HP-UX Directory Server 8.1 deployment guide

1.3.1 About directory entries
LDAP Data Interchange Format (LDIF) is a standard text-based format for describing directory
entries. An entry consists of a number of lines in the LDIF file (also called a stanza), which contains
information about an object, such as a person in the organization or a printer on the network.
Information about the entry is represented in the LDIF file by a set of attributes and their values.
Each entry has an object class attribute that specifies the kind of object the entry describes and
defines the set of additional attributes it contains. Each attribute describes a particular trait of
an entry.
For example, an entry might be of object class organizationalPerson, indicating that the
entry represents a person within an organization. This object class supports the givenname and
telephoneNumber attributes. The values assigned to these attributes give the name and phone
number of the person represented by the entry.
Directory Server also uses read-only attributes that are calculated by the server. These attributes
are called operational attributes. The administrator can manually set operational attributes that
can be used for access control and other server functions.
1.3.1.1 Performing queries on directory entries
Entries are stored in a hierarchical structure in the directory tree. LDAP supports tools that query
the database for an entry and request all entries below it in the directory tree. The root of this
subtree is called the base distinguished name, or base DN. For example, if performing an LDAP
search request specifying a base DN of ou=people, dc=example,dc=com, then the search
operation examines only the ou=people subtree in the dc=example,dc=com directory tree.
Not all entries are automatically returned in response to an LDAP search, however, because
administrative entries (which have the ldapsubentry object class) are not returned by default
with LDAP searches. Administrative objects, for example, can be entries used to define a role or
a class of service. To include these entries in the search response, clients need to search specifically
for entries with the ldapsubentry object class. See “About roles” for more information about
roles and “About class of service” for more information about class of service.
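The two behaviours described above (an entry is a stanza of attribute lines, and a subtree search scoped by base DN that hides ldapsubentry entries unless the client asks for them) can be modelled outside a running server. The following is an added example, not code from the guide or from Directory Server itself: a minimal LDIF parser that handles folded lines and base64 ("::") values, plus an in-memory search over the parsed entries. The LDIF text, DNs, role entry and attribute values are constructed for the example, and the search accepts only a single objectClass value in place of a full LDAP filter.

```python
"""Added example (not from the HP-UX Directory Server guide): parse a small
LDIF file and run a subtree search that mirrors the guide's description of
base-DN scoping and default ldapsubentry hiding."""
import base64

# Constructed sample LDIF. DNs, values and the role entry are made up here;
# the role entry is shaped like a Directory Server managed role.
SAMPLE_LDIF = """\
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
uid: jdoe
cn: Jane Doe
sn: Doe
givenName: Jane
telephoneNumber: +1 555 0100
title: Senior directory
  administrator
# "::" marks a base64 value; here it decodes to a UTF-8 string
description:: SmFuZSDDqSBhZG1pbg==

dn: cn=Staff,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
objectClass: ldapsubentry
cn: Staff

dn: ou=printers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: printers
"""


def parse_ldif(text):
    """Return a list of (dn, {lowercased attribute: [values]}) per stanza."""
    entries = []
    for stanza in text.split("\n\n"):
        lines = []
        for raw in stanza.splitlines():
            if raw.startswith(" ") and lines:      # folded line: drop one space, append
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):              # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def split_dn(dn):
    """Split a DN into lowercased RDN components, honouring backslash-escaped commas."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip().lower())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip().lower())
    return parts


def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies below it in the tree."""
    e, b = split_dn(entry_dn), split_dn(base_dn)
    return len(e) >= len(b) and e[-len(b):] == b


def search(entries, base_dn, object_class=None):
    """Subtree search from base_dn; object_class stands in for (objectClass=X).
    ldapsubentry entries are returned only when asked for by that class."""
    results = []
    for dn, attrs in entries:
        if not is_under(dn, base_dn):
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        wants_subentries = object_class is not None and object_class.lower() == "ldapsubentry"
        if "ldapsubentry" in classes and not wants_subentries:
            continue
        if object_class is not None and object_class.lower() not in classes:
            continue
        results.append(dn)
    return results


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(search(entries, "ou=people, dc=example,dc=com"))
    print(search(entries, "ou=people,dc=example,dc=com", "ldapsubentry"))
```

The first search returns the ou=people entry and the person under it but not the cn=Staff role, because that entry carries ldapsubentry; the second search, which names ldapsubentry explicitly, returns only the role. The printers subtree is never visited because it is outside the base DN.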
1.3.2 Distributing directory data
When various parts of the directory tree are stored in separate databases, the directory can process
client requests in parallel, which improves performance. The databases can even be located on
different machines to further improve performance.
Distributed data are connected by a special entry in a subtree of the directory, called a database
link, which points to data stored remotely. When a client application requests data from a database
link, the database link retrieves the data from the remote database and returns it to the client.
All LDAP operations attempted below this entry are sent to the remote machine. This method
is called chaining.
Chaining is implemented in the server as a plug-in, which is enabled by default.
1.4 Directory design overview
Planning the directory service before actual deployment is the most important task to ensure the
success of the directory. The design process involves gathering data about the directory
requirements, such as environment and data sources, users, and the applications that use the
directory. This information is integral to designing an effective directory service because it helps
identify the arrangement and functionality required.
The flexibility of Directory Server means the directory design can be reworked to meet unexpected
or changing requirements, even after the Directory Server is deployed.