LDAP at UH
The Lightweight Directory Access Protocol, also known as LDAP, is an Internet standard which makes it easy to access common information from many different computer systems and applications over the Internet. Although still in an early stage, UH is moving towards using LDAP to provide a central point of access for services such as the ITS modem pool and Web-based e-mail. Future projects such as wireless LAN access and Web portals will use LDAP to perform user authentication and authorization. As an introduction to LDAP at UH, information is provided in a question-and-answer format below.
What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. It is an Internet standard for information access over the Internet. As a standard, it provides for the exchange of information between a directory service and users of that service. While it holds information used by many, it is primarily for retrieval of information and not for generating reports like you would expect from a database server.
The Internet standards called RFCs (Request For Comments) describe a common way of laying out the information, searching for and requesting information, securing access to the information, and sending the information over TCP/IP. This makes it easy to access common information from many different computer systems and applications.
What is a directory?
A directory is a place to keep information such as a database or look-up table. The contents of the directory depend on what purpose the data is intended to serve. For example, a white pages directory is a listing of people, their telephone numbers, and their addresses; in other words, a phone book. The information stored in a directory can have a very complex or detailed structure, but basically it's just information stored somewhere.
What is a directory service?
A directory service is a service that provides information. In spite of the marketing hype, that's all there really is to it. There are many different forms of directory services but they all provide information. As telephone users, we're all familiar with the 411 directory service. It provides information such as the telephone number of a person or business that we're trying to call. Many Internet users obtain information from the Domain Name Service (DNS), a directory service that provides information about the IP address of a computer.
What can LDAP do?
LDAP directory services can permit a central point of access to services such as the ITS modem pool, wireless LAN access, white pages information (phone book), and portals. It is also possible to store hardware configuration information in LDAP directories. This function is very helpful to those who need to manage many personal computers on a network.
What is a simple example of what LDAP can do?
When students at the UH Manoa campus look for a student job, they log on to the Student Employment and Cooperative Education (SECE) system (see related article on the SECE system) using their ITS Username. The Web server uses LDAP to check whether the person logging in is allowed to use the SECE system. This process is known as user authentication.
In addition to determining whether a person can access the system, LDAP also keeps track of what the person is allowed to do within the system. This process is known as user authorization. If a student tries to log on as an employer to list a job opening, the student is prevented from doing so. While employers can list job openings, their role doesn't allow them to obtain referrals for student job openings. Along the same line, those on staff at the Student Employment Office have capabilities that neither students nor employers have because they have a different role determined by their logon. This is all made possible by a central LDAP directory service.
How is this central LDAP directory service possible?
The ability to determine who a person is (authentication) and what services that person has access to (authorization) is essential as new systems and services are offered to UH faculty, staff, and students. In 1997, UNISON was conceived as a mechanism to capture information about people so that ITS Usernames could be created, modified, and removed as people's status relative to the University system changed. UNISON is a collection point of the authentication and authorization information. With that information, members of the University community have access to many services including:
The UNISON data is provided by various mechanisms specific to the different systems. Eventually, every service can use LDAP to get the authentication and authorization information.
The central LDAP directory service running on a Netscape Directory Server provides the authentication and authorization information via LDAP to the Student Employment and Cooperative Education (SECE) Web application that students and employers use at UH Manoa. SECE will soon serve the entire UH system and also feed the SCOPIS system used to pay students. The Web-based e-mail service uses its own directory server to store individual user profile and configuration information. However, it does use the same UNISON information for user logons.
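The SECE login flow described above has two separate decisions: authentication (is this the person the ITS Username names?) and authorization (what does that person's role permit?). The following added example, which is not code from the UH article or from the SECE application, models both against a small constructed LDIF directory held in memory, so it runs without a directory server. The suffix dc=example,dc=edu, the user and group names, the memberUid role groups, and the ROLE_ACTIONS table are all assumptions for illustration. The {SSHA} password format is the salted SHA-1 scheme Netscape Directory Server stores in userPassword, and escape_filter_value shows the RFC 4515 escaping a Web application must apply to a username before placing it in a search filter such as (uid=...).

```python
"""Model of LDAP-backed authentication and authorization (added example).
The directory is a constructed in-memory LDIF snippet; no server is contacted."""
import base64
import hashlib
import hmac

SALT = b"\x01\x02\x03\x04"  # constructed; a real server picks a random salt per entry


def ssha_hash(password: str, salt: bytes) -> str:
    """Produce a {SSHA} userPassword value: SHA-1 over password+salt, then
    base64 of digest+salt (the salted scheme used by Netscape Directory Server)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample directory: two people and two role groups. The suffix,
# names and attribute layout are assumptions, not UH's real directory.
SAMPLE_LDIF = f"""\
dn: uid=kaleo,ou=People,dc=example,dc=edu
uid: kaleo
cn: Kaleo Student
userPassword: {ssha_hash('aloha-2002', SALT)}

dn: uid=acme-hr,ou=People,dc=example,dc=edu
uid: acme-hr
cn: Acme Employer
userPassword: {ssha_hash('hire-me', SALT)}

dn: cn=students,ou=Groups,dc=example,dc=edu
cn: students
memberUid: kaleo

dn: cn=employers,ou=Groups,dc=example,dc=edu
cn: employers
memberUid: acme-hr
"""

# Hypothetical permissions per role, mirroring the SECE description:
# students look for jobs, employers list them, staff also make referrals.
ROLE_ACTIONS = {
    "students": {"view_jobs"},
    "employers": {"list_job"},
    "staff": {"view_jobs", "list_job", "make_referral"},
}


def parse_ldif(text: str) -> list[dict]:
    """Parse minimal LDIF ('attr: value' lines, blank line between entries)
    into dicts mapping attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515) so that
    '*', parentheses, backslash and NUL cannot alter the filter's meaning.
    Apply this before building e.g. '(uid=%s)' for a real directory server."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def authenticate(entries: list[dict], uid: str, password: str) -> bool:
    """Authentication: exactly one entry carries this uid and the password verifies."""
    matches = [e for e in entries if e.get("uid") == [uid]]
    if len(matches) != 1:
        return False
    return any(ssha_verify(password, pw) for pw in matches[0].get("userPassword", []))


def roles_of(entries: list[dict], uid: str) -> set[str]:
    """Authorization data: the role groups that list this uid as a member."""
    return {e["cn"][0] for e in entries if "memberUid" in e and uid in e["memberUid"]}


def may(entries: list[dict], uid: str, action: str) -> bool:
    """Authorization decision: is the action permitted by any of the user's roles?"""
    return any(action in ROLE_ACTIONS.get(role, set()) for role in roles_of(entries, uid))


DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    print(authenticate(DIRECTORY, "kaleo", "aloha-2002"))  # True
    print(may(DIRECTORY, "kaleo", "list_job"))             # False: a student cannot list a job
    print(may(DIRECTORY, "acme-hr", "list_job"))           # True
```

Against a live server the same split applies: the application escapes the username, searches for exactly one matching entry, binds (or verifies the password) for authentication, and then reads group membership for authorization; a failed step anywhere denies the request rather than falling through to a default role.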
This just scratches the surface of what's possible. Here are some other areas where LDAP could be used:
The source data is gathered from PeopleSoft (about employees), ISIS (about students at UH Manoa), and campus representatives (about students and staff from other campuses, RCUH, and other affiliates). While LDAP directory services are currently in production mode, we are working to improve the timeliness of the data so that it is as up-to-date as possible. Everyone's help is required to make it so.
How do other campuses tap into the central LDAP directory service at UH Manoa?
Solaris 8 can use LDAP for user login authentication via the /etc/nsswitch.conf configuration file. Other operating systems may have LDAP libraries and configuration files that would allow them to query the information in an LDAP directory. Some details need to be addressed for specific systems.
For Windows networks, there may be several possibilities; however, nothing has been adequately tested to ensure proper operation and security of the data. If you would like to assist with this effort, please contact Russ Tokuyama.
Who do I contact for more information?
For more information on LDAP, contact Russ Tokuyama of Information Technology Services at email@example.com or call 956-3924.
Maintained by: firstname.lastname@example.org
©2001 University of Hawaii
Updated: December 19, 2002