
Understanding LDAP Design and Implementation

LDAP concepts and architecture
Designing and maintaining LDAP
Step-by-step approach for directory

Steven Tuttle
Ami Ehlenberger
Ramakrishna Gorthi
Jay Leiserson
Richard Macbeth
Nathan Owen
Sunil Ranahandola
Michael Storrs
Chunhui Yang

ibm.com/redbooks



International Technical Support Organization
Understanding LDAP Design and Implementation
June 2004

SG24-4986-01



Note: Before using this information and the product it supports, read the information in “Notices” on page xv.

Second Edition (June 2004)
This edition applies to Version 5, Release 2 of IBM Tivoli Directory Server.
© Copyright International Business Machines Corporation 1998, 2004. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
The team that wrote this redbook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
Summary of changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
June 2004, Second Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Part 1. Directories and LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1. Introduction to LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1.1 Directory versus database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1.2 LDAP: Protocol or directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.1.3 Directory clients and servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.1.4 Distributed directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2 Advantages of using a directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3 LDAP history and standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.3.1 OSI and the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.3.2 X.500 the Directory Server Standard . . . . . . . . . . . . . . . . . . . . . . . . 13
1.3.3 Lightweight Access to X.500 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3.4 Beyond LDAPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.4 Directory components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.5 LDAP standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.6 IBM’s Directory-enabled offerings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.7 Directory resources on the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Chapter 2. LDAP concepts and architecture. . . . . . . . . . . . . . . . . . . . . . . . 27
2.1 Overview of LDAP architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2 The informational model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.2.1 LDIF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.2.2 LDAP schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.3 The naming model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.3.1 LDAP distinguished name syntax (DNs) . . . . . . . . . . . . . . . . . . . . . . 43
2.3.2 String form. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.3.3 URL form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47



2.4 Functional model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
2.4.1 Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.4.2 Referrals and continuation references . . . . . . . . . . . . . . . . . . . . . . . 49
2.4.3 Search filter syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.4.4 Compare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.4.5 Update operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.4.6 Authentication operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
2.4.7 Controls and extended operations . . . . . . . . . . . . . . . . . . . . . . . . . . 52

2.5 Security model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.6 Directory security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.6.1 No authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2.6.2 Basic authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2.6.3 SASL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.6.4 SSL and TLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Chapter 3. Planning your directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.1 Defining the directory content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.1.1 Defining directory requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.2 Data design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.2.1 Sources for data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.2.2 Characteristics of data elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.2.3 Related data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.3 Organizing your directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.3.1 Schema design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.3.2 Namespace design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.3.3 Naming style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.4 Securing directory entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.4.1 Purpose. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.4.2 Analysis of security requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.4.3 Design overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.4.4 Authentication design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.4.5 Authorization design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.4.6 Non-directory security considerations . . . . . . . . . . . . . . . . . . . . . . . . 71
3.5 Designing your server and network infrastructure . . . . . . . . . . . . . . . . . . . 72
3.5.1 Availability, scalability, and manageability requirements . . . . . . . . . 72
3.5.2 Topology design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.5.3 Replication design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.5.4 Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Part 2. IBM Tivoli Directory Server overview and installation . . . . . . . . . . . . . . . . . . . . . . 81

Chapter 4. IBM Tivoli Directory Server overview . . . . . . . . . . . . . . . . . . . . 83
4.1 Definition of ITDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.2 ITDS 5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87



4.3 Resources on ITDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.4 Summary of ITDS-related chapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Chapter 5. ITDS installation and basic configuration - Windows . . . . . . . 95
5.1 Installable components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.2 Installation and configuration checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5.3 System and software requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.3.1 ITDS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.3.2 ITDS Server (including client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.3.3 Web Administration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.4 Installing the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.4.1 Create a user ID for ITDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.4.2 Installing ITDS with the Installshield GUI . . . . . . . . . . . . . . . . . . . . 103
5.4.3 Configuring the Administrator DN and password . . . . . . . . . . . . . . 106
5.4.4 Configuring the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.4.5 Adding a suffix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
5.4.6 Removing or reconfiguring a database . . . . . . . . . . . . . . . . . . . . . . 117
5.4.7 Enabling and disabling the change log . . . . . . . . . . . . . . . . . . . . . . 118
5.5 Starting ITDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Chapter 6. ITDS installation and basic configuration - AIX . . . . . . . . . . . 125
6.1 Installable components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
6.2 Installation and configuration checklist . . . . . . . . . . . . . . . . . . . . . . . . . . 128

