LDAP introduction

1. Introduction and advantages

        LDAP：( Lightweight directory access protocol ,Lightweight Directory AccessProtocol）

        LDAP Directories store data in a tree like hierarchy , Directory is a query for 、 Professional distributed database optimized for browsing and searching , It organizes data in a tree structure . Catalog databases are different from relational databases , It has excellent read performance , But the writing performance is poor , And there are no transactions 、 Rollback and other complex functions , It's not suitable for storing frequently modified data . So the directory is naturally used to query , It's like its name . Directory service is a system composed of directory database and a set of access protocols .

        LDAP Provide very complex access control at different levels or ACI. Because these visits can be The server End control , This is much safer than using client software to ensure data security

3. LDAP The abbreviation corresponds to

        o– organization（ organization - company ）

        ou – organization unit（ Organizational unit - department ）

        c - countryName（ Country ）

        dc - domainComponent（ domain name ）

        sn – surname（ Real name ）

        cn - common name（ Common name ）

4、LDAP How to organize data

5、 Basic concepts

        1、Entry  entry ,

         Also called record item , yes LDAP The most basic particles in the world , It's like an entry in a dictionary , Or records in the database . Usually yes LDAP The addition of 、 Delete 、 change 、 Retrieval is based on items .

        dn： Each entry has a unique identification name （distinguished Name ,DN）, Like one in the picture above         dn："cn=baby,ou=marketing,ou=people,dc=mydomain,dc=org" . adopt DN The hierarchical grammatical structure of , It is convenient to show that the item is in LDAP The position in the tree , Usually used to retrieve

Base DN：LDAP At the top of the tree is the root , It's called “Base DN", Such as "dc=mydomain,dc=org".

        2 、Attribute attribute

         Each entry can have many attributes （Attribute）, For example, common people have names 、 Address 、 Phone and other attributes . Each attribute has a name and a corresponding value , Property values can have a single 、 Multiple , For example, you have multiple email .

         Attributes are not arbitrarily defined , There are rules that need to be met , And this rule can be passed schema To develop . such as , If one entry Not included in inetorgperson This schema Medium objectClass: inetOrgPerson, Then you can't assign it employeeNumber attribute , because employeeNumber Is in inetOrgPerson As defined in .

LDAP Design attributes for common objects in personnel organizations ( such as commonName,surname).

        3、 ObjectClass

         An object class is a collection of properties ,LDAP Envisioned a lot of common objects in people's organizations , And encapsulate it as an object class . Through the object class, you can easily define the item type . Each entry can directly inherit multiple object classes , In this way, all kinds of attributes are inherited .

         There are three types of object classes ： Structure type （Structural）、 Abstract type (Abstract) And auxiliary types （Auxiliary）. Structure type is the most basic type , It specifies the basic properties of object entities , Each entry belongs to and only belongs to one structured object class . An abstract type can be a structure type or a superclass of other abstract types , It organizes the common parts of object properties together , Templates called other classes , Items cannot be directly integrated into abstract object classes . Auxiliary types specify the extended properties of object entities . Each entry has at least one structural object class .

         Object classes themselves can inherit from each other , So the root class of the object class is top Abstract object classes . Take the common types of people as an example , Their inheritance relationship ：

4、 Schema

         Object class （ObjectClass）、 Attribute types （AttributeType）、 grammar （Syntax） The items are agreed respectively 、 attribute 、 value , The relationship between them is shown in the figure below . So these make up the pattern (Schema)—— A collection of object classes . Entry data usually needs to be schema checked when it is imported , It ensures that the data structure of all entries in the directory is consistent .

        schema（ Generally in /etc/ldap/schema/ Catalog ） Pay attention to the sequence before and after importing .

5、 backend & database

        ldap The background process of slapd receive 、 Response request , But actually storing data 、 The operation of obtaining data is performed by Backends It's done , And the data is stored in database in , So you can see that often you can see backend and database The instruction is the same value, such as bdb . One backend There can be multiple database instance, But every database Of suffix and rootdn Dissimilarity .

6、 LDIF

        LDIF（LDAP Data Interchange Format, Data exchange format ） yes LDAP A text format for database information , For data import and export , Every line is “ attribute : value ” Yes

 7、 Filters and Syntax

        LDAP It is a query based record structure , No matter what kind of query method , Finally, the query conditions are determined by the filter shortcomings . The filter is equivalent to SQL Medium WHERE Clause . whatever LDAP The class filter and string of must be placed in parentheses , Such as （objectclass=*）, Refers to listing all types of records （ But classification ）.

         have access to =,>=,<=,~=（ About equal to ） Compare , Such as (number<=100). Merger conditions are the strangest , The operator must be placed in front of the two operands, not in the middle , Single operands are enclosed in parentheses . Such as

        l A And B, No A&B, It is （&(A)(B)）.

        l Or use "|" Express ;

        l Non use "！" Express .

        l about " And ", or " or " The operator can be followed by multiple conditional expressions , But non post parameters are only single expressions .