LDAP notes on Forgerock OpenDJ

ForgeRock's documentation gives a good explanation of OpenDJ, LDAP, DS, etc.

Below are some of my notes.

LDAP directory data is organized into entries, similar to the entries for words in the dictionary, or for subscriber names in the phone book.

dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Babs Jensen
cn: Barbara Jensen
facsimileTelephoneNumber: +1 408 555 1992
gidNumber: 1000
givenName: Barbara
homeDirectory: /home/bjensen
l: San Francisco
mail: bjensen@example.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
ou: People
ou: Product Development
roomNumber: 0209
sn: Jensen
telephoneNumber: +1 408 555 1862
uidNumber: 1076

The entry also has a unique identifier, shown at the top of the entry: dn: uid=bjensen,ou=People,dc=example,dc=com. DN is an acronym for distinguished name. No two entries in the directory have the same distinguished name. However, DNs are typically composed of case-insensitive attributes, so two DNs that differ only in case refer to the same entry.

When you look up her entry in the directory, you specify one or more attributes and values to match. The directory server then returns entries with attribute values that match what you specified.

A directory server stores two kinds of attributes in a directory entry: user attributes and operational attributes. User attributes hold the information for users of the directory. All of the attributes shown in the entry at the outset of this section are user attributes. Operational attributes hold information used by the directory itself. Examples of operational attributes include entryUUID, modifyTimestamp, and subschemaSubentry. When an LDAP search operation finds an entry in the directory, the directory server returns all the visible user attributes unless the search request restricts the list of attributes by specifying those attributes explicitly. The directory server does not, however, return any operational attributes unless the search request specifically asks for them. Generally speaking, applications should change only user attributes, and leave updates of operational attributes to the server, relying on public directory server interfaces to change server behavior. An exception is access control instruction (aci) attributes, which are operational attributes used to control access to directory data.
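As an added illustration of the three points above (an entry is a multi-valued attribute set keyed by a DN, DN comparison is normally case-insensitive, and a search returns visible user attributes by default but operational attributes only when they are named), here is a small stand-alone Python script. It is not code from the original notes or from ForgeRock. The LDIF text is the bjensen entry with two constructed operational attributes (entryUUID, modifyTimestamp) appended; the OPERATIONAL set is a hard-coded assumption standing in for the schema lookup a real client would do, and the DN normaliser assumes no escaped commas.

```python
"""Added example: parse an LDIF entry, compare DNs case-insensitively, and
model which attributes a search returns. Sample data is constructed."""

import base64
import re
from typing import Dict, List, Optional

# Constructed sample: the entry from the notes plus two constructed
# operational attributes so the visibility rule can be demonstrated.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Babs Jensen
cn: Barbara Jensen
givenName: Barbara
sn: Jensen
mail: bjensen@example.com
objectClass: inetOrgPerson
objectClass: person
objectClass: top
entryUUID: 00000000-0000-4000-8000-000000000001
modifyTimestamp: 20240101120000Z
"""

# Assumption: a fixed list of operational attribute names. OpenDJ marks these
# in its schema (USAGE directoryOperation); a real client should consult the
# schema instead of hard-coding them.
OPERATIONAL = {"entryuuid", "createtimestamp", "modifytimestamp",
               "subschemasubentry", "aci"}


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute-name: [values]}.

    Handles 'attr: value' lines, repeated attributes accumulating into a
    list, 'attr:: base64' values, continuation lines (a leading space joins
    to the previous line) and '#' comments. Names are lower-cased because
    LDAP attribute types are case-insensitive; 'dn' is kept as a normal key.
    """
    entry: Dict[str, List[str]] = {}
    unfolded = re.sub(r"\n ", "", text)  # join folded lines
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn: str) -> str:
    """Normalise a DN for comparison: trim and lower-case each RDN.

    Assumes every DN attribute uses a case-insensitive matching rule (true
    for uid, ou, dc) and that no RDN value contains an escaped comma.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def same_dn(a: str, b: str) -> bool:
    return normalize_dn(a) == normalize_dn(b)


def search_result(entry: Dict[str, List[str]],
                  requested: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Model what a server returns for this entry.

    requested=None  -> all user attributes (the default for a search)
    requested=[...] -> exactly the named attributes, operational ones
                       included, like 'ldapsearch ... attr1 attr2'
    '*' means all user attributes (RFC 4511) and '+' all operational
    attributes (RFC 3673, supported by OpenDJ).
    """
    user = {k: v for k, v in entry.items() if k != "dn" and k not in OPERATIONAL}
    operational = {k: v for k, v in entry.items() if k in OPERATIONAL}
    if not requested:
        return dict(user)
    out: Dict[str, List[str]] = {}
    for name in requested:
        n = name.lower()
        if n == "*":
            out.update(user)
        elif n == "+":
            out.update(operational)
        elif n in entry and n != "dn":
            out[n] = entry[n]
    return out


if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    print("cn values:", e["cn"])
    print("case-insensitive DN match:",
          same_dn(e["dn"][0], "UID=BJENSEN, OU=People, DC=Example, DC=Com"))
    print("default search returns:", sorted(search_result(e)))
    print("explicit request returns:", sorted(search_result(e, ["mail", "entryUUID"])))
```

Running it shows entryUUID and modifyTimestamp missing from the default result and present only when asked for by name or via "+", which is exactly why an audit script that wants modifyTimestamp or aci must list them explicitly.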


You may be used to web service client server communication, where each time the web client has something to request of the web server, a connection is set up and then torn down. LDAP has a different model. In LDAP the client application connects to the server and authenticates, then requests any number of operations, perhaps processing results in between requests, and finally disconnects when done.

Relationships between the various licenses

licenses

GPL: software built on GPL-licensed software must also use the GPL, or a GPL-compatible license. There is one way to avoid using the GPL: acquire the company that holds the copyright to that software, but that is another story. The main GPL versions in use today are GPLv2 and GPLv3; the difference can be understood as GPLv3 adding a patent retaliation clause.

The Apache License is somewhat more permissive; put simply, software built on Apache-licensed software does not have to be open source.

CDDL can be understood as a compromise between the GPL and Apache: one piece of software may use several different packages, and within a package the reasonably complete module itself must stay under the CDDL, while the rest may use another license, or even be closed source.

The EPL came about after IBM handed the Eclipse IDE over to the "Eclipse Foundation" to manage; it is the CPL with a small number of modifications. The EPL can be understood as follows: for work built on EPL-licensed software, if the new software is independent of the original software it may use another license; otherwise it may only use the EPL. For example, bug fixes and performance improvements you make to EPL-licensed software do not count as independent parts.
