Introduction to LDAP

Table of Contents

1. What is LDAP?

LDAP stands for "Lightweight Directory Access Protocol". It is a
lightweight alternative to the X.500 Directory Access Protocol (DAP)
that runs directly over TCP/IP instead of the full OSI protocol stack.

Note: X.500 is the ITU/ISO directory standard; DAP is the protocol
X.500 defines for talking to that directory. LDAP keeps the X.500
data model but drops most of the protocol's weight.

A Directory is just a database that usually has these properties:

  • designed for far more reads than writes
  • offers a relatively static view of the data
  • simple updates, without transactions

A Directory Service adds a network protocol used to access the
directory, on top of the above. We’ve all used a directory service in
the past day: DNS!

LDAP version 2 is defined by RFC 1777 (http://www.ietf.org/rfc/rfc1777.txt);
the version in current use, LDAPv3, by RFC 2251 (since revised as the
RFC 4510 series). Some common points of the standard are:

  • a network protocol for accessing information in the directory
  • an information model defining the form and character of the
    information
  • a namespace defining how information is referenced and organized
  • an emerging distributed operation model defining how data may be
    distributed and referenced
  • designed-in extensibility

2. What good is LDAP?

A Directory holds information. It doesn’t matter what type: text,
photos, URLs, pointers to whatever, binary data, public key
certificates, etc. (Note that the particular LDAP server you use may
have limitations.)

There are different contexts for a Directory (and Directory Service).

  • LOCAL – only for a subset of machines/users/etc.
  • GLOBAL – can be accessed by anyone

LDAP is a vendor-independent, platform-independent protocol, which
makes interconnection easy (across the Internet, for instance). For
the same reason, gateways from LDAP to other protocols and systems
are easy to build.

Currently existing gateways:

  • LDAP to X.500 (and vice versa)
  • HTTP to LDAP
  • WHOIS++ to LDAP
  • FINGER to LDAP
  • E-mail to LDAP
  • ODBC to LDAP
  • and more!!!

Concrete example:
Address books usually use LDAP to store the book on a centralized
server and then pull down the information when requested. Netscape
Communicator uses this model. (Microsoft Exchange/Outlook does
something similar, but Microsoft's implementation departs from the
standard in places.)

When the user opens his/her address book, the client sends a search
request to the LDAP server. The server returns each matching entry as
a list of attribute/value pairs. On the wire this is BER-encoded
ASN.1, not text; the human-readable form you will see in tools and
dumps is LDIF (LDAP Data Interchange Format), which plays the role
XML plays elsewhere.
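To make the "standard format" concrete, here is an added example (not code from the original page or from any of the products named above) that writes one address-book entry as an LDIF record and parses it back. The entry, its DN and its attribute values are constructed for the example; they are chosen to hit the two cases where LDIF cannot write the text as-is (non-ASCII, a leading space) and the case where a long line has to be folded.

```python
import base64

# Constructed sample entry (not from the original page): one address-book
# record placed under the page's example tree.
SAMPLE_DN = "cn=Jörg Müller,ou=Clubs,o=MIT,c=US"
SAMPLE_ATTRS = {
    "objectClass": ["person", "organizationalPerson"],
    "cn": ["Jörg Müller"],                                # non-ASCII -> base64
    "sn": ["Müller"],
    "mail": ["joerg@example.edu"],
    "description": [" leading space kept", "x" * 120],   # leading space -> base64; long -> folded
}


def _needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING rule: a value must be base64-encoded if it starts
    with a space, ':' or '<', or contains NUL, CR, LF or any non-ASCII byte."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 126 or c in "\x00\r\n" for c in value)


def _fold(line: str, width: int = 76) -> str:
    """Wrap a logical line at `width`; continuation lines start with one space."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def _attr_line(name: str, value: str) -> str:
    if _needs_base64(value):
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return _fold(f"{name}:: {b64}")        # '::' marks a base64 value
    return _fold(f"{name}: {value}")


def to_ldif(dn: str, attrs: dict) -> str:
    """Serialise one entry as an LDIF record: dn line first, one line per value."""
    lines = [_attr_line("dn", dn)]
    for name, values in attrs.items():
        lines.extend(_attr_line(name, v) for v in values)
    return "\n".join(lines) + "\n"


def parse_ldif(text: str) -> list:
    """Parse blank-line separated LDIF records back into (dn, attrs) pairs.
    Handles folded lines, comments and base64 values; URL values ('<') are not."""
    entries = []
    for block in text.strip().split("\n\n"):
        logical = []
        for line in block.split("\n"):
            if line.startswith(" ") and logical:   # continuation of previous line
                logical[-1] += line[1:]
            elif line and not line.startswith("#"):
                logical.append(line)
        dn, attrs = None, {}
        for line in logical:
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.lstrip(" ")           # FILL = *SPACE after the colon
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def address_book_ldif() -> str:
    """The sample entry in the text form a client sees in dumps and tools."""
    return to_ldif(SAMPLE_DN, SAMPLE_ATTRS)


if __name__ == "__main__":
    print(address_book_ldif())
    assert parse_ldif(address_book_ldif()) == [(SAMPLE_DN, SAMPLE_ATTRS)]
```

Run it and note that the dn line itself comes out as `dn::` (base64) because of the umlaut; a client that assumes `dn:` is always plain text will mis-read such records.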

3. Schemas

The Directory is actually a distributed, tree-like structure. Every
entry in the directory has a distinguished name (DN) which uniquely
identifies that entry. The DN is the entry's own relative distinguished
name (RDN) followed by the RDNs of each of its ancestors up to the
root, most specific first; the LUG entry in the tree below, for
example, has the DN CN=LUG,OU=Clubs,O=MIT,C=US.

ROOT
|
+-------------------------------+
|                               |
C=US                            C=GB
|
+----------------+
|                |
O=MIT            O=GT
|
+----------------+
|                |
OU=Classes       OU=Clubs
                 |
                 +------------+-------------+
                 |            |             |
                 CN=LUG       CN=LAX        CN=Ultimate

Notice that every RDN has the form <attribute>=<value>. The idea behind
a schema is captured by the following grammar (read it like a CFG: each
production says what kinds of entries may hang below a given kind of
entry):

root := root country
      | root locality
      | root organization
      | (epsilon).

country := locality
         | organization.

locality := organizational_unit.

organization := organizational_unit.

organizational_unit := organizational_unit container
                     | (epsilon).

[Here a container is the leaf object, holding the really specific]
[data, like a person's name, a department's budget, etc.]
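The following is an added example (not code from the original page) of the DN handling a client needs before it can talk to a directory: building a string DN from RDNs, parsing one back, and checking a DN's path against the grammar above. Escaping follows RFC 4514, which the page does not cite; the string form of a DN is only unambiguous if characters such as "," and "+" inside a value are escaped, and a parser that simply splits on commas gets values like "Doe, Jane" wrong. The example goes slightly beyond the page's own grammar in one respect: any attribute type other than C, L, O and OU (CN, UID, ...) is accepted as the leaf "container". Multi-valued RDNs (joined with "+") are deliberately not supported.

```python
SPECIAL = set(',+"\\<>;')              # must be escaped anywhere in a value (RFC 4514)
HEX = set("0123456789abcdefABCDEF")


def escape_value(value: str) -> str:
    """Escape one RDN value so it can be embedded in a string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)      # leading '#'/space and trailing space also need it
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns) -> str:
    """[(type, value), ...] leaf first -> 'type=value,type=value,...'"""
    return ",".join(f"{t}={escape_value(v)}" for t, v in rdns)


def parse_dn(dn: str):
    """'CN=Doe\\, Jane,OU=Clubs,O=MIT,C=US' -> [('CN','Doe, Jane'), ('OU','Clubs'), ...]
    Undoes escapes: '\\,' -> ',' and '\\2c' -> byte 0x2c. Hex pairs are collected
    as bytes so multi-byte UTF-8 written as '\\c3\\bc' decodes to one character."""
    rdns, attr_type, buf = [], None, bytearray()
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if attr_type is None:                         # still reading the attribute type
            if ch == "=":
                attr_type = buf.decode("utf-8").strip()
                buf = bytearray()
            else:
                buf += ch.encode("utf-8")
            i += 1
        elif ch == "\\":                              # escape sequence inside a value
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                buf.append(int(pair, 16))
                i += 3
            elif i + 1 < n:
                buf += dn[i + 1].encode("utf-8")
                i += 2
            else:
                raise ValueError("DN ends with a lone backslash")
        elif ch == ",":                               # unescaped comma ends the RDN
            rdns.append((attr_type, buf.decode("utf-8")))
            attr_type, buf = None, bytearray()
            i += 1
        elif ch == "+":
            raise ValueError("multi-valued RDNs are not supported by this parser")
        else:
            buf += ch.encode("utf-8")
            i += 1
    if attr_type is None:
        raise ValueError("RDN without '='")
    rdns.append((attr_type, buf.decode("utf-8")))
    return rdns


def matches_schema(dn: str) -> bool:
    """Check the DN's path from the root against the grammar above: an optional
    country, then a locality or organization, then any number of nested
    organizational units, then at most one leaf container (CN, UID, ...)."""
    types = [t.upper() for t, _ in reversed(parse_dn(dn))]   # root first
    i = 0
    if i < len(types) and types[i] == "C":
        i += 1
    if i < len(types) and types[i] in ("L", "O"):
        i += 1
        while i < len(types) and types[i] == "OU":
            i += 1
        if i < len(types) and types[i] not in ("C", "L", "O", "OU"):
            i += 1                                    # the container leaf
    return 0 < len(types) == i                        # everything consumed, nothing left over


if __name__ == "__main__":
    path = [("CN", "LUG"), ("OU", "Clubs"), ("O", "MIT"), ("C", "US")]
    print(build_dn(path))                                     # CN=LUG,OU=Clubs,O=MIT,C=US
    print(parse_dn("CN=Doe\\, Jane,OU=Clubs,O=MIT,C=US"))
    print(matches_schema("CN=LUG,OU=Clubs,O=MIT,C=US"), matches_schema("CN=LUG,C=US"))
```

The schema check is the page's grammar and nothing more; a real server enforces its schema through object classes and attribute syntaxes, which this example does not model.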

A really good reference for learning about schemas for use in LDAP can
be found at:

http://homes.ukoln.ac.uk/~lisap/ccsap/Directory/Docs/prep.html.

4. Using LDAP in your shtuff

There is no single "way" to use LDAP. It’s more of a methodology; see
these deployment considerations:

http://www.stanford.edu/~hodges/talks/mactivity.ldap.97/deplconsid1.html

Each language usually has its own hooks into LDAP.

C has a full client API: the ldap_* functions described in RFC 1823
and shipped as libldap with OpenLDAP.

Java uses the Java Naming and Directory Interface
(http://java.sun.com/products/jndi/).

A good step-by-step HOWTO can be found in Chapter 4 of IBM’s Redbook:
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg244986.pdf. It uses
the C API to walk through accessing an LDAP server.
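Whatever API you call LDAP through, the one thing every application does is build search filters, and the mistake every application can make is pasting user input straight into them. The following added example (not code from the original page or from any of the APIs it names) shows the vulnerable and the hardened form of a login filter side by side, and runs both against a small in-memory directory so the effect is visible without a server. The directory entries, the login function names and the password values are constructed for the example; the escaping rule is RFC 4515's, which the page does not cite. The parser/evaluator is a deliberately minimal model of the server: it understands "&", "|", "!", equality and "*" wildcards, and nothing else.

```python
import re

# Constructed sample directory (not from the original page): three entries of
# an address-book / login directory, kept in memory so the example runs offline.
DIRECTORY = [
    ("uid=alice,ou=People,o=MIT,c=US",
     {"uid": "alice", "cn": "Alice Example", "userPassword": "s3cret!"}),
    ("uid=bob,ou=People,o=MIT,c=US",
     {"uid": "bob", "cn": "Bob Example", "userPassword": "hunter2"}),
    ("uid=admin,ou=People,o=MIT,c=US",
     {"uid": "admin", "cn": "Directory Admin", "userPassword": "changeme"}),
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\xx, so user input
    can neither change the filter's structure nor turn into a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unsafe_login_filter(user: str, password: str) -> str:
    """The vulnerable pattern: untrusted text pasted straight into the filter."""
    return f"(&(uid={user})(userPassword={password}))"


def safe_login_filter(user: str, password: str) -> str:
    """The hardened form: every untrusted value passes through escape_filter_value()."""
    return f"(&(uid={escape_filter_value(user)})(userPassword={escape_filter_value(password)}))"


# --- a minimal RFC 4515 filter parser + evaluator, enough to show the effect ---

def parse_filter(text: str):
    node, rest = _parse(text)
    if rest:
        raise ValueError(f"trailing data after filter: {rest!r}")
    return node


def _parse(s: str):
    """Recursive descent; returns (node, remaining_text). Nodes are
    ('&', kids), ('|', kids), ('!', [kid]) or ('=', attr, value)."""
    if not s.startswith("("):
        raise ValueError("expected '('")
    s = s[1:]
    if s[:1] in ("&", "|"):
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, kids), s[1:]
    if s[:1] == "!":
        kid, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return ("!", [kid]), s[1:]
    end = s.find(")")            # escaped parens are \28/\29, so this is the real close
    if end < 0:
        raise ValueError("unbalanced filter")
    attr, _, value = s[:end].partition("=")
    return ("=", attr.strip().lower(), value), s[end + 1:]


def _value_pattern(value: str):
    """Assertion value -> regex. An unescaped '*' is a wildcard; \\xx escapes are
    decoded *after* splitting on '*', so an escaped star stays a literal star."""
    unescape = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    return re.compile(".*".join(re.escape(unescape(p)) for p in value.split("*")), re.IGNORECASE)


def matches(node, attrs: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, attrs) for k in node[1])
    if kind == "|":
        return any(matches(k, attrs) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    actual = next((v for k, v in attrs.items() if k.lower() == attr), None)   # attribute names are case-insensitive
    return actual is not None and _value_pattern(value).fullmatch(actual) is not None


def search(filter_text: str) -> list:
    """Return the DNs of every directory entry the filter matches."""
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in DIRECTORY if matches(tree, attrs)]


if __name__ == "__main__":
    # Password bypass: an unescaped '*' matches any password, so admin "logs in".
    print(search(unsafe_login_filter("admin", "*")))      # ['uid=admin,ou=People,o=MIT,c=US']
    # Escaped, '*' is the literal character and nothing matches.
    print(search(safe_login_filter("admin", "*")))        # []
    # Enumeration: wildcards in both fields return the whole directory.
    print(search(unsafe_login_filter("*", "*")))
```

Two practical notes. First, escaping the value is the fix regardless of API: the C library, JNDI and every other binding hand your filter string to the server as-is, so none of them will escape for you unless you use a parameterised helper the binding explicitly documents. Second, comparing a cleartext userPassword in a filter is itself a design smell; real deployments authenticate with a bind operation and let the server do the password check, and the filter-injection point is then the search that looks the user's DN up before binding, which needs exactly the same escaping.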

5. Open Source Projects

OpenLDAP is perhaps the best known, not least because its name is the
one people search for. The project consists of a stand-alone LDAP
server (slapd), a replication server (slurpd), and client-application
libraries. The latest version is 2.1.8 as of this writing.

Installing and using OpenLDAP is fairly straight-forward. There is a
good online/HTML Administrator's Guide available from OpenLDAP’s site:

http://www.openldap.org/doc/

6. Other Open Source Projects

7. Resources