Glossary

Also Access Control Instruction. An instruction that grants or denies permissions to entries in the directory.

Also Access Control List. The mechanism for controlling access to your directory.

In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.

Disables a user account, group of accounts, or an entire domain so that all authentication attempts are automatically rejected.

A size limit which is globally applied to every index key managed by the server. When the size of an individual ID list reaches this limit, the server replaces that ID list with an All IDs token.

A mechanism which causes the server to assume that all directory entries match the index key. In effect, the All IDs token causes the server to behave as if no index was available for the search request.

When granted, allows anyone to access directory information without providing credentials, and regardless of the conditions of the bind.

Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value.

A list of required and optional attributes for a given entry type or object class.

In pass-through authentication (PTA), the authenticating Directory Server is the Directory Server that contains the authentication credentials of the requesting client. The PTA-enabled host sends PTA requests it receives from clients to the host.

(1) Process of proving the identity of the client user to the Directory Server. Users must provide a bind DN and either the corresponding password or certificate in order to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator.

(2) Allows a client to make sure they are connected to a secure server, preventing another computer from impersonating the server or attempting to appear secure when it is not.

Digital file that is not transferable and not forgeable and is issued by a third party. Authentication certificates are sent from server to client or client to server in order to verify and authenticate the other party.

Base distinguished name. A search operation is performed on the base DN, the DN of the entry and all entries below it in the directory tree.

Distinguished name used to authenticate to Directory Server when performing an operation.

In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information.

Software, such as Mozilla Firefox, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server.

Also virtual view index. Speeds up the display of entries in the Directory Server Console. Browsing indexes can be created on any branchpoint in the directory tree to improve display performance.

In a cascading replication scenario, one server, often called the hub supplier, acts both as a consumer and a supplier for a particular replica. It holds a read-only replica and maintains a changelog. It receives updates from the supplier server that holds the master copy of the data and in turn supplies those updates to the consumer.

A collection of data that associates the public keys of a network user with their DN in the directory. The certificate is stored in the directory as user object attributes.

Company or organization that sells and issues authentication certificates. You may purchase an authentication certificate from a Certification Authority that you trust. Also known as a CA.

Common Gateway Interface. An interface for external programs to communicate with the HTTP server. Programs written to use CGI are called CGI programs or CGI scripts and can be written in many of the common programming languages. CGI programs handle forms or perform output parsing that is not done by the server itself.

A method for relaying requests to another server. Results for the request are collected, compiled, and then returned to the client.

A changelog is a record that describes the modifications that have occurred on a replica. The supplier server then replays these modifications on the replicas stored on consumer servers or on other suppliers, in the case of multi-master replication.

Distinguishes alphabetic characters from numeric or other characters and the mapping of upper-case to lower-case letters.

Encrypted information that cannot be read by anyone without the proper key to decrypt the information.

Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory.

A classic CoS identifies the template entry by both its DN and the value of one of the target entry's attributes.

An internal table used by a locale in the context of the internationalization plug-in that the operating system uses to relate keyboard keys to character font screen displays.

Provides language and cultural-specific information about how the characters of a given language are to be sorted. This information might include the sequence of letters in the alphabet or how to compare letters with accents to letters without accents.

Server containing replicated directory trees or subtrees from a supplier server.

Replication configuration where consumer servers pull directory data from supplier servers.

In the context of replication, a server that holds a replica that is copied from a different server is called a consumer for that replica.

A method for sharing attributes between entries in a way that is invisible to applications.

Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects.

A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.

Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory.

An implementation of chaining. The database link behaves like a database but has no persistent storage. Instead, it points to data stored remotely.

One of a set of default indexes created per database instance. Default indexes can be modified, although care should be taken before removing them, as certain plug-ins may depend on them.

The logical representation of the information stored in the directory. It mirrors the tree model used by most filesystems, with the tree's root point appearing at the top of the hierarchy. Also known as DIT.

The privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the Directory Manager.

Also DSGW. A collection of CGI forms that allows a browser to perform LDAP client functions, such as querying and accessing a Directory Server, from a web browser.

A database application designed to manage descriptive, attribute-based information about people and resources within an organization.

String representation of an entry's name and location in an LDAP directory.

Domain Name System. The system used by machines on a network to associate standard IP addresses (such as 198.93.93.10) with hostnames (such as www.example.com). Machines normally get the IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems.

A DNS alias is a hostname that the DNS server knows points to a different host-specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as www.yourdomain.domain might point to a real machine called realthing.yourdomain.domain where the server currently exists.

