Internet Express for Tru64 UNIX Version 6.10 Administration Guide (5900-1418, March 2011)

11 LDAP Directory Server Administration
The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol
that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the information
available to users and applications across the network. An LDAP server can be used as a central
repository of user information. When used in this way, an LDAP server is similar to Network
Information Services (NIS), also known as the yellow pages. When compared to NIS, an LDAP
server offers the following advantages:
Scalability
    An LDAP directory can contain millions of entries without negatively affecting performance.
Centralized management
    An LDAP directory database can be used to centralize management of user-related information,
    potentially easing the cost of administering and managing that data. Directory-aware clients
    and tools can be used to make the data available where it is needed.
Access control
    The ability to modify an attribute can be controlled at the attribute level. Users can be allowed
    to modify noncritical information (such as their preferred login shell or mail forwarding address)
    on their own. Modifications to more sensitive information (such as UID, GID, or a user's home
    directory) can be restricted to authorized directory managers only.
Availability
    You can set up multiple LDAP servers to make the data in the directory highly available.
    Through a process called replication, you can ensure that all LDAP servers hold identical
    copies of the directory. When you enable replication, a special account for this purpose is
    created. The LDAP servers bind to one another using this account and, through standard LDAP
    operations, propagate changes to the directory. For more information on LDAP directory
    replication, see the documentation for your specific Directory Server.
This chapter provides the following information:
    - Understanding the LDAP directory schema (Section : Understanding the LDAP Directory Schema)
    - Managing and using the OpenLDAP directory server (Section : Managing and Using the
      OpenLDAP Directory Server)
See Section : Managing the LDAP Module for System Authentication for information on enabling
user authorization using the LDAP Module for System Authentication.
Understanding the LDAP Directory Schema
The basic unit of information in an LDAP directory is called an entry. An entry is a collection of
attribute and value pairs that describes something of interest, for example, a person, a company,
or a printer. The attribute value is constrained by its type (binary, integer, case-insensitive string,
and so on).
Entries are organized in a tree-like structure, as shown in Figure 64. Each entry in the directory
tree is identified or named with a distinguished name (DN). A distinguished name consists of a
sequence of relative distinguished names (RDNs). An RDN is one or more attribute/value pairs
that uniquely identify an LDAP entry among its siblings in the directory tree. A DN is a hierarchical
name similar to a file system pathname, while the RDN is similar to the file (or directory) name. In
distinguished names, however, the most significant part of the name (the name associated with
the root of the tree) is at the right end of the name; the least significant part is on the left end.
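The DN/RDN structure described above, as an added example that is not part of the Tru64 guide: a small parser that splits a DN into its RDNs (leftmost first), honours the RFC 4514 escaping rules for commas, plus signs and hex-escaped bytes, and derives the parent DN the way dirname derives a directory from a pathname. The sample DN is constructed for illustration.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")

def split_unescaped(text, sep):
    """Split on sep, skipping separators protected by a backslash escape."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):      # keep the escape pair intact
            cur, i = cur + text[i:i + 2], i + 2
        elif text[i] == sep:
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + text[i], i + 1
    return parts + [cur]

def unescape(value):
    """Decode RFC 4514 escapes: '\\,' -> ',' and a hex pair such as '\\2c' -> ','."""
    out, i = bytearray(), 0
    while i < len(value):
        hexpair = value[i + 1:i + 3]
        if value[i] == "\\" and len(hexpair) == 2 and set(hexpair) <= HEX_DIGITS:
            out.append(int(hexpair, 16))                # hex-escaped byte
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):   # escaped special character
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")

def parse_dn(dn):
    """RDNs leftmost (least significant) first, each a list of (type, value) pairs."""
    rdns = []
    for rdn in (split_unescaped(dn, ",") if dn else []):   # the empty DN names the root
        avas = []
        for ava in split_unescaped(rdn, "+"):              # '+' joins a multi-valued RDN
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            typ, val = ava.split("=", 1)
            val = val.lstrip(" ")
            while val.endswith(" ") and not val.endswith("\\ "):
                val = val[:-1]                             # drop trailing unescaped spaces
            avas.append((typ.strip().lower(), unescape(val)))
        rdns.append(avas)
    return rdns

def parent_dn(dn):
    """Drop the leftmost RDN; the root of the tree sits at the right end of the name."""
    return ",".join(p.strip() for p in split_unescaped(dn, ",")[1:])

if __name__ == "__main__":   # constructed sample DN with an escaped comma and a multi-valued RDN
    print(parse_dn("cn=Smith\\, John+uid=jsmith,ou=People,dc=example,dc=com"))
```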