You are previewing Understanding LDAP - Design and Implementation.
O'Reilly logo
Understanding LDAP - Design and Implementation

Book Description

Lightweight Directory Access Protocol (LDAP) is a fast-growing technology for accessing common directory information. LDAP has been embraced and implemented in most network-oriented middleware. As an open, vendor-neutral standard, LDAP provides an extendable architecture for centralized storage and management of information that needs to be available for today's distributed systems and services.

After a fast start, it can be assumed that LDAP has become the de facto access method for directory information, much the same as the Domain Name System (DNS) is used for IP address look-up on almost any system on an intranet and on the Internet. LDAP is currently supported in most network operating systems, groupware and even shrink-wrapped network applications.

This redbook was written for those readers who need to understand the basic principles and concepts of LDAP. Some background knowledge about heterogeneous, distributed systems is assumed and is highly beneficial when reading this book. Because this book is not meant to be an LDAP implementation guide, it does not contain product-related or vendor-specific information other than that used in examples.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. The team that wrote this redbook
    2. Become a published author
    3. Comments welcome
  4. Summary of changes
    1. June 2004, Second Edition
  5. Part 1 Directories and LDAP
  6. Chapter 1. Introduction to LDAP
    1. 1.1 Directories
      1. 1.1.1 Directory versus database
      2. 1.1.2 LDAP: Protocol or directory
      3. 1.1.3 Directory clients and servers
      4. 1.1.4 Distributed directories
    2. 1.2 Advantages of using a directory
    3. 1.3 LDAP history and standards
      1. 1.3.1 OSI and the Internet
      2. 1.3.2 X.500 the Directory Server Standard
      3. 1.3.3 Lightweight Access to X.500
      4. 1.3.4 Beyond LDAPv3
    4. 1.4 Directory components
    5. 1.5 LDAP standards
    6. 1.6 IBM’s Directory-enabled offerings
    7. 1.7 Directory resources on the Web
  7. Chapter 2. LDAP concepts and architecture
    1. 2.1 Overview of LDAP architecture
    2. 2.2 The informational model
      1. 2.2.1 LDIF
      2. 2.2.2 LDAP schema
    3. 2.3 The naming model
      1. 2.3.1 LDAP distinguished name syntax (DNs)
      2. 2.3.2 String form
      3. 2.3.3 URL form
    4. 2.4 Functional model
      1. 2.4.1 Query
      2. 2.4.2 Referrals and continuation references
      3. 2.4.3 Search filter syntax
      4. 2.4.4 Compare
      5. 2.4.5 Update operations
      6. 2.4.6 Authentication operations
      7. 2.4.7 Controls and extended operations
    5. 2.5 Security model
    6. 2.6 Directory security
      1. 2.6.1 No authentication
      2. 2.6.2 Basic authentication
      3. 2.6.3 SASL
      4. 2.6.4 SSL and TLS
  8. Chapter 3. Planning your directory
    1. 3.1 Defining the directory content
      1. 3.1.1 Defining directory requirements
    2. 3.2 Data design
      1. 3.2.1 Sources for data
      2. 3.2.2 Characteristics of data elements
      3. 3.2.3 Related data
    3. 3.3 Organizing your directory
      1. 3.3.1 Schema design
      2. 3.3.2 Namespace design
      3. 3.3.3 Naming style
    4. 3.4 Securing directory entries
      1. 3.4.1 Purpose
      2. 3.4.2 Analysis of security requirements
      3. 3.4.3 Design overview
      4. 3.4.4 Authentication design
      5. 3.4.5 Authorization design
      6. 3.4.6 Non-directory security considerations
    5. 3.5 Designing your server and network infrastructure
      1. 3.5.1 Availability, scalability, and manageability requirements
      2. 3.5.2 Topology design
