Thursday, October 29, 2009

What is LDAP and Friends

LDAP stands for the Lightweight Directory Access Protocol; you can read more about it here.


Barring that, I'll give you a really quick rundown of the history and uses of LDAP. LDAP is the Internet version of the X.500 Directory Access Protocol (DAP). In the beginning there was DAP, and no one used it (except maybe a couple of companies and the government, oh, and Outlook as well). DAP used the full OSI protocol stack which, in short, is seven layers thick. The Internet runs on a slightly lower-calorie protocol stack, weighing in at four layers. Still, one can translate between the two quite easily.


(NOTE: When people hear OSI they think of the OSI model, but there is also a ton of ITU-T papers that define a real set of protocols; you can check them out here.)


So at any rate, X.500 defined this whole suite of protocols that allowed globally unique messaging and directory services (basically the precursor to email and a global phone book for all those email accounts). Needless to say this was a pretty lofty goal. Moving on, some companies actually implemented OSI and started using X.400 (mail) and X.500 (directory) for company mail. Then along came the Internet and suddenly DAP and all related technology found itself isolated. Enter LDAP: whereas DAP was made to use a seven-layer protocol stack, LDAP was made to use TCP/IP. This includes the IPv4 and IPv6 and TCP and UDP variations. It is important to note that LDAP runs only on TCP/IP, so if you are using an IPX/SPX network then you will be using something like NDS (Novell eDirectory), which is an X.500 implementation on IPX/SPX (NOTE: NDS doesn't do everything X.500 does, but neither does LDAP).


Since LDAP was made to use the protocol of the Internet, and the Internet has become so wildly popular, LDAP has become a very popular replacement for X.500 installations. The rest of the history of LDAP isn't all that fascinating, so I'll leave it at that.


So what is LDAP used for? Well, it can be used as a limited gateway to X.500 directories (and for a lot of large companies that is exactly what it is used for), but it can also be its own trimmed-down X.500 directory. Trimmed down because LDAP doesn't implement the parts of X.500 that rely on the OSI protocols. So what is this directory? Well, it is basically a database that houses user information. Usually the LDAP database is optimized for many reads and few writes and usually doesn't arrange things in a relational manner like an RDBMS. Instead, LDAP is tree-like and the database is optimized to think that way as well. LDAP is also good at storing user information that can be used on the application side. An RDBMS usually has data types that you store into it; an LDAP directory has a schema that is more role-based as opposed to data-based.


As an example, an RDBMS would have a user name and password field for user logins. LDAP would have a user schema that stores user name and password. Not much difference really, but the schema is mostly role-based: as you can imagine, you can find a role that fits your needs from the IANA and add that to your LDAP server to fulfill that role. It makes a lot of sense when you get to more complicated examples, like a FedEx Account Contact role versus (FULLNAME, ADDRESS1, CITY, STATE, ZIP, ACCOUNT, ...) like you would find in an RDBMS.


Also, LDAP is tree-like in nature. To implement the same ability in an RDBMS you need at least two tables, one to hold the normalized data and the other to add the structure you need. So you may have a list of contacts: in an LDAP directory each branch may separate that contact's role in your company; in an RDBMS you would need another table describing the roles and who belongs to them. I know it's not a big difference, but it makes a world of difference when you try to make optimizations, and LDAP generally requires less administration and fewer complex layouts.


So what role does LDAP play in the real world? Usually it stores user information, logins, contacts, and so on. Basically the same kind of information you might find in a phone book, sans the whole computer aspect of it. This is really important in the real world as it allows people to centralize user information, allowing only a few trusted sources to edit the data while the rest of the users read it while conducting business. Think of it as a company-wide Rolodex. Because it stores contact information it can also store login information (basically a list of contacts that work for the company). The LDAP server can tell the difference between the role of "Standard-Contact" and "Employee-Contact". The standard contact might just have the regular information you'd expect, but the Employee contact may have everything a standard contact has and also have a password and username field within it.
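To make the tree-like layout, the role-based schema, and the Standard-Contact versus Employee-Contact distinction concrete, here is an added example (my own, not from the original post or any LDAP server): a tiny in-memory directory built from constructed LDIF records, searched by base DN and scope, with the password attribute only returned to a trusted reader. The suffix dc=example,dc=com, the object classes standardContact and employeeContact, and the people in it are all made up.

```python
# Added example: a tiny in-memory model of an LDAP directory. Entries hang off a
# tree of DNs, and an entry's role is declared by objectClass rather than by a
# fixed table layout. All DNs, object classes and values below are constructed.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: organization

dn: ou=Sales,dc=example,dc=com
objectClass: organizationalUnit

dn: cn=Alice Example,ou=Sales,dc=example,dc=com
objectClass: standardContact
objectClass: employeeContact
mail: alice@example.com
uid: alice
userPassword: {SSHA}constructed-placeholder

dn: cn=Bob Vendor,ou=Sales,dc=example,dc=com
objectClass: standardContact
mail: bob@vendor.example
"""

def parse_ldif(text):
    """Turn LDIF records into {dn: {attr: [values]}}; attributes may repeat."""
    tree = {}
    for record in text.strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        tree[entry.pop("dn")[0]] = entry
    return tree

def in_scope(dn, base, scope):
    """base = the entry itself, one = its direct children, sub = whole subtree."""
    if dn == base:
        return scope != "one"
    # RDNs between dn and base (commas are not escaped in this sample data)
    rest = dn[: -len(base) - 1] if dn.endswith("," + base) else None
    return rest is not None and (scope == "sub" or (scope == "one" and "," not in rest))

def search(tree, base, scope="sub", object_class=None, trusted=False):
    """Entries under base carrying object_class; userPassword only for trusted readers."""
    results = {}
    for dn, entry in tree.items():
        if not in_scope(dn, base, scope):
            continue
        if object_class and object_class not in entry.get("objectClass", []):
            continue
        results[dn] = {k: v for k, v in entry.items() if trusted or k != "userPassword"}
    return results

DIRECTORY = parse_ldif(SAMPLE_LDIF)
```

Searching ou=Sales with scope "one" for employeeContact returns only Alice, and her userPassword is withheld unless trusted=True, which is the "few trusted sources" split from the paragraph above.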


I hope this gives you a better idea of how LDAP works in the real world. LDAP stores user information and anything that you might be interested in storing for that user (notes, bookmarks, appointments, etc.). It's not a replacement for an RDBMS, but it is a good solution for the purpose it was written for. If you find yourself building an application that doesn't need an RDBMS but needs millions of reads and very few writes, LDAP would be a good solution for you.
