Almost "Jargon Free IT" LDAP
by Darren Duke
If you use any type of corporate computer environment, or if you have ever logged on to a website that required a user name and password, chances are you are using a Lightweight Directory Access Protocol (LDAP) directory. This article will discuss the reasons for and uses of LDAP. Hopefully you will be able to hold a meaningful conversation at a cocktail party once you have read this “Jargon Free IT” discussion.
NOTE: The author is not held responsible for the reader being at an obviously lame cocktail party talking about LDAP.
LDAP has two constituent components, a repository and a protocol. Together they are commonly referred to as an “LDAP Directory”.
The repository can be almost any computer system capable of storing information about a user like name, address, email, password, etc. All of the large software vendors have an LDAP repository available. There are also open source alternatives like OpenLDAP. These can run on a variety of platforms.
Why should you not just build an Access database to house all of your users' details? Well, there are a multitude of answers, the most common being that LDAP is a recognized standard and is implemented in a wide variety of tools and applications. For example, most spam prevention appliances and software can be configured to check that the recipient of an email is a valid LDAP-listed user. The appliance passes the inbound email address to the LDAP repository, which confirms that this email address exists and is valid before the email is accepted for delivery. If the appliance finds no match, the message stops processing there and does not make its way into the corporate network.
Another advantage of a single, standard repository is that when data changes, it only needs to be changed in one place. Imagine if an employee moved and changed his home address, and then every instance of that address had to be changed across all the company's systems and databases. Very soon the user information in all of these disparate systems would be out of sync. Which one is correct?
The protocol behind LDAP was developed to be Internet and TCP/IP friendly. It is also extensible and can be customized to fit an exact need. Because of the standard nature of LDAP, most directories have a common set of core functionality (although this does not mean they are all fully compatible with each other).
In the spam example, the appliance doesn't care which LDAP platform your organization uses. Both the LDAP directory and the appliance know how the standard is implemented and can use the common protocol to communicate.
What it does
LDAP is sometimes confusing because it is actually used for two similar, yet different, tasks: authentication and authorization.
When you log in to your corporate computer network or you use a web browser to access your personal bank account, you are authenticating your identity via a set of credentials. The repository these credentials are stored in is normally an LDAP repository.
Usually this takes the form of a user name and password challenge and response. The system is challenging you, the user, to enter your credentials. The system then checks what you entered against what it has previously stored. If the system finds a match, then you are successfully authenticated (the response). If no match is found, the system takes some predetermined action such as prompting you again, or in some cases locking you out until an administrator has reset your credentials.
So, to sum up authentication, by providing your credentials to the system and the system matching them with credentials it has stored for you, the system believes you are who you say you are.
Now that the system knows who you are, it can also allow or deny access to specific parts of it. For example, the HR manager may be able to see the disciplinary list while an HR staffer can only see your pay details. Application developers still have to program these controls, but LDAP significantly reduces the effort to achieve this type of application security.
LDAP can also use groups. This means that if an HR staffer resigns, you can simply remove them from the group and they no longer have access. Similarly, when their replacement is hired, adding them to the group grants them access.
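As an added illustration (not code from the original article), here are the two directory lookups described above, the spam appliance's "is this recipient a real user?" check and the "is this user in the HR group?" authorization check, written as LDAP search filters. It assumes the common inetOrgPerson/groupOfNames schema (the mail and member attribute names are an assumption, not from the article) and escapes the user-supplied values per RFC 4515, so an email address containing filter metacharacters cannot change what the lookup asks the directory.

```python
"""Build LDAP search filters for the two lookups in the article.

Assumptions (not from the article): the directory uses the inetOrgPerson
and groupOfNames object classes, so a user's e-mail address lives in the
'mail' attribute and a group lists its members by DN in 'member'.
"""

# RFC 4515: these characters have a structural meaning inside a filter and
# must be escaped when they appear in a value taken from outside the
# directory (an inbound e-mail address, a login name, a DN typed by an admin).
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def recipient_filter(email: str) -> str:
    """Filter the spam appliance sends: does exactly this address exist?

    Because the address is escaped, an input like "*" asks for a literal
    asterisk rather than matching every user in the directory.
    """
    return f"(&(objectClass=inetOrgPerson)(mail={escape_filter_value(email)}))"


def group_member_filter(group_cn: str, user_dn: str) -> str:
    """Filter for the authorization check: is user_dn listed in the group?

    A non-empty result means the user is a member and may be granted access;
    removing the DN from the group makes this return nothing, as described
    in the article.
    """
    return (
        f"(&(objectClass=groupOfNames)(cn={escape_filter_value(group_cn)})"
        f"(member={escape_filter_value(user_dn)}))"
    )
```

The filters are strings you would hand to an LDAP client's search call; the directory, not this code, decides whether anything matches.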
LDAP is widespread, but very well hidden from the average user. If, however, you use a computer for your job, you are almost certainly using it at some point in your normal day to day work. It is allowing you to authenticate to the system and authorizing you to access subsets of data, and it is the first line of protection against prying eyes. To see how LDAP works with OpenLDAP and Tomcat Java Server (both open source systems) see this more detailed article.
Should your organization require resources to help with any aspect of your design, development, testing, training or implementation please don't hesitate to contact STS for a quote.
This article was first published in a slightly edited form on the Atlanta Techlinks site. The version here on the STS site has better jokes.