      3. 3.5.3 Replication design
      4. 3.5.4 Administration
  9. Part 2 IBM Tivoli Directory Server overview and installation
  10. Chapter 4. IBM Tivoli Directory Server overview
    1. 4.1 Definition of ITDS
    2. 4.2 ITDS 5.2
    3. 4.3 Resources on ITDS
    4. 4.4 Summary of ITDS-related chapters
  11. Chapter 5. ITDS installation and basic configuration - Windows
    1. 5.1 Installable components
    2. 5.2 Installation and configuration checklist
    3. 5.3 System and software requirements
      1. 5.3.1 ITDS Client
      2. 5.3.2 ITDS Server (including client)
      3. 5.3.3 Web Administration Tool
    4. 5.4 Installing the server
      1. 5.4.1 Create a user ID for ITDS
      2. 5.4.2 Installing ITDS with the Installshield GUI
      3. 5.4.3 Configuring the Administrator DN and password
      4. 5.4.4 Configuring the database
      5. 5.4.5 Adding a suffix
      6. 5.4.6 Removing or reconfiguring a database
      7. 5.4.7 Enabling and disabling the change log
    5. 5.5 Starting ITDS
  12. Chapter 6. ITDS installation and basic configuration - AIX
    1. 6.1 Installable components
    2. 6.2 Installation and configuration checklist
    3. 6.3 System and software requirements
      1. 6.3.1 ITDS Client
      2. 6.3.2 ITDS Server (including client)
      3. 6.3.3 Web Administration Tool
    4. 6.4 Installing the server
      1. 6.4.1 Create a user ID for ITDS
      2. 6.4.2 Installing ITDS with the Installshield GUI
      3. 6.4.3 Configuring the Administrator DN and password
      4. 6.4.4 Configuring the database
      5. 6.4.5 Adding a suffix
      6. 6.4.6 Removing or reconfiguring a database
      7. 6.4.7 Enabling and disabling the change log
    5. 6.5 Starting ITDS
    6. 6.6 Uninstalling ITDS
  13. Chapter 7. ITDS installation and basic configuration on Intel Linux
    1. 7.1 Installable components
    2. 7.2 Installation and configuration checklist
    3. 7.3 System and software requirements
      1. 7.3.1 ITDS Client
      2. 7.3.2 ITDS Server (including client)
      3. 7.3.3 Web Administration Tool
    4. 7.4 Installing the server
      1. 7.4.1 Create a user ID for ITDS
      2. 7.4.2 Installing ITDS with the Installshield GUI
      3. 7.4.3 Configuring the Administrator DN and password
      4. 7.4.4 Configuring the database
      5. 7.4.5 Adding a suffix
      6. 7.4.6 Removing or reconfiguring a database
      7. 7.4.7 Enabling and disabling the change log
    5. 7.5 Starting ITDS
    6. 7.6 Quick installation of ITDS 5.2 on Intel (minimal GUI)
    7. 7.7 Uninstalling ITDS
    8. 7.8 Removing all vestiges of an ITDS 5.2 Install on Intel Linux
  14. Chapter 8. IBM Tivoli Directory Server installation - IBM zSeries
    1. 8.1 Installing LDAP on z/OS
      1. 8.1.1 Using the ldapcnf utility
      2. 8.1.2 Running the MVS jobs
      3. 8.1.3 Loading the schema
      4. 8.1.4 Enabling Native Authentication
    2. 8.2 Migrating data to LDAP on z/OS
      1. 8.2.1 Migrating LDAP server contents to z/OS
      2. 8.2.2 Moving RACF users to the TDBM space
  15. Part 3 In-depth configuration and tuning
  16. Chapter 9. IBM Tivoli Directory Server Distributed Administration
    1. 9.1 Web Administration Tool graphical user interface
    2. 9.2 Starting the Web Administration Tool
    3. 9.3 Logging on to the console as the console administrator
    4. 9.4 Logging on to the console as the server administrator
    5. 9.5 Logging on as member of administrative group or as LDAP user
    6. 9.6 Logging off the console
    7. 9.7 Starting and stopping the server
      1. 9.7.1 Using Web Administration
      2. 9.7.2 Using the command line or Windows Services icon
    8. 9.8 Console layout
    9. 9.9 Configuration only mode
      1. 9.9.1 Minimum requirements for configuration-only mode
