<?xml version="1.0" encoding="UTF-8"?>
<!--
 ! CCPL HEADER START
 !
 ! This work is licensed under the Creative Commons
 ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
 ! To view a copy of this license, visit
 ! http://creativecommons.org/licenses/by-nc-nd/3.0/
 ! or send a letter to Creative Commons, 444 Castro Street,
 ! Suite 900, Mountain View, California, 94041, USA.
 !
 ! You can also obtain a copy of the license at
 ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! If applicable, add the following below this CCPL HEADER, with the fields
 ! enclosed by brackets "[]" replaced with your own identifying information:
 ! Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CCPL HEADER END
 !
 ! Copyright 2011-2015 ForgeRock AS.
 !
-->
<chapter xml:id='chap-understanding-ldap'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook
 http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Understanding Directory Services</title>
 <indexterm>
 <primary>Directory services</primary>
 <secondary>About</secondary>
 </indexterm>
 <indexterm>
 <primary>LDAP</primary>
 <secondary>About</secondary>
 </indexterm>

 <para>A directory resembles a dictionary or a phone book. If you know a
 word, you can look up its entry in the dictionary to learn its definition
 or its pronunciation. If you know a name, you can look up its entry in the
 phone book to find the telephone number and street address associated with the
 name. If you are bored, curious, or have lots of time, you can also read
 through the dictionary, phone book, or directory, entry after entry.</para>

 <para>Where a directory differs from a paper dictionary or phone book is
 in how entries are indexed. Dictionaries typically have one index: words
 in alphabetical order. Phone books, too: names in alphabetical order.
 Directory entries, on the other hand, are often indexed for multiple
 attributes: names, user identifiers, email addresses, telephone numbers.
 This means you can look up a directory entry by the name of the user the
 entry belongs to, but also by her user identifier, her email address, or
 her telephone number, for example.</para>

 <para>OpenDJ directory services are based on the Lightweight Directory Access
 Protocol (LDAP). Much of this chapter serves therefore as an introduction to
 LDAP. OpenDJ directory services also provide RESTful access to directory data,
 yet as directory administrator you will find it useful to understand the
 underlying model even if most users are accessing the directory over HTTP
 rather than LDAP.</para>

 <section xml:id="ldap-directory-history">
 <title>How Directories &amp; LDAP Evolved</title>

 <para>Phone companies have been managing directories for many decades. The
 Internet itself has relied on distributed directory services like DNS since
 the mid 1980s.</para>

 <para>It was not until the late 1980s, however, that experts from what is now
 the International Telecommunication Union brought forth the X.500 set of
 international standards, including the Directory Access Protocol. The X.500
 standards specify Open Systems Interconnection (OSI) protocols and
 data definitions for general-purpose directory services. The X.500 standards
 were designed to meet the needs of systems built according to the X.400
 standards, covering electronic mail services.</para>

 <para>Lightweight Directory Access Protocol has been around since the early
 1990s. LDAP was originally developed as an alternative protocol that would
 allow directory access over Internet protocols rather than OSI protocols,
 and be lightweight enough for desktop implementations. By the mid 1990s, LDAP
 directory servers became generally available and widely used.</para>

 <para>Until the late 1990s, LDAP directory servers were designed primarily
 with quick lookups and high availability for lookups in mind. LDAP directory
 servers replicate data, so when an update is made, that update gets pushed
 out to other peer directory servers. Thus if one directory server goes down,
 lookups can continue on other servers. Furthermore, if a directory service
 needs to support more lookups, the administrator can simply add another
 directory server to replicate with its peers.</para>

 <para>As organizations rolled out larger and larger directories serving more
 and more applications, they discovered that they needed high availability
 not only for lookups, but also for updates. Around the year 2000, directories
 began to support multi-master replication, that is, replication with multiple
 read-write servers. Soon thereafter the organizations with the very largest
 directories started to need higher update performance as well as
 availability.</para>

 <para>The OpenDJ code base began in the mid 2000s, when engineers solving the
 update performance issue decided the cost of adapting the existing C-based
 directory technology for high performance updates would be higher than the
 cost of building a next generation, high performance directory using Java
 technology.</para>
 </section>

 <section xml:id="directory-data">
 <title>About Data In LDAP Directories</title>
 <indexterm>
 <primary>LDAP</primary>
 <secondary>Data</secondary>
 </indexterm>

 <para>LDAP directory data is organized into entries, similar to the entries
 for words in the dictionary, or for subscriber names in the phone book.
 A sample entry follows.</para>

 <programlisting language="ldif">
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Babs Jensen
cn: Barbara Jensen
facsimileTelephoneNumber: +1 408 555 1992
gidNumber: 1000
givenName: Barbara
homeDirectory: /home/bjensen
l: Cupertino
mail: bjensen@example.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
ou: People
ou: Product Development
roomNumber: 0209
sn: Jensen
telephoneNumber: +1 408 555 1862
uidNumber: 1076
 </programlisting>

 <para>Barbara Jensen's entry has a number of attributes, such as
 <literal>uid: bjensen</literal>,
 <literal>telephoneNumber: +1 408 555 1862</literal>, and
 <literal>objectClass: posixAccount</literal><footnote><para>The
 <literal>objectClass</literal> attribute type indicates which attributes
 are required for the entry and which are optional. As an entry's object
 classes can be updated online, and even the definitions of object classes
 and attributes are expressed as entries that can be updated online, directory
 data is extensible on the fly.</para></footnote>. When you look up her entry
 in the directory, you specify one or more attributes and values to match.
 The directory server then returns entries with attribute values that match
 what you specified.</para>

 <para>The attributes you search for are indexed in the directory, so the
 directory server can retrieve them more quickly.<footnote><para>Attribute
 values do not have to be strings. Some attribute values are pure binary like
 certificates and photos.</para></footnote></para>
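
 <para>The following is an added example, not code from the OpenDJ
 documentation or project: a small Python parser for LDIF entries like the
 one above, together with an index over several attribute types, showing how
 the same entry is found by user identifier, name, email address or
 telephone number. The parser also handles the <literal>::</literal> form
 that LDIF uses for base64-encoded binary values; the
 <literal>jpegPhoto</literal> line in the sample is constructed for that
 purpose and is not part of the entry above. The
 <literal>DirectoryIndex</literal> class and its matching behaviour are this
 example's own simplification, not OpenDJ's backend.</para>
 <![CDATA[
```python
# Added example, not from the OpenDJ documentation: a small LDIF parser for
# entries like the one above, plus an index over several attribute types so
# the same entry can be found by uid, name, email address or telephone number.
import base64
from collections import defaultdict

# Barbara Jensen's entry as shown above. The jpegPhoto line is constructed,
# added only to show the '::' base64 form that LDIF uses for binary values.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Babs Jensen
cn: Barbara Jensen
facsimileTelephoneNumber: +1 408 555 1992
gidNumber: 1000
givenName: Barbara
homeDirectory: /home/bjensen
l: Cupertino
mail: bjensen@example.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
ou: People
ou: Product Development
roomNumber: 0209
sn: Jensen
telephoneNumber: +1 408 555 1862
uidNumber: 1076
jpegPhoto:: AAEC
"""

def parse_ldif(text):
    """Parse LDIF records separated by blank lines into (dn, attrs) pairs.
    attrs maps the lower-cased attribute type to its list of values. A '::'
    separator marks a base64 value, returned as bytes; a line starting with a
    space continues the previous line; lines starting with '#' are comments."""
    entries = []
    for record in text.strip().split('\n\n'):
        lines = []
        for line in record.splitlines():
            if line.startswith(' ') and lines:
                lines[-1] += line[1:]          # unfold continuation line
            elif line and not line.startswith('#'):
                lines.append(line)
        attrs = defaultdict(list)
        for line in lines:
            name, _, rest = line.partition(':')
            if rest.startswith(':'):           # 'attr:: base64'
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip()
            attrs[name.strip().lower()].append(value)
        dn = attrs.pop('dn')[0]
        if isinstance(dn, bytes):
            dn = dn.decode('utf-8')
        entries.append((dn, dict(attrs)))
    return entries

class DirectoryIndex:
    """Index a set of entries on several attribute types at once."""
    INDEXED = ('uid', 'cn', 'mail', 'telephonenumber')

    def __init__(self, entries):
        self.entries = dict(entries)
        self.index = defaultdict(set)
        for dn, attrs in entries:
            for attr_type in self.INDEXED:
                for value in attrs.get(attr_type, ()):
                    self.index[(attr_type, self._key(value))].add(dn)

    @staticmethod
    def _key(value):
        # Case- and whitespace-insensitive key in the spirit of caseIgnoreMatch;
        # a real server applies each attribute's own matching rule.
        return ' '.join(value.split()).lower() if isinstance(value, str) else value

    def lookup(self, attr_type, value):
        """DNs of entries whose attr_type has the given value."""
        attr_type, key = attr_type.lower(), self._key(value)
        if attr_type in self.INDEXED:
            return sorted(self.index.get((attr_type, key), ()))
        # Unindexed attribute type: scan every entry, which is what makes an
        # unindexed search expensive in a large directory.
        return sorted(dn for dn, attrs in self.entries.items()
                      if any(self._key(v) == key for v in attrs.get(attr_type, ())))

if __name__ == '__main__':
    index = DirectoryIndex(parse_ldif(SAMPLE_LDIF))
    for attr_type, value in [('uid', 'bjensen'), ('mail', 'BJENSEN@example.com'),
                             ('telephoneNumber', '+1 408 555 1862'), ('sn', 'Jensen')]:
        print(attr_type, value, '->', index.lookup(attr_type, value))
```
 ]]>
 <para>Looking up a value of an indexed attribute type costs one dictionary
 probe regardless of directory size; looking up an unindexed type such as
 <literal>sn</literal> in this example falls back to scanning every entry,
 which is the cost an unindexed search incurs in a large directory.</para>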

 <para>The entry also has a unique identifier, shown at the top of the entry,
 <literal>dn: uid=bjensen,ou=People,dc=example,dc=com</literal>. DN stands
 for distinguished name. No two entries in the directory have the same
 distinguished name. Note, however, that DNs are typically composed of
 case-insensitive attributes, so two DNs that differ only in case name the
 same entry.<footnote><para>Sometimes your distinguished names include
 characters that you must escape. The following example shows an entry that
 includes escaped characters in the DN.</para>

 <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=escape)"</userinput>
<computeroutput>dn: cn=\" # \+ \, \; \&lt; = \&gt; \\ DN Escape Characters,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: " # + , ; &lt; = &gt; \
uid: escape
cn: " # + , ; &lt; = &gt; \ DN Escape Characters
sn: DN Escape Characters
mail: escape@example.com</computeroutput>
 </screen></footnote></para>

 <para>LDAP entries are arranged hierarchically in the directory. The
 hierarchical organization resembles a file system on a PC or a web server,
 often imagined as an upside-down tree structure, looking similar to a
 pyramid. <footnote><para>Hence pyramid icons are associated with directory
 servers.</para></footnote> The distinguished name consists of components
 separated by commas,
 <literal>uid=bjensen,ou=People,dc=example,dc=com</literal>. The names are
 little-endian: the leftmost component is the most specific, and each
 component to its right names the parent of the one before it. The
 components thus reflect the hierarchy of directory entries.</para>
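
 <para>The following is an added example, not code from the OpenDJ
 documentation or project: Python functions that escape, split and rebuild
 distinguished names as RFC 4514 describes them, applied to the DN Escape
 Characters entry from the footnote above and to Barbara Jensen's DN. It
 also shows the little-endian order just described: splitting a DN yields
 the entry's own component first, and dropping that component gives the
 parent's DN. The function names (<literal>escape_rdn_value</literal>,
 <literal>split_dn</literal>, <literal>join_dn</literal>,
 <literal>parent_dn</literal>, <literal>child_dn</literal>) are this
 example's own.</para>
 <![CDATA[
```python
# Added example, not from the OpenDJ documentation: escaping, splitting and
# rebuilding distinguished names per RFC 4514, applied to the DN Escape
# Characters entry shown above and to Barbara Jensen's DN.
import re

# Characters that must always be escaped inside an RDN value (RFC 4514 2.4).
SPECIAL = '"+,;<>\\'

def escape_rdn_value(value):
    """Escape one attribute value for use in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:
            out.append('\\#')                 # '#' is special only at the start
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')                 # leading or trailing space
        else:
            out.append(ch)
    return ''.join(out)

# One token at a time: \XX hex pair, \c escaped char, ',' separator, '=' or any other char.
_TOKEN = re.compile(r'\\([0-9A-Fa-f]{2})|\\(.)|(,)|(=)|(.)', re.S)

def split_dn(dn):
    """Split a DN string into (type, value) pairs, leftmost (most specific) first.
    Backslash escapes are undone and \\XX hex pairs are collected as UTF-8 bytes.
    Multi-valued RDNs joined with '+' are not handled in this example."""
    rdns = []
    attr_type = None
    raw = bytearray()
    for hexpair, esc, comma, eq, plain in _TOKEN.findall(dn):
        if hexpair:
            raw += bytes.fromhex(hexpair)
        elif esc:
            raw += esc.encode('utf-8')
        elif eq and attr_type is None:          # first '=' ends the attribute type
            attr_type = raw.decode('utf-8').strip()
            raw = bytearray()
        elif comma:                             # unescaped ',' ends the RDN
            rdns.append((attr_type, raw.decode('utf-8')))
            attr_type, raw = None, bytearray()
        else:
            raw += (eq or plain).encode('utf-8')
    rdns.append((attr_type, raw.decode('utf-8')))
    return rdns

def join_dn(rdns):
    """Rebuild a DN string, escaping every value."""
    return ','.join('%s=%s' % (t, escape_rdn_value(v)) for t, v in rdns)

def parent_dn(dn):
    """DN of the parent entry: drop the leftmost (little-endian) component."""
    return join_dn(split_dn(dn)[1:])

def child_dn(parent, attr_type, value):
    """Compose the DN of an entry beneath parent from a value that may
    contain special characters; escaping keeps it a single component."""
    return '%s=%s,%s' % (attr_type, escape_rdn_value(value), parent)

# The DN of the DN Escape Characters entry, exactly as the footnote prints it.
ESCAPED_DN = 'cn=\\" # \\+ \\, \\; \\< = \\> \\\\ DN Escape Characters,dc=example,dc=com'

if __name__ == '__main__':
    print(split_dn(ESCAPED_DN))
    print(parent_dn('uid=bjensen,ou=People,dc=example,dc=com'))
    print(child_dn('ou=People,dc=example,dc=com', 'uid', 'jdoe,ou=Admins'))
```
 ]]>
 <para>The last call shows why escaping matters when a DN is built from a
 value supplied from outside the directory: the comma inside the value is
 escaped, so the result still has four components and names an entry under
 <literal>ou=People</literal>, rather than gaining an extra
 <literal>ou=Admins</literal> component.</para>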

 <mediaobject xml:id="figure-data-organization">
 <alt>Directory data hierarchy as seen in OpenDJ Control Panel.</alt>
 <imageobject>
 <imagedata fileref="images/data-organization.png" format="PNG" />
 </imageobject>
 <textobject>
 <para>You can see the hierarchy of directory data in the left pane of
 the Manage Entries browser.</para>
 </textobject>
 </mediaobject>

 <para>Barbara Jensen's entry is located under an entry with DN
 <literal>ou=People,dc=example,dc=com</literal>, an organizational unit and
 the parent entry for the people at Example.com. The
 <literal>ou=People</literal> entry is located under the entry with DN
 <literal>dc=example,dc=com</literal>, the base entry for Example.com.
 DC stands for domain component. The directory has other base entries, such
 as <literal>cn=config</literal>, under which the configuration is accessible
 through LDAP. A directory can serve multiple organizations, too. You might
 find <literal>dc=example,dc=com</literal>,
 <literal>dc=mycompany,dc=com</literal>, and
 <literal>o=myOrganization</literal> in the same LDAP directory.
 Therefore, when you look up entries, you specify the base DN to look under,
 in the same way you need to know whether to look in the New York, Paris,
 or Tokyo phone book to find a telephone number.<footnote>
 <para>The root entry for the directory, technically the entry with DN
 <literal>""</literal> (the empty string), is called the root DSE, and
 contains information about what the server supports, including the other
 base DNs it serves.</para></footnote></para>

 <para>
 A directory server stores two kinds of attributes in a directory entry:
 <firstterm>user attributes</firstterm>
 and <firstterm>operational attributes</firstterm>.
 User attributes hold the information for users of the directory.
 All of the attributes shown in the entry at the outset of this section
 are user attributes.
 Operational attributes hold information used by the directory itself.
 Examples of operational attributes include
 <literal>entryUUID</literal>, <literal>modifyTimestamp</literal>,
 and <literal>subschemaSubentry</literal>.
 When an LDAP search operation finds an entry in the directory,
 the directory server returns all the visible user attributes
 unless the search request restricts the list of attributes
 by specifying those attributes explicitly.
 The directory server does not, however, return any operational attributes
 unless the search request specifically asks for them.
 Generally speaking, applications should change only user attributes,
 and leave updates of operational attributes to the server,
 relying on public directory server interfaces to change server behavior.
 An exception is access control instruction (<literal>aci</literal>) attributes,
 which are operational attributes used to control access to directory data.
 </para>
 </section>

 <section xml:id="ldap-client-server-communication">
 <title>About LDAP Client &amp; Server Communication</title>

 <para>In some client-server communication, such as web browsing, a connection
 is set up and then torn down for each client request to the server. LDAP has a
 different model. In LDAP the client application connects to the server and
 authenticates, then requests any number of operations, perhaps processing
 results in between requests, and finally disconnects when done.</para>

 <itemizedlist xml:id="standard-ldap-operations">
 <para>The standard operations are as follows.</para>
 <listitem>
 <para>Bind (authenticate). The first operation in an LDAP session usually
 involves the client binding to the LDAP server, with the server
 authenticating the client.<footnote><para>If the client does not bind
 explicitly, the server treats the client as an anonymous client. The client
 can also bind again on the same connection.</para></footnote> Authentication
 establishes the client's identity in LDAP terms, the identity which the
 server later uses to authorize (or deny) access to directory data that the
 client wants to look up or change.</para>
 </listitem>
 <listitem>
 <para>Search (lookup). After binding, the client can request that the server
 return entries based on an LDAP filter, which is an expression that the
 server uses to find entries that match the request, and a base DN under
 which to search. For example, to look up all entries for people with email
 address <literal>bjensen@example.com</literal> in data for Example.com,
 you would specify a base DN such as
 <literal>ou=People,dc=example,dc=com</literal> and the filter
 <literal>(mail=bjensen@example.com)</literal>.</para>
 </listitem>
 <listitem>
 <para>Compare. After binding, the client can request that the server
 compare an attribute value the client specifies with the value stored
 on an entry in the directory.</para>
 <para>This operation is not used as commonly as others.</para>
 </listitem>
 <listitem>
 <para>Modify. After binding, the client can request that the server
 change one or more attribute values on an entry. Often administrators
 do not allow clients to change directory data, so grant appropriate access
 to client applications that have the right to update data.</para>
 </listitem>
 <listitem>
 <para>Add. After binding, the client can request to add one or more
 new LDAP entries to the server.</para>
 </listitem>
 <listitem>
 <para>Delete. After binding, the client can request that the server
 delete one or more entries. To delete an entry with other entries
 underneath, first delete the children, then the parent.</para>
 </listitem>
 <listitem>
 <para>Modify DN. After binding, the client can request that the server
 change the distinguished name of the entry. In other words, this renames
 the entry or moves it to another location. For example, if Barbara
 changes her unique identifier from <literal>bjensen</literal> to something
 else, her DN would have to change. For another example, if you decide
 to consolidate <literal>ou=Customers</literal> and
 <literal>ou=Employees</literal> under <literal>ou=People</literal>
 instead, all the entries underneath must change distinguished names.
 <footnote><para>Renaming entire branches of entries can be a major
 operation for the directory, so avoid moving entire branches if you
 can.</para></footnote></para>
 </listitem>
 <listitem>
 <para>Unbind. When done making requests, the client can request an
 unbind operation to end the LDAP session.</para>
 </listitem>
 <listitem>
 <para>Abandon. When a request seems to be taking too long to complete,
 or when a search request returns many more matches than desired, the client
 can send an abandon request to the server to drop the operation in
 progress.</para>
 </listitem>
 </itemizedlist>
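
 <para>The following is an added example, not code from the OpenDJ
 documentation or project. It is an in-memory model of the search
 operation described above and of the attribute rules from the previous
 section: the client supplies a base DN, a filter and a list of attributes;
 the base DN decides which organization's data is searched when one
 directory serves several; user attributes are returned by default while
 operational attributes come back only when named explicitly or requested
 with <literal>+</literal> (RFC 3673); and a filter value taken from user
 input is escaped per RFC 4515 so that it is matched literally. The entries,
 UUIDs and timestamps are constructed, only equality filters are
 implemented, and <literal>in_subtree</literal> compares lower-cased strings
 where a real server would normalize each RDN.</para>
 <![CDATA[
```python
# Added example, not from the OpenDJ documentation: an in-memory LDAP search
# showing base DN scoping, attribute selection (user vs. operational) and
# RFC 4515 escaping of a caller-supplied filter value. Entries are constructed.
import re

DIRECTORY = [
    {"dn": "uid=bjensen,ou=People,dc=example,dc=com",
     "user": {"uid": ["bjensen"], "cn": ["Babs Jensen", "Barbara Jensen"],
              "sn": ["Jensen"], "mail": ["bjensen@example.com"]},
     "operational": {"entryUUID": ["00000000-0000-0000-0000-000000000001"],
                     "modifyTimestamp": ["20150101120000Z"]}},
    {"dn": "uid=kvaughan,ou=People,dc=example,dc=com",
     "user": {"uid": ["kvaughan"], "cn": ["Kirsten Vaughan"],
              "sn": ["Vaughan"], "mail": ["kvaughan@example.com"]},
     "operational": {"entryUUID": ["00000000-0000-0000-0000-000000000002"],
                     "modifyTimestamp": ["20150102120000Z"]}},
    # The same uid in a second organization served by the same directory.
    {"dn": "uid=bjensen,ou=People,dc=mycompany,dc=com",
     "user": {"uid": ["bjensen"], "cn": ["Bob Jensen"], "sn": ["Jensen"],
              "mail": ["bjensen@mycompany.com"]},
     "operational": {"entryUUID": ["00000000-0000-0000-0000-000000000003"],
                     "modifyTimestamp": ["20150103120000Z"]}},
]

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in assertion values so that a
    value taken from user input is matched literally, never read as a
    wildcard or as extra filter syntax."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)

def parse_equality_filter(filt):
    """Parse one equality filter '(attr=value)'. Wildcards, AND/OR and other
    filter types are out of scope here; \\XX escapes (ASCII) are decoded."""
    m = re.fullmatch(r'\(([A-Za-z][A-Za-z0-9.;-]*)=([^()*]*)\)', filt)
    if not m:
        raise ValueError('unsupported filter: %r' % filt)
    value = re.sub(r'\\([0-9A-Fa-f]{2})', lambda h: chr(int(h.group(1), 16)), m.group(2))
    return m.group(1).lower(), value

def in_subtree(dn, base_dn):
    """True when dn names base_dn itself or an entry beneath it. Simplified:
    a real server compares normalized RDNs rather than lower-cased strings."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith(',' + base_dn)

def search(directory, base_dn, filt, attributes=()):
    """Return [(dn, attrs)] for entries under base_dn that match filt.
    attributes: names to return; () or '*' means all user attributes,
    '+' means all operational attributes (RFC 3673)."""
    attr_type, assertion = parse_equality_filter(filt)
    wanted = {a.lower() for a in attributes}
    results = []
    for entry in directory:
        if not in_subtree(entry['dn'], base_dn):
            continue
        stored = {k.lower(): v for k, v in entry['user'].items()}
        stored.update({k.lower(): v for k, v in entry['operational'].items()})
        # caseIgnoreMatch-style comparison; a real server uses the attribute's rule.
        if not any(v.lower() == assertion.lower() for v in stored.get(attr_type, [])):
            continue
        returned = {}
        for name, values in entry['user'].items():
            if not wanted or '*' in wanted or name.lower() in wanted:
                returned[name] = values
        for name, values in entry['operational'].items():
            if '+' in wanted or name.lower() in wanted:
                returned[name] = values
        results.append((entry['dn'], returned))
    return results

if __name__ == '__main__':
    print(search(DIRECTORY, 'ou=People,dc=example,dc=com', '(mail=bjensen@example.com)'))
    print(search(DIRECTORY, 'dc=mycompany,dc=com', '(uid=bjensen)', ['cn', 'entryUUID']))
    typed = '*'   # a caller-supplied value that must not act as a wildcard
    print(search(DIRECTORY, 'dc=example,dc=com', '(uid=%s)' % escape_filter_value(typed)))
```
 ]]>
 <para>The last call builds the filter from the typed value through
 <literal>escape_filter_value</literal>, so the server receives
 <literal>(uid=\2a)</literal>, an equality test for the literal character,
 which matches no entry; passing the raw value instead would produce a
 presence filter and return every entry in scope.</para>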
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>For practical examples showing how to perform the key operations using
8e09dca18a95fc3277e0b349306e75a5831a63d6mark the command line tools delivered with OpenDJ directory server, read
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <link xlink:show="new" xlink:href="admin-guide#chap-ldap-operations"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Performing LDAP
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Operations</citetitle></link>.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </section>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <section xml:id="standard-ldap-controls-extensions">
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <title>About LDAP Controls &amp; Extensions</title>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>LDAP has standardized two mechanisms for extending what directory
8e09dca18a95fc3277e0b349306e75a5831a63d6mark servers can do beyond the basic operations listed above. One mechanism
8e09dca18a95fc3277e0b349306e75a5831a63d6mark involves using LDAP controls. The other mechanism involves using LDAP extended
8e09dca18a95fc3277e0b349306e75a5831a63d6mark operations.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <primary>LDAP controls</primary>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <secondary>About</secondary>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>LDAP controls are information added to an LDAP message to further
8e09dca18a95fc3277e0b349306e75a5831a63d6mark specify how an LDAP operation should be processed. For example, the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Server Side Sort Request Control modifies a search to request that the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark directory server return entries to the client in sorted order. The Subtree
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Delete Request Control modifies a delete to request that the server
8e09dca18a95fc3277e0b349306e75a5831a63d6mark also remove child entries of the entry targeted for deletion.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>One special search that OpenDJ supports is Persistent Search, which
8e09dca18a95fc3277e0b349306e75a5831a63d6mark a client requests by attaching the Persistent Search request control to an
8e09dca18a95fc3277e0b349306e75a5831a63d6mark ordinary search. The client application sets up a Persistent Search to
8e09dca18a95fc3277e0b349306e75a5831a63d6mark continue receiving new results whenever changes are made to data that is in
8e09dca18a95fc3277e0b349306e75a5831a63d6mark the scope of the search, thus using the search as a form of change
8e09dca18a95fc3277e0b349306e75a5831a63d6mark notification. Persistent Searches are intended to remain connected
8e09dca18a95fc3277e0b349306e75a5831a63d6mark permanently, though they can be idle for long periods of time.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>The directory server can also send response controls in some cases to
8e09dca18a95fc3277e0b349306e75a5831a63d6mark indicate that the response contains special information. Examples include
8e09dca18a95fc3277e0b349306e75a5831a63d6mark responses for entry change notification, password policy, and paged results.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>For the list of supported LDAP controls, see
57d6342a74476c0bf2200992e778229d62ab1fa6mark <link xlink:show="new" xlink:href="reference#appendix-controls"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>LDAP
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Controls</citetitle></link>.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <primary>LDAP extended operations</primary>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <secondary>About</secondary>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>LDAP extended operations are additional LDAP operations not included
8e09dca18a95fc3277e0b349306e75a5831a63d6mark in the original standard list. For example, the Cancel Extended Operation
8e09dca18a95fc3277e0b349306e75a5831a63d6mark works like an abandon operation, but finishes with a response from the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark server after the cancel is complete. The StartTLS Extended Operation allows
8e09dca18a95fc3277e0b349306e75a5831a63d6mark a client to connect to a server on a port that is not protected by TLS, and
8e09dca18a95fc3277e0b349306e75a5831a63d6mark then start Transport Layer Security negotiation to protect communications.
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Because the connection starts in cleartext, a client that requires
8e09dca18a95fc3277e0b349306e75a5831a63d6mark confidentiality must treat a failed StartTLS as fatal rather than going on
8e09dca18a95fc3277e0b349306e75a5831a63d6mark to bind over the unprotected connection.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>For the list of supported LDAP extended operations, see
57d6342a74476c0bf2200992e778229d62ab1fa6mark <link xlink:show="new" xlink:href="reference#appendix-extended-ops"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>LDAP Extended
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Operations</citetitle></link>.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </section>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <section xml:id="about-indexes">
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <title>About Indexes</title>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>As mentioned earlier in this chapter, directories have indexes for
8e09dca18a95fc3277e0b349306e75a5831a63d6mark multiple attributes. In fact by default OpenDJ does not let normal users
8e09dca18a95fc3277e0b349306e75a5831a63d6mark perform searches that are not indexed, because such searches mean OpenDJ
8e09dca18a95fc3277e0b349306e75a5831a63d6mark has to scan the entire directory looking for matches. Only users holding
8e09dca18a95fc3277e0b349306e75a5831a63d6mark the <literal>unindexed-search</literal> privilege can run them, which also
8e09dca18a95fc3277e0b349306e75a5831a63d6mark keeps an unprivileged client from tying up the server with a stream of
8e09dca18a95fc3277e0b349306e75a5831a63d6mark full-directory scans.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>As directory administrator, part of your responsibility is making sure
8e09dca18a95fc3277e0b349306e75a5831a63d6mark directory data is properly indexed. OpenDJ provides tools for building
8e09dca18a95fc3277e0b349306e75a5831a63d6mark and rebuilding indexes, for verifying indexes, and also for evaluating
8e09dca18a95fc3277e0b349306e75a5831a63d6mark how well they are working.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>For help better understanding and managing indexes, read the chapter
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <link xlink:show="new" xlink:href="admin-guide#chap-indexing"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Indexing
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Attribute Values</citetitle></link>.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </section>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
d60dc73b987421edb7e8d04883b7cbe357c9f1a8mark <section xml:id="schema-overview">
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <title>About LDAP Schema</title>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <primary>Schema</primary>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>Some databases are designed to hold huge amounts of data for a
8e09dca18a95fc3277e0b349306e75a5831a63d6mark particular application. Although such databases might support multiple
8e09dca18a95fc3277e0b349306e75a5831a63d6mark applications, how their data is organized depends a lot on the particular
8e09dca18a95fc3277e0b349306e75a5831a63d6mark applications served.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>In contrast, directories are designed for shared, centralized services.
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Although the first guides to deploying directory services suggested taking
8e09dca18a95fc3277e0b349306e75a5831a63d6mark inventory of all the applications that would access the directory, many
8e09dca18a95fc3277e0b349306e75a5831a63d6mark directory administrators today do not even know how many applications use
8e09dca18a95fc3277e0b349306e75a5831a63d6mark their services. The shared, centralized nature of directory services fosters
8e09dca18a95fc3277e0b349306e75a5831a63d6mark interoperability in practice, and has helped directory services be successful
8e09dca18a95fc3277e0b349306e75a5831a63d6mark in the long term.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>Part of what makes this possible is the shared model of directory user
8e09dca18a95fc3277e0b349306e75a5831a63d6mark information, and in particular the LDAP schema. LDAP schema defines what the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark directory can contain. This means that directory entries are not arbitrary
8e09dca18a95fc3277e0b349306e75a5831a63d6mark data, but instead tightly codified objects whose attributes are completely
8e09dca18a95fc3277e0b349306e75a5831a63d6mark predictable from publicly readable definitions. Many schema definitions are
8e09dca18a95fc3277e0b349306e75a5831a63d6mark in fact standard, and so are the same not just across a directory service but
8e09dca18a95fc3277e0b349306e75a5831a63d6mark across different directory services.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>At the same time, unlike some databases, LDAP schema and the data it
8e09dca18a95fc3277e0b349306e75a5831a63d6mark defines can be extended on the fly while the service is running. LDAP schema
8e09dca18a95fc3277e0b349306e75a5831a63d6mark is also accessible over LDAP, and every entry declares which definitions
8e09dca18a95fc3277e0b349306e75a5831a63d6mark apply to it through its set of <literal>objectClass</literal> values. This
8e09dca18a95fc3277e0b349306e75a5831a63d6mark gives you as administrator great flexibility in adapting your directory
8e09dca18a95fc3277e0b349306e75a5831a63d6mark service to store new data without losing or changing the structure of
8e09dca18a95fc3277e0b349306e75a5831a63d6mark existing data, and also without ever stopping your directory service.</para>
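To show what "tightly codified objects whose attributes are completely predictable from publicly readable definitions" means in practice, here is an added example that is not code from this guide or from OpenDJ: it parses object class definitions in the RFC 4512 syntax that a server publishes under cn=schema, then checks an entry's attributes against the MUST and MAY lists of its objectClass values (following SUP chains). The definitions are an abbreviated excerpt of the standard classes with shortened MAY lists, constructed for the example, and the entries are constructed too.

```python
"""Validate entries against LDAP object class definitions (RFC 4512 syntax).

Example code added to this chapter, not OpenDJ's own schema checker. The
definitions below are an abbreviated, constructed excerpt of the standard
object classes (the MAY lists are shortened); a real server publishes the
full text of each definition under cn=schema.
"""
import re
from typing import Dict, List, Set

SCHEMA_TEXT = """
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l $ postalAddress ) )
( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( uid $ mail $ givenName $ displayName $ manager $ employeeNumber ) )
( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' SUP top AUXILIARY )
"""

_HEADER = re.compile(r"^\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'(?P<rest>.*)\)$")

def _names(keyword: str, rest: str) -> Set[str]:
    """Lower-cased names after MUST, MAY or SUP: one bare name or a ( a $ b ) list."""
    m = re.search(rf"\b{keyword}\s+(?:\(\s*(?P<many>[^)]*)\)|(?P<one>\S+))", rest)
    if not m:
        return set()
    raw = m.group("many") if m.group("many") is not None else m.group("one")
    return {n.strip().lower() for n in raw.split("$") if n.strip()}

def parse_object_classes(text: str) -> Dict[str, dict]:
    """Parse one definition per line into {lower-cased name: {oid, kind, sup, must, may}}."""
    classes: Dict[str, dict] = {}
    for line in text.strip().splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse object class definition: {line!r}")
        rest = m.group("rest")
        kind = "ABSTRACT" if " ABSTRACT" in rest else "AUXILIARY" if " AUXILIARY" in rest else "STRUCTURAL"
        classes[m.group("name").lower()] = {
            "oid": m.group("oid"), "kind": kind,
            "sup": _names("SUP", rest), "must": _names("MUST", rest), "may": _names("MAY", rest),
        }
    return classes

def validate_entry(classes: Dict[str, dict], entry: Dict[str, List[str]]) -> List[str]:
    """Return schema violations for an entry (attribute -> values); an empty list means valid."""
    problems: List[str] = []
    requested = {v.lower() for v in entry.get("objectClass", [])}
    unknown = requested - classes.keys()
    problems += [f"unknown object class {oc}" for oc in sorted(unknown)]
    # Expand superclass chains: inetOrgPerson brings in organizationalPerson, person and top.
    closure: Set[str] = set()
    stack = list(requested - unknown)
    while stack:
        oc = stack.pop()
        if oc not in closure:
            closure.add(oc)
            stack.extend(classes[oc]["sup"])
    if not any(classes[oc]["kind"] == "STRUCTURAL" for oc in closure):
        problems.append("entry has no structural object class")
    must = set().union(*(classes[oc]["must"] for oc in closure))
    may = set().union(*(classes[oc]["may"] for oc in closure))
    present = {a.lower() for a in entry}
    problems += [f"missing required attribute {a}" for a in sorted(must - present)]
    if "extensibleobject" not in closure:          # the one class that permits any attribute
        problems += [f"attribute {a} not allowed by the entry's object classes"
                     for a in sorted(present - must - may)]
    return problems

if __name__ == "__main__":
    schema = parse_object_classes(SCHEMA_TEXT)
    entry = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
             "cn": ["Babs Jensen"], "sn": ["Jensen"], "uid": ["bjensen"], "mail": ["bjensen@example.com"]}
    print(validate_entry(schema, entry))                          # []
    print(validate_entry(schema, dict(entry, favoriteColor=["blue"])))
```

The last check is the one that matters for data hygiene: an attribute that no object class of the entry allows is rejected, and only adding extensibleObject lifts that restriction, which is why the footnote later in this chapter treats extensibleObject as the exception rather than the rule.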
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>For a closer look, see <link xlink:show="new"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:href="admin-guide#chap-schema"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Managing
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Schema</citetitle></link>.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </section>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <section xml:id="about-access-control">
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <title>About Access Control</title>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <primary>Access control</primary>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>In addition to directory schema, another feature of directory services
8e09dca18a95fc3277e0b349306e75a5831a63d6mark that enables sharing is fine-grained access control.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>As directory administrator, you can control who has access to what
8e09dca18a95fc3277e0b349306e75a5831a63d6mark data when, how, where and under what conditions by using access control
8e09dca18a95fc3277e0b349306e75a5831a63d6mark instructions (ACI). You can allow some directory operations and not others.
8e09dca18a95fc3277e0b349306e75a5831a63d6mark You can scope access control from the whole directory service down to
8e09dca18a95fc3277e0b349306e75a5831a63d6mark individual attributes on directory entries. You can specify when, from what
8e09dca18a95fc3277e0b349306e75a5831a63d6mark host or IP address, and what strength of encryption is needed in order to
8e09dca18a95fc3277e0b349306e75a5831a63d6mark perform a particular operation.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>As ACIs are stored on entries in the directory, you can furthermore
8e09dca18a95fc3277e0b349306e75a5831a63d6mark update access controls while the service is running, and even delegate that
8e09dca18a95fc3277e0b349306e75a5831a63d6mark control to client applications. Access is denied unless an ACI explicitly
8e09dca18a95fc3277e0b349306e75a5831a63d6mark allows it, and a matching deny always takes precedence over an allow, so a
8e09dca18a95fc3277e0b349306e75a5831a63d6mark broad allow does not reopen data that a narrower ACI locks down. OpenDJ
8e09dca18a95fc3277e0b349306e75a5831a63d6mark combines the strengths of ACIs with separate administrative privileges to
8e09dca18a95fc3277e0b349306e75a5831a63d6mark help you secure access to directory data.</para>
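To make the scoping and the default-deny, deny-overrides-allow evaluation concrete, here is an added example that is not code from this guide or from OpenDJ's access control handler. It parses ACIs in the syntax OpenDJ uses (target, targetattr, a version 3.0 body with allow/deny rules and bind rules) and evaluates requests against them. It is a deliberately simplified model: bind rules may only be joined with "and", and only the userdn, groupdn, ip and ssf keywords are handled. The ACIs, DNs and client contexts are constructed for the example.

```python
"""Evaluator for OpenDJ-style access control instructions (ACIs).

Example code added to this chapter, not OpenDJ's access control handler. It
is a simplified model of the ACI syntax and of the default-deny,
deny-overrides-allow rule: bind rules may only be joined with "and", and
only the userdn, groupdn, ip and ssf keywords are handled. The ACIs, DNs and
client contexts below are constructed for the example.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple

RIGHTS_ALL = {"read", "search", "compare", "write", "add", "delete", "selfwrite"}  # "all": everything but proxy

_TARGET = re.compile(r'\(\s*(?P<kw>targetattr|target)\s*(?P<op>!=|=)\s*"(?P<val>[^"]*)"\s*\)')
_BODY = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;(?P<rules>.*)\)\s*$', re.S)
_RULE = re.compile(r'(?P<kind>allow|deny)\s*\(\s*(?P<rights>[^)]*)\)\s*(?P<bind>[^;]*);')
_BIND = re.compile(r'(?P<kw>userdn|groupdn|ip|ssf)\s*(?P<op>>=|<=|!=|=)\s*"(?P<val>[^"]*)"')

@dataclass
class Client:
    dn: Optional[str]           # None for an anonymous bind
    groups: Set[str]            # DNs of groups the bound user belongs to
    ip: str
    ssf: int                    # security strength factor of the connection; 0 = cleartext

@dataclass
class Aci:
    name: str
    base: str                   # DN of the entry the ACI is stored on
    target: Optional[str]       # explicit target DN, else the base entry and its subtree
    attrs: Optional[Set[str]]   # None means targetattr="*"
    attrs_negated: bool         # targetattr!="..."
    rules: List[Tuple[str, Set[str], str]]   # (allow|deny, rights, bind rule text)

def _dn_of(url: str) -> str:
    return url[len("ldap:///"):] if url.startswith("ldap:///") else url

def _under(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def parse_aci(base: str, text: str) -> Aci:
    target, attrs, negated = None, None, False
    for m in _TARGET.finditer(text):
        if m.group("kw") == "target":
            target = _dn_of(m.group("val"))
        else:
            negated = m.group("op") == "!="
            attrs = None if m.group("val") == "*" else {a.strip().lower() for a in m.group("val").split("||")}
    body = _BODY.search(text)
    if body is None:
        raise ValueError(f"malformed ACI: {text!r}")
    rules = []
    for r in _RULE.finditer(body.group("rules")):
        rights = {x.strip().lower() for x in r.group("rights").split(",")}
        rules.append((r.group("kind"), RIGHTS_ALL if "all" in rights else rights, r.group("bind").strip()))
    return Aci(body.group("name"), base, target, attrs, negated, rules)

def _bind_rule_holds(bind: str, client: Client, entry_dn: str) -> bool:
    """Every keyword in the bind rule must hold (rules joined with 'and')."""
    if " or " in bind:
        raise NotImplementedError("this model only joins bind rules with 'and'")
    for m in _BIND.finditer(bind):
        kw, op, val = m.group("kw"), m.group("op"), m.group("val")
        if kw == "userdn":
            who, me = _dn_of(val).lower(), (client.dn or "").lower()
            ok = who == "anyone" or (me != "" and (who == "all" or (who == "self" and me == entry_dn.lower()) or who == me))
        elif kw == "groupdn":
            ok = _dn_of(val).lower() in {g.lower() for g in client.groups}
        elif kw == "ip":
            ok = fnmatch(client.ip, val)
        else:  # ssf: required encryption strength of the connection
            n = int(val)
            ok = {">=": client.ssf >= n, "<=": client.ssf <= n, "=": client.ssf == n, "!=": client.ssf != n}[op]
        if not ok:
            return False
    return True

def is_allowed(acis: List[Aci], client: Client, entry_dn: str, attr: str, right: str) -> bool:
    """Denied unless some ACI allows the right; any matching deny wins outright."""
    allowed = False
    for aci in acis:
        if not _under(entry_dn, aci.target or aci.base):
            continue
        if aci.attrs is not None and (attr.lower() in aci.attrs) == aci.attrs_negated:
            continue                       # targetattr does not cover this attribute
        for kind, rights, bind in aci.rules:
            if right in rights and _bind_rule_holds(bind, client, entry_dn):
                if kind == "deny":
                    return False
                allowed = True
    return allowed

SAMPLE_ACIS = [parse_aci("dc=example,dc=com", text) for text in (
    '(targetattr="*")(version 3.0; acl "Anonymous read"; allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr="userPassword")(version 3.0; acl "Nobody reads passwords"; deny (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr="userPassword||mail")(version 3.0; acl "Self write over TLS"; allow (write) userdn="ldap:///self" and ssf >= "128";)',
    '(target="ldap:///ou=People,dc=example,dc=com")(targetattr="*")(version 3.0; acl "Admins from the admin network"; '
    'allow (all) groupdn="ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com" and ip="10.0.0.*";)',
)]
```

With these four ACIs an anonymous client can read cn but not userPassword, a user can change her own mail only over a connection with ssf of at least 128, and the administrators group can write anything under ou=People from the 10.0.0.0/24 network but still cannot read userPassword, because the deny on that attribute applies to everyone and wins over the group's allow (all).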
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>For more, read <link xlink:show="new"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:href="admin-guide#chap-privileges-acis"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Privileges &amp; Access Control</citetitle></link>.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </section>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <section xml:id="about-replication">
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <title>About Replication</title>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>Replication in OpenDJ consists of copying each update to the directory
8e09dca18a95fc3277e0b349306e75a5831a63d6mark service to multiple directory servers. This brings both redundancy in the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark case of network partitions or of crashes, and also scalability for read
8e09dca18a95fc3277e0b349306e75a5831a63d6mark operations. Most directory deployments involve multiple servers replicating
8e09dca18a95fc3277e0b349306e75a5831a63d6mark together.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>When you have replicated servers, all of which are writable, you can
8e09dca18a95fc3277e0b349306e75a5831a63d6mark have replication conflicts. What if, for example, there is a network outage
8e09dca18a95fc3277e0b349306e75a5831a63d6mark between two replicas, and meanwhile two different values are written to the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark same attribute on the same entry on the two replicas? In nearly all cases,
8e09dca18a95fc3277e0b349306e75a5831a63d6mark OpenDJ replication can resolve these situations automatically without
8e09dca18a95fc3277e0b349306e75a5831a63d6mark involving you, the directory administrator. This makes your directory service
8e09dca18a95fc3277e0b349306e75a5831a63d6mark resilient and safe even in the unpredictable real world.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>One perhaps counterintuitive aspect of replication is that although you
8e09dca18a95fc3277e0b349306e75a5831a63d6mark do add directory <emphasis>read</emphasis> capacity by adding replicas to
8e09dca18a95fc3277e0b349306e75a5831a63d6mark your deployment, you do not add directory <emphasis>write</emphasis> capacity
8e09dca18a95fc3277e0b349306e75a5831a63d6mark by adding replicas. As each write operation must be replayed everywhere, the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark result is that if you have N servers, you have N write operations to
8e09dca18a95fc3277e0b349306e75a5831a63d6mark replay.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>Another aspect of replication to keep in mind is that it is "loosely
8e09dca18a95fc3277e0b349306e75a5831a63d6mark consistent." Loosely consistent means that directory data will eventually
8e09dca18a95fc3277e0b349306e75a5831a63d6mark converge to be the same everywhere, but it will not necessarily be the same
8e09dca18a95fc3277e0b349306e75a5831a63d6mark everywhere right away. Client applications sometimes get this wrong when they
8e09dca18a95fc3277e0b349306e75a5831a63d6mark write to a pool of load-balanced directory servers, immediately read back
8e09dca18a95fc3277e0b349306e75a5831a63d6mark what they wrote, and are surprised that it is not the same. The same delay
8e09dca18a95fc3277e0b349306e75a5831a63d6mark applies to security-relevant changes such as password resets or account
8e09dca18a95fc3277e0b349306e75a5831a63d6mark disablement, which take effect on each replica only once the change has
8e09dca18a95fc3277e0b349306e75a5831a63d6mark been replayed there. If your users are complaining about this, either make
8e09dca18a95fc3277e0b349306e75a5831a63d6mark sure their application always gets sent to the same server, or else ask
8e09dca18a95fc3277e0b349306e75a5831a63d6mark that they adapt their application to tolerate replication delay.</para>
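The two behaviours described above, conflicting writes converging after a partition and a read-after-write surprise on a load-balanced pool, as an added example that is not code from this guide or from OpenDJ's replication implementation. It is a simplified model: every change carries a change sequence number (CSN) built from a timestamp and the originating server ID, which gives all replicas the same total order, and a replica keeps, per attribute, the value set by the highest CSN it has replayed, so the result does not depend on the order in which changes arrive. The servers, timestamps and values are constructed for the demonstration.

```python
"""Model of loosely consistent multi-master replication.

Example code added to this chapter; a simplified model, not OpenDJ's
replication implementation. Each change carries a change sequence number
(CSN) made of a timestamp and the originating server ID, so every replica
sees the same total order of changes, and a replica keeps, per attribute,
the value set by the highest CSN it has replayed. The servers, timestamps
and values are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CSN = Tuple[int, int]        # (timestamp in ms, server id): orderable and unique per change

@dataclass
class Change:
    csn: CSN
    dn: str
    attr: str
    value: str

@dataclass
class Replica:
    server_id: int
    clock_ms: int = 0
    # entry DN -> attribute -> (csn of the change that set it, value)
    data: Dict[str, Dict[str, Tuple[CSN, str]]] = field(default_factory=dict)
    pending: List[Change] = field(default_factory=list)    # local changes not yet sent to peers

    def modify(self, dn: str, attr: str, value: str, at_ms: int) -> Change:
        """A client write on this replica: stamp it, apply it locally, queue it for replay."""
        self.clock_ms = max(self.clock_ms + 1, at_ms)       # CSNs issued here never go backwards
        change = Change((self.clock_ms, self.server_id), dn, attr, value)
        self.apply(change)
        self.pending.append(change)
        return change

    def apply(self, change: Change) -> bool:
        """Replay a change. A value is replaced only by a change with a higher CSN,
        so the outcome is the same whatever order the changes arrive in."""
        attrs = self.data.setdefault(change.dn, {})
        current = attrs.get(change.attr)
        if current is not None and current[0] >= change.csn:
            return False                                    # older or duplicate change loses
        attrs[change.attr] = (change.csn, change.value)
        return True

    def read(self, dn: str, attr: str) -> Optional[str]:
        entry = self.data.get(dn, {})
        return entry[attr][1] if attr in entry else None

def replicate(replicas: List[Replica]) -> None:
    """Deliver every queued change to every other replica (the partition heals)."""
    for src in replicas:
        for change in src.pending:
            for dst in replicas:
                if dst is not src:
                    dst.apply(change)
        src.pending.clear()

DN = "uid=bjensen,ou=People,dc=example,dc=com"

def partitioned_writes_converge() -> Tuple[Optional[str], Optional[str]]:
    """Two replicas accept conflicting writes while partitioned, then converge."""
    a, b = Replica(server_id=1), Replica(server_id=2)
    a.modify(DN, "mail", "bjensen@example.com", at_ms=1000)
    replicate([a, b])
    a.modify(DN, "mail", "babs@example.com", at_ms=2000)      # written on A during the outage
    b.modify(DN, "mail", "barbara@example.com", at_ms=2500)   # written on B during the outage
    diverged = a.read(DN, "mail") != b.read(DN, "mail")
    replicate([a, b])
    assert diverged                                            # they really did disagree
    return a.read(DN, "mail"), b.read(DN, "mail")

def read_after_write_on_pool(sticky: bool) -> Optional[str]:
    """Disable an account through a load-balanced pool, then read it back at once.
    With sticky routing the client sees its own write; round-robin to the other
    replica sees the old state until the change is replayed there."""
    a, b = Replica(server_id=1), Replica(server_id=2)
    a.modify(DN, "ds-pwp-account-disabled", "true", at_ms=3000)   # OpenDJ's account disable attribute
    next_server = a if sticky else b
    return next_server.read(DN, "ds-pwp-account-disabled")
```

The second function is the case to keep in mind operationally: until the change has been replayed on the other replica, a disabled account is still enabled there, so an application that must see its own write right away should be pinned to one server rather than spread over the pool.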
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>To get started with replication, see <link xlink:show="new"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:href="admin-guide#chap-replication"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Managing Data
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Replication</citetitle></link>.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </section>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <section xml:id="directory-services-markup-language">
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <title>About DSMLv2</title>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <primary>DSML</primary>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>Directory Services Markup Language (DSML) was developed starting in 1999
8e09dca18a95fc3277e0b349306e75a5831a63d6mark and v2.0 became a standard in 2001. DSMLv2 describes directory data and basic
8e09dca18a95fc3277e0b349306e75a5831a63d6mark directory operations in XML format, allowing them to be carried in SOAP
8e09dca18a95fc3277e0b349306e75a5831a63d6mark messages. DSMLv2 further allows clients to batch multiple operations together
8e09dca18a95fc3277e0b349306e75a5831a63d6mark in a single request, to be processed either in sequential order or in
8e09dca18a95fc3277e0b349306e75a5831a63d6mark parallel.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>OpenDJ provides support for DSMLv2 as a DSML gateway, which is a Servlet
8e09dca18a95fc3277e0b349306e75a5831a63d6mark that connects to any standard LDAPv3 directory. DSMLv2 opens basic directory
8e09dca18a95fc3277e0b349306e75a5831a63d6mark services to SOAP based web services and service oriented architectures.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>To set up DSMLv2 access, see <link xlink:show="new"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:href="admin-guide#setup-dsml"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>DSML Client
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Access</citetitle></link>.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </section>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <section xml:id="rest-and-ldap">
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <title>About RESTful Access to Directory Services</title>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <primary>REST</primary>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </indexterm>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>OpenDJ can expose directory data as JSON resources over HTTP to REST
8e09dca18a95fc3277e0b349306e75a5831a63d6mark clients, providing easy access to directory data for developers who are not
8e09dca18a95fc3277e0b349306e75a5831a63d6mark familiar with LDAP. RESTful access depends on configuration that describes
8e09dca18a95fc3277e0b349306e75a5831a63d6mark how the JSON representation maps to LDAP entries.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>Although client applications have no need to understand LDAP, OpenDJ's
8e09dca18a95fc3277e0b349306e75a5831a63d6mark underlying implementation still uses the LDAP model for its operations. The
8e09dca18a95fc3277e0b349306e75a5831a63d6mark mapping adds some overhead. Furthermore, depending on the configuration,
8e09dca18a95fc3277e0b349306e75a5831a63d6mark individual JSON resources can require multiple LDAP operations. For example,
8e09dca18a95fc3277e0b349306e75a5831a63d6mark an LDAP user entry represents <literal>manager</literal> as a DN (of the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark manager's entry). The same manager might be represented in JSON as an object
8e09dca18a95fc3277e0b349306e75a5831a63d6mark holding the manager's user ID and full name, in which case OpenDJ must look
8e09dca18a95fc3277e0b349306e75a5831a63d6mark up the manager's entry to resolve the mapping for the manager portion of the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark JSON resource, in addition to looking up the user's entry. As another example,
8e09dca18a95fc3277e0b349306e75a5831a63d6mark suppose a large group is represented in LDAP as a set of 100,000 DNs. If the
8e09dca18a95fc3277e0b349306e75a5831a63d6mark JSON resource is configured so that a member is represented by its name, then
8e09dca18a95fc3277e0b349306e75a5831a63d6mark listing that resource would involve 100,000 LDAP searches to translate DNs to
8e09dca18a95fc3277e0b349306e75a5831a63d6mark names.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>A primary distinction between LDAP entries and JSON resources is that
8e09dca18a95fc3277e0b349306e75a5831a63d6mark LDAP entries hold sets of attributes and their values, whereas JSON resources
8e09dca18a95fc3277e0b349306e75a5831a63d6mark are documents containing arbitrarily nested objects. As LDAP data is governed
8e09dca18a95fc3277e0b349306e75a5831a63d6mark by schema, almost no LDAP objects are arbitrary collections of data.
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <footnote><para>LDAP has the object class <literal>extensibleObject</literal>,
8e09dca18a95fc3277e0b349306e75a5831a63d6mark but its use should be the exception rather than the rule.</para></footnote>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Furthermore, JSON resources can hold arrays, ordered collections that can
8e09dca18a95fc3277e0b349306e75a5831a63d6mark contain duplicates, whereas LDAP attributes are sets, unordered collections
8e09dca18a95fc3277e0b349306e75a5831a63d6mark without duplicates. For most directory and identity data, these distinctions
8e09dca18a95fc3277e0b349306e75a5831a63d6mark do not matter. You are likely to run into them however if you try to turn
8e09dca18a95fc3277e0b349306e75a5831a63d6mark your directory into a document store for arbitrary JSON resources.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>Despite some extra cost in terms of system resources, exposing directory
8e09dca18a95fc3277e0b349306e75a5831a63d6mark data over HTTP can unlock your directory services for a new generation of
8e09dca18a95fc3277e0b349306e75a5831a63d6mark applications. The configuration provides flexible mapping, so that you can
8e09dca18a95fc3277e0b349306e75a5831a63d6mark configure views that correspond to how client applications need to see
8e09dca18a95fc3277e0b349306e75a5831a63d6mark directory data. OpenDJ also gives you a deployment choice for HTTP access.
8e09dca18a95fc3277e0b349306e75a5831a63d6mark You can deploy the REST LDAP gateway, which is a Servlet that connects to
8e09dca18a95fc3277e0b349306e75a5831a63d6mark any standard LDAPv3 directory, or you can activate the HTTP Connection Handler
8e09dca18a95fc3277e0b349306e75a5831a63d6mark on OpenDJ itself to allow direct and more efficient HTTP and HTTPS
8e09dca18a95fc3277e0b349306e75a5831a63d6mark access.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>For examples showing how to use RESTful access, see the chapter on
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <link xlink:show="new" xlink:href="admin-guide#chap-rest-operations"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Performing
8e09dca18a95fc3277e0b349306e75a5831a63d6mark RESTful Operations</citetitle></link>.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </section>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <section xml:id="about-building-directory-services">
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <title>About Building Directory Services</title>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>This chapter is meant to serve as an introduction, and so does not
8e09dca18a95fc3277e0b349306e75a5831a63d6mark even cover everything in this guide, let alone everything you might want
8e09dca18a95fc3277e0b349306e75a5831a63d6mark to know about directory services.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark
8e09dca18a95fc3277e0b349306e75a5831a63d6mark <para>When you have understood enough of the concepts to build the directory
8e09dca18a95fc3277e0b349306e75a5831a63d6mark services you want to deploy, you must still build a prototype and test it
8e09dca18a95fc3277e0b349306e75a5831a63d6mark before you roll out shared, centralized services for your organization.
8e09dca18a95fc3277e0b349306e75a5831a63d6mark Read the chapter on <link xlink:show="new"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:href="admin-guide#chap-tuning"
8e09dca18a95fc3277e0b349306e75a5831a63d6mark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Tuning Servers
8e09dca18a95fc3277e0b349306e75a5831a63d6mark For Performance</citetitle></link> for a look at how to meet the service
8e09dca18a95fc3277e0b349306e75a5831a63d6mark levels your clients expect.</para>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark </section>
8e09dca18a95fc3277e0b349306e75a5831a63d6mark</chapter>