At each node there is a type (c, cn, url, and so on) and a name (or value) for that type. The definitions of these types and the lists of types permitted at a particular level depend on a schema which is controlled by whoever controls the server that serves the given level of the hierarchy. In other words, as with DNS, if you want to be part of the public, global namespace, you have to play by the rules of the ancestor nodes. You can do what you want with your point of control and below, but you must obey the naming schema of all of your ancestors.[5]
This explains why so few organizations actually use LDAP globally (i.e., integrating directly with all other public LDAP servers in the world). Instead, they tend to use LDAP by setting up schema and servers that are completely internal and private so that they do not have to use the many required parent nodes it would take to hook up to the global LDAP namespace.[6]
LDAP can (and does) fill topics of its own. The type/name pairs are bulky to type and hard to remember, but they allow you to easily map in entire other naming systems, by simply assigning a type to a naming system and allowing that system's names to be values at that level. Remember that these names are hierarchical, so everything under cn (normally used for "common name") applies to (in this case) Michael Schwarz. If I defined the schema for my space, I could put anything I wanted under that name.
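The type/value structure and the "obey your ancestors' schema" rule above can be made concrete with a small distinguished-name parser. The following is an added example and is not code from the book: it splits a DN such as cn=Michael Schwarz,ou=People,dc=example,dc=com into its type/value pairs (honouring backslash escapes), tests whether one name lies beneath another, and checks each level against a constructed toy schema (TOY_SCHEMA, an assumption for illustration, not a real directory schema) that says which naming attribute types each point of control permits directly beneath it.

```python
from __future__ import annotations

# Added example, not from the book. Parses LDAP distinguished names into the
# type/value pairs the text describes and checks them against a toy schema.


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into [(type, value), ...], leaf first, as it is written.

    Handles backslash escapes (RFC 4514), so 'cn=Schwarz\\, Michael' keeps its
    comma. Multi-valued RDNs joined with '+' are not handled here.
    """
    if not dn.strip():
        return []  # the empty DN names the root of the tree
    rdns: list[tuple[str, str]] = []
    buf: list[str] = []
    attr_type: str | None = None
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr_type is None:     # the first '=' ends the type
            attr_type = "".join(buf).strip().lower()
            buf = []
        elif ch == ",":                         # an unescaped ',' ends the RDN
            if attr_type is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((attr_type, "".join(buf).strip()))
            attr_type, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr_type is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    rdns.append((attr_type, "".join(buf).strip()))
    return rdns


def _key(rdns: list[tuple[str, str]]) -> str:
    """Normalised string form used to look up a point of control in the schema."""
    return ",".join(f"{t}={v}" for t, v in rdns).lower()


def is_under(child: str, ancestor: str) -> bool:
    """True when `child` is `ancestor` or lies beneath it: the ancestor's RDNs
    must be the tail of the child's. Values are compared case-insensitively,
    a simplification of real LDAP matching rules."""
    c = [(t, v.lower()) for t, v in parse_dn(child)]
    a = [(t, v.lower()) for t, v in parse_dn(ancestor)]
    return len(c) >= len(a) and c[len(c) - len(a):] == a


# Constructed toy schema (an assumption for this example): for each point of
# control, the attribute types its server allows as the naming attribute of
# entries directly beneath it. "" is the global root.
TOY_SCHEMA: dict[str, set[str]] = {
    "": {"dc"},
    "dc=example,dc=com": {"ou", "cn"},
    "ou=people,dc=example,dc=com": {"cn", "uid"},
}


def governing_rules(parent: list[tuple[str, str]],
                    schema: dict[str, set[str]]) -> tuple[str, set[str]]:
    """Find the nearest ancestor (the parent itself first, then upward) that
    publishes naming rules; the root entry always does."""
    for k in range(len(parent) + 1):
        key = _key(parent[k:])
        if key in schema:
            return key, schema[key]
    raise KeyError("schema has no root entry")


def schema_violations(dn: str, schema: dict[str, set[str]] = TOY_SCHEMA) -> list[str]:
    """Walk the DN from the root down and report every RDN whose type is not
    permitted by the schema of the nearest controlling ancestor."""
    rdns = parse_dn(dn)
    found: list[str] = []
    for depth in range(len(rdns) - 1, -1, -1):   # root-most RDN first
        attr_type, value = rdns[depth]
        key, allowed = governing_rules(rdns[depth + 1:], schema)
        if attr_type not in allowed:
            found.append(
                f"{attr_type}={value}: '{attr_type}' not permitted beneath "
                f"{key or '<root>'} (allowed: {', '.join(sorted(allowed))})"
            )
    return found


if __name__ == "__main__":
    me = "cn=Michael Schwarz,ou=People,dc=example,dc=com"
    print(parse_dn(me))
    print(is_under(me, "dc=example,dc=com"))
    print(schema_violations("ou=Groups,ou=People,dc=example,dc=com"))
```

Running it shows the point of the text: ou=Groups,ou=People,dc=example,dc=com is rejected, not because ou is a bad type in general, but because the server controlling ou=People has decided that only cn and uid may be named beneath it, and everything below that point must obey.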
A common use of LDAP is for centralizing authentication and authorization data for users. Users authenticate to LDAP and all systems in an organization can validate a single credential to authenticate the user—the holy grail of single sign-in. Alas, doing this right is nontrivial because LDAP doesn't specify any mandatory authentication and encryption scheme. (Thus it is often the hacker's holy grail of single sniff-in and 0wn3d systems.)
5. We want to be clear: You only have to do this if you wish to give those ancestors and outside users access to your directories. You are free to create entirely private directory structures that need not conform to anyone else's schema. It all depends on the purpose and audience of your directory.

6. Another reason is that LDAP itself has no cryptographically secure authentication or transport mechanisms. That means that hooking up all your directory data to the global Internet gives hackers a one-stop opportunity to steal your data. Not good. Of course, as with other protocols, there are several add-on security mechanisms for LDAP.
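Because LDAP itself mandates neither authentication nor transport protection (the point made in the single sign-in paragraph and in footnote 6), the client has to enforce both before it treats a successful bind as a login. The following is an added example, not code from the book: a policy check over bind settings that flags a simple bind on an unprotected ldap:// connection (password in cleartext) and a simple bind with an empty password (which RFC 4513 defines as an unauthenticated bind that servers may answer with success, a classic login-bypass bug). The URLs, mechanism names and the SAMPLE_CONFIGS table are constructed for illustration; the list of cleartext versus non-cleartext SASL mechanisms is an assumption of this example.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Added example, not from the book. A client-side policy check for LDAP bind
# settings; the sample configurations at the bottom are constructed.

# SASL mechanisms that do not send the password itself over the wire
# (DIGEST-MD5 is obsolete, but it still does not transmit the raw password).
NON_CLEARTEXT_SASL = {"gssapi", "external", "digest-md5", "scram-sha-1", "scram-sha-256"}
# SASL mechanisms that carry the password in clear form inside the bind.
CLEARTEXT_SASL = {"plain", "login"}


def transport_is_protected(url: str, starttls: bool) -> bool:
    """ldaps:// is TLS from the first byte; ldap:// is protected only once
    StartTLS has been negotiated; ldapi:// is a local Unix socket that never
    crosses the network."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in ("ldaps", "ldapi"):
        return True
    if scheme == "ldap":
        return starttls
    raise ValueError(f"not an LDAP URL: {url!r}")


def bind_policy_violations(url: str, mechanism: str, password: str | None,
                           starttls: bool = False) -> list[str]:
    """Return the reasons this bind configuration must be rejected
    (an empty list means it is acceptable)."""
    problems: list[str] = []
    protected = transport_is_protected(url, starttls)
    mech = mechanism.lower()
    if mech == "simple":
        # RFC 4513 5.1.2: a simple bind with a name but an empty password is an
        # unauthenticated bind. A server may answer it with success without
        # checking anything, so "bind succeeded" must never be read as
        # "password correct" unless the password is known to be non-empty.
        if not password:
            problems.append("simple bind with empty password is an unauthenticated bind, not a login")
        if not protected:
            problems.append("simple bind over unprotected ldap:// sends the password in cleartext")
    elif mech == "anonymous":
        problems.append("anonymous bind cannot authenticate a user")
    elif mech in CLEARTEXT_SASL:
        if not protected:
            problems.append(f"SASL {mechanism} over unprotected ldap:// sends the password in cleartext")
    elif mech not in NON_CLEARTEXT_SASL:
        problems.append(f"unknown bind mechanism {mechanism!r}")
    # Note: this only judges whether the credential is exposed; confidentiality
    # of the directory data itself is a separate question of TLS or SASL layers.
    return problems


# Constructed sample configurations, of the kind an application reads from a
# config file. "bypass" models a user who submitted an empty password.
SAMPLE_CONFIGS = {
    "weak":     dict(url="ldap://ldap.example.com:389", mechanism="simple", password="s3cret"),
    "bypass":   dict(url="ldaps://ldap.example.com:636", mechanism="simple", password=""),
    "fixed":    dict(url="ldap://ldap.example.com:389", mechanism="simple", password="s3cret", starttls=True),
    "kerberos": dict(url="ldap://ldap.example.com:389", mechanism="GSSAPI", password=None),
}


def audit(configs: dict[str, dict] = SAMPLE_CONFIGS) -> dict[str, list[str]]:
    """Evaluate every configuration and map its name to its list of problems."""
    return {name: bind_policy_violations(**cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "->", problems or "ok")
```

The "fixed" entry shows the minimal repair for the "weak" one: same server, same simple bind, but StartTLS negotiated before the credentials are sent. The "bypass" entry is worth keeping in any test suite for an LDAP login path, since it passes every transport check and still authenticates nobody.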