      2. 9.9.2 Starting LDAP in configuration-only mode
      3. 9.9.3 Verifying the server is in configuration-only mode
    10. 9.10 Setting up the console
      1. 9.10.1 Managing the console
      2. 9.10.2 Creating an administrative group
      3. 9.10.3 Enabling and disabling the administrative group
      4. 9.10.4 Adding members to the administrative group
      5. 9.10.5 Modifying an administrative group member
      6. 9.10.6 Removing a member from the administrative group
    11. 9.11 ibmslapd command parameters
    12. 9.12 Directory administration daemon
      1. 9.12.1 The ibmdiradm command
      2. 9.12.2 Starting the directory administration daemon
      3. 9.12.3 Stopping the directory administration daemon
      4. 9.12.4 Administration daemon error log
    13. 9.13 The ibmdirctl command
    14. 9.14 Manual installation of IBM WAS - Express
      1. 9.14.1 Manually installing the Web Administration Tool
      2. 9.14.2 Manually uninstalling the Web Administration Tool
      3. 9.14.3 Default ports used by IBM WAS - Express
    15. 9.15 Installing in WebSphere Version 5.0 or later
  17. Chapter 10. Client tools
    1. 10.1 The ldapchangepwd command
      1. 10.1.1 Synopsis
      2. 10.1.2 Options
      3. 10.1.3 Examples
      4. 10.1.4 SSL, TLS notes
      5. 10.1.5 Diagnostics
    2. 10.2 The ldapdelete command
      1. 10.2.1 Synopsis
      2. 10.2.2 Description
      3. 10.2.3 Options
      4. 10.2.4 Examples
      5. 10.2.5 SSL, TLS notes
      6. 10.2.6 Diagnostics
    3. 10.3 The ldapexop command
      1. 10.3.1 Synopsis
      2. 10.3.2 Description
      3. 10.3.3 Options
    4. 10.4 The ldapmodify and ldapadd commands
      1. 10.4.1 Synopsis
      2. 10.4.2 Description
      3. 10.4.3 Options
      4. 10.4.4 Examples
      5. 10.4.5 SSL, TLS notes
      6. 10.4.6 Diagnostics
    5. 10.5 The ldapmodrdn command
      1. 10.5.1 Synopsis
      2. 10.5.2 Description
      3. 10.5.3 Options
      4. 10.5.4 Examples
      5. 10.5.5 SSL, TLS notes
      6. 10.5.6 Diagnostics
    6. 10.6 The ldapsearch command
      1. 10.6.1 Synopsis
      2. 10.6.2 Description
      3. 10.6.3 Options
      4. 10.6.4 Examples
      5. 10.6.5 SSL, TLS notes
      6. 10.6.6 Diagnostics
    7. 10.7 Summary
  18. Chapter 11. Schema management
    1. 11.1 What is the schema
      1. 11.1.1 Available schema files
      2. 11.1.2 Schema support
      3. 11.1.3 OID
      4. 11.1.4 Inheritance
    2. 11.2 Modifying the schema
      1. 11.2.1 IBMAttributetypes
      2. 11.2.2 Working with objectclasses
      3. 11.2.3 Working with attributes
      4. 11.2.4 Disallowed schema changes
    3. 11.3 Indexing
    4. 11.4 Migrating the schema
      1. 11.4.1 Exporting the schema
      2. 11.4.2 Importing the schema
    5. 11.5 Dynamic schema
  19. Chapter 12. Group and role management
    1. 12.1 Groups
      1. 12.1.1 Static groups
      2. 12.1.2 Dynamic groups
      3. 12.1.3 Nested groups
      4. 12.1.4 Hybrid groups
      5. 12.1.5 Determining group membership
      6. 12.1.6 Group object classes
      7. 12.1.7 Group attribute types
    2. 12.2 Roles
    3. 12.3 Summary
  20. Chapter 13. Replication
    1. 13.1 General replication concepts
      1. 13.1.1 Terminology
      2. 13.1.2 How replication functions
    2. 13.2 Major replication topologies
      1. 13.2.1 Simple master-replica topology
      2. 13.2.2 Master-forwarder-replica topology (ITDS 5.2 and later)
      3. 13.2.3 GateWay Replication Topology (ITDS 5.2 and later)
      4. 13.2.4 Peer replication
    3. 13.3 Replication agreements
    4. 13.4 Configuring replication topologies
      1. 13.4.1 Simple master-replica topology
      2. 13.4.2 Using the command line
      3. 13.4.3 Promoting a replica to peer/master
