<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Interaction with iSeries Directory Server (LDAP)" />
<meta name="abstract" content="An LDAP directory is a listing of information about objects arranged in a particular order that gives details about each object. LDAP is a specialized database that has characteristics that set it apart from general purpose relational databases." />
<meta name="description" content="An LDAP directory is a listing of information about objects arranged in a particular order that gives details about each object. LDAP is a specialized database that has characteristics that set it apart from general purpose relational databases." />
<meta name="DC.Relation" scheme="URI" content="itdover.htm" />
<meta name="DC.Relation" scheme="URI" content="itdoverdomino.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="itdoverldap" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Interaction with iSeries Directory
Server (LDAP)</title>
</head>
<body id="itdoverldap"><a name="itdoverldap"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Interaction with <span class="keyword">iSeries</span> Directory
Server (LDAP)</h1>
<div><p>An LDAP directory is a listing of information about objects arranged
in a particular order that gives details about each object. LDAP is a specialized
database that has characteristics that set it apart from general purpose relational
databases.</p>
<p>One special characteristic of directories is that they are accessed (read
or searched) much more often than they are updated (written). Hundreds of
people might look up an individual's phone number, but the phone number rarely
changes.</p>
<p>IBM<sup>®</sup> Telephone
Directory V5.2 is used to search, view, and manage entries in an existing
directory, or it is used to set up a new directory. The application uses an
LDAP directory server to store and retrieve data. By default, the LDAP server
is automatically configured on your <span class="keyword">iSeries™ server</span> unless
another LDAP server already exists in your network. The LDAP server is not
required to reside on the same <span class="keyword">iSeries server</span> as
the application server. In addition, you can also use a Domino<sup>®</sup> LDAP server
with IBM Telephone
Directory. For more information, see the Redpaper <a href="http://www.redbooks.ibm.com/abstracts/redp3624.html" target="_blank">WebSphere<sup>®</sup> Application Server Express on <span class="keyword">iSeries</span></a>. <img src="www.gif" alt="Link outside Information Center" /></p>
<p>The LDAP server is accessible through TCP/IP. You perform most LDAP server
setup and administration tasks using <span class="keyword">iSeries Navigator</span>.
You must have <span class="keyword">iSeries Navigator</span> installed
on a workstation that is connected to your server.</p>
<div class="section"><h4 class="sectiontitle">LDAP entries</h4><p>The only default setting of IBM Telephone Directory
V5.2 installation is to allow users to anonymously search the directory.</p>
<p>When
you use the IBM Telephone
Directory V5.2 application to add an entry to the directory, the entry is created
under the user's parent DN and named with the user ID value. For example, if you register
John Jones in the cn=users,dc=myhost,dc=mycompany,dc=com parent DN, his LDAP
entry is cn=John Jones,cn=users,dc=myhost,dc=mycompany,dc=com. The parent
DN update is hidden from the user and from the IBM Telephone Directory V5.2 administrator.
Objects in a directory are referenced by a distinguished name (DN) attribute.
During authentication, John is prompted for his user ID. He must enter the
user ID that was specified during registration. In this example, his user
name is John Jones.</p>
<p>Existing directory entries can be searched, viewed,
and managed if they are based on the standard inetOrgPerson object class. This
object class is an industry standard class that is commonly used to represent
and store information about people, such as first and last name, telephone
numbers, and email addresses. The directory can contain entries for other
object classes, such as those object classes used by the application to search
the directory; however, the default object class is inetOrgPerson.</p>
<p>Directory
entries modified by the application have an auxiliary object class added to
them called ibm-itdPerson. The ibm-itdPerson object class allows the IBM Telephone Directory
V5.2 application to use additional attributes not available with standard
object classes. Additional attributes include alternate phone numbers, alternate
addresses, DN values for assistants and backups, as well as work location
information including job responsibility, marketing territory, and trade area.
All attributes in the auxiliary ibm-itdPerson object class are optional. The
class is added to provide a way to store additional information about a person
that is not included in the inetOrgPerson object class.</p>
<p>Once the application
receives a request, it must connect to the LDAP server to act on it. Requests
are carried out under the authority of the user that is specified. The application
uses credentials passed on HTTP requests to connect to the LDAP server, if
necessary. The application requires credentials for some requests, such as
a request to create, update, or delete directory entries. Credentials required
to add new entries are provided by the administrator when open enrollment
is enabled.</p>
<p>If credentials are not required to do search requests, the
application connects to the LDAP server using anonymous bind to search the
directory. For anonymous search access, the <span class="uicontrol">Directory access</span> configuration
property must be set to <span class="uicontrol">Anonymous (no login)</span>. If credentials
are required to do search requests, the application connects to the LDAP server
using the user credentials that are passed on the HTTP requests. The request
fails if credentials are not provided. For authenticated search access, the <span class="uicontrol">Directory
access</span> configuration property must be set to <span class="uicontrol">Login
Required</span>. See <a href="itddiracc.htm">Modify directory access</a> for
more information.</p>
<p>The LDAP server controls what users are authorized
to do and whether their requests succeed or fail. This includes anonymous
user requests. All authorization settings for the directory are specified
and controlled by the LDAP server. The application transforms HTTP requests
into LDAP requests, ensures credentials are securely handled and supplied
to the LDAP server, and formats the LDAP results (success or failure) into
HTML pages that resemble a simple address book.</p>
<p>Users provide the credentials
that the application uses to connect to the LDAP server. User credentials
are not used to connect to the LDAP server when open enrollment is specified.
For open enrollment, credentials are read from the application's configuration
file. The HTTP server is required to authenticate the user when necessary.
The application uses the credentials supplied on each request (when necessary)
to connect to the LDAP server. The application does not cache credentials
or reuse LDAP connections to handle multiple HTTP requests. LDAP connections
are disconnected after each request, which prevents the application from connecting
using a user's credentials to fulfill the request of another user. If the
HTTP server does not provide the credentials needed to connect to the LDAP
server, the application fails.</p>
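<p>The following Python model, added here as an illustration and not part of IBM Telephone Directory or this page, shows the two behaviours described above: how a registered user ID is mapped onto an entry DN beneath the configured parent DN, and how the bind for each HTTP request is chosen from the <span class="uicontrol">Directory access</span> setting, the credentials the HTTP server supplied, and open enrollment. The function and class names, the request names, and the RFC 4514 escaping of the user ID (a defensive detail the page does not discuss) are assumptions.</p>

```python
"""Model of IBM Telephone Directory's DN construction and per-request bind
selection. Added example, not IBM's code; names and the escaping step are
assumptions derived from the page's description."""
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4514 characters that must be escaped inside an RDN value so that a
# user ID such as "x,cn=admins" cannot change the structure of the DN.
_RDN_SPECIALS = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a user-supplied RDN value per RFC 4514 (assumed hardening step)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def entry_dn(user_id: str, parent_dn: str) -> str:
    """Entry DN is cn=<user ID> prepended to the configured parent DN."""
    return f"cn={escape_rdn_value(user_id)},{parent_dn}"


@dataclass(frozen=True)
class Bind:
    kind: str                       # "anonymous" or "simple"
    dn: Optional[str] = None
    password: Optional[str] = None


def bind_for_request(directory_access: str, request: str,
                     credentials: Optional[Tuple[str, str]], parent_dn: str,
                     enrollment_creds: Optional[Tuple[str, str]] = None) -> Bind:
    """Choose the LDAP bind for one HTTP request; fail when credentials are missing.

    credentials      -- (user ID, password) forwarded by the HTTP server, or None
    enrollment_creds -- (bind DN, password) from the configuration file when
                        open enrollment is enabled, otherwise None
    """
    if request == "search" and directory_access == "Anonymous (no login)":
        return Bind("anonymous")                      # anonymous bind for searches
    if request == "add" and enrollment_creds is not None:
        return Bind("simple", *enrollment_creds)      # open enrollment: config creds
    if credentials is None:
        raise PermissionError(f"{request!r} needs credentials the HTTP server did not supply")
    user_id, password = credentials
    return Bind("simple", entry_dn(user_id, parent_dn), password)  # bind as the user
```

Each bind is used for exactly one request and then torn down, which is why nothing here holds a connection object between calls.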
<p>For more information about <span class="keyword">iSeries</span> Directory
Server (LDAP), see the following topics:</p>
<ul><li><a href="../rzahy/rzahyrzahywelpo.htm">Directory
Server (LDAP)</a></li>
<li><a href="http://www.ibm.com/servers/eserver/iseries/ldap" target="_blank"><span class="keyword">iSeries</span> Directory
Server (LDAP)</a> <img src="www.gif" alt="Link outside Information Center" /> (http://www.ibm.com/servers/eserver/iseries/ldap) <p>The <span class="uicontrol">Articles
and Publications</span> section has links to articles, redbooks and other
related LDAP books.</p>
</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="itdover.htm" title="This topic provides an overview of the IBM Telephone Directory V5.2 application and how it interacts with different iSeries server components and various software components.">Overview of IBM Telephone Directory V5.2</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="itdoverdomino.htm" title="As an alternative to iSeries Directory Server (LDAP), you can use LDAP on Domino 6.0 for iSeries (Domino Directory services).">Interaction with LDAP on Domino 6.0 for iSeries</a></div>
</div>
</div>
</body>
</html>