Internet Express for Tru64 UNIX Version 6.8 Administration Guide (14233)

11 LDAP Directory Server Administration
The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service
protocol that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the
information available to users and applications across the network. An LDAP server can be used
as a central repository of user information. When used in this way, an LDAP server is similar to
Network Information Services (NIS), also known as the yellow pages. When compared to NIS,
an LDAP server offers the following advantages:
Scalability
    An LDAP directory can contain millions of entries without negatively affecting performance.

Centralized management
    An LDAP directory database can be used to centralize management of user-related information, potentially easing the cost of administration and management of data. Directory-aware clients and tools can be used to make the data available where it is needed.

Access control
    The ability to modify an attribute can be controlled at the attribute level. Users can be allowed to modify noncritical information (such as their preferred login shell or mail forwarding address) on their own. Modifications to more sensitive information (such as UID, GID, or a user's home directory) can be restricted to authorized directory managers only.

Availability
    You can set up multiple LDAP servers to make the data in the directory highly available. Through a process called replication, you can ensure that all LDAP servers have identical copies of the directory. When you enable replication, a special account for this purpose is created. The LDAP servers bind to one another using this account and, through standard LDAP commands, propagate changes to the directory. For more information on LDAP directory replication, see the documentation for your specific Directory Server.
This chapter provides the following information:
    Understanding the LDAP directory schema (Section 11.1: Understanding the LDAP Directory Schema)
    Managing and using the OpenLDAP directory server (Section 11.3: Managing and Using the OpenLDAP Directory Server)

See Section 4.1: Managing the LDAP Module for System Authentication for information on enabling user authorization using the LDAP Module for System Authentication.
11.1 Understanding the LDAP Directory Schema
The basic unit of information in an LDAP directory is called an entry. An entry is a collection of
attribute and value pairs that describes something of interest, for example, a person, a company,
or a printer. The attribute value is constrained by its type (binary, integer, case-insensitive string,
and so on).
Entries are organized in a tree-like structure, as shown in Figure 11-1. Each entry in the directory tree is identified or named with a distinguished name (DN). A distinguished name consists of a sequence of relative distinguished names (RDNs). An RDN is one or more attribute/value pairs that uniquely identify an LDAP entry among its siblings in the directory tree. A DN is a hierarchical name similar to a file system pathname, while the RDN is similar to the file (or directory) name. In distinguished names, however, the most significant part of the name (the name associated with the root of the tree) is at the right end of the name; the least significant part is at the left end.
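A worked example, added here and not part of the Tru64 guide or of any OpenLDAP code: it splits a DN into its RDNs (leaf on the left, tree root on the right, as described above), handles backslash-escaped separators inside values, rebuilds the parent DN, normalizes DNs so two spellings of the same name compare equal, and then applies the attribute-level policy from the "Access control" item earlier in this chapter (users may change their own login shell or mail forwarding address; UID, GID and home directory are reserved for directory managers). The DNs, the attribute names and the manager account cn=Manager,dc=example,dc=com are constructed for the example, and the access check is a simplified model of that policy, not OpenLDAP's ACL syntax or engine.

```python
"""Added example (not from the Tru64 guide or OpenLDAP): split a DN into RDNs,
rebuild the parent DN, normalize DNs for comparison, and apply the chapter's
attribute-level modify policy.  The policy model below is a constructed
illustration, not OpenLDAP's ACL syntax or engine."""
from typing import List, Tuple

RDN = List[Tuple[str, str]]  # one RDN: attribute/value pairs joined by '+'


def _finish(buf: List[Tuple[str, bool]]) -> str:
    # Trim only unescaped spaces; RFC 4514 escapes significant ones ("\ ").
    start, end = 0, len(buf)
    while start < end and buf[start] == (" ", False):
        start += 1
    while end > start and buf[end - 1] == (" ", False):
        end -= 1
    return "".join(ch for ch, _ in buf[start:end])


def split_dn(dn: str) -> List[RDN]:
    """Return RDNs left to right: leaf first, tree root (e.g. dc=com) last."""
    rdns: List[RDN] = []
    rdn: RDN = []
    buf: List[Tuple[str, bool]] = []   # (character, was it backslash-escaped)
    attr_type = None
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: never a separator
            buf.append((dn[i + 1], True))
            i += 2
            continue
        if ch == "=" and attr_type is None:
            attr_type, buf = _finish(buf), []
        elif ch in ",+":
            if attr_type is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdn.append((attr_type, _finish(buf)))
            attr_type, buf = None, []
            if ch == ",":                      # ',' ends the RDN, '+' continues it
                rdns.append(rdn)
                rdn = []
        else:
            buf.append((ch, False))
        i += 1
    if attr_type is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdn.append((attr_type, _finish(buf)))
    rdns.append(rdn)
    return rdns


def _escape(value: str) -> str:
    # Re-escape special characters so a rebuilt DN parses back to the same RDNs.
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    if value[:1] in (" ", "#") and not out.startswith("\\"):
        out = "\\" + out
    return out


def format_dn(rdns: List[RDN]) -> str:
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in rdns)


def parent_dn(dn: str) -> str:
    # Drop the leftmost (least significant) RDN; "" means the entry is a root.
    return format_dn(split_dn(dn)[1:])


def normalize_dn(dn: str) -> str:
    # Canonical form for equality tests: lower-case types and values (assumes
    # case-insensitive matching, true for cn/ou/dc) and sorted multi-valued RDNs.
    return format_dn([sorted((t.lower(), v.lower()) for t, v in rdn)
                      for rdn in split_dn(dn)])


# Policy from the chapter's "Access control" item (constructed model; the
# attribute names and the manager DN are illustrative).
SELF_WRITABLE = {"loginshell", "mailforwardingaddress"}    # user may edit on own entry
MANAGER_ONLY = {"uidnumber", "gidnumber", "homedirectory"}  # directory managers only
DIRECTORY_MANAGERS = {normalize_dn("cn=Manager,dc=example,dc=com")}  # constructed DN


def may_modify(bind_dn: str, entry_dn: str, attribute: str) -> bool:
    """Default-deny check: may the bound identity modify `attribute` of `entry_dn`?"""
    is_manager = normalize_dn(bind_dn) in DIRECTORY_MANAGERS
    is_self = normalize_dn(bind_dn) == normalize_dn(entry_dn)
    attr = attribute.lower()
    if attr in MANAGER_ONLY:
        return is_manager
    if attr in SELF_WRITABLE:
        return is_manager or is_self
    return False   # anything not explicitly granted is denied


if __name__ == "__main__":
    entry = "cn=Smith\\, John,ou=People,dc=example,dc=com"   # constructed entry
    print(split_dn(entry))      # leaf RDN first, dc=com last; escaped comma kept in value
    print(parent_dn(entry))     # ou=People,dc=example,dc=com
    print(may_modify("CN=Smith\\, John, OU=People, DC=Example, DC=com", entry, "loginShell"))
    print(may_modify(entry, entry, "uidNumber"))
```

Comparing DNs only after normalization matters for the "self" rule: a bind DN written with different case or spacing names the same entry, and a naive string comparison would wrongly deny (or, in other policies, wrongly grant) access. The escape handling matters for the same reason: a comma inside a value must not be mistaken for an RDN boundary when deciding who the parent or the owner of an entry is.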