Notes on LDAP
- Lightweight Directory Access Protocol
- an application protocol used over an IP network
- used to manage and access the distributed directory information service
- directory service is used to provide a systematic set of records
To start an LDAP session, a client connects to the server, known as the Directory System Agent (DSA), which by default listens on TCP port 389. Once the connection is established, the client and server exchange protocol messages. The Basic Encoding Rules (BER) of ASN.1 are used to encode the information transferred between server and client.
The basic structure is as follows:
• Every entry consists of a set of attributes.
• Each attribute has a name and holds one or more values.
• Each entry in the directory is assigned a unique identifier, its Distinguished Name (DN), which is built from the entry's own Relative Distinguished Name (RDN) and those of its parent entries.
A server holds a sub-tree and its children, beginning from a particular entry.
In addition, it may also hold references (referrals) to other remote servers.
A client has the option of contacting those other servers too.
LDAP defines a set of client operations; here are the most prominent ones:
• Add -- Inserts a new entry into the directory. If an entry with the name supplied by the user already exists, the server refuses to add a duplicate and instead returns an "entryAlreadyExists" result.
• Bind -- On connection to the LDAP server, the session's default authentication state is anonymous; bind authenticates the client. There are two types of LDAP authentication methods - the simple authentication method and the SASL authentication method.
• Delete -- As the name suggests, this operation deletes an entry from the directory. To do so, the LDAP client transmits a well-formed delete request to the server.
• Compare and search -- Various parameters such as baseObject, filter, scope, attributes, typesOnly, derefAliases, timeLimit and sizeLimit are used to perform both search and read operations, in addition to comparison functions.
• Modify -- Used by LDAP clients to request changes to already existing entries. The change to be made must be one of the following operations:
- Add (including a new value).
- Delete (deleting an already existing value).
- Replace (overwriting an existing value with a new one).
• Unbind -- The inverse of the bind operation. Unbind aborts any outstanding operations and terminates the connection; the server sends no response.
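The BER encoding mentioned above and the search parameters listed under "Compare and search" can be seen together by building one LDAP SearchRequest by hand. The following is an added example (not part of the original notes) that encodes an LDAPMessage carrying a search for (uid=alice) under a constructed base DN dc=example,dc=com, and decodes the resulting TLVs; tag values follow RFC 4511 and X.690.

```python
"""Hand-rolled BER encoding of an LDAP SearchRequest (RFC 4511 / X.690 tags)."""

# Universal BER tags used by LDAP, plus the LDAP application/context tags needed here.
BOOLEAN, INTEGER, OCTET_STRING, ENUMERATED, SEQUENCE = 0x01, 0x02, 0x04, 0x0A, 0x30
SEARCH_REQUEST = 0x63          # [APPLICATION 3], constructed
EQUALITY_MATCH = 0xA3          # Filter CHOICE [3], constructed
SCOPE_WHOLE_SUBTREE = 2        # baseObject=0, singleLevel=1, wholeSubtree=2
NEVER_DEREF_ALIASES = 0        # derefAliases value 0

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def integer(n: int, tag: int = INTEGER) -> bytes:
    """Minimal two's-complement content octets as BER requires (+8 leaves room for the sign bit)."""
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def octet_string(s: str) -> bytes:
    return tlv(OCTET_STRING, s.encode("utf-8"))

def boolean(b: bool) -> bytes:
    return tlv(BOOLEAN, b"\xff" if b else b"\x00")

def equality_filter(attr: str, value: str) -> bytes:
    """AttributeValueAssertion for the filter (attr=value)."""
    return tlv(EQUALITY_MATCH, octet_string(attr) + octet_string(value))

def search_request(msg_id, base, scope, deref, size_limit, time_limit, types_only, filt, attrs):
    """LDAPMessage { messageID, SearchRequest { fields in RFC 4511 order } }."""
    body = (octet_string(base) + integer(scope, ENUMERATED) + integer(deref, ENUMERATED)
            + integer(size_limit) + integer(time_limit) + boolean(types_only) + filt
            + tlv(SEQUENCE, b"".join(octet_string(a) for a in attrs)))
    return tlv(SEQUENCE, integer(msg_id) + tlv(SEARCH_REQUEST, body))

def read_tlv(data: bytes):
    """Decode one TLV from the front of data; returns (tag, value, remaining bytes)."""
    tag, first = data[0], data[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        count = first & 0x7F
        length, pos = int.from_bytes(data[2:2 + count], "big"), 2 + count
    return tag, data[pos:pos + length], data[pos + length:]

if __name__ == "__main__":
    msg = search_request(1, "dc=example,dc=com", SCOPE_WHOLE_SUBTREE, NEVER_DEREF_ALIASES,
                         0, 0, False, equality_filter("uid", "alice"), ["cn", "mail"])
    print(msg.hex())  # bytes a packet capture on port 389 would show for this request
```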
When you have a task that requires "write/update once, read/query many times", you might consider using LDAP. LDAP is designed to provide extremely fast read/query performance on large datasets.
Imagine you have a website with a million registered users and thousands of page requests per second. Without LDAP, every time a user clicks a page, even to view a static page, you will probably need to query your database to validate the user ID and its digital signature for the login session. Obviously, that user-validation query against your database will become your bottleneck. By using LDAP, you can easily offload the user validation and gain a significant performance improvement.
Essentially, in this example, LDAP is another optimization layer outside your database to enhance performance, not replacing any database functions.
Any task that has the following properties might be a good use case for LDAP:
- locate one piece of data many times
- logic and relations between different data do not matter
- data is not updated, added, or deleted frequently
- size of each data entry is small
- all these small pieces of data can be at a centralized place