
July 21, 2009

Introduction to the LDAP Protocol


LDAP (Lightweight Directory Access Protocol) is the protocol used to access the kind of information service known as a directory service. A directory service is a special kind of database that is optimized for read, browse and search operations, which sets it apart from the usual relational database. A directory typically holds descriptive, attribute-based information and supports fine-grained, complex filtering of that information. Directories generally do not support the complex transaction management or rollback strategies that general-purpose databases need for heavy update workloads; updates to a directory are normally simple, small changes. A directory of this kind can store information of many types, including personal data, web links and JPEG images. To access the information stored in the directory, an access protocol running over TCP/IP is needed, and that protocol is LDAP.
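The "complex filtering" mentioned above is expressed as LDAP search filters such as (&(objectClass=person)(uid=alice)). Because the filter grammar uses parentheses, asterisks and backslashes as metacharacters, a client that splices user input into a filter by string concatenation lets the caller rewrite the query. The following is an added example, not code from the original post: it builds such a filter with the value encoding defined in RFC 4515 and shows the unescaped variant beside it. The function names and the sample uid values are this example's own.

```python
# Added example (not from the original post): building an LDAP search filter
# with RFC 4515 value escaping, next to the unescaped concatenation it replaces.
# Sample inputs below are constructed for this illustration.

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits. NUL is included because
# it is explicitly listed by the RFC and also terminates C strings.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Encode a value for use inside an LDAP search filter assertion.

    Each character is mapped independently, so a backslash in the input is
    never re-escaped on a second pass.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def person_by_uid_filter(uid):
    """Filter that matches entries of object class person whose uid equals
    the supplied value, whatever characters that value contains."""
    return f"(&(objectClass=person)(uid={escape_filter_value(uid)}))"


def unsafe_person_by_uid_filter(uid):
    """The same filter built by plain concatenation. Kept only to show what
    escaping prevents: a uid of '*)(uid=*' turns it into a match-all filter."""
    return f"(&(objectClass=person)(uid={uid}))"


if __name__ == "__main__":
    for sample in ("alice", "*)(uid=*", "O'Brien (Sales)", "back\\slash"):
        print("input   :", repr(sample))
        print("unsafe  :", unsafe_person_by_uid_filter(sample))
        print("escaped :", person_by_uid_filter(sample))
        print()
```

With the hostile input the unescaped builder yields (&(objectClass=person)(uid=*)(uid=*)), a syntactically valid filter that matches every person entry; the escaped builder yields (&(objectClass=person)(uid=\2a\29\28uid=\2a)), which the server compares literally against the uid attribute.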

Information in an LDAP directory is organized as a tree, and the individual pieces of information are stored in data structures called entries. An entry corresponds to a record in a relational database table. An entry is a set of attributes identified by a distinguished name (DN); the DN is used to refer to the entry unambiguously and plays the role of the primary key of a relational table. An attribute consists of a type and one or more values, much as a field in a relational database consists of a field name and a data type. The difference is that, to make searching convenient, an LDAP attribute type may carry several values, whereas a relational schema, in order to reduce redundancy, requires each field to hold a single atomic value. LDAP entries are usually arranged by geographic location and by organizational relationship, which keeps the tree intuitive.
Figure 1. Tree-structured storage of LDAP information (image not reproduced here)

As Figure 1 shows, LDAP information is stored as a tree. The root usually defines a country (c=CN) or a domain name (dc=com); beneath it one or more organizations (o=CSDL) or organizational units (ou=Regular) are defined. An organizational unit may contain, for example, entries for regular employees or for contract employees.

In addition, LDAP can control which attributes an entry may carry and which it must carry. This is done through a special attribute called objectClass. Its values determine the rules the entry must follow, namely which attributes it may contain and which it must contain at a minimum. For example, the person object class requires the sn (surname) and cn (common name) attributes, but the entry may also contain optional attributes such as an e-mail address or telephone number. Common naming attributes: dc is the domain component an entry belongs under; ou is the organizational unit an entry belongs to; cn or uid is the entry's name or user ID.
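To make the entry, DN and objectClass rules above concrete, here is an added example that is not part of the original post: a minimal reader for LDIF, the text form in which directory entries are usually exchanged, which parses entries into DN plus multi-valued attributes, derives each entry's parent from its DN to rebuild the tree of Figure 1, and checks the "must contain" rule for a few object classes. The sample LDIF, the MUST_ATTRIBUTES table (reduced to the attributes named in RFC 4519 for these four classes) and the function names are this example's own assumptions.

```python
# Added example (not from the original post): a minimal LDIF reader that
# models LDAP entries as (DN, attributes) records, rebuilds the tree from the
# DNs, and applies the objectClass "must contain" rule. The sample directory
# and the schema table below are constructed for this illustration.
import re

# Required ("MUST") attributes of a few standard object classes, per RFC 4519.
# Classes not listed here impose no requirement in this example.
MUST_ATTRIBUTES = {
    "person": {"cn", "sn"},
    "organization": {"o"},
    "organizationalUnit": {"ou"},
    "dcObject": {"dc"},
}

# Constructed sample directory laid out like Figure 1: country, organization,
# organizational unit, then people. The last entry deliberately omits sn.
SAMPLE_LDIF = """\
dn: c=CN
objectClass: country
c: CN

dn: o=CSDL,c=CN
objectClass: organization
o: CSDL

dn: ou=Regular,o=CSDL,c=CN
objectClass: organizationalUnit
ou: Regular

dn: cn=Zhang San,ou=Regular,o=CSDL,c=CN
objectClass: person
cn: Zhang San
sn: Zhang
mail: zhangsan@example.com
mail: zs@example.com
telephoneNumber: +86 10 0000 0000

dn: cn=Broken,ou=Regular,o=CSDL,c=CN
objectClass: person
cn: Broken
"""


def parse_ldif(text):
    """Return a list of (dn, attrs) tuples; attrs maps type -> list of values.

    Repeated attribute lines (the two 'mail' lines above) accumulate into one
    list, which is the multi-valued behaviour the text contrasts with a
    relational column.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF record without a dn line")
        entries.append((dn, attrs))
    return entries


def split_dn(dn):
    """Split a DN into its RDN strings, leaf first. Commas escaped as '\\,'
    inside a value are kept with the value rather than treated as separators."""
    return re.split(r"(?<!\\),", dn)


def parent_dn(dn):
    """DN of the entry one level up the tree, or None for a root entry."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def build_tree(entries):
    """Map each DN to the list of DNs directly beneath it."""
    tree = {dn: [] for dn, _ in entries}
    for dn, _ in entries:
        parent = parent_dn(dn)
        if parent in tree:
            tree[parent].append(dn)
    return tree


def schema_violations(entries):
    """Return {dn: set of missing attributes} for entries that lack a MUST
    attribute of any objectClass they declare."""
    problems = {}
    for dn, attrs in entries:
        required = set()
        for oc in attrs.get("objectClass", []):
            required |= MUST_ATTRIBUTES.get(oc, set())
        missing = required - set(attrs)
        if missing:
            problems[dn] = missing
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, attrs in entries:
        print(dn, "->", attrs)
    print("tree:", build_tree(entries))
    print("violations:", schema_violations(entries))
```

A real server enforces the same MUST rule at add time and rejects cn=Broken with an objectClassViolation result; the check here only reproduces that rule on data already in hand.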

posted @ 2009-07-21 17:33 yellowstone  views (1069) | comments (0)
          Centralized Logins Using LDAP and RADIUS

Reference: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS

           


          Introduction

Many centralized database programs have been developed to allow users to log in on multiple computers using a single password. NIS was one of the first, but it does not encrypt the password transaction. It also relies on the portmapper daemon (RPC), whose services bind to an unpredictable range of ports that are difficult for firewalls to track. LDAP (Lightweight Directory Access Protocol) provides an alternative based on the X.500 standard.

The X.500 standard defines how globally referenced directories of people should be structured. X.500 directories are organized under a common root in a tree hierarchy with a different level for each category of information, such as country, state, city, organization, organizational unit, and person. Designed as a simpler yet robust way to access X.500-style directories, LDAP became the access protocol behind Microsoft's Active Directory and Novell's Novell Directory Services (NDS). LDAP can also interact with other login programs, such as Remote Authentication Dial-in User Service (RADIUS), which the network equipment of many ISPs uses to manage dialup Internet access.

It was later recognized that LDAP had features that could make it a desirable replacement for NIS in some scenarios. For example, it uses a single TCP port (389) for regular communication and a second port (636, LDAPS) for sessions wrapped in TLS from the start; a session on port 389 can also be upgraded to TLS with the StartTLS extended operation. Note that a simple bind over plain port 389 without StartTLS sends the password in the clear, the same weakness NIS has, so one of the two TLS options should be required. LDAP also can interact with many login authentication, authorization, and accounting programs external to Linux and UNIX.

          This chapter will first show you how to install and use LDAP on Fedora Linux systems, then go on to explain how LDAP interacts with RADIUS.

          The LDAP Directory Structure

          Like X.500, LDAP directory entries are arranged in a tree structure. Under the root, there are branches that represent countries, organizations, organizational units, and people.

          In complicated LDAP deployments, in which you have to exchange information with the LDAP databases of other companies, you may want to get a formal organization number from the Internet Assigned Numbers Authority (IANA) to reduce any data conflicts. In the chapter's example this won't be necessary. Because there will be no data sharing, I'll just make up one.

          Scenario

          These concepts are easier to explain when working from an example, so imagine the IT department in a small organization called example.com has many Linux servers it needs to administer.

          ........

posted @ 2009-07-21 11:51 yellowstone  views (329) | comments (0)