
With the rise of 5G technology and the spread of smart terminals of every kind, the cloud office market has entered a period of accelerated development. Follow [RongCloud] to learn more about collaborative office platforms.

More flexible and efficient cross-platform mobile collaborative office has become mainstream. As the core foundation of enterprise collaborative office and the entry point that triggers unified communications and related services, the importance of the corporate address book is self-evident.

Today, the corporate address book is not just an address book.
Figure 1 - Enterprise Address Book Entry Concept


Enterprise address book core technology LDAP

For historical reasons, enterprises have implemented address book functions with proprietary or otherwise differing standards, so different address book services coexist on the network and user address book data is inconsistent between them.

To address this, the Open Mobile Alliance (OMA) proposed the Converged Address Book (CAB) research project, whose purpose is to form a unified address book standard so that all users and services can share one address book, improving service quality and user experience.

Besides CAB, address book standards also include RCS (Rich Communication Suite), a rich communication technology standard. RCS was initiated as a standardization effort by European operators and has been incorporated into the GSM (Global System for Mobile Communications) Association. RCS is mainly composed of EAB (Enhanced Address Book) and NAB (Network Address Book), but the address book standard formulated in RCS is a personal address book standard.

EAB is an extension of the local personal address book, and NAB adds network functions to the local EAB: users can upload the locally created EAB to the network, and NAB handles the synchronization and management of the local address book.

Although both CAB and RCS define standards for implementing address book services, such as the address book data model and the business functions required, these standards are tailored to personal address books and do not consider the business scenarios and security of an enterprise address book. The address book business of collaborative office differs considerably from these standards, so research on the enterprise address book must be combined with the actual application scenarios rather than simply imitating the two standards above.

At present, many enterprise address books use LDAP to realize the "secure communication" function. The principles and characteristics of LDAP are introduced below.


LDAP Protocol Research

LDAP (Lightweight Directory Access Protocol) was born at the University of Michigan.

LDAP is optimized for query speed, adopts a tree-like information storage model, can be deployed in a distributed manner, and has flexible access control. With the advantages of openness, scalability and ease of development, it has become the standard directory access protocol and is widely used as a foundation of information management systems.

LDAP principle

The LDAP protocol consists of four models :
Information Model: Used to describe the representation of information in LDAP

【Attributes】
LDAP directory service storage is based on entries (Entry). Each entry contains a set of attributes that represent a real-world entity. The relationship between entries and attributes is as follows:

Figure 2 - Relationship between entries, attributes and values

【Object class】
Entities in the real world often share the same or similar characteristics and are divided into different classes in the LDAP directory service. A directory entry also includes an important attribute, the object class attribute, which determines which attributes must and may be included in the entry. The attributes that must be included are called mandatory, and those that may be included are called optional.

Object classes can be customized. Customized object classes follow an inheritance mechanism: a subclass inherits all the mandatory and optional attributes of its parent class. The object class top is the parent of all classes, that is, the root, and all object classes are derived from top.

Defining the mandatory attribute objectClass in the top class ensures that each entry contains at least one object class, which satisfies the requirement that a directory entry must have at least one object class before it can be added to the directory.

【Schema】
The schema of a directory is composed of the definitions of all attributes, object classes, syntaxes and matching rules in the directory. The schema determines the storage form of data in the directory, and LDAP itself defines a standard one.

The standard schema includes system object classes, attribute types, syntaxes and matching rules. These system schemas are all standardized in the LDAP standard; see the LDAP RFCs. Of course, individual industries can also customize the schema to meet their own application needs. This is similar to XML, which has standard definitions while industries can customize a DTD or DOM according to their needs.

However, for future compatibility of the system, it is recommended to use the standard schema as much as possible when using LDAP.

Naming Model: Describes how data is organized in LDAP
All entries in LDAP are stored according to a hierarchical model, which is logically a hierarchical or tree-like structure called the Directory Information Tree (DIT). This is similar to DNS, which is also organized hierarchically, and it allows better storage and searching of objects in the directory tree.

To find the corresponding object correctly, each object must have a unique identifier in the DIT, the Distinguished Name (DN). A DN represents the full path of an object within the scope of the DIT; it consists of the path of the directory in which the object is located.

In addition, we can use Relative Distinguished Names (RDN); an RDN is a part of a DN. The top-level node in the DIT represents a country such as US or CN, and its child nodes can be companies or provinces.

Child nodes can represent specific people or specific resources. For example, the following DN identifies the user YANG in the figure: DN: cn=YANG,ou=CS,o=sict,c=CN.

cn stands for common name, ou for organizational unit, o for organization, and c for country.

Figure 3 - Directory Information Tree

Functional Model: Describes data manipulation access in LDAP

The functional model describes all the operations on the directory supported by the LDAP service. The interaction between the LDAP client and server is shown in Figure 4; three groups of operations are supported:

Figure 4 - Interaction diagram between client and server

【Query operation】
The client can perform a query through the query interface provided by LDAP, using parameters such as baseDN (the starting point of the query), scope (the range of the query) and filter (the filtering condition).

【Change operation】
Change operations mainly include add, delete and modify: add and delete create and remove directory entries, and modify changes the attributes of an entry.

Although LDAP directory services do not support transactions, a modification to a directory entry should be atomic and follow the all-or-nothing principle.

【Authentication Operation】
There are three authentication-related operations in LDAP: bind, which initiates a session between the client and the server; unbind, which terminates the session; and abandon, which lets the client ask the server to terminate an operation in progress.
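To make the naming model and the query operation concrete, here is an added example (not code from the original post) of a small in-memory DIT: DNs are split into RDNs, and a search is driven by baseDN, scope and an equality filter, as described above. The entries, the `search` function and its simplified filter syntax are constructed for illustration.

```python
# Added example (not from the original post): a minimal in-memory Directory
# Information Tree (DIT) showing the naming model (a DN is a chain of RDNs,
# most specific first) and the functional model's search operation driven by
# baseDN, scope and a simple equality filter. Entries are constructed data.
SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = "base", "one", "sub"

def split_dn(dn):
    """'cn=YANG,ou=CS,o=sict,c=CN' -> ['cn=YANG', 'ou=CS', 'o=sict', 'c=CN'].
    Simplification: escaped commas inside RDN values are not handled."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]

def parent_dn(dn):
    """The DN of the entry's parent node in the tree."""
    return ",".join(split_dn(dn)[1:])

def is_under(dn, base):
    """True if dn is base itself or lies beneath it (case-insensitive compare)."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

DIT = {  # constructed sample directory: DN -> attributes (multi-valued)
    "c=CN": {"objectClass": ["country"], "c": ["CN"]},
    "o=sict,c=CN": {"objectClass": ["organization"], "o": ["sict"]},
    "ou=CS,o=sict,c=CN": {"objectClass": ["organizationalUnit"], "ou": ["CS"]},
    "ou=EE,o=sict,c=CN": {"objectClass": ["organizationalUnit"], "ou": ["EE"]},
    "cn=YANG,ou=CS,o=sict,c=CN": {"objectClass": ["person"], "cn": ["YANG"],
                                  "mail": ["yang@example.com"]},
    "cn=LI,ou=EE,o=sict,c=CN": {"objectClass": ["person"], "cn": ["LI"]},
}

def matches(entry, filt):
    """Evaluate a single '(attr=value)' filter; value '*' tests presence."""
    attr, _, value = filt.strip("()").partition("=")
    values = [v.lower() for k, vs in entry.items()
              if k.lower() == attr.lower() for v in vs]
    return bool(values) if value == "*" else value.lower() in values

def search(base_dn, scope, filt="(objectClass=*)"):
    """Return DNs within `scope` of base_dn whose entry satisfies filt."""
    depth = len(split_dn(base_dn))
    found = []
    for dn, entry in DIT.items():
        if not is_under(dn, base_dn):
            continue
        level = len(split_dn(dn)) - depth  # 0 = base entry, 1 = direct child
        in_scope = (scope == SCOPE_SUB or (scope == SCOPE_BASE and level == 0)
                    or (scope == SCOPE_ONE and level == 1))
        if in_scope and matches(entry, filt):
            found.append(dn)
    return found
```

A real server evaluates the filter with the matching rules from the schema and supports compound filters; this model keeps only the scope semantics and one equality test.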

Security Model: Describes the security mechanisms in LDAP

LDAP mainly realizes its security mechanism through identity authentication, a secure channel and access control, described below:

【Authentication】
When the client program wants to establish an initial session with the server program, the server first needs to authenticate the client. The authentication methods differ by security level: anonymous access, which offers no security guarantee; authentication based on a plaintext password; and the more secure SASL (Simple Authentication and Security Layer) mechanism with an encrypted session. The client program can choose the appropriate authentication method according to its own needs.

【Secure channel】
LDAP uses the SSL/TLS security protocol to protect the data exchanged between the client program and the server program, just as the HTTPS protocol used on the Internet provides secure transmission through SSL/TLS. SSL/TLS is built on PKI information security technology, through which it provides integrity and confidentiality for data in transit and can also realize mutual authentication of client and server identities.

【Access control】
To protect sensitive information resources, the LDAP directory service defines a series of access control rules that control the access rights of different entities to different directory nodes.
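As an added example (not code from the original post), the following evaluates access control rules of the kind described above over the example DIT: each rule grants rights on certain attributes of a subtree to a subject, and a request is denied unless some rule grants it. The rules, the subject keywords "*", "users" and "self", and the DNs are all constructed for illustration.

```python
# Added example (not from the original post): evaluating access control rules
# over the DIT in the style of the LDAP security model described above.
# A rule grants rights on attributes of a subtree to a subject; every request
# is denied unless some rule grants it (default deny). Rules, DNs and the
# subject keywords "*", "users" and "self" are constructed for illustration.
ANONYMOUS = ""  # an anonymous bind carries no DN

def _rdns(dn):
    """Normalised RDN list, most specific first (escaped commas not handled)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def is_under(dn, base):
    """True if dn equals base or lies beneath it in the tree."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

# (subject, target subtree, attributes, rights)
#   "*"     anyone, including anonymous binds
#   "users" any authenticated bind
#   "self"  the bind DN is the entry being accessed
ACL = [
    ("*", "o=sict,c=CN", {"cn", "ou", "o", "objectClass"}, {"read"}),
    ("users", "o=sict,c=CN", {"mail", "telephoneNumber"}, {"read"}),
    ("self", "o=sict,c=CN", {"userPassword", "mobile"}, {"read", "write"}),
    ("cn=admin,o=sict,c=CN", "o=sict,c=CN", {"*"}, {"read", "write", "add", "delete"}),
]

def subject_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "users":
        return bind_dn != ANONYMOUS
    if who == "self":
        return bind_dn != ANONYMOUS and _rdns(bind_dn) == _rdns(target_dn)
    return _rdns(who) == _rdns(bind_dn)  # a specific DN

def allowed(bind_dn, target_dn, attr, right):
    """Return True only if a rule grants `right` on `attr` of target_dn."""
    for who, subtree, attrs, rights in ACL:
        if (is_under(target_dn, subtree)
                and subject_matches(who, bind_dn, target_dn)
                and ("*" in attrs or attr in attrs)
                and right in rights):
            return True
    return False  # default deny

if __name__ == "__main__":
    yang = "cn=YANG,ou=CS,o=sict,c=CN"
    print(allowed(ANONYMOUS, yang, "mail", "read"))  # False
    print(allowed(yang, yang, "mobile", "write"))      # True
```

The point to check in a deployment is the same as in the model: an anonymous bind should reach only the attributes the directory deliberately publishes, and password or contact details should be readable only by authenticated users or the entry's owner.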

LDAP characteristics

Cross-platform support
The LDAP database and its related resources can be deployed to different platforms, such as Linux or Windows, and can also be ported across platforms.

Open source protocol
During development, users can customize the required modules from its open source implementations, which gives programs versatility and makes secondary development and later maintenance easier. The LDAP server can also replicate data in various ways, by "push" or "pull"; for example, it can push user data to a remote backup server to back it up.

Optimize read operations
LDAP optimizes read operations for faster reads. If the user's data does not need to be updated frequently, but needs to be read frequently, LDAP storage is a good choice.

This is also one of the reasons for using LDAP for user information storage. Users generally only read their own information and rarely modify their own information.

Store information in a tree structure
LDAP stores information in a tree structure that can reflect the hierarchical membership and simple attributes of members. This makes it convenient for enterprises to manage and organize all employees and control their access rights, and it also improves access speed for employees. LDAP is therefore very suitable for storing the address book.


Today, as communication becomes increasingly boundless, LDAP casts the security "tightening spell". As the "backbone road" of unified communication inside and outside the enterprise, the security of the enterprise address book is very important. A directory service designed on LDAP can provide fine-grained permission control for the enterprise address book to ensure smooth and secure communication.




RongCloud (融云)

Focused, therefore professional.