
OpenLDAP Series (1) Introduction to LDAP

Posted on 6/21/2020 8:25:32 PM
What is LDAP?

(1) Before introducing what LDAP is, let's review one thing: what is a directory service?

1. A directory service is a special kind of database that holds descriptive, attribute-based information and supports filtering on those attributes.

2. It is dynamic, flexible, and scales easily.

Examples: personnel organization and management, telephone books, address books.

(2) With directory services covered, here is an introduction to LDAP:

LDAP (Lightweight Directory Access Protocol) is a lightweight protocol for accessing directories, derived from the X.500 standard.

A directory is a database optimized for querying, browsing, and searching; it organizes data in a tree structure, similar to a filesystem directory.

Directory databases differ from relational databases: they have excellent read performance but poor write performance, and they lack features such as transaction processing and rollback, so they are unsuitable for data that changes frequently. A directory is built for lookup, just as its name suggests.

An LDAP directory service is a system consisting of a directory database and the access protocol used to reach it.

(3) Why use it

LDAP is an open Internet standard, runs over standard Internet protocols on every platform, and is widely recognized in the industry. Most products on the market and in the open-source community already support LDAP, so such systems need no custom integration: a simple LDAP configuration lets them authenticate against and interact with the directory server. This "simple and crude" approach greatly reduces the cost of repeated development and integration work.

LDAP's main products:

Vendor | Product | Notes
Sun | Sun ONE Directory Server | Text-database storage; fast.
IBM | IBM Directory Server | Built on DB2; average speed.
Novell | Novell Directory Server | Text-database storage; fast, but not commonly used.
Microsoft | Microsoft Active Directory | Built on Windows system accounts; average performance with large data volumes, but easy to maintain, with a large ecosystem and relatively simple management.
Open source | OpenLDAP | Open-source project; fast, though not a mainstream application.


Basic model of LDAP

Every system and protocol has its own model, and LDAP is no exception. Before looking at LDAP's basic model, we need a few directory tree concepts:

(1) Directory tree concepts

1. Directory tree: in a directory service, the entire set of directory information can be represented as a directory information tree (DIT), and each node in the tree is an entry.

2. Entry: each entry is one record, and each entry has its own unique distinguished name (DN).

3. Object class: the set of attributes that describes one type of entity. Object classes can inherit from one another, so the mandatory attributes of the parent class are inherited as well.

4. Attribute: describes one aspect of an entry. An attribute consists of an attribute type and one or more attribute values; each attribute of an entry is either mandatory (MUST) or optional (MAY) according to its object classes.

(2) DC, UID, OU, CN, SN, DN, RDN

Keyword | Full name | Meaning
dc | Domain Component | One label of the domain name. A full domain name is split into its labels, so example.com becomes dc=example,dc=com (where a record lives)
uid | User ID | User identifier, e.g. songtao.xu (the ID of a record)
ou | Organizational Unit | An organizational unit; it can contain other objects, including other organizational units, e.g. "oa group" (the organization a record belongs to)
cn | Common Name | The common name, e.g. "Thomas Johansson" (the name of a record)
sn | Surname | Surname, e.g. "Xu"
dn | Distinguished Name | e.g. "uid=songtao.xu,ou=oa group,dc=example,dc=com": the location of a record in the tree (unique)
rdn | Relative Distinguished Name | Like a relative path in a filesystem: the leftmost component of a DN, which names the entry relative to its parent and says nothing about the rest of the tree, e.g. "uid=tom" or "cn=Thomas Johansson"


Introduction to OpenLDAP

OpenLDAP is an open-source implementation of LDAP (Lightweight Directory Access Protocol), used as a centralized account-management architecture; it runs on many system versions and is widely adopted by Internet companies.

OpenLDAP implements the information service of a directory: a special database that performs well for reading, browsing, and searching. Directory services generally hold descriptive, attribute-based information and support sophisticated filtering, but the OpenLDAP directory service does not provide the complex transaction management or rollback that general-purpose databases offer for heavy update workloads.

Two related standards exist: X.500 and LDAP. OpenLDAP follows the X.500 data model but drops X.500's complex features, and it can be extended with custom schema as needed. It also differs from X.500 in transport: OpenLDAP runs over TCP/IP, the protocol suite of the Internet, rather than the OSI stack.

OpenLDAP can run directly over the simpler, more general TCP/IP (or another reliable transport), avoiding the overhead of the OSI session and presentation layers; connection setup and packet processing are simpler and faster, which suits Internet and enterprise network applications. Note that plain LDAP over TCP is cleartext, so production deployments protect bind credentials with LDAPS or StartTLS.
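Search filters are where untrusted input usually enters a directory query: an application that authenticates users against the directory typically searches for (uid=name) and then binds as the entry it finds. The following is an added example, not code from the original post or from OpenLDAP. It escapes filter values per RFC 4515 and includes a small evaluator for the filter subset it uses (&, |, !, equality with '*' wildcards), run against a constructed in-memory directory, so the effect of an unescaped '*' is visible offline. The sample entries and names such as `search`, `lookup_user_unsafe` and `lookup_user_safe` are this example's own.

```python
"""Added example, not code from the original post or from OpenLDAP: why values
spliced into an LDAP search filter must be escaped (RFC 4515). A small
evaluator for the filter subset used here (&, |, !, equality with '*'
wildcards) runs against a constructed in-memory directory so the effect of
an unescaped '*' is visible offline. All names below are this example's own.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory: invented entries keyed by their DN.
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "uid=songtao.xu,ou=oa group,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["songtao.xu"], "cn": ["Songtao Xu"]},
    "uid=tom,ou=oa group,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["tom"], "cn": ["Tom"]},
    "ou=oa group,dc=example,dc=com": {
        "objectClass": ["organizationalUnit"], "ou": ["oa group"]},
}

# RFC 4515 section 3: these must be written as \XX inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted text so it can only match literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _expect_close(filt: str, pos: int) -> int:
    if pos >= len(filt) or filt[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1


def _parse(filt: str, pos: int) -> Tuple[tuple, int]:
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    if pos >= len(filt) or filt[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(filt):
        raise ValueError("truncated filter")
    if filt[pos] in "&|":
        op, children, pos = filt[pos], [], pos + 1
        while pos < len(filt) and filt[pos] == "(":
            child, pos = _parse(filt, pos)
            children.append(child)
        return (op, children), _expect_close(filt, pos)
    if filt[pos] == "!":
        child, pos = _parse(filt, pos + 1)
        return ("!", [child]), _expect_close(filt, pos)
    end = filt.index(")", pos)            # a properly escaped value never contains ')'
    attr, _, value = filt[pos:end].partition("=")
    return ("=", attr, value), end + 1


def _matches(pattern: str, values: List[str]) -> bool:
    # Split on unescaped '*' first, then unescape each literal piece, so an
    # escaped \2a is matched as a literal asterisk rather than as a wildcard.
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    regex = re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)
    return any(regex.match(v) for v in values)


def _eval(node: tuple, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(c, entry) for c in node[1])
    if kind == "|":
        return any(_eval(c, entry) for c in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    # Attribute names are case-insensitive in LDAP.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return _matches(value, values)


def search(filt: str, entries: Dict[str, Entry] = SAMPLE_ENTRIES) -> List[str]:
    """Return the sorted DNs of entries matching the filter."""
    node, pos = _parse(filt, 0)
    if pos != len(filt):
        raise ValueError("trailing characters after filter")
    return sorted(dn for dn, attrs in entries.items() if _eval(node, attrs))


def lookup_user_unsafe(username: str) -> List[str]:
    """Vulnerable: the caller's input is spliced straight into the filter."""
    return search(f"(&(objectClass=inetOrgPerson)(uid={username}))")


def lookup_user_safe(username: str) -> List[str]:
    """Hardened: the input can only ever be matched as a literal uid value."""
    return search(f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))")


if __name__ == "__main__":
    print(lookup_user_unsafe("*"))   # both person entries: the wildcard was injected
    print(lookup_user_safe("*"))     # []: '*' became \2a and matched literally
```

With a real server the same escaping applies before the filter string is handed to the client library; the in-memory evaluator only exists so the difference between the two lookups can be observed without a directory to talk to.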

Information in an OpenLDAP directory is stored in a tree hierarchy (much like DNS). The top of the tree is called the base DN, such as "dc=mydomain,dc=org" or "o=mydomain.org"; the former is more flexible and is also the form Windows AD uses. Many entries sit under the base DN, and to separate this mass of data logically OpenLDAP, like other directory services, uses the OU (Organizational Unit), which can represent internal company structure such as departments, or categories such as equipment and personnel. An OU can in turn contain sub-OUs for finer classification.

Each record in OpenLDAP has a unique name that distinguishes it from every other record, the DN (Distinguished Name); its leftmost "leaf" part is the RDN (Relative Distinguished Name). For example, in dn: cn=tom,ou=animals,dc=ilanni,dc=com the RDN is cn=tom, and an RDN must be unique among the entries directly under the same parent (here, within the OU).

At the time of writing, OpenLDAP's traditional default backend is Berkeley DB (the bdb and hdb backends), a key-value store using hash and B-tree access methods. Note that OpenLDAP 2.4 already recommended the mdb backend (LMDB) in its place, and OpenLDAP 2.5 removed the Berkeley DB backends entirely, so new deployments should expect mdb.

Berkeley DB is a special-purpose database optimized for query and read, intended for search, browse and lookup workloads: data is written once and read many times. It is not designed for the high-concurrency write throughput or the complex transaction handling of relational databases such as MySQL, MariaDB or Oracle.
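The DN, RDN and dc= naming described above (and in the keyword table earlier) is worth seeing mechanically, because values inside a DN can themselves contain commas and other separators. The following is an added example, not code from the original post or from OpenLDAP: it splits a DN into RDNs following RFC 4514 (unescaped commas separate RDNs; backslash escapes and \XX hex pairs may appear inside values), derives the parent DN, builds a base DN from a domain name, and checks whether one DN lies under another. It handles single-valued RDNs only (the '+' form is not covered), and every function name is this example's own.

```python
"""Added example, not code from the original post or from OpenLDAP: taking a
DN apart into its RDNs and reading the entry's position in the tree from it,
following RFC 4514 (unescaped commas separate RDNs; backslash escapes and
\\XX hex pairs may appear inside values). Single-valued RDNs only; the
'+' form is not handled. All function names are this example's own.
"""
import string
from typing import List, Tuple

_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas, dropping unescaped whitespace around them."""
    rdns, tokens, i = [], [], 0

    def flush() -> None:
        while tokens and tokens[0] == " ":
            tokens.pop(0)
        while tokens and tokens[-1] == " ":
            tokens.pop()
        rdns.append("".join(tokens))
        tokens.clear()

    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            tokens.append(dn[i:i + 2])   # keep escape pairs intact (an escaped space survives flush)
            i += 2
        elif dn[i] == ",":
            flush()
            i += 1
        else:
            tokens.append(dn[i])
            i += 1
    flush()
    return rdns


def _unescape_dn_value(value: str) -> str:
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))          # \XX hex pair -> one raw byte
                i += 3
                continue
            out += value[i + 1].encode("utf-8")    # \, \+ \" and so on -> the character itself
            i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as (attribute, value) pairs, leftmost RDN first."""
    pairs = []
    for part in split_rdns(dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        pairs.append((attr.strip(), _unescape_dn_value(value)))
    return pairs


def rdn(dn: str) -> str:
    """The leftmost component: the entry's own name relative to its parent."""
    return split_rdns(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the RDN: the DN of the entry's parent."""
    return ",".join(split_rdns(dn)[1:])


def domain_to_base_dn(domain: str) -> str:
    """example.com -> dc=example,dc=com"""
    labels = domain.strip(".").lower().split(".")
    return ",".join(f"dc={escape_dn_value(label)}" for label in labels)


def _normalized(dn: str) -> List[Tuple[str, str]]:
    # Case-insensitive comparison; assumes caseIgnoreMatch, which applies to
    # dc, ou, cn and uid but not to every attribute type.
    return [(a.lower(), v.lower()) for a, v in parse_dn(dn)]


def is_under(dn: str, base: str) -> bool:
    """True if dn is a strict descendant of base, i.e. lies in that subtree."""
    d, b = _normalized(dn), _normalized(base)
    return len(d) > len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    dn = "uid=songtao.xu,ou=oa group,dc=example,dc=com"
    print(rdn(dn), "|", parent_dn(dn))
    print(parse_dn("cn=Johansson\\, Thomas,ou=oa group,dc=example,dc=com")[0])
```

The point of keeping escape pairs together while splitting is that "cn=Johansson\, Thomas" is one RDN whose value contains a comma; splitting on every comma would produce a bogus second RDN and a wrong parent DN.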