6.3 System and software requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
6.3.1 ITDS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
6.3.2 ITDS Server (including client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
6.3.3 Web Administration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
6.4 Installing the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
6.4.1 Create a user ID for ITDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
6.4.2 Installing ITDS with the Installshield GUI . . . . . . . . . . . . . . . . . . . . 134
6.4.3 Configuring the Administrator DN and password . . . . . . . . . . . . . . 137
6.4.4 Configuring the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
6.4.5 Adding a suffix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
6.4.6 Removing or reconfiguring a database . . . . . . . . . . . . . . . . . . . . . . 147
6.4.7 Enabling and disabling the change log . . . . . . . . . . . . . . . . . . . . . . 148
6.5 Starting ITDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
6.6 Uninstalling ITDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Chapter 7. ITDS installation and basic configuration on Intel Linux . . . 155
7.1 Installable components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
7.2 Installation and configuration checklist . . . . . . . . . . . . . . . . . . . . . . . . . . 158
7.3 System and software requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
7.3.1 ITDS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
7.3.2 ITDS Server (including client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160



7.3.3 Web Administration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
7.4 Installing the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
7.4.1 Create a user ID for ITDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
7.4.2 Installing ITDS with the Installshield GUI . . . . . . . . . . . . . . . . . . . . 164

7.4.3 Configuring the Administrator DN and password . . . . . . . . . . . . . . 166
7.4.4 Configuring the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
7.4.5 Adding a suffix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
7.4.6 Removing or reconfiguring a database . . . . . . . . . . . . . . . . . . . . . . 174
7.4.7 Enabling and disabling the change log . . . . . . . . . . . . . . . . . . . . . . 176
7.5 Starting ITDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
7.6 Quick installation of ITDS 5.2 on Intel (minimal GUI) . . . . . . . . . . . . . . . 180
7.7 Uninstalling ITDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
7.8 Removing all vestiges of an ITDS 5.2 Install on Intel Linux . . . . . . . . . . 183
Chapter 8. IBM Tivoli Directory Server installation - IBM zSeries. . . . . . 185
8.1 Installing LDAP on z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
8.1.1 Using the ldapcnf utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
8.1.2 Running the MVS jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
8.1.3 Loading the schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
8.1.4 Enabling Native Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
8.2 Migrating data to LDAP on z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
8.2.1 Migrating LDAP server contents to z/OS . . . . . . . . . . . . . . . . . . . . 188
8.2.2 Moving RACF users to the TDBM space . . . . . . . . . . . . . . . . . . . . 189
Part 3. In-depth configuration and tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Chapter 9. IBM Tivoli Directory Server Distributed Administration . . . . 193
9.1 Web Administration Tool graphical user interface . . . . . . . . . . . . . . . . . . 194
9.2 Starting the Web Administration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
9.3 Logging on to the console as the console administrator . . . . . . . . . . . . . 196
9.4 Logging on to the console as the server administrator . . . . . . . . . . . . . . 197
9.5 Logging on as member of administrative group or as LDAP user . . . . . . 198
9.6 Logging off the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
9.7 Starting and stopping the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
9.7.1 Using Web Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
9.7.2 Using the command line or Windows Services icon . . . . . . . . . . . . 200
9.8 Console layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

9.9 Configuration only mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
9.9.1 Minimum requirements for configuration-only mode . . . . . . . . . . . . 202
9.9.2 Starting LDAP in configuration-only mode . . . . . . . . . . . . . . . . . . . 202
9.9.3 Verifying the server is in configuration-only mode . . . . . . . . . . . . . 202
9.10 Setting up the console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
9.10.1 Managing the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
9.10.2 Creating an administrative group . . . . . . . . . . . . . . . . . . . . . . . . . 208



