Reading Notes (LDAP)

Using OpenLDAP Software to provide directory services
 
 
What is a directory service?
A directory is a specialized database specifically designed for searching and browsing, in addition to supporting basic lookup and update functions.
Directories tend to contain descriptive, attribute-based information and support sophisticated filtering capabilities.
Directories are generally tuned to give quick response to high-volume lookup or search operations.
A directory holds descriptive, attribute-based information and supports sophisticated filtering. --> It is a special kind of database optimized for searching and browsing.
 
There are many different ways to provide a directory service. Different methods allow different kinds of information to be stored in the directory, place different requirements on how that information can be referenced, queried and updated, how it is protected from unauthorized access, etc.
Some directory services are local, providing service to a restricted context (e.g., the finger service on a single machine). Other services are global.
There are different ways to provide a directory service. The method chosen determines what information is stored, how it is accessed (referenced, queried, updated), and how it is protected from unauthorized access. Some services are local (for example the finger service on a single machine); others are global.
 
 
What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. It is a lightweight protocol for accessing directory services, specifically X.500-based directory services.
LDAP is the protocol for accessing directory services (in particular, directory services based on X.500).
 
What kind of information can be stored in the directory?
The LDAP information model is based on entries. An entry is a collection of attributes that has a globally-unique Distinguished Name (DN). The DN is used to refer to the entry unambiguously.
Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like "cn" for common name, or "mail" for email address. The syntax of the values depends on the attribute type. For example, a cn attribute might contain the value Babs Jensen. A mail attribute might contain the value "[email protected]".
The globally unique DN identifies an entry unambiguously.
 
How is the information arranged?
In LDAP, directory entries are arranged in a hierarchical tree-like structure.
In addition, LDAP allows you to control which attributes are required and allowed in an entry through the use of a special attribute called objectClass. The values of the objectClass attribute determine the schema rules the entry must obey.
Hierarchical tree structure.
 
How is the information referenced?
An entry is referenced by its distinguished name, which is constructed by taking the name of the entry itself (called the Relative Distinguished Name or RDN) and concatenating the names of its ancestor entries.
 
 
How is the information accessed?
LDAP defines operations for interrogating and updating the directory. Operations are provided for adding and deleting an entry from the directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory to be searched for entries that match some criteria specified by a search filter. Information can be requested from each entry that matches the criteria.
 
How is the information protected from unauthorized access?
Some directory services provide no protection, allowing anyone to see the information. LDAP provides a mechanism for a client to authenticate, or prove its identity to a directory server.
 
 
How does LDAP work?
LDAP utilizes a client-server model. One or more LDAP servers contain the data making up the directory information tree (DIT). The client connects to a server and asks it a question. The server responds with an answer and/or with a pointer to where the client can get additional information (typically, another LDAP server). No matter which LDAP server a client connects to, it sees the same view of the directory; a name presented to one LDAP server references the same entry it would at another LDAP server. This is an important feature of a global directory service.
All the data in the directory together forms a DIT.
 
LDAP is a directory access protocol to an X.500 directory service, the OSI directory service.
LDAP is the protocol for accessing an X.500 directory service.
 
 
When should I use LDAP?
You should use a directory server when you require data to be centrally managed, stored and accessible via standards-based methods.
Some common examples found throughout the industry are, but are not limited to:
Machine Authentication
User Authentication
User/System Groups
Address book
Organization Representation
Asset Tracking
Telephony Information Store
User resource management
E-mail address lookups
Application Configuration store
PBX Configuration store
etc.
 
 
Access control
The default access control policy is to allow read by all clients. Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
The default access policy lets every client read. Whatever access control policy is defined, the rootdn always has every permission (auth, search, compare, read and write) and can read and write any information.
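As an added illustration (not text from the OpenLDAP guide quoted above), the following slapd.conf fragment writes out the default policy explicitly and places a tightened policy beside it; the suffix dc=example,dc=com and the attribute names are assumptions, and the rootdn keeps full rights regardless of either.

```conf
#### Default behaviour, written out explicitly: every client, including
#### anonymous ones, may read every attribute (passwords' hashes included).
access to *
    by * read

#### Tightened policy. Directives are evaluated in order and the first
#### matching "access to" clause wins, so the password rule comes first.
# userPassword: owners may change it, anonymous clients may only use it
# to bind (auth), nobody else may read or search it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else: owners may update their own entry, authenticated users
# may read, anonymous clients may only bind.
access to *
    by self write
    by users read
    by anonymous auth
```

Check the effect before deploying with an anonymous search against a known entry (for example with ldapsearch -x): under the tightened policy the search must return no attributes, not just hide userPassword.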
 
 
 
About the backend storage: Berkeley DB
OpenLDAP uses Berkeley DB as its backend storage.
OpenLDAP uses Berkeley DB concurrent / transactional database software. This is the same software used by leading commercial directory software.
 
[root@localhost ~]# rpm -qi db4
Berkeley 數據庫 (Berkeley DB) 是一個編程工具包。
它爲傳統的和客戶機/服務器程序提供嵌入的數據庫支持。Berkeley DB 包括 B+tree、擴展的線形散列、固定的和長短不同的記錄存取方法、事務、上鎖、記錄日誌、共享的內存緩存、以及數據庫恢復。Berkeley DB 支持 C、C++、Java、和 Perl API。它被許多程序使用,包括 Python 和 Perl,因此它應該在所有系統上安裝。
 
Berkeley DB is an embedded database system, not a conventional relational or object database. It does not support SQL and offers none of the advanced features usually found in databases, such as stored procedures and triggers.
Berkeley DB architecture
  Berkeley DB is known for having a much simpler architecture than database systems such as Microsoft SQL Server and Oracle. For example, it does not support network access: programs access the database through an in-process API. It supports neither SQL nor any other query language, and has no table structures or columns. The program accessing the database decides for itself how data is laid out in a record; Berkeley DB imposes no structure on the data in a record. Each record has exactly two parts, a key and a value, so in the Berkeley DB context a record is usually called a key/data pair. Both a record and its key can be up to 4 GB long.
  Despite this simple architecture, Berkeley DB supports many advanced database features, such as ACID transactions, fine-grained locking, an XA interface, hot backup and replication.
  Berkeley DB includes interfaces compatible with some classic Unix database programming libraries, including dbm, ndbm and hsearch.
 
 
 