Chapter 13. Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is a set of open
protocols used to access centrally stored information over a
network. It is based on the X.500 standard for directory sharing,
but is less complex and less resource intensive; for this reason
LDAP is sometimes referred to as "X.500 Lite." X.500 defines a
directory service that holds hierarchical, categorized information,
such as names, addresses, and phone numbers.
Like X.500, LDAP organizes information hierarchically in
directories. These directories can store a variety of information
and can even take over the role of the Network Information Service
(NIS), so that a user can log in to any machine on the LDAP-enabled
network with the same account.
In many cases, LDAP is used as a virtual phone directory,
allowing users to easily access contact information for other
users. But LDAP is more flexible than a traditional phone
directory, as it is capable of referring a querent to other LDAP
servers throughout the world, providing an ad-hoc global repository
of information. Currently, however, LDAP is more commonly used
within individual organizations, like universities, government
departments, and private companies.
LDAP is a client/server system. The server can use a variety of
databases to store a directory, each optimized for fast,
high-volume read operations. When an LDAP client application
connects to an LDAP server, it can either query the directory or
attempt to modify it. For a query, the server either answers
locally or returns a referral to an LDAP server that does hold the
answer. For a modification, the server checks the identity the
client bound as against its access controls and only then adds or
updates the information. A client that never binds is treated as
anonymous and receives whatever access the server's access control
rules grant to anonymous users, so those rules need to be reviewed
rather than assumed.
This chapter refers to the configuration and use of OpenLDAP
2.0, an open source implementation of the LDAPv2 and LDAPv3
protocols.
The main benefit of using LDAP is that information for an entire
organization can be consolidated into a central repository. For
example, rather than managing user lists for each group within an
organization, LDAP can be used as a central directory accessible
from anywhere on the network. And because LDAP supports Secure
Sockets Layer (SSL) and Transport Layer Security (TLS), sensitive
data can be protected in transit. That protection is only as good
as the configuration, however: a simple bind over a plain ldap://
connection sends the bind DN and password in the clear, so the
server should be configured to require TLS rather than merely offer
it.
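As an added example (not from this chapter or from the OpenLDAP project), here is a slapd.conf fragment with the weak setting beside the corrected one, followed by the matching client-side ldap.conf. Paths, the hostname and the suffix are placeholders; the `security`, `localSSF`, `disallow` and `require` directives are documented in slapd.conf(5) for OpenLDAP releases later than the 2.0 this chapter covers, so check the man page of the version you run before relying on them.

```conf
# /etc/openldap/slapd.conf -- WEAK: TLS is configured, but nothing obliges a
# client to use it. A simple bind over plain ldap:// on port 389 carries the
# bind DN and password in cleartext, and nothing stops anonymous clients.
TLSCertificateFile     /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"
# cleartext password, readable by anyone who can read slapd.conf
rootpw   secret

# /etc/openldap/slapd.conf -- HARDENED
TLSCertificateFile     /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key
TLSCACertificateFile   /etc/openldap/certs/ca.crt
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"
# hashed value as printed by slappasswd (placeholder shown here)
rootpw   {SSHA}output-of-slappasswd
# Refuse every operation, binds included, unless the session has at least
# 128 bits of protection, i.e. TLS with a 128-bit cipher. ldapi:// sessions
# are rated at localSSF, so raise it too or local clients are refused as well.
security  ssf=128
localSSF  128
# No anonymous access: a client must bind, and may not bind anonymously.
disallow  bind_anon
require   authc

# /etc/openldap/ldap.conf (client side)
URI          ldaps://ldap.example.com
BASE         dc=example,dc=com
TLS_CACERT   /etc/openldap/certs/ca.crt
# 'demand' makes the client verify the server certificate and abort on
# failure; 'never' or 'allow' would accept a forged server and hand it the
# user's password.
TLS_REQCERT  demand
```

With `security ssf=128` in place, `ldapsearch -x -H ldap://ldap.example.com -ZZ -D "uid=jdoe,ou=People,dc=example,dc=com" -W` (where `-ZZ` insists that StartTLS succeed) works as before, while the same command without `-ZZ` is rejected with a "Confidentiality required" result instead of quietly binding in cleartext.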
LDAP also supports a number of back-end databases in which to
store directories. This gives administrators the flexibility to
deploy the database best suited to the type of information the
server is to disseminate. And because LDAP has a well-defined
client Application Programming Interface (API), LDAP-enabled
applications are numerous and growing in both number and quality.
OpenLDAP includes a number of important features.
- LDAPv3 Support — OpenLDAP supports Simple Authentication and
Security Layer (SASL), Transport Layer Security (TLS), and Secure
Sockets Layer (SSL), among other improvements. Many of the changes
in the protocol since LDAPv2 are designed to make LDAP more secure.
- IPv6 Support — OpenLDAP supports the next generation Internet
Protocol version 6.
- LDAP Over IPC — OpenLDAP can communicate within a system using
interprocess communication (IPC), through a Unix domain socket
addressed with the ldapi:// URL scheme. This enhances security by
eliminating the need to communicate over a network.
- Updated C API — Improves the way programmers can connect to and
use LDAP directory servers.
- LDIFv1 Support — Provides full compliance with the LDAP Data
Interchange Format (LDIF) version 1.
- Enhanced Stand-Alone LDAP Server — slapd includes an updated
access control system, thread pooling, better tools, and much more.
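The hierarchical organization described earlier in this chapter and the LDIFv1 support listed above meet in practice when a directory is loaded from an LDIF file. The following Python is an added example, not code from this chapter or from OpenLDAP: it parses LDIFv1 content records (RFC 2849: folded lines, comments, `::` base64 values) and then runs the structural checks slapadd makes when loading them, namely that every entry lies under the database suffix and that every entry's parent exists. The sample LDIF is constructed for the example; `:<` URL-valued attributes, which ldapadd and slapadd would resolve to local files, are deliberately refused rather than fetched, since an LDIF file from an untrusted source should not be able to read the server's filesystem. DN comparison is simplified to case-folding, which is adequate for dc/ou/cn/uid names.

```python
# Added example (not from the page or OpenLDAP): parse an LDIFv1 content file
# and run the structural checks slapadd makes when loading it. Sample is constructed.
import base64
import re
from typing import Dict, List, Tuple, Union

Entry = Dict[str, List[Union[str, bytes]]]   # attribute type -> values, "dn" included

# Constructed sample: a base64 value (cn::), a folded line, an entry whose parent
# ou=Devices is absent, and an entry outside the suffix dc=example,dc=com.
SAMPLE_LDIF = """\
version: 1
# comment lines are ignored
dn: dc=example,dc=com
objectClass: dcObject
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn:: SsO2cmcgRG9l
description: a long description that is folded
  across two physical lines

dn: cn=printers,ou=Devices,dc=example,dc=com
cn: printers

dn: dc=other,dc=org
dc: other
"""

def _unfold(text: str) -> List[str]:
    """Join continuation lines (a leading space) onto the previous logical line."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def _parse_attr(line: str) -> Tuple[str, Union[str, bytes]]:
    """'type: value'; 'type:: b64' is base64; 'type:< url' is refused, not fetched."""
    name, sep, rest = line.partition(":")
    if not sep or not name:
        raise ValueError(f"malformed LDIF line: {line!r}")
    if rest.startswith(":"):
        raw = base64.b64decode(rest[1:].strip(), validate=True)
        try:
            return name, raw.decode("utf-8")
        except UnicodeDecodeError:
            return name, raw             # genuinely binary value, keep bytes
    if rest.startswith("<"):             # ldapadd/slapadd would open file:// URLs here
        raise ValueError(f"refusing URL value for {name!r}: {rest[1:].strip()}")
    return name, rest.lstrip(" ")

def parse_ldif(text: str) -> List[Entry]:
    """Content records of an LDIF string as {type: [values]} dicts, in file order."""
    body = "\n".join(l for l in _unfold(text) if not l.startswith("#"))
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", body):
        lines = [l for l in block.split("\n") if l.strip()]
        if lines and lines[0].lower().startswith("version:"):
            lines.pop(0)
        if not lines:
            continue
        if lines[0][:3].lower() != "dn:":
            raise ValueError(f"record must start with dn:, got {lines[0]!r}")
        entry: Entry = {}
        for line in lines:
            name, value = _parse_attr(line)
            entry.setdefault("dn" if name.lower() == "dn" else name, []).append(value)
        entries.append(entry)
    return entries

def split_rdns(dn: str) -> List[str]:
    """RDNs of a DN: split on commas not preceded by a backslash (RFC 2253), trimmed."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]

def normalize_dn(dn: str) -> str:
    """Comparison form with lower-cased RDNs; adequate for dc/ou/cn/uid names."""
    return ",".join(r.lower() for r in split_rdns(dn))

def check_hierarchy(entries: List[Entry], suffix: str) -> Dict[str, List[str]]:
    """slapadd-style checks: every entry must lie under `suffix`, and every entry
    except the suffix itself must have its parent present in the same LDIF."""
    present = {normalize_dn(e["dn"][0]) for e in entries}
    root = normalize_dn(suffix)
    problems: Dict[str, List[str]] = {"outside_suffix": [], "missing_parent": []}
    for dn in (e["dn"][0] for e in entries):
        ndn = normalize_dn(dn)
        if ndn != root and not ndn.endswith("," + root):
            problems["outside_suffix"].append(dn)
        elif ndn != root and normalize_dn(",".join(split_rdns(dn)[1:])) not in present:
            problems["missing_parent"].append(dn)
    return problems
```

Calling `check_hierarchy(parse_ldif(SAMPLE_LDIF), "dc=example,dc=com")` reports `dc=other,dc=org` as outside the suffix and `cn=printers,ou=Devices,dc=example,dc=com` as lacking its parent, which is exactly what slapadd would refuse to load; the other three entries form a valid tree.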