9.10.3 Enabling and disabling the administrative group. . . . . . . . . . . . . . 209
9.10.4 Adding members to the administrative group . . . . . . . . . . . . . . . . 210
9.10.5 Modifying an administrative group member . . . . . . . . . . . . . . . . . 211
9.10.6 Removing a member from the administrative group . . . . . . . . . . . 213
9.11 ibmslapd command parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
9.12 Directory administration daemon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
9.12.1 The ibmdiradm command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
9.12.2 Starting the directory administration daemon . . . . . . . . . . . . . . . . 217
9.12.3 Stopping the directory administration daemon . . . . . . . . . . . . . . . 218
9.12.4 Administration daemon error log . . . . . . . . . . . . . . . . . . . . . . . . . . 218
9.13 The ibmdirctl command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
9.14 Manual installation of IBM WAS - Express . . . . . . . . . . . . . . . . . . . . . . 230
9.14.1 Manually installing the Web Administration Tool. . . . . . . . . . . . . . 230
9.14.2 Manually uninstalling the Web Administration Tool. . . . . . . . . . . . 231
9.14.3 Default ports used by IBM WAS - Express . . . . . . . . . . . . . . . . . . 232
9.15 Installing in WebSphere Version 5.0 or later . . . . . . . . . . . . . . . . . . . . . 234
Chapter 10. Client tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

10.1 The ldapchangepwd command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
10.1.1 Synopsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
10.1.2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
10.1.3 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
10.1.4 SSL, TLS notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
10.1.5 Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
10.2 The ldapdelete command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
10.2.1 Synopsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
10.2.2 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
10.2.3 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
10.2.4 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
10.2.5 SSL, TLS notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
10.2.6 Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
10.3 The ldapexop command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
10.3.1 Synopsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
10.3.2 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
10.3.3 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
10.4 The ldapmodify and ldapadd commands . . . . . . . . . . . . . . . . . . . . . . . 265
10.4.1 Synopsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
10.4.2 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
10.4.3 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
10.4.4 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
10.4.5 SSL, TLS notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
10.4.6 Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
10.5 The ldapmodrdn command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270




10.5.1 Synopsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
10.5.2 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
10.5.3 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
10.5.4 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
10.5.5 SSL, TLS notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
10.5.6 Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
10.6 The ldapsearch command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
10.6.1 Synopsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
10.6.2 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
10.6.3 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
10.6.4 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
10.6.5 SSL, TLS notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
10.6.6 Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
10.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Chapter 11. Schema management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
11.1 What is the schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
11.1.1 Available schema files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
11.1.2 Schema support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
11.1.3 OID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
11.1.4 Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
11.2 Modifying the schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
11.2.1 IBMAttributetypes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
11.2.2 Working with objectclasses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
11.2.3 Working with attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
11.2.4 Disallowed schema changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
11.3 Indexing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
11.4 Migrating the schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
11.4.1 Exporting the schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
11.4.2 Importing the schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

11.5 Dynamic schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Chapter 12. Group and role management . . . . . . . . . . . . . . . . . . . . . . . . . 301
12.1 Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
12.1.1 Static groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
12.1.2 Dynamic groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
12.1.3 Nested groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
12.1.4 Hybrid groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
12.1.5 Determining group membership . . . . . . . . . . . . . . . . . . . . . . . . . . 312
12.1.6 Group object classes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
12.1.7 Group attribute types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
12.2 Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
12.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318



Chapter 13. Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
13.1 General replication concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
13.1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
13.1.2 How replication functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
13.2 Major replication topologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
13.2.1 Simple master-replica topology . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
13.2.2 Master-forwarder-replica topology (ITDS 5.2 and later) . . . . . . . . 324
13.2.3 GateWay Replication Topology (ITDS 5.2 and later) . . . . . . . . . . 325
13.2.4 Peer replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
13.3 Replication agreements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
13.4 Configuring replication topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
13.4.1 Simple master-replica topology . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

13.4.2 Using the command line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
13.4.3 Promoting a replica to peer/master . . . . . . . . . . . . . . . . . . . . . . . . 364
13.4.4 Command line for a complex replication . . . . . . . . . . . . . . . . . . . . 372
13.5 Web administration tasks for managing replication . . . . . . . . . . . . . . . . 377
13.5.1 Managing topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
13.5.2 Modifying replication properties . . . . . . . . . . . . . . . . . . . . . . . . . . 380
13.5.3 Creating replication schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
13.5.4 Managing queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
13.6 Repairing replication differences between replicas . . . . . . . . . . . . . . . . 385
13.6.1 The ldapdiff command tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Chapter 14. Access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
14.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
14.2 ACL model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
14.2.1 EntryOwner information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
14.2.2 Access Control information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
14.3 Access control attribute syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
14.3.1 Subject . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
14.3.2 Pseudo DNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
14.3.3 Object filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
14.3.4 Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
14.3.5 Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
14.3.6 Access evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
14.3.7 Working with ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
14.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Chapter 15. Securing the directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
15.1 Directory security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
15.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
15.2.1 Anonymous authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
15.2.2 Basic authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433




