1.1 The Lightweight Directory Access Protocol
Of course, you didn't buy this book to read about
the Domain Name System. And it's not likely that you
were looking for a general discussion of directory services. This
book is about a particular kind of directory service�namely, a
service for directories that implement the Lightweight
Directory Access Protocol (LDAP). LDAP has become somewhat of a
buzzword in contemporary IT shops. If you are like me, sometimes you
just have to ask, "Why all the
fuss?" The fuss is not so much about LDAP itself,
but about the potential of LDAP to consolidate existing services into
a single directory that can be accessed by LDAP clients from various
vendors. These clients can be web browsers, email clients, mail
servers, or any one of a myriad of other applications.
By consolidating information into a single directory, you are not
simply pouring the contents of your multitude of smaller pots into a
larger pot. By organizing your information well and thinking
carefully about the common information needed by client applications,
you can reduce data redundancy in your directories and therefore
reduce the administrative overhead needed to maintain that data.
Think about all the directory services that run on your network and
consider how much information is duplicated. Perhaps hosts on your
network use a DHCP server. This server has a certain amount of
information about IP addresses, Ethernet addresses, hostnames,
network topology, and so forth in its configuration files. Which
other applications use the same or similar information and could
share it if it were stored in a directory server? DNS comes
immediately to mind, as does NIS. If you have networked printers as
well, think about the amount of information that's
replicated on each client of the printing system (for example,
/etc/printcap files).
Now consider the applications that use your user account information.
The first ones that probably come to mind are
authentication
services: users need to type usernames and passwords to log in. Your
mail server probably uses the same username information for mail
routing, as well as for services such as mailing lists. There may
also be online phone books that keep track of names, addresses, and
phone numbers, as well as personnel systems that keep track of job
classifications and pay scales.
Imagine the administrative savings that would result if all the
redundant data on your network could be consolidated in a single
location. What would it take to delete a user account? We all know
what that takes now: you delete the user from
/etc/passwd, remove him by hand from any mailing
lists, remove him from the company phone list, and so on. If
you're clever, you've probably
written a script or two to automate the process, but
you're still manipulating the same information
that's stored in several different places. What if
there was a single directory that was the repository for all this
information, and deleting a user was simply a matter of removing some
records from this directory? Life would become much simpler.
Likewise, what would it take to track host-related information? What
would it be worth to you if you could minimize the possibility that
machines and users use out-of-date information?
This sounds like a network administrator's utopia.
However, I believe that as more and more client applications use LDAP
directories, making an investment in setting up an LDAP server will
have a huge payoff long-term. Realistically, we're
not headed for a utopia. We're going to be
responsible for more servers and more services, running on more
platforms. The dividends of our LDAP investment come when we
significantly reduce the number of directory technologies that we
have to understand and administer. That is our goal.
|