<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Interaction with iSeries Directory Server (LDAP)" />
<meta name="abstract" content="An LDAP directory is a listing of information about objects arranged in a particular order that gives details about each object. LDAP is a specialized database that has characteristics that set it apart from general purpose relational databases." />
<meta name="description" content="An LDAP directory is a listing of information about objects arranged in a particular order that gives details about each object. LDAP is a specialized database that has characteristics that set it apart from general purpose relational databases." />
<meta name="DC.Relation" scheme="URI" content="itdover.htm" />
<meta name="DC.Relation" scheme="URI" content="itdoverdomino.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="itdoverldap" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Interaction with iSeries Directory Server (LDAP)</title>
</head>
<body id="itdoverldap"><a name="itdoverldap"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Interaction with <span class="keyword">iSeries</span> Directory Server (LDAP)</h1>
<div><p>An LDAP directory is a listing of information about objects arranged in a particular order that gives details about each object. LDAP is a specialized database that has characteristics that set it apart from general purpose relational databases.</p>
<p>One special characteristic of directories is that they are accessed (read or searched) much more often than they are updated (written). Hundreds of people might look up an individual's phone number, but the phone number rarely changes.</p>
<p>IBM<sup>®</sup> Telephone Directory V5.2 is used to search, view, and manage entries in an existing directory, or to set up a new directory. The application uses an LDAP directory server to store and retrieve data. By default, the LDAP server is automatically configured on your <span class="keyword">iSeries™ server</span> unless another LDAP server already exists in your network. The LDAP server is not required to reside on the same <span class="keyword">iSeries server</span> as the application server. You can also use a Domino<sup>®</sup> LDAP server with IBM Telephone Directory. For more information, see the Redpaper <a href="http://www.redbooks.ibm.com/abstracts/redp3624.html" target="_blank">WebSphere<sup>®</sup> Application Server Express on <span class="keyword">iSeries</span></a>. <img src="www.gif" alt="Link outside Information Center" /></p>
<p>The LDAP server is accessible through TCP/IP. You perform most LDAP server setup and administration tasks using <span class="keyword">iSeries Navigator</span>. You must have <span class="keyword">iSeries Navigator</span> installed on a workstation that is connected to your server.</p>
<div class="section"><h4 class="sectiontitle">LDAP entries</h4><p>The only default setting of the IBM Telephone Directory V5.2 installation is to allow users to search the directory anonymously.</p>
<p>Objects in a directory are referenced by a distinguished name (DN). When you use the IBM Telephone Directory V5.2 application to add an entry to the directory, the entry is created under the user's parent DN, using the user ID value as its name. For example, if you register John Jones in the cn=users,dc=myhost,dc=mycompany,dc=com parent DN, his LDAP entry is cn=John Jones,cn=users,dc=myhost,dc=mycompany,dc=com. The parent DN update is hidden from the user and from the IBM Telephone Directory V5.2 administrator. During authentication, John is prompted for his user ID and must enter the user ID that was specified during registration; in this example, his user ID is John Jones.</p>
<p>Existing directory entries can be searched, viewed, and managed if they are based on the standard inetOrgPerson object class. This object class is an industry standard class that is commonly used to represent and store information about people, such as first and last name, telephone numbers, and email addresses. The directory can contain entries for other object classes, such as those used by the application to search the directory; however, the default object class is inetOrgPerson.</p>
<p>Directory entries modified by the application have an auxiliary object class added to them called ibm-itdPerson. The ibm-itdPerson object class allows the IBM Telephone Directory V5.2 application to use additional attributes not available with standard object classes. Additional attributes include alternate phone numbers, alternate addresses, DN values for assistants and backups, as well as work location information including job responsibility, marketing territory, and trade area. All attributes in the auxiliary ibm-itdPerson object class are optional. The class is added to provide a way to store additional information about a person that is not included in the inetOrgPerson object class.</p>
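<p>The entry naming and object classes described above, as an added Python example that is not IBM Telephone Directory code: it builds the entry DN from the user ID and parent DN, assembles the inetOrgPerson attribute set with the ibm-itdPerson auxiliary class attached, and parses the result back to confirm the entry sits directly under the intended parent. RFC 4514 escaping of the user ID is an assumption of this example; the page does not say how the application itself escapes values.</p>

```python
# Added example, not IBM Telephone Directory code: builds the entry DN the page
# describes (user ID as RDN under the parent DN) with RFC 4514 escaping, which
# is assumed here; the page does not say how the application escapes values.

RFC4514_SPECIAL = ',+"\\<>;'

def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 section 2.4."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in RFC4514_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")      # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")      # leading '#'
        else:
            out.append(ch)
    return "".join(out)

def build_entry_dn(user_id: str, parent_dn: str) -> str:
    """cn=<user ID>,<parent DN>, e.g. cn=John Jones,cn=users,dc=myhost,..."""
    if not user_id.strip():
        raise ValueError("user ID must not be empty")
    return f"cn={escape_rdn_value(user_id)},{parent_dn}"

def build_person_entry(user_id, sn, given, mail, parent_dn) -> dict:
    """New entry: the inetOrgPerson chain plus the ibm-itdPerson auxiliary
    class; its attribute names are not given on the page, so none appear."""
    return {"dn": build_entry_dn(user_id, parent_dn),
            "objectClass": ["top", "person", "organizationalPerson",
                            "inetOrgPerson", "ibm-itdPerson"],
            "cn": [user_id], "sn": [sn], "givenName": [given], "mail": [mail]}

def parse_dn(dn: str) -> list:
    """Split a DN into RDNs, honouring backslash escapes, so a caller can
    verify the new entry sits directly under the intended parent DN."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2]); i += 2
        elif dn[i] == ",":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    parts.append("".join(cur))
    return parts
```

Without the escaping, a user ID containing a comma (for example "Jones, John") would split into two RDNs and the entry would not be a direct child of the parent DN.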
<p>Once the application receives a request, it must connect to the LDAP server to act on it. Requests are carried out under the authority of the user that is specified. The application uses credentials passed on HTTP requests to connect to the LDAP server, if necessary. The application requires credentials for some requests, such as a request to create, update, or delete directory entries. Credentials required to add new entries are provided by the administrator when open enrollment is enabled.</p>
<p>If credentials are not required to do search requests, the application connects to the LDAP server using anonymous bind to search the directory. For anonymous search access, the <span class="uicontrol">Directory access</span> configuration property must be set to <span class="uicontrol">Anonymous (no login)</span>. If credentials are required to do search requests, the application connects to the LDAP server using the user credentials that are passed on the HTTP requests. The request fails if credentials are not provided. For authenticated search access, the <span class="uicontrol">Directory access</span> configuration property must be set to <span class="uicontrol">Login Required</span>. See <a href="itddiracc.htm">Modify directory access</a> for more information.</p>
<p>The LDAP server controls what users are authorized to do and whether their requests succeed or fail. This includes anonymous user requests. All authorization settings for the directory are specified and controlled by the LDAP server. The application transforms HTTP requests into LDAP requests, ensures credentials are securely handled and supplied to the LDAP server, and formats the LDAP results (success or failure) into HTML pages that resemble a simple address book.</p>
<p>Users provide the credentials that the application uses to connect to the LDAP server. User credentials are not used to connect to the LDAP server when open enrollment is specified. For open enrollment, credentials are read from the application's configuration file. The HTTP server is required to authenticate the user when necessary. The application uses the credentials supplied on each request (when necessary) to connect to the LDAP server. The application does not cache credentials or reuse LDAP connections to handle multiple HTTP requests. LDAP connections are disconnected after each request, which prevents the application from connecting using a user's credentials to fulfill the request of another user. If the HTTP server does not provide the credentials needed to connect to the LDAP server, the application fails.</p>
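<p>The credential rules of the preceding paragraphs, as an added Python model that is not IBM's code: which credentials a request binds with (anonymous search, <span class="uicontrol">Login Required</span>, HTTP credentials for create/update/delete, administrator credentials from the configuration file for open enrollment), and the bind-then-disconnect lifecycle that keeps one user's credentials from serving another user's request. The <code>FakeDirectory</code> class, the <code>Config</code> field names and the bind DN values are constructed for the example.</p>

```python
# Added example, not IBM Telephone Directory code: models the bind rules the page
# describes (anonymous search, Login Required, credentials for writes, administrator
# credentials for open enrollment) and the disconnect-after-each-request lifecycle.
from dataclasses import dataclass, field

ANONYMOUS, LOGIN_REQUIRED = "Anonymous (no login)", "Login Required"
WRITE_REQUESTS = {"create", "update", "delete"}

class MissingCredentials(Exception): pass  # the page says such a request fails

@dataclass
class Config:
    directory_access: str = ANONYMOUS  # the Directory access property
    open_enrollment: bool = False
    enrollment_bind: tuple = None      # (bind DN, password) from the config file

def select_bind(request: str, http_credentials, cfg: Config):
    """Return (bind DN, password) for the request, or None for anonymous bind."""
    if request == "create" and cfg.open_enrollment:
        # open enrollment: administrator credentials, not the user's
        if cfg.enrollment_bind is None:
            raise MissingCredentials("open enrollment bind not configured")
        return cfg.enrollment_bind
    if request in WRITE_REQUESTS or cfg.directory_access == LOGIN_REQUIRED:
        if http_credentials is None:
            raise MissingCredentials(f"{request} requires HTTP credentials")
        return http_credentials
    return None  # search with Directory access = Anonymous (no login)

@dataclass
class FakeDirectory:
    """Constructed LDAP server stand-in; logs binds and unbinds so a test can
    confirm no connection outlives the request that opened it."""
    log: list = field(default_factory=list)
    open_connections: int = 0
    def bind(self, creds):
        self.open_connections += 1
        self.log.append(("bind", creds[0] if creds else "anonymous"))
    def unbind(self):
        self.open_connections -= 1
        self.log.append(("unbind",))

def handle_request(server, request, http_credentials, cfg):
    """One HTTP request: bind, act, always disconnect; nothing is cached."""
    creds = select_bind(request, http_credentials, cfg)
    server.bind(creds)
    try:
        return f"{request} as {creds[0] if creds else 'anonymous'}"
    finally:
        server.unbind()
```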
<p>For more information about <span class="keyword">iSeries</span> Directory Server (LDAP), see the following topics:</p>
<ul><li><a href="../rzahy/rzahyrzahywelpo.htm">Directory Server (LDAP)</a></li>
<li><a href="http://www.ibm.com/servers/eserver/iseries/ldap" target="_blank"><span class="keyword">iSeries</span> Directory Server (LDAP)</a> <img src="www.gif" alt="Link outside Information Center" /> (http://www.ibm.com/servers/eserver/iseries/ldap) <p>The <span class="uicontrol">Articles and Publications</span> section has links to articles, redbooks and other related LDAP books.</p>
</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="itdover.htm" title="This topic provides an overview of the IBM Telephone Directory V5.2 application and how it interacts with different iSeries server components and various software components.">Overview of IBM Telephone Directory V5.2</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="itdoverdomino.htm" title="As an alternative to iSeries Directory Server (LDAP), you can use LDAP on Domino 6.0 for iSeries (Domino Directory services).">Interaction with LDAP on Domino 6.0 for iSeries</a></div>
</div>
</div>
</body>
</html>