Chapter 18. Lightweight Directory Access Protocol (LDAP)
Lightweight Directory Access Protocol
(LDAP) is a set of open protocols used to access
centrally stored information over a network. It is based on the
X.500 standard for directory sharing, but is less
complex and resource intensive. For this reason, LDAP is sometimes referred
to as X.500 Lite.
Like X.500, LDAP organizes information in a hierarchical manner using
directories. These directories can store a variety of information and can
even be used in a manner similar to Network Information Service (NIS),
enabling anyone to access their account from any machine on the LDAP
enabled network.
In most cases, however, LDAP is used simply as a virtual phone directory,
allowing users to easily access contact information for other users. But
LDAP goes beyond a traditional phone directory, because it is capable of
propagating its directories to other LDAP servers throughout the world,
providing global access to information. Currently, however, LDAP is more
commonly used within individual organizations, like universities,
government departments, and private companies.
LDAP is a client-server system. The server can use a variety of databases
to store a directory, each optimized for quick and copious read
operations. When an LDAP client application connects to an LDAP server it
can either query a directory or upload information to it. In the event of
a query, the server either answers the query or, if it cannot answer
locally, it can refer the query upstream to a higher-level LDAP server
that does have the answer. If the client application is attempting to
upload information to an LDAP directory, the server verifies that the user has
permission to make the change and then adds or updates the information.
This chapter will refer to the configuration and use of OpenLDAP 2.0, an
open source implementation of the LDAPv2 and LDAPv3 protocols.
Why Use LDAP?
The main benefit of LDAP is that information for an entire organization
can be consolidated into a central repository. For example, rather than
managing user lists for each group within an organization, you can use
LDAP as a central directory accessible from anywhere on the network. And
since LDAP supports Secure Sockets Layer (SSL) and Transport Layer
Security (TLS), sensitive data can be protected in transit from prying eyes.
LDAP also supports a number of back-end databases in which to store
directories. This allows administrators the flexibility to deploy the
database best suited for the type of information the server is to
disseminate. Also, because LDAP has a well-defined Application
Programming Interface (API), LDAP-enabled applications are numerous
and increasing in both quantity and quality.
On the negative side, LDAP can be non-trivial to configure.
OpenLDAP 2.0 Feature Enhancements
OpenLDAP 2.0 includes a number of important features.
LDAPv3 Support — OpenLDAP 2.0
supports Simple Authentication and Security Layer (SASL),
Transport Layer Security (TLS), and Secure Sockets Layer (SSL),
among other improvements. Many of the changes in the
protocol since LDAPv2 are designed to make LDAP more secure.
IPv6 Support — OpenLDAP supports
the next-generation Internet Protocol version 6.
LDAP Over IPC — OpenLDAP can
communicate within a system using interprocess communication
(IPC). This enhances security by obviating the need to communicate
over a network.
Updated C API — Improves the way
programmers can connect to and use the application.
LDIFv1 Support — Full compliance with the
LDAP Data Interchange Format (LDIF) version 1.
Enhanced Stand-Alone LDAP Server —
Includes an updated access control system, thread pooling, better
tools and much more.
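The following is an added example, not code from this manual or from the OpenLDAP project. It ties together three things the chapter describes: the hierarchical (DN-based) layout of a directory, the LDIF version 1 format the server reads, and the query behaviour where a server answers locally for the naming context it holds and hands back a referral for anything else. The LDIF entries, the dc=example,dc=com suffix and the upstream referral URL are all constructed for the example; the parser covers the common RFC 2849 features (comments, folded lines, plain and base64 values) and deliberately rejects URL-referenced values rather than fetching them.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample LDIF (not taken from any real directory). The cn value is
# base64-encoded (the "::" form) and the description is folded over two lines.
SAMPLE_LDIF = """\
version: 1
# constructed example entries for dc=example,dc=com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organisation
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn:: SmFuZSBEb2U=
sn: Doe
description: A folded value that continues
  on the next line
mail: jdoe@example.com
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Tuple[str, Entry]]:
    """Parse an LDIFv1 subset (RFC 2849) into a list of (dn, attributes) pairs."""
    # Unfold first: a line beginning with one space continues the previous line.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Tuple[str, Entry]] = []
    current: Optional[Tuple[str, Entry]] = None
    for line in logical:
        if line.startswith("#"):
            continue
        if line == "":  # blank line ends the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if current is None and line.lower().startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):            # attr:: base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):          # attr:< url  (never fetched here)
            raise ValueError("URL-referenced values are not supported")
        else:                               # attr: value
            value = rest.lstrip(" ")
        if name.lower() == "dn":
            if current is not None:
                raise ValueError("dn inside an entry; missing blank separator")
            current = (value, {})
        elif current is None:
            raise ValueError(f"attribute {name!r} appears before any dn")
        else:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def parent_dn(dn: str) -> Optional[str]:
    """Parent in the hierarchy: the DN with its leftmost RDN removed."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


class Directory:
    """Toy in-memory server holding one naming context (suffix). Hypothetical."""

    def __init__(self, suffix: str, upstream_url: str):
        self.suffix = suffix.lower()
        self.upstream_url = upstream_url  # returned as a referral for other suffixes
        self.entries: Dict[str, Entry] = {}

    def holds(self, dn: str) -> bool:
        d = dn.lower()
        return d == self.suffix or d.endswith("," + self.suffix)

    def load(self, ldif_text: str) -> int:
        for dn, attrs in parse_ldif(ldif_text):
            if not self.holds(dn):
                raise ValueError(f"{dn} is outside naming context {self.suffix}")
            self.entries[dn.lower()] = attrs
        return len(self.entries)

    def lookup(self, dn: str) -> Tuple[str, object]:
        """Answer locally, or refer the client upstream for DNs this server lacks."""
        if not self.holds(dn):
            return ("referral", self.upstream_url)
        entry = self.entries.get(dn.lower())
        return ("entry", entry) if entry is not None else ("noSuchObject", None)

    def children(self, dn: str) -> List[str]:
        """One-level listing of entries directly below dn (the hierarchy)."""
        target = dn.lower()
        return sorted(d for d in self.entries if (parent_dn(d) or "") == target)
```

DN comparison is done by simple lowercasing, which is enough for the sample data but not a full implementation of LDAP DN matching rules; a real server also normalises attribute values and whitespace according to the schema.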