Web Developer's Virtual Library: Encyclopedia of Web Design Tutorials, Articles and Discussions


Advanced Features of LDAP - Page 7

February 15, 2002

Let's discuss some features that LDAP supports but that are seldom used except by administrators or advanced users.

Asynchronous operations

LDAP supports asynchronous operations on the directory, that is, operations that do not block the caller. Consider an application (LDAP-enabled or otherwise) that, besides its own processing, needs to access external devices such as hard disks or networks frequently. An external device is slow to respond, and the application is forced to wait inside the subroutine that accessed the device until the device responds. This prevents the application from doing any other useful work. Such an application is synchronous in nature.

In the case of asynchronous operation, the call to the device-specific function does not block in the subroutine, so the application can continue with other useful work and is notified later, when the device responds. With LDAP, the operations from the client to the server may block, because the transaction usually happens over a network. To let an LDAP application circumvent this, asynchronous operations are allowed.

The PHP client API does not support asynchronous LDAP operations.
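As an added illustration (not code from the book, and not PHP's LDAP API, which the text notes has no asynchronous calls), the following Python script simulates the model described above: every request is given a message ID, as LDAPMessage does on the wire, the client issues several searches without waiting for any of them, and each result is claimed later by its ID. The directory server, its per-request latencies and its entries are constructed stand-ins, not a real LDAP server.

```python
import queue
import threading
import time

# Constructed stand-in for a directory server: each search takes a fixed,
# per-request delay so that completion order differs from issue order.
SIMULATED_LATENCY = {
    "(uid=alice)": 0.30,
    "(uid=bob)": 0.10,
    "(uid=carol)": 0.20,
}
SIMULATED_ENTRIES = {
    "(uid=alice)": {"dn": "uid=alice,ou=people,dc=example,dc=com", "mail": "alice@example.com"},
    "(uid=bob)": {"dn": "uid=bob,ou=people,dc=example,dc=com", "mail": "bob@example.com"},
    "(uid=carol)": {"dn": "uid=carol,ou=people,dc=example,dc=com", "mail": "carol@example.com"},
}


class AsyncSearchClient:
    """Issues searches without blocking. Each request receives a message ID
    (the role of LDAPMessage.messageID) that is later used to claim its result."""

    def __init__(self):
        self._next_id = 1
        self._lock = threading.Lock()
        self._results = {}            # msgid -> entry returned by the server
        self._done = queue.Queue()    # msgids in the order their responses arrived

    def search_async(self, filt):
        """Send the request and return immediately with its message ID."""
        with self._lock:
            msgid = self._next_id
            self._next_id += 1
        worker = threading.Thread(target=self._serve, args=(msgid, filt), daemon=True)
        worker.start()
        return msgid

    def _serve(self, msgid, filt):
        # Simulated network round trip plus server processing time.
        time.sleep(SIMULATED_LATENCY[filt])
        with self._lock:
            self._results[msgid] = SIMULATED_ENTRIES.get(filt)
        self._done.put(msgid)

    def result(self, msgid, timeout=5.0):
        """Block only now, and only for the one outstanding operation asked for."""
        deadline = time.monotonic() + timeout
        while True:
            with self._lock:
                if msgid in self._results:
                    return self._results.pop(msgid)
            if time.monotonic() >= deadline:
                raise TimeoutError(f"no response for message {msgid}")
            time.sleep(0.01)

    def next_completed(self, timeout=5.0):
        """Message ID of the next response to arrive, whatever its issue order."""
        return self._done.get(timeout=timeout)


def run_demo():
    """Issue three searches at once; return the ID map, the arrival order,
    the entries claimed by ID, and the wall-clock time for all three."""
    client = AsyncSearchClient()
    started = time.monotonic()
    ids = {filt: client.search_async(filt) for filt in SIMULATED_LATENCY}
    # The application is free to do other work here while the server replies.
    arrival_order = [client.next_completed() for _ in ids]
    entries = {filt: client.result(msgid) for filt, msgid in ids.items()}
    elapsed = time.monotonic() - started
    return ids, arrival_order, entries, elapsed


if __name__ == "__main__":
    ids, arrival_order, entries, elapsed = run_demo()
    print("message ids:", ids)
    print("arrival order:", arrival_order)
    print(f"all three answered in {elapsed:.2f}s (serial would take "
          f"{sum(SIMULATED_LATENCY.values()):.2f}s)")
```

The responses arrive in order 2, 3, 1 although they were issued as 1, 2, 3, which is why a real client has to correlate responses by message ID rather than by position, and the three operations together finish in about the time of the slowest one.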

Replication

For those of us who are familiar with replication in databases, this is pretty much the same. In certain deployment scenarios that require near-zero downtime, the LDAP server must be up and serving directory information at all times. This can be achieved by mirroring, or replicating, the information residing on one LDAP server onto one or more other LDAP servers that participate in the replication.

In some large installations there are producer and consumer LDAP servers. Updates are always made on the producer servers and are periodically replicated to the consumer servers, while clients always access the consumer servers. The advantage is that client operations are fast, since clients talk to servers that are not bogged down by the performance overhead associated with updates.

Referral

The referral service allows LDAP servers to distribute, de-centralize, and load-balance their processing. In the simple case of a referral, the LDAP server may choose to redirect the client to another LDAP server for a piece of information that the client requested. This allows for de-centralization because individual organizations within a company need to maintain only the data specific to them, and other servers can redirect queries about an organization to that organization's server. Most client implementations follow these referrals and attempt to fetch the appropriate information, so the whole process is transparent to the user.
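To make the referral chasing that a client performs concrete, here is an added Python example (not from the book, and not a real LDAP library) that follows referral URLs across a constructed two-server directory. It includes the checks a client ought to have before it follows a referral transparently: a hop limit, loop detection, and an allowlist of servers, so that a referral pointing at an unknown host is refused instead of being followed with the user's credentials. The server names, entries and referral URLs are all constructed.

```python
from urllib.parse import unquote, urlparse

# Constructed directory: each server holds part of the tree and refers the
# client elsewhere for parts it does not hold.
DIRECTORY = {
    "ldap.example.com:389": {
        "entries": {"ou=people,dc=example,dc=com": {"ou": "people"}},
        "referrals": {
            "ou=sales,dc=example,dc=com":
                "ldap://sales.example.com:389/ou=sales,dc=example,dc=com",
            # A misconfigured server referring the client back to itself.
            "ou=loop,dc=example,dc=com":
                "ldap://ldap.example.com:389/ou=loop,dc=example,dc=com",
            # A referral to a host that is not one of ours.
            "ou=other,dc=example,dc=com":
                "ldap://unknown-host.invalid:389/ou=other,dc=example,dc=com",
        },
    },
    "sales.example.com:389": {
        "entries": {"ou=sales,dc=example,dc=com": {"ou": "sales", "l": "Boston"}},
        "referrals": {},
    },
}

# Constructed policy: only referrals to these hosts are followed.
ALLOWED_HOSTS = {"ldap.example.com", "sales.example.com"}


class ReferralError(Exception):
    """Raised when a referral cannot or should not be followed."""


def server_lookup(server, dn):
    """One server's answer: ('entry', attrs), ('referral', url) or ('noSuchObject', None)."""
    data = DIRECTORY.get(server)
    if data is None:
        raise ReferralError(f"no route to {server}")
    if dn in data["entries"]:
        return "entry", data["entries"][dn]
    if dn in data["referrals"]:
        return "referral", data["referrals"][dn]
    return "noSuchObject", None


def follow_referrals(start_server, dn, hop_limit=5):
    """Resolve dn starting at start_server, following referrals.
    Returns (result_kind, payload, servers_visited_after_the_first)."""
    server, target = start_server, dn
    visited = set()
    hops = []
    for _ in range(hop_limit + 1):          # the first pass is the original query
        if (server, target) in visited:
            raise ReferralError(f"referral loop at {server} for {target}")
        visited.add((server, target))
        kind, payload = server_lookup(server, target)
        if kind != "referral":
            return kind, payload, hops
        url = urlparse(payload)
        if url.scheme not in ("ldap", "ldaps") or url.hostname not in ALLOWED_HOSTS:
            raise ReferralError(f"refusing referral to {payload}")
        server = f"{url.hostname}:{url.port or 389}"
        # The referral URL may name a different DN; keep the old one if it does not.
        target = unquote(url.path.lstrip("/")) or target
        hops.append(server)
    raise ReferralError(f"hop limit {hop_limit} exceeded resolving {dn}")


if __name__ == "__main__":
    print(follow_referrals("ldap.example.com:389", "ou=sales,dc=example,dc=com"))
    for dn in ("ou=loop,dc=example,dc=com", "ou=other,dc=example,dc=com"):
        try:
            follow_referrals("ldap.example.com:389", dn)
        except ReferralError as err:
            print("refused:", err)
```

Clients that are allowed to rebind automatically when they follow a referral should be treated with the same care as the allowlist above: the bind credentials go to whatever host the referral names, so the set of hosts a client will follow referrals to is part of the deployment's security configuration.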

Security

LDAP directories may store sensitive information such as Social Security numbers, passwords, and private keys. The protocol provides for the safe transfer of such data through SASL, which is flexible enough to accommodate various underlying encryption or certification schemes.

A possible LDAP application is one that alleviates the arduous task of remembering a separate password for each of the several services we access. LDAP-aware services could accept the user's LDAP directory password, obtain the authentication information needed for the particular service from the directory, and carry on from there. Such a scheme is generally called a single sign-on server. Further, LDAP enforces access control over the operations that various users can perform on the directory. We shall see more about access control when we look at configuring the LDAP server in the next section.

Extended Features

In the functional model we saw the nine basic operations that LDAP servers support. LDAPv3 addresses the need to let users extend and customize the protocol. This extensibility is achieved through the following methods:

  • Extended operations
    It is now possible to extend the protocol with operations other than the basic nine. For example, vendors can implement server-side sorting of results or password expiration even though these are not part of the standard. If a client or a server does not understand the new operation, the corresponding operation is ignored.
  • Control information
    Additional information can now be sent along with an LDAP message to alter the action of a basic protocol operation.
  • SASL
    The SASL framework, as we have seen before, allows us to plug in new authentication and security mechanisms as they evolve without modifying the core protocol.
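The control mechanism in the second bullet is a small, fixed structure, so here is an added Python example (not the book's code) that encodes and decodes an LDAPv3 Control in BER as the protocol defines it, SEQUENCE { controlType OCTET STRING, criticality BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL }, and applies the server-side rule that goes with it (RFC 2251 section 4.1.12): a control the server does not recognise is ignored, unless the client marked it critical, in which case the whole operation fails with unavailableCriticalExtension. The set of supported OIDs and the opaque control value in the demo are constructed; the server-side sort control OID 1.2.840.113556.1.4.473 is the one defined in RFC 2891.

```python
SORT_CONTROL_OID = "1.2.840.113556.1.4.473"   # server-side sort request, RFC 2891

# BER universal tags used by the Control structure.
TAG_BOOLEAN, TAG_OCTET_STRING, TAG_SEQUENCE = 0x01, 0x04, 0x30


def ber_length(n):
    """Definite-form length: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def encode_control(oid, criticality=False, value=None):
    """Encode one Control. criticality is omitted when FALSE (its DEFAULT)."""
    body = tlv(TAG_OCTET_STRING, oid.encode("ascii"))
    if criticality:
        body += tlv(TAG_BOOLEAN, b"\xff")
    if value is not None:
        body += tlv(TAG_OCTET_STRING, value)
    return tlv(TAG_SEQUENCE, body)


def read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def decode_control(buf):
    """Decode one Control; returns (oid, criticality, value_or_None)."""
    tag, body, end = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a single Control SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != TAG_OCTET_STRING:
        raise ValueError("controlType must be an OCTET STRING")
    criticality, value = False, None
    if pos < len(body) and body[pos] == TAG_BOOLEAN:
        _, flag, pos = read_tlv(body, pos)
        criticality = flag != b"\x00"          # BER: any non-zero byte is TRUE
    if pos < len(body) and body[pos] == TAG_OCTET_STRING:
        _, value, pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing data inside Control")
    return oid_bytes.decode("ascii"), criticality, value


def evaluate_controls(supported_oids, encoded_controls):
    """Server-side handling: returns ('success', applied_oids) or
    ('unavailableCriticalExtension', offending_oid)."""
    applied = []
    for raw in encoded_controls:
        oid, critical, _value = decode_control(raw)
        if oid in supported_oids:
            applied.append(oid)
        elif critical:
            return "unavailableCriticalExtension", oid
        # Unrecognised and not critical: silently ignored, as the spec requires.
    return "success", applied


if __name__ == "__main__":
    sort_ctrl = encode_control(SORT_CONTROL_OID, criticality=True, value=b"\x30\x00")
    print(sort_ctrl.hex())
    print(decode_control(sort_ctrl))
    # Constructed server that supports only the sort control.
    print(evaluate_controls({SORT_CONTROL_OID}, [sort_ctrl]))
    print(evaluate_controls(set(), [sort_ctrl]))
```

The criticality flag is what lets a client insist on a control rather than merely request it: a client that sends a critical control and still gets back a plain success with unsorted results knows something upstream is not speaking the protocol correctly, whereas with a non-critical control it simply cannot tell whether the control was honoured.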

For further reading on LDAP, see Understanding and Deploying LDAP Directory Services from Macmillan Technical Publishing (ISBN 1-578700-70-1) and Implementing LDAP from Wrox (ISBN 1-861002-21-1).

LDAP Software

In the LDAP server market space several companies offer comprehensive solutions:

  • Netscape's Directory Server
  • Innosoft's Distributed Directory Server
  • Lucent Technology's Internet Directory Server
  • Sun Microsystems' Directory Services
  • IBM's DSSeries LDAP Directory
  • Microsoft's Active Directory
  • University of Michigan's SLAPD server

The OpenLDAP project, based on the University of Michigan's implementation, is currently considered the open source LDAP solution of choice, with several fully-fledged features hitherto seen only in commercial offerings.

There are more LDAP client solutions than server solutions, because a great deal of software has LDAP client logic built in: address books, e-mail clients, and browsers with ldap:// URL support are perfect examples.

Most of the server solutions mentioned above come with toolkits or libraries for client development, for example Netscape's SDK for programming LDAP in C and Java. Other client-side programming solutions include the PerLDAP module for Perl, Sun's JNDI provider, and Microsoft's ADSI SDK. PHP has a client API that allows programming LDAP clients, and ColdFusion is another server-side scripting tool that provides an LDAP API.

Professional PHP4 Programming