Information Technology Services: University of Hawaii

ITS Brown Bag Session on Lightweight Directory Access Protocol (LDAP)

Questions and Answers

At our 10/3/2000 ITS Brown Bag session, Russ Tokuyama of ITS presented information on LDAP. Following are questions and answers from the session:

  1. What is the "big picture" of LDAP and how will it become more important to applications in the real world? What does it mean to me? How can it help me in my work?

    LDAP provides a central place to look up information. That information can be about people, places, events, and other things. An LDAP directory service is not a database to be used for generating reports or for doing large amounts of changes. More applications are being written or enhanced to use an LDAP directory service to retrieve information from a central place because there is a standard way of communicating with it and for querying for information stored in it. User authentication is one use of LDAP which makes developing new applications easier by being able to reuse previously written software.

  2. How is LDAP used for authentication?

    A directory service does not provide any service other than a lookup of information. However, it can be used by an authentication service to lookup user IDs and passwords or any other storable security token or credential. For example, the Name Information Service (NIS) on UNIX systems provides the user ID and password information for users on a UNIX system. The login command uses NIS to lookup the password for the user logging in. Most UNIX systems are able to use LDAP as a name information service in place of NIS. Thus, the login command can compare the password the user types in at the prompt to the password stored in the LDAP directory. If a match occurs, the user is authenticated. Otherwise, the user is not authenticated.

    Under Sun's Solaris (UNIX) operating system, the naming service used can be switched from Sun's Name Information Service (NIS) to NIS+ or LDAP by changing the entry in the /etc/nsswitch.conf file. Of course, the appropriate backend system or server must be enabled.

  3. When will first_name.last_name@hawaii.edu be implemented?

    No specific date has been set for implementing the use of the first and last names as the e-mail address instead of the ITS username (UHUNIX ID). While a central LDAP directory can be used to support this, changes are required in the mail delivery system to make this possible.

  4. Is there more in-depth information about how different systems interact to use a common directory for authentication?

    The Internet standards, RFCs (Request For Comments), are the documents that detail the inner workings of LDAP. RFCs are available via the Web. Search the RFC Index for "LDAP" to view all related RFCs or just search for the specific RFC numbers below:

    LDAP version 2 (RFC 1777, 1778, 1779)
    LDAP version 3 (RFC 2251, 2252, 2253)

    Information is also available in books and articles published in magazines and on the Web and may be easier to understand than the RFCs:

    An LDAP Roadmap & FAQ:
    www.kingsmountain.com/ldapRoadmap.shtml

    Mark Wahl's LDAP FAQ:
    www2.innosoft.com/ldapworld/ldapfaq.html

    In general, LDAP provides a standard way for client systems to query a central LDAP directory server. The query is formatted the same way for all servers while the data in a particular server may be structured differently. For example, user information may be structured by organization name and country or by organization name and Internet domain.

  5. Who coordinates tying into LDAP for authentication of users?

    If you would like to use the central LDAP directory server to authenticate users, please contact Russ Tokuyama at russ@hawaii.edu or 956-3924.

  6. What's the issue with Microsoft's implementation relative to LDAP?

    Although there was a concern with Microsoft's implementation of Kerberos for user authentication in Windows 2000, there weren't any specific concerns raised relative to LDAP. However, the thing to keep in mind with Windows 2000's Active Directory Services (ADS) is that Windows 2000 stores hardware configuration information in the Active Directory. There are some difficulties in using it for an enterprise-wide directory service due to the type and structure of information that is stored in Active Directory.

  7. Is there any way to tie into LDAP or UNISON for a single sign on for Windows NT servers so campuses don't have to create a separate ID?

    While it is possible to use LDAP to authenticate users on Windows NT networks and servers, the details of how to implement this have not been worked out. There are a few possible strategies to use but the main constraints for this are ease of use and secure operation. If you have further questions or would like to pursue a particular strategy, please contact Russ Tokuyama at russ@hawaii.edu or 956-3924.

  8. Is there more information about using LDAP with the Windows environment?

    Some applications for Windows are able to use LDAP. For example, Netscape Communicator knows how to talk to an LDAP directory service to store browser configuration settings so that a user can move from computer to computer and have the same bookmarks, address book, and preferences without having to copy the information from computer to computer.

    Applications for Windows can be written using software development libraries that permit access to an LDAP directory service. Netscape has a freely available LDAP SDK (software development kit). There is probably a COM library for Visual Basic. Sun provides a Java library and API for accessing naming services such as LDAP.

  9. What future projects are planning to use LDAP?

    Web-based systems (aka, Web Applications or Apps) will be able to use LDAP for authentication and possibly for authorization (access control).

  10. Where is the University or ITS as far as trying to implement wireless networking and getting it going? What is ITS starting with?

    ITS is developing procedures and guidelines for the installation, configuration, and administration of wireless LAN access using IEEE 802.11 standard networking equipment. Due to the nature of wireless communications, setup and configuration are critical to achieving reliable connectivity. It is also very important to ensure secure and proper use of network connectivity. The UH Manoa campus will probably be the first to pilot wireless LAN connectivity.


Maintained by:
webhead@hawaii.edu
Copyright © 1997-2000 University of Hawaii
Last Reviewed: Jan. 18, 2001

Go to ITS Home Page Go to UHINFO Go to ITS Home Page