SlideShare a Scribd company logo

introduction to ldap

Thevakumar Presanth
Thevakumar Presanth

Network System Design

Education
1 of 60
Download to read offline
Network SystemsNetwork Systems  Design 300g Lightweight Directory Access ProtocolLightweight Directory Access Protocol (LDAP) 
OverviewOverview Wh t i Di t• What is a Directory • Understanding LDAP – Information Structure – Naming – Functions/Operations – SecuritySecurity • Protocol • Schema Design • Namespace Design • Topology Design • Replication• Replication • Summary
What is a DirectoryWhat is a Directory i li d b• Specialised Database • Attribute – Value pairp • Offline – Static– Static • Online – Dynamic – Flexible – Personalised – Secure
DirectoriesDirectories • Factors to consider when deciding whether to  use a directory:y – Size of the information Character of the information– Character of the information – Read‐to‐write ratio – Search capability – Standards‐based access
What is LDAP?What is LDAP? • Lightweight Directory Access Protocol – Lightweight alternative to DAPLightweight alternative to DAP – Uses TCP/IP instead of OSI stack – Simplifies certain functions and omits others… • Originally used to access and update information in a directory built on the X.500 model – Due to its complexity, early adopters of X.500 found DAP was not well suited for desktop PCs LDAP Request LDAP Server 1 (slapd) LDAP Referral LDAP Client LDAP Request LDAP Server 2 (slapd) LDAP Results
LDAP ModelsLDAP Models I f ti• Information  – Structure of information stored in an LDAP directory • Naming• Naming  – How information is organised and identified • Functional OperationsFunctional Operations – Describes what operations can be performed on the  information stored in an LDAP directory • Security  – Describes how the information can be protected from  unauthorised accessunauthorised access
LDAP Information ModelLDAP Information Model • Schemas  – Defines what object classes allowed – Where they are stored – What attributes they have – Which attributes are optional – Type/syntax of each attribute • LDAP schema must be readable by the clientLDAP schema must be readable by the client
LDAP Naming • The LDAP naming model defines how you organise and refer to  your data.y – Directory Information Tree (DIT)  • Usually follow geographical or organisational scheme – The name of an LDAP entry is formed by connecting, in a series, all theThe name of an LDAP entry is formed by connecting, in a series, all the  individual names of the parent entries back to the root • Distinguished Names (DN)   • Relative Distinguished Names (RDN)• Relative Distinguished Names (RDN) 
LDAP Protocol OperationsLDAP Protocol Operations A th ti ti /C t l• Authentication/Control – BIND/UNBIND – ABANDON • Interrogation – Search  – Compare entryCompare entry  • Update – Add an entry D l– Delete an entry – Modify an entry  – Modify DN/RDN
Client /Server InteractionClient /Server Interaction • Client establishes session with server (BIND) • Client performs operations • Client ends the session• Client ends the session  (UNBIND)
Update OperationsUpdate Operations Th 4 LDAP ti dd d l t d dif• There are 4 LDAP operations: add, delete, rename and modify – All update operations are atomic
addadd • The add operation allows you to create new  directory entries:y – Requires 2 parameters – DN and set of attributes Requirements for add operation to complete:– Requirements for add operation to complete: • Parent must exist Th t t b th t f th• There must not be another entry of the same name • The new entry must conform to the schema U t h ffi i t i i• User must have sufficient permissions
deletedelete • The delete operation allows directory entries  to be deleted: – Requires 1 parameter – DN  Requirements for delete operation to complete:– Requirements for delete operation to complete: • Entry must exist E t t h hild• Entry must have no children • User must have sufficient permissions
renamerename • The rename (modify DN) operation is used to  rename and or move directory entries:y – Requires 4 parameters – DN, new RDN, new  parent (optional), delete‐old‐RDN flagparent (optional), delete old RDN flag – Requirements for modify DN operation to  complete:complete: • Entry must exist E t t h hild• Entry must have no children • User must have sufficient permissions
modifymodify h dif i i d d• The modify operation is used to update  directory entries: – Requires 2 parameters – DN, set of modifications to be applied.  – Requirements for modify DN operation to  complete: • Entry must exist. • All modifications must succeed. • Resulting entry must obey schema. • User must have sufficient permissions.
LDAP S itLDAP Security • Security = Encryption + Authentication + Access Control • No Authentication • Simple Authentication – DN and password provided – Clear‐text or Base 64 encoded • Simple Authentication over SSL/TLS • Simple Authentication and Security Layer SASL (RFC 2222) – Parameters: DN, mechanism, credentials – Provides cross protocol authentication callsp – Encryption can be optionally negotiated – ldap_sasl_bind() (ver3 call) – ldap://<ldap_server>/?supportedsaslmechanisms
LDIFLDIF h• LDAP Data Interchange Format • RFC 2849 • LDIF is the standard way of representing  directory data in a textual format:directory data in a textual format: – used when exporting data from  and importing data into a directory server– and importing data into a directory server. – Solely ASCII (LDAPv3 uses UTF‐8).
Schema DesignSchema Design • Attributes • Object ClassesObject Classes
S h D iSchema Design • Similar to database systems, a schema is a set of rules that  determines what data can be stored in the directory • Purposes of a schema: – Ensures that poorly designed applications “play by the rules” and do  t t d d t d t i th di tnot store redundant data in the directory – Can be used to impose constraints on the size, range and format of  data values stored in the directory Can help slow the effects of directory entropy– Can help slow the effects of directory entropy • LDAP‐based schemas consist of: – Attribute types – Attribute syntaxes – Matching rulesg – Object classes
AttributesAttributes • Directory entries contain a collection of attribute types and  lvalues b h ld f d l h• Attribute types hold specific data elements such as a name or  phone number
Att ib t ( t )Attributes (cont…) • In LDAP, the definition of attribute type includes the , yp following: – A name that uniquely identifies the attribute type – An OID that also uniquely identifies the attribute – A textual description – An indication of whether the attribute is single or multi‐valued – An associated attribute syntax and set of matching rules b d– An attribute usage indicator – Restrictions on the range or size of the values that may be stored  in the attributein the attribute – Indication of whether the attribute can be modified by regular  applicationspp
Namespace DesignNamespace Design Y di ’ id h b i b• Your directory’s namespace provides the basic means by  which information is referenced in the directory. (more later) • A properly designed namespace can lead to: – Easier data maintenance – More flexibility in setting access control and replication policies – The ability to satisfy a wider variety of directory‐enabled applications More natural navigation through the directory– More natural navigation through the directory
Structure of a Namespace • The LDAP model defines a flexible namespace framework, which  means that you can almost certainly design a namespace to satisfy  i tany requirements: – However, it also means that you have more choices to make than you might like • The LDAP namespace is inherited from the X.500 directory standard. – Tree‐structured • The basic LDAP model is also hierarchical or tree‐structured: LDAP d t di tl t i hi h t i ht b b th– LDAP does not directly support namespaces in which an entry might be both a  child and parent of the same entry: • Alias and referral object classes can be used to construct such structures • The seeAlso attribute indirectly supports such structures
Naming Entries in the Hierarchy • Recall that an LDAP entry is a collection of attribute values. – The name of an entry is created by choosing one of more of these attribute values to form a  Relative Distinguished Name (RDN). • E.g. cn: Babara Jensencn: Babara Jensen cn=Babara Jensencn=Babara Jensen cn: Babs Jensencn: Babs Jensen sn: Jensensn: Jensen title: Directortitle: Director uid: babsuid: babs uid=babsuid=babs uid=babs+sn=Jensenuid=babs+sn=Jensen mail=babs@airius.commail=babs@airius.com uid: babsuid: babs mail: babs@airius.commail: babs@airius.com EntryEntry Examples of RDNsExamples of RDNs • When the RDN of an entry is chosen and its position relative to other entries in the  hierarchy is determined, forming the entry’s full name simple: Just combine the RDNs of  EntryEntry Examples of RDNsExamples of RDNs y , g y p the entry and all of its ancestor entries. – Resulting name is a Distinguished Name (DN). – DNs are written in little‐endian order – Least significant component is written first. • E.g. cn=Barbara Jensen, o=Netscape, c=US
P f NPurposes of a Namespace • Data Reference – There must be a way of unambiguously referencing directory entries. – Provides a compact and efficient way to support groups of directory  entries and directory entries that refer to one another. 
Purposes of a Namespace (cont )Purposes of a Namespace (cont…) • Data Organisation: – For example, you might place all entries corresponding to  people in one portion of the namespace, entries  corresponding to devices in another etc… (further  partitioning is possible)partitioning is possible)
