Managing NFS and NIS, 2nd Edition - Mike Eisler [23]
X.500
Around the same time DNS and NIS were being designed and deployed, the International Standards Organization (ISO) started meeting to define an ISO standard directory, called X.500. X.500 shares DNS's and NIS+'s attributes for hierarchical operation, and NIS+'s attributes for security and simple update. X.500 differs from DNS, NIS, and NIS+ in the following ways:
X.500 is very explicit about what each level of the hierarchy of a domain name looks like. If you see a domain name like:
chicago.manufacturing.widget.com
it could easily be a DNS, NIS, or NIS+ name, and it could very well be for a host or a domain. Moreover, while it might seem like chicago.manufacturing.widget.com refers to a subdomain of hosts located in the city of Chicago, assigned to Widget, Inc.'s manufacturing division, it could just as easily refer to a handheld computer on space station Alpha. This ambiguity is a concern to some folks. Hence, X.500 explicitly identifies what each level of the hierarchy means. For example, the X.500 distinguished name corresponding to the DNS-style name chicago.manufacturing.widget.com would be:
{ Country = US, Organization = Widget, Inc., Organizational Unit = Manufacturing, Location = Chicago }
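To make the naming point concrete, here is an added example (not from the book) in Python that builds the LDAP string form of that distinguished name and parses it back. The string form and its escaping rules follow RFC 4514, which the book's brace notation does not use; the attribute abbreviations c, o, ou and l are the standard LDAP short names for Country, Organization, Organizational Unit and Location. The comma inside "Widget, Inc." is the interesting part: unless it is escaped, a reader of the string cannot tell where one level of the hierarchy ends and the next begins.

```python
# Added example, not from the book: RFC 4514 string form of an X.500
# distinguished name, with the escaping needed to keep levels unambiguous.

# Characters that must be escaped wherever they occur in an attribute value.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value):
    """Escape one attribute value for use inside an RFC 4514 DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:               # a leading '#' would be read as hex data
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing space must be escaped
            out.append('\\ ')
        elif ord(ch) < 0x20:                     # control characters as \XX hex pairs
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def build_dn(components):
    """components: list of (attribute type, value), most specific level first."""
    return ','.join('%s=%s' % (t, escape_rdn_value(v)) for t, v in components)

def parse_dn(dn):
    """Split a DN string into (type, value) pairs, honouring backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in ' #=':
                cur.append(nxt)                  # escaped literal character
                i += 2
            else:
                cur.append(chr(int(dn[i + 1:i + 3], 16)))  # \XX hex pair
                i += 3
            continue
        if ch == ',':                            # an unescaped comma ends a level
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    result = []
    for p in parts:
        t, _, v = p.partition('=')               # type never contains '='
        result.append((t.strip(), v))
    return result

def naive_split(dn):
    """What a reader who ignores escaping sees: one piece per comma."""
    return dn.split(',')

# The book's example, most specific level first (LDAP order), as data.
BOOK_EXAMPLE = [("l", "Chicago"), ("ou", "Manufacturing"),
                ("o", "Widget, Inc."), ("c", "US")]

if __name__ == "__main__":
    dn = build_dn(BOOK_EXAMPLE)
    print(dn)                                    # o=Widget\, Inc. keeps four levels
    print(parse_dn(dn))
    # Constructed: the same name with the comma left unescaped reads as five levels.
    print(naive_split("l=Chicago,ou=Manufacturing,o=Widget, Inc.,c=US"))
```

Escaping matters beyond readability: a DN that is assembled from unescaped input can be read back as a different number of levels than the author intended, so any code that composes DNs from data should go through an escaping routine like the one above rather than string concatenation.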
X.500 supports the notion of schema. A schema is a set of rules for what can be stored in a database. Defining a directory schema is useful when performing search operations on a directory. Say a database includes the hire dates of employees, and you want to search for all employees hired between a particular range of dates. Because the X.500 directory is "aware" that the field being searched is a date, it is possible to let the directory server do all the work of finding the matches. With DNS, NIS, and NIS+, you would be compelled to read every directory entry from the server, and perform the operation on the client, because the server treats the information opaquely. The X.500 way saves network bandwidth.
For many common databases, X.500 is overkill, but there are situations where having an X.500 schema is handy. Say you want to find all the hosts that are in the 192.1.1 network. If you defined X.500's equivalent to the hosts database with a schema that had substring matching rules, this would be easy and efficient.
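The two searches just described, the hire-date range and the hosts on the 192.1.1 network, are worked through below in an added Python example that is not from the book. It models a toy schema-aware directory: the server knows from its schema that hireDate is ordered as a date and that ipHostNumber supports substring patterns, so it evaluates an LDAP-style filter (a small subset of the RFC 4515 filter syntax) itself and returns only the matches. The attribute names, matching-rule names and sample entries are constructed for illustration; the filter-escaping routine is the practitioner's safeguard when a filter value comes from user input.

```python
# Added example, not from the book: a toy schema-aware directory whose server
# evaluates an LDAP-style search filter (RFC 4515 subset) against typed
# attributes.  Attribute names, rule names and entries are constructed.
import re
from datetime import date, datetime

# Constructed sample entries.
EMPLOYEES = [
    {"cn": "alice", "hireDate": date(1998, 3, 2)},
    {"cn": "bob",   "hireDate": date(1999, 11, 15)},
    {"cn": "carol", "hireDate": date(2000, 6, 30)},
]
HOSTS = [
    {"cn": "web1", "ipHostNumber": "192.1.1.10"},
    {"cn": "db1",  "ipHostNumber": "192.1.12.7"},   # similar prefix, different network
    {"cn": "mail", "ipHostNumber": "10.1.1.5"},
    {"cn": "web2", "ipHostNumber": "192.1.1.200"},
]

# The schema tells the server how each attribute is compared.  DNS, NIS and NIS+
# have no such table: the server hands back raw records and the client matches.
SCHEMA = {
    "hireDate":     "generalizedTimeOrderingMatch",   # ordering on a date, not a string
    "ipHostNumber": "caseIgnoreIA5SubstringsMatch",   # supports "abc*" style patterns
    "cn":           "caseIgnoreMatch",
}

def filter_escape(value):
    """RFC 4515 escaping: a value placed in a filter can never open or close an item."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def hire_date_range_filter(lo, hi):
    """Employees hired between lo and hi inclusive: an AND of two ordering items."""
    gt = lambda d: d.strftime("%Y%m%d%H%M%SZ")        # GeneralizedTime, as LDAP stores it
    return "(&(hireDate>=%s)(hireDate<=%s))" % (gt(lo), gt(hi))

def network_filter(prefix):
    """Hosts in a dotted prefix such as "192.1.1"; the trailing '.' keeps
    192.1.12.x from matching, and escaping keeps user input inside the value."""
    return "(ipHostNumber=%s.*)" % filter_escape(prefix)

def _substr_regex(pattern):
    # '*' separates substring components; a literal '*' in data arrives escaped as \2a.
    pieces = [re.escape(_unescape(p)) for p in pattern.split('*')]
    return re.compile('^' + '.*'.join(pieces) + '$', re.IGNORECASE)

def _matches(entry, attr, op, value):
    if attr not in entry:
        return False
    stored, rule = entry[attr], SCHEMA.get(attr)
    if rule == "generalizedTimeOrderingMatch":
        asserted = datetime.strptime(value, "%Y%m%d%H%M%SZ").date()
        return {">=": stored >= asserted, "<=": stored <= asserted, "=": stored == asserted}[op]
    if op != "=":
        raise ValueError("%s has no ordering rule in the schema" % attr)
    if rule == "caseIgnoreIA5SubstringsMatch" and "*" in value:
        return _substr_regex(value).match(stored) is not None
    return stored.lower() == _unescape(value).lower()

_ITEM = re.compile(r'^\((\w+)(>=|<=|=)([^()]*)\)$')

def evaluate(flt, entry):
    """Evaluate a filter (an AND of simple items, or a single item) against one entry."""
    if flt.startswith("(&"):
        return all(evaluate(item, entry) for item in re.findall(r'\([^()]*\)', flt[2:-1]))
    m = _ITEM.match(flt)
    if not m:
        raise ValueError("unsupported filter: %s" % flt)
    return _matches(entry, *m.groups())

def server_search(entries, flt):
    """Schema-aware server: only the matching entries cross the network."""
    return [e["cn"] for e in entries if evaluate(flt, e)]

def opaque_search(entries, predicate):
    """DNS/NIS-style: every entry crosses the network and the client does the matching.
    Returns (entries transferred, names matched)."""
    return len(entries), [e["cn"] for e in entries if predicate(e)]

if __name__ == "__main__":
    print(server_search(EMPLOYEES, hire_date_range_filter(date(1999, 1, 1), date(1999, 12, 31))))
    print(server_search(HOSTS, network_filter("192.1.1")))
    print(opaque_search(HOSTS, lambda e: e["ipHostNumber"].startswith("192.1.1.")))
```

The two search functions make the bandwidth argument visible: server_search returns two of the four host entries, while opaque_search has to move all four to the client before the same two can be picked out. The date comparison also shows why the schema matters: because the server knows hireDate is a GeneralizedTime, the range test is a real date comparison rather than an opaque string match.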
Lightweight Directory Access Protocol (LDAP)
X.500 has a protocol called the Directory Access Protocol (DAP) to allow clients to access X.500 servers. DAP was designed to operate over ISO's Open Systems Interconnect (OSI) transport and network protocols. Once upon a time, people believed that TCP/IP would wither away and be replaced by OSI. As it turned out, too many people had deployed TCP/IP-based networks, and they saw no compelling reason to switch to OSI. Despite OSI mandates by most governments in the developed world, the Internet transport and network protocols persisted, and it was obvious by 1994, if not earlier, that the OSI transport and network protocols were dead. As discussed earlier, however, X.500 has some extremely attractive properties for a directory, but it comes with the baggage of the OSI transport and complex ASN.1 encoding. The Lightweight Directory Access Protocol (LDAP) was invented to allow clients using TCP/IP and simpler encoding schemes to take advantage of the richness of the X.500 directory service.
Another difference between LDAP and DAP is that LDAP is under the control of the Internet Engineering Task Force (IETF), the same organization that produced the standards behind the Internet. Whether intended or not, the effect is to get IETF to buy into X.500, whereas previously IETF had no control over OSI transport and network, and so it was much harder (and eventually impossible) to get IETF to accept OSI transport and network.
LDAP specifies lots of different security flavors, including ones based on public key certificates and Kerberos V5.
At the time this book was written, LDAP was only starting to be integrated with operating systems. Windows 2000 is the first such offering from Microsoft. Solaris 8 includes a fully integrated LDAP client, but no server.
NT