Front cover Understanding LDAP Design and Implementation LDAP concepts and architecture Designing and maintaining LDAP Step-by-step approach for directory Steven Tuttle Ami Ehlenberger Ramakrishna Gorthi Jay Leiserson Richard Macbeth Nathan Owen Sunil Ranahandola Michael Storrs Chunhui Yang ibm.com/redbooks International Technical Support Organization Understanding LDAP Design and Implementation June 2004 SG24-4986-01 Note: Before using this information and the product it supports, read the information in “Notices” on page xv. Second Edition (June 2004) This edition applies to Version 5, Release 2 of IBM Tivoli Directory Server. © Copyright International Business Machines Corporation 1998, 2004. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . xv Trademarks . xvi Preface . xvii The team that wrote this redbook. xvii Become a published author . xix Comments welcome. xx Summary of changes . xxi June 2004, Second Edition . xxi Part 1. Directories and LDAP . 1 Chapter 1. Introduction to LDAP . 3 1.1 Directories . 5 1.1.1 Directory versus database . 5 1.1.2 LDAP: Protocol or directory. 7 1.1.3 Directory clients and servers. 8 1.1.4 Distributed directories . 9 1.2 Advantages of using a directory . 10 1.3 LDAP history and standards . 12 1.3.1 OSI and the Internet . 12 1.3.2 X.500 the Directory Server Standard . 13 1.3.3 Lightweight Access to X.500 . 14 1.3.4 Beyond LDAPv3 . 15 1.4 Directory components . 16 1.5 LDAP standards . 20 1.6 IBM’s Directory-enabled offerings . 21 1.7 Directory resources on the Web . 23 Chapter 2. LDAP concepts and architecture. 27 2.1 Overview of LDAP architecture . 28 2.2 The informational model . 32 2.2.1 LDIF . 35 2.2.2 LDAP schema . 37 2.3 The naming model. 42 2.3.1 LDAP distinguished name syntax (DNs) . 43 2.3.2 String form. 46 2.3.3 URL form. 47 © Copyright IBM Corp. 1998, 2004. All rights reserved. iii 2.4 Functional model . 47 2.4.1 Query . 48 2.4.2 Referrals and continuation references . 49 2.4.3 Search filter syntax . 50 2.4.4 Compare . 51 2.4.5 Update operations. 51 2.4.6 Authentication operations . 52 2.4.7 Controls and extended operations . 52 2.5 Security model. 53 2.6 Directory security. 53 2.6.1 No authentication . 54 2.6.2 Basic authentication . 54 2.6.3 SASL . 55 2.6.4 SSL and TLS. 55 Chapter 3. Planning your directory . 57 3.1 Defining the directory content . 60 3.1.1 Defining directory requirements . 60 3.2 Data design . 60 3.2.1 Sources for data . 61 3.2.2 Characteristics of data elements. 62 3.2.3 Related data . 62 3.3 Organizing your directory . 63 3.3.1 Schema design . 63 3.3.2 Namespace design . 64 3.3.3 Naming style . 67 3.4 Securing directory entries . 68 3.4.1 Purpose. 68 3.4.2 Analysis of security requirements . 68 3.4.3 Design overview . 68 3.4.4 Authentication design . 69 3.4.5 Authorization design . 70 3.4.6 Non-directory security considerations . 71 3.5 Designing your server and network infrastructure. 72 3.5.1 Availability, scalability, and manageability requirements . 72 3.5.2 Topology design . 73 3.5.3 Replication design. 75 3.5.4 Administration . 79 Part 2. IBM Tivoli Directory Server overview and installation . 81 Chapter 4. IBM Tivoli Directory Server overview . 83 4.1 Definition of ITDS . 84 4.2 ITDS 5.2 . 87 iv Understanding LDAP Design and Implementation 4.3 Resources on ITDS . 92 4.4 Summary of ITDS-related chapters. 92 Chapter 5. ITDS installation and basic configuration - Windows . 95 5.1 Installable components . 97 5.2 Installation and configuration checklist . 98 5.3 System and software requirements. 99 5.3.1 ITDS Client . 99 5.3.2 ITDS Server (including client) . 100 5.3.3 Web Administration Tool . ..