The LDAP chapters describe how to set up a Solaris naming client to work with the iPlanet Directory Server 5.1. A brief discussion of generic directory server requirements is in Chapter 18, General Reference (Reference).
Though a directory server is not necessarily an LDAP server, in the context of these chapters the term “directory server” is considered synonymous with “LDAP server”.
The LDAP Naming Service chapters are written for system administrators who already have a working knowledge of LDAP. The following is a partial list of concepts with which you must be very familiar prior to deploying a Solaris-based LDAP naming service using this guide.
LDAP Information Model (entries, object classes, attributes, type, values)
LDAP Naming Model (Directory Information Tree (DIT) structure)
LDAP Functional Model (search parameters: base object (DN), scope, size limit, time limit, filters (Browsing Indexes for the iPlanet Directory Server), attribute list)
LDAP Security Model (authentication methods, access control models)
Overall planning and design of an LDAP directory service, including how to plan the data, design the DIT, design the topology, design the replication, and how to design the security.
If you need to learn more about any of the aforementioned concepts or would like to study LDAP and the deployment of directory services in general, the following are useful titles.
Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D and Mark C. Smith
In addition to providing a thorough treatment of LDAP directory services, this book includes useful case studies on deploying LDAP at a large university, a large multinational enterprise, and an enterprise with an extranet.
iPlanet Directory Server 5.1 Deployment Guide, which is included in the documentation CD.
This guide provides a foundation for planning your directory, including schema design, the directory tree, topology, replication, and security. The last chapter provides sample deployment scenarios to help you plan simple deployments as well as complex deployments designed to support millions of users distributed worldwide.
iPlanet Directory Server 5.1 Administrator's Guide, which is included in the documentation CD.
If you are transitioning from using NIS+ to using LDAP, refer to the Appendix entitled “Transitioning from NIS+ to LDAP” in System Administration Guide: Naming and Directory Services (FNS and NIS+) and complete the transition before proceeding with these chapters.
If you need to install the iPlanet Directory Server 5.1, refer to the iPlanet Directory Server 5.1 Installation Guide.
Below is a quick comparison between FNS, DNS, NIS, NIS+ and LDAP naming services.
| | DNS | NIS | NIS+ | FNS | LDAP |
|---|---|---|---|---|---|
| NAMESPACE | Hierarchical | Flat | Hierarchical | Hierarchical | Hierarchical |
| DATA STORAGE | Files/resource records | 2 column maps | Multi columned tables | Maps | Directories [varied] Indexed database |
| SERVERS | Master/slave | Master/slave | Root master/non-root master; primary/secondary; cache/stub | N/A | Master/replica; Multi master replica |
| SECURITY | none | None (root or nothing) | DES Authentication | None (root or nothing) | SSL, varied |
| TRANSPORT | TCP/IP | RPC | RPC | RPC | TCP/IP |
| SCALE | Global | LAN | LAN | Global (with DNS)/LAN | Global |
One significant difference between an LDAP client and a NIS or NIS+ client is that an LDAP client always returns a Fully Qualified Domain Name (FQDN) for a host name, similar to those returned by DNS. For example, if your domain name is west.example.net, both gethostbyname() and getipnodebyname() return the FQDN version, server.west.example.net, when looking up the host name server.
Also, if you use interface-specific aliases such as server-#, a long list of fully qualified host names is returned. If you use host names to share file systems or perform other such checks, you need to account for this. This is especially true if you assume non-FQDN names for local hosts and FQDNs only for remote, DNS-resolved hosts. If you set up LDAP with a different domain name from DNS, you might be surprised when the same host has two different FQDNs, depending on the lookup source.
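The following is an added example, not part of the Solaris guide, that models the behaviour just described: a host-name based check written for short NIS names fails once the lookup source is LDAP and returns FQDNs (including interface-specific aliases), and a canonicalizing comparison fixes it. The resolver results and the domain west.example.net are constructed; the LDAP-domain-differs-from-DNS case is flagged separately because no normalization can reconcile it.

```python
DNS_DOMAIN = "west.example.net"   # assumed site DNS domain (constructed)

# Constructed resolver results for the same host, by naming source.
# NIS returns the short name; LDAP returns FQDNs, one per interface alias.
LOOKUPS = {
    "nis": ["server"],
    "ldap": ["server.west.example.net", "server-1.west.example.net",
             "server-2.west.example.net"],
    # LDAP client configured with a domain that differs from DNS.
    "ldap_other_domain": ["server.corp.example.net"],
}


def canonical(name: str, default_domain: str = DNS_DOMAIN) -> str:
    """Lower-case, drop a trailing dot, and qualify short names with the
    site domain so that 'server' and 'server.west.example.net' compare equal."""
    name = name.strip().lower().rstrip(".")
    return name if "." in name else f"{name}.{default_domain}"


def naive_allowed(returned: list[str], share_list: list[str]) -> bool:
    """Exact string match, as a share access list of short names would do.
    Breaks as soon as the resolver hands back FQDNs."""
    return any(n in share_list for n in returned)


def robust_allowed(returned: list[str], share_list: list[str]) -> bool:
    """Compare canonical FQDNs; gives the same answer whichever naming
    source (NIS, NIS+, LDAP, DNS) answered the lookup."""
    allowed = {canonical(h) for h in share_list}
    return any(canonical(n) in allowed for n in returned)


def domain_mismatch(returned: list[str],
                    default_domain: str = DNS_DOMAIN) -> list[str]:
    """Return names whose domain is not the site DNS domain. This is the
    'same host, two FQDNs' case from the text: the LDAP client's domain
    must be aligned with DNS, since canonicalization cannot repair it."""
    return [n for n in returned
            if not canonical(n).endswith("." + default_domain)]


if __name__ == "__main__":
    share = ["server"]
    for source, names in LOOKUPS.items():
        print(source, naive_allowed(names, share),
              robust_allowed(names, share), domain_mismatch(names))
```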
LDAP gives you the ability to consolidate information by replacing application-specific databases, which reduces the number of distinct databases to be managed
LDAP allows for more frequent data synchronization between masters and replicas
LDAP is multi-platform and multi-vendor compatible
The following are some restrictions associated with the LDAP Naming Service.
There is no support for pre-Solaris 8 clients
An LDAP server cannot be its own client
Setting up and managing an LDAP naming service is more complex and requires careful planning
A directory server (an LDAP server) cannot be its own client. In other words, you cannot configure the machine that is running the directory server software to become an LDAP naming service client.
Simplified configuration of LDAP directory server setup using idsconfig
A more robust security model, which supports strong authentication and TLS-encrypted sessions. A client's proxy credentials are NO LONGER stored in the client's profile on the directory server
The ldapaddent command allows you to populate and dump data onto the server
Service Search Descriptors and Attribute Mapping
New profile schema
NIS+ might not be supported in a future release. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment.
For more information, visit http://www.sun.com/directory/nisplus/transition.html.
For information on transitioning from NIS+ to LDAP, see Chapter 19, Transitioning From NIS+ to LDAP.
| Task | For Instructions |
|---|---|
| Plan the Network Model | |
| Plan the DIT | |
| Set up replica servers | |
| Plan the security model | |
| Choose client profiles and default attribute values | |
| Plan the data population | |
| Configure the iPlanet Directory Server 5.1 prior to using it with LDAP naming services | |
| Set up the iPlanet Directory Server 5.1 for use with LDAP naming clients | Chapter 15, iPlanet Directory Server 5.1 Setup (Tasks) |
| Manage printer entries | |
| Initialize an LDAP client | Initializing a Client |
| Initialize a client using profiles | |
| Initialize a client manually | |
| Un-initialize a client | |
| Use Service Search Descriptors to modify client profiles | Using Service Search Descriptors to Modify Client Access to Various Services |
| Retrieve naming service information | |
| Customize a client environment | |