The LDAP chapters describe how to set up a Solaris LDAP naming services client to work with Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server 5.1). A brief description of generic directory server requirements appears in Chapter 18, LDAP General Reference (Reference).
A directory server is not necessarily an LDAP server. However, in the context of these chapters, the term “directory server” is synonymous with “LDAP server.”
The LDAP naming services chapters are written for system administrators who already have a working knowledge of LDAP. Following is a partial list of concepts with which you must be very familiar. Otherwise, you might have difficulty using this guide to deploy LDAP naming services in the Solaris environment.
- LDAP Information Model (entries, object classes, attributes, types, values)
- LDAP Naming Model (Directory Information Tree (DIT) structure)
- LDAP Functional Model (search parameters: base object (DN), scope, size limit, time limit, filters (browsing indexes for the Sun ONE Directory Server), attribute list)
- LDAP Security Model (authentication methods, access control models)
- Overall planning and design of an LDAP directory service, including how to plan the data and how to design the DIT, topology, replication, and security
To learn more about any of the aforementioned concepts or to study LDAP and the deployment of directory services in general, refer to the following sources:
- Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D. and Mark C. Smith

  In addition to providing a thorough treatment of LDAP directory services, this book includes useful case studies on deploying LDAP. Examples of deployments include a large university, a large multinational enterprise, and an enterprise with an extranet.

- Sun ONE Directory Server 5.1 Deployment Guide, which is included on the documentation CD

  This guide provides a foundation for planning your directory, including directory design, schema design, the directory tree, topology, replication, and security. The last chapter provides sample deployment scenarios to help you plan both simple, smaller-scale deployments and complex worldwide deployments.

- Sun ONE Directory Server 5.1 Administrator's Guide, which is included on the documentation CD
If you are transitioning from using NIS+ to using LDAP, refer to Chapter 19, Transitioning From NIS+ to LDAP. Complete the transition before proceeding with these chapters.
If you need to install Sun ONE Directory Server 5.1, refer to the Sun ONE Directory Server 5.1 Installation Guide.
The following table shows a comparison between the FNS, DNS, NIS, NIS+, and LDAP naming services.
| | DNS | NIS | NIS+ | FNS | LDAP |
|---|---|---|---|---|---|
| Namespace | Hierarchical | Flat | Hierarchical | Hierarchical | Hierarchical |
| Data Storage | Files/resource records | 2-column maps | Multi-columned tables | Maps | Directories (varied); indexed database |
| Servers | Master/slave | Master/slave | Root master/non-root master; primary/secondary; cache/stub | N/A | Master/replica; multi-master replica |
| Security | None | None (root or nothing) | DES authentication | None (root or nothing) | SSL, varied |
| Transport | TCP/IP | RPC | RPC | RPC | TCP/IP |
| Scale | Global | LAN | LAN | Global (with DNS)/LAN | Global |
Unlike NIS or NIS+ clients, an LDAP client always returns a fully qualified domain name (FQDN) for a host name. The LDAP FQDN is similar to the FQDN returned by DNS. For example, suppose your domain name is the following:

`west.example.net`

Both gethostbyname() and getipnodebyname() return the FQDN version when looking up the host name server:

`server.west.example.net`
Also, if you use interface-specific aliases such as server-#, a long list of fully qualified host names is returned. If you use host names to share file systems or in other such checks, you must account for this in those checks. For example, if you assume non-FQDNs for local hosts and FQDNs only for remote DNS-resolved hosts, you must account for the difference. If you set up LDAP with a different domain name from DNS, the same host might end up with two different FQDNs, depending on the lookup source.
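The kind of domain-aware host name comparison the preceding paragraph calls for, as an added example that is not part of the original guide. It canonicalizes a host name by lower-casing it, dropping a trailing dot and stripping the longest configured local suffix before comparing, so that `server`, `server.west.example.net` and `server.ldap.example.com` compare equal while a host in some other domain does not. The DNS domain `west.example.net` comes from the text; the LDAP domain `ldap.example.com` is a constructed value standing in for a site whose LDAP domain differs from its DNS domain.

```shell
#!/bin/sh
# Domains that a lookup source may append to a local host name.
# west.example.net is the DNS domain from the text; ldap.example.com is a
# constructed stand-in for an LDAP domain that differs from the DNS domain.
LOCAL_DOMAINS="west.example.net ldap.example.com"

# canon_host NAME
# Print NAME in canonical form: lower-case, no trailing dot, and with the
# longest matching local domain suffix removed. Names in other domains are
# left fully qualified so they are never mistaken for local hosts.
canon_host() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    best=
    for d in $LOCAL_DOMAINS; do
        case "$name" in
            *."$d") [ ${#d} -gt ${#best} ] && best=$d ;;
        esac
    done
    [ -n "$best" ] && name=${name%."$best"}
    printf '%s\n' "$name"
}

# same_host NAME1 NAME2
# Succeed when both names refer to the same host after canonicalization,
# whether either one came back short, as a DNS FQDN or as an LDAP FQDN.
same_host() {
    [ "$(canon_host "$1")" = "$(canon_host "$2")" ]
}

# Example: a share check that accepts a host only if it matches the
# configured short name, regardless of which naming service answered.
ALLOWED_HOST=server
for candidate in server server.west.example.net server.ldap.example.com server.east.example.net; do
    if same_host "$ALLOWED_HOST" "$candidate"; then
        printf 'allow %s\n' "$candidate"
    else
        printf 'deny  %s\n' "$candidate"
    fi
done
```

Keep the most specific suffixes in LOCAL_DOMAINS; the longest-match loop makes the order irrelevant, but a subdomain such as a.west.example.net must be listed explicitly if hosts under it should also reduce to their short name.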
- LDAP enables you to consolidate information by replacing application-specific databases, which reduces the number of distinct databases to be managed.
- LDAP allows for more frequent data synchronization between masters and replicas.
- LDAP is multi-platform and multi-vendor compatible.
Following are some restrictions associated with LDAP naming services:
- Clients prior to Solaris 8 are not supported.
- An LDAP server cannot be its own client.
- Setting up and managing LDAP naming services is more complex and requires careful planning.
A directory server (an LDAP server) cannot be its own client. That is, you cannot configure the machine that is running the directory server software to become an LDAP naming services client.
- Configuration of the LDAP directory server has been simplified with the idsconfig utility.
- A more robust security model that supports strong authentication and Transport Layer Security (TLS) encrypted sessions. A client's proxy credentials are no longer stored in a client's profile on the directory server.
- The ldapaddent command allows you to populate and dump data onto the server.
- Service search descriptors and attribute mapping.
- New profile schema.
NIS+ might not be supported in a future release. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment.
For more information, go to http://www.sun.com/directory/nisplus/transition.html.
For information about transitioning from NIS+ to LDAP, refer to Chapter 19, Transitioning From NIS+ to LDAP.
| Task | For Instructions |
|---|---|
| Plan the network model | |
| Plan the DIT | |
| Set up replica servers | |
| Plan the security model | |
| Choose client profiles and default attribute values | |
| Plan the data population | |
| Configure Sun ONE Directory Server 5.1 prior to using it with LDAP naming services | |
| Set up Sun ONE Directory Server 5.1 for use with LDAP naming clients | Chapter 15, Setting Up Sun ONE Directory Server 5.1 (Tasks) |
| Manage printer entries | |
| Initialize an LDAP client | Initializing a Client |
| Initialize a client using profiles | |
| Initialize a client manually | |
| Uninitialize a client | |
| Use service search descriptors to modify client profiles | Using Service Search Descriptors to Modify Client Access to Various Services |
| Retrieve naming service information | |
| Customize a client environment | |