1. Distinguished names (DNs)
Example:
cn=Ben Gray,ou=editing,o=New York Times,c=US
cn=Lucille White,ou=editing,o=New York Times,c=US
cn=Tom Brown,ou=reporting,o=New York Times,c=US
Relative Distinguished Name (RDN): for example, cn=Tom Brown is an RDN.
If a value contains special characters (, = + < > # ; \ ") they must be escaped with the escape character \.
2. Pseudo DNs
Used in access control definitions and evaluation.
IBM DS supports three pseudo DNs:
access-id: CN=THIS
Refers to the bind DN (applies when the bind DN is the entry being accessed).
group: CN=ANYBODY
This group includes all users, including unauthenticated ones; users cannot be removed from it and the group cannot be deleted from the database.
group: CN=AUTHENTICATED
Example 1
Consider the following ACL for object: cn=personA, c=US
AclEntry: access-id: CN=THIS:critical:rwsc
AclEntry: group: CN=ANYBODY: normal:rsc
AclEntry: group: CN=AUTHENTICATED: sensitive:rcs

| User binding as | Would receive |
|---|---|
| cn=personA, c=US | normal:rsc:sensitive:rcs:critical:rwsc |
| cn=personB, c=US | normal:rsc:sensitive:rsc |
| Anonymous | normal:rsc |
In this example, personA receives permissions granted to the "CN=THIS" ID, and permissions given to both the "CN=ANYBODY" and "CN=AUTHENTICATED" pseudo DN groups.
Example 2
Consider the following ACL for object: cn=personA, c=US
AclEntry: access-id: cn=personA, c=US: object:ad
AclEntry: access-id: CN=THIS:critical:rwsc
AclEntry: group: CN=ANYBODY: normal:rsc
AclEntry: group: CN=AUTHENTICATED: sensitive:rcs

For an operation performed on cn=personA, c=US:

| User binding as | Would receive |
|---|---|
| cn=personA, c=US | object:ad:critical:rwsc |
| cn=personB, c=US | normal:rsc:sensitive:rsc |
| Anonymous | normal:rsc |
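An evaluator for the two worked examples above, added here as an illustration (it is not IBM DS's own code): it parses ACL entries in the page's notation and reproduces both tables. The precedence rule it applies (an explicit access-id entry for the bind DN is combined with CN=THIS and the group pseudo DNs are then ignored; otherwise CN=THIS plus the matching groups) is inferred from the two examples; the permission-letter ordering and the DN normalisation are assumptions.

```python
from typing import NamedTuple

# Fixed permission-letter order so that "rcs" and "rsc" compare equal, as in
# the page's tables (r/w/s/c on attribute classes, a/d on the object class).
PERM_ORDER = "rwscad"

class AclEntry(NamedTuple):
    subject_type: str  # "access-id" or "group"
    subject: str       # normalised DN or pseudo DN: cn=this, cn=anybody, ...
    attr_class: str    # normal / sensitive / critical / object
    perms: str

def norm_dn(dn: str) -> str:
    """Case-fold and drop spaces after commas: 'cn=personA, c=US' -> 'cn=persona,c=us'."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_acl_entry(text: str) -> AclEntry:
    """Parse the page's 'AclEntry: <type>: <subject>: <class>:<perms>' notation
    (assumes the subject DN contains no ':')."""
    fields = [p.strip().lower() for p in text.split("AclEntry:", 1)[-1].split(":")]
    kind, subject, attr_class, perms = fields
    return AclEntry(kind, norm_dn(subject), attr_class, perms)

def merge_perms(a: str, b: str) -> str:
    return "".join(ch for ch in PERM_ORDER if ch in a or ch in b)

def evaluate(acl, target_dn: str, bind_dn=None) -> dict:
    """Permissions the binder (None = anonymous) receives on target_dn. Rule as in
    Examples 1 and 2: an explicit access-id for the bind DN applies with CN=THIS and
    groups are ignored; else CN=THIS (binder is the entry) plus matching groups."""
    bound = norm_dn(bind_dn) if bind_dn else None
    matched = [e for e in acl if e.subject_type == "access-id" and bound is not None
               and (e.subject == bound or
                    (e.subject == "cn=this" and bound == norm_dn(target_dn)))]
    if not any(e.subject != "cn=this" for e in matched):
        matched += [e for e in acl if e.subject_type == "group" and
                    (e.subject == "cn=anybody" or
                     (e.subject == "cn=authenticated" and bound is not None))]
    result: dict = {}
    for e in matched:
        result[e.attr_class] = merge_perms(result.get(e.attr_class, ""), e.perms)
    return result

# The ACL from Example 2 on the page, written in the page's own notation.
EXAMPLE2_ACL = [parse_acl_entry(s) for s in (
    "AclEntry: access-id:cn=personA, c=US: object:ad",
    "AclEntry: access-id: CN=THIS:critical:rwsc",
    "AclEntry: group: CN=ANYBODY: normal:rsc",
    "AclEntry: group: CN=AUTHENTICATED: sensitive:rcs",
)]
```

evaluate(EXAMPLE2_ACL, "cn=personA, c=US", "cn=personA, c=US") yields only the object and critical permissions, matching the first row of the Example 2 table.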
3. Directory hierarchy
Each entry has an objectclass value that defines which attributes are allowed in the entry, i.e. a set of attributes
such as telephone number and surname; these object classes are predefined in the schema.
Every entry must have an objectclass; some attributes are optional and some are defined as mandatory. An attribute can have a single value
or multiple values.
Example:
dn: cn=John Smith,o=My Company,c=US
objectclass: inetorgperson
sn: Smith
cn: John Smith
cn: Jack Smith
cn: Johnny Smith
This makes the person easy to find: searching for John or Jack returns the same entry.
Binary attributes, e.g. a JPEG image.
Boolean attributes: true/false.
A schema is the set of rules that defines entry types.
All object classes inherit from the abstract object class top.
4. Directory server and client (client/server model)
5. Directory security
User authentication and authorization; authorization is based on ACLs. To simplify ACL entries, users with the same access rights are grouped together.
6. Suffix (naming context)
A DS server can have multiple suffixes. Predefined suffixes:
7. OID (object identifier)
A string of decimal numbers used to identify a unique object, such as an object class or attribute.
If you do not have an OID, you can use the attribute or objectclass name followed by -OID to stand for the OID.
For example, when creating an attribute tempid, its OID can be tempid-OID.
Private OIDs and authority-assigned OIDs: there are two ways to obtain a legitimate OID:
- Register the objects with an authority. This strategy can be convenient, for example, if you need a small number of OIDs.
- Obtain an arc (an arc is an individual subtree of the OID tree) from an authority and assign your own OIDs as needed. This strategy may be preferred if many OIDs are needed, or OID assignments are not stable.
The American National Standards Institute (ANSI) is the registration authority for organization names in the United States under the global registration process established by International Standards Organization (ISO) and International Telecommunication Union (ITU). More information about organization name registration can be found at www.ansi.org. The ANSI OID arc for organizations is 2.16.840.1. ANSI will assign a number (NEWNUM), creating a new OID arc: 2.16.840.1.NEWNUM.
In most countries or regions, the national standards association maintains an OID registry. As with the ANSI arc, these are generally arcs assigned under the OID 2.16. It may take some investigation to find the OID authority for a particular country or region. The national standards organization for your country or region may be an ISO member. The names and contact information of ISO members can be found at www.iso.ch.
The Internet Assigned Numbers Authority (IANA) assigns private enterprise numbers, which are OIDs, in the arc 1.3.6.1.4.1. IANA will assign a number (NEWNUM) so that the new OID arc will be 1.3.6.1.4.1.NEWNUM. These numbers can be obtained from www.iana.org.
8. Authentication
Root bind DN (string): name of the administrative account on the LDAP server (e.g. cn=Manager,dc=test,dc=org)
Authentication of the connection to the server is based on the DN.
From an LDAP perspective, there are two frameworks for authenticating to LDAP:
- Simple bind, in which an application provides a DN and the clear text password for that DN
- Simple Authentication and Security Layer (SASL), which provides several additional authentication methods, including CRAM-MD5, EXTERNAL, GSSAPI, and OS400-PRFTKN.
Simple bind (and CRAM-MD5)
To use a simple bind, the client must supply the DN of an existing LDAP entry and a password which matches the userPassword attribute for that entry. For example, you could create an entry for John Smith as follows:
sample.ldif:
dn: cn=John Smith,cn=users,o=acme,c=us
objectclass: inetorgperson
cn: John Smith
sn: smith
userPassword: mypassword

ldapadd -D cn=administrator -w secret -f sample.ldif
You can now use the DN "cn=John Smith,cn=users,o=acme,c=us" in access control, or make it a member of a group used in access control.
Several predefined objectclasses allow userPassword to be specified, including (but not limited to): person, organizationalperson, inetorgperson, organization, organizationalunit, and others.