11 LDAP Directory Server Administration

The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol that runs over TCP/IP. An LDAP server manages entries in a directory and makes the information available to users and applications across the network. An LDAP server can be used as a central repository of user information. When used in this way, an LDAP server plays the same role as the Network Information Service (NIS), also known as Yellow Pages (YP). Compared to NIS, an LDAP server offers the following advantages:

Scalability

An LDAP directory can scale to millions of entries without a significant loss of lookup performance.

Centralized management

An LDAP directory database can be used to centralize management of user related information, potentially easing the cost of administration and management of data. Directory-aware clients and tools can be used to make the data available to where it is needed.

Access control

The ability to modify an attribute can be controlled at the attribute level. Users can be allowed to modify noncritical information (such as their preferred login shell or mail forwarding address) on their own. Modifications to more sensitive information (such as UID, GID, or a user's home directory) can be restricted to authorized directory managers only.

Availability

You can set up multiple LDAP servers to make the data in the directory highly available. Through a process called replication, you can ensure that all LDAP servers hold identical copies of the directory. When you enable replication, a special account is created for this purpose. The LDAP servers bind to one another using this account and, through standard LDAP operations, propagate changes to the directory. Because that account can read every entry it replicates, protect its credentials and the connections between servers as carefully as you protect the directory manager's. For more information on LDAP directory replication, see the documentation for your specific Directory Server.
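The attribute-level control described under Access control above is where a directory that serves POSIX accounts is most often misconfigured. The following OpenLDAP (cn=config) access rules are an added example, not configuration from this manual or from the OpenLDAP project; the suffix dc=example,dc=com, the database entry olcDatabase={1}mdb and the administrator entry cn=diradmin,ou=Admins,dc=example,dc=com are assumed names. The first record is the weak form, the second the corrected one; the attribute that holds a mail forwarding address depends on the mail schema loaded, so only loginShell and gecos are shown as user-editable:

```ldif
# Added example: OpenLDAP access rules for a database of posixAccount entries.
# dc=example,dc=com, olcDatabase={1}mdb and cn=diradmin,... are assumed names.

# --- Weak: one catch-all rule ---------------------------------------------
# "by self write" on every attribute lets any user rewrite their own
# uidNumber, gidNumber or homeDirectory, e.g. set uidNumber to 0 and become
# root on every host that resolves accounts through the directory.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by * read

# --- Corrected: per-attribute rules, most specific first ------------------
# slapd stops at the first "to" clause whose target matches, so the
# sensitive attributes must appear before the catch-all.  cn=diradmin is an
# ordinary entry, not olcRootDN: the root DN bypasses these rules entirely.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=loginShell,gecos
  by self write
  by * read
olcAccess: {2}to attrs=uidNumber,gidNumber,homeDirectory
  by dn.exact="cn=diradmin,ou=Admins,dc=example,dc=com" write
  by * read
olcAccess: {3}to *
  by dn.exact="cn=diradmin,ou=Admins,dc=example,dc=com" write
  by * read
```

Apply only the second record, for example with ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif on the server itself, then verify with ldapwhoami and a test modification as an ordinary user that loginShell is writable and uidNumber is not. Continuation lines carry two leading spaces because LDIF strips exactly one when unfolding. "by * read" keeps anonymous NSS lookups working as they do with NIS; if every client binds, "by users read" removes anonymous enumeration of the account list.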

This chapter provides the following information:

Understanding the LDAP directory schema (Section : Understanding the LDAP Directory Schema)

Managing and Using the OpenLDAP directory server (Section : Managing and Using the OpenLDAP Directory Server)

See Section : Managing the LDAP Module for System Authentication for information on enabling user authorization using the LDAP Module for System Authentication.

Understanding the LDAP Directory Schema

The basic unit of information in an LDAP directory is called an entry. An entry is a collection of attribute and value pairs that describes something of interest, for example, a person, a company, or a printer. The attribute value is constrained by its type (binary, integer, case-insensitive string, and so on).

Entries are organized in a tree-like structure, as shown in Figure 64. Each entry in the directory tree is identified, or named, by a distinguished name (DN). A distinguished name consists of a sequence of relative distinguished names (RDNs). An RDN is one or more attribute/value pairs that uniquely distinguish an LDAP entry from its siblings in the directory tree. A DN is a hierarchical name similar to a file system pathname, and the RDN is similar to the file (or directory) name. In distinguished names, however, the most significant part of the name (the part associated with the root of the tree) is at the right end of the name and the least significant part is at the left end.
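The structure just described is easiest to see by taking a DN apart. The following Python program is an added example, not code from this manual or from any directory server; it parses the RFC 4514 string form of a DN (escaped commas, hex escapes, multi-valued RDNs joined with "+"), rebuilds it, and checks whether one name lies beneath another, the test an application should make before trusting a DN it received from a client. The sample DNs under dc=example,dc=com are constructed data, and the case-insensitive comparison in is_under is an assumption that holds for dc, ou and cn but not for every attribute's matching rule.

```python
"""Parse and compare LDAP distinguished names in RFC 4514 string form.

Added example for this chapter, not code from the manual or any directory
server product.  All DNs used here are constructed sample data.
"""
import string
from typing import List, Tuple

RDN = List[Tuple[str, str]]  # one RDN: one or more (attribute, value) pairs


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep, leaving backslash-escaped separators untouched."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # keep the escape pair intact
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve '\\,' style and '\\2C' hex escapes; hex pairs may spell UTF-8."""
    raw, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                raw.append(int(pair, 16))
                i += 3
            else:
                raw.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        raw.extend(ch.encode("utf-8"))
        i += 1
    return raw.decode("utf-8")


def _rstrip_unescaped(value: str) -> str:
    """Drop trailing spaces unless the last one is escaped ('\\ ')."""
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs of dn leftmost first; the last one is nearest the root."""
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            ava = ava.lstrip()                    # tolerate "dc=a, dc=b"
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, value = ava.split("=", 1)
            value = _unescape(_rstrip_unescaped(value.lstrip()))
            rdn.append((attr.strip().lower(), value))
        rdns.append(rdn)
    return rdns


def escape_value(value: str) -> str:
    """Escape an attribute value for string form (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for idx, ch in enumerate(value):
        if ch in '",+\\<>;' or (idx == 0 and ch == "#") or (ch == " " and idx in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def dn_to_string(rdns: List[RDN]) -> str:
    """Serialize RDNs back to string form (inverse of parse_dn)."""
    return ",".join("+".join(f"{a}={escape_value(v)}" for a, v in rdn) for rdn in rdns)


def parent_dn(dn: str) -> str:
    """The DN one level closer to the root ('' for a single-RDN name)."""
    return dn_to_string(parse_dn(dn)[1:])


def is_under(dn: str, base: str) -> bool:
    """True if dn is base or lies beneath it (case-insensitive: an assumption)."""
    def norm(name: str):
        return [sorted((a, v.casefold()) for a, v in rdn) for rdn in parse_dn(name)]
    d, b = norm(dn), norm(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    sample = "cn=Smith\\, John+uid=jsmith,ou=People,dc=example,dc=com"
    for depth, rdn in enumerate(reversed(parse_dn(sample))):   # root first
        print("  " * depth + "+".join(f"{a}={v}" for a, v in rdn))
```

Run stand-alone, the program prints the sample DN as an indented tree with dc=com at the top and the multi-valued leaf RDN cn=Smith, John+uid=jsmith at the bottom, which is the right-to-left significance the text describes. is_under is the check to apply when a client supplies a DN (for instance to a password-change or group-membership interface): compare parsed, normalized RDNs rather than doing a string suffix test, which an escaped comma or a differently cased suffix would defeat.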
