BBS水木清华站∶精华区

发信人: precilla (晴朗的IWannaBe!), 信区: Unix
标  题: LDAP FAQ
发信站: BBS 水木清华站 (Sat May  6 10:10:11 2000)

From http://www.critical-angle.com/ldapworld/ldapfaq.html

LDAP FAQ
(More properly, it is an at-least-once asked questions)
This is the start of a "Frequently Asked Questions" listing for the Lightwei
ght Directory Access Protocol and its reference implementation, based on the
ldap@umich.edu mailing list.
This document expressly does not cover the following topics:
LDAPv3, as this is still in flux
implementations not derived from the University of Michigan code base
Disclaimer: this information is provided "AS-IS" with no guaranty of accurac
y, completeness or fitness. Any views expressed in this document are not nec
essarily those of any particular person or organization.
Last Modified June 27, 1997.
----------------------------------------------------------------------------
----
1. GENERAL QUESTIONS
1.1 What is LDAP?
1.2 Why do we need LDAP? Why don't we just use X.500?
1.3 What are some related protocols or alternatives to LDAP?
1.4 Where can I find out more about LDAP?
1.5 Where can I find out more about X.500?
1.6 Where are there publically-accessible LDAP servers for NameFLOW-Paradise
?
1.7 What can I store in an LDAP directory?
1.8 How should I structure my LDAP directory?
2. PROTOCOL QUESTIONS
2.1 What is the current version of LDAP (protocol)?
2.2 Can certificates and CRLs be carried in LDAP?
2.3 What character set is used in LDAP?
2.4 Can I remove multiple entries at once?
2.5 Can I search on components of the entry's name?
3. IMPLEMENTATION QUESTIONS
3.1 What are all the implementations of LDAP?
3.2 Is there an example of using the client API (RFC 1823)?
3.3 Does a whois-to-LDAP gateway exist?
3.4 Does a Ph-to-LDAP gateway exist?
3.5 Does a HTTP-to-LDAP gateway exist?
3.6 Does an LDAP-to-X.500 gateway exist?
3.7 Can I connect a stand-alone LDAP directory server into an X.500 director
y? Changed!
3.8 Why do some searches return neither results nor an error indication?
3.9 Is the common name attribute "CN" or "commonName"?
4. UMICH-SPECIFIC QUESTIONS
4.1 What is the current version of LDAP (Umich implementation)?
4.2 Where can I find out more about this code or report bugs?
4.3 Where can I FTP the Umich code?
4.4 Where are the "quipu" include files?
4.5 I have unresolved references such as "ufn_init" when using ISODE 8.
4.6 Problem with "errno" when compiling with DB 1.85 on Solaris.
4.7 slapd seg faults on AIX.
4.8 I am using NDBM and strange things are happening...
4.9 Why do I get a "decoding error" when trying a simple bind against someon
e elses server?
4.10 Does ldapd support aliases?
4.11 Does slapd support aliases?
4.12 Is there a [your database vendor] backend for slapd?
4.13 Does slapd run under Windows NT?
4.14 Does ldapd cache entries?
4.15 Why can't I remove an entry from slapd once I have removed all its chil
dren?
4.16 Strange file names in db directory (Added Aug 6, 1996)
----------------------------------------------------------------------------
----
1. GENERAL QUESTIONS
1.1 What is LDAP?
LDAP is a client-server protocol for accessing a directory service. It was i
nitially used as a front-end to X.500, but can also be used with stand-alone
and other kinds of directory servers.
1.2 Why do we need LDAP? Why don't we just use X.500?
LDAP does not require the upper layers OSI stack, it is a simpler protocol t
o implement (especially in clients), and LDAP is under IETF change control a
nd so can more easily evolve to meet Internet requirements.
1.3 What are some related protocols or alternatives to LDAP?
WHOIS++ is a simple text-based query protocol which can be used to construct
a distributed directory for white pages information. It is described in RFC
1835 and is discussed on the ietf-wnils@ucdavis.edu mailing list.
The Common Indexing Protocol (CIP) is a means of exchanging general index in
formation between attribute-value based directory services, such as WHOIS++
and LDAP. It was discussed in the IETF FIND Working Group.
1.4 Where can I find out more about LDAP?
Try the LDAP World pages at Innosoft International, Inc., or Jeff Hodges's L
DAP Road Map and FAQ , or at University of Michigan.
1.5 Where can I find out more about X.500?
One reference is Colin Robbin's Directory page at NEXOR.
1.6 Where are there publically-accessible LDAP servers for NameFLOW-Paradise
?
See DANTE's list of public directory interfaces.
1.7 What can I store in an LDAP directory?
The LDAP information model is based on the entry, which contains information
about some object (e.g., a person). Entries are composed of attributes, whi
