Table of Contents

preface xi
acknowledgments xv
about this book xvi
getting started xix
about the cover illustration xxii

Part I Fundamental LDAP concepts 1

1 Introduction to LDAP 3
1.1 What LDAP is 4
Directory services and directory servers 4 - LDAP and directory services 4 - Other directory services 5
1.2 What LDAP is not 7
LDAP is not a relational database 7 - LDAP is not a file system for very large objects 7 - LDAP is not optimal for very dynamic objects 9 - LDAP is not useful without applications 9
1.3 Current applications 10
White pages 10 - Authentication and authorization 12 - Personalization 13 - Roaming profiles 14 - Public Key Infrastructure 14 - Message delivery 15
1.4 Brief history 15
X.500 and DAP 15 - A new standard is born 16 - LDAP goes solo 17 - LDAPv3 18
1.5 LDAP revisions and other standards 18
Replication and access control 19 - Directory Enabled Networking 21 - XML and directories 22
1.6 Directory management 23
1.7 Directory integration 24
Integration via metadirectories 27
1.8 Integration and federation via virtual directory technology 30
1.9 Why this book? 31
1.10 Summary 32
2 Understanding the LDAP information model 34
2.1 Information model overview 35
Entries 35 - Attributes 36 - LDAP entries vs. database records 36
2.2 Working with LDAP schema 37
Standard LDAP schema 37
2.3 Attribute types 39
Defining attribute types 39 - Syntax definitions 40 - Matching rules for attributes 41 - Support for multiple values 43 - Inheritance 44 - User modification 45 - Variables in Java, Perl, and C 45
2.4 Object classes 46
Defining object classes 46 - Required and allowed attributes 47 - Object class inheritance 47 - Multiple object class memberships 48 - Object class types 48 - LDAP object classes and Java or C++ classes 50
2.5 Using object modeling to design LDAP schema 51
Modeling classes 51 - Modeling relationships 51 - Modeling object instances 53
2.6 Summary 54
3 Exploring the LDAP namespace 55
3.1 What is a namespace? 56
Hierarchical namespaces 57
3.2 Specifying distinguished names 59
Choosing a relative distinguished name attribute 60 - Determining the base 62
3.3 Assigning the root naming context 64
Traditional style of assigning the root name context 64 - Domain component style of assigning the root name context 65
3.4 Selecting and designing a directory tree 65
Intranet directories 66 - Internet directories 69 - Extranet directories 71
3.5 Summary 74
4 Search criteria 75
4.1 Performing a search 76
4.2 Where to search: base and scope 76
Search base 76 - Search scope 77
4.3 What to evaluate: search filters 78
Presence filters 79 - Exact equality filters 80 - Substring matching 81 - Ordered matching (greater than/less than) 83 - Approximate filters 84 - Multiple filters: AND and OR operators 84 - Negative filters: the NOT operator 86 - Extensible searching and matching rules 86
4.4 What to return: the attribute return list 87
4.5 LDAP search criteria vs. SQL queries 87
Similarities between SQL SELECT and LDAP search criteria 88 - Differences between SQL SELECT and LDAP search criteria 88
4.6 Increasing search performance 88
4.7 Summary 89
5 Exchanging directory information 90
5.1 Representing directory information outside the directory 91
5.2 LDAP Data Interchange Format 92
Expressing entries in basic LDIF 92 - Writing LDAP changes as LDIF 94 - Representing schemas in LDIF 95 - Advantages and disadvantages of LDIF 96
5.3 Directory Services Markup Language 96
Why use DSML? 96 - Getting started with DSML 98 - A DSML example 98 - Handling binary values in DSML entries 99 - Entry changes and DSML 100
5.4 Defining directory schemas with DSML 100
DSML object classes 100 - DSML attribute types 101
5.5 XSLT and DSML 102
Converting DSML to HTML using XSLT 102
5.6 Summary 104

