Chapter 17: Lightweight Directory Access Protocol (LDAP)


The Lightweight Directory Access Protocol (LDAP) is a method for organizing information in a hierarchical manner using directories. It can be thought of as a very simple database optimized for lookups. Once organized, the data can be accessed over a network. LDAP is based on the X.500 standard for directory sharing but is not as resource-intensive as X.500; in fact, LDAP is sometimes referred to as “X.500-lite.” LDAP directories can store a variety of information and can even be used to provide user authentication over a network in a manner similar to that of the Network Information Service (NIS), allowing a user to access his or her account from any machine on an LDAP-enabled network.

In most cases, however, LDAP is used simply as a virtual phone directory, allowing users to easily access contact information about other users. But LDAP goes beyond a traditional phone directory, because it is capable of propagating its directories to other LDAP servers throughout the world, providing global access to information. Currently, however, LDAP is more commonly used within individual organizations, like universities, government departments, and private companies.

LDAP is a client-server system. The server can use a variety of databases to store a directory, each optimized for many fast read operations. When an LDAP client application connects to an LDAP server, it can either query the directory or upload information to it. In the event of a query, the server either answers it from its own data or, if the requested part of the tree is held elsewhere, returns a referral pointing the client at the LDAP server that does hold it. If the client application is attempting to upload information to the directory, the server checks its access controls to verify that the client, as authenticated when it bound to the server, has permission to make the change, and only then adds or updates the information.

This chapter discusses the configuration and use of OpenLDAP 2.0, an open-source implementation of the LDAPv2 and LDAPv3 protocols.

Why Use LDAP?

The main benefit of LDAP is that information for an entire organization can be consolidated into a central repository. For example, rather than managing separate user lists for each group within an organization, you can use LDAP as a central directory accessible from anywhere on the network. And since LDAP supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS), sensitive data such as passwords can be encrypted in transit, provided the server is configured to offer TLS and clients are configured to use it rather than falling back to a cleartext connection.

LDAP also supports a number of back-end databases in which to store directories. This gives administrators the flexibility to deploy the database best suited to the type of information the server is to supply. Also, because LDAP has a well-defined Application Programming Interface (API), the number of LDAP-enabled applications is large and growing in both quantity and quality. On the negative side, LDAP can require some work to configure properly.

OpenLDAP 2.0 Feature Enhancements

OpenLDAP 2.0 includes a number of important features:

  • LDAPv3 Support — OpenLDAP 2.0 supports Simple Authentication and Security Layer (SASL), Transport Layer Security (TLS), and Secure Sockets Layer (SSL), among other improvements. Many of the changes in the protocol since LDAPv2 are designed to make LDAP more secure.

  • IPv6 Support — OpenLDAP supports the next-generation Internet Protocol version 6.

  • LDAP Over IPC — OpenLDAP can communicate within a system using interprocess communication (IPC): a local client connects to slapd over a Unix domain socket (an ldapi:// URL) rather than a TCP port, so the exchange never crosses a network interface and cannot be sniffed from the network.

  • Updated C API — Improves the way programs connect to and use an LDAP server.

  • LDIFv1 Support — Full compliance with the LDAP Data Interchange Format (LDIF) version 1.

  • Enhanced Stand-Alone LDAP Server — Includes an updated access control system, thread pooling, better tools, and much more.
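The LDIF format named in the last item is what the OpenLDAP command-line tools consume and produce: ldapadd and ldapmodify read LDIF to upload entries and changes to the server, and ldapsearch prints its results as LDIF. The following parser is added here as an illustration; it is not code from this guide or from OpenLDAP. It shows what a client has to do with an LDIFv1 file before any entry reaches the server: unfold continuation lines, decode base64 (`::`) values and recognise URL (`:<`) values. The URL case is the one to be careful with when the LDIF comes from an untrusted source, because a client that dereferences file:// URLs on behalf of whoever wrote the file will read any local file it has access to; the parser therefore hands the URL back unresolved. The sample LDIF, the example.com suffix and the jdoe entry are constructed for the example.

```python
import base64
import binascii
import re
from typing import Dict, List, Tuple, Union

# Constructed sample (not from the guide): version line, a comment, a folded
# line (continuation starts with one SPACE), a base64 value and a URL value.
SAMPLE_LDIF = """\
version: 1
# A person entry with a folded description and a base64 display name.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
description: This line is long enough that the exporter
  folded it onto a second line.
displayName:: SmFuZSBEb2UgKEpEKQ==
jpegPhoto:< file:///tmp/jdoe.jpg

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
"""

# Attribute description: a name or numeric OID, optionally with ;options.
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*$")
Value = Union[str, bytes, Tuple[str, str]]  # plain, base64-decoded, ("url", u)


def _unfold(text: str) -> List[str]:
    """Join continuation lines (leading SPACE) onto the line before them."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not lines or lines[-1] == "":
                raise ValueError("continuation line with nothing to continue")
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _parse_value(spec: str) -> Value:
    # spec is everything after the first ':' of an attrval line.
    if spec.startswith(":"):  # '::' base64-encoded value
        try:
            return base64.b64decode(spec[1:].strip(" "), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 value: {exc}") from exc
    if spec.startswith("<"):  # ':<' value to be fetched from a URL
        # Deliberately not dereferenced: fetching file:// URLs found in untrusted
        # LDIF would read arbitrary local files for whoever wrote the file.
        return ("url", spec[1:].strip(" "))
    value = spec.lstrip(" ")
    # Plain values may not start with ':' or '<' or contain NUL (use base64).
    if value[:1] in (":", "<") or "\x00" in value:
        raise ValueError(f"value must be base64-encoded: {value!r}")
    return value


def _parse_record(lines: List[str]) -> Dict[str, object]:
    """Turn the logical lines of one record into a dn plus attributes."""
    if not lines[0].lower().startswith("dn:"):
        raise ValueError(f"record must start with dn:, got {lines[0]!r}")
    dn = _parse_value(lines[0][3:])
    if isinstance(dn, tuple):
        raise ValueError("dn cannot be given by URL")
    attrs: Dict[str, List[Value]] = {}
    for line in lines[1:]:
        name, sep, spec = line.partition(":")
        if not sep or not _ATTR_RE.match(name):
            raise ValueError(f"malformed attrval line: {line!r}")
        # LDAP attribute names are case-insensitive; normalise to lower case.
        attrs.setdefault(name.lower(), []).append(_parse_value(spec))
    return {"dn": dn.decode("utf-8") if isinstance(dn, bytes) else dn,
            "attributes": attrs}


def parse_ldif(text: str) -> List[Dict[str, object]]:
    """Parse LDIF version 1 content records; raise ValueError on bad input."""
    records: List[List[str]] = []
    current: List[str] = []
    for ln in _unfold(text):
        if ln.startswith("#"):  # comments are dropped only after unfolding
            continue
        if ln == "":
            if current:
                records.append(current)
                current = []
        else:
            current.append(ln)
    if current:
        records.append(current)
    if records and records[0][0].lower().startswith("version:"):
        if records[0][0].partition(":")[2].strip() != "1":
            raise ValueError(f"unsupported LDIF version: {records[0][0]!r}")
        del records[0][0]
        if not records[0]:  # the version line stood alone before a blank line
            records.pop(0)
    return [_parse_record(rec) for rec in records]


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"], entry["attributes"])
```

Run it directly to print the two parsed entries. Feeding it the output of ldapsearch shows how real exports fold long values and base64-encode anything that is not a plain printable string; a value that arrives as a URL should only be fetched after you have decided the file's author is trusted.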




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc
