Lightweight Directory Access Protocol (LDAP); Why Use LDAP - Red Hat Enterprise Linux 3 Reference Manual

Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally
stored information over a network. It is based on the X.500 standard for directory sharing, but is less
complex and resource intensive. For this reason, LDAP is sometimes referred to as "X.500 Lite."
Like X.500, LDAP organizes information in a hierarchical manner using directories. These directories
can store a variety of information and can even be used in a manner similar to Network Information
Service (NIS), enabling anyone to access their account from any machine on the LDAP-enabled
network.
In many cases LDAP is used as a virtual phone directory, allowing users to easily access contact infor-
mation for other users. But LDAP is more flexible than a traditional phone directory, as it is capable of
referring a querent to other LDAP servers throughout the world, providing an ad-hoc global repository
of information. Currently, however, LDAP is more commonly used within individual organizations,
like universities, government departments, and private companies.
LDAP is a client/server system. The server can use a variety of databases to store a directory, each
optimized for quick and copious read operations. When an LDAP client application connects to an
LDAP server, it can either query a directory or attempt to modify it. In the event of a query, the
server either answers the query locally, or it can refer the querent to an LDAP server which does have
the answer. If the client application is attempting to modify information within an LDAP directory,
the server verifies that the user has permission to make the change and then adds or updates the
information.
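The request handling just described (a tree of entries keyed by distinguished name, a search that is either answered locally or turned into a referral to another server, and a modification that is applied only after a permission check) is modelled below as a small in-memory directory. This is an added illustration written for this page, not OpenLDAP code: the sample entries, the partner referral URL and the access rule that lets a user edit only their own entry are all constructed for the example.

```python
"""Toy model of the LDAP request handling described above: a directory
organised as a tree of distinguished names (DNs), searches answered locally
or via a referral to another server, and modifications gated by an access
check. Constructed illustration; not OpenLDAP's own code."""
from dataclasses import dataclass, field


def norm(dn):
    """Canonical form of a DN for comparison (whitespace and case folded)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def parts(dn):
    """RDN components, most specific first: 'uid=j,ou=p,dc=x' -> ['uid=j','ou=p','dc=x']."""
    return norm(dn).split(",")


def is_under(dn, base):
    """True when dn is base itself or lies beneath it in the tree."""
    d, b = parts(dn), parts(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


@dataclass
class Directory:
    suffix: str                                    # naming context held locally
    entries: dict = field(default_factory=dict)    # normalised DN -> attribute dict
    referrals: dict = field(default_factory=dict)  # foreign suffix -> LDAP URL
    write_acl: dict = field(default_factory=dict)  # normalised bind DN -> subtrees it may write

    def add(self, dn, **attrs):
        self.entries[norm(dn)] = dict(attrs)

    def search(self, base, scope="sub", filt=None):
        """The three outcomes in the text: local answer, referral, or nothing.
        Returns (result_name, payload) using LDAP result names."""
        if not is_under(base, self.suffix):
            for foreign, url in self.referrals.items():
                if is_under(base, foreign):
                    return ("referral", url)   # client re-asks the other server
            return ("noSuchObject", None)
        hits = []
        for dn, attrs in self.entries.items():
            if not is_under(dn, base):
                continue
            if scope == "base" and dn != norm(base):
                continue
            if scope == "one" and parts(dn)[1:] != parts(base):
                continue
            if filt is None or all(attrs.get(k) == v for k, v in filt.items()):
                hits.append(dn)
        return ("entries", sorted(hits))

    def can_write(self, bind_dn, target):
        """Owner may edit own entry; otherwise a granted subtree must cover the target."""
        bind_dn, target = norm(bind_dn), norm(target)
        if bind_dn == target:
            return True
        return any(is_under(target, b) for b in self.write_acl.get(bind_dn, []))

    def modify(self, bind_dn, target, changes):
        """Apply attribute changes only after the permission check the text describes."""
        key = norm(target)
        if key not in self.entries:
            return "noSuchObject"
        if not self.can_write(bind_dn, key):
            return "insufficientAccessRights"
        self.entries[key].update(changes)
        return "success"


def build_example():
    """Constructed sample: example.com held locally, partner.org known only by referral."""
    d = Directory(suffix="dc=example,dc=com")
    d.add("dc=example,dc=com", objectClass="domain")
    d.add("ou=People,dc=example,dc=com", objectClass="organizationalUnit")
    d.add("uid=jdoe,ou=People,dc=example,dc=com", uid="jdoe", mail="jdoe@example.com")
    d.add("uid=asmith,ou=People,dc=example,dc=com", uid="asmith", mail="asmith@example.com")
    d.add("cn=Manager,dc=example,dc=com", cn="Manager")
    d.referrals["dc=partner,dc=org"] = "ldap://ldap.partner.org/"  # hypothetical URL
    d.write_acl[norm("cn=Manager,dc=example,dc=com")] = ["dc=example,dc=com"]
    return d


if __name__ == "__main__":
    d = build_example()
    print(d.search("ou=People,dc=example,dc=com", filt={"uid": "jdoe"}))
    print(d.search("ou=Staff,dc=partner,dc=org"))
    print(d.modify("uid=jdoe,ou=People,dc=example,dc=com",
                   "uid=asmith,ou=People,dc=example,dc=com", {"mail": "x"}))
```

The result names (`referral`, `noSuchObject`, `insufficientAccessRights`, `success`) mirror the LDAP result codes a real server would return; the important point for an operator is that a query outside the local naming context is answered with a pointer to another server rather than an error, and that a modification is refused before any data is touched when the bound identity lacks write access to that part of the tree.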
This chapter refers to the configuration and use of OpenLDAP 2.0, an open source implementation of
the LDAPv2 and LDAPv3 protocols.

13.1. Why Use LDAP?

The main benefit of using LDAP is that information for an entire organization can be consolidated
into a central repository. For example, rather than managing user lists for each group within an or-
ganization, LDAP can be used as a central directory accessible from anywhere on the network. And
because LDAP supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS), sensitive
data can be protected in transit from prying eyes, provided that clients are configured to require an
encrypted connection rather than silently falling back to cleartext.
LDAP also supports a number of back-end databases in which to store directories. This allows
administrators the flexibility to deploy the database best suited for the type of information the server
is to disseminate. Because LDAP also has a well-defined client Application Programming Interface
(API), LDAP-enabled applications are numerous and increasing in both quantity and quality.
13.1.1. OpenLDAP 2.0 Feature Enhancements
OpenLDAP 2.0 includes a number of important features.
LDAPv3 Support — OpenLDAP 2.0 supports the Simple Authentication and Security Layer (SASL),
Transport Layer Security (TLS), and Secure Sockets Layer (SSL), among other improvements. Many
of the changes in the protocol since LDAPv2 are designed to make LDAP more secure.
IPv6 Support — OpenLDAP supports the next generation Internet Protocol version 6.
LDAP Over IPC — OpenLDAP can communicate within a system using interprocess communication
(IPC), in OpenLDAP's case a UNIX domain socket addressed with an ldapi:// URL. Because the
connection never leaves the host, it is not exposed to network eavesdropping, and the socket's file
permissions limit which local users can connect to it.
Updated C API — Improves the way programmers can connect to and use LDAP directory servers.
