LDAP is an industry-standard method of accessing data from within a directory. If your organization already has a network directory service in place, it is likely that the directory is based on LDAP or is accessible via LDAP. LDAP is many things, and can be described in different ways. It is:
LDAP Information ModelThe basic unit of LDAP is an entry, or an instance of related attributes. It consists of one or more attributes and the values for those attributes in the following format: attribute=value LDAP uses the schema to define attributes, among other things. An object class specifies which attributes are required when populating the LDAP directory and which attributes will be allowed when populating the LDAP directory. This attribute definition provides data integrity. Object classes are defined in the schema. Because LDAP is so customizable, the schema can be tailored to meet the needs of many different deployments.
The LDAP TreeAn LDAP directory is arranged in a hierarchy called a tree. In a tree, each entry can have entries beneath it. One useful aspect of LDAP is that the structure of an LDAP hierarchy is not strictly defined, so it is open to different implementations depending on the site. This can lead to confusion when attempting to understand someone else's deployment, because the hierarchy has been customized.
The attributes are usually an abbreviation or mnemonic for a typical characteristic. For instance, dc stands for domain component and cn stands for common name. These abbreviations can be used in several locations within the tree and may not be specific to each entry within each entry. LDAP NamespaceBecause the structure of an LDAP directory can be different at each site, you have to tell any LDAP client where to find an entry. To request a particular entry, the client uses the logical path to the entry or the distinguished name (dn). This is similar to an absolute path in the Mac OS X file system. Here is an example of the dn for Warren Peece: dn:uidNumber=501,cn=users,dc=mainserver,dc=pretendco,dc=com The structure of the LDAP hierarchy is defined by the distinguished names. In addition, one or more attributes in an entry can be used as the name of the entry itself. This is the entry's relative distinguished name (rdn), which is similar to a relative path in the Mac OS X file system. For example rdn:uidNumber=501 refers to all the attribute/value pairs in that entry.
LDAP Search ParametersWhen a requestor (such as a login window) asks for data, some parameters must be defined. Search BaseThe search base is the point in the tree where the requestor starts the search. For instance, the client might want to start searching at the entry cn=users. If this is the case, then the search base would be defined as cn=users,dc=mainserver,dc=pretendco,dc=com ScopeThe scope defines how deep to go in the search. For instance, the search could be limited to the same level the search started, limited to the same level and one level below, or open to all levels below the one where the search started. This becomes important when searching a large LDAP database or using applications that frequently query the database. Walking down the entire tree consumes processor cycles and RAM, which can be avoided by refining the scope of the search. FilterFinally, a filter specifies the item that is being searched for. In Mac OS X, the filter is automatically constructed by the LDAPv3 plug-in. Filters, like scopes, can decrease the load on the directory by not searching entries that do not fit certain criteria. For example, a request might be made to find any cn entries under cn=users. However, since the information under cn=users may or may not be only user information, you can narrow the search to save time, which you're about to learn how to do. LDAP Search TransactionsWhen searching the LDAP directory with a tool such as ldapsearch, you would limit the request by specifying the search base and filter. The following figure demonstrates how to search for the mount entries in the LDAP directory on mainserver.pretendco.com.
Breaking down the line of code in the figure above, you can see it does the following:
At the end of the search command, you can specify which attributes you want displayed from the resulting entries. In this case, the attributes are the common name and the objectClass. By default, the search is performed at the level indicated by the search base and in all subtrees. The results of the search are a listing of all the group entries (the dn, cn, and objectClass attributes listed) at the dc=mainserver,dc=pretendco,dc=com level and below. The information is displayed in standard LDIF. You can also use the ldapsearch command to display information about the root or base dn of an LDAP tree. For example, ldapsearch -h "10.1.0.1" -x -a never -s base supportedSASLMechanisms namingContexts supportedLDAPVersion will display the names of the SASL mechanisms, the naming contexts, and the versions of the LDAP protocol that are supported by the server named 10.1.0.1. More Info To find out more about ldapsearch options such as -a, -s, or -h, please refer to the man page for ldapsearch. |