comments in an LDIF file begin with a

pound character (

) at position one and continue to the end of the

current line.

Attributes are listed on the lefthand side of the

colon (:), and values are presented on the righthand side. The

colon character is separated from the value by a space.

The

attribute uniquely identifies the

DN of the entry.

剩余262页未读，继续阅读

midnight123

粉丝: 0
资源: 1

快速掌握LDAP系统管理员必备指南

OpenLDAP-Admin-Guide.pdf open ldap 官网2.6.2 版本操作指南

LDAP入門LDAP入門LDAP入門

用sql语句的方式操作ldap

ldap实现登陆代码

java ldap增加用户

java连接ldap636端口案例

java ldap查询同名用户 代码

C#修改ldap用户密码

Java使用ldap API 实现添加数据

写 一个 Spring boot 集成 ldap 支持SSL 的demo

最新资源

java ldap查询同名用户代码

写一个 Spring boot 集成 ldap 支持SSL 的demo