Introduction to the LDAP Naming Service (Overview/Reference)
The LDAP chapters describe how to set up a Solaris naming client to work with the iPlanet Directory Server 5.1. A brief discussion of generic directory server requirements is in Chapter 18, General Reference.
Note - Though a directory server is not necessarily an LDAP server, in the context of these chapters, the term, "directory server", is considered synonymous with "LDAP server".
Audience Assumptions
The LDAP Naming Service chapters are written for system administrators who already have a working knowledge of LDAP. The following is a partial list of concepts with which you must be very familiar prior to deploying a Solaris-based LDAP naming service using this guide.
LDAP Information Model (entries, objectclasses, attributes, type, values)
LDAP Naming Model (Directory Information Tree (DIT) structure)
LDAP Functional Model (search parameters: base object (DN), scope, size limit, time limit, filters (Browsing Indexes for the iPlanet Directory Server), attribute list)
LDAP Security Model (authentication methods, access control models)
Overall planning and design of an LDAP directory service, including how to plan the data, design the DIT, design the topology, design the replication, and how to design the security.
Suggested Background Reading
If you need to learn more about any of the aforementioned concepts or would like to study LDAP and the deployment of directory services in general, the following are useful titles.
Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D and Mark C. Smith
In addition to providing a thorough treatment of LDAP directory services, this book includes useful case studies on deploying LDAP at a large university, a large multinational enterprise, and an enterprise with an extranet.
iPlanet Directory Server 5.1 Deployment Guide, which is included in the documentation CD.
This guide provides a foundation for planning your directory, including directory design (schema design, the directory tree, topology, replication, and security). The last chapter provides sample deployment scenarios to help you plan simple deployments as well as complex deployments designed to support millions of users distributed worldwide.
iPlanet Directory Server 5.1 Administrator's Guide, which is included in the documentation CD.
Additional Prerequisites
If you are transitioning from NIS+ to LDAP, refer to the appendix "Transitioning from NIS+ to LDAP" in System Administration Guide: Naming and Directory Services (FNS and NIS+) and complete the transition before proceeding with these chapters.
If you need to install the iPlanet Directory Server 5.1, refer to the iPlanet Directory Server 5.1 Installation Guide.
LDAP Naming Service Versus Other Naming Services
Below is a quick comparison between the FNS, DNS, NIS, NIS+ and LDAP naming services.
| | DNS | NIS | NIS+ | FNS | LDAP |
|---|---|---|---|---|---|
| Namespace | Hierarchical | Flat | Hierarchical | Hierarchical | Hierarchical |
| Data storage | Files / resource records | 2-column maps | Multi-column tables | Maps | Directories (varied); indexed database |
| Servers | Master/slave | Master/slave | Root master / non-root master; primary / secondary; cache / stub | N/A | Master/replica; multi-master replica |
| Security | None | None (root or nothing) | DES authentication | None (root or nothing) | SSL, varied |
| Transport | TCP/IP | RPC | RPC | RPC | TCP/IP |
| Scale | Global | LAN | LAN | Global (with DNS) / LAN | Global |
Using Fully Qualified Domain Names
One significant difference between an LDAP client and a NIS or NIS+ client is that an LDAP client always returns a Fully Qualified Domain Name (FQDN) for a host name, similar to what DNS returns. For example, if your domain name is
west.example.net
both gethostbyname() and getipnodebyname() return the FQDN form when looking up the host name server:
server.west.example.net
Also, if you use interface-specific aliases such as server-#, a long list of fully qualified host names is returned. If you use host names to share file systems, or perform other checks based on host names, you need to account for this. This is especially true if you assume non-FQDN names for local hosts and FQDN names only for remote, DNS-resolved hosts. If you set up LDAP with a domain name that differs from the DNS domain name, you might be surprised to find that the same host has two different FQDNs, depending on the lookup source.
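As an added example (not from this guide), the following shows a host-name check that assumes unqualified local names failing once an LDAP client returns the FQDN, beside a check that accounts for it and a helper that flags a DNS/LDAP domain mismatch. The domain is the page's example; the lookup result is constructed rather than taken from a live server.

```python
# Added example, not from the Solaris guide. The domain is the page's
# example; the lookup result below is constructed, not a real server's.
LDAP_DOMAIN = "west.example.net"

# Constructed stand-in for a gethostbyname()-style result from an LDAP client:
# (canonical name, interface-specific aliases like server-#, addresses).
CONSTRUCTED_LDAP_LOOKUP = (
    "server.west.example.net",
    ["server-0.west.example.net", "server-1.west.example.net"],
    ["192.0.2.10", "192.0.2.11"],
)


def returned_names(lookup):
    """Every name a caller may see: canonical name plus all aliases."""
    canonical, aliases, _addrs = lookup
    return [canonical] + list(aliases)


def naive_match(returned_name, allowed):
    """The check that assumes local hosts are unqualified; fails under LDAP."""
    return returned_name in allowed


def host_matches(returned_name, allowed):
    """Match a looked-up name against a list mixing short names and FQDNs.

    A short entry matches only the same short host inside LDAP_DOMAIN (or a
    truly unqualified name, as NIS returns); an FQDN entry must match exactly.
    """
    returned = returned_name.lower().rstrip(".")
    short = returned.split(".", 1)[0]
    for entry in (e.lower().rstrip(".") for e in allowed):
        if "." in entry:
            if returned == entry:
                return True
        elif returned == entry or (short == entry and
                                   returned.endswith("." + LDAP_DOMAIN)):
            return True
    return False


def fqdn_conflict(dns_fqdn, ldap_fqdn):
    """True when DNS and LDAP give the same host two different FQDNs."""
    return dns_fqdn.lower().rstrip(".") != ldap_fqdn.lower().rstrip(".")


if __name__ == "__main__":
    for name in returned_names(CONSTRUCTED_LDAP_LOOKUP):
        print(name, naive_match(name, ["server"]), host_matches(name, ["server"]))
```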
Advantages of LDAP Naming Service
LDAP lets you consolidate information by replacing application-specific databases, which reduces the number of distinct databases to be managed
LDAP allows for more frequent data synchronization between masters and replicas
LDAP is multi-platform and multi-vendor compatible
Disadvantages of LDAP Naming Service
The following are some disadvantages to using LDAP instead of other naming services.
There is no support for pre-Solaris 8 clients
An LDAP server cannot be its own client
Setting up and managing an LDAP naming service is more complex and requires careful planning
Note - A directory server (an LDAP server) cannot be its own client. In other words, you cannot configure the machine that is running the directory server software to become an LDAP naming service client.
New LDAP Naming Service Features for Solaris 9
Simplified configuration of LDAP directory server setup using idsconfig
A more robust security model that supports strong authentication and TLS-encrypted sessions; a client's proxy credentials are no longer stored in the client's profile on the directory server
The ldapaddent command lets you populate the server with data and dump data from it
Service Search Descriptors and Attribute Mapping
New profile schema