15.2.3 Authentication using SASL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
15.2.4 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
15.3 Password policy enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
15.3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
15.4 Password encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
15.5 SSL/TLS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
15.5.1 Overview of TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
15.5.2 Overview of SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
15.5.3 SSL utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
15.5.4 Configuring SSL security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
15.6 Protection against DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
15.6.1 Non-blocking sockets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
15.6.2 Extended operation for killing connections . . . . . . . . . . . . . . . . . . 468
15.6.3 Emergency thread . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
15.6.4 Connection reaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
15.6.5 Allow anonymous bind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
15.7 Access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
15.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Chapter 16. Performance Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
16.1 ITDS application components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
16.2 ITDS LDAP caches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
16.2.1 LDAP caches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
16.2.2 LDAP filter cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
16.2.3 Filter cache bypass limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
16.2.4 LDAP entry cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
16.2.5 Measuring filter and entry cache sizes . . . . . . . . . . . . . . . . . . . . . 481
16.2.6 LDAP ACL Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
16.2.7 Setting other LDAP cache configuration variables . . . . . . . . . . . . 482
16.2.8 LDAP Attribute Cache (only on 5.2 and later) . . . . . . . . . . . . . . . . 484
16.2.9 Configuring attribute caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
16.3 Transaction and Event Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
16.4 Additional slapd and ibmslapd settings . . . . . . . . . . . . . . . . . . . . . . . . . 488
16.4.1 Tune the IBM Directory Server configuration file . . . . . . . . . . . . . 488
16.4.2 Suffixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
16.4.3 Recycle the IBM Directory Server . . . . . . . . . . . . . . . . . . . . . . . . . 490
16.4.4 Verify suffix order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
16.5 DB2 tuning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
16.5.1 Warning when IBM Directory Server is running . . . . . . . . . . . . . . 492
16.5.2 DB2 buffer pool tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
16.5.3 LDAPBP buffer pool size. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
16.5.4 IBMDEFAULTBP buffer pool size . . . . . . . . . . . . . . . . . . . . . . . . . 494
16.5.5 Setting buffer pool sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

16.5.6 Warnings about buffer pool memory usage . . . . . . . . . . . . . . . . . 495
16.5.7 Other DB2 configuration parameters . . . . . . . . . . . . . . . . . . . . . . 496
16.5.8 Warning about MINCOMMIT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
16.5.9 More DB2 configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . 496
16.5.10 Configuration script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
16.6 Directory size. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
16.7 Optimization and organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
16.7.1 Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
16.7.2 reorgchk and reorg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
16.7.3 Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
16.7.4 Distributing the database across multiple physical disks . . . . . . . 522
16.7.5 Create file systems and directories on the target disks. . . . . . . . . 524
16.7.6 Backing up the existing database . . . . . . . . . . . . . . . . . . . . . . . . . 525
16.7.7 Perform a redirected restore of the database . . . . . . . . . . . . . . . . 525
16.8 DB2 backup and restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
16.9 Concurrent updates on Symmetric Multi-Processor systems . . . . . . . . 529
16.10 AIX operating system tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
16.10.1 Enabling large files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
16.10.2 Tuning process memory size limits . . . . . . . . . . . . . . . . . . . . . . . 530
16.10.3 AIX-specific process size limits . . . . . . . . . . . . . . . . . . . . . . . . . . 531
16.10.4 AIX data segments and LDAP process DB2 connections. . . . . . 532
16.10.5 Verifying process data segment usage . . . . . . . . . . . . . . . . . . . . 532
16.11 Adding memory after installation on Solaris systems . . . . . . . . . . . . . 532
16.12 SLAPD_OCHANDLERS variable on Windows . . . . . . . . . . . . . . . . . . 533
16.13 IBM Directory Change and Audit Log . . . . . . . . . . . . . . . . . . . . . . . . . 533
16.13.1 When to configure the LDAP change log . . . . . . . . . . . . . . . . . . 533
16.13.2 When to configure the LDAP audit log . . . . . . . . . . . . . . . . . . . . 534
16.14 Hardware tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
16.14.1 Disk speed improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
16.15 Monitoring performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
16.15.1 ldapsearch with "cn=monitor" . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
16.15.2 Monitor examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
16.16 Troubleshooting error files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Chapter 17. Monitoring IBM Tivoli Directory Server . . . . . . . . . . . . . . . . 547
17.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
17.2 Monitoring tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
17.2.1 Viewing server state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
17.2.2 Viewing status of worker threads . . . . . . . . . . . . . . . . . . . . . . . . . 551
17.2.3 Viewing connections information. . . . . . . . . . . . . . . . . . . . . . . . . . 553
17.2.4 Viewing other general information about the directory server . . . . 556
17.2.5 Analyzing changelog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
17.2.6 Analyzing log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