ch have a type and one or move values. Each attribute has a syntax that dete
rmines what kind of values are allowed in the attribute and how those values
behave during directory operations. Examples of attribute syntaxes are for
IA5 (ASCII) strings, JPEG photographs, u-law encoded sounds, URLs and PGP ke
ys.
1.8 How should I structure my LDAP directory?
RFC 1617 discusses naming and structuring guidelines for X.500 Directory pil
ots, and much of this is applicable to LDAP as well.
----------------------------------------------------------------------------
----
2. PROTOCOL QUESTIONS
2.1 What is the current version of LDAP (protocol)?
Most existing clients and servers only implement version 2 of the LDAP proto
col, which was specified in RFC 1777, RFC 1778, and RFC 1779. These document
s were obsoleted by LDAP version 3. The document for LDAPv3 can be downloade
d from the LDAPv3 page.
Note that early LDAP releases (before 3.3) from the University of Michigan m
is-set tags in its BER encodings. See question 4.9 below.
2.2 Can certificates and CRLs be carried in LDAP?
Though there are syntaxes defined for certificates and revocation lists, the
re are two problems which prevent these from being used in LDAPv2.
The first is that the string representation of distinguished names used for
DNs inside a certificate does not give an indication of whether the name was
in the PrintableString or TeletexString character set. Because of this ambi
guity, it is not always possible for a client to correctly reconstruct the D
ER form of the certificate or revocation list in order to verify its signatu
re.
The second problem is that the syntaxes are based on the X.509(1988) definit
ions, whereas most new implementations today are following the post-1993 add
endums to X.509, which permit certificate and CRL extensions.
These issues have been considered in the design of LDAPv3: LDAPv3 permits cl
ients to retrieve the DER-encoded form of these attributes.
2.3 What character set is used in LDAP?
In LDAPv2, strings such as the values of the cn or description attributes ar
e in the T.61 character set, which is published as an ITU-T Recommendation.
In LDAPv3, strings are used in the UTF-8 encoding of the Unicode character s
et.
2.4 Can I remove multiple entries at once?
No, the Delete operation will only remove a single entry, and it does not re
move non-leaf entries which have subordinates.
2.5 Can I search on components of the entry's name?
Not in LDAPv2. However, this is permitted in LDAPv3
----------------------------------------------------------------------------
----
3. IMPLEMENTATION QUESTIONS
3.1 What are all the implementations of LDAP?
A list of clients, servers, gateways, libraries, backends, etc., is availabl
e at this site.
3.2 Is there an example of using the client API (RFC 1823)?
It's used in the finger code, the gopher code, and probably some other code
in the Umich ldap distribution. Take a look at finger/main.c, for example.
3.3 Does a whois-to-LDAP gateway exist?
Mark Prior wrote a whois++ to LDAP gateway a couple of years ago. It's inclu
ded in the ldap-3.2 release under contrib/whois++/. Mark admits that it is k
ind of out-of-date at this point, and may not even build as far as I know, b
ut you might start with that, at least. -- Tim
Sylvain Langlois comments: I'm working on a whois++ to LDAP gateway. It's ba
sed on the latest Uof Mich LDAP version. The major difference is that I'm us
ing CIP instead of proprietary indexing protocol of the release.
3.4 Does a Ph-to-LDAP gateway exist?
There may be one developed at Umea Universitet in Sweden. Also, from Eudora
at ftp://ftp.eudora.com/eudora/servers/unix/ph2ldap/ph2ldap_1.0B3.tar.
3.5 Does a HTTP-to-LDAP gateway exist?
Frank Richter has written a gateway called web500gw. For more information se
e http://www.tu-chemnitz.de/~fri/web500gw/.
3.6 Does an LDAP-to-X.500 gateway exist?
ldapd is included in the Umich release.
3.7 Can I connect a stand-alone LDAP directory server into an X.500 director
y?
Yes! See for example the X.500 Enabler.
3.8 Why do some searches return neither results nor an error indication?
Some filter component may be illegal (such as mistaking country name for com
mon name: country names are restricted to being exactly two characters long)
.
3.9 Is the common name attribute "CN" or "commonName"?
The shorter name should be used. This was being clarified in the spec for LD
APv3.
----------------------------------------------------------------------------
----
4. UMICH-SPECIFIC QUESTIONS
4.1 What is the current version of LDAP (Umich implementation)?