Purposes of a Namespace (cont…)Purposes of a Namespace (cont…) • Data partitioning: – A namespace enables directory data to be partitioned, or divided among  l i lmultiple servers • Partitioning can be performed only at a branch point in the directory • Data replication: – Choice of namespace design can constrain the replication scenarios your  directory can support – Most replication solutions require partitioning on branch points in the  namespace • Access control: – Like replication, some products allow the setting of access control only  at namespace branch points   • Application support: – From a functional perspective, the namespace should support the  applications that the directory is servingapplications that the directory is serving
Analysing Namespace NeedsAnalysing Namespace Needs • Choice of suffixes • Flat or hierarchical namespace • What attributes should you use to name entries • Application requirements • Administrative concerns P i• Privacy concerns • Future needsFuture needs
Choosing a Suffix h di i h l l l i b f l• The directory service may have only a local scope or it may be part of a larger or  global directory system: – 3 methods are commonly used – RFC 2247, organisation’s DNS name or X.500  ticonvention – Directory’s suffix should name the top of your department’s tree otherwise A di t h ld lti l ffi• A directory server may hold multiple suffixes: – You may want to design a service with multiple suffixes if you have two or more trees of  information that do not have a natural common root • Suffix should name the top of department’s tree – e g ou=Engineering dc=airius dc=com• Suffix should name the top of department s tree – e.g. ou=Engineering, dc=airius, dc=com
Fl t d Hi hi l S hFlat and Hierarchical Schemes • As a guiding design principle you should strive to• As a guiding design principle, you should strive to  mark a directory’s namespace as flat as possible: – The flatter the namespace is, the less likely names are to  change – Shorter names take up less space • E.g. increasing the average name by only 20 bytes (the g g g y y y ( approximate result of adding an extra component) represents  an increase of 2MB in a directory containing 100,000 entries!! – Shorter names are easier to remember!
Hierarchical StructuresHierarchical Structures • Hierarchies can be used to partition data amongst servers, enable  replication, provide finer‐grained access control, and browsing  purposes – If a centralised directory is anticipated, there is no need to introduce  hierarchies to enable data distribution • Design hierarchy in a way that minimises problematic name changes • Name changes can be avoided if you are able to design your hierarchy  based on information that is not connected to directory information  th t i lik l t hthat is likely to change
Naming AttributesNaming Attributes • Requirements imposed on naming attributes: – The RDN of the entry must be chosen from one or more of the entry’s  ibattributes – The RDN of the entry must be unique among all its siblings • Although these are the only restrictions, a policy which ensures  unique RDNs for people is preferable: – Has the benefit that, even if an entry has to be moved, no name clashes willHas the benefit that, even if an entry has to be moved, no name clashes will  occur • 2 approaches to ensuring unique names:2 approaches to ensuring unique names: – Using existing unique names: • Employee IDs • Unix login names• Unix login names – Constructing new  identifiers • Timestamping techniques • Appending numbers to names• Appending numbers to names • Multivalued RDNs (strongly discouraged)
Other Considerations • Applications considerations – Typically, a directory is required to support one or more directory enabled applicationsTypically, a directory is required to support one or more directory enabled applications • Administrative considerations What is the impact of your namespace design on administrative tasks such as adding/deleting– What is the impact of your namespace design on administrative tasks, such as adding/deleting  entries, name changes or migration across directory server platforms • Privacy considerationsy – You should not divulge any information through the namespace that you do not intend to divulge! • Anticipate the future (situations that precipitate a namespaceAnticipate the future (situations that precipitate a namespace  redesign): – Choosing the wrong naming attribute – A directory starts out under central administrative control, but you later decide to delegate someA directory starts out under central administrative control, but you later decide to delegate some  portion of the data – If you choose a hierarchical namespace with a hierarchy based on a geographical, organisational or  any scheme that is bound to change
Topology DesignTopology Design • Partitions • Gluing partitionsGluing partitions – Referrals Ch i i– Chaining • Name resolution • Authentication in a distributed directory Di i i i i LDAP• Directory partitioning in openLDAP
What is Topology Design?What is Topology Design? • LDAP directory services are designed to support a distributed  directory • The directory’s topology describes:  – the way you divide your directory tree among physical servers andthe way you divide your directory tree among physical servers and – How you allocate those servers among your organisation’s physical  locations • Benefits: – Achieve optimal performance for directory enabled applicationsAchieve optimal performance for directory enabled applications – Increase directory availability – Better managed directory
Directory Topology OverviewDirectory Topology Overview • When you divide a single directory into manageable chunks and  i h i i i h diassign them to separate servers, you are partitioning the directory: – The directory itself is responsible for hiding partitioning details from usersThe directory itself is responsible for hiding partitioning details from users – Each server is responsible for only a portion of a tree • DNS operates in the same mannerDNS operates in the same manner – In X.500 terminology, the unit of division is known as a naming context ,  partition or suffixpartition or suffix – A directory partition is a complete sub‐tree of the DIT – All entries in a partition must share a common ancestor known as the partition  root
Directory Topology Overviewy p gy • It is also possible to exclude directories from a partition • Using these principles you can divide a single large directory  intro a number of smaller partitions
Gluing the Directory TogetherGluing the Directory Together • We need some way to describe the relationships between  directory partitions: – LDAP and X.500 defines these relationships in terms of knowledge  references • There are 2 types of knowledge references: – Immediate superior knowledge references: Point upward in the DIT toward  h d i h i ithe root and ties the naming context to its ancestor – Subordinate references: Point downward in the DIT to other partitionsp
Name ResolutionName Resolution • Name resolution is the process by which a directory maps a DN  id d b li t t t l bj t i th di tprovided by a client to an actual object in the directory • Name resolution is used in the following circumstances:• Name resolution is used in the following circumstances: – When locating the base object of an LDAP search or compare operation – When locating an entry to modify, delete, rename or bind as  – When locating the parent of an entry to be added to the directory A DN t d i thi f hi i ll d t d• A DN presented in this fashion is called a purported name: – The client claims that it exists and its up to the directory system to check  whether this is true
Name Resolution (Example)( p ) 1. The client presents the purported name 2. Since server 1 does not hold a naming context that could contain the entry, the  immediate superior knowledge reference allows the name resolution process to p g p walk up the tree to server 2 3 Server 2 contains a subordinate reference for the naming context3. Server 2 contains a subordinate reference for the naming context  ou=engineering, dc=airius, dc=com, so the name resolution process goes to  server 3 4. Server 3 holds a subordinate reference for the naming context ou=PCB design,  ou=engineering, dc=airius, dc=com, so the process walks down again 5. Finally, server 4 is consulted to check whether the entry exists 
Handling Distribution in the Client • LDAP referrals and search result continuation references are pieces of knowledge  reference information sent from an LDAP server to an LDAP client:reference information sent from an LDAP server to an LDAP client: – Indicates that other servers need to be contacted to fulfil request • LDAP referrals – When client performs add modify delete moddn compare orLDAP referrals  When client performs add, modify, delete, moddn, compare or  search operation with a base‐level scope and the server does not hold target entry,  an LDAP referral is returned • Search result continuation references – When search scope is not base‐level and  the server has knowledge of other subordinate directory partitions, search result  continuation references are returned • Similiar – Whereas referrals are contained in LDAP result messages, search result  continuation references are contained in search result messages • Normally, client libraries automatically handle processing of references • Follow the example in the additional notes.
Structure of a LDAP ReferralStructure of a LDAP Referral • The information in a LDAP referral is in the format of a LDAP  Uniform Resource Locator (URL)  • A referral gives the following information:• A referral gives the following information: – The hostname of the server to contact – The port number of the server – The base DN (search operation) or target DN (add, delete, compare or  moddn operation) • Optional: if absent, the client should use the same base DN it used when  performing the operation that resulted in the referralperforming the operation that resulted in the referral • E.g. if a client searches the subtree dc=airius, dc=com for all  entries with a surname smith, the referral would be returned as  the following LDAP URL: ldap://server3.airius.com:389/ou=engineering, dc=airius, dc=com
