Understanding directories

Enterprise customers often need to manage Z and I Emulator for Web user and group configuration information for a large number of users. For reasons of performance or administrative convenience, the information for these users may be distributed and managed across multiple Z and I Emulator for Web servers. Unfortunately, the user information is not shared among the Z and I Emulator for Web servers or among those servers and other applications.

However, a directory service, such as that provided by a Lightweight Directory Access Protocol (LDAP) server, can enable this kind of information sharing. For example, a single LDAP directory can store configuration information for multiple Z and I Emulator for Web servers. Configuration information is stored in directory entries in an LDAP directory; these entries are uniquely identified by a distinguished name (DN).

With Z and I Emulator for Web, you can use an LDAP directory instead of using the Z and I Emulator for Web server's private data store to store user, group, and session information. This option is available from the Directory Service in the Z and I Emulator for Web Administration window.

Migrating to LDAP has significant implications for your group and user configuration information. Make sure you understand these implications before you migrate.

Additional general information about LDAP and the IBM SecureWay Directory can be found at the IBM Security Directory Server. The IBM redbook which can be downloaded from Understanding LDAP, is especially helpful.

Directory

A directory is a specialized database that stores information about objects and their relationships to each other.

For example, in a directory of users, each object might be a person with a user ID and password. These objects may also have application-specific information associated with them, such as group memberships, keyboard mappings, macro definitions, and session parameters.

Lightweight Directory Access Protocol (LDAP)

The Lightweight Directory Access Protocol (LDAP) is an open standard that provides an extendable architecture for storage and management of directory information. Widely accepted and fast-growing, LDAP has become the de facto industry standard for accessing directory information over a TCP/IP network.

Distinguished Name

A distinguished name (DN) consists of one or more relative distinguished names (RDNs) arranged in a hierarchical, tree-like structure to uniquely identify a single directory entry. This tree-like structure is organized from more general to more specific, going from the root of the tree to the leaves, and is called a directory information tree (DIT). The arrangement of the RDNs in the DN reflects this tree-like structure. From left to right, the RDNs are arranged from most specific to least specific and are separated by commas.

For example, cn=Chris Smith,o=HCL,c=US is a DN that consists of three RDNs that uniquely identify Chris Smith, c=US is an RDN that branches from the root of the DIT, o=HCL is an RDN that branches from RDN c=US, and cn=Chris Smith is an RDN that branches from RDN o=HCL.

Each RDN is derived from the attributes of the directory entry. In the simple and common case, an RDN consists of an attribute value pair that has the form attribute name = value. For more information, refer to the documentation for the LDAP directory service for your environment.

Related topics