LDAP

LDAP Beginners' Tutorial: how it works, with examples, and how it differs from AD and databases

What is LDAP? What can we do with LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is a directory database that stores information about objects, for example the people who use the system.

LDAP is used for many things, mainly through "LDAP authentication" and "LDAP lookups". The following uses are common.

1. Centralize the Linux system account information (/etc/passwd and /etc/shadow) of every server.

If you have many Linux clients, you no longer need to keep ID and password information on each of them: register the accounts on a single LDAP server and users can log in with the same ID and password from any client. Other account information can also be retrieved at login.

2. Unify the IDs and passwords used by the various applications on a Linux server.

For example, mail servers such as Postfix and Dovecot and web (Apache) based application servers that require a login can share the same ID and password information. Taking this further, you can also implement single sign-on (a mechanism where, once you have authenticated to one server, you can log in to other servers without authenticating again).

3. Share employee information

For example, store each person's name, mail address, telephone number, department and so on in the LDAP server. Then install a groupware server such as Cybozu on another Linux server and configure it accordingly. When a user logs in to the groupware, enters another person's name on the search screen and presses the search button, it can be configured to display that person's mail address, telephone number and department.

4. LDAP lookups, such as automatic account creation

For example, with the same LDAP integration settings on the groupware server side, an account registered in LDAP needs no account setup on the groupware server: the groupware can create the account automatically once LDAP authentication succeeds.

Beyond this, the range of integration is broad: for example, Postfix can change the SMTP relay destination depending on the user (mail address), and Samba can manage access rights centrally through LDAP.
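As an added example (not part of the original article), the lookup-then-bind sequence an application performs for LDAP authentication, with a constructed in-memory directory standing in for the LDAP server. It contains the two checks an implementer should not skip: the user-supplied value is escaped per RFC 4515 before it goes into the search filter, and an empty password is rejected up front, because a bind with a DN and no password is an "unauthenticated bind" that RFC 4513 lets a server accept as anonymous.

```python
import re

# Constructed toy directory standing in for the server's People subtree.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=People,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: special characters become \\XX hex escapes so that
    user input can only ever be compared as a value, never change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(uid: str) -> str:
    """Filter used for the lookup step (assumed posixAccount schema)."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(uid)


def toy_search(ldap_filter: str):
    """Stand-in for the server's search: return the DN whose uid equals the
    filter's uid value (after escaping), or None when nothing matches."""
    m = re.search(r"\(uid=([^)]*)\)", ldap_filter)
    if m is None:
        return None
    for dn, entry in DIRECTORY.items():
        if escape_filter_value(entry["uid"]) == m.group(1):
            return dn
    return None


def toy_bind(dn: str, password: str) -> bool:
    """Stand-in for a simple bind. Models the RFC 4513 unauthenticated bind:
    a DN with an empty password succeeds without checking any credential."""
    if password == "":
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def authenticate(uid: str, password: str, search=toy_search, bind=toy_bind) -> bool:
    """Lookup the user's DN by uid, then bind as that DN with the password."""
    if password == "":
        return False          # never let an empty password reach the server
    dn = search(build_user_filter(uid))
    if dn is None:
        return False          # unknown uid, or input that did not survive escaping
    return bind(dn, password)
```

With a real client library the `search` and `bind` arguments would wrap the library's search and simple-bind calls; the checks in `authenticate` stay the same.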

What is the difference between LDAP and database?

In a relational database, updates are frequent, and updating one record in one table often requires updating other tables as well, so a series of operations has to be carried out as one consistent unit. It is therefore suited to updating complex table structures, but the load is high.

LDAP, on the other hand, has a simple tree structure and cannot represent complex structures the way a database can. Because it is lightweight, it is well suited to system account management.

A database is expected to be updated many times a day, whereas LDAP is expected to be updated about once every few days.

What is the difference between LDAP and AD (Active Directory)?

An Active Directory domain controller uses LDAP internally. This is Microsoft's own implementation, distinct from OpenLDAP, but it conforms to RFC 4511.

For Active Directory, however, LDAP is just one component of the overall solution called Active Directory. AD has standard Windows client administration functions such as Group Policy, so it can do more than an ordinary LDAP server. AD also has computer accounts (for clients that have joined the domain) in addition to user accounts.

The integrations shown in the OpenLDAP examples above are generally also possible with Active Directory. Whereas OpenLDAP is geared towards Linux clients, Active Directory is geared towards Windows.

In addition, the domain controller centrally controls access to file servers. For example, with multiple file servers, account information would normally be registered on each server and access rights set on top of it; in an AD environment the account information used for access control is managed by AD, so access rights can be set on each server as standard. (The same can be achieved with OpenLDAP by integrating with a Samba server.) It is also possible to manage Windows clients centrally with Group Policy (for example, to enforce Windows firewall and screen saver settings).
