A directory stores many different types of information. It can be used as a domain name system (DNS); it can store easily retrieved information about technical devices on a network, such as plotters and printers; and it can store information about persons, commonly known as "white pages" and "yellow pages." When storing data about persons, details such as a personal identifier and password can also be stored. The personal identifier in LDAP is called a "distinguished name." In UNIX and other operating systems, it is often called "userID." Neither of these terms is precise. It should be called "user name," i.e., the string you type when you log in. The UserID, instead, is the small number that UNIX, for example, uses internally to identify the user. In any case, when using LDAP, you call the personal identifier the "distinguished name."
The nature of user administration depends heavily on the product you are using. Some implementations know about user groups, roles, access control lists, and proprietary extensions. Consult the documentation that ships with the product you are using. Most commercial products offer tools for the administration of user accounts. With these tools, your users can maintain their own data, such as their phone or fax numbers.
User accounts can furthermore be used for authentication purposes. For example, a Web application could use the directory server to authenticate the user. Most UNIX operating systems offer the possibility of authenticating their users against an LDAP database. Another software system using LDAP is Samba. Samba allows you to mount file systems on UNIX systems as if they were "shares" on an NT server. It is possible to configure Samba to use the LDAP server for authentication instead of the NT primary domain controller.
Note that the LDAP protocol does not dictate a particular concept of user data. All of the data needed for user administration is stored in the LDAP directory using standard objects.
The next section shows an example of user administration using the Perl language plus the Net::LDAP modules presented in Chapter 6. The user data is stored in the object class inetOrgPerson, which makes user authentication possible. The information about groups is stored in the object class groupOfUniqueNames.
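As an added illustration that is not the book's own code, the following Net::LDAP script creates an inetOrgPerson user and a groupOfUniqueNames group and then authenticates the user the way a Web application should, by binding with the user's own distinguished name. The host, suffix, admin credentials and the CA store used by start_tls are assumptions.

```perl
# Added example (not from the book): inetOrgPerson user, groupOfUniqueNames group,
# and bind-based authentication with Net::LDAP. Host and DNs are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $host     = 'ldap.example.com';               # assumed directory host
my $base     = 'dc=example,dc=com';              # assumed suffix
my $admin_dn = "cn=Manager,$base";               # assumed admin DN
my $admin_pw = 'ADMIN-PASSWORD-PLACEHOLDER';

my $ldap = Net::LDAP->new($host) or die "connect: $@";
my $r = $ldap->start_tls(verify => 'require');   # keep passwords off the wire in clear
die 'start_tls: ' . $r->error if $r->code;
$r = $ldap->bind($admin_dn, password => $admin_pw);
die 'admin bind: ' . $r->error if $r->code;

# The user's distinguished name is the identifier LDAP authenticates against.
my $user_dn = "uid=jdoe,ou=people,$base";
$r = $ldap->add($user_dn, attrs => [
    objectClass  => [qw(top person organizationalPerson inetOrgPerson)],
    uid => 'jdoe', cn => 'Jane Doe', sn => 'Doe', mail => 'jdoe@example.com',
    userPassword => 'INITIAL-PASSWORD-PLACEHOLDER',
]);
die 'add user: ' . $r->error if $r->code;

# Membership is a list of member DNs in the group's uniqueMember attribute.
$r = $ldap->add("cn=webusers,ou=groups,$base", attrs => [
    objectClass => [qw(top groupOfUniqueNames)], cn => 'webusers',
    uniqueMember => [$user_dn],
]);
die 'add group: ' . $r->error if $r->code;
$ldap->unbind;

# What a Web application should do: look the uid up, then bind as that DN.
sub authenticate {
    my ($uid, $password) = @_;
    # An empty password turns a simple bind into an anonymous bind, so refuse it here.
    return 0 unless defined $password && length $password;
    my $c = Net::LDAP->new($host) or return 0;
    $c->start_tls(verify => 'require')->code and return 0;
    my $res = $c->search(base => "ou=people,$base", scope => 'one',
        filter => '(uid=' . escape_filter_value($uid) . ')', attrs => ['1.1']);
    return 0 if $res->code || $res->count != 1;   # unknown or ambiguous uid
    my $ok = !$c->bind($res->entry(0)->dn, password => $password)->code;
    $c->unbind;
    return $ok ? 1 : 0;
}
print authenticate('jdoe', 'INITIAL-PASSWORD-PLACEHOLDER') ? "login ok\n" : "login failed\n";
```

The search filter is escaped with escape_filter_value so that a uid supplied by the user cannot alter the filter, and the password is checked by the server during the bind rather than by comparing userPassword client-side.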