A company has a few departments and several hundred employees. Its HR department maintains bulky registers and Excel sheets that contain information about all employees. Now, if you need to find the e-mail address or cellphone number of a colleague, you can call madam HR, who will do the needful. Another scenario could be the frequent calls to the system administrator about the queue name of a network-shared printer, shared login credentials and IP address of the new database server.
Some organizations maintain searchable databases of such information. Some may also have a hierarchical diagram of the entire organization, which depicts all the departments and the details of the resources (hardware or software) installed in each department (much like a network diagram generated using Visio). So, if you know that the network printer is lying in department d1, you can easily search for its queue name through the diagram. LDAP, or Lightweight Directory Access Protocol, facilitates all this, and much more.
LDAP is an open protocol for directory services on a network, whether an intranet or the Internet. A software directory service is much like the yellow pages of a telephone directory, which you use to find details about individuals and services such as fire stations, hospitals and hotels. On a computer network, you can use LDAP to find details about individuals, such as their full names, addresses and telephone numbers. LDAP can also hold the logins, passwords, paths and IP addresses needed to access shared resources on the network (such as printers, hard disks and scanners). You use an LDAP client to browse the directory service. For example, Outlook Express is a simple LDAP client, which can retrieve individuals’ details and e-mail addresses from an LDAP directory.
Entry Name: Shekhar Govindarajan

Attribute | Value
First Name | Shekhar
Last Name | Govindarajan
Address | xyz, New Delhi
Phone | 12345678
E-mail | shekharg@cmil.com
LDAP Server and Client
Like most network services, an LDAP-based directory service consists of a server (or daemon), called slapd in OpenLDAP, and one or more clients. The daemon is usually run on a server-class machine (for performance reasons) and listens for client connections on port 389 by default. LDAP maintains the directory of resources in a logical, tree-like structure. Upon connection, an LDAP client can browse or search through this tree, or hierarchy, of resources. LDAP uses TCP/IP for the connection between the client and the server, and hence can be used on a local TCP/IP network or across the Internet.
Directory Entries
Each record in an LDAP directory is called an Entry. For example, to enter the details of a person named Shekhar Govindarajan, an Entry named ‘Shekhar Govindarajan’ is created. The name of the Entry must be unique across the directory services running on the connected networks. The scheme for coming up with a unique entry name is discussed later in this article. For the time being, assume that ‘Shekhar Govindarajan’ is a unique entry name. All the details of Shekhar then take the form of attribute-value pairs (within the Entry), as shown in the table above.
An e-mail client such as Outlook Express can communicate with an LDAP server and construct an address book out of the Entries stored on the server. There can be a problem here. While entering the attributes and their values in the directory service, you might name the attribute for ‘first name’ fname in one entry and first_name in another. LDAP clients cannot cope with such inconsistency. Hence, there must be a consistent naming scheme for the attributes. To achieve this, LDAP Entries have an attribute called objectClass, which names an object class defined in the schema. The schema defines, for each object class, the names and the value formats of the attributes acceptable in an entry of that class. LDAP installations come with a number of pre-defined object classes such as organization, person, organizationalUnit and organizationalPerson. Here, the organization class defines attributes specific to an organization, such as businessCategory, postalAddress, telexNumber and internationalISDNNumber. The organizationalPerson class defines attributes such as sn (surname), mail, postalAddress and mobile. You can also construct your own schema. Schemas are usually defined in text files, using a dedicated syntax.
Tree Directory Structure
Like a tree, LDAP directories also have a root, the root entry. As we said above, each entry should have a unique name. For this, LDAP uses a unique suffix which, when appended to the entries in the directory, makes them unique across other directories. The recommended value for such a suffix is derived from the company’s domain name. For example, our company CyberMedia India Ltd owns the domain cmil.com. In LDAP, we can use the components cmil and com of this domain to construct a unique suffix as follows:
“dc=cmil,dc=com”
Here dc stands for Domain Component. Our first entry (the base entry) in the directory tree will have a unique name as “dc=cmil,dc=com”. This unique name is called a Distinguished Name or DN in LDAP terminology. The DN of the subsequent entries will have the DN of the parent entry suffixed. Like other details, the DNs are also defined as attributes of the Entries.
With all the above concepts in place, let’s look at the hierarchical diagram of an organization. The structure it depicts is the organization of CyberMedia, which consists of two departments: PCQLabs and PCQuest. CyberMedia, PCQLabs, PCQuest, Employee1, Employee2, etc. represent the Entries in the LDAP directory. The details of the organization, the departments and the employees are recorded in the directory as attribute-value pairs. Note the use of the attributes o, ou and cn in the DNs of the entries. They stand for organization, organizational unit and common name, and are used to specify the name of the organization, a department and an employee/person, respectively. Also notice that the DN of a child entry (say ‘Shekhar Govindarajan’) has the DN of the parent entry (PCQLabs) suffixed to it.
DN of the entry for Shekhar Govindarajan = “cn=shekhar govindarajan” + “DN of PCQLabs”
=> DN of the entry for Shekhar Govindarajan = “cn=shekhar govindarajan” + “ou=pcqlabs,o=cybermedia,dc=cmil,dc=com”
= “cn=shekhar govindarajan,ou=pcqlabs,o=cybermedia,dc=cmil,dc=com”
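The attribute-naming point made under Directory Entries and the DN construction shown above, as an added worked example that is not code from the original article: a short Python script that writes the CyberMedia tree in LDIF (the standard text format for LDAP entries, with values constructed for illustration), then checks each entry against an abridged, hand-written subset of the standard object classes and checks that every DN is an RDN joined to its parent’s DN under dc=cmil,dc=com. The SCHEMA table, the parse_ldif, check_schema, check_tree and validate functions, and the sample entries (including an employee2 entry that uses a home-made fname attribute) are all assumptions of this example, not part of the article or of any LDAP distribution.

```python
"""Added example: validate a small LDAP directory written as LDIF before
loading it: every entry must use only attributes its objectClass permits,
and every DN must be its own RDN followed by the DN of its parent."""
from collections import OrderedDict

# Abridged schema: object class -> attribute types it permits. Hand-written
# for this example (assumption); the real schema files allow far more.
SCHEMA = {
    "dcObject": {"dc"},
    "organization": {"o", "businessCategory", "postalAddress", "telexNumber",
                     "internationalISDNNumber", "telephoneNumber"},
    "organizationalUnit": {"ou", "description", "telephoneNumber"},
    "organizationalPerson": {"cn", "sn", "postalAddress", "telephoneNumber"},
    "inetOrgPerson": {"cn", "sn", "givenName", "mail", "mobile",
                      "postalAddress", "telephoneNumber"},
}

# Constructed LDIF mirroring the CyberMedia tree: base entry, the organization,
# two departments and one person in each. The last entry deliberately uses a
# home-made attribute name (fname) to show what the schema check catches.
SAMPLE_LDIF = """\
dn: dc=cmil,dc=com
objectClass: dcObject
dc: cmil

dn: o=cybermedia,dc=cmil,dc=com
objectClass: organization
o: cybermedia

dn: ou=pcqlabs,o=cybermedia,dc=cmil,dc=com
objectClass: organizationalUnit
ou: pcqlabs

dn: ou=pcquest,o=cybermedia,dc=cmil,dc=com
objectClass: organizationalUnit
ou: pcquest

dn: cn=shekhar govindarajan,ou=pcqlabs,o=cybermedia,dc=cmil,dc=com
objectClass: inetOrgPerson
cn: shekhar govindarajan
sn: Govindarajan
mail: shekharg@cmil.com
mobile: 12345678
postalAddress: xyz, New Delhi

dn: cn=employee2,ou=pcquest,o=cybermedia,dc=cmil,dc=com
objectClass: organizationalPerson
cn: employee2
sn: Two
fname: Employee
"""

def build_dn(rdn, parent_dn):
    """DN of a child entry = its RDN, a comma, then the parent's DN."""
    return f"{rdn},{parent_dn}" if parent_dn else rdn

def parent_of(dn):
    """Drop the leftmost RDN (assumes no escaped commas in values)."""
    return dn.partition(",")[2]

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, repeated attributes collected in order. No line folding or
    base64 ('::') support. Returns a list of (dn, attrs)."""
    entries, attrs = [], OrderedDict()
    for line in text.splitlines() + [""]:
        if not line.strip():
            if attrs:
                entries.append((attrs.pop("dn")[0], attrs))
                attrs = OrderedDict()
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return entries

def check_schema(dn, attrs):
    """Report unknown object classes and attributes that no class permits."""
    problems, allowed = [], set()
    classes = attrs.get("objectClass", [])
    for oc in classes:
        if oc in SCHEMA:
            allowed |= SCHEMA[oc]
        else:
            problems.append(f"{dn}: unknown objectClass {oc}")
    for name in attrs:
        if name != "objectClass" and name not in allowed:
            problems.append(f"{dn}: attribute {name} not permitted by "
                            f"{','.join(classes) or 'any class'}")
    return problems

def check_tree(entries, suffix):
    """Every DN must sit under the suffix, and its parent entry must have
    been defined earlier in the file."""
    problems, seen = [], set()
    for dn, _ in entries:
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"{dn}: not under suffix {suffix}")
        elif dn != suffix and parent_of(dn) not in seen:
            problems.append(f"{dn}: parent {parent_of(dn)} not defined yet")
        seen.add(dn)
    return problems

def validate(text, suffix="dc=cmil,dc=com"):
    """Run both checks over an LDIF text; an empty list means it is clean."""
    entries = parse_ldif(text)
    problems = [p for dn, attrs in entries for p in check_schema(dn, attrs)]
    return problems + check_tree(entries, suffix)

if __name__ == "__main__":
    for problem in validate(SAMPLE_LDIF):
        print(problem)
```

Run as a script, it reports only the employee2 entry, whose fname attribute is permitted by none of its object classes; the same check would flag a first_name attribute, which is exactly the inconsistency an address-book client would otherwise trip over. The tree check relies on entries appearing parent-first in the file, which is also the order in which a directory is normally populated.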
In the article Setting up LDAP on Linux, page 121 of this issue, we implement the above directory structure on an LDAP server running on Linux. We have given just one example here to explain the concept of LDAP. As said, LDAP can be used to store information about anything and everything. Being an open protocol, LDAP implementations (server and clients) are available for various platforms, including Windows, Linux, Unix and NetWare.
Shekhar Govindarajan