The Security Model
LDAP version 2 (RFC 1777) defines an authentication model based on clear-text passwords or Kerberos version 4. LDAP version 3 (RFC 2251) keeps the simple password bind and adds an extensible model based on the Simple Authentication and Security Layer (SASL, RFC 2222). SASL uses a layered architecture so that different security mechanisms can be plugged in; the Generic Security Service Application Program Interface (GSSAPI) is one of SASL's principal mechanisms. GSSAPI is a generic security interface through which an application obtains authentication, integrity and confidentiality services from an underlying mechanism (typically Kerberos V5) without depending on that mechanism's details, which is what makes it a common, interoperable security system for the Internet. LDAP version 3 defines the packet formats of the SASL requests and responses exchanged between the LDAP client and server, and supports both authentication and encryption (a SASL "security layer") through the different SASL and GSSAPI mechanisms. Note that the simple bind, on its own, still sends the password in clear text; it is only safe over a connection that is already encrypted.
In addition to SASL, LDAP version 3 also supports secure connections using the Secure Sockets Layer (SSL) protocol, in which the whole session is encrypted before any LDAP message is sent. LDAP-over-SSL (ldaps) connections use port 636, whereas connections using SASL authentication and encryption use the standard LDAP port 389. Port 389 is also the port for completely unprotected sessions: a simple bind there, or a SASL bind with a mechanism that negotiates no security layer, sends the credentials and all subsequent traffic in the clear, so the port number alone says nothing about whether a connection is protected.
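The clear-text problem made concrete, as an added example that is not part of the original page: the C code below builds the LDAPv3 simple BindRequest that a password bind sends on port 389 (the BER layout follows RFC 2251) and then walks the same bytes the way a passive observer on the wire would, pulling the password straight out. The DN cn=admin,dc=example,dc=com and the password s3cret are made-up sample values, the function names are this example's own, and nothing is sent to a network.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append one BER TLV with a short-form length (< 128, enough for a demo).
 * Returns the bytes written, or 0 if the value does not fit. */
static size_t put_tlv(uint8_t *out, size_t outsz, uint8_t tag,
                      const uint8_t *val, size_t vlen)
{
    if (vlen >= 128 || vlen + 2 > outsz) return 0;
    out[0] = tag;
    out[1] = (uint8_t)vlen;
    memcpy(out + 2, val, vlen);
    return vlen + 2;
}

/* Encode what a simple bind puts on the wire (RFC 2251):
 *   LDAPMessage ::= SEQUENCE { messageID INTEGER,
 *     BindRequest [APPLICATION 0] { version INTEGER, name LDAPDN,
 *                                    authentication [0] simple OCTET STRING } }
 * msgid must be 1..127 so the INTEGER fits one byte.  Returns the packet
 * length, or 0 on error. */
size_t encode_simple_bind(uint8_t msgid, const char *dn, const char *pw,
                          uint8_t *out, size_t outsz)
{
    uint8_t op[128], body[128], ver = 3;
    size_t n = 0, m = 0, k;

    if (msgid == 0 || msgid > 127) return 0;
    if (!(k = put_tlv(op + n, sizeof op - n, 0x02, &ver, 1))) return 0;
    n += k;
    if (!(k = put_tlv(op + n, sizeof op - n, 0x04, (const uint8_t *)dn, strlen(dn)))) return 0;
    n += k;
    if (!(k = put_tlv(op + n, sizeof op - n, 0x80, (const uint8_t *)pw, strlen(pw)))) return 0;
    n += k;
    if (!(k = put_tlv(body, sizeof body, 0x02, &msgid, 1))) return 0;
    m += k;
    if (!(k = put_tlv(body + m, sizeof body - m, 0x60, op, n))) return 0;  /* [APPLICATION 0] */
    m += k;
    return put_tlv(out, outsz, 0x30, body, m);                               /* SEQUENCE */
}

/* Minimal BER walking for the observer side: enter a constructed TLV, or step over one. */
static int enter_tlv(const uint8_t *pkt, size_t len, size_t *i, uint8_t tag)
{
    if (*i + 2 > len || pkt[*i] != tag || pkt[*i + 1] >= 128) return 0;
    *i += 2;
    return 1;
}

static int skip_tlv(const uint8_t *pkt, size_t len, size_t *i, uint8_t tag)
{
    if (!enter_tlv(pkt, len, i, tag)) return 0;
    *i += pkt[*i - 1];
    return *i <= len;
}

/* What a passive observer on port 389 does with the captured bytes: walk to the
 * [0] simple credential and return it.  NULL if the packet is not such a bind. */
const uint8_t *extract_simple_password(const uint8_t *pkt, size_t len, size_t *pwlen)
{
    size_t i = 0;
    if (!enter_tlv(pkt, len, &i, 0x30)) return NULL;   /* LDAPMessage */
    if (!skip_tlv(pkt, len, &i, 0x02)) return NULL;    /* messageID */
    if (!enter_tlv(pkt, len, &i, 0x60)) return NULL;   /* BindRequest */
    if (!skip_tlv(pkt, len, &i, 0x02)) return NULL;    /* version */
    if (!skip_tlv(pkt, len, &i, 0x04)) return NULL;    /* name (bind DN) */
    if (!enter_tlv(pkt, len, &i, 0x80)) return NULL;   /* authentication: simple [0] */
    *pwlen = pkt[i - 1];
    return i + *pwlen <= len ? pkt + i : NULL;
}

/* Encode, then recover the way an observer would.  Returns the packet length,
 * or -1 if the password could not be read back verbatim. */
int simple_bind_exposes_password(const char *dn, const char *pw)
{
    uint8_t pkt[256];
    size_t pl, n = encode_simple_bind(1, dn, pw, pkt, sizeof pkt);
    const uint8_t *p = n ? extract_simple_password(pkt, n, &pl) : NULL;
    if (p == NULL || pl != strlen(pw) || memcmp(p, pw, pl) != 0) return -1;
    return (int)n;
}

int main(void)
{
    /* Constructed sample credentials; nothing here talks to a real server. */
    const char *dn = "cn=admin,dc=example,dc=com", *pw = "s3cret";
    uint8_t pkt[256];
    size_t n = encode_simple_bind(1, dn, pw, pkt, sizeof pkt), pl;
    const uint8_t *p = extract_simple_password(pkt, n, &pl);

    for (size_t i = 0; i < n; i++)
        printf("%02x%c", pkt[i], (i + 1) % 16 == 0 || i + 1 == n ? '\n' : ' ');
    if (p != NULL)
        printf("observer on port 389 recovers the password: %.*s\n", (int)pl, (const char *)p);
    return 0;
}
```

The 46-byte message for the sample DN and password starts 30 2c 02 01 01 60 27 02 01 03 04 1a and ends 80 06 followed by the six password bytes, which is exactly what a capture on port 389 shows. A SASL mechanism that negotiates a security layer, or a session that is first wrapped in SSL on port 636, is what keeps that last field off the wire.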
The Topological Model
A major feature of LDAP is that it can be used to build a global directory structure. It is essentially a directory Web, in much the same way that HTTP and HTML are used to define and implement the global hypertext Web. One or more LDAP servers together make up the directory tree. An LDAP client connects to an LDAP server and makes a request. If the requested information is not held locally, the server returns a referral naming another LDAP server that can fulfill the request, and the client (or its LDAP library, which can be set to follow referrals automatically) contacts that server. LDAP uses this referral capability to implement a global directory structure of independent LDAP servers that appear to a client to be a single LDAP server. A referral is only a pointer, so a client that follows one also has to decide whether it trusts the server it is sent to and whether it is willing to re-authenticate there with the same credentials.
LDAP C-Binding API
RFC 1823 specifies the C-binding API for a client to access a directory service that supports the LDAP protocol. The API is deliberately small and supports both synchronous and asynchronous calls to the server.
An application generally uses the LDAP API in four simple steps:
• Open a connection to an LDAP server. The ldap_open() call returns a handle to the connection, allowing multiple connections to be open at once.
• Authenticate to the LDAP server and/or the X.500 DSA. The ldap_bind() call and friends support a variety of authentication methods.
• Perform some LDAP operations and obtain the results. ldap_search() and friends return results which can be parsed by ldap_result2error(), ldap_first_entry(), ldap_next_entry(), and so forth.
• Close the connection. The ldap_unbind() call closes the connection.
Operations can be performed either synchronously or asynchronously. Synchronous calls end in _s. For example, a synchronous search can be completed by calling ldap_search_s(). An asynchronous search can be initiated by calling ldap_search(). All synchronous routines return an indication of the outcome of the operation (for example, the constant LDAP_SUCCESS or some other error code). The asynchronous routines return the message ID of the operation initiated. This ID can be used in subsequent calls to ldap_result() to obtain the result(s) of the operation. An asynchronous operation can be abandoned by calling ldap_abandon().
Here is a list of the LDAP API calls:

| API Name | Description |
|---|---|
| ldap_open | Opens a connection to an LDAP server. |
| ldap_bind | This API and its friends are used to authenticate to the directory. |
| ldap_unbind | This is used to unbind from the directory and close the connection. |
| ldap_search | This API and its friends are used to search the LDAP directory. |
| ldap_modify, ldap_modify_s | These routines are used to modify an existing LDAP entry. |
| ldap_modrdn, ldap_modrdn_s | These routines are used to change the name of an LDAP entry. |
| ldap_add, ldap_add_s | These are used to add entries to the LDAP directory. |
| ldap_delete, ldap_delete_s | These are used to delete entries from the LDAP directory. |
| ldap_abandon | This is used to abandon an operation in progress. |
| ldap_result | This is used to obtain the result of a previous asynchronously initiated operation. |
| ldap_result2error, ldap_err2string and ldap_perror | These APIs are used to interpret errors returned by other APIs. |
| ldap_first_entry and ldap_next_entry | These routines are used to step through a set of entries in a search result. |
| ldap_count_entries | This is used to count the number of entries returned. |
| ldap_first_attribute and ldap_next_attribute | These APIs are used to step through the list of attribute types returned with an entry. |
| ldap_get_values and ldap_get_values_len | These APIs are used to retrieve the values of a given attribute from an entry. |
| ldap_get_dn | This is used to retrieve the name (DN) of an entry. |
| ldap_explode_dn | This is used to break up the name into its component parts. |
| ldap_dn2ufn | This API converts the DN into the user-friendly format. |
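The four steps above and the calls in the table, put together into a small client, as an added example that is neither from the original page nor from RFC 1823 or OpenLDAP: it opens a connection, binds, searches for one user by uid, walks the entries and attributes, and unbinds, using the RFC 1823 names as OpenLDAP's libldap still provides them (libldap hides them unless LDAP_DEPRECATED is defined). The function names lookup_user, build_uid_filter and escape_filter_value are this example's own, and the host, bind DN, base DN and credentials are command-line placeholders. Two checks the text does not spell out are included: the uid is escaped before it is spliced into the search filter, because an unescaped value such as *)(uid=* turns the lookup into an LDAP injection, and an empty password is rejected before the bind, because a simple bind with a DN and an empty password is an "unauthenticated bind" that many servers treat as anonymous while still reporting success. The ldap_set_option() call is a later addition to the API, not part of RFC 1823.

```c
#include <stdio.h>
#include <string.h>

/* RFC 4515 escaping for a value placed inside a search filter: '*', '(', ')', '\'
 * and control bytes become \xx.  Without it a value such as "*)(uid=*" turns a
 * one-user lookup into a filter matching every entry.  Returns length or -1. */
int escape_filter_value(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        int special = *p == '*' || *p == '(' || *p == ')' || *p == '\\' || *p < 0x20;
        if (n + (special ? 3u : 1u) + 1 > outsz)
            return -1;
        if (special) { out[n++] = '\\'; out[n++] = hex[*p >> 4]; out[n++] = hex[*p & 15]; }
        else out[n++] = (char)*p;
    }
    out[n] = '\0';
    return (int)n;
}

/* "(uid=<escaped uid>)" in a static buffer (demo only, not re-entrant); NULL if too long. */
const char *build_uid_filter(const char *uid)
{
    static char filter[300];
    char esc[256];
    if (escape_filter_value(uid, esc, sizeof esc) < 0) return NULL;
    snprintf(filter, sizeof filter, "(uid=%s)", esc);
    return filter;
}

/* The client needs libldap (-lldap -llber) and is compiled only where <ldap.h> exists. */
#if defined(__has_include) && __has_include(<ldap.h>)
#define HAVE_LDAP_H 1
#endif

#ifdef HAVE_LDAP_H
#define LDAP_DEPRECATED 1   /* OpenLDAP hides the RFC 1823 names otherwise */
#include <ldap.h>

/* Steps 1-4: open, bind, search, unbind.  Returns the entry count, or -1. */
int lookup_user(const char *host, const char *bind_dn, const char *bind_pw,
                const char *base, const char *uid)
{
    char *attrs[] = { "cn", "mail", NULL };
    LDAPMessage *res = NULL, *e;
    int rc, count, version = LDAP_VERSION3;
    const char *filter = build_uid_filter(uid);
    /* A DN with an empty password is an "unauthenticated bind": many servers treat
     * it as anonymous yet return LDAP_SUCCESS, so it must never reach the bind. */
    if (filter == NULL || bind_pw[0] == '\0') return -1;
    /* Step 1: open.  ldap_open() speaks plain LDAP on port 389. */
    LDAP *ld = ldap_open(host, LDAP_PORT);
    if (ld == NULL) { perror("ldap_open"); return -1; }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); /* slapd refuses v2 by default */
    /* Step 2: simple bind.  The password crosses the wire in clear text here;
     * production code binds only over TLS (port 636). */
    rc = ldap_simple_bind_s(ld, bind_dn, bind_pw);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "bind: %s\n", ldap_err2string(rc));
        ldap_unbind(ld); return -1;
    }
    /* Step 3: synchronous search (_s blocks until all results are in), then walk it. */
    rc = ldap_search_s(ld, base, LDAP_SCOPE_SUBTREE, filter, attrs, 0, &res);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "search: %s\n", ldap_err2string(rc));
        if (res != NULL) ldap_msgfree(res);
        ldap_unbind(ld); return -1;
    }
    count = ldap_count_entries(ld, res);
    for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
        BerElement *ber = NULL; char *dn = ldap_get_dn(ld, e);
        printf("dn: %s\n", dn);
        ldap_memfree(dn);
        for (char *a = ldap_first_attribute(ld, e, &ber); a; a = ldap_next_attribute(ld, e, ber)) {
            char **vals = ldap_get_values(ld, e, a);
            for (int i = 0; vals != NULL && vals[i] != NULL; i++)
                printf("  %s: %s\n", a, vals[i]);
            ldap_value_free(vals);
            ldap_memfree(a);
        }
        if (ber != NULL) ber_free(ber, 0);
    }
    ldap_msgfree(res);
    ldap_unbind(ld);                                  /* Step 4: close. */
    return count;
}
#endif

int main(int argc, char **argv)
{
    if (argc != 6) { fprintf(stderr, "usage: %s host bind-dn password base-dn uid\n", argv[0]); return 2; }
#ifdef HAVE_LDAP_H
    return lookup_user(argv[1], argv[2], argv[3], argv[4], argv[5]) < 0 ? 1 : 0;
#else
    fputs("built without <ldap.h>: install libldap and rebuild to run the client\n", stderr); return 1;
#endif
}
```

Build with cc client.c -lldap -llber on a machine with the OpenLDAP development headers and run it as ./client ldap.example.com "cn=reader,dc=example,dc=com" password "dc=example,dc=com" bjensen (all placeholder values). The synchronous ldap_search_s() is used for simplicity; the asynchronous form would call ldap_search() and then ldap_result() with the returned message ID, and ldap_abandon() to cancel. The escaping helper compiles without libldap, which is what lets it be unit-tested on its own.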