Glossary

An instruction that grants or denies permissions to entries in the directory server.

Data associated with a file, directory, or other resource that defines the permissions that users, groups, processes, and devices have for accessing it.

Collective permissions and bind rules that are set as a pair.

See Access Control Instruction.

See Access Control List.

See Access Control Rule.

Microsoft's directory service used by the core operating system to store user account and system resource data and by the BackOffice suite of products as their data store.

A domain that allows a common login to work across several servers.

Andrew File System an enterprise-type file system that enables systems to share files and resources across local and wide area networks. It uses a clientserver architecture for file sharing.

Abstract Syntax Notation One (ASN.1) describes objects within a management information database.

Each LDAP entry consists of a number of named attributes, each of which has one or more values.

The means by which a server verifies a client's identity.

A backup mechanism that maintains a read-only copy of the SAM database.

The distinguished name (DN) where part of the directory information tree (DIT) is rooted. Sometimes indicated as baseDN.

See Backup Domain Controller.

A secret key cryptography that uses a variable key lengths of 32448 bits.

A way in which to locate an NIS server to bind to. The method sends out a broadcast message and binds to the first server that responds.

Certificate Authority. A trusted third party that issues digital certificates.

Encoded character or characters

Data that has been coded ( enciphered , encrypted, encoded) for security purposes.

Number of bits in the key used to encrypt data.

A way to provide a file to a client. The method contains information about how to locate directory objects and also a set of credentials. This is the preferred NIS+ method because it provides additional security.

One of the SASL mechanisms (RFC 2222) that was at one point proposed as a required mechanism for LDAP v3. CRAM stands for Challenge Response Authentication Mechanism. It uses the MD5 (message digest 5) hash algorithm developed by Ron Rivest for generating a message digest, which in turn is used for authentication.

Authentication information that the client software sends with each request to a naming server to verify the identity of the user or machine.

Conversion of data into a secret code for transmission over a network. The original data is converted into ciphertext (a coded equivalent) with an encryption algorithm. The ciphertext is decoded at the receiving end and turned back into the original form.

Directory Access Protocol (X.500).

A commonly used, highly sophisticated algorithm developed by the U.S. National Bureau of Standards for encrypting and decrypting data.

Directory Enabled Networks.

See Data Encryption Standard.

See Dynamic Host Configuration Protocol.

Cryptography that enables exchange of public keys using shared secret keys at both ends.

The Digest-MD5 mechanism is described in RFC 2831. In Digest-MD5, the LDAP server sends data that includes various authentication options that it is willing to support plus a special token to the LDAP client. The client responds by sending an encrypted response that indicates the authentication options that it has selected. The response is encrypted in such a way that proves that the client knows its password. The LDAP server then decrypts and verifies the client's response.

An arrangement of directory entries in a treelike structure.

A method to map to the DNS domain name of a company and its subdomains. Termed Active Directory by Microsoft.

A specific type of naming service in which the objects bound to names are directory entries.

A naming context that defines the root entry of the directory server.

The core program of Microsoft's Active Directory implementation.

A unique identifier of each entry in the DIT.

See Directory Information Tree.

See Distinguished Name.

See Domain Name System.

A set of domains or domain trees that do not form a contiguous namespace, but they do have an implicit trust relationship among them.

A method to solve the problem of locating computers on ArpaNet, the forerunner of the Internet. DNS is the de facto standard naming service of the Internet.

A set of domains that form a contiguous namespace through a set of hierarchal relationships.

Directory Services Agent.

See Directory Server Entry.

Directory Service Markup Language A set of XML tags that define the contents of a directory. Developed by Bowstreet Software, it is designed to allow directories to work together.

A procedure by which IP- related information is provided to new clients .

A single row of data in a database table, such as an LDAP element in a DIT.

A database that has built-in indexing features, along with other database features such as transaction logging and recovery. All Active Directory data resides in this database.

An area (domain) in which one NIS domain is not related to another.

A list that provides a way to centrally maintain information about users and universal groups for access control.

Greenwich Mean Time.

Generic Security Service Application Programming Interface. Used to provide a standard interface to different authentication methods .

Client access to the directory service itself. If the heartbeat or communication channels fail, then the cluster will not function properly.

Hypertext Transport Protocol.

Internet Assigned Numbers Authority.

A database modeled after the ESE and similar to the one in which Microsoft Exchange stores data.

Internet Message Access Protocol standard mail service protocol that provides a message store that holds incoming email.

International Standards Organization.

Java Naming and Directory Interface.

See Knowledge Consistency Checker.

See Key Distribution Center.

A network authentication protocol that provides strong authentication for client-server applications by using secret-key cryptography.

A clearinghouse required by Kerberos.

See Knowledge Module.

An Active Directory process that is responsible for mapping out the Active Directory domain controller topology and determining how replication should be performed.

A utility that monitors the iPlanet Directory Server. KM continually monitors and automatically reacts to critical infrastructure information.

Local area network

Lightweight Directory Access Protocol. The newest addition to the list of Solaris OE naming services. It is an optional naming service that can coexist with legacy Solaris OE naming services. LDAP shares some characteristics with NIS and NIS+, but it is more sophisticated in how stored data is structured and accessed.

A model that defines how LDAP clients communicate with LDAP servers.

