Oracle Solaris supports LDAP in conjunction with the Oracle Directory Server Enterprise Edition (ODSEE). However, any generic directory server can function as an LDAP server. In this book, the terms directory server and LDAP server are synonymous and used interchangeably.
For more information about directory servers, refer to the following sources:
Oracle Directory Server Enterprise Edition Deployment Guide
Oracle Directory Server Enterprise Edition Administration Guide
Installation guide for the version of ODSEE that you are using
In common usage, LDAP has come to mean the naming service built on the protocol rather than the protocol itself. Throughout this book, the term LDAP refers to the service rather than the protocol.
The LDAP naming service is one of various naming services that is supported in Oracle Solaris. For information about other naming services, see Working With Oracle Solaris 11.3 Directory and Naming Services: DNS and NIS. For a comparison of the different naming services in Oracle Solaris, see Comparing the Naming Services in Working With Oracle Solaris 11.3 Directory and Naming Services: DNS and NIS.
LDAP performs the following services:
Naming service – LDAP provides naming data in response to client requests. For example, when resolving host names, LDAP functions like DNS by providing fully qualified domain names. Suppose that the name of a domain is west.example.net. If an application resolves the host server by using gethostbyname() or getnameinfo(), the LDAP naming service returns the fully qualified name server.west.example.net.
Authentication service – LDAP manages and provides information that relates to client identity, authentication, and accounts. Because this data is sensitive, the directory server enforces access controls so that it is disclosed only to authorized requesters.
The LDAP naming service provides the following advantages:
Application-specific databases are replaced, so information is consolidated and fewer distinct databases must be managed.
Different naming services can share data.
Data is kept in a central repository.
Data is synchronized frequently between masters and replicas.
The service works across platforms and vendors.
The following restrictions apply to the LDAP naming service:
An LDAP server cannot be its own client.
A client cannot be a client of NIS and LDAP at the same time.
Setting up and managing an LDAP naming service is complex and requires careful planning. For information about planning for LDAP services, see Planning Requirements for LDAP Naming Services.
The LDAP naming service stores information in a directory information tree (DIT). Entries are exchanged with the directory server, for example when you import or export data, in LDAP Data Interchange Format (LDIF), a plain-text representation of entries and their attributes. The DIT consists of hierarchically structured containers of information that follow a defined LDAP schema.
The default schema that is followed by most DITs suffices for most networks that use LDAP. However, the DIT is flexible. You can specify search descriptors in the client profile to override the default structure of a DIT. For more information about search descriptors, see Service Search Descriptors and Schema Mapping.
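The following is an added example for this page, not code from Oracle or ODSEE, that models how the naming service walks a DIT to answer the hosts lookup described earlier and how a search descriptor redirects that lookup to a different container. Everything beyond what the page states is assumed: the RFC 2307 layout that Solaris uses by default (ipHost entries under ou=Hosts beneath the base DN), the mapping from dc= components to the DNS domain name, a simplified search descriptor of the form service:base?scope (the real form also carries a filter component), and the constructed LDIF sample for west.example.net.

```python
"""Toy walk of a Solaris-style DIT for a hosts lookup.

Added example for this page, not Oracle's or ODSEE's code.  Assumed, not
taken from the page: the RFC 2307 layout that Solaris uses by default
(ipHost entries under ou=Hosts beneath the base DN), and a simplified
service search descriptor of the form "service:base?scope".
"""
import re
from collections import defaultdict

BASE_DN = "dc=west,dc=example,dc=net"

# Constructed sample directory content for west.example.net (not real data).
SAMPLE_LDIF = """\
dn: dc=west,dc=example,dc=net
objectClass: top
objectClass: domain
dc: west

dn: ou=Hosts,dc=west,dc=example,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Hosts

dn: cn=server+ipHostNumber=192.0.2.10,ou=Hosts,dc=west,dc=example,dc=net
objectClass: top
objectClass: device
objectClass: ipHost
cn: server
cn: server.west.example.net
ipHostNumber: 192.0.2.10

dn: ou=machines,dc=west,dc=example,dc=net
objectClass: top
objectClass: organizationalUnit
ou: machines

dn: cn=printer+ipHostNumber=192.0.2.20,ou=machines,dc=west,dc=example,dc=net
objectClass: top
objectClass: device
objectClass: ipHost
cn: printer
ipHostNumber: 192.0.2.20
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lowercase: [values]}}.

    Handles folded lines (leading space) and comments; base64 values
    ("attr:: ...") are not needed for this sample and are not decoded.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # continuation of previous line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn:
            entries[dn] = dict(attrs)
    return entries


def domain_from_base(base_dn):
    """dc=west,dc=example,dc=net -> west.example.net (assumed default mapping)."""
    return ".".join(p.split("=", 1)[1] for p in base_dn.split(",")
                    if p.strip().lower().startswith("dc="))


def parse_ssd(ssd):
    """'hosts:ou=machines,dc=west,dc=example,dc=net?one' -> (service, base, scope)."""
    service, _, rest = ssd.partition(":")
    base, _, scope = rest.partition("?")
    return service.strip().lower(), base.strip(), (scope.strip().lower() or "one")


def search(entries, base, scope):
    """Yield (dn, attrs) under base: direct children for 'one', whole subtree for 'sub'."""
    base_l = base.lower()
    for dn, attrs in entries.items():
        dn_l = dn.lower()
        if not dn_l.endswith("," + base_l):
            continue
        rdn_part = dn_l[: -len(base_l) - 1]
        if scope == "one" and "," in rdn_part:   # deeper than one level
            continue
        yield dn, attrs


def lookup_host(entries, name, base_dn, ssds=()):
    """Resolve a host name like the naming service: (fqdn, [addresses]) or None."""
    container, scope = "ou=Hosts," + base_dn, "one"   # assumed default hosts container
    for ssd in ssds:                                   # an SSD for 'hosts' overrides it
        service, base, sc = parse_ssd(ssd)
        if service == "hosts":
            container, scope = base, sc
    domain = domain_from_base(base_dn)
    want = name.lower()
    for _dn, attrs in search(entries, container, scope):
        classes = {oc.lower() for oc in attrs.get("objectclass", [])}
        if "iphost" not in classes:
            continue
        cns = attrs.get("cn", [])
        names = {c.lower() for c in cns} | {c.lower() + "." + domain for c in cns if "." not in c}
        if want in names:
            fqdn = next((c for c in cns if c.lower().endswith("." + domain)),
                        cns[0] + "." + domain)
            return fqdn, attrs.get("iphostnumber", [])
    return None


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    print(lookup_host(ENTRIES, "server", BASE_DN))
    print(lookup_host(ENTRIES, "printer", BASE_DN))
    print(lookup_host(ENTRIES, "printer", BASE_DN,
                      ["hosts:ou=machines,dc=west,dc=example,dc=net?one"]))
```

With no descriptor, only entries directly under ou=Hosts are consulted, so the printer entry placed under ou=machines is not found; supplying a hosts descriptor that names ou=machines (or a subtree search from the base DN) makes it resolvable. That is the practical effect of overriding the default DIT structure in the client profile, and it is also why a misconfigured descriptor silently makes hosts disappear rather than producing an error.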
The following table shows the containers of a DIT and the type of information each container stores.