LDAP (Lightweight Directory Access Protocol) is a standard protocol used for accessing and managing directory services over a network. It is a key component in identity and access management, enabling centralized management of user, device, and resource data.
What is LDAP?
LDAP is a vendor-neutral protocol for querying and managing directory information; the current version, LDAPv3, is specified in the RFC 4510 to RFC 4519 series. A directory is a specialized database optimized for reading, searching, and retrieving data rather than for heavy transactional updates. LDAP is widely used for authentication, authorization, and lookup of user and resource data by applications such as email systems, VPNs, and enterprise user directories.
Key Features of LDAP
- Hierarchical Organization: LDAP organizes data in a tree-like structure.
- Standardized Access: Uses a protocol for consistent querying and managing data.
- Cross-Platform: Implemented by many servers, such as OpenLDAP, Microsoft Active Directory, 389 Directory Server, and Apache Directory Server (ApacheDS).
- Efficient Searches: Optimized for read-heavy workloads and directory searches.
High-Level Architecture of LDAP
LDAP architecture follows a client-server model, as depicted in the diagram below:
[Figure: LDAP Architecture Diagram]
- LDAP Client: Applications or users send requests to the LDAP server to perform operations like searching or modifying data.
- LDAP Server: Stores directory data and processes client requests. Examples include OpenLDAP and Active Directory.
- Directory Information Tree (DIT): Hierarchical structure where all data is stored.
- Database: Backend storage for directory data. OpenLDAP historically used Berkeley DB (the bdb/hdb backends) and now defaults to LMDB (the mdb backend); Active Directory keeps its data in an ESE database (ntds.dit).
- Replication: Ensures high availability and load balancing by synchronizing data across servers.
- Communication: Clients talk to servers over the LDAP protocol, typically on TCP port 389 (plain LDAP, which can be upgraded to TLS in-band with the StartTLS extended operation) or TCP port 636 (LDAPS, TLS from the first byte). Without TLS, a simple bind sends the password in clear text, so one of the two TLS options should be required for anything beyond anonymous read access.
How is Data Stored in LDAP?
LDAP organizes data in a tree structure, known as the Directory Information Tree (DIT).
- Hierarchical Structure
- Data is stored as entries, where each entry represents a node in the tree.
- The hierarchy starts with the root and branches out to organizational units (OUs), groups, users, or devices.
Example:
dc=example,dc=com
├── ou=Users
│   ├── cn=John Doe
│   └── cn=Jane Smith
└── ou=Groups
    └── cn=Admins
- Entries and Attributes
- Entry: A single unit in the directory with a unique identifier called the Distinguished Name (DN).
- Attributes: Key-value pairs describing an entry.
Example Entry (in LDIF):
dn: cn=John Doe,ou=Users,dc=example,dc=com
cn: John Doe
sn: Doe
mail: john.doe@example.com
objectClass: inetOrgPerson
- Schema
- Defines the structure of the directory, specifying allowed attributes and object classes for entries.
- Base DN
- The starting point for searches in the directory. For example, dc=example,dc=com is the base DN for an organization.
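To make the data model concrete, here is an added Python example (not code from the original post): a minimal LDIF parser for entries like the one shown above, plus helpers that split a DN into its RDNs, find an entry's parent, and check whether it lies under a base DN. The second entry in the sample LDIF, the base64 description value, and all helper names are constructed for this example.

```python
import base64
import re

# Constructed sample LDIF: the example entry from this page plus a group entry
# that refers to it. The 'description' line uses the base64 ('::') form.
SAMPLE_LDIF = """\
dn: cn=John Doe,ou=Users,dc=example,dc=com
cn: John Doe
sn: Doe
mail: john.doe@example.com
description:: SGVsbG8=
objectClass: inetOrgPerson

dn: cn=Admins,ou=Groups,dc=example,dc=com
cn: Admins
objectClass: groupOfNames
member: cn=John Doe,ou=Users,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF content (RFC 2849) into [{"dn": str, "attrs": {name: [values]}}].

    Attribute names are lowercased (LDAP attribute types are case-insensitive).
    Supports records separated by blank lines, '#' comments, folded continuation
    lines (leading space) and base64 values ('attr:: ...'). Change records and
    'attr:< URL' values are not handled.
    """
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip("\n")):
        logical = []
        for raw in block.split("\n"):
            if not raw.strip() or raw.startswith("#") or raw.startswith("version:"):
                continue
            if raw.startswith(" ") and logical:
                logical[-1] += raw[1:]  # RFC 2849 line folding
            else:
                logical.append(raw)
        attrs = {}
        for line in logical:
            name, rest = line.split(":", 1)
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        if "dn" not in attrs:
            raise ValueError("LDIF record without dn: %r" % block[:40])
        entries.append({"dn": attrs.pop("dn")[0], "attrs": attrs})
    return entries


def split_dn(dn):
    """Split a DN into its RDN strings, leaf first, honouring backslash escapes (RFC 4514)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def parent_dn(dn):
    """DN of the entry immediately above dn in the DIT ('' for a top-level entry)."""
    return ",".join(split_dn(dn)[1:])


def _norm_rdn(rdn):
    # Case-insensitive comparison of type and value: adequate for the caseIgnore
    # attributes used here (cn, ou, dc), not a full RFC 4517 matching-rule implementation.
    typ, _, val = rdn.partition("=")
    return typ.strip().lower() + "=" + val.strip().lower()


def is_under(dn, base_dn):
    """True if dn equals base_dn or lies below it, i.e. a subtree search from base_dn reaches it."""
    d = [_norm_rdn(r) for r in split_dn(dn)]
    b = [_norm_rdn(r) for r in split_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"], "-> parent:", parent_dn(entry["dn"]),
              "| under dc=example,dc=com:", is_under(entry["dn"], "dc=example,dc=com"))
```

The DN splitter is the part worth copying: a naive dn.split(",") breaks as soon as a value contains an escaped comma (for example cn=Doe\, John), which is exactly the kind of input an access-control check keyed on DN prefixes must not get wrong.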
Common LDAP Terminologies
- Directory Information Tree (DIT): The hierarchical structure where all entries are stored.
- Entry: A record in the DIT with attributes describing an object.
- Distinguished Name (DN): A unique identifier for each entry, indicating its position in the DIT.
- Attributes: Key-value pairs that describe an entry (e.g., mail=john.doe@example.com).
- Object Class: Defines the schema or structure of an entry.
- Base DN: The starting point for LDAP operations like searches.
- Bind: The operation that authenticates a client to the LDAP server. A connection starts out anonymous; a simple bind supplies a DN and password, while a SASL bind uses a mechanism such as DIGEST-MD5, GSSAPI (Kerberos), or EXTERNAL (client certificate). Access control for later operations on the connection is evaluated against the bound identity.
- Search Filters: Queries used to find specific entries in the directory (e.g., (mail=john.doe@example.com)).
- Replication: Synchronizing data across LDAP servers for redundancy and load balancing.
- LDIF (LDAP Data Interchange Format): A standard text format for representing LDAP directory entries.
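Search filters are where most application bugs meet LDAP: if user input is spliced into a filter string unescaped, the special characters * ( ) \ change the meaning of the query (LDAP injection). The following added Python example, not code from the original post, escapes assertion values as RFC 4515 requires and runs both an unsafe and an escaped login filter through a small filter parser and matcher over a constructed in-memory directory. The DIRECTORY data, the passwords in it, and the login_filter_* names are hypothetical.

```python
import re

# Constructed in-memory directory standing in for ou=Users,dc=example,dc=com.
# Attribute names are stored lowercased because LDAP attribute types are
# case-insensitive. Plaintext userPassword values are only here to make the
# injection visible; a real directory stores hashes and never returns them.
DIRECTORY = [
    {"dn": "cn=John Doe,ou=Users,dc=example,dc=com",
     "uid": ["jdoe"], "mail": ["john.doe@example.com"], "userpassword": ["hunter2"]},
    {"dn": "cn=Jane Smith,ou=Users,dc=example,dc=com",
     "uid": ["jsmith"], "mail": ["jane.smith@example.com"], "userpassword": ["s3cret"]},
]


def escape_filter_value(value):
    """Escape a value for use as an assertion value inside a search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def login_filter_unsafe(uid, password):
    # Vulnerable: caller-supplied input is concatenated straight into the filter.
    return "(&(uid=%s)(userPassword=%s))" % (uid, password)


def login_filter_safe(uid, password):
    # Hardened: every user-controlled assertion value is escaped first.
    return "(&(uid=%s)(userPassword=%s))" % (escape_filter_value(uid), escape_filter_value(password))


def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_filter(s, i=0):
    """Parse an RFC 4515 string filter into a tree: ('&'|'|', [kids]), ('!', kid)
    or ('=', attr, pattern). Equality, substring and presence only; no >=, <=, ~=."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        node = ("!", kid)
    else:
        eq = s.index("=", i)
        close = s.index(")", eq)  # a literal ')' inside a value must be escaped as \29
        node = ("=", s[i:eq].lower(), s[eq + 1:close])
        i = close
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":  # presence filter
        return bool(values)
    # Split on unescaped '*' first, then unescape the literal pieces, so an
    # escaped \2a stays a literal asterisk instead of becoming a wildcard.
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def search(filter_string, entries=DIRECTORY):
    """Return the DNs of entries matching filter_string (subtree scope over `entries`)."""
    node, end = parse_filter(filter_string)
    if end != len(filter_string):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    uid, pw = "*", "*"  # attacker types a wildcard into both login fields
    for build in (login_filter_unsafe, login_filter_safe):
        f = build(uid, pw)
        print(f, "->", search(f))
```

Two practical notes. Matching userPassword inside a filter is shown only to make the effect visible; real authentication searches for the user's DN with an escaped filter and then binds as that DN with the supplied password, so the server does the comparison. And in production, use the escaping routine your client library ships (escape_filter_chars in python-ldap's ldap.filter module or in ldap3's ldap3.utils.conv module) rather than a hand-written one.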
LDAP Operations
- Search: Query the directory for entries below a base DN that match a filter, with a scope of base, one level, or subtree.
- Bind: Authenticate with the server (anonymous, simple DN-and-password, or SASL).
- Add: Create new entries.
- Modify: Add, replace, or delete attribute values of existing entries.
- Delete: Remove entries (leaf entries only in the base protocol).
- Unbind: Close the connection between the client and server.
LDAPv3 also defines Compare, Modify DN (rename or move an entry), Abandon, and Extended operations; StartTLS is implemented as an Extended operation.
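What Bind and Unbind actually put on the wire, as an added Python example (not code from the original post): LDAPv3 messages are BER-encoded (RFC 4511), so the block builds a simple BindRequest and an UnbindRequest byte for byte and decodes a BindResponse. The DN, password, and the two server responses are constructed for the example; the anonymous-bind bytes it produces are the well-known 14-byte sequence 30 0c 02 01 01 60 07 02 01 03 04 00 80 00.

```python
# ASN.1/BER tags used by an LDAPMessage carrying a bind (RFC 4511).
TAG_SEQUENCE = 0x30       # LDAPMessage ::= SEQUENCE { messageID, protocolOp, ... }
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0a
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1] constructed
TAG_UNBIND_REQUEST = 0x42 # [APPLICATION 2] primitive NULL
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0] OCTET STRING

RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}


def ber(tag, content):
    """Wrap content in a BER TLV with a definite length (up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    elif n < 0x10000:
        length = bytes([0x82, n >> 8, n & 0xff])
    else:
        raise ValueError("content too long for this encoder")
    return bytes([tag]) + length + content


def ber_int(value, tag=TAG_INTEGER):
    """Encode a non-negative integer in minimal two's-complement form."""
    if value < 0:
        raise ValueError("negative integers not supported")
    return ber(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name dn, simple password } }."""
    op = ber(TAG_BIND_REQUEST,
             ber_int(3) + ber(TAG_OCTET_STRING, dn.encode("utf-8"))
             + ber(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return ber(TAG_SEQUENCE, ber_int(message_id) + op)


def unbind_request(message_id):
    """LDAPMessage { messageID, UnbindRequest NULL }; the server closes the connection, no reply."""
    return ber(TAG_SEQUENCE, ber_int(message_id) + bytes([TAG_UNBIND_REQUEST, 0x00]))


def ber_decode(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, end = ber_decode(msg)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = ber_decode(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, pos = ber_decode(body, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse (tag 0x%02x)" % tag)
    tag, code, pos = ber_decode(op)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched, pos = ber_decode(op, pos)
    _, diag, pos = ber_decode(op, pos)
    rc = int.from_bytes(code, "big")
    return {"messageID": int.from_bytes(mid, "big"), "resultCode": rc,
            "result": RESULT_CODES.get(rc, "other"),
            "matchedDN": matched.decode("utf-8"), "diagnosticMessage": diag.decode("utf-8")}


# Constructed server replies: success for message 1, invalidCredentials (49) for message 2.
RESPONSE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
RESPONSE_BAD_PASSWORD = bytes.fromhex("300c02010261070a013104000400")

if __name__ == "__main__":
    req = bind_request(2, "cn=John Doe,ou=Users,dc=example,dc=com", "hunter2")  # constructed credentials
    print("BindRequest:", req.hex())
    print("password visible in request:", b"hunter2" in req)
    print("BindResponse:", parse_bind_response(RESPONSE_BAD_PASSWORD))
    print("UnbindRequest:", unbind_request(3).hex())
```

The thing to notice is that the password travels as plain octets inside the request, which is why a simple bind on port 389 without StartTLS exposes credentials to anyone on the path, and why servers are often configured to refuse simple binds on non-TLS connections.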