What is LDAP?
LDAP is an acronym for Lightweight Directory Access Protocol. Which immediately begs the question: what is the heavyweight directory access protocol? The heavy weight protocol is DAP (Directory Access Protocol) for X.500. X.500 was an effort from way back when to create directories for practically everything in the world. It is based upon a hierarchical directory structure. It turned out that X.500 was too big and complex to justify widespread implemention.
But, since the idea of a central directory service is an attractive one, simpler methods were sought to achieve this goal. A simpler method was using a subset of X.500, hence the genesis of Lightweight Directory Access Protocol. Blah, blah, blah.
If you really want, there's about a jillion sites on the internet and a million books that can tell you this story in more detail than I want to go on about. So let's start with some links to stuff I've seen.
Here is a great overview pictures, diagrams, and well written English. Or, read the Wikipedia article.
LDAP Docs, sites
Since this a developer oriented site, here is a list of LDAP RFCs. and another from Mentata . And then a classic article: A System Administrator's View of LDAP.
It doesn't hurt to start at the start, read the LDAP v3RootDSE Overview.
Take a quick sideways glance at...Sizing up LDAP servers.
Then there is A list of public LDAP sites.
Like many 4D developers, this is a bit dated but shows a surprisingly good grasp of the basics: LDAP Roadmap & FAQ.
The next question you're going to ask:
Why do I need a Directory when I could use a Relational Database?
The University of Michigan has always been on top of the LDAP game take a look at the description of their directory.
Stanford has a directory project.
If you want to see a comparison of schemas, there's the Schema Registry Project.
Schema design
An example of schema design for a college. Confused and over complicated is it not?
Books I like |
|||||
| LDAP Directories Explained | Developing LDAP and ADSI Clients for Microsoft(R) Exchange | Understanding and Deploying LDAP Directory Services | |||
 |
This book made directories comprehensible to me. It has some good low level detail while giving straightforward high level descriptions of _why_ implementations are done. The book also has a nice set of appendices describing the major directorys side-by-side. |
 |
All the examples are in C, but quite readable. Your writing will be done in 4D. It does a nice job of explaining what's available and what you can do. |
 |
If you really want to dive into detail, go to the "Bible". |
or LDAP for Rocket Scientists - is a fine online reference for OpenLDAP
Microsoft Windows
Windows exposes Active Directory with LDAP (hence the name Active Directory) . Practically everything under the hood is done via LDAP calls. That includes ADSI and other variants. You can also get to MS Exchange Server 5.5 and 6. MS has done a pretty thorough job - my hat is off to them. It is arguably the best directory server (hooked up to an NOS) available. Think of what you want to see; printers, computers, users, security info, it can probably be accessed (and modified) using LDAP.
Here are some references to get you started:
Understanding LDAP - with the Microsoft slant of course
LDAP properties for User objects - though this page seems to think that using VB is possible without risk of insanity.
Active Directory Naming standard - nice little blurb concerning GUIDs.
LDAP SearchSample for 2003 and Exchange 2000/2003 - like unix, many ways to do the same thing.
Window Server 2003 DNS Integration with Active Directory - ahhh, DC=Dogboy, DC=com
Microsoft LDAP Reference - for some reason they keep moving this page leaving no forwarding link.
Searching Active Directory for User Accounts - it's described in ADO, but can be done with LDAP4D.
Searching for Groups - search bases and so forth for AD groups.
Windows 2000 Schema links to Ambiguous Name Resolution for LDAP in Windows 2000
How to enable LDAP over SSL with a third-party certification authority
HOW TO: Enable Secure Socket Layer (SSL) Communication Over LDAP For Windows 2000 Domain Controllers
Searching a Directory - I think that the example code in the LDAP4D demo app is cleaner and easier to read.
HOWTO: Change a Windows 2000 User's Password Through LDAP - you'll need the source code version of LDAP4D to do this. (BER, Unicode stuff)
HOW TO: View and Set Lightweight Directory Access Protocol Policies by Using Ntdsutil.exe in Windows 2000 - not strictly LDAP4D, but interesting
Want to organize your directories? One solution is Microsoft Identity Integration Server 2003. The import of this is that LDAP will be used to do all the underlying communications. Repeat after me, "Embrace and extend".
