LDAP for StreetTalk Administrator's Guide
The LDAP for StreetTalk Administrator's Guide provides details about using LDAP for StreetTalk software to let LDAP-enabled clients access your existing StreetTalk information. With LDAP for StreetTalk installed on your StreetTalk for Windows NT network, users can use LDAP-compliant clients such as Netscape® Communicator mail and Microsoft® Outlook Express to search for information in StreetTalk.
This guide is intended for network administrators who install and manage LDAP for StreetTalk services on StreetTalk for Windows NT servers. LDAP for StreetTalk version 3.0 is based on the LDAP standard version 3.0 and provides LDAP version 2 and LDAP version 3 compliance. Readers of this administrator's guide should be familiar with LDAP, StreetTalk, STDA, and directory services.
This guide contains the following chapters
Chapter 1 - LDAP for StreetTalk Service - Discusses the concepts underlying LDAP for StreetTalk directory services.
Chapter 2 - Configuring LDAP for StreetTalk Services - Details how to use LDAP Configuration Manager to configure LDAP for StreetTalk version 3.0 directory software.
Chapter 3 - Using LDAP Configuration Manager to Manage LDAP Schema - Explains how to use LDAP Configuration Manager to manage the LDAP directory.
Chapter 4 - LDAP Command Line Tools - Details the LDAP command line utilities installed when you install LDAP for StreetTalk. Command line tools are provided for managing LDAP for StreetTalk version 3.0 database entries, and for troubleshooting by Banyan support staff.
Appendix A - Using Web Browsers to Search LDAP - A brief introduction to using the mail clients in LDAP-compliant web browsers to search the LDAP directory.
Appendix B - Directory Concepts - Reviews directory services, the Lightweight Directory Access Protocol (LDAP), and Banyan StreetTalk directory service, and how LDAP and STDA work with one another to provide LDAP access to StreetTalk information.
Chapter 1 - LDAP for StreetTalk Service
LDAP for StreetTalk software, installed on a StreetTalk for Windows NT server, provides LDAP access to StreetTalk databases running on StreetTalk for Windows NT and native VINES servers.
LDAP for StreetTalk version 3.0 service provides LDAP version 3 and LDAP version 2 access to your StreetTalk directory. This chapter describes the LDAP for StreetTalk service and how it interacts with your StreetTalk database.
This chapter discusses:
LDAP for StreetTalk service supports:
LDAP for StreetTalk tools - LDAP for StreetTalk service provides the following management tools:
- LDAP Configuration Manager - Helps you configure the LDAP for StreetTalk service.
- Command line tools ldapdel, ldapmod, ldcomp, ldmodrdn, and ldsearch - Commands that help you find and manage entries in an LDAP Directory Information Tree (DIT) and display the information you want.
Multi-valued attributes - When you install LDAP for StreetTalk, you install enhancements to your LDAP server's StreetTalk and STDA services to support StreetTalk attributes that have more than one value (called multi-valued attributes or MVA). LDAP allows an attribute to have more than one value, such as two or three phone numbers in the attribute telephoneNumber, or several name variations in the cn attribute, such as M. Dawes, Mary Dawes, and Mary Dawes, Ph.D.
For a multiple valued attribute in StreetTalk, you might think of a StreetTalk list as an attribute, and each member of the list as a value of the attribute, so that the list is a multi-value attribute.
Write access - Enables network administrators and designated users to modify entries in the LDAP database. Entries can be added, modified, and deleted directly in the LDAP database, or changed in StreetTalk, in which case the change appears in LDAP after the next STDA rebuild completes. When you add entries to your LDAP database, LDAP copies the entries to the STDA service on the server.
Referrals - Referrals enable an LDAP server to pass a request for data that is not available in the local database to a remote LDAP server that may contain the data. Refer to "Referrals" later in this chapter for additional information about how referrals work.
Access control - Enables network administrators to control which users can access the LDAP directory, and what LDAP operations users can perform. LDAP for StreetTalk uses an Access Control List (ACL) in combination with StreetTalk Admin lists to set and determine user security settings.
Client support - LDAP for StreetTalk supports LDAP version 3 or LDAP version 2 compatible clients, such as Netscape Communicator or Microsoft Internet Explorer 3.0 or later.
Installing LDAP for StreetTalk software adds the LDAP for StreetTalk service and database to your StreetTalk for Windows NT server. Figure 1-1 shows how the LDAP for StreetTalk service integrates with your StreetTalk for Windows NT tools and applications.
LDAP for StreetTalk software includes the LDAP for StreetTalk service software, a Windows-based LDAP for StreetTalk management tool, and five command-line management tools. You purchase other Banyan and LDAP applications separately. Documentation for LDAP for StreetTalk for Windows NT is included as well.
LDAP for StreetTalk software includes the following components:
LDAP for StreetTalk service-Executables for creating and utilizing the LDAP database.
LDAP Configuration Manager-An LDAP service management tool. The LDAP configuration tool lets you:
- Configure LDAP for StreetTalk service on the host machine or remote machines
- Add to, delete from, or modify schema for an LDAP for StreetTalk service by modifying object classes, attributes, or matching rules
Refer to Chapter 2 and Chapter 3 for information about using LDAP Configuration Manager to configure and manage LDAP for StreetTalk services.
Command line utilities-Tools for managing entries in the LDAP database, and for batch file command processing to make multiple changes to the database. Refer to Chapter 4 for information about using the command line tools:
ldsearch - Executes an LDAP search against directory entries in the LDAP database and provides options that specify the starting point, depth, and criteria for an LDAP search.
ldapdel - Deletes an LDAP entry referenced in the command.
ldapmod - Adds or modifies an LDAP entry whose Distinguished Name (DN) is listed in the command.
ldmodrdn - Modifies an LDAP entry whose relative distinguished name (RDN) is provided in the command.
ldcomp - Compares the asserted attribute value in the command to the same attribute in the LDAP entry listed in the command.
The LDAP for StreetTalk database hierarchy automatically reflects the hierarchy of your existing StreetTalk database as managed by StreetTalk Directory Assistance (STDA) service. However, to use LDAP for StreetTalk service, you must define the location of the LDAP for StreetTalk directory within the general LDAP Directory Information Tree.
Figure 1-2 shows how an LDAP for StreetTalk database fits within an LDAP directory information tree.
After you install LDAP for StreetTalk, you must configure the LDAP for StreetTalk database to fit appropriately within the global LDAP Directory Information Tree. This configuration involves using the Service Controls dialog box of LDAP Configuration Manager to define the suffix string to StreetTalk for Windows NT.
The directory suffix string you specify identifies the root of the LDAP for StreetTalk portion of the LDAP Directory Information Tree. All LDAP for StreetTalk entries reside beneath this root. The suffix string is a comma-separated list of LDAP relative distinguished names, beginning with the lowest entry and ending with the highest. The suffix string represents your organization's place in the global LDAP tree even if you plan only intranet usage.
In Figure 1-2, the LDAP for StreetTalk database, comprising the WCTUS1 and WCTUS2 organizations, is positioned as a subdirectory of the LDAP entry l=Boston. The entry l=Boston is the root of the LDAP for StreetTalk database. The string l=Boston, o=WCT, c=US defines the location of the LDAP for StreetTalk database within the global LDAP tree. This suffix string includes all levels of the global LDAP tree that do not represent StreetTalk items, groups, and organizations.
Use the Service Control dialog box of LDAP Configuration Manager to configure the suffix string in LDAP for StreetTalk. Refer to Chapter 2 for information about using LDAP Configuration Manager to configure your LDAP for StreetTalk service.
Note: Consider the X.521 standard when you define the suffix for your LDAP installation. X.521 specifies that an organization (o=) cannot have another organization (o=) as a direct subordinate. If the l=Boston level were removed, the example in Figure 1-2 would not comply with X.521 because the resulting DN would be o=WCTUS, o=WCT, c=US. LDAP for StreetTalk service does not enforce this requirement, so check your suffix yourself.
Table 1-1 outlines the platforms and protocols required to successfully install LDAP for StreetTalk software. Refer to the LDAP for StreetTalk Installation Guide for a more thorough discussion of the prerequisites for installing LDAP for StreetTalk on your StreetTalk for Windows NT server.
Table 1-1. Platforms and Protocols
Software Component | Platform | Protocol |
LDAP Configuration Manager | Windows 95 or Windows NT | TCP/IP |
LDAP Command Line Tools | Windows NT 4.0 or Windows 95 | TCP/IP |
Documentation .rtf or .txt files | Windows 95 and Windows NT 4.0 | N/A |
LDAP for StreetTalk Service | Windows NT 4.0 server with StreetTalk for Windows NT version 8.5 | TCP/IP, VIP |
This section presents a sample configuration and describes some STDA configuration guidelines.
You can install the LDAP for StreetTalk version 3 software if your host server is running:
- Windows NT Server 4.0 with Service Pack 3 installed
- StreetTalk for Windows NT 8.5 or later
- An STDA service
LDAP for StreetTalk relies on the StreetTalk for Windows NT STDA service. You must install LDAP for StreetTalk on a server that is running an STDA service. To get the most benefit from your LDAP for StreetTalk service, configure the STDA service according to the guidelines in "STDA Configuration Guidelines" later in this chapter or according to the guidelines in the LDAP for StreetTalk Installation Guide.
StreetTalk for Windows NT software supports master and satellite STDA services. Master services are configured to gather and filter large amounts of raw information, frequently from scattered locations. Satellite services are used primarily to refine information for presentation to users at local sites, and for further distribution to other satellite services.
The LDAP for StreetTalk service is typically installed on an STDA satellite or concentrator server. Figure 1-3 shows a typical configuration where LDAP for StreetTalk is installed on a StreetTalk for Windows NT server set up as an STDA concentrator service.
Figure 1-3. Sample LDAP for StreetTalk Configuration
In Figure 1-3, each StreetTalk service resides on a different server, and GETNAMES, STDA, and LDAP reside on the Windows NT server that has LDAP for StreetTalk installed.
Configure your STDA service to do the following:
- Use the attribute configuration file (attrs.cfg)
- Collect the labeledURI attribute
- Set STDA attribute <5:34> to support LDAP
LDAP for StreetTalk includes the file attrs.cfg. This file lists the StreetTalk vendor:attribute (<v:a>) pairs associated with commonly used LDAP attributes. Use StreetTalk Explorer to configure your STDA service's attribute collection to use the file attrs.cfg. (See "To Set the List of Attributes that STDA Collects" in the LDAP for StreetTalk Installation Guide for details.) Using attrs.cfg causes the STDA service to collect, index, and display the attributes listed in the file, and makes those attributes available to the LDAP service for queries and for display to users.
If you run the LDAP service on an STDA satellite or an STDA concentrator, you must also configure the attribute collection of the Master STDA services to read from attrs.cfg. (Master STDA services collect the StreetTalk information for the satellite or concentrator downloads.)
Note: The list of attributes in attrs.cfg is large and may add a substantial amount of time to STDA rebuilds and use substantial disk space. If disk space and rebuild time are concerns in your configuration, you can tailor this list to better suit your organizational needs. Refer to Managing Users and StreetTalk in your StreetTalk for Windows NT documentation for more information about StreetTalk and STDA.
Configure your STDA service to collect the labeledURI attribute (0:4220) for services if you want to configure other StreetTalk for Windows NT servers for LDAP support. If you read from file attrs.cfg without modifying the file, the attribute labeledURI is collected automatically. See "Using LDAP Configuration Manager" in Chapter 2 for additional information.
You must set STDA attribute <5:34> to provide the LDAP-specific support.
STDA has an attribute to support LDAP functionality. The attribute has these characteristics:
- Vendor No. = 5
- Attribute No. = 34
- AVD Name = LDAP Configuration Options
- Type = String
If you do not set attribute <5:34> on the STDA service, the STDA service does not provide the new LDAP-specific support.
If attribute <5:34> is set, it contains the following options:
- LdapConfig
- StuffCommonAttrs
These option names are not case sensitive, and the options must be separated by newlines.
Each option must be in the form <OPTION>=ON or <OPTION>=OFF, with no spaces between the option name, the equals sign, and the ON or OFF setting.
Following are detailed descriptions of the options.
The LdapConfig option builds an LDAP database from the StreetTalk information gathered by STDA.
When LdapConfig is set to ON, StuffCommonAttrs is automatically set to ON. When LdapConfig is set to OFF, StuffCommonAttrs is also set to OFF.
With StuffCommonAttrs set to ON, STDA creates additional attributes for StreetTalk objects in the database during the rebuild process. These additional attributes are:
StreetTalk Object | Additional Attributes Created |
StreetTalk users, lists, and services* | ObjectClass and CommonName |
StreetTalk nicknames* | ObjectClass |
StreetTalk groups | ObjectClass and Organizational Unit |
StreetTalk organizations | ObjectClass and Organization |
Note: For the starred (*) items, ObjectClass is not created if it is already set.
LDAP for StreetTalk services have two attributes (described in Table 1-2) that trigger compacting of the entire LDAP database or individual attribute databases (indexed attributes) when you start the LDAP service.
Table 1-2. LDAP Administrative Attributes
V:A Identifier | Attribute Label | Data Type | Access | Description |
<5:1000> | Compact LDAP Database | Any | Self and Admin | Compacts the LDAP database. |
<5:1001> | Compact LDAP Attribute Database | String | Self and Admin | Compacts the LDAP attribute database for each specified attribute. The attribute value contains one attribute name per line, each followed by a carriage return. For example: cn. Note: Attribute names are not case sensitive. |
StreetTalk and STDA support ISO Latin1 (Windows NT code page 1252), receiving Latin1 characters and storing Latin1 characters on disk. Clients may use other code pages, but any translation happens on the client side; StreetTalk sees only the translated data.
LDAP for StreetTalk version 3 receives character data in Unicode format. New StreetTalk attributes, presented in Table 1-3, allow StreetTalk and STDA to convert string attribute values in the database (Latin1 by default) to Unicode. Because Unicode characters are two bytes in length, the database grows if the conversion is enabled, in proportion to the number of string attribute values in the database. Convert the database to store Unicode characters if the majority of directory accesses are made through the LDAP API. If the database is not converted, string values are converted to Unicode dynamically on each LDAP access. If the majority of directory accesses are made through the VNS API, do not convert the database.
As a result:
- All LDAP for StreetTalk version 3-enabled applications work as designed.
- Shift-JIS Kanji characters are not available through the LDAP interface, in accordance with the LDAP version 3 standard. Unicode Kanji is available. Applications that read Shift-JIS attribute values through the VNS API are unaffected. For Shift-JIS Kanji (code page 932) users, Banyan recommends setting attribute <5:2018> equal to 932 on StreetTalk services where LDAP for StreetTalk is configured. Code page 932 is the Shift-JIS Kanji character code page on Windows NT. Setting attribute <5:2018> enables StreetTalk to do the proper translation when reading string attribute values from the database, regardless of whether the Banyan API or the LDAP API wrote the data.
The following attributes implement code page conversion. LDAP for StreetTalk supports all the code pages supported by its host Windows NT 4.0 Server.
Note: For code page support, the code page must be available to the Windows NT Server that hosts the StreetTalk, STDA, and LDAP for StreetTalk services.
V:A Identifier | Attribute Label | Class | Data Type | Access | Description |
<5:2018> | Default Codepage For Server Or Group | StreetTalk Group or Service | Integer | Admin | Code page default. This value determines the code page associated with any new string attribute written to the StreetTalk database. By default, this attribute is not set and the code page defaults to Latin1 (1252). The attribute applies to a StreetTalk group or to a StreetTalk service; in the latter case it applies to all groups on the server. If the attribute is set for both a group and the service where the group resides, the StreetTalk group value takes precedence. All code page values are supported. |
<5:2019> | Codepage To Convert String To Unicode | StreetTalk Service | Integer | Admin | Code page conversion. If this value is set to a code page value, all string attribute data in the StreetTalk database with this code page are converted to Unicode. The StreetTalk service reads this attribute during startup, so you must restart StreetTalk after setting this attribute for it to take effect. All code page values are supported. |
<5:2020> | Codepage To Convert String From Unicode | StreetTalk Service | Integer | Admin | Code page reversion. All string attribute data currently stored in the StreetTalk database in Unicode is converted to the code page that this attribute is set to. StreetTalk reads this attribute during startup, so you must restart StreetTalk after setting this attribute for it to take effect. All code page values are supported. |
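The following Python model, added here as an illustration and not part of Banyan's software, shows how the three attributes in the table interact: <5:2018> picks the code page for newly written strings (group value over service value, 1252 when neither is set), <5:2019> converts strings stored in one code page to Unicode, and <5:2020> reverts Unicode strings to a code page. A stored string is modelled as raw bytes plus the code page it was written with; UTF-16LE is assumed as the two-byte Unicode on-disk form, and the sample names are constructed. The mojibake function shows what a reader sees when <5:2018> is wrong for the data, and the revert check shows the failure case the table does not spell out: a Unicode string that the target code page cannot represent.

```python
"""Added example (not Banyan code): code page handling modelled on
attributes <5:2018>, <5:2019> and <5:2020>. UTF-16LE is an assumption for
the Unicode on-disk form; all sample data is constructed."""

from dataclasses import dataclass
from typing import Optional

LATIN1_DEFAULT = 1252
UNICODE = "utf-16-le"   # assumed two-byte-per-character on-disk encoding


@dataclass
class StoredString:
    data: bytes
    codepage: Optional[int]   # None means "stored as Unicode"


def effective_codepage(service_cp: Optional[int], group_cp: Optional[int]) -> int:
    """<5:2018> precedence: group value beats service value; unset -> 1252."""
    if group_cp is not None:
        return group_cp
    if service_cp is not None:
        return service_cp
    return LATIN1_DEFAULT


def write_string(value: str, service_cp: Optional[int] = None,
                 group_cp: Optional[int] = None) -> StoredString:
    """Store a new string attribute in the code page <5:2018> selects."""
    cp = effective_codepage(service_cp, group_cp)
    return StoredString(value.encode(f"cp{cp}"), cp)


def read_for_ldap(s: StoredString) -> str:
    """LDAP v3 carries Unicode; a string not stored as Unicode is converted
    dynamically using the code page it was written with."""
    if s.codepage is None:
        return s.data.decode(UNICODE)
    return s.data.decode(f"cp{s.codepage}")


def mislabelled_read(data: bytes, wrong_cp: int) -> str:
    """What a reader sees when stored bytes are decoded with the wrong code
    page (the mojibake a correct <5:2018> setting prevents)."""
    return data.decode(f"cp{wrong_cp}", errors="replace")


def convert_to_unicode(db: list, codepage: int) -> int:
    """<5:2019>: convert every string stored in `codepage` to Unicode, in place.
    Returns the number of strings converted; each now occupies 2 bytes/char."""
    n = 0
    for s in db:
        if s.codepage == codepage:
            s.data = s.data.decode(f"cp{codepage}").encode(UNICODE)
            s.codepage = None
            n += 1
    return n


def unrepresentable(db: list, codepage: int) -> list:
    """Unicode strings that `codepage` cannot encode; check before <5:2020>."""
    bad = []
    for s in db:
        if s.codepage is None:
            text = s.data.decode(UNICODE)
            try:
                text.encode(f"cp{codepage}")
            except UnicodeEncodeError:
                bad.append(text)
    return bad


def convert_from_unicode(db: list, codepage: int) -> int:
    """<5:2020>: revert every Unicode string to `codepage`, in place.
    Raises UnicodeEncodeError if a string cannot be represented."""
    n = 0
    for s in db:
        if s.codepage is None:
            s.data = s.data.decode(UNICODE).encode(f"cp{codepage}")
            s.codepage = codepage
            n += 1
    return n


def sample_db() -> list:
    """Constructed sample: a Latin1 name written with defaults, and a
    Shift-JIS name written in a group whose <5:2018> is 932."""
    return [write_string("Mary Dawes"), write_string("東京", group_cp=932)]
```

Run `sample_db()` and call `convert_to_unicode` for 1252 and then 932 to see the Latin1 entry double in size; `unrepresentable(db, 1252)` then reports the Kanji entry, which is why <5:2020> back to 1252 is only safe on a database that never held characters outside that code page.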
Referrals enable you to expand a client's view of the LDAP for StreetTalk network by increasing the number of servers and databases that the client can access. Clients that support referrals can continue to process requests by forwarding the request to the appropriate server.
Clients receive referrals when the DN specified in the client request is not within the current LDAP server's directory tree. To return a referral, the LDAP server compares the distinguished name (DN) received from the client against suffixes specified for server specific referrals. If the LDAP server finds a match, LDAP returns the URL for the matching referred LDAP service.
LDAP uses the default referral when the client request does not match any of the suffixes specified by the referral options. To return a default referral, LDAP for StreetTalk first checks the server specific suffix of each referral server. If no match is found or no server specific referrals exist, the LDAP server returns the URL of the default referral server.
To specify referrals, use the Referrals page in the LDAP Configuration Manager. Refer to "Setting Access Controls" in Chapter 2 for additional information about using the Referrals page to specify referrals.
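The Python below is an added example, not Banyan code, covering two things this chapter describes: placing StreetTalk names beneath the suffix string and checking the X.521 rule from the note in the suffix section, and the referral lookup described just above. The item-to-cn, group-to-ou and organization-to-o mapping follows the attributes STDA creates for those objects; server names and URLs are constructed. Where several server-specific referral suffixes match one DN, the longest suffix is chosen, which is an assumption of this example rather than documented behaviour.

```python
"""Added example (not Banyan code): DN placement under the LDAP for StreetTalk
suffix, the X.521 o= under o= check, and referral resolution. Names, URLs
and the longest-suffix-wins rule are assumptions for illustration."""

from typing import Optional


def split_dn(dn: str) -> list:
    """Split a DN into normalized RDNs (whitespace stripped, lower-cased).
    Escaped commas inside values are not handled; the names here have none."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def streettalk_to_dn(item: str, group: str, org: str, suffix: str) -> str:
    """Map the StreetTalk name item@group@org to a DN beneath the suffix,
    using the object classes this chapter lists: item -> cn, group -> ou,
    organization -> o."""
    return f"cn={item}, ou={group}, o={org}, {suffix}"


def x521_violations(dn: str) -> list:
    """Each adjacent (child, parent) pair where an o= entry sits directly
    beneath another o=, which X.521 does not allow and the service does not
    enforce."""
    rdns = split_dn(dn)
    return [(rdns[i], rdns[i + 1]) for i in range(len(rdns) - 1)
            if rdns[i].startswith("o=") and rdns[i + 1].startswith("o=")]


def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True when dn equals the suffix or lies beneath it. Matching is done on
    whole RDNs, so o=WCT does not match o=WCTUS1."""
    d, s = split_dn(dn), split_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def resolve_referral(dn: str, local_suffix: str, referrals: dict,
                     default_url: Optional[str]) -> Optional[str]:
    """None when the DN is served locally; otherwise the URL of the
    server-specific referral whose suffix matches (longest suffix first,
    an assumption of this example); otherwise the default referral URL,
    which may itself be None when no default is configured."""
    if dn_under_suffix(dn, local_suffix):
        return None
    by_depth = sorted(referrals.items(), key=lambda kv: -len(split_dn(kv[0])))
    for suffix, url in by_depth:
        if dn_under_suffix(dn, suffix):
            return url
    return default_url


# Constructed configuration for illustration.
LOCAL_SUFFIX = "l=Boston, o=WCT, c=US"
SAMPLE_REFERRALS = {
    "o=WCT, c=US": "ldap://hq.wct.example/",
    "l=Chicago, o=WCT, c=US": "ldap://chicago.wct.example/",
}
DEFAULT_REFERRAL = "ldap://default.wct.example/"
```

`x521_violations("o=WCTUS, o=WCT, c=US")` returns the offending pair, while the Figure 1-2 suffix with l=Boston in place returns nothing; `resolve_referral` returns None for a DN under the local suffix, the Chicago URL for a Chicago DN even though the shorter o=WCT suffix also matches, and the default URL for a DN outside every configured suffix.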
In addition to the traditional StreetTalk AdminList, each LDAP for StreetTalk service uses an Access Control List (ACL) to provide an extra level of access security. LDAP uses its ACL to determine which users have access to any or all attributes and entries in the LDAP directory tree, as well as to define the level of that access. By default, LDAP provides read access to all attributes and entries in the LDAP database, and write access as specified by the server's StreetTalk AdminList.
To determine the database access granted to users, LDAP searches the Access Control List from top to bottom for the first entry that matches. The user receives the access level determined by the first matching entry on the list, even if a later list entry would provide different access permissions.
Use the Access Control List dialog box in LDAP Configuration Manager to:
- Set configuration options that allow access to attributes and entries in the directory, by specifying the attribute or DN
- Set configuration options that allow access by individual users, or groups of users, to the attributes and entries in the directory, by specifying the user's DN or a wildcarded DN that represents a group of users
LDAP for StreetTalk lets you grant access to the following objects in the LDAP database:
- A specified DN
- One or more attributes
- All entries and attributes
LDAP for StreetTalk lets you grant access to the LDAP database based on:
- A specified DN
- Self (the owner of the specified attributes)
- All users
LDAP for StreetTalk includes the following database access levels:
- None - No access by the users specified in the Access By field to the entries or attributes specified in the Access To field of the Access Control List
- Compare - Allows the specified users to perform compare operations on the LDAP entries or attributes in the Access To portion of the Access Control List
- Read - Allows the specified users to perform read operations on the LDAP entries or attributes in the Access To portion of the Access Control List
- Write - Allows the specified users to perform write operations on the LDAP entries in the Access To portion of the Access Control List
Access levels are cumulative. Each higher access level includes all lower levels. For example, read access includes compare access, and write access includes read and compare.
LDAP for StreetTalk access control works in combination with StreetTalk AdminList permission. Users are granted write access to an LDAP entry only if they have been given write permission by the LDAP ACL and they are on the appropriate StreetTalk AdminList. Because the first matching ACL entry wins, a deny (None) rule placed below a broader grant never takes effect; order the more specific rules first.
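The following Python is an added example, not Banyan code, of the evaluation rules this section describes: an ordered list of ACL entries, each with an Access To target (a DN, a set of attributes, or everything), an Access By subject (a DN, a wildcarded DN, Self, or all users) and a cumulative level, searched top to bottom with the first match deciding; a default of read access when nothing matches; and the AdminList check layered on top for writes. The rule storage format of LDAP Configuration Manager is not documented here and is not modelled; the DNs, rules and AdminList are constructed.

```python
"""Added example (not Banyan code): first-match ACL evaluation plus the
StreetTalk AdminList requirement for writes. Rules, DNs and the AdminList
are constructed for illustration."""

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

LEVELS = {"none": 0, "compare": 1, "read": 2, "write": 3}  # cumulative
DEFAULT_LEVEL = "read"   # default stated in this section: read to everything


def norm_dn(dn: str) -> str:
    """Case-insensitive, whitespace-insensitive DN form; keeps '*' wildcards."""
    return ",".join(p.strip().lower() for p in dn.split(","))


@dataclass
class Rule:
    access_to_dn: Optional[str]     # DN pattern, or None for all entries
    access_to_attrs: Optional[set]  # attribute names, or None for all attributes
    access_by: str                  # DN pattern, "self", or "all"
    level: str                      # none | compare | read | write

    def matches(self, entry_dn: str, attr: str, user_dn: str) -> bool:
        if self.access_to_dn is not None and \
                not fnmatchcase(norm_dn(entry_dn), norm_dn(self.access_to_dn)):
            return False
        if self.access_to_attrs is not None and \
                attr.lower() not in {a.lower() for a in self.access_to_attrs}:
            return False
        by = self.access_by.lower()
        if by == "all":
            return True
        if by == "self":   # owner of the entry holding the attribute
            return norm_dn(user_dn) == norm_dn(entry_dn)
        return fnmatchcase(norm_dn(user_dn), norm_dn(self.access_by))


def acl_level(acl: list, entry_dn: str, attr: str, user_dn: str) -> str:
    """Top-to-bottom search; the first matching entry decides, even if a
    later entry would grant more or less."""
    for rule in acl:
        if rule.matches(entry_dn, attr, user_dn):
            return rule.level.lower()
    return DEFAULT_LEVEL


def permitted(acl: list, admin_list: set, entry_dn: str, attr: str,
              user_dn: str, operation: str) -> bool:
    """operation is compare, read or write. Levels are cumulative, and a
    write additionally requires the user to be on the StreetTalk AdminList."""
    level = acl_level(acl, entry_dn, attr, user_dn)
    if LEVELS[level] < LEVELS[operation]:
        return False
    if operation == "write":
        return norm_dn(user_dn) in {norm_dn(d) for d in admin_list}
    return True


# Constructed sample configuration.
SALES = "ou=Sales, o=WCTUS1, l=Boston, o=WCT, c=US"
SALES_ADMIN = f"cn=Sales Admin, {SALES}"
SAMPLE_ACL = [
    # 1. owners may write their own userPassword (still subject to the AdminList)
    Rule(None, {"userPassword"}, "self", "write"),
    # 2. nobody else may even compare userPassword
    Rule(None, {"userPassword"}, "all", "none"),
    # 3. the Sales administrator may write any attribute of any Sales entry
    Rule(f"cn=*, {SALES}", None, SALES_ADMIN, "write"),
    # 4. everyone may compare, but not read, telephoneNumber
    Rule(None, {"telephoneNumber"}, "all", "compare"),
]
SAMPLE_ADMIN_LIST = {SALES_ADMIN}
```

Reversing `SAMPLE_ACL` makes rule 2 match before rule 1, so an owner asking about her own userPassword drops from write to none: the ordering, not the set of rules, decides the outcome. Rule 3 grants the Sales administrator write level, but `permitted` still refuses the write unless that DN is also on the AdminList.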