A group of lines in the LDIF file that contains information about an object.

Method of distributing directory entries across more than one server in order to scale to support large numbers of entries.

Each index that the directory uses is composed of a table of index keys and matching entry ID lists. The entry ID list is used by the directory to build a list of candidate entries that may match the client application's search request.

Allows you to search efficiently for entries containing a specific attribute value.

The section of a filename after the period or dot (.) that typically defines the type of file (for example, .GIF and .HTML). In the filename index.html the file extension is html.

The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML).

A constraint applied to a directory query that restricts the information returned.

Allows you to assign entries to the role depending upon the attribute contained by each entry. You do this by specifying an LDAP filter. Entries that match the filter are said to possess the role.

When granted, indicates that all authenticated users can access directory information.

Generic Security Services. The generic access protocol that is the native way for UNIX-based systems to access and authenticate Kerberos services; also supports session encryption.

A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and com domain.

Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as the Mozilla Firefox how to display text, position graphics, and form items and to display links to other pages.

Hypertext Transfer Protocol. The method for exchanging information between HTTP servers and clients.

An abbreviation for the HTTP daemon or service, a program that serves information using the HTTP protocol. The daemon or service is often called an httpd.

A secure version of HTTP, implemented using the Secure Sockets Layer, SSL.

In the context of replication, a server that holds a replica that is copied from a different server, and, in turn, replicates it to a third server. See also cascading replication.

Each index that the directory uses is composed of a table of index keys and matching entry ID lists.

An indirect CoS identifies the template entry using the value of one of the target entry's attributes.

Also Internet Protocol address. A set of numbers, separated by dots, that specifies the actual location of a machine on the Internet (for example, 198.93.93.10).

Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.

Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.

Software used to request and view LDAP entries from an LDAP Directory Server. See also browser.

Provides the means of locating Directory Servers using DNS and then completing the query via LDAP. A sample LDAP URL is ldap://ldap.example.com.

A high-performance, disk-based database consisting of a set of large files that contain all of the data assigned to it. The primary data store in Directory Server.

LDAP Data Interchange Format. Format used to represent Directory Server entries in text form.

An entry under which there are no other entries. A leaf entry cannot be a branch point in a directory tree.

Identifies the collation order, character type, monetary format and time / date format used to present data for users of a specific region, culture, and/or custom. This includes information on how data of a given language is interpreted, stored, or collated. The locale also indicates which code page should be used to represent a given language.

A standard value which the SNMP agent can access and send to the NMS. Each managed object is identified with an official name and a numeric identifier expressed in dot-notation.

A data structure that associates the names of suffixes (subtrees) with databases.

Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use.

A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data that is unique with high probability and is mathematically extremely hard to produce; a piece of data that will produce the same message digest.

Management Information Base. All data, or any portion thereof, associated with the SNMP network. We can think of the MIB as a database which contains the definitions of all SNMP managed objects. The MIB has a tree-like hierarchy, where the top level contains the most general information about the network and lower levels deal with specific, separate network areas.

Management Information Base namespace. The means for directory data to be named and referenced. Also called the directory tree.

Specifies the monetary symbol used by specific region, whether the symbol goes before or after its value, and how monetary units are represented.

An advanced replication scenario in which two servers each hold a copy of the same read-write replica. Each server maintains a changelog for the replica. Modifications made on one server are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version.

The server containing the database link that communicates with the remote server.

The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.

Network Management Station component that graphically displays information about SNMP managed devices (which device is up or down, which and how many error messages were received, etc.).

Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, filesystems, and network parameters throughout a network of computers.

Also Network Management Station. Powerful workstation with one or more network management applications installed.

Red Hat's LDAP Directory Server daemon or service that is responsible for all actions of the Directory Server. See also slapd.

Defines an entry type in the directory by defining which attributes are contained in the entry.

Also OID. A string, usually of decimal numbers, that uniquely identifies a schema element, such as an object class or an attribute, in an object-oriented system. Object identifiers are assigned by ANSI, IETF or similar organizations.

Contains information used internally by the directory to keep track of modifications and subtree properties. Operational attributes are not returned in response to a search unless explicitly requested.

When granted, indicates that users have access to entries below their own in the directory tree if the bind DN is the parent of the targeted entry.

In pass-through authentication, the PTA directory server will pass through bind requests to the authenticating directory server from all clients whose DN is contained in this subtree.

A file on Unix machines that stores Unix user login names, passwords, and user ID numbers. It is also known as /etc/passwd because of where it is kept.