MacOS X
href="http://www.apple.com/server/macosx/pantherserver.html">Sneak Preview - Panther Server MacOS X. Good riddance I say. Using NetInfo for internal permissions (and "whizzing all over /etc") was a compromise from the word "go".Very nice two part article from O'Reilly - LDAP in Mac OS X Server and More LDAP in MacOS X Server
A nice utility AddressBook4LDAP - use it to keep your address book in synch - a bit dated for 10.4 though.
With LDAP4D, and few other publically available plugin/components you could create an application in 4D to implement the Root access security vunerability in Mac OS X. I think this just shows the power of 4D solutions!
A great reference! Using your Mac OS X Server Open Directory Database to share e-mail addresses.
A good article on Using Net Info domains for single sign-on to many servers. It's even got pictures!
Just saw this one,on MacOS X and LDAPAuthentication from a Paul Reilly at the University of Dublin
Other tips for enabling a view of NetInfo through LDAP... Try this tip from MacOSXHints. or this one.
For a bit more adventure there is Advanced Open Directory configuration from PADL.
You'll have to tinker with the /etc./openldap/ldap.conf file.
Ignore the suggestion about the "decent Java based LDAP browser" because you, of course, will be using LDAP4D.
Be warned, if you don't have a firewall, this will expose your Netinfo data to the world.
You'll have to implement access control lists yourself.
Or, just read the man page
A very useful article on Active Directory Integration in Three Hours or Less.
If you have money (a budget on top of the Windows licenses), and your Macs must admit that it's a Windows world, then look at Thursby Software's ADmitMac
A very exciting topic lately is enabling SAMBA as a Primary domain controller. It's a hot topic on the MacOS X server list lately and looks to be a comer. A good description is available at AFP548.com. I haven't done it yet because I've yet to dig through the SAMBA details, A peek at this stuff really opens the eyes to the possibilities and future directions inherent in uses of LDAP.
Linux/Unix/Other
OpenLDAP. here's something for higher education institutions.. A Recipe for Configuring and Operating LDAP Directories.
Putting XML in LDAP with LDAPHttp - a novel and promising approach using a java based open source project.
Here is the ftp link to a 7.3 MB 460 page PDF document. It's about OpenLDAP but is a nice overview/reference.
Sun1 Directory Server - formerly iPlanet, formerly Netscape , dig through the FAQs.
Novell eDirectory, IBM Directory Server (compare the IBM SDK to LDAP4D) I could implement all this, but where is the economic rationale?
OctetString's Directory Server Express is one. OctetString also provides virtual directory technology - something that provides a face for disparate information sources. Oww - these guys got bought by Oracle. Wish I had part of that deal.
There are various Linux tutorials available.
Web Based and other interfaces/tools
phpLDAPadmin is a PHP LDAP administration tool. You can administer your LDAP server completely from the web. DaveDAP allows you to browse your LDAP tree, create, delete, edit, and copy objects, and perform searches. You can even copy objects between two LDAP servers. Very cool. Plus, since the source is available, you can see how it is done.
John's LDAP Web Interface has a simple straightforward Administrators Guide.
web2ldap is a Full-featured web-based LDAPv3 client.
LDAP Browser/Editor 2.8.2 is a Java applet that does (approximately) what the LDAP4D demo does.
The future
Learning LDAP concepts won't be a waste of time. Direcories are here to stay and will only get more important - believe it!.
The future will probably be Directory Services Markup Language (DSML). DSML is simply an XML wrapper for LDAP commands. See
DSML v2 at OASIS for the full treatment. Tools are (of course) at DSMLTools.org! How long would it take a competent 4D developer to replicate this in 2003?
It's implemented as a beta in Windows 2000 Server, integrated in Windows 2003, and in
Novell's eDirectory among others. Apple, they did acquire PADL's NetInfo bridge Look for further expansion upon the RFC 2307 front.
And why be limited to one directory? If you're working in a big complex organization, you're going to have a bunch of directories. These are called meta-directories!
A nice article on how to Access Directories Through Firewalls With DSML.
Here is an overview of Security Assertion markup Language. The source of authentication would be an LDAP server.