User authentication with directory services: LDAP

A "directory" is like a database, but tends to contain more descriptive, attribute-based information. The information in a directory is generally read much more often than it is written. As a consequence, directories don't usually implement the complicated transaction or rollback schemes regular databases use for high-volume, complex updates, which makes directories much faster for read access.

X.500 is the model for directory services defined by ISO and ITU-T as part of Open Systems Interconnection (OSI), the same body of standards that defined the seven-layer network reference model. The model encompasses the overall name space and the protocol for querying and updating it. The protocol is known as "DAP" (Directory Access Protocol); it runs over the full OSI network protocol stack, which makes it complex and "heavyweight".

The Lightweight Directory Access Protocol (LDAP) was developed at the University of Michigan around 1992 (first published as RFC 1487 in 1993) to provide a simple protocol for accessing X.500-style directory services. Because it runs directly on top of TCP/IP and omits some of the more esoteric functions of X.500, it is comparatively "lightweight" and easier to implement in small computer systems.

Over the years, LDAP has become the de facto standard for access to corporate directory services. Using an LDAP directory to authenticate users for network access centralizes the user database further than RADIUS alone does: rather than maintaining a separate account store on the RADIUS server, the credentials are validated directly against the enterprise directory.

LDAP was originally defined without encryption, so a simple bind sends the bind DN and password in cleartext and the exchange is not secure against sniffing. What is loosely called "Secure LDAP" is either LDAP over SSL/TLS (LDAPS, conventionally on TCP port 636) or the StartTLS extended operation (RFC 2830, later folded into RFC 4511 and RFC 4513), which upgrades an existing port-389 connection to TLS. Both encrypt the session and, provided the client verifies the server's certificate, also authenticate the server; a client that skips certificate verification still exposes the password to an active attacker who terminates the TLS session.
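To make the sniffing risk concrete, the following is an added example (not code from the original text or from any LDAP implementation) that encodes an LDAPv3 simple BindRequest in BER exactly as it is sent over TCP/389 (RFC 4511, section 4.2), then decodes it the way a passive observer would, recovering the bind DN and password. The DN and password are constructed sample values; `ldaps_client_context` shows the client-side TLS settings that LDAPS or StartTLS needs to actually close the gap.

```python
import ssl

# BER tags used by an LDAP BindRequest (RFC 4511, section 4.2).
TAG_SEQUENCE = 0x30       # universal SEQUENCE, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive
LDAP_VERSION = 3


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; adds a leading 0x00 when the high bit is set,
    because BER INTEGER is two's complement."""
    body = v.to_bytes((v.bit_length() // 8) + 1, "big")
    return tlv(TAG_INTEGER, body)


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    bind = (ber_int(LDAP_VERSION)
            + tlv(TAG_OCTET_STRING, bind_dn.encode())
            + tlv(TAG_SIMPLE_AUTH, password.encode()))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_BIND_REQUEST, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes) -> dict:
    """What a passive observer recovers from a cleartext BindRequest."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, auth, _ = _read_tlv(bind, pos)
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode(),
        # Only the simple choice carries a cleartext password; a SASL
        # bind ([3]) would carry mechanism-specific credentials instead.
        "password": auth.decode() if auth_tag == TAG_SIMPLE_AUTH else None,
    }


def ldaps_client_context() -> ssl.SSLContext:
    """TLS settings a client should use for LDAPS (tcp/636) or StartTLS:
    the server certificate must be verified and the hostname checked,
    otherwise an active attacker can terminate TLS and read the bind."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    wire = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "s3cret")
    print(wire.hex())            # the password bytes are visible in the dump
    print(sniff_simple_bind(wire))
```

Wrapping the socket with `ldaps_client_context().wrap_socket(sock, server_hostname=host)` before sending the same bytes is what turns the cleartext exchange into LDAPS; the BindRequest itself does not change.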

An open source implementation of an LDAP server can be found at http://www.openldap.org. LDAP services have also been incorporated into most operating systems, including several versions of UNIX, Linux, and Windows (where Active Directory exposes an LDAP interface).