      4. 13.4.4 Command line for a complex replication
    5. 13.5 Web administration tasks for managing replication
      1. 13.5.1 Managing topology
      2. 13.5.2 Modifying replication properties
      3. 13.5.3 Creating replication schedules
      4. 13.5.4 Managing queues
    6. 13.6 Repairing replication differences between replicas
      1. 13.6.1 The ldapdiff command tool
  21. Chapter 14. Access control
    1. 14.1 Overview
    2. 14.2 ACL model
      1. 14.2.1 EntryOwner information
      2. 14.2.2 Access Control information
    3. 14.3 Access control attribute syntax
      1. 14.3.1 Subject
      2. 14.3.2 Pseudo DNs
      3. 14.3.3 Object filter
      4. 14.3.4 Rights
      5. 14.3.5 Propagation
      6. 14.3.6 Access evaluation
      7. 14.3.7 Working with ACLs
    4. 14.4 Summary
  22. Chapter 15. Securing the directory
    1. 15.1 Directory security
    2. 15.2 Authentication
      1. 15.2.1 Anonymous authentication
      2. 15.2.2 Basic authentication
      3. 15.2.3 Authentication using SASL
      4. 15.2.4 Kerberos
    3. 15.3 Password policy enforcement
      1. 15.3.1 Overview
    4. 15.4 Password encryption
    5. 15.5 SSL/TLS support
      1. 15.5.1 Overview of TLS
      2. 15.5.2 Overview of SSL
      3. 15.5.3 SSL utilities
      4. 15.5.4 Configuring SSL security
    6. 15.6 Protection against DoS attacks
      1. 15.6.1 Non-blocking sockets
      2. 15.6.2 Extended operation for killing connections
      3. 15.6.3 Emergency thread
      4. 15.6.4 Connection reaping
      5. 15.6.5 Allow anonymous bind
    7. 15.7 Access control
    8. 15.8 Summary
  23. Chapter 16. Performance Tuning
    1. 16.1 ITDS application components
    2. 16.2 ITDS LDAP caches
      1. 16.2.1 LDAP caches
      2. 16.2.2 LDAP filter cache
      3. 16.2.3 Filter cache bypass limits
      4. 16.2.4 LDAP entry cache
      5. 16.2.5 Measuring filter and entry cache sizes
      6. 16.2.6 LDAP ACL Cache
      7. 16.2.7 Setting other LDAP cache configuration variables
      8. 16.2.8 LDAP Attribute Cache (only on 5.2 and later)
      9. 16.2.9 Configuring attribute caching
    3. 16.3 Transaction and Event Notification
    4. 16.4 Additional slapd and ibmslapd settings
      1. 16.4.1 Tune the IBM Directory Server configuration file
      2. 16.4.2 Suffixes
      3. 16.4.3 Recycle the IBM Directory Server
      4. 16.4.4 Verify suffix order
    5. 16.5 DB2 tuning
      1. 16.5.1 Warning when IBM Directory Server is running
      2. 16.5.2 DB2 buffer pool tuning
      3. 16.5.3 LDAPBP buffer pool size
      4. 16.5.4 IBMDEFAULTBP buffer pool size
      5. 16.5.5 Setting buffer pool sizes
      6. 16.5.6 Warnings about buffer pool memory usage
      7. 16.5.7 Other DB2 configuration parameters
      8. 16.5.8 Warning about MINCOMMIT
      9. 16.5.9 More DB2 configuration settings
      10. 16.5.10 Configuration script
    6. 16.6 Directory size
    7. 16.7 Optimization and organization
      1. 16.7.1 Optimization
      2. 16.7.2 reorgchk and reorg
      3. 16.7.3 Indexes
      4. 16.7.4 Distributing the database across multiple physical disks
      5. 16.7.5 Create file systems and directories on the target disks
      6. 16.7.6 Backing up the existing database
      7. 16.7.7 Perform a redirected restore of the database
    8. 16.8 DB2 backup and restore
    9. 16.9 Concurrent updates on Symmetric Multi-Processor systems
    10. 16.10 AIX operating system tuning
      1. 16.10.1 Enabling large files
      2. 16.10.2 Tuning process memory size limits
      3. 16.10.3 AIX-specific process size limits
      4. 16.10.4 AIX data segments and LDAP process DB2 connections
      5. 16.10.5 Verifying process data segment usage
    11. 16.11 Adding memory after installation on Solaris systems