Handling Distribution in the Server ChainingHandling Distribution in the Server  ‐ Chaining • When chaining is used, the client starts by submitting  an operation to a server in the usual way: – If the server is unable to completely process the request  because it does not hold all the required data, it chases the  f l b t ti th b h lf f th li treferral by contacting other servers on behalf of the client – It returns the combined results to the client when the  other servers have completed the operationother servers have completed the operation
Deciding Between Client or ServerDeciding Between Client or Server  Distribution Handling  • Chaining in general reduces client complexity, but at  the cost of increased server complexity:the cost of increased server complexity: – Opposite is true if client is required to handle references • You may not have a choice about which method you  use: – openLDAP only supports client‐side processing
Authentication in a Distributed Directory • The server or servers that ultimately handle a client request must verify the  identity of the client so that they can enforce restrictions – This is true even if the server handling the request is not the server to which the  client originally authenticated • Authentication in a chained environment is accomplished as follows: 1. The directory client connects to server 1 and authenticates 2. If the client’s authentication credentials are successfully verified, server 1 returns a  success code to the client 3. The client submits a search operation to server 1 4. Server 1 determines that it does not hold the appropriate partition, so it chains the  operation to server 2
Authentication in a Distributed DirectoryAuthentication in a Distributed Directory h i h l h li• There are 2 ways server 2 might learn the clients  identity: – Server 1 might tell server 2 who the client is and server 2  might choose to believe server 1 i h h li ’ id i d– Server 1 might pass on to server 2 the client’s identity and  authentication credentials: • Server 2 could then independently verify the credentials• Server 2 could then independently verify the credentials
Security ImplicationsSecurity Implications • When using referrals, you should take precautions to ensure  that you have absolute control over the referrals contained inthat you have absolute control over the referrals contained in  your directory: – Additionally, you should allow referrals only to directories you trust • Important because some directory clients may choose to  automatically resubmit referred operations and authenticateautomatically resubmit referred operations and authenticate  to the referred‐to server using the same credentials used  when authenticating to the original server: – This means that if a rouge referral were placed in a directory, the  directory clients may be tricked into submitting their authentication  credentials – Similar principles apply for chaining – only trust remote servers under  your direct control
When to Partition?When to Partition? • Factors favouring a directory with larger number of• Factors favouring a directory with larger number of  partitions:  – The number of entries is too great for a single partition orThe number of entries is too great for a single partition or  server – Your directory‐enabled applications tend only to read and  modify entries from the local workgroupmodify entries from the local workgroup – The amount of update traffic to a single partition is too  large – Partitioning allows data and update traffic to remain local  and avoid spanning WAN links – Directory use will expand significantly in the future– Directory use will expand significantly in the future,  beyond the point where a single partition is feasible
ReplicationReplication • Replication design • Replication scopeReplication scope • Consistency and convergence • Replication strategies
Replication Design • Replication increases the availability of your directory server:p y y y – Increased reliability ‐ Protects your service from equipment failures,  network partitioning etc… Improved read performance Reduces server network load thus– Improved read performance – Reduces server, network load, thus  reducing latency at clients and better load distribution – Improved write performance – Multi‐master replication • Security purposes: – By selectively replicating portions of a directory the replica could– By selectively replicating portions of a directory, the replica could  function as a public directory service
Replication ConceptsReplication Concepts • Suppliers consumers and replication agreements• Suppliers, consumers and replication agreements • The unit of replication• The unit of replication • Consistency and convergenceConsistency and convergence • Incremental and total updatesp • Initial population of a replica • Replication strategies
Suppliers, Consumers and Replication  AgreementsAgreements • The terms supplier and consumer refer to the source andThe terms supplier and consumer refer to the source and  destination of replication updates: – These roles are not mutually exclusivey • The configuration information that tells a supplier serverThe configuration information that tells a supplier server  about a consumer server (and vice versa) is termed a  replication agreement: p g • includes the unit of replication • the hostname and port of the remote server and h d li i f ti• scheduling information – In essence, the replication agreement defines WHAT is to be replicated, WHERE  it is to be sent and HOW it is to be done
The Unit of Replication • Define subtree – specify DN at the top of a subtree and p y p replicate all entries subordinate to it • Filtered replication (unsupported by openldap): D fi l t t i i bt b d bj t l d fi iti– Define select entries in subtree – based on objectclass definitions: • X.500 defines this ability as the specification filter component of the unit  replicationp – Define select attribute types – based on attributetype definitions: • X.500 defines this as the attribute selection component of the unit of  replication
Consistency and ConvergenceConsistency and Convergence • Consistency describes how closely the contents of replicated• Consistency describes how closely the contents of replicated  servers match each other at a given point in time: – A strongly consistent replica is one that provides the same information g y p p as its supplier at all times – A weakly consistent replica is permitted to diverge from its supplier for  some period of time:p • All practical directory systems use weakly consistent replicas W th t li d h d h• We say that a supplier and consumer have converged when  they contain the same data
Initial Population of a ReplicaInitial Population of a Replica • The consumer (replica) contains no data when it is initially ( p ) y configured: – Or, in the event that a replica becomes damaged, it must be brought  back into synchronisationback into synchronisation • Directory vendors accomplish replica initialisation through y p p g similar techniques: – X.500 Directory Information Shadowing Protocol supports a total  update strategyupdate strategy – Most LDAP products, including openLDAP, use LDAP itself to initialise  the replica: di i f d l t ti t d i d t i d• sending a series of delete operations to remove undesired entries and a  series of add operations to populate the directory
Replication StrategiesReplication Strategies • The term replication strategy refers to the way updates flow  from server to server and the way servers interact when  propagating updatespropagating updates • But after a client has successfully modified, deleted, added or  renamed an entry, how does the server make it visible to its  replicas? • There are 3 main approaches toward solving this problem: – Single‐master replication Fl i li i ( d b ld ) d– Floating‐master replication (unsupported by openldap) and – Multi‐master replication (unsupported by openldap)
Single Master ReplicationSingle Master Replication • In single‐master replication, there is one and only one server that  contains a writable copy of a given directory entrycontains a writable copy of a given directory entry. – Replicas are all read‐only. • Advantage: since directory applications in general perform more read than write  operations. • Disadvantage: single point of failure as the read‐write server. • What if the client needs to write to the directory via the replica? – Referrals – Chaining
Floating Master ReplicationFloating‐Master Replication • Like single‐master replication, floating‐master replication maintains only a single  read‐write server: – When the read‐write server becomes unavailable, a voting‐based algorithm is used to g g elect a read‐write master from the remaining replicas – Avoids single‐point of failure • Complications in synchronisation arise when 2 masters are rejoined: – Requires an update conflict resolution policy  • Last writer wins policy ‐ timestampsLast writer wins policy timestamps • Business rules – precedence between departments – Never used in directory products
M lti t R li tiMulti‐master Replication • In multi‐master replication, there may be more than one  read‐write server available:read write server available: – Clients submit a write operation to any of the read‐write  replicas.p • Improves write performance – It becomes the responsibility of the set of cooperating servers to  ensure that changes are eventually propagated • Like floating master replication, this approach requires an  update conflict resolution policy
SummarySummary • The term LDAP has come to mean 4 things: – A set of models; information, naming, functional and security, that guides ; , g, y, g you in your use of the directory – The protocol itself – A standardised API for application development– A standardised API for application development – LDIF standard for interchanging directory data • Advantages: – Simple, yet versatile Ubiquitous– Ubiquitous – Easy to understand – Simply works better • Reading U d t di d D l i LDAP S i– Understanding and Deploying LDAP Services: • Chapters 1 – 2,  8 –11, 21

