Introduction to LDAP (Lightweight Directory Access Protocol)
© Copyright Manning Publications Co. All rights reserved.
Introduction to LDAP
1.1 What LDAP is
1.2 What LDAP is not
1.3 Current applications
1.4 Brief history
1.5 LDAP revisions and other standards
1.6 Directory management
1.7 Directory integration
1.8 Integration and federation via virtual directory technology
1.9 Why this book?
In this chapter, we introduce the Lightweight Directory Access Protocol (LDAP) and attempt to answer the following questions:
- What is LDAP? Who needs it? How is it used?
- What are directory services? Where do they fit in the grand scheme of things? Which ones exist? What is their relation to LDAP?
- What are common issues in planning and deploying directory services?
- Where do metadirectories, provisioning tools, and virtual directories fit with LDAP?
- What standards organizations and industry consortia are responsible for further development of directory services and LDAP standards?
1.1 WHAT LDAP IS
LDAP is a standard that computers and networked devices can use to access common information over a network. The ability to provide network access to data in itself does not make LDAP stand out from dozens of other protocols defined for data access, such as Hypertext Transfer Protocol (HTTP). As you will see in this chapter and those following, a number of features and vendor efforts make LDAP very well-suited for access and updates to many types of common information.
For example, information about employees might be stored in a directory so that people and applications can locate their contact information. Such contact information might include email addresses and fax numbers, and the same entries might also hold additional data used to identify employees unambiguously when they attempt to access enterprise applications.
1.1.1 Directory services and directory servers
A directory is simply a collection of information. For example, the telephone book is a directory used by virtually everyone to find telephone numbers.
Directory services provide access to the information in a directory. A simple directory service that most people use from time to time is the directory assistance offered by most telephone companies. By dialing a telephone number, anyone can receive instant access to information in the telephone directory.
In the computer world, directories exist everywhere. The Unix password file can be considered a directory of computer accounts. The Domain Name System (DNS) acts as a directory service providing information about network hosts.
Computer applications often have their own directories. The Apache web server can store usernames and passwords in a data file, which is thus a directory of users. Customer information stored in a database can also be considered directory information if it is shared with applications outside a single program or system.
Directory servers are applications that primarily act as directory services, providing information from a directory to other applications or end users. This functionality is most applicable in client/server environments, where the service may be located remotely from the calling application or system. For example, on Unix or Linux computers running the Network Information Service (NIS), the ypserv program can be considered a directory server.
1.1.2 LDAP and directory services
LDAP provides client-server access to directories over a computer network and is therefore a directory service. In addition to offering the ability to search and read information, it defines a way to add, update, and delete information in a directory.
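To make the client-server exchange concrete, here is an added example (not code from the book) that builds LDAPv3 messages in their BER wire format using only the Python standard library: a simple BindRequest, a SearchRequest with an equality filter, and a decoder for the server's BindResponse. The base DN, filter values and the two sample BindResponse byte strings are constructed for illustration; the encoder covers only the fields shown (no controls, no SASL). The comment on the bind shows the practitioner's caveat: a simple bind carries the password as a plain octet string, so without TLS it is readable on the wire.

```python
"""Minimal LDAPv3 wire-format (BER) encoder/decoder for BindRequest,
SearchRequest and BindResponse. Standard library only; illustrative."""


# --- BER primitives -------------------------------------------------------
def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """INTEGER (or ENUMERATED with tag 0x0A) in minimal two's complement."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def ber_str(s: str, tag: int = 0x04) -> bytes:
    """OCTET STRING (LDAPDN, AttributeDescription, values are all octet strings)."""
    return tlv(tag, s.encode("utf-8"))


def ber_bool(b: bool) -> bytes:
    return tlv(0x01, b"\xff" if b else b"\x00")


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, ber_int(msg_id) + protocol_op)


# [APPLICATION 0], [APPLICATION 1], [APPLICATION 3], all constructed
BIND_REQUEST, BIND_RESPONSE, SEARCH_REQUEST = 0x60, 0x61, 0x63


# --- Requests --------------------------------------------------------------
def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Simple bind. The password is sent as a plain OCTET STRING; unless the
    session is protected by TLS (ldaps:// or StartTLS) it crosses the network
    in cleartext. An empty DN and password is an anonymous bind."""
    auth = ber_str(password, tag=0x80)  # authentication simple [0] OCTET STRING
    return ldap_message(msg_id, tlv(BIND_REQUEST, ber_int(3) + ber_str(dn) + auth))


def filter_equality(attr: str, value: str) -> bytes:
    """Filter equalityMatch [3] AttributeValueAssertion, e.g. (mail=jdoe@example.com)."""
    return tlv(0xA3, ber_str(attr) + ber_str(value))


def filter_present(attr: str) -> bytes:
    """Filter present [7] AttributeDescription, e.g. (mail=*)."""
    return ber_str(attr, tag=0x87)


def search_request(msg_id: int, base_dn: str, filt: bytes, attrs: list, scope: int = 2) -> bytes:
    """SearchRequest: scope 0 = baseObject, 1 = singleLevel, 2 = wholeSubtree."""
    body = (ber_str(base_dn)
            + ber_int(scope, tag=0x0A)
            + ber_int(0, tag=0x0A)       # derefAliases: neverDerefAliases
            + ber_int(0) + ber_int(0)    # sizeLimit, timeLimit: server defaults
            + ber_bool(False)            # typesOnly: return values, not just names
            + filt
            + tlv(0x30, b"".join(ber_str(a) for a in attrs)))  # AttributeSelection
    return ldap_message(msg_id, tlv(SEARCH_REQUEST, body))


# --- Decoding --------------------------------------------------------------
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, p)
    if op_tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, p = read_tlv(op)
    _, matched, p = read_tlv(op, p)
    _, diag, _ = read_tlv(op, p)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),  # 0 = success, 49 = invalidCredentials
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


# Constructed sample replies (not captured from a real server):
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")    # success, messageID 1
SAMPLE_BIND_FAIL = bytes.fromhex("300c02010261070a013104000400")  # invalidCredentials, messageID 2

if __name__ == "__main__":
    print(bind_request(1, "", "").hex())          # anonymous bind
    print(parse_bind_response(SAMPLE_BIND_FAIL))
```

The anonymous bind produced by `bind_request(1, "", "")` is the familiar fourteen-byte sequence `300c020101600702010304008000` that shows up at the start of most LDAP captures; decoding the sample replies shows how a client learns whether the bind succeeded before it issues its search.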
Two general types of directory server software implement the LDAP standards:
- Stand-alone LDAP servers
- LDAP gateway servers
Stand-alone LDAP servers focus exclusively on LDAP as their only access mechanism; their proprietary internal data stores are tuned for LDAP access. These are typically what people mean when they use the words LDAP server.
Instead of being tied to a local data store, LDAP gateway servers translate between LDAP and some other native network protocol or application program interface (API) to provide access to directory information that is more directly available via other means. One example is the original use of LDAP: to gateway to other directory services supporting the X.500 standards. Another more modern example of such an LDAP gateway is a server that provides LDAP access to information residing in Oracle database tables.
Figure 1.1 illustrates the two types of services that can be used to provide LDAP-enabled directory services.
LDAP directories and LDAP gateways are different types of products that provide LDAP-enabled directory services.
The examples throughout this book will not address one type of server over the other—the idea behind LDAP is that it shouldn't matter where the end data is stored, as long as the client and server can use LDAP to communicate that information in a standard way understood by both sides.
In addition, we will focus primarily on accessing and managing information and services through the LDAP protocol. Each directory server product is installed and configured differently, usually in ways that are well-documented in product manuals. It would be of little use to duplicate such information, because installation and configuration of the software is relatively trivial.
1.1.3 Other directory services
LDAP is not alone in providing computerized directory services. It is also not the first or even the most completely defined directory service.
Other directory services that have been popular in the past, and that are still in use in many organizations, include those based on standards such as X.500, WHOIS, NIS, PH/QI, and various proprietary directories from companies such as Novell, Banyan, and others.
X.500 is a set of standards that originated in the late 1980s, with significant updates as late as 2001. The standards are extensive and cover everything from access to replication. In many respects, X.500 is the more mature specification: it standardizes multimaster replication and access control, areas that the LDAP standards leave to individual implementations. Its relative complexity, however, has made it less popular as an access protocol. It is still widely deployed, and a number of vendors sell servers that support these standards. These vendors tend to use X.500-based protocols for interoperability between servers, while exposing the data to clients through an LDAP gateway.
WHOIS was an early attempt at a simple protocol for Internet-accessible white pages. The services supporting this protocol took a simple string and returned free-form text in response. A WHOIS server could be written on most operating systems in a short amount of time, but the lack of a standard data representation made it difficult to do anything but display the results as they arrived. This limitation makes programmatic use of the resulting data in non-white-pages applications very difficult.
NIS, originally called Yellow Pages (YP), was Sun's remote procedure call (RPC)-based operating system directory. Most Unix-based servers support some variant of this protocol. It offers a relatively simple replication model and access protocol, as well as the ability to discover servers on a local network; its creation was driven by the growth of client-server computing, where a user might need an account on a number of servers. However, it was not well-suited for wide area networks (WANs), offered little in the way of security, and was not easily extensible for storing additional information in existing maps.
PH/QI was very popular at about the time HTTP became widely used. It was a multipurpose client-server directory service developed by Paul Pomes at the University of Illinois at Urbana-Champaign (UIUC). It was especially popular at universities in North America and was used to store not only white pages information, but also information that could be used for security, such as logins and credentials. One of the earliest applications to take advantage of the Common Gateway Interface (CGI) that shipped with the original National Center for Supercomputing Applications (NCSA) HTTP server was a gateway that presented an HTML interface to a PH server. Some mail applications, such as Eudora, were also able to perform PH queries for address books. LDAP's acceptance in the industry curtailed any serious move to PH/QI; in addition, the service was somewhat limited. The protocol was relatively simple and text-based; it was easy to access programmatically but designed to run on a central server, limiting its scalability and scope.
Banyan was an early leader in MS-DOS/Windows operating system directories, but it didn't fare well as Microsoft and Novell became more directory-aware. Banyan eventually changed its name to ePresence and is currently one of the larger integrators focused on directory services.
Novell based the proprietary directory service for its NetWare Network Operating System (NOS) on the X.500 standards. NetWare's directory has long been regarded as one of the more solid operating system directories, and Novell has a long history of directory integration in its products. As LDAP picked up steam, Novell separated the NOS from the directory and created eDirectory; it is now a popular LDAP-enabled directory service with the broadest platform support of any directory services vendor's product.