Contents

5.1 Introduction to LDAP
  5.1.1 Basic concepts
  5.1.2 How LDAP works
  5.1.3 Operations of the LDAP protocol
  5.1.4 Extended operations
  5.1.5 The LDAP client/server connection model
5.2 The LDAP models
  5.2.1 The LDAP Information Model
    5.2.1.1 LDAP Data Interchange Format (LDIF)
    5.2.1.2 Maintaining directory systems (schemas)
  5.2.2 The LDAP Naming Model
    5.2.2.1 Distinguished names and relative distinguished names
    5.2.2.2 Aliases
  5.2.3 The LDAP Functional Model
    5.2.3.1 Interrogation operations
    5.2.3.2 Update operations
    5.2.3.3 Authentication and control operations
  5.2.4 The LDAP Security Model
5.3 Using LDAP
  5.3.1 Applications that authenticate with LDAP
  5.3.2 Some services that use the LDAP protocol
Ch. 5 Introduction to LDAP

Chapter 5 Introduction to LDAP

5.1 Introduction to LDAP

5.1.1 Basic concepts

Directory. A directory is a store of information that also supports operations for looking that information up.

LDAP (Lightweight Directory Access Protocol) is an extensible standard for a directory access protocol; put differently, it is the language that LDAP clients and servers use to talk to each other. "Lightweight" means the protocol is efficient, simple and easy to implement while still offering high-level functions. This is in contrast to a heavyweight protocol such as the X.500 Directory Access Protocol (DAP), whose encoding methods are very complex. LDAP uses a small set of simple methods and is an application-layer protocol.

LDAP version 2 is defined in RFC 1777 and RFC 1778. LDAP version 3 was published on the Internet standards track in RFC 2251 through RFC 2256 (later revised as RFC 4510 through RFC 4519). When this chapter was written the version 3 specifications were new, so not every vendor supported all of LDAPv3.

Besides its role as a network protocol, LDAP defines four models that give flexibility in how a directory is laid out:

- The LDAP Information Model defines the kinds of data you can put in the directory.
- The LDAP Naming Model defines how you organise and refer to the data in the directory.
- The LDAP Functional Model defines how you access and update the information in your directory.
- The LDAP Security Model defines how the information in your directory is protected from unauthorised access.

In addition to the models, LDAP defines an interchange format, LDIF (LDAP Data Interchange Format), a text format for describing directory information. LDIF can describe a set of directory entries or a set of updates to be applied to a directory.

5.1.2 How LDAP works

This section describes the LDAP protocol in more detail. We start by looking at LDAP as a client/server protocol.

A client/server protocol is a model of communication in which a client program running on one computer sends a request over the network to another computer running a server program; the server receives the request, carries it out and returns the result to the client.
Other examples of client/server protocols are the Hypertext Transfer Protocol (HTTP), widely used to serve web pages, and the Internet Message Access Protocol (IMAP), used to access electronic mailboxes. The basic idea of client/server is that work is assigned to the machine best equipped to do it: a typical LDAP server machine has a great deal of RAM to hold the directory contents so operations run fast, plus fast disks and processors.

LDAP is a message-oriented protocol. Client and server communicate through messages: the client builds an LDAP message containing its request and sends it to the server; the server receives the message, processes the request and answers the client, again with an LDAP message. For example, when an LDAP client wants to search the directory, it builds an LDAP search request and sends it to the server. The server searches its database and returns the results to the client in LDAP messages.

[Figure 5-1: A basic search operation. 1. The client sends a search operation. 2. The server returns entries to the client. 3. The server returns a result code.]

If a search finds several matching entries, the results are sent to the client in several messages, one per entry, followed by a final result message.

[Figure 5-2: Messages the client sends to the server.]

Because LDAP is message oriented, a client may issue several requests at the same time. In LDAP, the message ID distinguishes the client's requests from one another and ties each server response to the request it answers.

[Figure 5-3: Several search results being returned.]

Allowing several operations in flight at once makes LDAP more flexible than a protocol such as HTTP/1.0, where each client request must be answered before the next is sent: an HTTP client program such as a web browser that wants to download several files at once has to open a connection per file. LDAP works quite differently, managing all its operations over one connection.

5.1.3 Operations of the LDAP protocol

LDAP has nine basic operations, divided into three groups:

- Interrogation operations: search and compare. These two operations let us query the directory.
- Update operations: add, delete, modify and modify DN (rename). These operations let us update the information in the directory.
- Authentication and control operations: bind, unbind and abandon. Bind lets the client identify itself to the directory; it carries the identity and the credentials used to authenticate it. Unbind lets the client end the current session. Abandon lets the client indicate an operation whose results it is no longer interested in.

[Diagram details for Figures 5-2 and 5-3. (a) Two searches interleaved on one connection: 1. search operation, msgid = 1; 2. search operation, msgid = 2; 3. return entry, msgid = 1; 4. return entry, msgid = 2; 5. return code, msgid = 2; 6. return code, msgid = 1. (b) A search returning many entries: 1. search operation; 2. entry 1 returned to the client; 3. entry 2 returned; ...; N. entry N-1 returned; N+1. result code returned.]

5.1.4 Extended operations

Beyond the nine basic operations, LDAP version 3 was designed to be extensible through three mechanisms:

- LDAP extended operations. This is a new kind of protocol operation. If a new operation is needed in future, it can be defined and standardised without rebuilding the core of LDAP. One example of an extended operation is StartTLS, which tells the server that the client wants to use Transport Layer Security (TLS) to encrypt the connection and, optionally, to authenticate it.
- LDAP controls. These are pieces of information attached to an LDAP operation that change the behaviour of that operation on the same object (for example, how results are sorted or paged).
- Simple Authentication and Security Layer (SASL). SASL is a framework that supports many authentication methods. By using SASL for authentication, LDAP can easily adopt new authentication methods; SASL also lets client and server negotiate a security layer at a lower level, giving stronger protection.
These SASL mechanisms are not specific to LDAP; the same framework is shared with other Internet protocols.

5.1.5 The LDAP client/server connection model

The following is a typical exchange between an LDAP client and server.

[Figure 5-4: Connection model between client and server. 1. open connection and bind; 2. result of the bind; 3. search operation; 4. return entry #1; 5. return entry #2; 6. return code of the search operation; 7. unbind operation; 8. close connection.]

The LDAP client and server go through these steps:

1. The client opens a TCP connection to the LDAP server and performs a bind operation. The bind includes the name of a directory entry and the credentials to be used for authentication; the credential is usually a password but can also be a digital certificate that authenticates the client.
2. Once the directory has verified the identity presented in the bind, the result of the bind is returned to the client.
3. The client issues a search request.
4. The server processes the search and returns the matching entries to the client.
5. The server sends the message that ends the search (the result code).
6. The client issues an unbind request, telling the server that it wants to drop the connection.
7. The server closes the connection.

5.2 The LDAP models

LDAP defines four models: LDAP Information, LDAP Naming, LDAP Functional and LDAP Security. We now discuss each in detail, starting with the Information Model.

5.2.1 The LDAP Information Model

The LDAP Information Model defines the kinds of data and the basic units of information that you can store in the directory. Put another way, it describes the building blocks from which a directory is constructed.

The basic unit of information in a directory is the entry, a collection of information about an object. The information in an entry usually describes a real-world object such as a person, but the model does not require this. See the example directory below.

[Figure 5-5: A directory tree whose entries are the basic building blocks.]

An entry is a collection of attributes, each of which describes one particular trait of the object.
Each attribute has a type and one or more values. The type describes the kind of information the attribute holds; the values are the actual data. For example, an entry describing a person might have the attributes surname, given name, telephone number and e-mail address.

[Figure 5-5 detail: dc=airius,dc=com (the organisation itself) with the organisational units (departments) ou=Servers, ou=People, ou=Sales and ou=Engineering beneath it; below them sit entries such as cn=Engineering web server (a server application) and uid=bjensen (a person).]

[Figure 5-6: An entry with its basic attributes.]

5.2.1.1 LDAP Data Interchange Format (LDIF)

LDAP defines LDIF, a text format for describing directory information. LDIF can describe a set of directory entries or a set of updates to a directory, so directory data can be exchanged between directories in LDIF. LDIF is the standard format for importing and exporting directory information, and because LDIF files are plain ASCII they are easy to move around, for example by e-mail.

A directory entry in LDIF form:
    dn: uid=bjensen, dc=airius, dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: Barbara Jensen
    cn: Babs Jensen
    sn: Jensen
    mail: bjensen@airius.com
    telephoneNumber: +1 408 555 1212
    description: A big sailing fan.

An LDIF entry spans several lines. The first line is the distinguished name (dn), the name of the directory entry, written entirely on one line; the entry's attributes follow, one per line, in the form "attribute type: attribute value". The order of the attributes does not matter, but for readability the objectClass values should come first and the values of the same attribute type should be kept together.

Attribute syntax. Each attribute type has a syntax that describes the data that may be stored in it and how the directory compares values when searching. For example, the caseIgnoreString syntax states that case is not significant in comparisons, so "Tom" and "tom" are treated as the same value.

[Figure 5-6 detail: attribute types and attribute values. cn: Barbara Jensen, Babs Jensen; sn: Jensen; telephoneNumber: +1 408 555 1212; mail: bjensen@airius.com.]
The caseExactString syntax is the opposite: case is significant, so "Tom" and "tom" are not equivalent.

LDAP servers do not support abstract data types; they support only the standard syntaxes. This differs from protocols such as X.500, which besides the standard data types (strings, numbers, booleans) has complex types built out of them. Plug-in interfaces do, however, let new syntaxes be defined.

Attributes also fall into two classes: user attributes and operational attributes. User attributes are the normal attributes of a directory entry; they can be modified by directory users (provided, of course, that the access controls permit the modification). Operational attributes are special attributes that can only be modified by the directory server, or that report the state of the directory. One example is modifyTimestamp, which is maintained by the directory and records when the entry was last updated. When an entry is sent to a client, operational attributes are not included unless the client asks for them explicitly.

There are also constraints on attribute values. Some server software lets the administrator declare whether an attribute may hold one value or several. For example, givenName may hold several values, so a person can list more than one given name (say Jim and James), while some attributes may hold only a single value. Administrators also set limits on the range of data so that users cannot exceed what is allowed.

5.2.1.2 Maintaining directory systems (schemas)

Every entry in the directory has a set of attribute types that are required and a set that are allowed. For example, an entry describing a person must have cn (common name) and sn (surname). Other attributes are allowed but not required for an entry describing a person, and attributes that are neither required nor allowed may not be present in the entry. The collection of these sets of required and allowed attributes is called the directory schema. Directory schemas can be designed to let us control and maintain the information held in entries.
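The LDIF format and the required/allowed attribute rules above, as an added example (this is not code from the original chapter): a small LDIF parser that handles the features the text mentions (a leading dn: line, "type: value" lines, multi-valued attributes, base64 "type:: value" lines, comments and folded continuation lines), followed by a schema check. The sample LDIF and the minimal schema table are constructed for the demonstration; the schema is a subset of the real person/organizationalPerson/inetOrgPerson object classes, not a copy of any server's schema.

```python
"""Added example, not from the original chapter: parse LDIF and check entries
against a constructed minimal schema (required vs. allowed attributes)."""
import base64
from collections import OrderedDict

# Constructed sample LDIF: the entry from the text (with a folded line and a
# base64 value added) plus a second entry that deliberately violates the schema.
SAMPLE_LDIF = """\
# Entry from the text
dn: uid=bjensen, dc=airius, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
mail: bjensen@airius.com
telephoneNumber: +1 408 555 1212
description: A big sailing fan who writes very long descriptions that
  LDIF folds onto a continuation line.
userPassword:: c2VjcmV0

# Constructed entry that violates the schema: no sn, and 'age' is not allowed
dn: uid=qtom, dc=airius, dc=com
objectClass: top
objectClass: person
cn: Quinn Tom
age: 31
"""

def parse_ldif(text):
    """Return a list of (dn, attributes); attributes maps the lower-cased
    attribute type to the list of its values in file order."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation: drop one leading space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, record = [], []
    for line in lines + [""]:                      # sentinel flushes the last record
        if line.strip() == "":
            if record:
                entries.append(_build_entry(record))
                record = []
        elif not line.startswith("#"):             # comments are ignored
            record.append(line)
    return entries

def _build_entry(record):
    if not record[0].lower().startswith("dn:"):
        raise ValueError("an LDIF record must start with a dn: line")
    dn = _split_value(record[0])[1]
    attrs = OrderedDict()
    for line in record[1:]:
        atype, value = _split_value(line)
        attrs.setdefault(atype.lower(), []).append(value)
    return dn, attrs

def _split_value(line):
    """Split 'type: value' or 'type:: base64value' into (type, decoded value)."""
    atype, _, rest = line.partition(":")
    if rest.startswith(":"):                       # '::' marks a base64-encoded value
        return atype, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return atype, rest.strip()

# Constructed minimal schema: object class -> (required attributes, allowed attributes).
SCHEMA = {
    "top": ({"objectclass"}, set()),
    "person": ({"sn", "cn"}, {"userpassword", "telephonenumber", "description", "seealso"}),
    "organizationalperson": (set(), {"title", "ou", "l", "postaladdress"}),
    "inetorgperson": (set(), {"uid", "mail", "givenname", "displayname"}),
}

def check_schema(attrs, schema=SCHEMA):
    """Return the list of schema violations; an empty list means the entry conforms."""
    required, allowed = set(), set()
    for oc in attrs.get("objectclass", []):
        req, allw = schema.get(oc.lower(), (set(), set()))
        required |= req
        allowed |= req | allw
    present = set(attrs)
    problems = [f"missing required attribute {a}" for a in sorted(required - present)]
    problems += [f"attribute {a} not allowed" for a in sorted(present - allowed)]
    return problems

if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, "->", check_schema(attrs) or "OK")
```

Run as a script it reports the first entry as conforming and flags the second for the missing sn and the disallowed age attribute; a real server applies the same two rules (plus syntax checks) on every add and modify.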
We now have the basic unit of information, the entry; but how are entries organised into a directory information tree (DIT)? The rules for building the tree are the subject of the LDAP Naming Model.

5.2.2 The LDAP Naming Model

The LDAP Naming Model defines how we can organise and refer to our data. In other words, it describes how entries are arranged into a logical structure, and how any directory entry in that structure can be referred to. The Naming Model lets us place data in the directory in the way that is easiest to manage: for example, we can create a container (an entry that holds other entries) for all the entries describing people in an organisation and another for all the groups, or we can design the tree hierarchically following the organisation's structure. A good design needs careful study.

[Figure 5-7: An LDAP directory tree.]

To bring out the differences from an LDAP directory, we compare it with the UNIX file system and then analyse the LDAP tree model.

[Figure 5-8: The UNIX file system. / contains usr, bin and etc; usr contains local, etc and bin; usr/bin contains grep.]

There are three important differences:

1. The first difference is that the LDAP model has no real root entry. A root would be the place where the top-level entries are placed. An LDAP server does have a special entry called the root DSE that holds information about the server itself, but it is not a normal directory entry.

2. The second difference is that in an LDAP directory every node holds data and can also be a container for other entries. In a file system only directories can contain subdirectories and only files hold data; a directory entry can be both a file and a directory at once. Figure 5-9 illustrates this: the entries dc=airius,dc=com, ou=People and ou=Devices all hold data and all have child nodes beneath them.

[Figure 5-9: Part of an LDAP directory in which container entries also hold information.]

3. The last difference is the direction of the hierarchy. In a file system, reading a file name from left to right follows the path from the root (/) down to the file.
For example, in the UNIX file system of Figure 5-8 the name of the shaded node is /usr/bin/grep. In the LDAP directory the shaded node is named uid=bjensen, ou=people, dc=airius, dc=com: reading it from left to right takes us back up towards the top of the tree. So an LDAP directory does arrange its entries in order, but LDAP prescribes no particular hierarchy; you are free to organise your tree in whatever way is most meaningful to you.

Besides showing how to arrange data in a hierarchy, the LDAP Naming Model also specifies how to refer to each entry in the directory. We now look at this more closely.

5.2.2.1 Distinguished names and relative distinguished names

In LDAP the distinguished name (DN) is the name of an entry; it specifies how you refer to the entry in the directory, and two different entries always have different DNs. Like a file system path, the name of an LDAP entry is formed by joining the names of each ancestor entry up to the root. In the figure above the shaded node is named uid=bjensen, ou=people, dc=airius, dc=com, and reading from left to right takes us back up to the top of the tree.

[Figure 5-9 detail, as LDIF fragments: dn: dc=airius, dc=com / o: airius.com. dn: ou=People,dc=airius,dc=com / ou: People. dn: uid=bjensen, ou=people, dc=airius, dc=com / cn: Barbara Jensen / cn: Babs Jensen / sn: Jensen. dn: ou=Devices,dc=airius,dc=com / ou: Devices. dn: cn=LaserPrinter, ou=Devices, dc=airius, dc=com / cn: LaserPrinter / resolution: 600 / description: in room 931.]

The individual components of a DN are separated by commas; whitespace after a comma is optional, so the following two DNs are equivalent:

    uid=bjensen, ou=people, dc=airius, dc=com
    uid=bjensen,ou=people,dc=airius,dc=com

For any DN, the leftmost component is called the relative distinguished name (RDN). As noted, a DN is unique for each entry in the directory, so entries that share a parent must have distinct RDNs. The figure below shows a directory in which two entries have the same RDN, cn=John Smith, but sit on two different branches.

[Figure 5-10: Two entries with the same RDN cn=John Smith on two different branches.]
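The DN handling described above, as an added example that is not part of the original chapter: splitting a DN into its RDNs while tolerating the optional whitespace after commas and the backslash-escaped commas that RFC 4514 allows inside values, deriving the RDN and the parent DN from the split, and, since the base, onelevel and subtree search scopes of section 5.2.3.1 are decided from the same hierarchy, an in_scope check. Assumptions: attribute types and values are compared with caseIgnore matching (which holds for uid, ou and dc); multi-valued RDNs joined with '+' are not handled.

```python
"""Added example, not from the original chapter: DN splitting, normalisation,
RDN/parent extraction and search-scope checks over the DN hierarchy."""

def split_dn(dn):
    """Return [(type, value), ...] leftmost first; types lower-cased, values as
    written. A ',' preceded by '\\' belongs to the value and does not split."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    out = []
    for part in parts:
        atype, sep, value = part.strip().partition("=")
        if not sep or not atype.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        out.append((atype.strip().lower(), value.strip()))
    return out

def normalize_dn(dn):
    """Canonical spelling: no whitespace around commas, lower-cased types."""
    return ",".join(f"{t}={v}" for t, v in split_dn(dn))

def rdn(dn):
    """The leftmost component of the DN."""
    t, v = split_dn(dn)[0]
    return f"{t}={v}"

def parent_dn(dn):
    """DN of the superior entry; '' when the entry has no parent in this tree."""
    return ",".join(f"{t}={v}" for t, v in split_dn(dn)[1:])

def _match_form(dn):                      # caseIgnore comparison form (assumption)
    return [(t, v.lower()) for t, v in split_dn(dn)]

def in_scope(entry_dn, base_dn, scope):
    """Is entry_dn selected by a search with this base object and scope?"""
    entry, base = _match_form(entry_dn), _match_form(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under the base object at all
    depth = len(entry) - len(base)        # 0 is the base object itself
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")

if __name__ == "__main__":
    a = "uid=bjensen, ou=people, dc=airius, dc=com"
    print(normalize_dn(a), "| rdn:", rdn(a), "| parent:", parent_dn(a))
    print(split_dn(r"cn=Smith\, John,ou=Sales,dc=airius,dc=com")[0])
    for scope in ("base", "onelevel", "subtree"):
        print(scope, in_scope(a, "ou=People,dc=airius,dc=com", scope))
```

Note that the escaped comma in cn=Smith\, John stays part of the value; code that splits DNs with a plain string split on "," breaks on exactly such names.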
[Figure 5-10 detail: dc=airius,dc=com with one cn=John Smith under ou=Sales and another cn=John Smith under ou=Engineering.]

5.2.2.2 Aliases

Alias entries in an LDAP directory let one entry point to another, so the tree structure no longer has to be strictly exact. The alias concept is like symbolic links in UNIX or shortcuts in Windows 9x/NT. The figure below shows an alias entry pointing to a real entry. To create an alias entry, you create an entry whose aliasedObjectName attribute has as its value the DN of the entry the alias should point to.

[Figure 5-11: LDAP with an alias entry. An alias entry under dc=airius, dc=com on Server A points to an entry under dc=ames, dc=com on Server B.]

Not all LDAP directory servers support aliases. Because an alias can point to any entry, including entries on other LDAP servers, a search that meets an alias may have to continue on another directory tree hosted on another server. That raises the cost of the search, and it is the main reason some software does not support aliases.

5.2.3 The LDAP Functional Model

Above we covered the Information and Naming Models; now we look at the Functional Model, which describes the operations we can perform on the directory. To recap, the Functional Model contains a set of operations in three groups:

- Interrogation operations let you search the directory and retrieve data from it.
- Update operations add, delete, rename and modify directory entries.
- Authentication and control operations let the client identify itself to the directory and control the behaviour of the session.

In version 3 of the protocol there is, in addition to these three groups, the LDAP extended operation, which lets the protocol be extended in an organised way without changing the protocol itself. We now analyse the operations group by group, starting with interrogation.

5.2.3.1 Interrogation operations (LDAP Interrogation)

The two interrogation operations let the client find and retrieve information from the directory.
LDAP has no operation for reading a single directory entry; to read an entry we perform a search (with the base scope on that entry's DN) and stop as soon as the first result arrives.

The search operation takes eight parameters:

1. The base object: the DN of the entry at the top of the subtree we want to search.
2. The scope of the search. There are three scopes:
   - base: search only the base object itself;
   - onelevel: search the immediate children of the base object (one level down);
   - subtree: search the whole subtree rooted at the base object.

The following figures illustrate the three scopes.

[Figure 5-12: Search with scope base. search base = ou=people, dc=airius, dc=com; scope = base; only the entry ou=people itself is examined.]
[Figure 5-13: Search with scope onelevel. Same base; only the direct children of ou=people are examined.]

3. derefAliases tells the server whether aliases should be dereferenced (followed) while searching. It can take four values:
   - neverDerefAliases: never dereference aliases, neither when locating the base object nor in the entries below it;
   - derefInSearching: dereference aliases found in entries below the base object, but not when locating the base object itself;
   - derefFindingBaseObj: the reverse: dereference aliases when locating the base object, but not in the entries below it;
   - derefAlways: dereference aliases both when locating the base object and in the entries below it.
4. The size limit tells the server the maximum number of entries to return. If the client asks for 100 but the server finds 500 matching entries, the server sends only 100 (and reports the result code sizeLimitExceeded). Zero means no client-side limit, so the client receives all results. Note that the server can impose its own limit, which ordinary users cannot raise.
5. The time limit sets the maximum time for the search. If it is exceeded, the server returns the result code timeLimitExceeded (LDAP_TIMELIMIT_EXCEEDED in the C API). Zero means no time limit. As with the size limit, the server may enforce its own limit, which only privileged users can change.
6. attrsOnly (typesOnly) is a boolean. If true, the server sends only the attribute types of each entry, not their values. This is useful when the client only cares about which attributes an entry has.

[Figure 5-14: Search with scope subtree. search base = ou=people, dc=airius, dc=com; scope = subtree; ou=people and everything below it is examined.]

7. The search filter is an expression describing which entries should be returned. Filters make LDAP searching very flexible; the filter types are described in the next section.
8. The last parameter is the list of attributes to return for each entry. You can specify which attributes you want back; an empty list returns all user attributes.
Filter types used in LDAP searches

Filter type             Format                              Example                                    Matches
Equality                (attr=value)                        (sn=jensen)                                entries whose surname is jensen
Substring               (attr=[leading]*[any]*[trailing])   (sn=*jensen*)                              surname contains "jensen"
                                                            (sn=jensen*)                               surname begins with "jensen"
                                                            (sn=*jensen)                               surname ends with "jensen"
                                                            (sn=je*nse*n)                              surname begins with "je", contains "nse" and ends with "n"
Approximate             (attr~=value)                       (sn~=jensen)                               surname sounds like "jensen", e.g. jensin or jenson
Greater than or equal   (attr>=value)                       (sn>=jensen)                               surname >= jensen; needs an ordering rule for the attribute
Less than or equal      (attr<=value)                       (sn<=jensen)                               surname <= jensen
Presence                (attr=*)                            (sn=*)                                     all entries that have an sn attribute
AND                     (&(filter1)(filter2)...)            (&(sn=jensen)(objectclass=person))         entries with objectclass person and surname jensen
OR                      (|(filter1)(filter2)...)            (|(sn~=jensen)(telephonenumber=8944570))   entries whose surname sounds like jensen or whose telephone number is 8944570
NOT                     (!(filter))                         (!(age>=22))                               entries that have an age attribute and whose age is below 22
Extensible match filters are supported only in LDAP version 3. This filter type was designed so that searching can grow with future needs and reflects LDAP's emphasis on extensibility. An example that shows the usefulness of this feature is:

The syntax of the extensible filter is rather complex. It has five parts, three of them optional:

- The attribute name (optional).
- The optional string :dn, indicating that the attributes making up the entry's DN are to be treated as attributes of the entry for the purpose of the match.
- The optional : followed by the matching rule to use for the comparison. If omitted, a suitable default rule for the attribute is chosen; if the attribute name is omitted, the matching rule must be present.
- The string :=.
- A value to compare against.

Overall form:

    attr [:dn] [:matchingrule] := value

Special characters. When a search value contains one of the five special characters in the table below, it must be escaped:
Characters that must be escaped in search filters

Character               Decimal   Hex    Escape sequence
* (asterisk)            42        0x2A   \2A
( (open parenthesis)    40        0x28   \28
) (close parenthesis)   41        0x29   \29
\ (backslash)           92        0x5C   \5C
NUL                     0         0x00   \00

To search for an attribute value cn=star*, the filter is (cn=star\2A), where \2A stands for the character *. Failing to escape user-supplied values is the root of LDAP injection: a value such as *)(uid=* supplied by an attacker changes the structure and meaning of the filter instead of being matched literally.

5.2.3.2 Update operations

There are four update operations: add, delete, rename (modify DN) and modify.

Add. The add operation creates a new entry with the given DN and list of attributes. Adding an entry to the directory must satisfy these conditions:

- The parent entry of the new entry must exist.
- No entry with the same DN may already exist in the directory.
- The directory's access controls must permit the operation.

Delete. The delete operation takes only the name of the entry to delete, and succeeds if:
- An entry with the given DN exists.
- The entry has no child entries.
- The directory's access controls permit the deletion.

Rename. The rename, or modify DN, operation renames or moves entries in the directory. Its parameters are the DN of the entry to rename, the new RDN of the entry, an optional new superior (the DN of the entry that becomes the new parent when the entry is moved), and finally a flag indicating whether or not the old RDN value is deleted from the entry. As above, the operation succeeds if:

- The entry being renamed exists.
- The new name of the entry does not already exist.
- The directory's access controls permit the operation.

About the new-superior parameter: when the entry only changes its RDN, this parameter is omitted.

Some figures illustrate these operations:

[Figure 5-15: Moving the entry uid=bjensen. Before: dn: uid=bjensen, ou=Engineering, dc=airius, dc=com. After: dn: uid=bjensen, ou=Administration, dc=airius, dc=com.]
[Figure 5-16: Moving the entry uid=bjensen to another branch without changing its RDN.]
[Figure 5-17: Moving the entry and changing its RDN. Before: dn: uid=bjensen, ou=Engineering, dc=airius, dc=com. After: dn: uid=qtom, ou=Administration, dc=airius, dc=com.]
[Figure 5-18: Renaming an entry. Before: dn: uid=bjensen, ou=Engineering, dc=airius, dc=com with attribute uid: bjensen. After: dn: uid=btom, ou=Engineering, dc=airius, dc=com with attribute uid: btom (the old RDN value was deleted).]
[Figure 5-19: Renaming an entry without deleting the old RDN value. After the rename the entry dn: uid=btom, ou=Engineering, dc=airius, dc=com keeps both uid: bjensen and uid: btom.]

Note: LDAP version 2 does not support modify DN, only modify RDN, which changes just the RDN of an entry. LDAP version 2 can therefore rename an entry but cannot move it elsewhere in the tree.

Modify. The last operation is modify, whose parameters are a DN and the set of changes to apply to that entry. The operation requires that:

- The entry with the given DN exists.
- All the attribute changes can be carried out successfully.
- The access controls permit the modifications.

If any of these conditions fails, none of the changes is applied to the entry: the modify operation is atomic.

5.2.3.3 Authentication and control operations (LDAP authentication and control operations)

The authentication operations are bind and unbind; the only control operation is abandon.

Bind. The bind operation is how the client authenticates to the server: the client presents a DN and credentials, the server checks them, and if they are valid the client is granted its rights to operate on the directory. There are several bind methods. In the simplest, the client presents a DN and a password, both in the clear; the server merely looks up the entry with that DN and checks whether the value of its userPassword attribute matches the password supplied. Safer methods protect the connection with SSL or TLS, so that the password is not exposed on the network. LDAP version 3 also adds the SASL bind, a method that is independent of any particular authentication model: with SASL the client chooses an authentication mechanism, and if the server supports that mechanism it is used to authenticate the client.

Unbind. When the client sends an unbind, the server discards the information associated with that client, abandons any operations still in progress and closes the TCP connection.

Abandon. The abandon operation takes a single parameter, the message ID of an earlier request; the client sends it when it is no longer interested in the result of that operation.

5.2.4 The LDAP Security Model

The last of the LDAP models concerns protecting the information in the directory from unauthorised access. When a client binds under a DN, or binds anonymously, each such user is given certain rights over the directory entries; which rights each entry grants is what we call access control. At present LDAP does not define an access control model; access controls are set by system administrators through the server software's own mechanisms.

5.3 Using LDAP

5.3.1 Applications that authenticate with LDAP

5.3.2 Some services that use the LDAP protocol

By combining these simple LDAP operations, a directory client can carry out complex tasks, as the following examples show.
A mail program can use a digital certificate stored in the directory on an LDAP server, for example to encrypt a message to a recipient or to verify a signed one (signing itself needs the sender's private key, which is never published in a directory): it sends a search request to the LDAP server, the server returns the certificate from the user's entry, and the mail program applies it before handing the message to the message server. From the user's point of view all of this happens automatically.

[Figure 5-20: A simple model of retrieving a certificate. The client searches for user A on the LDAP server; the client receives user A's entry in return.]

Netscape Messaging Server can use an LDAP directory to check incoming mail. When a message arrives for an address, the messaging server looks the e-mail address up in the directory on the LDAP server; it then knows whether the user's mailbox exists and accepts the message.

[Figure 5-21: Using LDAP to manage mail. 1. A message arrives for Barbara.Jensen@airius.com. 2. The messaging server looks the address up in the directory. 3. The messaging server identifies the user's mailbox and accepts the message.]
Using LDAP to authenticate a user logging in to a system through an application (the directory user agent, DUA) works as follows: first the application authenticates itself to the LDAP server with its own credentials (step 1, a bind with DN-AP and PW-AP); then it compares the password supplied by user A with the value stored in the directory (step 2, a compare on the user's DN). If the compare succeeds, user A is authenticated.

[Figure 5-22: Authentication using LDAP. User A → Application (DUA): Login {DN, PW}. Application → LDAP server: 1. Bind {DN-AP, PW-AP}; 2. Compare {DN, PW}.]

Two practical caveats apply to this pattern. The compare succeeds only if the directory's access controls grant the application the right to compare against the user's userPassword attribute. An application that instead authenticates the user by binding as the user must reject an empty password before sending the bind, because a bind that carries a DN and no password is treated as an anonymous (unauthenticated) bind and returns success.
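The exchange in Figure 5-22 as it appears on the wire, as an added example (not code from the original chapter): the four LDAP messages of the bind-then-compare flow encoded with the BER rules LDAPv3 uses (RFC 4511 and X.690, definite lengths), plus a decoder for the message header that recovers the message ID and protocol-operation tag the text describes. Running it shows that in a simple bind the application's password, and in the compare the user's password, travel in the clear, which is why the section on bind insists on TLS. The message IDs, DNs and passwords are constructed for the demonstration.

```python
"""Added example, not from the original chapter: BER-encode the bind and compare
messages of Figure 5-22 and decode their headers (RFC 4511 / X.690)."""

def ber_tlv(tag, content):
    """Tag-length-value with definite-length encoding (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def ber_int(value, tag=0x02):
    """Minimal two's-complement INTEGER (enough for message IDs and result codes)."""
    size = max(1, (value.bit_length() + 8) // 8)   # +8 keeps room for the sign bit
    return ber_tlv(tag, value.to_bytes(size, "big", signed=True))

def ber_octets(text, tag=0x04):
    return ber_tlv(tag, text.encode("utf-8"))

def ldap_message(message_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return ber_tlv(0x30, ber_int(message_id) + protocol_op)

def bind_request(message_id, dn, password):
    """BindRequest [APPLICATION 0]: version 3, name, simple authentication [0]."""
    op = ber_int(3) + ber_octets(dn) + ber_octets(password, tag=0x80)
    return ldap_message(message_id, ber_tlv(0x60, op))

def compare_request(message_id, dn, attribute, value):
    """CompareRequest [APPLICATION 14]: entry DN plus an AttributeValueAssertion."""
    ava = ber_tlv(0x30, ber_octets(attribute) + ber_octets(value))
    return ldap_message(message_id, ber_tlv(0x6E, ber_octets(dn) + ava))

def ldap_result(message_id, app_tag, result_code, matched_dn="", diagnostic=""):
    """LDAPResult body, used for BindResponse (APPLICATION 1, tag 0x61) and
    CompareResponse (APPLICATION 15, tag 0x6F); resultCode is an ENUMERATED."""
    body = ber_int(result_code, tag=0x0A) + ber_octets(matched_dn) + ber_octets(diagnostic)
    return ldap_message(message_id, ber_tlv(app_tag, body))

def decode_header(message):
    """Return (message_id, protocol_op_tag, protocol_op_content) of an LDAPMessage."""
    def read_tlv(buf, pos):
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:
            length, pos = first, pos + 2
        else:
            size = first & 0x7F
            length, pos = int.from_bytes(buf[pos + 2:pos + 2 + size], "big"), pos + 2 + size
        return tag, buf[pos:pos + length], pos + length
    tag, seq, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, id_bytes, pos = read_tlv(seq, 0)
    op_tag, op_content, _ = read_tlv(seq, pos)
    return int.from_bytes(id_bytes, "big", signed=True), op_tag, op_content

# Constructed exchange mirroring Figure 5-22, both directions:
EXCHANGE = [
    bind_request(1, "cn=authproxy,ou=apps,dc=airius,dc=com", "app-secret"),  # 1. Bind {DN-AP, PW-AP}
    ldap_result(1, 0x61, 0),                                                 #    BindResponse: success
    compare_request(2, "uid=bjensen,ou=people,dc=airius,dc=com",
                    "userPassword", "babs-password"),                        # 2. Compare {DN, PW}
    ldap_result(2, 0x6F, 6),                                                 #    CompareResponse: compareTrue
]

if __name__ == "__main__":
    for msg in EXCHANGE:
        mid, op, _ = decode_header(msg)
        exposed = b"app-secret" in msg or b"babs-password" in msg
        print(f"msgid={mid} op=0x{op:02X} bytes={len(msg)} password in clear: {exposed}")
```

Each request and its response carry the same message ID, which is how a client that has several operations in flight matches answers to requests; and both secrets are visible as plain octet strings in the byte stream, so anyone on the path sees them unless the connection was first protected with StartTLS or LDAPS.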