Recommended

31st TWNC IP OPM and TWNOG: RDAP and RPKI
31st TWNC IP OPM and TWNOG: RDAP and RPKI31st TWNC IP OPM and TWNOG: RDAP and RPKI
31st TWNC IP OPM and TWNOG: RDAP and RPKIAPNIC
 
IPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsIPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsCarlos Martinez Cagnazzo
 
Policy 2012 presentation
Policy 2012 presentationPolicy 2012 presentation
Policy 2012 presentationbdemchak
 
Insync10 goldengate
Insync10 goldengateInsync10 goldengate
Insync10 goldengateInSync Conference
 
Ogg oracle goldengate-v3.0
Ogg oracle goldengate-v3.0Ogg oracle goldengate-v3.0
Ogg oracle goldengate-v3.0Jos van den Oord [Oracle DBA,OCM,OCP,RAC,CLOUD]
 
Funtional Programming
Funtional ProgrammingFuntional Programming
Funtional ProgrammingGirish Khanzode
 
Hitachi Unified Storage and Hitachi NAS Platform 4000 Series -- Datasheet
Hitachi Unified Storage and Hitachi NAS Platform 4000 Series -- DatasheetHitachi Unified Storage and Hitachi NAS Platform 4000 Series -- Datasheet
Hitachi Unified Storage and Hitachi NAS Platform 4000 Series -- DatasheetHitachi Vantara
 
Hafslund SESAM - Semantic integration in practice
Hafslund SESAM - Semantic integration in practiceHafslund SESAM - Semantic integration in practice
Hafslund SESAM - Semantic integration in practiceLars Marius Garshol
 

Recommended

31st TWNC IP OPM and TWNOG: RDAP and RPKI
31st TWNC IP OPM and TWNOG: RDAP and RPKI31st TWNC IP OPM and TWNOG: RDAP and RPKI
31st TWNC IP OPM and TWNOG: RDAP and RPKIAPNIC
 
IPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsIPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsCarlos Martinez Cagnazzo
 
Policy 2012 presentation
Policy 2012 presentationPolicy 2012 presentation
Policy 2012 presentationbdemchak
 
Insync10 goldengate
Insync10 goldengateInsync10 goldengate
Insync10 goldengateInSync Conference
 
Ogg oracle goldengate-v3.0
Ogg oracle goldengate-v3.0Ogg oracle goldengate-v3.0
Ogg oracle goldengate-v3.0Jos van den Oord [Oracle DBA,OCM,OCP,RAC,CLOUD]
 
Funtional Programming
Funtional ProgrammingFuntional Programming
Funtional ProgrammingGirish Khanzode
 
Hitachi Unified Storage and Hitachi NAS Platform 4000 Series -- Datasheet
Hitachi Unified Storage and Hitachi NAS Platform 4000 Series -- DatasheetHitachi Unified Storage and Hitachi NAS Platform 4000 Series -- Datasheet
Hitachi Unified Storage and Hitachi NAS Platform 4000 Series -- DatasheetHitachi Vantara
 
Hafslund SESAM - Semantic integration in practice
Hafslund SESAM - Semantic integration in practiceHafslund SESAM - Semantic integration in practice
Hafslund SESAM - Semantic integration in practiceLars Marius Garshol
 
Ozone: An Object Store in HDFS
Ozone: An Object Store in HDFSOzone: An Object Store in HDFS
Ozone: An Object Store in HDFSDataWorks Summit
 
Open Source SQL Databases
Open Source SQL DatabasesOpen Source SQL Databases
Open Source SQL DatabasesEmanuel Calvo
 
HDF Update
HDF UpdateHDF Update
HDF UpdateThe HDF-EOS Tools and Information Center
 
IPv6 in Cellular Networks
IPv6 in Cellular NetworksIPv6 in Cellular Networks
IPv6 in Cellular NetworksAPNIC
 
Edward King SPEDDEXES 2014
Edward King SPEDDEXES 2014Edward King SPEDDEXES 2014
Edward King SPEDDEXES 2014aceas13tern
 
Introduction to Hadoop Administration
Introduction to Hadoop AdministrationIntroduction to Hadoop Administration
Introduction to Hadoop AdministrationRamesh Pabba - seeking new projects
 
Netflix's Transition to High-Availability Storage (QCon SF 2010)
Netflix's Transition to High-Availability Storage (QCon SF 2010)Netflix's Transition to High-Availability Storage (QCon SF 2010)
Netflix's Transition to High-Availability Storage (QCon SF 2010)Sid Anand
 
Goods Receipt Document Imaging
Goods Receipt Document Imaging Goods Receipt Document Imaging
Goods Receipt Document Imaging Verbella CMG
 
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceWhere are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceAPNIC
 
How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14Bobby Curtis
 
btNOG 6: Next Generation Internet Registry Services - RDAP
btNOG 6: Next Generation Internet Registry Services - RDAPbtNOG 6: Next Generation Internet Registry Services - RDAP
btNOG 6: Next Generation Internet Registry Services - RDAPAPNIC
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesMyNOG
 
Directory services by SAJID
Directory services by SAJIDDirectory services by SAJID
Directory services by SAJIDSajid khan
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersPerforce
 
LDAP(In_Linux).pptx
LDAP(In_Linux).pptxLDAP(In_Linux).pptx
LDAP(In_Linux).pptxShanmugapriyaSenthil3
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Fox pass
Fox passFox pass
Fox passfoxpass
 
Modern Deployment Strategies
Modern Deployment StrategiesModern Deployment Strategies
Modern Deployment StrategiesPerforce
 
Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01SANE Ibrahima
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)Anatoliy Okhotnikov
 
Directory services
Directory servicesDirectory services
Directory servicesChristalin Nelson
 
Drill architecture 20120913
Drill architecture 20120913Drill architecture 20120913
Drill architecture 20120913jasonfrantz
 

More Related Content

What's hot

Ozone: An Object Store in HDFS
Ozone: An Object Store in HDFSOzone: An Object Store in HDFS
Ozone: An Object Store in HDFSDataWorks Summit
 
Open Source SQL Databases
Open Source SQL DatabasesOpen Source SQL Databases
Open Source SQL DatabasesEmanuel Calvo
 
IPv6 in Cellular Networks
IPv6 in Cellular NetworksIPv6 in Cellular Networks
IPv6 in Cellular NetworksAPNIC
 