    12. 16.12 SLAPD_OCHANDLERS variable on Windows
    13. 16.13 IBM Directory Change and Audit Log
      1. 16.13.1 When to configure the LDAP change log
      2. 16.13.2 When to configure the LDAP audit log
    14. 16.14 Hardware tuning
      1. 16.14.1 Disk speed improvements
    15. 16.15 Monitoring performance
      1. 16.15.1 ldapsearch with "cn=monitor"
      2. 16.15.2 Monitor examples
    16. 16.16 Troubleshooting error files
  24. Chapter 17. Monitoring IBM Tivoli Directory Server
    1. 17.1 Overview
    2. 17.2 Monitoring tools
      1. 17.2.1 Viewing server state
      2. 17.2.2 Viewing status of worker threads
      3. 17.2.3 Viewing connections information
      4. 17.2.4 Viewing other general information about the directory server
      5. 17.2.5 Analyzing changelog
      6. 17.2.6 Analyzing log files
    3. 17.3 Operating system commands for monitoring ITDS
    4. 17.4 Summary
  25. Part 4 Developing directory-enabled applications
  26. Chapter 18. Debugging IBM Tivoli Directory Server related issues
    1. 18.1 Overview
    2. 18.2 Debugging problems
      1. 18.2.1 Debugging configuration problems
      2. 18.2.2 Debugging directory server related errors using log files
      3. 18.2.3 Using server debug modes
      4. 18.2.4 DB2 error log file
    3. 18.3 Summary
  27. Chapter 19. Developing C-based applications
    1. 19.1 Overview
    2. 19.2 Typical API usage
    3. 19.3 API flow when searching a directory
      1. 19.3.1 ldap_init()
      2. 19.3.2 ldap_simple_bind_s()
      3. 19.3.3 ldap_search_s()
      4. 19.3.4 ldap_first_entry()
      5. 19.3.5 ldap_first_attribute()
      6. 19.3.6 ldap_get_values()
      7. 19.3.7 ldap_next_attribute()
      8. 19.3.8 ldap_get_values()
      9. 19.3.9 ldap_next_entry()
      10. 19.3.10 ldap_unbind_s()
    4. 19.4 Sample code to search a directory
    5. 19.5 API flow when updating a directory entry
      1. 19.5.1 ldap_init()
      2. 19.5.2 ldap_simple_bind_s()
      3. 19.5.3 ldap_modify_s()
      4. 19.5.4 ldap_unbind_s()
    6. 19.6 Sample code to update a directory entry
  28. Chapter 20. Developing JNDI-based applications
    1. 20.1 The JNDI
    2. 20.2 Searching the directory
      1. 20.2.1 Creating the directory context
      2. 20.2.2 Performing the search
      3. 20.2.3 Processing the search results
    3. 20.3 Changing a directory entry
      1. 20.3.1 Creating the directory context
      2. 20.3.2 Performing the modification
  29. Part 5 Appendixes
  30. Appendix A. DSML Version 2
    1. DSML Version 2 Introduction
    2. DSML Version 2 - IBM implementation
    3. ITDS DSML Service Deployment
    4. Java programming examples on DSML
    5. References to the DSML official specifications
  31. Appendix B. Directory Integration - IBM Tivoli Directory Integrator
    1. Why Directory Integration is important
    2. Directory Integration Services
    3. User provisioning applications
    4. Directory Integration technologies
    5. Virtual directories vs. metadirectory technology
    6. Overview of IBM Tivoli Directory Integrator
    7. Configuration of ITDI assembly lines
    8. Configuration of an ITDI Event Handler
    9. ITDI solution example
    10. ITDI solution design
    11. Solution components
    12. Summary
  32. Appendix C. Moving RACF users to TBDM
    1. Sample programs to move RACF users to TBDM
  33. Appendix D. Schema changes that are not allowed
    1. Operational attributes
    2. Restricted attributes
    3. Root DSE attributes
    4. Schema definition attributes
    5. Configuration attributes
    6. User Application attributes
  34. Related publications
    1. IBM Redbooks
    2. Online resources
    3. How to get IBM Redbooks
    4. Help from IBM
  35. Back cover