LDAP

Material from Wikipedia, the free encyclopedia

LDAP
Standards body: Internet Engineering Task Force (IETF)

LDAP (Lightweight Directory Access Protocol) is an application-layer protocol for accessing the X.500 directory service, developed by the IETF as a lightweight variant of the ITU-T DAP protocol. LDAP is a relatively simple protocol that runs over TCP/IP and supports the authentication (bind), search and compare operations, as well as adding, modifying and deleting entries. An LDAP server normally accepts incoming connections on port 389 over TCP or UDP. LDAP sessions encapsulated in SSL normally use port 636.

Description

Every entry in an LDAP directory consists of one or more attributes and has a unique name, the distinguished name (DN). A distinguished name might look, for example, like this: «»[1]. A distinguished name is made up of one or more relative distinguished names (RDNs) separated by commas. A relative distinguished name has the form AttributeName=value. Two entries at the same level of the directory cannot have the same relative distinguished name. Because of this structure of the distinguished name, the entries of an LDAP directory are easily represented as a tree.

An entry may contain only the attributes defined in the description of its object class; object classes are in turn grouped into schemas. The schema defines which attributes are mandatory for a given class and which are optional. The schema also defines the type of each attribute and its comparison (matching) rules. Each attribute of an entry may hold several values.

Standards

The LDAP protocol is defined in the following RFCs:

  • RFC 4510 -- Lightweight Directory Access Protocol (LDAP): Technical Specification Roadmap (replaces RFC 3377)
  • RFC 4511 -- Lightweight Directory Access Protocol (LDAP): The Protocol
  • RFC 4512 -- Lightweight Directory Access Protocol (LDAP): Directory Information Models
  • RFC 4513 -- Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms
  • RFC 4514 -- Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names
  • RFC 4515 -- Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters
  • RFC 4516 -- Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator
  • RFC 4517 -- Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules
  • RFC 4518 -- Lightweight Directory Access Protocol (LDAP): Internationalized String Preparation
  • RFC 4519 -- Lightweight Directory Access Protocol (LDAP): Schema for User Applications
  • RFC 4520 (aka BCP 64) -- Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP) (replaces RFC 3383)
  • RFC 4521 (aka BCP 118) -- Considerations for Lightweight Directory Access Protocol (LDAP): Extension

Besides the protocol itself, there are higher-level international standards describing everything related to the system-integration model and to the Directory, which is accessed through LDAP and DAP:

  • Recommendation ITU-T X.200 (1994) | ISO/IEC 7498-1:1994, Information technology -- Open Systems Interconnection -- Basic Reference Model: The basic model.
  • Recommendation ITU-T X.500 (2019) | ISO/IEC 9594-1:2020, Information technology -- Open Systems Interconnection -- The Directory: Overview of concepts, models and services.
  • Recommendation ITU-T X.501 (2019) | ISO/IEC 9594-2:2020, Information technology -- Open Systems Interconnection -- The Directory: Models.
  • Recommendation ITU-T X.509 (2019) | ISO/IEC 9594-8:2020, Information technology -- Open Systems Interconnection -- The Directory: Public-key and attribute certificate frameworks.
  • Recommendation ITU-T X.511 (2019) | ISO/IEC 9594-3:2020, Information technology -- Open Systems Interconnection -- The Directory: Abstract service definition.
  • Recommendation ITU-T X.518 (2019) | ISO/IEC 9594-4:2020, Information technology -- Open Systems Interconnection -- The Directory: Procedures for distributed operation.
  • Recommendation ITU-T X.519 (2019) | ISO/IEC 9594-5:2020, Information technology -- Open Systems Interconnection -- The Directory: Protocol specifications.
  • Recommendation ITU-T X.520 (2019) | ISO/IEC 9594-6:2020, Information technology -- Open Systems Interconnection -- The Directory: Selected attribute types.
  • Recommendation ITU-T X.521 (2019) | ISO/IEC 9594-7:2020, Information technology -- Open Systems Interconnection -- The Directory: Selected object classes.
  • Recommendation ITU-T X.525 (2019) | ISO/IEC 9594-9:2020, Information technology -- Open Systems Interconnection -- The Directory: Replication.

Functional description of the protocol

The LDAP protocol defines the following operations for working with the Directory:

  • Connect/disconnect operations
    • Bind -- associates the client with a particular Directory object (actual or virtual) so that access control can be applied to all subsequent read/write operations. To work with the Directory, the client must authenticate as an object whose distinguished name lies within the namespace described by the Directory. In the bind request the client may omit the distinguished name, in which case the connection is made under the special anonymous pseudonym (usually something like a guest account with minimal rights)
    • Unbind -- lets the client, within a session with the LDAP server, switch to authentication under a new distinguished name. The unbind command is only possible after authenticating to the server with bind; otherwise the unbind call returns an error
  • Search -- reads data from the Directory. A complex operation that takes many parameters, the main ones being:
    • Search base (baseDN) -- the branch of the DIT from which the search starts
    • Search scope (scope) -- may take the values (in order of increasing coverage): base, one, sub
      • base -- search only the node that is the search base itself
      • one -- search all nodes that are direct children of the base node in the hierarchy, that is, one level below it
      • sub -- search the whole subtree below the search base (baseDN)
    • Search filter (searchFilter) -- an expression defining the criteria for selecting directory objects within the area set by the scope parameter. A search filter expression is written in Polish (prefix) notation and consists of logical (Boolean) operators and operands, the operands being internal operators that match LDAP attribute values (on the left) against expressions (on the right) using the equals sign.

The logical operators are the standard set: & (logical AND), | (logical OR) and ! (logical NOT).

Example of a search filter:

(&(!(entryDN:dnSubtreeMatch:=dc=Piter,dc=Russia,ou=People,dc=example,dc=com))(objectClass=sambaSamAccount)(|(sn=Lazar*)(uid=Nakhims*)))
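The prefix notation above is easy to parse with a small recursive-descent routine, and the same RFC 4515 rules say which characters must be hex-escaped inside an assertion value so that user input can never change the structure of a filter. The following Python is an added example written for this article; it is not code from the article or from any LDAP server. It parses the article's example filter into a tree, and `account_filter` (a hypothetical helper) shows the escaping applied to a value before it is spliced into a filter.

```python
"""RFC 4515 search filters: parse the prefix-notation string into a tree and escape
untrusted values before splicing them into a filter.
Added example for this article, not code from the article or from any LDAP server."""

# RFC 4515 requires these characters to be hex-escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only match literally and cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_filter(text: str):
    """Parse a filter into nested tuples: ('&'|'|'|'!', [children]) or ('item', 'attr=value')."""

    def parse(i: int):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i]
        if op in "&|!":                     # prefix operator followed by its operands
            children, i = [], i + 1
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children), i + 1
        end = text.index(")", i)            # simple item: everything up to the closing paren
        return ("item", text[i:end]), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after the filter")
    return node


def account_filter(uid: str) -> str:
    """Hypothetical helper: build the filter for one account from user input;
    the value is escaped, never concatenated raw."""
    return f"(&(objectClass=sambaSamAccount)(uid={escape_filter_value(uid)}))"


# The article's example filter, joined onto one line
EXAMPLE_FILTER = (
    "(&(!(entryDN:dnSubtreeMatch:=dc=Piter,dc=Russia,ou=People,dc=example,dc=com))"
    "(objectClass=sambaSamAccount)(|(sn=Lazar*)(uid=Nakhims*)))"
)

if __name__ == "__main__":
    print(parse_filter(EXAMPLE_FILTER))
    print(account_filter("Nakhims*)"))   # the '*' and ')' come out as \2a and \29
```

The parser accepts exactly the three operators the article lists; `!` is checked to have a single operand, and a filter with trailing characters is rejected rather than silently truncated. Because `escape_filter_value` turns `*`, `(`, `)` and `\` into their `\xx` forms, an escaped value always parses as one `item` node.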

  • Modification operations -- change data in the Directory; modification covers adding, deleting and moving whole entries as well as editing entries at the level of their attributes. Subtypes of modification:
    • Add -- adds a new entry
    • Delete -- deletes an entry
    • Modify RDN (modrdn) -- moves/copies an entry
    • Modify entry (modify) -- edits an entry at the level of its attributes,
      • adding a new attribute or a new value of a multi-valued attribute (add)
      • deleting an attribute with all of its values (delete)
      • replacing one attribute value with another (replace)
      • and also incrementing (or decrementing) an attribute value as an atomic operation (increment)
  • Compare -- for a given distinguished name, compares a chosen attribute with a given value
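The DN structure from the Description section (RDNs separated by commas, no two siblings with the same RDN, entries forming a tree) and the three search scopes listed above can both be made concrete with a little code. The following Python is an added example written for this article, not code from the article; every DN in it is constructed sample data, and attribute values are compared byte-for-byte, which is a simplification (a real server applies the attribute's matching rule from the schema). Multi-valued RDNs (`a=1+b=2`) are not handled.

```python
"""Distinguished names (RFC 4514), the entry tree and search scope.
Added example for this article, not code from the article; all DNs below are
constructed sample data, and attribute values are compared byte-for-byte (a
simplification: real servers apply the attribute's matching rule)."""


def split_unescaped(text: str, sep: str) -> list:
    """Split on sep while honouring backslash escapes (RFC 4514 allows '\\,' inside a value)."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> list:
    """Return [(attribute, value), ...], most specific RDN first, root suffix last.
    The empty DN (the root DSE) parses to an empty list."""
    if not dn.strip():
        return []
    rdns = []
    for rdn in split_unescaped(dn, ","):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value))   # attribute names are case-insensitive
    return rdns


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN to get the parent entry's DN."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


def build_tree(dns) -> dict:
    """Nest entries by their RDN path from the root. An RDN is a dict key under its
    parent, which is exactly the rule that siblings cannot share an RDN."""
    root = {}
    for dn in dns:
        node = root
        for attr, value in reversed(parse_dn(dn)):
            node = node.setdefault(f"{attr}={value}", {})
    return root


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the search scope from the article: base, one (direct children) or sub (whole subtree)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                  # entry is not under the base at all
    depth = len(entry) - len(base)    # 0 means the entry is the base itself
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


if __name__ == "__main__":
    sample = ["uid=jdoe,ou=People,dc=example,dc=com",
              "uid=asmith,ou=People,dc=example,dc=com",
              "cn=admins,ou=Groups,dc=example,dc=com"]
    print(build_tree(sample))
    print([dn for dn in sample if in_scope(dn, "ou=People,dc=example,dc=com", "one")])
```

`in_scope` compares the entry's trailing RDNs with the base and then only looks at the remaining depth: 0 for `base`, exactly 1 for `one`, anything for `sub`. An empty base DN (the root DSE) makes every entry fall under a `sub` search, which is why the capability query below pairs base `""` with scope `base` rather than `sub`.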

Capability query operation

The LDAP standard defines a special operation that lets clients obtain information about the protocol versions the server supports and the capabilities of the LDAP server. This command is built on top of (an extension of) the search operation and is performed with the following combination of search parameters:

  • anonymous BIND
  • search base baseDN given as "" (empty string)
  • search scope given as base
  • search filter: (objectClass=*)
  • list of requested attributes: either an explicit list, or "+" (NOTE: "*" will not show the values of the operational attributes, which are the ones that carry all the useful information)

For example, with the LDAP client shipped with OpenLDAP the capability query command might look like this:

ldapsearch -x -H ldap://host:port -LLL -b "" -s base '(objectClass=*)' supportedControls supportedCapabilities

Schema query operation

To query information about the schema in force in an LDAP directory, first perform the capability query operation and obtain the value of the subschemaSubentry attribute.

ldapsearch -x -H ldap://host:port -LLL -s base -b "" '(objectClass=*)' subschemaSubentry

The value obtained is used as the search base distinguished name (baseDN) in the schema query operation, which can be described as follows:

  • BIND anonymous or full. Most directory servers allow the schema to be queried without a prior BIND, but there are exceptions (for example, Active Directory);
  • search base baseDN equal to the value of the subschemaSubentry attribute returned by the capability query operation;
  • search scope given as base;
  • search filter: (objectClass=*);
  • list of requested attributes: an explicit list of attributes (attributeTypes, objectClasses) works for all directory servers; for OpenLDAP and some others (OpenDS, ApacheDS, etc.) "+" may be specified;

For example, with the LDAP client shipped with OpenLDAP the schema query operation might look like this:

ldapsearch -x -H ldap://host:port -LLL -s base -b "cn=Subschema" '(objectClass=*)' ldapSyntaxes matchingRules
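Both ldapsearch commands in the capability and schema query sections send the same two LDAP messages: an anonymous simple bind followed by a base-scope search with the filter (objectClass=*); only the base DN and the attribute list differ. The following Python is an added example written for this article, hand-built from the ASN.1 in RFC 4511; it is not OpenLDAP code and it contacts no server: it encodes the two messages in BER and decodes the search request again, which is also the shape of what a network sensor sees on port 389. Function names (`anonymous_bind`, `base_scope_search`, `describe_search_request`) are this example's own.

```python
"""BER encoding of the LDAP messages behind the two ldapsearch commands above:
an anonymous simple bind, then a base-scope search of the root DSE (base "") or
of the subschema entry (base taken from subschemaSubentry). Hand-built from the
ASN.1 in RFC 4511 as an added example; not OpenLDAP code. No server is contacted;
the bytes are produced and decoded locally."""


def ber_len(n: int) -> bytes:
    """Short form below 128, otherwise 0x80 | number-of-length-bytes then big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER; tag 0x0A gives an ENUMERATED with the same contents."""
    if value == 0:
        return tlv(tag, b"\x00")
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_str(value: str, tag: int = 0x04) -> bytes:
    return tlv(tag, value.encode("utf-8"))


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(0x30, ber_int(message_id) + protocol_op)


def anonymous_bind(message_id: int = 1) -> bytes:
    """BindRequest [APPLICATION 0]: version 3, empty name, empty simple password = anonymous."""
    body = ber_int(3) + ber_str("") + tlv(0x80, b"")   # authentication: simple [0] OCTET STRING
    return ldap_message(message_id, tlv(0x60, body))


def base_scope_search(base: str, attributes, message_id: int = 2) -> bytes:
    """SearchRequest [APPLICATION 3] with scope baseObject and filter (objectClass=*),
    the parameter set the article gives for capability and schema queries."""
    body = (
        ber_str(base)                   # baseObject: "" for the root DSE
        + ber_int(0, tag=0x0A)          # scope: baseObject (0)
        + ber_int(0, tag=0x0A)          # derefAliases: neverDerefAliases (0)
        + ber_int(0)                    # sizeLimit: none
        + ber_int(0)                    # timeLimit: none
        + tlv(0x01, b"\x00")            # typesOnly: FALSE
        + tlv(0x87, b"objectClass")     # filter: present [7] -> (objectClass=*)
        + tlv(0x30, b"".join(ber_str(a) for a in attributes))   # AttributeSelection
    )
    return ldap_message(message_id, tlv(0x63, body))


def decode_tlv(data: bytes):
    """Return (tag, content, remainder) for the first TLV in data."""
    tag, first = data[0], data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return tag, data[offset:offset + length], data[offset + length:]


def decode_tlvs(data: bytes) -> list:
    out = []
    while data:
        tag, content, data = decode_tlv(data)
        out.append((tag, content))
    return out


def describe_search_request(message: bytes) -> dict:
    """Pull out the fields worth logging for a search: message id, base, scope, filter, attributes."""
    tag, content, _ = decode_tlv(message)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    (_, msg_id), (op_tag, op_body) = decode_tlvs(content)[:2]
    if op_tag != 0x63:
        raise ValueError("not a SearchRequest")
    fields = decode_tlvs(op_body)
    return {
        "message_id": int.from_bytes(msg_id, "big", signed=True),
        "base": fields[0][1].decode(),
        "scope": fields[1][1][0],
        "filter_tag": fields[6][0],
        "filter": fields[6][1].decode(),
        "attributes": [v.decode() for _, v in decode_tlvs(fields[7][1])],
    }


if __name__ == "__main__":
    print(anonymous_bind().hex())
    print(describe_search_request(base_scope_search("", ["supportedControls", "supportedCapabilities"])))
    print(describe_search_request(base_scope_search("cn=Subschema", ["ldapSyntaxes", "matchingRules"])))
```

The anonymous bind encodes to the fourteen bytes `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, a sequence worth recognising in captures because it is what any unauthenticated root DSE probe starts with. The decoder is deliberately minimal (no indefinite lengths, no multi-byte tags), which is enough for the two request types shown; anything else should be rejected rather than guessed at.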

Implementations

Server side

LDAP is a widely used standard for accessing directory services. Among freely distributed open-source implementations the best known is the OpenLDAP server; among proprietary ones, the protocol is supported by Active Directory, Microsoft's directory service designed to centralize the management of Windows networks. The IBM Lotus Domino server also includes an LDAP service[2][3]. Other large companies, for example Novell and Sun, offer their own directory-service implementations that support LDAP as the access protocol: OpenDS and, later, OpenDJ.

List of the best-known LDAP servers today:

  1. OpenLDAP
  2. ForgeRock OpenDJ
  3. Novell eDirectory
  4. Apple Open Directory (a fork of the OpenLDAP project)
  5. Microsoft Active Directory
  6. Samba4 LDAP (open-source implementation of MS AD)
  7. RedHat Directory Server
  8. 389 Directory Server (essentially the testing version of the previous one)
  9. Oracle Directory Server
  10. Apache Directory Server
  11. IBM Tivoli Directory Server
  12. IBM Domino LDAP
  13. CommuniGate LDAP

Client side

LDAP clients include both the address books of mail clients and the back ends of various network services (DNS, SMTP, Samba, UTS servers, etc.).

Notes

  1. Description of LDAP parameters. Archived copy of 31 May 2011 on the Wayback Machine (in English)
  2. The Domino LDAP schema. Retrieved 31 October 2010. Archived from the original on 8 June 2013.
  3. Lotus Domino LDAP Configuration Guide. Retrieved 31 October 2010. Archived from the original on 4 March 2016.

Source -- https://ru.wikipedia.org/w/index.php?title=LDAP&oldid=150271897