Edward King SPEDDEXES 2014
Edward King SPEDDEXES 2014Edward King SPEDDEXES 2014
Edward King SPEDDEXES 2014aceas13tern
 
Netflix's Transition to High-Availability Storage (QCon SF 2010)
Netflix's Transition to High-Availability Storage (QCon SF 2010)Netflix's Transition to High-Availability Storage (QCon SF 2010)
Netflix's Transition to High-Availability Storage (QCon SF 2010)Sid Anand
 
Goods Receipt Document Imaging
Goods Receipt Document Imaging Goods Receipt Document Imaging
Goods Receipt Document Imaging Verbella CMG
 
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceWhere are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceAPNIC
 
How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14Bobby Curtis
 
btNOG 6: Next Generation Internet Registry Services - RDAP
btNOG 6: Next Generation Internet Registry Services - RDAPbtNOG 6: Next Generation Internet Registry Services - RDAP
btNOG 6: Next Generation Internet Registry Services - RDAPAPNIC
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesMyNOG
 

What's hot (12)

Ozone: An Object Store in HDFS
Ozone: An Object Store in HDFSOzone: An Object Store in HDFS
Ozone: An Object Store in HDFS
 
Open Source SQL Databases
Open Source SQL DatabasesOpen Source SQL Databases
Open Source SQL Databases
 
HDF Update
HDF UpdateHDF Update
HDF Update
 
IPv6 in Cellular Networks
IPv6 in Cellular NetworksIPv6 in Cellular Networks
IPv6 in Cellular Networks
 
Edward King SPEDDEXES 2014
Edward King SPEDDEXES 2014Edward King SPEDDEXES 2014
Edward King SPEDDEXES 2014
 
Introduction to Hadoop Administration
Introduction to Hadoop AdministrationIntroduction to Hadoop Administration
Introduction to Hadoop Administration
 
Netflix's Transition to High-Availability Storage (QCon SF 2010)
Netflix's Transition to High-Availability Storage (QCon SF 2010)Netflix's Transition to High-Availability Storage (QCon SF 2010)
Netflix's Transition to High-Availability Storage (QCon SF 2010)
 
Goods Receipt Document Imaging
Goods Receipt Document Imaging Goods Receipt Document Imaging
Goods Receipt Document Imaging
 
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceWhere are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
 
How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14
 
btNOG 6: Next Generation Internet Registry Services - RDAP
btNOG 6: Next Generation Internet Registry Services - RDAPbtNOG 6: Next Generation Internet Registry Services - RDAP
btNOG 6: Next Generation Internet Registry Services - RDAP
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
 

Similar to introduction to ldap

Directory services by SAJID
Directory services by SAJIDDirectory services by SAJID
Directory services by SAJIDSajid khan
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersPerforce
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Modern Deployment Strategies
Modern Deployment StrategiesModern Deployment Strategies
Modern Deployment StrategiesPerforce
 
Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01SANE Ibrahima
 
Drill architecture 20120913
Drill architecture 20120913Drill architecture 20120913
Drill architecture 20120913jasonfrantz
 
Scaling etl with hadoop shapira 3
Scaling etl with hadoop shapira 3Scaling etl with hadoop shapira 3
Scaling etl with hadoop shapira 3Gwen (Chen) Shapira
 
CIS13: A Breakthrough in Directory Technology: Meet the Elephant in the Room ...
CIS13: A Breakthrough in Directory Technology: Meet the Elephant in the Room ...CIS13: A Breakthrough in Directory Technology: Meet the Elephant in the Room ...
CIS13: A Breakthrough in Directory Technology: Meet the Elephant in the Room ...CloudIDSummit
 
LDAP Integration
LDAP IntegrationLDAP Integration
LDAP IntegrationDell World
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 
Migración desde BBDD propietarias a MariaDB
Migración desde BBDD propietarias a MariaDBMigración desde BBDD propietarias a MariaDB
Migración desde BBDD propietarias a MariaDBMariaDB plc
 
Security and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web StudioSecurity and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web StudioAVEVA
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.xFabio Codebue
 
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by ClouderaBig Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by ClouderaCaserta
 

Similar to introduction to ldap (20)

Directory services by SAJID
Directory services by SAJIDDirectory services by SAJID
Directory services by SAJID
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without Triggers
 
LDAP(In_Linux).pptx
LDAP(In_Linux).pptxLDAP(In_Linux).pptx
LDAP(In_Linux).pptx
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
 
Fox pass
Fox passFox pass
Fox pass
 
Modern Deployment Strategies
Modern Deployment StrategiesModern Deployment Strategies
Modern Deployment Strategies
 
Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
 
Directory services
Directory servicesDirectory services
Directory services
 
Drill architecture 20120913
Drill architecture 20120913Drill architecture 20120913
Drill architecture 20120913
 
Scaling etl with hadoop shapira 3
Scaling etl with hadoop shapira 3Scaling etl with hadoop shapira 3
Scaling etl with hadoop shapira 3
 
CIS13: A Breakthrough in Directory Technology: Meet the Elephant in the Room ...
CIS13: A Breakthrough in Directory Technology: Meet the Elephant in the Room ...CIS13: A Breakthrough in Directory Technology: Meet the Elephant in the Room ...
CIS13: A Breakthrough in Directory Technology: Meet the Elephant in the Room ...
 
LDAP Integration
LDAP IntegrationLDAP Integration
LDAP Integration
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
Migración desde BBDD propietarias a MariaDB
Migración desde BBDD propietarias a MariaDBMigración desde BBDD propietarias a MariaDB
Migración desde BBDD propietarias a MariaDB
 
REDIS327
REDIS327REDIS327
REDIS327
 
Security and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web StudioSecurity and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web Studio
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.x
 
Ldap
LdapLdap
Ldap
 
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by ClouderaBig Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera
 

Recently uploaded

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 

Recently uploaded (20)

