LDAP System Administration


By Gerald Carter

Publisher : O'Reilly
Pub Date : March 2003
ISBN : 1-56592-491-6
Pages : 308

If you want to be a master of your domain, LDAP System Administration will help you get up and running quickly
regardless of which LDAP version you use. After reading this book, even with no previous LDAP experience, you'll
be able to integrate a directory server into essential network services such as mail, DNS, HTTP, and SMB/CIFS.

Copyright
Preface
How This Book Is Organized
Conventions Used in This Book
Comments and Questions
Acknowledgments

Part I: LDAP Basics

Chapter 1. "Now where did I put that...?", or "What is a directory?"
Section 1.1. The Lightweight Directory Access Protocol
Section 1.2. What Is LDAP?
Section 1.3. LDAP Models

Chapter 2. LDAPv3 Overview
Section 2.1. LDIF
Section 2.2. What Is an Attribute?
Section 2.3. What Is the dc Attribute?
Section 2.4. Schema References
Section 2.5. Authentication
Section 2.6. Distributed Directories
Section 2.7. Continuing Standardization

Chapter 3. OpenLDAP
Section 3.1. Obtaining the OpenLDAP Distribution
Section 3.2. Software Requirements
Section 3.3. Compiling OpenLDAP 2
Section 3.4. OpenLDAP Clients and Servers
Section 3.5. The slapd.conf Configuration File
Section 3.6. Access Control Lists (ACLs)

Chapter 4. OpenLDAP: Building a Company White Pages
Section 4.1. A Starting Point
Section 4.2. Defining the Schema
Section 4.3. Updating slapd.conf
Section 4.4. Starting slapd
Section 4.5. Adding the Initial Directory Entries
Section 4.6. Graphical Editors

Chapter 5. Replication, Referrals, Searching, and SASL Explained
Section 5.1. More Than One Copy Is "a Good Thing"
Section 5.2. Distributing the Directory
Section 5.3. Advanced Searching Options
Section 5.4. Determining a Server's Capabilities
Section 5.5. Creating Custom Schema Files for slapd
Section 5.6. SASL and OpenLDAP

Part II: Application Integration

Chapter 6. Replacing NIS
Section 6.1. More About NIS
Section 6.2. Schemas for Information Services
Section 6.3. Information Migration
Section 6.4. The pam_ldap Module
Section 6.5. The nss_ldap Module
Section 6.6. OpenSSH, PAM, and NSS
Section 6.7. Authorization Through PAM
Section 6.8. Netgroups
Section 6.9. Security
Section 6.10. Automount Maps
Section 6.11. PADL's NIS/LDAP Gateway

Chapter 7. Email and LDAP
Section 7.1. Representing Users
Section 7.2. Email Clients and LDAP
Section 7.3. Mail Transfer Agents (MTAs)

Chapter 8. Standard Unix Services and LDAP
Section 8.1. The Directory Namespace
Section 8.2. An FTP/HTTP Combination
Section 8.3. User Authentication with Samba
Section 8.4. FreeRadius
Section 8.5. Resolving Hosts
Section 8.6. Central Printer Management

Chapter 9. LDAP Interoperability
Section 9.1. Interoperability or Integration?
Section 9.2. Directory Gateways
Section 9.3. Cross-Platform Authentication Services
Section 9.4. Distributed, Multivendor Directories
Section 9.5. Metadirectories
Section 9.6. Push/Pull Agents for Directory Synchronization

Chapter 10. Net::LDAP and Perl
Section 10.1. The Net::LDAP Module
Section 10.2. Connecting, Binding, and Searching
Section 10.3. Working with Net::LDAP::LDIF
Section 10.4. Updating the Directory
Section 10.5. Advanced Net::LDAP Scripting

Part III: Appendixes

Appendix A. PAM and NSS
Section A.1. Pluggable Authentication Modules
Section A.2. Name Service Switch (NSS)

Appendix B. OpenLDAP Command-Line Tools
Section B.1. Debugging Options
Section B.2. Slap Tools
Section B.3. LDAP Tools

Appendix C. Common Attributes and Objects
Section C.1. Schema Files
Section C.2. Attributes
Section C.3. Object Classes

Appendix D. LDAP RFCs, Internet-Drafts, and Mailing Lists
Section D.1. Requests for Comments
Section D.2. Mailing Lists

Appendix E. slapd.conf ACLs
Section E.1. What?
Section E.2. Who?
Section E.3. How Much?
Section E.4. Examples

Colophon
Index

Copyright

Copyright © 2003 O'Reilly & Associates, Inc.

Printed in the United States of America.

Published by O'Reilly & Associates, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly & Associates books may be purchased for educational, business, or sales promotional use. Online editions
are also available for most titles (http://safari.oreilly.com). For more information, contact our
corporate/institutional sales department: (800) 998-9938 or [email protected].

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly &
Associates, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in this book, and O'Reilly & Associates, Inc. was aware of
a trademark claim, the designations have been printed in caps or initial caps. The association between the image of
a mink and the topic of LDAP system administration is a trademark of O'Reilly & Associates, Inc.

While every precaution has been taken in the preparation of this book, the publisher and author assume no
responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Preface

In 1999 I began experimenting with the Lightweight Directory Access Protocol (LDAP) and immediately became
frustrated by lack of documentation. I set out to write the book that I needed, and I believe that I accomplished
that goal. After teaching instructional courses on LDAP for the past few years, I have come to the belief that many
people share the same frustration I felt at the beginning of my LDAP career. Managers and administrators alike can
sometimes be dazzled (or disgusted) by the plethora of acronyms in the IT industry. The goal of this book is to cut
through the glossy vendor brochures and give you the knowledge and tools necessary to deploy a working
directory on your network complete with integrated client applications.

Directory services have been a part of networks in one way or another for a long time. LDAP directories have been
growing roots in networks for as long as people have been proclaiming the current year to be the "year of LDAP."

With increasing support from vendors in the form of clients and servers, LDAP has already become a staple for
many networks. Because of this gradual but steady growth, people waiting for the LDAP big bang may be
disappointed. You may wake up one morning and find that one of your colleagues has already deployed an
LDAP-based directory service. If so, this book will help you understand how you can use the services that LDAP
provides. If you are at the beginning of a project, this book will help you focus on the important points that are
necessary to succeed.

How This Book Is Organized

This book is divided into two sections of five chapters each and a section of appendixes. You will most likely get the
most out of this book if you implement the example directories as they are covered. With only a few exceptions, all
client and server applications presented here are freely available or in common use.

Part I: LDAP Basics

Part I focuses on getting acquainted with LDAP and with the OpenLDAP server. In this part, I answer questions
such as: "What is lightweight about LDAP?," "What security mechanisms does LDAP support for preventing
unauthorized access to data?," and "How can I build a fault-tolerant directory service?" In addition, the first part of
the book helps you gain practical experience with your own directory using the community-developed and freely
available OpenLDAP server.

Chapter 1 is a high-level overview of directory services and LDAP in particular.

Chapter 2 digs into the details of the Lightweight Directory Access Protocol.

Chapter 3 uses the free server distribution from OpenLDAP.org as an example to present practical experience with
an LDAP directory.

Chapter 4 provides some hands-on experience adding, modifying, and deleting information from a working
directory service.

Chapter 5 wraps up the loose ends of some of the more advanced LDAPv3 and OpenLDAP features.

Part II: Application Integration

Part II is all about implementation. Rather than present an LDAP cookbook, I bring different applications together
in such a way that information common to one or more clients can be shared via the directory. You will see how to
use LDAP as a practical data store for items such as user and group accounts, host information, general contact
information, and application configurations. I also discuss integration with other directory services such as
Microsoft's Active Directory, and how to develop your own Perl scripts to manage your directory service.

Chapter 6 explains how an LDAP directory can be used to replace Sun's Network Information Service (NIS) as the
means to distribute user and group accounts, host information, automount maps, and other system files.

Chapter 7 presents information related to both mail clients (Eudora, Mozilla, Outlook, and Pine) and servers
(Sendmail, Postfix, and Exim).

Chapter 8 explains how to use an LDAP directory to share information among essential network services such as
FTP, HTTP, LPD, RADIUS, DNS, and Samba.

Chapter 9 examines what to do when your LDAP directory must coexist with other directory technologies.

Chapter 10 provides the information necessary to roll your own LDAP management tools using Perl and the
Net::LDAP module.

Part III: Appendixes

The appendixes provide a quick reference for LDAP standards, common schema items used in this book, and the
command-line syntax for OpenLDAP client tools.


Conventions Used in This Book

The following conventions are used in this book:

Italic

Used for file, directory, user, and group names. It is also used for URLs and to emphasize new terms and
concepts when they are introduced.
Constant Width

Used for code examples, system output, parameters, directives, and attributes.
Constant Width Italic

Used in examples for variable input or output (e.g., a filename).
Constant Width Bold

Used in code examples for user input and for emphasis.

This icon designates a note, which is an important aside to the nearby text.

This icon designates a warning relating to the nearby text.

Comments and Questions

We at O'Reilly have tested and verified the information in this book to the best of our abilities, but you may find
that features have changed (or even that we have made mistakes!). Please let us know about any errors you find,
as well as your suggestions for future editions, by writing to:

O'Reilly & Associates, Inc.


1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (U.S. and Canada)
(707) 827-7000 (international/local)
(707) 829-0104 (fax)
You can also contact O'Reilly by email. To be put on the mailing list or request a catalog, send a message to:

[email protected]

We have a web page for this book, which lists errata, examples, and any additional information. You can access
this page at:

http://www.oreilly.com/catalog/ldapsa/

To comment or ask technical questions about this book, send email to:

[email protected]

For more information about O'Reilly books, conferences, Resource Centers, and the O'Reilly Network, see the
O'Reilly web site at:

http://www.oreilly.com/

Acknowledgments

At the end of every project, I am acutely aware that I could never have reached the end without the grace
provided to me by God through my Savior, Jesus Christ. I hope He is proud of how I have spent my time. I am
also very conscious of the patience bestowed upon me by my wife, Kristi, who is always there to listen when I need
to talk and laugh when I need a smile. Thank you.

There is a long list of people who have helped make this book possible. I do not claim that this is a complete list.
Mike Loukides has shown almost as much patience as my wife waiting on this book to be completed. I am in great
debt to the technical reviewers who each provided comments on some version of this manuscript: Robbie Allen,
David Blank-Edelman, Æleen Frisch, Robert Haskins, Luke Howard, Scott McDaniel, and Kurt Zeilenga. Thanks to
Æleen for convincing me to do this (even if I complained more than once). I must also mention the various coffee
shops, particularly the Books-A-Million in Auburn, AL, that have allowed me to consume far more than my fair
share of caffeine and electricity.

Finally, a huge amount of recognition must be given to the developers who made various pieces of software
available under open source and free software licenses. It is such an enjoyable experience to be able to send and
receive feedback on problems, bugs, and solutions. Any other way would just be too painful.

Part I: LDAP Basics


Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5



Chapter 1. "Now where did I put that...?", or "What is a directory?"

I have a fairly good memory for numbers, phone numbers in particular. This fact amazes my wife. For those
numbers I cannot recall to the exact digit, I have a dozen or so slots in my cell phone. However, as the company I
worked for grew, so did the list of people with whom I needed to stay in contact. And I didn't just need phone
numbers; I needed email and postal addresses as well. My cell phone's limited capabilities were no longer
adequate for maintaining the necessary information.

So I eventually broke down and purchased a PDA. I was then able to store contact information for thousands of
people. Still, two or three times a day I found myself searching the company's contact database for someone's
number or address. And I still had to go to other databases (phone books, corporate client lists, and so on) when I
needed to look up someone who worked for a different company.

Computer systems have exactly the same problem as humans—both require the capability to locate certain types
of information easily, efficiently, and quickly. During the early days of the ARPAnet, a listing of the small
community of hosts could be maintained by a central authority—SRI's Network Information Center (NIC). As
TCP/IP became more widespread and more hosts were added to the ARPAnet, maintaining a centralized list of
hosts became a pipe dream. New hosts were added to the network before everyone had even received the last,
now outdated, copy of the famous HOSTS.TXT file. The only solution was to distribute the management of the host
namespace. Thus began the Domain Name System (DNS), one of the most successful directory services ever
implemented on the Internet.[1]

[1] For more information on the Domain Name System and its roots, see DNS and BIND, by Paul Albitz and
Cricket Liu (O'Reilly).

DNS is a good starting point for our overview of directory services. The global DNS shares many characteristics
with a directory service. While directory services can take on many different forms, the following five
characteristics hold true (at a minimum):

A directory service is highly optimized for reads. While this is not a restriction on the DNS model, for
performance reasons many DNS servers cache the entire zone information in memory. Adding, modifying, or
deleting an entry forces the server to reparse the zone files. Obviously, this is much more expensive than a
simple DNS query.

A directory service implements a distributed model for storing information. DNS is managed by
thousands of local administrators and is connected by root name servers managed by the InterNIC.

A directory service can extend the types of information it stores. Recent RFCs, such as RFC 2782,
have extended the types of DNS records to include such things as server resource records (RRs).

A directory service has advanced search capabilities. DNS supports searches by any implemented
record type (e.g., NS, MX, A, etc.).

A directory service has loosely consistent replication among directory servers. All popular DNS
software packages support secondary DNS servers via periodic "zone transfers" that contain the latest copy
of the DNS zone information.


1.1 The Lightweight Directory Access Protocol

Of course, you didn't buy this book to read about the Domain Name System. And it's not likely that you were
looking for a general discussion of directory services. This book is about a particular kind of directory
service—namely, a service for directories that implement the Lightweight Directory Access Protocol (LDAP). LDAP
has become somewhat of a buzzword in contemporary IT shops. If you are like me, sometimes you just have to
ask, "Why all the fuss?" The fuss is not so much about LDAP itself, but about the potential of LDAP to consolidate
existing services into a single directory that can be accessed by LDAP clients from various vendors. These clients
can be web browsers, email clients, mail servers, or any one of a myriad of other applications.

By consolidating information into a single directory, you are not simply pouring the contents of your multitude of
smaller pots into a larger pot. By organizing your information well and thinking carefully about the common
information needed by client applications, you can reduce data redundancy in your directories and therefore reduce
the administrative overhead needed to maintain that data. Think about all the directory services that run on your
network and consider how much information is duplicated. Perhaps hosts on your network use a DHCP server. This
server has a certain amount of information about IP addresses, Ethernet addresses, hostnames, network topology,
and so forth in its configuration files. Which other applications use the same or similar information and could share
it if it were stored in a directory server? DNS comes immediately to mind, as does NIS. If you have networked
printers as well, think about the amount of information that's replicated on each client of the printing system (for
example, /etc/printcap files).

Now consider the applications that use your user account information. The first ones that probably come to mind
are authentication services: users need to type usernames and passwords to log in. Your mail server probably uses
the same username information for mail routing, as well as for services such as mailing lists. There may also be
online phone books that keep track of names, addresses, and phone numbers, as well as personnel systems that
keep track of job classifications and pay scales.

Imagine the administrative savings that would result if all the redundant data on your network could be
consolidated in a single location. What would it take to delete a user account? We all know what that takes now:
you delete the user from /etc/passwd, remove him by hand from any mailing lists, remove him from the company
phone list, and so on. If you're clever, you've probably written a script or two to automate the process, but you're
still manipulating the same information that's stored in several different places. What if there was a single directory
that was the repository for all this information, and deleting a user was simply a matter of removing some records
from this directory? Life would become much simpler. Likewise, what would it take to track host-related
information? What would it be worth to you if you could minimize the possibility that machines and users use
out-of-date information?

This sounds like a network administrator's utopia. However, I believe that as more and more client applications use
LDAP directories, making an investment in setting up an LDAP server will have a huge payoff long-term.
Realistically, we're not headed for a utopia. We're going to be responsible for more servers and more services,
running on more platforms. The dividends of our LDAP investment come when we significantly reduce the number
of directory technologies that we have to understand and administer. That is our goal.


1.2 What Is LDAP?

The best place to begin when explaining LDAP is to examine how it got its name. Let's start at the beginning. The
latest incarnation of LDAP (Version 3) is defined in a set of nine documents outlined in RFC 3377. This list includes:

RFC 2251-2256

The original core set of LDAPv3 RFCs


RFC 2829

"Authentication Methods for LDAP"


RFC 2830

"Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security"


RFC 3377

"Lightweight Directory Access Protocol (v3): Technical Specification"

1.2.1 Lightweight

Why is LDAP considered lightweight? Lightweight compared to what? (As we look at LDAP in more detail, you'll
certainly be asking how something this complex could ever be considered lightweight.) To answer these questions,
it is necessary to look at LDAP's origins. The roots of LDAP are closely tied to the X.500 directory service; LDAP
was originally designed as a lighter desktop protocol used to gateway requests to X.500 servers. X.500 is actually
a set of standards; anything approaching thorough coverage of X.500 is beyond the scope of this book.[2]

[2] Understanding X.500—The Directory, by David W. Chadwick, provides a good explanation of X.500
directories. While the book itself is out of print, an HTML version of it can be accessed from
http://www.salford.ac.uk/its024/X500.htm.

X.500 earned the title "heavyweight." It required the client and server to communicate using the Open Systems
Interface (OSI) protocol stack. This seven-layered stack was a good academic exercise in designing a network
protocol suite, but when compared to the TCP/IP protocol suite, it is akin to traveling the European train system
with four fully loaded footlockers.[3]

[3]For a quick, general comparison of the OSI model and the TCP/IP protocol stack, see Computer Networks,
by Andrew S. Tanenbaum (Prentice Hall).

LDAP is lightweight in comparison because it uses low overhead messages that are mapped directly onto the TCP
layer (port 389 is the default) of the TCP/IP protocol stack.[4] Because X.500 was an application layer protocol (in
terms of the OSI model), it carried far more baggage, as network headers were wrapped around the packet at
each layer before it was finally transmitted on the network (see Figure 1-1).

[4]A connectionless version of LDAP that provided access via UDP was defined by an Internet-Draft produced
by the LDAP Extension Working Group of the IETF. However, the current draft expired in November, 2001.
You can access the group's web site at http://www.ietf.org/html.charters/ldapext-charter.html.

Figure 1-1. X.500 over OSI versus LDAP over TCP/IP



LDAP is also considered lightweight because it omits many X.500 operations that are rarely used. LDAPv3 has only
nine core operations and provides a simpler model for programmers and administrators. Providing a smaller and
simpler set of operations allows developers to focus on the semantics of their programs without having to
understand rarely used features of the protocol. In this way, LDAP designers hoped to increase adoption by
providing easier application development.

1.2.2 Directory

Network directory services are nothing new; we're all familiar with the rise of DNS. However, a directory service is
often confused with a database. It is easy to understand why. Directory services and databases share a number of
important characteristics, such as fast searches and an extendable schema. They differ in that a directory is
designed to be read much more than it is written; in contrast, a database assumes that read and write operations
occur with roughly the same frequency. The assumption that a directory is read often but written rarely means
that certain features that are essential to a database, such as support for transactions and write locks, are not
essential for a directory service such as LDAP.

At this point, it's important to make the distinction between LDAP and the backend used to store the persistent
data. Remember that LDAP is just a protocol; we'll discuss what that means shortly, but essentially, it's a set of
messages for accessing certain kinds of data. The protocol doesn't say anything about where the data is stored. A
software vendor implementing an LDAP server is free to use whatever backend it desires, ranging from flat text
files on one extreme to highly scalable, indexed relational databases on the other. So when I say that LDAP doesn't
have support for transactions and other features of databases, I mean that the protocol doesn't have the messages
that you would need to take advantage of these features (remember, it's lightweight) and doesn't require that the
backend data store provide these features.

The point is that the client will never (and should never) see or even know about the backend storage mechanism
(see Figure 1-2). For this reason, LDAP-compliant clients written by vendor A should interoperate with an LDAP-
compliant server written by vendor Z. Standards can be a wonderful thing when followed.

Figure 1-2. Relationship between an LDAP client, LDAP server, and data storage facility

It has been suggested that an LDAP server could be used as backend storage for a web server. All HTML and
graphic files would be stored within the directory and could be queried by multiple web servers. After all, a web
server typically only reads files and sends them to clients; the files themselves change infrequently. While it's
certainly possible to implement a web server that uses LDAP to access its backend storage, a special type of
directory already exists that is better suited to meet the needs of serving files, namely a filesystem. So, for
example, while an LDAP directory might not be a good location for storing spooled files in transit to a printer, using
it to store printer configuration settings (e.g., /etc/printcap) shared among clients would be a big win.

This brings up two good points about the intended function of LDAP:

1. LDAP is not a generalized replacement for specialized directories such as filesystems or DNS.

2. While storing certain types of binary information (e.g., JPEG photos) in directories can be useful, LDAP is not
intended for storing arbitrary "blobs" (Binary Lumps of Bits).

What about storing individual application settings for roaming users on an LDAP server? It is a judgment call
whether this is better served by a filesystem or a directory. For example, it is possible to store basic application
settings for Netscape Communicator in LDAP. Such things as an address book, a bookmarks file, and personal
preference settings are certainly appropriate for storage in a directory. However, using your directory as a location
for browser cache files would violate rule #2.

1.2.3 Access Protocol

All of this talk of directory services makes it easy to forget that LDAP is a protocol. It is not uncommon to hear
someone refer to an LDAP server or LDAP tree. I have done so and will continue to do so. LDAP does provide a
treelike view of data, and it is this treelike view to which people refer when speaking of an LDAP server.

This introduction won't go into the specifics of the actual protocol. It is enough to think of LDAP as the message-
based, client/server protocol defined in RFC 2251. LDAP is asynchronous (although many development kits provide
both blocking and nonblocking APIs), meaning that a client may issue multiple requests and that responses to
those requests may arrive in an order different from that in which they were issued. Notice in Figure 1-3 that the
client sends Requests 1 and 2 prior to receiving a response, and the response to Request 3 is returned before the
response to Request 2.

Figure 1-3. LDAP requests and responses


More aspects of programming with LDAP operations will be covered in Chapter 10.


1.3 LDAP Models

LDAP models represent the services provided by a server, as seen by a client. They are abstract models that
describe the various facets of an LDAP directory. RFC 2251 divides an LDAP directory into two components: the
protocol model and the data model. However, in Understanding and Deploying LDAP Directory Services , by
Timothy A. Howes, Mark C. Smith, and Gordon S. Good (MacMillan), four models are defined:

Information model

The information model provides the structures and data types necessary for building an LDAP directory tree.
An entry is the basic unit in an LDAP directory. You can visualize an entry as either an interior or exterior
node in the Directory Information Tree (DIT). An entry contains information about an instance of one or
more objectClasses. These objectClasses have certain required or optional attributes. Attribute types
have defined encoding and matching rules that govern such things as the type of data the attribute can hold
and how to compare this data during a search. This information model will be covered extensively in the
next chapter when we examine LDAP schema.

Naming model

The naming model defines how entries and data in the DIT are uniquely referenced. Each entry has an
attribute that is unique among all siblings of a single parent. This unique attribute is called the relative
distinguished name (RDN). You can uniquely identify any entry within a directory by following the RDNs of
all the entries in the path from the desired node to the root of the tree. This string created by combining
RDNs to form a unique name is called the node's distinguished name (DN).

In Figure 1-4, the directory entry outlined in the dashed square has an RDN of cn=gerald carter. Note that the
attribute name as well as the value are included in the RDN. The DN for this node would be cn=gerald
carter,ou=people,dc=plainjoe,dc=org.

Functional model

The functional model is the LDAP protocol itself. This protocol provides the means for accessing the data in
the directory tree. Access is implemented by authentication operations (bindings), query operations
(searches and reads), and update operations (writes).

Security model

The security model provides a mechanism for clients to prove their identity (authentication) and for the
server to control an authenticated client's access to data (authorization). LDAPv3 provides several
authentication methods not available in previous protocol versions. Some features, such as access control
lists, have not been standardized yet, leaving vendors to their own devices.

Figure 1-4. Example LDAP directory tree

At this high level, LDAP is relatively simple. It is a protocol for building highly distributed directories. In the next
chapter, we will examine certain LDAP concepts such as schemas, referrals, and replication in much more depth.

Chapter 2. LDAPv3 Overview

Chapter 1 should have helped you understand the characteristics of a directory in general, and an LDAP directory in
particular. If you still feel a little uncomfortable about LDAP, relax. This chapter is designed to flesh out some of
the details that we glossed over. Your immediate goal should be to understand the basic building blocks of any
LDAPv3 directory server. In the next chapter, we will start building an LDAP directory.


2.1 LDIF

Most system administrators prefer to use plain-text files for server configuration information, as opposed to some
binary store of bits. It is more comfortable to deal with data in vi, Emacs, or notepad than to dig through raw bits
and bytes. Therefore, it seems fitting to begin an exploration of LDAP internals with a discussion of representing
directory data in text form.

The LDAP Interchange Format (LDIF), defined in RFC 2849, is a standard text file format for storing LDAP
configuration information and directory contents. In its most basic form, an LDIF file is:

A collection of entries separated from each other by blank lines

A mapping of attribute names to values

A collection of directives that instruct the parser how to process the information

The first two characteristics provide exactly what is needed to describe the contents of an LDAP directory. We'll
return to the third characteristic when we discuss modifying the information in the directory in Chapter 4.

LDIF files are often used to import new data into your directory or make changes to existing data. The data in the
LDIF file must obey the schema rules of your LDAP directory. You can think of the schema as a data definition for
your directory. Every item that is added or changed in the directory is checked against the schema for correctness.
A schema violation occurs if the data does not correspond to the existing rules.

Figure 2-1 shows a simple directory information tree. Each entry in the directory is represented by an entry in the
LDIF file. Let's begin with the topmost entry in the tree labeled with the distinguished name (DN)
dc=plainjoe,dc=org:

# LDIF listing for the entry dn: dc=plainjoe,dc=org
dn: dc=plainjoe,dc=org
objectClass: domain
dc: plainjoe

Figure 2-1. An LDAP directory tree

We can make a few observations about LDIF syntax on the basis of this short listing:

Comments in an LDIF file begin with a pound character (#) at position one and continue to the end of the
current line.

Attributes are listed on the lefthand side of the colon (:), and values are presented on the righthand side. The
colon character is separated from the value by a space.

The dn attribute uniquely identifies the DN of the entry.


2.1.1 Distinguished Names and Relative Distinguished Names

It is important to realize that the full DN of an entry does not actually need to be stored as an attribute within that
entry, even though this seems to be implied by the previous LDIF extract; it can be generated on the fly as
needed. This is analogous to how a filesystem is organized. A file or directory does not store the absolute path to
itself from the root of the filesystem. Think how hard it would be to move files if this were true.

If the DN is like the absolute path between the root of a filesystem and a file, a relative distinguished name (RDN)
is like a filename. We've already seen that a DN is formed by stringing together the RDNs of every entity from the
element in question to the root of the directory tree. In this sense, an RDN works similarly to a filename. However,
unlike a filename, an RDN can be made up of multiple attributes. This is similar to a compound index in a relational
database system in which two or more fields are used in combination to generate a unique index key.

While a multivalued RDN is not shown in our example, it is not hard to imagine. Suppose that there are two
employees named Jane Smith in your company: one in the Sales Department and one in the Engineering
Department. Now suppose the entries for these employees have a common parent. Neither the common name
(cn) nor the organizational unit (ou) attribute is unique in its own right. However, both can be used in combination
to generate a unique RDN. This would look like:

# Example of two entries with a multivalued RDN
dn: cn=Jane Smith+ou=Sales,dc=plainjoe,dc=org
cn: Jane Smith
ou: Sales
<...remainder of entry deleted...>

dn: cn=Jane Smith+ou=Engineering,dc=plainjoe,dc=org
cn: Jane Smith
ou: Engineering
<...remainder of entry deleted...>

For both of these entries, the first component of the DN is an RDN composed of two values: cn=Jane
Smith+ou=Sales and cn=Jane Smith+ou=Engineering.

In the multivalued RDN, the plus character (+) separates the two attribute values used to form the RDN. What if
one of the attributes used in the RDN contained the + character? To prevent the + character from being
interpreted as a special character, we need to escape it using a backslash (\). The other special characters that
require a backslash-escape if used within an attribute value are:

A space or pound (#) character occurring at the beginning of the string

A space occurring at the end of the string

A comma (,), a plus character (+), a double quote ("), a backslash (\), angle brackets (< or >), or a
semicolon (;)

Although multivalued RDNs have their place, using them excessively can become confusing, and can often be
avoided by a better namespace design. In the previous example, it is obvious that the multivalued RDN could be
avoided by creating different organizationalUnits ( ou) in the directory for both Sales and Engineering, as
illustrated in Figure 2-2. Using this strategy, the DN for the first entry would be cn=Jane
Smith,ou=Sales,dc=plainjoe,dc=org. This design does not entirely eliminate the need for multivalued RDNs;
we could still have two people named Jane Smith in the Engineering organization. But that will occur much less
frequently than having two Jane Smiths in the company. Look for ways to organize namespaces to avoid
multivalued RDNs as much as is possible and logical.

Figure 2-2. A namespace that represents Jane Smith with a unique, multivalued RDN

One final note about DNs. RFC 2253 defines a method of unambiguously representing a DN using a UTF-8 string
representation. This normalization process boils down to:

Removing all nonescaped whitespace surrounding the equal sign (=) in each RDN

Making sure the appropriate characters are escaped

Removing all nonescaped spaces surrounding the multi-value RDN join character (+)

Removing all nonescaped trailing spaces on RDNs

Therefore, the normalized version of:

cn=gerald carter + ou=sales, dc=plainjoe ,dc=org

would be:

cn=gerald carter+ou=sales,dc=plainjoe,dc=org
ISBN : 1-56592-491-6
Without getting ahead of ourselves, I should mention that the string representation of a distinguished name is
normally case-preserving, and the logic used to determine if two DNs are equal is usually a case-insensitive match.
Therefore:

cn=Gerald Carter,ou=People,dc=plainjoe,dc=org

would be equivalent to:

cn=gerald carter,ou=people,dc=plainjoe,dc=org

However, this case-preserving, case-insensitive behavior is based upon the syntax and matching rules (see Section
2.2 later in this chapter) of the attribute type used in each relative component of the complete DN. So while DNs
are often case-insensitive, do not assume that they will always be so.

Subsequent examples use the normalized versions of all DNs to prevent confusion, although I may tend to be lax
on capitalization.
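The normalization steps and the case-insensitive comparison just described, as an added example in Python (this is not the book's code). It implements the four RFC 2253 rules listed above on top of a small escape-aware parser of my own; the assumed case_exact_types parameter lets the caller name attribute types whose matching rule is case-exact, since, as the text warns, not every DN component compares case-insensitively.

```python
# Added example, not the book's code: RFC 2253-style DN normalization
# following the four rules the text lists, plus DN equality that folds
# case only for attribute types whose matching rule is case-insensitive.

SPECIAL = set(',+"\\<>;')   # characters that must be backslash-escaped


def _tokens(text):
    """Turn an escaped DN string into (char, was_escaped) pairs."""
    toks, i = [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            toks.append((text[i + 1], True))
            i += 2
        else:
            toks.append((text[i], False))
            i += 1
    return toks


def _split(toks, sep):
    """Split a token list on unescaped occurrences of sep."""
    parts, cur = [], []
    for tok in toks:
        if tok == (sep, False):
            parts.append(cur)
            cur = []
        else:
            cur.append(tok)
    parts.append(cur)
    return parts


def _strip(toks):
    """Drop unescaped spaces at either end; escaped spaces are significant."""
    while toks and toks[0] == (' ', False):
        toks = toks[1:]
    while toks and toks[-1] == (' ', False):
        toks = toks[:-1]
    return toks


def _raw(toks):
    return ''.join(ch for ch, _ in toks)


def _escape(value):
    """Escape the reserved characters, a leading '#' or space, and a trailing space."""
    out = []
    for i, ch in enumerate(value):
        needs = (ch in SPECIAL
                 or (i == 0 and ch in '# ')
                 or (i == len(value) - 1 and ch == ' '))
        out.append('\\' + ch if needs else ch)
    return ''.join(out)


def parse_dn(dn):
    """Parse a DN into a list of RDNs, each a list of (type, raw_value) pairs."""
    rdns = []
    for rdn_toks in _split(_tokens(dn), ','):
        avas = []
        for ava_toks in _split(rdn_toks, '+'):
            pieces = _split(ava_toks, '=')
            if len(pieces) < 2:
                raise ValueError('RDN component without "=": %r' % _raw(ava_toks))
            value_toks = pieces[1]
            for extra in pieces[2:]:          # an unescaped '=' may occur inside a value
                value_toks = value_toks + [('=', False)] + extra
            avas.append((_raw(_strip(pieces[0])), _raw(_strip(value_toks))))
        rdns.append(avas)
    return rdns


def normalize_dn(dn):
    """Return the normalized string form: no whitespace around '=', '+' or ',',
    no unescaped trailing spaces, reserved characters escaped, case preserved."""
    return ','.join('+'.join('%s=%s' % (t, _escape(v)) for t, v in rdn)
                    for rdn in parse_dn(dn))


def dn_equal(a, b, case_exact_types=()):
    """Compare two DNs structurally. Values are folded to lower case unless
    their attribute type is listed in case_exact_types (which types are
    case-exact depends on the matching rules in the server's schema)."""
    exact = {t.lower() for t in case_exact_types}

    def key(dn):
        # The order of values inside a multivalued RDN is not significant.
        return [sorted((t.lower(), v if t.lower() in exact else v.lower())
                       for t, v in rdn)
                for rdn in parse_dn(dn)]

    return key(a) == key(b)
```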

2.1.2 Back to Our Regularly Scheduled Program . . .

Going back to Figure 2-1, your next question is probably, "Where did the extra lines in the LDIF listing come from?
" After all, the top entry in Figure 2-1 is simply dc=plainjoe,dc=org. But the LDIF lines corresponding to this
entry also contain an objectClass: line and a dc: line. These extra lines provide additional information stored
inside each entry. The next few sections answer the following questions:

What is an attribute?

What does the value of the objectClass attribute mean?

What is the dc attribute?

If dc=plainjoe,dc=org is the top entry in the directory, where is the entry for dc=org?


2.2 What Is an Attribute?

The concepts of attribute types and attribute syntax were mentioned briefly in the previous chapter. Attribute
types and the associated syntax rules are similar to variable and data type declarations found in many
programming languages. The comparison is not that big of a stretch. Attributes are used to hold values. Variables
in programs perform a similar task—they store information.

When a variable is declared in a program, it is defined to be of a certain data type. This data type specifies what
type of information can be stored in the variable, along with certain other rules, such as how to compare the
variable's value to the data stored in another variable of the same type. For example, declaring a 16-bit integer
variable in a program and then assigning it a value of 1,000,000 would make no sense (the maximum value
represented by a signed 16-bit integer is 32,767). The data type of a 16-bit integer determines what data can be
stored. The data type also determines how values of like type can be compared. Is 3 < 5? Yes, of course it is. How
do you know? Because there exists a set of rules for comparing integers with other integers. The syntax of LDAP
attribute types performs a similar function as the data type in these examples.

Unlike variables, however, LDAP attributes can be multivalued. Most procedural programming languages today
enforce "store and replace" semantics of variable assignment, and so my analogy falls apart. That is, when you
assign a new value to a variable, its old value is replaced. As you'll see, this isn't true for LDAP; assigning a new
value to an attribute adds the value to the list of values the attribute already has. Here's the LDIF listing for the
ou=devices,dc=plainjoe,dc=org entry from Figure 2-1; it demonstrates the purpose of multivalued attributes:

# LDIF listing for dn: ou=devices,dc=plainjoe,dc=org
dn: ou=devices,dc=plainjoe,dc=org
objectclass: organizationalUnit
ou: devices
telephoneNumber: +1 256 555-5446
telephoneNumber: +1 256 555-5447
description: Container for all network enabled
 devices existing within the plainjoe.org domain

Note that the description attribute spans two lines. Line continuation in LDIF is
implemented by leaving exactly one space at the beginning of a line. LDIF does not require
a backslash (\) to continue one line to the next, as is common in many Unix configuration
files.

The LDIF file lists two values for the telephoneNumber attribute. In real life, it's common for an entity to be
reachable via two or more phone numbers. Be aware that some attributes can contain only a single value at any
given time. Whether an attribute is single- or multivalued depends on the attribute's definition in the server's
schema. Examples of single-valued attributes include an entry's country (c), displayable name (displayName), or
a user's Unix numeric ID (uidNumber).

2.2.1 Attribute Syntax

An attribute type's definition lays the groundwork for answers to questions such as, "What type of values can be
stored in this attribute?", "Can these two values be compared?", and, if so, "How should the comparison take
place?"

Continuing with our telephoneNumber example, suppose you search the directory for the person who owns the
phone number 555-5446. This may seem easy when you first think about it. However, RFC 2252 explains that a
telephone number can contain characters other than digits (0-9) and a hyphen (-). A telephone number can
include:

a-z

A-Z

0-9

Various punctuation characters such as commas, periods, parentheses, hyphens, colons, question marks, and
spaces

555.5446 or 555 5446 are also correct matches to 555-5446. What about the area code? Should we also use it in
a comparison of phone numbers?

Attribute type definitions include matching rules that tell an LDAP server how to make comparisons—which, as
we've seen, isn't as easy as it seems. In Figure 2-3, taken from RFC 2256, the telephoneNumber attribute has
two associated matching rules. The telephoneNumberMatch rule is used for equality comparisons. While RFC
2552 defines telephoneNumberMatch as a whitespace-insensitive comparison only, this rule is often implemented
to be case-insensitive as well. The telephoneNumberSubstringsMatch rule is used for partial telephone number
matches—for example, when the search criteria includes wildcards, such as "555*5446".
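As an added example (not the book's code), here is a small LDIF reader for the listings in this chapter together with a search that compares telephone numbers the way the two matching rules just described do: ignoring whitespace and punctuation for equality, and anchoring the initial and final pieces of a wildcard pattern for substrings. The embedded LDIF text is constructed from the entries in this chapter; parse_ldif, telephone_key, search_phone and the other names are my own.

```python
# Added example, not the book's code: a minimal LDIF reader for the entries
# shown in the text, and a search that compares telephone numbers the way
# telephoneNumberMatch / telephoneNumberSubstringsMatch do (whitespace and
# punctuation ignored; case folded, as many servers do). Base64 ('::') and
# URL ('<') values are not handled.
import re

# Constructed sample file: the two entries from the text. The first
# description line ends in a space so the folded line reads naturally.
SAMPLE_LDIF = '\n'.join([
    '# LDIF listing for the entry dn: dc=plainjoe,dc=org',
    'dn: dc=plainjoe,dc=org',
    'objectClass: domain',
    'dc: plainjoe',
    '',
    '# LDIF listing for dn: ou=devices,dc=plainjoe,dc=org',
    'dn: ou=devices,dc=plainjoe,dc=org',
    'objectclass: organizationalUnit',
    'ou: devices',
    'telephoneNumber: +1 256 555-5446',
    'telephoneNumber: +1 256 555-5447',
    'description: Container for all network enabled ',
    ' devices existing within the plainjoe.org domain',   # one leading space = continuation
]) + '\n'


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute name ->
    list of values (LDAP attribute names are case-insensitive)."""
    # Unfold first: a line beginning with exactly one space continues the
    # previous line, and that single space is dropped.
    logical = []
    for line in text.splitlines():
        if line.startswith(' ') and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)

    entries, current = [], None
    for line in logical:
        if line.startswith('#'):          # comment: '#' in position one
            continue
        if line.strip() == '':            # blank line ends the current entry
            if current:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(':')
        if not sep:
            raise ValueError('malformed LDIF line: %r' % line)
        if current is None:
            current = {}
        # A repeated attribute adds a value; it does not replace the old one.
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


_IGNORED = re.compile(r'[\s.()\-]')   # separators RFC 2252 allows in a number


def telephone_key(number):
    """Comparison key used by both matching rules below."""
    return _IGNORED.sub('', number).lower()


def telephone_substrings_match(stored, pattern):
    """Match a filter value such as '555*5446': the piece before the first '*'
    must start the number, the piece after the last '*' must end it, and any
    middle pieces must appear in order in between."""
    key = telephone_key(stored)
    parts = [telephone_key(p) for p in pattern.split('*')]
    if len(parts) == 1:
        return key == parts[0]
    initial, final = parts[0], parts[-1]
    if not (key.startswith(initial) and key.endswith(final)):
        return False
    pos, limit = len(initial), len(key) - len(final)
    for middle in parts[1:-1]:
        idx = key.find(middle, pos)
        if idx < 0 or idx + len(middle) > limit:
            return False
        pos = idx + len(middle)
    return pos <= limit


def search_phone(entries, filter_value):
    """Return the DNs whose telephoneNumber matches filter_value, using the
    substrings rule when it contains '*' and the equality rule otherwise."""
    hits = []
    for entry in entries:
        for stored in entry.get('telephonenumber', []):
            if '*' in filter_value:
                ok = telephone_substrings_match(stored, filter_value)
            else:
                ok = telephone_key(stored) == telephone_key(filter_value)
            if ok:
                hits.append(entry['dn'][0])
                break
    return hits
```

Note that the stored numbers carry the +1 256 prefix, so the text's 555*5446 pattern only matches when written *555*5446, and a plain 555-5446 does not match by equality at all; that is the area-code question the text raises.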

Figure 2-3. telephoneNumber attribute type definition

The SYNTAX keyword specifies the object identifier (OID) of the encoding rules used for storing and transmitting
values of the attribute type. The number enclosed by curly braces ({ }) specifies the minimum recommended
maximum length of the attribute's value that a server should support.

Object Identifiers (OIDs)

LDAPv3 uses OIDs such as those used in SNMP MIBs. SNMP OIDs are allocated by the Internet
Assigned Numbers Authority (IANA) under the mgmt(2) branch of the number space displayed in
Figure 2-4. Newly created LDAPv3 OIDs generally fall under the private(4), enterprise(1) branch of the
tree. However, it is also common to see numbers under the joint-ISO-ccitt(2) branch of the number
tree. OIDs beginning with 2.5.4 come from the user attribute specifications defined by X.500.

An OID is a string of dotted numbers that uniquely identifies items such as attributes, syntaxes, object
classes, and extended controls. The allocation of enterprise numbers by IANA is similar to the central
distribution of IP address blocks; once you have been assigned an enterprise number by the IANA, you
can create your own OIDs underneath that number. Unlike the IP address space, there is no limit to
the number of OIDs you can create because there's no limit to the length of an OID.

For example, assume that you were issued the enterprise number 55555. Therefore, all OIDs
belonging to your branch of the OID tree would begin with 1.3.6.1.4.1.55555. How this subtree is
divided is at your discretion. You may choose to allocate 1.3.6.1.4.1.55555.1 to department A and
1.3.5.1.4.1.55555.2 to department B. Each allocated branch of your OID is referred to as an arc. The
local administrators of these departments could then subdivide their arcs according to the needs of
their network.

OID assignments must be unique worldwide. If you ever need to make custom schema files for your
directory (a common practice), go to http://www.iana.org/cgi-bin/enterprise.pl and request a private
enterprise number. The form is short and normally takes one to two weeks to be processed. Once you
have your own enterprise number, you can create your own OIDs without worrying about conflicts
with OIDs that have already been assigned. RFC 3383 describes some best practices for registering
new LDAP values with IANA.

Figure 2-4. Private enterprise OID number space



2.2.2 What Does the Value of the objectClass Attribute Mean?


All entries in an LDAP directory must have an objectClass attribute, and this attribute must have at least one
value. Multiple values for the objectClass attribute are both possible and common given certain requirements, as
you shall soon see. Each objectClass value acts as a template for the data to be stored in an entry. It defines a
set of attributes that must be present in the entry and a set of optional attributes that may or may not be present.

Let's go back and reexamine the LDIF representation of the ou=devices,dc=plainjoe,dc=org entry:
By Gerald Carter
# LDIF listing for dn: ou=devices,dc=plainjoe,dc=org
dn: ou=devices,dc=plainjoe,dc=org
objectclass: organizationalUnit
ou: devices
telephoneNumber: +1 256 555-5446
telephoneNumber: +1 256 555-5447
description: Container for all network enabled
 devices existing within the plainjoe.org domain

In this case, the entry's objectClass is an organizationalUnit. (The schema definition for this is illustrated by
two different representations in Figure 2-5.) The listing on the right shows the actual definition of the
objectClass from RFC 2256; the box on the left summarizes the required and optional attributes.

Figure 2-5. organizationalUnit object class

Here's how to understand an objectClass definition:


[ Team LiB ]
An objectClass possesses an OID, just like attribute types, encoding syntaxes, and matching rules.

ThekeywordMUST denotes a set of attributes that must be present in any instance of this object. In this
case, "present" means "possesses at least one value."

To represent a zero-length attribute value in LDIF syntax, the attribute name must be
followed by a colon and zero or more spaces, and then a CR or CR/LF. For example,
the following LDIF line stores a zero-length description:

description:<ENTER>

The keyword MAY defines a set of attributes whose presence is optional in an instance of the object.

The keyword SUP specifies the parent object from which this object was derived. A derived object
possesses all the attribute type requirements of its parent. Attributes can be derived from other
attributes as well, inheriting the syntax of its parent as well as matching rules, although the latter
can be locally overridden by the new attribute. LDAP objects do not support multiple inheritance; they
have a single parent object, like Java objects.

It is possible for two object classes to have common attribute members. Because the attribute type
namespace is flat for an entire schema, the telephoneNumber attribute belonging to an
organizationalUnit is the same attribute type as the telephoneNumber belonging to some other object
class, such as a person (which is covered later in this chapter).

Object Class Types

Three types of object class definitions are used in LDAP directory servers:
Structural object classes

Represent a real-world object, such as a person or an organizationalUnit. Each entry
within an LDAP directory must have exactly one structural object class listed in the
objectClass attribute. According to the LDAP data model, once an entry's structural object
class has been instantiated, it cannot be changed without deleting and re-adding the entire
entry.
Auxiliary object classes

Add certain characteristics to a structural class. These classes cannot be used on their own, but
only to supplement an existing structural object. There is a special auxiliary object class
referred to in RFC 2252 named extensibleObject, which an LDAP server may support. This
object class implicitly includes all attributes defined in the server's schema as optional
members.
Abstract object classes

Act the same as their counterparts in object-oriented programming. These classes cannot be
used directly, but only as ancestors of derived classes. The most common abstract class relating
to LDAP (and X.500) that you will use is the top object class, which is the parent or ancestor of
all LDAP object classes.

Note that the type of an object cannot be changed by a derived class.
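
To make these rules concrete, here is an added example (not code from the book) that checks an entry against objectClass definitions the way a server's schema check does: MUST attributes need at least one value, MAY attributes are optional, SUP requirements are inherited, exactly one structural class is allowed, and an abstract class cannot stand alone. The three definitions are transcribed from RFC 2256 (the organizationalUnit MAY list is abbreviated); the function names and the test entries are my own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ObjectClass:
    oid: str
    name: str
    kind: str                       # ABSTRACT, STRUCTURAL or AUXILIARY
    sup: Optional[str]              # single parent: LDAP has no multiple inheritance
    must: frozenset = frozenset()   # attributes needing at least one value
    may: frozenset = frozenset()    # attributes that are optional


# Transcribed from RFC 2256; organizationalUnit's MAY list is shortened to the
# attributes used in this chapter (the full list has 21 entries).
SCHEMA = {
    "top": ObjectClass("2.5.6.0", "top", "ABSTRACT", None,
                       must=frozenset({"objectClass"})),
    "organizationalUnit": ObjectClass(
        "2.5.6.5", "organizationalUnit", "STRUCTURAL", "top",
        must=frozenset({"ou"}),
        may=frozenset({"description", "telephoneNumber", "l", "st", "street"})),
    "person": ObjectClass(
        "2.5.6.6", "person", "STRUCTURAL", "top",
        must=frozenset({"sn", "cn"}),
        may=frozenset({"userPassword", "telephoneNumber", "seeAlso",
                       "description"})),
}


def effective_requirements(name):
    """Walk the SUP chain: a derived class inherits every MUST and MAY of its
    parent. Returns (must, may, chain) with chain = [name, parent, ...]."""
    must, may, chain = set(), set(), []
    while name is not None:
        oc = SCHEMA.get(name)
        if oc is None:
            raise ValueError(f"unknown object class: {name}")
        must |= oc.must
        may |= oc.may
        chain.append(oc.name)
        name = oc.sup
    return must, may, chain


def check_entry(entry):
    """Return the list of schema violations for an entry given as
    {attribute: [values]} (attribute names compared case-insensitively, as in
    LDAP); an empty list means the entry is valid."""
    lower = {k.lower(): list(v) for k, v in entry.items()}
    classes = [c for c in lower.get("objectclass", []) if c]
    if not classes:
        return ["objectClass attribute missing or has no value"]
    problems, must, may, chain_of = [], set(), set(), {}
    for name in classes:
        try:
            m, o, chain = effective_requirements(name)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        must |= m
        may |= o
        chain_of[name] = chain
        if SCHEMA[name].kind == "ABSTRACT":
            problems.append(f"{name} is abstract and cannot be used directly")
    # Exactly one structural class. A listed structural class that is the
    # ancestor of another listed one belongs to the same chain, so only the
    # leaves of the structural chains are counted.
    structural = [n for n in chain_of if SCHEMA[n].kind == "STRUCTURAL"]
    leaves = [s for s in structural
              if not any(s in chain_of[t][1:] for t in structural if t != s)]
    if len(leaves) != 1:
        problems.append(f"entry needs exactly one structural class, has {leaves}")
    for attr in sorted(must):            # MUST: present with at least one value
        if not lower.get(attr.lower()):
            problems.append(f"required attribute {attr} has no value")
    allowed = {a.lower() for a in must | may}
    for attr in sorted(lower):           # anything else is not permitted
        if attr not in allowed:
            problems.append(f"attribute {attr} is not allowed by {classes}")
    return problems


# The book's ou=devices entry (dn omitted; it is not an attribute).
OU_DEVICES = {
    "objectclass": ["organizationalUnit"],
    "ou": ["devices"],
    "telephoneNumber": ["+1 256 555-5446", "+1 256 555-5447"],
    "description": ["Container for all network enabled devices existing "
                    "within the plainjoe.org domain"],
}

if __name__ == "__main__":
    print(check_entry(OU_DEVICES) or "ou=devices conforms to its schema")
```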


2.3 What Is the dc Attribute?

Returning to our discussion of the topmost entry in Figure 2-1, we can now explain the meaning of the domain
object class and the dc attribute. Here is the original LDIF listing for the entry:

# LDIF listing for the entry dn: dc=plainjoe,dc=org
dn: dc=plainjoe,dc=org
objectclass: domain
dc: plainjoe

The original recommendation for dividing the X.500 namespace was based on geographic and national regions. You
frequently see this convention in LDAP directories as well, given the heritage that LDAP shares with X.500. For
example, under X.500, the distinguished name for a directory server in the plainjoe.org domain might be:

dn: o=plainjoe,l=AL,c=US

Here, the o attribute is the organizationName, the l attribute is the locality of the organization, and the c
attribute represents the country in which the organization exists. However, there is no central means of registering
such names, and therefore no general way to refer to the naming context of a directory server. RFC 2247
introduced a system by which LDAP directory naming contexts can be piggybacked on top of an organization's
existing DNS infrastructure. Because DNS domain names are guaranteed to be unique across the Internet and can
be located easily, mapping an organization's domain name to an LDAP DN provides a simple way of determining
the base suffix served by a directory and ensures that the naming context will be globally unique.

A directory's naming context is the DN of its topmost entry. The naming context of the
directory in our examples is dc=plainjoe,dc=org. This context is used by the LDAP
server to determine whether it will be able to service a client request. For example, our
directory server will return an error (or possibly a referral) to a client who attempts to look
up the information in an entry named cn=geraldcarter,ou=people,dc=taco,dc=org
because the entry would be outside our naming context. However, the server would search
the directory (and return no information) if the client attempts to look up
cn=geraldcarter,ou=people,dc=taco,dc=plainjoe,dc=org. In this case, the directory's
naming context does match the rightmost substring of the requested entry's DN. The server
just does not have any information on the entry.

To support a mapping between a DNS domain name and an LDAP directory namespace, RFC 2247 defines two
objects, shown in Figures 2-6 and 2-7, for storing domain components. The dcObject is an auxiliary class to
augment an existing entry containing organizational information (e.g., an organizationalUnit). The domain
object class acts as a standalone container for both the organizational information and the domain name
component (i.e., the dc attribute). The organizationalUnit and domain objects have many common attributes.

Figure 2-6. domain object class


Figure 2-7. dcObject object class

Generating an LDAP DN to represent a DNS domain name is a simple process. An empty DN is used as a starting
point. An RDN of dc=domaincomponent is appended to the DN for each portion of the domain name. For
example, the domain name plainjoe.org maps to our naming context of dc=plainjoe,dc=org.

2.3.1 Where Is dc=org?

As we saw in the previous section, dc=plainjoe,dc=org is the directory's naming context. If the directory's root
entry was dc=org, with a child entry of dc=plainjoe,dc=org, then the naming context would have been
dc=org. Our server would then unnecessarily respond to queries for any entry whose DN ended with dc=org, even
though it only has knowledge of entries underneath dc=plainjoe,dc=org.

In this respect, designing an LDAP namespace is similar to designing a DNS hierarchy. Domain name servers for
plainjoe.org have no need to service requests for the .org domain. These requests should be referred to the server
that actually contains information about the requested hosts.
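
As an added example (not the book's code; the function names are mine), here are the RFC 2247 DNS-to-DN mapping and the naming-context check described in this section and the previous one, written so that the comparison is made RDN by RDN, case-insensitively and with escaped commas respected, rather than on the raw string:

```python
def domain_to_dn(domain):
    """RFC 2247 mapping: start from an empty DN and append dc=<label> for each
    label of the domain name, so plainjoe.org becomes dc=plainjoe,dc=org."""
    labels = [l for l in domain.strip().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def split_rdns(dn):
    """Split a DN into (type, value) pairs on unescaped commas. A backslash
    escapes the next character, so 'cn=carter\\, gerald' stays one RDN.
    Types and values are lower-cased: attribute types are case-insensitive,
    and so are dc values (caseIgnoreIA5Match)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def in_naming_context(dn, naming_context):
    """True when the naming context is the rightmost run of RDNs in dn. The
    server can then search for the entry (and may find nothing); otherwise it
    answers with an error or a referral."""
    want = split_rdns(naming_context)
    have = split_rdns(dn)
    return len(have) >= len(want) and have[-len(want):] == want


if __name__ == "__main__":
    ctx = domain_to_dn("plainjoe.org")
    for dn in ("cn=geraldcarter,ou=people,dc=taco,dc=org",
               "cn=geraldcarter,ou=people,dc=taco,dc=plainjoe,dc=org"):
        print(dn, "->", "inside" if in_naming_context(dn, ctx) else "outside", ctx)
```

With the over-broad naming context dc=org from the paragraph above, the dc=taco,dc=org lookup is accepted, which is exactly why the root entry should be dc=plainjoe,dc=org.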


2.4 Schema References

One of the most frequent questions asked by newly designated LDAP administrators is, "What do all of these
abbreviations mean?" Of course, the question refers to things such as cn, c, and sn. There is no single source of
information describing all possible LDAPv3 attribute types and object classes, but there are a handful of online sites
that can be consulted to cover the most common schema items:

RFC 3377 and related LDAPv3 standards (http://www.rfc-editor.org/)

The documents outlined in RFC 3377 provide a list of references for researching related LDAPv3 and X.500
topics. RFC 2256 in particular describes a set of X.500 schema items used with LDAPv3 directory servers.

LDAP Schema Viewer (http://ldap.akbkhome.com/)

This site, maintained by Alan Knowles, provides a nice means of browsing descriptions and dependencies
among common LDAP attributes, object classes, and OIDs.

Object Identifiers Registry (http://www.alvestrand.no/objectid/)

This site can be helpful in tracking down the owner of specific OID arcs.

Sun Microsystems Product Documentation (http://docs.sun.com)

The SunOne Directory Server, formerly owned by Netscape Communications, includes a large set of
reference documentation on various LDAP schema items. Even if you are not using the SunOne DS product,
the schema reference can be helpful in understanding the meaning of various LDAP acronyms. Search the
site for "LDAP schema reference" to locate the most recent versions of the product documentation.

2.5 Authentication

Why is authentication needed in an LDAP directory? Remember that LDAP is a connection-oriented, message-based
protocol. The authentication process is used to establish the client's privileges for each session. All searches,
queries, etc. are controlled by the authorization level of the authenticated user.

Figure 2-8 describes the person object class and gives you an idea of what other attributes are available for the
cn=geraldcarter entry in Figure 2-1. In particular, you will need to define a userPassword attribute value to
further explore LDAP authentication.

Figure 2-8. person objectClass


The LDIF representation for the expanded version of cn=geraldcarter is:

dn: cn=gerald carter,ou=people,dc=plainjoe,dc=org
objectClass: person
cn: gerald carter
sn: carter
telephoneNumber: 555-1234
userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

We have added an attribute named userPassword. This attribute stores a representation of the credentials
necessary to authenticate a user. The prefix (in this case, {MD5}) describes how the credentials are encoded. The
value in this case is simply the Base64 encoding of the MD5 hash of the word "secret."

RFC 2307 defines prefixes for several encryption algorithms. These are vendor-dependent, and you should consult
your server's documentation to determine which are supported. Generating userPassword values will be covered
in more detail in the context of various programming languages and APIs in later chapters. Some common
encoding types are:

{CRYPT}

The password hash should be generated using the local system's crypt( ) function, which is normally
included in the standard C library. The {CRYPT} prefix will be seen quite a bit in Chapter 6 when we discuss
using LDAP as a replacement for NIS.
{MD5}

The password hash is the Base64 encoding of the MD5 digest of the user's password.
{SHA} (Secure Hash Algorithm)

The password hash is the Base64 encoding of the 160-bit SHA-1 hash (RFC 3174) of the user's password.
{SSHA} (Salted Secure Hash Algorithm)

This password-hashing algorithm developed by Netscape is a salted version of the previous SHA-1
mechanism. {SSHA} is the recommended scheme for securely storing password information in an LDAP
directory.

The act of being authenticated by an LDAP directory is called binding. Most users are accustomed to providing a
username and password pair when logging onto a system. When authenticating an LDAP client, the username is
specified as a DN—in our example, cn=geraldcarter,ou=people,dc=plainjoe,dc=org. The credentials used
to authenticate this entry are given by the value of the userPassword attribute.
The LDAPv3 specifications define several mechanisms for authenticating clients:

Anonymous Authentication

Simple Authentication

Simple Authentication over SSL/TLS

Simple Authentication and Security Layer (SASL)

2.5.1 Anonymous Authentication

Anonymous Authentication is the process of binding to the directory using an empty DN and password. This form of
authentication is very common; it's frequently used by client applications (for example, email clients searching an
address book).

2.5.2 Simple Authentication

For Simple Authentication, the login name in the form of a DN is sent with a password in clear text to the LDAP
server. The server then attempts to match this password with the userPassword value, or with some other
predefined attribute that is contained in the entry for the specified DN. If the password is stored in a hashed
format, the server must generate the hash of the transmitted password and compare it to the stored version.
However, the original password has been transmitted over the network in the clear. If both passwords (or
password hashes) match, the client is successfully authenticated. While this authentication method is supported by
virtually all existing LDAP servers (including LDAPv2 servers), its major drawback is its dependency on the client
transmitting clear-text values across the network.
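
As an added example (not code from the book), here are the {MD5}, {SHA} and {SSHA} encodings from the list of prefixes above, and the hash-and-compare step a server performs on a Simple bind; {CRYPT} is omitted because it depends on the platform's crypt(3). The function names are my own, and the {SSHA} layout used here (the 20-byte SHA-1 digest followed by the salt) is an assumption taken from Netscape-derived servers.

```python
import base64
import hashlib
import hmac
import os


def _digest(scheme, pw, salt=b""):
    """Raw digest for a scheme; {SSHA} is {SHA} over password + salt."""
    if scheme == "MD5":
        return hashlib.md5(pw).digest()
    if scheme in ("SHA", "SSHA"):
        return hashlib.sha1(pw + salt).digest()
    raise ValueError(f"unsupported scheme {{{scheme}}}")


def encode_userpassword(scheme, password, salt=None):
    """Build a userPassword value such as {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==.
    {MD5} and {SHA} are unsalted, so equal passwords give equal values;
    {SSHA} draws a random 8-byte salt (assumed layout: digest, then salt)."""
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        blob = _digest("SSHA", pw, salt) + salt
    else:
        blob = _digest(scheme, pw)
    return "{" + scheme + "}" + base64.b64encode(blob).decode("ascii")


def verify_userpassword(stored, candidate):
    """The server side of a Simple bind: hash the transmitted password the
    same way as the stored value and compare in constant time. A value with
    no {scheme} prefix is cleartext; an unknown scheme is rejected."""
    pw = candidate.encode("utf-8")
    if not stored.startswith("{") or "}" not in stored:
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    if scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(digest, _digest("SSHA", pw, salt))
    if scheme in ("MD5", "SHA"):
        return hmac.compare_digest(blob, _digest(scheme, pw))
    return False


if __name__ == "__main__":
    stored = encode_userpassword("SSHA", "secret")
    print(stored, verify_userpassword(stored, "secret"))
```

Encoding the same password twice with {SSHA} gives two different values, which is why it is the recommended scheme: identical passwords in different entries cannot be spotted by comparing stored values.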

2.5.3 Simple Authentication Over SSL/TLS

If sending usernames and passwords over the network is not particularly tasty to you, perhaps wrapping the
information in an encrypted transport layer will make it more palatable. LDAP can negotiate an encrypted transport
layer prior to performing any bind operations. Thus, all user information is kept secure (as well as anything else
transmitted during the session).

There are two means of using SSL/TLS with LDAPv3:

LDAP over SSL (LDAPS - tcp/636) is well supported by many LDAP servers, both commercial and open
source. Although frequently used, it has been deprecated in favor of the StartTLS LDAP extended operation.

RFC 2830 introduced an LDAPv3 extended operation for negotiating TLS over the standard tcp/389 port. This
operation, which is known as StartTLS, allows a server to support both encrypted and nonencrypted sessions
on the same port, depending on the clients' requests.

With the exception of the transport layer security negotiation, the binding process is the same as for Simple
Authentication.

Designers of LDAPv3 defined two pieces of functionality, Extended Operations and
Controls, to allow for additions to the original protocol without requiring a new version to
be standardized. LDAP Controls apply only to individual requests and responses, similar to
the way an adjective extends a noun. Depending on the client's needs, if a server does not
support a specified Control, the request may fail, or the Control may simply be ignored and
the request will continue normally. An Extended Operation is the equivalent of defining a
new word that must be understood by both the client and server.

2.5.4 Simple Authentication and Security Layer (SASL)

SASL is an extensible security scheme defined in RFC 2222 that can be used to add additional authentication
mechanisms to connection-oriented protocols such as IMAP and LDAP. In essence, SASL supports a pluggable
authentication scheme by allowing a client and server to negotiate the authentication mechanism prior to the
transmission of any user credentials.

In addition to negotiating an authentication mechanism, the communicating hosts may also negotiate a security
layer (such as SSL/TLS) that will be used to encrypt all data during the session. The negotiation of transport layer
security within SASL is not related either to the StartTLS Extended Operation or to LDAPS.

RFC 2222 defines several authentication schemes for SASL, including:

Kerberos v4 (KERBEROS_V4)

The Generic Security Service Application Program Interface, Version 2 (GSSAPI), which is defined in RFC
2078

The S/Key mechanism (SKEY), which is a one-time password scheme based on the MD5 message digest
algorithm

The External (EXTERNAL) mechanism, which allows an application to make use of a user's credentials
provided by a lower protocol layer, such as authentication provided by SSL/TLS

In addition to these, RFC 2831 has added an SASL/DIGEST-MD5 mechanism. This mechanism is compatible with
HTTP/1.1 Digest Access Authentication.

During the binding process, the client asks the server to authenticate its request using a particular SASL plug-in.
The client and server then perform any extra steps necessary to validate the user's credentials. Once a success or
failure condition has been reached, the server returns a response to the client's bind request as usual, and LDAP
communication continues normally.


2.6 Distributed Directories

At this point we have completed examining the simple directory of Figure 2-1. Since we have covered the basics,
let's expand Figure 2-1 to create a distributed directory. In a distributed directory, different hosts possess different
portions of the directory tree.

Figure 2-9 illustrates how the directory would look if the people ou were housed on a separate host. There are
many reasons for distributing the directory tree across multiple hosts. These can include, but are not limited to:

Performance

Perhaps one section of the directory tree is heavily used. Placing this branch on a host by itself lets clients
access the remaining subtrees more quickly.

Geographic location

Are all the clients that access a particular branch of the directory in one location? If so, it would make more
sense to place this section of the directory closer to the client hosts that require it. In this way, trips across a
possibly slow WAN link can be avoided.

Administrative boundaries

It is sometimes easier to delegate administrative control of a directory branch by placing the branch on a
server controlled by the group responsible for the information in that branch. In this way, the server
operators can have full access for duties such as replication and backups without interfering with a larger,
more public server.

Figure 2-9. Building a distributed directory


To divide the directory tree between the two servers in Figure 2-9, you must configure two links between the main
directory server and the server that holds the people ou. To do so, create the superior and subordinate knowledge
reference links as shown.

A subordinate knowledge link, often called simply a reference, logically connects a node within a directory tree to
the naming context of another server. Most often, the naming context of the second server is a continuation of the
directory. In this example, the people ou in the main directory tree has no children because all queries of entries
in the ou=people,dc=plainjoe,dc=org tree should be served by the second server. The entry
ou=people,dc=plainjoe,dc=org on the main directory server is now a placeholder that contains the referral to
the actual directory server for this entry. Figure 2-10 shows the definition for the referral object class
defined in RFC 3296.

Figure 2-10. The referral object class



LDAPv2 servers based on the original University of Michigan LDAP server supported an
experimental means of using referrals that is incompatible with the standardized referrals
included in LDAPv3.

The referral object contains only a single required attribute, ref. This attribute holds the URI that points to the
host that contains the subtree. The format of this URI is defined in RFC 2255 as:

ldap://[host:port]/[/dn[?attribute][?scope][?filter][?extensions]]

This syntax will make more sense when we have covered LDAP search parameters in Chapter 4. For our purposes,
the most common URI used as a ref value looks like:

ldap://[host:port]/dn

For example, the LDIF listing for the new people ou entry is:

# LDIF listing for the entry ou=people,dc=plainjoe,dc=org
dn: ou=people,dc=plainjoe,dc=org
objectClass: referral
ref: ldap://server2.plainjoe.org/ou=people,dc=plainjoe,dc=org

Configuring the superior knowledge reference link, also called simply a referral but not to be confused with the
referral object class, from the second server back to the main directory is a vendor-dependent operation, so it is
difficult to tell you exactly what to expect. However, the purpose is to define an LDAP URI (just like the one used
as the ref attribute value) that should be returned to clients who attempt to search or query entries outside of the
naming context of the subordinate server. In the example discussed here, server2 would be configured to return
ldap://server1.plainjoe.org/dc=plainjoe,dc=org to all clients who attempt to go outside of
ou=people,dc=plainjoe,dc=org.

Who should follow the referral link? There are two possible answers:

The server follows and resolves any referrals that it runs into during an LDAP operation. The client receives
only the result and never knows that the referral happened. This is known as "chaining" and is similar to a
recursive DNS server. Chaining has not been standardized. If you are interested, you should consult the
documentation for your server to determine whether chaining is supported.

The client follows links for itself. The LDAP client library normally follows the link, but the URI can be handed
to the calling application, which is then responsible for following the link itself. This method is supported by
all LDAPv3-compliant clients and servers.
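
As an added example (not the book's code), here is a parser for the ref URI form shown above with the RFC 2255 defaults filled in (port 389, base scope, (objectClass=*) filter), plus a builder that percent-encodes a DN into a ref value. The function names are mine; the server names are the ones used in this section.

```python
from urllib.parse import quote, unquote

SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Split ldap://host:port/dn?attributes?scope?filter?extensions into its
    parts. Fields are '?'-separated before percent-decoding, so a '?' inside
    a filter must arrive encoded, as RFC 2255 requires."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    hostport, _, tail = rest.partition("/")
    if hostport.startswith("["):                 # IPv6 literal: [addr]:port
        host, _, port = hostport[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    fields = tail.split("?") if tail else []
    fields += [""] * (5 - len(fields))           # dn, attrs, scope, filter, exts
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields[:5])
    if scope and scope.lower() not in SCOPES:
        raise ValueError(f"bad scope {scope!r}")
    return {
        "scheme": scheme,
        "host": host or None,                    # None: client picks a server
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",
        "filter": filt or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }


def build_ref(host, dn, port=None):
    """Produce the ref value for a referral entry: the subtree root DN on the
    host that actually holds it, with unsafe characters percent-encoded."""
    hostport = f"{host}:{port}" if port else host
    return f"ldap://{hostport}/{quote(dn, safe='=,+')}"


if __name__ == "__main__":
    # The two links from the text: server1 refers ou=people to server2, and
    # server2 refers everything outside ou=people back to server1.
    for ref in (build_ref("server2.plainjoe.org", "ou=people,dc=plainjoe,dc=org"),
                build_ref("server1.plainjoe.org", "dc=plainjoe,dc=org")):
        print(ref, parse_ldap_url(ref))
```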

There is one more mechanism for redirecting a client. An alias is a symbolic link in the
directory pointing from one entry to another (possibly on a different server). Aliases can be
used only on an entry, not on individual attributes. There may be specific situations that
require the use of aliases, but these are likely to be few. For this reason, aliases are not
stressed beyond the discussion here.


2.7 Continuing Standardization

LDAP is continuing to evolve as a protocol. There are currently two working groups within the IETF to help
shepherd this process:

The LDAP Duplication/Replication/Update Protocols (LDUP) working group focuses on data replication and
consistency in LDAP directories. More information on the group's current activities can be found at
http://ietf.org/html.charters/ldup-charter.html.

The LDAPv3 Revision (LDAPbis) working group directs its efforts toward attempting to clarify parts of the
original LDAPv3 specifications. This does not include work on a Version 4 of the LDAP protocol. More
information on the LDAPbis working group can be found at http://ietf.org/html.charters/ldapbis-charter.html.

While not related to standardization processes, the LDAPzone web site (http://www.ldapzone.com) does provide a
nice collection of LDAP-related topics, forums, and downloads.

Chapter 3. OpenLDAP

While reading this book, you may find yourself feeling a little like a sky diver who has just jumped out of an
airplane. As you approach the ground, things come more into focus. As you squint and try to make out the color of
that house far below, you suddenly realize that you are plummeting closer and closer toward the very thing you
are trying to observe.

Conceptual ideas need concrete implementations in order to solidify our understanding of them. A directory access
protocol is of no use without an actual implementation that allows us to put the protocol to work to solve real
information problems on a network. This chapter introduces OpenLDAP, a popular, open source LDAPv3-compliant
server. There are a number of popular commercial products, including Sun Microsystem's SunOne directory server
(formerly owned by Netscape), Novell's eDirectory (formerly referred to as NDS), and Microsoft's Active Directory,
although this directory encompasses much more than just LDAP.

Why are we using the OpenLDAP[1] server instead of one from another vendor? OpenLDAP is attractive for several
reasons:

[1] The "Open" in OpenLDAP refers to the open engineering process and community used to create OpenLDAP
software.

The OpenLDAP source code is available for download from http://www.openldap.org/ under the OpenLDAP
Public License. Source code can provide a great deal of information to supplement existing (or absent)
documentation.

OpenLDAP 2 is compliant with the core LDAPv3 specifications.

OpenLDAP is available for multiple platforms, including Linux, Solaris, Mac OS 10.2, and Windows (in its
various incarnations). For more information regarding OpenLDAP on Mac OS 10.2, see
http://www.padl.com//Articles/AdvancedOpenDirectoryConf.html.

The OpenLDAP project is a continuation of the original University of Michigan LDAP server. The relationship
between Michigan's LDAP server and many modern, commercial LDAP servers can be compared to the
relationship between modern web browsers and the original NCSA Mosaic code base.

The examples presented in this chapter configure OpenLDAP on a Unix-based server. Therefore, they use standard
Unix command-line tools such as tar, gzip, and make.


3.1 Obtaining the OpenLDAP Distribution

The OpenLDAP project does not make binary distributions of its software available. The reason for this has a lot to
do with the number of dependencies it has on other packages. Many Linux vendors include precompiled versions of
OpenLDAP with their distributions. Still, we'll discuss how to compile the OpenLDAP source code distribution; you'll
need to build OpenLDAP to stay up to date, and studying the build process gives you a chance to learn more about
the LDAP protocol.

Symas Corporation also provides some precompiled OpenLDAP packages (including
requisite software components) for Solaris and HP-UX at http://www.symas.com/.

The latest version of OpenLDAP can be obtained from http://www.OpenLDAP.org/software/download/. There are
two major incarnations of OpenLDAP. The older 1.2 releases are essentially enhancements or small bug fixes to the
original University of Michigan code base and implement only LDAPv2. The OpenLDAP 2 branch is an LDAPv3-
compliant implementation.

There are several advantages of LDAPv3 over the previous version, such as:

The ability to refer clients to other LDAP servers for information. The LDAPv2 RFCs contained no provision for
returning a referral to a client. While the University of Michigan server supported an experimental
implementation of referrals, the concept was not standardized until the LDAPv3 specifications.
Standardization made interoperability between servers and clients from different vendors possible, something
that was missing under LDAPv2.

The ability to publish the server's schema via LDAP operations, which makes it easier for clients to learn the
server's schema before performing searches. The only way to determine the schema supported by an
LDAPv2 server was to examine the server's configuration files. Publishing the server's schema as entries
within the directory allows for such things as real-time updates via standard LDAP operations. (Note that
LDAPv3 does not require dynamic updates.)

Internationalization support through the use of UTF-8 characters in strings (RFC 2253) and language tags for
attribute descriptions (RFC 2596).

Improved security and flexibility for authentication credentials and data via SASL and SSL/TLS. LDAPv2
supported only simple binds or Kerberos 4 authentication.

Support for protocol extensions as a mechanism to enhance existing operations or add new commands
without requiring that a new revision of the LDAP protocol be defined.

The OpenLDAP 2 release is an LDAPv3 server. However, LDAPv2 clients are not going away anytime soon.
Therefore, OpenLDAP 2 and the majority of other LDAP servers can support both LDAPv2 and v3 clients.[2]

[2]Most people are referring to the University of Michigan LDAP client and server implementation when using
the term LDAPv2. LDAPv2 as specified in the original RFCs has been moved to historic status.


3.2 Software Requirements

The examples presented in this book for building the client tools and server components are based on the latest
OpenLDAP 2.1 release available at the current time (Version 2.1.8). As with any piece of software, version
numbers and dependencies change. Make sure to consult the documentation included with future OpenLDAP
releases before building your server.

Our OpenLDAP server will require several external software packages:

Support for POSIX threads, either by the operating system or an external library.

SSL/TLS libraries (such as the OpenSSL package, which is available from http://www.openssl.org/).

A database manager library that supports DBM type storage facilities. The current library of choice is the Berkeley DB 4.1 package from Sleepycat Software (http://www.sleepycat.com/).

Release 2.1 of the SASL libraries from Carnegie Mellon University (http://asg.web.cmu.edu/sasl/sasl-library.html).
By Gerald Carter

3.2.1 Threads

If your server's operating system supports threads, OpenLDAP 2 can take advantage of this feature. This support works fine out of the box on most current Linux systems, Solaris, and several other platforms.

If you run into problems related to POSIX thread support, your first option is to check the OpenLDAP.org web site for installation notes specific to your platform. You may also wish to visit http://www.gnu.ai.mit.edu/software/pth/related.html for a list of known POSIX thread libraries for Unix systems. It is possible to disable thread support in the OpenLDAP server, slapd, by specifying the --disable-threads option in the OpenLDAP configure script prior to compiling. However, the replication helper daemon, slurpd, which is covered in Chapter 5, requires thread support.

3.2.2 SSL/TLS Libraries

RFC 2246 describes TLS 1.0, which resembles SSL 3.0. The StartTLS extended operation defined in RFC 2830
allows LDAP clients and servers to negotiate a TLS session at any point during a conversation (even prior to
authenticating the client). To enable support for this extended operation or the LDAPS protocol, you need to obtain
and install the latest version of the OpenSSL libraries. These can be downloaded from the OpenSSL Project at
http://www.openssl.org/.

Building and installing the OpenSSL libraries is straightforward. Just remember that, as of release 0.9.6g, shared
libraries are not built by default. To build shared libraries, pass the shared option to the OpenSSL build script. The
--openssldir option is used to define the install directory:

$ ./config shared --openssldir=/usr/local

Then follow with the obligatory:

$ make
$ /bin/su -c "make install"

to install the development libraries and tools in /usr/local/ .

3.2.3 Database Backend Modules

In order to build a standalone OpenLDAP server, it is necessary to provide libraries for some type of database manager (DBM). OpenLDAP presently supports two categories of local DB storage. The first, referred to as ldbm, can use either the GNU Database Manager from the Free Software Foundation (http://www.fsf.org/) or the BerkeleyDB package from Sleepycat software (http://www.sleepycat.com/). The second database type introduced in OpenLDAP 2.1, called bdb, has been customized to use only the Berkeley DB 4 libraries. The newer bdb backend type is preferred to the ldbm interface for servers that maintain local copies of data, such as those we will build in this book.

To obtain and install the Berkeley DB 4.1 libraries, begin by downloading the source code from
http://www.sleepycat.com/download/index.shtml. Next, extract the source code to a temporary directory such as
/usr/local/src/. This example uses the release 4.1.24:

$ cd /usr/local/src/
$ gzip -dc {path-to-download-directory}/db-4.1.24.tar.gz | tar xvf -

The instructions for building the software on Unix-like systems are linked from the beginning page of the software's documentation in db-<version>/docs/index.html. For most purposes, this boils down to:

$ cd db-version/build_unix
$ ../dist/configure --prefix=/usr/local/
$ make
$ /bin/su -c "make install"

You can choose an installation directory other than /usr/local/ as long as you remember to take any necessary steps to ensure that the libraries and development files can be found by both the Cyrus SASL libraries and OpenLDAP when compiling these packages.

Once the process is completed, verify that the file libdb-4.1.so exists in the lib/ directory below the installation root (e.g., /usr/local/lib/).

3.2.4 SASL Libraries

Chapter 2 introduced the concept of pluggable authentication mechanisms. While the SASL libraries are not required to build OpenLDAP 2, the resulting LDAP server will not be completely LDAPv3-compliant if SASL is absent.

The Computing Services Department at Carnegie-Mellon University has made a set of SASL libraries available for download under a BSD-like license. The latest version can be found at ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/. The cyrus-sasl libraries v2.1 support several SASL mechanisms, including:

ANONYMOUS
CRAM-MD5
DIGEST-MD5
GSSAPI (MIT Kerberos 5 or Heimdal Kerberos 5)
KERBEROS_V4
PLAIN

To support the Kerberos plug-ins, you must obtain libraries from either Heimdal Kerberos
(http://www.pdc.kth.se/heimdal/) or the MIT Kerberos distribution
(http://web.mit.edu/kerberos/www/).

Understanding SASL is somewhat of an undertaking. You don't need to install the SASL libraries if you plan to
support only simple (clear-text) binds and simple binds over SSL/TLS. The most common reasons for requiring
SASL integration with LDAP are Kerberos authentication and integration with other SASL-enabled applications, such
as Sendmail or CMU's Cyrus IMAPD server.

For the sake of flexibility, we will build the server with SASL support. I recommend reading the SASL System
Administrator's HOWTO (sysadmin.html) included as part of the CMU distribution. This document gives some
general setup and configuration information. You may also wish to review the "GSSAPI Tutorial" mentioned in the
HOWTO and the Programmer's Guide. All of these are included in the Cyrus SASL distribution under the doc/
directory. You may also wish to refer to RFC 2222 for a general overview of SASL. The sample/ subdirectory also
includes a program for testing the SASL libraries. Chapter 9 includes examples of using the GSSAPI SASL
mechanism when exploring interoperability with Microsoft's Active Directory.

Building the SASL distribution requires only a few familiar steps. In most environments, the following commands
will install the libraries and development files in /usr/local/ :

$ gzip -dc cyrus-sasl-2.1.9.tar.gz | tar xf -


$ cd cyrus-sasl-2.1.9
$ ./configure
$ make
$ /bin/su -c "make install && \
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2"

The symbolic link is needed because the SASL library will look for installed mechanisms in /usr/lib/sasl2/ (as
described in the cyrus-sasl documentation).
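As an added check that ties together sections 3.2.2 through 3.2.4 (example script, not from the book or the OpenLDAP project): before running OpenLDAP's configure script, confirm that the shared OpenSSL libraries, libdb-4.1.so, the Cyrus SASL library and a populated SASL plug-in directory are all where the build above put them. The header and library paths assume the default install layouts of OpenSSL, Berkeley DB 4.1 and Cyrus SASL 2.1; the optional second argument (plug-in directory) exists so the check can be pointed at a test tree instead of /usr/lib/sasl2.

```shell
#!/bin/sh
# Added example, not from the book: verify the build products that OpenLDAP's
# configure script and the running slapd depend on.
# Usage: check_openldap_prereqs [PREFIX] [SASL_PLUGIN_DIR]
# Defaults follow the book's layout: /usr/local and /usr/lib/sasl2.
# Paths containing spaces are not handled (patterns are word-split on purpose).

# glob_exists PATTERN: return 0 if at least one file matches the shell pattern
glob_exists() {
    for f in $1; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# report NAME PATTERN: print ok/MISSING for one check and return its result
report() {
    if glob_exists "$2"; then
        echo "ok       $1: $2"
        return 0
    fi
    echo "MISSING  $1: $2"
    return 1
}

check_openldap_prereqs() {
    prefix="${1:-/usr/local}"
    plugin_dir="${2:-/usr/lib/sasl2}"
    rc=0

    # OpenSSL: slapd and libldap link the shared object at run time, and with
    # release 0.9.6g it is only produced when './config shared' was used.
    report "OpenSSL header"      "$prefix/include/openssl/ssl.h" || rc=1
    report "OpenSSL shared lib"  "$prefix/lib/libssl.so*"        || rc=1

    # Berkeley DB 4.1 for the bdb backend (the file the book tells you to look for)
    report "Berkeley DB header"  "$prefix/include/db.h"          || rc=1
    report "Berkeley DB 4.1 lib" "$prefix/lib/libdb-4.1.so"      || rc=1

    # Cyrus SASL 2.1 library and headers
    report "SASL header"         "$prefix/include/sasl/sasl.h"   || rc=1
    report "SASL shared lib"     "$prefix/lib/libsasl2.so*"      || rc=1

    # libsasl2 loads mechanism plug-ins from /usr/lib/sasl2 (hence the symlink
    # in the book). -d follows the link; an empty directory means the server
    # would advertise no SASL mechanisms at all, so require at least one plug-in.
    if [ -d "$plugin_dir" ]; then
        report "SASL mechanism plug-ins" "$plugin_dir/lib*.so*" || rc=1
    else
        echo "MISSING  SASL plug-in dir: $plugin_dir (expected a link to $prefix/lib/sasl2)"
        rc=1
    fi

    return $rc
}
```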

Exploring the Variety of Random
Documents with Different Content
cast upon the name of Briton when you, sir, are pleased to esteem it
among your glories,” said the House of Lords in their Address
thanking the King for his Speech.

2
That there have been many cases of dispute between the
Sovereign and his Ministers, in recent years, at least, as to either the
measures set out in the Speech or the phraseology of its sentences
is very unlikely. Only two instances during the long reign of Queen
Victoria have come to light. In 1859, Austria, struggling to maintain
her position in Italy, was at war with Sardinia, and the intervention
of France on the side of Sardinia was regarded in some circles in this
country as a characteristic act of aggression by the Emperor, Louis
Napoleon. The draft of the proposed Speech from the Throne
submitted to Queen Victoria contained the following passages:

Receiving assurances of friendship from both the contending parties, I


intend to maintain a strict and impartial neutrality, and hope, with God’s
assistance, to preserve to my people the blessing of continued peace.
I have, however, deemed it necessary, in the present state of Europe,
with no object of aggression, but for the security of my dominions, and
for the honour of my Crown, to increase my Naval Forces to an amount
exceeding that which has been sanctioned by Parliament.

The Queen sent to the Premier, Lord Derby, the following criticism:

B uckingham P alace ,
June 1, 1859.
The Queen takes objection to the wording of the two paragraphs
about the war and our armaments. As it stands, it conveys the
impression of a determination on the Queen’s part of maintaining a
neutrality— à tout prix —whatever circumstances may arise which would
do harm abroad, and be inconvenient at home. What the Queen may
express is her wish to remain neutral, and her hope that circumstances
may allow her to do so. The paragraph about the Navy, as it stands,
makes our position still more humble, as it contains a public apology for
arming, and yet betrays fear of our being attacked by France.
The Queen then suggested two amended forms for these
passages, in which she said she had taken pains to preserve Lord
Derby’s words, as far as was possible, with an avoidance of the
objections before stated:

I continue to receive, at the same time, assurances of friendship from


both contending parties. It being my anxious desire to preserve to my
people the blessing of uninterrupted peace, I trust in God’s assistance to
enable me to maintain a strict and impartial neutrality.
Considering, however, the present state of Europe, and the
complications which a war, carried on by some of the Great Powers, may
produce, I have deemed it necessary, for the security of my dominions
and the honour of my Crown, to increase my Naval Forces to an amount
exceeding that which has been sanctioned by Parliament.

Lord Derby, in his reply, contended that the country was


unanimous in favour of a strictly neutral policy. Its sympathies were
neither with France nor with Austria, but, were it not for the
intervention of France, it would generally be in favour of Italy. He
went on to say that the Opposition Press were insinuating that the
neutrality of the Government covered wishes and designs in favour
of Austria; and any words in the Speech from the Throne which
should imply a doubt of strict impartiality would certainly provoke a
hostile amendment in the interest of Sardinia, which might possibly
be carried, and in such circumstances her Majesty would be placed
in the painful position of having to select an Administration pledged
against the interests of Austria and of Germany. He thought the
Queen’s suggested words in regard to the Navy—“complications
which a war carried on by some of the Great Powers may produce”—
would inevitably lead to a demand for an explanation of the
“complications” which the Government foresaw as likely to lead to
war. The Prime Minister went on to say:

In humbly tendering to your Majesty his most earnest advice that your
Majesty will not insist on the proposed Amendments in his draft Speech
he believes that he may assure your Majesty that he is expressing the
unanimous opinion of his colleagues. Of their sentiments your Majesty
may judge by the fact that in the original draft he had spoken of your
Majesty’s “intention” to preserve peace “so long as it might be possible”;
but by universal concurrence these latter words were struck out; and the
“hope” was, instead of them, substituted for the “intention.”

In answer to this letter, Queen Victoria wrote that there was, in


fact, no difference between her and Lord Derby. She had suggested
the verbal amendments merely with a view to indicate the nature of
the difficulty as it presented itself to her. Whatever decision Lord
Derby might on further reflection come to, she was prepared to
accept. In the Speech read by the Queen from the Throne the two
paragraphs were somewhat modified in the sense her Majesty
desired.
Five years later, in 1864, another difference arose between Queen
Victoria and her advisers in regard to statements in the Speech.
Denmark and Germany were at war over the right to the Duchies of
Schleswig and Holstein—obtained finally by Germany—and the draft
of the Speech submitted to Queen Victoria contained a paragraph
plainly, if not menacingly, expressing the sympathy of England with
Denmark. To this the Queen objected. In her opinion the best policy
for this country was to stand neutral, and though the stubborn
Palmerston, who was then Prime Minister, was, as usual, disposed to
show fight, she finally had her way. The Speech as read in the
House of Lords declared that—

Her Majesty has been unremitting in her endeavours to bring about a


peaceful settlement of the differences which on this matter have arisen
between Germany and Denmark, and to ward off the dangers which
might follow from a beginning of warfare in the North of Europe, and her
Majesty will continue her efforts in the interest of peace.

It is not sufficient for the King formally to express approval of the


draft of the Speech submitted to him by his advisers. He must sign
the Speech in the presence of the Ministers, thus giving them a
guarantee of assurance that he will deliver that particular Speech,
and no other, to the two Houses of Parliament. Consequently, at a
meeting of the “King in Council,” or, in other words, the Privy
Council, at which, however, only Cabinet Ministers are present, the
King endorses the Speech with his signature. When next his Majesty
sees the Speech, a printed copy of it is presented to him on the
Throne of the House of Lords by the kneeling Lord Chancellor in the
presence of the Commons.
The Speech is written in a prescribed form. Each one bears the
closest resemblance outwardly to its predecessors. It is divided into
three sections. The first section, addressed generally to Members of
both Houses, “My Lords and Gentlemen,” deals exclusively with
foreign affairs; then there is a brief paragraph referring to the
Estimates, which specially concerns “Gentlemen of the House of
Commons,” as the sole custodians and guardians of the public purse
(or “Members of the House of Commons” as the phrase became
when the first female Member, Lady Astor, was elected in 1919); and
the third section, which opens again with “My Lords and Gentlemen,”
contains some general remarks on home affairs, and sets out the
legislative programme of the Session. “I pray,” the Speech usually
concludes, “that Almighty God may continue to guide you in the
conduct of your deliberations, and bless them with success.”

3
These Speeches possess a double interest, as the literary
compositions and the political manifestoes of the most eminent
statesmen of the Nation. To me it has been a pleasant occupation
dipping into them, here and there, in the volumes of Hansard and
extracting a few notes personal to the Sovereign, or references to
some of the great political issues of the latter half of the nineteenth
century and the opening decades of the twentieth. There is a
popular supposition that “the King’s Speeches” are the worst
possible models of “the King’s English.” The condemnation is too
sweeping. Unquestionably there are Speeches with sentences
doubtful in grammar, as well as feeble and pointless. The writing of
most of them, however, is pure and concise. It is possible to trace in
them the characteristic styles and different moods of mind of the
Prime Ministers by whom they were written. Disraeli’s Speeches
stand put as the most ornate. He used more rhetoric than other
Premiers deemed to be necessary or desirable. In one there is a
picture of “the elephants of Asia carrying the artillery of Europe over
the mountains of Rasselas”; in another the founding of British
Columbia calls up a vision of her Majesty’s dominions in North
America “peopled by an unbroken chain, from the Atlantic to the
Pacific, of a loyal and industrious population of subjects of the British
Crown.” Nothing could be more effective from an elocutionary point
of view. The “Speeches” of Lord Melbourne trembled at times on the
verge of puerility. Palmerston’s waved the Union Jack in relation to
foreign affairs, and his off-hand “Ha, ha!” was heard in references to
things domestic. Gladstone and Salisbury drafted “Speeches” equally
noted for freshness and strength of expression. Lloyd George
composed the longest and most comprehensive and possibly the
most historic “Speeches”—those that immediately followed the
conclusion of the World War. They were obviously addressed not so
much to Lords and Commons as to the people at large.

The early age at which I am called to the sovereignty of this Kingdom


renders it a more imperative duty that under Divine Providence I should
place my reliance upon your cordial co-operation, and upon the loyal
affection of all my people. I ascend the Throne with a deep sense of the
responsibility which is imposed upon me; but I am supported by the
consciousness of my own right intentions, and by my dependence upon
the protection of Almighty God.

These are the concluding words of the Speech from the Throne
read by Victoria, the girl-Queen, to her first Parliament, on
November 20, 1837. “Never,” wrote Mrs. Kemble, “have I heard any
spoken words more musical in their gentle distinctness than the ‘My
Lords and Gentlemen’ which broke the breathless stillness of the
illustrious assembly, whose gaze was riveted on that fair flower of
Royalty.” It was a new Parliament, fresh from the country, after the
General Election which, as the law then required, followed the
demise of the Crown owing to the death of William IV. The scene on
that historic occasion in the old House of Lords was most brilliant. To
the right of the young Queen stood her mother, the Duchess of Kent.
On her left was Viscount Melbourne, the Prime Minister. At the foot
of the Throne were grouped other great officers of State. The
benches were crowded with peers in their robes—amongst whom
Wellington, Brougham, Lyndhurst, were distinguished figures—and
with peeresses in Court plumes and diamonds. At the Bar were
assembled the Commons, Mr. Speaker Abercromby at their head,
and in the throng might be seen such eminent statesmen and
notabilities as Lord John Russell, Sir Robert Peel, Lord Palmerston,
Daniel O’Connell, Stanley (afterwards Lord Derby), and two young
Members, Gladstone, who already had four years’ experience of
Parliament, and Disraeli, just returned at the General Election for
Maidstone, who were destined to become the two greatest political
protagonists of the nineteenth century. Writing to his sister on
November 21, 1837, Disraeli thus comically describes how the
Commons went to the House of Lords, and what they saw there:

The rush was terrific; Abercromby himself nearly thrown down and
trampled upon, and his macebearer banging the Members’ heads with
his gorgeous weapon and cracking skulls with impunity. I was fortunate
enough to escape, however, and also to ensure an entry. It was a
magnificent spectacle. The Queen looked admirable; no feathers, but a
diamond tiara. The peers in robes, the peeresses and the sumptuous
groups of courtiers rendered the affair most glittering and imposing.

What a contrast between this splendid and joyful ceremony and


the pathetic scene that was witnessed in the same Chamber, just a
year earlier, when Parliament was opened by William IV for the last
time! The aged King, wrapped in his ample purple robes, and his
grey locks surmounted by the Imperial Crown, stood on the Throne
struggling with dim eyes in the twilight of the Chamber to read the
Speech prepared for him by Lord Melbourne. He stammered slowly,
and almost inaudibly, through the first few sentences, pausing now
and then over a difficult word, and querulously appealing to the
Prime Minister “What is it, Melbourne?” loudly enough to be heard
by the Assembly. At last, losing all patience, he angrily exclaimed, in
the full-blooded language of the period, “Damn it, I can’t see!”
Candles were instantly brought in and placed beside the King. “My
Lords and Gentlemen,” said he, “I have hitherto not been able, for
want of light, to read this Speech in a way its importance deserves;
but as lights are now brought me, I will read it again from the
commencement, and in a way which, I trust, will command your
attention.” Then in a pitiful effort to prove to Peers and Commons
that his mental and physical powers were by no means failing, he
commenced the Speech again and read it through in a fairly clear
voice and with some emphasis.
It was at the opening of the third session of the first Parliament of
Queen Victoria, on January 16, 1840, Lord Melbourne being still
Premier, that her Majesty read from her Speech the announcement
of her approaching marriage to Prince Albert. Writing to the Prince a
few days previously, she said the reading of the Speech was always
a nervous proceeding, and it would be made an “awful affair” by the
announcement of her engagement. “I have never failed yet,” she
added, “and this is the sixth time that I have done it, and yet I am
just as frightened as if I had never done it before. They say that
feeling of nervousness is never got over, and that William Pitt himself
never got up to make a speech without thinking he should fail. But
then I only read my speech.” The passage in the Speech from the
Throne in reference to her marriage is as follows:

My Lords and Gentlemen,—Since you were last assembled I have


declared my intention of allying myself in marriage with Prince Albert of
Saxe-Coburg and Gotha. I humbly implore that the Divine blessing may
prosper this union, and render it conducive to the interests of my
people, as well as to my own domestic happiness; and it will be to me a
source of the most lively satisfaction to find the resolution I have taken
approved by my Parliament. The constant proofs which I have received
of your attachment to my person and family persuade me that you will
enable me to provide for such an establishment as may appear suitable
to the rank of the Prince and the dignity of the Crown.

Mrs. Simpson, in her Many Memories of Many People, writes that


her first recollection of the opening of Parliament was on this
auspicious occasion. “I sat up in a little gallery over the Woolsack
between the beautiful Lady Dufferin and Miss Pitt,” she says. “I
remember well the Queen’s sweet voice and that the paper shook in
her hand. By her side stood Lord Melbourne, repeating inaudibly—
we could see his lips move—every word she uttered.”
On the next occasion her Majesty opened Parliament, February 3,
1842, Sir Robert Peel being Prime Minister, she announced in the
Speech another joyful event in her domestic life, the birth of the
Prince of Wales, which took place on November 9, 1841. The Speech
said:

My Lords and Gentlemen,—I cannot meet you in Parliament assembled


without making a public acknowledgment of my gratitude to Almighty
God on account of the birth of the Prince, my son—an event which has
completed the measure of my domestic happiness, and has been hailed
with every demonstration of affectionate attachment to my person and
government by my faithful and loyal people.

The Prince Consort died on December 14, 1861, at the early age
of forty-two years. At the opening by Commission of the next session
of Parliament, Lord Palmerston being Prime Minister, the domestic
affliction of the Sovereign was thus announced in “the Queen’s
Speech”:

My Lords and Gentlemen,—We are commanded by her Majesty to


assure you that her Majesty is persuaded that you will deeply participate
in the affliction by which her Majesty has been overwhelmed by the
calamitous, untimely and irreparable loss of her beloved Consort, who
has been her comfort and support. It has been, however, soothing to her
Majesty, while suffering most acutely under this awful dispensation of
Providence, to receive from all classes of her subjects the most cordial
assurances of their sympathy with her sorrow, as well as their
appreciation of the noble character of him, the greatness of whose loss
to her Majesty and to the nation is so justly and so universally felt and
lamented.

4
Six years elapsed before Queen Victoria was seen again at
Westminster. She opened the Conservative Parliament which
assembled on February 10, 1866. The ceremony, by her command,
was plain and simple. She declined to wear the purple robe of State,
and had it placed over the Chair of the Throne. Her attire consisted
of a black dress and a widow’s white cap, the only touch of bright
colour being the blue sash of the Garter across her breast. For the
first time also she did not read the Speech from the Throne. She
reverted to an ancient practice by deputing the Lord Chancellor,
Cranworth, to read it. The Speech announced the termination of the
long and bloody Civil War in America. “The abolition of slavery,” it
added, “is an event calling forth the cordial sympathies and
congratulations of this country, which has always been foremost in
showing its abhorrence for an institution repugnant to every feeling
of justice and humanity.”
Queen Victoria next opened the first session of the Liberal
Parliament on February 11, 1869, in which Gladstone for the first
time was Prime Minister. The great measure of that session was the
Bill for the disestablishment and disendowment of the Church in
Ireland. “The ecclesiastical arrangements of Ireland,” said the
Queen’s Speech, “will be brought under your consideration at a very
early date.” It went on to say:

I am persuaded that in the prosecution of the work you will bear


careful regard to every legitimate interest which it may involve, and that
you will be governed by the constant aim to promote the welfare of
religion through the principles of equal justice, to secure the action of
the individual feeling and opinion of Ireland on the side of loyalty and
law, to efface the memory of former contentions and to cherish the
sympathies of an affectionate people.

As the time approached for the meeting of Parliament in the


following year, 1870, Gladstone was most anxious that it should be
opened by the Queen. The chief business was to be a Bill dealing
with the Irish land question. Gladstone said to Lord Granville: “It
would be almost a crime in a Minister to omit anything that might
serve to mark and bring home to the minds of men the gravity of
the occasion.” “Moreover,” he added, “I am persuaded that the
Queen’s own sympathies would be—not as last year—in the same
current as ours.” This shows how important it was for the success of
the Government’s legislative programme that Parliament should, in
the opinion of Gladstone, be opened with the impressiveness that
attends the ceremony when it is performed by the Sovereign in
person. But her Majesty was unable, or disinclined, to comply with
his request. The opening passage of the Speech from the Throne is
significant, in the light of what happened—as we now know—behind
the scenes. It runs: “We have it in command from her Majesty again
to invite you to resume your arduous duties, and to express the
regret of her Majesty that recent indisposition has prevented her
from meeting you in person, as had been her intention, at a period
of remarkable public interest.”
The last time that Queen Victoria appeared at Westminster was on
January 21, 1886, at the assembling of a new Parliament, with the
Conservatives in office but not in power. “The Queen’s Speech”
which was read on that occasion was perhaps—having regard to
what occurred subsequently in Parliament—the most remarkable of
Victoria’s long reign. The session of 1886, which was destined to be
made historic by Gladstone’s first attempt to carry Home Rule, was
opened with a Speech from the Throne strongly reprobating any
disturbance of the Legislative Union.
The events which led up to this extraordinary constitutional
situation may be briefly related. In June 1885 the Gladstone
Administration, defeated on an amendment to their Budget
condemning the increases proposed in the beer and spirit duties,
resigned, and they were succeeded by a Conservative Government,
with Lord Salisbury as Prime Minister for the first time. There was a
General Election in November, and the Liberals came back from the
polls in triumph. The Government, although in a minority, did not
resign. They decided to meet Parliament, not to put their fortune to
the test, for they knew that was hopeless, but in order to have a
Speech from the Throne in which there should be an emphatic
declaration against any attempt to disturb the legislative relations
between Great Britain and Ireland, and the session was opened in
person by Queen Victoria to show her sympathy with the
maintenance of the Union. The Speech from the Throne, as in every
instance of the opening of Parliament by the Queen since the death
of the Prince Consort, was read by the Lord Chancellor. The principal
passage, relating to the Irish situation, was as follows:

I have seen with deep sorrow the renewal, since I last addressed you,
of the attempt to excite the people of Ireland to hostility against the
Legislative Union between that country and Great Britain. I am resolutely
opposed to any disturbance of that fundamental law, and in resisting it I
am convinced that I shall be supported by my Parliament and my people.

That Gladstone was committed to Home Rule was well known at
the time, and it was hoped by the Conservatives that this declaration
would prove embarrassing to him. Five days later the Government
were defeated on an amendment to the Address in reply to the
Speech in favour of small allotments for agricultural labourers.
Gladstone once again returned to office. The new Liberal
Government accepted the Address in reply to the Speech from the
Throne, drawn up by their Conservative predecessors, only adding to
it the amendment expressing regret that there was no promise in
the Speech of legislation to enable agricultural labourers to obtain
allotments and small holdings. At that time the Address was an echo
of the Speech itself. The Sovereign was thanked, separately and
specifically, for every expression of promise, hope or regret
contained in the Speech. Here is one sentence from the Address,
agreed to by the Liberal Government, which, in view of the
introduction of the Home Rule Bill by Gladstone as Prime Minister a
few months later, is one of the curiosities of constitutional history:

We humbly thank your Majesty for informing us that your Majesty has
seen with deep sorrow the renewal, since your Majesty last addressed
us, of the attempt to excite the people of Ireland to hostility against the
Legislative Union between that country and Great Britain; that your
Majesty is resolutely opposed to any disturbance of that fundamental
law; and that in resisting it your Majesty is convinced that your Majesty
will be heartily supported by your Parliament and your People.

Sure enough, the Home Rule Bill brought in by the Prime Minister
in June was rejected by a majority of thirty.
King Edward VII opened his first Parliament on February 14, 1901,
the Unionists being in office and Lord Salisbury Prime Minister. His
Majesty said:

I address you for the first time at a moment of national sorrow, when
the whole country is mourning the irreparable loss which we have so
recently sustained, and which has fallen with peculiar severity upon
myself. My beloved Mother, during her long and glorious reign, has set
an example before the world of what a monarch should be. It is my
earnest desire to walk in her footsteps.

Of the Speeches of King George V, one of the most interesting was
that which he read at the opening of Parliament in 1914—six months
before the outbreak of the Great War—when the country was in
turmoil over the question of Home Rule and seemed to be drifting
into Civil War. One of its passages was said at the time to have been
personally written by the King, with a view to mitigating the
excesses of Party spirit. It runs:

I regret that the efforts which have been made to arrive at a solution
by agreement of the problems connected with the Government of
Ireland have, so far, not succeeded. In a matter in which the hopes and
the fears of so many of my subjects are keenly concerned, and which,
unless handled now with foresight, judgment, and in the spirit of mutual
concession, threatens grave future difficulties, it is My most earnest wish
that the good will and co-operation of men of all Parties and creeds may
heal dissension and lay the foundations of a lasting settlement.

It was the good fortune of George V to be able to announce at the
opening of the new Parliament on February 11, 1919, “the end of
the struggle between German tyranny and European freedom” and
“the dawn of a new era.” The Speech was of unprecedented length,
as well as of historic importance. One of its most striking passages
was this:

To build a better Britain we must stop at no sacrifice of interest or
prejudice to stamp out unmerited poverty, to diminish unemployment
and mitigate its sufferings, to provide decent homes, to improve the
nation’s health, and to raise the standard of well-being throughout the
community.

Never before was the question of the condition of the people
enlarged upon so emphatically and boldly in the Speech from the
Throne. His Majesty added the warning:

We shall not achieve this end by undue tenderness towards
acknowledged abuses, and it must necessarily be retarded by violence
and even by disturbance.

5
For many years the Commons went to the House of Lords in a way
that was most unseemly in answer to the message of Black Rod, to
hear the Speech from the Throne read by the Sovereign. So great
was the rush and crush at one of the earlier openings of Parliament
by Queen Victoria, that Joseph Hume, as he bitterly complained in
the House of Commons, neither saw her Majesty nor heard her
voice, although he was within touch of the Speaker as he stood at
the Bar. “I was crushed into a corner,” he said, “my head being
knocked against a post, and I might have been much injured if a
stout Member had not come to my assistance.” Dickens, who was
present at the ceremony a few years later, said the Speaker was like
a schoolmaster with a mob of unmannerly boys at his heels. “He is
propelled,” the novelist wrote, “to the Bar of the House with the
frantic fear of being knocked down and trampled upon by the rush
of M.P.’s.” In 1851 the Speaker was so pushed and hustled that his
wig was knocked awry and his robe torn. Frank Hugh O’Donnell
relates in his book on The Irish Parliamentary Party how at one
opening of Parliament in the later ’seventies he saved Disraeli from
being knocked down by squaring his shoulders and elbows to keep
off the pressure of the mob of M.P.’s from the frail person of the
Prime Minister. Disraeli sent his secretary, Montagu Corry, to thank
O’Donnell. The last time such a scene was enacted was in 1901, at
the first opening of Parliament by King Edward. Since 1902 the
Strangers’ Gallery of the House of Lords has been set apart for
Members of the House of Commons, and they are allowed access to
it before the King appears in the Chamber and Black Rod is sent to
command the attendance of the Commons at the Bar. It is a
spectacle well worth seeing—the King crowned and in his purple
robes and standing on the Throne, surrounded by his Ministers,
addressing the assembled Lords and Commons. It is the most noble
and impressive sight to be seen at Westminster.
The Speech is read in both Houses—in the Lords by the Lord
Chancellor, in the Commons by the Speaker—when they reassemble
after the ceremony of the opening of Parliament by the King. But
before this is done each House gives a first reading to a Bill, in
obedience to a Standing Order in the Lords, and in the Commons by
ancient custom. The incident escapes the attention of most Lords
and Commons, so unostentatiously is it done, and probably its
constitutional significance is lost to most of those who may chance
to notice it. In the Lords the Bill is called “Select Vestries Bill,” and in
the Commons the “Bill for the more effectual Preventing of
Clandestine Outlawries.” It may seem a matter of form, the
procedure being that the Clerk in each House simply reads the title
of his Bill, but it is meant to assert the right of Parliament to act as it
thinks fit, without reference to any outside authority, to debate
matters other than “the causes of summons” set forth in the Speech
from the Throne. Neither of these Bills is ever heard of again during
the session. The Outlawries Bill, which does service in the House of
Commons, has been preserved in the drawers of the Table since the
opening of the present Chamber in 1852. For one moment, at the
opening of each session, it is produced by the Clerk, and is seen no
more for another twelve months.
CHAPTER XVIII

DEBATE ON THE ADDRESS TO THE KING

1
The Commons hear the Speech from the Throne twice—by the
Sovereign in the House of Lords and again at its subsequent recital
in their own Chamber by the Speaker. Macaulay states in his History
that the first Speech of James II to Parliament in 1685—notable for
its extraordinary admonition to the Commons, that if they wished to
meet frequently they must treat him generously in the matter of
supplies—was greeted with loud cheers by the Tory Members
assembled at the Bar of the House of Lords. “Such acclamations
were then usual,” says the historian. “It has now been during many
years the grave and decorous usage of Parliaments to hear in
respectful silence all expressions, acceptable or unacceptable, which
are uttered from the Throne.” The recital of the King’s Speech by Mr.
Speaker to the House of Commons was unmarked by any
demonstration of Party feeling for two centuries and a quarter. But at
the opening of the last session of the Balfour Parliament, in February
1905, there was a breach of the traditional decorum, which, as a
change in parliamentary manners, is noteworthy enough to be
placed on record. The promise in the Speech of economy, “so far as
the circumstances of the case admitted,” was received with derisive
laughter on the Opposition benches, while the mention of the
“prospect” of a promised Redistribution Bill, by which Ireland was to
lose twenty-two seats, provoked loud and angry cries of defiance
from the Irish Members. Since then the reading of the Speech by the
Speaker in the Commons, whether at the opening of a new
Parliament or a new session, is usually greeted with Ministerial
shouts of approbation or Opposition cries of dissent. These Party
cheers constitute a complete acknowledgment that the King’s
Speech is the speech, not of the King, but of his Ministers.

2
In each House a motion for an Address to the King for his “most
gracious Speech” is submitted on behalf of the Government. The
proposer and seconder of the Address in each House are in uniform
or full dress. This is the only occasion, be it noted, when a Member,
whether of the Peerage or of the Commons, is permitted to appear
in Parliament otherwise than in civilian clothes, a rule which,
probably in the history of Parliament, was suspended only during the
Great War, when many Members wore khaki. The uniforms of the
Militia or Yeomanry are much affected, and, failing the commission
to wear them, Court costume or levee dress is the rule. Another
order, which prohibits Members of either House from “carrying a
lethal weapon,” is also suspended for the occasion in favour of the
sword of the soldier or courtier. There is, however, one instance of
the Address having been seconded by a Member who wore no
costume of ceremony. That was when Charles Fenwick, the Labour
representative, at the opening of the first session of the Liberal
Parliament of 1893-95, discharged that function in his ordinary
everyday clothes.
In March 1894 the same Liberal Administration being in office—
save that Lord Rosebery had succeeded Gladstone as Premier—an
amendment to the Address moved by Labouchere, Member for
Northampton, hostile to the House of Lords, was carried against the
Government by the narrow majority of two—147 votes to 145. It
declared “that the power now enjoyed by persons not elected to
Parliament by the possessors of the parliamentary franchise to
prevent Bills being submitted to your Majesty for your Royal approval
shall cease,” and expressed the hope that “if it be necessary your
Majesty will, with and by the advice of your responsible Ministers,
use the powers vested in your Majesty to secure the passing of this
much-needed reform.” The method suggested by Labouchere was
the creation of 500 peers who would be willing to carry through the
House of Lords a Bill for the abolition of that Chamber and
themselves. Sir William Harcourt, Chancellor of the Exchequer and
Leader of the House of Commons, declined to treat the reverse as a
vote of censure, or to add the amendment to the Address. “The
Address in answer to the Speech from the Throne,” said he, “is a
proceeding for which her Majesty’s Government make themselves
responsible—responsible as the representatives of the majority in
the House of Commons from whom that Address proceeds. I think
that is a clear constitutional principle which nobody will be disposed
to dispute. The Government could not present to the Sovereign in a
formal manner a document of which they are not prepared to accept
the entire and immediate responsibility.” He concluded by inviting the
House to negative the amended Address, and to adopt a new
Address, which simply assured her Majesty “that the measures
recommended to our consideration shall receive our most careful
attention.” This motion was seconded by John Morley.
The fact that neither of these Ministers wore Court dress or
uniform led that humourist, Colonel Saunderson, Member for North
Armagh, to indulge in a characteristic joke. Rising to a point of order,
he asked the Speaker whether it was not contrary to the immemorial
practice of the House for the mover of the Address to appear
without the uniform befitting his rank? If, he continued, the Speaker
should answer that question in the affirmative, he would move the
adjournment of the House for twenty minutes, so as to give the
Chancellor of the Exchequer an opportunity of arraying himself in
garments suitable to the occasion. The Speaker took no notice of the
question, for, of course, it was not seriously intended. What Colonel
Saunderson wanted was a laugh, and that he got in the fullest
measure. The incident, unprecedented in parliamentary history,
ended with the unanimous adoption of the new Address.
Another strange thing happened in relation to the Speech from the
Throne at the opening of a new session on February 12, 1918. I was
in the Reporters’ Gallery of the House of Lords when the Lord
Chancellor read the Speech at the reassembling of the House after
the opening ceremony by the King. As he was reading the
document, Lord Curzon, Leader of the House, handed him a slip of
paper. The Lord Chancellor then said that the following passage had
been accidentally omitted from the printed copy of the King’s
Speech, which was supplied to him and distributed to their lordships:

I have summoned representatives of my Dominions and of my Indian
Empire to a further session of the Imperial War Cabinet in order that I
may again receive their advice on questions of moment affecting the
common interests of the Empire.

It had also been omitted, by some oversight, from the copy of the
Speech given by the Lord Chancellor to the King to read from the
Throne. Attention was called to the matter in the House of
Commons. The Member for Carlisle, Mr. Denman, pointed out that
this paragraph was to be found in the Lords’ record of the King’s
Speech, but not in the record of the King’s Speech printed in the
Votes and Proceedings of the Commons. He thought it desirable that
the records of both Houses as to what was actually contained in the
King’s Speech should be identical. The Speaker, Mr. Lowther, said the
hon. Member seemed to want him to put into the mouth of the King
words which his Majesty did not use—a remark that was received
with laughter. He explained that the copy of the Speech which he
had read to the Commons had been supplied to him by the Home
Secretary, and he assumed it to be accurate. It was brought to his
notice afterwards that the copy of the Speech which he had read did
not correspond with the copy which had been read by the King, and
therefore he caused the official record to be amended so as to
correspond exactly with the actual Speech which his Majesty had
read from the Throne.

3
It is a compliment to be invited to move or second the motion for
the Address in reply to the Speech. Young Ministerialists of promise
in the House of Commons are generally selected for the distinction.
As a rule, one represents an urban and the other a rural
constituency; one is associated with agriculture and the other with
trade. The debate which follows is always of interest, and usually is
a good test of the debating quality of the House. The Opposition
give battle to the Ministerialists. The policy of the Government is
attacked along the whole line in a series of amendments to the
Address.
In former times the Address—as I have already mentioned—used
to be an elaborate answer to the Speech, paragraph by paragraph,
expressing approval of its every declaration, and thanking the
Sovereign in each instance for the great condescension and wisdom
of his words. This practice was abandoned owing to the waste of
time it involved, and for many years the Address has assumed a
more simple and rational form. From the Commons it consists of a
simple resolution in the following terms:

That a humble Address be presented to his Majesty, as followeth:

Most Gracious Sovereign,—We, your Majesty’s most dutiful and loyal
subjects, the Commons of the United Kingdom of Great Britain and
Ireland in Parliament assembled, beg leave to thank your Majesty for the
most gracious Speech which your Majesty has addressed to both Houses
of Parliament.

The Addresses from the Lords and Commons, in reply to the
Speech, were at one time presented to the Sovereign at Buckingham
Palace, nominally by “the whole House” in each case, but really by
the Lord Chancellor for the Lords and by the Speaker for the
Commons, each being attended by the proposer and seconder and a
few of the Ministers in either House. All the Members of each House,
however, were supposed to have the privilege of “free access” to the
Throne on these occasions; and, moreover, they might, if they so
pleased, enter the presence of the Sovereign in ordinary attire,
instead of in the regulation gold-braided coat and knee-breeches.
The ceremony of presenting the Address by the whole House is now
obsolete. The course which has been followed in recent years is that
the Addresses are presented by two Ministers who are members of
the Royal Household. These Ministers also bring back to both Houses
the King’s acknowledgment of the Addresses.
A message from the Crown, or, as it is styled officially, “a message
under the Royal sign-manual,” is presented to both Houses with
some ceremony. In the Lords, the Lord Steward of the Household,
wearing his official uniform, holding a white wand in one hand and a
roll of parchment in the other, rises in his place at an opportune
moment and announces that he has a message from the King. He
then hands his roll of parchment to the Lord Chancellor, who reads it
to the House. In the Commons the incident is perhaps a little more
picturesque. The Comptroller of the Household appears at the Bar
unannounced. Unlike the incursions of “Black Rod” from the House
of Lords, who is always heralded by the loud cry of the door-keeper,
and must knock at the door to obtain admittance, the Royal
Messenger who brings the King’s acknowledgment of the Address
has free entry to the House. He comes in, without fuss or noise,
and, his duty discharged, is allowed to depart silently and in peace.
Standing at the Bar, in his dark uniform relieved by a liberal display
of gold braid and gilt buttons, and carrying his long white wand, he
announces to the House—the Speaker standing and the Members
uncovering while the Message from the King is being delivered—that
he brings his Majesty’s most grateful thanks for the Address from his
faithful Commons. Then advancing to the Table, he hands the
document to the Clerk, and it is passed on to the Speaker, by whom
it is read to the House. The Comptroller of the Royal Household
retires, stepping backwards, bowing to the Chair, until the Bar is
reached, when, turning round, he disappears through the swing-
doors. But this happens a week or more after the Address has been
adopted, and the work of Parliament has begun in real earnest.
CHAPTER XIX

THE SERJEANT-AT-ARMS

1
“Order, order!” These are the words that are most frequently heard
in the House of Commons. They run like a refrain, appealing,
warning, and, at times, even menacing, through the babble and
confusion of the Party conflict. “Order, order!” Members shout at
each other with bitterness and defiance across the floor. “Order,
order!” cries Mr. Speaker, when he observes any breach of decorum
or rises to intervene in an altercation.
A conspicuous object in the House of Commons is a large armchair
of heavy oak, upholstered in dark green leather, at the Bar, raised a
few feet above the level of the floor, just inside the swing-doors of
the main entrance to the Chamber. It is the Serjeant-at-Arms’ chair.
The Serjeant-at-Arms is the chief executive officer of the House of
Commons. He it is who is charged with the duty of preserving
decorum in the Chamber and its precincts, of executing the warrants
of the House against persons it has adjudged guilty of breaches of
its privileges or contempt of its dignity; and it is he who backs with
force, when force is necessary, the “Order, order!” of Mr. Speaker. He
sits in his chair, facing the Speaker, picturesquely clad in a black
cutaway coat, open at the breast to show the daintiest of ruffles in
the whitest of cambric (of which fops in the times of the Georges
were so fond), knee-breeches, black silk stockings, and shoes with
silver buckles; and, as the symbol of the power and authority of his
office, a rapier in its scabbard is girt to his side. His voice is very
rarely heard in the House. It is seldom necessary for the Speaker to
give him an order in words, and a reply or explanation from him is
scarcely ever needed.
The Serjeant-at-Arms is appointed by the King personally. An
officer of his Majesty’s Forces—alternately soldier and sailor—usually
gets the position. He is styled “Serjeant-at-Arms in Ordinary to his
Majesty,” and his duty is, as described in the patent of his
appointment, “to attend upon his Majesty when there is no
Parliament, and for the time of every Parliament to attend upon the
Speaker of the House of Commons.” He has a salary of £1,200 and
an official residence in the Palace of Westminster. The Deputy
Serjeant-at-Arms, who, wearing the same official dress as the
Serjeant-at-Arms, takes turns at sitting on guard in the big chair at
the Bar, has a salary of £800 a year, and also lives in the Palace rent
free. There is also an assistant Serjeant-at-Arms, who usually
attends to the administrative work of the office outside the Chamber.
He has £500 a year and £150 as an allowance for a house. The
department of the Serjeant-at-Arms costs about £14,000 a year, for,
in addition to his deputy and assistant, there are also two door-
keepers and eighteen messengers (recognized by their brass chains
and badges of Mercury), who are his first reserves in the
maintenance of order in the House.
It is not alone to “strangers” who have offended the dignity and
majesty of the House of Commons that the Serjeant-at-Arms is an
awe-inspiring personage. Even the representatives of the people
may have occasion to shiver at the dread touch of his hand on their
shoulder. Of the large number of new Members returned at a
General Election few are probably aware of the fact (which, indeed,
is not generally known even to old Members) that the Clock Tower
contains a suite of rooms for the confinement of representatives who
may be pronounced guilty by the House of some serious breach of
its privileges or some outrage on its decorum. A Member of
Parliament arrested on the warrant of the Speaker was formerly
sent, like strangers guilty of breaches of privilege, to Newgate or to
the Tower. But in the building of the Palace of Westminster prison
accommodation was specially provided for Members and strangers
committed by the House to the custody of the Serjeant-at-Arms.
The prison of the House of Commons is not, however, a dungeon
vile, deep down below the vaults of the Palace, a dark and slimy
place into which the light of day never enters. It is situated about
half-way up the Clock Tower, and under the home of that popular
London celebrity, Big Ben, probably the best known clock in the
whole world. There are two suites of apartments, each consisting of
two bedrooms—one for the prisoner and the other for one of the
Serjeant-at-Arms’ messengers, who acts as gaoler—and a sitting-
room. There is, therefore, accommodation for two prisoners and two
gaolers in the Clock Tower, which so far has been found more than
sufficient.
Access to these rooms is obtained only through the residence of
the Serjeant-at-Arms, who is responsible for the safe keeping of a
prisoner of Parliament. Their windows command a view of the
Thames and Westminster Bridge on one side and of Palace Yard on
the other. Imprisonment under any conditions is, perhaps, an
undesirable position, but it must be said that in the Clock Tower it is
deprived of all its terrors and most of its inconveniences. The
prisoner may rise when he pleases; his meals are supplied from the
catering department of the House of Commons, and he can have
what he likes—at his own expense. After breakfast he is allowed an
hour’s recreation on the terrace, accompanied by his gaoler and a
police-officer in plain clothes, and he may take the air also in the
evening. Should his term of imprisonment extend over Sunday, he
may attend service in St. John’s Church, close to the Palace of
Westminster, to which he is accompanied by his guards.
The practice of the House of Commons, in recent times, was to
commit a person guilty of any violation of its privileges to the
custody of the Serjeant-at-Arms, to be detained during its pleasure.
The imprisonment generally continued until the prisoner expressed
contrition for his offence, or the House in its mercy resolved that he
be discharged. But before he was free to go he had to pay a
substantial fee to the Serjeant-at-Arms for locking him up and seeing
that he did not escape. The House, however, has no power to keep a
person in custody during its recess. If, therefore, the confinement
should last until the prorogation of Parliament, he may not only
claim his release but decline to make good the Serjeant-at-Arms’ bill
of costs. The last occupant of the prison was Charles Bradlaugh, the
Member for Northampton. His confinement for twenty-four hours, in
1880, was an episode in his long contest with the House of
Commons over his claim to be allowed, as an atheist, to take his
seat without having to use, in the oath of allegiance, the expression,
“So help me, God!” Bradlaugh, in a conversation about his prison
experiences, stated that while the rooms were comfortable, and the
confinement by no means irksome, the noisy passage of time as
recorded by Big Ben in booming the quarters and the hours at night
allowed him but little sleep.

2
Contumacy on the part of a Member nowadays would hardly be
visited by imprisonment. Among the expressions which are
considered out of order are treasonable or seditious words, the use
of the Sovereign’s name offensively, or, with a view to influence
debate, disparaging references to the character and proceedings of
Parliament, personal attacks on Members, allusions to matters
pending judicial decision in the courts of law, and insulting
reflections on Judges or other persons in high authority. The
Speaker, or the Chairman of Committees, has also the power, after
having called attention three times to the conduct of a Member who
persists in irrelevance, or in tedious repetition, to direct him to
discontinue his speech. If a Member’s conduct is grossly disorderly,
or if he refuses to apologize for an unparliamentary expression, the
Speaker or Chairman orders him to withdraw immediately from the
House and its precincts for the remainder of the sitting, and should
he refuse to leave he may be forcibly removed by the Serjeant-at-
Arms and his messengers. If suspension for the remainder of the
sitting be deemed by the Speaker an inadequate punishment for the
breach of order, the offending member may be named. The Speaker
simply says, “I name you, James Thomas Millwright.” The motion of
suspension which follows the naming of a Member is moved by the
Leader of the House or, in his absence, by another Minister. It is
simply and briefly worded, to this effect: “I beg to move that James
Thomas Millwright, Member for Little Peddlington, be suspended
from the service of the House.” It is put to the House immediately,
no amendment or debate, or even an explanation by the offending
Member, being allowed. If the offence has been committed in
Committee, the proceedings are at once suspended, the Speaker is
sent for, the House resumes, and the Chairman reports the
circumstances. The motion of suspension is then moved by the
Minister and put by the Speaker. The Member thus suspended must
forthwith quit the precincts of the House, a term officially interpreted
as “the area within the walls of the Palace of Westminster.” It will be
noticed that the period of suspension is not mentioned in the
motion. Formerly, the Standing Orders provided that for the first
offence it was to be one week, for the second a fortnight, and for
each further offence one month. But by amendments to the Orders
made in February 1902 the suspension continues in force till the end
of the session, unless previously rescinded. Suspension involves the
forfeiture of the right of entry to the lobby, the smoking-room and
dining-room, the library, the terrace, and indeed to any portion of
the Palace; but it does not exempt the Member from serving on any
committee for the consideration of a Private Bill to which he has
been appointed, and that is considered an additional hardship.
If too large a number of Members to be coped with effectively by
the force at the command of the Serjeant-at-Arms should disregard
the authority of the Chair, the Speaker, by powers vested in him in
February 1902, may forthwith adjourn the House. The new Standing
Order was designed to cope with such a scene of disorder as that
which occurred a short time previously, when a force of police was
brought into the Chamber by Mr. Speaker Gully to remove some Irish
Members who, as a protest against being closured in debate, refused
to take part in the division that was challenged on the question
under discussion. “In the case of grave disorder arising in the
House,” it runs, “the Speaker may, if he thinks it necessary to do so,
adjourn the House without question put, or suspend any sitting for a
time to be named by him.” In other words, the Speaker can turn out
the lights and the reporters, leaving the disorderly Members to cool
their anger in privacy and in darkness.
The House has also the power of expulsion. This punishment is
resorted to only in the case of a Member guilty of a gross criminal
offence. Strangely enough, it does not disqualify for re-election, if
the expelled Member could persuade a constituency to accept him.
But to name a Member is the highest coercive authority vested in
the Speaker for dealing with disorderly conduct in the House. It
should be a very grave breach of the privileges of the House, or very
indecorous conduct within its walls, that nowadays would land a
Member in the prison of the Clock Tower.
But to see the Serjeant-at-Arms in all his glory one must have the
good fortune to be present on one of those rare occasions when
some outside violator of the privileges of the House is brought to the
Bar for judgment. Parliament can itself redress its wrongs and
vindicate its privileges. It acknowledges no higher authority. It has
the power summarily to punish disobedience of its orders and
mandates, indignities offered to its proceedings, assaults upon the
persons or reflections upon the characters of its Members, or
interference with its officers in the discharge of their duties. The
Serjeant-at-Arms can arrest, under the warrant of the Speaker
issued by order of the House, any person anywhere within the limits
of the kingdom. In the execution of the warrant he can call on the
aid of the civil power. If he thinks it necessary, he can even summon
the military to his assistance. He can break into a private residence
between sunrise and sunset, if he has reason to suspect that the
person he is in search of is inside.
The most famous case of house-breaking in execution of a
warrant of the Commons was the forcible entrance into the
residence of Sir Francis Burdett, in Piccadilly, by the Serjeant-at-
Arms, supported by police and military, and the arrest of the Radical
Member for Westminster and his commitment to the Tower. Burdett
was pronounced guilty of a breach of privilege in April 1810 by
declaring in a letter to his constituents that the Commons had
exceeded their powers in sending to prison John Gale Jones, the
revolutionary orator, and an order for his commitment to the Tower
was carried by a Majority of 38—190 against 152. Burdett barricaded
his house against the Serjeant-at-Arms. An entrance was effected by
climbing the area railings and breaking open the area door. The
Serjeant-at-Arms found Burdett in the drawing-room upstairs. “Sir,”
said Burdett, “do you demand me in the name of the King? In that
case I am prepared to obey.” “No, sir,” replied the Serjeant-at-Arms,
“I demand you in the name and by the authority of the Commons of
England.” Burdett protested that the law of the land was being
violated, but he was carried off and lodged in the Tower. An action
which he afterwards brought against the Speaker for false
imprisonment failed on the ground that the Commons are the
supreme guardian of its own privileges and upholder of its authority.
Neither does any suit lie against the Serjeant-at-Arms. Arising out of
proceedings brought in 1884 by Charles Bradlaugh for assault
against the Serjeant-at-Arms in having him removed by force from
the House of Commons, Lord Chief Justice Coleridge laid it down
that the Serjeant-at-Arms was not liable for damages in the
execution of his duty, and that the court had no jurisdiction over
him.

3
The Serjeant-at-Arms brings his prisoner to the House of
Commons. A brass rod is pulled out from the receptacle in which it is
telescoped at the Bar, and stretched across the line which marks the
technical boundary of the Chamber. The fixing of that glittering rod
is almost as fearfully thrilling as the putting on of the black cap by
the Judge to impose the sentence of death, and I have seen both
spectacles. Behind the rod stands the prisoner. To his right is the
Serjeant-at-Arms, carrying the glittering Mace on his shoulder. At the
other end of the Chamber, standing on the dais of the Chair, is Mr.
Speaker in his flowing silk gown, his face sternly set under his huge
wig—an awful figure indeed—delivering in the weightiest words he
can command, amid the dramatic hush of the crowded Chamber, the
sentence or reprimand of the House on the scorner or violator of its
ancient privileges. On such occasions, the Mace being off the table,
no Member can address the House. It would be out of order for a
Member to put a question direct to the prisoner at the Bar. If
therefore a Member desires to put such a question he must write it
down and submit it to the Speaker, who alone has then the right of
speech.
In former times the prisoner at the Bar was compelled to kneel
down while the Speaker delivered the sentence or censure of the
House. In February 1751 a Scottish gentleman named Alexander
Murray (brother of the Master of Elibank), having, in the course of a
contested election at Westminster, under the very shadow of the
House, spoken disrespectfully of the authority of that august
assembly, was brought to the Bar in custody. But so unimpressed
was he by the crowded benches, by Mr. Speaker Onslow in wig and
gown, by the Serjeant-at-Arms with the Mace on his shoulder, that
he flatly declined to kneel, though the Speaker sternly roared at him,
“Your obeisance, sir! You forget yourself! On your knees, sir!” “Sir,”
said Murray, “I beg to be excused; I never kneel but to God.” “On
your knees, sir!” again cried the Speaker. “Your obeisance—you must
kneel.” But down on his knees Murray stoutly declined to go. “That,”
said he, “is an attitude of humbleness which I adopt only when I
confess my sins to the Almighty.” The House declared that this
obstinacy aggravated his original offence. “Having in a most insolent,
audacious manner, at the Bar of the House, absolutely refused to go
upon his knees,” so ran the resolution of the House, “he is guilty of a
high and most dangerous contempt of the authority and privileges of
this House.” Murray was committed to Newgate, and so close was
his confinement that he was denied the visits of friends and the use
of pen, ink and paper. Committal to prison by Parliament lapses, as I
have said, at the end of the session. That being so, when Parliament
was prorogued the doors of Murray’s prison had to be flung open.
The House of Commons, however, was not satisfied that three or
four months’ incarceration had adequately purged the Scotsman of
his impudent offence. It has power to re-arrest when Parliament
meets again. Accordingly, in the new session a fresh warrant for
Murray’s committal was made out, and the Serjeant-at-Arms went to
his house to arrest him; but he had fled, and though a reward of
£500 was offered for his discovery, he was never captured.
Twenty years afterwards the custom requiring prisoners to kneel
at the Bar was abolished. The last prisoner to suffer this indignity
was a journalist—Mr. Baldwin, the publisher of The St. James’s
Chronicle. On March 14, 1771, he was arrested for publishing a
report of the proceedings of the House, and was compelled to
prostrate himself abjectly at the Bar while the Speaker scolded him
for having dared to inform the electors of the doings of their
representatives in Parliament. In 1772 a Standing Order was passed
—inspired, as John Hatsell, the Clerk of the House, ingenuously
suggests, by “the humanity of the House”—by which it was ordered
that in future delinquents should receive the Speaker’s judgment
standing. Perhaps the House was moved to take this action by the
cutting irony of a remark made by Baldwin. On rising from his knees,
after being censured, he said, as he brushed the dust from his
clothes, “What a damned dirty House!” Perhaps the House preferred
to allow culprits to stand at the Bar rather than run the risk, by
making them kneel, of exposing its majestic self any longer to such
ridicule.
The peers, however, have never formally renounced this custom
by Standing Order. Warren Hastings was obliged to kneel at the Bar
of the House of Lords on being admitted to bail, in 1787, on his
impeachment; and again, at the opening of his trial in the following
year, he remained on his knees until directed to rise by the Lord
Chancellor. “I can,” he afterwards wrote, half pathetically and half
indignantly, “with truth affirm that I have borne with indifference all
the base treatment I have had dealt to me—all except the
ignominious ceremonial of kneeling before the House.” Even on
being called to the Bar to hear his acquittal announced by the Lord
Chancellor, eight years subsequently, he had to undergo the same
humiliating ordeal. But the Lords have not for many years now
required a prisoner at the Bar to kneel.

4
Persons of all sorts and descriptions, as the Journals of the House
show, have stood at the Bar of the Commons not only for
disobedience of the orders of the House, for indignities offered to it,
for insults to Members, for reflections on their character and conduct
in Parliament, for interference with the officers of the House in the
discharge of their duties, but also to give evidence in inquiries
instituted by the House, to plead some cause, or to receive the
thanks of the House for services to the State. In each case the
Serjeant-at-Arms, with the Mace on his shoulder, was a prominent
figure in the scene. Samuel Pepys stood at the Bar to defend himself
against charges of dereliction of duty as registrar of the Navy Board.
To fortify himself for the ordeal he drank at home a half-pint of
mulled sack, and just before being called to the Bar he added a
dram of brandy. So completely did he answer the accusations that
he and his fellow-officials were acquitted of all blame. Titus Oates,
the perjurer, stood there to relate the particulars of his Popish Plot.
Dr. Sacheverell, the Jacobite divine, stood there in 1709 to answer
the charge of preaching “a scurrilous and seditious libel” in St. Paul’s
Cathedral—that famous sermon in which he asserted that it was
sinful for subjects to resist the authority of the King. Wellington sat
on a chair, set for him within the Bar, in 1814, to receive the thanks
of the House of Commons for his services in the Peninsular
campaign. Mrs. Clarke, the discarded mistress of the Duke of York,
appeared there in 1809, to give evidence in support of the charge
brought against his Royal Highness of having, as Commander-in-
Chief, corruptly bartered in the sale of Army Commissions, an
accusation that was declared not proven, though it led to the Duke’s
resignation. Warren Hastings stood there as a witness, close on
thirty years after his impeachment. Members cheered him on his
appearance, and when he retired they rose and uncovered. Daniel
O’Connell, the first Roman Catholic elected to Parliament since the