This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes Security and the fly likes LDAP Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "LDAP" Watch "LDAP" New topic


Ronnie Phelps
Ranch Hand

Joined: Mar 12, 2001
Posts: 329
I here things about LDAP all the time. What is LDAP?
john guthrie
Ranch Hand

Joined: Aug 05, 2002
Posts: 124
it's a persistent store that is optimized for reads (vice writes) with a framework for querying a tree-based hierarchy, both elements and attributes.
openLDAP is the open-source version, elsewise netscape is the big player.
Payam Fard
Ranch Hand

Joined: Jan 31, 2003
Posts: 73
Could you please explain more as I am new to LDAP as well?
Ronnie Phelps
Ranch Hand

Joined: Mar 12, 2001
Posts: 329
Yeah maybe I'm just a novice security guy but could you explain that in english please?
john guthrie
Ranch Hand

Joined: Aug 05, 2002
Posts: 124
well, i think of it (correctly or not) as very similar to a database (i.e. persistent store) but optimized for reading, therefore useful for keeping data that does not need to be changed often (typically, user login data).
it differs from a database in that the data is stored hierarchically, so you access data by navigating the tree (like a DOM i guess). it also has a query language not at all like sql, that gain emphasizes the hierarchic nature of the data.
Tom Stevns
Ranch Hand

Joined: Nov 20, 2001
Posts: 120
Hello !
Imagine how to maintain 2500 users with access profiles to several corporate platforms like Lotus Domino, An application server, a content management system , SAP etc. ...
Wouldn't it be nice to maintain all those profiles from just one place with a "single sign on". As an example will a Logon to SAP give you implicit rights to the other platforms via LDAP.
Hopefully my english was not that bad !!

Regards Tom Stevns, SCJP2
Rama Raghavan
Ranch Hand

Joined: Aug 22, 2001
Posts: 116
Simply put a Directory is a hierachical data store. Information is stored as objects in folders (containers) or as leaf nodes.
LDAP is a protocol used to access data in this data store. Directory vendors support a server that can understand this protocol, and perform operation as specified by this protocol.
Well known directories are Novell's eDirectory, Microsoft's Active Directory and Sun/Netscape Directory.
LDAP directories are typically used to store User information - like login-name/password/profiles etc, like a phone book (phone directory) if you will. This way there is one place to store employee information: name, email, dept, phone, title, blah.blah.
When one such directory is designed and populated within one company, then many LDAP aware products can integrate with this directory, such as, VPN, Outlook, building access/security products, etc.etc.
Now when I change my password, I automatically reflects within all these other zillion applications...or if I walk one employee out of the door, there is one place to turn it "off".
But be aware to plan for redundancy and fault-tolerance 'cos if the CEO cannot login, you could be fired
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15299

So is the LDAP Server something seperate from Active Directory or is the server part of Active Directory.

GenRocket - Experts at Building Test Data
Ronnie Phelps
Ranch Hand

Joined: Mar 12, 2001
Posts: 329
Okay now it's more clear to me....but was does the acronym stand for?
john guthrie
Ranch Hand

Joined: Aug 05, 2002
Posts: 124
LDAP => lightweight directory access protocol
and yes, there is a "heavyweight" directory access protocol, DAP (not HDAP).
Clayton Donley

Joined: Mar 03, 2003
Posts: 27
LDAP itself is just a protocol, just like HTTP, SMTP, etc...
The various products, such as Active Directory, eDirectory, Sun One Directory Server, and OpenLDAP, all have their own way of doing the actual storage of information on disk, but use LDAP as a way for clients to access and manage the information.
A lot of people will say that LDAP vs. Database is a comparison of faster searches vs. transactional and relationship capabilities. While this is usually true, the real judge of the type of information that should be accessible via LDAP vs a Database is twofold:
1. Is there standard schema for the data being stored? The LDAP standards define not only a protocol, but various schema related to things such as people and groups. Directories that store this type of information can be reused by many applications out-of-the-box, whereas with most databases there is no standard schema for this type of information so something custom is generally done to hook in this type of general-purpose information.
2. Even if the information is defined in a standard schema, it may not be worthwhile storing it in LDAP or it may be. The second test is really whether the data being stored is generally useful to a variety of applications in a non-relational way. Meaning that if you are constantly associating users with sales information in reports, it may be important that user information is stored in a database. The reverse could be true if you have relatively stand-alone information that is generally useful to many different applications, but doesn't have standard schema defined.
Sometimes information both needs to be in relation with other information and accessed in a standard way (such as LDAP) by off-the-shelf applications (like Netegrity and many application servers). In those cases there are various integration technologies that either synchronize information between directories and databases (meta-directories) or performs database->LDAP translation on the fly (virtual directories).
From a programmer's perspective and from a security perspective, the reason LDAP is so important is that most user accounts are now being managed in an LDAP-enabled directory. As an application developer, you wouldn't want the people using your applications to have to manage a whole set of users just for your application if these users are already being managed (passwords and everything) in an existing repository. Since most of those repositories are LDAP-enabled, you can easily use something like JNDI or JAAS to do your own authentication to these stores or use the built-in functionality in an application server (such as the LDAP Realm in BEA WebLogic Server).
Hope this helps...
[ March 17, 2003: Message edited by: Clayton Donley ]

Clayton Donley, CTO<br />Octet String, Inc.<br />Phone: +1-847-358-9358 ext. 111<br />Email:<p>Author: LDAP Programming, Management, and Integration<br />Manning: <a href="" target="_blank" rel="nofollow"></a><br />Amazon: <a href="" target="_blank" rel="nofollow"></a>
I agree. Here's the link:
subject: LDAP
Similar Threads
What on earth could that recruiter mean?
difference between LDAP and JNDI
Transaction management
LDAP Transaction
Weblogic is not getting started