17.3 Operating system commands for monitoring ITDS . . . . . . . . . . . . . . . . 582
17.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Part 4. Developing directory-enabled applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Chapter 18. Debugging IBM Tivoli Directory Server related issues . . . . 589
18.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
18.2 Debugging problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
18.2.1 Debugging configuration problems . . . . . . . . . . . . . . . . . . . . . . . . 590
18.2.2 Debugging directory server related errors using log files . . . . . . . 592
18.2.3 Using server debug modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
18.2.4 DB2 error log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
18.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Chapter 19. Developing C-based applications . . . . . . . . . . . . . . . . . . . . . 603
19.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
19.2 Typical API usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
19.3 API flow when searching a directory . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
19.3.1 ldap_init() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
19.3.2 ldap_simple_bind_s() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
19.3.3 ldap_search_s() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
19.3.4 ldap_first_entry() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
19.3.5 ldap_first_attribute() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
19.3.6 ldap_get_values() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
19.3.7 ldap_next_attribute() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
19.3.8 ldap_get_values() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
19.3.9 ldap_next_entry() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
19.3.10 ldap_unbind_s() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
19.4 Sample code to search a directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
19.5 API flow when updating a directory entry . . . . . . . . . . . . . . . . . . . . . . . 612
19.5.1 ldap_init() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
19.5.2 ldap_simple_bind_s() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
19.5.3 ldap_modify_s(). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
19.5.4 ldap_unbind_s() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
19.6 Sample code to update a directory entry. . . . . . . . . . . . . . . . . . . . . . . . 615
Chapter 20. Developing JNDI-based applications . . . . . . . . . . . . . . . . . . 619
20.1 The JNDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
20.2 Searching the directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
20.2.1 Creating the directory context . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
20.2.2 Performing the search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
20.2.3 Processing the search results . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
20.3 Changing a directory entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
20.3.1 Creating the directory context . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630

20.3.2 Performing the modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Part 5. Appendixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Appendix A. DSML Version 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
DSML Version 2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
DSML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
DSML Version 1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
DSML Version 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Difference between DSML v1 and DSML v2. . . . . . . . . . . . . . . . . . . . . . . 637
Difference between DSML v2 and LDAP . . . . . . . . . . . . . . . . . . . . . . . . . 637
Typical DSML Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
DSML Version 2 - IBM implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
ITDS DSML Version 2 support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
IBM DSML Version 2 top-level structure . . . . . . . . . . . . . . . . . . . . . . . . . . 640
IBM DSML LDAP Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
DSML communication between ITDI and ITDS . . . . . . . . . . . . . . . . . . . . 657
ITDS DSML Service Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Java programming examples on DSML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
JNDI introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Program examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
References to the DSML official specifications . . . . . . . . . . . . . . . . . . . . . . . 679
Appendix B. Directory Integration - IBM Tivoli Directory Integrator . . . 681
Why Directory Integration is important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Directory Integration Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
User provisioning applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Directory Integration technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Metadirectories and virtual directories . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Virtual directories vs. metadirectory technology. . . . . . . . . . . . . . . . . . . . . . . 691
Overview of IBM Tivoli Directory Integrator . . . . . . . . . . . . . . . . . . . . . . . . . . 692
Configuration of ITDI assembly lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Configuration of an ITDI Event Handler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
ITDI solution example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
ITDI solution design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
HR System Extract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
XYZ Company ITDS Directory Information Tree . . . . . . . . . . . . . . . . . . . . 707

