Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
posted in category Systems Software / LDAP
posted at 13. Jan '16
last updated at 11. May '21

Introduction to LDAP in the modern era

What is LDAP? It stands for something like Lightweight Directory Access Protocol. Think of a telephone directory: a tree structure like root node -> doctors -> Van Helsing. Another point of view: it is a DATABASE.

In comparison with MySQL and similar things it is not table based (n-tuples, 2D space, whatever). It uses tree structures, and records are not n-tuples but objects. Think of objects as hashes, associative arrays or dicts. But the structure of an object is rigidly specified in advance by the database schema, and it is quite hard to change with tools like text editors.

Today the objects could be some JSON data, but well, LDAP is from the SGML days.

An object is accessible via a unique path, called the distinguished name (dn). Think of something like a URL or URI: it is the path in the tree. Example: “cn=Vin Diesel,ou=people,dc=example,dc=foo,dc=org”. Why? Why that weird syntax? Ok, dc means domain component, ou organizational unit and cn common name. The domain is at the top of the tree. Then there is the people structure, holding an object whose common name is Vin Diesel. dc, ou and cn are defined in schemas, and it is hard (read: impossible) to change the default way.

As for performance, it has insane read speed and slower writes. It is a pity that there are so few articles about LDAP; for me it was like a black hole. You know that it exists, but you cannot see it or understand it.

If you have 1000 or even more users and an email, file and samba server, libnss-mysql or libnss-maria are much easier to use and sufficient for your needs. If you have domains or 10 000 users in a busy network (they authenticate frequently), LDAP could be a good choice. Just choose good tools, otherwise you will hate LDAP and spend the rest of your life writing LDIF files like me :-D (edit in 2021 - in retrospect I just didn’t know I could create my own tools, and my skills weren’t that good at the time. Also I just like SQL more than anything else).

Object structure

An object has certain properties. The schema of an object is assembled from several smaller schemas (think XML Schema or JSON Schema). They are defined in a weird syntax and you need an OID to create new properties and objects. Well, you should have one. It is rigid. You can also think about it like Ruby classes and mixins, or any other object oriented language.

One object, such as an account, can mix in several schemas: a person entry can consist of a Unix account and a Samba account.

objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
	DESC 'RFC2247: domain component object'
	SUP top AUXILIARY MUST dc )

This is fun, right? That number is the OID.
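As an added worked example (it is not from the original post), the following Python script ties the two ideas above together: it parses a DN like the one in the example into its RDN path, and it checks an LDIF entry that mixes in two object classes against a small schema table of MUST and MAY attributes. The schema table is a constructed, trimmed-down stand-in for real schema files: dcObject follows the definition above, while the contents of person and posixAccount, the sample entry, and all helper names are assumptions chosen only for illustration.

```python
import re

# Constructed schema fragment: objectClass -> (MUST attributes, MAY attributes).
# dcObject mirrors the definition quoted in the article; person and posixAccount
# are simplified for the demo and are not copied from any real schema file.
SCHEMA = {
    "top": ({"objectClass"}, set()),
    "dcObject": ({"dc"}, set()),
    "organizationalUnit": ({"ou"}, {"description"}),
    "person": ({"cn", "sn"}, {"userPassword", "telephoneNumber", "description"}),
    "posixAccount": ({"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"loginShell", "gecos", "userPassword"}),
}

def _split_unescaped(s, sep):
    """Split s on sep, skipping backslash-escaped separators; escapes are kept."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair together
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def _unescape(value):   # "Doe\, John" -> "Doe, John"
    return re.sub(r"\\(.)", r"\1", value)

def _escape(value):     # re-escape the characters that are special in a DN value
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

def parse_dn(dn):
    """Parse a DN into (attribute, value) pairs, leaf first, as LDAP writes it.
    Multi-valued RDNs ('+') and hex values ('#...') are out of scope here."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, sep, value = rdn.partition("=")   # attribute types never contain '='
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().lower(), _unescape(value.strip())))
    return rdns

def parent_dn(dn):
    """Return the DN one level up the tree, in normalised form."""
    return ",".join(f"{a}={_escape(v)}" for a, v in parse_dn(dn)[1:])

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (no base64 or line folding)."""
    entry = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def check_entry(entry, schema=SCHEMA):
    """List problems: unknown classes, missing MUST attributes, stray attributes."""
    # Servers treat 'top' as implicitly present; that is what allows objectClass itself.
    classes = set(entry.get("objectClass", [])) | {"top"}
    problems, must, may = [], set(), set()
    for oc in sorted(classes):
        if oc not in schema:
            problems.append(f"unknown objectClass {oc}")
            continue
        must |= schema[oc][0]
        may |= schema[oc][1]
    present = set(entry) - {"dn"}   # dn names the entry; it is not an attribute
    for a in sorted(must - present):
        problems.append(f"missing MUST attribute {a}")
    for a in sorted(present - must - may):
        problems.append(f"attribute {a} not allowed by any objectClass")
    return problems

# Constructed sample entry: a person that also mixes in posixAccount.
SAMPLE_LDIF = """
dn: cn=Vin Diesel,ou=people,dc=example,dc=foo,dc=org
objectClass: person
objectClass: posixAccount
cn: Vin Diesel
sn: Diesel
uid: vdiesel
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/vdiesel
loginShell: /bin/bash
"""

def demo():
    entry = parse_ldif_entry(SAMPLE_LDIF)
    dn = entry["dn"][0]
    broken = {k: v for k, v in entry.items() if k != "homeDirectory"}
    return {"rdns": parse_dn(dn), "parent": parent_dn(dn),
            "ok_problems": check_entry(entry), "broken_problems": check_entry(broken)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the script shows the DN split leaf-first into cn, ou and three dc components, the parent DN “ou=people,dc=example,dc=foo,dc=org”, no problems for the sample entry, and exactly one complaint once homeDirectory is removed, which is the kind of rejection a server applying the posixAccount MUST list would give.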

Now you know some basics and principles of LDAP, so it won’t take you four years to understand crazy LDAP structures on your own.

Conclusion

Good luck, have fun.

And thank you if you create tools like phpMyAdmin to work with it. phpldapadmin is an unusable joke. And please write howtos and share your knowledge. I heard that the LDAP DB engine is considered an alternative to BerkeleyDB, which is another black hole for me. (edit 2021: I sort of understand what it is now and don’t care).
