LDAP and X.500 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
LDAP and X.500
  • Jieping Lu
  • summer, 1999

2
LDAP
  • The LDAP protocol was designed by University of
    Michigan to provide access to the X.500 Directory
    while not incurring the resource requirements of
    the Directory Access Protocol (DAP).
  • LDAP is a protocol for clients to query and
    manage information in a (hierarchical) Directory
    Service over a TCP connection
  • port number 389
  • Version 2 - RFC 1777, Version 3 - RFC 2551

3
LDAP and X.500
  • LDAP was originally developed as a front end to
    X.500, the OSI directory service. X.500 defines
    the Directory Access Protocol (DAP) for clients
    to use when contacting directory servers. DAP is
    a heavyweight protocol that runs over a full OSI
    stack and requires a significant amount of
    computing resources to run. LDAP runs directly
    over TCP and provides most of the functionality
    of DAP at a much lower cost.
  • The stand-alone LDAP daemon, or slapd, is meant
    to remove much of the burden from the server side
    just as LDAP itself removed much of the burden
    from clients. If you are already running an X.500
    service and you want to continue to do so, you
    can probably stop reading this guide, which is
    all about running LDAP via slapd, without running
    X.500.

4
  • Benefits
  • 1. Widespread development efforts around the
    protocol
  • 2. Widely available clients (for e-mail type
    querying)
  • 3. Protocol allows "replication"
  • 4. Protocol allows "referrals"
  • 5. Flexible directory allows rich information
    (receive HTML mail, RTF mail, URL, etc.)

5
  • Problems
  • 1. Directories have different schemas
  • 2. Security/Authentication schemes not
    standardized
  • 3. Still have the "loading"/"maintenance"
    issues
  • 4. Client interfaces that are user friendly are
    hard to do and still both allow "rich" searching
    and fast performance

6
LDAP Features
  • Designed to provide read and update access
  • Optimized for read-only applications
  • Use primitive string encoding for most data
    elements, making it more efficient and easier to
    implement
  • no compound objects or attributes
  • Run over TCP and make simplifications to full
    X.500 DAP, leaving out lesser-used features
  • An emerging distributed operation model (v3)
    defining how data may be distributed, referenced
    and organized

7
LDAP and X.500
  • LDAP provides a low-overhead way of accessing the
    X.500 directory
  • Run over TCP and make simplifications to full
    X.500 DAP, leaving out lesser-used features
  • Produce smaller protocol exchanges and smaller
    and less complex clients

8
Relationship between LDAP and X.500
  [Diagram; only the box labels survive: X.500 DSA,
  X.500 DSA, LDAP Client, LDAP Server, Web Server,
  LDAP Data]
9
Key Components
  • Data Format
  • defines how the directory information is stored
    and recalled
  • Protocol
  • defines how clients and servers interact with each
    other
  • API
  • for programs to interact with an LDAP server

10
Data Format
  • Data are stored as objects.
  • Objects are defined by object classes.
  • Objects contain attributes.
  • The schema defines the attributes and objects that
    can be used in the DSA
  • In addition, a schema should define
  • the server's name
  • port
  • super user account
  • root domain of the object tree

11
Object Classes
  • Domain object
  • root level objects, defined by domainObject
  • Group object
  • contains DN of member entries
  • defined by groupOfUniqueMembers
  • Organizational Unit Object
  • defined by OrganizationalUnit class
  • Person Object
  • used to describe people in an organization
  • has two more specific types
  • organizationalPerson and InetOrgPerson
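To make slides 10 and 11 concrete, here is an added example (not from the slides): a minimal LDIF reader and a check of the MUST attributes that RFC 2256 defines for the object classes named above (note that the standard name of the group class the slide calls groupOfUniqueMembers is groupOfUniqueNames). The sample entries are constructed for this example.

```python
"""Added example (not from the slides): minimal LDIF reader plus a check of the MUST
attributes RFC 2256 defines for the slides' object classes. Sample data is constructed."""

SCHEMA_MUST = {"top": {"objectclass"}, "domain": {"dc"}, "organizationalunit": {"ou"},
               "groupofuniquenames": {"cn", "uniquemember"}, "person": {"cn", "sn"},
               "organizationalperson": set(), "inetorgperson": set()}

SAMPLE_LDIF = """\
dn: cn=jlu,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: jlu

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: cn=jlu,ou=people,
 dc=example,dc=com
"""

def parse_ldif(text: str) -> list:
    """One {attr_lower: [values]} dict per blank-line-separated entry. Handles RFC 2849
    line folding (leading space continues the previous value); no base64 or comments."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and last:
            cur[last][-1] += raw[1:]
            continue
        if not raw:
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        cur.setdefault(last, []).append(value.lstrip())
    return entries

def schema_violations(entry: dict) -> list:
    """List missing MUST attributes and object classes the schema does not know."""
    problems = []
    for oc in entry.get("objectclass", []):
        must = SCHEMA_MUST.get(oc.lower())
        if must is None:
            problems.append(f"unknown objectClass {oc}")
            continue
        problems += [f"{oc} requires {a}" for a in sorted(must - set(entry))]
    return problems
```

The first sample entry is deliberately missing sn, which person requires, so the check reports it; the group entry passes.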

12
DAP in X.500
  • DAP (Directory Access Protocol)
  • defines the directory services provided to the
    user
  • Defines 4 read-like operations
  • read, compare, list, search
  • and 5 write-like operations
  • addEntry
  • removeEntry
  • modifyEntry
  • ModifyRDN - change the relative distinguished
    name
  • ModifyDN - change the distinguished name

13
The LDAP Protocol
  • Designed to perform client side protocol
    operations against the server
  • Basic Steps
  • Connects to the server
  • Performs operations
  • Disconnects from the server
  • Operations
  • binding to the server
  • comparing entries
  • modifying entries
  • modifying RDN
  • searching the server
  • adding entries
  • removing entries

14
The LDAP Protocol
  • Other services (in version 3)
  • referral
  • allows LDAP servers to link to each other
  • can be transparent to end users
  • does not support server chaining--the CLIENT has
    to contact the referred server itself
  • replication
  • no standard yet
  • In the U of M implementation,
  • slapd produces an update log
  • slurpd exchanges the updates
  • the two servers store identical information -
    not selective replication
  • security
  • no standard for Access Control Lists (ACLs)
  • support SASL and SSL protocols
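The bind step of slide 13 and the SASL/SSL point of slide 14, as an added example that is not part of the slides: a hand-built LDAPv3 simple BindRequest in BER (the wire encoding LDAP uses), plus a small reader that shows a simple bind on plain TCP port 389 carries the DN and password as-is, which is why an encrypted transport or a SASL mechanism matters. The DN and password are constructed sample values.

```python
"""Added example (not from the slides): hand-encode an LDAPv3 simple BindRequest
in BER and read it back, to show why slide 14's 'support SASL and SSL' matters:
a simple bind on plain TCP port 389 carries the DN and password as-is."""

def ber_len(n: int) -> bytes:
    """BER length octets: short form under 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {
         version 3, name LDAPDN, authentication simple [0] OCTET STRING } }"""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))   # 0x60 = [APPLICATION 0]

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def cleartext_simple_bind(pkt: bytes):
    """Detection helper: if pkt is a simple bind carrying a non-empty password,
    return the bind DN (what a passive observer on the path would learn);
    return None for SASL binds ([3]) or anything that is not a bind."""
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        return None
    _, _mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        return None
    _, _ver, pos = read_tlv(bind, 0)
    _, dn, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    if tag != 0x80 or not auth:       # anonymous/unauthenticated binds carry no secret
        return None
    return dn.decode()
```

Running the reader over unencrypted port 389 traffic is the kind of check that tells you which accounts still bind with a cleartext password and should move to SASL or LDAP over SSL.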

15
LDAP APIs
  • University of Michigan API
  • C API
  • Netscape SDK
  • C/C++, Java, Perl
  • Sun JNDI
  • Microsoft ADSI

16
LDAP Servers
  • OpenLDAP (U of M)
  • www.openldap.org
  • Unix; NT support planned (1999)
  • Netscape Directory Server ( Netscape)
  • native LDAP server
  • Novell Directory Service
  • provides LDAP interface to X500 NDS
  • Active Directory (Microsoft)
  • comes with NT 2000
  • Sun Directory Services (Sun)
  • native LDAP server to replace NIS/NIS+
  • may incorporate Netscape directory server
  • Innosoft
  • LDAP server and LDAP administrative tools

17
URL format of LDAP
  • Allows LDAP directories to be accessed from the web
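The LDAP URL format the slide refers to is the one in RFC 2255: ldap://host[:port]/dn[?attrs[?scope[?filter[?extensions]]]], with the fields positional and percent-encoded. As an added example (not from the slides), here is a parser that applies the RFC's defaults and refuses critical ("!"-prefixed) extensions the client does not implement, as the RFC requires.

```python
"""Added example (not from the slides): parse the RFC 2255 LDAP URL form
ldap://host[:port]/dn[?attrs[?scope[?filter[?extensions]]]] with the RFC's
defaults, and refuse critical ('!'-prefixed) extensions the client does not know."""
from urllib.parse import urlsplit, unquote

SCOPES = {"base", "one", "sub"}
KNOWN_EXTENSIONS = {"bindname"}          # the only extension RFC 2255 itself defines

def parse_ldap_url(url: str) -> dict:
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {p.scheme!r}")
    # urlsplit ends the path at the first '?', so every remaining positional
    # field lands in p.query; split those back apart and pad to four fields.
    fields = p.query.split("?") if p.query else []
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, exts = fields[:4]
    scope = scope.lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"bad scope: {scope!r}")
    return {
        "scheme": p.scheme,
        "host": p.hostname or "",          # empty host means "a default server"
        "port": p.port or (636 if p.scheme == "ldaps" else 389),
        "dn": unquote(p.path.lstrip("/")),
        "attrs": [unquote(a) for a in attrs.split(",") if a],   # [] = all attributes
        "scope": scope,
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": [unquote(e) for e in exts.split(",") if e],
    }

def unsupported_critical_extensions(parsed: dict) -> list:
    """RFC 2255: a '!'-prefixed extension is critical; a client that does not
    implement it must reject the URL instead of silently ignoring it."""
    bad = []
    for ext in parsed["extensions"]:
        name = ext.lstrip("!").split("=", 1)[0].lower()
        if ext.startswith("!") and name not in KNOWN_EXTENSIONS:
            bad.append(name)
    return bad
```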

18
X.500 vs. LDAP
  • X.500 pros
  • Solid design for large scale distributed
    directory service
  • well defined information models (how data are
    represented, organized and named)
  • tight security (the access control model)
  • support for replication (DISP) and chaining
    (DOP)
  • X.500 cons
  • Implementation is difficult (full OSI stack)
  • changes will be made to support TCP/IP in the new
    version
  • Too large to run on PC clients
  • Poor user interface

19
X.500 vs. LDAP
  • LDAP pros
  • LDAP runs directly over TCP and provides most of
    the functionality of DAP at a much lower cost.
  • Faster and more efficient than the DAP defined in
    X.500
  • Widespread development efforts around the
    protocol
  • LDAP cons
  • Directories have different schemas
  • Security/Authentication schemes not standardized
  • Only a server access protocol
  • may lose the "lightweight" tag if it tries to
    compete with X.500