User and group containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Application container. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
LDAP Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Solution components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Appendix C. Moving RACF users to TBDM. . . . . . . . . . . . . . . . . . . . . . . . 715
Sample programs to move RACF users to TBDM . . . . . . . . . . . . . . . . . . . . . 716
Appendix D. Schema changes that are not allowed . . . . . . . . . . . . . . . . 721
Operational attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Restricted attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Root DSE attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Schema definition attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Configuration attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
User Application attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Abbreviations and acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Online resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
How to get IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Help from IBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735

Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions
are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES
THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to IBM for the purposes of
developing, using, marketing, or distributing application programs conforming to IBM's application
programming interfaces.

Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
AIX®
Cloudscape™
DB2 Universal Database™
DB2®
Domino®
IBM®
ibm.com®
iSeries™
Lotus Notes®
Lotus®
MVS™
Notes®
OS/390®
OS/400®
pSeries®
RACF®
RDN™
Redbooks (logo)
Redbooks™
Sametime®
SecureWay®
SP2®
Tivoli Enterprise™
Tivoli®
WebSphere®
World Registry™
xSeries®
z/OS®
zSeries®

The following terms are trademarks of other companies:
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.

Preface
Lightweight Directory Access Protocol (LDAP) is a fast-growing technology for
accessing common directory information. LDAP has been embraced and
implemented in most network-oriented middleware. As an open, vendor-neutral
standard, LDAP provides an extensible architecture for centralized storage and
management of information that needs to be available to today's distributed
systems and services.

After a fast start, LDAP can now be regarded as the de facto access method for
directory information, much as the Domain Name System (DNS) is used for IP
address lookup on almost any system on an intranet and on the Internet. LDAP
is currently supported in most network operating systems, groupware, and even
shrink-wrapped network applications.

This book was written for readers who need to understand the basic principles
and concepts of LDAP. Some background knowledge of heterogeneous,
distributed systems is assumed and is highly beneficial when reading this book.
This book is not meant to be an LDAP implementation guide, nor does it contain
product-related or vendor-specific information other than as used in examples.

The team that wrote this redbook
This redbook was produced by a team of specialists from around the world
working at the International Technical Support Organization, Austin Center.
Steven Tuttle is a Project Leader for the International Technical Support
Organization (ITSO), Austin Center. He has 13 years of experience in the IT
industry. He has worked at IBM® for 10 years, with five years of experience with
IBM security products. He holds a degree in Computer Science from Clarkson
University in Potsdam, New York, with concentrations in Mathematics and
Psychology. His areas of expertise include the IBM Tivoli® Enterprise™ products
and the IBM Tivoli Security products. Before joining the ITSO, he worked for IBM
Tivoli Services in the Security Practice as an enterprise security solution
designer using IBM Tivoli software products.
Ami Ehlenberger has been with IBM for the past five years. Her career has
included working in OS/390® development, z/OS® Integration Test, and the
zSeries® Custom Technology Center. Her technical concentration is Internet
security, designing solutions that focus on WebSphere®, LDAP, and Tivoli
security products. Ami has a BS in Computer Science from Indiana University of
Pennsylvania and an MBA in e-Business from the University of Phoenix. Ami
currently manages the IBM Server and Technology Group's zSeries Services
Team. The team specializes in Web enablement and solution design,
concentrating on the zSeries platform.
Ramakrishna Gorthi is a developer for the IBM Tivoli Directory Server, Pune
Center in India. He has worked at IBM for two and a half years, including one
year of Level 2 Customer Support for the various versions of the IBM Tivoli
Directory Server. He holds a degree in Computer Engineering from Pune Institute
of Computer Technology, Pune (India). His area of expertise is the IBM Tivoli
Directory Server within the Tivoli Security products. In addition to the
experience gained as a Customer Support Representative, he has worked in the
other phases of the IBM Tivoli Directory Server product life cycle, such as
development and testing.
Jay Leiserson is a Solution Architect for Tivoli Security products. He has
twenty-five years of experience in systems analysis, solution design, and
software development. He has worked at IBM for 24 years and has an extensive
and varied background that includes directory design and integration, identity
management solution design, Internet security, and application and operating
system development for distributed systems. He holds a degree in Economics
from Antioch College in Yellow Springs, Ohio.
Richard Macbeth is an IBM Directory Services Architect for Tivoli Services,
Americas Security Practice. He has been with IBM for 25 years in the
computer/IT field with 12 years of experience in the LDAP Directory field. He has
current certifications with Novell as a Certified Directory Engineer, Certified
Novell Instructor, Certified Novell Engineer, and Sun One Directory 5 Engineer.
He has worked on a number of versions of SecureWay®/IBM Directory Server on
most platforms. He also has four years of experience with Tivoli Access Manager
and one year of experience with IBM Directory Integrator. He also held a CCNP
Certification with Cisco and had over 10 years of experience as a Senior Network
IT Specialist.
Nathan Owen is an Identity Management Architect within IBM Software Group.
Nathan has worked in the Identity Management space for over eight years with a
particular focus on directory service related technologies such as X.500/LDAP
directories, Meta-directories, and Virtual Directories. He took a three year pause
from IBM in 1999 and co-founded virtual directory vendor Octet String Inc.,
before returning to IBM late in 2002. He holds a Political Science degree from
Central Michigan University in Mt. Pleasant, Michigan. His areas of expertise
include IBM Tivoli Directory Server (ITDS), IBM Tivoli Directory Integrator (ITDI),
as well as the other products in the Tivoli Identity Management portfolio.