Part II LDAP management 105

6 Accessing LDAP directories with Perl 107
6.1 LDAP access from Perl 108
6.2 Getting started with Net::LDAP 109
Using the module 109 - Opening a connection 109 - Binding to the directory 110
6.3 Searching with Net::LDAP 111
Performing a search 111 - Understanding search scopes 113 - LDAP search filters 115 - Using search results 115 - Limiting attribute retrieval 115 - Handling referrals 116
6.4 Manipulating entries 116
Updating an entry 116 - Adding new entries 117 - Deleting an entry 117 - Renaming an entry 117
6.5 Comparing entries 118
6.6 Handling errors 119
6.7 Support for encrypted/SSL connections 119
6.8 Summary 120
7 Managing directory entries, groups, and accounts 121
7.1 Common types of managed entries 122
7.2 Entry management models 122
Centralized administration 122 - Distributed administration 124 - User self-administration/self-service 125
7.3 Creating people entries 126
People entries via a web form 127 - People entries based on existing data 130 - Summary of creating entries 134
7.4 Creating and maintaining groups 134
Explicit groups 135 - Dynamic groups and LDAP URLs 136
7.5 Representing and managing account information 136
Unix user accounts 137 - Linking Unix accounts to people 141
7.6 Managing other information 142
Security services information 142 - DNS information 142 - Directory Enabled Networking information 143 - Card catalog information 143
7.7 Summary 143
8 Synchronizing LDAP information 144
8.1 Approaches to data flow management 145
Replication 145 - File export/import 146 - Scripting 146
8.2 Data flow analysis 146
Schema mapping 147 - Determining the authoritative source 147 - Data transformation 148 - Namespace translation 149
8.3 Interchange formats 150
LDAP Data Interchange Format 150 - Directory Services Markup Language 151
8.4 Migration to LDAP 152
Migrating a simple table 152 - Migrating from multiple sources 154 - Adding new information to existing entries 157
8.5 Joining related information 159
Multikey matches 159 - Fuzzy matching 160
8.6 Synchronization 162
Synchronization to LDAP 162 - Synchronization from LDAP 163 - Bidirectional synchronization 166
8.7 Summary 167
9 Accessing operational information in LDAP 168
9.1 Getting server information 169
Retrieving available root naming contexts 169 - Extracting object class information 170 - Getting attribute type details 174
9.2 Monitoring with LDAP 178
Getting the monitor's name 178 - Reading the monitor information 178 - Polling the monitor entry 180
9.3 Testing replication 181
9.4 Summary 184
10 DSML: getting under the hood 185
10.1 DSML parsing with SAX 186
Basics of parsing XML with SAX 186 - A simple XML parser handler 186 - Parsing a simple document 188 - PerlSAX's built-in error checking 189
10.2 Parsing DSML into a Perl object 190
Beginnings of a useful DSML parser handler 192 - Handling elements in the DSML file 193 - Extracting characters between start and end tags 194 - Preparing to use DSMLHandler 194 - Invoking the SAX parser using DSMLHandler 194
10.3 Generating DSML 196
Writing directory entries 196 - Converting RFC-style LDAP schemas to DSML LDAP schemas 199 - Conversion example for object classes 199 - Converting attribute types 204
10.4 Using Perl to convert DSML with XSLT 208
Converting DSML to HTML 209
10.5 Summary 211

Part III Application integration 213

11 Accessing LDAP directories with JNDI 215
11.1 Introduction to JNDI 216
JNDI versus the LDAP Java SDK 216
11.2 JNDI architecture 216
JNDI providers 217 - The JNDI package 217
11.3 JNDI operations: the DirContext class 217
Handling basic exceptions 218 - Closing the connection 218 - Binding to the directory 218 - A reusable LDAP connection handler 219
11.4 Searching with JNDI 220
Abstracting the entry 221 - A search class 223
11.5 Adding entries 226
A simple add example 226 - A generalized add example 227
11.6 Manipulating entries 229
Modifying entries 229 - Deleting entries 230 - Renaming entries 231
11.7 Summary 232
12 Java programming with DSML 233
12.1 Writing DSML with Java 234
12.2 DSML with JNDI 235
Automatic DSML output from LDAP URLs 236
12.3 Working with schemas in DSML 237
Reading schemas with SAX 238 - Designing a basic SAX handler 240
12.4 Transformation with XSLT in Java 244
12.5 Enhancements with DSMLv2 248
Implementing interapplication communication 249 - Creating DSMLv2 SOAP requests 249 - Creating DSMLv2 SOAP requests with JNDI 252
12.6 Summary 252
13 Application security and directory services 253
13.1 The relationship between security and directories 254
What is security? 254 - How LDAP provides security 256
13.2 Storing key and certificate data 259
Preshared secret keys 259 - Public/private key pairs 261
13.3 Using digital certificates 262
Creating a digital certificate in Java 263 - Storing and distributing digital certificates 264
13.4 Managing authorization information 268
Understanding access control rules 268 - Directory authorization 269 - Application authorization 269
13.5 Encrypting LDAP sessions using JNDI and SSL 270
13.6 Summary 271

A: Standard schema reference 273
B: PerLDAP 302
index 317