See LDAP Data Interchange Format (LDIF)

A directory server uses the LDAP Data Interchange Format (LDIF) to describe a directory in text format. LDIF is often used to build a directory database. It is also a common method used for importing data from legacy data sources such as NIS maps, and to add large numbers of entries to the directory all at once.

A model that defines how entries are organized in a directory.

A model that defines how objects are named and the type of information which can be stored in the directory.

A mechanism used to instruct an LDAP client searching the directory to continue the search on another directory server.

The mechanism by which directory data is automatically copied from one directory server to another. Using replication, you can copy everything from entire directory trees to individual directory entries between servers.

A model that defines how information in the directory is protected from unauthorized access.

See LDAP Data Interchange Format.

See LDAP.

A data structure used to define network devices and objects that SNMP accesses .

In a general sense, a facility that organizes and names objects. It provides an association, often referred to as a binding, between a name and an object.

Netware Directory Server.

See NIS.

See NIS+.

The first UNIX-based distributed naming service. It replaced text files as the repository for storing information.

A successor to NIS that corrected a number of flaws in the NIS architecture.

Network Management Servers

A SAM agent that provides backward compatibility to Windows clients by using NT Lan Manager (NTLM) style authentication.

A number assigned to child object classes to ensure they will not conflict with another object class.

See Object identifier.

Open Systems Interconnection that allows network devices to read, write, and act upon management data.

See Pluggable Authentication Module.

See Primary Domain Controller.

An adjective meaning good performance potential.

A framework that allows new authentication technologies to be "plugged in" without changing commands such as login , ftp , and telnet .

A controller that has write privileges on the SAM database.

The private component of a pair of mathematically generated numbers, which, when combined with a private key, generates the DES key. The DES key in turn is used to encode and decode information. The private key of the sender is only available to the owner of the key.

The public component of a pair of mathematically generated numbers, which, when combined with a private key, generates the DES key. The DES key in turn is used to encode and decode information. The public key is available to all users and machines.

A language that enables users to write their own KMs.

Quick File System, a standalone file system that reduces bottlenecks by maximizing the performance of the file system in conjunction with the underlying disk technology. QFS limits the physical head movement of disks, and provides other state-of-the-art storage technologies.

Redundant Array of Inexpensive (or Independent) Disks a disk subsystem used to either increase performance, or fault tolerance, or both. RAID is often defined in levels 0 - 6 (plus various level combinations). RAID levels and how they apply to LDAP are covered in Chapter 8 "Selecting Storage for Optimum Directory Server Performance.

Role-Based Access Control a methodology or implementation where security is managed in a way that facilitates more granular control of enterprise systems access. Users are assigned one or more roles, and each role is assigned one or more privileges. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles.

Relative Distinguished Name. The left-most portion of a directory entry name.

A programming mechanism that enables NIS clients and servers to communicate with each other.

The mechanism by which directory data is automatically copied from one directory server to another.

Request for Comments, A means by which each distinct version of an Internet standards-related specification is published as part of the RFC document series.

See Remote Procedure Calls.

See Security Account Manager.

Storage and Archive Manager File System, a file system originally intended as a disk storage facility supporting SAM (Storage and Archive Manager, tapebased storage). Today, SAMFS is a versatile software package that provides reliable, high performance storage management, archival and retrieval services.

See Simple Authentication and Security Layer

A set of rules defining what types of data can be stored in any given LDAP DIT.

Software Development Kit

An authentication method developed by Netscape as a way to create a secure connection between a web client and a web server. It can be used as a transport-layer security mechanism to make application protocols such as LDAP secure.

A database of user account information maintained on special Windows NT servers called Domain Controllers, of which there are two varieties: primary (PDC) and backup (BDC).

An Active Directory service that clients search to locate the nearest controller.

SSDs define how and where an LDAP naming service client should search for information for a particular service.

An architecture wherein at any time a resource is owned by only one of the cluster nodes.

Security ID. An identification, the generation of which is specific to Microsoft's Active Directory implementation and not a standard LDAP concept.

A standard proposed for pluggable authentication methods to be used for adding authentication support to connection-based protocols such as LDAP. SASL allows negotiation about multiple authentication schemes between a client and a server. SASL is beneficial as a modular security layer.

A widely deployed protocol originally designed to manage network devices, SNMP can also be used to manage other items such as applications and services.

The ability to authenticate a user once upon login so that user is automatically authenticated for all applications the user accesses.

See Simple Network Management Protocol.

A tool to cope with the coexistence of multiple directory services present in the Solaris operating environment.

A utility that assigns shares of system resources to different applications, thereby maintaining a minimum threshold of performance.

A mechanism that specifies an NIS server or list of servers to bind to.

Structured Query Language. Standard used for database queries.

See Service Resource Records.

See Secure Socket Layer.

Security Support Provider Interface.

Transmission Control Protocol/Internet Protocol.

See Ticket-Granting Ticket.

A Kerberos method for application servers to grant service tickets to an authenticated user.

See Transport Layer Security.

The new standard for secure socket layers . A public-key-based Transport Layer Security protocol.

Uniform Resource Locator

Wide area network

A directory service defined as an Open Systems Interconnection (OSI) standard. A precursor to LDAP.