Friday, March 21, 2008

LDAP

What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. LDAP is a protocol that provides access to a compliant directory over TCP/IP (version 3 is specified in RFC 4511; the server listens on TCP port 389 by default, or 636 for LDAP over TLS). The strengths of LDAP-compliant directories include speed, simplicity, and the ability to be replicated and distributed across several servers. An LDAP directory can be used to store a great deal of information: from user login credentials to company telephone directories. Because a simple bind sends the password to the server, a deployment that stores credentials should only accept binds over TLS (LDAPS on 636, or StartTLS on 389).
LDAP was created as a less complicated implementation of the Directory Access Protocol (DAP) and is based on the X.500 directory standard from the OSI suite, but runs over TCP/IP rather than the full OSI stack. These standards establish directories as hierarchical, representing the structure of an organization. There are many directories that support the LDAP protocol, each with its own benefits and drawbacks. Examples include OpenLDAP, the open-source implementation that ships with SLES, and eDirectory, Novell's flagship identity management product.
Directories vs. databases
The terms directory and database are often used interchangeably when referring to LDAP-compliant directories. In this article, directory refers to an LDAP-compliant directory, and database refers to a relational database such as MySQL or Oracle. The two are related in that they both store information in a structured way, but they differ in their implementation. In many cases, directories and databases could both fulfill a particular need. It is important to understand the differences between the two to determine which is the better fit.
The largest general difference between directories and databases is complexity. Databases are capable of storing almost any arbitrary set of information and can be greatly customized for a specific purpose. They also provide a rich query language, allowing flexible searches that join data and return customized result sets, and transactions that span many rows. Directories, on the other hand, follow a strict schema, expose a comparatively simple search interface (a base, a scope, and a filter), and are optimized for reads: lookups vastly outnumber writes, and each write affects a single entry. This allows them to be extremely fast and makes the data they store easy to organize and comprehend.

LDAP concepts
Directories are viewed as a tree, like a computer's file system. This overall tree structure is called the Directory Information Tree (DIT). Each node in a directory is an entry (often called an object). An entry is named by its distinguished name (DN), which is the path from the entry to the root of the tree, written as a comma-separated list of relative distinguished names such as uid=alice,ou=People,dc=example,dc=com; the first component is the entry's own name and the rest is the DN of its parent. Entries are of two types, containers and leaves. A container is like a folder: it contains other containers or leaves. A leaf is simply an entry at the end of a branch. A tree cannot contain any arbitrary set of containers and leaves. It must match the schema defined for the directory, which, through each entry's objectClass values, dictates which attributes the entry must and may carry.
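To make the DIT concrete, here is a small added example (my own code, not from the original post) that builds the tree from a handful of LDIF entries, classifies each entry as a container or a leaf by whether anything sits beneath it, and flags two kinds of structural errors: an entry whose parent does not exist, and an entry missing an attribute its objectClass requires. The LDIF and the REQUIRED_ATTRS mini-schema are constructed for illustration; a real server enforces a far larger schema.

```python
"""Build a Directory Information Tree (DIT) from LDIF entries and check it.

Added example, not from the original post. SAMPLE_LDIF is constructed for
illustration and REQUIRED_ATTRS is a hypothetical subset of a real schema.
"""
from collections import defaultdict

# Constructed sample LDIF: a small organisation under dc=example,dc=com.
# Deliberate defects: uid=bob hangs under an OU that does not exist, and
# lacks the 'sn' attribute that inetOrgPerson requires.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
telephoneNumber: +1 555 0100

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=People,dc=example,dc=com

dn: uid=bob,ou=Contractors,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
"""

# Hypothetical mini-schema: attributes an entry MUST carry per objectClass.
REQUIRED_ATTRS = {
    "dcObject": {"dc"},
    "organization": {"o"},
    "organizationalUnit": {"ou"},
    "inetOrgPerson": {"cn", "sn"},
    "groupOfNames": {"cn", "member"},
}


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def normalize_dn(dn):
    """Canonical form for comparison: attribute types lower-cased, no stray spaces."""
    parts = []
    for rdn in split_dn(dn):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip()}")
    return ",".join(parts)


def parent_dn(dn):
    """DN of the entry one level up, or None for a single-RDN name."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs, dn = defaultdict(list), None
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() == "dn":
                dn = normalize_dn(value)
            else:
                attrs[name].append(value)
        entries[dn] = dict(attrs)
    return entries


def build_dit(entries, suffix):
    """Return (children_map, orphans). Orphans are entries whose parent is absent."""
    children = {dn: [] for dn in entries}
    orphans = []
    for dn in entries:
        if dn == suffix:
            continue  # the root of this DIT has no parent inside it
        parent = parent_dn(dn)
        if parent in children:
            children[parent].append(dn)
        else:
            orphans.append(dn)
    return children, orphans


def classify(children):
    """'container' if the entry has subordinate entries, otherwise 'leaf'."""
    return {dn: ("container" if kids else "leaf") for dn, kids in children.items()}


def schema_violations(entries):
    """Map each entry missing a required attribute to the sorted list of what is missing."""
    bad = {}
    for dn, attrs in entries.items():
        missing = set()
        for oc in attrs.get("objectClass", []):
            missing |= REQUIRED_ATTRS.get(oc, set()) - set(attrs)
        if missing:
            bad[dn] = sorted(missing)
    return bad


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    children, orphans = build_dit(entries, "dc=example,dc=com")
    for dn, kind in classify(children).items():
        print(f"{kind:9} {dn}")
    print("orphans:", orphans)
    print("schema violations:", schema_violations(entries))
```

Running it prints the root and the two OUs as containers, the person and group entries as leaves, uid=bob as an orphan, and uid=bob as missing sn. The DN parser is the part worth keeping: comparing DNs as raw strings breaks on case and whitespace differences, and splitting on every comma breaks on escaped commas such as cn=Doe\, John.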
