LDAP
Traditionally, LDAP directory entries are arranged in a hierarchical structure that reflects organizational boundaries.
Each directory entry has a special attribute called objectClass. This attribute controls which attributes are required and allowed in an entry. That is, the values of the objectClass attribute determine the schema rules the entry must obey.
LDAP refers to entries with Distinguished Names (DNs). A DN consists of the name of the entry itself followed by the names, in order from bottom to top, of the objects above it in the directory. E.g. the complete DN for the entry in the bottom left corner of the tree below is cn=Tim Jones, o=IBM, c=US.
Each entry has at least one attribute that is used to name the entry. This naming attribute is called the Relative Distinguished Name (RDN) of the entry. (<- is this a Tivoli-specific term?)
```text
                         ("root")
                         /      \
------------------------------------------------------  objectClass=country
                   (c=US)          (c=UK)
                   /    \              \
------------------------------------------------------  objectClass=organization
            (o=IBM)    (o=Lotus)      (o=Tivoli)
            /
------------------------------------------------------  objectClass=person
     (cn=Tim Jones)
     mail=tjones@ibm.com
     telephoneNumber=555-555-1234
```
To give an LDAP server the capability to manage part of an LDAP directory, you specify the highest-level parent distinguished names in the configuration of the server. These distinguished names are called suffixes. The server can access all objects in the directory that are below the specified suffix in the directory hierarchy. E.g. if an LDAP server contained the directory shown above, it would need to have the suffix o=ibm, c=us specified in its configuration in order to be able to answer client queries regarding Tim Jones.
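As an added illustration (not part of the original notes), the Python below splits a DN into its RDNs, decides whether an entry lies under a configured suffix by comparing RDN components rather than raw strings, and checks an entry's attributes against a small objectClass schema. The schema table and the sample entries are constructed assumptions, not taken from any real server.

```python
import re
from typing import Dict, List, Tuple

# Minimal, constructed schema: objectClass -> (required attrs, optional attrs).
# A real server loads this from its schema files; this is only for illustration.
SCHEMA = {
    "country": ({"c"}, set()),
    "organization": ({"o"}, set()),
    "person": ({"cn", "sn"}, {"mail", "telephoneNumber", "description"}),
}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into RDNs, the entry's own name first. Attribute types are
    case-insensitive so they are lower-cased; values are only whitespace-trimmed.
    Handles simple single-valued RDNs; escaped commas ('\\,') are not split."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")   # first '=' separates type/value
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def rdn(dn: str) -> Tuple[str, str]:
    """The Relative Distinguished Name: the leftmost component of the DN."""
    return parse_dn(dn)[0]

def under_suffix(dn: str, suffix: str) -> bool:
    """True if dn is the suffix itself or lies below it in the tree. Compare
    component by component from the top, never by raw endswith(): case/spacing
    differences or a value that merely contains the suffix text would mislead."""
    entry, base = parse_dn(dn), parse_dn(suffix)
    if len(entry) < len(base):
        return False
    norm = lambda rdns: [(a, v.lower()) for a, v in rdns]
    return norm(entry[len(entry) - len(base):]) == norm(base)

def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Schema violations: unknown objectClass, missing required, disallowed attrs."""
    required, allowed, problems = set(), {"objectClass"}, []
    for oc in entry.get("objectClass", []):
        if oc not in SCHEMA:
            problems.append(f"unknown objectClass: {oc}")
            continue
        req, opt = SCHEMA[oc]
        required |= req
        allowed |= req | opt
    attrs = set(entry)
    problems += [f"missing required attribute: {a}" for a in sorted(required - attrs)]
    problems += [f"attribute not allowed: {a}" for a in sorted(attrs - allowed)]
    return problems
```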