Could someone please explain LDAP?

I often hear things like "Can we load our employee info using LDAP?" Yet, the title "Lightweight Directory Access Protocol" makes me think of it as a protocol rather than a physical database management system like Oracle or MSSQL.

So could someone please explain to me what LDAP is, how it's used, and how it basically works? Is LDAP simply a standard protocol for extracting data from a variety of DBMSs? In an architecture diagram, would LDAP be simply an arrow drawn between the DB and the application server?

LDAP is a protocol for querying user directories. For example, Active Directory or Novell eDirectory both support LDAP. It is also, to a degree a syntax for doing such queries, like how SQL is a querying language for querying databases.

An LDAP command could look like

(givenName=Mike)

And it would return all Mikes in the directory.

LDAP is usually used as authentication database. Let's say you have CMS product you sell as Software-as-a-Service. So user gets CMS and you maintain it etc.

So, you install it to examplecustomer1.com, examplecustomer2.org, examplecustomer3.net (one software per domain). Now you have THREE user databases to maintain. So you add yourself to all systems as admin and customers accounts as well.

Then you discover LDAP. You add LDAP support to your product and now you have one central database of users. You can login as admin to all systems with your own ONE username and password. CMS system still contains user database and rights for each user but username is now used as reference to LDAP database and password field is deleted from CMS database schema.

Yes, LDAP (Lightweight Directory Access Protocol) is a protocol that runs on TCP/IP.

It is used to access directory services, like Microsoft's Active Directory, or Sun ONE Directory Server.

A directory service is a kind of database or data store, but not necessarily a relational database. The structure is usually much simpler, storing hierarchical collections of name-value pairs, e.g. lastName=Smith, firstName=John.

LDAP IS a protocol, but many people I know like to overload its meaning to include "any store capable of responding to LDAP queries." Active Directory is such a store, and there are many others. It is used when architects don't really care what the store is. It's used in the same as if you were to say "Store it in the SQL" when you don't care whether it's MySql or Oracle or SQL Server.

LDAP stands for Lightweight Directory Access Protocol. This is an extensible open network protocol standard that provides access to distributed directory services. LDAP is an Internet standard for directory services that run on TCP/IP. Under OpenLDAP and related servers, there are two servers – slapd, the LDAP daemon where the queries are sent to and slurpd, the replication daemon where data from one server is pushed to one or more slave servers. By having multiple servers hosting the same data, you can increase reliability, scalability, and availability.

It defines the operations one may perform like search, add, delete, modify, change name It defines how operations and data are conveyed.

LDAP has the potential to consolidate all the existing application specific information like user, company phone and e-mail lists. This means that the change made on an LDAP server will take effect on every directory service based application that uses this piece of user information. The variety of information about a new user can be added through a single interface which will be made available to Unix account, NT account, e-mail server, Web Server, Job specific news groups etc. When the user leaves his account can be disabled to all the services in a single operation.

So LDAP is most useful to provide “white pages” (e.g. names, phone numbers, roles etc) and “yellow pages” (e.g. location of printers, application servers etc) like services. Typically in a J2EE application environment it will be used to authenticate and authorise users.

LDAP is a protocol created in response to the complexity of the X.500 family of protocols. It is intended to represent a hierarchical directory structure. The X.500 standard was originally intended to be used over a complete OSI layer stack and was created to fulfill the requirements of the telecom industry. LDAP was designed to use TCP/IP to provide similar functionality without the extra overhead. You can find information on X.500, OSI and LDAP on wikipedia. X.500 and OSI are both covered in most data communications textbooks as well.

• http://en.wikipedia.org/wiki/X.500
• http://en.wikipedia.org/wiki/Open_Systems_Interconnection
• http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

What is LDAP:

All LDAP is a communication protocol which Microsoft implemented for the Active directory directory service and is used for other NTDS.DIT files. Lets get the confusion out of the way. NTDS.DIT contains Active Directory database. To ACCESS the data base you need the communication protocol LDAP. Thats it. So again NTDS.DIT is a simple database i.e ADDS Database (Active Director Directory Services) How do we access it?

We access it using LDAP.

lets use LDAP quick example.
C:/users/data.doc

or

> LDAP Syntax > > > CN=Bob,OU=Users,DC=Youtube,DC=Com > > CN = Canonical Name (object or name) > > OU = Organizational Unit (Folder in Active directory) > > DC = Domain Controller (Where it is)

Other info: Active directory is database based on the X.500 Standard which contains all the AD object which is the NTDS.DIT file.

