Lightweight Directory Access Protocol (LDAP) is an industry-standard software protocol that enables a user to locate organizations, individuals, as well as other resources such as files and devices, for example, within a network. The network may be the Internet, for example, or on a smaller scale, the network may be a corporate intranet. LDAP is essentially a “lightweight” version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. An advantage of LDAP is that it runs directly over Transmission Control Protocol/Internet Protocol (TCP/IP) and provides most of the functionality of DAP, however, at a much lower cost.
A directory provides information as to the location of a particular thing within the network. For example, on TCP/IP networks, which include the Internet, the Domain Name System (DNS) is the directory system used to relate the domain name to a specific network address, for example, a unique location in the network. LDAP allows a user to search for an individual, for example, without knowing the domain name or where that individual may be located within the network.
An LDAP directory is typically organized in a hierarchical tree-like structure that reflects political, geographical and/or organizational boundaries. For example, the directory may include countries at the top of the tree. These countries may then branch out into organizations, which may extend to organizational units, such as divisions, departments, etc., and then to individuals, such as people, files, documents and shared resources such as printers.
The Lightweight Directory Access Protocol (LDAP) has emerged as an IETF open standard to provide directory services to applications ranging from e-mail systems to distributed system management tools. LDAP is an evolving protocol that is based on a client-server model in which a client makes a TCP/IP connection to an LDAP server, sends requests, and receives responses. The LDAP information model in particular is based on an “entry,” which contains information about some object. Entries are typically organized in a specified tree structure, and each entry is composed of attributes.
LDAP provides a number of known functions including query for example search and compare, update, authentication etc. The search and compare operations are used to retrieve information from the database. For the search function, the criteria of the search are specified in a search filter. The search filter typically is a Boolean expression that consists of qualifiers including attribute name, attribute value and Boolean operators like AND, OR and NOT. Users can use the filter to perform complex search operations. For example, one type of filter syntax is defined in RFC 2254.
LDAP thus provides the capability for directory information to be efficiently queried or updated. It offers a rich set of searching capabilities with which users can put together complex queries to get desired information from a backing store. Increasingly, it has become desirable to use a relational database for storing LDAP directory data. Representative database implementations include DB/2, Oracle, Sybase, Informix and the like. As is well known, Structured Query Language (SQL) is the standard language used to access such databases.
LDAP directory server is a light weight directory server used to provide authentication, authorization and identity management and many other robust features to the end user. Directory server available in the field comes with a database used to store user data, and overall the directory server solution provided to the customer is heavy due to several modules attached to it, such as replication, proxy, remote authentication, etc.