Web Developer's Virtual Library: Encyclopedia of Web Design Tutorials, Articles and Discussions
Update Operations - Page 6

February 8, 2002

The update operations are add, delete, rename, and modify:

  • Add
    Entries can be added to the pre-existing set of entries in the directory, as long as they conform to the schema of the directory. Not every attribute defined by the object corresponding to the entry has to be supplied: the object has some mandatory fields that must be filled in, and the rest are optional. When an entry is added to the directory, its DN must be specified so that the LDAP server knows where to graft the entry into the tree. The client must have sufficient privileges to perform an add operation.
  • Delete
    Deleting an entry from the directory is pretty straightforward. We need to specify the DN of the entry that we want to delete. Sufficient privileges are obviously needed to do this.
  • Rename
    Renaming an entry needs to satisfy the following rules:
    • The entry should be present
    • There should not be a pre-existing entry with the same DN
    • The access control rules should permit a rename operation
  • Modify
    Entries can be modified by supplying the LDAP server with the DN of the entry and the set of attributes that need to be modified. The LDAP server performs modifications by changing, deleting, or adding new values for the specified attributes.

LDAP version 2 did not support renaming of a DN; only RDNs could be modified. So to rename a DN under version 2, we needed to copy the entry with its child nodes to the new location in the tree and then delete the old entry and its child nodes.
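The four update operations and the rules attached to them, as an added example in Python (not code from the article or from Professional PHP4 Programming): a toy in-memory directory whose `add`, `delete`, `rename` and `modify` methods apply the checks the text lists (parent entry must exist, mandatory attributes present, rename target free, only leaf entries deletable), plus a `rename_v2` that emulates the LDAPv2 copy-then-delete move of a subtree. The schema, the DNs, the error names and the `permitted` flag standing in for access control are all constructed for illustration; nothing here talks to an LDAP server.

```python
# Added example, not from the article: a toy in-memory directory modelling the four
# LDAP update operations. Schema, DNs and error names are constructed; no server involved.

# Constructed schema: object class -> (mandatory attributes, optional attributes)
SCHEMA = {
    "dcObject": ({"dc"}, set()),
    "organizationalUnit": ({"ou"}, {"description"}),
    "inetOrgPerson": ({"cn", "sn"}, {"mail", "telephoneNumber", "roomNumber"}),
}


def parent_dn(dn):
    """Parent of a DN, or '' for a root entry (naive split on the first comma)."""
    return dn.split(",", 1)[1].strip() if "," in dn else ""


def attempt(fn, *args):
    """Run an update and return the error message, or None if it succeeded."""
    try:
        fn(*args)
        return None
    except ValueError as err:
        return str(err)


class Directory:
    def __init__(self, root_dn, root_attrs):
        # Entries keyed by DN; each value maps an attribute to its list of values.
        self.entries = {root_dn: dict(root_attrs)}

    def children(self, dn):
        return [d for d in self.entries if d.endswith("," + dn)]  # all descendants

    def add(self, dn, attrs):
        # The DN tells the server where to graft the entry into the tree.
        if dn in self.entries:
            raise ValueError("entryAlreadyExists: " + dn)
        if parent_dn(dn) not in self.entries:
            raise ValueError("noSuchObject: parent of %s missing" % dn)
        oc = (attrs.get("objectClass") or [None])[0]
        if oc not in SCHEMA:
            raise ValueError("objectClassViolation: unknown object class")
        mandatory, optional = SCHEMA[oc]
        # Mandatory attributes must be present; optional ones may be omitted.
        missing = mandatory - set(attrs)
        if missing:
            raise ValueError("objectClassViolation: missing %s" % sorted(missing))
        unknown = set(attrs) - mandatory - optional - {"objectClass"}
        if unknown:
            raise ValueError("objectClassViolation: unknown %s" % sorted(unknown))
        self.entries[dn] = {k: list(v) for k, v in attrs.items()}

    def delete(self, dn):
        if dn not in self.entries:
            raise ValueError("noSuchObject: " + dn)
        if self.children(dn):
            raise ValueError("notAllowedOnNonLeaf: " + dn)
        del self.entries[dn]

    def rename(self, old_dn, new_dn, permitted=True):
        """LDAPv3-style rename: check the three rules from the text, then move the subtree."""
        if old_dn not in self.entries:                 # rule 1: the entry must exist
            raise ValueError("noSuchObject: " + old_dn)
        if new_dn in self.entries:                     # rule 2: no entry with the new DN
            raise ValueError("entryAlreadyExists: " + new_dn)
        if not permitted:                              # rule 3: access control (simplified flag)
            raise ValueError("insufficientAccessRights")
        if parent_dn(new_dn) not in self.entries:
            raise ValueError("noSuchObject: parent of %s missing" % new_dn)
        for dn in [old_dn] + self.children(old_dn):
            self.entries[dn[:-len(old_dn)] + new_dn] = self.entries.pop(dn)

    def rename_v2(self, old_dn, new_dn):
        """LDAPv2-style move: copy the entry and its children, then delete the originals."""
        subtree = [old_dn] + self.children(old_dn)
        # Copy shallowest first so every parent exists before its children ...
        for dn in sorted(subtree, key=lambda d: d.count(",")):
            self.add(dn[:-len(old_dn)] + new_dn, self.entries[dn])
        # ... and delete deepest first, because only leaf entries may be deleted.
        for dn in sorted(subtree, key=lambda d: d.count(","), reverse=True):
            self.delete(dn)

    def modify(self, dn, changes):
        """changes: list of (op, attribute, values); op is add, delete or replace."""
        if dn not in self.entries:
            raise ValueError("noSuchObject: " + dn)
        entry = self.entries[dn]
        for op, attr, values in changes:
            if op == "add":
                entry.setdefault(attr, []).extend(values)
            elif op == "delete":
                kept = [v for v in entry.get(attr, []) if v not in values] if values else []
                entry[attr] = kept  # listed values removed; no values given means drop them all
                if not kept:
                    del entry[attr]
            elif op == "replace":
                entry[attr] = list(values)
            else:
                raise ValueError("unknown modification type: " + op)
```

The error names mirror the LDAP result codes a server would return for the corresponding failure, which is what a client sees when one of the rules above is violated.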

Authentication and Control Operations

There are two authentication operations, bind and unbind, and one control operation, abandon:

  • bind
    This operation supplies a DN and a set of authentication credentials to the server. The server decides whether to grant access to the client based on these credentials. The authenticated access remains valid as long as the underlying network connection is alive, or until the client re-authenticates or discards its authentication credentials using the unbind operation.
  • unbind
    The unbind operation takes no arguments. It discards the authentication credentials and terminates the underlying network connection.
  • abandon
    A client might choose to abandon a previous search operation, in which case it uses the abandon operation to drop the previously requested search. The operation specifies the message ID of the search or update operation that was requested earlier.

Security Model

The security model specifies how the contents of the directory can be protected from unauthorized access. It also specifies the scope of access for clients, that is, which clients can access which parts of the directory tree and whether they can perform update operations, interrogation operations, or both on that part of the tree.

In LDAPv2, LDAP clients provide a DN and a clear-text password to the server. The password is the authentication credential and the DN defines the scope of authentication. However, this method is susceptible to a malicious user who steals passwords by eavesdropping on the network. More recently this has been prevented by using the Kerberos authentication protocol.

Since LDAPv3, SASL handles authentication and security. SASL is merely a standard way of plugging in different authentication protocols that do the actual work of authentication and enforcement of security. As we have seen, SSL is one such protocol that plugs into the SASL model and is almost the de facto standard for secure communications over TCP/IP networks.

The successor to SSL is TLS (Transport Layer Security), which is also a pluggable authentication scheme supported by several LDAP vendors. In the future, LDAP implementations are expected to use the startTLS mechanism to encrypt a communication channel, and TLS for clients to authenticate themselves and to verify the identity of servers. Please see RFC 2487 for more information on startTLS.

Currently LDAP does not have an inherent standard means to enforce access control. However, most LDAP vendors have some access control model built into their implementations. Access control is significant because it allows the owners of information to modify it. For example, the access control policy of a directory can be set up such that a user can change his telephone number and address but cannot modify any other entries, a manager can modify his entry and all the entries belonging to his subordinates, or a facilities administrator can modify the room number and telephone number of all employees and nothing else.
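The three-role policy in the paragraph above (self-service telephone number and address, a manager over his own entry and his subordinates' entries, a facilities administrator over room and telephone numbers only) written out as a decision function, as an added example in Python that is neither the article's code nor any vendor's access control syntax. The entries, the `manager` attribute used to derive the reporting chain, and the set of facilities administrators are constructed for illustration.

```python
# Added example, not from the article: evaluating the three-role access control
# policy the text describes over a constructed directory. Entries, the 'manager'
# attribute and the facilities-admin set are constructed; no vendor ACL syntax is used.

PEOPLE = "ou=people,dc=example,dc=com"

# Constructed entries: DN -> attributes. 'manager' holds the DN the employee reports to.
ENTRIES = {
    "cn=alice," + PEOPLE: {"telephoneNumber": ["555-0100"], "roomNumber": ["101"]},
    "cn=bob," + PEOPLE: {"manager": ["cn=alice," + PEOPLE], "telephoneNumber": ["555-0101"]},
    "cn=carol," + PEOPLE: {"manager": ["cn=bob," + PEOPLE], "roomNumber": ["103"]},
    "cn=frank," + PEOPLE: {"manager": ["cn=alice," + PEOPLE], "roomNumber": ["104"]},
}

# Constructed policy data
FACILITIES_ADMINS = {"cn=frank," + PEOPLE}
SELF_WRITABLE = {"telephoneNumber", "postalAddress"}     # a user may change these on his own entry
FACILITIES_WRITABLE = {"roomNumber", "telephoneNumber"}  # facilities may change these on anyone


def is_subordinate(entries, manager_dn, target_dn):
    """True if manager_dn appears anywhere in target_dn's chain of managers."""
    seen = set()
    dn = target_dn
    while dn in entries and dn not in seen:  # 'seen' guards against cyclic manager data
        seen.add(dn)
        dn = entries[dn].get("manager", [None])[0]
        if dn == manager_dn:
            return True
    return False


def has_reports(entries, dn):
    """A manager is anyone at least one entry reports to."""
    return any(dn in e.get("manager", []) for e in entries.values())


def check_modify(entries, bind_dn, target_dn, attribute):
    """Return (allowed, reason) for bind_dn changing `attribute` on target_dn."""
    if bind_dn is None or bind_dn not in entries:
        return False, "unauthenticated or unknown bind DN"
    if target_dn not in entries:
        return False, "noSuchObject"
    # Rule 1: a user may change his own telephone number and address, nothing else.
    if bind_dn == target_dn and attribute in SELF_WRITABLE:
        return True, "own entry, self-writable attribute"
    # Rule 2: a manager may modify his own entry and those of his subordinates.
    if has_reports(entries, bind_dn) and (
        bind_dn == target_dn or is_subordinate(entries, bind_dn, target_dn)
    ):
        return True, "manager of the target entry"
    # Rule 3: facilities may change room and telephone numbers of all employees.
    if bind_dn in FACILITIES_ADMINS and attribute in FACILITIES_WRITABLE:
        return True, "facilities administrator, facilities-writable attribute"
    return False, "no rule grants write access"


def may_modify(entries, bind_dn, target_dn, attribute):
    return check_modify(entries, bind_dn, target_dn, attribute)[0]
```

Because the default is to deny and each rule only grants, adding a new role means adding a rule rather than reopening the existing ones; the reason string is what an administrator would want logged alongside each refused modification.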

Stay tuned for Part 2 next week!

Professional PHP4 Programming