Chapter 25. Lightweight Directory Access Protocol (LDAP)

Chapter 25. Lightweight Directory Access Protocol (LDAP)

25.1. Why Use LDAP?
25.1.1. OpenLDAP Features
25.2. LDAP Terminology
25.3. OpenLDAP Daemons and Utilities
25.3.1. NSS, PAM, and LDAP
25.3.2. PHP4, LDAP, and the Apache HTTP Server
25.3.3. LDAP Client Applications
25.4. OpenLDAP Configuration Files
25.5. The /etc/openldap/schema/ Directory
25.6. OpenLDAP Setup Overview
25.6.1. Editing /etc/openldap/slapd.conf
25.7. Configuring a System to Authenticate Using OpenLDAP
25.7.1. PAM and LDAP
25.7.2. Migrating Old Authentication Information to LDAP Format
25.8. Migrating Directories from Earlier Releases
25.9. Additional Resources
25.9.1. Installed Documentation
25.9.2. Useful Websites
25.9.3. Related Books

The Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500 standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as "X.500 Lite." The X.500 standard is a directory that contains hierarchical and categorized information, which could include information such as names, addresses, and phone numbers.

Like X.500, LDAP organizes information in a hierarchal manner using directories. These directories can store a variety of information and can even be used in a manner similar to the Network Information Service (NIS), enabling anyone to access their account from any machine on the LDAP enabled network.

In many cases, LDAP is used as a virtual phone directory, allowing users to easily access contact information for other users. But LDAP is more flexible than a traditional phone directory, as it is capable of referring a querent to other LDAP servers throughout the world, providing an ad-hoc global repository of information. Currently, however, LDAP is more commonly used within individual organizations, like universities, government departments, and private companies.

LDAP is a client/server system. The server can use a variety of databases to store a directory, each optimized for quick and copious read operations. When an LDAP client application connects to an LDAP server, it can either query a directory or attempt to modify it. In the event of a query, the server either answers the query locally, or it can refer the querent to an LDAP server which does have the answer. If the client application is attempting to modify information within an LDAP directory, the server verifies that the user has permission to make the change and then adds or updates the information.

This chapter refers to the configuration and use of OpenLDAP 2.0, an open source implementation of the LDAPv2 and LDAPv3 protocols.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.