The most recent is release 3.3 of April 30,1996. The announcement is availab
le from University of Michigan.
There is a collection of patches which bring this up to SLAPD 3.3.1 availabl
e here.
4.2 Where can I find out more about this code or report bugs?
There is a discussion list relating to this implementation, ldap@umich.edu.
To join contact ldap-request@umich.edu.
4.3 Where can I FTP the Umich code?
The primary distribution point of U-M LDAP 3.3 is ftp://terminator.rs.itd.um
ich.edu/ldap/ldap-3.3.tar.Z.
See http://www.umich.edu/~rsug/ldap/ for a list of mirror sites.
4.4 Where are the "quipu" include files?
You need to get the ISODE package. The last public version of ISODE, ISODE 8
, can be obtained from a number of anonymous FTP sites, such as ftp://ftp.uu
.net/networking/osi/isode/, but is several years out of date, contains numer
ous bugs and is unsupported. The ISODE stack and applications are now mainta
ined by ISODE Inc, who may be contacted at ic-info@isode.com.
4.5 I have unresolved references such as "ufn_init" when using ISODE 8.
Try specifying the libraries in a different order when invoking the linker.
.
4.6 Problem with "errno" when compiling with DB 1.85 on Solaris.
There is a patch in LDAP 3.3 build/db.1.85.patch which needs to be applied t
o DB 1.85.
4.7 slapd seg faults on AIX.
With some AIX compilers char defaults to unsigned char which can cause serio
us problems with the AVL tree routines. This can be worked around by changin
g line 24 of include/avl.h to read signed char avl_bf.
4.8 I am using NDBM and strange things are happening...
For example, when adding entries with either ldif2ldbm or ldapadd, I get the
error "idl_insert_key: No space left on device".
NDBM is severely limiting on Solaris and most other platforms and should not
be used in servers. Alternatives include the Berkeley database package and
GDBM.
Version 1.85 of the Berkeley hash and btree package can be obtained from ftp
∶//ftp.cs.berkeley.edu/ucb/4bsd/db.1.85.tar.Z. The hash implementation in 1.
85 limits a single level or index to approximately 8000 entries. This restri
ction will be removed in db 2.0, which is currently in alpha test.
GDBM can be obtained from the Free Software Foundation at prep.ai.mit.edu or
other FSF mirror sites.
See section 4 of the SLAPD and SLURPD Administrator's Guide for information
on how to build with GDBM or Berkeley DB.
Note: if you change database definitions in the top level Make-common file,
be certain to do a "make veryclean" at the top level of the distribution bef
ore rebuilding. If you don't, it is likely that you'll end up with some half
-ndbm build which won't work.
4.9 Why do I get a "decoding error" when trying a simple bind against someon
e elses server?
The server is based on an early Umich release which miscalculated tags.
4.10 Does ldapd support aliases?
Yes, so long as the X.500 Directory implementation supports them (which most
do).
4.11 Does slapd support aliases?
No.
4.12 Is there a [your database vendor] backend for slapd?
There have not yet been any public releases of additional backends for slapd
, though there are several people working on them.
4.13 Does slapd run under Windows NT?
The publically available Umich 3.3 servers don't support the Win32 API. SLAP
D has been ported by NorTel and is available from here.
4.14 Does ldapd cache entries?
The University of Michigan release of ldapd does not. ISODE Consortium added
caching support in its IC R3.
4.15 Why can't I remove an entry from slapd once I have removed all its chil
dren?
There is a known problem with slapd not updating one of its indexes properly
on the delete (the one that says whether an entry has children or not). The
problem will go away if you regenerate your indexes from an ldif file.
4.16 Strange file names in db directory
Q: I originally build the distrubtion with ndbm, then switched to Berkeley D
B (or GDBM). Now, the filenames in the db directory end with ".ndbm.dbb" (or
".ndbm.gdbm" or some other strange combination of suffixes). Slapd can't fi
nd any entries I've added.
A: Go to the top of the ldap source tree and edit "Make-common". Be sure tha
t there is only one LDBMBACKEND definition. Then, do a "make veryclean" foll
owed by a "make install".
4.17 Who is Babs Jensen?
See the Martha Smith entry.
----------------------------------------------------------------------------
----
LDAP World
Comments on this document may be sent to Mark Wahl.
Last Modified November 19, 1998.
This document is a collection of publically-available information.

--
  贪玩吧? 管它呢!



※ 来源:·BBS 水木清华站 smth.org·[FROM: 210.35.240.125]