Could someone please explain LDAP?

前端 未结 10 1290
旧巷少年郎
旧巷少年郎 2021-01-30 20:01

I often hear things like \"Can we load our employee info using LDAP?\" Yet, the title \"Lightweight Directory Access Protocol\" makes me think of it as a protocol rather than a

相关标签:
10条回答
  • 2021-01-30 20:20

    LDAP stands for Lightweight Directory Access Protocol. This is an extensible open network protocol standard that provides access to distributed directory services. LDAP is an Internet standard for directory services that run on TCP/IP. Under OpenLDAP and related servers, there are two servers – slapd, the LDAP daemon where the queries are sent to and slurpd, the replication daemon where data from one server is pushed to one or more slave servers. By having multiple servers hosting the same data, you can increase reliability, scalability, and availability.

    It defines the operations one may perform like search, add, delete, modify, change name It defines how operations and data are conveyed.

    LDAP has the potential to consolidate all the existing application specific information like user, company phone and e-mail lists. This means that the change made on an LDAP server will take effect on every directory service based application that uses this piece of user information. The variety of information about a new user can be added through a single interface which will be made available to Unix account, NT account, e-mail server, Web Server, Job specific news groups etc. When the user leaves his account can be disabled to all the services in a single operation.

    So LDAP is most useful to provide “white pages” (e.g. names, phone numbers, roles etc) and “yellow pages” (e.g. location of printers, application servers etc) like services. Typically in a J2EE application environment it will be used to authenticate and authorise users.

    0 讨论(0)
  • 2021-01-30 20:24

    LDAP is a protocol created in response to the complexity of the X.500 family of protocols. It is intended to represent a hierarchical directory structure. The X.500 standard was originally intended to be used over a complete OSI layer stack and was created to fulfill the requirements of the telecom industry. LDAP was designed to use TCP/IP to provide similar functionality without the extra overhead. You can find information on X.500, OSI and LDAP on wikipedia. X.500 and OSI are both covered in most data communications textbooks as well.

    • http://en.wikipedia.org/wiki/X.500
    • http://en.wikipedia.org/wiki/Open_Systems_Interconnection
    • http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
    0 讨论(0)
  • 2021-01-30 20:26

    Yes, LDAP itself usually requires a lower level DB store. I suggest you get your hands dirty here:

    If you just install OpenLDAP & play with it... http://www.openldap.org/doc/admin22/install.html

    ...you will be forced to consider the dependencies.

    One of which is, in this case, SleepyCat.

    Have fun.

    For more fun, here is a good philosophical discussion on the taxonomy: http://archive.oreilly.com/pub/post/ldap_is_not_a_database.html

    0 讨论(0)
  • 2021-01-30 20:27

    LDAP IS a protocol, but many people I know like to overload its meaning to include "any store capable of responding to LDAP queries." Active Directory is such a store, and there are many others. It is used when architects don't really care what the store is. It's used in the same as if you were to say "Store it in the SQL" when you don't care whether it's MySql or Oracle or SQL Server.

    0 讨论(0)
  • 2021-01-30 20:32

    LDAP is basically a protocol to access a directory. Directory here basically refers to a directory having information of the users present in the organisation. Examples of directory include Microsoft's Active Directory (AD) and Oracle's Internet Directory (OID). The directory basically are used for implementing the single sign on feature for the organisation by centralising user authentication and authorisation. For more details refer the below links:

    1. http://searchmobilecomputing.techtarget.com/definition/LDAP
    2. https://eagledatagistics.com/what-is-enterprise-user-security-eus/
    0 讨论(0)
  • 2021-01-30 20:37

    LDAP is an internet protocol, which is used to look up data from a server, this protocol is used to store as well as retrive the information from the hierarchical directory structure. LDAP also follow a data model whch is hierarchical type. In simple term we can say its a hierarchical database where data is stored in tree like structure where leaf node hold the actual data.

    LDAP never define how program function either on the client or server but it explain more about the type of messages that will be used to communicte between client and server. Message can be client requested information , server response and format of the data. These messages arepassed over TCP/IP protocal. So there should be some operation exist that will established a session connection and disconnect it after the operation completion between client and server. LDAP can bes used in the cased where large number of read operations and less number of write operation is required. For example User Authentication as we know that User Name and password are not change so frequently.

    LDAP Operations Process

    To start the communication, the client needs to create a session with a server. This process is called as binding. To bind to the server, the client has to specify the IP address or the host name and TCP/IP port-no, where the server is attending. The client can also provide credentials like username and password to ensure proper authentication with the server. Alternatively, the client can also create an anonymous session by using default access rights. Or both parties can establish a session which uses stronger security processes like data encryption. Once the session gets established, the client then performs its intended operation on directory data. In LDAP the directory information can be managed and queried as it provides read as well as update capabilities. The client closes the session when it finished making a request. This process is called as unbinding. LDAP Modes LDAP majorly relies on to the Data Models like

    Information model The directory includes the basic unit of information and it is known as entry, which represents a real-world object like servers, people and so on. Entries include collection of attributes which define information about the object. Each attribute includes Type associated with syntax, and one or more values. The following diagram illustrates the relationship between entry and its attributes and their type & value:

    Naming model The naming model of LDAP denotes how entries are recognized and organized. In LDAP the entries are organized in a hierarchical or tree-like structure called DIT (Directory Information Tree). The entries are ordered within the DIT according to their DN (Distinguishable Name), a unique name which clearly identifies a single entry.

    Functional Model
    LDAP defines operations requested by a client and can be divided into three categories. They are:

       1.  Query which is used to fetch information from a directory. Include operations like search and                   compare.
    
       2. Update which is used to update the information stored in the directory. Include operations like                add, modify and delete.
    
       3. Authentication which is  used to connect and disconnect with a server, create access rights and                preserve information. Include operations like bind, unbind and abandon.
    

    Security Model

    In LDAP, the security model relies on the bind operation. Three different bind operations are                possible according to the security mechanisms applied. They are:
    
    1. No Authentication

      The simplest method but could only be applied when data security isn’t a problem and where no access control permissions are tangled. For example, the directory includes the address book that can be browsable by anyone. If the user left the DN and password field empty during the bind API call, the server will automatically adopt anonymous user session, and grants access along with the corresponding access controls described for this type of access.

    2. Basic Authentication

      Basic authentication is the alternative simple security mechanism used in LDAP and it is employed in several other web-oriented protocols, like HTTP. In this approach, the client has to authenticate itself to the LDAP server by the way of entering a password and DN that is transferred in a clear text over the network. On the other end, the server compares the DN and password with the entries in the directory. And grants access if the password matches. Moreover, the passwords in clear text format can’t guarantee confidentiality; hence, may result in password disclosure to unauthorized parties.

    3. SASL (Simple Authentication and Security Layer)

      This framework has been added to LDAP V3 which adds an additional authentication method to connection-oriented protocols. This mechanism specifies a challenge & response protocol where the client and server exchange some data to ensure authentication and establish the security layer upon which the subsequent communication will be carried out. With SASL, LDAP protocol can support any sort of authentication approved upon by an LDAP client and an LDAP server.

    0 讨论(0)
提交回复
热议问题