The Lightweight Directory Access Protocol (LDAP) is a standard describing access to directory services. LDAP was derived from the X.500 Directory Services model of the OSI (Open Systems Interconnection) suite, whose access protocol is known as DAP (Directory Access Protocol). DAP runs over the OSI network protocol stack. LDAP's overall data and namespace model is quite similar to X.500's. The major difference is that LDAP is designed to run directly over the TCP/IP stack, which is what makes it "lightweight". The current version, LDAP v3 (specified by the IETF in RFC 3377, since superseded by RFC 4510), includes important security enhancements, notably SASL authentication mechanisms and StartTLS for protecting the connection.
LDAP is a protocol, not a database. A protocol describes the messages used to access a certain kind of data. The data itself can be stored in a variety of backend data stores, with the LDAP protocol serving as a standardized query interface. LDAP also provides a data model that standardizes the naming and organization of the data. Finally, LDAP servers are optimized for reads, since the main purpose of this service is to answer queries about relatively non-volatile data; writes are comparatively expensive and infrequent.
The LDAP information model structures data as a tree, the Directory Information Tree (DIT). An entry in the DIT corresponds to a node in the tree; it is a set of attributes and belongs to one or more object classes, named by its objectClass attribute. An object class defines which attributes are required and which are optional, and each attribute type defines the syntax (encoding) and the matching rules used when searching, for example whether a comparison is case-sensitive. The object class and attribute type definitions together make up the LDAP schema, and a server rejects an entry that violates it.
LDAP provides globally unique naming. By following a path from a node back to the root of the DIT, a unique name is built, referred to as that node's distinguished name (DN). Each step along the path contributes one relative distinguished name (RDN), such as uid=jhc, and the DN is written leaf first. Figure shows an example DIT. Following the path from the gray dotted arrow up to the base DN, the distinguished name "uid=jhc,ou=people,dc=uab,dc=edu" is built. The name is globally unique because the base DN is derived from a registered DNS domain (dc=uab,dc=edu for uab.edu), so two organizations' directories cannot collide; within a directory, a DN is unique because each entry hangs under exactly one existing parent.
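The DIT, DN and schema concepts above, as an added worked example that is not code from the cookbook: a toy in-memory directory that parses DNs (including the RFC 4514 backslash escape), refuses orphan and duplicate entries, checks entries against a constructed subset of the standard object classes (domain, organizationalUnit, inetOrgPerson), and answers searches with the three LDAP scopes. The schema fragment, the cn/sn/mail values and the helper names are assumptions made for this illustration; only the DN uid=jhc,ou=people,dc=uab,dc=edu comes from the text.

```python
"""Toy Directory Information Tree (DIT): DN parsing, schema MUST/MAY checks
and scoped search. Added example, not code from the cookbook; the schema
fragment and the sample entries are constructed for illustration."""

# Constructed subset of the standard object classes: name -> (MUST, MAY),
# with attribute names lower-cased. Real schemas carry many more attributes.
SCHEMA = {
    "domain": ({"dc"}, set()),
    "organizationalunit": ({"ou"}, {"description"}),
    "inetorgperson": ({"cn", "sn"}, {"uid", "mail", "userpassword"}),
}


def parse_dn(dn: str) -> list:
    """Split 'uid=jhc,ou=people,dc=uab,dc=edu' into (type, value) RDNs, leaf
    first. Honours the RFC 4514 backslash escape, so 'cn=Doe\\, John' stays
    one RDN; multi-valued RDNs (a=1+b=2) are not handled in this toy."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: literal
            cur += dn[i + 1]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((attr.strip().lower(), value.strip()))
    return out


def dn_key(dn: str) -> tuple:
    """Canonical key: types lower-cased, values case-folded (caseIgnoreMatch,
    the matching rule for cn, ou and dc), leaf RDN first."""
    return tuple((a, v.lower()) for a, v in parse_dn(dn))


def dn_string(key: tuple) -> str:
    """Rebuild a DN string from a key, re-escaping commas inside values."""
    return ",".join(a + "=" + v.replace(",", "\\,") for a, v in key)


def check_schema(entry: dict) -> list:
    """Schema violations for an entry (lower-cased attrs, multi-valued):
    unknown objectClass, missing MUST attribute, attribute allowed by no class."""
    problems, allowed = [], {"objectclass"}
    classes = [c.lower() for c in entry.get("objectclass", [])]
    for oc in classes:
        if oc not in SCHEMA:
            problems.append(f"unknown objectClass {oc}")
            continue
        must, may = SCHEMA[oc]
        problems += [f"{oc} requires {a}" for a in sorted(must) if a not in entry]
        allowed |= must | may
    problems += [f"{a} not allowed by {classes}" for a in entry if a not in allowed]
    return problems


class DIT:
    def __init__(self, base_dn: str):
        self.base = dn_key(base_dn)
        self.entries = {}

    def add(self, dn: str, entry: dict) -> None:
        key = dn_key(dn)
        # A DN is unique because every node hangs under an existing parent:
        # refuse orphans and duplicates, as a real server does.
        if key != self.base and key[1:] not in self.entries:
            raise LookupError(f"parent of {dn} does not exist")
        if key in self.entries:
            raise LookupError(f"{dn} already exists")
        attr, value = key[0]   # the naming attribute must be in the entry
        if value not in [v.lower() for v in entry.get(attr, [])]:
            raise ValueError(f"RDN {attr}={value} not among the entry's values")
        problems = check_schema(entry)
        if problems:
            raise ValueError("; ".join(problems))
        self.entries[key] = entry

    def search(self, base: str, scope: str) -> list:
        """DNs selected by search scope: 'base' is the entry itself, 'one'
        its immediate children, 'sub' the whole subtree."""
        b, hits = dn_key(base), []
        for key in self.entries:
            if scope == "base" and key == b:
                hits.append(key)
            elif scope == "one" and key[1:] == b:
                hits.append(key)
            elif scope == "sub" and len(key) >= len(b) and key[len(key) - len(b):] == b:
                hits.append(key)
        return sorted(dn_string(k) for k in hits)


def build_example() -> DIT:
    """The cookbook's example tree; cn, sn and mail values are constructed."""
    dit = DIT("dc=uab,dc=edu")
    dit.add("dc=uab,dc=edu", {"objectclass": ["domain"], "dc": ["uab"]})
    dit.add("ou=people,dc=uab,dc=edu",
            {"objectclass": ["organizationalUnit"], "ou": ["people"]})
    dit.add("uid=jhc,ou=people,dc=uab,dc=edu",
            {"objectclass": ["inetOrgPerson"], "uid": ["jhc"],
             "cn": ["Example User"], "sn": ["User"], "mail": ["jhc@example.org"]})
    return dit
```

Keys are tuples of RDNs rather than strings so that subtree and child tests never confuse an escaped comma inside a value with an RDN separator; a production client should still leave DN handling to its LDAP library.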
Access via the LDAP protocol consists of bind operations (authentication), searches (queries), and updates (add, modify, delete). Authorization to access data is managed using access control lists (ACLs). Two caveats a deployer should keep in mind: ACLs are not part of the LDAP standard, so their syntax and semantics differ from one server implementation to another; and a simple bind sends the password in the clear, so it should only be used over TLS (LDAPS or StartTLS). A bind that supplies a DN with an empty password is an "unauthenticated" bind, which RFC 4513 recommends servers reject by default; a server that instead treats it as success is a classic authentication bypass for applications that forward a blank password field.
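The bind and ACL mechanics described above, as an added example that is not code from the cookbook or from any LDAP server: a toy simple-bind routine that verifies passwords stored in the OpenLDAP {SSHA} layout, refuses unauthenticated (DN, empty password) binds, and returns the same error for unknown and wrong credentials; plus a first-match access evaluator in the spirit of OpenLDAP's "access to" directives, with the "auth" level that lets a value be used for binding but never read back. The entries, passwords, rule tuples and level names are constructed assumptions and match no product's configuration syntax.

```python
"""Toy LDAP simple bind and access-control evaluation. Added example, not
code from the cookbook: the {SSHA} layout follows the OpenLDAP convention,
while the entries, passwords and ACL rule format are constructed."""
import base64
import hashlib
import hmac
import os

PEOPLE = "ou=people,dc=uab,dc=edu"
JHC = "uid=jhc," + PEOPLE            # DN from the cookbook's example
ADMIN = "uid=admin," + PEOPLE        # constructed administrator DN


def ssha_hash(password: str, salt: bytes = None) -> str:
    """{SSHA} as stored by OpenLDAP: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]         # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


# Constructed entries keyed by DN in canonical lower-case form.
DIRECTORY = {
    JHC: {"cn": ["Example User"], "mail": ["jhc@example.org"],
          "userpassword": [ssha_hash("correct horse battery", b"s4lt")]},
    ADMIN: {"cn": ["Directory Manager"],
            "userpassword": [ssha_hash("admin-secret-example", b"sALT")]},
}


def simple_bind(dn: str, password: str) -> str:
    """Authenticate a simple bind and return the resulting identity.
    Empty DN and password: anonymous. DN with empty password: an
    'unauthenticated' bind (RFC 4513 section 5.1.2), refused here because a
    server that grants it lets any application that forwards a blank
    password field log in as any user."""
    if dn == "" and password == "":
        return "anonymous"
    if password == "":
        raise PermissionError("unauthenticated bind refused")
    entry = DIRECTORY.get(dn.lower())
    hashes = entry.get("userpassword", []) if entry else []
    # Same error for an unknown DN and a wrong password, so a bind attempt
    # does not disclose which DNs exist.
    if not any(ssha_verify(password, h) for h in hashes):
        raise PermissionError("invalidCredentials")
    return dn.lower()


# Rules are evaluated top to bottom and the first matching
# (subtree, attributes, subject) decides, so order is part of the policy.
LEVELS = {"none": 0, "auth": 1, "read": 2, "write": 3}
ACL = [
    (PEOPLE, {"*"}, ADMIN, "write"),                # administrator: everything
    (PEOPLE, {"userpassword"}, "self", "write"),    # users change own password
    (PEOPLE, {"userpassword"}, "*", "auth"),        # usable for bind, never read
    (PEOPLE, {"*"}, "self", "write"),               # users edit own entry
    (PEOPLE, {"*"}, "users", "read"),               # any bound user may read
    ("dc=uab,dc=edu", {"*"}, "*", "none"),          # anonymous gets nothing
]


def access(who: str, target_dn: str, attr: str, needed: str) -> bool:
    """Does identity 'who' (as returned by simple_bind) get 'needed' access
    to attribute 'attr' of entry 'target_dn'?"""
    target, attr = target_dn.lower(), attr.lower()
    for subtree, attrs, subject, level in ACL:
        if target != subtree and not target.endswith("," + subtree):
            continue
        if "*" not in attrs and attr not in attrs:
            continue
        if subject == "self":
            if who != target:
                continue
        elif subject == "users":
            if who == "anonymous":
                continue
        elif subject != "*" and subject != who:
            continue
        return LEVELS[level] >= LEVELS[needed]
    return False                                    # no rule matched: deny
```

Move the administrator rule below the two userpassword rules and even the administrator loses the ability to reset passwords, which is the point of the first-match design: the effective policy is the rule order, not the set of rules, and it must be reviewed as such.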
This very brief summary is intended to give you enough vocabulary to read this cookbook. The resources section at the end lists a number of excellent books and white papers with more thorough information. A handy website for learning more about LDAP schema is Alan Knowles' LDAP Schema Viewer (http://ldap.akbkhome.com). Another useful tool is Jarek Gawor's LDAP Browser/Editor software (http://www.iit.edu/~gawojar/ldap/), available from the Illinois Institute of Technology. This freely available software provides a user-friendly, Windows Explorer-like interface to LDAP directories, with tightly integrated browsing and editing for LDAP v2 and v3 servers.