lvhuiqing
LDAP Schema Design: Synopsis


Synopsis

It is possible to make one LDAP directory serve many applications in an organisation. This has the advantage of reducing the effort required to maintain the data, but it does mean that the design must be thought out very carefully before implementation starts.

LDAP directories are structured as a tree of entries, where each entry consists of a set of attribute-value pairs describing one object. The objects are often people, organisations, and departments, but can be anything at all. Schema is the term used to describe the shape of the directory and the rules that govern its content.

A hypothetical organisation is described, with requirements for a "white pages" directory service as well as a wide range of authentication, authorisation, and application-specific directory needs. The issues arising from the LDAP standards are discussed, along with the problems of maintaining compatibility with a range of existing LDAP clients.

A plan is proposed for the layout of the directory tree, with particular emphasis on avoiding the need to re-organise it later. This involves careful separation of the data describing people, departments, groups, and application-specific objects. A simple approach to entry design is shown, based on the use of locally-defined auxiliary object classes. The effects of schema design on lookup performance are discussed. Some design tricks and pitfalls are presented, based on recent consulting experience.

1 LDAP

LDAP can be used to access information describing people, organisations, roles, services, and many other sorts of entity. It is a standard and widely-implemented protocol, which makes it extremely valuable for integrating multiple applications that need to share common data.

It is important to understand the LDAP data model when considering schema. It is different from the relational model used by most well-known database systems, and this affects the way LDAP systems are designed and used.

Strictly speaking, LDAP is a protocol - the Lightweight Directory Access Protocol. It is not a database or even a directory, although the term "LDAP directory" is often used to describe a directory service that is accessed using the LDAP protocol. LDAP derives from the X.500/ISO-9594 standards, and was originally intended as a simplified protocol for small computers to use when accessing X.500 systems. In recent years LDAP has expanded and is now just as complex as X.500, but it still shares the same data model and part of the same distributed-service model.

[RFC3377]

1.1 The LDAP data structure

An LDAP directory stores information in a tree structure known as the Directory Information Tree (DIT). The nodes in the tree are directory entries, and each entry contains information in attribute-value form. Some attributes may have multiple values; others are restricted to a single value. The set of attributes that may be present in an entry is determined by the objectClass attribute, which is always present. objectClass is a multi-valued attribute, and each value defines a set of mandatory and/or optional attributes.

Each node in the DIT has a name called the Relative Distinguished Name (RDN), which is unique among the peer nodes under its parent. It also has a globally-unique name called the Distinguished Name (DN), made up from the name of the node itself plus the names of all its superior nodes up to the root of the DIT.
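The rules of this section worked through in code. This is an added example, not code from the paper the page translates or from any LDAP server: it parses a constructed LDIF fragment against a hand-written subset of the RFC 4519/RFC 2798 schema and checks that each DN is the entry's RDN joined to an existing parent DN, that the RDN value appears among the entry's own values, and that the entry's attributes are governed by its objectClass values (MUST, MAY and SINGLE-VALUE, following SUP chains as a server does). The LDIF data is invented; DN parsing ignores escaped commas and compares values case-sensitively, which real servers do not.

```python
from collections import defaultdict
# Assumed schema subset (RFC 4519 / RFC 2798), names lower-cased: class -> (SUP, MUST, MAY).
SCHEMA = {
    "top":                  (None, {"objectclass"}, set()),
    "domain":               ("top", {"dc"}, {"description"}),
    "organizationalunit":   ("top", {"ou"}, {"description"}),
    "person":               ("top", {"sn", "cn"}, {"userpassword", "telephonenumber"}),
    "organizationalperson": ("person", set(), {"title", "ou"}),
    "inetorgperson":        ("organizationalperson", set(), {"uid", "mail", "displayname"}),
}
SINGLE_VALUED = {"displayname"}  # declared SINGLE-VALUE in RFC 2798

# Constructed LDIF (invented data) that deliberately breaks four of the rules checked below.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=jsmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jsmith
cn: Jane Smith
sn: Smith
displayName: Jane
displayName: Janey

dn: uid=bad,ou=Missing,dc=example,dc=com
objectClass: inetOrgPerson
uid: bad
cn: Bad Entry
favouriteColour: blue
"""

def parse_ldif(text):
    """Parse a simple LDIF fragment (no continuation lines or base64) into [(dn, {attr: [values]})]."""
    entries, cur = [], None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur = (value, defaultdict(list))
        elif cur is not None:
            cur[1][name].append(value)
    return entries

def split_dn(dn):
    """'uid=x, OU=People,dc=example,dc=com' -> ['uid=x', 'ou=People', 'dc=example', 'dc=com'].
    Attribute types are lower-cased; escaped commas are not handled (simplification)."""
    return [f"{t.strip().lower()}={v.strip()}" for t, _, v in (p.partition("=") for p in dn.split(","))]

def allowed_attributes(object_classes):
    """MUST and MAY over the objectClass values and their SUP chains, as a server resolves
    them: an inetOrgPerson entry must still satisfy person (sn and cn)."""
    must, may, todo = set(), set(), [oc.lower() for oc in object_classes]
    while todo:
        oc = todo.pop()
        if oc in SCHEMA:
            sup, m, o = SCHEMA[oc]
            must, may = must | m, may | o
            if sup:
                todo.append(sup)
    return must, may

def validate_dit(entries):
    """Return the rule violations found in the parsed entries."""
    errors = []
    dns = {",".join(split_dn(dn)) for dn, _ in entries}
    suffix_depth = min((len(split_dn(dn)) for dn, _ in entries), default=0)
    for dn, attrs in entries:
        rdns = split_dn(dn)
        # DN = own RDN + parent DN, so the parent entry must exist (except for the suffix entry).
        parent = ",".join(rdns[1:])
        if len(rdns) > suffix_depth and parent not in dns:
            errors.append(f"{dn}: parent entry '{parent}' does not exist")
        # The RDN's attribute value must also be one of the entry's own values (RFC 4512).
        rtype, rval = rdns[0].split("=", 1)
        if rval not in attrs.get(rtype, []):
            errors.append(f"{dn}: RDN value not present in entry attributes")
        must, may = allowed_attributes(attrs.get("objectclass", []))
        for attr in sorted(must - set(attrs)):
            errors.append(f"{dn}: missing mandatory attribute '{attr}'")
        for attr, values in attrs.items():
            if attr not in must and attr not in may:
                errors.append(f"{dn}: attribute '{attr}' not allowed by objectClass values")
            if attr in SINGLE_VALUED and len(values) > 1:
                errors.append(f"{dn}: attribute '{attr}' is SINGLE-VALUE but has {len(values)} values")
    return errors

def check_sample():
    return validate_dit(parse_ldif(SAMPLE_LDIF))
```

`check_sample()` reports four violations: two `displayName` values on the jsmith entry, and on the `uid=bad` entry a parent (`ou=Missing`) that does not exist, a missing mandatory `sn`, and a `favouriteColour` attribute that no objectClass value permits. Note that the entry carries only `objectClass: inetOrgPerson`; the `sn` requirement comes from `person` through the SUP chain, which is why adding a class to an entry can make it invalid.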

1.2 The LDAP Distributed Service model

X.500 was conceived as a global directory service. As such, it was expected to hold hundreds of millions of entries and be managed by thousands of different organisations. This led to a service model based on many co-operating servers known as DSAs (Directory System Agents). Each DSA can hold data from one or more arcs of the DIT, and is provided with "knowledge" so that it can direct queries for non-local data to the appropriate place. Queries are expected to outnumber updates by a very large factor, and absolute data consistency across the DIT is not supported, so data can be replicated easily for performance and resilience.

An LDAP server is effectively a DSA and it follows the same rules, though LDAP does not have such a good distributed-service model for very large networks. Most current LDAP deployments are limited to operation within a single organisation, so although data replication is commonly used, the other features of the distributed service model do not get so much exercise. X.500 and LDAP have many similarities with DNS in terms of data model and service model, but the directory systems are capable of more complex operations.
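A small simulation of the knowledge model described above, added here as an example (it is not from the paper and not a real server implementation). Each DSA holds one or more naming contexts, has knowledge references to the DSAs holding subordinate arcs, and optionally a superior reference for everything else; a request is served locally when the longest matching arc is local, otherwise the DSA answers with a referral carrying an LDAP URL, which the client chases until some DSA answers. Server names, URLs and naming contexts are invented; DN matching is a lower-cased suffix comparison that ignores escaped commas.

```python
def dn_parts(dn):
    """Lower-cased RDN list; escaped commas are not handled (simplification)."""
    return [p.strip().lower() for p in dn.split(",")]

def is_under(base_dn, context):
    """True when base_dn lies in the arc of the DIT rooted at context."""
    b, c = dn_parts(base_dn), dn_parts(context)
    return len(b) >= len(c) and b[-len(c):] == c

class DSA:
    """One directory server: the arcs it holds, plus knowledge of who holds the rest."""

    def __init__(self, name, url, local_contexts, superior=None):
        self.name, self.url = name, url
        self.local = list(local_contexts)   # naming contexts mastered (or replicated) here
        self.knowledge = {}                 # subordinate context -> URL of the DSA holding it
        self.superior = superior            # where to send anything outside everything we know

    def add_knowledge(self, context, url):
        self.knowledge[context] = url

    def resolve(self, base_dn):
        """Decide where a request for base_dn is served. The longest matching arc wins,
        so a subordinate context held elsewhere takes precedence over our own parent arc."""
        arcs = {c: None for c in self.local}
        arcs.update(self.knowledge)
        matching = [c for c in arcs if is_under(base_dn, c)]
        if matching:
            best = max(matching, key=lambda c: len(dn_parts(c)))
            if arcs[best] is None:
                return ("local", self.name)
            return ("referral", f"{arcs[best]}/{base_dn}")   # an LDAP URL, as in a referral result
        if self.superior:
            return ("referral", f"{self.superior}/{base_dn}")
        return ("noSuchObject", None)

def chase(servers, start_url, base_dn, max_hops=5):
    """Client-side referral chasing: follow referrals until a DSA answers locally.
    Returns (name of the answering DSA or an error code, number of hops taken)."""
    url, hops = start_url, 0
    while hops <= max_hops:
        status, target = servers[url].resolve(base_dn)
        if status == "local":
            return (servers[url].name, hops)
        if status != "referral":
            return (status, hops)
        url = target.rsplit("/", 1)[0]   # strip the DN part of the LDAP URL
        hops += 1
    return ("referralLimitExceeded", hops)

def build_example():
    """Three co-operating DSAs (invented): root holds dc=example,dc=com, people holds
    ou=People beneath it, eng holds ou=Eng beneath that. Each DSA knows only its own children."""
    root = DSA("root", "ldap://root.example.com", ["dc=example,dc=com"])
    people = DSA("people", "ldap://people.example.com",
                 ["ou=People,dc=example,dc=com"], superior=root.url)
    eng = DSA("eng", "ldap://eng.example.com",
              ["ou=Eng,ou=People,dc=example,dc=com"], superior=people.url)
    root.add_knowledge("ou=People,dc=example,dc=com", people.url)
    people.add_knowledge("ou=Eng,ou=People,dc=example,dc=com", eng.url)
    return {d.url: d for d in (root, people, eng)}
```

With `build_example()`, a search for `uid=alice,ou=Eng,ou=People,dc=example,dc=com` sent to `root` is referred to `people`, which refers it on to `eng` (two hops), because each DSA only knows its immediate subordinates; a request sent to `eng` for `ou=Groups,dc=example,dc=com` climbs the superior references back to `root`. A DN outside every known arc at a DSA with no superior reference gets `noSuchObject`, which is also the behaviour this model shares with DNS delegation: knowledge flows along the tree, not across it.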
