
July 21, 2009

Introduction to the LDAP Protocol

LDAP (Lightweight Directory Access Protocol) is the protocol used to access an information service known as a directory service. A directory service is a special kind of database system that is specifically optimized for read, browse and search operations, which sets it apart from ordinary relational databases. A directory typically holds descriptive, attribute-based information and supports fine-grained, complex filtering. Directories generally do not offer the complex transaction management or rollback strategies that general-purpose databases need for large volumes of updates; updates to a directory service are usually very simple. Such a directory can store many kinds of information, including personal data, web links and JPEG images. To reach the information stored in the directory, an access protocol running on top of TCP/IP is needed: LDAP.

Information in an LDAP directory is organized as a tree, and the actual data is stored in a data structure called an entry. An entry corresponds to a record in a relational database table: it is a set of attributes identified by a distinguished name (DN). The DN is used to reference the entry and plays the role of the primary key in a relational table. An attribute consists of a type and one or more values, comparable to a field in a relational database, which consists of a field name and a data type. The difference is that, to make retrieval convenient, a type in LDAP may hold several values, whereas a relational database requires its fields to be unrelated (normalized) to reduce data redundancy. LDAP entries are usually organized by geographic location and organizational relationship, which makes the structure very intuitive.
Figure 1. Tree-structured storage of LDAP information

As Figure 1 shows, LDAP information is stored as a tree. At the root one usually defines a country (c=CN) or a domain component (dc=com); beneath it one or more organizations (o=CSDL) or organizational units (ou=Regular). An organizational unit may contain information such as regular employees and contract employees.

In addition, LDAP controls which attributes an entry may and must carry; this is done through a special attribute called the object class (objectClass). Its value determines the rules the entry must follow, namely which attributes the entry may contain and which it must contain at minimum. For example, the Person object class requires the sn (surname) and cn (common name) attributes, but may also include optional ones such as E-mail and Phone. To summarize the attribute types used above: dc is the domain (region) a record belongs to; ou is the organization a record belongs to; cn/uid is the record's name or ID.
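As an added example (not part of the original post), the following Python code checks an LDIF entry against the rules just described: every attribute type may carry several values, the leftmost RDN of the DN must match an attribute value of the entry, and each objectClass dictates which attributes are required and which are permitted. The SCHEMA table and the sample entries are constructed for this example; a real server publishes its own schema.

```python
import re

# Constructed mini-schema in the post's spirit (an assumption; real servers publish their schema).
SCHEMA = {
    "person": {"must": {"sn", "cn"}, "may": {"mail", "telephoneNumber", "description"}},
    "organizationalUnit": {"must": {"ou"}, "may": {"description"}},
}

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {type: [values]}); types may repeat, so every attribute
    is a list. Base64 values (::) and line folding are deliberately not handled here."""
    dn, attrs = None, {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("LDIF entry has no dn line")
    return dn, attrs

def split_dn(dn):
    """'cn=Alice,ou=Regular,o=CSDL,c=CN' -> [('cn','Alice'), ('ou','Regular'), ...]; an escaped
    comma (\\,) stays inside its value, multi-valued RDNs (a=1+b=2) are not split."""
    return [tuple(p.strip() for p in rdn.partition("=")[::2]) for rdn in re.split(r"(?<!\\),", dn)]

def check_entry(dn, attrs):
    """Return the schema problems of an entry as a list of strings (empty list: it validates)."""
    problems = []
    rdn_type, rdn_value = split_dn(dn)[0]          # leftmost RDN names the entry itself
    if rdn_value not in attrs.get(rdn_type, []):   # its value must also be stored in the entry
        problems.append(f"RDN {rdn_type}={rdn_value} is not among the entry's {rdn_type} values")
    classes = attrs.get("objectClass", [])
    if not classes:
        problems.append("missing objectClass")
    allowed = {"objectClass"}
    for oc in classes:
        rules = SCHEMA.get(oc, {"must": set(), "may": set()})
        if oc not in SCHEMA:
            problems.append(f"unknown objectClass {oc}")
        for a in sorted(rules["must"] - set(attrs)):
            problems.append(f"objectClass {oc} requires attribute {a}")
        allowed |= rules["must"] | rules["may"]
    for a in sorted(set(attrs) - allowed):
        problems.append(f"attribute {a} is not permitted by any objectClass")
    return problems
```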

posted @ 2009-07-21 17:33 yellowstone
Centralized Logins Using LDAP and RADIUS

Reference: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS

 

Introduction

Many centralized database programs have been developed to allow users to log in on multiple computers using a single password. NIS was one of the first, but it doesn't encrypt the password transaction. It also uses the portmapper daemon, which uses an unpredictable range of TCP ports that are difficult for firewalls to track. LDAP (Lightweight Directory Access Protocol) provides an alternative based on the X.500 standard.

The X.500 standard defines how globally referenced directories of people should be structured. X.500 directories are organized under a common root directory in a tree hierarchy with different levels for each category of information, such as country, state, city, organization, organizational unit, and person. Designed to provide a simpler yet robust implementation of X.500, LDAP was originally used as the backbone of Microsoft's Active Directory Service and Novell's Novell Directory Services (NDS) products. LDAP can also interact with other login programs, such as Remote Authentication Dial-in User Service (RADIUS), which the network equipment of many ISPs uses to manage dialup Internet access.

It was later recognized that LDAP had features that could make it a desirable replacement for NIS in some scenarios. For example, it uses a single TCP port (389) for regular communication and another port (636) for encrypted transactions. LDAP also can interact with many login authentication, authorization, and accounting programs external to Linux and UNIX.

This chapter will first show you how to install and use LDAP on Fedora Linux systems, then go on to explain how LDAP interacts with RADIUS.

The LDAP Directory Structure

Like X.500, LDAP directory entries are arranged in a tree structure. Under the root, there are branches that represent countries, organizations, organizational units, and people.

In complicated LDAP deployments, in which you have to exchange information with the LDAP databases of other companies, you may want to get a formal organization number from the Internet Assigned Numbers Authority (IANA) to reduce any data conflicts. In the chapter's example this won't be necessary. Because there will be no data sharing, I'll just make up one.

Scenario

These concepts are easier to explain when working from an example, so imagine the IT department in a small organization called example.com has many Linux servers it needs to administer.

........

posted @ 2009-07-21 11:51 yellowstone