CONTENTS

CHAPTER 5  INTRODUCTION TO LDAP

5.1 Introduction to LDAP
5.1.1 Basic concepts
5.1.2 How LDAP works
5.1.3 Operations of the LDAP protocol
5.1.4 Extended operations
5.1.5 LDAP client/server connection model
5.2 The LDAP models
5.2.1 The LDAP Information Model
5.2.1.1 LDAP Data Interchange Format (LDIF)
5.2.1.2 Maintaining directory systems
5.2.2 The LDAP Naming Model
5.2.2.1 Distinguished names and relative distinguished names
5.2.2.2 Aliases
5.2.3 The LDAP Functional Model
5.2.3.1 Interrogation operations (LDAP Interrogation)
5.2.3.2 Update operations
5.2.3.3 Authentication and control operations (LDAP authentication and control operations)
5.2.4 The LDAP Security Model
5.3 Using LDAP
5.3.1 Authentication applications using LDAP
5.3.2 Some services that use the LDAP protocol

Ch.5 Introduction to LDAP

Chapter 5
Introduction to LDAP

5.1 Introduction to LDAP

5.1.1 Basic concepts

Directory
A directory is defined as a place used to store information and to allow operations that retrieve that information.

Directory access protocol (LDAP)

LDAP (Lightweight Directory Access Protocol) is an extensible standard for a directory access protocol, or, put differently, the language that LDAP clients and servers use to talk to each other.
LDAP is a lightweight protocol, meaning that it is efficient, simple and easy to implement, while still offering high-level functions. This contrasts with heavyweight protocols such as the X.500 Directory Access Protocol (DAP), which uses overly complex encoding methods. LDAP uses a simple set of methods and is an application-layer protocol.
LDAP evolved as follows: LDAP v2 is defined in RFC 1777 and RFC 1778; LDAP v3 is part of the Internet standards and is defined in RFC 2251 through RFC 2256. Because these are so new, not every vendor supports LDAP v3 completely.
Besides its role as a network protocol, LDAP also defines four models, which allow flexibility in how directories are laid out:

- The LDAP Information model defines the kinds of data you can put into the directory.
- The LDAP Naming model defines how you arrange and refer to that data.
- The LDAP Functional model defines how you access and update the information in your directory.
- The LDAP Security model defines how the information in your directory is protected from unauthorized access.

Besides these models, LDAP also defines the LDAP Data Interchange Format (LDIF), a text format used to describe directory information. LDIF can also describe a set of directory entries, or a set of updates to be applied to the directory.


5.1.2 How LDAP works

This section describes the LDAP protocol in detail. We begin by looking at LDAP as a client/server communication protocol.

A client/server protocol

This is a protocol model in which a client program running on one computer sends a request over the network to another computer running a server program; the server receives the request, carries it out and returns the result to the client program. Other examples of client/server protocols are the Hypertext Transfer Protocol (HTTP), which is widely used to serve web pages, and the Internet Message Access Protocol (IMAP), a protocol used to access electronic mail messages.
The basic idea of a client/server protocol is that work is assigned to computers optimized for that work. A typical LDAP server machine, for example, has a lot of RAM for holding directory contents so that operations run quickly, and it also needs fast hard disks and processors.

LDAP is a message-oriented protocol

The client and the server communicate through messages. The client builds a message (an LDAP message) containing a request and sends it to the server. The server receives the message, processes the client's request, and then replies to the client, again with an LDAP message.
For example, when an LDAP client wants to search the directory, it builds an LDAP search request and sends the message to the server. The server searches its database and sends the results to the client in an LDAP message.

Figure 5-1: a basic search operation
  1. The client sends a search operation to the LDAP server
  2. The server returns the matching entry to the client
  3. The server returns the result code


If the client searches the directory and several results are found, these results are sent to the client in several messages.


Figure 5-2: messages the client sends to the server
  1. search operation, msgid = 1     (client -> server)
  2. search operation, msgid = 2     (client -> server)
  3. return entry, msgid = 1         (server -> client)
  4. return entry, msgid = 2         (server -> client)
  5. return code, msgid = 2          (server -> client)
  6. return code, msgid = 1          (server -> client)


Because LDAP is a message-based protocol, the client may issue several requests at the same time. In LDAP, the message ID is used to match the client's requests with the results the server returns.
Figure 5-3: a search returning many results
  1. The client performs a search operation
  2. Entry 1 is returned to the client
  3. Entry 2 is returned to the client
  ...
  N. Entry N-1 is returned to the client
  N+1. The result code is returned
Allowing several messages to be processed at once makes LDAP more flexible than protocols such as HTTP, where each request from the client must be answered before the next one is sent: an HTTP client program such as a web browser that wants to download several files at once has to open a separate connection for each file. LDAP works quite differently, managing all operations over a single connection.
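The message flow of Figures 5-2 and 5-3, as an added example that is not part of the original chapter: a small Python model in which a client issues two searches on one connection, a simulated server answers them with interleaved SearchResultEntry and SearchResultDone messages, and the client uses the message ID to route each reply back to the request it belongs to. The directory contents, the surname-only matching and the reply ordering are constructed for the example.

```python
# Added example (not from the chapter): a toy model of the exchange in
# Figures 5-2 and 5-3. Two searches are outstanding on one connection, the
# server interleaves its replies, and the client routes every reply back to
# the right request using the message ID.
from collections import defaultdict

# Constructed sample directory for this example: DN -> attributes
DIRECTORY = {
    "uid=bjensen,ou=People,dc=airius,dc=com": {"sn": "Jensen", "cn": "Barbara Jensen"},
    "uid=tjones,ou=People,dc=airius,dc=com": {"sn": "Jones", "cn": "Tom Jones"},
    "cn=LaserPrinter,ou=Devices,dc=airius,dc=com": {"cn": "LaserPrinter", "resolution": "600"},
}

SUCCESS = 0  # LDAP result code "success"


def server_handle(requests):
    """Take a list of (msgid, surname) search requests and return the reply
    messages in the interleaved order of Figure 5-2: one SearchResultEntry
    per hit, then one SearchResultDone (with the result code) per search."""
    queues = [[(msgid, "SearchResultEntry", dn)
               for dn, attrs in DIRECTORY.items() if attrs.get("sn") == sn]
              for msgid, sn in requests]
    replies = []
    while any(queues):                      # round-robin the hits of all searches
        for queue in queues:
            if queue:
                replies.append(queue.pop(0))
    for msgid, _ in reversed(requests):     # the later search finishes first here
        replies.append((msgid, "SearchResultDone", SUCCESS))
    return replies


class Client:
    """Tracks outstanding requests by message ID and demultiplexes replies."""

    def __init__(self):
        self.next_id = 1
        self.pending = {}                   # msgid -> request (here: the surname)
        self.entries = defaultdict(list)    # msgid -> DNs received so far
        self.result = {}                    # msgid -> result code of the finished search

    def search(self, sn):
        msgid = self.next_id
        self.next_id += 1
        self.pending[msgid] = sn
        return msgid

    def receive(self, msgid, kind, payload):
        if msgid not in self.pending:
            raise ValueError("reply for unknown message ID %d" % msgid)
        if kind == "SearchResultEntry":
            self.entries[msgid].append(payload)
        else:                               # SearchResultDone ends the search
            self.result[msgid] = payload
            del self.pending[msgid]


def run_exchange():
    """Issue two searches at once and return {msgid: (dns, result_code)}."""
    client = Client()
    ids = [client.search("Jensen"), client.search("Jones")]
    for reply in server_handle([(i, client.pending[i]) for i in ids]):
        client.receive(*reply)
    return {i: (client.entries[i], client.result[i]) for i in ids}


def reply_order():
    """The (msgid, message kind) sequence the server produced, for inspection."""
    return [(m, kind) for m, kind, _ in server_handle([(1, "Jensen"), (2, "Jones")])]


if __name__ == "__main__":
    for msgid, (dns, code) in run_exchange().items():
        print("msgid", msgid, "->", dns, "result", code)
```

A reply carrying a message ID the client never issued is rejected, which is the check a real client library performs before trusting a server message.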
5.1.3 Operations of the LDAP protocol
LDAP has 9 basic operations, divided into 3 main groups:

- Interrogation operations: search and compare. These two operations let us query the directory.
- Update operations: add, delete, modify and modify DN (rename). These operations let us update the information in the directory.
- Authentication and control operations: bind, unbind and abandon. The bind operation lets the client identify itself to the directory; it supplies the identification and credentials used for authentication. Unbind lets the client end its current session. Finally, abandon lets the client indicate operations whose results it is no longer interested in.

5.1.4 Extended operations

Besides the 9 basic operations, LDAP version 3 is designed to be extended through 3 mechanisms:

- LDAP extended operations. This is a way of adding new protocol operations. If a new operation is needed in the future, it can be defined and standardized without rebuilding the core components of LDAP. One example of an extended operation is StartTLS, which tells the server that the client wants to use Transport Layer Security (TLS) to encrypt the connection and, optionally, to authenticate it.
- LDAP controls. These are pieces of information attached to LDAP operations that change the behaviour of the operation on the same object.
- Simple Authentication and Security Layer (SASL). SASL is a framework that supports many authentication methods. By using SASL for authentication, LDAP can easily adopt new authentication methods. SASL also provides a framework in which client and server can negotiate security at the lower layers (leading to stronger protection). Moreover, these SASL mechanisms are compatible with the other Internet protocols.

5.1.5 LDAP client/server connection model

The following is the sequence of exchanges between an LDAP client and server:

Figure 5-4: the client/server connection model
  1. Open connection and bind             (client -> server)
  2. Result of the bind operation         (server -> client)
  3. Search operation                     (client -> server)
  4. Return entry #1                      (server -> client)
  5. Return entry #2                      (server -> client)
  6. Result code of the search operation  (server -> client)
  7. Unbind operation                     (client -> server)
  8. Close connection                     (server)


The LDAP client and server go through these steps:
1. The client opens a TCP connection to the LDAP server and performs a bind operation. The bind includes the name of a directory entry and the credentials that will be used for authentication; the credentials are usually a password, but they can also be a digital certificate used to authenticate the client.
2. Once the directory has verified the bind, the result of the bind operation is returned to the client.
3. The client issues a search request.
4. The server processes the request and returns the results to the client, one entry per message.
5. The server sends the message that ends the search.
6. The client issues an unbind request, which tells the server that the client wants to close the connection.
7. The server closes the connection.


5.2 The LDAP models

LDAP defines 4 models: LDAP Information, LDAP Naming, LDAP Functional and LDAP Security. We now discuss each model in detail, starting with the LDAP Information model.
5.2.1 The LDAP Information Model
The LDAP Information model defines the kinds of data and the basic units of information that you can store in the directory. In other words, the LDAP Information model describes how to build the blocks of data from which we can create a directory.
The basic unit of information in a directory is called an entry; it is a collection of information about an object. Usually the information in an entry describes a real object, such as a person, but the model does not require this. Consider the directory below as an example.
Figure 5-5: a directory tree whose entries are the basic units of information
  dc=airius,dc=com                    (the organization itself)
    ou=People                         (organizational units / departments)
      uid=bjensen                     (a person)
    ou=Servers
      cn=Engineering web server       (a server application)
    ou=Engineering
    ou=Sales


An entry is a collection of attributes, each describing one characteristic trait of the object. Every attribute has a type and one or more values: the type describes the kind of information held, and the values are the actual data. For example, an entry describing a person might have the attributes surname, given name, telephone number and email address.

Figure 5-6: an entry with its basic attributes
  Attribute type      Attribute values
  cn:                 Barbara Jensen
                      Babs Jensen
  sn:                 Jensen
  telephoneNumber:    +1 408 555 1212
  mail:               babs@airius.com


5.2.1.1 LDAP Data Interchange Format (LDIF)
LDAP defines LDIF, a text format for describing directory information. LDIF can describe a set of directory entries or a set of updates to the directory, so directories can exchange their data with one another using LDIF.
LDIF is the standard format for importing and exporting directory information as text, and LDIF files are plain ASCII, which makes them easy to send through email systems.
A directory entry in LDIF form:
dn: uid=bjensen, dc=airius, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
mail: bjensen@airius.com
telephoneNumber: +1 408 555 1212
description: A big sailing fan.
An LDIF entry consists of several lines. The first is the distinguished name (dn), the name of the directory entry, written entirely on one line; then come the entry's attributes, one per line, in the form
    attribute type: attribute value
The order of the attributes does not matter; for readability, however, the objectClass values should come first and the values of attributes of the same type should be kept together.
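As an added example (not code from the chapter), the following Python reads and writes the LDIF entry format just described. Besides the chapter's one-line "dn:" and "type: value" lines it also handles "type:: value" for base64-encoded values and continuation lines (a line starting with a single space continues the previous one), as RFC 2849 defines; the second sample record is constructed for the example.

```python
# Added example (not from the chapter): a small parser and writer for the
# LDIF entry format described above, using only the standard library.
# It handles the "dn:" line, one "type: value" per line, multi-valued
# attributes, "type:: base64" values and continuation lines (a line that
# starts with a single space continues the previous line), as RFC 2849 defines.
import base64

# Constructed sample: the chapter's entry plus a second, made-up device entry.
SAMPLE_LDIF = """\
dn: uid=bjensen, dc=airius, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
mail: bjensen@airius.com
telephoneNumber: +1 408 555 1212
description: A big sailing fan.

# second entry, constructed for this example
dn: cn=LaserPrinter,ou=Devices,dc=airius,dc=com
objectClass: device
cn: LaserPrinter
description:: aW4gcm9vbSA5MzE=
resolution: 60
 0
"""


def _unfold(text):
    """Join continuation lines (leading single space) onto the previous line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Return a list of {"dn": str, "attrs": {type: [values]}} records."""
    entries, current = [], None
    for line in _unfold(text) + [""]:          # sentinel closes the last record
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if rest.startswith(":"):                # "type:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                                   # "type: value" (one space after the colon)
            value = rest[1:] if rest.startswith(" ") else rest
        if name.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute %r appears before any dn line" % name)
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def _needs_base64(value):
    """Values that are not 'safe strings' in LDIF terms must be base64-encoded."""
    return (not value.isascii() or value[:1] in (" ", ":", "<") or value.endswith(" ")
            or any(ord(ch) < 32 for ch in value))


def to_ldif(entry):
    """Write one record, objectClass values first as the chapter recommends."""
    lines = ["dn: " + entry["dn"]]
    ordered = sorted(entry["attrs"], key=lambda a: (a.lower() != "objectclass", a.lower()))
    for attr in ordered:
        for value in entry["attrs"][attr]:
            if _needs_base64(value):
                lines.append("%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode()))
            else:
                lines.append("%s: %s" % (attr, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for record in parse_ldif(SAMPLE_LDIF):
        print(to_ldif(record))
```

The writer base64-encodes any value that is not a safe ASCII string, which is what keeps an LDIF file importable even when a value starts with a space or colon or contains non-ASCII text.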
The attribute type's syntax governs the data that can be stored and the way the directory compares values when searching. Examples of syntaxes:

- caseIgnoreString: specifies that, in the given context, values are compared without regard to case, so Tom and tom are considered the same.
- caseExactString: the opposite of the above; upper and lower case are distinguished, so Tom and tom are not equivalent.

LDAP servers do not support abstract data types; they support only the standard types, unlike other protocols such as X.500, which besides the standard data types (strings, numbers, booleans) also define complex data types built from them. Plug-in interfaces, however, allow new syntaxes to be defined.
Attributes are also divided into 2 classes: user attributes and operational attributes.

- User attributes are the ordinary attributes of a directory entry; they can be modified by the directory's users (provided, of course, that the modification is permitted).
- Operational attributes are special attributes that can only be modified by the directory server, or that report the state of the directory. One example is the modifyTimestamp attribute, which is maintained by the directory and records when the entry was last updated. When an entry is sent to a client, operational attributes are not included unless the client asks for them.

There are some constraints on attribute values. Some server software lets the administrator declare whether an attribute may hold one or several values. The givenName attribute, for instance, may hold several values, for a person who wants to list several names (say, Jim and James), while some attributes hold only a single value. System administrators set such limits on the data to stop users from exceeding what is allowed.
5.2.1.2 Maintaining directory systems
Every entry in the directory has a set of attribute types that are required and a set that are allowed. An entry describing a person, for example, must have a cn (common name) and an sn (surname). Some attributes are allowed but not required for an entry describing a person; attributes that are neither required nor allowed may not appear in the entry.
These sets of required and allowed attributes are called directory schemas. Directory schemas can be designed to give us control over, and to maintain the integrity of, the information stored in entries.
We now have the basic block of information, the entry, but how do we arrange entries to build a directory information tree (DIT)? The rules for building one are studied in the section on the LDAP Naming model.
5.2.2 The LDAP Naming Model
The LDAP Naming model defines how we can arrange and refer to our data. In other words, it describes how entries are arranged into a logical structure, and it shows how we can refer to any directory entry within that structure.
The LDAP Naming model lets us place data in the directory in whatever way is easiest for us to manage. For example, we can create a container holding all the entries that describe people in an organization and another container holding all of our groups, or we can arrange the entries in a hierarchy that mirrors the structure of the organization. A good design requires careful study.

Figure 5-7: an LDAP directory tree
We first look at the UNIX file system, to see how it differs from an LDAP directory, and then analyse the LDAP directory tree model.

Figure 5-8: the UNIX file system
  /, with the subdirectories usr, bin and etc; usr contains bin (which holds grep), etc and local

There are three important differences:

1. The first difference between the two models is that the LDAP model does not really have a root entry. The root is the place where we can attach entries. An LDAP system has a special entry called the root DSE, which holds information about the server, but it is not an ordinary directory entry.

2. The second difference is that in an LDAP directory every node holds data and can also be a container holding other entries. This differs from a file system, where only directories can hold subdirectories and only files hold data. An entry in the directory can therefore be both a file and a directory at the same time. Figure 5-9 (numbered 5-23 in the original text) illustrates this: the entries dc=airius,dc=com, ou=People and ou=Devices all hold data and all have child nodes below them.
dn: dc=airius, dc=com
o: airius.com

dn: ou=People, dc=airius, dc=com
ou: People

dn: uid=bjensen, ou=People, dc=airius, dc=com
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen

dn: ou=Devices, dc=airius, dc=com
ou: Devices

dn: cn=LaserPrinter, ou=Devices, dc=airius, dc=com
cn: LaserPrinter
resolution: 600
description: in room 931

Figure 5-9: part of an LDAP directory, with the entries' contents


3. The last difference is between the file system hierarchy and the LDAP hierarchy. In a file system, a file name is read from left to right, going from the root (/) down to the file. In the UNIX file system of Figure 5-8 (numbered 5-22 in the original text), for instance, the name of the shaded node is /usr/bin/grep.
With an LDAP directory, the shaded node is named uid=bjensen, ou=people, dc=airius, dc=com: reading from left to right takes us back up to the top of the tree. An LDAP directory thus arranges its entries in an order, but LDAP does not prescribe any particular hierarchy; you are free to arrange your directory in whatever way is most meaningful to you.
Besides showing how data is arranged into hierarchical structures, the LDAP Naming model also shows how to refer to each entry in the directory, which we now analyse in more detail.

5.2.2.1 Distinguished names and relative distinguished names

In LDAP, the distinguished name (DN) of an entry is its name; it shows how you refer to entries in the directory, and two different entries in the directory have two different DNs.
Like a path in a file system, the name of an LDAP entry is formed by joining the names of all its ancestor entries up to the root. In the figure above the shaded node is named uid=bjensen, ou=people, dc=airius, dc=com: reading from left to right takes us back up to the top of the tree. The individual components are separated by commas, and whitespace after a comma is optional, so the following two DNs are equivalent:
uid=bjensen, ou=people, dc=airius, dc=com
uid=bjensen,ou=people,dc=airius,dc=com
In any DN, the leftmost component is called the relative distinguished name (RDN). As noted, the DN is unique for every entry in the directory, so entries that share a parent must have distinct RDNs. The directory in the figure below illustrates this:

Figure 5-10
  dc=airius,dc=com
    ou=Sales
      cn=John Smith
    ou=Engineering
      cn=John Smith

Although both entries have the same RDN, cn=John Smith, they are in two different branches.
5.2.2.2 Aliases
Alias entries in an LDAP directory let one entry point to another, so we can build structures whose hierarchy no longer has to be exact. The alias entry concept is like symbolic links in UNIX or shortcuts in Windows 9x/NT. The figure below shows an alias entry pointing to a real entry.
To create an alias entry in the directory, you first create an entry with an attribute named aliasedObjectName whose value is the DN of the entry that the alias should point to.

Figure 5-11: LDAP with an alias entry
  Server A holds dc=ames,dc=com; Server B holds dc=airius,dc=com; an alias entry in one tree points to an entry in the other.


Not all LDAP directory servers support aliases, however. Because an alias entry can point to any entry, including entries on other LDAP servers, a search that meets an alias may have to continue on a different directory tree on a different server. This raises the cost of searching, and it is the main reason why some software does not support aliases.
5.2.3 The LDAP Functional Model
Above we discussed the LDAP Information and LDAP Naming models; we now turn to the LDAP Functional model, which describes the operations that let us work with the directory. Let us first recall the outline of the LDAP Functional model.
The LDAP Functional model contains a set of operations divided into 3 groups. Interrogation operations let you search the directory and retrieve data from it. Update operations add, delete, rename and modify directory entries. Authentication and control operations let the client identify itself to the directory and control aspects of the session.
Version 3 of the LDAP protocol adds the LDAP extended operation to these 3 groups; it lets the LDAP protocol be extended later in an orderly way without changing the protocol itself. We now analyse the operations group by group, starting with the LDAP interrogation operations.
5.2.3.1 Interrogation operations (LDAP Interrogation)
The two interrogation operations let a client find and retrieve information from the directory. The LDAP protocol has no operation for reading a single directory entry, so to read an entry we perform a search and stop as soon as the first result arrives. The LDAP search operation takes 8 parameters:
The first parameter is the base object on which the search is performed; it is the DN of the top of the tree we want to search.
The second parameter is the scope of the search. There are 3 scopes:


- The base scope means you want to search only the base object itself.
- The onelevel scope searches the level just below the base object (its direct children).
- The subtree scope searches the whole tree whose top is the base object.
The figures below illustrate the searches for each scope.
Figure 5-12: a search with scope base
  tree: dc=airius, dc=com -> ou=people -> entries
  search base = ou=people, dc=airius, dc=com
  search scope = base

Figure 5-13: a search with scope onelevel
  tree: dc=airius, dc=com -> ou=people -> entries
  search base = ou=people, dc=airius, dc=com
  search scope = onelevel

Figure 5-14: a search with scope subtree
  tree: dc=airius, dc=com -> ou=people -> entries
  search base = ou=people, dc=airius, dc=com
  search scope = subtree


The third parameter, derefAliases, tells the server whether aliases are to be dereferenced (followed) while performing the search. It takes one of 4 values:

- neverDerefAliases: aliases are never dereferenced, neither in the entries below the base object nor in the base object itself.
- derefInSearching: aliases in the entries below the base object are dereferenced, but an alias at the base object is not.
- derefFindingBaseObject: the opposite of the previous value; an alias at the base object is dereferenced, but aliases in the entries below it are not.
- derefAlways: both are dereferenced, whether the base object or the entries below it are alias entries.

The fourth parameter tells the server the maximum number of entries to return. For example, if the client sets this parameter to 100 but the server finds 500 matching entries, the server sends only 100 entries to the client. If the client sets it to zero, the client receives all the results of the search (note that the server can impose its own limit, which ordinary users cannot change).
The fifth parameter sets the maximum time for performing the search; when the search exceeds it, the server sends the client LDAP_TIMELIMIT_EXCEEDED. Setting it to zero means there is no time limit. As with the fourth parameter, the server can impose a limit that only privileged users can change.
The sixth parameter, attrsOnly, is a boolean; when set to true the server sends the client only the attribute types of each entry, without their values. This is useful when the client is only interested in which attribute types an entry contains.
The seventh parameter is the search filter, an expression describing which entries are to be returned. Searching with a filter expression is very flexible in LDAP; the different kinds of filter are described in the next section.
The eighth and last parameter is the list of attributes to return with each entry. You can specify which attributes are returned.
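The following added example (not from the chapter) covers two points at once: the DN handling of section 5.2.2.1, where "uid=bjensen, ou=people, dc=airius, dc=com" and "uid=bjensen,ou=people,dc=airius,dc=com" must compare equal and the RDN and parent of a DN can be read off, and the base, onelevel and subtree scopes, the size limit and the attrsOnly flag of the search operation described above. The in-memory directory is constructed after Figure 5-9; the result codes are the standard LDAP values; caseIgnore matching of DN values is assumed throughout, as the chapter's own examples (ou=people versus ou=People) rely on. Splitting on unescaped commas only goes beyond the chapter, which does not discuss escaped commas in DN values.

```python
# Added example (not from the chapter): distinguished names and search
# scopes over a constructed in-memory directory modelled on Figure 5-9.
# Result codes are the standard LDAP values; all DN attribute types are
# assumed to use caseIgnore matching, as the chapter's examples rely on.
import re

DIRECTORY = {   # constructed sample: DN -> attributes
    "dc=airius,dc=com": {"o": ["airius.com"]},
    "ou=People,dc=airius,dc=com": {"ou": ["People"]},
    "uid=bjensen,ou=People,dc=airius,dc=com": {"cn": ["Barbara Jensen", "Babs Jensen"], "sn": ["Jensen"]},
    "uid=tjones,ou=People,dc=airius,dc=com": {"cn": ["Tom Jones"], "sn": ["Jones"]},
    "ou=Devices,dc=airius,dc=com": {"ou": ["Devices"]},
    "cn=LaserPrinter,ou=Devices,dc=airius,dc=com": {"cn": ["LaserPrinter"], "resolution": ["600"]},
}

SUCCESS, SIZE_LIMIT_EXCEEDED, NO_SUCH_OBJECT = 0, 4, 32

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")   # a comma not preceded by a backslash


def split_dn(dn):
    """DN -> list of RDN strings, leftmost (the entry's own RDN) first.
    Whitespace after the commas is optional; an escaped comma (\\,) is part of a value."""
    return [rdn.strip() for rdn in _UNESCAPED_COMMA.split(dn)]


def normalize_dn(dn):
    """Canonical form used for comparison: no optional whitespace, lower case."""
    parts = []
    for rdn in split_dn(dn):
        attr_type, _, value = rdn.partition("=")
        parts.append(attr_type.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def rdn_of(dn):
    return split_dn(dn)[0]


def parent_of(dn):
    return ",".join(split_dn(dn)[1:])


def search(base, scope, size_limit=0, attrs_only=False, directory=DIRECTORY):
    """Return (entries, result_code) for a search with the given base object,
    scope ('base', 'onelevel' or 'subtree'), size limit (0 = unlimited) and
    attrsOnly flag. Filtering by attribute values is left to a search filter."""
    index = {normalize_dn(dn): (dn, attrs) for dn, attrs in directory.items()}
    nbase = normalize_dn(base)
    if nbase not in index:
        return [], NO_SUCH_OBJECT

    def in_scope(ndn):
        if scope == "base":
            return ndn == nbase
        if scope == "onelevel":
            return parent_of(ndn) == nbase
        if scope == "subtree":
            return ndn == nbase or ndn.endswith("," + nbase)
        raise ValueError("unknown scope %r" % scope)

    matched = [(dn, attrs) for ndn, (dn, attrs) in index.items() if in_scope(ndn)]
    code = SUCCESS
    if size_limit and len(matched) > size_limit:  # the server stops at the limit
        matched, code = matched[:size_limit], SIZE_LIMIT_EXCEEDED
    if attrs_only:                                # attribute types only, no values
        matched = [(dn, {attr: [] for attr in attrs}) for dn, attrs in matched]
    return matched, code


if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        entries, code = search("ou=people, dc=airius, dc=com", scope)
        print(scope, [dn for dn, _ in entries], "result", code)
```

Running the block prints one, two and three entries for the base, onelevel and subtree scopes of Figures 5-12 to 5-14; a size limit smaller than the number of hits truncates the list and returns sizeLimitExceeded (4) instead of success.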

Types of LDAP filter used in searching

Filter type              | Format                               | Example                                  | Matches
Equality                 | (attr=value)                         | (sn=jensen)                              | entries whose surname is jensen
Substring                | (attr=[leading]*[any]*[trailing])    | (sn=*jensen*)                            | surname contains the substring jensen
                         |                                      | (sn=jensen*)                             | surname begins with jensen
                         |                                      | (sn=*jensen)                             | surname ends with jensen
                         |                                      | (sn=je*nse*n)                            | surname begins with je, contains nse and ends with n
Approximate              | (attr~=value)                        | (sn~=jensen)                             | surname approximately equal to jensen, e.g. jensin or jenson
Greater than or equal to | (attr>=value)                        | (sn>=jensen)                             | surname >= jensen; applies to attributes whose values are ordered
Less than or equal to    | (attr<=value)                        | (sn<=jensen)                             | surname <= jensen
Presence                 | (attr=*)                             | (sn=*)                                   | all entries that have the attribute attr
AND                      | (&(filter1)(filter2))                | (&(sn=jensen)(objectclass=person))       | entries of objectclass person with surname jensen
OR                       | (|(filter1)(filter2))                | (|(sn~=jensen)(telephonenumber=8944570)) | entries whose surname is approximately jensen or whose telephone number is 8944570
NOT                      | (!(filter))                          | (!(age>=22))                             | entries whose age attribute is < 22

Only LDAP version 3 supports the following filter. It is a filter designed for search operations that will be developed in the future, and it reflects how easily LDAP can be extended as search operations evolve. One example showing the usefulness of this feature is:
The syntax of this extensible filter is fairly complex. It has 5 parts, 3 of them optional:

- The name of the attribute.
- The optional string :dn, indicating that the attributes forming the entry's DN are to be treated as attributes of the entry for the duration of the search.
- An optional colon followed by the matching rule to use for the comparison; if omitted, a suitable default rule is chosen for the attribute. If the attribute name is omitted, this part is mandatory.
- The string :=.
- A value to compare against.

For example: attr[:dn][:matchingrule]:=value


Special characters
If, when performing a search, some attribute values contain one of the 5 special characters in the table below, they must be escaped:
Characters to avoid using literally in search filters
  Character          Decimal   Hex    Escape sequence
  * (asterisk)       42        0x2A   \2A
  ( (open paren)     40        0x28   \28
  ) (close paren)    41        0x29   \29
  \ (backslash)      92        0x5C   \5c
  NULL               0         0x00   \00

To search for an attribute value cn=star* we use the filter (cn=star\2A), where \2A stands for the character *.
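As an added example (not from the chapter), here is a parser and evaluator in Python for the filter syntax in the table above, together with the escaping of the five special characters. The sample entries are constructed; the approximate match (~=) has no single definition in LDAP, so the vowel-dropping comparison used here is a stand-in that behaves as the table describes. The find_user function shows why the escaping matters: a login name containing * must be sent as \2A, or the server reads it as a wildcard instead of a literal value.

```python
# Added example (not from the chapter): parser and evaluator for the search
# filter syntax of the table above, plus escaping of the five special
# characters. The approximate match (~=) has no single LDAP definition; the
# vowel-dropping comparison below is a constructed stand-in.
import re

ENTRIES = [  # constructed sample entries; attribute types match case-insensitively
    {"uid": ["bjensen"], "cn": ["Barbara Jensen", "Babs Jensen"], "sn": ["Jensen"], "objectClass": ["person"], "telephoneNumber": ["+1 408 555 1212"], "age": ["34"]},
    {"uid": ["tjones"], "cn": ["Tom Jones"], "sn": ["Jones"], "objectClass": ["person"], "telephoneNumber": ["8944570"], "age": ["21"]},
    {"uid": ["star*"], "cn": ["star*"], "sn": ["Starr"], "objectClass": ["person"], "age": ["40"]},
    {"uid": ["slight"], "cn": ["Starlight"], "sn": ["Light"], "objectClass": ["person"], "age": ["29"]},
]
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)")   # attribute type and operator

def escape_filter_value(value):
    """Escape * ( ) \\ and NUL as \\XX so the value is taken literally: 'star*' -> 'star\\2A'."""
    return "".join("\\%02X" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse a filter string into a tuple tree, e.g. ('and', [('equal', 'sn', 'jensen'), ...])."""
    pos = [0]
    def expect(ch):
        if text[pos[0]:pos[0] + 1] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos[0]))
        pos[0] += 1
    def item():
        m = _ITEM.match(text, pos[0])
        if not m:
            raise ValueError("bad filter item at offset %d" % pos[0])
        end = text.find(")", m.end())      # the value runs to the closing paren; a literal ')' is \29
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, op, raw = m.group(1), m.group(2), text[m.end():end]
        pos[0] = end
        if op == "=" and raw == "*":
            return ("present", attr)
        if op == "=" and "*" in raw:       # substring: [leading]*[any]*[trailing]
            return ("substring", attr, [_unescape(p) for p in raw.split("*")])
        return ({"=": "equal", "~=": "approx", ">=": "ge", "<=": "le"}[op], attr, _unescape(raw))
    def filt():
        expect("(")
        c = text[pos[0]:pos[0] + 1]
        if c in ("&", "|"):
            pos[0] += 1
            items = []
            while text[pos[0]:pos[0] + 1] == "(":
                items.append(filt())
            node = ("and" if c == "&" else "or", items)
        elif c == "!":
            pos[0] += 1
            node = ("not", filt())
        else:
            node = item()
        expect(")")
        return node
    node = filt()
    if pos[0] != len(text):
        raise ValueError("trailing data at offset %d" % pos[0])
    return node

def _values(entry, attr):
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def _order_key(v):      # integers compare numerically, everything else as text
    return (0, int(v)) if v.strip().lstrip("-").isdigit() else (1, v.lower())

def matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    vals = _values(entry, node[1])
    if kind == "present":
        return bool(vals)
    if kind == "substring":
        pattern = "^" + ".*".join(re.escape(p) for p in node[2]) + "$"
        return any(re.match(pattern, v, re.IGNORECASE) for v in vals)
    target = node[2]
    tests = {"equal": lambda v: v.lower() == target.lower(),
             "approx": lambda v: re.sub(r"[aeiou]", "", v.lower()) == re.sub(r"[aeiou]", "", target.lower()),
             "ge": lambda v: _order_key(v) >= _order_key(target),
             "le": lambda v: _order_key(v) <= _order_key(target)}
    return any(tests[kind](v) for v in vals)

def ldap_search(filter_text, entries=ENTRIES):
    """Return the uid of every entry matched by the filter."""
    node = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(node, e)]

def find_user(uid, escape=True):
    """Filter an application would send for a login name; without escaping a
    name containing '*' is read as a wildcard rather than literally."""
    value = escape_filter_value(uid) if escape else uid
    return ldap_search("(&(uid=%s)(objectClass=person))" % value)
```

The parser reads a value up to the next closing parenthesis, which is exactly why a literal ) or * inside a value must be written as \29 or \2A: any value taken from a user should pass through escape_filter_value before it is placed in a filter.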
5.2.3.2 Update operations
There are 4 update operations: add, delete, rename (modify DN) and modify.

Add
The add operation creates a new entry with the given DN and list of attributes. Adding a new entry to the directory must satisfy the following conditions:

- The entry that is the parent of the new entry must exist.
- No entry with the same DN as the new entry may already exist in the directory.
- The directory's access control must permit the operation.

Delete
The delete operation only needs the name of the entry to delete, and it succeeds if:

- An entry with the given DN exists.
- The entry being deleted has no child entries.
- The directory's access control permits the deletion.

Rename
The rename, or modify DN, operation is used to rename or to move entries in the directory. Its parameters are the DN of the entry to rename, the entry's new RDN, an optional parameter naming the entry that becomes the new parent of a moved entry, and finally a flag saying whether the old RDN value is to be deleted. As above, the operation succeeds if:

- The entry being renamed exists.
- The entry's new name does not exist yet.
- The directory's access control permits the operation.

On the new-parent parameter: when the entry only changes its RDN, this parameter is simply left absent.
Some figures illustrating the operations:

Figure 5-15: moving entry uid=bjensen
  tree before: dc=airius,dc=com -> ou=Engineering (uid=bjensen), ou=Administration
  tree after:  dc=airius,dc=com -> ou=Engineering, ou=Administration (uid=bjensen)
  original value: dn: uid=bjensen, ou=Engineering, dc=airius, dc=com
  new value:      dn: uid=bjensen, ou=Administration, dc=airius, dc=com

Figure 5-16: moving and renaming entry uid=bjensen without changing the RDN
  original value: dn: uid=bjensen, ou=Engineering, dc=airius, dc=com
  new value:      dn: uid=qtom, ou=Administration, dc=airius, dc=com

Figure 5-17: moving the entry and changing its RDN
  tree after:  dc=airius,dc=com -> ou=Engineering, ou=Administration (uid=btom)
  original value: dn: uid=bjensen, ou=Engineering, dc=airius, dc=com
  new value:      dn: uid=qtom, ou=Administration, dc=airius, dc=com

Figure 5-18: the rename operation
  before: dn: uid=bjensen, ou=engineering, dc=com    (attribute uid: bjensen)
  after:  dn: uid=btom, ou=engineering, dc=com       (attribute uid: btom)

Figure 5-19: the rename operation without deleting the old RDN value
  before: dn: uid=bjensen, ou=engineering, dc=com    (attribute uid: bjensen)
  after:  dn: uid=btom, ou=engineering, dc=com       (attributes uid: bjensen and uid: btom)


Note: LDAP version 2 does not support the modify DN operation, only modify RDN, which changes just the entry's RDN. LDAP version 2 therefore only allows an entry to be renamed, not moved elsewhere in the tree.

Modify (update)
The last operation is the modify operation, whose parameters are a DN and the set of changes to apply to that entry. This operation requires that:

- An entry with the given DN exists.
- All of the attribute changes succeed.
- The modifications are permitted by access control.

If any of these conditions is not met, none of the changes is applied to the entry.
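The preconditions listed above for add, delete, rename (modify DN) and modify, as an added Python example that is not part of the chapter. It keeps an in-memory directory, answers with the standard LDAP result codes (noSuchObject 32, entryAlreadyExists 68, notAllowedOnNonLeaf 66, insufficientAccessRights 50, noSuchAttribute 16), applies a modify all-or-nothing, and reproduces the moves and renames of Figures 5-15 to 5-19. The access control check is a constructed stand-in, a fixed set of DNs allowed to write, since LDAP itself defines no access control model; the DN helpers assume no escaped commas.

```python
# Added example (not from the chapter): an in-memory directory that applies
# the preconditions listed above for add, delete, modify DN (rename/move) and
# modify, answering with the standard LDAP result codes. The access control
# check is a constructed stand-in (a fixed set of DNs allowed to write).
SUCCESS, NO_SUCH_ATTRIBUTE, NO_SUCH_OBJECT = 0, 16, 32
INSUFFICIENT_ACCESS, NOT_ALLOWED_ON_NONLEAF, ENTRY_ALREADY_EXISTS = 50, 66, 68

def _parts(dn):
    return [p.strip() for p in dn.split(",")]

def _parent(dn):
    return ",".join(_parts(dn)[1:])

def _norm(dn):                      # comparison form: no optional spaces, lower case
    return ",".join(_parts(dn)).lower()

class Directory:
    def __init__(self, suffix, writers):
        self.suffix = _norm(suffix)                 # the one entry that needs no parent
        self.writers = {_norm(w) for w in writers}  # stand-in access control list
        self.entries = {}                           # normalized DN -> (DN as given, attrs)

    def lookup(self, dn):
        found = self.entries.get(_norm(dn))
        return found[1] if found else None

    def _children(self, ndn):
        return [k for k in self.entries if _parent(k) == ndn]

    def add(self, bind_dn, dn, attrs):
        ndn = _norm(dn)
        if _norm(bind_dn) not in self.writers:
            return INSUFFICIENT_ACCESS
        if ndn in self.entries:                     # no entry may share the new DN
            return ENTRY_ALREADY_EXISTS
        if ndn != self.suffix and _parent(ndn) not in self.entries:   # parent must exist
            return NO_SUCH_OBJECT
        self.entries[ndn] = (dn, {k: list(v) for k, v in attrs.items()})
        return SUCCESS

    def delete(self, bind_dn, dn):
        ndn = _norm(dn)
        if _norm(bind_dn) not in self.writers:
            return INSUFFICIENT_ACCESS
        if ndn not in self.entries:
            return NO_SUCH_OBJECT
        if self._children(ndn):                     # only leaf entries can be deleted
            return NOT_ALLOWED_ON_NONLEAF
        del self.entries[ndn]
        return SUCCESS

    def modify_dn(self, bind_dn, dn, new_rdn, new_superior=None, delete_old_rdn=True):
        """Rename (new RDN) and/or move (new parent) an entry. This toy store
        refuses to rename an entry that has children; real servers differ."""
        ndn = _norm(dn)
        if _norm(bind_dn) not in self.writers:
            return INSUFFICIENT_ACCESS
        if ndn not in self.entries:
            return NO_SUCH_OBJECT
        if self._children(ndn):
            return NOT_ALLOWED_ON_NONLEAF
        parent = _norm(new_superior) if new_superior else _parent(ndn)
        if parent not in self.entries:
            return NO_SUCH_OBJECT
        new_dn = new_rdn + "," + self.entries[parent][0]
        if _norm(new_dn) in self.entries:           # the new name must not exist yet
            return ENTRY_ALREADY_EXISTS
        old_dn, attrs = self.entries.pop(ndn)
        old_type, _, old_value = _parts(old_dn)[0].partition("=")
        new_type, _, new_value = new_rdn.partition("=")
        if delete_old_rdn and old_value in attrs.get(old_type, []):
            attrs[old_type].remove(old_value)       # Figure 5-19 keeps it when the flag is false
        if new_value not in attrs.setdefault(new_type, []):
            attrs[new_type].append(new_value)       # the RDN value is always an attribute value
        self.entries[_norm(new_dn)] = (new_dn, attrs)
        return SUCCESS

    def modify(self, bind_dn, dn, changes):
        """changes: list of (op, attr, values) with op in add/delete/replace.
        Either every change applies or none does."""
        ndn = _norm(dn)
        if _norm(bind_dn) not in self.writers:
            return INSUFFICIENT_ACCESS
        if ndn not in self.entries:
            return NO_SUCH_OBJECT
        original_dn, current = self.entries[ndn]
        work = {k: list(v) for k, v in current.items()}    # work on a copy
        for op, attr, values in changes:
            if op == "add":
                work.setdefault(attr, []).extend(values)
            elif op == "replace":
                work[attr] = list(values)
            elif op == "delete":
                if attr not in work or (values and any(v not in work[attr] for v in values)):
                    return NO_SUCH_ATTRIBUTE        # nothing has been committed
                if values:
                    work[attr] = [v for v in work[attr] if v not in values]
                else:
                    del work[attr]
            else:
                raise ValueError("unknown modification %r" % op)
        self.entries[ndn] = (original_dn, work)     # commit only when all changes succeeded
        return SUCCESS
```

Because modify works on a copy and commits at the end, a change list that adds one attribute and then deletes a missing one leaves the entry untouched, which is the all-or-nothing rule stated above.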
5.2.3.3 Authentication and control operations (LDAP authentication and control operations)
The authentication operations are bind and unbind.
The only control operation is abandon.

Bind
The bind operation is how the client authenticates to the server: the client presents a DN and credentials, the server checks them, and if the check succeeds the client is allowed to perform operations on the directory.
There are several bind methods. The simplest is for the client to present a DN and a password in readable (clear text) form; the server then just looks up the entry with that DN and checks whether the value of its userPassword attribute matches the password supplied. The safer methods use SSL or TLS.
LDAP version 3 adds a bind operation, the SASL bind, which is independent of any particular authentication scheme: SASL lets the client choose an authentication mechanism, and if the server supports that mechanism, it is used to authenticate the client.

Unbind
When the client sends the unbind request, the server discards the information associated with that client, abandons all of its operations still running on the directory and closes the TCP connection.

Abandon
The abandon operation has a single parameter, the message ID; the client uses it when it is no longer interested in the result of some earlier operation.
5.2.4 The LDAP Security Model
The last concern of the LDAP models is protecting the information in the directory from unauthorized access. Whether a client binds under a DN or is anonymous, each user has a certain set of rights over the directory entries; which rights an entry grants is what is called access control. At present LDAP does not define an access control model; these access rights are set up by system administrators using the server software.
5.3 Using LDAP

5.3.1 Authentication applications using LDAP

5.3.2 Some services that use the LDAP protocol
By combining these simple LDAP operations, a directory client can carry out complex tasks, as in the following examples:

- A mail program can sign messages with a digital certificate stored in the directory on the LDAP server: it sends a search request to the LDAP server, the LDAP server returns the client's digital certificate, and the mail program then uses the certificate to sign the message and sends it to the message server. From the user's point of view the whole process runs automatically, and the user need not be concerned with it.

Figure 6-20: a simple storage model
  1. The LDAP client searches for user A on the LDAP server
  2. The client receives user A's entry in return
  (participants: LDAP client, LDAP server, messaging server)


- The Netscape Messaging Server can use the LDAP directory to check incoming mail. When a message arrives for an address, the message server looks the email address up in the directory on the LDAP server; it then knows whether the user's mailbox exists and accepts the message.
Figure 5-21: using LDAP to manage mail
  1. An email arrives for the address Barbara.Jensen@airius.com
  2. The message server looks the email address up in the directory (LDAP server)
  3. The message server identifies the user's mailbox and accepts the message

- Using LDAP to authenticate a user logging in to a system through a verification program. The program works as follows: first, the verification program establishes its own authenticated identity with LDAP through step (1); then it compares user A's password with the information held in the directory (2). If the comparison succeeds, user A is authenticated.
Figure 5-22: authentication using LDAP
  User A -> Application (DUA): Login {DN, PW}
  Application -> LDAP server: 1. Bind {DN-AP, PW-AP}
  Application -> LDAP server: 2. Compare {DN, PW}
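The login flow of Figure 5-22, as an added Python example that is not from the chapter: a toy LDAP server offering simple bind and compare, an application account (DN-AP, PW-AP) that binds first, and a compare of the user's DN and password that the server answers with compareTrue or compareFalse. The directory contents, the application's DN and password, the rule that only the application account may compare userPassword, and the password storage scheme (salted SHA-256 in hex, a stand-in for the schemes such as {SSHA} that real servers use) are all constructed for the example.

```python
# Added example (not from the chapter): a toy LDAP server with bind and compare,
# and the login flow of Figure 5-22: the application binds with its own DN and
# password (DN-AP, PW-AP), then asks the server to compare the user's DN and
# password, so the user's password never has to be read out of the directory.
# The password storage scheme (salted SHA-256, hex) is a constructed stand-in.
import hashlib
import hmac
import os

SUCCESS, COMPARE_FALSE, COMPARE_TRUE, NO_SUCH_OBJECT = 0, 5, 6, 32
INVALID_CREDENTIALS, INSUFFICIENT_ACCESS = 49, 50
_PREFIX = "{SALTED-SHA256}"


def hash_password(password, salt=None):
    salt = salt or os.urandom(8)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return _PREFIX + salt.hex() + "$" + digest


def check_password(stored, password):
    if not stored.startswith(_PREFIX):
        return False
    salt_hex, _, digest = stored[len(_PREFIX):].partition("$")
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison


def _norm(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


class Server:
    def __init__(self, entries, compare_allowed):
        self.entries = {_norm(dn): attrs for dn, attrs in entries.items()}
        self.compare_allowed = {_norm(dn) for dn in compare_allowed}  # stand-in access control

    def bind(self, dn, password):
        """Simple bind. Returns (result code, session); session['dn'] is None for anonymous."""
        if dn == "" and password == "":
            return SUCCESS, {"dn": None}
        if password == "":   # a DN with an empty password is not treated as an anonymous bind
            return INVALID_CREDENTIALS, None
        entry = self.entries.get(_norm(dn))
        stored = entry.get("userPassword", []) if entry else []
        # an unknown DN and a wrong password give the same answer, so neither is disclosed
        if not any(check_password(s, password) for s in stored):
            return INVALID_CREDENTIALS, None
        return SUCCESS, {"dn": _norm(dn)}

    def compare(self, session, dn, attr, value):
        if session["dn"] is None or session["dn"] not in self.compare_allowed:
            return INSUFFICIENT_ACCESS
        entry = self.entries.get(_norm(dn))
        if entry is None:
            return NO_SUCH_OBJECT
        values = entry.get(attr, [])
        if attr == "userPassword":
            hit = any(check_password(s, value) for s in values)
        else:
            hit = any(v.lower() == value.lower() for v in values)
        return COMPARE_TRUE if hit else COMPARE_FALSE


APP_DN = "cn=login-app,ou=Applications,dc=airius,dc=com"   # constructed
APP_PW = "app-secret"   # constructed; in practice kept in the application's secret store


def make_server():
    """Constructed directory: the login application's account and one user."""
    return Server({
        APP_DN: {"userPassword": [hash_password(APP_PW)]},
        "uid=bjensen,ou=People,dc=airius,dc=com": {"sn": ["Jensen"], "userPassword": [hash_password("sailing!")]},
    }, compare_allowed=[APP_DN])


def login(server, user_dn, password):
    """Figure 5-22: (1) bind as the application, (2) compare the user's password."""
    code, session = server.bind(APP_DN, APP_PW)
    if code != SUCCESS:
        raise RuntimeError("application bind failed: %d" % code)
    return server.compare(session, user_dn, "userPassword", password) == COMPARE_TRUE
```

Two details carry the security weight: the server never returns the stored userPassword value to the application, it only answers true or false, and a bind with a DN but an empty password is rejected rather than silently treated as anonymous, a pitfall for applications that bind as the user instead of comparing.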
