LDAP for StreetTalk
Introduction to the Guide
LDAP (Lightweight Directory Access Protocol) for StreetTalk Administrator's Guide provides details about using LDAP for StreetTalk software to let LDAP-enabled clients access your StreetTalk information. With LDAP for StreetTalk installed on your StreetTalk for Windows NT network, users can use LDAP-compliant clients such as Netscape® Communicator mail and Microsoft® Outlook Express to search for information in StreetTalk.
Note: This LDAP for StreetTalk Administrator's Guide is applicable to LDAP for StreetTalk versions 3.5 and 3.6.
This guide is intended for network administrators who install and manage LDAP for StreetTalk services on StreetTalk for Windows NT servers. LDAP for StreetTalk is based on LDAP version 3 and provides LDAP version 2 and LDAP version 3 compliance. Readers of this administrator's guide should be familiar with LDAP, StreetTalk, STDA, and directory services.
The following summarizes each chapter of this guide:
Chapter 1, LDAP for StreetTalk Service - Discusses the concepts underlying the LDAP for StreetTalk directory service.
Chapter 2, Configuring LDAP for StreetTalk Services - Details how to use LDAP Configuration Manager to configure LDAP for StreetTalk version 3.5 directory software.
Chapter 3, Using LDAP Configuration Manager to Manage LDAP Schema - Explains how to use LDAP Configuration Manager to manage the LDAP directory.
Chapter 4, LDAP Command Line Tools - Details the LDAP command line utilities provided when you install LDAP for StreetTalk. You use command line tools to manage LDAP for StreetTalk version 3.5 database entries, and for troubleshooting the directory database.
Chapter 5, Using LDAP for StreetTalk with LDAP Applications - Explains how to configure and use LDAP for StreetTalk with selected LDAP applications. Provides details about using n-level names and directory synchronization to let LDAP for StreetTalk and other LDAP applications share directory data and maintain matching directory information.
Appendix A, Using Web Browsers to Search LDAP - Introduces how to use the mail clients in LDAP-compliant web browsers to search the LDAP directory.
Appendix B, Directory Concepts - Reviews directory services, the Lightweight Directory Access Protocol (LDAP), and Banyan StreetTalk directory service, and how LDAP and STDA (StreetTalk Directory Assistance) work with one another to provide LDAP access to StreetTalk information.
Chapter 1 - LDAP for StreetTalk Service
LDAP for StreetTalk software, installed on StreetTalk for Windows NT servers, provides Lightweight Directory Access Protocol (LDAP) access to StreetTalk databases running on StreetTalk for Windows NT and native VINES servers.
LDAP for StreetTalk version 3.5 services provide LDAP version 3 and LDAP version 2 access to your StreetTalk directory. This chapter describes the LDAP for StreetTalk service and how it interacts with your StreetTalk database.
This chapter discusses:
- LDAP for StreetTalk features
- How LDAP for StreetTalk works with StreetTalk and STDA
- LDAP for StreetTalk and StreetTalk directory structure
- Platforms and protocols
- STDA configuration guidelines
- Access Control Lists
LDAP for StreetTalk Features
LDAP for StreetTalk service supports:
LDAP for StreetTalk tools - LDAP for StreetTalk service provides the following management tools:
- LDAP Configuration Manager - Helps you configure the LDAP for StreetTalk service.
- Command line tools ldapdel, ldapmod, ldcomp, ldmodrdn, and ldsearch - Commands to help you find and manage entries in an LDAP Directory Information Tree (DIT) and display the information you want. Refer to Appendix B for more discussion of the DIT.
Multi-valued Attributes - When you install LDAP for StreetTalk, you install enhancements to your LDAP server's StreetTalk and STDA services to support StreetTalk attributes that have more than one value (called multi-valued attributes or MVA). LDAP allows attributes to have more than one value, such as two or three phone numbers in the attribute telephoneNumber, or multiple name variations in the cn attribute, such as M. Dawes, Mary Dawes, and Mary Dawes, Ph.D.
As an example of a multiple valued attribute in StreetTalk, think of a StreetTalk list as an attribute, and each member of the list as a value of the attribute, so that the list is a multi-valued attribute.
Write access - Enables network administrators and designated users to modify entries in the LDAP database. Entries can be added, modified, and deleted directly in the LDAP database as well as being changed in StreetTalk and then appearing in LDAP after the next STDA rebuild completes. When you add entries to your LDAP database, LDAP copies the entries to the StreetTalk service on the appropriate server.
Referrals - Enables an LDAP server that does not store the requested data to refer the client to another LDAP server that may contain the data. Refer to "Referrals" later in this chapter for additional information about configuring and using referrals.
Access control - Enables network administrators to control which users can access the LDAP directory, and what LDAP operations users can perform. LDAP for StreetTalk uses an Access Control List (ACL) in combination with StreetTalk Admin lists to set and determine user security settings.
Client support - LDAP for StreetTalk supports LDAP version 3 or LDAP version 2 compatible clients, such as Netscape Communicator or Microsoft Internet Explorer 3.0 or later.
How LDAP For StreetTalk Works with StreetTalk and STDA
Installing LDAP for StreetTalk software adds the LDAP for StreetTalk service and database to your StreetTalk for Windows NT server. Figure 1-1 shows how the LDAP for StreetTalk service integrates with your StreetTalk for Windows NT tools and applications.
LDAP for StreetTalk Components
LDAP for StreetTalk software includes the LDAP for StreetTalk service software, a Windows-based LDAP for StreetTalk management tool, and five command-line management tools. You purchase other Banyan and LDAP applications separately. Documentation for LDAP for StreetTalk for Windows NT is included as well.
LDAP for StreetTalk software includes the following components:
LDAP for StreetTalk service - Executables for creating and using the LDAP database.
LDAP Configuration Manager - An LDAP service management tool. LDAP Configuration Manager lets you:
- Configure LDAP for StreetTalk service on the host machine or on remote machines
- Add to, delete from, or modify the schema of an LDAP for StreetTalk service by modifying object classes, attributes, or matching rules
Command line utilities - Tools for managing entries in the LDAP database, and for batch file command processing to make multiple changes to the database. Refer to Chapter 4 for information about using the command line tools:
ldsearch - Executes an LDAP search against directory entries in the LDAP database and provides options that specify the starting point, depth, and criteria for an LDAP search.
ldapdel - Deletes an LDAP database entry referenced in the command.
ldapmod - Adds or modifies an LDAP database entry whose Distinguished Name (DN) is listed in the command.
ldmodrdn - Modifies an LDAP database entry whose relative distinguished name (RDN) is provided in the command.
ldcomp - Compares the asserted attribute value in the command to the same attribute in the LDAP database entry listed in the command.
LDAP for StreetTalk and StreetTalk Directory Tree Structure
The LDAP for StreetTalk database hierarchy automatically reflects the hierarchy of your existing StreetTalk database as managed by StreetTalk Directory Assistance (STDA) service. However, to use LDAP for StreetTalk service, you must define the location of the LDAP for StreetTalk directory within the general LDAP Directory Information Tree.
Figure 1-2 shows how an LDAP for StreetTalk database fits within an LDAP directory information tree.
After you install LDAP for StreetTalk, you must configure the LDAP for StreetTalk database to fit appropriately within the global LDAP Directory Information Tree. This configuration involves using the Service Control dialog of LDAP Configuration Manager to define the suffix string to StreetTalk for Windows NT.
The directory suffix string you specify identifies the root of the LDAP for StreetTalk directory within the LDAP Directory Information Tree. All LDAP for StreetTalk entries reside beneath this root. The suffix string is a comma-separated list of LDAP values, beginning with the lowest LDAP entry and ending with the highest. The suffix string represents your organization's place in the global LDAP tree even if you plan only intranet usage.
In Figure 1-2, the LDAP for StreetTalk database, comprising the WCTUS1 and WCTUS2 organizations is positioned as a subdirectory to the LDAP l=Boston directory entry. LDAP entry l=Boston is the root of the LDAP for StreetTalk database. The string l=Boston, o=WCT, c=US defines the location of the LDAP for StreetTalk database within the global LDAP tree. This suffix string includes all levels of the global LDAP tree that do not represent StreetTalk items, groups, and organizations.
Use the Service Control dialog of LDAP Configuration Manager to configure the suffix string in LDAP for StreetTalk. Refer to Chapter 2 for information about using LDAP Configuration Manager to configure your LDAP for StreetTalk service.
Consider the X.521 standard when you define the suffix for your LDAP installation. The X.521 standard specifies that an LDAP organization (o=) cannot have another organization (o=) as a direct subordinate. If the l=Boston level were removed, the example in Figure 1-2 would not comply with X.521 recommendations because the revised string would be o=WCTUS, o=WCT, c=US. LDAP for StreetTalk service does not enforce this requirement.
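The suffix and naming rules above, as an added example (not code from the LDAP for StreetTalk product): it builds the DN of a StreetTalk item@group@org name beneath a configured suffix, using the attribute mapping given later in this chapter (user or list -> cn, group -> ou, organization -> o), and lints the result for the X.521 rule that the service itself does not enforce. WCT, Boston and WCTUS1 come from the guide's Figure 1-2; mdawes and Sales are constructed sample names.

```python
"""Build the DN of a StreetTalk name under a configured suffix and lint the
suffix against the X.521 rule described above: an organization (o=) must not
be the direct subordinate of another organization (o=).

Added example, not code from the LDAP for StreetTalk product. The attribute
mapping (user or list -> cn, group -> ou, organization -> o) follows the
StuffCommonAttrs table later in this chapter; WCT, Boston and WCTUS1 are the
guide's Figure 1-2 values, mdawes and Sales are constructed sample names.
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("o", "WCT")


def parse_dn(dn: str) -> List[RDN]:
    """Split a comma-separated DN into (type, value) pairs, lowest entry first.

    Types are lower-cased because that is how they are compared; values keep
    their case. Only the simple DN syntax used in this guide is handled (no
    escaped commas, no multi-valued RDNs).
    """
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def x521_violations(dn: str) -> List[str]:
    """List every place where an o= entry sits directly beneath another o=.

    LDAP for StreetTalk does not enforce this itself, so check a suffix before
    entering it in the Service Control dialog.
    """
    rdns = parse_dn(dn)
    return [f"o={low[1]} is directly under o={high[1]}"
            for low, high in zip(rdns, rdns[1:])
            if low[0] == "o" and high[0] == "o"]


def streettalk_to_dn(name: str, suffix: str) -> str:
    """Map a StreetTalk item@group@org name to its DN beneath the suffix.

    The organization becomes o=, the group ou= and the item cn=, followed by
    the suffix, lowest entry first. The whole DN is linted, not just the
    suffix: a suffix that itself starts with o= would put every StreetTalk
    organization directly under an organization.
    """
    parts = name.split("@")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected item@group@org, got {name!r}")
    item, group, org = parts
    full = f"cn={item}, ou={group}, o={org}, {suffix}"
    problems = x521_violations(full)
    if problems:
        raise ValueError("; ".join(problems))
    return full


if __name__ == "__main__":
    suffix = "l=Boston, o=WCT, c=US"  # the suffix from Figure 1-2
    print(streettalk_to_dn("mdawes@Sales@WCTUS1", suffix))
    # Dropping l=Boston reproduces the non-compliant case the text describes.
    print(x521_violations("o=WCTUS1, o=WCT, c=US"))
```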
Platforms and Protocols
LDAP for StreetTalk software, installed on a StreetTalk for Windows NT server, provides LDAP access to StreetTalk databases running on StreetTalk for Windows NT and native VINES servers.
Table 1-1 outlines the platforms and protocols required to support LDAP for StreetTalk software. Refer to LDAP for StreetTalk Installation Guide for a more thorough discussion of the prerequisites for installing LDAP for StreetTalk on your StreetTalk for Windows NT server.
|Component|Platform|Protocol|
|LDAP Configuration Manager|Windows 95, Windows 98, or Windows NT|TCP/IP|
|LDAP Command Line Tools|Windows 95, Windows 98, or Windows NT|TCP/IP|
|Documentation .HTM files|Windows 95, Windows 98, or Windows NT|N/A|
|LDAP for StreetTalk Service|Windows NT 4.0 server with StreetTalk for Windows NT version 8.6||
This section presents a sample configuration and describes some STDA configuration guidelines.
You can install the LDAP for StreetTalk version 3.5 software if your host server is running:
- Windows NT Server 4.0 with service pack 3 or service pack 4 installed
- StreetTalk for Windows NT 8.6 or later
- An STDA service
LDAP for StreetTalk relies on the StreetTalk for Windows NT STDA service. You must install LDAP for StreetTalk on a server that is running an STDA service. To get the most benefit from your LDAP for StreetTalk service, configure the STDA service according to the guidelines in "STDA Configuration Guidelines" later in this chapter and according to the guidelines in LDAP for StreetTalk Installation Guide.
StreetTalk for Windows NT software supports master and satellite STDA services. Master services are configured to gather and filter large amounts of raw information, frequently from scattered locations. Satellite services are used primarily to refine information for presentation to users at local sites, and for further distribution to other satellite services.
The LDAP for StreetTalk service is typically installed on an STDA satellite or concentrator server. Figure 1-3 shows a typical configuration where LDAP for StreetTalk is installed on a StreetTalk for Windows NT server set up as an STDA concentrator service.
In Figure 1-3, each StreetTalk service resides on a different server, and GETNAMES, STDA, and LDAP reside on the StreetTalk for Windows NT server that has LDAP for StreetTalk installed.
STDA Configuration Guidelines
Configure your STDA service to do the following:
- Use the attribute configuration file (ATTRS.CFG)
- Collect the labeledURI attribute
- Set STDA attribute <5:34> to support LDAP
Use the Attribute Configuration File
LDAP for StreetTalk includes the file ATTRS.CFG. This file lists the StreetTalk vendor:attribute (<v:a>) pairs associated with commonly used LDAP attributes. Use StreetTalk Explorer to configure your STDA service attribute collection to use the file ATTRS.CFG. (Refer to "To Set the List of Attributes that STDA Collects" in the LDAP for StreetTalk Installation Guide for details.) Using the file ATTRS.CFG causes the STDA service to collect, index, and display the attributes listed in the file, and makes the attributes available to the LDAP service for queries and for display to users.
To run the LDAP for StreetTalk service on an STDA satellite or an STDA concentrator, you must also configure the attribute collection of the Master STDA services to read from ATTRS.CFG. (Master STDA services collect the StreetTalk information for the satellite or concentrator to download.)
The list of attributes in ATTRS.CFG is large and may add a substantial amount of time to STDA rebuilds and use substantial disk space. If disk space and rebuild time are concerns in your configuration, you can tailor this list to better suit your organizational needs. Refer to Managing Users and StreetTalk in your StreetTalk for Windows NT documentation for more information about StreetTalk and STDA.
Collect the labeledURI Attribute
Configure your STDA service to collect the labeledURI attribute (0:4220) for services to be able to configure other StreetTalk for Windows NT servers for LDAP support. If you read from file ATTRS.CFG without modifying the file, the attribute labeledURI is collected automatically. Refer to "Using LDAP Configuration Manager" in Chapter 2 for additional information.
Set STDA Attribute <5:34> to Support LDAP
You must set STDA attribute <5:34> to provide the LDAP-specific support.
STDA has an attribute to support LDAP functionality. The attribute has these characteristics:
- Vendor No. = 5
- Attribute No. = 34
- AVD Name = LDAP Configuration Options
- Type = String
If you do not set attribute <5:34> on the STDA service, the STDA service does not provide the new LDAP-specific support.
If attribute <5:34> is set, it contains the following options:
These options are not case sensitive and must be separated by newlines.
Each option must be written as <OPTION>=ON or <OPTION>=OFF, with no spaces between the option name, the equals sign, and the ON or OFF setting.
Following are detailed descriptions of the options.
The LdapConfig option builds an LDAP database from StreetTalk information gathered by STDA.
When <5:34> is set to ON, StuffCommonAttrs is automatically set to ON. With <5:34> set to OFF, StuffCommonAttrs is also set to OFF.
With this option set to ON, STDA (during the rebuild process) creates additional attributes for StreetTalk objects in the database. These additional attributes include:
|StreetTalk Object|Additional Attributes Created|
|StreetTalk Users, Lists, Services|ObjectClass* and CommonName|
|StreetTalk Nicknames|ObjectClass*|
|StreetTalk Groups|ObjectClass and OrganizationalUnit|
|StreetTalk Organizations|ObjectClass and Organization|
For the starred (*) items, ObjectClass is not created if it is already set.
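A validator for the attribute <5:34> value format described above, as an added example (not part of the LDAP for StreetTalk product): it accepts one <OPTION>=ON or <OPTION>=OFF per line, rejects lines with spaces, and ignores case in names and settings. Treating an unspecified StuffCommonAttrs as following LdapConfig is an assumption drawn from the text, and the sample value is constructed.

```python
"""Validate the value of STDA attribute <5:34> (LDAP Configuration Options)
against the format given above: one <OPTION>=ON or <OPTION>=OFF per line,
no spaces around the equals sign, option names and ON/OFF not case sensitive.

Added example, not part of the LDAP for StreetTalk product. Treating
StuffCommonAttrs as following LdapConfig when it is not set explicitly is an
assumption drawn from the text; the sample value is constructed.
"""
import re
from typing import Dict, List, Tuple

# Canonical spellings of the two options described in this chapter.
KNOWN_OPTIONS = {"ldapconfig": "LdapConfig",
                 "stuffcommonattrs": "StuffCommonAttrs"}

# Exactly NAME=ON or NAME=OFF with no whitespace anywhere on the line.
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)=(ON|OFF)$", re.IGNORECASE)


def parse_ldap_options(value: str) -> Tuple[Dict[str, bool], List[str]]:
    """Return ({option: enabled}, [errors]) for an attribute <5:34> value.

    Lines that break the format are reported with their line number instead
    of being silently dropped, because a dropped line means STDA quietly runs
    without the LDAP support the option was meant to enable.
    """
    options: Dict[str, bool] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(value.split("\n"), start=1):
        line = raw.rstrip("\r")      # accept CRLF as well as LF line ends
        if line == "":
            continue                 # a blank line carries no option
        match = _LINE.match(line)
        if match is None:
            errors.append(f"line {lineno}: {raw!r} is not <OPTION>=ON|OFF "
                          "with no spaces")
            continue
        name = KNOWN_OPTIONS.get(match.group(1).lower(), match.group(1))
        if name in options:
            errors.append(f"line {lineno}: {name} is set more than once")
        options[name] = match.group(2).upper() == "ON"
    # Assumption: an unspecified StuffCommonAttrs follows LdapConfig, which
    # the text describes as being switched ON and OFF together with it.
    if "LdapConfig" in options and "StuffCommonAttrs" not in options:
        options["StuffCommonAttrs"] = options["LdapConfig"]
    return options, errors


if __name__ == "__main__":
    # Constructed value: a valid line, then one with forbidden spaces.
    print(parse_ldap_options("LDAPCONFIG=on\nStuffCommonAttrs = OFF\n"))
```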
LDAP Administrative Attributes
LDAP for StreetTalk services have two attributes (described in Table 1-2) that trigger compacting of the entire LDAP database or individual attribute databases (indexed attributes) when you start the LDAP service.
|V:A Identifier|Attribute Label|Data Type|Access|Description|
|<5:1000>|Compact LDAP Database|Any|Self and Admin|Compacts the LDAP database.|
|<5:1001>|Compact LDAP Attribute Database|String|Self and Admin|Compacts the LDAP attribute database for each specified attribute. The format of the attribute value is one attribute name per line followed by a carriage return.|
For example:
Note: Attribute names are not case sensitive.
StreetTalk Administrative Attributes and Unicode Support
StreetTalk and STDA support ISO Latin1 (Windows NT code page 1252), receiving Latin1 characters and storing Latin1 characters on disk. Clients may use alternate code pages, but StreetTalk sees client-side translations.
LDAP for StreetTalk receives character data in Unicode format. The StreetTalk attributes presented in Table 1-3 allow StreetTalk and STDA to convert string attribute values in the database (Latin1 by default) to Unicode. Because Unicode characters are two bytes in length, the database grows if the conversion is enabled, depending on the number of string attribute values in the database. Administrators should convert databases to store Unicode characters if a majority of the directory accesses are by the LDAP API. If the database is not converted to store Unicode characters, dynamic data conversions are done for LDAP accesses. If a majority of the directory accesses are by the VNS API, administrators should not convert the database.
As a result:
- All LDAP for StreetTalk-enabled applications work as designed.
- Shift-JIS Kanji characters are not available through the LDAP interface, in accordance with the LDAP version 3 standard. Unicode Kanji is available. Applications that read Shift-JIS attribute values through the VNS API are unaffected.
For Shift-JIS Kanji (code page 932) users, Banyan recommends setting attribute <5:2018> equal to 932 on StreetTalk services where LDAP for StreetTalk is configured. Code page 932 is the Shift-JIS Kanji character code page on Windows NT. Setting attribute <5:2018> enables StreetTalk to do the proper translation when reading string attribute values from the database, regardless of whether the Banyan API or the LDAP API wrote the data.
The following attributes implement code page conversion. LDAP for StreetTalk supports all the code pages supported by its host Windows NT 4.0 Server.
For code page support, the code page must be available to the Windows NT Server that hosts the StreetTalk, STDA, and LDAP for StreetTalk services.
|V:A Identifier|Attribute Label|Class|Data Type|Access|Description|
|<5:2018>|Default Codepage For Server Or Group|StreetTalk Group or Service|Integer|Admin|Code page default. This value determines the code page associated with any new string attributes written to the StreetTalk database. By default, this attribute is not set and defaults to the Latin 1 code page (1252). This attribute applies to a StreetTalk group or to a StreetTalk service. In the latter case, the action applies to all groups on the server. If the attribute is set to a code page value for both a group and the service where the group resides, precedence goes to the StreetTalk group attribute value. All code page values are supported.|
|<5:2019>|Codepage To Convert String To Unicode|StreetTalk Service|Integer|Admin|Code page conversion. If this value is set to a code page value, all string attribute data in the StreetTalk database with this code page is converted to Unicode. The StreetTalk service reads this attribute during startup, so you must restart StreetTalk after setting this attribute for it to take effect. All code page values are supported.|
|<5:2020>|Codepage To Convert String From Unicode|StreetTalk Service|Integer|Admin|Code page reversion. All string attribute data currently stored in the StreetTalk database in Unicode is converted to the code page that this attribute is set to. StreetTalk reads this attribute during startup, so you must restart StreetTalk after setting this attribute for it to take effect. All code page values are supported.|
Referrals
Referrals enable you to expand a client's view of the LDAP for StreetTalk network by increasing the number of servers and databases the client can access. Clients that support referrals can continue to process requests by forwarding the request to the appropriate server.
How Referrals Work
Clients receive referrals when the distinguished name (DN; refer to the X.500 specification for details about distinguished names) specified in the client request is not within the current LDAP server's directory tree. To return a referral, the LDAP server compares the DN received from the client against the suffixes specified for server-specific referrals. If the LDAP server finds a match, LDAP returns the URL of the matching referred LDAP service.
LDAP uses the default referral when the client request does not match any of the suffixes specified by the referral options. To return a default referral, LDAP for StreetTalk first checks the server specific suffix of each referral server. If no match is found or no server-specific referrals exist, the LDAP server returns the URL of the default referral server.
To specify referrals, use the Referrals dialog in the LDAP Configuration Manager. Refer to "Setting Access Controls" in Chapter 2 for additional information about using the Referrals dialog to specify referrals.
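The matching order described under "How Referrals Work", as an added example (not code from LDAP for StreetTalk): a request DN inside the local tree is served locally, otherwise the server-specific referral suffixes are tried, otherwise the default referral is returned. All suffixes and URLs are constructed; picking the longest matching server-specific suffix when several match is an assumption the guide does not state.

```python
"""Resolve a client request DN to a referral, following the matching order
described above: a DN inside the local tree is served here; otherwise the
server-specific referral suffixes are checked; otherwise the default referral
is returned.

Added example, not code from LDAP for StreetTalk. All suffixes and URLs below
are constructed; choosing the longest matching server-specific suffix when
several match is an assumption, the guide does not say how ties are broken.
"""
from typing import Dict, List, Optional


def normalise_dn(dn: str) -> List[str]:
    """Lower-case a DN and drop the spaces around each RDN, so that
    'o=WCT, c=US' and 'O=wct,C=US' compare equal."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies beneath it in the tree."""
    d, s = normalise_dn(dn), normalise_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def resolve_referral(request_dn: str, local_suffix: str,
                     server_referrals: Dict[str, str],
                     default_referral: Optional[str]) -> Optional[str]:
    """Return the URL the client should be referred to, or None when the
    request DN lies within this server's own tree.

    If no server-specific suffix matches and no default referral is
    configured, None is also returned and the request is answered locally."""
    if dn_under_suffix(request_dn, local_suffix):
        return None
    best: Optional[str] = None
    best_len = -1
    for suffix, url in server_referrals.items():
        depth = len(normalise_dn(suffix))
        if dn_under_suffix(request_dn, suffix) and depth > best_len:
            best, best_len = url, depth
    return best if best is not None else default_referral


if __name__ == "__main__":
    # Constructed configuration: this server holds the Boston subtree.
    local = "l=Boston, o=WCT, c=US"
    referrals = {"l=Chicago, o=WCT, c=US": "ldap://ldap-chicago.example.com/",
                 "o=WCT, c=US": "ldap://ldap-hq.example.com/"}
    default = "ldap://ldap-root.example.com/"
    for dn in ("cn=mdawes, ou=Sales, o=WCTUS1, l=Boston, o=WCT, c=US",
               "cn=jlee, ou=Ops, o=WCTIL, l=Chicago, o=WCT, c=US",
               "cn=jlee, ou=Ops, o=WCTCO, l=Denver, o=WCT, c=US",
               "cn=jlee, o=Other, c=US"):
        print(dn, "->", resolve_referral(dn, local, referrals, default))
```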
Access Control Lists
In addition to the traditional StreetTalk AdminList, each LDAP for StreetTalk service uses an Access Control List (ACL) to provide an extra level of access security. LDAP uses its ACL to determine which users have access to any or all attributes and entries in the LDAP directory tree, as well as to define the level of access. By default, LDAP provides read access to all attributes and entries in the LDAP database, and write access as specified by the server's StreetTalk AdminList.
To determine the database access granted to users, LDAP searches the Access Control List from top to bottom for the first entry that matches the user. The user receives the access level determined by the first matching entry on the list, even if a later list entry would provide different access permissions.
Use the Access Control dialog in LDAP Configuration Manager to:
- Review the current access control list entries
- Add, modify, or delete an access control list entry by clicking Add, Modify, or Delete.
Access Control Options
LDAP for StreetTalk lets you grant access to the following objects in the LDAP database:
- One or more attributes
- All entries and attributes
LDAP for StreetTalk lets you grant access to the LDAP database based on:
- Self (owner of specified attributes)
LDAP for StreetTalk includes the following database access levels:
- None - No access by the users specified in the Access By field to the entries or attributes specified in the Access To field of the ACL
- Compare - Allow the specified users to perform compare operations on the LDAP entries or attributes appearing in the Access To field of the ACL
- Read - Allow the specified users to perform read operations on the LDAP entries or attributes appearing in the Access To field of the ACL
- Write - Allow the Access By or Users entry to perform write operations on the LDAP entries appearing in the Access To field of the ACL
Access levels are cumulative. Each higher access level includes all lower levels except none. For example, read access includes compare access, and write access includes read and compare.
LDAP for StreetTalk access control works in combination with StreetTalk AdminList permission. Users are granted write access to an LDAP entry only if they have been granted write permission by the LDAP ACL and they are on the appropriate StreetTalk AdminList.
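The access control rules of this section, as an added example (not code from LDAP for StreetTalk): the first matching ACL entry, searched top to bottom, decides; levels are cumulative; and a write needs both the ACL grant and StreetTalk AdminList membership. The entry fields follow the guide's Access By, Access To and access level description; the "*" wildcard for all entries and attributes, the record layout, and every user and attribute name are constructed for illustration.

```python
"""Evaluate LDAP for StreetTalk style access control as described above: the
first matching ACL entry, searched top to bottom, decides; access levels are
cumulative (write > read > compare > none); and write also needs the user to
be on the server's StreetTalk AdminList.

Added example, not code from LDAP for StreetTalk. The entry fields follow the
guide's Access By / Access To / access level description; the "*" wildcard for
all entries and attributes, the record layout, and every user and attribute
name below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = {"none": 0, "compare": 1, "read": 2, "write": 3}  # cumulative order


@dataclass(frozen=True)
class AclEntry:
    access_by: str   # a StreetTalk user name, or "self" for the entry's owner
    access_to: str   # an attribute name, or "*" for all entries and attributes
    level: str       # one of LEVELS


def first_matching_level(acl: List[AclEntry], user: str, entry_owner: str,
                         attribute: str) -> Optional[str]:
    """Return the level of the first entry matching user and attribute.

    Later entries are ignored even when they would grant more, exactly as the
    top-to-bottom search in the text describes. None means no entry applied.
    """
    for entry in acl:
        by_ok = entry.access_by.lower() == user.lower() or (
            entry.access_by == "self" and user.lower() == entry_owner.lower())
        to_ok = (entry.access_to == "*"
                 or entry.access_to.lower() == attribute.lower())
        if by_ok and to_ok:
            return entry.level
    return None


def is_allowed(operation: str, acl: List[AclEntry], user: str, entry_owner: str,
               attribute: str, admin_list: List[str]) -> bool:
    """Decide a 'compare', 'read' or 'write' operation on one attribute."""
    on_admin_list = user.lower() in {u.lower() for u in admin_list}
    level = first_matching_level(acl, user, entry_owner, attribute)
    if level is None:
        # No entry applies: the default is read for everyone and write as the
        # server's StreetTalk AdminList specifies.
        level = "write" if on_admin_list else "read"
    if LEVELS[level] < LEVELS[operation]:
        return False                  # cumulative: read covers compare, etc.
    # Write requires both the ACL grant and AdminList membership.
    return on_admin_list if operation == "write" else True


if __name__ == "__main__":
    # Constructed ACL: the third entry is never reached for helpdesk, because
    # the second one matches first and grants only compare.
    acl = [AclEntry("self", "homePhone", "write"),
           AclEntry("helpdesk@IS@WCTUS1", "homePhone", "compare"),
           AclEntry("helpdesk@IS@WCTUS1", "homePhone", "write"),
           AclEntry("guest@IS@WCTUS1", "*", "none")]
    admins = ["admin@IS@WCTUS1"]
    owner = "mdawes@Sales@WCTUS1"
    print(is_allowed("write", acl, owner, owner, "homePhone", admins))
    print(is_allowed("read", acl, "helpdesk@IS@WCTUS1", owner, "homePhone", admins))
```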