- What is the "big picture" of LDAP and how will it become more
to applications in the real world? What does it mean to me? How can it
help me in my work?
LDAP provides a central place to look up information. That
information can be about people, places, events, and other things. An
LDAP directory service is optimized for lookups; it is not a database to be
used for generating reports or for large volumes of updates. More
applications are being written or enhanced to use an LDAP directory service
to retrieve information from a central place because there is a standard way
of communicating with it and of querying the information stored in it. User
authentication is one use of LDAP; it makes developing new applications
easier because previously written software can be reused.
- How is LDAP used for authentication?
A directory service does not provide any service other than a lookup of
information. However, it can be used by an authentication service to
look up user IDs and passwords or any other storable security token or
credential. For example, the Network Information Service (NIS) on UNIX
systems provides the user ID and password information for users on a UNIX
system. The login command uses NIS to look up the (hashed) password for the
user logging in. Most UNIX systems are able to use LDAP as a name service
in place of NIS. Thus, the login command can compare a hash of the password
the user types at the prompt to the password hash stored in the LDAP
directory; a better-designed client instead asks the directory to verify
the password by binding to the server as that user, so the stored hash never
leaves the server. If a match occurs, the user is authenticated.
Otherwise, the user is not authenticated.
Under Sun's Solaris (UNIX) operating system, the naming service
used can be switched from Sun's Network Information Service (NIS) to NIS+ or
LDAP by changing the entries in the /etc/nsswitch.conf file. Of course, the
appropriate backend system or server must be enabled, and the connection to
the LDAP server should be protected (for example with TLS), since passwords
or password hashes travel over it.
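The following is an added example, not code from the original FAQ or from ITS. It shows what the comparison described in the answer above amounts to when the directory stores hashed passwords in the RFC 2307 userPassword syntax ({SSHA}, {SHA}, or cleartext): the client retrieves the stored value and checks the typed password against it. The sample entry, its salt, and the helper names are constructed for the example; no directory server is contacted.

```python
"""Verify a typed password against an LDAP userPassword value (RFC 2307 style).

Added example, not part of the original FAQ. Schemes handled: {SSHA} (salted
SHA-1), {SHA} (unsalted SHA-1), and cleartext. Other schemes are refused.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Produce an unsalted {SHA} value: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Return True if candidate matches the stored userPassword value.

    All comparisons use hmac.compare_digest so timing does not leak how many
    leading bytes of the digest matched.
    """
    pw = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
        computed = hashlib.sha1(pw + salt).digest()
        return hmac.compare_digest(computed, digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        computed = hashlib.sha1(pw).digest()
        return hmac.compare_digest(computed, raw)
    if stored.startswith("{"):
        # Unknown scheme ({CRYPT}, {MD5}, ...): refuse rather than guess.
        scheme = stored.split("}")[0] + "}"
        raise ValueError("unsupported userPassword scheme: " + scheme)
    # No scheme prefix means the directory stored the password in cleartext.
    return hmac.compare_digest(stored.encode("utf-8"), pw)


# Constructed sample: the attributes a name-service lookup of a posixAccount
# entry might return. The salt is fixed here only to keep the example stable.
SAMPLE_ENTRY = {
    "uid": "jdoe",
    "uidNumber": "1001",
    "userPassword": make_ssha("correct horse", salt=b"\x01\x02\x03\x04"),
}


def login(entry: dict, typed: str) -> bool:
    """What the login command does with the looked-up entry: hash compare."""
    return verify_userpassword(entry["userPassword"], typed)


if __name__ == "__main__":
    print(login(SAMPLE_ENTRY, "correct horse"))
    print(login(SAMPLE_ENTRY, "wrong"))
```

Note that this mirrors the NIS model: every client that can read userPassword receives the hash and can attack it offline. With an LDAP simple bind over TLS, the client sends the typed password to the server and the server performs this comparison, so read access to userPassword can be withheld from ordinary clients.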
- When will firstname.lastname@example.org be implemented?
No specific date has been set for implementing the use of the first and
last names as the e-mail address instead of the ITS username (UHUNIX
ID). While a central LDAP directory can be used to support this, changes
are required in the mail delivery system to make this possible.
- Is there more in-depth information about how different systems
interact to use a common directory for authentication?
The Internet standards, RFCs (Request For Comments), are the
documents that detail the inner workings of LDAP. RFCs are available
online. Search the RFC index for "LDAP" to view all related RFCs or just
search for the specific RFC number:
LDAP version 2: RFC 1777 (protocol), 1778 (attribute syntaxes), 1779 (string representation of distinguished names)
LDAP version 3: RFC 2251 (protocol), 2252 (attribute syntax definitions), 2253 (UTF-8 string representation of distinguished names); these have since been obsoleted by the RFC 4510 series, which is the current specification.
Information is also available in books and articles published in
magazines and on the Web and may be easier to understand than the RFCs:
An LDAP Roadmap & FAQ:
Mark Wahl's LDAP FAQ:
In general, LDAP provides a standard way for client systems to query a
central LDAP directory server. The query is formatted the same way for
all servers while the data in a particular server may be structured
differently. For example, user information may be placed under a tree
named by organization name and country (a suffix such as o=Example,c=US) or
by Internet domain (dc=example,dc=com); a client must be told which base
to search.
- Who coordinates tying into LDAP for authentication of users?
If you would like to use the central LDAP directory server to authenticate
users, please contact Russ Tokuyama at
email@example.com or 956-3924.
- What's the issue with Microsoft's implementation relative to
Although there was a concern with Microsoft's implementation of
Kerberos for user authentication in Windows 2000, there weren't any
specific concerns raised relative to LDAP. However, the thing to keep in
mind with Windows 2000's Active Directory Services (ADS) is that Windows
2000 stores Windows-specific information, such as machine accounts and
hardware and policy configuration, in the Active Directory alongside user
information. There are some difficulties in using it for an enterprise-wide
directory service because its schema, naming structure, and attribute names
are Windows-oriented rather than the generic ones other LDAP clients expect.
- Is there any way to tie into LDAP or UNISON for a single sign on
Windows NT servers so campuses don't have to create a separate ID?
While it is possible to use LDAP to authenticate users on Windows NT
networks and servers, the details of how to implement this have not been
worked out. There are a few possible strategies to use but the main
constraints for this are ease of use and secure operation. If you have
further questions or would like to pursue a particular strategy, please
contact Russ Tokuyama at
- Is there more information about using LDAP with the Windows
Some applications for Windows are able to use LDAP. For example,
Netscape Communicator knows how to talk to an LDAP directory service to
store browser configuration settings (its roaming access feature), so that
a user can move from computer to computer and have the same bookmarks,
address book, and preferences without having to copy the information from
computer to computer.
Applications for Windows can be written using software development
libraries that permit access to an LDAP directory service. Netscape has a
freely available LDAP SDK (software development kit). Microsoft's Active
Directory Service Interfaces (ADSI) provide a COM interface, usable from
Visual Basic, whose LDAP provider can talk to any LDAP server, not only
Active Directory. Sun provides a Java library and API, the Java Naming and
Directory Interface (JNDI), for accessing naming and directory services such
as LDAP.
- What future projects are planning to use LDAP?
Web-based systems (aka, Web Applications or Apps) will be able to use LDAP
for authentication and possibly for authorization (access control).
- Where is the University or ITS as far as trying to implement
networking and getting it going? What is ITS starting with?
ITS is developing procedures and guidelines for the installation,
configuration, and administration of wireless LAN access using IEEE 802.11
standard networking equipment. Due to the nature of wireless
communications, setup and configuration are critical to achieving reliable
connectivity. It is also very important to ensure secure and proper use
of network connectivity. The UH Manoa campus will probably be the first
to pilot wireless LAN connectivity.