LDAP
LDAP (Lightweight Directory Access Protocol) is an application-layer network protocol for querying and modifying the data of a directory service over TCP/IP. It is an open, vendor-neutral, industry-standard protocol. LDAP was developed by the IETF as a lightweight alternative to the ITU-T Directory Access Protocol (DAP).
A common use of LDAP is to provide a single store for usernames and passwords, so that different services and applications can query the LDAP server to validate users. In practice an application validates a password by binding to the server as that user and checking the bind result; it does not read the stored password.
LDAP is a relatively simple protocol that runs over TCP/IP and provides authentication (bind), search and compare operations, as well as add, modify and delete of entries. An LDAP server normally listens on TCP port 389. LDAPv3 as specified in RFC 4511 runs over TCP only; UDP port 389 belongs to the connectionless variant CLDAP (RFC 1798, since moved to Historic status by RFC 3352), which Active Directory still uses for rootDSE discovery. Sessions wrapped in TLS from the first byte (LDAPS) normally use port 636; alternatively a plain connection on port 389 can be upgraded with the StartTLS extended operation (RFC 4511, RFC 4513). Without one of the two, a simple bind carries the password in cleartext on the wire.
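As an added example (not part of the original article and not taken from any LDAP library), the following Python builds the BER-encoded LDAPMessage that a client sends for an LDAPv3 simple bind, as laid out in RFC 4511 section 4.2, and parses it back the way a passive observer on port 389 would. It makes the cleartext credential exposure of a non-TLS bind concrete, and it classifies the three simple-bind forms of RFC 4513 section 5.1, where the unauthenticated form (a DN with an empty password) is the one behind many application login bypasses. No network I/O is performed; the DN cn=admin,dc=example,dc=com and the password are constructed test values.

```python
"""Wire format of an LDAPv3 simple bind (RFC 4511 section 4.2).

Added example, independent of the article.  Encodes and decodes the BER
LDAPMessage so the cleartext password in a non-TLS bind is visible byte by
byte.  All DNs and passwords used here are constructed test values.
"""
from __future__ import annotations

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80       # AuthenticationChoice: simple [0] OCTET STRING
LDAP_VERSION = 3


def ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, else 0x80|count + big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER in minimal two's complement (leading 0x00 if the high bit is set)."""
    return ber_tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple(password) } }."""
    bind = (ber_int(LDAP_VERSION)
            + ber_tlv(OCTET_STRING, name.encode("utf-8"))
            + ber_tlv(SIMPLE_AUTH, password.encode("utf-8")))
    return ber_tlv(SEQUENCE, ber_int(message_id) + ber_tlv(BIND_REQUEST, bind))


def ber_read(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one TLV starting at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(data: bytes) -> dict:
    """Inverse of encode_simple_bind: what a sniffer on port 389 recovers without TLS."""
    tag, msg, _ = ber_read(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(msg, 0)
    tag_op, op, _ = ber_read(msg, pos)
    if tag_op != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = ber_read(op, 0)
    _, name, pos = ber_read(op, pos)
    tag_auth, cred, _ = ber_read(op, pos)
    if tag_auth != SIMPLE_AUTH:
        raise ValueError("not a simple bind (SASL choice)")
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "name": name.decode("utf-8"),
            "password": cred.decode("utf-8")}


def classify_simple_bind(name: str, password: str) -> str:
    """RFC 4513 section 5.1: anonymous (both empty), unauthenticated (name only),
    or name/password.  An application that binds with the user's DN and an empty
    password may get a success result from a server that accepts the unauthenticated
    form, which is why the check belongs on the client side too."""
    if not name and not password:
        return "anonymous"
    if name and not password:
        return "unauthenticated"
    return "name/password"


if __name__ == "__main__":
    pdu = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "s3cret")
    print(pdu.hex())                 # the password is readable in the dump
    print(decode_simple_bind(pdu))
```

The PDU starts with 30 2c 02 01 01 60 27 02 01 03: a 44-byte SEQUENCE, message ID 1, a 39-byte BindRequest, version 3, then the DN and the password as plain OCTET STRINGs. Refusing to send a bind on a connection that has not completed StartTLS, and rejecting empty passwords before binding, are the two client-side checks this exposes.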
Every entry in an LDAP directory consists of one or more attributes and has a unique distinguished name (DN). A distinguished name may look, for example, like this: <>. A DN consists of one or more relative distinguished names (RDNs) separated by commas. An RDN has the form AttributeName=value. No two entries at the same level of the directory may have the same RDN. Because of this structure of the DN, the entries of an LDAP directory form a tree.
An entry may contain only those attributes that are defined in the description of its object class; object classes are in turn collected into a schema. The schema defines which attributes are mandatory for a given class and which are optional, as well as the attribute types and their comparison (matching) rules. Each attribute of an entry may hold several values.
As a rule, an LDAP directory follows the X.500 model: it consists of a tree of entries, each of which consists of a set of named attributes with values. Some services support a more elaborate <> model, but most have only a single root entry.
Depending on the model chosen, an LDAP directory often mirrors political, geographic and/or organizational boundaries. Deployed LDAP systems tend to use DNS domain names to structure the top levels of the hierarchy. At lower levels the directory may contain entries for people, organizational units, printers, documents, groups of people, or anything else that an entry or a set of entries is meant to represent.
The current version of the protocol is LDAPv3. The LDAPv3 standard is defined by a set of IETF documents, as laid out in RFC 4510.
The protocol provides an interface to directories that follow the 1993 edition of the X.500 standard:
- An entry consists of a set of attributes.
- An attribute has a name, which can be either an attribute type or an attribute description (in effect a short name for the attribute), and one or more values. Attributes are defined in the schema.
- Each entry has a unique identifier: its distinguished name (DN). A DN consists of one or more relative distinguished names (RDNs), each built from one or more attributes of the entry. One can think of the DN as the full path to a file and the RDN as the file name within its parent directory (for example, if /foo/bar/myfile.txt were a DN, myfile.txt would be the RDN), with the difference that a DN is written leaf first, the reverse of a file path.
Attribute descriptions are covered in section 3 of RFC 4514:
Implementations MUST recognize AttributeType name strings
(descriptors) listed in the following table, but MAY recognize other
name strings.
String  X.500 AttributeType
------  --------------------------------------------
CN      commonName (2.5.4.3)
L       localityName (2.5.4.7)
ST      stateOrProvinceName (2.5.4.8)
O       organizationName (2.5.4.10)
OU      organizationalUnitName (2.5.4.11)
C       countryName (2.5.4.6)
STREET  streetAddress (2.5.4.9)
DC      domainComponent (0.9.2342.19200300.100.1.25)
UID     userId (0.9.2342.19200300.100.1.1)
Attribute names, both attribute types and attribute descriptions, are listed and described in RFC 4519.
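The DN structure described above and the RFC 4514 descriptor table together determine how a DN string has to be parsed and compared. The following Python is an added example, not from the article and not the code of any LDAP implementation: it parses a DN into RDNs while decoding the RFC 4514 escapes, normalizes the nine mandatory descriptors (accepting their numeric OIDs as well), and compares two DNs structurally, which is what an authorization check such as "is the bound user the admin entry?" needs instead of string equality. Case folding of values stands in for the caseIgnore matching rules RFC 4519 assigns to these nine attributes; full RFC 4518 string preparation is not applied. All sample DNs are constructed.

```python
"""RFC 4514 distinguished-name parsing and structural comparison.

Added example, independent of the article and of any LDAP library.  Case
folding of values stands in for the caseIgnore matching rules of RFC 4519;
RFC 4518 string preparation (space compression, Unicode mapping) is skipped.
"""
from __future__ import annotations

# The nine descriptors every RFC 4514 implementation must recognize, with OIDs.
DESCRIPTORS = {
    "cn": "2.5.4.3", "l": "2.5.4.7", "st": "2.5.4.8", "o": "2.5.4.10",
    "ou": "2.5.4.11", "c": "2.5.4.6", "street": "2.5.4.9",
    "dc": "0.9.2342.19200300.100.1.25", "uid": "0.9.2342.19200300.100.1.1",
}
OID_TO_DESCRIPTOR = {oid: name for name, oid in DESCRIPTORS.items()}
CASE_IGNORE = set(DESCRIPTORS)          # all nine use a caseIgnore* rule (RFC 4519)
HEX = set("0123456789abcdefABCDEF")

RDN = list[tuple[str, str]]             # one RDN: one or more (type, value) pairs


def normalize_type(attr_type: str) -> str:
    """Lower-case a descriptor, or map a numeric OID back to its descriptor."""
    t = attr_type.strip().lower()
    return OID_TO_DESCRIPTOR.get(t, t)


def parse_dn(dn: str) -> list[RDN]:
    """Split a DN into RDNs (leaf first, as written), decoding RFC 4514 escapes.

    Handles '\\x' and '\\XX' hex-pair escapes (multi-byte UTF-8 via adjacent
    pairs), multi-valued RDNs joined with '+', and unescaped spaces around
    separators.  Malformed input raises ValueError rather than being guessed at.
    """
    if not dn.strip():
        return []                       # the empty DN names the root DSE
    rdns: list[RDN] = [[]]
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError("RDN without '='")
        attr_type = normalize_type(dn[i:eq])
        if not attr_type:
            raise ValueError("empty attribute type")
        i = eq + 1
        chunks: list[tuple[bytes, bool]] = []   # (raw bytes, was-escaped)
        while i < n and dn[i] not in ",+":
            if dn[i] != "\\":
                chunks.append((dn[i].encode("utf-8"), False)); i += 1
            elif i + 2 < n and dn[i + 1] in HEX and dn[i + 2] in HEX:
                chunks.append((bytes.fromhex(dn[i + 1:i + 3]), True)); i += 3
            elif i + 1 < n:
                chunks.append((dn[i + 1].encode("utf-8"), True)); i += 2
            else:
                raise ValueError("dangling backslash")
        # Unescaped leading/trailing spaces are separators' padding, not value.
        while chunks and chunks[0] == (b" ", False):
            chunks.pop(0)
        while chunks and chunks[-1] == (b" ", False):
            chunks.pop()
        rdns[-1].append((attr_type, b"".join(b for b, _ in chunks).decode("utf-8")))
        if i < n:
            if dn[i] == ",":
                rdns.append([])
            i += 1                          # consume ',' or '+'
    if not rdns[-1]:
        raise ValueError("trailing separator")
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape a raw value per RFC 4514 section 2.4 for embedding in a DN string."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def canonical_dn(dn: str) -> tuple:
    """Hashable canonical form: types normalized, caseIgnore values folded,
    AVAs within an RDN sorted because their order is not significant."""
    return tuple(
        tuple(sorted((t, v.lower() if t in CASE_IGNORE else v) for t, v in rdn))
        for rdn in parse_dn(dn)
    )


def dn_equal(a: str, b: str) -> bool:
    """Structural comparison; plain string equality gets case, spacing and escaping wrong."""
    return canonical_dn(a) == canonical_dn(b)


def is_valid_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_dn(r"CN=Doe\, John,OU=Sales+L=Kyiv,DC=example,DC=com"))
    print(dn_equal("cn=admin,dc=example,dc=com", "CN=Admin, DC=EXAMPLE, dc=com"))
```

The last two test cases are the security-relevant ones: the same admin entry written with different case and spacing compares equal only structurally, and a DN whose comma is escaped has one RDN fewer than it appears to, so a substring or string-equality check on "dc=example,dc=com" would accept an entry that is not under that suffix at all.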
Telecommunications companies brought the concept of a directory service into information technology and computer networks as they understood it from roughly 70 years of experience with telephone directories. The result was the X.500 specifications, a set of protocols developed by the ITU in the 1980s.
X.500 directory services were accessed through the X.500 Directory Access Protocol (DAP), which used the Open Systems Interconnection (OSI) protocol stack. LDAP was designed to make X.500 directory services accessible over the simpler TCP/IP protocol stack.
LDAP is described in a series of Request for Comments documents:
- RFC 4510 -- LDAP: Technical Specification Road Map (Obsoletes RFC 2251, RFC 2252, RFC 2253, RFC 2254, RFC 2255, RFC 2256, RFC 2829, RFC 2830, RFC 3377, RFC 3771)
- RFC 4511 -- LDAP: The Protocol (Obsoletes RFC 2251, RFC 2830 and RFC 3771)
- RFC 4512 -- LDAP: Directory Information Models (Obsoletes RFC 2251, RFC 2252, RFC 2256 and RFC 3674)
- RFC 4513 -- LDAP: Authentication Methods and Security Mechanisms (Obsoletes RFC 2251, RFC 2829 and RFC 2830)
- RFC 4514 -- LDAP: String Representation of Distinguished Names (Obsoletes RFC 2253)
- RFC 4515 -- LDAP: String Representation of Search Filters (Obsoletes RFC 2254)
- RFC 4516 -- LDAP: Uniform Resource Locator (Obsoletes RFC 2255)
- RFC 4517 -- LDAP: Syntaxes and Matching Rules (Obsoletes RFC 2252 and RFC 2256; Updates RFC 3698)
- RFC 4518 -- LDAP: Internationalized String Preparation
- RFC 4519 -- LDAP: Schema for User Applications (Obsoletes RFC 2256; Updates RFC 2247, RFC 2798 and RFC 2377)
The following RFCs describe LDAP-specific Best Current Practices:
- RFC 4520 (also BCP 64) -- Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP) (Obsoletes RFC 3383)
- RFC 4521 (also BCP 118) -- Considerations for Lightweight Directory Access Protocol (LDAP) Extensions
An incomplete list of RFCs that define LDAPv3 extensions:
- RFC 2247 -- Use of DNS domains in distinguished names (Updated by RFC 4519 and RFC 4524)
- RFC 2307 -- Using LDAP as a Network Information Service
- RFC 2589 -- LDAPv3: Dynamic Directory Services Extensions
- RFC 2649 -- LDAPv3 Operational Signatures
- RFC 2696 -- LDAP Simple Paged Result Control
- RFC 2798 -- inetOrgPerson LDAP Object Class (Updated by RFC 3698, RFC 4519 and RFC 4524)
- RFC 2830 -- LDAPv3: Extension for Transport Layer Security
- RFC 2849 -- The LDAP Data Interchange Format (LDIF)
- RFC 2891 -- Server Side Sorting of Search Results
- RFC 3045 -- Storing Vendor Information in the LDAP root DSE
- RFC 3062 -- LDAP Password Modify Extended Operation
- RFC 3296 -- Named Subordinate References in LDAP Directories
- RFC 3671 -- Collective Attributes in LDAP
- RFC 3672 -- Subentries in LDAP
- RFC 3673 -- LDAPv3: All Operational Attributes
- RFC 3687 -- LDAP Component Matching Rules
- RFC 3698 -- LDAP: Additional Matching Rules
- RFC 3829 -- LDAP Authorization Identity Request and Response Controls
- RFC 3866 -- Language Tags and Ranges in LDAP
- RFC 3909 -- LDAP Cancel Operation
- RFC 3928 -- LDAP Client Update Protocol (LCUP)
- RFC 4370 -- LDAP Proxied Authorization Control
- RFC 4373 -- LDAP Bulk Update/Replication Protocol (LBURP)
- RFC 4403 -- LDAP Schema for Universal Description, Discovery, and Integration version 3 (UDDIv3)
- RFC 4522 -- LDAP: Binary Encoding Option
- RFC 4523 -- LDAP: X.509 Certificate Schema
- RFC 4524 -- LDAP: COSINE (Co-operation and Open Systems Interconnection in Europe) Schema (Obsoletes RFC 1274)
- RFC 4525 -- LDAP: Modify-Increment Extension
- RFC 4526 -- LDAP: Absolute True and False Filters
- RFC 4527 -- LDAP: Read Entry Controls
- RFC 4528 -- LDAP: Assertion Control
- RFC 4529 -- Requesting Attributes by Object Class in the Lightweight Directory Access Protocol (LDAP)
- RFC 4530 -- LDAP: entryUUID Operational Attribute
- RFC 4531 -- LDAP Turn Operation (reverses the client and server roles)
- RFC 4532 -- LDAP <> Operation
- RFC 4533 -- LDAP Content Synchronization Operation
- RFC 4876 -- Configuration Profile Schema for LDAP-Based Agents
- RFC 5020 -- LDAP entryDN Operational Attribute
LDAPv2 was specified in the following RFCs:
- RFC 1777 -- Lightweight Directory Access Protocol (Obsoletes RFC 1487)
- RFC 1778 -- The String Representation of Standard Attribute Syntaxes (Obsoletes RFC 1488)
- RFC 1779 -- A String Representation of Distinguished Names (Obsoletes RFC 1485)
LDAPv2 was moved to Historic status by the following RFC:
- RFC 3494 -- Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status