HP UX Direry Server 1.4 Directory design overview, 1.3.1.1 Performing queries on directory entries, 1.3.1 About directory entries, 1.3.2 Distributing directory data, chaining

1.3.1 About directory entries

LDAP Data Interchange Format (LDIF) is a standard text-based format for describing directory entries. An entry consists of a number of lines in the LDIF file (also called a stanza), which contains information about an object, such as a person in the organization or a printer on the network.

Information about the entry is represented in the LDIF file by a set of attributes and their values. Each entry has an object class attribute that specifies the kind of object the entry describes and defines the set of additional attributes it contains. Each attribute describes a particular trait of an entry.

For example, an entry might be of object class organizationalPerson, indicating that the entry represents a person within an organization. This object class supports the givenname and telephoneNumber attributes. The values assigned to these attributes give the name and phone number of the person represented by the entry.

Directory Server also uses read-only attributes that are calculated by the server. These attributes are called operational attributes. The administrator can manually set operational attributes that can be used for access control and other server functions.

1.3.1.1 Performing queries on directory entries

Entries are stored in a hierarchical structure in the directory tree. LDAP supports tools that query the database for an entry and request all entries below it in the directory tree. The root of this subtree is called the base distinguished name, or base DN. For example, if performing an LDAP search request specifying a base DN of ou=people, dc=example,dc=com, then the search operation examines only the ou=people subtree in the dc=example,dc=com directory tree.

Not all entries are automatically returned in response to an LDAP search, however, because administrative entries (which have the ldapsubentry object class) are not returned by default with LDAP searches. Administrative object, for example, can be entries used to define a role or a class of service. To include these entries in the search response, clients need to search specifically for entries with the ldapsubentry object class. See “About roles” for more information about roles and “About class of service” for more information about class of service.

1.3.2 Distributing directory data

When various parts of the directory tree are stored in separate databases, the directory can process client requests in parallel, which improves performance. The databases can even be located on different machines to further improve performance.

Distributed data are connected by a special entry in a subtree of the directory, called a database link, which point to data stored remotely. When a client application requests data from a database link, the database link retrieves the data from the remote database and returns it to the client.

All LDAP operations attempted below this entry are sent to the remote machine. This method is called chaining.

Chaining is implemented in the server as a plug-in, which is enabled by default.

1.4 Directory design overview

Planning the directory service before actual deployment is the most important task to ensure the success of the directory. The design process involves gathering data about the directory requirements, such as environment and data sources, users, and the applications that use the directory. This information is integral to designing an effective directory service because it helps identify the arrangement and functionality required.

The flexibility of Directory Server means the directory design can be reworked to meet unexpected or changing requirements, even after the Directory Server is deployed.