LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. LDAP is lighter because its initial version did not include security features. LDAP originated at the University of Michigan and has been endorsed by at least 40 companies. Netscape includes it in its latest Communicator suite of products. Microsoft includes it as part of what it calls Active Directory in a number of products including Outlook Express. Novell's NetWare Directory Services interoperates with LDAP. Cisco also supports it in its networking products.
In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the Internet), the domain name system (DNS) is the directory system used to relate the domain name to a specific network address (a unique location on the network). However, you may not know the domain name. LDAP allows you to search for an individual without knowing where they're located (although additional information will help with the search).
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
- The root directory (the starting place or the source of the tree), which branches out to
- Countries, each of which branches out to
- Organizations, which branch out to
- Organizational units (divisions, departments, and so forth), which branch out to (include an entry for)
- Individuals (which includes people, files, and shared resources such as printers)
An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.
LDAP (Lightweight Directory Access Protocol) is a software protocol intended to let people locate organizations, individuals, or other resources such as files and devices on a public network or a corporate internal network. LDAP is a lightweight version of DAP, which is part of the X.500 network directory service standard. LDAP is called a lightweight protocol because its initial version did not include security features. LDAP originated at the University of Michigan and is supported by at least 40 companies. Netscape includes LDAP in its latest Communicator product line; Microsoft also makes it part of Active Directory, which is used in many products such as Outlook Express; Novell includes it in its directory services; and Cisco likewise supports it in its networking products.
An LDAP directory is organized as a tree structure with the following levels:
- The root directory (the start or source of the tree)
- Countries
- Organizations
- Organizational units (branches, departments, and so on)
- Individuals (including people, files, and shared resources such as printers)
An LDAP directory can be distributed across multiple servers; each server periodically synchronizes with the whole directory to obtain a replicated copy. Each LDAP server is called a Directory System Agent: it receives requests from users and takes responsibility for handling them, forwarding them to other Directory System Agents if necessary, while ensuring the user receives a single coordinated response.
Object Classes
An object class defines the types of entries in a directory
Object classes define what entries are possible in an LDAP directory. Every entry in an LDAP directory has an attribute named objectclass, and the objectclass attribute value(s) corresponds to an object class definition in the schema. Object classes define what attributes are required and which are optionally available for use with a directory entry. They also provide a convenient way for a user to query for all the entries with a particular objectclass attribute. For example, I might want to find all the entries with objectclass=user so I can identify all the user accounts in a Microsoft Active Directory.
Object Classes: an object class defines the types of entries in a directory
Object classes define what kinds of entries may exist in the directory. Every entry has an attribute called objectclass, whose value corresponds to an object class definition in the schema. An object class defines which attributes of an entry are required and which are optional; it also provides a convenient way for users to search for all entries that carry a particular object class attribute. For example, I might want to query all entries with objectclass=user so that I can identify all user accounts in Microsoft Active Directory.
LDIF
LDIF is a file format for LDAP directory entries
LDIF stands for the LDAP Data Interchange Format. LDIF is used to represent the entries of an LDAP directory or a set of changes to an LDAP directory in a text-based file format. You can use LDIF for a variety of management functions, including directory backup, replication, schema modifications, and bulk import or modifications of directory information.
LDIF allows complex manipulations on large sets of entries
Manipulation of directory information while it is in the LDIF format is much easier than in an LDAP directory. Text manipulation programming languages such as Perl can be used to do more complex operations and perform bulk modifications on many directory entries while they are in a text-based file format. The LDIF format lends itself to simplifying changes to data sets that would be more difficult without it. For example, imagine that Mycompany has moved to a new city. As the administrator, you need to modify the postalCode attribute of employees to 87345, which is the postal code at the new site. Without LDIF, you could find all the entries with the postalCode set by using a presence filter (postalCode=*), but modifying all the entries would require painstaking work. With LDIF, you could dump all the entries to a file. Using Perl or even a text editor like Microsoft Word, you could search and replace using the postalCode string as a match phrase.
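The postalCode scenario above, and the objectclass=user query from the Object Classes section, worked through in Python as an added example (this is not code from the page or from any LDAP product; the LDIF dump is constructed sample data and the function names are my own). It parses an LDIF dump, evaluates a presence or equality filter against each entry, and emits a `changetype: modify` LDIF that replaces only the named attribute, which is the safer alternative to a blind text search-and-replace: the sample deliberately contains an employeeNumber holding the same digits as the old postal code, and an attribute-aware edit leaves it untouched.

```python
"""Bulk-edit an LDIF dump attribute by attribute, instead of a blind text
search-and-replace. Added example (not code from the page); the LDIF below is
constructed sample data and the function names are my own."""
import base64
from typing import Dict, List

# Constructed sample dump: two user entries and one device. It contains a
# folded line (continuation begins with one space), a base64 value ("::"),
# and a non-address attribute that happens to hold the old postal code.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=mycompany,dc=example
objectclass: top
objectclass: person
objectclass: user
cn: Alice Example
sn: Example
postalCode: 12345
employeeNumber: 12345
description: Works at the old
  site, moving with the company

dn: uid=bob,ou=people,dc=mycompany,dc=example
objectclass: top
objectclass: person
objectclass: user
cn:: Qm9iIEV4YW1wbGU=
sn: Example
postalCode: 12345

dn: cn=print-01,ou=devices,dc=mycompany,dc=example
objectclass: top
objectclass: device
cn: print-01
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF content records into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive. Folded lines and base64 ("::") values are decoded.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:                  # the extra "" flushes the last record
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def matches(entry: Dict[str, List[str]], ldap_filter: str) -> bool:
    """Evaluate a minimal LDAP filter: presence (attr=*) or equality (attr=value).

    Equality is compared case-insensitively, which is what most directory
    attributes (cn, sn, objectclass, ...) do through caseIgnoreMatch.
    """
    body = ldap_filter.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    attr, _, wanted = body.partition("=")
    values = entry.get(attr.strip().lower(), [])
    if wanted == "*":
        return bool(values)
    return any(v.lower() == wanted.lower() for v in values)


def build_modify_ldif(entries, ldap_filter: str, attr: str, new_value: str) -> str:
    """Emit 'changetype: modify' records replacing `attr` on matching entries.

    Only the named attribute is touched, so an unrelated attribute holding the
    same string (employeeNumber above) is left alone.
    """
    records = []
    for entry in entries:
        if matches(entry, ldap_filter):
            records.append(
                f"dn: {entry['dn'][0]}\n"
                "changetype: modify\n"
                f"replace: {attr}\n"
                f"{attr}: {new_value}\n"
                "-\n"
            )
    return "\n".join(records)


if __name__ == "__main__":
    dump = parse_ldif(SAMPLE_LDIF)
    print(build_modify_ldif(dump, "(postalCode=*)", "postalCode", "87345"))
```

The generated change file is what you would feed to a standard client such as OpenLDAP's ldapmodify, and it is worth keeping alongside the original dump as a record of exactly which entries were altered.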
LDIF is a file format for directory entries
LDIF stands for the LDAP Data Interchange Format; it records the entries of an LDAP directory, or a series of changes to an LDAP directory, in a text format. You can use LDIF for all kinds of management functions, including directory backup, replication, schema modification, and bulk import or modification of directory information.
LDIF allows complex operations on large numbers of entries.
Manipulating directory information in LDIF format is much easier than doing it directly in the LDAP directory. Text-processing languages such as Perl can perform complex operations and bulk modifications on many directory entries while they are in a text file. The LDIF format simplifies changes to data sets that would otherwise be difficult. For example, imagine a company relocates to another city. As the administrator, you need to change the employees' postal code to 87345, the code at the new site. Without LDIF you would search for all entries with the filter postalCode=*, but modifying those entries would be painful. With LDIF you can export all the entries to a file and, using Perl or even a text editor such as Word, search for postalCode and replace it.
DSML
The Directory Services Markup Language v1.0 (DSMLv1) provides a means for representing directory structural information as an XML document.
DSMLv2 goes further, providing a method for expressing directory queries and updates (and the results of these operations) as XML documents. DSMLv2 documents can be used in a variety of ways. For instance, they can be written to files in order to be consumed and produced by programs, or they can be transported over HTTP to and from a server that interprets and generates them.
Directory Server(Sun Java System Directory Server Enterprise Edition 6.0) supports DSMLv2 SOAP over HTTP binding. DSML requests and responses are embedded in the body of SOAP v1.1, and transported in an HTTP/1.1 payload.
By using DSML, non-LDAP clients can perform directory operations.
The Directory Services Markup Language (DSML v1) provides a way to represent directory structural information as an XML document.
DSMLv2 goes further and uses XML documents to express directory queries and updates (including the results of these operations). DSMLv2 documents can be used in various ways: for example, they can be written to files for programs to consume, sent to a server over HTTP to be interpreted, or produced by the server and returned over HTTP.
Directory Server (Sun Java System Directory Server Enterprise Edition 6.0) supports the DSMLv2 SOAP-over-HTTP binding: DSML requests and responses are embedded in the body of SOAP v1.1 and transported in an HTTP/1.1 payload. Using DSML, non-LDAP clients can perform all kinds of directory operations.
DSML V1 Syntax
A DSML version 1 document describes either directory entries, a directory schema or both. Each directory entry has a unique name called a distinguished name (DN). A directory entry has several property-value pairs called directory attributes. Every directory entry is a member of several object classes. An entry's object classes constrain the directory attributes the entry can take. Such constraints are described in a directory schema, which may be included in the same DSML document or may be in a separate document.
Top-Level Structure
The top-level document element of DSML is of the type dsml, which may have child elements of the following types:
- directory-entries
- directory-schema
The child element directory-entries may in turn have child elements of the type entry. Similarly the child element directory-schema may in turn have child elements of the types class and attribute-type.
At the top level, the structure of a DSML document looks like this:
```xml
<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
  <dsml:directory-entries>
    <dsml:entry dn=""></dsml:entry>
    ...
  </dsml:directory-entries>
  ...
  <dsml:directory-schema>
    <dsml:class id=""></dsml:class>
    <dsml:attribute-type id=""></dsml:attribute-type>
    ...
  </dsml:directory-schema>
</dsml:dsml>
```
Directory Entries
The element type entry represents a directory entry in a DSML document. The entry element contains elements representing the entry's directory attributes. The distinguished name of the entry is indicated by the XML attribute dn.
Here is an XML entry to describe the directory entry:
```xml
<dsml:entry dn="">
  <dsml:objectclass>
    <dsml:oc-value>top</dsml:oc-value>
    <dsml:oc-value ref="#person">person</dsml:oc-value>
    <dsml:oc-value>organizationalPerson</dsml:oc-value>
    <dsml:oc-value>inetOrgPerson</dsml:oc-value>
  </dsml:objectclass>
  <dsml:attr name="sn"><dsml:value>Siva</dsml:value></dsml:attr>
  <dsml:attr name="uid"><dsml:value>Heman</dsml:value></dsml:attr>
  <dsml:attr name="mail"><dsml:value>[email protected]</dsml:value></dsml:attr>
  <dsml:attr name="givenname"><dsml:value>Siva V. Kumar</dsml:value></dsml:attr>
  <dsml:attr name="cn"><dsml:value>Siva Kumar</dsml:value></dsml:attr>
</dsml:entry>
```
Schema Entries
The element type class represents a schema entry in a DSML document. The class element takes an XML attribute id to make referencing easier.
For example, the object class definition for the person object class might look like the following:
```xml
<dsml:class id="person">
  <dsml:name>person</dsml:name>
  <dsml:description></dsml:description>
  <dsml:object-identifier>2.5.6.6</dsml:object-identifier>
  <dsml:attribute ref="#sn" required="true"/>
  <dsml:attribute ref="#cn" required="true"/>
  <dsml:attribute ref="#userPassword" required="false"/>
  <dsml:attribute ref="#telephoneNumber" required="false"/>
  <dsml:attribute ref="#seeAlso" required="false"/>
  <dsml:attribute ref="#description" required="false"/>
</dsml:class>
```
The directory attributes are described in a similar way. For example, the attribute definition for the cn attribute may look like this:
```xml
<dsml:attribute-type id="cn">
  <dsml:name>cn</dsml:name>
  <dsml:description></dsml:description>
  <dsml:object-identifier>2.5.4.3</dsml:object-identifier>
  <dsml:syntax>1.3.6.1.4.1.1466.115.121.1.44</dsml:syntax>
</dsml:attribute-type>
```
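The schema constraint described in this section (an entry's object classes decide which attributes it must carry) can be checked mechanically, which is useful before DSML produced outside the directory is loaded into it. The following is an added example, not code from the page or from any vendor's DSML library; it uses only the Python standard library, and the document it parses is constructed from the element names shown above (the DNs, the `sn`/`cn`/`userPassword` attribute-type entries and the deliberately incomplete second entry are assumed values). It resolves `oc-value ref="#person"` to the `class` element with that `id`, resolves each `attribute ref` through the `attribute-type` ids, and reports any required attribute an entry is missing.

```python
"""Validate DSMLv1 entries against the schema classes they reference.
Added example (not the page's code and not a vendor library); standard
library only. The document is constructed from the element names the page
shows; DNs and the incomplete second entry are assumed values."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

NS = {"dsml": "http://www.dsml.org/DSML"}   # DSMLv1 namespace

SAMPLE_DSML = """<?xml version="1.0" encoding="UTF-8"?>
<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
  <dsml:directory-entries>
    <dsml:entry dn="uid=Heman,ou=People,dc=example,dc=com">
      <dsml:objectclass>
        <dsml:oc-value>top</dsml:oc-value>
        <dsml:oc-value ref="#person">person</dsml:oc-value>
      </dsml:objectclass>
      <dsml:attr name="sn"><dsml:value>Siva</dsml:value></dsml:attr>
      <dsml:attr name="cn"><dsml:value>Siva Kumar</dsml:value></dsml:attr>
      <dsml:attr name="uid"><dsml:value>Heman</dsml:value></dsml:attr>
    </dsml:entry>
    <dsml:entry dn="uid=nosn,ou=People,dc=example,dc=com">
      <dsml:objectclass>
        <dsml:oc-value ref="#person">person</dsml:oc-value>
      </dsml:objectclass>
      <dsml:attr name="cn"><dsml:value>No Surname</dsml:value></dsml:attr>
    </dsml:entry>
  </dsml:directory-entries>
  <dsml:directory-schema>
    <dsml:class id="person">
      <dsml:name>person</dsml:name>
      <dsml:object-identifier>2.5.6.6</dsml:object-identifier>
      <dsml:attribute ref="#sn" required="true"/>
      <dsml:attribute ref="#cn" required="true"/>
      <dsml:attribute ref="#userPassword" required="false"/>
    </dsml:class>
    <dsml:attribute-type id="sn"><dsml:name>sn</dsml:name></dsml:attribute-type>
    <dsml:attribute-type id="cn"><dsml:name>cn</dsml:name></dsml:attribute-type>
    <dsml:attribute-type id="userPassword"><dsml:name>userPassword</dsml:name></dsml:attribute-type>
  </dsml:directory-schema>
</dsml:dsml>
"""


def load_schema(root: ET.Element) -> Dict[str, Set[str]]:
    """Map each class id to the set of attribute names it requires.

    Attribute refs ("#sn") resolve through attribute-type ids to the
    attribute's name, the same way oc-value ref="#person" resolves a class.
    """
    names: Dict[str, str] = {}
    for at in root.findall("dsml:directory-schema/dsml:attribute-type", NS):
        names[at.get("id")] = (at.findtext("dsml:name", namespaces=NS) or at.get("id")).lower()
    schema: Dict[str, Set[str]] = {}
    for cls in root.findall("dsml:directory-schema/dsml:class", NS):
        required: Set[str] = set()
        for a in cls.findall("dsml:attribute", NS):
            ref = a.get("ref", "").lstrip("#")
            if a.get("required") == "true":
                required.add(names.get(ref, ref.lower()))
        schema[cls.get("id")] = required
    return schema


def entry_attributes(entry: ET.Element) -> Dict[str, List[str]]:
    """Collect an entry's attr elements as {name: [values]} (names lower-cased)."""
    attrs: Dict[str, List[str]] = {}
    for a in entry.findall("dsml:attr", NS):
        attrs[a.get("name").lower()] = [v.text or "" for v in a.findall("dsml:value", NS)]
    return attrs


def entry_class_ids(entry: ET.Element) -> List[str]:
    """Class ids from oc-value ref="#id"; fall back to the text (e.g. 'top')."""
    ids = []
    for oc in entry.findall("dsml:objectclass/dsml:oc-value", NS):
        ids.append((oc.get("ref") or "#" + (oc.text or "").strip()).lstrip("#"))
    return ids


def check_document(xml_text: str) -> Dict[str, List[str]]:
    """Return {dn: [problems]}; an empty list means the entry satisfies its classes."""
    root = ET.fromstring(xml_text)
    schema = load_schema(root)
    report: Dict[str, List[str]] = {}
    for entry in root.findall("dsml:directory-entries/dsml:entry", NS):
        attrs = entry_attributes(entry)
        problems: List[str] = []
        for cid in entry_class_ids(entry):
            if cid not in schema:        # e.g. 'top': not defined in this document
                continue
            for req in sorted(schema[cid]):
                if not attrs.get(req):
                    problems.append(f"missing required attribute '{req}' for class '{cid}'")
        report[entry.get("dn")] = problems
    return report


if __name__ == "__main__":
    for dn, problems in check_document(SAMPLE_DSML).items():
        print(dn, "OK" if not problems else problems)
```

Classes an entry names but the document does not define (here `top`) are skipped rather than failed; when the schema lives in a separate document, as the text allows, load that document's `directory-schema` first and merge the two dictionaries.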
DSML Syntax
DSML v1 describes directory entries, a directory schema, or both. Every directory entry has a unique name called a distinguished name (DN). A directory entry has a number of attribute-value pairs, called directory attributes. Every directory entry is a member of several object classes, and an entry's object classes constrain which attributes the entry may have. Such constraints are described by a directory schema element in the same DSML document or in a separate document.
Top-Level Structure
The top-level element is of type dsml; it has child elements of the types directory-entries and directory-schema. directory-entries may have child elements of type entry; likewise directory-schema may have child elements of the types class and attribute-type.
Directory Entries
The element type entry represents a directory entry in a DSML document. An entry contains directory attribute elements, and the XML attribute dn specifies the entry's distinguished name. The ref attribute of oc-value is a URI reference to the class element that defines the object class; in this example it points to the element defining the person class. The child elements objectclass and attr specify the entry's object classes and attributes respectively.
Schema Entries
A schema entry has an XML attribute id that makes referencing the element easier.
DSMLv2 Document Structure
There are two types of DSMLv2 documents:
- Request document
- Response document
In a DSMLv2-based interaction between a client and a server there is a pairing of requests and responses. For each request document submitted by the client, one response document is produced by the server.
The top-level element of a request fragment is a BatchRequest and the top-level element of a response fragment is a BatchResponse.
A BatchRequest contains zero, one, or many individual request elements and a BatchResponse consists of zero, one or many individual response elements. A BatchRequest containing zero request elements is a valid request; the valid response is a BatchResponse containing zero response elements. Such a batch request/response pair can be used to verify that a server is capable of processing DSMLv2 documents.
DSMLv2 Document Structure
DSMLv2 has two document types: request documents and response documents.
In a DSMLv2-based interaction between client and server, requests and responses are paired: for every request the client submits, the server produces one response. The top-level element of a request is BatchRequest and that of a response is BatchResponse. A BatchRequest element contains zero, one, or many individual request elements, and likewise a BatchResponse contains zero, one, or many individual response elements. A BatchRequest containing zero request elements is valid, and the same holds for a BatchResponse. Such a request/response pair can be used to verify that a server can process DSMLv2 messages.
DSMLv2 Request Document:
```xml
<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">
  <modifyRequest>…</modifyRequest>
  <addRequest>…</addRequest>
  <delRequest>…</delRequest>
  <addRequest>…</addRequest>
</batchRequest>
```
DSMLv2 Response Document:
```xml
<batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core">
  <modifyResponse>…</modifyResponse>
  <addResponse>…</addResponse>
  <delResponse>…</delResponse>
  <addResponse>…</addResponse>
</batchResponse>
```
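The request/response pairing described above, as an added Python example (not code from the page and not from any directory server product): it serialises a `batchRequest` in the DSMLv2 core namespace, including the empty batch the text recommends as a server capability check, and parses a `batchResponse`, pairing each response to its request by `requestID`. The response document is constructed by hand to look like a server reply, and the DNs, request IDs and the `cn` attribute list are assumed values. Beyond the page's outline it also shows where the LDAP result code sits (inside `searchResultDone` for searches, directly under the response element otherwise) and flags requests that received no response or a non-success code.

```python
"""Build a DSMLv2 batchRequest and read back a batchResponse, pairing each
response to its request by requestID. Added example, not the page's code and
not from any directory server; the response below is constructed by hand and
the DNs and requestIDs are assumed values."""
import xml.etree.ElementTree as ET
from typing import Dict, List

DSML2 = "urn:oasis:names:tc:DSML:2:0:core"     # DSMLv2 core namespace
ET.register_namespace("dsml", DSML2)
NS = {"dsml": DSML2}


def q(tag: str) -> str:
    """Qualify a DSMLv2 element name with its namespace for ElementTree."""
    return f"{{{DSML2}}}{tag}"


def build_batch_request(ops: List[Dict[str, str]]) -> bytes:
    """Serialize a batchRequest from simple op dicts.

    {"kind": "search", "id", "base", "attr", "value"} becomes a searchRequest
    with an equalityMatch filter; {"kind": "del", "id", "dn"} becomes a
    delRequest. An empty list yields the empty batchRequest the text describes
    for checking that a server speaks DSMLv2 at all.
    """
    batch = ET.Element(q("batchRequest"))
    for op in ops:
        if op["kind"] == "search":
            req = ET.SubElement(batch, q("searchRequest"), requestID=op["id"],
                                dn=op["base"], scope="wholeSubtree",
                                derefAliases="neverDerefAliases")
            match = ET.SubElement(ET.SubElement(req, q("filter")),
                                  q("equalityMatch"), name=op["attr"])
            ET.SubElement(match, q("value")).text = op["value"]
            ET.SubElement(ET.SubElement(req, q("attributes")),
                          q("attribute"), name="cn")
        elif op["kind"] == "del":
            ET.SubElement(batch, q("delRequest"), requestID=op["id"], dn=op["dn"])
        else:
            raise ValueError(f"unsupported op kind: {op['kind']}")
    return ET.tostring(batch, encoding="utf-8")


def parse_batch_response(xml_text: str) -> Dict[str, Dict]:
    """Map requestID -> {"code": int, "descr": str, "entries": [dn, ...]}.

    For a searchResponse the result code lives in searchResultDone; for every
    other response type it is a direct resultCode child.
    """
    root = ET.fromstring(xml_text)
    results: Dict[str, Dict] = {}
    for resp in root:
        holder = resp.find("dsml:searchResultDone", NS) if resp.tag == q("searchResponse") else resp
        code = holder.find("dsml:resultCode", NS)
        results[resp.get("requestID")] = {
            "code": int(code.get("code")),
            "descr": code.get("descr", ""),
            "entries": [e.get("dn") for e in resp.findall("dsml:searchResultEntry", NS)],
        }
    return results


def unanswered(request_ids: List[str], results: Dict[str, Dict]) -> List[str]:
    """Request IDs that got no response: the one-to-one pairing was broken."""
    return [rid for rid in request_ids if rid not in results]


def failed(results: Dict[str, Dict]) -> List[str]:
    """Request IDs whose LDAP result code is not 0 (success)."""
    return [rid for rid, r in results.items() if r["code"] != 0]


# Constructed response: the search succeeded, the delete was refused
# (LDAP result code 50, insufficientAccessRights).
SAMPLE_RESPONSE = """<batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core">
  <searchResponse requestID="r1">
    <searchResultEntry dn="cn=alice,ou=people,dc=example,dc=com">
      <attr name="cn"><value>alice</value></attr>
    </searchResultEntry>
    <searchResultDone><resultCode code="0" descr="success"/></searchResultDone>
  </searchResponse>
  <delResponse requestID="r2">
    <resultCode code="50" descr="insufficientAccessRights"/>
  </delResponse>
</batchResponse>
"""

SAMPLE_OPS = [
    {"kind": "search", "id": "r1", "base": "ou=people,dc=example,dc=com",
     "attr": "objectClass", "value": "user"},
    {"kind": "del", "id": "r2", "dn": "cn=alice,ou=people,dc=example,dc=com"},
]

if __name__ == "__main__":
    print(build_batch_request(SAMPLE_OPS).decode())
    res = parse_batch_response(SAMPLE_RESPONSE)
    print("failed:", failed(res), "unanswered:", unanswered(["r1", "r2", "r3"], res))
```

In the SOAP-over-HTTP binding the bytes returned by `build_batch_request` go inside the SOAP v1.1 Body, and the `batchResponse` is extracted from the reply's Body before being handed to `parse_batch_response`; checking `failed` and `unanswered` after every batch is what turns a refused delete (like `r2` above) into something the caller notices rather than silently ignores.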
LDAP API
There are a few existing LDAP APIs out there. Here is a short list with descriptions.
API | Version | License | Description |
---|---|---|---|
Apache Directory Client API | 0.1 | ASL 2.0 | The Apache Directory Server Client API. |
jLDAP | 2008_03-01-1 | OpenLDAP Public License | A Novell contribution to the OpenLDAP project |
JNDI | 1.2 | Sun license | This is not a pure LDAP API, but it has been included in J2SE since Java 5 and is probably the API selected by many developers |
ldapSDK | 4.17 | Netscape Public License | The Mozilla API, formerly the Netscape LDAP API |
OpenDS client API | N/A | CDDL | The OpenDS API |
UnboundID API | 0.9.10 | GPLv2 | A new API developed by the UnboundID company |