LDAP is an internet protocol, which is used to look up data from a server, this protocol is used to store as well as retrive the information from the hierarchical directory structure. LDAP also follow a data model whch is hierarchical type. In simple term we can say its a hierarchical database where data is stored in tree like structure where leaf node hold the actual data.

LDAP never define how program function either on the client or server but it explain more about the type of messages that will be used to communicte between client and server. Message can be client requested information , server response and format of the data. These messages arepassed over TCP/IP protocal. So there should be some operation exist that will established a session connection and disconnect it after the operation completion between client and server. LDAP can bes used in the cased where large number of read operations and less number of write operation is required. For example User Authentication as we know that User Name and password are not change so frequently.

LDAP Operations Process

To start the communication, the client needs to create a session with a server. This process is called as binding. To bind to the server, the client has to specify the IP address or the host name and TCP/IP port-no, where the server is attending. The client can also provide credentials like username and password to ensure proper authentication with the server. Alternatively, the client can also create an anonymous session by using default access rights. Or both parties can establish a session which uses stronger security processes like data encryption. Once the session gets established, the client then performs its intended operation on directory data. In LDAP the directory information can be managed and queried as it provides read as well as update capabilities. The client closes the session when it finished making a request. This process is called as unbinding. LDAP Modes LDAP majorly relies on to the Data Models like

Information model The directory includes the basic unit of information and it is known as entry, which represents a real-world object like servers, people and so on. Entries include collection of attributes which define information about the object. Each attribute includes Type associated with syntax, and one or more values. The following diagram illustrates the relationship between entry and its attributes and their type & value:

Naming model The naming model of LDAP denotes how entries are recognized and organized. In LDAP the entries are organized in a hierarchical or tree-like structure called DIT (Directory Information Tree). The entries are ordered within the DIT according to their DN (Distinguishable Name), a unique name which clearly identifies a single entry.

Functional Model
LDAP defines operations requested by a client and can be divided into three categories. They are:

   1.  Query which is used to fetch information from a directory. Include operations like search and                   compare.

   2. Update which is used to update the information stored in the directory. Include operations like                add, modify and delete.

   3. Authentication which is  used to connect and disconnect with a server, create access rights and                preserve information. Include operations like bind, unbind and abandon.

Security Model

In LDAP, the security model relies on the bind operation. Three different bind operations are                possible according to the security mechanisms applied. They are:

1. No Authentication

The simplest method but could only be applied when data security isn’t a problem and where no     access control permissions are tangled. For example, the directory includes the address book that     can be browsable by anyone. If the user left the DN and password field empty during the bind API     call, the server will automatically adopt anonymous user session, and grants access along with the     corresponding access controls described for this type of access.

2. Basic Authentication

Basic authentication is the alternative simple security mechanism used in LDAP and it is employed     in several other web-oriented protocols, like HTTP. In this approach, the client has to authenticate     itself to the LDAP server by the way of entering a password and DN that is transferred in a clear text     over the network. On the other end, the server compares the DN and password with the entries in     the directory. And grants access if the password matches. Moreover, the passwords in clear text     format can’t guarantee confidentiality; hence, may result in password disclosure to unauthorized     parties.

3. SASL (Simple Authentication and Security Layer)

This framework has been added to LDAP V3 which adds an additional authentication method to     connection-oriented protocols. This mechanism specifies a challenge & response protocol where the     client and server exchange some data to ensure authentication and establish the security layer upon     which the subsequent communication will be carried out. With SASL, LDAP protocol can support any     sort of authentication approved upon by an LDAP client and an LDAP server.

Yes, LDAP itself usually requires a lower level DB store. I suggest you get your hands dirty here:

If you just install OpenLDAP & play with it... http://www.openldap.org/doc/admin22/install.html

...you will be forced to consider the dependencies.

One of which is, in this case, SleepyCat.

Have fun.

For more fun, here is a good philosophical discussion on the taxonomy: http://archive.oreilly.com/pub/post/ldap_is_not_a_database.html

LDAP is basically a protocol to access a directory. Directory here basically refers to a directory having information of the users present in the organisation. Examples of directory include Microsoft's Active Directory (AD) and Oracle's Internet Directory (OID). The directory basically are used for implementing the single sign on feature for the organisation by centralising user authentication and authorisation. For more details refer the below links:

1. http://searchmobilecomputing.techtarget.com/definition/LDAP
2. https://eagledatagistics.com/what-is-enterprise-user-security-eus/