Sun Microsystems, Inc.
Chapter 12

Introduction to the LDAP Naming Service (Overview/Reference)

The LDAP chapters describe how to set up a Solaris naming client to work with the iPlanet Directory Server 5.1. A brief discussion of generic directory server requirements is in Chapter 18, General Reference.


Note - Though a directory server is not necessarily an LDAP server, in the context of these chapters the term "directory server" is considered synonymous with "LDAP server".


Audience Assumptions

The LDAP Naming Service chapters are written for system administrators who already have a working knowledge of LDAP. The following is a partial list of concepts with which you must be very familiar prior to deploying a Solaris-based LDAP naming service using this guide.

  • LDAP Information Model (entries, objectclasses, attributes, type, values)

  • LDAP Naming Model (Directory Information Tree (DIT) structure)

  • LDAP Functional Model (search parameters: base object (DN), scope, size limit, time limit, filters (Browsing Indexes for the iPlanet Directory Server), attribute list)

  • LDAP Security Model (authentication methods, access control models)

  • Overall planning and design of an LDAP directory service, including how to plan the data, design the DIT, design the topology, design the replication, and how to design the security.

Suggested Background Reading

If you need to learn more about any of the aforementioned concepts or would like to study LDAP and the deployment of directory services in general, the following are useful titles.

  • Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D and Mark C. Smith

    In addition to providing a thorough treatment of LDAP directory services, this book includes useful case studies on deploying LDAP at a large university, a large multinational enterprise, and an enterprise with an extranet.

  • iPlanet Directory Server 5.1 Deployment Guide, which is included in the documentation CD.

    This guide provides a foundation for planning your directory, including directory design (schema design, the directory tree, topology, replication, and security). The last chapter provides sample deployment scenarios to help you plan simple deployments as well as complex deployments designed to support millions of users distributed worldwide.

  • iPlanet Directory Server 5.1 Administrator's Guide, which is included in the documentation CD.

Additional Prerequisites

If you are transitioning from using NIS+ to using LDAP, refer to the Appendix entitled "Transitioning from NIS+ to LDAP" in System Administration Guide: Naming and Directory Services (FNS and NIS+) and complete the transition before proceeding with these chapters.

If you need to install the iPlanet Directory Server 5.1, refer to the iPlanet Directory Server 5.1 Installation Guide.

LDAP Naming Service Versus Other Naming Services

Below is a quick comparison between FNS, DNS, NIS, NIS+ and LDAP naming services.

NAMESPACE
    DNS   Hierarchical
    NIS   Flat
    NIS+  Hierarchical
    FNS   Hierarchical
    LDAP  Hierarchical

DATA STORAGE
    DNS   Files/resource records
    NIS   2 column maps
    NIS+  Multi columned tables
    FNS   Maps, Directories [varied]
    LDAP  Indexed database

SERVERS
    DNS   Master/slave
    NIS   Master/slave
    NIS+  Root master/non-root master; primary/secondary; cache/stub
    FNS   N/A
    LDAP  Master/replica; Multi master replica

SECURITY
    DNS   None
    NIS   None (root or nothing)
    NIS+  DES Authentication
    FNS   None (root or nothing)
    LDAP  SSL, varied

TRANSPORT
    DNS   TCP/IP
    NIS   RPC
    NIS+  RPC
    FNS   RPC
    LDAP  TCP/IP

SCALE
    DNS   Global
    NIS   LAN
    NIS+  LAN
    FNS   Global (with DNS)/LAN
    LDAP  Global

Using Fully Qualified Domain Names

One significant difference between an LDAP client and a NIS or NIS+ client is that an LDAP client always returns a Fully Qualified Domain Name (FQDN) for a host name, similar to those returned by DNS. For example, if your domain name is west.example.net, both gethostbyname() and getipnodebyname() return the FQDN form, server.west.example.net, when looking up the host named server.

Also, if you use interface-specific aliases such as server-#, a long list of fully qualified host names is returned. If you use host names to share file systems or for other such checks, you need to account for this. This is especially true if you assume non-FQDN names for local hosts and FQDNs only for remote, DNS-resolved hosts. If you set up LDAP with a domain name that differs from the DNS domain name, you might be surprised when the same host has two different FQDNs, depending on the lookup source.
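The following POSIX shell functions are an added example, not code from the Sun guide, showing one way to make a host-name check tolerate both the short names returned by NIS/NIS+/files and the FQDNs returned by LDAP or DNS. The LOCAL_DOMAINS list and the host names used are assumptions constructed for the example; it also covers the case above where the same host carries two FQDNs from two lookup sources by listing both domains as local.

```shell
#!/bin/sh
# Added example (not from the Sun guide): canonicalise host names that may come
# back as FQDNs (LDAP, DNS) or as short names (NIS, NIS+, files), so that a
# share or access check does not break when the lookup source changes.

# Assumption: the domains whose hosts you consider local. If LDAP and DNS use
# different domain names for the same hosts, list both here.
LOCAL_DOMAINS="west.example.net east.example.net"

# canonical_host NAME
#   Prints NAME lower-cased, without a trailing dot, and with any local domain
#   suffix removed, so "server", "SERVER." and "server.west.example.net" all
#   print "server". Names outside LOCAL_DOMAINS keep their full form.
canonical_host() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}
    for d in $LOCAL_DOMAINS; do
        case "$name" in
            *."$d") name=${name%."$d"}; break ;;
        esac
    done
    printf '%s\n' "$name"
}

# same_host A B
#   Exit status 0 if A and B name the same host after canonicalisation.
same_host() {
    [ "$(canonical_host "$1")" = "$(canonical_host "$2")" ]
}

# host_in_list NAME LIST
#   Exit status 0 if NAME matches any entry of the whitespace-separated LIST,
#   for example the long alias list (server-1, server-2, ...) a lookup returned.
host_in_list() {
    want=$(canonical_host "$1")
    for h in $2; do
        [ "$(canonical_host "$h")" = "$want" ] && return 0
    done
    return 1
}

# Demonstration on constructed names (no lookups are performed).
for n in server server.west.example.net SERVER.East.Example.Net. server-1.west.example.net server.other.example.org; do
    printf '%-28s -> %s\n' "$n" "$(canonical_host "$n")"
done
```

Use canonical_host on both sides of any comparison (the name from the share list and the name the resolver returned) rather than comparing raw strings; a host outside LOCAL_DOMAINS is deliberately left fully qualified so that a remote server.other.example.org is never mistaken for the local server.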

Advantages of LDAP Naming Service

  • LDAP gives you the ability to consolidate information by replacing application-specific databases, which reduces the number of distinct databases to be managed

  • LDAP allows for more frequent data synchronization between masters and replicas

  • LDAP is multi-platform and multi-vendor compatible

Disadvantages of LDAP Naming Service

The following are some disadvantages to using LDAP instead of other naming services.

  • There is no support for pre-Solaris 8 clients

  • An LDAP server cannot be its own client

  • Setting up and managing an LDAP naming service is more complex and requires careful planning


Note - A directory server (an LDAP server) cannot be its own client. In other words, you cannot configure the machine that is running the directory server software to become an LDAP naming service client.


New LDAP Naming Service Features for Solaris 9

  • Simplified configuration of LDAP directory server setup using idsconfig

  • A more robust security model that supports strong authentication and TLS-encrypted sessions. A client's proxy credentials are no longer stored in the client's profile on the directory server

  • The ldapaddent command allows you to populate and dump data onto the server

  • Service Search Descriptors and Attribute Mapping

  • New profile schema
