User Management
604
SonicOS Enhanced 4.0 Administrator Guide
LDAP Terms
The following terms are useful when working with LDAP and its variants:
Schema – The schema is the set of rules, or structure, that defines the types of data that can be stored in a directory and how that data can be stored. Data is stored in the form of ‘entries’.
Active Directory (AD) – The Microsoft directory service, commonly used with Windows-based networking. Microsoft Active Directory is compatible with LDAP.
eDirectory – The Novell directory service, used for Novell NetWare-based networking. Novell eDirectory has an LDAP gateway that can be used for management.
Entry – The data that is stored in the LDAP directory. Entries are stored as ‘attribute’/value (or name/value) pairs, where the attributes are defined by ‘object classes’. A sample entry would be ‘cn=john’, where ‘cn’ (common name) is the attribute and ‘john’ is the value.
Object class – Object classes define the types of entries that an LDAP directory may contain. Sample object classes, as used by AD, would be ‘user’ or ‘group’. Microsoft Active Directory’s classes can be browsed at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/classes_all.asp
Object – In LDAP terminology, the entries in a directory are referred to as objects. For the purposes of the SonicOS implementation of the LDAP client, the critical objects are ‘User’ and ‘Group’ objects. Different implementations of LDAP refer to these object classes in different ways; for example, Active Directory refers to the user object as ‘user’ and the group object as ‘group’, while RFC2798 refers to the user object as ‘inetOrgPerson’ and the group object as ‘groupOfNames’.
Attribute – A data item stored in an object in an LDAP directory. Objects can have required attributes or allowed attributes. For example, the ‘dc’ attribute is a required attribute of the ‘dcObject’ (domain component) object.
dn – A ‘distinguished name’, which is a globally unique name for a user or other object. It is made up of a number of components, usually starting with a common name (cn) component and ending with a domain specified as two or more domain components (dc). For example, ‘cn=john,cn=users,dc=domain,dc=com’.
cn – The ‘common name’ attribute is a required component of many object classes throughout LDAP.
ou – The ‘organizational unit’ attribute is a required component of most LDAP schema implementations.
dc – The ‘domain component’ attribute is commonly found at the root of a distinguished name, and is commonly a required attribute.
TLS – Transport Layer Security is the IETF-standardized version of SSL (Secure Sockets Layer). TLS 1.0 is the successor to SSL 3.0.
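As an added example (not code from the SonicOS guide), the following Python takes apart a distinguished name of the layout given for dn above and escapes values before they are embedded in one, so that a comma inside a common name such as ‘Smith, John’ is not read as a component separator and does not move the entry elsewhere in the tree. The DNs it handles are constructed sample values.

```python
# Added example (not the SonicOS guide's own code): build and take apart LDAP DNs
# of the layout described above, e.g. 'cn=john,cn=users,dc=domain,dc=com'.
_SPECIAL = set(',+"\\<>;=')   # RFC 4514: must be backslash-escaped inside a value

def escape_dn_value(value):
    """Escape a value for embedding in a DN ('Smith, John' -> 'Smith\\, John')."""
    out = ''.join('\\' + c if c in _SPECIAL else c for c in value)
    if out[:1] in (' ', '#'):                    # leading space or '#'
        out = '\\' + out
    if value.endswith(' ') and len(value) > 1:   # trailing space
        out = out[:-1] + '\\ '
    return out

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):    # escaped char: take it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ',':                          # unescaped comma ends an RDN
            rdns.append(''.join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append(''.join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed RDN: {rdn!r}')
        pairs.append((attr.strip().lower(), value))
    return pairs

def parse_dn(dn):
    """Return leaf entry, containers and the domain spelled by the dc suffix."""
    pairs = split_dn(dn)
    n_dc = 0                                      # length of the trailing dc run
    while n_dc < len(pairs) and pairs[-1 - n_dc][0] == 'dc':
        n_dc += 1
    if n_dc < 2:
        raise ValueError('DN must end with two or more dc components')
    if any(a == 'dc' for a, _ in pairs[:-n_dc]):
        raise ValueError('dc component found outside the domain suffix')
    above = pairs[:-n_dc]
    return {'leaf': above[0] if above else None,
            'containers': [f'{a}={v}' for a, v in above[1:]],
            'domain': '.'.join(v for _, v in pairs[-n_dc:])}
```

parse_dn rejects names that lack the two-or-more dc suffix or place a dc component above it, which is a cheap sanity check before a DN taken from configuration or a directory response is used as a search base or bind name.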
Further Information on LDAP Schemas
Microsoft Active Directory: Schema information is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_reference.asp
RFC2798 InetOrgPerson: Schema definition and development information is available at http://rfc.net/rfc2798.html
RFC2307 Network Information Service: Schema definition and development information is available at http://rfc.net/rfc2307.html