In recent years, as the range of applications of LDAP (Lightweight Directory Access Protocol) has kept growing, directory service technology has become the preferred way for many new technologies to store, manage and query information. In particular, network resource lookup, user access control and authentication data, new network services, network security, general enterprise database services and security services all need directory service technology in order to build a general-purpose, complete, simple and extensible system.
Contents of directory services
A directory service is a way of managing information, and of exposing a service interface to it, in which the information is organized as a tree. A directory service system generally consists of two parts: a database, which is a distributed database with a schema describing its data, and an access protocol for that database. Directories differ from relational databases: a directory does not support the transactions needed for bulk updates, it generally performs only simple update operations, and it is optimized for retrieving large amounts of data; directory information is also widely replicated, which shortens response time and raises availability and reliability. There are currently two international standards for directory service technology: the earlier X.500 standard and the LDAP standard, which has developed rapidly in recent years. X.500 is not a single protocol but a family of specifications: X.501 (models) defines the basic model and concepts of the directory service; X.509 (authentication framework) defines how client and server authentication is handled in X.500; X.511 (abstract service definition) defines the services that X.500 must provide; X.518 (distributed operation procedures) describes how directory operations span multiple servers; X.519 (protocol specifications) defines the X.500 protocols, namely the Directory Access Protocol (DAP), the Directory System Protocol (DSP), the Directory Operational Binding Management Protocol (DOP) and the Directory Information Shadowing Protocol (DISP); X.520 (selected attribute types) defines the attribute types used by X.500; X.521 (selected object classes) defines the object classes used by X.500; and X.525 (replication) defines how directory content is replicated between directory servers. Taken together, the X.500 standards define the following.
An information model: determines the format and character set of information in the directory and how directory information is represented (this is where object classes and attributes are defined). A namespace: determines how information is organized, named and referenced, through the Directory Information Tree (DIT) and the hierarchical model. A functional model: determines the operations that may be performed on the information. An authentication framework and access control model: guarantees the security of the information in the directory and determines how access to it is controlled. A distributed operation model: determines how data is distributed, how operations on distributed data are performed, and how the global directory tree is divided into administrative domains (the directory management model). The protocols are DAP for client to server communication, DSP for the links between servers needed to serve a user's request, DISP for copying selected information to other servers, and DOP for automatically negotiating the connection configuration between servers.

Although X.500 is a complete directory service standard, it ran into many obstacles in practice. DAP, its application-layer access protocol, strictly follows the complex seven-layer ISO/OSI model and demands a great deal of the client. It ran mainly on UNIX machines and could not run on many small systems such as PCs and Macintoshes, so few people developed applications against DAP, and as TCP/IP spread the protocol became less and less relevant. The LDAP directory access standard was approved in 1993 as LDAP v1; the third version, LDAP v3, was published in 1997.
LDAP v3 was a milestone in the development of the protocol: LDAP was no longer merely a simplified version of X.500 but gained many extensions of its own, making it functionally more complete and giving it greater vitality. LDAP v3 is not a single protocol but a family of RFCs.
RFC 2251, the LDAP v3 core protocol, defines the basic models and basic operations of LDAP v3; RFC 2252 defines the basic schema elements of LDAP v3 (syntaxes, matching rules, attribute types and object classes) and the standard system schema; RFC 2253 defines the string representation of distinguished names (DNs); RFC 2254 defines the string representation of search filters; RFC 2255 defines the LDAP URL format; RFC 2256 summarizes the X.500 user schema for use with LDAP v3; RFC 2829 defines the authentication methods of LDAP v3; RFC 2830 defines how TLS is started through an extended operation; RFC 1823 defines the C language LDAP client API; and RFC 2849 defines the LDAP Data Interchange Format (LDIF) used to import and export directory data. Together these RFCs define the content of LDAP: an information model, which determines the format and character set of information in the LDAP directory and how directory information is represented (object classes, attributes, matching rules and syntaxes); a namespace, which determines how information is organized (the Directory Information Tree, DIT), the DN and RDN based naming method, and the Internet representation of LDAP information; a functional model, which determines the operations that may be performed on information, the API for those operations and the client-side behaviour; a security framework, which covers anonymous, username/password and SASL authentication in the directory, combined with TLS for protecting the communication; a distributed operation model, based on referrals; and an LDAP extension framework, based on controls and extended operations. The LDAP standards do not, however, define a general access control model or a replication protocol (the counterpart of the X.500 shadowing protocol DISP). Different LDAP vendors have implemented their own access control models and replication mechanisms, and the ongoing development of the LDAP standards is concentrated on
the access control model, the replication protocol (the IETF LDUP effort), and extended operations and controls covering query controls, sorting, language tags, dynamic directories, LDAP service discovery and so on.

Four basic models of LDAP
Information model: describes how information is represented in LDAP. Information is organized as a tree; the basic data unit of the tree is the entry, each entry is made up of attributes, and values are stored in the attributes. Information in LDAP follows a schema that resembles an object-oriented class model: every entry must belong to one or more object classes, each object class is made up of attribute types, and each attribute type has a syntax and matching rules; object classes and attribute types can be defined using inheritance. When an entry is created, the object classes it belongs to must be given, and a value must be supplied for every mandatory attribute type of those classes. An attribute type in LDAP may have multiple values. Object classes, attribute types, syntaxes and matching rules are collectively called the schema. LDAP has many standard object classes, attribute types, syntaxes and matching rules, which are specified in the LDAP standards; application domains define their own schema, and users can define custom schema as needed. This is similar to XML: beyond what the XML standard itself defines, each industry has its own standard DTD or schema, and users can extend it further; and, as with XML, LDAP users are encouraged to use standard schema as far as possible to improve interoperability. The hardest part of the schema to understand is matching rules. They are what allows LDAP to speed up queries: for different data types, different matching rules are provided, such as equality, substring (approximate) matching and ordering (greater than or less than), each defining how values of that type are compared.

Naming model: describes how data in LDAP is organized, that is, how entries are named. Every entry in LDAP has a DN and an RDN.
The DN (distinguished name) uniquely identifies the entry in the whole tree; the RDN (relative distinguished name) uniquely identifies the entry among the children of its parent. In file system terms, the file name with its full path is the DN and the file name alone is the RDN.

Functional model: describes the operations on data. LDAP has four categories of operations: query operations, such as search and compare; update operations, such as add, delete, modify and modify DN (rename); authentication operations, namely bind and unbind; and other operations, namely abandon and extended. Apart from the extended operation, the other nine are the standard LDAP operations; the extended operation is the mechanism for adding new functionality, and the standards already define extensions such as password modify and StartTLS. New RFCs and drafts keep adding extended operations, and different vendors define their own.

Security model: security in LDAP is implemented through identity authentication, secure channels and access control. Authentication: LDAP provides three authentication mechanisms, anonymous, basic and SASL (Simple Authentication and Security Layer). Anonymous access performs no authentication of the user and is suitable only for fully open data; basic authentication identifies the user by username and password, either as a simple (cleartext) password or as a digest (DIGEST-MD5, which is itself a SASL mechanism); SASL authentication allows authentication over an SSL/TLS channel, including client certificate authentication. Communication security: LDAP provides communication security based on SSL/TLS. SSL/TLS is built on PKI and is a widely used security service on the Internet.
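The information and naming models above can be made concrete with a small script. The following is an added example (not code from the original article or from any LDAP implementation): it parses a constructed LDIF record (RFC 2849 style), splits the DN into RDNs following the RFC 2253 escaping rules, shows that the first RDN is the "file name" and the rest the "path", and checks the entry against a hand-written schema. The object classes "top" and "person" follow RFC 2256; the sample entry, the attribute values and all helper names are this example's own assumptions.

```python
# Added example (not from the original article): parse a constructed LDIF record,
# split its DN into RDNs per RFC 2253, and check the entry against a minimal
# schema. "top"/"person" follow RFC 2256; the sample data is made up.
import base64

# Constructed LDIF record. Note the escaped comma inside the RDN value and the
# base64-encoded ("::") description value.
SAMPLE_LDIF = """\
dn: cn=Smith\\, John,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
cn: Smith, John
sn: Smith
description:: VGVzdCB1c2Vy
"""

# Minimal schema: object class -> superior class, MUST attributes, MAY attributes.
# Names are lower-cased because LDAP attribute and class names are case-insensitive.
SCHEMA = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userpassword", "telephonenumber", "seealso", "description"}},
}


def parse_ldif(text):
    """Parse one LDIF record into (dn, {attr: [values]}).

    Handles folded lines (a leading space continues the previous line) and
    base64 values ("attr:: base64"). changetype records and URL values are
    out of scope for this example.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def split_dn(dn):
    """Split a string DN into RDNs per RFC 2253.

    Returns a list of RDNs, each a list of (type, value) pairs; an RDN with
    several pairs is a multi-valued RDN (written with '+'). Backslash escapes
    of special characters and of two hex digits are decoded; the deprecated
    quoted form is not supported here.
    """
    hexdigits = "0123456789abcdefABCDEF"
    rdns, current, buf, attr_type = [], [], [], None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if i + 1 < len(dn) and dn[i + 1] in ",=+<>#;\\\" ":
                buf.append(dn[i + 1])
                i += 2
                continue
            if i + 2 < len(dn) and dn[i + 1] in hexdigits and dn[i + 2] in hexdigits:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # ASCII only in this example
                i += 3
                continue
            raise ValueError("invalid escape at offset %d" % i)
        if c == "=" and attr_type is None:
            attr_type = "".join(buf).strip().lower()
            buf = []
        elif c in ",+":
            if attr_type is None:
                raise ValueError("RDN without '=' at offset %d" % i)
            current.append((attr_type, "".join(buf)))
            buf, attr_type = [], None
            if c == ",":
                rdns.append(current)
                current = []
        else:
            buf.append(c)
        i += 1
    if attr_type is None:
        raise ValueError("DN does not end with an attribute value")
    current.append((attr_type, "".join(buf)))
    rdns.append(current)
    return rdns


def check_entry(attrs):
    """Return the list of schema violations for a parsed entry (empty = valid)."""
    if "objectclass" not in attrs:
        return ["entry has no objectClass"]
    must, may = set(), set()
    for oc in attrs["objectclass"]:
        name = oc.lower()
        while name is not None:  # walk up the superior-class chain
            spec = SCHEMA.get(name)
            if spec is None:
                return ["unknown objectClass: %s" % oc]
            must |= spec["must"]
            may |= spec["may"]
            name = spec["sup"]
    present = set(attrs)
    problems = ["missing MUST attribute: %s" % a for a in sorted(must - present)]
    problems += ["attribute not allowed by object classes: %s" % a
                 for a in sorted(present - must - may)]
    return problems


if __name__ == "__main__":
    dn, attrs = parse_ldif(SAMPLE_LDIF)
    rdns = split_dn(dn)
    print("RDN (file name):", rdns[0])
    print("parent (path):  ", rdns[1:])
    print("schema problems:", check_entry(attrs))
```

The naive alternative of splitting the DN on "," breaks on the escaped comma in "Smith\, John" and turns one RDN into two, which is exactly the kind of mistake that lets an attacker-controlled name be interpreted as a different position in the tree; the parser above keeps the escape so the RDN stays intact.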
LDAP starts the TLS service with the StartTLS extended operation, which provides confidentiality and integrity protection for the communication; by performing client certificate authentication over TLS, mutual authentication of the client and the server can be achieved.

Access control: although LDAP currently has no access control standard, the drafts and the actual LDAP products make it clear that LDAP access control is flexible and rich. It is implemented through access control policy statements, which differs from existing relational database and application systems, where access control is implemented with access control lists, whether group-based or role-based. When developing on a relational database, the database is usually accessed through a few fixed database user names, and the application's own access control requires a dedicated user table plus authorization code written for the different users inside the application, so the code often has to change whenever the access control policy changes. In short, in a relational database application, user data management is separated from the identity used to access the database, and complex access control has to be implemented by the application. With LDAP, user data management and access identity are one and the same, and the application does not need to implement access control itself. This is because LDAP access control is expressed as policy statements: both the objects being protected and the subjects being granted access are identified by their location in the tree and by their own data characteristics.
In LDAP the target of an authorization can be the whole directory, a subtree, a single entry, a specified set of attributes of an entry, or the entries that match a filter; the subject of an authorization can be a specific user, the members of a specific group, or all directory users; and finally, access can be restricted to a specific origin (for example an IP address or DNS name).

LDAP application
Because LDAP offers efficient queries, a tree-shaped information management model, a distributed deployment framework and flexible access control, it is widely used for basic, critical information management such as user information and network resource information. LDAP applications fall into several categories. Information security: digital certificate management, authorization management and single sign-on. Resource management: mail systems, DNS, network user management and telephone directories. At present LDAP has been applied in the Beijing University campus network user management system, Novell's EPROVISION application solution, the unified user management of the Shanghai official network, the user management of the China Digital Library system, and the provincial CAs of Beijing, Shanghai, Tianjin, Fujian and others. Application case in a municipal official network: the network runs three LDAP servers; one is the master directory of the CA in the official network project, one is the CA's slave directory, and the third stores all user information of the Shanghai official network. On top of this a web-based user management system was built; each bureau maintains its own data, and the user information in the CA system, the office automation system, the email system, the authorization management system and the shared resource management system is synchronized with the information in the directory service system through RMI interfaces.
Comparison analysis of X.500 and LDAP
Looking at the development of directory service technology, the LDAP standard is in fact a simplified version produced on the basis of the X.500 standard. The relationship between the two is therefore very different from that between two independently developed solutions to the same problem, and it should be understood and analysed on that basis. First, as an official IETF (Internet Engineering Task Force) standard, LDAP is a subset of the Directory Access Protocol (DAP) of the X.500 standard and can be used to access an X.500 directory. The two directory service standards therefore have a great deal in common: as platforms, both implement a general platform structure that provides the information service types needed by operating systems and applications, which many platforms and applications can adopt and implement; in the information model, both use entries, object classes and attributes to describe information; in the namespace, both use the directory information tree structure and the hierarchical model; in the functional model, both manage directory information with similar operations; in the authentication framework, both support username and password authentication as well as methods based on secure cryptography; in flexibility, both scale from a global directory tree down to a single directory server; and in distribution, in both the directory information can be spread over multiple directory servers and managed by organization, which preserves the overall structural consistency of the directory information while meeting the need for hierarchical administration. Like X.500 DAP, LDAP is designed to extract information from a hierarchical directory; however, to conserve network bandwidth, LDAP limits the number of results it returns from the X.500 directory.
Initially LDAP was just a simple way of accessing an X.500 directory, a functional subset of X.500, but as it matured and developed independently it acquired a number of new features that X.500 never had. Today LDAP can provide a lightweight front end to an X.500 directory service, or it can implement a stand-alone directory service. What sets LDAP apart: first, LDAP is both an access protocol for X.500 and a directory system that can be implemented independently. Second, LDAP is based on the Internet protocols whereas X.500 is based on the OSI (Open Systems Interconnection) protocols: the X.500 directory access protocol DAP sits on the application layer and requires a great deal of connection setup and packet handling in the OSI session and presentation layers, so special network software is needed to reach the network; LDAP runs directly over the simpler and far more widespread TCP/IP (or any other reliable transport), avoiding the overhead of the OSI session and presentation layers, which makes connection setup and packet processing simpler and faster and better suited to Internet and enterprise network applications. Third, the LDAP protocol is simpler: LDAP inherits the best characteristics of X.500 while removing its complexity. LDAP implements the X.500 list and read operations through its search operation, and drops the obscure and rarely used service controls and security features of X.500, keeping only the commonly used functions, which simplifies implementation.
Fourth, LDAP implements distributed access through referrals: an X.500 DSA implements distributed access by chaining operations between servers, which puts the query load on the server side, whereas LDAP has the client follow referrals (through the client API, transparently to the application), which balances the load. Finally, LDAP is low-cost, easy to configure and easy to manage.