Enterprise customers often need to manage Host On-Demand user and group configuration information for a large number of users. For reasons of performance or administrative convenience, the information for these users may be distributed and managed across multiple Host On-Demand servers. Unfortunately, the user information is not shared among the Host On-Demand servers or among those servers and other applications.
However, a directory service, such as that provided by a Lightweight Directory Access Protocol (LDAP) server, can enable this kind of information sharing. For example, a single LDAP directory can store configuration information for multiple Host On-Demand servers. Configuration information is stored in directory entries in an LDAP directory; these entries are uniquely identified by a distinguished name (DN).
With Host On-Demand, you can use an LDAP directory instead of using the Host On-Demand server's private data store to store user, group, and session information. This option is available from the Directory Service in the Host On-Demand Administration window.
Migrating to LDAP has significant implications for your group and user configuration information. Make sure you understand these implications before you migrate. |
Additional general information about LDAP and the IBM SecureWay Directory can be found at the IBM SecureWay Directory Website. The IBM redbook Understanding LDAP, which can be downloaded from that page, is especially helpful.
A directory is a specialized database that stores information about objects and their relationships to each other.
For example, in a directory of users, each object might be a person with a user ID and password. These objects may also have application-specific information associated with them, such as group memberships, keyboard mappings, macro definitions, and session parameters.
The Lightweight Directory Access Protocol (LDAP) is an open standard that provides an extendable architecture for storage and management of directory information. Widely accepted and fast-growing, LDAP has become the de facto industry standard for accessing directory information over a TCP/IP network.
A distinguished name (DN) consists of one or more relative distinguished names (RDNs) arranged in a hierarchical, tree-like structure to uniquely identify a single directory entry. This tree-like structure is organized from more general to more specific, going from the root of the tree to the leaves, and is called a directory information tree (DIT). The arrangement of the RDNs in the DN reflects this tree-like structure. From left to right, the RDNs are arranged from most specific to least specific and are separated by commas.
For example, cn=Chris Smith,o=IBM,c=US
is a DN that consists of three RDNs that
uniquely identify Chris Smith, c=US
is an RDN that branches from the root of the DIT,
o=IBM
is an RDN that branches from RDN c=US
, and
cn=Chris Smith
is an RDN that branches from RDN o=IBM
.
Each RDN is derived from the attributes of the directory entry. In the simple and common case, an RDN consists of an attribute value pair that has the form attribute name = value. For more information, refer to the documentation for the LDAP directory service for your environment.