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 

introduction to ldap

  • 1. Network SystemsNetwork Systems  Design 300g Lightweight Directory Access ProtocolLightweight Directory Access Protocol (LDAP) 
  • 2. OverviewOverview Wh t i Di t• What is a Directory • Understanding LDAP – Information Structure – Naming – Functions/Operations – SecuritySecurity • Protocol • Schema Design • Namespace Design • Topology Design • Replication• Replication • Summary
  • 3. What is a DirectoryWhat is a Directory i li d b• Specialised Database • Attribute – Value pairp • Offline – Static– Static • Online – Dynamic – Flexible – Personalised – Secure
  • 4. DirectoriesDirectories • Factors to consider when deciding whether to  use a directory:y – Size of the information Character of the information– Character of the information – Read‐to‐write ratio – Search capability – Standards‐based access
  • 5. What is LDAP?What is LDAP? • Lightweight Directory Access Protocol – Lightweight alternative to DAPLightweight alternative to DAP – Uses TCP/IP instead of OSI stack – Simplifies certain functions and omits others… • Originally used to access and update information in a directory built on the X.500 model – Due to its complexity, early adopters of X.500 found DAP was not well suited for desktop PCs LDAP Request LDAP Server 1 (slapd) LDAP Referral LDAP Client LDAP Request LDAP Server 2 (slapd) LDAP Results
  • 6. LDAP ModelsLDAP Models I f ti• Information  – Structure of information stored in an LDAP directory • Naming• Naming  – How information is organised and identified • Functional OperationsFunctional Operations – Describes what operations can be performed on the  information stored in an LDAP directory • Security  – Describes how the information can be protected from  unauthorised accessunauthorised access
  • 7. LDAP Information ModelLDAP Information Model • Schemas  – Defines what object classes allowed – Where they are stored – What attributes they have – Which attributes are optional – Type/syntax of each attribute • LDAP schema must be readable by the clientLDAP schema must be readable by the client
  • 8. LDAP Naming • The LDAP naming model defines how you organise and refer to  your data.y – Directory Information Tree (DIT)  • Usually follow geographical or organisational scheme – The name of an LDAP entry is formed by connecting, in a series, all theThe name of an LDAP entry is formed by connecting, in a series, all the  individual names of the parent entries back to the root • Distinguished Names (DN)   • Relative Distinguished Names (RDN)• Relative Distinguished Names (RDN) 
  • 9. LDAP Protocol OperationsLDAP Protocol Operations A th ti ti /C t l• Authentication/Control – BIND/UNBIND – ABANDON • Interrogation – Search  – Compare entryCompare entry  • Update – Add an entry D l– Delete an entry – Modify an entry  – Modify DN/RDN
  • 10. Client /Server InteractionClient /Server Interaction • Client establishes session with server (BIND) • Client performs operations • Client ends the session• Client ends the session  (UNBIND)
  • 11. Update OperationsUpdate Operations Th 4 LDAP ti dd d l t d dif• There are 4 LDAP operations: add, delete, rename and modify – All update operations are atomic
  • 12. addadd • The add operation allows you to create new  directory entries:y – Requires 2 parameters – DN and set of attributes Requirements for add operation to complete:– Requirements for add operation to complete: • Parent must exist Th t t b th t f th• There must not be another entry of the same name • The new entry must conform to the schema U t h ffi i t i i• User must have sufficient permissions
  • 13. deletedelete • The delete operation allows directory entries  to be deleted: – Requires 1 parameter – DN  Requirements for delete operation to complete:– Requirements for delete operation to complete: • Entry must exist E t t h hild• Entry must have no children • User must have sufficient permissions
  • 14. renamerename • The rename (modify DN) operation is used to  rename and or move directory entries:y – Requires 4 parameters – DN, new RDN, new  parent (optional), delete‐old‐RDN flagparent (optional), delete old RDN flag – Requirements for modify DN operation to  complete:complete: • Entry must exist E t t h hild• Entry must have no children • User must have sufficient permissions
  • 15. modifymodify h dif i i d d• The modify operation is used to update  directory entries: – Requires 2 parameters – DN, set of modifications to be applied.  – Requirements for modify DN operation to  complete: • Entry must exist. • All modifications must succeed. • Resulting entry must obey schema. • User must have sufficient permissions.
  • 16. LDAP S itLDAP Security • Security = Encryption + Authentication + Access Control • No Authentication • Simple Authentication – DN and password provided – Clear‐text or Base 64 encoded • Simple Authentication over SSL/TLS • Simple Authentication and Security Layer SASL (RFC 2222) – Parameters: DN, mechanism, credentials – Provides cross protocol authentication callsp – Encryption can be optionally negotiated – ldap_sasl_bind() (ver3 call) – ldap://<ldap_server>/?supportedsaslmechanisms
  • 17. LDIFLDIF h• LDAP Data Interchange Format • RFC 2849 • LDIF is the standard way of representing  directory data in a textual format:directory data in a textual format: – used when exporting data from  and importing data into a directory server– and importing data into a directory server. – Solely ASCII (LDAPv3 uses UTF‐8).
  • 18. Schema DesignSchema Design • Attributes • Object ClassesObject Classes
  • 19. S h D iSchema Design • Similar to database systems, a schema is a set of rules that  determines what data can be stored in the directory • Purposes of a schema: – Ensures that poorly designed applications “play by the rules” and do  t t d d t d t i th di tnot store redundant data in the directory – Can be used to impose constraints on the size, range and format of  data values stored in the directory Can help slow the effects of directory entropy– Can help slow the effects of directory entropy • LDAP‐based schemas consist of: – Attribute types – Attribute syntaxes – Matching rulesg – Object classes
  • 20. AttributesAttributes • Directory entries contain a collection of attribute types and  lvalues b h ld f d l h• Attribute types hold specific data elements such as a name or  phone number
  • 21. Att ib t ( t )Attributes (cont…) • In LDAP, the definition of attribute type includes the , yp following: – A name that uniquely identifies the attribute type – An OID that also uniquely identifies the attribute – A textual description – An indication of whether the attribute is single or multi‐valued – An associated attribute syntax and set of matching rules b d– An attribute usage indicator – Restrictions on the range or size of the values that may be stored  in the attributein the attribute – Indication of whether the attribute can be modified by regular  applicationspp
  • 22. Namespace DesignNamespace Design Y di ’ id h b i b• Your directory’s namespace provides the basic means by  which information is referenced in the directory. (more later) • A properly designed namespace can lead to: – Easier data maintenance – More flexibility in setting access control and replication policies – The ability to satisfy a wider variety of directory‐enabled applications More natural navigation through the directory– More natural navigation through the directory
  • 23. Structure of a Namespace • The LDAP model defines a flexible namespace framework, which  means that you can almost certainly design a namespace to satisfy  i tany requirements: – However, it also means that you have more choices to make than you might like • The LDAP namespace is inherited from the X.500 directory standard. – Tree‐structured • The basic LDAP model is also hierarchical or tree‐structured: LDAP d t di tl t i hi h t i ht b b th– LDAP does not directly support namespaces in which an entry might be both a  child and parent of the same entry: • Alias and referral object classes can be used to construct such structures • The seeAlso attribute indirectly supports such structures
  • 24. Naming Entries in the Hierarchy • Recall that an LDAP entry is a collection of attribute values. – The name of an entry is created by choosing one of more of these attribute values to form a  Relative Distinguished Name (RDN). • E.g. cn: Babara Jensencn: Babara Jensen cn=Babara Jensencn=Babara Jensen cn: Babs Jensencn: Babs Jensen sn: Jensensn: Jensen title: Directortitle: Director uid: babsuid: babs uid=babsuid=babs uid=babs+sn=Jensenuid=babs+sn=Jensen mail=babs@airius.commail=babs@airius.com uid: babsuid: babs mail: babs@airius.commail: babs@airius.com EntryEntry Examples of RDNsExamples of RDNs • When the RDN of an entry is chosen and its position relative to other entries in the  hierarchy is determined, forming the entry’s full name simple: Just combine the RDNs of  EntryEntry Examples of RDNsExamples of RDNs y , g y p the entry and all of its ancestor entries. – Resulting name is a Distinguished Name (DN). – DNs are written in little‐endian order – Least significant component is written first. • E.g. cn=Barbara Jensen, o=Netscape, c=US
  • 25. P f NPurposes of a Namespace • Data Reference – There must be a way of unambiguously referencing directory entries. – Provides a compact and efficient way to support groups of directory  entries and directory entries that refer to one another. 
  • 26. Purposes of a Namespace (cont )Purposes of a Namespace (cont…) • Data Organisation: – For example, you might place all entries corresponding to  people in one portion of the namespace, entries  corresponding to devices in another etc… (further  partitioning is possible)partitioning is possible)
