Chapter 1. Introduction to directory services

Red Hat Directory Server provides global directory services by providing information to a wide variety of applications. Until recently, many applications came bundled with their own proprietary user databases, with information about the users specific to that application. While a proprietary database is convenient if you use only one application, multiple databases become an administrative burden if the databases manage the same information.

For example, a company runs three different proprietary email systems, and each email system has its own proprietary directory service. If users change their passwords in one directory, the changes are not automatically replicated to other directories. Management of the same information in different places increases the hardware and personnel costs. The increased maintenance overhead is referred to as the n+1 directory problem.

A global directory service solves the n+1 directory problem by offering a centralized repository accessible to any application. However, giving a wide variety of applications access to the directory service requires a network-based means of communicating between the applications and the directory service.

Red Hat Directory Server uses LDAP for applications to access to its global directory service.

LDAP provides a common language that client applications and servers use to communicate with one another. LDAP is a "lightweight" version of the Directory Access Protocol (DAP) that the ISO X.500 standard describes.

DAP gives any application access to the directory through an extensible and robust information framework but at a high administrative cost. DAP uses a communications layer that is not the Internet standard protocol and has complex directory-naming conventions.

LDAP preserves the best features of DAP while reducing administrative costs. LDAP uses an open directory access protocol running over TCP/IP and simplified encoding methods. It retains the data model and can support millions of entries for a modest investment in hardware and network infrastructure.

Directory Server is a multi-threaded application. It means that multiple clients can bind to the server at the same time over the same network. When directory services expand to include larger numbers of entries or geographically-distributed clients, the services also include multiple Directory Servers placed in strategic places around the network.

The server frontend of Directory Server manages communications with directory client applications using LDAP over TCP/IP and LDAP over Unix sockets (LDAPI).

Directory Server can establish a secure (encrypted) connection with Transport Layer Security (TLS), depending on if the client negotiates to use TLS for the connection. If clients were issued certificates, Directory Server can use TLS to confirm that the client has the right to access the server. In addition, TLS is used to perform other security activities, such as message integrity checks, digital signatures, and mutual authentication between servers.

The directory tree, also known as a directory information tree (DIT), mirrors the tree model used by most file systems. During installation, Directory Server creates a default directory tree.

After an installation, the directory contains the following root suffix and subtrees:

You can extend the default directory tree by adding any data relevant to the directory installation. For more information about directory trees, see Designing the directory tree.

LDAP Data Interchange Format (LDIF) is a standard text-based format for describing directory entries. An entry consists of a number of lines in the LDIF file and contains information about an object, such as a person in the organization or a printer on the network.

Information about the entry is represented as a set of attributes and their values. Each entry has an object class attribute that specifies the type of an object the entry describes and defines the set of additional attributes it contains. Each attribute describes a particular trait of an entry.

For example, an entry can have organizationalPerson object class indicating that the entry represents a person in an organization. This object class supports the givenName and telephoneNumber attributes. The values assigned to these attributes define the name and phone number of the person the entry presents.

Directory Server also uses read-only operational attributes that the server calculates. Administrators can manually set these operational attributes for access control and other server functions.

By default, an LDAP search does not return all entries and excludes administrative entries that have the ldapsubentry object class. Administrative entries can be used to define a role or a class of service. To include these entries in the search response, client applications need to additionally search for entries with the ldapsubentry object class.

If you store parts of the directory tree in a separate database, the directory can process client requests in parallel improving performance. You can even store databases on different machines for further performance improvement. To connect part of the directory, Directory Server uses database links and chaining. For more information about database links and chaining, see Using referrals in Directory Server.