Chapter 13. Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol
(LDAP) is a set of open protocols used to access
centrally stored information over a network. It is based on the
X.500 standard for directory sharing, but is less
complex and resource intensive. For this reason, LDAP is sometimes
referred to as "X.500 Lite." The X.500 standard is
a directory that contains hierarchical and categorized information, which
could include information such as names, addresses, and phone numbers.
Like X.500, LDAP organizes information in a hierarchal manner using
directories. These directories can store a variety of information and can
even be used in a manner similar to the Network Information Service (NIS),
enabling anyone to access their account from any machine on the LDAP
In many cases, LDAP is used as a virtual phone directory, allowing users to
easily access contact information for other users. But LDAP is more
flexible than a traditional phone directory, as it is capable of referring
a querent to other LDAP servers throughout the world, providing an ad-hoc
global repository of information. Currently, however, LDAP is more
commonly used within individual organizations, like universities,
government departments, and private companies.
LDAP is a client/server system. The server can use a variety of databases
to store a directory, each optimized for quick and copious read
operations. When an LDAP client application connects to an LDAP server, it
can either query a directory or attempt to modify it. In the event of a
query, the server either answers the query locally, or it can refer the
querent to an LDAP server which does have the answer. If the client
application is attempting to modify information within an LDAP directory,
the server verifies that the user has permission to make the change and
then adds or updates the information.
This chapter refers to the configuration and use of OpenLDAP 2.0, an open
source implementation of the LDAPv2 and LDAPv3 protocols.
The main benefit of using LDAP is that information for an entire
organization can be consolidated into a central repository. For example,
rather than managing user lists for each group within an organization,
LDAP can be used as a central directory accessible from anywhere on the
network. And because LDAP supports Secure Sockets Layer (SSL) and
Transport Layer Security (TLS), sensitive data can be protected from
LDAP also supports a number of back-end databases in which to store
directories. This allows administrators the flexibility to deploy the
database best suited for the type of information the server is to
disseminate. Because LDAP also has a well-defined client Application
Programming Interface (API), the number of LDAP-enabled applications are
numerous and increasing in quantity and quality.
OpenLDAP includes a number of important features.
LDAPv3 Support — OpenLDAP supports
Simple Authentication and Security Layer (SASL), Transport Layer Security
(TLS), and Secure Sockets Layer (SSL), among other
improvements. Many of the changes in the protocol since LDAPv2 are
designed to make LDAP more secure.
IPv6 Support — OpenLDAP supports
the next generation Internet Protocol version 6.
LDAP Over IPC — OpenLDAP can
communicate within a system using interprocess communication
(IPC). This enhances security by eliminating the need to communicate
over a network.
Updated C API — Improves the way
programmers can connect to and use LDAP directory servers.
LDIFv1 Support — Provides full
compliance with the LDAP Data Interchange Format (LDIF) version 1.
Enhanced Stand-Alone LDAP Server —
Includes an updated access control system, thread pooling, better
tools, and much more.