  • 27. Purposes of a Namespace (cont…)Purposes of a Namespace (cont…) • Data partitioning: – A namespace enables directory data to be partitioned, or divided among  l i lmultiple servers • Partitioning can be performed only at a branch point in the directory • Data replication: – Choice of namespace design can constrain the replication scenarios your  directory can support – Most replication solutions require partitioning on branch points in the  namespace • Access control: – Like replication, some products allow the setting of access control only  at namespace branch points   • Application support: – From a functional perspective, the namespace should support the  applications that the directory is servingapplications that the directory is serving
  • 28. Analysing Namespace NeedsAnalysing Namespace Needs • Choice of suffixes • Flat or hierarchical namespace • What attributes should you use to name entries • Application requirements • Administrative concerns P i• Privacy concerns • Future needsFuture needs
  • 29. Choosing a Suffix h di i h l l l i b f l• The directory service may have only a local scope or it may be part of a larger or  global directory system: – 3 methods are commonly used – RFC 2247, organisation’s DNS name or X.500  ticonvention – Directory’s suffix should name the top of your department’s tree otherwise A di t h ld lti l ffi• A directory server may hold multiple suffixes: – You may want to design a service with multiple suffixes if you have two or more trees of  information that do not have a natural common root • Suffix should name the top of department’s tree – e g ou=Engineering dc=airius dc=com• Suffix should name the top of department s tree – e.g. ou=Engineering, dc=airius, dc=com
  • 30. Fl t d Hi hi l S hFlat and Hierarchical Schemes • As a guiding design principle you should strive to• As a guiding design principle, you should strive to  mark a directory’s namespace as flat as possible: – The flatter the namespace is, the less likely names are to  change – Shorter names take up less space • E.g. increasing the average name by only 20 bytes (the g g g y y y ( approximate result of adding an extra component) represents  an increase of 2MB in a directory containing 100,000 entries!! – Shorter names are easier to remember!
  • 31. Hierarchical StructuresHierarchical Structures • Hierarchies can be used to partition data amongst servers, enable  replication, provide finer‐grained access control, and browsing  purposes – If a centralised directory is anticipated, there is no need to introduce  hierarchies to enable data distribution • Design hierarchy in a way that minimises problematic name changes • Name changes can be avoided if you are able to design your hierarchy  based on information that is not connected to directory information  th t i lik l t hthat is likely to change
  • 32. Naming AttributesNaming Attributes • Requirements imposed on naming attributes: – The RDN of the entry must be chosen from one or more of the entry’s  ibattributes – The RDN of the entry must be unique among all its siblings • Although these are the only restrictions, a policy which ensures  unique RDNs for people is preferable: – Has the benefit that, even if an entry has to be moved, no name clashes willHas the benefit that, even if an entry has to be moved, no name clashes will  occur • 2 approaches to ensuring unique names:2 approaches to ensuring unique names: – Using existing unique names: • Employee IDs • Unix login names• Unix login names – Constructing new  identifiers • Timestamping techniques • Appending numbers to names• Appending numbers to names • Multivalued RDNs (strongly discouraged)
  • 33. Other Considerations • Applications considerations – Typically, a directory is required to support one or more directory enabled applicationsTypically, a directory is required to support one or more directory enabled applications • Administrative considerations What is the impact of your namespace design on administrative tasks such as adding/deleting– What is the impact of your namespace design on administrative tasks, such as adding/deleting  entries, name changes or migration across directory server platforms • Privacy considerationsy – You should not divulge any information through the namespace that you do not intend to divulge! • Anticipate the future (situations that precipitate a namespaceAnticipate the future (situations that precipitate a namespace  redesign): – Choosing the wrong naming attribute – A directory starts out under central administrative control, but you later decide to delegate someA directory starts out under central administrative control, but you later decide to delegate some  portion of the data – If you choose a hierarchical namespace with a hierarchy based on a geographical, organisational or  any scheme that is bound to change
  • 34. Topology DesignTopology Design • Partitions • Gluing partitionsGluing partitions – Referrals Ch i i– Chaining • Name resolution • Authentication in a distributed directory Di i i i i LDAP• Directory partitioning in openLDAP
  • 35. What is Topology Design?What is Topology Design? • LDAP directory services are designed to support a distributed  directory • The directory’s topology describes:  – the way you divide your directory tree among physical servers andthe way you divide your directory tree among physical servers and – How you allocate those servers among your organisation’s physical  locations • Benefits: – Achieve optimal performance for directory enabled applicationsAchieve optimal performance for directory enabled applications – Increase directory availability – Better managed directory
  • 36. Directory Topology OverviewDirectory Topology Overview • When you divide a single directory into manageable chunks and  i h i i i h diassign them to separate servers, you are partitioning the directory: – The directory itself is responsible for hiding partitioning details from usersThe directory itself is responsible for hiding partitioning details from users – Each server is responsible for only a portion of a tree • DNS operates in the same mannerDNS operates in the same manner – In X.500 terminology, the unit of division is known as a naming context ,  partition or suffixpartition or suffix – A directory partition is a complete sub‐tree of the DIT – All entries in a partition must share a common ancestor known as the partition  root
  • 37. Directory Topology Overviewy p gy • It is also possible to exclude directories from a partition • Using these principles you can divide a single large directory  intro a number of smaller partitions
  • 38. Gluing the Directory TogetherGluing the Directory Together • We need some way to describe the relationships between  directory partitions: – LDAP and X.500 defines these relationships in terms of knowledge  references • There are 2 types of knowledge references: – Immediate superior knowledge references: Point upward in the DIT toward  h d i h i ithe root and ties the naming context to its ancestor – Subordinate references: Point downward in the DIT to other partitionsp
  • 39. Name ResolutionName Resolution • Name resolution is the process by which a directory maps a DN  id d b li t t t l bj t i th di tprovided by a client to an actual object in the directory • Name resolution is used in the following circumstances:• Name resolution is used in the following circumstances: – When locating the base object of an LDAP search or compare operation – When locating an entry to modify, delete, rename or bind as  – When locating the parent of an entry to be added to the directory A DN t d i thi f hi i ll d t d• A DN presented in this fashion is called a purported name: – The client claims that it exists and its up to the directory system to check  whether this is true
  • 40. Name Resolution (Example)( p ) 1. The client presents the purported name 2. Since server 1 does not hold a naming context that could contain the entry, the  immediate superior knowledge reference allows the name resolution process to p g p walk up the tree to server 2 3 Server 2 contains a subordinate reference for the naming context3. Server 2 contains a subordinate reference for the naming context  ou=engineering, dc=airius, dc=com, so the name resolution process goes to  server 3 4. Server 3 holds a subordinate reference for the naming context ou=PCB design,  ou=engineering, dc=airius, dc=com, so the process walks down again 5. Finally, server 4 is consulted to check whether the entry exists 
  • 41. Handling Distribution in the Client • LDAP referrals and search result continuation references are pieces of knowledge  reference information sent from an LDAP server to an LDAP client:reference information sent from an LDAP server to an LDAP client: – Indicates that other servers need to be contacted to fulfil request • LDAP referrals – When client performs add modify delete moddn compare orLDAP referrals  When client performs add, modify, delete, moddn, compare or  search operation with a base‐level scope and the server does not hold target entry,  an LDAP referral is returned • Search result continuation references – When search scope is not base‐level and  the server has knowledge of other subordinate directory partitions, search result  continuation references are returned • Similiar – Whereas referrals are contained in LDAP result messages, search result  continuation references are contained in search result messages • Normally, client libraries automatically handle processing of references • Follow the example in the additional notes.
  • 42. Structure of a LDAP ReferralStructure of a LDAP Referral • The information in a LDAP referral is in the format of a LDAP  Uniform Resource Locator (URL)  • A referral gives the following information:• A referral gives the following information: – The hostname of the server to contact – The port number of the server – The base DN (search operation) or target DN (add, delete, compare or  moddn operation) • Optional: if absent, the client should use the same base DN it used when  performing the operation that resulted in the referralperforming the operation that resulted in the referral • E.g. if a client searches the subtree dc=airius, dc=com for all  entries with a surname smith, the referral would be returned as  the following LDAP URL: ldap://server3.airius.com:389/ou=engineering, dc=airius, dc=com