Sunil Ranahandola is a Software Engineer for IBM Global Services (IGSI),
India Center. He started his career with IBM in March 2001 and has almost
three years of experience in the IT industry. He holds a degree in Computer
Science from University College of Engineering, Burla, Orissa, India. His area
of expertise is IBM Tivoli Directory Services.
Michael Storrs is an IT Specialist for the Tivoli Security Group. He has seven
years of experience in the IT industry, and has worked with enterprise access
and identity management products for the last five years. He holds a degree in
Electrical Engineering from the University of Virginia. His areas of expertise
include the Tivoli Security Products, IBM Tivoli Directory Integrator, directory
servers, and application development.
Chunhui Yang is a Metadata Architect and Directory Consultant in IBM Software
Group, RTP. She has direct experience with the full project life cycle of
information systems for Microsoft®, Dow Jones, Reuters, and IBM, and has been
recognized with national awards as a chief contributor to many projects in
system architecture design, development, and deployment of directory
solutions and n-tier Web-based application solutions.
Thanks to the following people for their contributions to this project:
Tony Bhe, Tamikia Barrow, Linda Robinson, Margaret Ticknor
International Technical Support Organization, Austin Center
Julie Czubik
International Technical Support Organization, Poughkeepsie Center
Chris Ehrsam
IBM Directory Solutions Architect
John McGarvey
IBM Directory Solutions Architect/Security Integration

Become a published author
Join us for a two- to six-week residency program! Help write an IBM Redbook
dealing with specific products or solutions, while getting hands-on experience
with leading-edge technologies. You'll team with IBM technical professionals,
Business Partners and/or customers.
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you'll develop a network of contacts in IBM development labs, and
increase your productivity and marketability.

Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html

Comments welcome
Your comments are important to us!
We want our Redbooks™ to be as helpful as possible. Send us your comments
about this or other Redbooks in one of the following ways:
Use the online Contact us review form found at:
ibm.com/redbooks

Send your comments in an Internet note to:


Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. JN9B Building 003 Internal Zip 2834
11400 Burnet Road
Austin, Texas 78758-3493

Summary of changes
This section describes the technical changes made in this edition of the book and
in previous editions. This edition may also include minor corrections and editorial
changes that are not identified.

Summary of Changes
for SG24-4986-01
for Understanding LDAP
as created or updated on July 18, 2006.

June 2004, Second Edition
This revision reflects the addition, deletion, or modification of new and changed
information described below.

New information
IBM Tivoli Directory Integrator information
Information on zSeries and Intel® Linux

Changed information
Updated information to latest release of products

Part 1. Directories and LDAP

In this part we introduce directories and LDAP. Specifically, we provide an
introduction to LDAP, cover LDAP concepts and architecture, and provide some
information on how to plan for a directory deployment in your environment.
