37.0 LDAP—A Directory Service
The Lightweight Directory Access Protocol (LDAP) is a set of protocols
designed to access and maintain information directories. LDAP can be used
for numerous purposes, such as user and group management, system configuration
management, or address management. This chapter provides a basic
understanding of how OpenLDAP works and how to manage LDAP data with
YaST. While there are several implementations of the LDAP protocol, this
chapter focuses entirely on the OpenLDAP implementation.
It is crucial within a networked environment to keep important information
structured and quickly available. This can be done with a directory
service that, like the common yellow pages, keeps information available in a
well-structured, quickly searchable form.
In the ideal case, a central server keeps the data in a directory and
distributes it to all clients using a certain protocol. The data is
structured in a way that allows a wide range of applications to access it.
That way, it is not necessary for every single calendar tool and e-mail
client to keep its own database—a central repository can be accessed
instead. This notably reduces the administration effort for the information.
The use of an open and standardized protocol like LDAP ensures that
as many different client applications as
possible can access such information.
A directory in this context is a type of database optimized for quick
and effective reading and searching:
- To make numerous concurrent read accesses possible, write
access is limited to a small number of updates by the administrator.
Conventional databases, by contrast, are optimized for accepting the largest
possible data volume in a short time.
- Because write accesses can only be executed in a restricted fashion,
a directory service is used to administer mostly unchanging, static
information. Data in a conventional database typically changes very often
(dynamic data). Phone numbers in a company directory
do not change nearly as often as, for example, the figures administered in
accounting.
- When static data is administered, updates of the existing data sets
are very rare. When working with dynamic data, especially when data sets
like bank accounts or accounting records are concerned, the consistency of the
data is of primary importance. If an amount is to be subtracted from one place
and added to another, both operations must happen together, within a
transaction, to keep the data as a whole balanced. Databases support such
transactions. Directories do not. Short-term inconsistencies of the data are
quite acceptable in directories.
The design of a directory service like LDAP is not intended to support
complex update or query mechanisms. All applications accessing this service
should be able to gain access quickly and easily.
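To make the "optimized for reading and searching" point concrete, here is a small in-memory directory with a search over it. This is an added example written for this page; it is not code from the SUSE documentation or from OpenLDAP. The entries, DNs and attribute values are constructed, and the query language goes slightly beyond the text: it is a restricted subset of the RFC 4515 string filter syntax that LDAP clients actually send (equality, presence, AND, OR, NOT; substring and ordering filters are left out). The `escape_filter_value` helper is the check a practitioner wants before putting any externally supplied value into a filter, because the filter characters `* ( ) \` would otherwise change the meaning of the query. Matching is simplified to case-insensitive equality for every attribute, whereas real LDAP applies per-attribute matching rules.

```python
"""Minimal LDAP-style directory search (added illustration, not OpenLDAP code).

Entries live in a dict keyed by DN. Searching uses a subset of the RFC 4515
string filter syntax. Attribute names are compared case-insensitively, as
LDAP does; attribute values are compared case-insensitively as a simplification.
"""
from typing import Dict, List, Tuple

# Constructed sample entries; the people, addresses and numbers are fictitious.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Alice Example,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "cn": ["Alice Example"],
        "sn": ["Example"],
        "mail": ["alice@example.com"],
        "telephoneNumber": ["+1 555 0100"],
    },
    "cn=Bob Sample,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "cn": ["Bob Sample"],
        "sn": ["Sample"],
        "mail": ["bob@example.com"],
    },
    "cn=printers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["printers"],
        "member": ["cn=Alice Example,ou=people,dc=example,dc=com"],
    },
}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in a filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes in a filter value back into characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _expect(s: str, pos: int, ch: str) -> None:
    if pos >= len(s) or s[pos] != ch:
        raise ValueError(f"expected {ch!r} at offset {pos}")


def _parse(s: str, pos: int) -> Tuple[tuple, int]:
    """Recursive-descent parser returning (node, next_position)."""
    _expect(s, pos, "(")
    pos += 1
    op = s[pos]
    if op in "&|":  # (&(...)(...)) or (|(...)(...))
        pos += 1
        children = []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        _expect(s, pos, ")")
        return (op, children), pos + 1
    if op == "!":  # (!(...))
        child, pos = _parse(s, pos + 1)
        _expect(s, pos, ")")
        return ("!", child), pos + 1
    # Simple item: attr=value. A literal ')' inside a value must be escaped
    # as \29, so the next raw ')' always closes this item.
    end = s.index(")", pos)
    attr, sep, raw = s[pos:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"malformed filter item at offset {pos}")
    if raw == "*":  # presence filter, e.g. (mail=*)
        return ("present", attr.lower()), end + 1
    if "*" in raw:
        raise ValueError("substring filters are not supported in this example")
    return ("=", attr.lower(), _unescape(raw)), end + 1


def parse_filter(filter_str: str) -> tuple:
    node, pos = _parse(filter_str, 0)
    if pos != len(filter_str):
        raise ValueError("trailing characters after filter")
    return node


def matches(node: tuple, entry: Dict[str, List[str]]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    attrs = {k.lower(): v for k, v in entry.items()}
    if kind == "present":
        return node[1] in attrs
    return any(v.lower() == node[2].lower() for v in attrs.get(node[1], []))


def search(base_dn: str, filter_str: str) -> List[str]:
    """Subtree search below base_dn; returns the matching DNs, sorted."""
    node = parse_filter(filter_str)
    in_scope = lambda dn: dn == base_dn or dn.endswith("," + base_dn)
    return sorted(dn for dn, e in DIRECTORY.items() if in_scope(dn) and matches(node, e))


if __name__ == "__main__":
    print(search("dc=example,dc=com", "(&(objectClass=inetOrgPerson)(telephoneNumber=*))"))
    user_input = "*"  # an escaped wildcard stays a literal value, not a presence test
    print(search("dc=example,dc=com", f"(cn={escape_filter_value(user_input)})"))
```

The last two lines of the block show why the escaping helper matters: `(cn=*)` built from raw input would return every entry that has a `cn`, while the escaped form `(cn=\2a)` looks for the literal string `*` and returns nothing.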