Prologue

I actually got around to working with LDAP a few moments after I discovered it existed. Almost as soon as I learned what it was, I saw that it has certain points that are better than many NIS solutions.

LDAP explained

LDAP itself wasn't meant for Unix authentication; it was meant for storing data in a directory, kind of like your phone book. It's not as flexible as SQL, but it allows better protection, as it was meant to store sensitive data and retrieve it, not to process it in any way.

With LDAP clients you usually have to work with the LDIF format; LDIF is a generic way to represent data in an LDAP environment.

In an entry you can have many types of data; usually the allowed components are defined by a schema which 'binds' attributes to certain objectclasses. The most common objectclass is 'organizationalUnit', which defines a new 'branch' of the LDAP 'tree'.

LDIF explained

LDIF, as I mentioned before, is the way of representing data in LDAP, and it looks kind of like this:

    ressu@stradivarius:~ $ ldapsearch cn=imogen -L
    dn: cn=Imogen, ou=#linux, ou=irc, dc=example, dc=net
    cn: Imogen
    objectclass: top
    modes: bfo
    laston: 960852116 #Linux
    xtra: created 960300295

As you can see, there is a dn attribute at the beginning; it is the distinguished name of the entry. Then there are the objectclass values; in this case I don't use schemas, so I only have top. The second meaningful attribute is cn, which is also defined in the entry itself even though it already appears in the name. This is required for searches, as searches are also done with attribute-value (AV) pairs.
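To make the two points above concrete (how an LDIF entry is laid out, and how a search is an attribute-value match against those entries), here is a small LDIF parser with an equality/presence search over the parsed entries. This is an added example, not code from the original page or from any LDAP server; the LDIF text is constructed for the example (a second entry, a base64 value and a folded line were added to the page's Imogen entry to exercise the parser), and the parser deliberately supports only the LDIF subset shown here (no URL-valued attributes, no escaped commas in DNs, no compound filters).

```python
"""Minimal LDIF parser and attribute-value search (added example)."""
import base64

# Constructed sample: the page's Imogen entry plus a second entry that uses a
# base64-encoded value ("::") and a folded continuation line (leading space).
SAMPLE_LDIF = """\
dn: cn=Imogen, ou=#linux, ou=irc, dc=example, dc=net
cn: Imogen
objectclass: top
modes: bfo
laston: 960852116 #Linux
xtra: created 960300295

# comment lines start with '#'; a '#' inside a value is just data
dn: cn=Ressu, ou=#linux, ou=irc, dc=example, dc=net
cn: Ressu
objectclass: top
modes: o
description:: VGhpcyBpcyBiYXNlNjQ=
xtra: created 9603
 00300
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps a lower-cased attribute name to its values."""
    # Unfold: a line starting with a single space continues the previous line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if line.startswith("#"):
            continue                      # comment
        if line == "":
            if current is not None:       # blank line terminates an entry
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name = name.strip().lower()
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError("URL-valued attributes are not supported in this example")
        else:
            value = rest.strip()
        if current is None:
            if name != "dn":              # every entry must start with its dn
                raise ValueError(f"entry does not start with dn: {line!r}")
            current = {}
        current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Lower-case and trim RDNs so 'cn=Imogen, ou=irc' equals 'cn=imogen,ou=irc'.
    Simplification: does not handle escaped commas inside RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(entries, filter_str, base=None):
    """Evaluate one equality filter like 'cn=imogen' / '(cn=imogen)' or a presence
    filter like '(objectclass=*)'. Values match case-insensitively, as ldapsearch
    does for cn. Returns the matching DNs, optionally limited to a base DN subtree."""
    f = filter_str.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    attr, sep, want = f.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"unsupported filter: {filter_str!r}")
    attr, want = attr.strip().lower(), want.strip()
    nbase = normalize_dn(base) if base is not None else None

    hits = []
    for entry in entries:
        dn = entry["dn"][0]
        ndn = normalize_dn(dn)
        if nbase is not None and ndn != nbase and not ndn.endswith("," + nbase):
            continue                      # outside the requested subtree
        values = entry.get(attr, [])
        matched = bool(values) if want == "*" else any(v.lower() == want.lower() for v in values)
        if matched:
            hits.append(dn)
    return hits


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn in search(parsed, "cn=imogen", base="dc=example, dc=net"):
        print(dn)
```

Running the block prints the Imogen DN, the same result the page's `ldapsearch cn=imogen -L` produced; the search walks the parsed entries and compares the requested AV pair against each entry's attribute values, which is why the cn has to be stored as an attribute and not only inside the dn.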

LDAP Servers out there

One of the most common LDAP servers out there, for now, is iPlanet Directory Server. This is mostly because it is one of the big and solid servers around, and it is also distributed with Solaris, which is one of the first operating systems to move to LDAP-based authentication solutions.

This doesn't mean there aren't other good solutions out there; one of the biggest names on the open-source frontier is OpenLDAP, which is a bit more flexible than iPlanet and still more lightweight than iPlanet.

I know that the future can't and shouldn't be predicted, but the one LDAP server that will, by my guess, become the most popular is Microsoft Active Directory(tm), which is based on LDAP too. To my knowledge it is fully compatible with LDAPv3, but so far I have only set up one of these and haven't had the time or equipment to test this.

Ways to connect Linux to LDAP

PAM must be the most common one. It is a simple method: the module connects to the server and either requests data from it or sends data to the server, which is then matched against the corresponding entry.

Next is the NSS library, which is used by the libc functions. It was implemented in libc5 with NYS support and is standard in libc6 systems, which makes it pretty much standard in newly installed systems.

Built-in access methods in various programs. Programs such as ProFTPD and some POP3 servers have built-in support for LDAP. It may or may not be more efficient than the PAM and NSS solutions.