In the context of access control, permission states whether access to the directory information is granted or denied and the level of access that is granted or denied. See access rights.

Also Protocol Data Unit. Encoded messages which form the basis of data exchanges between SNMP devices.

A set of rules that describes how devices on a network exchange information.

A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN.

Used with proxied authorization. The proxy DN is the DN of an entry that has access permissions to the target on which the client-application is attempting to perform an operation.

Also Pass-through authentication. Mechanism by which one Directory Server consults another to check bind credentials.

In pass-through authentication (PTA), the PTA Directory Server is the server that sends (passes through) bind requests it receives to the authenticating directory server.

In pass-through authentication, the URL that defines the authenticating directory server, pass-through subtree(s), and optional parameters.

Random access memory. The physical semiconductor-based memory in a computer. Information stored in RAM is lost when the computer is shut down.

A file on Unix machines that describes programs that are run when the machine starts. It is also called /etc/rc.local because of its location.

Also Relative Distinguished Name. The name of the actual entry itself, before the entry's ancestors have been appended to the string to form the full distinguished name.

Mechanism that ensures that relationships between related entries are maintained within the directory.

(1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP sever that can process the request.

(2) In the context of replication, when a read-only replica receives an update request, it forwards it to the server that holds the corresponding read-write replica. This forwarding process is called a referral.

A replica that refers all update operations to read-write replicas. A server can hold any number of read-only replicas.

A replica that contains a master copy of directory information and can be updated. A server can hold any number of read-write replicas.

Act of copying directory trees or subtrees from supplier servers to consumer servers.

Set of configuration parameters that are stored on the supplier server and identify the databases to replicate, the consumer servers to which the data is pushed, the times during which replication can occur, the DN and credentials used by the supplier to bind to the consumer, and how the connection is secured.

Request for Comments. Procedures or standards documents submitted to the Internet community. People can send comments on the technologies before they become accepted standards.

An entry grouping mechanism. Each role has members, which are the entries that possess the role.

Attributes that appear on an entry because it possesses a particular role within an associated CoS template.

The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine.

The parent of one or more sub suffixes. A directory tree can contain more than one root suffix.

Also Simple Authentication and Security Layer. An authentication framework for clients as they attempt to bind to a directory.

Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.

Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.

When granted, indicates that users have access to their own entries if the bind DN matches the targeted entry.

Java-based application that allows you to perform administrative management of your Directory Server from a GUI.

The server daemon is a process that, once running, listens for and accepts requests from clients.

A directory on the server machine dedicated to holding the server program and configuration, maintenance, and information files.

A background process on a Windows machine that is responsible for a particular system task. Service processes do not need human intervention to continue functioning.

Server Instance Entry. The ID assigned to an instance of Directory Server during installation.

The most basic replication scenario in which two servers each hold a copy of the same read-write replicas to consumer servers. In a single-master replication scenario, the supplier server maintains a changelog.

LDAP Directory Server daemon or service that is responsible for most functions of a directory except replication. See also ns-slapd.

Also Simple Network Management Protocol. Used to monitor and manage application processes running on the servers by exchanging data about network activity.

Software that exchanges information between the various subagents and the NMS.

Software that gathers information about the managed device and passes the information to the master agent. Also subagent.

Also Secure Sockets Layer. A software library establishing a secure connection between two parties (client and server) used to implement HTTPS, the secure version of HTTP.

Allows for efficient searching against substrings within entries. Substring indexes are limited to a minimum of two characters for each entry.

The name of the entry at the top of the directory tree, below which data is stored. Multiple suffixes are possible within the same directory. Each database only has one suffix.

The most privileged user available on Unix machines. The superuser has complete access privileges to all files on the machine. Also called root.

Server containing the master copy of directory trees or subtrees that are replicated to consumer servers.

In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.

Replication configuration where supplier servers replicate directory data to consumer servers.

Encryption that uses the same key for both encrypting and decrypting. DES is an example of a symmetric encryption algorithm.

Cannot be deleted or modified as it is essential to Directory Server operations.

In the context of access control, the target identifies the directory information to which a particular ACI applies.

Transmission Control Protocol/Internet Protocol. The main network protocol for the Internet and for enterprise (company) networks.

Indicates the customary formatting for times and dates in a specific region.

Also Transport Layer Security. The new standard for secure socket layers; a public key based protocol.

The way a directory tree is divided among physical servers and how these servers link with one another.

Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is protocol://machine:port/document. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL.

Also browsing index. Speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance.

The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementation.