Glossary
- access control list (ACL)
- In computer security, a list associated with an object that identifies all the subjects that can access the object and their access rights.
- access control groups
- Groups to be used for access control. Each group contains a multivalued attribute consisting of member DNs. Access control groups have an object class of 'AccessGroup'.
- access permissions
- There are two sets of access permissions:
- Permissions that apply to an entire object
- Permissions that apply to attribute access classes or individual attributes.
- aclEntry
- A multivalue attribute that contains information pertaining to the access allowed to the entry and its attributes. An aclEntry lists the following types of information: who has rights to the entry (scope of the protection), what attributes or classes of attributes the user has access to (attribute access classes), and what rights the user or group has (permission).
- aclPropagate
- The attribute that controls ACL propagation. If the value is set to true, ACLs are propagated down the hierarchy tree. If the value is set to false, the ACL becomes an override, pertaining only to this particular object.
- aclSource
- A read only operational attribute that is associated with each object. This attribute contains the distinguished name (DN) of the entry in which the access control list (ACL) is defined.
- Advanced Encryption Standard (AES)
- A symmetric block cipher, standardized by NIST in FIPS 197, that improved upon and officially replaced the Data Encryption Standard (DES).
- alias
- A pointer to another directory object. Aliases can be used within LDAP to reference entries anywhere within the directory tree.
- attribute access class
- Class that consists of attributes that require similar permission for access. Attributes are assigned to an access class within the schema files. The user-modifiable access classes are normal, sensitive, critical, and restricted. An additional class of system is not user-modifiable.
- bulkload
- A command line utility that is used for bulk-loading large amounts of data in LDIF format.
- cascading replication
- A replication topology in which there are multiple tiers of servers. A peer/master server replicates to a small set of read-only servers which in turn replicate to other servers. Such a topology off-loads replication work from the master servers.
- cipher
- A cryptographic algorithm that transforms plaintext into ciphertext; the ciphertext is unreadable until it is converted back to plaintext with the corresponding key.
- CipherSpec
- The combination of encryption algorithm and hash function applied to an SSL message after authentication completes.
- cipher specifications
- Specifications that indicate the data encryption algorithm and key size to use for secure connections.
- cipher suite
- The combination of authentication, key exchange algorithm, and the Secure Sockets Layer (SSL) cipher specification used for the secure exchange of data.
- consumer server
- A server which receives changes through replication from a supplier server.
- digital signature
- A value computed over a message or object (normally over its hash) with the signer's private key and appended to the message or object to assure the recipient of its authenticity and integrity. The digital signature proves that the message or object was signed by an entity that holds the private key, and anyone with the corresponding public key can verify it. A keyed checksum computed with a shared-secret symmetric key (a MAC) also protects integrity between the two parties that share the key, but it is not a digital signature, because either party could have produced it. Digital signatures are used for authentication and integrity assurance of digital data.
- directory schema
- The valid attribute types, object classes, matching rules and syntaxes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes must be present, and which attributes may be present for specific object classes.
- directory server instance
- A directory server instance is comprised of all of the nonexecutable files that are required for a directory server and its corresponding administration daemon to run on a machine. These files include the ibmslapd.conf file, the schema files, the stash files, and the log files of the directory server instance. Each server instance and its corresponding administration daemon listens on a unique port with the same IP address.
- distinguished name (DN)
- The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute=value pairs (the RDNs), separated by commas, with the entry's own RDN first and the suffix last.
- dynamic group
- A group that is defined using a search expression. A directory entry that matches the search expression is automatically a member of the group.
- DMS (Database Managed Space)
- A tablespace where the database manager controls the storage space.
- entryOwner
- An attribute whose value can refer to a user or a group. Each entry has an associated entryOwner attribute, and the entryOwner subject has all authority to the entry.
- Forwarding server
- A read-only server that replicates all changes sent to it. This contrasts to a peer/master server in that it is read only and it can have no peers.
- Gateway server
- A server that forwards all replication traffic from the local replication site where it resides to other Gateway servers in the replicating network. It also receives replication traffic from other Gateway servers within the replication network, which it forwards to all servers on its local replication site. Gateway servers must be masters (writable).
- group
- A logical organization of users based on some common criteria. Groups can be used in specifying a common set of directory access permissions.
- hashing algorithm
- The one-way function used by the anonymizer to map a value to a fixed-length, cryptographically irreversible hash value from which the original value cannot be recovered.
- iKeyman
- A GUI tool for maintaining digital certificates and key files for SSLight and JSSE. iKeyman creates public-private key pairs and certificate requests, receives the issued certificates into a key database, and manages the keys in that key database.
- indexing rules
- Index rules attached to attributes make it possible to retrieve information faster. The IBM® Security Directory Server provides the following indexing rules:
- Equality
- Approximate
- Substring
- Reverse
- ldapadd
- The LDAP add-entry tool. ldapadd is implemented as a renamed version of ldapmodify, the shell-accessible interface to the ldap_modify and ldap_add library calls; when invoked as ldapadd, the -a (add new entry) flag is turned on automatically.
- ldapdelete
- The LDAP delete-entry tool. ldapdelete is a shell-accessible interface to the ldap_delete library call. ldapdelete opens a connection to an LDAP server, binds, and deletes one or more entries. If one or more dn arguments are provided, the entries with those distinguished names (DNs) are deleted. Each DN should be a string-represented DN.
- ldapmodify
- The LDAP modify-entry and add-entry tool. ldapmodify is a shell-accessible interface to the ldap_modify and ldap_add library calls. ldapadd is implemented as a renamed version of ldapmodify; when invoked as ldapadd, the -a (add new entry) flag is turned on automatically.
- ldapmodrdn
- The LDAP modify-RDN tool. ldapmodrdn is a shell-accessible interface to the ldap_modrdn library call. ldapmodrdn opens a connection to an LDAP server, binds, and modifies the RDN of entries. The entry information is read from standard input, from a file through the use of the -f option, or from the DN and RDN pair given on the command line.
- ldapsearch
- The LDAP search tool. ldapsearch is a shell-accessible interface to the ldap_search library call. ldapsearch opens a connection to an LDAP server, binds, and performs a search using the specified filter. The filter should conform to the string representation for LDAP filters (RFC 4515); values taken from untrusted input must be escaped before they are placed in a filter, or the input can change the meaning of the search.
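The escaping rule that the ldapsearch entry relies on, as an added example (this is not code from the IBM Security Directory Server utilities or from the original page). RFC 4515 requires the characters `*`, `(`, `)`, `\` and NUL inside an assertion value to be written as a backslash followed by two hex digits; the hostile uid below and the `inetOrgPerson`/`uid` filter shape are constructed for the example.

```python
"""Escape untrusted values before placing them in an LDAP search filter.

Added example for this glossary; it is not code from IBM Security Directory
Server or its ldapsearch utility. The filter string syntax is RFC 4515;
the characters *, (, ), backslash and NUL inside an assertion value must be
written as a backslash followed by two hex digits, otherwise user input
can rewrite the filter (LDAP injection). The hostile input below is
constructed for the example.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return `value` escaped for use as an LDAP filter assertion value."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: escape every UTF-8 byte, as RFC 4515 allows.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def uid_filter(uid: str) -> str:
    """Filter matching exactly the user whose uid equals `uid`."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


def naive_uid_filter(uid: str) -> str:
    """The injection-prone version: interpolates the value unescaped."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def is_single_filter(flt: str) -> bool:
    """True if `flt` is one balanced parenthesised filter.

    Raw parentheses are structural; escaped ones (\\28, \\29) are data and
    are not counted. A filter that closes to depth 0 before its last
    character has been split into two filters, the hallmark of injection.
    """
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0


if __name__ == "__main__":
    hostile = "*)(uid=*))(|(uid=*"  # constructed attacker-controlled uid
    for build in (naive_uid_filter, uid_filter):
        flt = build(hostile)
        print(f"{build.__name__:17} single filter={is_single_filter(flt)}  {flt}")
```

Run stand-alone, the naive builder yields a string that closes the outer `(&...)` early and appends a second filter, while the escaped builder yields one filter whose uid value happens to contain `\2a` and `\29` as literal characters.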
- LDAP Data Interchange Format (LDIF)
- A format used by the LDAP import-export tools as well as ldapmodify, ldapadd, and ldapsearch command-line utilities to represent LDAP entries or changes to entries in a standard portable text form. See RFC 2849.
- ldif2db
- This program is used to load entries specified in text LDAP Directory Interchange Format (LDIF) into a directory stored in a relational database. The database must already exist. ldif2db can be used to add entries to an empty directory database or to a database that already contains entries.
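A reader for the LDIF format that ldapadd, ldapmodify and ldif2db consume, as an added example (not code from IBM Security Directory Server or from the original page). It covers the parts of RFC 2849 that hand-rolled parsers usually get wrong: folded continuation lines, base64 values marked by `::`, comments, the optional `version:` line, and `changetype: modify` records whose operations are separated by `-` lines. The sample LDIF is constructed for the example.

```python
"""Minimal LDIF (RFC 2849) reader for content and change records.

Added example for this glossary; it is not code from IBM Security Directory
Server or its ldif2db and ldapmodify utilities. It handles folded
continuation lines, base64 values marked by '::', comments, the optional
'version:' line, and 'changetype: modify' records whose operations are
separated by '-' lines. The sample LDIF is constructed for the example.
"""
import base64

SAMPLE_LDIF = """\
version: 1
# content record: no changetype, so ldapadd/ldif2db treat it as an add
dn: cn=John Doe,ou=Test,o=sample
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
description:: Sm9obiBpcyBhIHRlc3QgdXNlcg==
mail: jdoe@example.com

# change record: one add and one replace, separated by '-'
dn: cn=John Doe,ou=Test,o=sample
changetype: modify
add: mail
mail: john.doe@example.com
-
replace: description
description: updated via
  ldapmodify
-

dn: cn=Old Entry,ou=Test,o=sample
changetype: delete
"""


def _unfold(text):
    """Join continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_attr(line):
    """Split 'name: value' or 'name:: base64' into (name, decoded value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    if rest.startswith("<"):
        raise ValueError(f"URL-valued attribute not supported: {line!r}")
    return name, rest.lstrip()


def _parse_modify(lines):
    """Turn 'add|delete|replace: attr', values, '-' groups into (op, attr, values)."""
    changes, current = [], None
    for line in lines:
        if line == "-":
            current = None
            continue
        name, value = _split_attr(line)
        if current is None:
            if name not in ("add", "delete", "replace"):
                raise ValueError(f"unexpected line in modify record: {line!r}")
            current = (name, value, [])
            changes.append(current)
        else:
            current[2].append(value)
    return changes


def _parse_record(lines):
    if lines[0].startswith("version:"):
        lines = lines[1:]
    if not lines:
        return None
    name, dn = _split_attr(lines[0])
    if name != "dn":
        raise ValueError(f"record must start with dn:, got {lines[0]!r}")
    record = {"dn": dn, "changetype": "add", "attrs": {}, "changes": []}
    body = lines[1:]
    if body and body[0].lower().startswith("changetype:"):
        record["changetype"] = _split_attr(body[0])[1]
        body = body[1:]
    if record["changetype"] == "modify":
        record["changes"] = _parse_modify(body)
    else:
        for line in body:  # content record (add) or a delete record
            name, value = _split_attr(line)
            record["attrs"].setdefault(name, []).append(value)
    return record


def parse_ldif(text):
    """Return a list of records; blank lines separate records, '#' lines are comments."""
    records, block = [], []
    for line in _unfold(text) + [""]:
        if line == "":
            if block:
                record = _parse_record(block)
                if record:
                    records.append(record)
                block = []
        elif not line.startswith("#"):
            block.append(line)
    return records


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        print(rec["changetype"], rec["dn"], rec["attrs"] or rec["changes"])
```

Note that a folded value keeps only the characters after the continuation line's first space, so a value that should contain a space at the fold point is written with two leading spaces, as `description` above is.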
- matching rule
- A rule that describes how to perform a comparison.
- multiple values
- Multiple values are used to assign more than one value to an attribute. The attribute can have multiple values, for example, to accommodate a maiden and married last name. To add multiple values to an attribute, click Multiple values, then add one value per line. If an attribute contains multiple values, the field displays as a drop-down list.
- nested group
- A child group entry whose distinguished name (DN) is referenced by an attribute contained within a parent group entry. The ibm-membergroup attribute has been defined to explicitly distinguish nested groups from ordinary members.
- nested subtree
- A subtree within another subtree of the directory.
- object class definition
- Statement that specifies which attributes must be present in an object of that class, as well as attributes that might be present. Every entry contains an objectClass attribute that identifies what type of information the entry contains.
- object class types
- Object classes can be structural, for example, person; abstract, for example, top; or auxiliary, for example, ePerson.
- ownerPropagate
- The attribute that controls directory object ownership propagation. If the value is set to true, directory object ownership is propagated down the hierarchy tree. If that attribute is set to false, the entry owner specified is an override, pertaining only to this particular entry.
- ownerSource
- A read only operational attribute that contains the distinguished name (DN) of the entry in which the owner values are defined. Each entry has an associated ownerSource attribute. This attribute is maintained by the server but can be retrieved for administrative purposes.
- Peer server
- The term used for a master server when there are multiple masters for a given subtree. A peer server does not replicate changes sent to it from another peer server; it only replicates changes that are originally made on it.
- proxy server
- A server that receives requests intended for another server and that acts on the client’s behalf (as the client’s proxy) to obtain the requested service. A proxy server is often used when the client and the server are incompatible for direct connection. For example, the client is unable to meet the security authentication requirements of the server but should be permitted some services.
- public key
- The non-secret half of a cryptographic key pair that is used with a public key algorithm. The public key is made available to everyone; it is used to verify digital signatures produced with the corresponding private key and to encrypt messages that can be decrypted only by the holder of the corresponding private key. Users distribute their public keys to everyone with whom they must exchange encrypted messages.
- quiesce
- To put the server into a state in which it does not accept client updates, except for those done by the administrator and accompanied by replication management control.
- referral
- A way for servers to refer clients to additional directory servers. Referrals can distribute namespace information among multiple servers, provide knowledge of where data resides within a set of interrelated servers, and route client requests to the appropriate server. The general format for a referral is: ldap[s]://hostname:port. Typically the format for a referral to a nonsecure server is: ldap://hostname:389 and to a secure SSL server is: ldaps://hostname:636.
- relative distinguished name (RDN)
- The leftmost component of the distinguished name (DN), which names the entry relative to its parent. For example, if the entry's DN is cn=John Doe,ou=Test,o=sample, the RDN is cn=John Doe.
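The DN, RDN, aclEntry/aclPropagate/aclSource and entryOwner/ownerPropagate/ownerSource entries describe one mechanism: the server finds the entry whose values govern a given DN by walking from that DN towards the suffix. The following is an added example of that resolution (not IBM Security Directory Server code and not from the original page). The directory, including the aclEntry strings, is constructed; the aclEntry strings are placeholders and are not evaluated, and a missing propagate flag is assumed to mean true.

```python
"""Compute aclSource / ownerSource the way the glossary describes propagation.

Added example for this glossary; not IBM Security Directory Server code.
The governing entry for a DN is the entry itself if it carries its own
aclEntry (or entryOwner), else the nearest ancestor whose values
propagate. An ancestor whose propagate flag is false is an override for
that ancestor only and is skipped for its descendants. DNs are split on
unescaped commas (RFC 4514). The directory below is constructed; its
aclEntry strings are placeholders and are not evaluated. A missing
propagate flag is assumed to mean true.
"""


def split_dn(dn):
    """Split a string DN into its RDNs, honouring backslash escapes.
    'cn=Doe\\, John,ou=Test,o=sample' -> ['cn=Doe\\, John', 'ou=Test', 'o=sample']"""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair as data
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn(dn):
    """The relative distinguished name: the leftmost component of the DN."""
    return split_dn(dn)[0]


def parent(dn):
    """The DN of the superior entry, or None for a suffix (naming context)."""
    parts = split_dn(dn)
    return ",".join(parts[1:]) if len(parts) > 1 else None


# Constructed directory: DN -> attributes that matter for ACL/owner evaluation.
DIRECTORY = {
    "o=sample": {
        "aclEntry": ["group:cn=Admins,o=sample:normal:rwsc"],
        "aclPropagate": True,
        "entryOwner": ["cn=Directory Admin,o=sample"],
        "ownerPropagate": True,
    },
    "ou=Test,o=sample": {},
    "cn=John Doe,ou=Test,o=sample": {},
    "ou=HR,o=sample": {
        "aclEntry": ["group:cn=HR Staff,ou=HR,o=sample:normal:rsc"],
        "aclPropagate": True,
        "entryOwner": ["cn=HR Lead,ou=HR,o=sample"],
        "ownerPropagate": False,  # owner of this entry only
    },
    "cn=Payroll,ou=HR,o=sample": {
        "aclEntry": ["access-id:cn=Payroll Admin,o=sample:normal:rwsc"],
        "aclPropagate": False,  # override: applies to this entry only
    },
    "cn=Q1 Report,cn=Payroll,ou=HR,o=sample": {},
}


def effective_source(dn, attr="aclEntry", propagate="aclPropagate", directory=DIRECTORY):
    """Return the DN whose `attr` values govern `dn` (what aclSource/ownerSource report)."""
    if attr in directory.get(dn, {}):
        return dn  # the entry's own values win, whether or not they propagate
    ancestor = parent(dn)
    while ancestor is not None:
        entry = directory.get(ancestor, {})
        if attr in entry and entry.get(propagate, True):
            return ancestor
        ancestor = parent(ancestor)
    return None  # nothing defined up to the suffix


def owner_source(dn, directory=DIRECTORY):
    """ownerSource for `dn`: same walk, driven by entryOwner/ownerPropagate."""
    return effective_source(dn, "entryOwner", "ownerPropagate", directory)


if __name__ == "__main__":
    for dn in DIRECTORY:
        print(f"{dn:45} aclSource={effective_source(dn)!s:28} ownerSource={owner_source(dn)}")
```

The cn=Q1 Report entry is the instructive case: its parent cn=Payroll has its own ACL, but because that ACL does not propagate, the report's aclSource is ou=HR,o=sample, two levels up.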
- replica
- A server that contains a copy of the directory or a copy of part of the directory of another server. Replicas back up servers in order to enhance performance and response times and to keep the directory data available if a server fails.
- replicated subtree
- A portion of the directory information tree (DIT) that is replicated from one server to another. Under this design, a given subtree can be replicated to some servers and not to others. A subtree can be writable on a given server, while other subtrees might be read-only.
- Replicating network
- A network that contains connected replication sites.
- replication agreement
- Information contained in the directory that defines the connection or replication path between two servers. One server is called the supplier (the one that sends the changes) and the other is the consumer (the one that receives the changes). The agreement contains all the information needed for making a connection from the supplier to the consumer and scheduling replication.
- replication context
- The replication context identifies the root of a replicated subtree. The configuration information related to replication is maintained in a set of entries created below a replication context.
- replication site
- A Gateway server and any master, peer or replica servers configured to replicate together.
- role
- A job function that identifies the tasks that a user can perform and the resources to which a user has access. A role defines what access levels a given user has and the specific resources they can modify at those levels; a user without the proper role is limited in how they can access information. A user can be assigned one or more roles.
- RSA encryption
- A system for public-key cryptography used for encryption and authentication. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The security of the system depends on the difficulty of factoring the product of two large prime numbers.
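The RSA, public key and digital signature entries describe one relation between a private and a public exponent; the following added example (not code from the original page) shows it in schoolbook form. It uses two publicly known Mersenne primes and no padding, so it is a teaching aid only: production code uses a vetted library with RSA-PSS or PKCS#1 v1.5 padding and keys of at least 2048 bits. The primes and the message are constructed for the example.

```python
"""Schoolbook RSA sign/verify, illustrating the digital signature, public key and RSA entries.

Added example for this glossary, not code from the original page. It is
the bare RSA relation with no padding, on two publicly known Mersenne
primes, so it is a teaching aid only: real systems use a vetted library
with RSA-PSS or PKCS#1 v1.5 padding and keys of at least 2048 bits. What
it shows exactly is the glossary's description: the key pair comes from
two primes, the private exponent produces the signature over the
message's hash, the public exponent verifies it, and any change to the
message makes verification fail. The primes and message are constructed.
"""
import hashlib

P = 2**127 - 1  # Mersenne prime M127 (toy key material, far too small and public)
Q = 2**521 - 1  # Mersenne prime M521
E = 65537       # conventional public exponent; gcd(E, (P-1)*(Q-1)) == 1 for these primes


def keygen(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public and private halves of the key pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e*d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def _digest_int(message: bytes) -> int:
    """Hash first; the signature then covers the whole message, whatever its length."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message: bytes) -> int:
    """Signature = H(m)^d mod n. Only the holder of d can compute this."""
    n, d = private
    h = _digest_int(message)
    if h >= n:
        raise ValueError("digest must be smaller than the modulus")
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone holding (n, e) checks signature^e mod n == H(m)."""
    n, e = public
    return pow(signature, e, n) == _digest_int(message)


if __name__ == "__main__":
    public, private = keygen()
    msg = b"dn: cn=John Doe,ou=Test,o=sample"  # constructed message
    sig = sign(private, msg)
    print("valid signature verifies:", verify(public, msg, sig))
    print("tampered message verifies:", verify(public, msg + b".", sig))
```

Verification recovers the hash of the original message, so the tampered message fails because its hash differs, not because the signature itself was altered.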
- Secure Sockets Layer (SSL)
- A security protocol that provides communication privacy. SSL enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL was developed by Netscape Communications Corp. and RSA Data Security, Inc. All versions of SSL are now deprecated (SSL 3.0 by RFC 7568) and have been superseded by Transport Layer Security (TLS); the term "SSL" in configuration names usually means TLS in practice.
- SMS (System Managed Space)
- A tablespace where the operating system’s file system manager allocates and manages the space where the table is stored.
- sorted search
- Search that allows a client to receive search results sorted based on a list of criteria, where each criterion represents a sort key. This moves the responsibility of sorting from the client application to the server, where it might be done more efficiently.
- subtree
- A section of a directory hierarchy, which is also called a directory tree. The subtree typically starts at a particular directory and includes all subdirectories and objects below that directory in the directory hierarchy; that is, any subdirectories or objects connected to the directory or to any lower level of its subdirectories.
- suffix
- A distinguished name (DN) that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy. A suffix is also known as a naming context.
- supplier server
- A server that sends changes to a consumer server.
- syntax
- Syntax refers to the required format for the values of an attribute. Supported syntaxes are:
- IBM Attribute Type Description
- Matching Rule Description
- Name Form Description
- Attribute Type Description
- Object Class Description
- DIT Structure Rule Description
- DIT Content Rule Description
- LDAP Syntax Description
- OID
- Matching Rule Use Description
- Boolean (TRUE/FALSE)
- Binary (octet string)
- INTEGER (integral number)
- Generalized Time
- IA5 String (case-sensitive string)
- Directory String (case-insensitive string)
- UTC time
- Telephone Number
- DN (distinguished name)
- Transport Layer Security (TLS)
- An Internet Engineering Task Force (IETF)-defined security protocol that is based on Secure Sockets Layer (SSL). TLS 1.0 is specified in RFC 2246; later versions are TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446). TLS 1.0 and 1.1 are deprecated (RFC 8996), so servers and clients should be configured to require TLS 1.2 or later.
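The cipher suite, CipherSpec, SSL and TLS entries come together when a client is configured. The following added example (not code from the original page or from IBM Security Directory Server) uses Python's standard ssl module to build a client context that refuses SSL 3.0 and TLS 1.0/1.1, and to list each negotiable suite as the glossary decomposes it: key exchange, authentication method and cipher specification. No network connection is made; the configuration is only built and inspected.

```python
"""Restrict a client to TLS 1.2 or later and list the cipher suites it will offer.

Added example for this glossary; it is not code from the original page or
from IBM Security Directory Server. It uses Python's standard ssl module
to make two of the glossary's points concrete: a cipher suite bundles a
key exchange, an authentication method and a cipher specification (the
fields get_ciphers() reports), and SSL 2.0/3.0 and TLS 1.0/1.1 are
deprecated, so a hardened context refuses them. No network connection is
made; the configuration is only built and inspected.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and speaks only TLS >= 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0, TLS 1.1
    # TLS 1.2 suites: forward-secret key exchange and AEAD ciphers only. The
    # TLS 1.3 suites are configured separately by OpenSSL and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def minimum_protocol_name(ctx: ssl.SSLContext) -> str:
    """Name of the oldest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def allows_legacy_protocols(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate SSLv3, TLS 1.0 or TLS 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True if the context requires and validates the server's certificate chain and name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def suite_summary(ctx: ssl.SSLContext):
    """(suite name, protocol, key exchange, authentication, symmetric cipher) per enabled suite."""
    return [
        (c["name"], c["protocol"], c["kea"], c["auth"], c["symmetric"])
        for c in ctx.get_ciphers()
    ]


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", minimum_protocol_name(ctx))
    for name, proto, kea, auth, sym in suite_summary(ctx):
        print(f"{proto:8} {name:32} kx={kea:12} auth={auth:10} cipher={sym}")
```

The same two settings, minimum protocol version and cipher list, are what a server-side hardening review checks in a directory server's SSL configuration; the exact option names differ per product, but the intent (no SSL, no TLS below 1.2, no NULL/RC4/MD5 suites) is the same.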
- VLV (Virtual List View)
- A GUI technique that may be employed where ordered lists containing a large number of entries need to be displayed. VLV provides a scrollable view of a large sorted data set through a window containing a small number of visible entries.