CHAPTER 10 Directory Services

Chapter 10 discusses Directory Services, focusing on Directory Servers, their types, and the LDAP protocol. It outlines the hierarchical structure of directories, their role in managing user identities and access privileges, and the importance of LDAP in accessing directory information. The chapter also covers LDAP replication topologies, which enhance performance and reliability of directory services.

CHAPTER 10:

DIRECTORY SERVICES
FRU NGANG
PLAN
• 10.1 Directory Servers
• 10.2 Directory Services Concepts
• 10.3 LDAP Protocol
• 10.4 LDAP Replication Topologies

Systems and Networks Administration, Chapter 10: Directory Services, FRU NGANG, 13/12/2022
10.1 Directory Servers
• A directory server is a centralized repository that stores and manages
  information in a hierarchical structure (the directory), i.e. it provides
  directory services.
• Directories can be searched by specific criteria or browsed by a
  predefined set of categories. Directory data is read (searched) far more
  often than it is written (updated), and directory servers are optimized
  for that ratio.
• Types of directories
  – Centralized: a single directory server holds the whole directory.
  – Distributed: the information is partitioned and/or replicated across
    multiple servers, which may be geographically distributed.
10.1 Directory Servers
• Information stored in a directory server
  – A directory server can store many kinds of information, including
    identity profiles and access privileges for applications, network
    resources, printers, network devices and even manufactured parts.
  – This information is used to authenticate and authorize users, enabling
    secure access to enterprise and Internet services and applications.
    Because the directory is the source of truth for identities and
    privileges, it is itself a high-value target and must be protected
    accordingly.
10.2 Directory Services
• Directory services were part of an OSI initiative for common network
  standards and multi-vendor interoperability.
• In the 1980s the ITU and ISO created a set of standards (X.500) for
  directory services, initially to support the requirements of
  inter-carrier electronic messaging and network-name lookup.
• With a directory service, a user does not have to remember the physical
  address of a network resource; the user supplies a name and the directory
  locates the resource.
• Some directory services include access control provisions that limit the
  availability of directory information to authorized users.
10.2 Directory Services
• Provides a shared information infrastructure over the network
  – Allows information about users, systems, networks, services and
    applications to be shared throughout the network.
  – Eases locating, managing, administering and organizing everyday items
    and network resources (folders, files, printers, users, groups,
    telephone numbers and other objects).
  – Each resource on the network is treated as an object by the server.
  – Information about a resource is stored as a collection of attributes
    associated with that object.
• Plays a vital role in developing intranet/Internet applications
  – For example, a directory service may provide any organized set of
    records, such as a corporate e-mail directory, often with a
    hierarchical structure.
10.2 Directory Services
• A directory service defines a namespace for the network.
  – The namespace is used to assign a name (a unique identifier) to each
    object.
  – Directories typically have rules for how network resources are named
    and identified; these usually require identifiers to be unique and
    unambiguous.
  – A replicated namespace is governed by a single authority; a distributed
    namespace may be governed by different authorities for different parts
    of the tree.
10.2 Directory Services
• Summary (general characteristics of directory services)
  – Hierarchical naming model
  – Extended search capability
  – Replicated data
10.2 Directory Services
• Examples
  – DNS (Domain Name System)
  – NIS (Network Information Service, Sun Microsystems, for Unix)
  – NetInfo (Apple, for Mac OS X)
  – NT Domain (Microsoft)
  – NDS (Novell Directory Services)
  – X.500 (1988, ITU and ISO): a series of computer-networking standards
    and protocols that traditionally ran over the OSI networking stack
    – DAP (Directory Access Protocol), specified in X.511
    – DSP (Directory System Protocol)
    – DISP (Directory Information Shadowing Protocol)
    – DOP (Directory Operational Bindings Management Protocol)
  – LDAP (Lightweight Directory Access Protocol), sometimes called
    "X.500-lite"
10.2 Directory Services
• DNS server
  – Primarily stores host names and IP addresses (plus a few other record
    types, such as mail-exchanger records).
  – Used to locate computers on a network by host name rather than by a
    hard-to-remember numerical IP address.
10.3 LDAP
• 10.3.1 LDAP overview
• 10.3.2 LDAP models

10.3.1 LDAP Overview
• LDAP is a protocol developed as a lightweight alternative to DAP, allowing
  Internet clients to access an X.500-style directory over the TCP/IP stack.
• LDAP defines an open, vendor-neutral, industry-standard network protocol
  and a set of access methods for a directory. LDAPv3 is specified in
  RFC 4510 to RFC 4519; the server listens on TCP port 389 (ldap) and, for
  LDAP over TLS, on TCP port 636 (ldaps).
• Most directory services are accessed through LDAP.
• LDAP has become the standard access method for directory information,
  much as DNS is present on almost any system on an intranet or the
  Internet.
• LDAP is supported by most network operating systems, groupware and even
  shrink-wrapped Internet applications.
10.3.1 LDAP Overview
• DNS vs. LDAP service
  – DNS is used for IP-address look-up.
  – Unlike a DNS server, an LDAP server can store information about many
    other kinds of real-world and conceptual objects, e.g. physical device
    information, employee information, contract or account information,
    authentication information and manufacturing/production information.
10.3.1 LDAP Overview
• Although LDAP evolved from the X.500 OSI directory standard, it is LDAP,
  not X.500, that became the dominant Internet directory protocol.
• LDAP vs. X.500
  – LDAP runs over TCP/IP, which is widely available and less resource
    intensive than the OSI stack.
  – X.500 incorporated many useful ideas but was too heavyweight and
    complex to be practical for Internet applications. LDAP was designed to
    provide about 90% of the functionality of the full X.500 specification
    at about 10% of the cost.
  – LDAP radically simplifies the format in which messages are transported
    across the wire, representing data elements as simple strings and
    leaving out many of the little-used or redundant X.500 operations.
10.3.1 LDAP Overview
• LDAP architecture
  – LDAP is based on the client/server model (LDAP client and LDAP server).
  – Client/server interaction (steps involved)
    • Binding
      – The LDAP server is in listening mode.
      – The LDAP client opens a connection to the server by specifying its
        host name or IP address and the TCP port of the listening server
        (389 by default, 636 for LDAP over TLS).
      – The client then sends a bind request. The bind may be anonymous, a
        simple bind (DN plus password) or a SASL bind. A simple bind carries
        the password as plain bytes, so it must only be used over TLS
        (ldaps or StartTLS); otherwise anyone on the network path can read
        the credentials.
      – The server authenticates the client and, on success, grants it
        access to the directory data for operations such as read and write,
        subject to the server's access controls.
    • Operations: search is the most common LDAP operation.
    • Unbinding
      – The client closes its session with the server once its requests are
        complete.
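The bind exchange described above, as an added example that is not part of the original slides: a minimal BER encoder and decoder for the LDAPv3 BindRequest and BindResponse, using the example DN from the naming slide. The password "s3cret", the message IDs and the diagnostic text are constructed for the example; the tag values and result codes are those of RFC 4511. Decoding the request back with `parse_bind_request` shows exactly what a passive observer of an unencrypted simple bind recovers, which is the reason a simple bind needs TLS.

```python
from typing import Tuple

# BER/ASN.1 tags used by LDAPv3 (RFC 4511).
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61      # [APPLICATION 0], [APPLICATION 1]
SIMPLE_AUTH = 0x80                            # authentication CHOICE: simple [0]
SUCCESS, INVALID_CREDENTIALS = 0, 49          # LDAP result codes


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int, tag: int = INTEGER) -> bytes:
    """Minimal two's-complement INTEGER (also used for ENUMERATED)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(n, "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Client -> server: LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    op = tlv(BIND_REQUEST,
             ber_int(3)                                    # version
             + tlv(OCTET_STRING, dn.encode("utf-8"))       # name (LDAPDN)
             + tlv(SIMPLE_AUTH, password.encode("utf-8"))) # password, no protection at all
    return tlv(SEQUENCE, ber_int(message_id) + op)


def bind_response(message_id: int, result_code: int, diag: str = "") -> bytes:
    """Server -> client: LDAPMessage { messageID, BindResponse { code, matchedDN, diag } }."""
    op = tlv(BIND_RESPONSE,
             ber_int(result_code, ENUMERATED)
             + tlv(OCTET_STRING, b"")                      # matchedDN (empty)
             + tlv(OCTET_STRING, diag.encode("utf-8")))    # diagnosticMessage
    return tlv(SEQUENCE, ber_int(message_id) + op)


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the element at buf[pos]; rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + 2 + nbytes > len(buf):
            raise ValueError("indefinite, oversized or truncated BER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def _message(msg: bytes, expected_op: int) -> Tuple[int, bytes]:
    """Unwrap one LDAPMessage and return (messageID, protocolOp contents)."""
    tag, body, end = read_tlv(msg)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not exactly one LDAPMessage")
    tag, mid, p = read_tlv(body)
    if tag != INTEGER:
        raise ValueError("messageID must be an INTEGER")
    tag, op, _ = read_tlv(body, p)
    if tag != expected_op:
        raise ValueError(f"expected op 0x{expected_op:02x}, got 0x{tag:02x}")
    return int.from_bytes(mid, "big", signed=True), op


def parse_bind_request(msg: bytes) -> dict:
    """What a passive observer of an unencrypted simple bind can recover."""
    mid, op = _message(msg, BIND_REQUEST)
    _, ver, p = read_tlv(op)
    _, name, p = read_tlv(op, p)
    auth_tag, cred, _ = read_tlv(op, p)
    if auth_tag != SIMPLE_AUTH:
        raise ValueError("only simple authentication is decoded in this example")
    return {"messageID": mid, "version": int.from_bytes(ver, "big", signed=True),
            "name": name.decode("utf-8"), "password": cred.decode("utf-8")}


def parse_bind_response(msg: bytes) -> dict:
    mid, op = _message(msg, BIND_RESPONSE)
    _, code, p = read_tlv(op)
    _, matched, p = read_tlv(op, p)
    _, diag, _ = read_tlv(op, p)
    return {"messageID": mid, "resultCode": int.from_bytes(code, "big", signed=True),
            "matchedDN": matched.decode("utf-8"), "diagnosticMessage": diag.decode("utf-8")}


if __name__ == "__main__":
    # Constructed exchange: the DN is the slides' example entry, the password is made up.
    req = bind_request(1, "cn=awono,ou=itt3ir,o=SUPPTIC,c=cm", "s3cret")
    print(req.hex())                      # the password bytes appear verbatim in the hex
    print(parse_bind_request(req))
    print(parse_bind_response(bind_response(1, INVALID_CREDENTIALS, "invalid credentials")))
```

The request for the example DN is 53 bytes; the six bytes of the password sit unchanged after the `0x80` tag. Wrapping the same bytes in TLS (ldaps on port 636, or StartTLS on 389) is what hides them; nothing in the LDAP encoding does.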

10.3.1 LDAP Overview
• LDAP defines
  – how data is represented in the directory (the LDAP models);
  – how data is loaded from and saved into the directory (using LDIF).
• The LDAP Data Interchange Format (LDIF, RFC 2849) is a standard plain-text
  format for representing LDAP directory content and update requests. LDIF
  conveys directory content as a set of records, one record per object
  (entry), separated by blank lines. Long values are folded onto
  continuation lines that start with a single space, and values that are
  not safe ASCII are base64-encoded and written after a double colon
  ("attr:: ...").
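A small LDIF reader and writer, added here as an example and not taken from the slides: it unfolds continuation lines, decodes "::" base64 values, splits records on blank lines, and re-serializes entries, base64-encoding any value that is not an RFC 2849 safe string. The sample LDIF in `SAMPLE_LDIF` is constructed for the example (the first DN is the slides' example entry; the mail address and the `{SSHA}` value are made up and are not a real hash).

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]   # attribute type (lower-cased) -> list of values

# Constructed sample LDIF (not from the original slides): a comment, an optional
# version header, a folded value (continuation line starts with a space), a
# base64 value written with "::", and two records separated by a blank line.
SAMPLE_LDIF = """\
# constructed example
version: 1
dn: cn=awono,ou=itt3ir,o=SUPPTIC,c=cm
objectClass: inetOrgPerson
cn: awono
sn: Awono
mail: awono@example.test
description: a long description that is folded
  across two physical lines
userPassword:: e1NTSEF9ZXhhbXBsZQ==

dn: ou=itt3ir,o=SUPPTIC,c=cm
objectClass: organizationalUnit
ou: itt3ir
"""


def unfold(text: str) -> List[str]:
    """Join continuation lines (a line starting with one space) onto the previous line."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into entries; the DN is kept under the key "dn"."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text):
        if line.startswith("#"):
            continue                                 # comment line
        if not line.strip():
            if current:                              # blank line ends a record
                entries.append(current)
                current = {}
            continue
        if not current and line.startswith("version:"):
            continue                                 # optional "version: 1" header
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):                     # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
        elif rest.startswith("<"):                   # "attr:< URL": deliberately not loaded
            raise ValueError(f"URL-valued attribute not supported: {line!r}")
        else:
            value = rest.lstrip(" ")                 # one optional space after ':'
        if not current and name.lower() != "dn":
            raise ValueError("an LDIF record must start with its dn")
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING test: values that fail it must be written as base64."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value)


def to_ldif(entry: Entry) -> str:
    """Serialize one entry as an LDIF record (dn first), base64-encoding unsafe values."""
    keys = ["dn"] + [k for k in entry if k != "dn"]
    lines = []
    for key in keys:
        for value in entry[key]:
            if needs_base64(value):
                enc = base64.b64encode(value.encode("utf-8")).decode("ascii")
                lines.append(f"{key}:: {enc}")
            else:
                lines.append(f"{key}: {value}")
    return "\n".join(lines) + "\n"
```

Note that `userPassword` travels in LDIF exactly as the server stores it; an export of a directory is therefore as sensitive as the directory itself and must be handled (and deleted) accordingly.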
10.3.2 LDAP Models
• Overview of LDAP Models
 Information Model
 Naming Model
 Functional Model
 Security Model

10.3.2 a LDAP Information Model
• Defines what kinds of information can be stored in an LDAP directory.
• Provides the structures and data types necessary for building an LDAP
  directory tree.
• The schema defines, as object classes, the types of real-world objects or
  concepts (a person, an organization, a printer) that can be stored in the
  directory.
• Entry
  – Entries are the basic units of information in the directory; each holds
    information about one object or concept.
  – Each entry is identified uniquely by its distinguished name (DN).
  – Entries are composed of attributes that hold the information recorded
    about the object.
10.3.2 a LDAP Information Model
• Attribute
  – Common attribute types are usually written with their short names rather
    than their full names: common name (cn), organizational unit name (ou),
    organization (o), country (c).
  – Each attribute has a type and one or more values.
  – Each attribute type has an associated syntax (e.g. directory string,
    integer) and constraints such as matching rules or a single-value
    restriction.
  – Which attributes are required (MUST) or permitted (MAY) in an entry is
    determined by the entry's object classes (listed in its objectClass
    attribute); DIT content rules defined on a per-server basis can restrict
    this further.
10.3.2 b LDAP Naming Model
• Defines how entries in an LDAP directory are organized and identified.
• Entries are stored in a tree structure called the Directory Information
  Tree (DIT), for instance following a geographical and organizational
  distribution.
• Each entry is named uniquely by its position in the hierarchy, expressed
  as a distinguished name (DN).
• The string form of a DN was first defined in RFC 1779, later replaced by
  RFC 2253 and now by RFC 4514.
• Example: "cn=awono,ou=itt3ir,o=SUPPTIC,c=cm".
• Relative Distinguished Name (RDN): each comma-separated component of the
  DN is an RDN; the leftmost RDN names the entry itself and the remaining
  RDNs name its parent.
• An RDN is composed of one or more attribute-value pairs taken from the
  entry.
• Sibling entries (entries with the same parent) must have different RDNs.
• Characters such as commas and plus signs inside an RDN value must be
  escaped with a backslash; unescaped, they change the structure of the DN.
10.3.2 c LDAP Security Model
• Defines
  – how information in an LDAP directory is protected from unauthorized
    access;
  – what privileges users and applications need in order to access the
    directory.
• Four aspects of security
  – Authentication: established by the bind operation (anonymous, simple or
    SASL).
  – Integrity: provided by TLS (ldaps or StartTLS) or by a SASL security
    layer, not by the LDAP operations themselves.
  – Confidentiality: likewise provided by TLS or a SASL security layer; a
    simple bind without either exposes the password on the wire.
  – Authorization: enforced by the server's access control lists. LDAPv3
    does not standardize an access-control model, so ACL syntax and
    semantics are vendor-specific and must be reviewed per product.
10.3.2 d LDAP Functional Model
• After information has been placed in the directory and clients have been
  authenticated, LDAP lets the clients
  – access the directory;
  – search the directory and retrieve information from it;
  – update information in the directory.
• The operations fall into three groups
  – Interrogation: operations that query and retrieve information from the
    directory (Search, Compare).
  – Update: operations that change the directory (Add, Delete, Modify,
    ModifyDN).
  – Authentication and control: operations that open or close a session and
    control outstanding requests (Bind, Unbind, Abandon; StartTLS is an
    extended operation).
• Search is the operation most exposed to untrusted input: a search filter
  or a DN built by concatenating user-supplied strings is vulnerable to LDAP
  injection, so assertion values and RDN values must be escaped.
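An added example covering both the naming model (DN and RDN structure) and the search operation of the functional model; it is not code from the slides. It parses a string DN into its RDNs with RFC 4514 escape handling, escapes values for DNs and for RFC 4515 search filters, and shows the vulnerable and hardened ways of building a login filter. The base DN `ou=itt3ir,o=SUPPTIC,c=cm` is the slides' example; the function names, the `inetOrgPerson`-based filter and the injected input strings are constructed for the example.

```python
import re
from typing import List, Tuple

RDN = List[Tuple[str, str]]   # one RDN; several pairs only for multi-valued RDNs ('+')

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def _join_value(chars: List[Tuple[str, bool]]) -> str:
    """Drop unescaped leading/trailing spaces (insignificant per RFC 4514), keep escaped ones."""
    while chars and chars[0] == (" ", False):
        chars.pop(0)
    while chars and chars[-1] == (" ", False):
        chars.pop()
    return "".join(c for c, _ in chars)


def parse_dn(dn: str) -> List[RDN]:
    """Split a string DN into its RDNs, leftmost (leaf) first.

    Handles backslash escapes ('\\,' '\\+' '\\=' '\\\\' '\\ ') and '\\XX' hex
    pairs. Assumption/limitation of this example: each '\\XX' becomes one
    character, so multi-byte UTF-8 hex escapes are not reassembled.
    """
    if dn == "":
        return []                                   # the empty DN names the root
    rdns: List[RDN] = []
    rdn: RDN = []
    attr_type, in_value = "", False
    chars: List[Tuple[str, bool]] = []              # (character, was_escaped)
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("DN ends with a lone backslash")
            pair = dn[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):
                chars.append((chr(int(pair, 16)), True))
                i += 3
            else:
                chars.append((dn[i + 1], True))
                i += 2
            continue
        if not in_value and ch == "=":
            attr_type = "".join(c for c, _ in chars).strip().lower()
            if not attr_type:
                raise ValueError("RDN with an empty attribute type")
            chars, in_value = [], True
        elif in_value and ch in ",;+":              # unescaped separators only
            rdn.append((attr_type, _join_value(chars)))
            chars, in_value = [], False
            if ch != "+":
                rdns.append(rdn)
                rdn = []
        else:
            chars.append((ch, False))
        i += 1
    if not in_value:
        raise ValueError("malformed DN: last component has no '='")
    rdn.append((attr_type, _join_value(chars)))
    rdns.append(rdn)
    return rdns


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value about to be placed in a DN."""
    out = "".join("\\00" if ch == "\x00" else ("\\" + ch if ch in ',+"\\<>;' else ch)
                  for ch in value)
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out


_FILTER_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value used inside a search filter."""
    return "".join(_FILTER_ESCAPE.get(ch, ch) for ch in value)


def login_filter_unsafe(uid: str) -> str:
    # Vulnerable pattern: untrusted input concatenated straight into the filter.
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def login_filter_safe(uid: str) -> str:
    # Hardened: the assertion value is escaped, so it can only match a literal uid.
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


def user_dn(uid: str, base: str = "ou=itt3ir,o=SUPPTIC,c=cm") -> str:
    """Build the DN of a user entry under the slides' example base without DN injection."""
    return f"cn={escape_dn_value(uid)},{base}"
```

With the input `*)(uid=*`, the unsafe filter becomes `(&(objectClass=inetOrgPerson)(uid=*)(uid=*))`, which matches every person entry; the safe filter turns the same input into `\2a\29\28uid=\2a`, a literal that matches nothing. The same applies to DNs: `user_dn("awono,ou=admins")` yields one RDN whose value contains a comma, not an extra `ou=admins` level.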

10.4 LDAP Replication
• Replication is a technique used by directory servers to improve
  performance, availability and reliability.
• Main benefits
  – Redundancy of information: replicas hold a copy of the content of their
    supplier servers and can take over if a supplier fails.
  – Faster searches: search requests can be spread among several servers
    instead of a single one, improving response time.
  – Security and content filtering: a replica can hold only a subset of the
    supplier's data, so a server exposed to a less trusted network (for
    example a DMZ) need not carry the whole directory, and a compromise of
    that replica exposes only the subset it holds.
10.4 LDAP Replication
• Major LDAP replication topologies
  – Simple master-replica topology: the master sends its changes directly to
    the replica; the replica is usually read-only.
  – Master-forwarder-replica topology: one master, one forwarder and one
    replica. The master does not send updates to the replica directly; the
    forwarder is an intermediate server, and all changes reach the replica
    from the master via the forwarder.
  – Gateway replication topology: a replication site is a collection of
    gateways, masters, forwarders and replicas. A gateway server relays the
    changes of its own site to the gateways of other sites, so that sites
    exchange updates through their gateways rather than through every
    server.
  – Peer (multi-master) replication topology: several masters are peers of
    each other; each accepts writes and replicates them to the others, so
    conflicting updates to the same entry must be resolved (typically by
    timestamp).