  • 43. Handling Distribution in the Server ChainingHandling Distribution in the Server  ‐ Chaining • When chaining is used, the client starts by submitting  an operation to a server in the usual way: – If the server is unable to completely process the request  because it does not hold all the required data, it chases the  f l b t ti th b h lf f th li treferral by contacting other servers on behalf of the client – It returns the combined results to the client when the  other servers have completed the operationother servers have completed the operation
  • 44. Deciding Between Client or ServerDeciding Between Client or Server  Distribution Handling  • Chaining in general reduces client complexity, but at  the cost of increased server complexity:the cost of increased server complexity: – Opposite is true if client is required to handle references • You may not have a choice about which method you  use: – openLDAP only supports client‐side processing
  • 45. Authentication in a Distributed Directory • The server or servers that ultimately handle a client request must verify the  identity of the client so that they can enforce restrictions – This is true even if the server handling the request is not the server to which the  client originally authenticated • Authentication in a chained environment is accomplished as follows: 1. The directory client connects to server 1 and authenticates 2. If the client’s authentication credentials are successfully verified, server 1 returns a  success code to the client 3. The client submits a search operation to server 1 4. Server 1 determines that it does not hold the appropriate partition, so it chains the  operation to server 2
  • 46. Authentication in a Distributed DirectoryAuthentication in a Distributed Directory h i h l h li• There are 2 ways server 2 might learn the clients  identity: – Server 1 might tell server 2 who the client is and server 2  might choose to believe server 1 i h h li ’ id i d– Server 1 might pass on to server 2 the client’s identity and  authentication credentials: • Server 2 could then independently verify the credentials• Server 2 could then independently verify the credentials
  • 47. Security ImplicationsSecurity Implications • When using referrals, you should take precautions to ensure  that you have absolute control over the referrals contained inthat you have absolute control over the referrals contained in  your directory: – Additionally, you should allow referrals only to directories you trust • Important because some directory clients may choose to  automatically resubmit referred operations and authenticateautomatically resubmit referred operations and authenticate  to the referred‐to server using the same credentials used  when authenticating to the original server: – This means that if a rouge referral were placed in a directory, the  directory clients may be tricked into submitting their authentication  credentials – Similar principles apply for chaining – only trust remote servers under  your direct control
  • 48. When to Partition?When to Partition? • Factors favouring a directory with larger number of• Factors favouring a directory with larger number of  partitions:  – The number of entries is too great for a single partition orThe number of entries is too great for a single partition or  server – Your directory‐enabled applications tend only to read and  modify entries from the local workgroupmodify entries from the local workgroup – The amount of update traffic to a single partition is too  large – Partitioning allows data and update traffic to remain local  and avoid spanning WAN links – Directory use will expand significantly in the future– Directory use will expand significantly in the future,  beyond the point where a single partition is feasible
  • 49. ReplicationReplication • Replication design • Replication scopeReplication scope • Consistency and convergence • Replication strategies
  • 50. Replication Design • Replication increases the availability of your directory server:p y y y – Increased reliability ‐ Protects your service from equipment failures,  network partitioning etc… Improved read performance Reduces server network load thus– Improved read performance – Reduces server, network load, thus  reducing latency at clients and better load distribution – Improved write performance – Multi‐master replication • Security purposes: – By selectively replicating portions of a directory the replica could– By selectively replicating portions of a directory, the replica could  function as a public directory service
  • 51. Replication ConceptsReplication Concepts • Suppliers consumers and replication agreements• Suppliers, consumers and replication agreements • The unit of replication• The unit of replication • Consistency and convergenceConsistency and convergence • Incremental and total updatesp • Initial population of a replica • Replication strategies
  • 52. Suppliers, Consumers and Replication  AgreementsAgreements • The terms supplier and consumer refer to the source andThe terms supplier and consumer refer to the source and  destination of replication updates: – These roles are not mutually exclusivey • The configuration information that tells a supplier serverThe configuration information that tells a supplier server  about a consumer server (and vice versa) is termed a  replication agreement: p g • includes the unit of replication • the hostname and port of the remote server and h d li i f ti• scheduling information – In essence, the replication agreement defines WHAT is to be replicated, WHERE  it is to be sent and HOW it is to be done
  • 53. The Unit of Replication • Define subtree – specify DN at the top of a subtree and p y p replicate all entries subordinate to it • Filtered replication (unsupported by openldap): D fi l t t i i bt b d bj t l d fi iti– Define select entries in subtree – based on objectclass definitions: • X.500 defines this ability as the specification filter component of the unit  replicationp – Define select attribute types – based on attributetype definitions: • X.500 defines this as the attribute selection component of the unit of  replication
  • 54. Consistency and ConvergenceConsistency and Convergence • Consistency describes how closely the contents of replicated• Consistency describes how closely the contents of replicated  servers match each other at a given point in time: – A strongly consistent replica is one that provides the same information g y p p as its supplier at all times – A weakly consistent replica is permitted to diverge from its supplier for  some period of time:p • All practical directory systems use weakly consistent replicas W th t li d h d h• We say that a supplier and consumer have converged when  they contain the same data
  • 55. Initial Population of a ReplicaInitial Population of a Replica • The consumer (replica) contains no data when it is initially ( p ) y configured: – Or, in the event that a replica becomes damaged, it must be brought  back into synchronisationback into synchronisation • Directory vendors accomplish replica initialisation through y p p g similar techniques: – X.500 Directory Information Shadowing Protocol supports a total  update strategyupdate strategy – Most LDAP products, including openLDAP, use LDAP itself to initialise  the replica: di i f d l t ti t d i d t i d• sending a series of delete operations to remove undesired entries and a  series of add operations to populate the directory
  • 56. Replication StrategiesReplication Strategies • The term replication strategy refers to the way updates flow  from server to server and the way servers interact when  propagating updatespropagating updates • But after a client has successfully modified, deleted, added or  renamed an entry, how does the server make it visible to its  replicas? • There are 3 main approaches toward solving this problem: – Single‐master replication Fl i li i ( d b ld ) d– Floating‐master replication (unsupported by openldap) and – Multi‐master replication (unsupported by openldap)
  • 57. Single Master ReplicationSingle Master Replication • In single‐master replication, there is one and only one server that  contains a writable copy of a given directory entrycontains a writable copy of a given directory entry. – Replicas are all read‐only. • Advantage: since directory applications in general perform more read than write  operations. • Disadvantage: single point of failure as the read‐write server. • What if the client needs to write to the directory via the replica? – Referrals – Chaining
  • 58. Floating Master ReplicationFloating‐Master Replication • Like single‐master replication, floating‐master replication maintains only a single  read‐write server: – When the read‐write server becomes unavailable, a voting‐based algorithm is used to g g elect a read‐write master from the remaining replicas – Avoids single‐point of failure • Complications in synchronisation arise when 2 masters are rejoined: – Requires an update conflict resolution policy  • Last writer wins policy ‐ timestampsLast writer wins policy timestamps • Business rules – precedence between departments – Never used in directory products
  • 59. M lti t R li tiMulti‐master Replication • In multi‐master replication, there may be more than one  read‐write server available:read write server available: – Clients submit a write operation to any of the read‐write  replicas.p • Improves write performance – It becomes the responsibility of the set of cooperating servers to  ensure that changes are eventually propagated • Like floating master replication, this approach requires an  update conflict resolution policy
  • 60. SummarySummary • The term LDAP has come to mean 4 things: – A set of models; information, naming, functional and security, that guides ; , g, y, g you in your use of the directory – The protocol itself – A standardised API for application development– A standardised API for application development – LDIF standard for interchanging directory data • Advantages: – Simple, yet versatile Ubiquitous– Ubiquitous – Easy to understand – Simply works better • Reading U d t di d D l i LDAP S i– Understanding and Deploying LDAP Services: • Chapters 1 – 2,  8 –11, 21